
300-415 Question #424: Real Exam Question with Answer & Explanation

The correct answer is C: policy list site-list Site-1 site-id 1 vpn-list vpn-10 vpn 10 data-policy FW-policy vpn-list vpn-10 sequence 1 match ip-destination 10.1.1.0/24 action accept set nexthop 10.0.0.2 apply-policy site-list Hub-1 data-policy netsvc1-policy. To route VPN 10 traffic from all sites through a firewall at Site 1, a centralized data policy on the vSmart controller should be used to set the firewall's IP as the next-hop.

Policies

Question

Refer to the exhibit. A customer wants to deploy service insertion at site 1, in which traffic from VPN 10 must route to this site through a firewall. A policy must be in place to route VPN 10 traffic from all sites toward this firewall. Which configuration must be on the vSmart controller to meet this requirement?

Options

  • A. policy lists site-list Site-1 site-id 1 control-policy firewall-service sequence 10 match route vpn 10 action accept set service FW apply-policy site-list device-1 control-policy custom-firewall-service out
  • B. policy control-policy FW_Policy sequence 1 match route vpn-list vpn-prefix-list_anyIpv4PrefixList action accept export-to vpn-list VPN10-VPN20 set service netsvc1 default-action reject apply-policy site-list Site1 control-policy FW_Policy out
  • C. policy list site-list Site-1 site-id 1 vpn-list vpn-10 vpn 10 data-policy FW-policy vpn-list vpn-10 sequence 1 match ip-destination 10.1.1.0/24 action accept set nexthop 10.0.0.2 apply-policy site-list Hub-1 data-policy netsvc1-policy
  • D. policy data-policy_VPN_10_FW vpn-list VPN_10 sequence 1 match ip-destination-ip 10.1.1.0/24 action accept set tloc tloc 10.10.10.1 color mpls encap ipsec default-action drop apply-policy site-list Site1 data-policy_VPN_10_FW from-service

Explanation

To route VPN 10 traffic from all sites through a firewall at Site 1, a centralized data policy on the vSmart controller should be used to set the firewall's IP as the next-hop.

Common mistakes.

  • A. This is a control policy, which primarily manipulates routes advertised in OMP, not specific data plane flows by setting a next-hop IP for service insertion.
  • B. This is a control policy that includes export-to vpn-list, indicating route leaking between VPNs, and uses set service which is generally for control-plane service insertion, not specific data-plane next-hop steering for a firewall.
  • D. This is a data policy using set tloc action, which steers traffic to a specific transport location (WAN Edge TLOC), rather than directly to the firewall's IP address (nexthop) for a local service insertion scenario within a VPN.

Concept tested. Cisco SD-WAN centralized data policy for service chaining with a next-hop.

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/sdwan-xe-gs-book/c_centralized_data_policy.html

Topics

SD-WAN Policies, Service Insertion, Data Policy, vSmart Configuration
