
300-415 Question #425: Real Exam Question with Answer & Explanation

This question tests knowledge of Cisco SD-WAN (Viptela) hub-and-spoke topology policy configuration, specifically how to restrict spoke (Tier2) sites to communicate only through hub locations and prevent direct BFD data-plane tunnel formation between spoke sites.

Policies

Question

An enterprise requires Tier2 sites to communicate with Tier1 and Tier2 sites through hub locations only. Additionally, Tier2 is restricted from establishing BFD sessions with Tier1 and Tier2 sites. Drag and drop the code snippets from the bottom onto the boxes in the configuration to meet the requirements. Not all options are used.

Explanation

Approach. The correct approach uses a vSmart Control Policy with a 'hub-and-spoke' topology type. Tier1 sites are declared as 'hub-sites' using a site-list, and Tier2 sites are declared as 'spoke-sites' using their own site-list. The critical addition is the 'restrict' keyword under the spoke-sites block, which enforces both requirements at once: it forces Tier2 traffic to route through hub locations, and it prevents Tier2 sites from establishing direct BFD sessions (data-plane tunnels) with any other Tier1 or Tier2 site. Without 'restrict', SD-WAN would allow on-demand direct spoke-to-spoke BFD sessions to form dynamically, violating the enterprise policy.

Concept tested. Cisco SD-WAN hub-and-spoke topology policy with the 'restrict' keyword to enforce hub-only forwarding and suppress direct BFD session establishment between spoke (Tier2) sites.

Reference. Cisco SD-WAN (Viptela) Configuration Guide - Centralized Policy: Hub-and-Spoke Topology; vSmart Policy configuration; BFD session control via topology restrict

Topics

#SD-WAN Control Policy, #Hub-and-Spoke Topology, #BFD Configuration, #Site Segmentation
