300-415 · Question #439

Security and Quality of Service

Question

Drag and drop the code snippets from the bottom onto the boxes in the configuration to prevent ICMP packets from the internet circuit from reaching users in VPN10 at site 101. Not all options are used.

Explanation

This question tests knowledge of Cisco SD-WAN localized policy configuration to block ICMP traffic arriving on an internet-facing circuit from reaching users in a specific VPN segment (VPN10) at a designated site (site 101). The task requires correctly assembling an access-list or data-policy construct and applying it to the appropriate interface in the correct direction.

Approach. The correct approach is to configure a localized data policy (access-list) that matches protocol ICMP (protocol number 1), sets the action to 'drop', and applies a default-action of 'accept' for all other traffic. This access-list must then be applied ingress on the internet-facing WAN interface within VPN 0 (the transport VPN) at site 101. Because SD-WAN uses VPN segmentation, blocking ICMP at the ingress WAN interface in VPN 0 prevents those packets from ever being forwarded into VPN 10, protecting the user segment without affecting other traffic. The 'not all options are used' hint signals that distractors such as 'reject', egress direction, or wrong VPN references must be excluded.

Concept tested. Cisco SD-WAN localized policy (access-list) construction and interface-level application to filter ICMP traffic from an internet transport circuit before it can reach a segmented user VPN (VPN10) at a specific site - covering policy sequence matching, protocol specification, drop action, and ingress direction on the correct WAN interface.

Reference. Cisco SD-WAN Policies Configuration Guide - Localized Policy / Access Lists; relevant to Cisco ENSDWI 300-415 exam objectives on SD-WAN security policy.

Topics

#ACLs #Traffic Filtering #ICMP Security #Edge Security
