
300-415 · Question #441

300-415 Question #441: Real Exam Question with Answer & Explanation

The correct answer is D: sequence 20 match destination-port 80 443 destination-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0. To admit web browsing traffic to government websites for DIA, the policy must match destination ports 80 and 443 against a destination prefix list representing government IP ranges, then NAT the traffic out VPN 0.

Policies

Question

Refer to the exhibit. An engineer is modifying an existing data policy for DIA in VPN 23. Web browsing traffic toward government websites must be admitted for DIA. All other traffic must follow the regular routing path. Which policy sequence meets these requirements when appended to the existing configuration?

Options

  • A. sequence 20 match source-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0
  • B. sequence 20 match destination-port 80 443 source-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0
  • C. sequence 20 match source-port 80 443 destination-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0 nat fallback
  • D. sequence 20 match destination-port 80 443 destination-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0

Explanation

Option D matches outbound flows whose destination port is 80 or 443 and whose destination address falls inside the GOVERNMENT-WEBSITES data prefix list, then accepts them with 'nat use-vpn 0', which sends them out the NAT-enabled VPN 0 transport interface of the local edge instead of across the overlay. Because a data policy is evaluated first match wins, sequence 20 only sees traffic that no earlier sequence in the existing policy already claimed. Two settings outside sequence 20 also have to hold for "all other traffic follows the regular routing path": the policy must be applied to a VPN list containing VPN 23 in the from-service direction, and its default-action must be accept, since a centralized data policy defaults to drop and would otherwise black-hole the remaining traffic rather than route it normally. NAT must also be enabled on the edge's VPN 0 transport interface, or the matched traffic has no exit.

Common mistakes.

  • A. 'source-data-prefix-list GOVERNMENT-WEBSITES' treats government website addresses as traffic sources rather than destinations, so outbound browsing traffic (sourced from VPN 23 hosts) never matches and falls through to the rest of the policy.
  • B. Adds the correct destination-port match but keeps the same source-vs-destination error as option A; government websites are the destinations of user traffic, not its source.
  • C. 'source-port 80 443' matches only packets whose source port is 80 or 443 and whose destination is a government prefix. A client's browsing requests use an ephemeral source port, so they never match; even server responses would not, since their destination is the user, not a government prefix. 'nat fallback' is a valid keyword (route over the overlay if the DIA path fails), but it cannot rescue the wrong match direction.
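The following Python model is an added illustration, not code from the exam or from Cisco; it mimics first-match data-policy evaluation for the four candidate sequences so the source-vs-destination and default-action points above can be checked against constructed flows. The prefix ranges (RFC 5737 documentation space), host addresses and ports are made up for the example, and the parser only understands the match conditions and actions that appear in the options.

```python
"""Model of vSmart data-policy matching for the four candidate sequences.

Added example, not Cisco code. Addresses, ports and the prefix-list contents
are constructed for illustration only.
"""
import ipaddress

# Constructed data-prefix-list standing in for the GOVERNMENT-WEBSITES list.
DATA_PREFIX_LISTS = {
    "GOVERNMENT-WEBSITES": [ipaddress.ip_network("203.0.113.0/24"),
                            ipaddress.ip_network("198.51.100.0/24")],
}

MATCH_KEYWORDS = {"source-port", "destination-port",
                  "source-data-prefix-list", "destination-data-prefix-list"}

# The four options exactly as the question flattens them.
OPTIONS = {
    "A": "sequence 20 match source-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0",
    "B": "sequence 20 match destination-port 80 443 source-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0",
    "C": "sequence 20 match source-port 80 443 destination-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0 nat fallback",
    "D": "sequence 20 match destination-port 80 443 destination-data-prefix-list GOVERNMENT-WEBSITES ! action accept nat use-vpn 0",
}


def parse_sequence(text):
    """Parse 'sequence N match <conditions> ! action <verbs>' into a dict."""
    tokens = text.split()
    bang = tokens.index("!")
    seq = {"number": int(tokens[1]), "match": {}, "action": None,
           "nat_vpn": None, "nat_fallback": False}
    i = tokens.index("match") + 1
    while i < bang:                      # each condition: keyword + 1..n values
        key = tokens[i]
        if key not in MATCH_KEYWORDS:
            raise ValueError(f"unsupported match condition: {key}")
        i += 1
        values = []
        while i < bang and tokens[i] not in MATCH_KEYWORDS:
            values.append(tokens[i])
            i += 1
        seq["match"][key] = values
    verbs = tokens[bang + 2:]            # skip "!" and "action"
    seq["action"] = verbs[0]             # accept | drop
    j = 1
    while j < len(verbs):
        if verbs[j] == "nat" and verbs[j + 1] == "use-vpn":
            seq["nat_vpn"] = int(verbs[j + 2]); j += 3
        elif verbs[j] == "nat" and verbs[j + 1] == "fallback":
            seq["nat_fallback"] = True; j += 2
        else:
            raise ValueError(f"unsupported action token: {verbs[j]}")
    return seq


def _in_prefix_list(addr, name):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in DATA_PREFIX_LISTS[name])


def matches(seq, flow):
    """All configured conditions must match (logical AND)."""
    for key, values in seq["match"].items():
        if key == "destination-port" and str(flow["dport"]) not in values:
            return False
        if key == "source-port" and str(flow["sport"]) not in values:
            return False
        if key == "destination-data-prefix-list" and not _in_prefix_list(flow["dst"], values[0]):
            return False
        if key == "source-data-prefix-list" and not _in_prefix_list(flow["src"], values[0]):
            return False
    return True


def evaluate(sequences, flow, default_action="drop"):
    """First match wins. ('accept', 0) means DIA via VPN 0; ('accept', None)
    means regular overlay routing; ('drop', None) means black-holed.
    default_action mirrors the policy's default-action, which is drop unless set."""
    for seq in sorted(sequences, key=lambda s: s["number"]):
        if matches(seq, flow):
            return (seq["action"], seq["nat_vpn"])
    return (default_action, None)


# Constructed flows as seen from-service in VPN 23: a browser session to a
# "government" host, and a browser session to an unrelated host.
BROWSING = {"src": "10.23.0.10", "dst": "203.0.113.10", "sport": 51234, "dport": 443}
OTHER    = {"src": "10.23.0.10", "dst": "192.0.2.50",   "sport": 51235, "dport": 80}


def compare_options(flow, default_action="accept"):
    """Evaluate one flow against each candidate sequence 20 on its own."""
    return {letter: evaluate([parse_sequence(text)], flow, default_action)
            for letter, text in OPTIONS.items()}


if __name__ == "__main__":
    for name, flow in (("browsing", BROWSING), ("other", OTHER)):
        print(name, compare_options(flow))
    print("other, default-action drop:", compare_options(OTHER, "drop")["D"])
```

Running it shows only option D steering the browsing flow to VPN 0 while A, B and C let it fall through, and the last line shows the unrelated flow being dropped rather than routed when the policy's default-action is left at drop.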

Concept tested. SD-WAN DIA data policy with destination prefix and port matching

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/policies/ios-xe-17/policies-book-xe/data-policy.html

Topics

SD-WAN Data Policy · Direct Internet Access (DIA) · Policy Match Conditions · Data Prefix List
