300-415 Question #45: Real Exam Question with Answer & Explanation

Question

Options

• AVPN 10 ip route 0.0.0.0/0 vpn 0 VPN 0 interface Gig1/1 nat
• BVPN 10 ip route 0.0.0.0/0 vpn 0
• Cpolicy data-policy DPI vpn-list vpn10 sequence 10 match app-list YouTube destination-port 80 443 ! action accept count Youtube ! default-action accept ! lists vpn-list vpn10 vpn 10 ! app-list YouTube app youtube app youtube_hd ! site-list Remote site-id 14 site-id 15 ! ! apply-policy site-list Remote data-policy DPI from-transport vpn 10 ip route 0.0.0.0/0 vpn 0
• Dpolicy data-policy DPI vpn-list vpn10 sequence 10 match app-list YouTube destination-port 80 443 ! action drop count Youtube ! default-action accept ! lists vpn-list vpn10 vpn 10 ! app-list YouTube app youtube app youtube_hd ! site-list Remote site-id 14 site-id 15 ! ! apply-policy site-list Remote data-policy DPI from-transport vpn 10 ip route 0.0.0.0/0 vpn 0

Explanation

To enable local Internet breakout for users from a service VPN, traffic must be routed to the transport VPN, and NAT must be enabled on the outgoing interface.

Common mistakes.

• B. This option correctly routes traffic from VPN 10 to VPN 0 but lacks the essential NAT configuration on the VPN 0 interface, which is required for local internet breakout.
• C. This option includes a data policy to accept YouTube traffic, but the policy alone doesn't configure the necessary local internet breakout, and it still requires explicit NAT on the VPN 0 interface, which is missing.
• D. This option includes a data policy that explicitly drops YouTube traffic, which would prevent access, and it also omits the necessary NAT configuration on the VPN 0 interface.

Concept tested. Local Internet breakout with NAT

Reference. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/nat/nat-book.html#configuring-nat-with-a-local-internet-breakout-on-cisco-sd-wan-devices

No community discussion yet for this question.