Cisco
300-730 Question #124: Real Exam Question with Answer & Explanation
The correct answer is D: Add the route set remote ipv4 192.168.100.0 255.255.255.0 command to the spoke authorization policy.
Site-to-site VPNs on Routers and Firewalls
Question
Refer to the exhibit. Based on the provided Flex-spoke IKEv2 authorization policy configuration, which command is required to configure route set remote ipv4 192.168.100.0 255.255.255.0 on the spoke authorization policy?
Options
- A. Add the aaa authorization group cert list default default command to the spoke ikev2 profile.
- B. Add the route set remote ipv4 192.168.200.0 255.255.255.0 command to the hub authorization policy.
- C. Add the aaa authorization group cert list default default command to the hub ikev2 profile.
- D. Add the route set remote ipv4 192.168.100.0 255.255.255.0 command to the spoke authorization policy.
Explanation
In FlexVPN, the route set remote command must be configured directly in the authorization policy that applies to the peer whose subnets are being advertised: in this case, the spoke authorization policy for the spoke's local prefix.
Common mistakes.
- A. Adding aaa authorization group cert list default default to the spoke IKEv2 profile enables certificate-based group authorization lookup but does not itself inject a route - it only determines which authorization policy is applied.
- B. Adding a route set command for 192.168.200.0/24 to the hub authorization policy would install a route toward the hub prefix on the spoke, which is the opposite of what is required and addresses a different subnet.
- C. Adding the aaa authorization group cert list command to the hub IKEv2 profile controls how the hub itself is authorized, not how routes for the spoke subnet are pushed to the hub.
Concept tested. FlexVPN IKEv2 authorization policy route injection
Topics
#FlexVPN, #IKEv2 authorization, #route set, #spoke configuration