Cisco

352-001 · Question #523

352-001 Question #523: Real Exam Question with Answer & Explanation

The correct answer is E: Use policy-based routing to direct traffic into the correct VRF. Policy-based routing with 'set vrf' steers untagged traffic from a single CE interface into separate VRFs on the PE without requiring any VLAN capability on the CE.

Question

An ISP provides VoIP and internet services to its customers. For security reasons, these services must be transported in different MPLS Layer 3 VPNs over the ISP core network. The customer CEs do not have the ability to segment the services using different VLANs and have only one uplink interface that does not support VLAN tagging. How should you design the network to ensure that VoIP traffic that is received from the CE goes in the VoIP VPN, and that Internet traffic goes into the Internet VPN on the ISP PE devices?

Options

  • A. Use a secondary interface IP address to differentiate between VoIP and Internet traffic
  • B. Extend the Layer 3 VPN toward the CE
  • C. Enable NBAR on the PE to direct the traffic into the correct VRF
  • D. Use a subinterface on the PE for each service, VoIP and Internet, with different subnets
  • E. Use policy-based routing to direct traffic into the correct VRF

Explanation

Policy-based routing with 'set vrf' steers untagged traffic from a single CE interface into separate VRFs on the PE without requiring any VLAN capability on the CE.
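
The following Cisco IOS configuration is an added example, not part of the original question or its reference. It shows one way a PE could apply 'set vrf' on a single untagged CE-facing interface. The VRF names, RD and route-target values, ACL and route-map names, interface name and all addresses are assumptions made for illustration.

```cisco
! Added example. VRF names, RD/RT values, ACL and route-map names, the
! interface and all addresses are assumptions (documentation ranges).
ip vrf VOIP
 rd 65000:10
 route-target both 65000:10
!
ip vrf INTERNET
 rd 65000:20
 route-target both 65000:20
!
! Classify VoIP by the source subnet assumed to be assigned to the
! customer's voice devices.
ip access-list extended VOIP-SOURCES
 permit ip 198.51.100.0 0.0.0.255 any
!
! Sequence 10 sends matched traffic to the VoIP VRF; sequence 20 has no
! match clause, so everything else is looked up in the Internet VRF.
route-map CE-STEER permit 10
 match ip address VOIP-SOURCES
 set vrf VOIP
route-map CE-STEER permit 20
 set vrf INTERNET
!
! Single untagged PE interface facing the CE. It is not bound to a VRF
! with "ip vrf forwarding"; "ip vrf receive" installs its connected
! route into each VRF.
interface GigabitEthernet0/0/1
 ip address 192.0.2.1 255.255.255.252
 ip policy route-map CE-STEER
 ip vrf receive VOIP
 ip vrf receive INTERNET
```

Return routing toward the CE is not shown. Because the match is made on header fields that originate on the customer side, the separation between the two VPNs is only as strong as the classifier; 'show route-map CE-STEER' displays per-sequence policy match counters for checking that traffic lands where intended.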

Common mistakes.

  • A. A secondary IP address on the PE interface assigns an additional subnet to the same interface but provides no mechanism to classify traffic by type or steer it into different VRFs.
  • B. Extending the L3 VPN toward the CE requires the CE to participate in MPLS VPN signaling or CE-based VRF segmentation, which the CE in this scenario is explicitly incapable of supporting.
  • C. NBAR can recognize and classify application traffic for QoS marking and policy enforcement, but it cannot directly assign or redirect traffic into a specific VRF on a PE.
  • D. Subinterfaces on the PE use 802.1Q VLAN tags to demultiplex traffic arriving from the CE, but the CE in this scenario has no VLAN tagging capability, so there are no tags for the PE to use for subinterface selection.

Concept tested. Policy-based routing for multi-VRF traffic steering on PE

Reference. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/iproute_pi/configuration/xe-16/iri-xe-16-book/iri-pbr.html
