PROFESSIONAL-CLOUD-NETWORK-ENGINEER Question #222: Real Exam Question with Answer & Explanation
The correct answer is C.
Question
Your organization has a legacy VPN device that uses IKEv1 and does not support BGP. Connectivity from your on-premises environment to Google Cloud needs to be established. You are using 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24 in your on-premises environment, and 192.168.100.0/24, 192.168.101.0/24, and 192.168.102.0/24 in your Google Cloud environment. You have configured a VPN gateway and you need to configure a policy-based VPN tunnel. What should you do?
Options
- A. Configure the tunnel with LOCAL_TS set to 172.16.100.0/22 and REMOTE_TS set to
- B. Configure the tunnel with LOCAL_TS set to 192.168.100.0/22 and REMOTE_TS set to
- C. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and
- D. Configure the tunnel with LOCAL_TS set to 172.16.100.0/24, 172.16.101.0/24, and
Explanation
Policy-based VPNs require explicit configuration of traffic selectors, known as LOCAL_TS (local traffic selector) and REMOTE_TS (remote traffic selector), which define the specific subnet ranges allowed to pass through the VPN tunnel.

1. Set LOCAL_TS to your on-premises subnets: since the on-premises subnets are 172.16.100.0/24, 172.16.101.0/24, and 172.16.102.0/24, they should be included in LOCAL_TS.
2. Set REMOTE_TS to your Google Cloud subnets: the Google Cloud subnets are 192.168.100.0/24, 192.168.101.0/24, and 192.168.102.0/24, so they should be included in REMOTE_TS.
3. Match specific subnets: policy-based VPNs require a one-to-one mapping of the traffic selectors. Wildcard ranges (e.g., /22 or 0.0.0.0/0) cannot be used because policy-based VPNs rely on matching specific subnet ranges to establish secure connectivity.