Cisco 300-415 Practice Test - Questions Answers, Page 37

To establish a strict hub-and-spoke topology in Cisco SD-WAN for a specific VPN, such as VPN2, a control policy must be configured. This control policy dictates how traffic flows between sites, ensuring that all branch traffic is routed through the hub site.

1.Control Policy Components:

oSite Lists: Define which sites are considered hubs and which are branches.

oVPN Lists: Identify the VPNs to which the policy applies.

oControl Policy: Use sequences to match routes and specify actions to accept or reject traffic based on the defined topology.

1.Policy Analysis:

oOption A: Correctly defines site lists for hub sites (site-id 1-2) and creates a control policy that matches routes for VPN2, accepting routes from hub sites and rejecting routes from others. This ensures that traffic from branches (other sites) is only accepted if it routes through the hubs.

oOther options either incorrectly define the site lists or do not properly match and set the routes to enforce the strict hub-and-spoke topology.

1.Policy Configuration:

policy

lists

vpn-list VPN2

vpn 2

site-list hub_sites

site-id 1-2

!

control-policy vpn_multi_topology

sequence 10

match route

site-list hub_sites

vpn-list VPN2

!

action accept

!

sequence 20

match route

vpn-list VPN2

!

action reject

!

default-action accept

1.Reference:

oCisco SD-WAN Control Policy Configuration Guide

oCisco SD-WAN Hub-and-Spoke Topology Deployment Guide

In Cisco SD-WAN, TLOC (Transport Locator) colors are used to categorize and manage different types of transport networks. When integrating with cloud services such as Google Cloud, specific TLOC colors are designated for managing site-to-site communication within the cloud infrastructure.

1.TLOC Color Assignment:

oFor Google Cloud integration, Cisco SD-WAN uses specific TLOC colors to differentiate between various types of transport links and to ensure that traffic is routed appropriately between sites.

1.Private1 for Site-to-Site Communication:

oThe TLOC color private1 is specifically used for site-to-site communication within Google Cloud. This ensures that the traffic between different sites within the Google Cloud infrastructure is managed efficiently and securely.

1.Reference:

oCisco SD-WAN Cloud Integration Guide

oCisco SD-WAN Google Cloud Configuration Documentation

In Cisco SD-WAN, data policies can influence the routing traffic flow, particularly when using BGP (Border Gateway Protocol) to manage the traffic from the LAN to the WAN. This involves route manipulation techniques such as AS-path prepending to influence path selection.

1.AS-Path Prepending:

oAS-path prepending is a technique used to manipulate the path selection process in BGP. By adding extra AS numbers to the AS-path attribute, you make a particular route less preferred.

oThis can be useful in directing traffic to take a different path by making certain routes appear longer.

1.Option C Analysis:

oPolicy Definition: The policy named BGP-AS-PREPEND includes a sequence that sets the AS-path to prepend the AS numbers 10 and 20.

oApplication: The policy is applied in the outbound direction of BGP, which means it will influence the BGP routes being advertised from the LAN to the WAN.

oThis ensures that the traffic flow from the LAN to the WAN is influenced by the AS-path prepending, making certain paths less preferred.

1.Reference:

oCisco SD-WAN Routing Configuration Guide

oCisco SD-WAN BGP Policy Configuration Documentation

Cisco TrustSec (CTS) is a technology that enables secure access and dynamic role-based access control in the network. The Security Group Tag (SGT) Exchange Protocol (SXP) is used to propagate SGTs across network devices. To ensure the secure exchange of these tags, Cisco uses encryption algorithms.

1.AES (Advanced Encryption Standard): AES is widely used in many security protocols and standards because of its strong encryption capabilities. In the context of Cisco TrustSec, AES is the encryption algorithm used to secure binding exchanges between SXP peers. It provides robust encryption, ensuring the integrity and confidentiality of the data being exchanged.

1.Implementation: When configuring SXP peers, the AES encryption ensures that the SGT information transmitted is secure and cannot be intercepted or tampered with by unauthorized entities.

1.Reference:

oCisco TrustSec Configuration Guide

oCisco's official documentation on TrustSec SXP deployment

In a Cisco SD-WAN high availability (HA) vManage cluster, several components work together to ensure redundancy and availability. The vManage cluster is responsible for network management and configuration and consists of multiple servers that handle different functions.

1.Application Server: This server handles the core functionalities of vManage, including processing user requests, managing configurations, and executing policies. In an HA setup, multiple application servers work together to provide redundancy and load balancing.

1.Messaging Server: The messaging server is responsible for inter-server communication within the cluster. It ensures that configuration changes, policy updates, and other important messages are propagated across all vManage servers in the cluster.

These components work in tandem to maintain the operational integrity and availability of the vManage system in an HA configuration.

3.Reference:

oCisco SD-WAN vManage Cluster Deployment Guide

oCisco SD-WAN High Availability Configuration Documentation

Deploying on-premises vBond controllers through the Cisco Plug and Play Connect process requires specific configurations to ensure proper identification and communication between the controllers and the devices.

1.DNS Name: A DNS name that identifies the vBond orchestrator is crucial. This DNS name allows devices to dynamically resolve the IP address of the vBond orchestrator. This is especially important in environments where IP addresses may change, ensuring that devices can always reach the vBond orchestrator through its DNS name.

1.Process:

oWhen a device comes online, it contacts the Plug and Play server to get the necessary information for connecting to the SD-WAN fabric.

oThe DNS name is used to resolve the vBond's IP address, enabling secure and reliable communication between the device and the vBond orchestrator.

1.Reference:

oCisco SD-WAN Plug and Play Connect Deployment Guide

oCisco SD-WAN vBond Orchestrator Configuration Documentation

To achieve communication between Barcelona and Paris through the London site, a control policy needs to be configured to force traffic from these two sites to pass through the London site. This setup involves manipulating the routing information such that London becomes a transit hub for traffic between Barcelona and Paris.

1.Understanding the Policy Requirements:

oCentralized Policy: This type of policy is applied at the controller level and affects multiple devices in the SD-WAN fabric. It allows the control of routing behavior across the entire network.

oRoute Policy: Specifically, a route policy will be used to set the preferred path for traffic between sites, ensuring that it passes through London.

1.Option Analysis:

oOption A: Shows the configuration of a centralized policy with a focus on route policy, which is necessary to achieve the desired traffic flow manipulation.

oOther Options: Do not provide the necessary centralized policy or route policy configurations that are needed to control the routing paths between the sites.

1.Configuration Details:

oCentralized Policy: Define the policy under the centralized policy section in the vManage GUI.

oRoute Policy: Create and apply a route policy that specifies the desired routing behavior for traffic between Barcelona and Paris, ensuring it routes through London.

1.Reference:

oCisco SD-WAN Control Policy Configuration Guide

Cisco SD-WAN Centralized Policy Documentation

Deploying the SD-WAN controller on-premises offers several advantages, particularly in terms of control and customization.

1.Full Control of the Data Plane and the Control Plane: When the controller is deployed on-premises, the organization maintains complete control over both the data plane (traffic forwarding) and the control plane (network management and configuration). This allows for more granular control over network policies, security configurations, and performance optimizations.

1.Customization and Security: On-premises deployment allows organizations to customize their SD-WAN setup to meet specific security and compliance requirements. Sensitive data remains within the organization's control, which can be crucial for industries with strict data privacy regulations.

1.Operational Flexibility: Having the controller on-premises provides operational flexibility, enabling organizations to integrate the SD-WAN solution with existing network management tools and processes.

1.Reference:

oCisco SD-WAN Deployment Guide

oCisco SD-WAN On-Premises Controller Configuration Documentation