
VPN Questions

May 4th, 2020

Question 1

Explanation

For Direct Internet Access (DIA), NAT translation for packets exiting the branch toward the Internet is enabled on the WAN edge devices via NAT overload. NAT overload maps multiple unregistered (private) IP addresses to a single registered (public) IP address by using different source ports. To achieve this on WAN edge devices, configure NAT on all WAN transport interfaces that face the Internet. The NAT operation on outgoing traffic is performed in VPN 0, which is exclusively a transport VPN; the router's connection to the Internet lives in VPN 0.

[Figure: VPN0_Internet.jpg, the WAN edge's VPN 0 transport connection to the Internet]

Reference: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/sdwan-dia-deploy-2019nov.pdf
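As an added example, not taken from the page or from the referenced Cisco guide, the following vEdge-style configuration shows the idea in the explanation above: the Internet-facing transport interface in VPN 0 carries the tunnel and also has `nat` enabled, so DIA traffic leaving that interface is overloaded onto its public address. The interface name, addresses (RFC 5737 documentation ranges) and color are constructed values, and the exact command layout should be checked against the guide for the software release in use.

```text
! VPN 0 is the transport VPN: underlay addressing, tunnel endpoints, NAT for DIA.
vpn 0
 interface ge0/0
  ip address 203.0.113.2/30          ! constructed public address on the ISP link
  nat                                ! NAT overload for DIA traffic exiting to the Internet
  tunnel-interface
   encapsulation ipsec
   color biz-internet                ! constructed transport color name
  !
  no shutdown
 !
 ip route 0.0.0.0/0 203.0.113.1       ! constructed default route toward the ISP
!
! Service VPN 1 holds the branch LAN; its private addresses are what get translated.
vpn 1
 interface ge0/1
  ip address 10.10.20.1/24           ! constructed private LAN address
  no shutdown
 !
!
```

Because translation happens only in VPN 0, the private 10.10.20.0/24 addresses in VPN 1 never appear on the Internet link; a data policy that steers selected VPN 1 traffic to the local exit (rather than over the overlay) is what completes a DIA design, and the guide covers that policy separately.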

Question 2

Explanation

There might be cases where the network administrator wants to explicitly disallow the creation of VPNs on the vEdge router. An example is a B2B partnership in which the vEdge router is not located at the customer premises. For these situations, the network administrator can choose to allow only certain VPNs on these vEdge routers, effectively controlling membership in the VPN.

In the link below you can see the configuration to disallow VPN 1 at sites 20 and 30.

Configuration example and reference: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_17.2/04Segmentation/03Segmentation_(VPN)_Configuration_Examples
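To make the membership-control idea concrete, here is an added vSmart-style centralized policy, not copied from the page or from the linked Cisco example, that rejects VPN 1 at sites 20 and 30 while leaving every other VPN accepted. The list and policy names are constructed, and the structure (a `vpn-membership` policy matched on `vpn` or `vpn-list`, applied per `site-list`) is written from memory of the Viptela policy syntax as an assumption to be verified against the linked configuration examples.

```text
policy
 lists
  site-list branches-20-30            ! constructed list name
   site-id 20
   site-id 30
  !
  vpn-list partner-vpn                ! constructed list name
   vpn 1
  !
 !
 vpn-membership deny-vpn1             ! constructed policy name
  sequence 10
   match
    vpn-list partner-vpn              ! could equally be "vpn 1" on a single VPN
   !
   action reject                      ! vEdges at matching sites cannot join VPN 1
   !
  !
  default-action accept               ! all other VPNs remain permitted
 !
!
apply-policy
 site-list branches-20-30
  vpn-membership deny-vpn1
 !
!
```

Because this is a centralized policy pushed from vSmart, the restriction holds even if someone with access to the partner-hosted vEdge tries to define VPN 1 locally: the controller refuses to distribute that VPN's routes and TLOCs to it, which is the property that makes this useful in the B2B scenario above.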

Question 3

Explanation

Zone configuration consists of the following components:
+ Source zone – A grouping of VPNs where the data traffic flows originate. A VPN can be part of only one zone.
+ Destination zone – A grouping of VPNs where the data traffic flows terminate. A VPN can be part of only one zone.

Reference: https://sdwan-docs.cisco.com/Product_Documentation/Software_Features/Release_18.4/Security/Enterprise_Firewall_with_Application_Awareness

Question 4

Explanation

VPN 512 is the management VPN. It carries out-of-band network management traffic among the Viptela devices in the overlay network.

Note: The table in answer C configures the out-of-band management VLAN 512 while the table in answer B configures the interface under the Management VLAN.

Reference: https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/SDWAN/SD-WAN-End-to-End-Deployment-Guide.pdf

Comments
  1. Anonymous
    February 22nd, 2021

    @certprepare: Are there any new questions after September 10th, 2020?

  2. JR
    April 26th, 2021

    @Anonymous, there are but only for premium members. I am premium and can confirm

  3. Anonymous
    August 10th, 2022

    Q2: C is not correct.
    “match vpn-id” syntax doesn’t exist, can be “match vpn” or “match vpn-list”

  4. Louise Newkirk
    October 31st, 2022

    Hello!

  5. Sh Sh
    April 26th, 2024

    @Cert Prep
    I agree with Anonymous regarding Q2
    Q2: C is not correct.
    “match vpn-id” syntax doesn’t exist, I would suggest the correct answer to be A
    Please double check

  6. Anonymous
    September 15th, 2024

    @certprepare

    Please check Q2
