DRAG DROP - Drag and drop the actions from the left into the correct sequence on the right to create a data policy to direct traffic to the Internet exit. Select and Place:
In the CBT Nuggets video course, the instructor (Knox Hutchinson) showed how it (DIA) is done. Steps:
1. Enable NAT
2. Create policy
3. Identify
4. Apply policy
So, B > C > D > A
Selecting NAT as the action in the policy is not the same thing as enabling NAT functionality. Enabling NAT functionality means configuring NAT on the WAN interface in VPN 0, and this is always the first step.
The given answer is correct. The question is only about creating a traffic data policy with Direct Internet Access (DIA), not about the native interface configuration on the router. So the steps in the given order are right from a policy-building perspective.
I'm beginning to believe the given answer is correct. Speirsington explained correctly. First off this is Centralized Data policy configured via CLI. That is important.
Create Centralized Data Policy
(Match) Identify VPN and Match Criteria
(Action) Enable NAT - this is done via "nat use-vpn 0"
Apply
Please reference page 307 of the Cisco SD-WAN configuration guide 18.4.
"Rather than have a single exit point from the overlay network to the Internet, vSmart data-policy can provide local Internet exit from vEdge routers. You implement this using a data-policy that includes a NAT directive. The data-policy is configured on the vSmart controller, so local Internet exit is managed centrally."
The NAT function is configured on the transport side, on VPN 0 Ge0/1 using the following commands:
vpn 0
 interface ge0/1
  nat
The VPNs and site lists are configured, as always, in the lists as groups of interest.
lists
 vpn-list guest-wifi
  vpn 2
 site-list wifi-sites
  site-id 10-15
The actual policy is applied to the corresponding VPN list, and states that if the destination port is 80 or 443 (match), then (action) use the NAT function in VPN 0.
data-policy wifi-dia
 vpn-list guest-wifi
  sequence 10
   match
    destination-port 80 443
   action accept
    nat use-vpn 0
   !
  default-action accept
Enable NAT Functionality in the WAN VPN
The first step in setting up Internet exit on a Cisco vEdge device is to configure the router to act as a NAT device. You do this by enabling NAT functionality in VPNs that have interfaces that connect to a WAN transport network. By default, VPN 0 always connects to the WAN transport. Other VPNs in your network might also connect to WANs.
So the answer is:
Enable NAT
Created centralized policy.
ID VPN and match.
Apply data policy.
The question talks about the data policy construct, so with respect to that the sequence is correct: create CENTRAL DATA policy > match (VPN and all) > action (NAT) > apply policy ... Of course NAT should be enabled on the transport interface, but that is out of scope of the data policy construct.
Ans must be B,D,C,A
To configure the Cisco vEdge device to act as a NAT device so that some traffic from the router can go directly to a public network, you do three things:
Enable NAT in the transport VPN (VPN 0) on the WAN-transport–facing interface, which here is ge0/0. All traffic exiting from the Cisco vEdge device, going either to other overlay network sites or to a public network, passes through this interface.
To direct data traffic from other VPNs to exit from the Cisco vEdge device directly to a public network, enable NAT in those VPNs or ensure that those VPNs have a route to VPN 0.
On the Cisco vSmart Controller, create a centralized data policy that redirects the desired data traffic from the non-transport VPN to VPN 0, and then apply that data policy to the non-transport VPN. In this case, we apply the policy to VPN 1.
It's correct. Create centralized policy, then go to traffic-rules > traffic-data, add policy and select your "match" conditions and choose NAT VPN = 0 under the ACTIONS column. Finally, apply said policy to vSmart.
In order to create a centralized data policy you need to identify the VPNs involved and match criteria first. I would go with:
-Identify vpn and match criteria
-create the policy
-enable nat
-apply the policy
To configure a Cisco vEdge device to be an Internet exit point, you enable NAT within a VPN on the Cisco vEdge device, and then you configure a centralized data policy on a Cisco vSmart controller. This policy splits the traffic within the VPN so that some of it is directed towards remote sites within the VPN, and hence remains within the overlay network, and other traffic is directed to the Internet or other destinations outside the overlay network. It is also possible to configure a Cisco vEdge device to forward data traffic directly to the Internet, by specifying the destination IP prefix.
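An added example (not from the thread or from Cisco's documentation): a small Python check that reads vEdge and vSmart configuration text and reports whether the pieces discussed above are all present, namely NAT on a VPN 0 interface, a data policy whose action is `nat use-vpn 0`, and an `apply-policy` entry for that policy. The sample configs are constructed from the fragments quoted in the thread; the `apply-policy` stanza and the function names are assumptions of this example.

```python
def paths(cfg):
    """Yield every config line as (ancestor, ..., line), nesting by indentation."""
    stack = []  # (indent, text) for the current chain of open stanzas
    for raw in cfg.splitlines():
        text = raw.strip()
        if not text or text == "!":
            continue
        indent = len(raw) - len(raw.lstrip())
        while stack and stack[-1][0] >= indent:
            stack.pop()
        stack.append((indent, text))
        yield tuple(t for _, t in stack)

def dia_report(edge_cfg, vsmart_cfg):
    """Report which of the DIA building blocks are present in the two configs."""
    edge, ctrl = list(paths(edge_cfg)), list(paths(vsmart_cfg))
    # vEdge: "nat" directly under an interface of the transport VPN (VPN 0)
    nat_ifaces = [p[1].split()[1] for p in edge if len(p) == 3 and p[0] == "vpn 0"
                  and p[1].startswith("interface ") and p[2] == "nat"]
    # vSmart: data policies whose action sends traffic to the NAT in VPN 0
    nat_policies = {a.split()[1] for p in ctrl if p[-1] == "nat use-vpn 0"
                    for a in p if a.startswith("data-policy ")}
    # vSmart: policies actually referenced under apply-policy
    applied = {p[-1].split()[1] for p in ctrl
               if p[0] == "apply-policy" and p[-1].startswith("data-policy ")}
    unapplied = sorted(nat_policies - applied)
    return {"nat_interfaces": nat_ifaces, "nat_policies": sorted(nat_policies),
            "unapplied": unapplied, "ready": bool(nat_ifaces and nat_policies and not unapplied)}

# Constructed sample configs built from the fragments quoted in the thread.
EDGE_CFG = """\
vpn 0
 interface ge0/1
  nat
"""
VSMART_CFG = """\
policy
 data-policy wifi-dia
  vpn-list guest-wifi
   sequence 10
    match
     destination-port 80 443
    action accept
     nat use-vpn 0
   default-action accept
apply-policy
 site-list wifi-sites
  data-policy wifi-dia from-service
"""
```

Calling `dia_report(EDGE_CFG, VSMART_CFG)` returns a dictionary whose `ready` field is true only when both the interface-level NAT and an applied NAT data policy are found.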