Versa Networks VNX301 Exam Questions Instant Access

Question 1

You configured Direct Internet Access on your Versa branches using the workflow template. Which statement is true in this scenario?

AYou must define a CGNAT address pool and rule, and associate the rule with the internet-facing network.

BYou must define a CGNAT address pool and rule, and associate the rule with the LAN interface.

CDIA configured in a workflow automatically creates a CGNAT pool and rule, and associates it with the internet-facing network.

DCGNAT is not required when you configure DIA services.

Answer : C

The correct answer is C. In Versa Secure SD-WAN, Direct Internet Access, or DIA, provides local internet breakout from the branch rather than backhauling internet-bound traffic through a hub. Versa design documentation explains that the DIA architecture creates an internal connection between the tenant VRF and the WAN transport VR and uses CGNAT to translate internet-bound LAN traffic to the public IP address associated with the WAN transport interface. It specifically states that the main DIA components include the CGNAT function for translating internet-bound traffic and that DIA is configured using Director Workflows when configuring tunnels.

When the workflow template is used and the DIA option is selected for the internet breakout tunnel, Director automatically builds the required DIA infrastructure, including the NAPT/CGNAT configuration associated with the internet-facing transport network. This is why manual creation of the CGNAT pool and rule is not required in the workflow-based method. Option A describes a manual configuration approach, not the workflow-generated behavior. Option B is incorrect because NAT must be associated with the internet-facing breakout path, not simply the LAN interface. Option D is incorrect because DIA normally requires address translation for LAN users accessing the public internet.

Question 2

Examine the exhibit below. A DoS Profile shown in the exhibit is applied to an SD-WAN branch. Referring to the exhibit, which statement is correct?

AAn alarm is generated if TCP throughput is 7000 packets per second.

BPackets are randomly dropped if TCP throughput is 7000 packets per second.

CPackets are completely dropped if TCP throughput is 7000 packets per second.

DPackets are completely dropped if TCP throughput is 5000 packets per second.

Answer : B

The correct answer is B. The DoS profile in the exhibit is a Classified Profile using Source IP Only as the classification key. For TCP flood protection, the profile is enabled and shows an Alarm Rate of 5000 packets per second, an Activate Rate of 7000 packets per second, a Maximum Rate of 100000 packets per second, a Drop Period of 300 seconds, and an action of Random. This means the first threshold, 5000 pps, is used to trigger alarm behavior, while the second threshold, 7000 pps, activates the configured mitigation action. Since the selected action is Random, packets are randomly dropped when the TCP rate reaches the activate threshold.

Versa documentation shows that DoS policies can match traffic using source, destination, service, application, schedule, IP version, DSCP, and other conditions, and that a DoS policy can set either an aggregate or classified DoS profile. It also documents that DoS policies support enforcement actions and logging through LEF profiles for DoS events. Therefore, 7000 pps does not merely generate an alarm, and it does not mean complete dropping. Complete dropping is not selected in the exhibit.

Question 3

A branch device has completed Stage 3 onboarding. Which set of tunnels or sessions should exist after the device becomes fully operational in the customer SD-WAN network?

AIKE and IPsec sessions between the branch and Controller, and VXLAN and ESP sessions between branches

BOnly an HTTPS session between the branch and Director

COnly a BGP session between the branch and Analytics

DGRE-only tunnels between all branches without IPsec

Answer : A

The correct answer is A. In Versa Secure SD-WAN onboarding, the branch moves through three staging phases before becoming fully operational. Versa documentation states that in Stage 3, Versa Director pushes the stage-three configuration to the branch device over the IKE session and reboots the branch. After this stage, the branch becomes fully operational and is part of the customer SD-WAN network. At this point, IKE and IPsec sessions are created between the branch and Controller, and VXLAN and ESP sessions are created between branch to branch.

This distinction is important because the Controller connection is used for SD-WAN control-plane functions, while branch-to-branch overlay communication uses tunnel encapsulation for data forwarding. The documentation also notes that branch-to-branch ESP is maintained using a lightweight DH key-pair proprietary protocol.

Options B, C, and D are incorrect. HTTPS to Director alone does not represent the complete SD-WAN operational tunnel state. BGP to Analytics is not the required operational tunnel set. GRE-only tunnels without IPsec do not match the Versa Stage 3 SD-WAN tunnel behavior described in the staging documentation.

Question 4

Examine the exhibit below.

AThe VOS device will determine the optimal path out of INET and INET-2 using a proprietary algorithm.

BThe VOS device will load balance the sessions across INET and INET-2 as long as they are both SLA-compliant.

CThe VOS device will start using the LTE traffic if the INET circuit becomes unavailable.

DThe VOS device will not drop the traffic if there are no SLA-compliant nexthops.

Answer : B, D

The correct answers are B and D. In the exhibit, the Next-Hop Selection Method is configured as Load Balance, and both INET and INET-2 have the same next-hop priority value of 1. Versa SD-WAN guidance states that load balancing between WAN paths is achieved by configuring at least two circuits with equal priority. Therefore, when both INET and INET-2 satisfy the SLA requirements, sessions can be load-balanced across those two internet circuits.

Option D is also correct because the exhibit shows SLA Violation Action: Forward. This means that if no next hop is SLA-compliant, the VOS device is still allowed to forward traffic instead of dropping it. This behavior is consistent with Versa SD-WAN traffic-steering concepts, where forwarding profiles define circuit or path priorities, connection methods, load-balancing behavior, and SLA handling for traffic that matches an SD-WAN policy.

Option A is incorrect because the exhibit does not use the Automatic next-hop selection method. Versa's performance-based SaaS optimization uses monitoring metrics to select the best path when configured for automatic/performance-based selection, but this exhibit shows Load Balance instead. Option C is not the best answer because LTE has lower priority 2 and would be considered only after the higher-priority INET and INET-2 paths are unavailable or unusable, not merely when one INET circuit fails.

Question 5

You want to test a WAN circuit in a way that more closely simulates a single SCP or FTP file transfer. Which method should you use?

ARun the internet speed test from Versa Director with default settings.

BRun the internet speed test from the VOS CLI using the single-session option.

CRun show interfaces brief repeatedly during business hours.

DUse only the SD-WAN SLA monitor latency value.

Answer : B

The correct answer is B. Versa documentation for internet speed tests explains that when you run an internet speed test from a Director node, it creates approximately 200 sessions. This is useful for measuring aggregate throughput, but it does not represent the behavior of a single application flow. The same documentation states that you can run a speed test with a single session from the device CLI, and that this is useful for simulating file transfer rates when using SCP or FTP.

Therefore, when the goal is to understand how a single file transfer behaves, the CLI-based single-session test is the best option. A default Director-based test may produce higher aggregate results because multiple sessions can use parallelism and better fill the pipe.

show interfaces brief is useful for interface status and addressing, but it does not measure file-transfer throughput. SLA latency is useful for path-quality monitoring, but latency alone does not show single-session TCP throughput.

Question 6

A VOS branch has two WAN circuits. You suspect the configured transport domain mapping is wrong because one link is not building the expected SD-WAN path. Which VSM control-plane command is most useful to check local WAN circuit information, transport domains, NAT status, and local tunnel-site details?

Ashow vsm p2mp local-tunnel-sites 0

Bshow system package-info

Cshow orgs org-services cgnat summary

Dshow device cpuload

Answer : A

The correct answer is A. Versa SD-WAN data-path troubleshooting documentation instructs administrators to connect to the VSM control plane with vsh connect vsmd and then use show vsm p2mp local-tunnel-sites 0 to check the status of local site objects. The example output includes the local site key, neighbor IP, site type, site name, branch ID, tenant ID, and detailed WAN link information. It also shows fields such as WAN local VRF ID, WAN local link name, circuit information, link ID, behind-NAT status, shaping rate, public and private addresses, link flags, transport domain, and SLA interval.

This command is therefore highly relevant when validating whether the local SD-WAN site has learned and built the correct WAN transport objects for overlay tunnel creation. If a circuit is mapped to the wrong transport domain or has incorrect NAT/public/private address state, the local-tunnel-site output is one of the best places to confirm it.

The other commands are useful for software version, CGNAT summary, or CPU usage, but they do not show the detailed SD-WAN local tunnel-site transport mapping.

Question 7

Examine the exhibit below. You are onboarding the SOLDEU-R2 branch device using the staging script. You cannot get a Versa-Provider-Controller-VR IP address assigned, indicating that the IPsec tunnel to the corrector has not come up. You verified that the cables have been connected to the correct ports. What has caused this issue?

AThe Controller IP address is incorrectly specified in the staging script.

BThe default gateway is in not in the same subnet as the WAN IP address.

CThe serial number was corrupted in the line feed.

DThe incorrect port was specified in the staging script.

Answer : D

The issue is caused by specifying the incorrect WAN port in the staging script. In the exhibit, the SOLDEU-R2 branch is physically connected to the Internet cloud through vni-0/0, while vni-0/1 is shown as the inter-device link toward SOLDEU-R1. However, the show interfaces brief output shows that the WAN IP address 192.168.122.121/24 has been assigned to vni-0/1.0, not to the Internet-facing interface. Since the cables are confirmed to be connected correctly, the mismatch must be in the staging script interface selection, not in the cabling.

Versa documentation states that during SD-WAN staging, the branch establishes an IKE session with the Controller, and after that the Controller assigns an IP address to the branch device. Versa troubleshooting guidance also states that after transport connectivity to the Controller is established, the branch forms IKE-based IPsec connectivity, and if this succeeds, the ptvi interface toward the Controller comes up. If IKE/IPsec fails, the ptvi interface remains down. Because the staged WAN IP is placed on the wrong VNI interface, the branch cannot reach the Controller over the intended Internet transport, so the Controller tunnel does not come up.

Versa Networks Versa Certified SD-WAN Specialist VNX301 Exam Questions