In Prisma Access's default routing mode, the service connections establish BGP sessions with the

customer premises equipment (CPE) in the data centers. To ensure traffic destined for mobile users

in a specific region (e.g., North America) traverses the service connection in that same region, you

need to control the route advertisements.

Filtering out the mobile user pool prefixes from the other region on each service connection achieves

this by:

Preventing the data center in one region from learning the specific mobile user prefixes of the other

region. For example, the North American service connection would filter out the mobile user pool

prefixes allocated to European users.

Ensuring that when a data center needs to send traffic to a mobile user, it will only see and use the

route advertised by the service connection in the appropriate geographical region. This forces the

traffic to enter the Prisma Access infrastructure through the intended regional service connection.

Let's analyze why the other options are incorrect based on official documentation regarding default

routing mode:

A . Configure BGP on the customer premises equipment (CPE) to prefer the assigned community

string attribute on the mobile user prefixes in its respective Prisma Access region. While BGP

communities can be used for influencing routing decisions, in the context of default routing mode

and ensuring regional traffic flow, relying solely on the CPE to prefer community strings might not be

the most robust or direct method to guarantee traffic traverses the correct regional service

connection. The service connection itself needs to control the advertisement of prefixes.

C . Configure BGP on the customer premises equipment (CPE) to prefer the MED attribute on the

mobile user prefixes in its respective Prisma Access region. The BGP MED (Multi-Exit Discriminator)

attribute is primarily used to influence the path selection between autonomous systems (AS) or

within the same AS at different entry points. In this scenario, where service connections are

advertising prefixes, filtering at the source (service connection) is a more direct and reliable way to

ensure regional traffic flow than relying on the MED attribute on the CPE.

D . Configure each service connection to prepend the BGP ASN five times for mobile user pool

prefixes originating from the other region. BGP AS path prepending is a mechanism to make a path

less desirable. While this could influence routing, it doesn't guarantee that traffic will always take the

intended regional path. Filtering provides a more definitive control over which routes are advertised

and learned.

Therefore, configuring each service connection to filter out the mobile user pool prefixes from the

other region in the advertisements to the data center is the verified method to ensure traffic

destined for mobile users traverses the service connection in the appropriate region when using

Prisma Access in default routing mode.