300-620 Questions and Answers

The Cisco ACI site deployment feature that enables an engineer to control which bridge domains contain Layer 2 flooding across geographically separated data centers is Multi-Site. This feature allows for the extension of Layer 2 and Layer 3 connectivity between different locations with consistent policy enforcement5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/aci_multi-site/sw/2x/fundamentals/Cisco-ACI-Multi-Site-Fundamentals-Guide-211/Cisco-ACI-Multi- Site-Fundamentals-Guide-211_chapter_011.html#id_51188

The two actions that extend a Layer 2 domain beyond the ACI fabric are extending the bridge domain out of the ACI fabric (Option D) and extending the EPG out of the ACI fabric (Option E)34. Extending the bridge domain involves creating a Layer 2 outside connection, while extending the EPG involves statically assigning a port with a VLAN ID to an EPG34.

 When VM2 is live migrated from POD1 to POD2, the spines in POD2 will send an MP-BGP EVPN update to the leaves in POD1. This update informs the leaves in POD1 about the new location of VM2, allowingthem to update their forwarding tables and ensure that traffic destined for VM2 is correctly routed to its new location in POD2.

In a Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) that are generated by an external switch, such as Switch2 in this scenario, are indeed forwarded across the fabric. This allows externally connected switches to maintain a loop-free topology. While Cisco ACI does not participate in STP as it uses its own protocols and mechanisms for loop prevention within the fabric, it will forward STP BPDUs across End Point Groups (EPGs) on whichthey are received1. This ensures that the connected external switches can still use STP for their loop prevention mechanisms.

References :=

Cisco Community Discussion on STP BPDUs in ACI1

For the new nodes in a Cisco ACI Multi-Pod deployment to be discoverable by the existing Cisco APICs, DHCP relay should be enabled on all links that are connected to Cisco ACI spines on Inter-Pod Network (IPN) devices. This allows the APICs to dynamically assign IP addresses to the new nodes, facilitating their discovery and integration into the fabric.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

To meet the criteria for configuring the Cisco ACI fabric to connect to vCenter, the following actions should be taken:

Create a dynamic VLAN pool with the VLAN range of 20-30: This step involves creating a VLAN pool that dynamically assigns VLANs within the specified range to the port groups as they are created1.

Create a VMM domain and associate it with the VLAN pool: The VMM domain is a representation of the VMware vSphere Distributed Switch (VDS) in ACI, and associating it with the VLAN pool allows for the automatic creation of port groups on the VDS1.

Create the EPG and associate the domain: An Endpoint Group (EPG) is a logical entity to which workloads are attached. Associating the EPG with the VMM domain ensures that the port groups are automatically created in vCenter when the EPG is associated with a VMM domain1.

Set the deployment immediacy to On Demand: Setting the deployment immediacy to ‘On Demand’ optimizes the CAM space on the leaf switches by deploying policies to leaf nodes only when endpoints assigned to this EPG are connected, rather than immediately upon configuration12.

By following these steps, the network engineer can ensure that the Cisco ACI fabric is correctly configured to connect to vCenter, with port groups being automatically created on the distributed virtual switch, using the VLAN allocation in the range between 20-30, and optimizing the CAM space on the leaf switches.

The two protocols that support accessing backup files on a remote location from the APIC are FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol). Both FTP and SFTP allow for the transfer of files to and from a remote location, but SFTP provides an additional layer of security by utilizing SSH.

The Cisco AV Pair resolves to a managed object class. In the context of Cisco ACI, the AV Pair is used to define specific attributes for RADIUS users, which then map to managed objects within the ACI fabric3.

 In the Cisco ACI Active-Active Across Pods deployment mode, one of the key characteristics of Policy-Based Redirect (PBR) is that traffic is dynamically redirected to the firewall that owns the connection. This allows for load distribution across multiple Layer 4 to Layer 7 devices, also known as symmetric PBR. Additionally, deployment in this mode occurs in go-to mode only, which means that traffic is explicitly directed to a service node or firewall for processing

To integrate the VMware vCenter cluster with Cisco ACI and ensure that the management traffic of the hypervisors and VM controllers uses the virtual switch associated with the Cisco Application Policy, the following steps must be taken:

Enable Infrastructure VLAN on AAEP used toward VMware hypervisors: This step involves enabling the infrastructure VLAN on the Attachable Access Entity Profile (AAEP) that is used for the VMware hypervisors. This VLAN is used for carrying infrastructure traffic such as management, vMotion, and fault tolerance.

Create a static binding in the target EPG toward VMware hypervisors with VLAN 300: This step involves creating a static binding in the “Vmware-MGMT” EPG for the VMware hypervisors with VLAN 300, setting it as an untagged access VLAN, and using Untagged 802.1P mode. This ensures that the management traffic is correctly tagged and associated with the appropriate EPG.

References :=

Cisco ACI Fabric Hardware Installation Guide

Cisco ACI Troubleshooting Guide

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Virtual Machine Manager (VMM) Integration White Paper

When a bridge domain is configured with the hardware-proxy option for Layer 2 unknown unicast traffic, if the spine switch is unable to find the MAC address in the proxy database, it will drop the Layer 2unknown unicast packet4. This behavior is controlled by the hardware proxy option associated with a bridge domain4.

To filter the System Faults page and view only the active faults present in the Cisco ACI fabric, the two lifecycle stages that must be selected for filtering are:

Raised (Option A): This stage indicates that the fault is currently active and has been raised.

Raised, Clearing (Option D): This combination indicates that the fault is active but is in the process of being cleared.

In the Cisco ACI environment, when an engineer wants to enforce a specific path for ICMP replies and prevent packets from taking a direct path, setting Layer 2 Unknown Unicast to Hardware Proxy on the bridge domain (BD1) is the appropriate action. This setting ensures that the unknown unicast traffic, which includes ICMP packets destined for an unknown MAC address, is forwarded to the spine proxy. The spine proxy then forwards the packets based on the endpoint table information, ensuring that the packets follow the expected path through the fabric and do not take any shortcuts or direct paths that bypass the intended routing.

On the egress leaf switch, when traffic is received from an L3Out, no source MAC or IP address of the traffic is learned as a remote endpoint1. The Cisco ACI fabric does not learn the IP addresses from the data plane in an L3Out domain; instead, it uses ARP to resolve next-hop IP and MAC relationships to reach the prefixes behind external routers1.

In a two-pod Cisco ACI Multi-Pod environment, it is recommended to deploy no more than two Cisco APIC controllers in the same pod to avoid losing all replicas of a shard if a pod fails. TheAPIC cluster is a distributed system where each APIC contains a replica of the configuration database, referred to as a shard. If all replicas of a shard were located in the same pod and that pod were to fail, it would result in the loss of the shard and potentially impact the entire fabric’s operation. By distributing the APIC controllers across pods, the risk of losing all replicas due to a single point of failure is mitigated, enhancing the overall resiliency of the system1.

References :=

ACI Multi-Pod White Paper - Cisco1

 To allow multiple external networks to communicate with internal ACI subnets and assign the prefix to the class ID of the external Endpoint Group, the engineer should configure subnets with the External Subnets for External EPG flag enabled1. This configuration allows the specified subnets to be associatedwith an external EPG, which facilitates communication between internal tenants and external routed networks via L3Outs1.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_01001.html

 When migrating the vSphere Management VMkernel of all ESXi hosts from the standard default virtual switch to a Virtual Distributed Switch (VDS) that is integrated with APIC in a VMM domain, it is essential to set the Management VMkernel EPG resolution to Pre-Provision. This action ensures that the necessary policies are in place on the ACI fabric before the migration occurs, allowing for a seamless transition and continuous management connectivity.

When designing two data centers based on Cisco ACI technology that can extend L2/L3, VXLAN, and network policy across locations with ACI Multi-Pod, the two requirements that must be considered are:

A single APIC Cluster is required in a Multi-Pod design4.

ACI Multi-Pod requires an IP Network supporting PIM-Bidir2.

o protect the ACI fabric from spanning-tree loops, the feature that must be enabled on the ACI leaf ports is BPDU Guard 

 Changing the Layer 2 unknown unicast policy from Flood to Hardware Proxy results in the traffic being forwarded to one of the spines to perform as a spine proxy4. If the spine proxy also does not know the address, the packet is discarded4.

 To redirect traffic to the firewall using a one-armed policy-based redirect service insertion, the following configuration set should be used:

Configure a service graph: This involves defining the service graph template that represents the logical flow of traffic through network services.

Associate the service graph with All_Traffic_Allowed: By associating the service graph with the contract named All_Traffic_Allowed, traffic that matches the contract will be redirected through the service graph to the firewall device.

References :=

Cisco ACI Fabric Administration Guide, Release 4.2(1)

Cisco ACI Virtualization Guide, Release 4.2(1)

To monitor the statistics of unicast and BUM traffic seen in a certain EPG, the collection of statistics must be enabled at the EPG level. This is done by enabling the statistics specifically for unicast and BUM traffic within the EPG settings3.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/Operating_ACI/guide/b_Cisco_Operating_ACI/b_Cisco_Operating_ACI_chapter_01011.html

Text Description automatically generated with medium confidence

To meet the server team’s requirements for VMM integration with ESXi servers, the two enhanced LAG policies that should be configured are:

LB Mode: Destination IP Address and TCP/UDP Port (Option B): This load balancing mode ensures that traffic is evenly distributed across all available links based on the destination IP address and the TCP/UDP port numbers, which can provide a balanced traffic flow for different sessions.

LACP Mode: LACP Active (Option E): Setting the LACP mode to active allows the network switches to initiate the LACP negotiation, which is necessary when the servers are not configured to initiate the LACP process.

These settings ensure that the LAG group consisting of two 10 Gigabit Ethernet links will have traffic evenly distributed across them and that the network switches will initiate the LACP negotiation as required by the server team.

To ensure that users can access the Cisco APIC GUI with a local account if the RADIUS server is unreachable, the network administrator must enable the fallback check with the default authentication domain. This allows for local authentication as a backup method when RADIUS is not available. The fallback mechanism is crucial for maintaining access to the APIC GUI in case of RADIUS server issues1.

References :=

Cisco Community Discussion on Auth Radius fallback to Local1

Cisco APIC Security Configuration Guide

The two dynamic routing protocols supported when using Cisco ACI to connect to an external Layer 3 network are iBGP (Option A) and eBGP (Option E)78. These protocols are included in the routing protocol options for a Layer 3 external outside network configuration in ACI

To resolve the issue of STP convergence causing a microloop and significant CPU spike on all switches after connecting legacy non-ACI switches to the Cisco ACI fabric, BPDU filtering should be configured on the interfaces of the external switches that face the Cisco ACI fabric. BPDU filtering prevents Bridge Protocol Data Units (BPDUs) from being sent or received on those interfaces, which stops the STP process and eliminates the possibility of microloops.

 In a Cisco ACI Multi-Site fabric, when the Inter-Site BUM Traffic Allow option is enabled for a stretched bridge domain, ingress replication on the spines in the source site is used to forward Broadcast, Unknown unicast, and Multicast (BUM) traffic to all endpoints in the same broadcast domain. This method ensures that BUM traffic is replicated and sent out through the spines to the destination sites.

To enable communication between the external subnet and internal EPG1, and to allow L3Out traffic to leak into the VRF named “VF1”, the following configuration set should be used:

External Subnets for External EPG: This configuration defines the subnets that are external to the ACI fabric but need to be reachable from within the fabric. It is necessary to specify which subnets are to be considered part of the L3Out1.

Shared Route Control Subnet: This setting allows the subnets to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF1.

Shared Security Import Subnet: This configuration ensures that the security policies (contracts) associated with the shared subnets are also imported, allowing for the necessary traffic to flow between the internal and external endpoints1.

By applying this configuration set, the external subnet and internal EPG1 will be able to communicate, and the L3Out traffic will be properly leaked into the designated VRF, meeting the specified goals.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example1

The XML configuration snippet provided in the exhibit results in the creation of two objects within the Cisco ACI environment:

Bridge Domain (Option C): This is indicated by the XML element , which defines a bridge domain with the name “bd1”.

VRF (Option E): This is shown by the XML element , which defines a Virtual Routing and Forwarding instance named “pvn1”.

These objects are essential for network segmentation and routing within the ACI fabric, where the bridge domain represents a Layer 2 broadcast domain and the VRF is used for Layer 3 routing separation.

The L3Out subnet configuration option that creates an inbound route map for route filtering is Import Route Control Subnet3. This option allows for the application of route maps to incoming routes from external networks, providing granular control over which routes are allowed into the ACI fabric3.

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

 For a blade server that lacks support of bonding, the port channel mode that results in “route based on originating virtual port” on the VMware VDS is MAC Pinning-Physical-NIC-load (Option B). This mode ensures that the virtual machine traffic is distributed across the available uplinks based on the MAC address of the originating virtual port1.

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/virtualization/cisco-aci-virtualization-guide-60x/ACI-Virtualization-Guide-60x-aci-with-vmware-vds.pdf

To ensure that servers supporting only Cisco Discovery Protocol are discovered automatically by the Cisco ACI fabric when connected, the action that must be taken is to Create an override policy that enables Cisco Discovery Protocol after LLDP is enabled in the default policy group

 The two true statements regarding ACI Multi-Site are:

ACI Multi-Site is a solution that supports a dedicated APIC cluster per site1.

ACI Multi-Site is a solution that allows one APIC cluster to manage multiple ACI sites1.

When configuring in-band management IP addresses for Cisco APICs, leaf nodes, and spine nodes, the tenant used is the mgmt tenant1.

 The minimum number of APICs that Cisco recommends to deploy in a production cluster is 3 (Option B). This recommendation is based on the need for high availability and redundancy in a production environment.

In a Cisco ACI bridge domain and VRF configured with a default data-plane learning configuration, the two endpoint attributes that are programmed in the leaf switch when receiving traffic are:

Local MAC, IP (Option D)5.

Local Subnet (Option E)5. These attributes are learned by the ACI fabric through common network methods such as ARP, GARP, and ND, as well as through the data-plane. The local MAC and IP addresses are learned and used for traffic routing and bridging, while the local subnet information is used for traffic optimization and endpoint location tracking56.

To support the addition of new ESXi hosts to the existing VMM domain, the action that should be taken is to map the leaf interface selector to the AEP that is associated with the VMM domain (Option D). This ensures that the correct policies are applied to the interfaces where the new ESXi hosts are connected.

ACI Multi-Site architecture is designed to interconnect geographically dispersed data centers and extend Layer 2 and Layer 3 connectivity between those locations with consistent policy enforcement. It allows for either a single APIC cluster to manage multiple ACI sites or supports a dedicated APIC cluster per site. This architecture ensures a scalable and flexible approach to managing multiple data center sites, providing a unified policy framework and operational model across the sites34.

References :=

Cisco Multi-Site Deployment Guide for ACI Fabrics3

Cisco ACI Multi-Site Architecture White Paper4

To enable inter-VRF communication, the following configurations are necessary:

Set the subnet scope to Shared Between VRFs: This allows the subnets to be shared across different VRFs within the same tenant or across tenants, enabling communication between EPGs that are in different VRFs1.

Export the contract and import as a contract interface: By exporting a contract from the provider tenant and importing it as a contract interface in the consumer tenant, you establish a relationship that allows for controlled communication between EPGs in separate VRFs or tenants1.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example1

The feature that allows firewall ACLs to be configured automatically when new endpoints are attached to an EPG is ARP gleaning. This feature helps in identifying the endpoints and applying the necessary ACLs to them as they are discovered

The Cisco APIC configuration that prevents a remote network that is not configured on the bridge domain from being learned by the fabric is to enable Limit IP Learning to Subnet2. This setting restricts IP address learning to only those subnets that are defined on the bridge domain2.

To backup the PRODUCTION tenant configuration on the APIC using a markup language and include all secure information, the network engineer must use an export policy that allows for exporting in a markup language format such as XML or JSON and includes secure attributes. In this case, the correct export policy is Option A, which shows an interface with “Export-Tenant-Production” where the format can be selected as ‘xml’ or ‘json’, and there is an option to modify global AES encryption settings, indicating that secure information can be included in the backup.

References :=

Cisco Application Policy Infrastructure Controller (APIC) - Cisco APIC

Cisco Application Centric Infrastructure Best Practices Guide - Cisco ACI Design Guide

The image shows a graphical user interface for an export policy named “Export-Tenant-Production.” The interface provides options to select the format of the backup (either ‘json’ or ‘xml’), whether to start now with options ‘Yes’ or ‘No’, a field for Target DN with ‘/tn-PRODUCTION’filled in, a scheduler dropdown menu, and a checkbox for modifying global AES encryption settings which is enabled. This image is relevant because it depicts how to configure an export policy on Cisco’s APIC to backup tenant configurations securely.

 In Cisco ACI, the object classes are used to categorize different types of managed objects within the ACI model. The output presented is indicative of a Tenant class object. Tenants in ACI are a top-level container for application policies, essentially providing a unit of isolation from other tenants. Each tenant can contain its own application policies, services, and network policies, and they are separate from other tenants to ensure multi-tenancy1.

References :=

Cisco ACI Policy Model Guide1

Object Renaming in Cisco ACI - Cisco2

Application Centric Infrastructure (ACI) REST API Guide - Cisco DevNet

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci /apic/sw/4-x/openstack/ACI-Installation-Guide-for-Red-Hat-Using-OSP13-Director/m-configuring-ironic-for-openstack.html

 In a Cisco ACI Multi-Pod environment with active-active data centers and active-standby firewalls in each data center, enabling Pod ID Aware Redirection is the action that should be taken to maintain traffic symmetry through the firewalls. This feature ensures that traffic is consistently directed through the active firewall based on the pod identifier, thus maintaining the desired traffic flow and symmetry2.

References :=

Cisco ACI Multi-Pod and Service Node Integration White Paper

The true statement regarding ACI Multi-Pod and TEP pool is that the same TEP pool is used in all Pods. This shared TEP pool ensures consistent addressing and simplifies the management of the overlay network across multiple Pods.

For AAA configuration within the Cisco ACI fabric, where authentication should fall back to local users if the TACACS+ server is unreachable, and access must be granted through the fallback domain if the Cisco APIC is out of the cluster, the configuration set that meets these requirements is to have the Default Authentication Realm set to TACACS+ with Fallback Check enabled. This ensures that when the TACACS+ server cannot be reached, the system will fall back to using local authentication

To modify the event to be displayed as a warning in the future, you need to navigate to the ACI Fault tab and change the severity level of the fault. This involves selecting the monitoring objectthat corresponds to the class of the Managed Object (MO) that generated the fault, then choosing the fault code you want to modify and setting an initial severity value1.

References :=

Cisco APIC Faults, Events, and System Messages Management Guide2

How ACI Faults Are Generated and How to Selectively Prevent … - Cisco1

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

 When creating a subnet within a bridge domain in Cisco ACI, the configuration option used to specify the network visibility of the subnet is the scope12. The scope can be set to private, public, or shared, determining how the subnet is advertised and accessed within and outside of the ACI fabric12.

When traffic is received from a Layer 3 Out (L3Out) on the ingress leaf switch in a Cisco ACI fabric, the source IP address of the traffic is learned as a remote endpoint. This is because the traffic is entering the ACI fabric from an external network, and the source IP is considered remote to the fabric.