300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Question and Answers

In the Cisco ACI environment, when an engineer wants to enforce a specific path for ICMP replies and prevent packets from taking a direct path, setting Layer 2 Unknown Unicast to Hardware Proxy on the bridge domain (BD1) is the appropriate action. This setting ensures that the unknown unicast traffic, which includes ICMP packets destined for an unknown MAC address, is forwarded to the spine proxy. The spine proxy then forwards the packets based on the endpoint table information, ensuring that the packets follow the expected path through the fabric and do not take any shortcuts or direct paths that bypass the intended routing.

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

 To determine if a change in the behavior of the ACI fabric was due to human intervention, an ACI administrator should inspect the audit logs in the APIC UI. The audit logs provide a record of all user events, which includes actions performed by users, making it possible to trace any changes back to specific human activities1.

The characteristic of Cisco ACI Multi-Pod that makes it unsuitable for deploying three separate data centers is that it requires all pods to share the same Cisco APIC cluster. In a Multi-Pod deployment, all the pods are part of the same fabric and are managed by a single APIC cluster, which means that they are not completely isolated from each other.

The XML configuration snippet provided in the exhibit results in the creation of two objects within the Cisco ACI environment:

Bridge Domain (Option C): This is indicated by the XML element , which defines a bridge domain with the name “bd1”.

VRF (Option E): This is shown by the XML element , which defines a Virtual Routing and Forwarding instance named “pvn1”.

These objects are essential for network segmentation and routing within the ACI fabric, where the bridge domain represents a Layer 2 broadcast domain and the VRF is used for Layer 3 routing separation.

When the Cisco ACI fabric has a stale endpoint entry for the destination endpoint, the traffic flow is affected in that the leaf switch floods the traffic to the endpoint throughout the fabric (Option C). This flooding occurs because the leaf switch does not have the correct location of the endpoint in its endpoint table, leading it to flood the traffic in an attempt to reach the destination.

When a pre-provision immediacy is used, the policy is downloaded to the Cisco ACI leaf switch and programmed into the hardware policy Content Addressable Memory (CAM) as soon as the change isimplemented on the Cisco Application Policy Infrastructure Controller (APIC). This means that the policy is ready on the leaf switch before any endpoints are actually connected.

In Cisco ACI, a leaf switch learns a source IP or MAC as a remote endpoint when VXLAN traffic arrives on a leaf fabric port from the spine, and the inner source IP is within the range of the bridge domain subnets associated with the leaf. This process is part of the ACI’s COOP (Council Of Oracles Protocol), which ensures that endpoint information is accurately disseminated across the fabric for efficient traffic forwarding.

To extend the EPG-100 to the vCenter as a port group with a tagged VLAN ID of 100, the following actions should be taken:

Define a static VLAN range (from 100-200) under a VLAN pool: This step involves creating a VLAN pool that includes the desired VLAN range. The VLAN pool is then associated with the VMM domain that corresponds to the vCenter integration1.

Associate the dc1vcdev domain with EPG: The VMM domain named ‘dc1vcdev’ should be associated with the EPG-100. This association allows for the automatic creation of port groups in vCenter when the EPG is associated with a VMM domain1.

Select the appropriate settings for the domain association:

Untagged VLAN Access: This should be unselected because the VLAN ID needs to be tagged.

VLAN Mode: Set to ‘Static’ to specify the encapsulation VLAN ID.

Encap: Set to ‘100’ to define the specific VLAN ID that should be tagged for the port group1.

References :=

Cisco APIC Layer 2 Networking Configuration Guide1

Cisco APIC Layer 2 Networking Configuration Guide1

 In a Cisco ACI fabric, the spine switches are typically configured as route reflectors. This is because spine switches are central to the fabric’s architecture and are responsible for interconnecting all the leaf switches, making them ideal for reflecting BGP routes within the fabric. Therefore, the components that should be configured as route reflectors are:

Spine1 (Option A)

Spine2 (Option C)

The purpose of the Overlay Multicast TEP (O-MTEP) in a Cisco ACI Multi-Site deployment is to perform head-end replication for BUM (Broadcast, Unknown unicast, Multicast) traffic. This common anycast address is shared by all the spine nodes in the same site and is used to replicate BUM traffic across the sites4.

When configuring a Multi-Pod system with the default gateway residing outside of the ACI fabric for a bridge domain, the setting that should be configured is to disable Limit IP Learning to Subnet (Option A). This allows the ACI fabric to learn IP addresses outside of the defined subnet, which is necessary when the default gateway is external.

To filter the System Faults page and view only the active faults present in the Cisco ACI fabric, the two lifecycle stages that must be selected for filtering are:

Raised (Option A): This stage indicates that the fault is currently active and has been raised.

Raised, Clearing (Option D): This combination indicates that the fault is active but is in the process of being cleared.

 When the VMM resolution immediacy is set to pre-provision in a Cisco ACI environment, policies are downloaded to the ACI leaf switch regardless of Cisco Discovery Protocol neighborship1. This setting ensures that the policies are in place on the leaf switches even before a VM controller is attached to the virtual switch1.

When traffic is received from a Layer 3 Out (L3Out) on the ingress leaf switch in a Cisco ACI fabric, the source IP address of the traffic is learned as a remote endpoint. This is because the traffic is entering the ACI fabric from an external network, and the source IP is considered remote to the fabric.

The type of policy that configures the suppression of faults generated from a port being down is the ‘fault severity assignment’ policy. This policy allows administrators to change the severity of a fault or suppress it altogether, which can be useful for managing expected faults and reducing noise from non-critical events

 In the context of ACI Multi-Site, the information of an endpoint (MAC/IP) that belongs to site 1 is advertised to site 2 using the EVPN control plane as soon as the endpoint is discovered in one site. This allows for immediate visibility of the endpoint across sites.

Associating the VMM domain with the EPGs (Endpoint Groups) that must be available in vCenter is the action that accomplishes the goal of creating port groups automatically in vSphere and propagating them to hypervisors when created in the ACI environment. This integration allows the APIC to automatically create port groups in the VMware vCenter under the VDS (vSphere Distributed Switch), which provisions the network policy in the VMware vCenter

To set Layer 2 loop migration in an ACI Fabric with a Layer 2 Out configured, MCP (Misconfiguration Protocol) must be enabled on the ACI fabric56. MCP helps to prevent Layer 2 loops by detecting misconfigurations that could potentially cause loops56.

 To perform a Cisco ACI fabric upgrade that minimizes the impact on user traffic and allows only permitted users to perform an upgrade, the following configuration steps should be taken:

Divide Cisco APIC controllers into two or more maintenance groups: This step involves organizing the APIC controllers into separate maintenance groups to allow for a phased upgrade process, reducing the impact on user traffic5.

Divide switches into two or more maintenance groups: This step involves organizing the switches into separate maintenance groups, which allows for a controlled and phased upgrade process, minimizing the impact on the network during the upgrade5.

To implement a Layer 3 out (L3Out) inside the Cisco ACI fabric that meets the specified requirements, the following steps should be taken:

Configure the OSPF Protocol policy with an area of 0: This step involves setting up OSPF, a link-state routing protocol that supports hierarchical network design, as the routing protocol for the L3Out1.

Create Routed Outside object and Node Profile, selecting OSPF: This step involves creating a Routed Outside object and associating it with a Node Profile that specifies OSPF as the routing protocol1.

Build the Interface profile, selecting Routed Sub-interface and the appropriate VLAN: This step involves creating an Interface profile for the connection to the data center core switch, using 802.1Q tagging for VLAN separation2.

Configure the External Network object with a network of 0.0.0.0/0: This step involves setting up the External Network object to advertise routes to the rest of the network1.

 To allow multiple external networks to communicate with internal ACI subnets and assign the prefix to the class ID of the external Endpoint Group, the engineer should configure subnets with the External Subnets for External EPG flag enabled1. This configuration allows the specified subnets to be associatedwith an external EPG, which facilitates communication between internal tenants and external routed networks via L3Outs1.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_01001.html

The import mode that must be used to ensure that the import process terminates if the imported configuration is incompatible with the existing system is the ‘atomic’ mode. This mode ignores shards that contain objects that cannot be imported while proceeding with shards that can be imported. If the incoming configuration’s version is incompatible with the existing system, the import process will terminate2.

The two dynamic routing protocols supported when using Cisco ACI to connect to an external Layer 3 network are iBGP (Option A) and eBGP (Option E)78. These protocols are included in the routing protocol options for a Layer 3 external outside network configuration in ACI

To implement management policy and data plane separation in the Cisco ACI fabric, the ACI object that must be created in Cisco APIC is a Bridge domain

On the egress leaf switch, when traffic is received from an L3Out, no source MAC or IP address of the traffic is learned as a remote endpoint1. The Cisco ACI fabric does not learn the IP addresses from the data plane in an L3Out domain; instead, it uses ARP to resolve next-hop IP and MAC relationships to reach the prefixes behind external routers1.

 The table that holds IP address, MAC address, and VXLAN/VLAN information on a Cisco ACI leaf is the endpoint table6. This table is essential for the ACI fabric’s ability to track and apply policies to endpoints.

To backup the PRODUCTION tenant configuration on the APIC using a markup language and include all secure information, the network engineer must use an export policy that allows for exporting in a markup language format such as XML or JSON and includes secure attributes. In this case, the correct export policy is Option A, which shows an interface with “Export-Tenant-Production” where the format can be selected as ‘xml’ or ‘json’, and there is an option to modify global AES encryption settings, indicating that secure information can be included in the backup.

References :=

Cisco Application Policy Infrastructure Controller (APIC) - Cisco APIC

Cisco Application Centric Infrastructure Best Practices Guide - Cisco ACI Design Guide

The image shows a graphical user interface for an export policy named “Export-Tenant-Production.” The interface provides options to select the format of the backup (either ‘json’ or ‘xml’), whether to start now with options ‘Yes’ or ‘No’, a field for Target DN with ‘/tn-PRODUCTION’filled in, a scheduler dropdown menu, and a checkbox for modifying global AES encryption settings which is enabled. This image is relevant because it depicts how to configure an export policy on Cisco’s APIC to backup tenant configurations securely.

In a Cisco ACI environment with multiple silent hosts that are often relocated between leaf switches, configuring IP Data-Plane Learning to ‘No’ will minimize the relocation impact and make the ACI fabric relearn the new location of the host faster. Disabling IP Data-Plane Learning prevents the fabric from learning IP addresses from the data plane, which can speed up the process of relearning host locations when they move3.

To allow SNMP traffic on the APIC controller, a contract under tenant mgmt must be configured3.

Table Description automatically generated with medium confidence

When implementing a connection that represents an external bridged network, the configurations used are Layer 2 outside (Option B) and Static path binding (Option D)12. Layer 2 outside is typically used to connect a bridged external network trunk switch to a leaf switch in the ACI fabric, while static path binding is used to assign specific ports on a leaf switch to an external bridged network12.

In a Cisco ACI configuration with IEEE 802.1p ports, the traffic exits from the EPG untagged from leaf ports. This means that when the port is configured in Access (802.1p) mode and the access VLAN is the only VLAN deployed on the port, then traffic will be untagged on egress56.

To minimize possible traffic impact during the upgrade of an ACI fabric with 3 APIC controllers and servers dual-homed to pairs of leaf switches configured in VPC mode, the fabric should be upgraded following Option A2. This option involves creating two maintenance groups for the APIC controllers, upgrading one group at a time, and then proceeding with the leaf switches2. This staged approach helps ensure that not all paths are affected simultaneously, thereby reducing the potential for traffic disruption2.

When extending EPG connectivity to an external network that houses the Layer 3 gateway and other end hosts, the ACI bridge domain configuration should use Forwarding: Custom, L2 Unknown Unicast: Hardware Proxy, L3 Unknown Multicast Flooding: Flood, Multi Destination Flooding: Flood in BD, and ARP Flooding: Enabled23. This configuration ensures that unknown unicast traffic is handled efficiently while still allowing ARP flooding, which is necessary for the ACI fabric to learn about endpoints on the external network23.

 When migrating the vSphere Management VMkernel of all ESXi hosts from the standard default virtual switch to a Virtual Distributed Switch (VDS) that is integrated with APIC in a VMM domain, it is essential to set the Management VMkernel EPG resolution to Pre-Provision. This action ensures that the necessary policies are in place on the ACI fabric before the migration occurs, allowing for a seamless transition and continuous management connectivity.

With unicast routing enabled on the bridge domain, the two conditions that enable the Cisco ACI leaf to learn a source IP as a local endpoint are:

Through Ethernet traffic received in a bridge domain (Option A): The leaf switch learns the source IP address as a local endpoint when it receives Ethernet traffic within the bridge domain.

Through ARP received on an SVI (Option E): The leaf switch also learns the source IP address as a local endpoint when it receives an ARP request or reply on a Switched Virtual Interface (SVI) associated with the bridge domain.

These conditions allow the ACI fabric to maintain an accurate endpoint database for efficient routing and forwarding of traffic within the fabric.

https://www.cisco .com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739989.html

Graphical user interface, text Description automatically generated with medium confidence

To prevent packet loss between the distributed virtual switch and the ACI fabric in a company’s ESXi infrastructure hosted on Cisco UCS-B Blade Servers, the vSwitch policy must implement MAC Pinning. This setting ensures that each virtual interface card (vNIC) on the UCS servers is pinned to an uplink Ethernet port, providing a stable and consistent path for traffic and preventing packet loss due to path changes.

 For Cisco ACI IPN (Inter-Pod Network) to manage multidestination traffic, multicast routing is a requirement. This is because multidestination traffic includes broadcast, unknown unicast, and multicast (BUM) traffic, which needs to be efficiently transported across different pods in a Cisco ACI Multi-Pod environment. Multicast routing protocols like Bidirectional Protocol-Independent Multicast (Bidir PIM) are used to handle this type of traffic1.

References :=

Cisco Application Centric Infrastructure Multi-Pod Configuration White Paper1

In a Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) that are generated by an external switch, such as Switch2 in this scenario, are indeed forwarded across the fabric. This allows externally connected switches to maintain a loop-free topology. While Cisco ACI does not participate in STP as it uses its own protocols and mechanisms for loop prevention within the fabric, it will forward STP BPDUs across End Point Groups (EPGs) on whichthey are received1. This ensures that the connected external switches can still use STP for their loop prevention mechanisms.

References :=

Cisco Community Discussion on STP BPDUs in ACI1

To configure communication between the EPGs in different tenants, the subnet scope should be set to “Shared between VRFs”. This allows the subnet to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF. By marking the subnet as shared, it becomes visible to other VRFs, which is necessary for inter-tenant communication1.

References :=

Learning ACI - Part 12: Inter-VRF and Inter-Tenant Communication

The two requirements for the IPN network when implementing a Multi-Pod ACI fabric are:

PIM ASM multicast routing2.

OSPF routing3.

The COOP (Council Of Oracle Protocol) database is located on each spine switch within the Cisco ACI fabric. The COOP database is responsible for maintaining a consistent copy of endpoint address and location information across the fabric

 In Cisco Application Centric Infrastructure (ACI), when a subnet is configured on a bridge domain, the gateway IP address is configured on the leaf switches where the bridge domain of the tenant is present. This configuration allows for localized routing within the fabric, providing efficient east-west traffic handling without requiring traffic to traverse up to the spine nodes unless necessary for north-south routing or policy enforcement.

To ensure that Cisco ACI flushes the appropriate endpoints when a topology change notification message is received in an MST domain, the three steps required are:

Enable the BPDU interface controls under the spanning tree interface policy (Option A)2.

Bind the spanning tree policy to the switch policy group (Option C)3.

Associate the STP interface policy to the appropriate interface policy group (Option D)3. These steps ensure that the ACI fabric responds correctly to STP events, such as topology changes, by flushing the MAC address table and the Local Station Table for the affected VLAN on the leaf switch4.

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

The two protocols that support accessing backup files on a remote location from the APIC are FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol). Both FTP and SFTP allow for the transfer of files to and from a remote location, but SFTP provides an additional layer of security by utilizing SSH.

Enabling the “disable Remote EP learn” feature in Cisco ACI has the effect of preventing border leaf switches from receiving routes through peering with external routers. This feature is particularly useful when there is a mix of Gen1 and Gen2 hardware in the fabric, as it clears all the remote endpoints from the border leaf only. Traffic will still use hardware proxy if the endpoint is not learned on the border leaf, ensuring no operational impact12.

References :=

ACI Fabric Endpoint Learning White Paper2

Cisco Community Discussion on Disable Remote EP Learn

https://unofficialaciguide.com/2018/11/29/aci-best-practice-configurations/

To deploy an access port policy group within Cisco ACI, an attachable entity profile (AEP) needs to be created. An AEP is a policy construct that groups together various domains and allows them to be attached to the fabric access layer

C:\Users\User\AppData\Local\Temp\SNAGHTML5a772e.PNG

To restrict User X to have access only to TenantX without any extra privileges in the Cisco ACI fabric domain, the Cisco AV pair that must be implemented on the RADIUS server is shell:domains = TenantX-SD/tenant-admin. This AV pair assigns User X the role of tenant admin within the security domain of TenantX, ensuring that the user has the necessary permissions to manage resources within TenantX and no additional privileges outside of this scope.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/Security_config/b_Cisco_APIC_Securi ty_Guide/b_Cisco_APIC_Security_Guide_chapter_0100.html

Graphical user interface, text, application Description automatically generated

When extending an EPG out of the ACI fabric using static path binding, it is true that external endpoints are in the same EPG as the directly attached endpoints8. This means that traffic received on a statically bound leaf port with a specific VLAN ID is mapped to the EPG, and the same policies applied to directly attached endpoints are enforced on the external endpoints8.

 To resolve the VRF route leaking issue and ensure that the route in the Non-Production:vrf-nonprod VRF to the production tenant is present, the action that should be taken is to enable the “Shared between VRFs” option for the bridge domain (BD) subnet in the production VRF. This setting allows the subnet to be shared across different VRFs within the same tenant or across tenants, enabling communication between EPGs that are in different VRFs1.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example