Cisco 300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Exam Practice Test

 In Cisco ACI, communication between Endpoint Groups (EPGs) is controlled by contracts. Contracts define the types of traffic and the rules that govern how EPGs can communicate with each other. They act as a policy framework that enforces security and segmentation within the ACI fabric.

In Cisco ACI fabric, MP-BGP (Multi-Protocol Border Gateway Protocol) is utilized for several purposes, one of which includes the propagation of L3Out (Layer 3 Out) routes within the fabric. Specifically, MP-BGP with VPNv4 address family (AF) is used in the ACI infra VRF (overlay-1 VRF) to distribute external routes from a border leaf to other leaf switches1. This allows for the efficient dissemination of routing information and ensures that all relevant leaf switches are aware of the routes necessary to reach external networks.

References :=

ACI Fabric L3Out White Paper - Cisco1

Configuring ACI Fabric BGP Route Reflectors - Cisco2

ACI Fabric - Underlying protocols - Cisco Community3

Cisco Application Centric Infrastructure Fundamentals, Release 5.3(x)4

On the egress leaf switch, when traffic is received from an L3Out, no source MAC or IP address of the traffic is learned as a remote endpoint1. The Cisco ACI fabric does not learn the IP addresses from the data plane in an L3Out domain; instead, it uses ARP to resolve next-hop IP and MAC relationships to reach the prefixes behind external routers1.

The two requirements for the IPN network when implementing a Multi-Pod ACI fabric are:

PIM ASM multicast routing2.

OSPF routing3.

When deploying a new Cisco ACI Multi-Pod setup, it’s crucial to ensure that the Tunnel Endpoint (TEP) pool of the new pod is routable across the Inter-Pod Network (IPN). This allows the TEP addresses to be reachable across the pods, facilitating communication between them. Additionally, increasing the Maximum Transmission Unit (MTU) for all IPN routers is necessary to support the larger frame size required by VXLAN encapsulation, which is typically above the standard Ethernet MTU of 1500 bytes.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

When a bridge domain is configured with the hardware-proxy option for Layer 2 unknown unicast traffic, if the spine switch is unable to find the MAC address in the proxy database, it will drop the Layer 2unknown unicast packet4. This behavior is controlled by the hardware proxy option associated with a bridge domain4.

 To perform a Cisco ACI fabric upgrade that minimizes the impact on user traffic and allows only permitted users to perform an upgrade, the following configuration steps should be taken:

Divide Cisco APIC controllers into two or more maintenance groups: This step involves organizing the APIC controllers into separate maintenance groups to allow for a phased upgrade process, reducing the impact on user traffic5.

Divide switches into two or more maintenance groups: This step involves organizing the switches into separate maintenance groups, which allows for a controlled and phased upgrade process, minimizing the impact on the network during the upgrade5.

In a Cisco ACI Multi-Pod environment, Pods use over Layer 3 IPN connectivity via spines to allow Pod-to-Pod communication6.

https://www.cisco.com/c/ en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737855.html

The two actions that extend a Layer 2 domain beyond the ACI fabric are extending the bridge domain out of the ACI fabric (Option D) and extending the EPG out of the ACI fabric (Option E)34. Extending the bridge domain involves creating a Layer 2 outside connection, while extending the EPG involves statically assigning a port with a VLAN ID to an EPG34.

When the client endpoint and the service node interface are in different subnets, the Adjacency Type value should be set to Routed. This setting is used to indicate that routing is required between the client endpoint and the service node interface, as they are not in the same Layer 2 broadcast domain and need Layer 3 routing to communicate.

To support cross-site connectivity in a production Multi-Site solution, where connectivity from EPGs from a specific site to networks reachable through a remote site L3OUT is required, the additional configuration that must be implemented in the Multi-Site Orchestrator is to add a new stretched external EPG to the existing L3OUT1. This allows the EPGs from one site to communicate with the networks defined in the L3OUT at the remote site, facilitating the required connectivity across sites.

References :=

Cisco ACI Multi-Site Configuration Guide1

When traffic is received from a Layer 3 Out (L3Out) on the ingress leaf switch in a Cisco ACI fabric, the source IP address of the traffic is learned as a remote endpoint. This is because the traffic is entering the ACI fabric from an external network, and the source IP is considered remote to the fabric.

To integrate a new Hyperflex storage cluster into an existing Cisco ACI fabric and manage it with vCenter, the following steps should be taken:

Create a new vSphere Distributed Switch (vDS): This is done within the vCenter interface. The vDS acts as a single virtual switch across all associated hosts in the data center, providing centralized management and monitoring of the network configuration1.

Configure the vDS for the Hyperflex cluster: This involves setting up the correct port groups, VLANs, and uplink profiles to ensure proper network segmentation and performance2.

Enable hardware discovery using a vendor-neutral protocol: This could involve using protocols like LLDP (Link Layer Discovery Protocol) or CDP (Cisco Discovery Protocol), which are supported by vCenter and can help in identifying and managing physical network devices3.

Integrate the Hyperflex cluster with ACI using the Application Policy Infrastructure Controller (APIC): This involves creating the necessary policies and profiles in ACI to manage the Hyperflex storage traffic effectively4.

References :=

Cisco HyperFlex Systems Installation Guide for VMware ESXi1

Cisco HyperFlex Virtual Server Infrastructure 3.0 with Cisco ACI 3.2 and VMware vSphere 6.52

How to Set Up Networking with vSphere Distributed Switches - VMware Docs3

Tutorial: How to integrate HyperFlex and ACI with VMM (VMware) and UCSM4

To prevent packet loss between the distributed virtual switch and the ACI fabric in a company’s ESXi infrastructure hosted on Cisco UCS-B Blade Servers, the vSwitch policy must implement MAC Pinning. This setting ensures that each virtual interface card (vNIC) on the UCS servers is pinned to an uplink Ethernet port, providing a stable and consistent path for traffic and preventing packet loss due to path changes.

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. Inthis case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

The XML configuration snippet provided in the exhibit results in the creation of two objects within the Cisco ACI environment:

Bridge Domain (Option C): This is indicated by the XML element , which defines a bridge domain with the name “bd1”.

VRF (Option E): This is shown by the XML element , which defines a Virtual Routing and Forwarding instance named “pvn1”.

These objects are essential for network segmentation and routing within the ACI fabric, where the bridge domain represents a Layer 2 broadcast domain and the VRF is used for Layer 3 routing separation.

To support a new application that is sensitive to latency and jitter and sets the DSCP values of packets to AF31 and CS6, it is necessary to align the ACI Quality of Service (QoS) levels and Inter-Pod Network (IPN) QoS policies. This alignment ensures that the DSCP values are preserved and respected across the ACI fabric and the IPN, preventing packets from being delayed or dropped between pods.

References :=

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Best Practices Guide

Cisco ACI Quality of Service Configuration Guide

An EPG is extended outside of the ACI fabric by statically assigning a VLAN ID to a leaf port in an EPG. This method maps the traffic received on the leaf port to the EPG, and the policy for this EPG is enforced

To clear the critical fault related to B2B credit oversubscription in the ACI domain connectivity to the fiber channel storage, the value that should be chosen is 5101. This value is set to address the issue of B2B credit oversubscription and clear the critical fault as reported by the client1.

 To have the endpoint table learn the IP addresses of endpoints in a bridge domain, unicast routing must be enabled1. This allows the bridge domain to learn the IP addresses of endpoints through the data plane1.

To migrate the gateway address out of the ACI fabric for an endpoint group (EPG), the bridge domain configuration must ensure that routing is contained within the ACI fabric and that ARP requests are managed efficiently. The correct configuration set is:

L2 Unknown Unicast: Set to Hardware Proxy. This setting allows the ACI fabric to use the spine proxy function to handle unknown unicast traffic, which helps to reduce flooding within the fabric.

Unicast Routing: Set to Disabled. Since the gateway is being migrated out of the ACI fabric, unicast routing should be disabled to prevent the ACI fabric from attempting to route traffic for the EPG.

ARP Flooding: Set to Enabled. This allows ARP requests to be flooded within the bridge domain, which is necessary when the unicast routing is disabled, to ensure that ARP requests can still be resolved.

References :=

Cisco ACI Bridge Domain Configuration Guide

Cisco ACI Best Practices Guide

 In Cisco ACI, the object classes are used to categorize different types of managed objects within the ACI model. The output presented is indicative of a Tenant class object. Tenants in ACI are a top-level container for application policies, essentially providing a unit of isolation from other tenants. Each tenant can contain its own application policies, services, and network policies, and they are separate from other tenants to ensure multi-tenancy1.

References :=

Cisco ACI Policy Model Guide1

Object Renaming in Cisco ACI - Cisco2

Application Centric Infrastructure (ACI) REST API Guide - Cisco DevNet

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci /apic/sw/4-x/openstack/ACI-Installation-Guide-for-Red-Hat-Using-OSP13-Director/m-configuring-ironic-for-openstack.html

For AAA configuration within the Cisco ACI fabric, where authentication should fall back to local users if the TACACS+ server is unreachable, and access must be granted through the fallback domain if the Cisco APIC is out of the cluster, the configuration set that meets these requirements is to have the Default Authentication Realm set to TACACS+ with Fallback Check enabled. This ensures that when the TACACS+ server cannot be reached, the system will fall back to using local authentication

To create a backup of the Cisco ACI fabric for disaster recovery that is secure, encrypted, and in a format conducive to processing with a Python script, the engineer must select Secure Copy Protocol (SCP) for secure and encrypted transport. The backup file should be in JSON format, which is similar to a Python dictionary and can be easily processed by a Python script. Additionally, enabling Global AES Encryption ensures that all user and password-related information is included securely in the backup1.

In a Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) that are generated by an external switch, such as Switch2 in this scenario, are indeed forwarded across the fabric. This allows externally connected switches to maintain a loop-free topology. While Cisco ACI does not participate in STP as it uses its own protocols and mechanisms for loop prevention within the fabric, it will forward STP BPDUs across End Point Groups (EPGs) on whichthey are received1. This ensures that the connected external switches can still use STP for their loop prevention mechanisms.

References :=

Cisco Community Discussion on STP BPDUs in ACI1

 The table that holds IP address, MAC address, and VXLAN/VLAN information on a Cisco ACI leaf is the endpoint table6. This table is essential for the ACI fabric’s ability to track and apply policies to endpoints.

To ensure that only events related to leaf and spine environmental information are logged without including specific customer data, the configuration should be applied to the fabric policy. The fabric policy in Cisco ACI is used to define global settings that apply to the entire fabric, such as syslog settings, which can be configured to filter and forward only the desired types of system messages12.

C:\Users\User\AppData\Local\Temp\SNAGHTML5a772e.PNG

 In the Cisco ACI Active-Active Across Pods deployment mode, one of the key characteristics of Policy-Based Redirect (PBR) is that traffic is dynamically redirected to the firewall that owns the connection. This allows for load distribution across multiple Layer 4 to Layer 7 devices, also known as symmetric PBR. Additionally, deployment in this mode occurs in go-to mode only, which means that traffic is explicitly directed to a service node or firewall for processing

In the Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) are flooded within the bridge domain VLAN. This allows the BPDUs to be propagated throughout the bridge domain, enabling STP to function correctly for the associated VLAN.

 In the context of ACI Multi-Site, the information of an endpoint (MAC/IP) that belongs to site 1 is advertised to site 2 using the EVPN control plane as soon as the endpoint is discovered in one site. This allows for immediate visibility of the endpoint across sites.

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

To securely back up the current Cisco ACI configuration to a remote location with encryption and authentication, and ensure that sensitive information is not exported, the following steps should be taken:

Create a Remote Location: Define a remote location where the backup will be stored. This involves specifying the hostname or IP address of the remote server and selecting the protocol (SCP/FTP/SFTP) to be used1.

Create a Configuration Export Policy: Set up an export policy that defines the format (XML/JSON) and the destination for the backup. This policy will also include the schedule for the backup to run once per day1.

Configure Global AES Encryption: To ensure that the backup is encrypted, configure the Global AES Encryption setting. This will allow for hashed secure properties, such as passwords and certificates, to be exported in an encrypted form. It’s important to configure a passphrase that is at least 16 characters long for the encryption1.

Schedule the Backup Job: Use the scheduler to set up the backup job to run once per day. This ensures that the backup process is automated and adheres to the customer’s security policy1.

Exclude Sensitive Information: To comply with the security policy that mandates sensitive information not be exported, ensure that the configuration export policy is set to exclude secure fields unless encryption is enabled1.

References :=

Cisco Guide on Creating a Backup for Your APIC Cluster1

Cisco Community Discussion on Backing Up ACI Configuration2

The two essential components of a Cisco ACI Virtual Machine Manager (VMM) domain policy configuration are:

VMM domain profile1.

EPG association1.

https://www.cisco.com/c/en/us/td/docs/switches/datac enter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_01011.html#concept_74EFC437C0AA44A391676F70ACE59DF3

 In Cisco ACI, a contract is used to define the communication policy between EPGs (Endpoint Groups). It specifies which types of traffic are allowed to pass between EPGs and can include filters for protocols, ports, and other attributes. In the context of the logical system design, the contract would be the object that completes the communication requirements as indicated by the dotted line in the exhibit12.

References :=

Cisco Application Centric Infrastructure (ACI) Design Guide1

Cisco ACI Policy Model Guide2

The type of port used for in-band management within ACI fabric is the spine switch port4.

The two protocols that support accessing backup files on a remote location from the APIC are FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol). Both FTP and SFTP allow for the transfer of files to and from a remote location, but SFTP provides an additional layer of security by utilizing SSH.

The attribute that should be configured for each user to enable RADIUS for external authentication in Cisco ACI is cisco-av-pair. This attribute allows for the assignment of roles and permissions to users authenticated via RADIUS.

The feature that dynamically assigns or modifies the EPG association of virtual machines based on their attributes is uSeg EPGs. uSeg EPGs allow for microsegmentation within the Cisco ACI environment, enabling the dynamic assignment of VMs to EPGs based on attributes such as VM name, tag, or other identifiers

To resolve the issue of STP convergence causing a microloop and significant CPU spike on all switches after connecting legacy non-ACI switches to the Cisco ACI fabric, BPDU filtering should be configured on the interfaces of the external switches that face the Cisco ACI fabric. BPDU filtering prevents Bridge Protocol Data Units (BPDUs) from being sent or received on those interfaces, which stops the STP process and eliminates the possibility of microloops.

To implement the inter-tenant service graph, the set of actions that must be taken are:

Define the contract in the provider tenant and export it to the consumer tenant (Option B).

Define the L4-L7 device and service graph template in the provider tenant and the ASA bridge domains in the consumer tenant (Option B).

This approach allows for the proper configuration and association of the service graph between the provider and consumer tenants, ensuring that the services are correctly applied to the traffic flowing between them.

In Cisco ACI, the interface lo1023 is assigned as a fabric tunnel endpoint (FTEP). This is a pervasive address found on every leaf and it’s always the same. It is used mostly for AVS (Application Virtual Switch) when the infra VXLAN is extended out of the fabric1. The FTEP is crucial for the internal operation of the fabric, particularly for scenarios where the infrastructure VXLAN needs to be extended outside of the ACI fabric.

References :=

Default IP interfaces on Fabric nodes - Cisco Community1

To meet the requirement of sending all faults and events related to endpoint groups, bridge domains, and VRFs to the new SNMP configuration and syslog servers, the network engineer should utilizecommon tenant monitoring policies in the Cisco APIC. The common tenant is used for global configurations that apply across the entire fabric, including monitoring policies.

When the Cisco ACI fabric has a stale endpoint entry for the destination endpoint, the traffic flow is affected in that the leaf switch floods the traffic to the endpoint throughout the fabric (Option C). This flooding occurs because the leaf switch does not have the correct location of the endpoint in its endpoint table, leading it to flood the traffic in an attempt to reach the destination.

 To allow multiple external networks to communicate with internal ACI subnets and assign the prefix to the class ID of the external Endpoint Group, the engineer should configure subnets with the External Subnets for External EPG flag enabled1. This configuration allows the specified subnets to be associatedwith an external EPG, which facilitates communication between internal tenants and external routed networks via L3Outs1.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_01001.html

 In the Cisco ACI VMM domain configuration, to generate port groups with names formatted as “Tenant=Application=EPG”, the configuration option used is delimiter. The delimiter is a character that separates the elements of the port-group name. By changing the delimiter setting to “=”, the port-group names will be generated with the desired format.

The initial APIC cluster discovery process involves each APIC using an internal private IP address from a pool to communicate with the nodes and other APICs in the cluster. The APICs discover the IP addresses of other APIC controllers through an LLDP-based discovery process

 To redirect traffic to the firewall using a one-armed policy-based redirect service insertion, the following configuration set should be used:

Configure a service graph: This involves defining the service graph template that represents the logical flow of traffic through network services.

Associate the service graph with All_Traffic_Allowed: By associating the service graph with the contract named All_Traffic_Allowed, traffic that matches the contract will be redirected through the service graph to the firewall device.

References :=

Cisco ACI Fabric Administration Guide, Release 4.2(1)

Cisco ACI Virtualization Guide, Release 4.2(1)

To enable communication between the external subnet and internal EPG1, and to allow L3Out traffic to leak into the VRF named “VF1”, the following configuration set should be used:

External Subnets for External EPG: This configuration defines the subnets that are external to the ACI fabric but need to be reachable from within the fabric. It is necessary to specify which subnets are to be considered part of the L3Out1.

Shared Route Control Subnet: This setting allows the subnets to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF1.

Shared Security Import Subnet: This configuration ensures that the security policies (contracts) associated with the shared subnets are also imported, allowing for the necessary traffic to flow between the internal and external endpoints1.

By applying this configuration set, the external subnet and internal EPG1 will be able to communicate, and the L3Out traffic will be properly leaked into the designated VRF, meeting the specified goals.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example1

The advantage of implementing an active-active firewall cluster that is stretched across separate pods when anycast services are configured is that local traffic within a pod is load-balanced between the clustered firewalls. This means that traffic destined for the anycast IP address of the service node (firewall) will preferentially be directed to the local node within the same pod, thus optimizing traffic flows and reducing latency by avoiding unnecessary traffic tromboning to a remote pod1.

To implement a Layer 3 out (L3Out) inside the Cisco ACI fabric that meets the specified requirements, the following steps should be taken:

Configure the OSPF Protocol policy with an area of 0: This step involves setting up OSPF, a link-state routing protocol that supports hierarchical network design, as the routing protocol for the L3Out1.

Create Routed Outside object and Node Profile, selecting OSPF: This step involves creating a Routed Outside object and associating it with a Node Profile that specifies OSPF as the routing protocol1.

Build the Interface profile, selecting Routed Sub-interface and the appropriate VLAN: This step involves creating an Interface profile for the connection to the data center core switch, using 802.1Q tagging for VLAN separation2.

Configure the External Network object with a network of 0.0.0.0/0: This step involves setting up the External Network object to advertise routes to the rest of the network1.

 After ARP flooding is enabled in Cisco ACI Multi-Pod, broadcast frames are forwarded within the pod and across the Inter-Pod Network (IPN) using the multicast address associated with the bridge domain. If the setting is ‘Flood’, the leaf switch floods to the Group IP (GIPo) multicast group allocated for the bridge domain, ensuring that both local and remote pods receive a flooded copy

To complete the task of configuring a Layer 3 connection to the WAN router and allowing hosts in the production VRF to access WAN subnets, the engineer should configure the Export Route Control Subnet scope for the external EPG. This setting allows the subnets associated with the external EPG to be advertised to external routers, enabling connectivity to the WAN.

To support the addition of new ESXi hosts to the existing VMM domain, the action that should be taken is to map the leaf interface selector to the AEP that is associated with the VMM domain (Option D). This ensures that the correct policies are applied to the interfaces where the new ESXi hosts are connected.

Graphical user interface, text, application, email Description automatically generated