Cisco 300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Exam Practice Test

The scenario involves a tenant configured with a single L3Out and a single-homed link from the ACI fabric (via border leaf BL-1001) to a core router (Core-1). The engineer must add a second link to the L3Out, connecting to Core-2 via BL-1002, ensuring that traffic from Core-2 to BL-1002 has the same connectivity as traffic from Core-1 to BL-1001. The exhibit shows a single-homed setup with BL-1001 and BL-1002 as potential border leaves, with a dashed line indicating a planned second link.

Requirement Analysis

The existing L3Out is single-homed to Core-1 via BL-1001, and the goal is to extend it to a multi-homed configuration with Core-2 via BL-1002.

"Same connectivity" implies that the second link must be integrated into the existing L3Out configuration, sharing the same routing policies, external EPG, and subnet reachability.

The solution must leverage ACI’s L3Out framework to add the new path without creating a separate L3Out or altering the current routing setup unnecessarily.

Option Evaluation

A. Add a second path to the logical interface profile of the existing L3Out:

The logical interface profile in an L3Out defines the interfaces (e.g., routed ports or sub-interfaces) and their associations with nodes (border leaves). Adding a second path to this profile allows the inclusion of the new link from BL-1002 to Core-2, ensuring it operates under the same L3Out configuration (e.g., routing protocol, external EPG). This maintains consistent connectivity and leverages ACI’s multi-homing support.

 To redirect traffic to the firewall using a one-armed policy-based redirect service insertion, the following configuration set should be used:

Configure a service graph: This involves defining the service graph template that represents the logical flow of traffic through network services.

Associate the service graph with All_Traffic_Allowed: By associating the service graph with the contract named All_Traffic_Allowed, traffic that matches the contract will be redirected through the service graph to the firewall device.

References :=

Cisco ACI Fabric Administration Guide, Release 4.2(1)

Cisco ACI Virtualization Guide, Release 4.2(1)

To resolve the issue of STP convergence causing a microloop and significant CPU spike on all switches after connecting legacy non-ACI switches to the Cisco ACI fabric, BPDU filtering should be configured on the interfaces of the external switches that face the Cisco ACI fabric. BPDU filtering prevents Bridge Protocol Data Units (BPDUs) from being sent or received on those interfaces, which stops the STP process and eliminates the possibility of microloops.

For the new nodes in a Cisco ACI Multi-Pod deployment to be discoverable by the existing Cisco APICs, DHCP relay should be enabled on all links that are connected to Cisco ACI spines on Inter-Pod Network (IPN) devices. This allows the APICs to dynamically assign IP addresses to the new nodes, facilitating their discovery and integration into the fabric.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

To allow IP mobility between Site1 and Site2 in a Cisco ACI Multi-Site orchestrator while meeting the disaster recovery (DR) requirements and avoiding broadcast storms, the following actions should be taken:

Disable Inter-site BUM Traffic: Disabling Broadcast, Unknown unicast, and Multicast (BUM) traffic between sites helps to avoid broadcast storms that can occur when extending Layer 2 domains across multiple sites1.

Apply the L2 Stretch feature: The Layer 2 Stretch feature allows subnets to be extended across multiple sites without the need to re-IP the application servers. This supports IP mobility and enables applications to be started at a DR site using the same IP address space1.

These actions ensure that the design supports a DR solution without requiring vMotion support, allows applications to be started at a DR site without re-IPing servers, and avoids broadcast storms between the sites.

References :=

Cisco ACI Multi-Site Architecture White Paper1

Cisco Nexus Dashboard Orchestrator Overview2

To configure an L3Out peering with the backbone network that must forward both unicast and multicast traffic, the two methods that should be used are:

Layer 3 routed port (Option A): This method involves configuring a physical port on the Cisco ACI leaf switch as a Layer 3 interface, which is suitable for routing unicast and multicast traffic.

Layer 3 routed subinterface (Option D): This method involves configuring a subinterface under a physical port, which allows for traffic segregation and routing over the same physical link, supporting both unicast and multicast traffic.

These methods ensure that the L3Out can handle the required traffic types and maintain proper routing with the backbone network.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centricinfrastructure/

guide-c07-743150.html#_L3Out_sStatic_rRoutes

https://www.cisco.com/ c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/L3-configuration/Cisco-APIC-Layer-3-Networking-Configuration-Guide-401/Cisco-APIC-Layer-3-Networking-Configuration-Guide-401_chapter_010010.html

The attribute that should be configured for each user to enable RADIUS for external authentication in Cisco ACI is cisco-av-pair. This attribute allows for the assignment of roles and permissions to users authenticated via RADIUS.

In a Cisco ACI configuration with IEEE 802.1p ports, the traffic exits from the EPG untagged from leaf ports. This means that when the port is configured in Access (802.1p) mode and the access VLAN is the only VLAN deployed on the port, then traffic will be untagged on egress56.

ACI Multi-Site architecture is designed to interconnect geographically dispersed data centers and extend Layer 2 and Layer 3 connectivity between those locations with consistent policy enforcement. It allows for either a single APIC cluster to manage multiple ACI sites or supports a dedicated APIC cluster per site. This architecture ensures a scalable and flexible approach to managing multiple data center sites, providing a unified policy framework and operational model across the sites34.

References :=

Cisco Multi-Site Deployment Guide for ACI Fabrics3

Cisco ACI Multi-Site Architecture White Paper4

To divert traffic between VM-1 and VM-2 using a Multi-Node service graph while preventing an insufficient number of available Layer 4 to Layer 7 devices in the first cluster, the following configuration set should be used:

PBR node tracking: This feature monitors the health of the nodes (Layer 4 to Layer 7 devices) in the service graph. If a node becomes unavailable, the system can take action based on the tracking threshold1.

Tracking threshold with action bypass: When the number of healthy nodes falls below the tracking threshold, the action ‘bypass’ ensures that traffic is not sent to the unhealthy nodes, thus preventing service disruption1.

Symmetric PBR: This ensures that return traffic follows the same path as the original traffic, maintaining session consistency and avoiding asymmetric routing issues1.

Resilient hashing: This hashing mechanism provides a consistent and optimal distribution of traffic across the available Layer 4 to Layer 7 devices, even when the number of nodes changes due to a failure or maintenance1.

References :=

Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 5.2(x)

To securely export Cisco APIC configuration snapshots to a secure, offsite location using an encrypted tunnel and a platform-agnostic data format that provides namespace support, the following configuration set must be used:

Choose a Platform-Agnostic Data Format: Export the configuration in a data format like JSON or XML, which are platform-agnostic and support namespaces1.

Use an Encrypted Tunnel: Transfer the configuration snapshot over a secure protocol such as SFTP or SCP, which provides an encrypted tunnel for the data transfer1.

Schedule the Export: Set up a scheduled export of the configuration in the Cisco APIC to occur at regular intervals, ensuring the process is automated1.

Enable Encryption: Make sure the configuration export policy includes encryption settings. Cisco APIC supports AES-256 encryption for securing exported configuration files2.

Verify Namespace Support: Ensure that the chosen data format and the method of export support the use of namespaces, which are essential for organizing elements and attributes in XML documents1.

By following these steps and choosing Option B, the engineer can meet the requirements for securely exporting Cisco APIC configuration snapshots to an offsite location.

 When migrating the vSphere Management VMkernel of all ESXi hosts from the standard default virtual switch to a Virtual Distributed Switch (VDS) that is integrated with APIC in a VMM domain, it is essential to set the Management VMkernel EPG resolution to Pre-Provision. This action ensures that the necessary policies are in place on the ACI fabric before the migration occurs, allowing for a seamless transition and continuous management connectivity.

To allow SNMP traffic on the APIC controller, a contract under tenant mgmt must be configured3.

The Cisco AV Pair resolves to a managed object class. In the context of Cisco ACI, the AV Pair is used to define specific attributes for RADIUS users, which then map to managed objects within the ACI fabric3.

 To have the endpoint table learn the IP addresses of endpoints in a bridge domain, unicast routing must be enabled1. This allows the bridge domain to learn the IP addresses of endpoints through the data plane1.

The two actions that extend a Layer 2 domain beyond the ACI fabric are extending the bridge domain out of the ACI fabric (Option D) and extending the EPG out of the ACI fabric (Option E)34. Extending the bridge domain involves creating a Layer 2 outside connection, while extending the EPG involves statically assigning a port with a VLAN ID to an EPG34.

To enable communication between EPGs and BDs from any tenant without the need for contracts or VRF route leaking, the best approach is to implement an unenforced VRF within the common tenant. By doing so, all bridge domains that are associated with this VRF will be able to communicate with each other without additional configurations. This method simplifies the network architecture and reduces the complexity associated with contract management and VRF route leaking1.

References :=

Cisco ACI Contract Guide White Paper1

When the client endpoint and the service node interface are in different subnets, the Adjacency Type value should be set to Routed. This setting is used to indicate that routing is required between the client endpoint and the service node interface, as they are not in the same Layer 2 broadcast domain and need Layer 3 routing to communicate.

The Cisco ACI site deployment feature that enables an engineer to control which bridge domains contain Layer 2 flooding across geographically separated data centers is Multi-Site. This feature allows for the extension of Layer 2 and Layer 3 connectivity between different locations with consistent policy enforcement5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/aci_multi-site/sw/2x/fundamentals/Cisco-ACI-Multi-Site-Fundamentals-Guide-211/Cisco-ACI-Multi- Site-Fundamentals-Guide-211_chapter_011.html#id_51188

To set up a Cisco ACI fabric to send Syslog messages related to hardware events to a dedicated Syslog server, the policy should be configured at uni/fabric/monfab-default4. This location in the Cisco APIC allows for the configuration of Syslog policies that can be applied to the entire fabric4.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/aci -fundamentals/Cisco-ACI-Fundamentals-401/Cisco-ACI-Fundamentals-401_chapter_01100.html

When Cisco ACI connects to an outside Layer 2 network, the ACI fabric floods the STP BPDU frame within the bridge domain (Option A)5. This ensures that BPDUs are properly propagated within the relevant VLAN encapsulation associated with the bridge domain5.

The scenario involves an application (App_1) on server S1 and a silent host application (App_2) on S2, both using the same VLAN encapsulation. The task is to force the ACI fabric to learn App_2 on Leaf-2. A silent host does not generate traffic, so special handling is needed.

Requirement Analysis

A silent host requires flooding (e.g., ARP or unknown unicast) to be learned by the fabric when it moves or is detected.

The goal is to ensure Leaf-2 learns App_2’s endpoint.

Option Evaluation

A. Set Multi-Destination Flooding to Drop:

Dropping multi-destination traffic prevents learning, which is counterproductive for a silent host.

When a bridge domain is configured with the hardware-proxy option for Layer 2 unknown unicast traffic, if the spine switch is unable to find the MAC address in the proxy database, it will drop the Layer 2 unknown unicast packet4. This behavior is controlled by the hardware proxy option associated with a bridge domain4.

The Infrastructure VLAN is automatically configured during the Cisco ACI fabric discovery process. This VLAN, often referred to as the “infra VLAN,” is used to enable internal communication between the ACI fabric components, such as the leaf and spine nodes. It is vital for the overlay network and the control plane functionality. In the provided output, VLAN 3600 represents the Infrastructure VLAN, which is configured for inter-node communication.

To support a new application that is sensitive to latency and jitter and sets the DSCP values of packets to AF31 and CS6, it is necessary to align the ACI Quality of Service (QoS) levels and Inter-Pod Network (IPN) QoS policies. This alignment ensures that the DSCP values are preserved and respected across the ACI fabric and the IPN, preventing packets from being delayed or dropped between pods.

References :=

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Best Practices Guide

Cisco ACI Quality of Service Configuration Guide

The group of settings required to meet the requirements for workload migration where servers will physically terminate at the Cisco ACI, but their gateway must stay in the existing network, is:

L2 Unknown Unicast: Flood

L3 Unknown Multicast Flooding: Flood

Multi Destination Flooding: Flood in BD

ARP Flooding: Enable5

These settings ensure that the bridge domain is configured to handle unknown unicast and multicast traffic appropriately, and ARP flooding is enabled to allow for the resolution of IP addresses when the gateway is outside the fabric5.

https://www.cisco.com/c/en/us/td/docs/switches/datac enter/aci/apic/sw/migration_guides/migrating_existing_networks_to_aci.html

When configuring a Multi-Pod system with the default gateway residing outside of the ACI fabric for a bridge domain, the setting that should be configured is to disable Limit IP Learning to Subnet (Option A). This allows the ACI fabric to learn IP addresses outside of the defined subnet, which is necessary when the default gateway is external.

When the default gateway for endpoints is on an external device instead of a Cisco ACI bridge domain Switched Virtual Interface (SVI), the unicast routing feature should be disabled on the bridge domain. This prevents the ACI fabric from attempting to route traffic for the endpoints, which should instead be directed to the external default gateway.

 For a blade server that lacks support of bonding, the port channel mode that results in “route based on originating virtual port” on the VMware VDS is MAC Pinning-Physical-NIC-load (Option B). This mode ensures that the virtual machine traffic is distributed across the available uplinks based on the MAC address of the originating virtual port1.

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/virtualization/cisco-aci-virtualization-guide-60x/ACI-Virtualization-Guide-60x-aci-with-vmware-vds.pdf

Storm control should be configured on port channel on a single leaf switch (Option B) and endpoint-facing trunk interface (Option D) to protect against broadcast traffic6. These interfaces are where storm control policies are typically applied to prevent disruptions caused by traffic storms6.

To complete the task of configuring a Layer 3 connection to the WAN router and allowing hosts in the production VRF to access WAN subnets, the engineer should configure the Export Route Control Subnet scope for the external EPG. This setting allows the subnets associated with the external EPG to be advertised to external routers, enabling connectivity to the WAN.

 In Cisco Application Centric Infrastructure (ACI), when a subnet is configured on a bridge domain, the gateway IP address is configured on the leaf switches where the bridge domain of the tenant is present. This configuration allows for localized routing within the fabric, providing efficient east-west traffic handling without requiring traffic to traverse up to the spine nodes unless necessary for north-south routing or policy enforcement.

To ensure that servers supporting only Cisco Discovery Protocol are discovered automatically by the Cisco ACI fabric when connected, the action that must be taken is to Create an override policy that enables Cisco Discovery Protocol after LLDP is enabled in the default policy group

To clear the fault raised by the Cisco APIC when the EPG must accept endpoints from a VMM domain, the EPG should be associated with the VMM domain. This association is necessary for the APIC to recognize the endpoints within the VMM domain as part of the EPG. Without this association, the APIC cannot apply the policies defined in the EPG to the endpoints, which can result in errors1.

References :=

APIC Policy Deployment and Resolution Immediacy For AVS VMM Domain - Cisco Community

 In the context of ACI Multi-Site, the information of an endpoint (MAC/IP) that belongs to site 1 is advertised to site 2 using the EVPN control plane as soon as the endpoint is discovered in one site. This allows for immediate visibility of the endpoint across sites.

 To redistribute externally learned OSPF routes within the ACI fabric, a Route Control Profile must be configured1. This profile allows for the control of route redistribution and the application of route maps to influence routing decisions within the fabric1.

 A bridge domain in Cisco ACI represents a Layer 2 forwarding construct345. It defines a unique Layer 2 MAC address space and can include one or more subnets. Bridge domains are associated with a VRF and can contain multiple EPGs345.

An EPG is extended outside of the ACI fabric by statically assigning a VLAN ID to a leaf port in an EPG. This method maps the traffic received on the leaf port to the EPG, and the policy for this EPG is enforced

 When VM2 is live migrated from POD1 to POD2, the spines in POD2 will send an MP-BGP EVPN update to the leaves in POD1. This update informs the leaves in POD1 about the new location of VM2, allowing them to update their forwarding tables and ensure that traffic destined for VM2 is correctly routed to its new location in POD2.

 The two true statements regarding ACI Multi-Site are:

ACI Multi-Site is a solution that supports a dedicated APIC cluster per site1.

ACI Multi-Site is a solution that allows one APIC cluster to manage multiple ACI sites1.

 In the Cisco ACI Active-Active Across Pods deployment mode, one of the key characteristics of Policy-Based Redirect (PBR) is that traffic is dynamically redirected to the firewall that owns the connection. This allows for load distribution across multiple Layer 4 to Layer 7 devices, also known as symmetric PBR. Additionally, deployment in this mode occurs in go-to mode only, which means that traffic is explicitly directed to a service node or firewall for processing

The feature that dynamically assigns or modifies the EPG association of virtual machines based on their attributes is uSeg EPGs. uSeg EPGs allow for microsegmentation within the Cisco ACI environment, enabling the dynamic assignment of VMs to EPGs based on attributes such as VM name, tag, or other identifiers

To configure a bridge domain for an EPC called “Web Servers” that meets the specified requirements, the following steps should be taken:

Set L2 Unknown Unicast to Hardware Proxy: This setting ensures that only traffic to known MAC addresses is allowed, which helps to reduce noise by preventing unknown unicast flooding within the bridge domain1.

Configure L3 Unknown Multicast Flooding to Optimized Flood: This setting limits multicast traffic to the ports that are participating in multicast routing, which optimizes the delivery of multicast packets1.

Create an Endpoint Retention Policy with a Local Endpoint Aging interval of 1200 seconds (20 minutes): This policy ensures that endpoints within the bridge domain are kept in the endpoint table for 20 minutes without any updates, maintaining the stability of the network1.

By following these steps, the bridge domain will be configured to satisfy the requirements for the EPC called “Web Servers” in the Cisco APIC environment.

To enable communication between the external subnet and internal EPG1, and to allow L3Out traffic to leak into the VRF named “VF1”, the following configuration set should be used:

External Subnets for External EPG: This configuration defines the subnets that are external to the ACI fabric but need to be reachable from within the fabric. It is necessary to specify which subnets are to be considered part of the L3Out1.

Shared Route Control Subnet: This setting allows the subnets to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF1.

Shared Security Import Subnet: This configuration ensures that the security policies (contracts) associated with the shared subnets are also imported, allowing for the necessary traffic to flow between the internal and external endpoints1.

By applying this configuration set, the external subnet and internal EPG1 will be able to communicate, and the L3Out traffic will be properly leaked into the designated VRF, meeting the specified goals.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example1

To deploy a leaf access port policy group in ACI Fabric that controls the amount of application data flowing into the system and allows auto-negotiation of link speed, the two ACI policies that must be configured are:

Link level policy2.

Ingress data plane policing policy2.

Slow Drain handles FCoE packets that are causing traffic congestion on ACI fabric. So, it is wrong.

Ingress control plane is wrong, because the request is for “application data flowing”.

L2 interface policy is concerned about QinQ and VLAN scope.

ACI uses the SCP (Secure Copy Protocol) to securely save the configuration in a remote location. SCP is a network protocol that supports file transfers and relies on the Secure Shell (SSH) protocol to provide security for the transferred data.

To clear the MCP (Mis-Cabling Protocol) fault in a Cisco ACI fabric when an egress L3Out is configured from Leaf-101 and Leaf-102 to CORE-1, and VLAN 102 is used for OSPF adjacency, the encapsulation VLAN on the EPG-101 static port binding should match the VLAN used for OSPF adjacency. This means that VLAN 102 should be used as the encapsulation VLAN for the static port binding on Leaf-103 e1/1. Using the same VLAN for both OSPF adjacency and the static port binding ensures consistency and prevents misconfiguration that could lead to MCP faults1.

References :=

ACI Fabric L3Out White Paper - Cisco1

The "Import Route Control Subnet" scope is used to control which external routes are imported into the ACI fabric's routing table

In a Cisco ACI bridge domain and VRF configured with a default data-plane learning configuration, the two endpoint attributes that are programmed in the leaf switch when receiving traffic are:

Local MAC, IP (Option D)5.

Local Subnet (Option E)5. These attributes are learned by the ACI fabric through common network methods such as ARP, GARP, and ND, as well as through the data-plane. The local MAC and IP addresses are learned and used for traffic routing and bridging, while the local subnet information is used for traffic optimization and endpoint location tracking56.

 The statement about the MTU value of MP-BGP EVPN control plane packets in Cisco ACI that is true for communication between spine nodes in different sites is that by default, spine nodes generate 9000-bytes packets to exchange endpoints routing information. As a result, the Inter-Site network should be able to carry 9000-bytes packets2. This ensures that the control plane traffic, which is not VXLAN encapsulated, can be properly handled across the sites2.

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

To implement a Layer 3 out (L3Out) inside the Cisco ACI fabric that meets the specified requirements, the following steps should be taken:

Configure the OSPF Protocol policy with an area of 0: This step involves setting up OSPF, a link-state routing protocol that supports hierarchical network design, as the routing protocol for the L3Out1.

Create Routed Outside object and Node Profile, selecting OSPF: This step involves creating a Routed Outside object and associating it with a Node Profile that specifies OSPF as the routing protocol1.

Build the Interface profile, selecting Routed Sub-interface and the appropriate VLAN: This step involves creating an Interface profile for the connection to the data center core switch, using 802.1Q tagging for VLAN separation2.

Configure the External Network object with a network of 0.0.0.0/0: This step involves setting up the External Network object to advertise routes to the rest of the network1.

When designing two data centers based on Cisco ACI technology that can extend L2/L3, VXLAN, and network policy across locations with ACI Multi-Pod, the two requirements that must be considered are:

A single APIC Cluster is required in a Multi-Pod design4.

ACI Multi-Pod requires an IP Network supporting PIM-Bidir2.

To move the gateway address for VLAN 1001 from the core outside the Cisco ACI fabric into the Cisco ACI fabric and ensure that endpoints in EPG-1001 route traffic to endpoints in other EPGs while minimizing flooded traffic in the fabric, the following configuration set is needed on the bridge domain:

Enable Hardware Proxy: This step involves enabling the hardware proxy feature, which allows the fabric to learn and maintain endpoint information more efficiently7.

Enable Unicast Routing: This step involves enabling unicast routing within the bridge domain, which allows for the routing of traffic between different EPGs and minimizes flooded traffic

The setting that prevents the learning of Endpoint IP addresses whose subnet does not match the bridge domain subnet is the “Limit IP learning to subnet” setting within the bridge domain1. This setting ensures that only IP addresses belonging to the subnets configured on the bridge domain are learned, preventing mis-learning of IP addresses that may not belong to the fabric1.

 To determine if a change in the behavior of the ACI fabric was due to human intervention, an ACI administrator should inspect the audit logs in the APIC UI. The audit logs provide a record of all user events, which includes actions performed by users, making it possible to trace any changes back to specific human activities1.

 When configuring ACI VMM domain integration with Cisco UCS-B Series, the type of port channel policy that must be configured in the vSwitch policy is MAC Pinning-Physical-NIC-load. This policy type allows for the distribution of traffic across physical NICs based on MAC address hashing, which is suitable for environments where dynamic port channels (LACP) are not used.

To break the STP loop between switch1 and switch2 in a Cisco ACI environment, enabling BPDU filtering on the interfaces facing the MST (Multiple Spanning Tree) switches is the necessary step. BPDU filtering prevents BPDUs from being sent or received through a port, which effectively stops the STP process on those ports and breaks the loop1.

When BPDU filtering is enabled on an interface, the switch does not send any BPDUs and ignores any BPDUs it receives on that interface. This can be used to prevent unwanted STP negotiations on ports where loops are not expected to happen or where STP is not desired1.

References :=

Use of ACI Operation with L2 Switches and Spanning Tree Link Types - Cisco1

The purpose of the Overlay Multicast TEP (O-MTEP) in a Cisco ACI Multi-Site deployment is to perform head-end replication for BUM (Broadcast, Unknown unicast, Multicast) traffic. This common anycast address is shared by all the spine nodes in the same site and is used to replicate BUM traffic across the sites4.

To monitor all configuration changes, threshold crossing, and link-state transitions in a Cisco ACI fabric, the action that must be taken is to Include Audit Logs and Events in the Syslog source policy 

https://community.cisco.com/legacy fs/online/attachments/blog/technote-aci-syslog_external-latest.pdf

https://www.cis co.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/all/faults/guide/b_APIC_Faults_Errors/b_IFC_Faults_Errors_chapter_010.html

To meet the requirements for the new e-commerce software deployed on the Cisco ACI fabric, the scope of the contracts should be set to “Application Profile”. This scope ensures that the contracts are applied within the same Application Network Profile (ANP), allowing the e-commerce software to communicate only with software Endpoint Groups (EPGs) that are part of the same ANP. It also prevents communication with applications in different ANPs, thus maintaining the necessary isolation and reducing the overall number of contracts by reusing existing ones within a VRF.

References :=

Cisco ACI Contracts and Scopes Documentation

Cisco ACI Best Practices Guide

The two dynamic routing protocols supported when using Cisco ACI to connect to an external Layer 3 network are iBGP (Option A) and eBGP (Option E)78. These protocols are included in the routing protocol options for a Layer 3 external outside network configuration in ACI

The initial APIC cluster discovery process involves each APIC using an internal private IP address from a pool to communicate with the nodes and other APICs in the cluster. The APICs discover the IP addresses of other APIC controllers through an LLDP-based discovery process