Cisco 300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Exam Practice Test

To deploy an access port policy group within Cisco ACI, an attachable entity profile (AEP) needs to be created. An AEP is a policy construct that groups together various domains and allows them to be attached to the fabric access layer

The group of settings required to meet the requirements for workload migration where servers will physically terminate at the Cisco ACI, but their gateway must stay in the existing network, is:

L2 Unknown Unicast: Flood

L3 Unknown Multicast Flooding: Flood

Multi Destination Flooding: Flood in BD

ARP Flooding: Enable5

These settings ensure that the bridge domain is configured to handle unknown unicast and multicast traffic appropriately, and ARP flooding is enabled to allow for the resolution of IP addresses when the gateway is outside the fabric5.

https://www.cisco.com/c/en/us/td/docs/switches/datac enter/aci/apic/sw/migration_guides/migrating_existing_networks_to_aci.html

Related image, diagram or screenshot

The two IP address types that are available for transport over the Inter-Site Network (ISN) when they are configured from Cisco ACI Multi-Site Orchestrator (MSO) are the Anycast Overlay Multicast Tunnel Endpoint (TEP) and the MP-BGP EVPN Router-ID. These IP addresses are used for inter-site communication and routing in a Multi-Site deployment.

C:\Users\User\AppData\Local\Temp\SNAGHTML5a772e.PNG

 Changing the Layer 2 unknown unicast policy from Flood to Hardware Proxy results in the traffic being forwarded to one of the spines to perform as a spine proxy4. If the spine proxy also does not know the address, the packet is discarded4.

The true statement regarding ACI Multi-Pod and TEP pool is that the same TEP pool is used in all Pods. This shared TEP pool ensures consistent addressing and simplifies the management of the overlay network across multiple Pods.

When configuring an L3Out in Cisco ACI and encountering a QoS-related error, creating a custom QoS policy is often necessary to clear the fault. This involves defining a QoS policy that meets the specific requirements of the L3Out configuration and applying it to the relevant interfaces or globally within the fabric. The custom QoS policy should be designed to prioritize traffic appropriately and ensure that the necessary QoS settings are in place for the L3Out connections1.

References :=

Cisco ACI L3Out Configuration Examples1

 In the scenario where Server A is connected to the Cisco ACI fabric using teamed interfaces with one active and one standby, enabling ARP flooding in the bridge domain configuration is necessary to resolve the issue that occurs when the standby interface becomes active and uses its built-in MAC address to send traffic. Enabling ARP flooding allows the fabric to learn the new MAC address without waiting for the ARP timeout, which helps to ensure that traffic continues to flow to the correct destination after a failover event1.

References :=

Discuss Cisco 300-620 Exam Topic 9 Question 71 | Pass4Success1

The method that the Cisco ACI fabric uses to load-balance multidestination traffic is forwarding tag trees3. This method involves assigning a forwarding tag (FTAG) to the traffic when it is forwarded within the fabric, ensuring efficient load balancing of multi-destination traffic3.

https://www.cisco.com/c/en/us/td/doc s/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010010.html

Graphical user interface Description automatically generated

 When two interface protocol policies need to be used together in a single policy, the ACI object that must be used is an interface policy group

To minimize possible traffic impact during the upgrade of an ACI fabric with 3 APIC controllers and servers dual-homed to pairs of leaf switches configured in VPC mode, the fabric should be upgraded following Option A2. This option involves creating two maintenance groups for the APIC controllers, upgrading one group at a time, and then proceeding with the leaf switches2. This staged approach helps ensure that not all paths are affected simultaneously, thereby reducing the potential for traffic disruption2.

To set Layer 2 loop migration in an ACI Fabric with a Layer 2 Out configured, MCP (Misconfiguration Protocol) must be enabled on the ACI fabric56. MCP helps to prevent Layer 2 loops by detecting misconfigurations that could potentially cause loops56.

The attribute that should be configured for each user to enable RADIUS for external authentication in Cisco ACI is cisco-av-pair. This attribute allows for the assignment of roles and permissions to users authenticated via RADIUS.

To restrict User X to have access only to TenantX without any extra privileges in the Cisco ACI fabric domain, the Cisco AV pair that must be implemented on the RADIUS server is shell:domains = TenantX-SD/tenant-admin. This AV pair assigns User X the role of tenant admin within the security domain of TenantX, ensuring that the user has the necessary permissions to manage resources within TenantX and no additional privileges outside of this scope.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/Security_config/b_Cisco_APIC_Securi ty_Guide/b_Cisco_APIC_Security_Guide_chapter_0100.html

Graphical user interface, text, application Description automatically generated

To connect Cisco ACI fabric using Layer 2 with external third-party switches configured using 802.1s protocol, the two constructs required are:

Spanning tree policy for mapping MST Instances to VLANs (Option A): This policy will ensure that the Multiple Spanning Tree (MST) instances on the third-party switches are correctly mapped to the VLANs in the ACI fabric.

Static binding of native VLAN in all existing EPGs (Option E): This construct is necessary to maintain the native VLAN across all EPGs when integrating with third-party switches that use 802.1s protocol.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKACI-3101.pdf

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-in frastructure/white-paper-c07-732033.html

To create an exit point from all tenants using the common tenant and decrease the routing footprint, the following configuration tasks must be completed:

Update the L3Out ExtEPG subnet in the common tenant with flag Shared Route Control Subnet and Aggregate Shared Routes: This configuration allows the subnets to be sharedacross different VRFs within the common tenant, enabling communication between EPGs that are in different tenants1.

Change contract Ctr-3 scope to Global, consume it by all EPGs, and flag all subnets with flag Shared between VRFs: By changing the scope of contract Ctr-3 to Global, it can be consumed by all EPGs across the fabric. Additionally, flagging all subnets with Shared between VRFs ensures that the subnets can be used by multiple tenants1.

References :=

Cisco Community Discussion on Common Tenant1

Cisco ACI Basic Configuration Guide2

Cisco ACI Configuring Shared L3Outs Documentation

The feature that dynamically assigns or modifies the EPG association of virtual machines based on their attributes is uSeg EPGs. uSeg EPGs allow for microsegmentation within the Cisco ACI environment, enabling the dynamic assignment of VMs to EPGs based on attributes such as VM name, tag, or other identifiers

 In a Cisco ACI fabric, the spine switches are typically configured as route reflectors. This is because spine switches are central to the fabric’s architecture and are responsible for interconnecting all the leaf switches, making them ideal for reflecting BGP routes within the fabric. Therefore, the components that should be configured as route reflectors are:

Spine1 (Option A)

Spine2 (Option C)

In the Cisco ACI environment, when an engineer wants to enforce a specific path for ICMP replies and prevent packets from taking a direct path, setting Layer 2 Unknown Unicast to Hardware Proxy on the bridge domain (BD1) is the appropriate action. This setting ensures that the unknown unicast traffic, which includes ICMP packets destined for an unknown MAC address, is forwarded to the spine proxy. The spine proxy then forwards the packets based on the endpoint table information, ensuring that the packets follow the expected path through the fabric and do not take any shortcuts or direct paths that bypass the intended routing.

When the client endpoint and the service node interface are in different subnets, the Adjacency Type value should be set to Routed. This setting is used to indicate that routing is required between the client endpoint and the service node interface, as they are not in the same Layer 2 broadcast domain and need Layer 3 routing to communicate.

In a Cisco ACI Multi-Pod environment, Pods use over Layer 3 IPN connectivity via spines to allow Pod-to-Pod communication6.

https://www.cisco.com/c/ en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737855.html

For a redundant interconnection that routes both unicast and multicast traffic, the L3Out (Layer 3 Outside) implementation in Cisco ACI should include the following:

Redundant Connections: Ensure there are at least two connections from the ACI fabric to the external network for redundancy. These connections should be to different leaf switches if possible.

Routing Protocols: Configure a routing protocol that supports both unicast and multicast routing. OSPF or EIGRP can be used for unicast, and PIM (Protocol Independent Multicast) should be configured for multicast.

Route Redistribution: Set up route redistribution between the ACI fabric and the external network to ensure that routes are shared across both networks.

Multicast Configuration: Enable multicast routing within the ACI fabric and configure the necessary multicast policies.

Contract and Policy Configuration: Define contracts and policies that allow the required unicast and multicast traffic to flow between the ACI fabric and the external network.

References :=

Cisco documentation on configuring L3Outs in ACI

Cisco white paper on ACI Multicast Routing

The feature that allows firewall ACLs to be configured automatically when new endpoints are attached to an EPG is ARP gleaning. This feature helps in identifying the endpoints and applying the necessary ACLs to them as they are discovered

The unique identifier of an ACI object is represented by the universal resource identifier (URI)2.

To configure a bridge domain for an EPC called “Web Servers” that meets the specified requirements, the following steps should be taken:

Set L2 Unknown Unicast to Hardware Proxy: This setting ensures that only traffic to known MAC addresses is allowed, which helps to reduce noise by preventing unknown unicast flooding within the bridge domain1.

Configure L3 Unknown Multicast Flooding to Optimized Flood: This setting limits multicast traffic to the ports that are participating in multicast routing, which optimizes the delivery of multicast packets1.

Create an Endpoint Retention Policy with a Local Endpoint Aging interval of 1200 seconds (20 minutes): This policy ensures that endpoints within the bridge domain are kept in the endpoint table for 20 minutes without any updates, maintaining the stability of the network1.

By following these steps, the bridge domain will be configured to satisfy the requirements for the EPC called “Web Servers” in the Cisco APIC environment.

To ensure that users can access the Cisco APIC GUI with a local account if the RADIUS server is unreachable, the network administrator must enable the fallback check with the default authentication domain. This allows for local authentication as a backup method when RADIUS is not available. The fallback mechanism is crucial for maintaining access to the APIC GUI in case of RADIUS server issues1.

References :=

Cisco Community Discussion on Auth Radius fallback to Local1

Cisco APIC Security Configuration Guide

The setting that prevents the learning of Endpoint IP addresses whose subnet does not match the bridge domain subnet is the “Limit IP learning to subnet” setting within the bridge domain1. This setting ensures that only IP addresses belonging to the subnets configured on the bridge domain are learned, preventing mis-learning of IP addresses that may not belong to the fabric1.

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

 For Cisco ACI IPN (Inter-Pod Network) to manage multidestination traffic, multicast routing is a requirement. This is because multidestination traffic includes broadcast, unknown unicast, and multicast (BUM) traffic, which needs to be efficiently transported across different pods in a Cisco ACI Multi-Pod environment. Multicast routing protocols like Bidirectional Protocol-Independent Multicast (Bidir PIM) are used to handle this type of traffic1.

References :=

Cisco Application Centric Infrastructure Multi-Pod Configuration White Paper1

The L3Out subnet configuration option that creates an inbound route map for route filtering is Import Route Control Subnet3. This option allows for the application of route maps to incoming routes from external networks, providing granular control over which routes are allowed into the ACI fabric3.

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

To integrate a new Hyperflex storage cluster into an existing Cisco ACI fabric and manage it with vCenter, the following steps should be taken:

Create a new vSphere Distributed Switch (vDS): This is done within the vCenter interface. The vDS acts as a single virtual switch across all associated hosts in the data center, providing centralized management and monitoring of the network configuration1.

Configure the vDS for the Hyperflex cluster: This involves setting up the correct port groups, VLANs, and uplink profiles to ensure proper network segmentation and performance2.

Enable hardware discovery using a vendor-neutral protocol: This could involve using protocols like LLDP (Link Layer Discovery Protocol) or CDP (Cisco Discovery Protocol), which are supported by vCenter and can help in identifying and managing physical network devices3.

Integrate the Hyperflex cluster with ACI using the Application Policy Infrastructure Controller (APIC): This involves creating the necessary policies and profiles in ACI to manage the Hyperflex storage traffic effectively4.

References :=

Cisco HyperFlex Systems Installation Guide for VMware ESXi1

Cisco HyperFlex Virtual Server Infrastructure 3.0 with Cisco ACI 3.2 and VMware vSphere 6.52

How to Set Up Networking with vSphere Distributed Switches - VMware Docs3

Tutorial: How to integrate HyperFlex and ACI with VMM (VMware) and UCSM4

When designing two data centers based on Cisco ACI technology that can extend L2/L3, VXLAN, and network policy across locations with ACI Multi-Pod, the two requirements that must be considered are:

A single APIC Cluster is required in a Multi-Pod design4.

ACI Multi-Pod requires an IP Network supporting PIM-Bidir2.

To extend functional VMM integration to the new group of 70 bare-metal ESXi servers, a separate VMM domain should be implemented using the AEP_VMM. This allows for the management and automation of network policies for the bare-metal servers in a manner similar to the virtualized environment managed by vCenter1.

To deploy a leaf access port policy group in ACI Fabric that controls the amount of application data flowing into the system and allows auto-negotiation of link speed, the two ACI policies that must be configured are:

Link level policy2.

Ingress data plane policing policy2.

Slow Drain handles FCoE packets that are causing traffic congestion on ACI fabric. So, it is wrong.

Ingress control plane is wrong, because the request is for “application data flowing”.

L2 interface policy is concerned about QinQ and VLAN scope.

 To configure a group of servers with a contract that uses TCP port 80 and requires an external Layer 3 cloud to initiate communication, the EPG that contains the web servers should be configured as a consumer of the contract, and the Layer 3 Out (L3Out) should be configured as the provider of the contract. This configuration establishes the direction of the contract and allows the external Layer 3 cloud to initiate communication with the web servers within the EPG.

To redirect HTTP traffic between the EPG client and EPG server through the Cisco ASA firewall using a service graph in Cisco ACI, a precise filter must be configured to allow only HTTP traffic. This filter will specify the protocol (HTTP) and the Layer 4 port (typically port 80 for HTTP) to ensure that only HTTP traffic is redirected to the firewall for inspection or processing. The service graph can then be associated with the relevant EPGs to enforce the redirection1.

References :=

Service Graph Design with Cisco ACI (Updated to Cisco APIC Release 5.2) White Paper

To configure an L3Out peering with the backbone network that must forward both unicast and multicast traffic, the two methods that should be used are:

Layer 3 routed port (Option A): This method involves configuring a physical port on the Cisco ACI leaf switch as a Layer 3 interface, which is suitable for routing unicast and multicast traffic.

Layer 3 routed subinterface (Option D): This method involves configuring a subinterface under a physical port, which allows for traffic segregation and routing over the same physical link, supporting both unicast and multicast traffic.

These methods ensure that the L3Out can handle the required traffic types and maintain proper routing with the backbone network.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centricinfrastructure/

guide-c07-743150.html#_L3Out_sStatic_rRoutes

https://www.cisco.com/ c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/L3-configuration/Cisco-APIC-Layer-3-Networking-Configuration-Guide-401/Cisco-APIC-Layer-3-Networking-Configuration-Guide-401_chapter_010010.html

To meet the requirements for the new endpoint group’s bridge domain in the Cisco ACI fabric, the following actions must be taken:

Disable ARP Flooding: This action prevents ARP requests from being broadcast across the entire bridge domain, which reduces excessive broadcast traffic.

Enable Limit IP Learning to Subnet: This setting restricts IP address learning to only those IPs within the configured subnet, minimizing the impact of misconfigured virtual machines.

Enable Unicast Routing on the bridge domain and configure a subnet: Enabling unicast routing allows the bridge domain to function as the default gateway for the subnet, ensuring that routing remains within the Cisco ACI fabric.

 In the Cisco ACI Active-Active Across Pods deployment mode, one of the key characteristics of Policy-Based Redirect (PBR) is that traffic is dynamically redirected to the firewall that owns the connection. This allows for load distribution across multiple Layer 4 to Layer 7 devices, also known as symmetric PBR. Additionally, deployment in this mode occurs in go-to mode only, which means that traffic is explicitly directed to a service node or firewall for processing

 When configuring ACI VMM domain integration with Cisco UCS-B Series, the type of port channel policy that must be configured in the vSwitch policy is MAC Pinning-Physical-NIC-load. This policy type allows for the distribution of traffic across physical NICs based on MAC address hashing, which is suitable for environments where dynamic port channels (LACP) are not used.

Graphical user interface, text, application, email Description automatically generated

To configure leaf and spine switches in a Cisco ACI fabric to use out-of-band management for NTP protocol, an Override Policy with NTP Out-of-Band must be created. This policy specifies that NTP traffic should be directed through the out-of-band management network, separate from the in-band management traffic, ensuring dedicated management connectivity for time synchronization.

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/200128-Configuring-NTP-in-ACI-Fabric-Solution.html

To prevent packet loss between the distributed virtual switch and the ACI fabric in a company’s ESXi infrastructure hosted on Cisco UCS-B Blade Servers, the vSwitch policy must implement MAC Pinning. This setting ensures that each virtual interface card (vNIC) on the UCS servers is pinned to an uplink Ethernet port, providing a stable and consistent path for traffic and preventing packet loss due to path changes.

To clear the MCP (Mis-Cabling Protocol) fault in a Cisco ACI fabric when an egress L3Out is configured from Leaf-101 and Leaf-102 to CORE-1, and VLAN 102 is used for OSPF adjacency, the encapsulation VLAN on the EPG-101 static port binding should match the VLAN used for OSPF adjacency. This means that VLAN 102 should be used as the encapsulation VLAN for the static port binding on Leaf-103 e1/1. Using the same VLAN for both OSPF adjacency and the static port binding ensures consistency and prevents misconfiguration that could lead to MCP faults1.

References :=

ACI Fabric L3Out White Paper - Cisco1

To modify the event to be displayed as a warning in the future, you need to navigate to the ACI Fault tab and change the severity level of the fault. This involves selecting the monitoring objectthat corresponds to the class of the Managed Object (MO) that generated the fault, then choosing the fault code you want to modify and setting an initial severity value1.

References :=

Cisco APIC Faults, Events, and System Messages Management Guide2

How ACI Faults Are Generated and How to Selectively Prevent … - Cisco1

 The two true statements regarding ACI Multi-Site are:

ACI Multi-Site is a solution that supports a dedicated APIC cluster per site1.

ACI Multi-Site is a solution that allows one APIC cluster to manage multiple ACI sites1.

The two requirements for the IPN network when implementing a Multi-Pod ACI fabric are:

PIM ASM multicast routing2.

OSPF routing3.

To meet the requirement of sending all faults and events related to endpoint groups, bridge domains, and VRFs to the new SNMP configuration and syslog servers, the network engineer should utilizecommon tenant monitoring policies in the Cisco APIC. The common tenant is used for global configurations that apply across the entire fabric, including monitoring policies.

 To determine if a change in the behavior of the ACI fabric was due to human intervention, an ACI administrator should inspect the audit logs in the APIC UI. The audit logs provide a record of all user events, which includes actions performed by users, making it possible to trace any changes back to specific human activities1.

When extending an EPG out of the ACI fabric using static path binding, it is true that external endpoints are in the same EPG as the directly attached endpoints8. This means that traffic received on a statically bound leaf port with a specific VLAN ID is mapped to the EPG, and the same policies applied to directly attached endpoints are enforced on the external endpoints8.

To advertise the 0.0.0.0/0 prefix out on L3Out-2 OSPF, when it is configured as a default static route on L3Out-1, the action that should be taken is to enable the Export Route Control Subnet. This setting allows the default route to be advertised to other L3Outs, enabling the ACI fabric to act as a transit network1.

References :=

ACI Fabric L3Out White Paper - Cisco1

To support the addition of new ESXi hosts to the existing VMM domain, the action that should be taken is to map the leaf interface selector to the AEP that is associated with the VMM domain (Option D). This ensures that the correct policies are applied to the interfaces where the new ESXi hosts are connected.

The two essential components of a Cisco ACI Virtual Machine Manager (VMM) domain policy configuration are:

VMM domain profile1.

EPG association1.

https://www.cisco.com/c/en/us/td/docs/switches/datac enter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_01011.html#concept_74EFC437C0AA44A391676F70ACE59DF3

 To prevent a fault from appearing that is not directly relevant to the environment, the ACI administrator should create a fault severity assignment policy that hides the fault. This can be done by selecting “Ignore Fault” under System -> Faults in the APIC UI2

When configuring a Multi-Pod system with the default gateway residing outside of the ACI fabric for a bridge domain, the setting that should be configured is to disable Limit IP Learning to Subnet (Option A). This allows the ACI fabric to learn IP addresses outside of the defined subnet, which is necessary when the default gateway is external.