300-620 Sample Questions Answers

When configuring in-band management, the new construct that must be created is a bridge domain1.

To break the STP loop between switch1 and switch2 in a Cisco ACI environment, enabling BPDU filtering on the interfaces facing the MST (Multiple Spanning Tree) switches is the necessary step. BPDU filtering prevents BPDUs from being sent or received through a port, which effectively stops the STP process on those ports and breaks the loop1.

When BPDU filtering is enabled on an interface, the switch does not send any BPDUs and ignores any BPDUs it receives on that interface. This can be used to prevent unwanted STP negotiations on ports where loops are not expected to happen or where STP is not desired1.

References :=

Use of ACI Operation with L2 Switches and Spanning Tree Link Types - Cisco1

 In Cisco ACI, the object classes are used to categorize different types of managed objects within the ACI model. The output presented is indicative of a Tenant class object. Tenants in ACI are a top-level container for application policies, essentially providing a unit of isolation from other tenants. Each tenant can contain its own application policies, services, and network policies, and they are separate from other tenants to ensure multi-tenancy1.

References :=

Cisco ACI Policy Model Guide1

Object Renaming in Cisco ACI - Cisco2

Application Centric Infrastructure (ACI) REST API Guide - Cisco DevNet

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci /apic/sw/4-x/openstack/ACI-Installation-Guide-for-Red-Hat-Using-OSP13-Director/m-configuring-ironic-for-openstack.html

The advantage of implementing an active-active firewall cluster that is stretched across separate pods when anycast services are configured is that local traffic within a pod is load-balanced between the clustered firewalls. This means that traffic destined for the anycast IP address of the service node (firewall) will preferentially be directed to the local node within the same pod, thus optimizing traffic flows and reducing latency by avoiding unnecessary traffic tromboning to a remote pod1.

When Cisco ACI connects to an outside Layer 2 network, the ACI fabric floods the STP BPDU frame within the bridge domain (Option A)5. This ensures that BPDUs are properly propagated within the relevant VLAN encapsulation associated with the bridge domain5.

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

In a two-pod Cisco ACI Multi-Pod environment, it is recommended to deploy no more than two Cisco APIC controllers in the same pod to avoid losing all replicas of a shard if a pod fails. The APIC cluster is a distributed system where each APIC contains a replica of the configuration database, referred to as a shard. If all replicas of a shard were located in the same pod and that pod were to fail, it would result in the loss of the shard and potentially impact the entire fabric’s operation. By distributing the APIC controllers across pods, the risk of losing all replicas due to a single point of failure is mitigated, enhancing the overall resiliency of the system1.

References :=

ACI Multi-Pod White Paper - Cisco1

To modify the event to be displayed as a warning in the future, you need to navigate to the ACI Fault tab and change the severity level of the fault. This involves selecting the monitoring object that corresponds to the class of the Managed Object (MO) that generated the fault, then choosing the fault code you want to modify and setting an initial severity value1.

References :=

Cisco APIC Faults, Events, and System Messages Management Guide2

How ACI Faults Are Generated and How to Selectively Prevent … - Cisco1

To determine which user is responsible for the disappearance of a previously existing port group from vCenter, the engineer should check the EPG audit logs for any ‘deletion’ actions. By comparing the affected object and the user who performed the action, the engineer can identify the responsible individual2.

The setting that prevents the learning of Endpoint IP addresses whose subnet does not match the bridge domain subnet is the “Limit IP learning to subnet” setting within the bridge domain1. This setting ensures that only IP addresses belonging to the subnets configured on the bridge domain are learned, preventing mis-learning of IP addresses that may not belong to the fabric1.

The two protocols used for fabric discovery in Cisco ACI are LLDP (Link Layer Discovery Protocol) and ISIS (Intermediate System to Intermediate System). LLDP is used for neighbor discovery on the data link layer, while ISIS is a routing protocol used for reachability between the TEP IPs (VTEPs) within the ACI fabric23.

To create a backup of the Cisco ACI fabric for disaster recovery that is secure, encrypted, and in a format conducive to processing with a Python script, the engineer must select Secure Copy Protocol (SCP) for secure and encrypted transport. The backup file should be in JSON format, which is similar to a Python dictionary and can be easily processed by a Python script. Additionally, enabling Global AES Encryption ensures that all user and password-related information is included securely in the backup1.

 To design a method that allows the Cisco ACI to redirect traffic to the firewalls based on specific L4-L7 policy rules and distribute the load across multiple firewalls, the action that must be taken is to Configure ACI Service Graph with Unidirectional PBR (

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/applicatio n-centric-infrastructure/white-paper-c11-739971.html

 In the context of ACI Multi-Site, the information of an endpoint (MAC/IP) that belongs to site 1 is advertised to site 2 using the EVPN control plane as soon as the endpoint is discovered in one site. This allows for immediate visibility of the endpoint across sites.

 In a Cisco ACI fabric, the spine switches are typically configured as route reflectors. This is because spine switches are central to the fabric’s architecture and are responsible for interconnecting all the leaf switches, making them ideal for reflecting BGP routes within the fabric. Therefore, the components that should be configured as route reflectors are:

Spine1 (Option A)

Spine2 (Option C)

Enabling the “disable Remote EP learn” feature in Cisco ACI has the effect of preventing border leaf switches from receiving routes through peering with external routers. This feature is particularly useful when there is a mix of Gen1 and Gen2 hardware in the fabric, as it clears all the remote endpoints from the border leaf only. Traffic will still use hardware proxy if the endpoint is not learned on the border leaf, ensuring no operational impact12.

References :=

ACI Fabric Endpoint Learning White Paper2

Cisco Community Discussion on Disable Remote EP Learn

https://unofficialaciguide.com/2018/11/29/aci-best-practice-configurations/

 When VM2 is live migrated from POD1 to POD2, the spines in POD2 will send an MP-BGP EVPN update to the leaves in POD1. This update informs the leaves in POD1 about the new location of VM2, allowing them to update their forwarding tables and ensure that traffic destined for VM2 is correctly routed to its new location in POD2.

The two protocols that support accessing backup files on a remote location from the APIC are FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol). Both FTP and SFTP allow for the transfer of files to and from a remote location, but SFTP provides an additional layer of security by utilizing SSH.

 When migrating the vSphere Management VMkernel of all ESXi hosts from the standard default virtual switch to a Virtual Distributed Switch (VDS) that is integrated with APIC in a VMM domain, it is essential to set the Management VMkernel EPG resolution to Pre-Provision. This action ensures that the necessary policies are in place on the ACI fabric before the migration occurs, allowing for a seamless transition and continuous management connectivity.

When a pre-provision immediacy is used, the policy is downloaded to the Cisco ACI leaf switch and programmed into the hardware policy Content Addressable Memory (CAM) as soon as the change is implemented on the Cisco Application Policy Infrastructure Controller (APIC). This means that the policy is ready on the leaf switch before any endpoints are actually connected.

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html

In a Cisco ACI Multi-Site setup, back-to-back spine connectivity is limited to a direct connection between two sites. This design simplifies inter-site communication by avoiding the need for an intermediate Inter-Pod Network (IPN) or Multi-Site Orchestrator.

 When the VMM resolution immediacy is set to pre-provision in a Cisco ACI environment, policies are downloaded to the ACI leaf switch regardless of Cisco Discovery Protocol neighborship1. This setting ensures that the policies are in place on the leaf switches even before a VM controller is attached to the virtual switch1.

 In the scenario where Server A is connected to the Cisco ACI fabric using teamed interfaces with one active and one standby, enabling ARP flooding in the bridge domain configuration is necessary to resolve the issue that occurs when the standby interface becomes active and uses its built-in MAC address to send traffic. Enabling ARP flooding allows the fabric to learn the new MAC address without waiting for the ARP timeout, which helps to ensure that traffic continues to flow to the correct destination after a failover event1.

References :=

Discuss Cisco 300-620 Exam Topic 9 Question 71 | Pass4Success1

When designing two data centers based on Cisco ACI technology that can extend L2/L3, VXLAN, and network policy across locations with ACI Multi-Pod, the two requirements that must be considered are:

A single APIC Cluster is required in a Multi-Pod design4.

ACI Multi-Pod requires an IP Network supporting PIM-Bidir2.

When implementing a connection that represents an external bridged network, the configurations used are Layer 2 outside (Option B) and Static path binding (Option D)12. Layer 2 outside is typically used to connect a bridged external network trunk switch to a leaf switch in the ACI fabric, while static path binding is used to assign specific ports on a leaf switch to an external bridged network12.

To enable communication between the external subnet and internal EPG1, and to allow L3Out traffic to leak into the VRF named “VF1”, the following configuration set should be used:

External Subnets for External EPG: This configuration defines the subnets that are external to the ACI fabric but need to be reachable from within the fabric. It is necessary to specify which subnets are to be considered part of the L3Out1.

Shared Route Control Subnet: This setting allows the subnets to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF1.

Shared Security Import Subnet: This configuration ensures that the security policies (contracts) associated with the shared subnets are also imported, allowing for the necessary traffic to flow between the internal and external endpoints1.

By applying this configuration set, the external subnet and internal EPG1 will be able to communicate, and the L3Out traffic will be properly leaked into the designated VRF, meeting the specified goals.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example1

To extend the EPG-100 to the vCenter as a port group with a tagged VLAN ID of 100, the following actions should be taken:

Define a static VLAN range (from 100-200) under a VLAN pool: This step involves creating a VLAN pool that includes the desired VLAN range. The VLAN pool is then associated with the VMM domain that corresponds to the vCenter integration1.

Associate the dc1vcdev domain with EPG: The VMM domain named ‘dc1vcdev’ should be associated with the EPG-100. This association allows for the automatic creation of port groups in vCenter when the EPG is associated with a VMM domain1.

Select the appropriate settings for the domain association:

Untagged VLAN Access: This should be unselected because the VLAN ID needs to be tagged.

VLAN Mode: Set to ‘Static’ to specify the encapsulation VLAN ID.

Encap: Set to ‘100’ to define the specific VLAN ID that should be tagged for the port group1.

References :=

Cisco APIC Layer 2 Networking Configuration Guide1

Cisco APIC Layer 2 Networking Configuration Guide1

The feature that dynamically assigns or modifies the EPG association of virtual machines based on their attributes is uSeg EPGs. uSeg EPGs allow for microsegmentation within the Cisco ACI environment, enabling the dynamic assignment of VMs to EPGs based on attributes such as VM name, tag, or other identifiers

 In the Cisco ACI Active-Active Across Pods deployment mode, one of the key characteristics of Policy-Based Redirect (PBR) is that traffic is dynamically redirected to the firewall that owns the connection. This allows for load distribution across multiple Layer 4 to Layer 7 devices, also known as symmetric PBR. Additionally, deployment in this mode occurs in go-to mode only, which means that traffic is explicitly directed to a service node or firewall for processing

To allow SNMP traffic on the APIC controller, a contract under tenant mgmt must be configured3.

The Cisco ACI site deployment feature that enables an engineer to control which bridge domains contain Layer 2 flooding across geographically separated data centers is Multi-Site. This feature allows for the extension of Layer 2 and Layer 3 connectivity between different locations with consistent policy enforcement5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/aci_multi-site/sw/2x/fundamentals/Cisco-ACI-Multi-Site-Fundamentals-Guide-211/Cisco-ACI-Multi- Site-Fundamentals-Guide-211_chapter_011.html#id_51188

To complete the task of configuring a Layer 3 connection to the WAN router and allowing hosts in the production VRF to access WAN subnets, the engineer should configure the Export Route Control Subnet scope for the external EPG. This setting allows the subnets associated with the external EPG to be advertised to external routers, enabling connectivity to the WAN.

The initial APIC cluster discovery process involves each APIC using an internal private IP address from a pool to communicate with the nodes and other APICs in the cluster. The APICs discover the IP addresses of other APIC controllers through an LLDP-based discovery process

https://community.cisco.com/t5/documentos-data-center/configuraci%C3%B3n-snmp-para-aci/ta-p/4680520

 To limit management access to the Cisco ACI fabric that originates from a single subnet where the NOC operates, the policy should be configured in the management tenant on the Cisco APIC5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/ apic/sw/1-x/Operating_ACI/guide/b_Cisco_Operating_ACI/b_Cisco_Operating_ACI_chapter_0111.html

To clear the MCP (Mis-Cabling Protocol) fault in a Cisco ACI fabric when an egress L3Out is configured from Leaf-101 and Leaf-102 to CORE-1, and VLAN 102 is used for OSPF adjacency, the encapsulation VLAN on the EPG-101 static port binding should match the VLAN used for OSPF adjacency. This means that VLAN 102 should be used as the encapsulation VLAN for the static port binding on Leaf-103 e1/1. Using the same VLAN for both OSPF adjacency and the static port binding ensures consistency and prevents misconfiguration that could lead to MCP faults1.

References :=

ACI Fabric L3Out White Paper - Cisco1

To reduce instability during the migration of a legacy environment to Cisco ACI, the feature that should be enabled in the bridge domain is to Set Multi-Destination Flooding to Flood in BD (Option A). This setting allows unknown multicast, broadcast, and unknown unicast traffic to be flooded within the bridge domain, which can help prevent traffic loss during the migration process.

The group of settings required to meet the requirements for workload migration where servers will physically terminate at the Cisco ACI, but their gateway must stay in the existing network, is:

L2 Unknown Unicast: Flood

L3 Unknown Multicast Flooding: Flood

Multi Destination Flooding: Flood in BD

ARP Flooding: Enable5

These settings ensure that the bridge domain is configured to handle unknown unicast and multicast traffic appropriately, and ARP flooding is enabled to allow for the resolution of IP addresses when the gateway is outside the fabric5.

https://www.cisco.com/c/en/us/td/docs/switches/datac enter/aci/apic/sw/migration_guides/migrating_existing_networks_to_aci.html

For external connections to the fabric that only require a default route, there is support for originating a default route for OSPF, EIGRP, and BGP L3Out connections. If a default route is received from an external peer, this route can be redistributed out to another peer following the transit export route control as described earlier in this article. A default route can also be advertised out using a Default Route Leak policy. This policy supports advertising a default route if it is present in the routing table or it always supports advertising a default route. The Default Route Leak policy is configured in the L3Out connection. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L3_config/b_Cisco_APIC_Layer_3_Configuration_Guide/b_Cisco_APIC_Layer_3_Configuration_Guide_chapter_010100.html

To implement management policy and data plane separation in the Cisco ACI fabric, the ACI object that must be created in Cisco APIC is a Bridge domain

When configuring Cisco ACI VMM domain integration with VMware vCenter, the object that is created in vCenter is a VMware vSphere Distributed Switch (VDS)12. The VDS is a virtual switch that extends across all esxi hosts in the cluster and provides a centralized interface from which network configurations can be managed12. This switch allows network administrators to manage networking for multiple hosts and virtual machines from a single interface within vCenter12.

In the Cisco ACI environment, when an engineer wants to enforce a specific path for ICMP replies and prevent packets from taking a direct path, setting Layer 2 Unknown Unicast to Hardware Proxy on the bridge domain (BD1) is the appropriate action. This setting ensures that the unknown unicast traffic, which includes ICMP packets destined for an unknown MAC address, is forwarded to the spine proxy. The spine proxy then forwards the packets based on the endpoint table information, ensuring that the packets follow the expected path through the fabric and do not take any shortcuts or direct paths that bypass the intended routing.

 To perform a Cisco ACI fabric upgrade that minimizes the impact on user traffic and allows only permitted users to perform an upgrade, the following configuration steps should be taken:

Divide Cisco APIC controllers into two or more maintenance groups: This step involves organizing the APIC controllers into separate maintenance groups to allow for a phased upgrade process, reducing the impact on user traffic5.

Divide switches into two or more maintenance groups: This step involves organizing the switches into separate maintenance groups, which allows for a controlled and phased upgrade process, minimizing the impact on the network during the upgrade5.

MisCabling Protocol (MCP) detects loops from external sources (i.e., misbehaving servers, external networking equipment running STP, etc.) and will err-disable the interface on which ACI receives its own packet. Enabling this feature is a best practice, and it should be enabled globally and on all interfaces, regardless of the end device. For MCP to be enabled, you need to have it enabled globally and on a per-interface basis. While MCP is enabled on all interfaces by default, it is not turned “on” until you also enable it globally. The global configuration knob for MCP can be enabled by configuring the global settings here: Fabric > Access Policies > Global Policies > MCP Instance Policy default. https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/aci-guide-using-mcp-mis-cabling-protocol.pdf

The COOP (Council Of Oracle Protocol) database is located on each spine switch within the Cisco ACI fabric. The COOP database is responsible for maintaining a consistent copy of endpoint address and location information across the fabric

 To determine if a change in the behavior of the ACI fabric was due to human intervention, an ACI administrator should inspect the audit logs in the APIC UI. The audit logs provide a record of all user events, which includes actions performed by users, making it possible to trace any changes back to specific human activities1.

 When creating a subnet within a bridge domain in Cisco ACI, the configuration option used to specify the network visibility of the subnet is the scope12. The scope can be set to private, public, or shared, determining how the subnet is advertised and accessed within and outside of the ACI fabric12.

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

When a bridge domain is configured with the hardware-proxy option for Layer 2 unknown unicast traffic, if the spine switch is unable to find the MAC address in the proxy database, it will drop the Layer 2 unknown unicast packet4. This behavior is controlled by the hardware proxy option associated with a bridge domain4.

ACI Multi-Site architecture is designed to interconnect geographically dispersed data centers and extend Layer 2 and Layer 3 connectivity between those locations with consistent policy enforcement. It allows for either a single APIC cluster to manage multiple ACI sites or supports a dedicated APIC cluster per site. This architecture ensures a scalable and flexible approach to managing multiple data center sites, providing a unified policy framework and operational model across the sites34.

References :=

Cisco Multi-Site Deployment Guide for ACI Fabrics3

Cisco ACI Multi-Site Architecture White Paper4

 In the process of discovering a new Cisco ACI fabric, after the discovery of leaf 1 has been completed, the next nodes expected to be discovered are the spine switches. This is because the spines are typically connected to the leaf switches and play a central role in the fabric’s topology6.

In Cisco ACI, the mgmt0 interface is used for out-of-band (OOB) management, and its IP address must be explicitly assigned through the Node Management Address Policy under the mgmt tenant. When new leaf switches are registered in the fabric, they do not automatically receive an IP address for their mgmt0 interfaces unless they are added to this policy.

When the Cisco ACI fabric has a stale endpoint entry for the destination endpoint, the traffic flow is affected in that the leaf switch floods the traffic to the endpoint throughout the fabric (Option C). This flooding occurs because the leaf switch does not have the correct location of the endpoint in its endpoint table, leading it to flood the traffic in an attempt to reach the destination.

To support the addition of new ESXi hosts to the existing VMM domain, the action that should be taken is to map the leaf interface selector to the AEP that is associated with the VMM domain (Option D). This ensures that the correct policies are applied to the interfaces where the new ESXi hosts are connected.

In a Cisco ACI environment with multiple silent hosts that are often relocated between leaf switches, configuring IP Data-Plane Learning to ‘No’ will minimize the relocation impact and make the ACI fabric relearn the new location of the host faster. Disabling IP Data-Plane Learning prevents the fabric from learning IP addresses from the data plane, which can speed up the process of relearning host locations when they move3.

To securely back up the current Cisco ACI configuration to a remote location with encryption and authentication, and ensure that sensitive information is not exported, the following steps should be taken:

Create a Remote Location: Define a remote location where the backup will be stored. This involves specifying the hostname or IP address of the remote server and selecting the protocol (SCP/FTP/SFTP) to be used1.

Create a Configuration Export Policy: Set up an export policy that defines the format (XML/JSON) and the destination for the backup. This policy will also include the schedule for the backup to run once per day1.

Configure Global AES Encryption: To ensure that the backup is encrypted, configure the Global AES Encryption setting. This will allow for hashed secure properties, such as passwords and certificates, to be exported in an encrypted form. It’s important to configure a passphrase that is at least 16 characters long for the encryption1.

Schedule the Backup Job: Use the scheduler to set up the backup job to run once per day. This ensures that the backup process is automated and adheres to the customer’s security policy1.

Exclude Sensitive Information: To comply with the security policy that mandates sensitive information not be exported, ensure that the configuration export policy is set to exclude secure fields unless encryption is enabled1.

References :=

Cisco Guide on Creating a Backup for Your APIC Cluster1

Cisco Community Discussion on Backing Up ACI Configuration2

 The statement about the MTU value of MP-BGP EVPN control plane packets in Cisco ACI that is true for communication between spine nodes in different sites is that by default, spine nodes generate 9000-bytes packets to exchange endpoints routing information. As a result, the Inter-Site network should be able to carry 9000-bytes packets2. This ensures that the control plane traffic, which is not VXLAN encapsulated, can be properly handled across the sites2.

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/221867-configure-in-band-management-in-aci.html Scope - Choose according to the route leakage method you use. Here choose to use L3out, and then click Advertised Externally.

To configure an L3Out peering with the backbone network that must forward both unicast and multicast traffic, the two methods that should be used are:

Layer 3 routed port (Option A): This method involves configuring a physical port on the Cisco ACI leaf switch as a Layer 3 interface, which is suitable for routing unicast and multicast traffic.

Layer 3 routed subinterface (Option D): This method involves configuring a subinterface under a physical port, which allows for traffic segregation and routing over the same physical link, supporting both unicast and multicast traffic.

These methods ensure that the L3Out can handle the required traffic types and maintain proper routing with the backbone network.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centricinfrastructure/

guide-c07-743150.html#_L3Out_sStatic_rRoutes

https://www.cisco.com/ c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/L3-configuration/Cisco-APIC-Layer-3-Networking-Configuration-Guide-401/Cisco-APIC-Layer-3-Networking-Configuration-Guide-401_chapter_010010.html