Cisco 300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Exam Practice Test

The question asks which switch type is discovered first in the Cisco ACI fabric discovery process. The ACI fabric consists of spine and leaf switches, and the discovery process is a critical initial step to establish the fabric topology. Let’s analyze this based on Cisco ACI documentation.

Requirement Analysis

The ACI fabric discovery process involves the Application Policy Infrastructure Controller (APIC) identifying and registering switches to form the network topology.

The process relies on protocols like Link Layer Discovery Protocol (LLDP) and Cisco Discovery Protocol (CDP) to detect connected devices.

The sequence of discovery is determined by the physical connectivity and the role of switches in the fabric.

Option Evaluation

A. leaf:

In the Cisco ACI fabric, the discovery process begins with the leaf switches. When the APIC is powered on and connected to the fabric, it first discovers the leaf switches directly attached to it or other initial points of connectivity. Leaf switches are the access layer devices that connect endpoints and are the starting point for fabric topology discovery. Once leaf switches are identified, they assist in discovering the spine switches.

To resolve the issue of STP convergence causing a microloop and significant CPU spike on all switches after connecting legacy non-ACI switches to the Cisco ACI fabric, BPDU filtering should be configured on the interfaces of the external switches that face the Cisco ACI fabric. BPDU filtering prevents Bridge Protocol Data Units (BPDUs) from being sent or received on those interfaces, which stops the STP process and eliminates the possibility of microloops.

The scenario involves a tenant configured with a single L3Out and a single-homed link from the ACI fabric (via border leaf BL-1001) to a core router (Core-1). The engineer must add a second link to the L3Out, connecting to Core-2 via BL-1002, ensuring that traffic from Core-2 to BL-1002 has the same connectivity as traffic from Core-1 to BL-1001. The exhibit shows a single-homed setup with BL-1001 and BL-1002 as potential border leaves, with a dashed line indicating a planned second link.

Requirement Analysis

The existing L3Out is single-homed to Core-1 via BL-1001, and the goal is to extend it to a multi-homed configuration with Core-2 via BL-1002.

"Same connectivity" implies that the second link must be integrated into the existing L3Out configuration, sharing the same routing policies, external EPG, and subnet reachability.

The solution must leverage ACI’s L3Out framework to add the new path without creating a separate L3Out or altering the current routing setup unnecessarily.

Option Evaluation

A. Add a second path to the logical interface profile of the existing L3Out:

The logical interface profile in an L3Out defines the interfaces (e.g., routed ports or sub-interfaces) and their associations with nodes (border leaves). Adding a second path to this profile allows the inclusion of the new link from BL-1002 to Core-2, ensuring it operates under the same L3Out configuration (e.g., routing protocol, external EPG). This maintains consistent connectivity and leverages ACI’s multi-homing support.

For external connections to the fabric that only require a default route, there is support for originating a default route for OSPF, EIGRP, and BGP L3Out connections. If a default route is received from an external peer, this route can be redistributed out to another peer following the transit export route control as described earlier in this article. A default route can also be advertised out using a Default Route Leak policy. This policy supports advertising a default route if it is present in the routing table or it always supports advertising a default route. The Default Route Leak policy is configured in the L3Out connection.

In a Cisco ACI configuration with IEEE 802.1p ports, the traffic exits from the EPG untagged from leaf ports. This means that when the port is configured in Access (802.1p) mode and the access VLAN is the only VLAN deployed on the port, then traffic will be untagged on egress56.

In the context of VMM, the protocol between ACI leaf and compute hosts that ensures that the policies are pushed to the leaf switches for immediate and on-demand resolution immediacy is LLDP (Link Layer Discovery Protocol)2. LLDP is used for discovery and to ensure that the policies are applied as needed for the virtual machines2.

The type of port used for in-band management within ACI fabric is the spine switch port4.

The question asks which bridge domain setting is used when a Cisco ACI leaf switch learns the source IP address of a packet entering the front panel port. This involves understanding how ACI handles endpoint learning and IP address association within a bridge domain.

Requirement Analysis

When a packet enters a leaf switch’s front panel port, ACI learns the source IP and MAC address of the endpoint to populate its endpoint table.

The bridge domain settings control how IP addresses are learned and routed, especially for Layer 3 traffic.

The correct setting must enable the leaf switch to associate the source IP with the endpoint.

Option Evaluation

A. Unicast Routing:

The "Unicast Routing" setting in a bridge domain enables Layer 3 routing and allows the leaf switch to learn the source IP address of a packet by associating it with the MAC address and VLAN. When enabled, the switch performs IP-to-MAC mapping and updates the endpoint database, which is the standard mechanism for learning source IP addresses from incoming traffic.

 To limit management access to the Cisco ACI fabric that originates from a single subnet where the NOC operates, the policy should be configured in the management tenant on the Cisco APIC5.

apic/sw/1-x/Operating_ACI/guide/b_Cisco_Operating_ACI/b_Cisco_Operating_ACI_chapter_0111.html

When implementing a connection that represents an external bridged network, the configurations used are Layer 2 outside (Option B) and Static path binding (Option D)12. Layer 2 outside is typically used to connect a bridged external network trunk switch to a leaf switch in the ACI fabric, while static path binding is used to assign specific ports on a leaf switch to an external bridged network12.

To redirect HTTP traffic between the EPG client and EPG server through the Cisco ASA firewall using a service graph in Cisco ACI, a precise filter must be configured to allow only HTTP traffic. This filter will specify the protocol (HTTP) and the Layer 4 port (typically port 80 for HTTP) to ensure that only HTTP traffic is redirected to the firewall for inspection or processing. The service graph can then be associated with the relevant EPGs to enforce the redirection1.

References :=

Service Graph Design with Cisco ACI (Updated to Cisco APIC Release 5.2) White Paper

With unicast routing enabled on the bridge domain, the two conditions that enable the Cisco ACI leaf to learn a source IP as a local endpoint are:

Through Ethernet traffic received in a bridge domain (Option A): The leaf switch learns the source IP address as a local endpoint when it receives Ethernet traffic within the bridge domain.

Through ARP received on an SVI (Option E): The leaf switch also learns the source IP address as a local endpoint when it receives an ARP request or reply on a Switched Virtual Interface (SVI) associated with the bridge domain.

These conditions allow the ACI fabric to maintain an accurate endpoint database for efficient routing and forwarding of traffic within the fabric.

.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739989.html

When extending EPG connectivity to an external network that houses the Layer 3 gateway and other end hosts, the ACI bridge domain configuration should use Forwarding: Custom, L2 Unknown Unicast: Hardware Proxy, L3 Unknown Multicast Flooding: Flood, Multi Destination Flooding: Flood in BD, and ARP Flooding: Enabled23. This configuration ensures that unknown unicast traffic is handled efficiently while still allowing ARP flooding, which is necessary for the ACI fabric to learn about endpoints on the external network23.

The Cisco ACI site deployment feature that enables an engineer to control which bridge domains contain Layer 2 flooding across geographically separated data centers is Multi-Site. This feature allows for the extension of Layer 2 and Layer 3 connectivity between different locations with consistent policy enforcement5.

Site-Fundamentals-Guide-211_chapter_011.html#id_51188

To migrate the gateway address out of the ACI fabric for an endpoint group (EPG), the bridge domain configuration must ensure that routing is contained within the ACI fabric and that ARP requests are managed efficiently. The correct configuration set is:

L2 Unknown Unicast: Set to Hardware Proxy. This setting allows the ACI fabric to use the spine proxy function to handle unknown unicast traffic, which helps to reduce flooding within the fabric.

Unicast Routing: Set to Disabled. Since the gateway is being migrated out of the ACI fabric, unicast routing should be disabled to prevent the ACI fabric from attempting to route traffic for the EPG.

ARP Flooding: Set to Enabled. This allows ARP requests to be flooded within the bridge domain, which is necessary when the unicast routing is disabled, to ensure that ARP requests can still be resolved.

References :=

Cisco ACI Bridge Domain Configuration Guide

Cisco ACI Best Practices Guide

To meet the requirements for the new e-commerce software deployed on the Cisco ACI fabric, the scope of the contracts should be set to “Application Profile”. This scope ensures that the contracts are applied within the same Application Network Profile (ANP), allowing the e-commerce software to communicate only with software Endpoint Groups (EPGs) that are part of the same ANP. It also prevents communication with applications in different ANPs, thus maintaining the necessary isolation and reducing the overall number of contracts by reusing existing ones within a VRF.

References :=

Cisco ACI Contracts and Scopes Documentation

Cisco ACI Best Practices Guide

To clear the fault raised by the Cisco APIC when the EPG must accept endpoints from a VMM domain, the EPG should be associated with the VMM domain. This association is necessary for the APIC to recognize the endpoints within the VMM domain as part of the EPG. Without this association, the APIC cannot apply the policies defined in the EPG to the endpoints, which can result in errors1.

References :=

APIC Policy Deployment and Resolution Immediacy For AVS VMM Domain - Cisco Community

To enable communication between EPGs and BDs from any tenant without the need for contracts or VRF route leaking, the best approach is to implement an unenforced VRF within the common tenant. By doing so, all bridge domains that are associated with this VRF will be able to communicate with each other without additional configurations. This method simplifies the network architecture and reduces the complexity associated with contract management and VRF route leaking1.

References :=

Cisco ACI Contract Guide White Paper1

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

To monitor all configuration changes, threshold crossing, and link-state transitions in a Cisco ACI fabric, the action that must be taken is to Include Audit Logs and Events in the Syslog source policy 

fs/online/attachments/blog/technote-aci-syslog_external-latest.pdf

co.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/all/faults/guide/b_APIC_Faults_Errors/b_IFC_Faults_Errors_chapter_010.html

 To have the endpoint table learn the IP addresses of endpoints in a bridge domain, unicast routing must be enabled1. This allows the bridge domain to learn the IP addresses of endpoints through the data plane1.

For a redundant interconnection that routes both unicast and multicast traffic, the L3Out (Layer 3 Outside) implementation in Cisco ACI should include the following:

Redundant Connections: Ensure there are at least two connections from the ACI fabric to the external network for redundancy. These connections should be to different leaf switches if possible.

Routing Protocols: Configure a routing protocol that supports both unicast and multicast routing. OSPF or EIGRP can be used for unicast, and PIM (Protocol Independent Multicast) should be configured for multicast.

Route Redistribution: Set up route redistribution between the ACI fabric and the external network to ensure that routes are shared across both networks.

Multicast Configuration: Enable multicast routing within the ACI fabric and configure the necessary multicast policies.

Contract and Policy Configuration: Define contracts and policies that allow the required unicast and multicast traffic to flow between the ACI fabric and the external network.

References :=

Cisco documentation on configuring L3Outs in ACI

Cisco white paper on ACI Multicast Routing

The correct statement about ACI syslog is that all syslog messages are sent to the destination through APIC1. This centralized approach allows for consistent logging and monitoring across the ACI fabric1.

The two IP address types that are available for transport over the Inter-Site Network (ISN) when they are configured from Cisco ACI Multi-Site Orchestrator (MSO) are the Anycast Overlay Multicast Tunnel Endpoint (TEP) and the MP-BGP EVPN Router-ID. These IP addresses are used for inter-site communication and routing in a Multi-Site deployment.

 When two interface protocol policies need to be used together in a single policy, the ACI object that must be used is an interface policy group

To allow IP mobility between Site1 and Site2 in a Cisco ACI Multi-Site orchestrator while meeting the disaster recovery (DR) requirements and avoiding broadcast storms, the following actions should be taken:

Disable Inter-site BUM Traffic: Disabling Broadcast, Unknown unicast, and Multicast (BUM) traffic between sites helps to avoid broadcast storms that can occur when extending Layer 2 domains across multiple sites1.

Apply the L2 Stretch feature: The Layer 2 Stretch feature allows subnets to be extended across multiple sites without the need to re-IP the application servers. This supports IP mobility and enables applications to be started at a DR site using the same IP address space1.

These actions ensure that the design supports a DR solution without requiring vMotion support, allows applications to be started at a DR site without re-IPing servers, and avoids broadcast storms between the sites.

References :=

Cisco ACI Multi-Site Architecture White Paper1

Cisco Nexus Dashboard Orchestrator Overview2

When deploying a new Cisco ACI Multi-Pod setup, it’s crucial to ensure that the Tunnel Endpoint (TEP) pool of the new pod is routable across the Inter-Pod Network (IPN). This allows the TEP addresses to be reachable across the pods, facilitating communication between them. Additionally, increasing the Maximum Transmission Unit (MTU) for all IPN routers is necessary to support the larger frame size required by VXLAN encapsulation, which is typically above the standard Ethernet MTU of 1500 bytes.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

Scope - Choose according to the route leakage method you use. Here choose to use L3out, and then click Advertised Externally.

 The two true statements regarding ACI Multi-Site are:

ACI Multi-Site is a solution that supports a dedicated APIC cluster per site1.

ACI Multi-Site is a solution that allows one APIC cluster to manage multiple ACI sites1.

When a bridge domain is configured with the hardware-proxy option for Layer 2 unknown unicast traffic, if the spine switch is unable to find the MAC address in the proxy database, it will drop the Layer 2 unknown unicast packet4. This behavior is controlled by the hardware proxy option associated with a bridge domain4.

To complete the task of configuring a Layer 3 connection to the WAN router and allowing hosts in the production VRF to access WAN subnets, the engineer should configure the Export Route Control Subnet scope for the external EPG. This setting allows the subnets associated with the external EPG to be advertised to external routers, enabling connectivity to the WAN.

The engineer configures port 1/2 on Leaf-101 and Leaf-102 to connect to a new server (SVR-12), which belongs to EPG-12 using VLAN-1212 encapsulation. The server is configured as a vPC member port and statically bound to EPG-12. The task is to ensure connectivity, indicating a missing configuration step.

Requirement Analysis

Static binding of a vPC member port to an EPG requires proper VLAN association and domain mapping.

vPC ensures redundancy, and the VLAN (1212) must be allocated and associated with the EPG via a domain (e.g., VMM or physical domain).

Option Evaluation

A. Create a VPC Explicit Protection Group for EPG-12 and VLAN-1212:

vPC Explicit Protection Groups are used for specific vPC configurations, but this is not a standard requirement for EPG binding and VLAN association.

To restrict User X to have access only to TenantX without any extra privileges in the Cisco ACI fabric domain, the Cisco AV pair that must be implemented on the RADIUS server is shell:domains = TenantX-SD/tenant-admin. This AV pair assigns User X the role of tenant admin within the security domain of TenantX, ensuring that the user has the necessary permissions to manage resources within TenantX and no additional privileges outside of this scope.

ty_Guide/b_Cisco_APIC_Security_Guide_chapter_0100.html

The question asks about the mechanism Cisco ACI uses to detect silent hosts when Layer 3 routed traffic is destined to the ACI fabric. A "silent host" refers to an endpoint that does not initiate traffic or send ARP requests, making detection challenging without specific mechanisms. Let’s evaluate the options based on Cisco ACI documentation and best practices.

Requirement Analysis

Layer 3 routed traffic implies that the ACI fabric is handling IP routing, and the detection mechanism must work within the context of the bridge domain and endpoint learning.

Silent hosts require passive detection methods since they do not generate active traffic (e.g., ARP requests).

The solution must align with ACI’s endpoint learning and proxy mechanisms.

Option Evaluation

A. Gratuitous ARP:

Gratuitous ARP (GARP) is a mechanism where a host announces its IP-to-MAC mapping to update network devices. However, this requires the host to send the GARP, which a silent host does not do. ACI can use GARP when hosts are active, but it is not the primary method for silent hosts.

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

To implement a Layer 3 out (L3Out) inside the Cisco ACI fabric that meets the specified requirements, the following steps should be taken:

Configure the OSPF Protocol policy with an area of 0: This step involves setting up OSPF, a link-state routing protocol that supports hierarchical network design, as the routing protocol for the L3Out1.

Create Routed Outside object and Node Profile, selecting OSPF: This step involves creating a Routed Outside object and associating it with a Node Profile that specifies OSPF as the routing protocol1.

Build the Interface profile, selecting Routed Sub-interface and the appropriate VLAN: This step involves creating an Interface profile for the connection to the data center core switch, using 802.1Q tagging for VLAN separation2.

Configure the External Network object with a network of 0.0.0.0/0: This step involves setting up the External Network object to advertise routes to the rest of the network1.

To deploy an access port policy group within Cisco ACI, an attachable entity profile (AEP) needs to be created. An AEP is a policy construct that groups together various domains and allows them to be attached to the fabric access layer

The advantage of implementing an active-active firewall cluster that is stretched across separate pods when anycast services are configured is that local traffic within a pod is load-balanced between the clustered firewalls. This means that traffic destined for the anycast IP address of the service node (firewall) will preferentially be directed to the local node within the same pod, thus optimizing traffic flows and reducing latency by avoiding unnecessary traffic tromboning to a remote pod1.

Storm control should be configured on port channel on a single leaf switch (Option B) and endpoint-facing trunk interface (Option D) to protect against broadcast traffic6. These interfaces are where storm control policies are typically applied to prevent disruptions caused by traffic storms6.

When Cisco ACI connects to an outside Layer 2 network, the ACI fabric floods the STP BPDU frame within the bridge domain (Option A)5. This ensures that BPDUs are properly propagated within the relevant VLAN encapsulation associated with the bridge domain5.

The scenario involves an application (App_1) on server S1 and a silent host application (App_2) on S2, both using the same VLAN encapsulation. The task is to force the ACI fabric to learn App_2 on Leaf-2. A silent host does not generate traffic, so special handling is needed.

Requirement Analysis

A silent host requires flooding (e.g., ARP or unknown unicast) to be learned by the fabric when it moves or is detected.

The goal is to ensure Leaf-2 learns App_2’s endpoint.

Option Evaluation

A. Set Multi-Destination Flooding to Drop:

Dropping multi-destination traffic prevents learning, which is counterproductive for a silent host.

The "Import Route Control Subnet" scope is used to control which external routes are imported into the ACI fabric's routing table

 When VM2 is live migrated from POD1 to POD2, the spines in POD2 will send an MP-BGP EVPN update to the leaves in POD1. This update informs the leaves in POD1 about the new location of VM2, allowing them to update their forwarding tables and ensure that traffic destined for VM2 is correctly routed to its new location in POD2.

In the Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) are flooded within the bridge domain VLAN. This allows the BPDUs to be propagated throughout the bridge domain, enabling STP to function correctly for the associated VLAN.

To divert traffic between VM-1 and VM-2 using a Multi-Node service graph while preventing an insufficient number of available Layer 4 to Layer 7 devices in the first cluster, the following configuration set should be used:

PBR node tracking: This feature monitors the health of the nodes (Layer 4 to Layer 7 devices) in the service graph. If a node becomes unavailable, the system can take action based on the tracking threshold1.

Tracking threshold with action bypass: When the number of healthy nodes falls below the tracking threshold, the action ‘bypass’ ensures that traffic is not sent to the unhealthy nodes, thus preventing service disruption1.

Symmetric PBR: This ensures that return traffic follows the same path as the original traffic, maintaining session consistency and avoiding asymmetric routing issues1.

Resilient hashing: This hashing mechanism provides a consistent and optimal distribution of traffic across the available Layer 4 to Layer 7 devices, even when the number of nodes changes due to a failure or maintenance1.

References :=

Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 5.2(x)

In a Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) that are generated by an external switch, such as Switch2 in this scenario, are indeed forwarded across the fabric. This allows externally connected switches to maintain a loop-free topology. While Cisco ACI does not participate in STP as it uses its own protocols and mechanisms for loop prevention within the fabric, it will forward STP BPDUs across End Point Groups (EPGs) on which they are received1. This ensures that the connected external switches can still use STP for their loop prevention mechanisms.

References :=

Cisco Community Discussion on STP BPDUs in ACI1

To ensure that servers supporting only Cisco Discovery Protocol are discovered automatically by the Cisco ACI fabric when connected, the action that must be taken is to Create an override policy that enables Cisco Discovery Protocol after LLDP is enabled in the default policy group

When upgrading the Cisco ACI fabric through an intermediate release, the following steps should be taken:

Upgrade the APICs to an interim release: This is the first step to ensure that the APICs are running a stable version that is compatible with both the current and the targeted release1.

Upgrade the switches to an interim release: After the APICs are upgraded, the next step is to upgrade the leaf and spine switches to the same interim release. This ensures that the entire fabric is running on a compatible version before moving to the targeted release1.

Upgrade the APICs to the targeted release: Once the fabric is stable on the interim release, the APICs can be upgraded to the targeted release. It’s important to verify that the APICs are fully operational before proceeding to upgrade the switches1.

Upgrade the leaf and spine switches to the targeted release: The final step is to upgrade the leaf and spine switches to the targeted release. This should be done after the APICs have been successfully upgraded and are stable on the targeted release1.

By following these steps, the customer can successfully upgrade the Cisco ACI fabric to the new code release that includes the desired feature.

 When creating a subnet within a bridge domain in Cisco ACI, the configuration option used to specify the network visibility of the subnet is the scope12. The scope can be set to private, public, or shared, determining how the subnet is advertised and accessed within and outside of the ACI fabric12.

 To allow multiple external networks to communicate with internal ACI subnets and assign the prefix to the class ID of the external Endpoint Group, the engineer should configure subnets with the External Subnets for External EPG flag enabled1. This configuration allows the specified subnets to be associated with an external EPG, which facilitates communication between internal tenants and external routed networks via L3Outs1.

To connect Cisco ACI fabric using Layer 2 with external third-party switches configured using 802.1s protocol, the two constructs required are:

Spanning tree policy for mapping MST Instances to VLANs (Option A): This policy will ensure that the Multiple Spanning Tree (MST) instances on the third-party switches are correctly mapped to the VLANs in the ACI fabric.

Static binding of native VLAN in all existing EPGs (Option E): This construct is necessary to maintain the native VLAN across all EPGs when integrating with third-party switches that use 802.1s protocol.

frastructure/white-paper-c07-732033.html

In the Cisco ACI environment, when an engineer wants to enforce a specific path for ICMP replies and prevent packets from taking a direct path, setting Layer 2 Unknown Unicast to Hardware Proxy on the bridge domain (BD1) is the appropriate action. This setting ensures that the unknown unicast traffic, which includes ICMP packets destined for an unknown MAC address, is forwarded to the spine proxy. The spine proxy then forwards the packets based on the endpoint table information, ensuring that the packets follow the expected path through the fabric and do not take any shortcuts or direct paths that bypass the intended routing.

The Infrastructure VLAN is automatically configured during the Cisco ACI fabric discovery process. This VLAN, often referred to as the “infra VLAN,” is used to enable internal communication between the ACI fabric components, such as the leaf and spine nodes. It is vital for the overlay network and the control plane functionality. In the provided output, VLAN 3600 represents the Infrastructure VLAN, which is configured for inter-node communication.

To configure leaf and spine switches in a Cisco ACI fabric to use out-of-band management for NTP protocol, an Override Policy with NTP Out-of-Band must be created. This policy specifies that NTP traffic should be directed through the out-of-band management network, separate from the in-band management traffic, ensuring dedicated management connectivity for time synchronization.

To configure a bridge domain for an EPC called “Web Servers” that meets the specified requirements, the following steps should be taken:

Set L2 Unknown Unicast to Hardware Proxy: This setting ensures that only traffic to known MAC addresses is allowed, which helps to reduce noise by preventing unknown unicast flooding within the bridge domain1.

Configure L3 Unknown Multicast Flooding to Optimized Flood: This setting limits multicast traffic to the ports that are participating in multicast routing, which optimizes the delivery of multicast packets1.

Create an Endpoint Retention Policy with a Local Endpoint Aging interval of 1200 seconds (20 minutes): This policy ensures that endpoints within the bridge domain are kept in the endpoint table for 20 minutes without any updates, maintaining the stability of the network1.

By following these steps, the bridge domain will be configured to satisfy the requirements for the EPC called “Web Servers” in the Cisco APIC environment.

To support the addition of new ESXi hosts to the existing VMM domain, the action that should be taken is to map the leaf interface selector to the AEP that is associated with the VMM domain (Option D). This ensures that the correct policies are applied to the interfaces where the new ESXi hosts are connected.

To advertise the 0.0.0.0/0 prefix out on L3Out-2 OSPF, when it is configured as a default static route on L3Out-1, the action that should be taken is to enable the Export Route Control Subnet. This setting allows the default route to be advertised to other L3Outs, enabling the ACI fabric to act as a transit network1.

References :=

ACI Fabric L3Out White Paper - Cisco1

To set up a Cisco ACI fabric to send Syslog messages related to hardware events to a dedicated Syslog server, the policy should be configured at uni/fabric/monfab-default4. This location in the Cisco APIC allows for the configuration of Syslog policies that can be applied to the entire fabric4.

-fundamentals/Cisco-ACI-Fundamentals-401/Cisco-ACI-Fundamentals-401_chapter_01100.html

 To perform a Cisco ACI fabric upgrade that minimizes the impact on user traffic and allows only permitted users to perform an upgrade, the following configuration steps should be taken:

Divide Cisco APIC controllers into two or more maintenance groups: This step involves organizing the APIC controllers into separate maintenance groups to allow for a phased upgrade process, reducing the impact on user traffic5.

Divide switches into two or more maintenance groups: This step involves organizing the switches into separate maintenance groups, which allows for a controlled and phased upgrade process, minimizing the impact on the network during the upgrade5.

To meet the server team’s requirements for VMM integration with ESXi servers, the two enhanced LAG policies that should be configured are:

LB Mode: Destination IP Address and TCP/UDP Port (Option B): This load balancing mode ensures that traffic is evenly distributed across all available links based on the destination IP address and the TCP/UDP port numbers, which can provide a balanced traffic flow for different sessions.

LACP Mode: LACP Active (Option E): Setting the LACP mode to active allows the network switches to initiate the LACP negotiation, which is necessary when the servers are not configured to initiate the LACP process.

These settings ensure that the LAG group consisting of two 10 Gigabit Ethernet links will have traffic evenly distributed across them and that the network switches will initiate the LACP negotiation as required by the server team.

The XML configuration snippet provided in the exhibit results in the creation of two objects within the Cisco ACI environment:

Bridge Domain (Option C): This is indicated by the XML element , which defines a bridge domain with the name “bd1”.

VRF (Option E): This is shown by the XML element , which defines a Virtual Routing and Forwarding instance named “pvn1”.

These objects are essential for network segmentation and routing within the ACI fabric, where the bridge domain represents a Layer 2 broadcast domain and the VRF is used for Layer 3 routing separation.

 In Cisco Application Centric Infrastructure (ACI), when a subnet is configured on a bridge domain, the gateway IP address is configured on the leaf switches where the bridge domain of the tenant is present. This configuration allows for localized routing within the fabric, providing efficient east-west traffic handling without requiring traffic to traverse up to the spine nodes unless necessary for north-south routing or policy enforcement.

Associating the VMM domain with the EPGs (Endpoint Groups) that must be available in vCenter is the action that accomplishes the goal of creating port groups automatically in vSphere and propagating them to hypervisors when created in the ACI environment. This integration allows the APIC to automatically create port groups in the VMware vCenter under the VDS (vSphere Distributed Switch), which provisions the network policy in the VMware vCenter

To determine which user is responsible for the disappearance of a previously existing port group from vCenter, the engineer should check the EPG audit logs for any ‘deletion’ actions. By comparing the affected object and the user who performed the action, the engineer can identify the responsible individual2.