Free and Premium Cisco 300-620 Dumps Questions Answers

To integrate the VMware vCenter cluster with Cisco ACI and ensure that the management traffic of the hypervisors and VM controllers uses the virtual switch associated with the Cisco Application Policy, the following steps must be taken:

Enable Infrastructure VLAN on AAEP used toward VMware hypervisors: This step involves enabling the infrastructure VLAN on the Attachable Access Entity Profile (AAEP) that is used for the VMware hypervisors. This VLAN is used for carrying infrastructure traffic such as management, vMotion, and fault tolerance.

Create a static binding in the target EPG toward VMware hypervisors with VLAN 300: This step involves creating a static binding in the “Vmware-MGMT” EPG for the VMware hypervisors with VLAN 300, setting it as an untagged access VLAN, and using Untagged 802.1P mode. This ensures that the management traffic is correctly tagged and associated with the appropriate EPG.

References :=

Cisco ACI Fabric Hardware Installation Guide

Cisco ACI Troubleshooting Guide

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Virtual Machine Manager (VMM) Integration White Paper

To filter the System Faults page and view only the active faults present in the Cisco ACI fabric, the two lifecycle stages that must be selected for filtering are:

Raised (Option A): This stage indicates that the fault is currently active and has been raised.

Raised, Clearing (Option D): This combination indicates that the fault is active but is in the process of being cleared.

 In the Cisco ACI VMM domain configuration, to generate port groups with names formatted as “Tenant=Application=EPG”, the configuration option used is delimiter. The delimiter is a character that separates the elements of the port-group name. By changing the delimiter setting to “=”, the port-group names will be generated with the desired format.

When configuring an L3Out in Cisco ACI and encountering a QoS-related error, creating a custom QoS policy is often necessary to clear the fault. This involves defining a QoS policy that meets the specific requirements of the L3Out configuration and applying it to the relevant interfaces or globally within the fabric. The custom QoS policy should be designed to prioritize traffic appropriately and ensure that the necessary QoS settings are in place for the L3Out connections1.

References :=

Cisco ACI L3Out Configuration Examples1

To redirect HTTP traffic between the EPG client and EPG server through the Cisco ASA firewall using a service graph in Cisco ACI, a precise filter must be configured to allow only HTTP traffic. This filter will specify the protocol (HTTP) and the Layer 4 port (typically port 80 for HTTP) to ensure that only HTTP traffic is redirected to the firewall for inspection or processing. The service graph can then be associated with the relevant EPGs to enforce the redirection1.

References :=

Service Graph Design with Cisco ACI (Updated to Cisco APIC Release 5.2) White Paper

 For a blade server that lacks support of bonding, the port channel mode that results in “route based on originating virtual port” on the VMware VDS is MAC Pinning-Physical-NIC-load (Option B). This mode ensures that the virtual machine traffic is distributed across the available uplinks based on the MAC address of the originating virtual port1.

In a two-pod Cisco ACI Multi-Pod environment, it is recommended to deploy no more than two Cisco APIC controllers in the same pod to avoid losing all replicas of a shard if a pod fails. The APIC cluster is a distributed system where each APIC contains a replica of the configuration database, referred to as a shard. If all replicas of a shard were located in the same pod and that pod were to fail, it would result in the loss of the shard and potentially impact the entire fabric’s operation. By distributing the APIC controllers across pods, the risk of losing all replicas due to a single point of failure is mitigated, enhancing the overall resiliency of the system1.

References :=

ACI Multi-Pod White Paper - Cisco1

The scenario involves a tenant configured with a single L3Out and a single-homed link from the ACI fabric (via border leaf BL-1001) to a core router (Core-1). The engineer must add a second link to the L3Out, connecting to Core-2 via BL-1002, ensuring that traffic from Core-2 to BL-1002 has the same connectivity as traffic from Core-1 to BL-1001. The exhibit shows a single-homed setup with BL-1001 and BL-1002 as potential border leaves, with a dashed line indicating a planned second link.

Requirement Analysis

The existing L3Out is single-homed to Core-1 via BL-1001, and the goal is to extend it to a multi-homed configuration with Core-2 via BL-1002.

"Same connectivity" implies that the second link must be integrated into the existing L3Out configuration, sharing the same routing policies, external EPG, and subnet reachability.

The solution must leverage ACI’s L3Out framework to add the new path without creating a separate L3Out or altering the current routing setup unnecessarily.

Option Evaluation

A. Add a second path to the logical interface profile of the existing L3Out:

The logical interface profile in an L3Out defines the interfaces (e.g., routed ports or sub-interfaces) and their associations with nodes (border leaves). Adding a second path to this profile allows the inclusion of the new link from BL-1002 to Core-2, ensuring it operates under the same L3Out configuration (e.g., routing protocol, external EPG). This maintains consistent connectivity and leverages ACI’s multi-homing support.

When traffic is received from a Layer 3 Out (L3Out) on the ingress leaf switch in a Cisco ACI fabric, the source IP address of the traffic is learned as a remote endpoint. This is because the traffic is entering the ACI fabric from an external network, and the source IP is considered remote to the fabric.

o protect the ACI fabric from spanning-tree loops, the feature that must be enabled on the ACI leaf ports is BPDU Guard 

 To allow multiple external networks to communicate with internal ACI subnets and assign the prefix to the class ID of the external Endpoint Group, the engineer should configure subnets with the External Subnets for External EPG flag enabled1. This configuration allows the specified subnets to be associated with an external EPG, which facilitates communication between internal tenants and external routed networks via L3Outs1.

To prevent frequent MAC and IP address moves between different leaf switch ports, enabling rogue endpoint control is the recommended action. This feature helps in identifying and mitigating the movement of endpoints that could potentially cause loops or other issues within the network.

In Cisco ACI, when a service graph is deployed under one tenant (e.g., Operations) and needs to be referenced by another tenant (e.g., Management), the Layer 4-Layer 7 (L4-L7) device export action is used. This allows the firewall or other L4-L7 devices defined in the service graph to be shared across tenants. By exporting the L4-L7 device, the configuration enables the Management tenant to reference and use the firewall deployed in the Operations tenant.

To extend functional VMM integration to the new group of 70 bare-metal ESXi servers, a separate VMM domain should be implemented using the AEP_VMM. This allows for the management and automation of network policies for the bare-metal servers in a manner similar to the virtualized environment managed by vCenter1.

In a Cisco ACI Multi-Pod environment, Pods use over Layer 3 IPN connectivity via spines to allow Pod-to-Pod communication6.

en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737855.html

In a Cisco ACI Multi-Pod architecture, multiple pods (each with its own leaf-and-spine topology) are interconnected via an Inter-Pod Network (IPN). The key characteristic of the Multi-Pod setup is that it is managed as a single fabric by a single APIC cluster, simplifying operations and maintaining consistency across all pods.

In a Cisco ACI bridge domain and VRF configured with a default data-plane learning configuration, the two endpoint attributes that are programmed in the leaf switch when receiving traffic are:

Local MAC, IP (Option D)5.

Local Subnet (Option E)5. These attributes are learned by the ACI fabric through common network methods such as ARP, GARP, and ND, as well as through the data-plane. The local MAC and IP addresses are learned and used for traffic routing and bridging, while the local subnet information is used for traffic optimization and endpoint location tracking56.

 In a Cisco ACI Multi-Site fabric, when the Inter-Site BUM Traffic Allow option is enabled for a stretched bridge domain, ingress replication on the spines in the source site is used to forward Broadcast, Unknown unicast, and Multicast (BUM) traffic to all endpoints in the same broadcast domain. This method ensures that BUM traffic is replicated and sent out through the spines to the destination sites.

To minimize possible traffic impact during the upgrade of an ACI fabric with 3 APIC controllers and servers dual-homed to pairs of leaf switches configured in VPC mode, the fabric should be upgraded following Option A2. This option involves creating two maintenance groups for the APIC controllers, upgrading one group at a time, and then proceeding with the leaf switches2. This staged approach helps ensure that not all paths are affected simultaneously, thereby reducing the potential for traffic disruption2.

In Cisco ACI fabric, MP-BGP (Multi-Protocol Border Gateway Protocol) is utilized for several purposes, one of which includes the propagation of L3Out (Layer 3 Out) routes within the fabric. Specifically, MP-BGP with VPNv4 address family (AF) is used in the ACI infra VRF (overlay-1 VRF) to distribute external routes from a border leaf to other leaf switches1. This allows for the efficient dissemination of routing information and ensures that all relevant leaf switches are aware of the routes necessary to reach external networks.

References :=

ACI Fabric L3Out White Paper - Cisco1

Configuring ACI Fabric BGP Route Reflectors - Cisco2

ACI Fabric - Underlying protocols - Cisco Community3

Cisco Application Centric Infrastructure Fundamentals, Release 5.3(x)4

To configure a Cisco ACI system to detect network loops for both untagged and tagged traffic and to stop the loop by disabling an interface within 4 seconds, the following configuration must be used:

Enable Mis-Cabling Protocol (MCP): MCP detects loops from external sources and will err-disable the interface on which Cisco ACI receives its own packet. This is crucial for preventing loops in the network1.

Configure MCP Transmit Frequency: Set the MCP transmit frequency to a value that allows for quick loop detection. The Cisco ACI fabric provides faster loop detection with transmit frequencies from 100 milliseconds to 300 seconds. To meet the requirement of detecting and stopping a loop within 4 seconds, you would set the transmit frequency to a value less than 4 seconds2.

Set Action on Loop Detection: Configure the MCP policies to identify loops and decide how to act upon them. You can set the policy to generate a syslog message or disable the port upon loop detection2.

Implement Error Disabled Recovery Policy: Configure an error disabled recovery policy to automatically re-enable ports that were disabled due to loop detection after a configurable interval2.

By implementing these configurations, the Cisco ACI system will be able to detect and stop network loops quickly and efficiently, ensuring network stability and preventing potential disruptions.

References :=

Cisco APIC Online Help - Loop Detection2

Cisco ACI Best Practices Quick Summary

To reduce instability during the migration of a legacy environment to Cisco ACI, the feature that should be enabled in the bridge domain is to Set Multi-Destination Flooding to Flood in BD (Option A). This setting allows unknown multicast, broadcast, and unknown unicast traffic to be flooded within the bridge domain, which can help prevent traffic loss during the migration process.

 In Cisco ACI, the object classes are used to categorize different types of managed objects within the ACI model. The output presented is indicative of a Tenant class object. Tenants in ACI are a top-level container for application policies, essentially providing a unit of isolation from other tenants. Each tenant can contain its own application policies, services, and network policies, and they are separate from other tenants to ensure multi-tenancy1.

References :=

Cisco ACI Policy Model Guide1

Object Renaming in Cisco ACI - Cisco2

Application Centric Infrastructure (ACI) REST API Guide - Cisco DevNet

/apic/sw/4-x/openstack/ACI-Installation-Guide-for-Red-Hat-Using-OSP13-Director/m-configuring-ironic-for-openstack.html

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

 In a Cisco ACI fabric, the spine switches are typically configured as route reflectors. This is because spine switches are central to the fabric’s architecture and are responsible for interconnecting all the leaf switches, making them ideal for reflecting BGP routes within the fabric. Therefore, the components that should be configured as route reflectors are:

Spine1 (Option A)

Spine2 (Option C)

 The two true statements regarding ACI Multi-Site are:

ACI Multi-Site is a solution that supports a dedicated APIC cluster per site1.

ACI Multi-Site is a solution that allows one APIC cluster to manage multiple ACI sites1.

By enabling Global AES Encryption and ensuring secure data inclusion, you can safely back up and restore the Cisco ACI fabric configuration, including the vCenter password.

When configuring in-band management IP addresses for Cisco APICs, leaf nodes, and spine nodes, the tenant used is the mgmt tenant1.

To ensure that destination updates from a newly created L3Out are propagated to all Cisco ACI leaf switches, a BGP route reflector policy should be applied. This policy allows the border leaf switches, which act as BGP route reflectors, to redistribute the learned routes to other leaf switches within the fabric1.

The type of port used for in-band management within ACI fabric is the spine switch port4.

For the BGP Route Reflector policy to take effect, the components that must be configured are the leaf fabric interface overrides and profiles. These configurations are necessary to establish the route reflector relationships within the BGP protocol on the leaf switches

To advertise a bridge domain subnet out of the ACI fabric to an OSPF neighbor, the following configuration steps are required:

Configure Subnet scope to Advertised Externally: This step involves setting the scope of the subnet within the bridge domain to be advertised externally, which allows the subnet to be propagated to external routing entities3.

Add L30ut profile to the bridge domain using Associated L30uts section: This step involves associating the bridge domain with an L3Out profile, which is necessary for the bridge domain subnet to be advertised to OSPF neighbors4.

ACI Multi-Site architecture is designed to interconnect geographically dispersed data centers and extend Layer 2 and Layer 3 connectivity between those locations with consistent policy enforcement. It allows for either a single APIC cluster to manage multiple ACI sites or supports a dedicated APIC cluster per site. This architecture ensures a scalable and flexible approach to managing multiple data center sites, providing a unified policy framework and operational model across the sites34.

References :=

Cisco Multi-Site Deployment Guide for ACI Fabrics3

Cisco ACI Multi-Site Architecture White Paper4

In a Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) that are generated by an external switch, such as Switch2 in this scenario, are indeed forwarded across the fabric. This allows externally connected switches to maintain a loop-free topology. While Cisco ACI does not participate in STP as it uses its own protocols and mechanisms for loop prevention within the fabric, it will forward STP BPDUs across End Point Groups (EPGs) on which they are received1. This ensures that the connected external switches can still use STP for their loop prevention mechanisms.

References :=

Cisco Community Discussion on STP BPDUs in ACI1

To monitor all configuration changes, threshold crossing, and link-state transitions in a Cisco ACI fabric, the action that must be taken is to Include Audit Logs and Events in the Syslog source policy 

fs/online/attachments/blog/technote-aci-syslog_external-latest.pdf

co.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/all/faults/guide/b_APIC_Faults_Errors/b_IFC_Faults_Errors_chapter_010.html

The Cisco ACI site deployment feature that enables an engineer to control which bridge domains contain Layer 2 flooding across geographically separated data centers is Multi-Site. This feature allows for the extension of Layer 2 and Layer 3 connectivity between different locations with consistent policy enforcement5.

Site-Fundamentals-Guide-211_chapter_011.html#id_51188

Scope - Choose according to the route leakage method you use. Here choose to use L3out, and then click Advertised Externally.

To meet the requirement of sending all faults and events related to endpoint groups, bridge domains, and VRFs to the new SNMP configuration and syslog servers, the network engineer should utilize common tenant monitoring policies in the Cisco APIC. The common tenant is used for global configurations that apply across the entire fabric, including monitoring policies.

The scenario involves deploying a WAN with Cisco ACI, where Routers 1 and 2 (connected via an L3Out with OSPF Area 0) must receive specific routes (192.168.11.0/24 and 192.168.21.0/24) from the ACI fabric, and reachability to WAN users must be permitted only for servers in vrf_prod. The diagram shows three bridge domains (bd_vlan11, bd_vlan21, bd_vlan31) with their respective subnets and EPGs, all under vrf_prod, along with an L3Out (epg_l3out) for WAN connectivity.

Requirement Analysis

Routers 1 and 2 must receive only routes 192.168.11.0/24 and 192.168.21.0/24:

These subnets belong to bd_vlan11 and bd_vlan21, respectively. To advertise these routes to Routers 1 and 2 via the L3Out, they must be marked with the appropriate scope in the bridge domain configuration.

In ACI, the "Advertised Externally" scope on a subnet ensures that it is advertised to external routers via the L3Out routing protocol (OSPF in this case).

Reachability to WAN users must be permitted only for servers in vrf_prod:

This implies that only the subnets in vrf_prod (192.168.11.0/24, 192.168.21.0/24, and 192.168.31.0/24) should be accessible, but WAN users should only reach specific subnets based on policy.

The external EPG (epg_l3out) represents the WAN users (10.171.0.0/16), and its subnet scope must control inbound reachability.

The subnet 192.168.31.0/24 (bd_vlan31) should not be advertised to the WAN, as it is not listed in the routes Routers 1 and 2 should receive.

Option Evaluation

A. Configure the subnets 192.168.11.0/24 and 192.168.21.0/24 as Private to VRF. Configure the subnet 192.168.31.0/24 as Advertised Externally. Configure an EPG subnet 0.0.0.0/0 as External Subnets for External EPG:

Setting 192.168.11.0/24 and 192.168.21.0/24 as "Private to VRF" means they are not advertised externally, which fails the requirement for Routers 1 and 2 to receive these routes.

Setting 192.168.31.0/24 as "Advertised Externally" incorrectly advertises this subnet to the WAN, which is not desired.

The "External Subnets for External EPG" scope on 0.0.0.0/0 allows WAN users to reach all subnets in vrf_prod, which is correct for reachability.

Conclusion: Fails the first requirement (route advertisement).

When a bridge domain is configured with the hardware-proxy option for Layer 2 unknown unicast traffic, if the spine switch is unable to find the MAC address in the proxy database, it will drop the Layer 2 unknown unicast packet4. This behavior is controlled by the hardware proxy option associated with a bridge domain4.

To enable communication between the external subnet and internal EPG1, and to allow L3Out traffic to leak into the VRF named “VF1”, the following configuration set should be used:

External Subnets for External EPG: This configuration defines the subnets that are external to the ACI fabric but need to be reachable from within the fabric. It is necessary to specify which subnets are to be considered part of the L3Out1.

Shared Route Control Subnet: This setting allows the subnets to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF1.

Shared Security Import Subnet: This configuration ensures that the security policies (contracts) associated with the shared subnets are also imported, allowing for the necessary traffic to flow between the internal and external endpoints1.

By applying this configuration set, the external subnet and internal EPG1 will be able to communicate, and the L3Out traffic will be properly leaked into the designated VRF, meeting the specified goals.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example1

For AAA configuration within the Cisco ACI fabric, where authentication should fall back to local users if the TACACS+ server is unreachable, and access must be granted through the fallback domain if the Cisco APIC is out of the cluster, the configuration set that meets these requirements is to have the Default Authentication Realm set to TACACS+ with Fallback Check enabled. This ensures that when the TACACS+ server cannot be reached, the system will fall back to using local authentication

To set Layer 2 loop migration in an ACI Fabric with a Layer 2 Out configured, MCP (Misconfiguration Protocol) must be enabled on the ACI fabric56. MCP helps to prevent Layer 2 loops by detecting misconfigurations that could potentially cause loops56.

In Cisco ACI, a leaf switch learns a source IP or MAC as a remote endpoint when VXLAN traffic arrives on a leaf fabric port from the spine, and the inner source IP is within the range of the bridge domain subnets associated with the leaf. This process is part of the ACI’s COOP (Council Of Oracles Protocol), which ensures that endpoint information is accurately disseminated across the fabric for efficient traffic forwarding.

 To export all configuration parameters necessary for disaster recovery in Cisco ACI, the setting that must be enabled is enabled JSON format export1. This format allows for a complete and structured export of the configuration that can be used for recovery purposes1.

b_KB_Using_Import_Export_to_Recover_Config_States.html

When configuring Cisco ACI VMM domain integration with VMware vCenter, the object that is created in vCenter is a VMware vSphere Distributed Switch (VDS)12. The VDS is a virtual switch that extends across all esxi hosts in the cluster and provides a centralized interface from which network configurations can be managed12. This switch allows network administrators to manage networking for multiple hosts and virtual machines from a single interface within vCenter12.

 In the scenario where Server2 information is missing from the Leaf 101 endpoint table and the COOP database of the spine, setting Layer 2 Unknown Unicast to Flood (Option B) is the correct action to meet the requirements. This setting will cause the ACI fabric to flood unicast packets destined for unknown destinations within the bridge domain. This ensures that packets from Server1 will reach Server2 even though its location isn’t known by Leaf 101 or the spine’s COOP database. frastructure/white-paper-c11-739989.html

 To have the endpoint table learn the IP addresses of endpoints in a bridge domain, unicast routing must be enabled1. This allows the bridge domain to learn the IP addresses of endpoints through the data plane1.

When deploying a new Cisco ACI Multi-Pod setup, it’s crucial to ensure that the Tunnel Endpoint (TEP) pool of the new pod is routable across the Inter-Pod Network (IPN). This allows the TEP addresses to be reachable across the pods, facilitating communication between them. Additionally, increasing the Maximum Transmission Unit (MTU) for all IPN routers is necessary to support the larger frame size required by VXLAN encapsulation, which is typically above the standard Ethernet MTU of 1500 bytes.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

To configure communication between the EPGs in different tenants, the subnet scope should be set to “Shared between VRFs”. This allows the subnet to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF. By marking the subnet as shared, it becomes visible to other VRFs, which is necessary for inter-tenant communication1.

References :=

Learning ACI - Part 12: Inter-VRF and Inter-Tenant Communication

The group of settings required to meet the requirements for workload migration where servers will physically terminate at the Cisco ACI, but their gateway must stay in the existing network, is:

L2 Unknown Unicast: Flood

L3 Unknown Multicast Flooding: Flood

Multi Destination Flooding: Flood in BD

ARP Flooding: Enable5

These settings ensure that the bridge domain is configured to handle unknown unicast and multicast traffic appropriately, and ARP flooding is enabled to allow for the resolution of IP addresses when the gateway is outside the fabric5.

enter/aci/apic/sw/migration_guides/migrating_existing_networks_to_aci.html

 In the scenario where Server A is connected to the Cisco ACI fabric using teamed interfaces with one active and one standby, enabling ARP flooding in the bridge domain configuration is necessary to resolve the issue that occurs when the standby interface becomes active and uses its built-in MAC address to send traffic. Enabling ARP flooding allows the fabric to learn the new MAC address without waiting for the ARP timeout, which helps to ensure that traffic continues to flow to the correct destination after a failover event1.

References :=

Discuss Cisco 300-620 Exam Topic 9 Question 71 | Pass4Success1

The method that the Cisco ACI fabric uses to load-balance multidestination traffic is forwarding tag trees3. This method involves assigning a forwarding tag (FTAG) to the traffic when it is forwarded within the fabric, ensuring efficient load balancing of multi-destination traffic3.

s/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010010.html

When configuring in-band management, the new construct that must be created is a bridge domain1.

In the Cisco ACI environment, when an engineer wants to enforce a specific path for ICMP replies and prevent packets from taking a direct path, setting Layer 2 Unknown Unicast to Hardware Proxy on the bridge domain (BD1) is the appropriate action. This setting ensures that the unknown unicast traffic, which includes ICMP packets destined for an unknown MAC address, is forwarded to the spine proxy. The spine proxy then forwards the packets based on the endpoint table information, ensuring that the packets follow the expected path through the fabric and do not take any shortcuts or direct paths that bypass the intended routing.

To securely back up the current Cisco ACI configuration to a remote location with encryption and authentication, and ensure that sensitive information is not exported, the following steps should be taken:

Create a Remote Location: Define a remote location where the backup will be stored. This involves specifying the hostname or IP address of the remote server and selecting the protocol (SCP/FTP/SFTP) to be used1.

Create a Configuration Export Policy: Set up an export policy that defines the format (XML/JSON) and the destination for the backup. This policy will also include the schedule for the backup to run once per day1.

Configure Global AES Encryption: To ensure that the backup is encrypted, configure the Global AES Encryption setting. This will allow for hashed secure properties, such as passwords and certificates, to be exported in an encrypted form. It’s important to configure a passphrase that is at least 16 characters long for the encryption1.

Schedule the Backup Job: Use the scheduler to set up the backup job to run once per day. This ensures that the backup process is automated and adheres to the customer’s security policy1.

Exclude Sensitive Information: To comply with the security policy that mandates sensitive information not be exported, ensure that the configuration export policy is set to exclude secure fields unless encryption is enabled1.

References :=

Cisco Guide on Creating a Backup for Your APIC Cluster1

Cisco Community Discussion on Backing Up ACI Configuration2

 To redistribute externally learned OSPF routes within the ACI fabric, a Route Control Profile must be configured1. This profile allows for the control of route redistribution and the application of route maps to influence routing decisions within the fabric1.

To support a new application that is sensitive to latency and jitter and sets the DSCP values of packets to AF31 and CS6, it is necessary to align the ACI Quality of Service (QoS) levels and Inter-Pod Network (IPN) QoS policies. This alignment ensures that the DSCP values are preserved and respected across the ACI fabric and the IPN, preventing packets from being delayed or dropped between pods.

References :=

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Best Practices Guide

Cisco ACI Quality of Service Configuration Guide

Enabling the “disable Remote EP learn” feature in Cisco ACI has the effect of preventing border leaf switches from receiving routes through peering with external routers. This feature is particularly useful when there is a mix of Gen1 and Gen2 hardware in the fabric, as it clears all the remote endpoints from the border leaf only. Traffic will still use hardware proxy if the endpoint is not learned on the border leaf, ensuring no operational impact12.

References :=

ACI Fabric Endpoint Learning White Paper2

Cisco Community Discussion on Disable Remote EP Learn

The two requirements for the IPN network when implementing a Multi-Pod ACI fabric are:

PIM ASM multicast routing2.

OSPF routing3.

To clear the critical fault related to B2B credit oversubscription in the ACI domain connectivity to the fiber channel storage, the value that should be chosen is 5101. This value is set to address the issue of B2B credit oversubscription and clear the critical fault as reported by the client1.