Free and Premium Cisco 300-620 Dumps Questions Answers

 In the Cisco ACI Active-Active Across Pods deployment mode, one of the key characteristics of Policy-Based Redirect (PBR) is that traffic is dynamically redirected to the firewall that owns the connection. This allows for load distribution across multiple Layer 4 to Layer 7 devices, also known as symmetric PBR. Additionally, deployment in this mode occurs in go-to mode only, which means that traffic is explicitly directed to a service node or firewall for processing

 When configuring ACI VMM domain integration with Cisco UCS-B Series, the type of port channel policy that must be configured in the vSwitch policy is MAC Pinning-Physical-NIC-load. This policy type allows for the distribution of traffic across physical NICs based on MAC address hashing, which is suitable for environments where dynamic port channels (LACP) are not used.

To move the gateway address for VLAN 1001 from the core outside the Cisco ACI fabric into the Cisco ACI fabric and ensure that endpoints in EPG-1001 route traffic to endpoints in other EPGs while minimizing flooded traffic in the fabric, the following configuration set is needed on the bridge domain:

Enable Hardware Proxy: This step involves enabling the hardware proxy feature, which allows the fabric to learn and maintain endpoint information more efficiently7.

Enable Unicast Routing: This step involves enabling unicast routing within the bridge domain, which allows for the routing of traffic between different EPGs and minimizes flooded traffic

The method that the Cisco ACI fabric uses to load-balance multidestination traffic is forwarding tag trees3. This method involves assigning a forwarding tag (FTAG) to the traffic when it is forwarded within the fabric, ensuring efficient load balancing of multi-destination traffic3.

s/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010010.html

When designing two data centers based on Cisco ACI technology that can extend L2/L3, VXLAN, and network policy across locations with ACI Multi-Pod, the two requirements that must be considered are:

A single APIC Cluster is required in a Multi-Pod design4.

ACI Multi-Pod requires an IP Network supporting PIM-Bidir2.

To meet the requirement of sending all faults and events related to endpoint groups, bridge domains, and VRFs to the new SNMP configuration and syslog servers, the network engineer should utilizecommon tenant monitoring policies in the Cisco APIC. The common tenant is used for global configurations that apply across the entire fabric, including monitoring policies.

 In the context of ACI Multi-Site, the information of an endpoint (MAC/IP) that belongs to site 1 is advertised to site 2 using the EVPN control plane as soon as the endpoint is discovered in one site. This allows for immediate visibility of the endpoint across sites.

To backup the PRODUCTION tenant configuration on the APIC using a markup language and include all secure information, the network engineer must use an export policy that allows for exporting in a markup language format such as XML or JSON and includes secure attributes. In this case, the correct export policy is Option A, which shows an interface with “Export-Tenant-Production” where the format can be selected as ‘xml’ or ‘json’, and there is an option to modify global AES encryption settings, indicating that secure information can be included in the backup.

References :=

Cisco Application Policy Infrastructure Controller (APIC) - Cisco APIC

Cisco Application Centric Infrastructure Best Practices Guide - Cisco ACI Design Guide

The image shows a graphical user interface for an export policy named “Export-Tenant-Production.” The interface provides options to select the format of the backup (either ‘json’ or ‘xml’), whether to start now with options ‘Yes’ or ‘No’, a field for Target DN with ‘/tn-PRODUCTION’filled in, a scheduler dropdown menu, and a checkbox for modifying global AES encryption settings which is enabled. This image is relevant because it depicts how to configure an export policy on Cisco’s APIC to backup tenant configurations securely.

To reduce instability during the migration of a legacy environment to Cisco ACI, the feature that should be enabled in the bridge domain is to Set Multi-Destination Flooding to Flood in BD (Option A). This setting allows unknown multicast, broadcast, and unknown unicast traffic to be flooded within the bridge domain, which can help prevent traffic loss during the migration process.

To filter the System Faults page and view only the active faults present in the Cisco ACI fabric, the two lifecycle stages that must be selected for filtering are:

Raised (Option A): This stage indicates that the fault is currently active and has been raised.

Raised, Clearing (Option D): This combination indicates that the fault is active but is in the process of being cleared.

To connect Cisco ACI fabric using Layer 2 with external third-party switches configured using 802.1s protocol, the two constructs required are:

Spanning tree policy for mapping MST Instances to VLANs (Option A): This policy will ensure that the Multiple Spanning Tree (MST) instances on the third-party switches are correctly mapped to the VLANs in the ACI fabric.

Static binding of native VLAN in all existing EPGs (Option E): This construct is necessary to maintain the native VLAN across all EPGs when integrating with third-party switches that use 802.1s protocol.

frastructure/white-paper-c07-732033.html

To support cross-site connectivity in a production Multi-Site solution, where connectivity from EPGs from a specific site to networks reachable through a remote site L3OUT is required, the additional configuration that must be implemented in the Multi-Site Orchestrator is to add a new stretched external EPG to the existing L3OUT1. This allows the EPGs from one site to communicate with the networks defined in the L3OUT at the remote site, facilitating the required connectivity across sites.

References :=

Cisco ACI Multi-Site Configuration Guide1

To redirect HTTP traffic between the EPG client and EPG server through the Cisco ASA firewall using a service graph in Cisco ACI, a precise filter must be configured to allow only HTTP traffic. This filter will specify the protocol (HTTP) and the Layer 4 port (typically port 80 for HTTP) to ensure that only HTTP traffic is redirected to the firewall for inspection or processing. The service graph can then be associated with the relevant EPGs to enforce the redirection1.

References :=

Service Graph Design with Cisco ACI (Updated to Cisco APIC Release 5.2) White Paper

The Cisco AV Pair resolves to a managed object class. In the context of Cisco ACI, the AV Pair is used to define specific attributes for RADIUS users, which then map to managed objects within the ACI fabric3.

The group of settings required to meet the requirements for workload migration where servers will physically terminate at the Cisco ACI, but their gateway must stay in the existing network, is:

L2 Unknown Unicast: Flood

L3 Unknown Multicast Flooding: Flood

Multi Destination Flooding: Flood in BD

ARP Flooding: Enable5

These settings ensure that the bridge domain is configured to handle unknown unicast and multicast traffic appropriately, and ARP flooding is enabled to allow for the resolution of IP addresses when the gateway is outside the fabric5.

enter/aci/apic/sw/migration_guides/migrating_existing_networks_to_aci.html

Related image, diagram or screenshot

To advertise a bridge domain subnet out of the ACI fabric to an OSPF neighbor, the following configuration steps are required:

Configure Subnet scope to Advertised Externally: This step involves setting the scope of the subnet within the bridge domain to be advertised externally, which allows the subnet to be propagated to external routing entities3.

Add L30ut profile to the bridge domain using Associated L30uts section: This step involves associating the bridge domain with an L3Out profile, which is necessary for the bridge domain subnet to be advertised to OSPF neighbors4.

To ensure authentication if the RADIUS servers are unavailable, the action that should be taken is to set the fallback login to local. This setting allows users to authenticate using the local database on the Cisco APIC when external RADIUS servers cannot be reached.

To enable communication between the external subnet and internal EPG1, and to allow L3Out traffic to leak into the VRF named “VF1”, the following configuration set should be used:

External Subnets for External EPG: This configuration defines the subnets that are external to the ACI fabric but need to be reachable from within the fabric. It is necessary to specify which subnets are to be considered part of the L3Out1.

Shared Route Control Subnet: This setting allows the subnets to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF1.

Shared Security Import Subnet: This configuration ensures that the security policies (contracts) associated with the shared subnets are also imported, allowing for the necessary traffic to flow between the internal and external endpoints1.

By applying this configuration set, the external subnet and internal EPG1 will be able to communicate, and the L3Out traffic will be properly leaked into the designated VRF, meeting the specified goals.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example1

In a Cisco ACI environment with multiple silent hosts that are often relocated between leaf switches, configuring IP Data-Plane Learning to ‘No’ will minimize the relocation impact and make the ACI fabric relearn the new location of the host faster. Disabling IP Data-Plane Learning prevents the fabric from learning IP addresses from the data plane, which can speed up the process of relearning host locations when they move3.

To configure leaf and spine switches in a Cisco ACI fabric to use out-of-band management for NTP protocol, an Override Policy with NTP Out-of-Band must be created. This policy specifies that NTP traffic should be directed through the out-of-band management network, separate from the in-band management traffic, ensuring dedicated management connectivity for time synchronization.

To advertise the 0.0.0.0/0 prefix out on L3Out-2 OSPF, when it is configured as a default static route on L3Out-1, the action that should be taken is to enable the Export Route Control Subnet. This setting allows the default route to be advertised to other L3Outs, enabling the ACI fabric to act as a transit network1.

References :=

ACI Fabric L3Out White Paper - Cisco1

The purpose of the Overlay Multicast TEP (O-MTEP) in a Cisco ACI Multi-Site deployment is to perform head-end replication for BUM (Broadcast, Unknown unicast, Multicast) traffic. This common anycast address is shared by all the spine nodes in the same site and is used to replicate BUM traffic across the sites4.

The setting that prevents the learning of Endpoint IP addresses whose subnet does not match the bridge domain subnet is the “Limit IP learning to subnet” setting within the bridge domain1. This setting ensures that only IP addresses belonging to the subnets configured on the bridge domain are learned, preventing mis-learning of IP addresses that may not belong to the fabric1.

 For Cisco ACI IPN (Inter-Pod Network) to manage multidestination traffic, multicast routing is a requirement. This is because multidestination traffic includes broadcast, unknown unicast, and multicast (BUM) traffic, which needs to be efficiently transported across different pods in a Cisco ACI Multi-Pod environment. Multicast routing protocols like Bidirectional Protocol-Independent Multicast (Bidir PIM) are used to handle this type of traffic1.

References :=

Cisco Application Centric Infrastructure Multi-Pod Configuration White Paper1

When a pre-provision immediacy is used, the policy is downloaded to the Cisco ACI leaf switch and programmed into the hardware policy Content Addressable Memory (CAM) as soon as the change isimplemented on the Cisco Application Policy Infrastructure Controller (APIC). This means that the policy is ready on the leaf switch before any endpoints are actually connected.

The import mode that must be used to ensure that the import process terminates if the imported configuration is incompatible with the existing system is the ‘atomic’ mode. This mode ignores shards that contain objects that cannot be imported while proceeding with shards that can be imported. If the incoming configuration’s version is incompatible with the existing system, the import process will terminate2.

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

The COOP (Council Of Oracle Protocol) database is located on each spine switch within the Cisco ACI fabric. The COOP database is responsible for maintaining a consistent copy of endpoint address and location information across the fabric

 In the Cisco ACI VMM domain configuration, to generate port groups with names formatted as “Tenant=Application=EPG”, the configuration option used is delimiter. The delimiter is a character that separates the elements of the port-group name. By changing the delimiter setting to “=”, the port-group names will be generated with the desired format.

To migrate the gateway address out of the ACI fabric for an endpoint group (EPG), the bridge domain configuration must ensure that routing is contained within the ACI fabric and that ARP requests are managed efficiently. The correct configuration set is:

L2 Unknown Unicast: Set to Hardware Proxy. This setting allows the ACI fabric to use the spine proxy function to handle unknown unicast traffic, which helps to reduce flooding within the fabric.

Unicast Routing: Set to Disabled. Since the gateway is being migrated out of the ACI fabric, unicast routing should be disabled to prevent the ACI fabric from attempting to route traffic for the EPG.

ARP Flooding: Set to Enabled. This allows ARP requests to be flooded within the bridge domain, which is necessary when the unicast routing is disabled, to ensure that ARP requests can still be resolved.

References :=

Cisco ACI Bridge Domain Configuration Guide

Cisco ACI Best Practices Guide

In a Cisco ACI configuration with IEEE 802.1p ports, the traffic exits from the EPG untagged from leaf ports. This means that when the port is configured in Access (802.1p) mode and the access VLAN is the only VLAN deployed on the port, then traffic will be untagged on egress56.

 To prevent a fault from appearing that is not directly relevant to the environment, the ACI administrator should create a fault severity assignment policy that hides the fault. This can be done by selecting “Ignore Fault” under System -> Faults in the APIC UI2

 To redistribute externally learned OSPF routes within the ACI fabric, a Route Control Profile must be configured1. This profile allows for the control of route redistribution and the application of route maps to influence routing decisions within the fabric1.

The two protocols that support accessing backup files on a remote location from the APIC are FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol). Both FTP and SFTP allow for the transfer of files to and from a remote location, but SFTP provides an additional layer of security by utilizing SSH.

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

The supported physical topology for a Cisco ACI data center network that includes Cisco Nexus 2000 Series 10G fabric extenders is depicted in Option A. This topology illustrates a pair of spine switches connected to leaf switches, which are then connected to the fabric extenders. The Cisco Nexus 2000 Series Fabric Extenders act as remote line cards for a parent Cisco Nexus switch, extending the network fabric. The topology shown is a spine-leaf architecture, which is a scalable, high-bandwidth framework that is typical in ACI deployments.

References :=

For a detailed understanding of the ACI fabric and supported topologies, you can refer to the Cisco Application Centric Infrastructure Design Guide, which provides comprehensive information on design recommendations and deployment models: Cisco ACI Design Guide.

To learn more about the role of fabric extenders in the ACI architecture, the following resource offers insights into how they integrate with the ACI fabric: Understanding the ACI Fabric.

 To configure a group of servers with a contract that uses TCP port 80 and requires an external Layer 3 cloud to initiate communication, the EPG that contains the web servers should be configured as a consumer of the contract, and the Layer 3 Out (L3Out) should be configured as the provider of the contract. This configuration establishes the direction of the contract and allows the external Layer 3 cloud to initiate communication with the web servers within the EPG.

The L3Out subnet configuration option that creates an inbound route map for route filtering is Import Route Control Subnet3. This option allows for the application of route maps to incoming routes from external networks, providing granular control over which routes are allowed into the ACI fabric3.

o protect the ACI fabric from spanning-tree loops, the feature that must be enabled on the ACI leaf ports is BPDU Guard 

To clear the critical fault related to B2B credit oversubscription in the ACI domain connectivity to the fiber channel storage, the value that should be chosen is 5101. This value is set to address the issue of B2B credit oversubscription and clear the critical fault as reported by the client1.

 To have the endpoint table learn the IP addresses of endpoints in a bridge domain, unicast routing must be enabled1. This allows the bridge domain to learn the IP addresses of endpoints through the data plane1.

To create a backup of the Cisco ACI fabric for disaster recovery that is secure, encrypted, and in a format conducive to processing with a Python script, the engineer must select Secure Copy Protocol (SCP) for secure and encrypted transport. The backup file should be in JSON format, which is similar to a Python dictionary and can be easily processed by a Python script. Additionally, enabling Global AES Encryption ensures that all user and password-related information is included securely in the backup1.

To implement a Layer 3 out (L3Out) inside the Cisco ACI fabric that meets the specified requirements, the following steps should be taken:

Configure the OSPF Protocol policy with an area of 0: This step involves setting up OSPF, a link-state routing protocol that supports hierarchical network design, as the routing protocol for the L3Out1.

Create Routed Outside object and Node Profile, selecting OSPF: This step involves creating a Routed Outside object and associating it with a Node Profile that specifies OSPF as the routing protocol1.

Build the Interface profile, selecting Routed Sub-interface and the appropriate VLAN: This step involves creating an Interface profile for the connection to the data center core switch, using 802.1Q tagging for VLAN separation2.

Configure the External Network object with a network of 0.0.0.0/0: This step involves setting up the External Network object to advertise routes to the rest of the network1.

To configure a Cisco ACI system to detect network loops for both untagged and tagged traffic and to stop the loop by disabling an interface within 4 seconds, the following configuration must be used:

Enable Mis-Cabling Protocol (MCP): MCP detects loops from external sources and will err-disable the interface on which Cisco ACI receives its own packet. This is crucial for preventing loops in the network1.

Configure MCP Transmit Frequency: Set the MCP transmit frequency to a value that allows for quick loop detection. The Cisco ACI fabric provides faster loop detection with transmit frequencies from 100 milliseconds to 300 seconds. To meet the requirement of detecting and stopping a loop within 4 seconds, you would set the transmit frequency to a value less than 4 seconds2.

Set Action on Loop Detection: Configure the MCP policies to identify loops and decide how to act upon them. You can set the policy to generate a syslog message or disable the port upon loop detection2.

Implement Error Disabled Recovery Policy: Configure an error disabled recovery policy to automatically re-enable ports that were disabled due to loop detection after a configurable interval2.

By implementing these configurations, the Cisco ACI system will be able to detect and stop network loops quickly and efficiently, ensuring network stability and preventing potential disruptions.

References :=

Cisco APIC Online Help - Loop Detection2

Cisco ACI Best Practices Quick Summary

 In Cisco ACI, a contract is used to define the communication policy between EPGs (Endpoint Groups). It specifies which types of traffic are allowed to pass between EPGs and can include filters for protocols, ports, and other attributes. In the context of the logical system design, the contract would be the object that completes the communication requirements as indicated by the dotted line in the exhibit12.

References :=

Cisco Application Centric Infrastructure (ACI) Design Guide1

Cisco ACI Policy Model Guide2

In the context of VMM, the protocol between ACI leaf and compute hosts that ensures that the policies are pushed to the leaf switches for immediate and on-demand resolution immediacy is LLDP (Link Layer Discovery Protocol)2. LLDP is used for discovery and to ensure that the policies are applied as needed for the virtual machines2.

When extending an EPG out of the ACI fabric using static path binding, it is true that external endpoints are in the same EPG as the directly attached endpoints8. This means that traffic received on a statically bound leaf port with a specific VLAN ID is mapped to the EPG, and the same policies applied to directly attached endpoints are enforced on the external endpoints8.

 In the scenario where Server A is connected to the Cisco ACI fabric using teamed interfaces with one active and one standby, enabling ARP flooding in the bridge domain configuration is necessary to resolve the issue that occurs when the standby interface becomes active and uses its built-in MAC address to send traffic. Enabling ARP flooding allows the fabric to learn the new MAC address without waiting for the ARP timeout, which helps to ensure that traffic continues to flow to the correct destination after a failover event1.

References :=

Discuss Cisco 300-620 Exam Topic 9 Question 71 | Pass4Success1

The two protocols used for fabric discovery in Cisco ACI are LLDP (Link Layer Discovery Protocol) and ISIS (Intermediate System to Intermediate System). LLDP is used for neighbor discovery on the data link layer, while ISIS is a routing protocol used for reachability between the TEP IPs (VTEPs) within the ACI fabric23.

The correct statement about ACI syslog is that all syslog messages are sent to the destination through APIC1. This centralized approach allows for consistent logging and monitoring across the ACI fabric1.

To complete the task of configuring a Layer 3 connection to the WAN router and allowing hosts in the production VRF to access WAN subnets, the engineer should configure the Export Route Control Subnet scope for the external EPG. This setting allows the subnets associated with the external EPG to be advertised to external routers, enabling connectivity to the WAN.

ACI uses the SCP (Secure Copy Protocol) to securely save the configuration in a remote location. SCP is a network protocol that supports file transfers and relies on the Secure Shell (SSH) protocol to provide security for the transferred data.

When configuring in-band management, the new construct that must be created is a bridge domain1.

 In Cisco ACI, the object classes are used to categorize different types of managed objects within the ACI model. The output presented is indicative of a Tenant class object. Tenants in ACI are a top-level container for application policies, essentially providing a unit of isolation from other tenants. Each tenant can contain its own application policies, services, and network policies, and they are separate from other tenants to ensure multi-tenancy1.

References :=

Cisco ACI Policy Model Guide1

Object Renaming in Cisco ACI - Cisco2

Application Centric Infrastructure (ACI) REST API Guide - Cisco DevNet

/apic/sw/4-x/openstack/ACI-Installation-Guide-for-Red-Hat-Using-OSP13-Director/m-configuring-ironic-for-openstack.html

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2