Pass the Cisco CCNP Data Center 300-620 Questions and answers with CertsForce

To filter the System Faults page and view only the active faults present in the Cisco ACI fabric, the two lifecycle stages that must be selected for filtering are:

Raised (Option A): This stage indicates that the fault is currently active and has been raised.

Raised, Clearing (Option D): This combination indicates that the fault is active but is in the process of being cleared.

The two actions that extend a Layer 2 domain beyond the ACI fabric are extending the bridge domain out of the ACI fabric (Option D) and extending the EPG out of the ACI fabric (Option E)34. Extending the bridge domain involves creating a Layer 2 outside connection, while extending the EPG involves statically assigning a port with a VLAN ID to an EPG34.

To ensure that users can access the Cisco APIC GUI with a local account if the RADIUS server is unreachable, the network administrator must enable the fallback check with the default authentication domain. This allows for local authentication as a backup method when RADIUS is not available. The fallback mechanism is crucial for maintaining access to the APIC GUI in case of RADIUS server issues1.

References :=

Cisco Community Discussion on Auth Radius fallback to Local1

Cisco APIC Security Configuration Guide

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/5x/security-configuration/cisco-apic-security-configuration-guide-release-52x/protocol-authentication-52x.html

The engineer is implementing out-of-band (OOB) management access for the Cisco ACI fabric with the following requirements:

Only GUI (HTTPS) and Secure Shell (SSH) must be allowed to access the management interfaces.

Only IP ranges 10.10.10.0/24 and 192.168.15.0/24 must be permitted to connect.

This requires configuring access control and restricting IP ranges for OOB management.

Requirement Analysis

OOB management in ACI is typically handled via the Management Tenant (mgmt) and an OOB contract to define allowed protocols and sources.

The external network instance profile defines the permitted IP ranges for external access.

Option Evaluation

A. Implement HTTPS and SSH protocol filters in the OOB contract. Add the required subnets to the external network instance profile:

An OOB contract can specify allowed protocols (HTTPS on port 443 and SSH on port 22) to restrict access to GUI and SSH only. Adding the subnets 10.10.10.0/24 and 192.168.15.0/24 to the external network instance profile limits the source IP ranges, meeting both requirements.

 In a Cisco ACI fabric, the spine switches are typically configured as route reflectors. This is because spine switches are central to the fabric’s architecture and are responsible for interconnecting all the leaf switches, making them ideal for reflecting BGP routes within the fabric. Therefore, the components that should be configured as route reflectors are:

Spine1 (Option A)

Spine2 (Option C)

When traffic is received from a Layer 3 Out (L3Out) on the ingress leaf switch in a Cisco ACI fabric, the source IP address of the traffic is learned as a remote endpoint. This is because the traffic is entering the ACI fabric from an external network, and the source IP is considered remote to the fabric.

 In Cisco Application Centric Infrastructure (ACI), when a subnet is configured on a bridge domain, the gateway IP address is configured on the leaf switches where the bridge domain of the tenant is present. This configuration allows for localized routing within the fabric, providing efficient east-west traffic handling without requiring traffic to traverse up to the spine nodes unless necessary for north-south routing or policy enforcement.