Pass the Cisco CCNP Data Center 300-620 Questions and answers with CertsForce

In a Cisco ACI fabric, when a silent host moves from one location to another without notifying the ACI leaf switch (e.g., via Gratuitous ARP), the detection mechanism depends on how the bridge domain is configured. Specifically, ARP flooding can help detect such silent hosts.

The scenario involves a tenant configured with a single L3Out and a single-homed link from the ACI fabric (via border leaf BL-1001) to a core router (Core-1). The engineer must add a second link to the L3Out, connecting to Core-2 via BL-1002, ensuring that traffic from Core-2 to BL-1002 has the same connectivity as traffic from Core-1 to BL-1001. The exhibit shows a single-homed setup with BL-1001 and BL-1002 as potential border leaves, with a dashed line indicating a planned second link.

Requirement Analysis

The existing L3Out is single-homed to Core-1 via BL-1001, and the goal is to extend it to a multi-homed configuration with Core-2 via BL-1002.

"Same connectivity" implies that the second link must be integrated into the existing L3Out configuration, sharing the same routing policies, external EPG, and subnet reachability.

The solution must leverage ACI’s L3Out framework to add the new path without creating a separate L3Out or altering the current routing setup unnecessarily.

Option Evaluation

A. Add a second path to the logical interface profile of the existing L3Out:

The logical interface profile in an L3Out defines the interfaces (e.g., routed ports or sub-interfaces) and their associations with nodes (border leaves). Adding a second path to this profile allows the inclusion of the new link from BL-1002 to Core-2, ensuring it operates under the same L3Out configuration (e.g., routing protocol, external EPG). This maintains consistent connectivity and leverages ACI’s multi-homing support.

To connect Cisco ACI fabric using Layer 2 with external third-party switches configured using 802.1s protocol, the two constructs required are:

Spanning tree policy for mapping MST Instances to VLANs (Option A): This policy will ensure that the Multiple Spanning Tree (MST) instances on the third-party switches are correctly mapped to the VLANs in the ACI fabric.

Static binding of native VLAN in all existing EPGs (Option E): This construct is necessary to maintain the native VLAN across all EPGs when integrating with third-party switches that use 802.1s protocol.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKACI-3101.pdf

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-in frastructure/white-paper-c07-732033.html

To meet the criteria for configuring the Cisco ACI fabric to connect to vCenter, the following actions should be taken:

Create a dynamic VLAN pool with the VLAN range of 20-30: This step involves creating a VLAN pool that dynamically assigns VLANs within the specified range to the port groups as they are created1.

Create a VMM domain and associate it with the VLAN pool: The VMM domain is a representation of the VMware vSphere Distributed Switch (VDS) in ACI, and associating it with the VLAN pool allows for the automatic creation of port groups on the VDS1.

Create the EPG and associate the domain: An Endpoint Group (EPG) is a logical entity to which workloads are attached. Associating the EPG with the VMM domain ensures that the port groups are automatically created in vCenter when the EPG is associated with a VMM domain1.

Set the deployment immediacy to On Demand: Setting the deployment immediacy to ‘On Demand’ optimizes the CAM space on the leaf switches by deploying policies to leaf nodes only when endpoints assigned to this EPG are connected, rather than immediately upon configuration12.

By following these steps, the network engineer can ensure that the Cisco ACI fabric is correctly configured to connect to vCenter, with port groups being automatically created on the distributed virtual switch, using the VLAN allocation in the range between 20-30, and optimizing the CAM space on the leaf switches.

To enable connectivity for the external endpoints in the 172.16.1.0/24 subnet, the following actions should be taken:

Delete both external EPG subnets: This action removes any specific subnet configurations that might be causing routing issues or conflicts within the external EPG1.

Create the 0.0.0.0/0 subnet: By configuring a 0.0.0.0/0 subnet, you are effectively creating a default route that allows all traffic to be routed, ensuring that endpoints in any subnet, including the 172.16.1.0/24 subnet, can reach internal endpoints1.

This configuration change addresses the issue where traffic from the 172.16.1.0/24 subnet is not reaching the internal endpoints, likely due to a lack of a default route or misconfigured subnets within the external EPG

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

 In Cisco ACI, a contract is used to define the communication policy between EPGs (Endpoint Groups). It specifies which types of traffic are allowed to pass between EPGs and can include filters for protocols, ports, and other attributes. In the context of the logical system design, the contract would be the object that completes the communication requirements as indicated by the dotted line in the exhibit12.

References :=

Cisco Application Centric Infrastructure (ACI) Design Guide1

Cisco ACI Policy Model Guide2

To support cross-site connectivity in a production Multi-Site solution, where connectivity from EPGs from a specific site to networks reachable through a remote site L3OUT is required, the additional configuration that must be implemented in the Multi-Site Orchestrator is to add a new stretched external EPG to the existing L3OUT1. This allows the EPGs from one site to communicate with the networks defined in the L3OUT at the remote site, facilitating the required connectivity across sites.

References :=

Cisco ACI Multi-Site Configuration Guide1

 To design a method that allows the Cisco ACI to redirect traffic to the firewalls based on specific L4-L7 policy rules and distribute the load across multiple firewalls, the action that must be taken is to Configure ACI Service Graph with Unidirectional PBR (

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/applicatio n-centric-infrastructure/white-paper-c11-739971.html