300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Questions and Answers

To meet the requirement of sending all faults and events related to endpoint groups, bridge domains, and VRFs to the new SNMP configuration and syslog servers, the network engineer should utilize common tenant monitoring policies in the Cisco APIC. The common tenant is used for global configurations that apply across the entire fabric, including monitoring policies.

The method that the Cisco ACI fabric uses to load-balance multidestination traffic is forwarding tag trees3. This method involves assigning a forwarding tag (FTAG) to the traffic when it is forwarded within the fabric, ensuring efficient load balancing of multi-destination traffic3.

https://www.cisco.com/c/en/us/td/doc s/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_010010.html

When extending an EPG out of the ACI fabric using static path binding, it is true that external endpoints are in the same EPG as the directly attached endpoints8. This means that traffic received on a statically bound leaf port with a specific VLAN ID is mapped to the EPG, and the same policies applied to directly attached endpoints are enforced on the external endpoints8.

The scenario involves a Cisco ACI fabric with 10 standalone leaf switches, and the engineer must configure only the first two leaf switches (e.g., Leaf-1 and Leaf-2) in a Virtual Port Channel (vPC) configuration. The goal is to select the appropriate vPC protection type to achieve this specific pairing while leaving the other eight leaf switches standalone.

Requirement Analysis

In Cisco ACI, vPC is used to provide active-active link redundancy and load balancing between two leaf switches connected to the same set of endpoints (e.g., servers or external devices).

The fabric contains 10 standalone leaf switches, meaning no pre-existing vPC pairs are configured, and the task is to form a vPC specifically between the first two leaf switches.

The vPC protection type determines how the pair is defined and protected within the ACI fabric, ensuring the configuration is limited to the intended switches.

Option Evaluation

A. serial:

The "serial" protection type is not a valid vPC protection option in Cisco ACI. This term might be confused with serial link configurations or other networking contexts, but it does not apply to vPC in ACI.

 To resolve the VRF route leaking issue and ensure that the route in the Non-Production:vrf-nonprod VRF to the production tenant is present, the action that should be taken is to enable the “Shared between VRFs” option for the bridge domain (BD) subnet in the production VRF. This setting allows the subnet to be shared across different VRFs within the same tenant or across tenants, enabling communication between EPGs that are in different VRFs1.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example

The type of policy that configures the suppression of faults generated from a port being down is the ‘fault severity assignment’ policy. This policy allows administrators to change the severity of a fault or suppress it altogether, which can be useful for managing expected faults and reducing noise from non-critical events

To monitor all configuration changes, threshold crossing, and link-state transitions in a Cisco ACI fabric, the action that must be taken is to Include Audit Logs and Events in the Syslog source policy 

https://community.cisco.com/legacy fs/online/attachments/blog/technote-aci-syslog_external-latest.pdf

https://www.cis co.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/all/faults/guide/b_APIC_Faults_Errors/b_IFC_Faults_Errors_chapter_010.html

Associating the VMM domain with the EPGs (Endpoint Groups) that must be available in vCenter is the action that accomplishes the goal of creating port groups automatically in vSphere and propagating them to hypervisors when created in the ACI environment. This integration allows the APIC to automatically create port groups in the VMware vCenter under the VDS (vSphere Distributed Switch), which provisions the network policy in the VMware vCenter

 A bridge domain in Cisco ACI represents a Layer 2 forwarding construct345. It defines a unique Layer 2 MAC address space and can include one or more subnets. Bridge domains are associated with a VRF and can contain multiple EPGs345.

To configure a Cisco ACI system to detect network loops for both untagged and tagged traffic and to stop the loop by disabling an interface within 4 seconds, the following configuration must be used:

Enable Mis-Cabling Protocol (MCP): MCP detects loops from external sources and will err-disable the interface on which Cisco ACI receives its own packet. This is crucial for preventing loops in the network1.

Configure MCP Transmit Frequency: Set the MCP transmit frequency to a value that allows for quick loop detection. The Cisco ACI fabric provides faster loop detection with transmit frequencies from 100 milliseconds to 300 seconds. To meet the requirement of detecting and stopping a loop within 4 seconds, you would set the transmit frequency to a value less than 4 seconds2.

Set Action on Loop Detection: Configure the MCP policies to identify loops and decide how to act upon them. You can set the policy to generate a syslog message or disable the port upon loop detection2.

Implement Error Disabled Recovery Policy: Configure an error disabled recovery policy to automatically re-enable ports that were disabled due to loop detection after a configurable interval2.

By implementing these configurations, the Cisco ACI system will be able to detect and stop network loops quickly and efficiently, ensuring network stability and preventing potential disruptions.

References :=

Cisco APIC Online Help - Loop Detection2

Cisco ACI Best Practices Quick Summary

The type of port used for in-band management within ACI fabric is the spine switch port4.

ACI Multi-Site architecture is designed to interconnect geographically dispersed data centers and extend Layer 2 and Layer 3 connectivity between those locations with consistent policy enforcement. It allows for either a single APIC cluster to manage multiple ACI sites or supports a dedicated APIC cluster per site. This architecture ensures a scalable and flexible approach to managing multiple data center sites, providing a unified policy framework and operational model across the sites34.

References :=

Cisco Multi-Site Deployment Guide for ACI Fabrics3

Cisco ACI Multi-Site Architecture White Paper4

To ensure that Cisco ACI flushes the appropriate endpoints when a topology change notification message is received in an MST domain, the three steps required are:

Enable the BPDU interface controls under the spanning tree interface policy (Option A)2.

Bind the spanning tree policy to the switch policy group (Option C)3.

Associate the STP interface policy to the appropriate interface policy group (Option D)3. These steps ensure that the ACI fabric responds correctly to STP events, such as topology changes, by flushing the MAC address table and the Local Station Table for the affected VLAN on the leaf switch4.

To support the addition of new ESXi hosts to the existing VMM domain, the action that should be taken is to map the leaf interface selector to the AEP that is associated with the VMM domain (Option D). This ensures that the correct policies are applied to the interfaces where the new ESXi hosts are connected.

 For a blade server that lacks support of bonding, the port channel mode that results in “route based on originating virtual port” on the VMware VDS is MAC Pinning-Physical-NIC-load (Option B). This mode ensures that the virtual machine traffic is distributed across the available uplinks based on the MAC address of the originating virtual port1.

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/virtualization/cisco-aci-virtualization-guide-60x/ACI-Virtualization-Guide-60x-aci-with-vmware-vds.pdf

 When VM2 is live migrated from POD1 to POD2, the spines in POD2 will send an MP-BGP EVPN update to the leaves in POD1. This update informs the leaves in POD1 about the new location of VM2, allowing them to update their forwarding tables and ensure that traffic destined for VM2 is correctly routed to its new location in POD2.

The Cisco APIC configuration that prevents a remote network that is not configured on the bridge domain from being learned by the fabric is to enable Limit IP Learning to Subnet2. This setting restricts IP address learning to only those subnets that are defined on the bridge domain2.

In the Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) are flooded within the bridge domain VLAN. This allows the BPDUs to be propagated throughout the bridge domain, enabling STP to function correctly for the associated VLAN.

To meet the requirements for the new endpoint group’s bridge domain in the Cisco ACI fabric, the following actions must be taken:

Disable ARP Flooding: This action prevents ARP requests from being broadcast across the entire bridge domain, which reduces excessive broadcast traffic.

Enable Limit IP Learning to Subnet: This setting restricts IP address learning to only those IPs within the configured subnet, minimizing the impact of misconfigured virtual machines.

Enable Unicast Routing on the bridge domain and configure a subnet: Enabling unicast routing allows the bridge domain to function as the default gateway for the subnet, ensuring that routing remains within the Cisco ACI fabric.

In Cisco ACI, Intra-EPG Isolation is a feature that prevents communication between endpoints within the same EPG. By default, endpoints in the same EPG can communicate freely without requiring contracts. To disable communication between two backup servers within the same EPG (e.g., in the "Backup EPG"), you need to enforce Intra-EPG Isolation.

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

To implement a Layer 3 out (L3Out) inside the Cisco ACI fabric that meets the specified requirements, the following steps should be taken:

Configure the OSPF Protocol policy with an area of 0: This step involves setting up OSPF, a link-state routing protocol that supports hierarchical network design, as the routing protocol for the L3Out1.

Create Routed Outside object and Node Profile, selecting OSPF: This step involves creating a Routed Outside object and associating it with a Node Profile that specifies OSPF as the routing protocol1.

Build the Interface profile, selecting Routed Sub-interface and the appropriate VLAN: This step involves creating an Interface profile for the connection to the data center core switch, using 802.1Q tagging for VLAN separation2.

Configure the External Network object with a network of 0.0.0.0/0: This step involves setting up the External Network object to advertise routes to the rest of the network1.

By enabling Global AES Encryption and ensuring secure data inclusion, you can safely back up and restore the Cisco ACI fabric configuration, including the vCenter password.

When the Cisco ACI fabric has a stale endpoint entry for the destination endpoint, the traffic flow is affected in that the leaf switch floods the traffic to the endpoint throughout the fabric (Option C). This flooding occurs because the leaf switch does not have the correct location of the endpoint in its endpoint table, leading it to flood the traffic in an attempt to reach the destination.

 In the Cisco ACI Active-Active Across Pods deployment mode, one of the key characteristics of Policy-Based Redirect (PBR) is that traffic is dynamically redirected to the firewall that owns the connection. This allows for load distribution across multiple Layer 4 to Layer 7 devices, also known as symmetric PBR. Additionally, deployment in this mode occurs in go-to mode only, which means that traffic is explicitly directed to a service node or firewall for processing

The Infrastructure VLAN is automatically configured during the Cisco ACI fabric discovery process. This VLAN, often referred to as the “infra VLAN,” is used to enable internal communication between the ACI fabric components, such as the leaf and spine nodes. It is vital for the overlay network and the control plane functionality. In the provided output, VLAN 3600 represents the Infrastructure VLAN, which is configured for inter-node communication.

To filter the System Faults page and view only the active faults present in the Cisco ACI fabric, the two lifecycle stages that must be selected for filtering are:

Raised (Option A): This stage indicates that the fault is currently active and has been raised.

Raised, Clearing (Option D): This combination indicates that the fault is active but is in the process of being cleared.

In Cisco ACI, the mgmt0 interface is used for out-of-band (OOB) management, and its IP address must be explicitly assigned through the Node Management Address Policy under the mgmt tenant. When new leaf switches are registered in the fabric, they do not automatically receive an IP address for their mgmt0 interfaces unless they are added to this policy.

To enable connectivity for the external endpoints in the 172.16.1.0/24 subnet, the following actions should be taken:

Delete both external EPG subnets: This action removes any specific subnet configurations that might be causing routing issues or conflicts within the external EPG1.

Create the 0.0.0.0/0 subnet: By configuring a 0.0.0.0/0 subnet, you are effectively creating a default route that allows all traffic to be routed, ensuring that endpoints in any subnet, including the 172.16.1.0/24 subnet, can reach internal endpoints1.

This configuration change addresses the issue where traffic from the 172.16.1.0/24 subnet is not reaching the internal endpoints, likely due to a lack of a default route or misconfigured subnets within the external EPG

The question asks which bridge domain setting is used when a Cisco ACI leaf switch learns the source IP address of a packet entering the front panel port. This involves understanding how ACI handles endpoint learning and IP address association within a bridge domain.

Requirement Analysis

When a packet enters a leaf switch’s front panel port, ACI learns the source IP and MAC address of the endpoint to populate its endpoint table.

The bridge domain settings control how IP addresses are learned and routed, especially for Layer 3 traffic.

The correct setting must enable the leaf switch to associate the source IP with the endpoint.

Option Evaluation

A. Unicast Routing:

The "Unicast Routing" setting in a bridge domain enables Layer 3 routing and allows the leaf switch to learn the source IP address of a packet by associating it with the MAC address and VLAN. When enabled, the switch performs IP-to-MAC mapping and updates the endpoint database, which is the standard mechanism for learning source IP addresses from incoming traffic.

To allow SNMP traffic on the APIC controller, a contract under tenant mgmt must be configured3.

The two dynamic routing protocols supported when using Cisco ACI to connect to an external Layer 3 network are iBGP (Option A) and eBGP (Option E)78. These protocols are included in the routing protocol options for a Layer 3 external outside network configuration in ACI

To securely back up the current Cisco ACI configuration to a remote location with encryption and authentication, and ensure that sensitive information is not exported, the following steps should be taken:

Create a Remote Location: Define a remote location where the backup will be stored. This involves specifying the hostname or IP address of the remote server and selecting the protocol (SCP/FTP/SFTP) to be used1.

Create a Configuration Export Policy: Set up an export policy that defines the format (XML/JSON) and the destination for the backup. This policy will also include the schedule for the backup to run once per day1.

Configure Global AES Encryption: To ensure that the backup is encrypted, configure the Global AES Encryption setting. This will allow for hashed secure properties, such as passwords and certificates, to be exported in an encrypted form. It’s important to configure a passphrase that is at least 16 characters long for the encryption1.

Schedule the Backup Job: Use the scheduler to set up the backup job to run once per day. This ensures that the backup process is automated and adheres to the customer’s security policy1.

Exclude Sensitive Information: To comply with the security policy that mandates sensitive information not be exported, ensure that the configuration export policy is set to exclude secure fields unless encryption is enabled1.

References :=

Cisco Guide on Creating a Backup for Your APIC Cluster1

Cisco Community Discussion on Backing Up ACI Configuration2

To create a backup of the Cisco ACI fabric for disaster recovery that is secure, encrypted, and in a format conducive to processing with a Python script, the engineer must select Secure Copy Protocol (SCP) for secure and encrypted transport. The backup file should be in JSON format, which is similar to a Python dictionary and can be easily processed by a Python script. Additionally, enabling Global AES Encryption ensures that all user and password-related information is included securely in the backup1.

The setting that prevents the learning of Endpoint IP addresses whose subnet does not match the bridge domain subnet is the “Limit IP learning to subnet” setting within the bridge domain1. This setting ensures that only IP addresses belonging to the subnets configured on the bridge domain are learned, preventing mis-learning of IP addresses that may not belong to the fabric1.

The initial APIC cluster discovery process involves each APIC using an internal private IP address from a pool to communicate with the nodes and other APICs in the cluster. The APICs discover the IP addresses of other APIC controllers through an LLDP-based discovery process

 The statement about the MTU value of MP-BGP EVPN control plane packets in Cisco ACI that is true for communication between spine nodes in different sites is that by default, spine nodes generate 9000-bytes packets to exchange endpoints routing information. As a result, the Inter-Site network should be able to carry 9000-bytes packets2. This ensures that the control plane traffic, which is not VXLAN encapsulated, can be properly handled across the sites2.

 When the VMM resolution immediacy is set to pre-provision in a Cisco ACI environment, policies are downloaded to the ACI leaf switch regardless of Cisco Discovery Protocol neighborship1. This setting ensures that the policies are in place on the leaf switches even before a VM controller is attached to the virtual switch1.

On the egress leaf switch, when traffic is received from an L3Out, no source MAC or IP address of the traffic is learned as a remote endpoint1. The Cisco ACI fabric does not learn the IP addresses from the data plane in an L3Out domain; instead, it uses ARP to resolve next-hop IP and MAC relationships to reach the prefixes behind external routers1.

 To have the endpoint table learn the IP addresses of endpoints in a bridge domain, unicast routing must be enabled1. This allows the bridge domain to learn the IP addresses of endpoints through the data plane1.

 For Cisco ACI IPN (Inter-Pod Network) to manage multidestination traffic, multicast routing is a requirement. This is because multidestination traffic includes broadcast, unknown unicast, and multicast (BUM) traffic, which needs to be efficiently transported across different pods in a Cisco ACI Multi-Pod environment. Multicast routing protocols like Bidirectional Protocol-Independent Multicast (Bidir PIM) are used to handle this type of traffic1.

References :=

Cisco Application Centric Infrastructure Multi-Pod Configuration White Paper1

In Cisco ACI, when a service graph is deployed under one tenant (e.g., Operations) and needs to be referenced by another tenant (e.g., Management), the Layer 4-Layer 7 (L4-L7) device export action is used. This allows the firewall or other L4-L7 devices defined in the service graph to be shared across tenants. By exporting the L4-L7 device, the configuration enables the Management tenant to reference and use the firewall deployed in the Operations tenant.

 In the context of ACI Multi-Site, the information of an endpoint (MAC/IP) that belongs to site 1 is advertised to site 2 using the EVPN control plane as soon as the endpoint is discovered in one site. This allows for immediate visibility of the endpoint across sites.

 When configuring ACI VMM domain integration with Cisco UCS-B Series, the type of port channel policy that must be configured in the vSwitch policy is MAC Pinning-Physical-NIC-load. This policy type allows for the distribution of traffic across physical NICs based on MAC address hashing, which is suitable for environments where dynamic port channels (LACP) are not used.

 To limit management access to the Cisco ACI fabric that originates from a single subnet where the NOC operates, the policy should be configured in the management tenant on the Cisco APIC5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/ apic/sw/1-x/Operating_ACI/guide/b_Cisco_Operating_ACI/b_Cisco_Operating_ACI_chapter_0111.html

 In Cisco ACI, the object classes are used to categorize different types of managed objects within the ACI model. The output presented is indicative of a Tenant class object. Tenants in ACI are a top-level container for application policies, essentially providing a unit of isolation from other tenants. Each tenant can contain its own application policies, services, and network policies, and they are separate from other tenants to ensure multi-tenancy1.

References :=

Cisco ACI Policy Model Guide1

Object Renaming in Cisco ACI - Cisco2

Application Centric Infrastructure (ACI) REST API Guide - Cisco DevNet

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci /apic/sw/4-x/openstack/ACI-Installation-Guide-for-Red-Hat-Using-OSP13-Director/m-configuring-ironic-for-openstack.html

The two requirements for the IPN network when implementing a Multi-Pod ACI fabric are:

PIM ASM multicast routing2.

OSPF routing3.

The COOP (Council Of Oracle Protocol) database is located on each spine switch within the Cisco ACI fabric. The COOP database is responsible for maintaining a consistent copy of endpoint address and location information across the fabric

The unique identifier of an ACI object is represented by the universal resource identifier (URI)2.

To enable communication between EPGs and BDs from any tenant without the need for contracts or VRF route leaking, the best approach is to implement an unenforced VRF within the common tenant. By doing so, all bridge domains that are associated with this VRF will be able to communicate with each other without additional configurations. This method simplifies the network architecture and reduces the complexity associated with contract management and VRF route leaking1.

References :=

Cisco ACI Contract Guide White Paper1

To ensure that only events related to leaf and spine environmental information are logged without including specific customer data, the configuration should be applied to the fabric policy. The fabric policy in Cisco ACI is used to define global settings that apply to the entire fabric, such as syslog settings, which can be configured to filter and forward only the desired types of system messages12.

The Cisco AV Pair resolves to a managed object class. In the context of Cisco ACI, the AV Pair is used to define specific attributes for RADIUS users, which then map to managed objects within the ACI fabric3.

To extend the EPG-100 to the vCenter as a port group with a tagged VLAN ID of 100, the following actions should be taken:

Define a static VLAN range (from 100-200) under a VLAN pool: This step involves creating a VLAN pool that includes the desired VLAN range. The VLAN pool is then associated with the VMM domain that corresponds to the vCenter integration1.

Associate the dc1vcdev domain with EPG: The VMM domain named ‘dc1vcdev’ should be associated with the EPG-100. This association allows for the automatic creation of port groups in vCenter when the EPG is associated with a VMM domain1.

Select the appropriate settings for the domain association:

Untagged VLAN Access: This should be unselected because the VLAN ID needs to be tagged.

VLAN Mode: Set to ‘Static’ to specify the encapsulation VLAN ID.

Encap: Set to ‘100’ to define the specific VLAN ID that should be tagged for the port group1.

References :=

Cisco APIC Layer 2 Networking Configuration Guide1

Cisco APIC Layer 2 Networking Configuration Guide1

For AAA configuration within the Cisco ACI fabric, where authentication should fall back to local users if the TACACS+ server is unreachable, and access must be granted through the fallback domain if the Cisco APIC is out of the cluster, the configuration set that meets these requirements is to have the Default Authentication Realm set to TACACS+ with Fallback Check enabled. This ensures that when the TACACS+ server cannot be reached, the system will fall back to using local authentication

 In the scenario where Server A is connected to the Cisco ACI fabric using teamed interfaces with one active and one standby, enabling ARP flooding in the bridge domain configuration is necessary to resolve the issue that occurs when the standby interface becomes active and uses its built-in MAC address to send traffic. Enabling ARP flooding allows the fabric to learn the new MAC address without waiting for the ARP timeout, which helps to ensure that traffic continues to flow to the correct destination after a failover event1.

References :=

Discuss Cisco 300-620 Exam Topic 9 Question 71 | Pass4Success1

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

To create an exit point from all tenants using the common tenant and decrease the routing footprint, the following configuration tasks must be completed:

Update the L3Out ExtEPG subnet in the common tenant with flag Shared Route Control Subnet and Aggregate Shared Routes: This configuration allows the subnets to be shared across different VRFs within the common tenant, enabling communication between EPGs that are in different tenants1.

Change contract Ctr-3 scope to Global, consume it by all EPGs, and flag all subnets with flag Shared between VRFs: By changing the scope of contract Ctr-3 to Global, it can be consumed by all EPGs across the fabric. Additionally, flagging all subnets with Shared between VRFs ensures that the subnets can be used by multiple tenants1.

References :=

Cisco Community Discussion on Common Tenant1

Cisco ACI Basic Configuration Guide2

Cisco ACI Configuring Shared L3Outs Documentation

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

To resolve the issue of STP convergence causing a microloop and significant CPU spike on all switches after connecting legacy non-ACI switches to the Cisco ACI fabric, BPDU filtering should be configured on the interfaces of the external switches that face the Cisco ACI fabric. BPDU filtering prevents Bridge Protocol Data Units (BPDUs) from being sent or received on those interfaces, which stops the STP process and eliminates the possibility of microloops.

The question asks about the mechanism Cisco ACI uses to detect silent hosts when Layer 3 routed traffic is destined to the ACI fabric. A "silent host" refers to an endpoint that does not initiate traffic or send ARP requests, making detection challenging without specific mechanisms. Let’s evaluate the options based on Cisco ACI documentation and best practices.

Requirement Analysis

Layer 3 routed traffic implies that the ACI fabric is handling IP routing, and the detection mechanism must work within the context of the bridge domain and endpoint learning.

Silent hosts require passive detection methods since they do not generate active traffic (e.g., ARP requests).

The solution must align with ACI’s endpoint learning and proxy mechanisms.

Option Evaluation

A. Gratuitous ARP:

Gratuitous ARP (GARP) is a mechanism where a host announces its IP-to-MAC mapping to update network devices. However, this requires the host to send the GARP, which a silent host does not do. ACI can use GARP when hosts are active, but it is not the primary method for silent hosts.

The supported physical topology for a Cisco ACI data center network that includes Cisco Nexus 2000 Series 10G fabric extenders is depicted in Option A. This topology illustrates a pair of spine switches connected to leaf switches, which are then connected to the fabric extenders. The Cisco Nexus 2000 Series Fabric Extenders act as remote line cards for a parent Cisco Nexus switch, extending the network fabric. The topology shown is a spine-leaf architecture, which is a scalable, high-bandwidth framework that is typical in ACI deployments.

References :=

For a detailed understanding of the ACI fabric and supported topologies, you can refer to the Cisco Application Centric Infrastructure Design Guide, which provides comprehensive information on design recommendations and deployment models: Cisco ACI Design Guide.

To learn more about the role of fabric extenders in the ACI architecture, the following resource offers insights into how they integrate with the ACI fabric: Understanding the ACI Fabric.

The XML configuration snippet provided in the exhibit results in the creation of two objects within the Cisco ACI environment:

Bridge Domain (Option C): This is indicated by the XML element , which defines a bridge domain with the name “bd1”.

VRF (Option E): This is shown by the XML element , which defines a Virtual Routing and Forwarding instance named “pvn1”.

These objects are essential for network segmentation and routing within the ACI fabric, where the bridge domain represents a Layer 2 broadcast domain and the VRF is used for Layer 3 routing separation.