300-620 Questions and Answers

When configuring an L3Out in Cisco ACI and encountering a QoS-related error, creating a custom QoS policy is often necessary to clear the fault. This involves defining a QoS policy that meets the specific requirements of the L3Out configuration and applying it to the relevant interfaces or globally within the fabric. The custom QoS policy should be designed to prioritize traffic appropriately and ensure that the necessary QoS settings are in place for the L3Out connections1.

References :=

Cisco ACI L3Out Configuration Examples1

The scenario involves associating EPG-A with a Virtual Machine Manager (VMM) domain, setting the Deployment and Resolution preferences to Immediate, and attaching the host (generating endpoints for EPG-A) to Leaf-101 and Leaf-102 via eth1/1. However, no configuration for EPG-A is pushed to the leaf switches. This suggests an issue with the discovery or communication between the ACI fabric and the host. Let’s analyze the options based on Cisco ACI documentation.

Requirement Analysis

The VMM domain integration (e.g., VMware vCenter) relies on protocols like Cisco Discovery Protocol (CDP) or Link Layer Discovery Protocol (LLDP) to detect and map virtualized endpoints to the correct EPG.

The "Immediate" preference ensures that policies are applied as soon as endpoints are detected, but this requires proper protocol support for host discovery.

No configuration on the leaf switches indicates a failure in endpoint detection or policy application.

Option Evaluation

A. Enable CDP or LLDP on the host:

ACI uses CDP or LLDP to discover hosts and their interfaces when integrated with a VMM domain. If the host does not have CDP or LLDP enabled, the ACI fabric cannot detect the host’s attachment to Leaf-101 and Leaf-102, preventing EPG-A configuration from being pushed. Enabling these protocols on the host resolves the issue.

 In the process of discovering a new Cisco ACI fabric, after the discovery of leaf 1 has been completed, the next nodes expected to be discovered are the spine switches. This is because the spines are typically connected to the leaf switches and play a central role in the fabric’s topology6.

To meet the requirements for the new endpoint group’s bridge domain in the Cisco ACI fabric, the following actions must be taken:

Disable ARP Flooding: This action prevents ARP requests from being broadcast across the entire bridge domain, which reduces excessive broadcast traffic.

Enable Limit IP Learning to Subnet: This setting restricts IP address learning to only those IPs within the configured subnet, minimizing the impact of misconfigured virtual machines.

Enable Unicast Routing on the bridge domain and configure a subnet: Enabling unicast routing allows the bridge domain to function as the default gateway for the subnet, ensuring that routing remains within the Cisco ACI fabric.

The attribute that should be configured for each user to enable RADIUS for external authentication in Cisco ACI is cisco-av-pair. This attribute allows for the assignment of roles and permissions to users authenticated via RADIUS.

The scenario involves a tenant configured with a single L3Out and a single-homed link from the ACI fabric (via border leaf BL-1001) to a core router (Core-1). The engineer must add a second link to the L3Out, connecting to Core-2 via BL-1002, ensuring that traffic from Core-2 to BL-1002 has the same connectivity as traffic from Core-1 to BL-1001. The exhibit shows a single-homed setup with BL-1001 and BL-1002 as potential border leaves, with a dashed line indicating a planned second link.

Requirement Analysis

The existing L3Out is single-homed to Core-1 via BL-1001, and the goal is to extend it to a multi-homed configuration with Core-2 via BL-1002.

"Same connectivity" implies that the second link must be integrated into the existing L3Out configuration, sharing the same routing policies, external EPG, and subnet reachability.

The solution must leverage ACI’s L3Out framework to add the new path without creating a separate L3Out or altering the current routing setup unnecessarily.

Option Evaluation

A. Add a second path to the logical interface profile of the existing L3Out:

The logical interface profile in an L3Out defines the interfaces (e.g., routed ports or sub-interfaces) and their associations with nodes (border leaves). Adding a second path to this profile allows the inclusion of the new link from BL-1002 to Core-2, ensuring it operates under the same L3Out configuration (e.g., routing protocol, external EPG). This maintains consistent connectivity and leverages ACI’s multi-homing support.

To prevent frequent MAC and IP address moves between different leaf switch ports, enabling rogue endpoint control is the recommended action. This feature helps in identifying and mitigating the movement of endpoints that could potentially cause loops or other issues within the network.

To clear the critical fault related to B2B credit oversubscription in the ACI domain connectivity to the fiber channel storage, the value that should be chosen is 5101. This value is set to address the issue of B2B credit oversubscription and clear the critical fault as reported by the client1.

The scenario involves a Cisco ACI fabric with 10 standalone leaf switches, and the engineer must configure only the first two leaf switches (e.g., Leaf-1 and Leaf-2) in a Virtual Port Channel (vPC) configuration. The goal is to select the appropriate vPC protection type to achieve this specific pairing while leaving the other eight leaf switches standalone.

Requirement Analysis

In Cisco ACI, vPC is used to provide active-active link redundancy and load balancing between two leaf switches connected to the same set of endpoints (e.g., servers or external devices).

The fabric contains 10 standalone leaf switches, meaning no pre-existing vPC pairs are configured, and the task is to form a vPC specifically between the first two leaf switches.

The vPC protection type determines how the pair is defined and protected within the ACI fabric, ensuring the configuration is limited to the intended switches.

Option Evaluation

A. serial:

The "serial" protection type is not a valid vPC protection option in Cisco ACI. This term might be confused with serial link configurations or other networking contexts, but it does not apply to vPC in ACI.

 In a Cisco ACI Multi-Pod environment with active-active data centers and active-standby firewalls in each data center, enabling Pod ID Aware Redirection is the action that should be taken to maintain traffic symmetry through the firewalls. This feature ensures that traffic is consistently directed through the active firewall based on the pod identifier, thus maintaining the desired traffic flow and symmetry2.

References :=

Cisco ACI Multi-Pod and Service Node Integration White Paper

 When configuring ACI VMM domain integration with Cisco UCS-B Series, the type of port channel policy that must be configured in the vSwitch policy is MAC Pinning-Physical-NIC-load. This policy type allows for the distribution of traffic across physical NICs based on MAC address hashing, which is suitable for environments where dynamic port channels (LACP) are not used.

To break the STP loop between switch1 and switch2 in a Cisco ACI environment, enabling BPDU filtering on the interfaces facing the MST (Multiple Spanning Tree) switches is the necessary step. BPDU filtering prevents BPDUs from being sent or received through a port, which effectively stops the STP process on those ports and breaks the loop1.

When BPDU filtering is enabled on an interface, the switch does not send any BPDUs and ignores any BPDUs it receives on that interface. This can be used to prevent unwanted STP negotiations on ports where loops are not expected to happen or where STP is not desired1.

References :=

Use of ACI Operation with L2 Switches and Spanning Tree Link Types - Cisco1

To determine which user is responsible for the disappearance of a previously existing port group from vCenter, the engineer should check the EPG audit logs for any ‘deletion’ actions. By comparing the affected object and the user who performed the action, the engineer can identify the responsible individual2.

The engineer configures port 1/2 on Leaf-101 and Leaf-102 to connect to a new server (SVR-12), which belongs to EPG-12 using VLAN-1212 encapsulation. The server is configured as a vPC member port and statically bound to EPG-12. The task is to ensure connectivity, indicating a missing configuration step.

Requirement Analysis

Static binding of a vPC member port to an EPG requires proper VLAN association and domain mapping.

vPC ensures redundancy, and the VLAN (1212) must be allocated and associated with the EPG via a domain (e.g., VMM or physical domain).

Option Evaluation

A. Create a VPC Explicit Protection Group for EPG-12 and VLAN-1212:

vPC Explicit Protection Groups are used for specific vPC configurations, but this is not a standard requirement for EPG binding and VLAN association.

When configuring in-band management, the new construct that must be created is a bridge domain1.

The type of policy that configures the suppression of faults generated from a port being down is the ‘fault severity assignment’ policy. This policy allows administrators to change the severity of a fault or suppress it altogether, which can be useful for managing expected faults and reducing noise from non-critical events

 To redirect traffic to the firewall using a one-armed policy-based redirect service insertion, the following configuration set should be used:

Configure a service graph: This involves defining the service graph template that represents the logical flow of traffic through network services.

Associate the service graph with All_Traffic_Allowed: By associating the service graph with the contract named All_Traffic_Allowed, traffic that matches the contract will be redirected through the service graph to the firewall device.

References :=

Cisco ACI Fabric Administration Guide, Release 4.2(1)

Cisco ACI Virtualization Guide, Release 4.2(1)

The advantage of implementing an active-active firewall cluster that is stretched across separate pods when anycast services are configured is that local traffic within a pod is load-balanced between the clustered firewalls. This means that traffic destined for the anycast IP address of the service node (firewall) will preferentially be directed to the local node within the same pod, thus optimizing traffic flows and reducing latency by avoiding unnecessary traffic tromboning to a remote pod1.

To clear the fault raised by the Cisco APIC when the EPG must accept endpoints from a VMM domain, the EPG should be associated with the VMM domain. This association is necessary for the APIC to recognize the endpoints within the VMM domain as part of the EPG. Without this association, the APIC cannot apply the policies defined in the EPG to the endpoints, which can result in errors1.

References :=

APIC Policy Deployment and Resolution Immediacy For AVS VMM Domain - Cisco Community

In a Cisco ACI fabric, when a silent host moves from one location to another without notifying the ACI leaf switch (e.g., via Gratuitous ARP), the detection mechanism depends on how the bridge domain is configured. Specifically, ARP flooding can help detect such silent hosts.

The true statement regarding ACI Multi-Pod and TEP pool is that the same TEP pool is used in all Pods. This shared TEP pool ensures consistent addressing and simplifies the management of the overlay network across multiple Pods.

 To configure a group of servers with a contract that uses TCP port 80 and requires an external Layer 3 cloud to initiate communication, the EPG that contains the web servers should be configured as a consumer of the contract, and the Layer 3 Out (L3Out) should be configured as the provider of the contract. This configuration establishes the direction of the contract and allows the external Layer 3 cloud to initiate communication with the web servers within the EPG.

The unique identifier of an ACI object is represented by the universal resource identifier (URI)2.

 When two interface protocol policies need to be used together in a single policy, the ACI object that must be used is an interface policy group

The scenario involves deploying a WAN with Cisco ACI, where Routers 1 and 2 (connected via an L3Out with OSPF Area 0) must receive specific routes (192.168.11.0/24 and 192.168.21.0/24) from the ACI fabric, and reachability to WAN users must be permitted only for servers in vrf_prod. The diagram shows three bridge domains (bd_vlan11, bd_vlan21, bd_vlan31) with their respective subnets and EPGs, all under vrf_prod, along with an L3Out (epg_l3out) for WAN connectivity.

Requirement Analysis

Routers 1 and 2 must receive only routes 192.168.11.0/24 and 192.168.21.0/24:

These subnets belong to bd_vlan11 and bd_vlan21, respectively. To advertise these routes to Routers 1 and 2 via the L3Out, they must be marked with the appropriate scope in the bridge domain configuration.

In ACI, the "Advertised Externally" scope on a subnet ensures that it is advertised to external routers via the L3Out routing protocol (OSPF in this case).

Reachability to WAN users must be permitted only for servers in vrf_prod:

This implies that only the subnets in vrf_prod (192.168.11.0/24, 192.168.21.0/24, and 192.168.31.0/24) should be accessible, but WAN users should only reach specific subnets based on policy.

The external EPG (epg_l3out) represents the WAN users (10.171.0.0/16), and its subnet scope must control inbound reachability.

The subnet 192.168.31.0/24 (bd_vlan31) should not be advertised to the WAN, as it is not listed in the routes Routers 1 and 2 should receive.

Option Evaluation

A. Configure the subnets 192.168.11.0/24 and 192.168.21.0/24 as Private to VRF. Configure the subnet 192.168.31.0/24 as Advertised Externally. Configure an EPG subnet 0.0.0.0/0 as External Subnets for External EPG:

Setting 192.168.11.0/24 and 192.168.21.0/24 as "Private to VRF" means they are not advertised externally, which fails the requirement for Routers 1 and 2 to receive these routes.

Setting 192.168.31.0/24 as "Advertised Externally" incorrectly advertises this subnet to the WAN, which is not desired.

The "External Subnets for External EPG" scope on 0.0.0.0/0 allows WAN users to reach all subnets in vrf_prod, which is correct for reachability.

Conclusion: Fails the first requirement (route advertisement).

When the client endpoint and the service node interface are in different subnets, the Adjacency Type value should be set to Routed. This setting is used to indicate that routing is required between the client endpoint and the service node interface, as they are not in the same Layer 2 broadcast domain and need Layer 3 routing to communicate.

The two dynamic routing protocols supported when using Cisco ACI to connect to an external Layer 3 network are iBGP (Option A) and eBGP (Option E)78. These protocols are included in the routing protocol options for a Layer 3 external outside network configuration in ACI

An EPG is extended outside of the ACI fabric by statically assigning a VLAN ID to a leaf port in an EPG. This method maps the traffic received on the leaf port to the EPG, and the policy for this EPG is enforced

To allow SNMP traffic on the APIC controller, a contract under tenant mgmt must be configured3.

MisCabling Protocol (MCP) detects loops from external sources (i.e., misbehaving servers, external networking equipment running STP, etc.) and will err-disable the interface on which ACI receives its own packet. Enabling this feature is a best practice, and it should be enabled globally and on all interfaces, regardless of the end device. For MCP to be enabled, you need to have it enabled globally and on a per-interface basis. While MCP is enabled on all interfaces by default, it is not turned “on” until you also enable it globally. The global configuration knob for MCP can be enabled by configuring the global settings here: Fabric > Access Policies > Global Policies > MCP Instance Policy default. https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/aci-guide-using-mcp-mis-cabling-protocol.pdf

When deploying a new Cisco ACI Multi-Pod setup, it’s crucial to ensure that the Tunnel Endpoint (TEP) pool of the new pod is routable across the Inter-Pod Network (IPN). This allows the TEP addresses to be reachable across the pods, facilitating communication between them. Additionally, increasing the Maximum Transmission Unit (MTU) for all IPN routers is necessary to support the larger frame size required by VXLAN encapsulation, which is typically above the standard Ethernet MTU of 1500 bytes.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

In a Cisco ACI Multi-Pod environment, the supported routing protocol between Cisco ACI spines and IPNs (Inter-Pod Network) is Open Shortest Path First (OSPF)4.

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/l4-l7-configuration/cisco-apic-layer-4-to-layer-7-services-deployment-guide-60x/defining-a-logical-device-60x.html

 In Cisco ACI, a contract is used to define the communication policy between EPGs (Endpoint Groups). It specifies which types of traffic are allowed to pass between EPGs and can include filters for protocols, ports, and other attributes. In the context of the logical system design, the contract would be the object that completes the communication requirements as indicated by the dotted line in the exhibit12.

References :=

Cisco Application Centric Infrastructure (ACI) Design Guide1

Cisco ACI Policy Model Guide2

The correct statement about ACI syslog is that all syslog messages are sent to the destination through APIC1. This centralized approach allows for consistent logging and monitoring across the ACI fabric1.

To ensure that servers supporting only Cisco Discovery Protocol are discovered automatically by the Cisco ACI fabric when connected, the action that must be taken is to Create an override policy that enables Cisco Discovery Protocol after LLDP is enabled in the default policy group

For the BGP Route Reflector policy to take effect, the components that must be configured are the leaf fabric interface overrides and profiles. These configurations are necessary to establish the route reflector relationships within the BGP protocol on the leaf switches

The "Import Route Control Subnet" scope is used to control which external routes are imported into the ACI fabric's routing table

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

 After ARP flooding is enabled in Cisco ACI Multi-Pod, broadcast frames are forwarded within the pod and across the Inter-Pod Network (IPN) using the multicast address associated with the bridge domain. If the setting is ‘Flood’, the leaf switch floods to the Group IP (GIPo) multicast group allocated for the bridge domain, ensuring that both local and remote pods receive a flooded copy

When Cisco ACI connects to an outside Layer 2 network, the ACI fabric floods the STP BPDU frame within the bridge domain (Option A)5. This ensures that BPDUs are properly propagated within the relevant VLAN encapsulation associated with the bridge domain5.

 In a Cisco ACI Multi-Site fabric, when the Inter-Site BUM Traffic Allow option is enabled for a stretched bridge domain, ingress replication on the spines in the source site is used to forward Broadcast, Unknown unicast, and Multicast (BUM) traffic to all endpoints in the same broadcast domain. This method ensures that BUM traffic is replicated and sent out through the spines to the destination sites.

For AAA configuration within the Cisco ACI fabric, where authentication should fall back to local users if the TACACS+ server is unreachable, and access must be granted through the fallback domain if the Cisco APIC is out of the cluster, the configuration set that meets these requirements is to have the Default Authentication Realm set to TACACS+ with Fallback Check enabled. This ensures that when the TACACS+ server cannot be reached, the system will fall back to using local authentication

 The statement about the MTU value of MP-BGP EVPN control plane packets in Cisco ACI that is true for communication between spine nodes in different sites is that by default, spine nodes generate 9000-bytes packets to exchange endpoints routing information. As a result, the Inter-Site network should be able to carry 9000-bytes packets2. This ensures that the control plane traffic, which is not VXLAN encapsulated, can be properly handled across the sites2.

To prevent packet loss between the distributed virtual switch and the ACI fabric in a company’s ESXi infrastructure hosted on Cisco UCS-B Blade Servers, the vSwitch policy must implement MAC Pinning. This setting ensures that each virtual interface card (vNIC) on the UCS servers is pinned to an uplink Ethernet port, providing a stable and consistent path for traffic and preventing packet loss due to path changes.

In Cisco ACI, when a service graph is deployed under one tenant (e.g., Operations) and needs to be referenced by another tenant (e.g., Management), the Layer 4-Layer 7 (L4-L7) device export action is used. This allows the firewall or other L4-L7 devices defined in the service graph to be shared across tenants. By exporting the L4-L7 device, the configuration enables the Management tenant to reference and use the firewall deployed in the Operations tenant.

The two requirements for the IPN network when implementing a Multi-Pod ACI fabric are:

PIM ASM multicast routing2.

OSPF routing3.

When designing two data centers based on Cisco ACI technology that can extend L2/L3, VXLAN, and network policy across locations with ACI Multi-Pod, the two requirements that must be considered are:

A single APIC Cluster is required in a Multi-Pod design4.

ACI Multi-Pod requires an IP Network supporting PIM-Bidir2.

https://learnduty.com/cisco-aci/aci-multi-pod-overview-and-basics/

In Cisco ACI, Intra-EPG Isolation is a feature that prevents communication between endpoints within the same EPG. By default, endpoints in the same EPG can communicate freely without requiring contracts. To disable communication between two backup servers within the same EPG (e.g., in the "Backup EPG"), you need to enforce Intra-EPG Isolation.

To deploy an access port policy group within Cisco ACI, an attachable entity profile (AEP) needs to be created. An AEP is a policy construct that groups together various domains and allows them to be attached to the fabric access layer

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

To integrate a new Hyperflex storage cluster into an existing Cisco ACI fabric and manage it with vCenter, the following steps should be taken:

Create a new vSphere Distributed Switch (vDS): This is done within the vCenter interface. The vDS acts as a single virtual switch across all associated hosts in the data center, providing centralized management and monitoring of the network configuration1.

Configure the vDS for the Hyperflex cluster: This involves setting up the correct port groups, VLANs, and uplink profiles to ensure proper network segmentation and performance2.

Enable hardware discovery using a vendor-neutral protocol: This could involve using protocols like LLDP (Link Layer Discovery Protocol) or CDP (Cisco Discovery Protocol), which are supported by vCenter and can help in identifying and managing physical network devices3.

Integrate the Hyperflex cluster with ACI using the Application Policy Infrastructure Controller (APIC): This involves creating the necessary policies and profiles in ACI to manage the Hyperflex storage traffic effectively4.

References :=

Cisco HyperFlex Systems Installation Guide for VMware ESXi1

Cisco HyperFlex Virtual Server Infrastructure 3.0 with Cisco ACI 3.2 and VMware vSphere 6.52

How to Set Up Networking with vSphere Distributed Switches - VMware Docs3

Tutorial: How to integrate HyperFlex and ACI with VMM (VMware) and UCSM4

In a Cisco ACI bridge domain and VRF configured with a default data-plane learning configuration, the two endpoint attributes that are programmed in the leaf switch when receiving traffic are:

Local MAC, IP (Option D)5.

Local Subnet (Option E)5. These attributes are learned by the ACI fabric through common network methods such as ARP, GARP, and ND, as well as through the data-plane. The local MAC and IP addresses are learned and used for traffic routing and bridging, while the local subnet information is used for traffic optimization and endpoint location tracking56.

To configure a Cisco ACI system to detect network loops for both untagged and tagged traffic and to stop the loop by disabling an interface within 4 seconds, the following configuration must be used:

Enable Mis-Cabling Protocol (MCP): MCP detects loops from external sources and will err-disable the interface on which Cisco ACI receives its own packet. This is crucial for preventing loops in the network1.

Configure MCP Transmit Frequency: Set the MCP transmit frequency to a value that allows for quick loop detection. The Cisco ACI fabric provides faster loop detection with transmit frequencies from 100 milliseconds to 300 seconds. To meet the requirement of detecting and stopping a loop within 4 seconds, you would set the transmit frequency to a value less than 4 seconds2.

Set Action on Loop Detection: Configure the MCP policies to identify loops and decide how to act upon them. You can set the policy to generate a syslog message or disable the port upon loop detection2.

Implement Error Disabled Recovery Policy: Configure an error disabled recovery policy to automatically re-enable ports that were disabled due to loop detection after a configurable interval2.

By implementing these configurations, the Cisco ACI system will be able to detect and stop network loops quickly and efficiently, ensuring network stability and preventing potential disruptions.

References :=

Cisco APIC Online Help - Loop Detection2

Cisco ACI Best Practices Quick Summary

To create an exit point from all tenants using the common tenant and decrease the routing footprint, the following configuration tasks must be completed:

Update the L3Out ExtEPG subnet in the common tenant with flag Shared Route Control Subnet and Aggregate Shared Routes: This configuration allows the subnets to be shared across different VRFs within the common tenant, enabling communication between EPGs that are in different tenants1.

Change contract Ctr-3 scope to Global, consume it by all EPGs, and flag all subnets with flag Shared between VRFs: By changing the scope of contract Ctr-3 to Global, it can be consumed by all EPGs across the fabric. Additionally, flagging all subnets with Shared between VRFs ensures that the subnets can be used by multiple tenants1.

References :=

Cisco Community Discussion on Common Tenant1

Cisco ACI Basic Configuration Guide2

Cisco ACI Configuring Shared L3Outs Documentation

To securely export Cisco APIC configuration snapshots to a secure, offsite location using an encrypted tunnel and a platform-agnostic data format that provides namespace support, the following configuration set must be used:

Choose a Platform-Agnostic Data Format: Export the configuration in a data format like JSON or XML, which are platform-agnostic and support namespaces1.

Use an Encrypted Tunnel: Transfer the configuration snapshot over a secure protocol such as SFTP or SCP, which provides an encrypted tunnel for the data transfer1.

Schedule the Export: Set up a scheduled export of the configuration in the Cisco APIC to occur at regular intervals, ensuring the process is automated1.

Enable Encryption: Make sure the configuration export policy includes encryption settings. Cisco APIC supports AES-256 encryption for securing exported configuration files2.

Verify Namespace Support: Ensure that the chosen data format and the method of export support the use of namespaces, which are essential for organizing elements and attributes in XML documents1.

By following these steps and choosing Option B, the engineer can meet the requirements for securely exporting Cisco APIC configuration snapshots to an offsite location.

To support a new application that is sensitive to latency and jitter and sets the DSCP values of packets to AF31 and CS6, it is necessary to align the ACI Quality of Service (QoS) levels and Inter-Pod Network (IPN) QoS policies. This alignment ensures that the DSCP values are preserved and respected across the ACI fabric and the IPN, preventing packets from being delayed or dropped between pods.

References :=

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Best Practices Guide

Cisco ACI Quality of Service Configuration Guide

In Cisco ACI, the interface lo1023 is assigned as a fabric tunnel endpoint (FTEP). This is a pervasive address found on every leaf and it’s always the same. It is used mostly for AVS (Application Virtual Switch) when the infra VXLAN is extended out of the fabric1. The FTEP is crucial for the internal operation of the fabric, particularly for scenarios where the infrastructure VXLAN needs to be extended outside of the ACI fabric.

References :=

Default IP interfaces on Fabric nodes - Cisco Community1

To ensure that only events related to leaf and spine environmental information are logged without including specific customer data, the configuration should be applied to the fabric policy. The fabric policy in Cisco ACI is used to define global settings that apply to the entire fabric, such as syslog settings, which can be configured to filter and forward only the desired types of system messages12.

For the new nodes in a Cisco ACI Multi-Pod deployment to be discoverable by the existing Cisco APICs, DHCP relay should be enabled on all links that are connected to Cisco ACI spines on Inter-Pod Network (IPN) devices. This allows the APICs to dynamically assign IP addresses to the new nodes, facilitating their discovery and integration into the fabric.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide