To extend functional VMM integration to the new group of 70 bare-metal ESXi servers, a separate VMM domain should be implemented using the AEP_VMM. This allows for the management and automation of network policies for the bare-metal servers in a manner similar to the virtualized environment managed by vCenter1.

To configure a Cisco ACI system to detect network loops for both untagged and tagged traffic and to stop the loop by disabling an interface within 4 seconds, the following configuration must be used:

Enable Mis-Cabling Protocol (MCP): MCP detects loops from external sources and will err-disable the interface on which Cisco ACI receives its own packet. This is crucial for preventing loops in the network1.

Configure MCP Transmit Frequency: Set the MCP transmit frequency to a value that allows for quick loop detection. The Cisco ACI fabric provides faster loop detection with transmit frequencies from 100 milliseconds to 300 seconds. To meet the requirement of detecting and stopping a loop within 4 seconds, you would set the transmit frequency to a value less than 4 seconds2.

Set Action on Loop Detection: Configure the MCP policies to identify loops and decide how to act upon them. You can set the policy to generate a syslog message or disable the port upon loop detection2.

Implement Error Disabled Recovery Policy: Configure an error disabled recovery policy to automatically re-enable ports that were disabled due to loop detection after a configurable interval2.

By implementing these configurations, the Cisco ACI system will be able to detect and stop network loops quickly and efficiently, ensuring network stability and preventing potential disruptions.

References :=

Cisco APIC Online Help - Loop Detection2

Cisco ACI Best Practices Quick Summary

To securely export Cisco APIC configuration snapshots to a secure, offsite location using an encrypted tunnel and a platform-agnostic data format that provides namespace support, the following configuration set must be used:

Choose a Platform-Agnostic Data Format: Export the configuration in a data format like JSON or XML, which are platform-agnostic and support namespaces1.

Use an Encrypted Tunnel: Transfer the configuration snapshot over a secure protocol such as SFTP or SCP, which provides an encrypted tunnel for the data transfer1.

Schedule the Export: Set up a scheduled export of the configuration in the Cisco APIC to occur at regular intervals, ensuring the process is automated1.

Enable Encryption: Make sure the configuration export policy includes encryption settings. Cisco APIC supports AES-256 encryption for securing exported configuration files2.

Verify Namespace Support: Ensure that the chosen data format and the method of export support the use of namespaces, which are essential for organizing elements and attributes in XML documents1.

By following these steps and choosing Option B, the engineer can meet the requirements for securely exporting Cisco APIC configuration snapshots to an offsite location.

 To limit management access to the Cisco ACI fabric that originates from a single subnet where the NOC operates, the policy should be configured in the management tenant on the Cisco APIC5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/ apic/sw/1-x/Operating_ACI/guide/b_Cisco_Operating_ACI/b_Cisco_Operating_ACI_chapter_0111.html

 To redistribute externally learned OSPF routes within the ACI fabric, a Route Control Profile must be configured1. This profile allows for the control of route redistribution and the application of route maps to influence routing decisions within the fabric1.

 In Cisco ACI, communication between Endpoint Groups (EPGs) is controlled by contracts. Contracts define the types of traffic and the rules that govern how EPGs can communicate with each other. They act as a policy framework that enforces security and segmentation within the ACI fabric.

To minimize possible traffic impact during the upgrade of an ACI fabric with 3 APIC controllers and servers dual-homed to pairs of leaf switches configured in VPC mode, the fabric should be upgraded following Option A2. This option involves creating two maintenance groups for the APIC controllers, upgrading one group at a time, and then proceeding with the leaf switches2. This staged approach helps ensure that not all paths are affected simultaneously, thereby reducing the potential for traffic disruption2.

The correct statement about ACI syslog is that all syslog messages are sent to the destination through APIC1. This centralized approach allows for consistent logging and monitoring across the ACI fabric1.

In a Cisco ACI Multi-Pod environment, Pods use over Layer 3 IPN connectivity via spines to allow Pod-to-Pod communication6.

https://www.cisco.com/c/ en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-737855.html

To implement a Layer 3 out (L3Out) inside the Cisco ACI fabric that meets the specified requirements, the following steps should be taken:

Configure the OSPF Protocol policy with an area of 0: This step involves setting up OSPF, a link-state routing protocol that supports hierarchical network design, as the routing protocol for the L3Out1.

Create Routed Outside object and Node Profile, selecting OSPF: This step involves creating a Routed Outside object and associating it with a Node Profile that specifies OSPF as the routing protocol1.

Build the Interface profile, selecting Routed Sub-interface and the appropriate VLAN: This step involves creating an Interface profile for the connection to the data center core switch, using 802.1Q tagging for VLAN separation2.

Configure the External Network object with a network of 0.0.0.0/0: This step involves setting up the External Network object to advertise routes to the rest of the network1.

 When migrating the vSphere Management VMkernel of all ESXi hosts from the standard default virtual switch to a Virtual Distributed Switch (VDS) that is integrated with APIC in a VMM domain, it is essential to set the Management VMkernel EPG resolution to Pre-Provision. This action ensures that the necessary policies are in place on the ACI fabric before the migration occurs, allowing for a seamless transition and continuous management connectivity.

 In a Cisco ACI fabric, the spine switches are typically configured as route reflectors. This is because spine switches are central to the fabric’s architecture and are responsible for interconnecting all the leaf switches, making them ideal for reflecting BGP routes within the fabric. Therefore, the components that should be configured as route reflectors are:

Spine1 (Option A)

Spine2 (Option C)

In a Cisco ACI Multi-Pod environment, the supported routing protocol between Cisco ACI spines and IPNs (Inter-Pod Network) is Open Shortest Path First (OSPF)4.

The purpose of the Overlay Multicast TEP (O-MTEP) in a Cisco ACI Multi-Site deployment is to perform head-end replication for BUM (Broadcast, Unknown unicast, Multicast) traffic. This common anycast address is shared by all the spine nodes in the same site and is used to replicate BUM traffic across the sites4.

When extending EPG connectivity to an external network that houses the Layer 3 gateway and other end hosts, the ACI bridge domain configuration should use Forwarding: Custom, L2 Unknown Unicast: Hardware Proxy, L3 Unknown Multicast Flooding: Flood, Multi Destination Flooding: Flood in BD, and ARP Flooding: Enabled23. This configuration ensures that unknown unicast traffic is handled efficiently while still allowing ARP flooding, which is necessary for the ACI fabric to learn about endpoints on the external network23.

When deploying a new Cisco ACI Multi-Pod setup, it’s crucial to ensure that the Tunnel Endpoint (TEP) pool of the new pod is routable across the Inter-Pod Network (IPN). This allows the TEP addresses to be reachable across the pods, facilitating communication between them. Additionally, increasing the Maximum Transmission Unit (MTU) for all IPN routers is necessary to support the larger frame size required by VXLAN encapsulation, which is typically above the standard Ethernet MTU of 1500 bytes.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

 In the scenario where Server2 information is missing from the Leaf 101 endpoint table and the COOP database of the spine, setting Layer 2 Unknown Unicast to Flood (Option B) is the correct action to meet the requirements. This setting will cause the ACI fabric to flood unicast packets destined for unknown destinations within the bridge domain. This ensures that packets from Server1 will reach Server2 even though its location isn’t known by Leaf 101 or the spine’s COOP database.https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-in frastructure/white-paper-c11-739989.html

Text Description automatically generated

 When configuring ACI VMM domain integration with Cisco UCS-B Series, the type of port channel policy that must be configured in the vSwitch policy is MAC Pinning-Physical-NIC-load. This policy type allows for the distribution of traffic across physical NICs based on MAC address hashing, which is suitable for environments where dynamic port channels (LACP) are not used.

When extending an EPG out of the ACI fabric using static path binding, it is true that external endpoints are in the same EPG as the directly attached endpoints8. This means that traffic received on a statically bound leaf port with a specific VLAN ID is mapped to the EPG, and the same policies applied to directly attached endpoints are enforced on the external endpoints8.

In the context of VMM, the protocol between ACI leaf and compute hosts that ensures that the policies are pushed to the leaf switches for immediate and on-demand resolution immediacy is LLDP (Link Layer Discovery Protocol)2. LLDP is used for discovery and to ensure that the policies are applied as needed for the virtual machines2.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_01011.html

The two essential components of a Cisco ACI Virtual Machine Manager (VMM) domain policy configuration are:

VMM domain profile1.

EPG association1.

https://www.cisco.com/c/en/us/td/docs/switches/datac enter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_01011.html#concept_74EFC437C0AA44A391676F70ACE59DF3

In a Cisco ACI configuration with IEEE 802.1p ports, the traffic exits from the EPG untagged from leaf ports. This means that when the port is configured in Access (802.1p) mode and the access VLAN is the only VLAN deployed on the port, then traffic will be untagged on egress56.

To set up a Cisco ACI fabric to send Syslog messages related to hardware events to a dedicated Syslog server, the policy should be configured at uni/fabric/monfab-default4. This location in the Cisco APIC allows for the configuration of Syslog policies that can be applied to the entire fabric4.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/aci -fundamentals/Cisco-ACI-Fundamentals-401/Cisco-ACI-Fundamentals-401_chapter_01100.html

Graphical user interface, text, application, email Description automatically generated

When a bridge domain is configured with the hardware-proxy option for Layer 2 unknown unicast traffic, if the spine switch is unable to find the MAC address in the proxy database, it will drop the Layer 2unknown unicast packet4. This behavior is controlled by the hardware proxy option associated with a bridge domain4.

The supported physical topology for a Cisco ACI data center network that includes Cisco Nexus 2000 Series 10G fabric extenders is depicted in Option A. This topology illustrates a pair of spine switches connected to leaf switches, which are then connected to the fabric extenders. The Cisco Nexus 2000 Series Fabric Extenders act as remote line cards for a parent Cisco Nexus switch, extending the network fabric. The topology shown is a spine-leaf architecture, which is a scalable, high-bandwidth framework that is typical in ACI deployments.

References :=

For a detailed understanding of the ACI fabric and supported topologies, you can refer to the Cisco Application Centric Infrastructure Design Guide, which provides comprehensive information on design recommendations and deployment models: Cisco ACI Design Guide.

To learn more about the role of fabric extenders in the ACI architecture, the following resource offers insights into how they integrate with the ACI fabric: Understanding the ACI Fabric.

The type of port used for in-band management within ACI fabric is the spine switch port4.

In Cisco ACI, the interface lo1023 is assigned as a fabric tunnel endpoint (FTEP). This is a pervasive address found on every leaf and it’s always the same. It is used mostly for AVS (Application Virtual Switch) when the infra VXLAN is extended out of the fabric1. The FTEP is crucial for the internal operation of the fabric, particularly for scenarios where the infrastructure VXLAN needs to be extended outside of the ACI fabric.

References :=

Default IP interfaces on Fabric nodes - Cisco Community1

In Cisco ACI, a leaf switch learns a source IP or MAC as a remote endpoint when VXLAN traffic arrives on a leaf fabric port from the spine, and the inner source IP is within the range of the bridge domain subnets associated with the leaf. This process is part of the ACI’s COOP (Council Of Oracles Protocol), which ensures that endpoint information is accurately disseminated across the fabric for efficient traffic forwarding.

 Changing the Layer 2 unknown unicast policy from Flood to Hardware Proxy results in the traffic being forwarded to one of the spines to perform as a spine proxy4. If the spine proxy also does not know the address, the packet is discarded4.

To implement the inter-tenant service graph, the set of actions that must be taken are:

Define the contract in the provider tenant and export it to the consumer tenant (Option B).

Define the L4-L7 device and service graph template in the provider tenant and the ASA bridge domains in the consumer tenant (Option B).

This approach allows for the proper configuration and association of the service graph between the provider and consumer tenants, ensuring that the services are correctly applied to the traffic flowing between them.

 The statement about the MTU value of MP-BGP EVPN control plane packets in Cisco ACI that is true for communication between spine nodes in different sites is that by default, spine nodes generate 9000-bytes packets to exchange endpoints routing information. As a result, the Inter-Site network should be able to carry 9000-bytes packets2. This ensures that the control plane traffic, which is not VXLAN encapsulated, can be properly handled across the sites2.

The two actions that extend a Layer 2 domain beyond the ACI fabric are extending the bridge domain out of the ACI fabric (Option D) and extending the EPG out of the ACI fabric (Option E)34. Extending the bridge domain involves creating a Layer 2 outside connection, while extending the EPG involves statically assigning a port with a VLAN ID to an EPG34.

To ensure that Cisco ACI flushes the appropriate endpoints when a topology change notification message is received in an MST domain, the three steps required are:

Enable the BPDU interface controls under the spanning tree interface policy (Option A)2.

Bind the spanning tree policy to the switch policy group (Option C)3.

Associate the STP interface policy to the appropriate interface policy group (Option D)3. These steps ensure that the ACI fabric responds correctly to STP events, such as topology changes, by flushing the MAC address table and the Local Station Table for the affected VLAN on the leaf switch4.

To determine which user is responsible for the disappearance of a previously existing port group from vCenter, the engineer should check the EPG audit logs for any ‘deletion’ actions. By comparing the affected object and the user who performed the action, the engineer can identify the responsible individual2.

To integrate a new Hyperflex storage cluster into an existing Cisco ACI fabric and manage it with vCenter, the following steps should be taken:

Create a new vSphere Distributed Switch (vDS): This is done within the vCenter interface. The vDS acts as a single virtual switch across all associated hosts in the data center, providing centralized management and monitoring of the network configuration1.

Configure the vDS for the Hyperflex cluster: This involves setting up the correct port groups, VLANs, and uplink profiles to ensure proper network segmentation and performance2.

Enable hardware discovery using a vendor-neutral protocol: This could involve using protocols like LLDP (Link Layer Discovery Protocol) or CDP (Cisco Discovery Protocol), which are supported by vCenter and can help in identifying and managing physical network devices3.

Integrate the Hyperflex cluster with ACI using the Application Policy Infrastructure Controller (APIC): This involves creating the necessary policies and profiles in ACI to manage the Hyperflex storage traffic effectively4.

References :=

Cisco HyperFlex Systems Installation Guide for VMware ESXi1

Cisco HyperFlex Virtual Server Infrastructure 3.0 with Cisco ACI 3.2 and VMware vSphere 6.52

How to Set Up Networking with vSphere Distributed Switches - VMware Docs3

Tutorial: How to integrate HyperFlex and ACI with VMM (VMware) and UCSM4

To restrict User X to have access only to TenantX without any extra privileges in the Cisco ACI fabric domain, the Cisco AV pair that must be implemented on the RADIUS server is shell:domains = TenantX-SD/tenant-admin. This AV pair assigns User X the role of tenant admin within the security domain of TenantX, ensuring that the user has the necessary permissions to manage resources within TenantX and no additional privileges outside of this scope.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/Security_config/b_Cisco_APIC_Securi ty_Guide/b_Cisco_APIC_Security_Guide_chapter_0100.html

Graphical user interface, text, application Description automatically generated

To integrate the VMware vCenter cluster with Cisco ACI and ensure that the management traffic of the hypervisors and VM controllers uses the virtual switch associated with the Cisco Application Policy, the following steps must be taken:

Enable Infrastructure VLAN on AAEP used toward VMware hypervisors: This step involves enabling the infrastructure VLAN on the Attachable Access Entity Profile (AAEP) that is used for the VMware hypervisors. This VLAN is used for carrying infrastructure traffic such as management, vMotion, and fault tolerance.

Create a static binding in the target EPG toward VMware hypervisors with VLAN 300: This step involves creating a static binding in the “Vmware-MGMT” EPG for the VMware hypervisors with VLAN 300, setting it as an untagged access VLAN, and using Untagged 802.1P mode. This ensures that the management traffic is correctly tagged and associated with the appropriate EPG.

References :=

Cisco ACI Fabric Hardware Installation Guide

Cisco ACI Troubleshooting Guide

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Virtual Machine Manager (VMM) Integration White Paper

For the new nodes in a Cisco ACI Multi-Pod deployment to be discoverable by the existing Cisco APICs, DHCP relay should be enabled on all links that are connected to Cisco ACI spines on Inter-Pod Network (IPN) devices. This allows the APICs to dynamically assign IP addresses to the new nodes, facilitating their discovery and integration into the fabric.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

 To determine if a change in the behavior of the ACI fabric was due to human intervention, an ACI administrator should inspect the audit logs in the APIC UI. The audit logs provide a record of all user events, which includes actions performed by users, making it possible to trace any changes back to specific human activities1.

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

The Cisco AV Pair resolves to a managed object class. In the context of Cisco ACI, the AV Pair is used to define specific attributes for RADIUS users, which then map to managed objects within the ACI fabric3.

With unicast routing enabled on the bridge domain, the two conditions that enable the Cisco ACI leaf to learn a source IP as a local endpoint are:

Through Ethernet traffic received in a bridge domain (Option A): The leaf switch learns the source IP address as a local endpoint when it receives Ethernet traffic within the bridge domain.

Through ARP received on an SVI (Option E): The leaf switch also learns the source IP address as a local endpoint when it receives an ARP request or reply on a Switched Virtual Interface (SVI) associated with the bridge domain.

These conditions allow the ACI fabric to maintain an accurate endpoint database for efficient routing and forwarding of traffic within the fabric.

https://www.cisco .com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739989.html

Graphical user interface, text Description automatically generated with medium confidence

When configuring Cisco ACI VMM domain integration with VMware vCenter, the object that is created in vCenter is a VMware vSphere Distributed Switch (VDS)12. The VDS is a virtual switch that extends across all esxi hosts in the cluster and provides a centralized interface from which network configurations can be managed12. This switch allows network administrators to manage networking for multiple hosts and virtual machines from a single interface within vCenter12.

In a Cisco ACI bridge domain and VRF configured with a default data-plane learning configuration, the two endpoint attributes that are programmed in the leaf switch when receiving traffic are:

Local MAC, IP (Option D)5.

Local Subnet (Option E)5. These attributes are learned by the ACI fabric through common network methods such as ARP, GARP, and ND, as well as through the data-plane. The local MAC and IP addresses are learned and used for traffic routing and bridging, while the local subnet information is used for traffic optimization and endpoint location tracking56.

When the default gateway for endpoints is on an external device instead of a Cisco ACI bridge domain Switched Virtual Interface (SVI), the unicast routing feature should be disabled on the bridge domain. This prevents the ACI fabric from attempting to route traffic for the endpoints, which should instead be directed to the external default gateway.

To monitor all configuration changes, threshold crossing, and link-state transitions in a Cisco ACI fabric, the action that must be taken is to Include Audit Logs and Events in the Syslog source policy 

https://community.cisco.com/legacy fs/online/attachments/blog/technote-aci-syslog_external-latest.pdf

https://www.cis co.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/all/faults/guide/b_APIC_Faults_Errors/b_IFC_Faults_Errors_chapter_010.html

To ensure that servers supporting only Cisco Discovery Protocol are discovered automatically by the Cisco ACI fabric when connected, the action that must be taken is to Create an override policy that enables Cisco Discovery Protocol after LLDP is enabled in the default policy group

To complete the task of configuring a Layer 3 connection to the WAN router and allowing hosts in the production VRF to access WAN subnets, the engineer should configure the Export Route Control Subnet scope for the external EPG. This setting allows the subnets associated with the external EPG to be advertised to external routers, enabling connectivity to the WAN.

To clear the fault raised by the Cisco APIC when the EPG must accept endpoints from a VMM domain, the EPG should be associated with the VMM domain. This association is necessary for the APIC to recognize the endpoints within the VMM domain as part of the EPG. Without this association, the APIC cannot apply the policies defined in the EPG to the endpoints, which can result in errors1.

References :=

APIC Policy Deployment and Resolution Immediacy For AVS VMM Domain - Cisco Community

To backup the PRODUCTION tenant configuration on the APIC using a markup language and include all secure information, the network engineer must use an export policy that allows for exporting in a markup language format such as XML or JSON and includes secure attributes. In this case, the correct export policy is Option A, which shows an interface with “Export-Tenant-Production” where the format can be selected as ‘xml’ or ‘json’, and there is an option to modify global AES encryption settings, indicating that secure information can be included in the backup.

References :=

Cisco Application Policy Infrastructure Controller (APIC) - Cisco APIC

Cisco Application Centric Infrastructure Best Practices Guide - Cisco ACI Design Guide

The image shows a graphical user interface for an export policy named “Export-Tenant-Production.” The interface provides options to select the format of the backup (either ‘json’ or ‘xml’), whether to start now with options ‘Yes’ or ‘No’, a field for Target DN with ‘/tn-PRODUCTION’filled in, a scheduler dropdown menu, and a checkbox for modifying global AES encryption settings which is enabled. This image is relevant because it depicts how to configure an export policy on Cisco’s APIC to backup tenant configurations securely.

The two dynamic routing protocols supported when using Cisco ACI to connect to an external Layer 3 network are iBGP (Option A) and eBGP (Option E)78. These protocols are included in the routing protocol options for a Layer 3 external outside network configuration in ACI

ACI uses the SCP (Secure Copy Protocol) to securely save the configuration in a remote location. SCP is a network protocol that supports file transfers and relies on the Secure Shell (SSH) protocol to provide security for the transferred data.

 To allow multiple external networks to communicate with internal ACI subnets and assign the prefix to the class ID of the external Endpoint Group, the engineer should configure subnets with the External Subnets for External EPG flag enabled1. This configuration allows the specified subnets to be associatedwith an external EPG, which facilitates communication between internal tenants and external routed networks via L3Outs1.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_01001.html