300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Questions and Answers

 In a Cisco ACI Multi-Pod environment with active-active data centers and active-standby firewalls in each data center, enabling Pod ID Aware Redirection is the action that should be taken to maintain traffic symmetry through the firewalls.  This feature ensures that traffic is consistently directed through the active firewall based on the pod identifier, thus maintaining the desired traffic flow and symmetry 2 .

References  :=

Cisco ACI Multi-Pod and Service Node Integration White Paper

The import mode that must be used to ensure that the import process terminates if the imported configuration is incompatible with the existing system is the ‘atomic’ mode. This mode ignores shards that contain objects that cannot be imported while proceeding with shards that can be imported.  If the incoming configuration’s version is incompatible with the existing system, the import process will terminate 2 .

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-7DC6486F-5400-44DF-8A62-6273798A2F80.html

To clear the MCP (Mis-Cabling Protocol) fault in a Cisco ACI fabric when an egress L3Out is configured from Leaf-101 and Leaf-102 to CORE-1, and VLAN 102 is used for OSPF adjacency, the encapsulation VLAN on the EPG-101 static port binding should match the VLAN used for OSPF adjacency. This means that VLAN 102 should be used as the encapsulation VLAN for the static port binding on Leaf-103 e1/1.  Using the same VLAN for both OSPF adjacency and the static port binding ensures consistency and prevents misconfiguration that could lead to MCP faults 1 .

References  :=

ACI Fabric L3Out White Paper - Cisco 1

The purpose of the Overlay Multicast TEP (O-MTEP) in a Cisco ACI Multi-Site deployment is to perform head-end replication for BUM (Broadcast, Unknown unicast, Multicast) traffic.  This common anycast address is shared by all the spine nodes in the same site and is used to replicate BUM traffic across the sites 4 .

https://learnduty.com/cisco-aci/aci-multi-pod-overview-and-basics/

When the client endpoint and the service node interface are in different subnets, the Adjacency Type value should be set to Routed. This setting is used to indicate that routing is required between the client endpoint and the service node interface, as they are not in the same Layer 2 broadcast domain and need Layer 3 routing to communicate.

The supported physical topology for a Cisco ACI data center network that includes Cisco Nexus 2000 Series 10G fabric extenders is depicted in Option A. This topology illustrates a pair of spine switches connected to leaf switches, which are then connected to the fabric extenders. The Cisco Nexus 2000 Series Fabric Extenders act as remote line cards for a parent Cisco Nexus switch, extending the network fabric. The topology shown is a spine-leaf architecture, which is a scalable, high-bandwidth framework that is typical in ACI deployments.

References  :=

For a detailed understanding of the ACI fabric and supported topologies, you can refer to the Cisco Application Centric Infrastructure Design Guide, which provides comprehensive information on design recommendations and deployment models:  Cisco ACI Design Guide .

To learn more about the role of fabric extenders in the ACI architecture, the following resource offers insights into how they integrate with the ACI fabric:  Understanding the ACI Fabric .

 To determine if a change in the behavior of the ACI fabric was due to human intervention, an ACI administrator should inspect the audit logs in the APIC UI.  The audit logs provide a record of all user events, which includes actions performed by users, making it possible to trace any changes back to specific human activities 1 .

 To allow multiple external networks to communicate with internal ACI subnets and assign the prefix to the class ID of the external Endpoint Group, the engineer should configure subnets with the  External Subnets for External EPG  flag enabled 1 .  This configuration allows the specified subnets to be associated with an external EPG, which facilitates communication between internal tenants and external routed networks via L3Outs 1 .

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_01001.html

The scenario involves a Cisco ACI fabric with 10 standalone leaf switches, and the engineer must configure only the first two leaf switches (e.g., Leaf-1 and Leaf-2) in a Virtual Port Channel (vPC) configuration. The goal is to select the appropriate vPC protection type to achieve this specific pairing while leaving the other eight leaf switches standalone.

Requirement Analysis

In Cisco ACI, vPC is used to provide active-active link redundancy and load balancing between two leaf switches connected to the same set of endpoints (e.g., servers or external devices).

The fabric contains 10 standalone leaf switches, meaning no pre-existing vPC pairs are configured, and the task is to form a vPC specifically between the first two leaf switches.

The vPC protection type determines how the pair is defined and protected within the ACI fabric, ensuring the configuration is limited to the intended switches.

Option Evaluation

A. serial :

The " serial " protection type is not a valid vPC protection option in Cisco ACI. This term might be confused with serial link configurations or other networking contexts, but it does not apply to vPC in ACI.

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References  :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

https://community.cisco.com/t5/documentos-data-center/configuraci%C3%B3n-snmp-para-aci/ta-p/4680520

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/5x/security-configuration/cisco-apic-security-configuration-guide-release-52x/protocol-authentication-52x.html

In a Cisco ACI configuration with IEEE 802.1p ports, the traffic exits from the EPG untagged from leaf ports.  This means that when the port is configured in Access (802.1p) mode and the access VLAN is the only VLAN deployed on the port, then traffic will be untagged on egress 5 6 .

 The two true statements regarding ACI Multi-Site are:

ACI Multi-Site is a solution that supports a dedicated APIC cluster per site 1 .

ACI Multi-Site is a solution that allows one APIC cluster to manage multiple ACI sites 1 .

 In the Cisco ACI VMM domain configuration, to generate port groups with names formatted as “Tenant=Application=EPG”, the configuration option used is delimiter. The delimiter is a character that separates the elements of the port-group name. By changing the delimiter setting to “=”, the port-group names will be generated with the desired format.

The engineer configures port 1/2 on Leaf-101 and Leaf-102 to connect to a new server (SVR-12), which belongs to EPG-12 using VLAN-1212 encapsulation. The server is configured as a vPC member port and statically bound to EPG-12. The task is to ensure connectivity, indicating a missing configuration step.

Requirement Analysis

Static binding of a vPC member port to an EPG requires proper VLAN association and domain mapping.

vPC ensures redundancy, and the VLAN (1212) must be allocated and associated with the EPG via a domain (e.g., VMM or physical domain).

Option Evaluation

A. Create a VPC Explicit Protection Group for EPG-12 and VLAN-1212 :

vPC Explicit Protection Groups are used for specific vPC configurations, but this is not a standard requirement for EPG binding and VLAN association.

To enable communication between EPGs and BDs from any tenant without the need for contracts or VRF route leaking, the best approach is to implement an unenforced VRF within the common tenant. By doing so, all bridge domains that are associated with this VRF will be able to communicate with each other without additional configurations.  This method simplifies the network architecture and reduces the complexity associated with contract management and VRF route leaking 1 .

References  :=

Cisco ACI Contract Guide White Paper 1

When extending EPG connectivity to an external network that houses the Layer 3 gateway and other end hosts, the ACI bridge domain configuration should use  Forwarding: Custom ,  L2 Unknown Unicast: Hardware Proxy ,  L3 Unknown Multicast Flooding: Flood ,  Multi Destination Flooding: Flood in BD , and  ARP Flooding: Enabled 2 3 .  This configuration ensures that unknown unicast traffic is handled efficiently while still allowing ARP flooding, which is necessary for the ACI fabric to learn about endpoints on the external network 2 3 .

To divert traffic between VM-1 and VM-2 using a Multi-Node service graph while preventing an insufficient number of available Layer 4 to Layer 7 devices in the first cluster, the following configuration set should be used:

PBR node tracking : This feature monitors the health of the nodes (Layer 4 to Layer 7 devices) in the service graph.  If a node becomes unavailable, the system can take action based on the tracking threshold 1 .

Tracking threshold with action bypass : When the number of healthy nodes falls below the tracking threshold, the action ‘bypass’ ensures that traffic is not sent to the unhealthy nodes, thus preventing service disruption 1 .

Symmetric PBR : This ensures that return traffic follows the same path as the original traffic, maintaining session consistency and avoiding asymmetric routing issues 1 .

Resilient hashing : This hashing mechanism provides a consistent and optimal distribution of traffic across the available Layer 4 to Layer 7 devices, even when the number of nodes changes due to a failure or maintenance 1 .

References  :=

Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 5.2(x)

The two essential components of a Cisco ACI Virtual Machine Manager (VMM) domain policy configuration are:

VMM domain profile 1 .

EPG association 1 .

https: //www.cisco.com/c/en/us/td/docs/switches/datac ente r/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Funda mentals/b_ACI-Fundamentals_chapter_01011.html#conc ept_74EFC437C0AA44A391676F70ACE59DF3

MisCabling Protocol (MCP) detects loops from external sources (i.e., misbehaving servers, external networking equipment running STP, etc.) and will err-disable the interface on which ACI receives its own packet. Enabling this feature is a best practice, and it should be enabled globally and on all interfaces, regardless of the end device. For MCP to be enabled, you need to have it enabled globally and on a per-interface basis. While MCP is enabled on all interfaces by default, it is not turned “on” until you also enable it globally. The global configuration knob for MCP can be enabled by configuring the global settings here: Fabric > Access Policies > Global Policies > MCP Instance Policy default. https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/aci-guide-using-mcp-mis-cabling-protocol.pdf

ACI uses the SCP (Secure Copy Protocol) to securely save the configuration in a remote location. SCP is a network protocol that supports file transfers and relies on the Secure Shell (SSH) protocol to provide security for the transferred data.

 When two interface protocol policies need to be used together in a single policy, the ACI object that must be used is an interface policy group

The Cisco AV Pair resolves to a  managed object class .  In the context of Cisco ACI, the AV Pair is used to define specific attributes for RADIUS users, which then map to managed objects within the ACI fabric 3 .

When designing two data centers based on Cisco ACI technology that can extend L2/L3, VXLAN, and network policy across locations with ACI Multi-Pod, the two requirements that must be considered are:

A single APIC Cluster is required in a Multi-Pod design 4 .

ACI Multi-Pod requires an IP Network supporting PIM-Bidir 2 .

To allow IP mobility between Site1 and Site2 in a Cisco ACI Multi-Site orchestrator while meeting the disaster recovery (DR) requirements and avoiding broadcast storms, the following actions should be taken:

Disable Inter-site BUM Traffic : Disabling Broadcast, Unknown unicast, and Multicast (BUM) traffic between sites helps to avoid broadcast storms that can occur when extending Layer 2 domains across multiple sites 1 .

Apply the L2 Stretch feature : The Layer 2 Stretch feature allows subnets to be extended across multiple sites without the need to re-IP the application servers.  This supports IP mobility and enables applications to be started at a DR site using the same IP address space 1 .

These actions ensure that the design supports a DR solution without requiring vMotion support, allows applications to be started at a DR site without re-IPing servers, and avoids broadcast storms between the sites.

References  :=

Cisco ACI Multi-Site Architecture White Paper 1

Cisco Nexus Dashboard Orchestrator Overview 2

In VMware vSphere, " MAC Pinning " refers to the " Route based on originating virtual port " load-balancing algorithm. This method assigns each virtual machine (VM) vNIC to a specific uplink (pNIC) and ensures that all traffic from that VM consistently exits through the same uplink.

When configuring in-band management IP addresses for Cisco APICs, leaf nodes, and spine nodes, the tenant used is the  mgmt  tenant 1 .

To prevent frequent MAC and IP address moves between different leaf switch ports, enabling rogue endpoint control is the recommended action. This feature helps in identifying and mitigating the movement of endpoints that could potentially cause loops or other issues within the network.

To backup the PRODUCTION tenant configuration on the APIC using a markup language and include all secure information, the network engineer must use an export policy that allows for exporting in a markup language format such as XML or JSON and includes secure attributes. In this case, the correct export policy is Option A, which shows an interface with “Export-Tenant-Production” where the format can be selected as ‘xml’ or ‘json’, and there is an option to modify global AES encryption settings, indicating that secure information can be included in the backup.

References  :=

Cisco Application Policy Infrastructure Controller (APIC) -  Cisco APIC

Cisco Application Centric Infrastructure Best Practices Guide -  Cisco ACI Design Guide

The image shows a graphical user interface for an export policy named “Export-Tenant-Production.” The interface provides options to select the format of the backup (either ‘json’ or ‘xml’), whether to start now with options ‘Yes’ or ‘No’, a field for Target DN with ‘/tn-PRODUCTION’ filled in, a scheduler dropdown menu, and a checkbox for modifying global AES encryption settings which is enabled. This image is relevant because it depicts how to configure an export policy on Cisco’s APIC to backup tenant configurations securely.

To support a new application that is sensitive to latency and jitter and sets the DSCP values of packets to AF31 and CS6, it is necessary to align the ACI Quality of Service (QoS) levels and Inter-Pod Network (IPN) QoS policies. This alignment ensures that the DSCP values are preserved and respected across the ACI fabric and the IPN, preventing packets from being delayed or dropped between pods.

References  :=

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Best Practices Guide

Cisco ACI Quality of Service Configuration Guide

 After ARP flooding is enabled in Cisco ACI Multi-Pod, broadcast frames are forwarded within the pod and across the Inter-Pod Network (IPN) using the multicast address associated with the bridge domain.  If the setting is ‘Flood’, the leaf switch floods to the Group IP (GIPo) multicast group allocated for the bridge domain, ensuring that both local and remote pods receive a flooded copy

The type of port used for in-band management within ACI fabric is the  spine switch port 4 .

To ensure that Cisco ACI flushes the appropriate endpoints when a topology change notification message is received in an MST domain, the three steps required are:

Enable the BPDU interface controls under the spanning tree interface policy (Option A) 2 .

Bind the spanning tree policy to the switch policy group (Option C) 3 .

Associate the STP interface policy to the appropriate interface policy group (Option D) 3 . These steps ensure that the ACI fabric responds correctly to STP events, such as topology changes, by flushing the MAC address table and the Local Station Table for the affected VLAN on the leaf switch 4 .

 In a Cisco ACI fabric, the  spine switches  are typically configured as route reflectors. This is because spine switches are central to the fabric’s architecture and are responsible for interconnect ing all the leaf switches, making them ideal for reflecting BGP routes within the fabric. Therefore, the components that should be configured as route reflectors are:

Spine1  (Option A)

Spine2  (Option C)

To meet the server team’s requirements for VMM integration with ESXi servers, the two enhanced LAG policies that should be configured are:

LB Mode: Destination IP Address and TCP/UDP Port (Option B) : This load balancing mode ensures that traffic is evenly distributed across all available links based on the destination IP address and the TCP/UDP port numbers, which can provide a balanced traffic flow for different sessions.

LACP Mode: LACP Active (Option E) : Setting the LACP mode to active allows the network switches to initiate the LACP negotiation, which is necessary when the servers are not configured to initiate the LACP process.

These settings ensure that the LAG group consisting of two 10 Gigabit Ethernet links will have traffic evenly distributed across them and that the network switches will initiate the LACP negotiation as required by the server team.

When deploying a new Cisco ACI Multi-Pod setup, it’s crucial to ensure that the Tunnel Endpoint (TEP) pool of the new pod is routable across the Inter-Pod Network (IPN). This allows the TEP addresses to be reachable across the pods, facilitating communication between them. Additionally, increasing the Maximum Transmission Unit (MTU) for all IPN routers is necessary to support the larger frame size required by VXLAN encapsulation, which is typically above the standard Ethernet MTU of 1500 bytes.

References  :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

To deploy an access port policy group within Cisco ACI, an  attachable entity profile (AEP)  needs to be created.  An AEP is a policy construct that groups together various domains and allows them to be attached to the fabric access layer

When extending an EPG out of the ACI fabric using static path binding, it is true that  external endpoints are in the same EPG as the directly attached endpoints 8 .  This means that traffic received on a statically bound leaf port with a specific VLAN ID is mapped to the EPG, and the same policies applied to directly attached endpoints are enforced on the external endpoints 8 .

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic.  This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network 1 .

References  :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco 1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco 2

Enabling AES encryption ensures that sensitive data, such as credentials for VMMs and third-party integrations, is securely encrypted in the backup file. This is essential for a fully functional restore without requiring re-entry of sensitive details.

In Cisco ACI, the interface lo1023 is assigned as a fabric tunnel endpoint (FTEP). This is a pervasive address found on every leaf and it’s always the same.  It is used mostly for AVS (Application Virtual Switch) when the infra VXLAN is extended out of the fabric 1 . The FTEP is crucial for the internal operation of the fabric, particularly for scenarios where the infrastructure VXLAN needs to be extended outside of the ACI fabric.

References  :=

Default IP interfaces on Fabric nodes - Cisco Community 1

To monitor all configuration changes, threshold crossing, and link-state transitions in a Cisco ACI fabric, the action that must be taken is to Include Audit Logs and Events in the Syslog source policy 

https://community.cisco.com/legacy fs/online/attachments/blog/technote-aci-syslog_external-latest.pdf

https://www.cis co.com/c/en/ us/td/docs/switches/datacenter/aci/apic/sw/all/faults/guide/b_APIC_Faults_Errors/b _IFC_Faults_Errors_chapter_010.html

 In the scenario where Server A is connected to the Cisco ACI fabric using teamed interfaces with one active and one standby, enabling ARP flooding in the bridge domain configuration is necessary to resolve the issue that occurs when the standby interface becomes active and uses its built-in MAC address to send traffic.  Enabling ARP flooding allows the fabric to learn the new MAC address without waiting for the ARP timeout, which helps to ensure that traffic continues to flow to the correct destination after a failover event 1 .

References  :=

Discuss Cisco 300-620 Exam Topic 9 Question 71 | Pass4Success 1

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/221867-configure-in-band-management-in-aci.html Scope - Choose according to the route leakage method you use. Here choose to use L3out, and then click Advertised Externally.

In a Cisco ACI fabric, when a silent host moves from one location to another without notifying the ACI leaf switch (e.g., via Gratuitous ARP), the detection mechanism depends on how the bridge domain is configured. Specifically, ARP flooding can help detect such silent hosts.

To modify the event to be displayed as a warning in the future, you need to navigate to the ACI Fault tab and change the severity level of the fault.  This involves selecting the monitoring object that corresponds to the class of the Managed Object (MO) that generated the fault, then choosing the fault code you want to modify and setting an initial severity value 1 .

References  :=

Cisco APIC Faults, Events, and System Messages Management Guide 2

How ACI Faults Are Generated and How to Selectively Prevent … - Cisco 1

To meet the requirements for the new endpoint group’s bridge domain in the Cisco ACI fabric, the following actions must be taken:

Disable ARP Flooding : This action prevents ARP requests from being broadcast across the entire bridge domain, which reduces excessive broadcast traffic.

Enable Limit IP Learning to Subnet : This setting restricts IP address learning to only those IPs within the configured subnet, minimizing the impact of misconfigured virtual machines.

Enable Unicast Routing on the bridge domain and configure a subnet : Enabling unicast routing allows the bridge domain to function as the default gateway for the subnet, ensuring that routing remains within the Cisco ACI fabric.

Storm control should be configured on  port channel on a single leaf switch (Option B)  and  endpoint-facing trunk interface (Option D)  to protect against broadcast traffic 6 .  These interfaces are where storm control policies are typically applied to prevent disruptions caused by traffic storms 6 .

To integrate the VMware vCenter cluster with Cisco ACI and ensure that the management traffic of the hypervisors and VM controllers uses the virtual switch associated with the Cisco Application Policy, the following steps must be taken:

Enable Infrastructure VLAN on AAEP used toward VMware hypervisors : This step involves enabling the infrastructure VLAN on the Attachable Access Entity Profile (AAEP) that is used for the VMware hypervisors. This VLAN is used for carrying infrastructure traffic such as management, vMotion, and fault tolerance.

Create a static binding in the target EPG toward VMware hypervisors with VLAN 300 : This step involves creating a static binding in the “Vmware-MGMT” EPG for the VMware hypervisors with VLAN 300, setting it as an untagged access VLAN, and using Untagged 802.1P mode. This ensures that the management traffic is correctly tagged and associated with the appropriate EPG.

References  :=

Cisco ACI Fabric Hardware Installation Guide

Cisco ACI Troubleshooting Guide

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Virtual Machine Manager (VMM) Integration White Paper

In a Cisco ACI environment with multiple silent hosts that are often relocated between leaf switches, configuring IP Data-Plane Learning to ‘No’ will minimize the relocation impact and make the ACI fabric relearn the new location of the host faster.  Disabling IP Data-Plane Learning prevents the fabric from learning IP addresses from the data plane, which can speed up the process of relearning host locations when they move 3 .

The L3Out subnet configuration option that creates an inbound route map for route filtering is  Import Route Control Subnet 3 .  This option allows for the application of route maps to incoming routes from external networks, providing granular control over which routes are allowed into the ACI fabric 3 .

 A bridge domain in Cisco ACI represents a  Layer 2 forwarding construct 3 4 5 . It defines a unique Layer 2 MAC address space and can include one or more subnets.  Bridge domains are associated with a VRF and can contain multiple EPGs 3 4 5 .

When implementing a connection that represents an external bridged network, the configurations used are  Layer 2 outside (Option B)  and  Static path binding (Option D) 1 2 .  Layer 2 outside is typically used to connect a bridged external network trunk switch to a leaf switch in the ACI fabric, while static path binding is used to assign specific ports on a leaf switch to an external bridged network 1 2 .

The question asks which switch type is discovered first in the Cisco ACI fabric discovery process. The ACI fabric consists of spine and leaf switches, and the discovery process is a critical initial step to establish the fabric topology. Let’s analyze this based on Cisco ACI documentation.

Requirement Analysis

The ACI fabric discovery process involves the Application Policy Infrastructure Controller (APIC) identifying and registering switches to form the network topology.

The process relies on protocols like Link Layer Discovery Protocol (LLDP) and Cisco Discovery Protocol (CDP) to detect connected devices.

The sequence of discovery is determined by the physical connectivity and the role of switches in the fabric.

Option Evaluation

A. leaf :

In the Cisco ACI fabric, the discovery process begins with the leaf switches. When the APIC is powered on and connected to the fabric, it first discovers the leaf switches directly attached to it or other initial points of connectivity. Leaf switches are the access layer devices that connect endpoints and are the starting point for fabric topology discovery. Once leaf switches are identified, they assist in discovering the spine switches.

To configure leaf and spine switches in a Cisco ACI fabric to use out-of-band management for NTP protocol, an Override Policy with NTP Out-of-Band must be created. This policy specifies that NTP traffic should be directed through the out-of-band management network, separate from the in-band management traffic, ensuring dedicated management connectivity for time synchronization.

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/200128-Configuring-NTP-in-ACI-Fabric-Solution.html

 In the context of ACI Multi-Site, the information of an endpoint (MAC/IP) that belongs to site 1 is advertised to site 2 using the EVPN control plane as soon as the endpoint is discovered in one site. This allows for immediate visibility of the endpoint across sites.

The engineer is implementing out-of-band (OOB) management access for the Cisco ACI fabric with the following requirements:

Only GUI (HTTPS) and Secure Shell (SSH) must be allowed to access the management interfaces.

Only IP ranges 10.10.10.0/24 and 192.168.15.0/24 must be permitted to connect.

This requires configuring access control and restricting IP ranges for OOB management.

Requirement Analysis

OOB management in ACI is typically handled via the Management Tenant (mgmt) and an OOB contract to define allowed protocols and sources.

The external network instance profile defines the permitted IP ranges for external access.

Option Evaluation

A. Implement HTTPS and SSH protocol filters in the OOB contract. Add the required subnets to the external network instance profile :

An OOB contract can specify allowed protocols (HTTPS on port 443 and SSH on port 22) to restrict access to GUI and SSH only. Adding the subnets 10.10.10.0/24 and 192.168.15.0/24 to the external network instance profile limits the source IP ranges, meeting both requirements.

To meet the criteria for configuring the Cisco ACI fabric to connect to vCenter, the following actions should be taken:

Create a dynamic VLAN pool with the VLAN range of 20-30 : This step involves creating a VLAN pool that dynamically assigns VLANs within the specified range to the port groups as they are created 1 .

Create a VMM domain and associate it with the VLAN pool : The VMM domain is a representation of the VMware vSphere Distributed Switch (VDS) in ACI, and associating it with the VLAN pool allows for the automatic creation of port groups on the VDS 1 .

Create the EPG and associate the domain : An Endpoint Group (EPG) is a logical entity to which workloads are attached.  Associating the EPG with the VMM domain ensures that the port groups are automatically created in vCenter when the EPG is associated with a VMM domain 1 .

Set the deployment immediacy to On Demand : Setting the deployment immediacy to ‘On Demand’ optimizes the CAM space on the leaf switches by deploying policies to leaf nodes only when endpoints assigned to this EPG are connected, rather than immediately upon configuration 1 2 .

By following these steps, the network engineer can ensure that the Cisco ACI fabric is correctly configured to connect to vCenter, with port groups being automatically created on the distributed virtual switch, using the VLAN allocation in the range between 20-30, and optimizing the CAM space on the leaf switches.