300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Questions and Answers

The import mode that must be used to ensure that the import process terminates if the imported configuration is incompatible with the existing system is the ‘atomic’ mode. This mode ignores shards that contain objects that cannot be imported while proceeding with shards that can be imported. If the incoming configuration’s version is incompatible with the existing system, the import process will terminate2.

An EPG is extended outside of the ACI fabric by statically assigning a VLAN ID to a leaf port in an EPG. This method maps the traffic received on the leaf port to the EPG, and the policy for this EPG is enforced

In a Cisco ACI bridge domain and VRF configured with a default data-plane learning configuration, the two endpoint attributes that are programmed in the leaf switch when receiving traffic are:

Local MAC, IP (Option D)5.

Local Subnet (Option E)5. These attributes are learned by the ACI fabric through common network methods such as ARP, GARP, and ND, as well as through the data-plane. The local MAC and IP addresses are learned and used for traffic routing and bridging, while the local subnet information is used for traffic optimization and endpoint location tracking56.

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/5x/security-configuration/cisco-apic-security-configuration-guide-release-52x/protocol-authentication-52x.html

For AAA configuration within the Cisco ACI fabric, where authentication should fall back to local users if the TACACS+ server is unreachable, and access must be granted through the fallback domain if the Cisco APIC is out of the cluster, the configuration set that meets these requirements is to have the Default Authentication Realm set to TACACS+ with Fallback Check enabled. This ensures that when the TACACS+ server cannot be reached, the system will fall back to using local authentication

The feature that dynamically assigns or modifies the EPG association of virtual machines based on their attributes is uSeg EPGs. uSeg EPGs allow for microsegmentation within the Cisco ACI environment, enabling the dynamic assignment of VMs to EPGs based on attributes such as VM name, tag, or other identifiers

For the new nodes in a Cisco ACI Multi-Pod deployment to be discoverable by the existing Cisco APICs, DHCP relay should be enabled on all links that are connected to Cisco ACI spines on Inter-Pod Network (IPN) devices. This allows the APICs to dynamically assign IP addresses to the new nodes, facilitating their discovery and integration into the fabric.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

 The two true statements regarding ACI Multi-Site are:

ACI Multi-Site is a solution that supports a dedicated APIC cluster per site1.

ACI Multi-Site is a solution that allows one APIC cluster to manage multiple ACI sites1.

The two dynamic routing protocols supported when using Cisco ACI to connect to an external Layer 3 network are iBGP (Option A) and eBGP (Option E)78. These protocols are included in the routing protocol options for a Layer 3 external outside network configuration in ACI

In a Cisco ACI fabric, when a silent host moves from one location to another without notifying the ACI leaf switch (e.g., via Gratuitous ARP), the detection mechanism depends on how the bridge domain is configured. Specifically, ARP flooding can help detect such silent hosts.

To reduce instability during the migration of a legacy environment to Cisco ACI, the feature that should be enabled in the bridge domain is to Set Multi-Destination Flooding to Flood in BD (Option A). This setting allows unknown multicast, broadcast, and unknown unicast traffic to be flooded within the bridge domain, which can help prevent traffic loss during the migration process.

When configuring in-band management IP addresses for Cisco APICs, leaf nodes, and spine nodes, the tenant used is the mgmt tenant1.

To support cross-site connectivity in a production Multi-Site solution, where connectivity from EPGs from a specific site to networks reachable through a remote site L3OUT is required, the additional configuration that must be implemented in the Multi-Site Orchestrator is to add a new stretched external EPG to the existing L3OUT1. This allows the EPGs from one site to communicate with the networks defined in the L3OUT at the remote site, facilitating the required connectivity across sites.

References :=

Cisco ACI Multi-Site Configuration Guide1

 To have the endpoint table learn the IP addresses of endpoints in a bridge domain, unicast routing must be enabled1. This allows the bridge domain to learn the IP addresses of endpoints through the data plane1.

When configuring a Multi-Pod system with the default gateway residing outside of the ACI fabric for a bridge domain, the setting that should be configured is to disable Limit IP Learning to Subnet (Option A). This allows the ACI fabric to learn IP addresses outside of the defined subnet, which is necessary when the default gateway is external.

Associating the VMM domain with the EPGs (Endpoint Groups) that must be available in vCenter is the action that accomplishes the goal of creating port groups automatically in vSphere and propagating them to hypervisors when created in the ACI environment. This integration allows the APIC to automatically create port groups in the VMware vCenter under the VDS (vSphere Distributed Switch), which provisions the network policy in the VMware vCenter

To deploy a leaf access port policy group in ACI Fabric that controls the amount of application data flowing into the system and allows auto-negotiation of link speed, the two ACI policies that must be configured are:

Link level policy2.

Ingress data plane policing policy2.

Slow Drain handles FCoE packets that are causing traffic congestion on ACI fabric. So, it is wrong.

Ingress control plane is wrong, because the request is for “application data flowing”.

L2 interface policy is concerned about QinQ and VLAN scope.

The feature that allows firewall ACLs to be configured automatically when new endpoints are attached to an EPG is ARP gleaning. This feature helps in identifying the endpoints and applying the necessary ACLs to them as they are discovered

To deploy an access port policy group within Cisco ACI, an attachable entity profile (AEP) needs to be created. An AEP is a policy construct that groups together various domains and allows them to be attached to the fabric access layer

To backup the PRODUCTION tenant configuration on the APIC using a markup language and include all secure information, the network engineer must use an export policy that allows for exporting in a markup language format such as XML or JSON and includes secure attributes. In this case, the correct export policy is Option A, which shows an interface with “Export-Tenant-Production” where the format can be selected as ‘xml’ or ‘json’, and there is an option to modify global AES encryption settings, indicating that secure information can be included in the backup.

References :=

Cisco Application Policy Infrastructure Controller (APIC) - Cisco APIC

Cisco Application Centric Infrastructure Best Practices Guide - Cisco ACI Design Guide

The image shows a graphical user interface for an export policy named “Export-Tenant-Production.” The interface provides options to select the format of the backup (either ‘json’ or ‘xml’), whether to start now with options ‘Yes’ or ‘No’, a field for Target DN with ‘/tn-PRODUCTION’ filled in, a scheduler dropdown menu, and a checkbox for modifying global AES encryption settings which is enabled. This image is relevant because it depicts how to configure an export policy on Cisco’s APIC to backup tenant configurations securely.

To minimize possible traffic impact during the upgrade of an ACI fabric with 3 APIC controllers and servers dual-homed to pairs of leaf switches configured in VPC mode, the fabric should be upgraded following Option A2. This option involves creating two maintenance groups for the APIC controllers, upgrading one group at a time, and then proceeding with the leaf switches2. This staged approach helps ensure that not all paths are affected simultaneously, thereby reducing the potential for traffic disruption2.

To meet the server team’s requirements for VMM integration with ESXi servers, the two enhanced LAG policies that should be configured are:

LB Mode: Destination IP Address and TCP/UDP Port (Option B): This load balancing mode ensures that traffic is evenly distributed across all available links based on the destination IP address and the TCP/UDP port numbers, which can provide a balanced traffic flow for different sessions.

LACP Mode: LACP Active (Option E): Setting the LACP mode to active allows the network switches to initiate the LACP negotiation, which is necessary when the servers are not configured to initiate the LACP process.

These settings ensure that the LAG group consisting of two 10 Gigabit Ethernet links will have traffic evenly distributed across them and that the network switches will initiate the LACP negotiation as required by the server team.

 A bridge domain in Cisco ACI represents a Layer 2 forwarding construct345. It defines a unique Layer 2 MAC address space and can include one or more subnets. Bridge domains are associated with a VRF and can contain multiple EPGs345.

To modify the event to be displayed as a warning in the future, you need to navigate to the ACI Fault tab and change the severity level of the fault. This involves selecting the monitoring object that corresponds to the class of the Managed Object (MO) that generated the fault, then choosing the fault code you want to modify and setting an initial severity value1.

References :=

Cisco APIC Faults, Events, and System Messages Management Guide2

How ACI Faults Are Generated and How to Selectively Prevent … - Cisco1

To implement the Inter-Site Network (ISN) for a Cisco ACI Multi-Site deployment, the following configuration steps are essential:

Configure OSPF on all ISN routers: OSPF (Open Shortest Path First) is a routing protocol that is used to ensure that all routers in the ISN have the necessary routing information to forward packets between sites.

Configure BIDIR-PIM on all ISN routers: BIDIR-PIM (Bidirectional Protocol Independent Multicast) is used for efficient multicast traffic forwarding across the ISN. This is particularly important for Cisco ACI Multi-Site deployments as it supports the replication of broadcast, unknown unicast, and multicast (BUM) traffic across sites.

References :=

Cisco ACI Multi-Site Configuration Guide

Cisco ACI Multi-Site Architecture White Paper

The question asks which switch type is discovered first in the Cisco ACI fabric discovery process. The ACI fabric consists of spine and leaf switches, and the discovery process is a critical initial step to establish the fabric topology. Let’s analyze this based on Cisco ACI documentation.

Requirement Analysis

The ACI fabric discovery process involves the Application Policy Infrastructure Controller (APIC) identifying and registering switches to form the network topology.

The process relies on protocols like Link Layer Discovery Protocol (LLDP) and Cisco Discovery Protocol (CDP) to detect connected devices.

The sequence of discovery is determined by the physical connectivity and the role of switches in the fabric.

Option Evaluation

A. leaf:

In the Cisco ACI fabric, the discovery process begins with the leaf switches. When the APIC is powered on and connected to the fabric, it first discovers the leaf switches directly attached to it or other initial points of connectivity. Leaf switches are the access layer devices that connect endpoints and are the starting point for fabric topology discovery. Once leaf switches are identified, they assist in discovering the spine switches.

To ensure that destination updates from a newly created L3Out are propagated to all Cisco ACI leaf switches, a BGP route reflector policy should be applied. This policy allows the border leaf switches, which act as BGP route reflectors, to redistribute the learned routes to other leaf switches within the fabric1.

To integrate a new Hyperflex storage cluster into an existing Cisco ACI fabric and manage it with vCenter, the following steps should be taken:

Create a new vSphere Distributed Switch (vDS): This is done within the vCenter interface. The vDS acts as a single virtual switch across all associated hosts in the data center, providing centralized management and monitoring of the network configuration1.

Configure the vDS for the Hyperflex cluster: This involves setting up the correct port groups, VLANs, and uplink profiles to ensure proper network segmentation and performance2.

Enable hardware discovery using a vendor-neutral protocol: This could involve using protocols like LLDP (Link Layer Discovery Protocol) or CDP (Cisco Discovery Protocol), which are supported by vCenter and can help in identifying and managing physical network devices3.

Integrate the Hyperflex cluster with ACI using the Application Policy Infrastructure Controller (APIC): This involves creating the necessary policies and profiles in ACI to manage the Hyperflex storage traffic effectively4.

References :=

Cisco HyperFlex Systems Installation Guide for VMware ESXi1

Cisco HyperFlex Virtual Server Infrastructure 3.0 with Cisco ACI 3.2 and VMware vSphere 6.52

How to Set Up Networking with vSphere Distributed Switches - VMware Docs3

Tutorial: How to integrate HyperFlex and ACI with VMM (VMware) and UCSM4

The Cisco ACI site deployment feature that enables an engineer to control which bridge domains contain Layer 2 flooding across geographically separated data centers is Multi-Site. This feature allows for the extension of Layer 2 and Layer 3 connectivity between different locations with consistent policy enforcement5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/aci_multi-site/sw/2x/fundamentals/Cisco-ACI-Multi-Site-Fundamentals-Guide-211/Cisco-ACI-Multi- Site-Fundamentals-Guide-211_chapter_011.html#id_51188

To divert traffic between VM-1 and VM-2 using a Multi-Node service graph while preventing an insufficient number of available Layer 4 to Layer 7 devices in the first cluster, the following configuration set should be used:

PBR node tracking: This feature monitors the health of the nodes (Layer 4 to Layer 7 devices) in the service graph. If a node becomes unavailable, the system can take action based on the tracking threshold1.

Tracking threshold with action bypass: When the number of healthy nodes falls below the tracking threshold, the action ‘bypass’ ensures that traffic is not sent to the unhealthy nodes, thus preventing service disruption1.

Symmetric PBR: This ensures that return traffic follows the same path as the original traffic, maintaining session consistency and avoiding asymmetric routing issues1.

Resilient hashing: This hashing mechanism provides a consistent and optimal distribution of traffic across the available Layer 4 to Layer 7 devices, even when the number of nodes changes due to a failure or maintenance1.

References :=

Cisco APIC Layer 4 to Layer 7 Services Deployment Guide, Release 5.2(x)

o protect the ACI fabric from spanning-tree loops, the feature that must be enabled on the ACI leaf ports is BPDU Guard 

To extend the EPG-100 to the vCenter as a port group with a tagged VLAN ID of 100, the following actions should be taken:

Define a static VLAN range (from 100-200) under a VLAN pool: This step involves creating a VLAN pool that includes the desired VLAN range. The VLAN pool is then associated with the VMM domain that corresponds to the vCenter integration1.

Associate the dc1vcdev domain with EPG: The VMM domain named ‘dc1vcdev’ should be associated with the EPG-100. This association allows for the automatic creation of port groups in vCenter when the EPG is associated with a VMM domain1.

Select the appropriate settings for the domain association:

Untagged VLAN Access: This should be unselected because the VLAN ID needs to be tagged.

VLAN Mode: Set to ‘Static’ to specify the encapsulation VLAN ID.

Encap: Set to ‘100’ to define the specific VLAN ID that should be tagged for the port group1.

References :=

Cisco APIC Layer 2 Networking Configuration Guide1

Cisco APIC Layer 2 Networking Configuration Guide1

 In the Cisco ACI VMM domain configuration, to generate port groups with names formatted as “Tenant=Application=EPG”, the configuration option used is delimiter. The delimiter is a character that separates the elements of the port-group name. By changing the delimiter setting to “=”, the port-group names will be generated with the desired format.

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

To configure a Cisco ACI system to detect network loops for both untagged and tagged traffic and to stop the loop by disabling an interface within 4 seconds, the following configuration must be used:

Enable Mis-Cabling Protocol (MCP): MCP detects loops from external sources and will err-disable the interface on which Cisco ACI receives its own packet. This is crucial for preventing loops in the network1.

Configure MCP Transmit Frequency: Set the MCP transmit frequency to a value that allows for quick loop detection. The Cisco ACI fabric provides faster loop detection with transmit frequencies from 100 milliseconds to 300 seconds. To meet the requirement of detecting and stopping a loop within 4 seconds, you would set the transmit frequency to a value less than 4 seconds2.

Set Action on Loop Detection: Configure the MCP policies to identify loops and decide how to act upon them. You can set the policy to generate a syslog message or disable the port upon loop detection2.

Implement Error Disabled Recovery Policy: Configure an error disabled recovery policy to automatically re-enable ports that were disabled due to loop detection after a configurable interval2.

By implementing these configurations, the Cisco ACI system will be able to detect and stop network loops quickly and efficiently, ensuring network stability and preventing potential disruptions.

References :=

Cisco APIC Online Help - Loop Detection2

Cisco ACI Best Practices Quick Summary

The L3Out subnet configuration option that creates an inbound route map for route filtering is Import Route Control Subnet3. This option allows for the application of route maps to incoming routes from external networks, providing granular control over which routes are allowed into the ACI fabric3.

To advertise a bridge domain subnet out of the ACI fabric to an OSPF neighbor, the following configuration steps are required:

Configure Subnet scope to Advertised Externally: This step involves setting the scope of the subnet within the bridge domain to be advertised externally, which allows the subnet to be propagated to external routing entities3.

Add L30ut profile to the bridge domain using Associated L30uts section: This step involves associating the bridge domain with an L3Out profile, which is necessary for the bridge domain subnet to be advertised to OSPF neighbors4.

 To redistribute externally learned OSPF routes within the ACI fabric, a Route Control Profile must be configured1. This profile allows for the control of route redistribution and the application of route maps to influence routing decisions within the fabric1.

To prevent frequent MAC and IP address moves between different leaf switch ports, enabling rogue endpoint control is the recommended action. This feature helps in identifying and mitigating the movement of endpoints that could potentially cause loops or other issues within the network.

The engineer configures port 1/2 on Leaf-101 and Leaf-102 to connect to a new server (SVR-12), which belongs to EPG-12 using VLAN-1212 encapsulation. The server is configured as a vPC member port and statically bound to EPG-12. The task is to ensure connectivity, indicating a missing configuration step.

Requirement Analysis

Static binding of a vPC member port to an EPG requires proper VLAN association and domain mapping.

vPC ensures redundancy, and the VLAN (1212) must be allocated and associated with the EPG via a domain (e.g., VMM or physical domain).

Option Evaluation

A. Create a VPC Explicit Protection Group for EPG-12 and VLAN-1212:

vPC Explicit Protection Groups are used for specific vPC configurations, but this is not a standard requirement for EPG binding and VLAN association.

For a redundant interconnection that routes both unicast and multicast traffic, the L3Out (Layer 3 Outside) implementation in Cisco ACI should include the following:

Redundant Connections: Ensure there are at least two connections from the ACI fabric to the external network for redundancy. These connections should be to different leaf switches if possible.

Routing Protocols: Configure a routing protocol that supports both unicast and multicast routing. OSPF or EIGRP can be used for unicast, and PIM (Protocol Independent Multicast) should be configured for multicast.

Route Redistribution: Set up route redistribution between the ACI fabric and the external network to ensure that routes are shared across both networks.

Multicast Configuration: Enable multicast routing within the ACI fabric and configure the necessary multicast policies.

Contract and Policy Configuration: Define contracts and policies that allow the required unicast and multicast traffic to flow between the ACI fabric and the external network.

References :=

Cisco documentation on configuring L3Outs in ACI

Cisco white paper on ACI Multicast Routing

The two actions that extend a Layer 2 domain beyond the ACI fabric are extending the bridge domain out of the ACI fabric (Option D) and extending the EPG out of the ACI fabric (Option E)34. Extending the bridge domain involves creating a Layer 2 outside connection, while extending the EPG involves statically assigning a port with a VLAN ID to an EPG34.

When the default gateway for endpoints is on an external device instead of a Cisco ACI bridge domain Switched Virtual Interface (SVI), the unicast routing feature should be disabled on the bridge domain. This prevents the ACI fabric from attempting to route traffic for the endpoints, which should instead be directed to the external default gateway.

In Cisco ACI, the interface lo1023 is assigned as a fabric tunnel endpoint (FTEP). This is a pervasive address found on every leaf and it’s always the same. It is used mostly for AVS (Application Virtual Switch) when the infra VXLAN is extended out of the fabric1. The FTEP is crucial for the internal operation of the fabric, particularly for scenarios where the infrastructure VXLAN needs to be extended outside of the ACI fabric.

References :=

Default IP interfaces on Fabric nodes - Cisco Community1

When the client endpoint and the service node interface are in different subnets, the Adjacency Type value should be set to Routed. This setting is used to indicate that routing is required between the client endpoint and the service node interface, as they are not in the same Layer 2 broadcast domain and need Layer 3 routing to communicate.

To set Layer 2 loop migration in an ACI Fabric with a Layer 2 Out configured, MCP (Misconfiguration Protocol) must be enabled on the ACI fabric56. MCP helps to prevent Layer 2 loops by detecting misconfigurations that could potentially cause loops56.

The question asks about the mechanism Cisco ACI uses to detect silent hosts when Layer 3 routed traffic is destined to the ACI fabric. A "silent host" refers to an endpoint that does not initiate traffic or send ARP requests, making detection challenging without specific mechanisms. Let’s evaluate the options based on Cisco ACI documentation and best practices.

Requirement Analysis

Layer 3 routed traffic implies that the ACI fabric is handling IP routing, and the detection mechanism must work within the context of the bridge domain and endpoint learning.

Silent hosts require passive detection methods since they do not generate active traffic (e.g., ARP requests).

The solution must align with ACI’s endpoint learning and proxy mechanisms.

Option Evaluation

A. Gratuitous ARP:

Gratuitous ARP (GARP) is a mechanism where a host announces its IP-to-MAC mapping to update network devices. However, this requires the host to send the GARP, which a silent host does not do. ACI can use GARP when hosts are active, but it is not the primary method for silent hosts.

The characteristic of Cisco ACI Multi-Pod that makes it unsuitable for deploying three separate data centers is that it requires all pods to share the same Cisco APIC cluster. In a Multi-Pod deployment, all the pods are part of the same fabric and are managed by a single APIC cluster, which means that they are not completely isolated from each other.

To implement a Layer 3 out (L3Out) inside the Cisco ACI fabric that meets the specified requirements, the following steps should be taken:

Configure the OSPF Protocol policy with an area of 0: This step involves setting up OSPF, a link-state routing protocol that supports hierarchical network design, as the routing protocol for the L3Out1.

Create Routed Outside object and Node Profile, selecting OSPF: This step involves creating a Routed Outside object and associating it with a Node Profile that specifies OSPF as the routing protocol1.

Build the Interface profile, selecting Routed Sub-interface and the appropriate VLAN: This step involves creating an Interface profile for the connection to the data center core switch, using 802.1Q tagging for VLAN separation2.

Configure the External Network object with a network of 0.0.0.0/0: This step involves setting up the External Network object to advertise routes to the rest of the network1.

The Cisco AV Pair resolves to a managed object class. In the context of Cisco ACI, the AV Pair is used to define specific attributes for RADIUS users, which then map to managed objects within the ACI fabric3.

https://community.cisco.com/t5/documentos-data-center/configuraci%C3%B3n-snmp-para-aci/ta-p/4680520

When a pre-provision immediacy is used, the policy is downloaded to the Cisco ACI leaf switch and programmed into the hardware policy Content Addressable Memory (CAM) as soon as the change is implemented on the Cisco Application Policy Infrastructure Controller (APIC). This means that the policy is ready on the leaf switch before any endpoints are actually connected.

The advantage of implementing an active-active firewall cluster that is stretched across separate pods when anycast services are configured is that local traffic within a pod is load-balanced between the clustered firewalls. This means that traffic destined for the anycast IP address of the service node (firewall) will preferentially be directed to the local node within the same pod, thus optimizing traffic flows and reducing latency by avoiding unnecessary traffic tromboning to a remote pod1.

 To configure a group of servers with a contract that uses TCP port 80 and requires an external Layer 3 cloud to initiate communication, the EPG that contains the web servers should be configured as a consumer of the contract, and the Layer 3 Out (L3Out) should be configured as the provider of the contract. This configuration establishes the direction of the contract and allows the external Layer 3 cloud to initiate communication with the web servers within the EPG.

The two requirements for the IPN network when implementing a Multi-Pod ACI fabric are:

PIM ASM multicast routing2.

OSPF routing3.

To extend functional VMM integration to the new group of 70 bare-metal ESXi servers, a separate VMM domain should be implemented using the AEP_VMM. This allows for the management and automation of network policies for the bare-metal servers in a manner similar to the virtualized environment managed by vCenter1.

To ensure that only events related to leaf and spine environmental information are logged without including specific customer data, the configuration should be applied to the fabric policy. The fabric policy in Cisco ACI is used to define global settings that apply to the entire fabric, such as syslog settings, which can be configured to filter and forward only the desired types of system messages12.

To redirect HTTP traffic between the EPG client and EPG server through the Cisco ASA firewall using a service graph in Cisco ACI, a precise filter must be configured to allow only HTTP traffic. This filter will specify the protocol (HTTP) and the Layer 4 port (typically port 80 for HTTP) to ensure that only HTTP traffic is redirected to the firewall for inspection or processing. The service graph can then be associated with the relevant EPGs to enforce the redirection1.

References :=

Service Graph Design with Cisco ACI (Updated to Cisco APIC Release 5.2) White Paper

To allow IP mobility between Site1 and Site2 in a Cisco ACI Multi-Site orchestrator while meeting the disaster recovery (DR) requirements and avoiding broadcast storms, the following actions should be taken:

Disable Inter-site BUM Traffic: Disabling Broadcast, Unknown unicast, and Multicast (BUM) traffic between sites helps to avoid broadcast storms that can occur when extending Layer 2 domains across multiple sites1.

Apply the L2 Stretch feature: The Layer 2 Stretch feature allows subnets to be extended across multiple sites without the need to re-IP the application servers. This supports IP mobility and enables applications to be started at a DR site using the same IP address space1.

These actions ensure that the design supports a DR solution without requiring vMotion support, allows applications to be started at a DR site without re-IPing servers, and avoids broadcast storms between the sites.

References :=

Cisco ACI Multi-Site Architecture White Paper1

Cisco Nexus Dashboard Orchestrator Overview2

By enabling Global AES Encryption and ensuring secure data inclusion, you can safely back up and restore the Cisco ACI fabric configuration, including the vCenter password.

To set up a Cisco ACI fabric to send Syslog messages related to hardware events to a dedicated Syslog server, the policy should be configured at uni/fabric/monfab-default4. This location in the Cisco APIC allows for the configuration of Syslog policies that can be applied to the entire fabric4.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/aci -fundamentals/Cisco-ACI-Fundamentals-401/Cisco-ACI-Fundamentals-401_chapter_01100.html

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/l4-l7-configuration/cisco-apic-layer-4-to-layer-7-services-deployment-guide-60x/defining-a-logical-device-60x.html

 To limit management access to the Cisco ACI fabric that originates from a single subnet where the NOC operates, the policy should be configured in the management tenant on the Cisco APIC5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/ apic/sw/1-x/Operating_ACI/guide/b_Cisco_Operating_ACI/b_Cisco_Operating_ACI_chapter_0111.html