Cisco CCNP 300-620 Questions & Answers

• Question 31:

  Refer to the exhibit.

  

  A Cisco ACI fabric uses L3Out to connect with R1. The 192.168.1.0/24 subnet is received over the physical interface Eth1/1 of Leaf1 and Leaf2. Which set of actions must be taken to receive the 2001:db8::2:1 subnet over the interface Eth1/1 interface?

  A. Create a new interface profile. Mark the IPv6 subnet as the export route control subnet.

  B. Create a new interface profile. Mark the IPv6 subnet as the import route control subnet.

  C. Use the current interface profile. Mark the IPv6 subnet as the export route control subnet.

  D. Use the current interface profile. Mark the IPv6 subnet as the import route control subnet.

  Correct Answer: B

  https://community.cisco.com/t5/application-centric-infrastructure/l3out-with-ipv4-and-ipv6/td-p/4012784

• Question 32:

  Refer to the exhibit.

  

  An engineer applies an OSPF L3Out between a Cisco ACI fabric and an external router. Router1 must receive a default route from the Cisco ACI via OSPF. Which action ensures that the ACI fabric is the Layer 3 gateway for Router1?

  A. A. Configure a default route leak policy in the L3Out.

  B. Apply an OSPF interface policy in the OSPF interface profile.

  C. Associate the external EPG with the appropriate contract.

  D. Include an OSPF route summarization policy in external EPG.

  Correct Answer: A

  For external connections to the fabric that only require a default route, there is support for originating a default route for OSPF, EIGRP, and BGP L3Out connections. If a default route is received from an external peer, this route can be

  redistributed out to another peer following the transit export route control as described earlier in this article. A default route can also be advertised out using a Default Route Leak policy. This policy supports advertising a default route if it is

  present in the routing table or it always supports advertising a default route. The Default Route Leak policy is configured in the L3Out connection.

  When creating a Default Route Leak policy, follow these guidelines:

  For BGP, the Always property is not applicable. When configuring the Scope property, choose Outside. For OSPF, the scope value Context creates a type-5 LSA while the Scope value Outside creates type-7 LSA. For EIGRP, when choosing

  the Scope property, you must choose Context.

• Question 33:

  Refer to the exhibit.

  

  An engineer configures a static port binding for EPG-3. These Cisco ACI objects are already configured:

  1.

  The EPG-3 is associated with a physical domain.

  2.

  The physical domain is associated with a VLAN pool called VLP-1.

  3.

  The VLAN pool contains VLANs 200-250. Which step completes the configuration?

  A. Associate an interface policy group with an interface selector for eth1/2.

  B. Associate the switch profile to an interface profile by using an interface policy.

  C. Associate the domain to an interface selector by using an AEP.

  D. Associate an interface policy group to a switch profile for Node-101.

  Correct Answer: A

• Question 34:

  Refer to the exhibit.

  

  A Cisco ACI fabric is created with L2Out to N7K1 and N7K2 switches. The switches are running MSTP with native VLAN 10. The N7K1 and N7K2 act as the root bridge for VLAN 20. An EPG named Data has been created. The ACI fabric must be configured with these requirements:

  1.

  The ACI fabric must receive MSTP BPDU.

  2.

  The N7K1 switch must act as the root bridge for VLAN 20.

  Which set of actions accomplishes these goals?

  A. Encapsulate EPG Data with VLAN 20. Set the VLAN mode to Trunk.

  B. Encapsulate EPG Data with VLAN 10. Set the VLAN mode to Trunk.

  C. Encapsulate EPG Data with VLAN 10. Set the VLAN mode to 802.1P.

  D. Encapsulate EPG Data with VLAN 20. Set the VLAN mode to 802.1P.

  Correct Answer: A

• Question 35:

  Refer to the exhibit.

  

  An engineer is migrating legacy servers into the Cisco ACI environment. The requirement is to ensure that all endpoints and MAC addresses are learned properly in legacy and Cisco ACI switches. Which configuration set must be configured under the bridge domain called bd_360 to accomplish this goal?

  A. L2 Unknown Unicast: Hardware Proxy ARP Flooding: Disabled

  B. L2 Unknown Unicast: Flood ARP Flooding: Enabled

  C. L2 Unknown Unicast: Hardware Proxy ARP Flooding: Enabled

  D. L2 Unknown Unicast: Flood ARP Flooding: Disabled

  Correct Answer: B

  ARP HW proxy is not suited for this scenario as the routing is outside ACI

• Question 36:

  Refer to the exhibit.

  

  The VMs called VM1 and VM2 are deployed on the ESXi Server in a Cisco ACI environment. VM1 has MAC address A and an IP address 192.168.1.1/24, and VM2 has MAC address B. VM1 has been shut down. Which set of actions must be taken to detect the movement of IP address 192.168.1.1/24 to MAC address B?

  A. Enable ARP flooding. Disable unicast routing. Enable GARP-based detection.

  B. Disable ARP flooding. Disable unicast routing. Disable GARP-based detection.

  C. Disable ARP flooding. Enable unicast routing. Disable GARP-based detection.

  D. Enable ARP flooding. Enable unicast routing. Enable GARP-based detection.

  Correct Answer: D

  GARP is used to update IP to MAC relation on upstream network devices. It is most relevant in case of vmotions or VMs/servers moving from one host to another, and the MAC address changes, but the IP remains the same.

  In the context of ACI, the leaf switches can detect MAC and IP address movement between leaf switch ports, leaf switches, bridge domains, and EPGs, but it does not detect the movement of an IP address to a new MAC address if the new MAC address is from the same interface and same EPG as the old MAC address.

  When the GARP based detection option is enabled (configuration available under the BD), Cisco ACI will trigger an endpoint move based on GARP packets if the move occurs on the same interface and same EPG. If a GARP packet comes from the same interface and same EPG, then endpoint learning is triggered only when Unicast Routing, ARP Flooding, and “GARP based detection” are all enabled for the bridge domain.

• Question 37:

  Refer to the exhibit.

  

  An engineer is implementing a BPDU filter on external switch interfaces that face the Cisco ACI fabric to prevent excessive TCNs from impacting the fabric. Which configuration must be applied on Cisco ACI to avoid a Layer 2 loop?

  A. Configure MCP globally.

  B. Implement BPDU Guard.

  C. Apply an MSTP instance on Cisco ACI.

  D. Enable STP on downlinks.

  Correct Answer: A

  https://www.linkedin.com/pulse/cisco-aci-network-behaviour-stptcn-how-identify-loop-ankit-kulshresta

• Question 38:

  Refer to the exhibit.

  

  A client is configuring a new Cisco ACI fabric. All VLANs will be extended during the migration phase using the VPC connections on leaf switches 3, 4 and leaf switches 5, 6 toward the legacy network. The migration phase has these requirements:

  1.

  The legacy switches must be able to transfer BPDUs through the ACI fabric.

  2.

  If the legacy switches fail to break a loop, Cisco ACI must break the loop.

  Which group settings must be configured on VPC interface policy groups ipg_vpc-legacy_1 and ipg_vpc-legacy_2 to meet these requirements?

  A. MCP: enabled BPDU Guard: disabled BPDU Filter: disabled

  B. MCP: disabled BPDU Guard: enabled BPDU Filter: enabled

  C. MCP: enabled BPDU Guard: enabled BPDU Filter: disabled

  D. MCP: disabled BPDU Guard: disabled BPDU Filter: enabled

  Correct Answer: A

  MCP detects loops from external sources and will err-disable the interface on which ACI receives its own packet. Enabling this feature is a best practice and it should be enabled globally and on all interfaces, regardless of the end device. MCP works to stop Layer-2 loops, it should be enabled right away on an ACI Fabric prior to connecting Layer-2 devices for migration purposes.

  As explained in this article, ACI Operation with L2 Switches and Spanning-tree Link Types, by default, the STP link type on Legacy switches is P2P. ACI acts as a hub for BPDUs. By configuring the STP link type as Shared for your external switch interfaces which connect to ACI, you ensure that you allow the switches to take their time with the STP transition process, thereby protecting your environment from potential STP loop formation. Even though ACI does not generate STP BPDUs, ACI switches will forward STP BPDUs across EPGs on which they are received. This allows the externally connected switches to maintain a loop-free topology and avoid broadcast storms and other nastiness that goes hand-inhand when layer-2 loops form!

• Question 39:

  An engineer must configure a new local user inside a Cisco ACI. The new user must meet these criteria:

  1.

  Must be provided with complete read-only access to the tenant.

  2.

  Must be permitted to create and delete EPGs within a specific tenant.

  3.

  Must not be allowed to modify any other objects within that tenant.

  The tenant and security domain association is already in place. Which configuration set configures the new tenant?

  A. Create a new role with tenant-admin privilege. Create the local user and assign it to the tenant-security domain. Add the tenant-security domain to the role admin with access privilege type Read. Add the tenant-security domain to the new role with access privilege type Write.

  B. Create a new role with tenant-epg privilege. Create the local user and assign it to the tenant-security domain. Add the tenant-security domain to the role read-all with access privilege type Read. Add the tenant-security domain to the new role with access privilege type Write.

  C. Create a new role with tenant-connectivity privilege. Create the local user and assign it to the tenant-security domain. Add the tenant-security domain to the role access-admin with access privilege type Read. Add the tenant-security domain to the new role with access privilege type Write.

  D. Create a new role with tenant-security privilege. Create the local user and assign it to the tenant-security domain. Add the tenant-security domain to the role tenant-admin with access privilege type Read. Add the tenant-security domain to the new role with access privilege type Write.

  Correct Answer: B

• Question 40:

  Which two actions does the Cisco ACI take when a bridge domain is configured with a subnet and unicast routing is enabled? (Choose two.)

  A. enables routing to and from that subnet

  B. disables the ARP flooding feature

  C. learns MAC and IP addresses

  D. stops remote endpoint learning

  E. discovers endpoints from data plane learning only

  Correct Answer: AC

  The Layer 3 Configurations tab of the bridge domain panel allows the administrator to configure the following parameters:

  Unicast Routing: If this setting is enabled and a subnet address is configured, the fabric provides the default gateway function and routes the traffic. Enabling unicast routing also instructs the mapping database to learn the endpoint IP-to-VTEP mapping for this bridge domain. The IP learning is not dependent upon having a subnet configured under the bridge domain.

  Subnet Address: This option configures the SVI IP addresses (default gateway) for the bridge domain.

  Limit IP Learning to Subnet: This option is similar to a unicast reverse-forwarding-path check. If this option is selected, the fabric will not learn IP addresses from a subnet other than the one configured on the bridge domain.

  Unicast Routing feature in ACI allows the Leaf Switches to learn the IP addresses associated with the Endpoint which are connected to ACI Fabric.

  The Unicast Routing feature also enables IP Routing under the bridge domain ( Similar to IP Routing Command in Nexus-OS/ Catalyst OS).