300-620 Implementing Cisco Application Centric Infrastructure (300-620 DCACI) Questions and Answers

The feature that dynamically assigns or modifies the EPG association of virtual machines based on their attributes is uSeg EPGs. uSeg EPGs allow for microsegmentation within the Cisco ACI environment, enabling the dynamic assignment of VMs to EPGs based on attributes such as VM name, tag, or other identifiers

 For a blade server that lacks support of bonding, the port channel mode that results in “route based on originating virtual port” on the VMware VDS is MAC Pinning-Physical-NIC-load (Option B). This mode ensures that the virtual machine traffic is distributed across the available uplinks based on the MAC address of the originating virtual port1.

https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/virtualization/cisco-aci-virtualization-guide-60x/ACI-Virtualization-Guide-60x-aci-with-vmware-vds.pdf

When designing two data centers based on Cisco ACI technology that can extend L2/L3, VXLAN, and network policy across locations with ACI Multi-Pod, the two requirements that must be considered are:

A single APIC Cluster is required in a Multi-Pod design4.

ACI Multi-Pod requires an IP Network supporting PIM-Bidir2.

In a Cisco ACI fabric, Spanning Tree Protocol (STP) Bridge Protocol Data Units (BPDUs) that are generated by an external switch, such as Switch2 in this scenario, are indeed forwarded across the fabric. This allows externally connected switches to maintain a loop-free topology. While Cisco ACI does not participate in STP as it uses its own protocols and mechanisms for loop prevention within the fabric, it will forward STP BPDUs across End Point Groups (EPGs) on which they are received1. This ensures that the connected external switches can still use STP for their loop prevention mechanisms.

References :=

Cisco Community Discussion on STP BPDUs in ACI1

 When configuring ACI VMM domain integration with Cisco UCS-B Series, the type of port channel policy that must be configured in the vSwitch policy is MAC Pinning-Physical-NIC-load. This policy type allows for the distribution of traffic across physical NICs based on MAC address hashing, which is suitable for environments where dynamic port channels (LACP) are not used.

By enabling Global AES Encryption and ensuring secure data inclusion, you can safely back up and restore the Cisco ACI fabric configuration, including the vCenter password.

In Cisco ACI, the mgmt0 interface is used for out-of-band (OOB) management, and its IP address must be explicitly assigned through the Node Management Address Policy under the mgmt tenant. When new leaf switches are registered in the fabric, they do not automatically receive an IP address for their mgmt0 interfaces unless they are added to this policy.

To reduce instability during the migration of a legacy environment to Cisco ACI, the feature that should be enabled in the bridge domain is to Set Multi-Destination Flooding to Flood in BD (Option A). This setting allows unknown multicast, broadcast, and unknown unicast traffic to be flooded within the bridge domain, which can help prevent traffic loss during the migration process.

The Infrastructure VLAN is automatically configured during the Cisco ACI fabric discovery process. This VLAN, often referred to as the “infra VLAN,” is used to enable internal communication between the ACI fabric components, such as the leaf and spine nodes. It is vital for the overlay network and the control plane functionality. In the provided output, VLAN 3600 represents the Infrastructure VLAN, which is configured for inter-node communication.

To enable communication between EPGs and BDs from any tenant without the need for contracts or VRF route leaking, the best approach is to implement an unenforced VRF within the common tenant. By doing so, all bridge domains that are associated with this VRF will be able to communicate with each other without additional configurations. This method simplifies the network architecture and reduces the complexity associated with contract management and VRF route leaking1.

References :=

Cisco ACI Contract Guide White Paper1

To securely export Cisco APIC configuration snapshots to a secure, offsite location using an encrypted tunnel and a platform-agnostic data format that provides namespace support, the following configuration set must be used:

Choose a Platform-Agnostic Data Format: Export the configuration in a data format like JSON or XML, which are platform-agnostic and support namespaces1.

Use an Encrypted Tunnel: Transfer the configuration snapshot over a secure protocol such as SFTP or SCP, which provides an encrypted tunnel for the data transfer1.

Schedule the Export: Set up a scheduled export of the configuration in the Cisco APIC to occur at regular intervals, ensuring the process is automated1.

Enable Encryption: Make sure the configuration export policy includes encryption settings. Cisco APIC supports AES-256 encryption for securing exported configuration files2.

Verify Namespace Support: Ensure that the chosen data format and the method of export support the use of namespaces, which are essential for organizing elements and attributes in XML documents1.

By following these steps and choosing Option B, the engineer can meet the requirements for securely exporting Cisco APIC configuration snapshots to an offsite location.

The supported physical topology for a Cisco ACI data center network that includes Cisco Nexus 2000 Series 10G fabric extenders is depicted in Option A. This topology illustrates a pair of spine switches connected to leaf switches, which are then connected to the fabric extenders. The Cisco Nexus 2000 Series Fabric Extenders act as remote line cards for a parent Cisco Nexus switch, extending the network fabric. The topology shown is a spine-leaf architecture, which is a scalable, high-bandwidth framework that is typical in ACI deployments.

References :=

For a detailed understanding of the ACI fabric and supported topologies, you can refer to the Cisco Application Centric Infrastructure Design Guide, which provides comprehensive information on design recommendations and deployment models: Cisco ACI Design Guide.

To learn more about the role of fabric extenders in the ACI architecture, the following resource offers insights into how they integrate with the ACI fabric: Understanding the ACI Fabric.

The COOP (Council Of Oracle Protocol) database is located on each spine switch within the Cisco ACI fabric. The COOP database is responsible for maintaining a consistent copy of endpoint address and location information across the fabric

The true statement regarding ACI Multi-Pod and TEP pool is that the same TEP pool is used in all Pods. This shared TEP pool ensures consistent addressing and simplifies the management of the overlay network across multiple Pods.

To integrate the VMware vCenter cluster with Cisco ACI and ensure that the management traffic of the hypervisors and VM controllers uses the virtual switch associated with the Cisco Application Policy, the following steps must be taken:

Enable Infrastructure VLAN on AAEP used toward VMware hypervisors: This step involves enabling the infrastructure VLAN on the Attachable Access Entity Profile (AAEP) that is used for the VMware hypervisors. This VLAN is used for carrying infrastructure traffic such as management, vMotion, and fault tolerance.

Create a static binding in the target EPG toward VMware hypervisors with VLAN 300: This step involves creating a static binding in the “Vmware-MGMT” EPG for the VMware hypervisors with VLAN 300, setting it as an untagged access VLAN, and using Untagged 802.1P mode. This ensures that the management traffic is correctly tagged and associated with the appropriate EPG.

References :=

Cisco ACI Fabric Hardware Installation Guide

Cisco ACI Troubleshooting Guide

Cisco ACI Multi-Site Architecture White Paper

Cisco ACI Virtual Machine Manager (VMM) Integration White Paper

For external connections to the fabric that only require a default route, there is support for originating a default route for OSPF, EIGRP, and BGP L3Out connections. If a default route is received from an external peer, this route can be redistributed out to another peer following the transit export route control as described earlier in this article. A default route can also be advertised out using a Default Route Leak policy. This policy supports advertising a default route if it is present in the routing table or it always supports advertising a default route. The Default Route Leak policy is configured in the L3Out connection. https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/L3_config/b_Cisco_APIC_Layer_3_Configuration_Guide/b_Cisco_APIC_Layer_3_Configuration_Guide_chapter_010100.html

To support cross-site connectivity in a production Multi-Site solution, where connectivity from EPGs from a specific site to networks reachable through a remote site L3OUT is required, the additional configuration that must be implemented in the Multi-Site Orchestrator is to add a new stretched external EPG to the existing L3OUT1. This allows the EPGs from one site to communicate with the networks defined in the L3OUT at the remote site, facilitating the required connectivity across sites.

References :=

Cisco ACI Multi-Site Configuration Guide1

To restrict User X to have access only to TenantX without any extra privileges in the Cisco ACI fabric domain, the Cisco AV pair that must be implemented on the RADIUS server is shell:domains = TenantX-SD/tenant-admin. This AV pair assigns User X the role of tenant admin within the security domain of TenantX, ensuring that the user has the necessary permissions to manage resources within TenantX and no additional privileges outside of this scope.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/2-x/Security_config/b_Cisco_APIC_Securi ty_Guide/b_Cisco_APIC_Security_Guide_chapter_0100.html

 To redistribute externally learned OSPF routes within the ACI fabric, a Route Control Profile must be configured1. This profile allows for the control of route redistribution and the application of route maps to influence routing decisions within the fabric1.

To connect Cisco ACI fabric using Layer 2 with external third-party switches configured using 802.1s protocol, the two constructs required are:

Spanning tree policy for mapping MST Instances to VLANs (Option A): This policy will ensure that the Multiple Spanning Tree (MST) instances on the third-party switches are correctly mapped to the VLANs in the ACI fabric.

Static binding of native VLAN in all existing EPGs (Option E): This construct is necessary to maintain the native VLAN across all EPGs when integrating with third-party switches that use 802.1s protocol.

https://www.ciscolive.com/c/dam/r/ciscolive/emea/docs/2019/pdf/BRKACI-3101.pdf

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-in frastructure/white-paper-c07-732033.html

To create a backup of the Cisco ACI fabric for disaster recovery that is secure, encrypted, and in a format conducive to processing with a Python script, the engineer must select Secure Copy Protocol (SCP) for secure and encrypted transport. The backup file should be in JSON format, which is similar to a Python dictionary and can be easily processed by a Python script. Additionally, enabling Global AES Encryption ensures that all user and password-related information is included securely in the backup1.

When Cisco ACI connects to an outside Layer 2 network, the ACI fabric floods the STP BPDU frame within the bridge domain (Option A)5. This ensures that BPDUs are properly propagated within the relevant VLAN encapsulation associated with the bridge domain5.

The two essential components of a Cisco ACI Virtual Machine Manager (VMM) domain policy configuration are:

VMM domain profile1.

EPG association1.

https://www.cisco.com/c/en/us/td/docs/switches/datac enter/aci/apic/sw/1-x/aci-fundamentals/b_ACI-Fundamentals/b_ACI-Fundamentals_chapter_01011.html#concept_74EFC437C0AA44A391676F70ACE59DF3

To clear the MCP (Mis-Cabling Protocol) fault in a Cisco ACI fabric when an egress L3Out is configured from Leaf-101 and Leaf-102 to CORE-1, and VLAN 102 is used for OSPF adjacency, the encapsulation VLAN on the EPG-101 static port binding should match the VLAN used for OSPF adjacency. This means that VLAN 102 should be used as the encapsulation VLAN for the static port binding on Leaf-103 e1/1. Using the same VLAN for both OSPF adjacency and the static port binding ensures consistency and prevents misconfiguration that could lead to MCP faults1.

References :=

ACI Fabric L3Out White Paper - Cisco1

 In a Cisco ACI Multi-Pod environment with active-active data centers and active-standby firewalls in each data center, enabling Pod ID Aware Redirection is the action that should be taken to maintain traffic symmetry through the firewalls. This feature ensures that traffic is consistently directed through the active firewall based on the pod identifier, thus maintaining the desired traffic flow and symmetry2.

References :=

Cisco ACI Multi-Pod and Service Node Integration White Paper

To deploy an access port policy group within Cisco ACI, an attachable entity profile (AEP) needs to be created. An AEP is a policy construct that groups together various domains and allows them to be attached to the fabric access layer

For AAA configuration within the Cisco ACI fabric, where authentication should fall back to local users if the TACACS+ server is unreachable, and access must be granted through the fallback domain if the Cisco APIC is out of the cluster, the configuration set that meets these requirements is to have the Default Authentication Realm set to TACACS+ with Fallback Check enabled. This ensures that when the TACACS+ server cannot be reached, the system will fall back to using local authentication

In VMware vSphere, "MAC Pinning" refers to the "Route based on originating virtual port" load-balancing algorithm. This method assigns each virtual machine (VM) vNIC to a specific uplink (pNIC) and ensures that all traffic from that VM consistently exits through the same uplink.

To enable communication between the external subnet and internal EPG1, and to allow L3Out traffic to leak into the VRF named “VF1”, the following configuration set should be used:

External Subnets for External EPG: This configuration defines the subnets that are external to the ACI fabric but need to be reachable from within the fabric. It is necessary to specify which subnets are to be considered part of the L3Out1.

Shared Route Control Subnet: This setting allows the subnets to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF1.

Shared Security Import Subnet: This configuration ensures that the security policies (contracts) associated with the shared subnets are also imported, allowing for the necessary traffic to flow between the internal and external endpoints1.

By applying this configuration set, the external subnet and internal EPG1 will be able to communicate, and the L3Out traffic will be properly leaked into the designated VRF, meeting the specified goals.

References :=

ACI Inter VRF/Tenant Route Leaking Configuration Example1

To ensure that application EPGs communicate only with their respective database EPGs, the app-to-db contract should be configured with a scope set to the Application Profile. This scope ensures that the contract is applied only within the specific application profile, allowing for granular control over the communication between the application and database tiers. By setting the scope to Application Profile, the contract will not apply to other application profiles, thus preventing unwanted traffic between EPGs of different applications1.

References :=

Cisco ACI Contract Guide White Paper1

In a Cisco ACI environment with multiple silent hosts that are often relocated between leaf switches, configuring IP Data-Plane Learning to ‘No’ will minimize the relocation impact and make the ACI fabric relearn the new location of the host faster. Disabling IP Data-Plane Learning prevents the fabric from learning IP addresses from the data plane, which can speed up the process of relearning host locations when they move3.

 In the Cisco ACI Active-Active Across Pods deployment mode, one of the key characteristics of Policy-Based Redirect (PBR) is that traffic is dynamically redirected to the firewall that owns the connection. This allows for load distribution across multiple Layer 4 to Layer 7 devices, also known as symmetric PBR. Additionally, deployment in this mode occurs in go-to mode only, which means that traffic is explicitly directed to a service node or firewall for processing

To enable connectivity for the external endpoints in the 172.16.1.0/24 subnet, the following actions should be taken:

Delete both external EPG subnets: This action removes any specific subnet configurations that might be causing routing issues or conflicts within the external EPG1.

Create the 0.0.0.0/0 subnet: By configuring a 0.0.0.0/0 subnet, you are effectively creating a default route that allows all traffic to be routed, ensuring that endpoints in any subnet, including the 172.16.1.0/24 subnet, can reach internal endpoints1.

This configuration change addresses the issue where traffic from the 172.16.1.0/24 subnet is not reaching the internal endpoints, likely due to a lack of a default route or misconfigured subnets within the external EPG

 In Cisco ACI, a contract is used to define the communication policy between EPGs (Endpoint Groups). It specifies which types of traffic are allowed to pass between EPGs and can include filters for protocols, ports, and other attributes. In the context of the logical system design, the contract would be the object that completes the communication requirements as indicated by the dotted line in the exhibit12.

References :=

Cisco Application Centric Infrastructure (ACI) Design Guide1

Cisco ACI Policy Model Guide2

 When creating a subnet within a bridge domain in Cisco ACI, the configuration option used to specify the network visibility of the subnet is the scope12. The scope can be set to private, public, or shared, determining how the subnet is advertised and accessed within and outside of the ACI fabric12.

To implement the inter-tenant service graph, the set of actions that must be taken are:

Define the contract in the provider tenant and export it to the consumer tenant (Option B).

Define the L4-L7 device and service graph template in the provider tenant and the ASA bridge domains in the consumer tenant (Option B).

This approach allows for the proper configuration and association of the service graph between the provider and consumer tenants, ensuring that the services are correctly applied to the traffic flowing between them.

With unicast routing enabled on the bridge domain, the two conditions that enable the Cisco ACI leaf to learn a source IP as a local endpoint are:

Through Ethernet traffic received in a bridge domain (Option A): The leaf switch learns the source IP address as a local endpoint when it receives Ethernet traffic within the bridge domain.

Through ARP received on an SVI (Option E): The leaf switch also learns the source IP address as a local endpoint when it receives an ARP request or reply on a Switched Virtual Interface (SVI) associated with the bridge domain.

These conditions allow the ACI fabric to maintain an accurate endpoint database for efficient routing and forwarding of traffic within the fabric.

https://www.cisco .com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739989.html

 The two true statements regarding ACI Multi-Site are:

ACI Multi-Site is a solution that supports a dedicated APIC cluster per site1.

ACI Multi-Site is a solution that allows one APIC cluster to manage multiple ACI sites1.

The two protocols that support accessing backup files on a remote location from the APIC are FTP (File Transfer Protocol) and SFTP (SSH File Transfer Protocol). Both FTP and SFTP allow for the transfer of files to and from a remote location, but SFTP provides an additional layer of security by utilizing SSH.

 To design a method that allows the Cisco ACI to redirect traffic to the firewalls based on specific L4-L7 policy rules and distribute the load across multiple firewalls, the action that must be taken is to Configure ACI Service Graph with Unidirectional PBR (

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/applicatio n-centric-infrastructure/white-paper-c11-739971.html

For the new nodes in a Cisco ACI Multi-Pod deployment to be discoverable by the existing Cisco APICs, DHCP relay should be enabled on all links that are connected to Cisco ACI spines on Inter-Pod Network (IPN) devices. This allows the APICs to dynamically assign IP addresses to the new nodes, facilitating their discovery and integration into the fabric.

References :=

Cisco ACI Multi-Pod Configuration Guide

Cisco ACI Best Practices Guide

In Cisco ACI, when a packet is routed between two endpoints on different leaf switches, the VXLAN VNID that is applied to the packet corresponds to the Bridge Domain (BD). The BD VNID is used to encapsulate the packet for Layer 2 transport across the fabric. This VNID ensures that the packet is delivered to the correct bridge domain, maintaining the segmentation and policy enforcement required by the ACI fabric.

References :=

Cisco ACI Fabric Forwarding White Paper

Cisco ACI Basic Configuration Guide

When configuring an L3Out in Cisco ACI and encountering a QoS-related error, creating a custom QoS policy is often necessary to clear the fault. This involves defining a QoS policy that meets the specific requirements of the L3Out configuration and applying it to the relevant interfaces or globally within the fabric. The custom QoS policy should be designed to prioritize traffic appropriately and ensure that the necessary QoS settings are in place for the L3Out connections1.

References :=

Cisco ACI L3Out Configuration Examples1

The import mode that must be used to ensure that the import process terminates if the imported configuration is incompatible with the existing system is the ‘atomic’ mode. This mode ignores shards that contain objects that cannot be imported while proceeding with shards that can be imported. If the incoming configuration’s version is incompatible with the existing system, the import process will terminate2.

In the Cisco ACI environment, when an engineer wants to enforce a specific path for ICMP replies and prevent packets from taking a direct path, setting Layer 2 Unknown Unicast to Hardware Proxy on the bridge domain (BD1) is the appropriate action. This setting ensures that the unknown unicast traffic, which includes ICMP packets destined for an unknown MAC address, is forwarded to the spine proxy. The spine proxy then forwards the packets based on the endpoint table information, ensuring that the packets follow the expected path through the fabric and do not take any shortcuts or direct paths that bypass the intended routing.

Storm control should be configured on port channel on a single leaf switch (Option B) and endpoint-facing trunk interface (Option D) to protect against broadcast traffic6. These interfaces are where storm control policies are typically applied to prevent disruptions caused by traffic storms6.

 To limit management access to the Cisco ACI fabric that originates from a single subnet where the NOC operates, the policy should be configured in the management tenant on the Cisco APIC5.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/ apic/sw/1-x/Operating_ACI/guide/b_Cisco_Operating_ACI/b_Cisco_Operating_ACI_chapter_0111.html

On border leaf switches in Cisco ACI, the two types of interfaces supported to connect to an external router are subinterface with 802.1Q tagging and Switch Virtual Interface (SVI)7. These interfaces allow for the segmentation of traffic and the extension of Layer 2 and Layer 3 services to external networks7.

To configure leaf and spine switches in a Cisco ACI fabric to use out-of-band management for NTP protocol, an Override Policy with NTP Out-of-Band must be created. This policy specifies that NTP traffic should be directed through the out-of-band management network, separate from the in-band management traffic, ensuring dedicated management connectivity for time synchronization.

https://www.cisco.com/c/en/us/support/docs/cloud-systems-management/application-policy-infrastructure-controller-apic/200128-Configuring-NTP-in-ACI-Fabric-Solution.html

When extending an EPG out of the ACI fabric using static path binding, it is true that external endpoints are in the same EPG as the directly attached endpoints8. This means that traffic received on a statically bound leaf port with a specific VLAN ID is mapped to the EPG, and the same policies applied to directly attached endpoints are enforced on the external endpoints8.

 To allow multiple external networks to communicate with internal ACI subnets and assign the prefix to the class ID of the external Endpoint Group, the engineer should configure subnets with the External Subnets for External EPG flag enabled1. This configuration allows the specified subnets to be associated with an external EPG, which facilitates communication between internal tenants and external routed networks via L3Outs1.

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/ACI_Best_Practices/b_ACI_Best_Practices/b_ACI_Best_Practices_chapter_01001.html

To meet the server team’s requirements for VMM integration with ESXi servers, the two enhanced LAG policies that should be configured are:

LB Mode: Destination IP Address and TCP/UDP Port (Option B): This load balancing mode ensures that traffic is evenly distributed across all available links based on the destination IP address and the TCP/UDP port numbers, which can provide a balanced traffic flow for different sessions.

LACP Mode: LACP Active (Option E): Setting the LACP mode to active allows the network switches to initiate the LACP negotiation, which is necessary when the servers are not configured to initiate the LACP process.

These settings ensure that the LAG group consisting of two 10 Gigabit Ethernet links will have traffic evenly distributed across them and that the network switches will initiate the LACP negotiation as required by the server team.

 When migrating the vSphere Management VMkernel of all ESXi hosts from the standard default virtual switch to a Virtual Distributed Switch (VDS) that is integrated with APIC in a VMM domain, it is essential to set the Management VMkernel EPG resolution to Pre-Provision. This action ensures that the necessary policies are in place on the ACI fabric before the migration occurs, allowing for a seamless transition and continuous management connectivity.

 To prevent a fault from appearing that is not directly relevant to the environment, the ACI administrator should create a fault severity assignment policy that hides the fault. This can be done by selecting “Ignore Fault” under System -> Faults in the APIC UI2

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

For the BGP Route Reflector policy to take effect, the components that must be configured are the leaf fabric interface overrides and profiles. These configurations are necessary to establish the route reflector relationships within the BGP protocol on the leaf switches

To enable the APIC in a Cisco ACI fabric using out-of-band management connectivity to access a routable host with an IP address of 192.168.11.2, you need to add a Fabric Access Policy that allows management connections. This involves configuring a contract that will be consumed and provided to your OOB devices. The contract will let the system know what traffic is allowed. In this case, you will use the default/common contract to permit any traffic. This is necessary because the APIC needs to be able to send traffic to and receive traffic from the management network1.

References :=

ACI: Configuring Out-of-Band (OOB) Access for Your Fabric - Cisco1

Troubleshoot ACI Management and Core Services - In-band and Out-of-band Management - Cisco2

To advertise the 0.0.0.0/0 prefix out on L3Out-2 OSPF, when it is configured as a default static route on L3Out-1, the action that should be taken is to enable the Export Route Control Subnet. This setting allows the default route to be advertised to other L3Outs, enabling the ACI fabric to act as a transit network1.

References :=

ACI Fabric L3Out White Paper - Cisco1

The two requirements for the IPN network when implementing a Multi-Pod ACI fabric are:

PIM ASM multicast routing2.

OSPF routing3.

To configure communication between the EPGs in different tenants, the subnet scope should be set to “Shared between VRFs”. This allows the subnet to be shared across different VRFs, enabling communication between EPGs that are in different tenants but within the same VRF. By marking the subnet as shared, it becomes visible to other VRFs, which is necessary for inter-tenant communication1.

References :=

Learning ACI - Part 12: Inter-VRF and Inter-Tenant Communication

 In the Cisco ACI VMM domain configuration, to generate port groups with names formatted as “Tenant=Application=EPG”, the configuration option used is delimiter. The delimiter is a character that separates the elements of the port-group name. By changing the delimiter setting to “=”, the port-group names will be generated with the desired format.

The scenario involves a tenant configured with a single L3Out and a single-homed link from the ACI fabric (via border leaf BL-1001) to a core router (Core-1). The engineer must add a second link to the L3Out, connecting to Core-2 via BL-1002, ensuring that traffic from Core-2 to BL-1002 has the same connectivity as traffic from Core-1 to BL-1001. The exhibit shows a single-homed setup with BL-1001 and BL-1002 as potential border leaves, with a dashed line indicating a planned second link.

Requirement Analysis

The existing L3Out is single-homed to Core-1 via BL-1001, and the goal is to extend it to a multi-homed configuration with Core-2 via BL-1002.

"Same connectivity" implies that the second link must be integrated into the existing L3Out configuration, sharing the same routing policies, external EPG, and subnet reachability.

The solution must leverage ACI’s L3Out framework to add the new path without creating a separate L3Out or altering the current routing setup unnecessarily.

Option Evaluation

A. Add a second path to the logical interface profile of the existing L3Out:

The logical interface profile in an L3Out defines the interfaces (e.g., routed ports or sub-interfaces) and their associations with nodes (border leaves). Adding a second path to this profile allows the inclusion of the new link from BL-1002 to Core-2, ensuring it operates under the same L3Out configuration (e.g., routing protocol, external EPG). This maintains consistent connectivity and leverages ACI’s multi-homing support.