Cisco CCNP 300-620 Questions & Answers

• Question 1:

  Refer to the exhibit.

  

  An engineer must migrate workloads from the brownfield network to the Cisco ACI fabric. The VLAN 10 default gateway remains in the router located in the brownfield network. The bridge domain has already been associated with L2Out. Which two actions must be taken to migrate the workloads? (Choose two.)

  A. Enable ARP Flooding.

  B. Configure Multi-Destination Flooding Flood in Encapsulation.

  C. Select limit IP learning to Subnet.

  D. Set L2 Unknown Unicast Flood.

  E. Map the MAC address of the default gateway to the bridge domain.

  Correct Answer: AD

  https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/migration_guides/migrating_existing_networks_to_aci.html#_Toc133408118

  Enable ARP flooding: ARP requests originated from devices connected to the Cisco ACI fabric should be able to reach the default gateway or other endpoints part of the same IP subnet and still connected to the brownfield network. Since

  those entities are unknown to the Cisco ACI fabric, it is required to flood ARP requests across the Cisco ACI fabric and toward the brownfield network.

  Enable Unknown Unicast flooding: similar considerations valid for ARP traffic apply also to Layer 2 unknown traffic (unicast and multicast), so it is required to ensure flooding is enabled in this phase for those traffic types.

• Question 2:

  An engineer is configuring a new user account in Cisco ACI. The new user will be assigned the role of fabric administrator. The fabric has only one tenant, so the engineer associated the new user account with a security domain for the tenant, as well as the security domain for the management tenant.

  Which configuration permits the new user with admin access to the fabric?

  A. Associate the new user with the security domain all.

  B. Grant the new user R/W access to the user and management tenant.

  C. Add the DN uni/fabric under explicit rules.

  D. Bind the security domain infra to the new user account.

  Correct Answer: D

  The Cisco Application Centric Infrastructure (ACI) RBAC rules enable or restrict access to some or all of the fabric. For example, in order to configure a leaf switch for bare metal server access, the logged in administrator must have rights to the infra domain. By default, a tenant administrator does not have rights to the infra domain. In this case, a tenant administrator who plans to use a bare metal server connected to a leaf switch could not complete all the necessary steps to do so. The tenant administrator would have to coordinate with a fabric administrator who has rights to the infra domain. The fabric administrator would set up the switch configuration policies that the tenant administrator would use to deploy an application policy that uses the bare metal server attached to an ACI leaf switch.

  https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/5-x/security/cisco-apic-security-configuration-guide-50x/m_access_authentication_and_accounting.html

• Question 3:

  An engineer must integrate a Cisco ACI fabric with VMware and discover an ESXi host using LLDP. Two EPGs have been created and associated with the VMM domain. The engineer must configure the ACI such that contracts are pushed to the ACI leaf switches when the VM is mapped to EPG and the contracts are removed when LLDP is disabled.

  Which configuration must be selected to meet these requirements?

  A. Deployment immediacy: On-Demand

  B. Resolution immediacy: On-Demand

  C. Deployment immediacy: Immediate

  D. Resolution immediacy: Immediate

  Correct Answer: B

• Question 4:

  An engineer must implement user activity tracking in the Cisco ACI with a solution that meets these requirements:

  1.

  All user activity that is related to the Cisco ACI infrastructure hardware must be tracked.

  2.

  All audit logs with severity level 5 and below must be collected and exported.

  3.

  Logs must be exported to a Security Information and Event Management (SIEM) appliance.

  Which set of steps must be taken?

  A. Create a Syslog Monitoring Destination Group with a remote destination of the SIEM device. Create a Tenant-level Syslog Source under the Monitoring section of the Tenant Tab. Select Audit Logs and a severity level of Warning,

  B. Create a Syslog Monitoring Destination Group with a Local File destination. Create an Access-level Syslog Source under the Monitoring section of the Fabric Tab. Select Fault Logs and a severity level of Notification.

  C. Create a Syslog Monitoring Destination Group with a remote destination of the SIEM device. Create a Fabric-level Syslog Source under the Monitoring section of the Fabric Tab. Select Audit Logs and a severity level of Notification.

  D. Create a Syslog Monitoring Destination Group with Console Destination. Create a System-level Syslog Source under the Monitoring section of the System Tab. Select Session Logs and a severity level of Warning.

  Correct Answer: C

  Fabric > Fabric > Policies > Monitoring > default > Callhome/Smart Callhome/SNMP/Syslog/TACACs

  uni/fabric/monfab-default

  Create Syslog Source

  Provide a name for this source (i.e., FabricDefaultSyslog)

  Select the Minimum Syslog Severity Level (default is warning; we have changed this to information)

  Select the categories of messages to source (default is faults; we have selected all categories)

  Select the Destination Syslog Server (this is the server we previously defined)

  https://unofficialaciguide.com/2018/08/11/configuring-syslog-for-aci/

• Question 5:

  A network engineer is implementing a Layer 3 Out in the Cisco ACI fabric. The data center core switches must connect to a pair of leaf switches and exchange routes via a routing protocol. In addition, the implementation must meet these criteria:

  1.

  The external switch interface must use 802.1Q tagging.

  2.

  Access to the Internet for the ACI fabric must be the L3Out.

  3.

  The L3Out must use a routing protocol that has rapid convergence time and low CPU usage.

  Which configuration set meets these requirements?

  A. Configure the OSPF Protocol policy with an area of 0. Set up the Routed External Network object and Node Profile and select OSPF. Create the Switch profile and select VPC with the appropriate interfaces. Create the default network and associate it with the Routed Outside object.

  B. Configure the BGP Protocol policy with the appropriate Autonomous System number.

  Configure an Interface policy and an External Bridged Domain.

  Create an External Bridged Network and use the configured VLAN pool.

  Build the Leaf profile and select the Routed sub-interface with the appropriate VLAN.

  C. Implement the IS-IS Protocol policy with the selected Autonomous System number. Create the Routed Outside object and Node Profile and select IS-IS. Configure the Interface profile and select the Routed Interface with the appropriate interfaces. Create the External Network object.

  D. Implement the EIGRP Protocol policy with the selected Autonomous System number. Create Routed Outside object and Node Profile and select EIGRP as the routing protocol. Build the Interface profile and select SVI and the appropriate VPC. Configure the External Network object with a network of 0.0.0.0/0.

  Correct Answer: A

• Question 6:

  An engineer must monitor a Cisco ACI fabric with SNMP. The “permit any contract” attribute is not configured in the fabric.

  Which action must be taken to receive SNMP traps from Cisco APIC?

  A. Consume the inband contract from the out-of-band EPG.

  B. Configure the OOB contract under the common tenant.

  C. Add the UDP filter port 162 to the existing OOB contract.

  D. Provide a standard contract under the user tenant.

  Correct Answer: C

  1.

  To allow SNMP communications, you must configure an "out-of-band (OOB) contract" in the "mgmt" tenant to allow SNMP traffic. SNMP traffic typically uses UDP port 161 for SNMP requests.

  2.

  Configure the APIC OOB IP addresses in the "mgmt" tenant. Although the OOB addresses are configured during APIC setup, the addresses must be explicitly configured in the "mgmt" tenant before the OOB contract will take effect. About SNMP ACI provides SNMPv1, v2, and v3 support, including Management Information Bases (MIBs) and notifications (traps). The SNMP standard allows any third-party applications that support the different MIBs to manage and monitor the ACI fabric.

  https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/aci-guide-configuring-snmp.pdf

• Question 7:

  An engineer wants to configure Cisco ACI switches to use authenticated ZMQ when communicating with the proxy spine.

  Which configuration allows MD5 ZMQ messages only?

  A. COOP Group policy in strict mode

  B. IS-IS password using MD5

  C. BGP password using MD5

  D. COOP Group policy in compatible mode

  Correct Answer: A

  There are 2 choices, Compatible Type and Strict Type. Compatible Type accepts both MD5 authenticated and non-authenticated ZMQ connections, whereas Strict Type only allows MD5 authenticated ZMQ connections.

• Question 8:

  An engineer created a monitoring policy called Test in a Cisco ACI fabric and had to change the severity level of the monitored object Call home source.

  Which set of actions prevent the event from appearing in event reports?

  A. Select Faults Severity Assignment Policies. Set severity level to cleared.

  B. Select Event Severity Assignment Policies. Set severity level to squelched.

  C. Select Faults Severity Assignment Policies. Set severity level to squelched.

  D. Select Event Severity Assignment Policies. Set severity level to cleared.

  Correct Answer: C

• Question 9:

  Refer to the exhibit.

  

  Cisco ACI fabric is connected to a Cisco Catalyst 3850 Series Switch using EBGP. Server 2 is unable to communicate with Server 1. Leaf-2 fails to learn the external subnet 10.2.2.0/24 and other external subnets from other L3Outs. Which configuration ensures that the networks from Leaf-2 are learned by the external network?

  A. Configure 10.2.2.0/24 under the external EPG of the L3Out.

  B. Implement a contract between the Server 2 EPG and the L3Out.

  C. Implement the bridge domain to advertise the bridge domain subnet.

  D. Configure Spine-1 as the MP-BGP route reflector.

  Correct Answer: D

• Question 10:

  What is the result of the pcEnPref flag configured on the epg-App_EPG?

  

  A. Any configuration changes to the private network are validated.

  B. Access control rules for the L3Out network are applied.

  C. Access control rules for the private network are applied.

  D. Any changes to the underlying EPG objects are forbidden.

  Correct Answer: C