Cisco ACI Interview Questions


Best Cisco ACI Interview Q&As

1. What is the hardware series we use for Application Centric Infrastructure?

Answer: We have Cisco Nexus 9000 series. In this we mainly have Nexus 9500
Modular, Nexus 9300 Non-Modular series switches. In my course, I used 9500 as
spine and 9300 as Leaf Switches.

2. What are the modes of operation in Nexus 9000 series switches?

Answer: We have two modes in which Nexus 9K switches can be used, namely NX-OS and ACI mode. These are exclusive modes, which means you cannot run both modes at the same time in a switch. If you switch the mode, the complete configuration will be deleted.

3. What is CLOS architecture or ACI Spine-Leaf Architecture?

Answer: This architecture was designed by Charles Clos. In today's IT world, applications are increasingly deployed in a distributed fashion, which leads to increased east-west traffic. Traditional 3-tier data centers are unable to meet the high bandwidth and low latency demands. This is where the Leaf-Spine 2-layer network topology (composed of leaf switches and spine switches) addresses the challenges faced in traditional network architecture. Leaf-Spine is a 2-layer data center network topology that is useful for data centers that experience more east-west network traffic than north-south traffic. The topology is composed of leaf switches (to which servers and storage connect) and spine switches (to which leaf switches connect). In this two-tier Clos architecture, every lower-tier switch (leaf layer) is connected to each of the top-tier switches (spine layer) in a full-mesh topology. The leaf layer consists of access switches that connect to devices such as servers. The spine layer is the backbone of the network and is responsible for interconnecting all leaf switches. Every leaf switch connects to every spine switch in the fabric. The path is randomly chosen so that the traffic load is evenly distributed among the top-tier switches. If one of the top-tier switches were to fail, it would only slightly degrade performance throughout the data center.

Telegram Channel for Jobs - https://t.me/nwopenings


Telegram Group for Discussions - https://t.me/pynetlabs
LinkedIn for Latest Updates - https://www.linkedin.com/company/pynetlabs
YouTube for Learning – https://www.youtube.com/pynetlabs
If oversubscription of a link occurs (that is, if more traffic is generated than can be
aggregated on the active link at one time), the process for expanding capacity is
straightforward. An additional spine switch can be added, and uplinks can be
extended to every leaf switch, resulting in the addition of interlayer bandwidth and
reduction of the oversubscription. If device port capacity becomes a concern, a
new leaf switch can be added by connecting it to every spine switch and adding the
network configuration to the switch. The ease of expansion optimizes the IT
department’s process of scaling the network. If no oversubscription occurs between
the lower-tier switches and their uplinks, then a nonblocking architecture can be
achieved.

With a spine-and-leaf architecture, no matter which leaf switch a server is connected to, its traffic always has to cross the same number of devices to get to another server (unless the other server is located on the same leaf). This approach keeps latency at a predictable level because a payload only has to hop to a spine switch and another leaf switch to reach its destination. APIC controllers (responsible for providing a unified point of automation and management, policy programming, application deployment, and health monitoring for the ACI fabric) also connect to leaf nodes. The ACI fabric appears as a single switch to the outside world, capable of bridging and routing. Moving Layer 3 routing to the access layer would limit the Layer 2 reachability that modern applications require. In ACI, all the links work in Active-Active mode (ECMP) to allow higher throughput and fast convergence.

4. In ACI mode of operation, how do we connect Leaf and Spine Switches?

Answer: We can only connect Leaf switches to Spine Switches and vice versa.

5. In ACI mode of operation, can we connect Spine with another Spine switch?

Answer: No, connection will only work between Spine and Leaf. No Spine to
Spine connectivity can be established.

6. Can we connect Leaf to Leaf Switch, in ACI mode?

Answer: No, only connectivity from Leaf to Spine is possible. No leaf to leaf or spine to spine connection is possible.
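The cabling rules from Q3 to Q6 (and Q14, which places the APICs on leaf switches) can be checked mechanically before a fabric is brought up. The following Python is an added example, not Cisco's code or anything from this page: it validates a list of links against those rules, reports leaves that are not cabled to every spine, counts the equal-cost leaf-spine-leaf paths ECMP can use, and computes the leaf oversubscription ratio discussed in Q3. Node names, port counts and link speeds are constructed sample values.

```python
"""Checks for the ACI cabling rules stated in Q3 to Q6 and Q14 of this page:
leaf switches connect only to spines (full mesh), no spine-spine or
leaf-leaf links, and APICs hang off leaf switches. Added example, not
Cisco's code; node names, port counts and link speeds are constructed."""
from collections import defaultdict

# Constructed sample inventory: role of every node in the fabric.
ROLES = {
    "spine1": "spine", "spine2": "spine",
    "leaf1": "leaf", "leaf2": "leaf", "leaf3": "leaf",
    "apic1": "apic", "apic2": "apic", "apic3": "apic",
}

# Constructed cabling that follows the rules: every leaf to every spine, one APIC per leaf.
GOOD_LINKS = [
    ("leaf1", "spine1"), ("leaf1", "spine2"),
    ("leaf2", "spine1"), ("leaf2", "spine2"),
    ("leaf3", "spine1"), ("leaf3", "spine2"),
    ("apic1", "leaf1"), ("apic2", "leaf2"), ("apic3", "leaf3"),
]
# The same cabling plus three links the page says the fabric does not allow.
BAD_LINKS = GOOD_LINKS + [("spine1", "spine2"), ("leaf1", "leaf2"), ("apic1", "spine1")]

# Only these role pairs may share a link.
ALLOWED_PAIRS = {frozenset({"leaf", "spine"}), frozenset({"leaf", "apic"})}


def adjacency(links):
    """Undirected neighbour map built from a list of (node, node) links."""
    nbrs = defaultdict(set)
    for a, b in links:
        nbrs[a].add(b)
        nbrs[b].add(a)
    return nbrs


def validate_links(links, roles=ROLES):
    """Return a list of violations; an empty list means every link is leaf-spine or leaf-APIC."""
    errors = []
    for a, b in links:
        if frozenset({roles[a], roles[b]}) not in ALLOWED_PAIRS:
            errors.append(f"{a} ({roles[a]}) <-> {b} ({roles[b]}) is not a leaf-spine or leaf-APIC link")
    return errors


def missing_uplinks(links, roles=ROLES):
    """(leaf, spine) pairs that are not cabled; a Clos fabric needs every leaf on every spine."""
    nbrs = adjacency(links)
    spines = sorted(n for n, r in roles.items() if r == "spine")
    leaves = sorted(n for n, r in roles.items() if r == "leaf")
    return [(lf, sp) for lf in leaves for sp in spines if sp not in nbrs[lf]]


def ecmp_paths(links, src_leaf, dst_leaf, roles=ROLES):
    """Number of equal-cost two-hop paths (leaf -> spine -> leaf) between two leaves."""
    nbrs = adjacency(links)
    return sum(1 for s in nbrs[src_leaf] if roles[s] == "spine" and s in nbrs[dst_leaf])


def oversubscription(downlinks, downlink_gbps, uplinks, uplink_gbps):
    """Server-facing bandwidth divided by spine-facing bandwidth on one leaf; 1.0 is non-blocking."""
    return (downlinks * downlink_gbps) / (uplinks * uplink_gbps)


if __name__ == "__main__":
    print("good cabling:", validate_links(GOOD_LINKS) or "no violations")
    for err in validate_links(BAD_LINKS):
        print("bad cabling:", err)
    # Drop the leaf3-spine2 link (index 5) to show the full-mesh check.
    print("missing uplinks:", missing_uplinks(GOOD_LINKS[:5] + GOOD_LINKS[6:]))
    print("ECMP paths leaf1 -> leaf3:", ecmp_paths(GOOD_LINKS, "leaf1", "leaf3"))
    # Constructed leaf: 48 x 25G downlinks on 6 x 100G uplinks is 2:1; two more spines bring it to 1.5:1.
    print("oversubscription 48x25G / 6x100G:", oversubscription(48, 25, 6, 100))
    print("oversubscription 48x25G / 8x100G:", oversubscription(48, 25, 8, 100))
```

The oversubscription helper shows the scaling point Q3 makes: adding a spine (and the uplink on every leaf) lowers the ratio without touching the server side, and the ECMP path count rises by one per spine added.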

7. What is APIC controller in ACI?

Answer: It is known as Cisco Application Policy Infrastructure Controller. Cisco APIC is the main architectural component of the Cisco ACI solution. It is the unified point of automation and management for the Cisco ACI fabric, policy enforcement, and health monitoring in both physical and virtual environments.

The controller optimizes performance and manages and operates a scalable multitenant Cisco ACI fabric. The ACI fabric is managed from the APIC controller only; however, we also have an option to log in to individual switches for troubleshooting and verification purposes.

8. In ACI, how many APIC controllers can exist?

Answer: You may choose to have only one APIC controller; however, Cisco recommends using a minimum of 3 APIC controllers, in cluster sizes of 3, 5 or 7.

9. In ACI mode deployment (Layer2/Layer3 fabric), how many Spine, Leaf Switches and FEX can be deployed?

Answer: In an L2 fabric, we can use up to 80 leaf switches, 24 spine switches per fabric (6 spines per POD), 650 FEX per fabric (20 FEX per leaf switch) & 1000 tenants can be created.

In a large L3 fabric, we can use up to 200 leaf switches, 24 spine switches per fabric (6 spines per POD), 650 FEX per fabric (20 FEX per leaf switch) & 3000 tenants can be created.

Refer below link:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/4-x/verified-scalability/Cisco-ACI-Verified-Scalability-Guide-422.html

10. What are the benefits of Nexus ACI compared to a traditional network solution/architecture?

Answer: Below are the key benefits of ACI fabric –

· From an operations standpoint, ACI allows network teams to simplify management and operations across the network by providing a common place to manage & enforce policies.

· Centralized real-time health monitoring of physical and virtual networks.

· Automation of repetitive tasks, reducing configuration errors.

· ACI is agnostic to both physical and virtual environments.

· Elimination of flooding from the fabric.

· ACI's template-based provisioning and automation improves network agility and real-time monitoring of physical and virtual environments, and hence gives faster troubleshooting.

· Hypervisor compatibility and integration without the need to add software to the hypervisor.

· ACI is tailor-made for data centers requiring a multi-tenancy setup (virtualized), with easy-to-configure steps in the GUI.

· Competitive pricing for Nexus 9000 switching.

· Traffic optimization that improves application performance.

· Can run as a conventional switch (NX-OS) or in "ACI" mode, and supports FEX.

· Enables seamless connectivity between on-premises and remote data centers and geographically dispersed multiple data centers under a single pane of policy orchestration.

· It strengthens security (ACI is a whitelist model). This means that there is no communication between EPGs unless network policy explicitly allows it. The networking team may want to silo services (DHCP, LDAP, etc.) into EPGs. It can then define access to these services using Contracts.

· Open APIs allow easy integration with 3rd party devices like firewalls and ADCs.

· Single point of provisioning via GUI and/or REST API.

· ACI centralizes policy-based management and enables the automation of repetitive tasks, saving man-hours and reducing errors.

· It streamlines configuration management. ACI's configurations are for the entire fabric. It makes backing up and rolling back all the devices in the fabric a simple process.

11. What is role of APIC controller in ACI fabric?

Answer: The infrastructure controller is the main architectural component of the Cisco ACI solution.

o APIC Controller is the unified point of automation and management for the Cisco ACI fabric, policy enforcement, and health monitoring in both physical and virtual environments, allowing administrators/designers to build fully automated and multi-tenant networks with scalability.

o The main function of Cisco APIC is to offer policy authority and resolution methods for the Cisco ACI, as well as devices attached to Cisco ACI.

o The controller manages and operates a scalable multitenant Cisco ACI fabric.

o In ACI networks, network admins use the APIC to manage the network – they no longer need to access the CLI on every node to configure or provision network resources.

o We can do monitoring of Tenants and Applications and health monitoring of fabric devices.

o Cisco APIC includes a CLI and a GUI as central points of management for the entire Cisco ACI fabric.

o It is very helpful in troubleshooting issues in the ACI fabric.

o It integrates with third-party Layer 4-7 services, virtualization, and management.

o An open framework through northbound and southbound APIs.

o It can provide security for multitenant environments at scale.

o Cisco APIC also has completely open APIs so that users can use Representational State Transfer (REST)-based calls (through XML or JavaScript Object Notation [JSON]) to provision, manage, monitor, or troubleshoot the system.

12. Does APIC controller forward data traffic?

Answer: Cisco APIC Controller does not sit in data plane; therefore, it does
not forward data plane traffic. It works as orchestrator of ACI fabric.

13. What happens when all APIC controller in fabric go down?

Answer: If all the APIC controllers go down then there won’t be any outage
in data forwarding of traffic, however, we cannot make any changes to the
fabric. We need to bring up the APIC controller to be able to make new
policies or monitor/troubleshoot the ACI fabric.

14. Where do we connect APIC Controller in ACI Spine-Leaf Architecture?

Answer: The APIC controller is connected to leaf switch(es). It is not connected to a spine switch.

15. Where do we connect servers in ACI Spine-Leaf Architecture?

Answer: All endpoints, including the APIC controller, will be connected to leaf switches only. If you have one server connected to two leaf switches, then you may form a vPC (virtual port channel) at the leaf switches. Here, we do not have any vPC peer link between leaf switches because the Cisco architecture does not allow a link connection between leaf and leaf switch.

16. Once fabric is up, can endpoints (Like Servers, Firewalls, IDS, IPS, Bare
metal servers etc.) communicate to each other?

Answer: By default, no endpoint communication will be allowed by the ACI fabric. Policies need to be explicitly implemented to allow traffic forwarding and for endpoints to communicate with each other. We need to create Tenant, VRF, Bridge Domain, Switch Profile, Interface Policy, IPG, VLAN Pools, Domain, AAEP, Application Profile, EPGs, Contracts, Filters, Subjects etc. Once these things are set up, then you will be able to communicate. A few additional components may be required.

17. What is Bridge domain in Cisco ACI?

Answer: A Bridge Domain is a layer 2 construct in the Cisco ACI fabric. It must be part of a VRF (Virtual Routing Forwarder).

The bridge domain is like a container for subnets – it is used to define an L2 boundary, but not like a VLAN; in fact it is a VXLAN, represented as a VNI (VXLAN Network Identifier).

The BD defines the unique Layer 2 MAC address space and a Layer 2 flood domain if such flooding is enabled. It can carry multiple subnets in a single bridge domain. Inter-subnet communication within a Bridge Domain is enabled.

We can create multiple Bridge Domains inside of a single VRF. We cannot link one BD to two different VRFs.

Bridge domains can be public, private, or shared. Public bridge domains are where the subnet can be exported to a routed connection, whereas private ones apply only within the tenancy. Shared bridge domains can be exported to multiple VRFs within the same tenant, or across tenants when part of a shared service.

18. What is the difference between a VLAN and Bridge Domain?

Answer: A VLAN means one network, whereas a BD can carry multiple subnets. A bridge domain is represented with a VNI, i.e. VXLAN Network Identifier. Behind the scenes, this VNI will be mapped to an internal VLAN.

19. What do you mean by Endpoint, End Point Group (EPG)?

Answer: Endpoints are the devices that are connected to the network directly or indirectly. They have an address, a location, attributes (like version or patch level) and can be virtual or physical, e.g. bare-metal server, switch, router, firewall, IDS, IPS etc.

EPGs (Endpoint groups) are a grouping of endpoints representing an application or application components independent of other network constructs. An EPG is an object that represents a collection of endpoints with common properties, e.g. EPG-web, EPG-DB, EPG-App etc.

20. What do you mean by "Tenant"?

Answer: A Tenant is a secure and exclusive virtual computing environment. A Tenant is a logical unit of isolation from a policy perspective; however, it is not a private network. A Tenant is referred to as the largest logical unit or entity, or the highest-level object for management, in Cisco ACI.

A Tenant is very much like your business unit, department, or an organization/company. Tenants can represent a customer in a service provider setting, an organization or domain in an enterprise setting, or just a convenient grouping of policies.

Tenants allow re-use of an IP address space, i.e. multiple tenants can have the same IP address schemes.

Cisco ACI tenants can contain multiple private networks (VRF instances). One user-created tenant can't talk to another tenant.

By default, ACI has three tenants: Common, Infra & Management.

A user tenant is for administrators to create their own tenant.

A Tenant contains VRFs, BDs, Subnets, Application Profiles, EPGs, Subjects, Filters, Contracts.

21. What is Common Tenant?

Answer: The Common Tenant is preconfigured for defining policies that provide common behavior for all the tenants in the fabric. The policies defined within the Common Tenant can be used by all the Tenants, if needed.

22. What is Infrastructure Tenant?

Answer: The Infrastructure Tenant is used for internal fabric communication. This tenant does not get exposed to user tenants. Fabric discovery, image management and DHCP for fabric functions are all handled within this tenant.

23. What is MGMT Tenant?

Answer: The MGMT Tenant is preconfigured for in-band and out-of-band connectivity configuration of host and fabric nodes (leaf, spine & controllers). The MGMT Tenant is used for in-band and out-of-band services. It provides a convenient means to configure access policies for fabric nodes.

24. What is VRF?

Answer: VRF is Virtual Routing Forwarder, also known as Context, and is used for creating a separate routing table. IP address networks can be duplicated between VRFs. VRFs contain Bridge Domains.

25. What do you mean by Bridge Domain?

Answer: BD (Bridge Domain) refers to a VXLAN and is represented by a VNI (VXLAN Network Identifier) number. It is a container which carries multiple subnets with bridging functionality. Traffic between the subnets within a BD will be bridged, i.e. no routing is required. Traffic between the subnets of different BDs will require routing.

Every host is represented as a /32 network in ACI. Layer 2 flooding is disabled by default within a BD; however, it can be enabled.

26. What is Interface Policy in ACI?

Answer: It is the policy we require for setting up protocols on interfaces, such as LACP, CDP, Storm Control, LLDP, Link-level for speed/duplex settings, NetFlow, Port Security, 802.1X port authentication and many more.

27. If we do not create Interface Policy in ACI, what will happen?

Answer: In that case, the default policy will be applicable, e.g. the default CDP, LLDP and MCP policies will be applied on the interfaces.

28. What do you mean by Switch and Interface Profiles?

Answer: In ACI, each leaf switch or pair of leaf switches (for vPC) needs to be identified or represented with a Switch Profile.

Thereafter, these switch profiles will need to be associated with Interface Profiles.

Interface selectors inside of Interface Profiles will be mapped to IPGs (Interface Policy Groups).

This association pushes the configuration to the interface.
29. What is an Access Policy?

Answer: Access policies govern the operation of the interfaces that provide external access to the fabric. Access policies are used for configuring the interfaces or ports on leaf switches which connect to servers, hosts, routers, firewalls, or other endpoint devices.

We can enable port channel, vPC and protocols like LLDP, CDP, LACP and some features like monitoring and diagnostics. Once an ACI access policy is set up, it can be reused to automate the configuration of the rest of the interfaces.

30. What protocols are by default enabled in ACI Infrastructure fabric?

Answer: IS-IS (Intermediate System to Intermediate System), LLDP, DHCP & VXLAN are pre-enabled in the ACI fabric.

IS-IS is used for Layer 2 routing.

LLDP is used for discovering leaf and spine switches.

Leaf & spine switches receive automatic IP addresses using DHCP.

31. What do you mean by "Contract" in Cisco ACI?

Answer: Contracts are used to permit or deny traffic flows within the ACI fabric. They control traffic between EPGs, i.e. the relationship between two EPGs is called a "Contract".

A contract is more like an extended bidirectional access list. Contracts are the rules that govern the interaction of EPGs. Contracts determine how applications use the network.

"Contracts" are groups of subjects which define communications between source and destination EPGs.

"Subjects" are a combination of Filter, Action and Label.

A basic ACI contract is composed of three elements:

Subject, Filter, Statements/Entries used in the filter

Compared with ACLs, we won't find source and destination IP definitions here. This data is determined on the grounds of belonging to a specific EPG object.

EPG (Contract provider) = Destination IP

EPG (Contract consumer) = Source IP

32. What is taboo Contract?

Answer: Taboo contracts are used to deny and log traffic related to regular contracts and are configured into the hardware before the regular contract.

For example, if the objective was to allow traffic with source ports 100 through 900 with the exception of port 415, then the regular contract would allow all ports in the range of 100 through 900 while the taboo contract would have a single entry denying port 415.

The taboo contract denying port 415 would be programmed into the hardware before the regular contract allowing ports 100 through 900.
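The whitelist behaviour from Q31 and the taboo ordering from Q32 can be modelled end to end: a flow is identified by the EPGs its endpoints belong to (not by IP addresses), the provider EPG's taboo entries are consulted first, then the contract between consumer and provider, and anything without a matching entry is dropped. The Python below is an added example, not Cisco's code or the page's: EPG membership, contracts and the port numbers are constructed, and it reuses the page's own case of source ports 100 through 900 minus port 415. The intra-EPG default and the log list are this model's simplifications.

```python
"""Model of the ACI whitelist: traffic between EPGs is dropped unless a
contract between consumer and provider EPG carries a matching filter entry,
and taboo entries on the provider EPG are checked first (Q31 and Q32).
Added example, not Cisco's code; EPGs, endpoints and contracts are constructed."""
from dataclasses import dataclass
from typing import Optional, Tuple

PortRange = Optional[Tuple[int, int]]   # None means "any port"


@dataclass(frozen=True)
class FilterEntry:
    """One filter entry of a subject: protocol plus optional source/destination port ranges."""
    protocol: str            # "tcp", "udp" or "any"
    sport: PortRange = None
    dport: PortRange = None

    def matches(self, protocol, sport, dport):
        def in_range(rng, port):
            return rng is None or rng[0] <= port <= rng[1]
        return self.protocol in ("any", protocol) and in_range(self.sport, sport) and in_range(self.dport, dport)


# Constructed endpoint-to-EPG assignment; the filter never names IPs, only EPG membership.
ENDPOINT_EPG = {"10.1.1.10": "EPG-web", "10.1.2.20": "EPG-app", "10.1.3.30": "EPG-db"}

# Constructed regular contracts: contract name -> filter entries of its subject.
CONTRACTS = {
    "web-to-app": [FilterEntry("tcp", sport=(100, 900))],   # the page's example: source ports 100-900 ...
    "app-to-db": [FilterEntry("tcp", dport=(3306, 3306))],
}
# Constructed taboo contract on the provider EPG: ... except source port 415, denied and logged.
TABOOS = {"EPG-app": [FilterEntry("tcp", sport=(415, 415))]}

# Which EPG consumes which contract from which provider: (consumer, provider) -> contract name.
RELATIONS = {("EPG-web", "EPG-app"): "web-to-app", ("EPG-app", "EPG-db"): "app-to-db"}

LOG = []   # taboo hits are logged; collected here so the caller can inspect them


def evaluate(src_ip, dst_ip, protocol, sport, dport):
    """Return ("permit" | "deny", reason) for one flow from consumer to provider."""
    src_epg, dst_epg = ENDPOINT_EPG.get(src_ip), ENDPOINT_EPG.get(dst_ip)
    if src_epg is None or dst_epg is None:
        return "deny", "endpoint not learned in any EPG"
    if src_epg == dst_epg:
        # ACI permits traffic inside one EPG by default; the page only covers inter-EPG traffic.
        return "permit", "intra-EPG traffic"
    # Taboo entries are programmed before regular contracts, so they win on overlap.
    for entry in TABOOS.get(dst_epg, []):
        if entry.matches(protocol, sport, dport):
            LOG.append(f"taboo hit {src_ip}->{dst_ip} {protocol}/{sport}->{dport}")
            return "deny", f"taboo entry {entry} on provider {dst_epg}"
    contract = RELATIONS.get((src_epg, dst_epg))
    if contract is None:   # whitelist model: nothing passes between EPGs without a contract
        return "deny", f"no contract between consumer {src_epg} and provider {dst_epg}"
    for entry in CONTRACTS[contract]:
        if entry.matches(protocol, sport, dport):
            return "permit", f"contract {contract}, entry {entry}"
    return "deny", f"contract {contract} has no matching filter entry"


if __name__ == "__main__":
    for flow in [("10.1.1.10", "10.1.2.20", "tcp", 500, 8080),    # inside 100-900: permit
                 ("10.1.1.10", "10.1.2.20", "tcp", 415, 8080),    # taboo port: deny and log
                 ("10.1.1.10", "10.1.2.20", "tcp", 950, 8080),    # outside the range: deny
                 ("10.1.1.10", "10.1.3.30", "tcp", 500, 3306),    # web has no contract with db: deny
                 ("10.1.2.20", "10.1.3.30", "tcp", 40000, 3306)]: # app-to-db: permit
        print(flow, "->", evaluate(*flow))
    print("taboo log:", LOG)
```

Note that the model evaluates only the consumer-to-provider direction; the page calls a contract bidirectional, and in the real fabric the return traffic is matched by the reverse of the same filter entries, which this example leaves out.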

33. Can I have same VRF Name in multiple Tenants?

Answer: Yes, we can have same VRF in multiple tenants. Each Tenant is
different logical unit, so we can have duplicate VRF names between
Tenants.

34. Can we link one EPG Endpoint group to multiple Bridge Domains?

Answer: No, a single EPG cannot be referenced to multiple Bridge Domains.

35. What do you mean by Application Profile in Cisco ACI?

Answer: Application profiles (APs) are containers for the grouping of endpoint groups (EPGs). Application profiles contain one or more EPGs. Modern applications contain multiple components.

For example, an e-commerce application could require a web server, a database server, data located in a storage area network, and access to outside resources that enable financial transactions.

The application profile contains as many (or as few) EPGs as necessary that are logically related to providing the capabilities of an application. EPGs are assigned to different bridge domains. Remember, one EPG can be assigned to one BD only.

Application Profiles are created inside of the tenant.

36. What are the different types of EPGs?

Answer:

EPGs contain endpoints that have common policy requirements such as security, virtual machine mobility (VMM), QoS, or Layer 4 to Layer 7 services. Rather than configuring & managing endpoints individually, they are placed in an EPG and are managed as a group.

The ACI fabric can contain the following types of EPGs –

· Application endpoint group (fvAEPg)

· Layer 2 external outside network instance endpoint group (l2extInstP)

· Layer 3 external outside network instance endpoint group (l3extInstP)

· Management endpoint groups for out-of-band (mgmtOoB) or in-band (mgmtInB) access.

37. Can the policies be applied to endpoints individually?

Answer: No, policies can only be applied to EPGs. Rather than configuring & managing endpoints individually, they are placed in an EPG and are managed as a group. Therefore, policies are applied to EPGs.

38. Can we create multiple Bridge Domains inside of same VRF?

Answer: Yes, we can always create more than one bridge domain in same
VRF; however, we cannot duplicate the subnets. Bridge domain is a Layer 2
construct within the fabric, used to define a flood domain, also represented
with VNI (VXLAN Network Identifier).

39. What do you mean by Private Network or VRF?

Answer: A VRF or Private network in ACI is the same as a VRF in traditional networking. A VRF is also known as a context or virtual routing table. It contains L3 routing instances and IPs. VRFs are part of a tenant, and networks inside of a VRF must be unique but can have duplicate subnets between VRFs.

A VRF can have a duplicate name if these are part of different Tenants.

Multiple VRFs can be linked to a Tenant.
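The containment rules spread over Q17, Q33, Q34, Q38 and Q39 (a BD sits in exactly one VRF, an EPG references exactly one BD, subnets are unique within a VRF but may repeat across VRFs, and VRF names may repeat across tenants) are exactly what an operator wants checked before pushing a tenant through the REST API that Q11 describes. The Python below is an added example, not Cisco's code: it validates a tenant description against those rules and renders it as the JSON object tree an APIC accepts. The two tenants are constructed; the class and attribute names fvTenant, fvCtx, fvBD, fvRsCtx, fvSubnet, fvAp, fvAEPg and fvRsBd are the standard APIC object-model names (the page itself only names fvAEPg), and no request is sent anywhere.

```python
"""Consistency checks for the ACI tenant object model described on this page
(tenant > VRF > bridge domain > subnets; application profile > EPG > one BD),
plus rendering of the same model as the JSON tree the APIC REST API accepts.
Added example, not Cisco's code. Sample tenants below are constructed."""
import json
from collections import defaultdict

# Constructed sample: one tenant with two VRFs, three BDs and one application profile.
TENANT_A = {
    "name": "Tenant-A",
    "vrfs": ["Prod-VRF", "Dev-VRF"],
    "bds": {
        "BD-Web": {"vrf": "Prod-VRF", "subnets": ["10.1.1.1/24", "10.1.2.1/24"]},
        "BD-DB": {"vrf": "Prod-VRF", "subnets": ["10.1.3.1/24"]},
        "BD-Dev": {"vrf": "Dev-VRF", "subnets": ["10.1.1.1/24"]},  # same subnet as BD-Web, other VRF: fine
    },
    "aps": {"ecommerce": {"EPG-web": "BD-Web", "EPG-db": "BD-DB"}},
}
# Constructed second tenant reusing the VRF name "Prod-VRF" (allowed: tenants are separate logical units).
TENANT_B = {"name": "Tenant-B", "vrfs": ["Prod-VRF"],
            "bds": {"BD-1": {"vrf": "Prod-VRF", "subnets": ["10.1.1.1/24"]}},
            "aps": {"app1": {"EPG-1": "BD-1"}}}
# Constructed negative sample that breaks four rules at once.
BROKEN_TENANT = {"name": "Broken", "vrfs": ["V1"],
                 "bds": {"BD-1": {"vrf": "V1", "subnets": ["10.0.0.1/24"]},
                         "BD-2": {"vrf": "V1", "subnets": ["10.0.0.1/24"]},   # duplicate subnet in V1
                         "BD-3": {"vrf": "V9", "subnets": []}},              # unknown VRF
                 "aps": {"ap": {"EPG-x": "BD-missing",                      # unknown BD
                                "EPG-y": ["BD-1", "BD-2"]}}}                  # EPG on two BDs


def validate_tenant(tenant):
    """Return a list of rule violations (empty when the tenant is consistent)."""
    errors = []
    vrfs = set(tenant["vrfs"])
    subnets_in_vrf = defaultdict(dict)   # vrf -> subnet -> BD that first claimed it
    for bd_name, bd in tenant["bds"].items():
        if bd["vrf"] not in vrfs:                       # a BD must belong to a VRF of this tenant
            errors.append(f"{bd_name}: references unknown VRF {bd['vrf']}")
            continue
        for subnet in bd["subnets"]:                     # subnets must be unique inside one VRF
            owner = subnets_in_vrf[bd["vrf"]].setdefault(subnet, bd_name)
            if owner != bd_name:
                errors.append(f"{bd_name}: subnet {subnet} already used by {owner} in VRF {bd['vrf']}")
    for ap_name, epgs in tenant["aps"].items():
        for epg_name, bd_name in epgs.items():           # every EPG maps to exactly one existing BD
            if not isinstance(bd_name, str):
                errors.append(f"{ap_name}/{epg_name}: an EPG must reference exactly one BD")
            elif bd_name not in tenant["bds"]:
                errors.append(f"{ap_name}/{epg_name}: references unknown BD {bd_name}")
    return errors


def validate_fabric(tenants):
    """Validate several tenants; VRF names are scoped per tenant, so duplicates across tenants are fine."""
    return [f"{t['name']}: {e}" for t in tenants for e in validate_tenant(t)]


def to_apic_json(tenant):
    """Render the tenant as the fvTenant JSON tree that would be POSTed to /api/mo/uni.json."""
    children = [{"fvCtx": {"attributes": {"name": v}}} for v in tenant["vrfs"]]
    for bd_name, bd in tenant["bds"].items():
        children.append({"fvBD": {"attributes": {"name": bd_name}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": bd["vrf"]}}},       # BD -> its single VRF
            *[{"fvSubnet": {"attributes": {"ip": s}}} for s in bd["subnets"]],
        ]}})
    for ap_name, epgs in tenant["aps"].items():
        children.append({"fvAp": {"attributes": {"name": ap_name}, "children": [
            {"fvAEPg": {"attributes": {"name": e}, "children": [
                {"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]}}           # EPG -> its single BD
            for e, bd in epgs.items()]}})
    return {"fvTenant": {"attributes": {"name": tenant["name"], "dn": f"uni/tn-{tenant['name']}"},
                         "children": children}}


if __name__ == "__main__":
    print("violations:", validate_fabric([TENANT_A, TENANT_B]) or "none")
    for err in validate_tenant(BROKEN_TENANT):
        print("broken tenant:", err)
    print(json.dumps(to_apic_json(TENANT_A), indent=2))
```

Running the validator before the POST turns the page's "remember, one EPG can be assigned to one BD only" into a check that fails fast locally instead of as a rejected API call.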

40. What is L3 Out or External L3 Out and where is it used?

Answer: Using a Layer 3 Out, ACI can extend its connectivity to external devices. These external devices may be an external router, firewall or Layer 3 switch and are connected to leaf switches (therefore known as Border Leaf switches). Border leaves use the EIGRP, OSPF or BGP dynamic routing protocols and static routing to exchange external prefixes and networks. We create an External L3 EPG based on the prefixes we receive from the external network. In one EPG, we can have all networks as well, i.e. 0.0.0.0/0.

41. Which routing protocol runs for internal communication between ACI Spine and Leaf?

Answer: Within the ACI fabric, we use Multiprotocol BGP (MP-BGP) between the leaf and spine switches to propagate external routes within the fabric. External prefixes will be redistributed into BGP and then there will be mutual redistribution from BGP to the dynamic routing protocol being used at the Border Leaf. We need to enable this MP-BGP at POD level by creating a POD policy, POD policy group & POD policy profile.

Only one AS will be used in the ACI fabric; therefore, the Leaf and Spine relationship will be iBGP.

42. In ACI Fabric, which node is configured as BGP Route Reflector? Why is it required?

Answer: We use one AS within the ACI fabric. It means only iBGP peers will exist.

Since prefixes learned from one iBGP peer cannot be advertised to another iBGP peer, we need to use either a full mesh or a BGP Route Reflector.

The ACI fabric is a 2-tier architecture and we can't have a full mesh, so we will use a BGP RR by making the Spine the RR, and the Leaf switches will become BGP RR clients.

The answer is that we need to configure all spine switches as BGP RR.

43. Which Cisco 9K models are used as Spine Nodes in ACI Setup?

Answer: List of Cisco Nexus Spine Switches – 9316D-GX, 9332D-GX2B, 9336PQ, 9364D-GX2A, 9364C, 9332C, 9504, 9508, 9516

Refer this link for the latest models –

https://www.cisco.com/c/en_in/products/switches/nexus-9000-series-switches/models-comparison.html

44. Which Cisco 9K models are used as Leaf Nodes in ACI Setup?

Answer: List of Cisco Nexus Leaf Switches – C9316D-GX, C93600CD-GX, C9332DGX2B, C9364D-GX2A, 93120TX, 93108TC, 9348GC-FXP, 93108TC-FX, 93180YC-EX, 93180YC-FX, 93180YC-FX3, 93240YC-FX2, 93360YC-FX2, 9336C-FX2, 9336C-FX2-E, 9364C-GX

Refer this link for the latest models –

https://www.cisco.com/c/en_in/products/switches/nexus-9000-series-switches/models-comparison.html

45. Can we connect Access Layer switches in downlink to Leaf Node?

Answer: Yes, we can configure network switches (Catalyst, Nexus, or other vendor switches) as downlinks to ACI leaf switches, though the management of these non-ACI fabric switches will remain separate and cannot be bundled into the ACI fabric controlled/managed via APIC controllers.

We can create an external L2 network / External L2 EPG if we want to connect an external L2 domain with an ACI Bridge Domain.

46. I have trunk ports configured in one EPG. Can access ports also be added in the same EPG?

Answer: Yes, it can be configured. See the snapshot below: in the App EPG-1, you can see one port in trunk mode whereas the other is in access (untagged) mode.

47. Can we integrate management of third party devices in APIC controller?

Answer: The Cisco ACI programmability model allows complete programmatic access to the application centric infrastructure. With this access, customers can integrate network deployment into management and monitoring tools and deploy new workloads programmatically. The Cisco ACI fabric has APIs (Application Programming Interfaces) to integrate 3rd party devices managed through the APIC controller.

48. What are the options available to establish a local serial connection to the APIC controllers for initial setup?

Answer: There are two options available –

· Use a KVM cable to connect a keyboard and monitor to the KVM connector on the front panel of the server.

· Connect a USB keyboard and VGA monitor to the corresponding connectors on the rear panel of the server.

Note, we cannot use the front panel VGA and the rear panel VGA at the same time.

49. What are the 2 types of tables and databases in ACI?

Answer: These two tables are as follows:

· LST (Local Station Table) – This table contains the addresses of all hosts attached directly to the leaf. When endpoints are discovered, this table is populated and is synchronized with the spine-proxy full GST. When a Bridge Domain is not configured for routing, the LST learns only MAC address(es); if the BD is enabled with the routing option, this table will learn both the IP address and MAC address of endpoints.

· GST (Global Switching Table) – The GST contains the addresses of all hosts learned as remote endpoints through active conversation and locally cached. The table contains: local MAC and IP entries of endpoints; remote MAC if there is an active conversation (VRF, BD, MAC address); remote IP if there is an active conversation (VRF, IP address).

50. What is the latest version of ACI Fabric in market?

Answer: Latest version of ACI in market is ACI 5.0

51. What do you mean by the concept of SHARDS?

Answer: The APIC cluster uses a large database technology
called Sharding. This technology provides scalability and reliability to the
data sets generated and processed by the APIC. The data for APIC
configurations is partitioned into logically bounded subsets called shards
which are analogous to database shards. A shard is a unit of data
management, and the APIC manages shards in the following ways:

· Each shard has three replicas.

· Shards are evenly distributed across the appliances that comprise the
APIC cluster.

One or more shards are located on each APIC appliance. The shard data
assignments are based on a predetermined hash function, and a static
shard layout determines the assignment of shards to appliances.
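The placement rules in this answer, as an added illustration written for this page rather than Cisco's implementation: a predetermined hash maps a data key to a shard, a static layout puts each shard's three replicas on three distinct appliances spread evenly across the cluster, and a helper shows how many replicas of each shard survive an appliance failure. The hash function, shard count, the consecutive-slot layout and the majority rule used for "degraded" are all assumptions made for the example.

```python
# Added model of the shard placement the answer describes: a predetermined
# hash maps each data key to a shard, and a static layout places every shard's
# three replicas on three distinct APIC appliances, spread evenly. Written for
# this page as an illustration; Cisco's real hash function, shard count and
# layout are not on the page, so shard_id() and shard_layout() are assumptions.
import hashlib
from typing import Dict, List, Set

REPLICAS = 3  # the page states each shard has three replicas


def shard_id(key: str, num_shards: int) -> int:
    """Predetermined hash: the same key always lands in the same shard."""
    digest = hashlib.sha256(key.encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big") % num_shards


def shard_layout(num_shards: int, appliances: List[str]) -> Dict[int, List[str]]:
    """Static layout: shard s is replicated on appliances s, s+1, s+2 (mod N).
    Consecutive slots guarantee the three replicas sit on different appliances
    and that every appliance carries the same number of replicas (when N
    divides num_shards)."""
    n = len(appliances)
    if n < REPLICAS:
        raise ValueError(f"need at least {REPLICAS} appliances, got {n}")
    return {s: [appliances[(s + r) % n] for r in range(REPLICAS)]
            for s in range(num_shards)}


def replicas_for(key: str, num_shards: int, appliances: List[str]) -> List[str]:
    """Which appliances hold the data for this key."""
    return shard_layout(num_shards, appliances)[shard_id(key, num_shards)]


def load_per_appliance(layout: Dict[int, List[str]]) -> Dict[str, int]:
    """Replica count on each appliance; an even layout gives equal numbers."""
    load: Dict[str, int] = {}
    for replicas in layout.values():
        for appliance in replicas:
            load[appliance] = load.get(appliance, 0) + 1
    return load


def shard_health(layout: Dict[int, List[str]], failed: Set[str]) -> Dict[int, int]:
    """Replicas of each shard that remain when the given appliances are down."""
    return {s: sum(1 for a in replicas if a not in failed)
            for s, replicas in layout.items()}


def degraded_shards(layout: Dict[int, List[str]], failed: Set[str]) -> List[int]:
    """Assumed operational rule for the illustration: a shard with a majority
    (2 of 3) of its replicas up is healthy; with fewer it is degraded."""
    majority = REPLICAS // 2 + 1
    return [s for s, up in shard_health(layout, failed).items() if up < majority]
```

With a three-appliance cluster every shard has a replica on every appliance, so losing one appliance degrades nothing while losing two degrades every shard; with five appliances the replicas spread out, so a two-appliance failure only degrades the shards whose three slots happen to include both failed nodes.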

52. What is Multi-Pod ACI?

Answer: ACI Multi-Pod represents the natural evolution of the original ACI
Stretched Fabric design and allows separate ACI networks to be
interconnected and centrally managed.

ACI Multi-Pod is part of the “Single APIC Cluster/Single Domain” family of
solutions, as a single APIC cluster is deployed to manage all the different
ACI fabrics that are interconnected.

Those separate ACI fabrics are named “Pods”, and each of them looks like
a regular two-tier spine-leaf fabric.

The same APIC cluster can manage several Pods and to increase the
resiliency of the solution the various controller nodes that make up the
cluster can be deployed across different Pods.

53. What is the concept of microsegmentation in Cisco ACI?

Answer: Microsegmentation with the Cisco Application Centric
Infrastructure (ACI) provides the ability to automatically assign endpoints
to logical security zones called endpoint groups (EPGs) based on various
attributes.

Microsegmentation with Cisco ACI provides support for virtual endpoints
attached to the following:

· VMware vSphere Distributed Switch (VDS)

· Cisco Application Virtual Switch (AVS)

· Microsoft vSwitch

Endpoint groups (EPGs) are used to group virtual machines (VMs) within a
tenant and apply filtering and forwarding policies to them.
Microsegmentation with Cisco ACI adds the ability to associate EPGs with
network or VM-based attributes, enabling you to filter with those attributes
and apply more dynamic policies. Microsegmentation with Cisco ACI also
allows you to apply policies to any endpoints within the tenant.
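The attribute-based assignment this answer describes, as an added example written for this page (not the APIC object model): each virtual endpoint is matched against rules on VM name, IP subnet or MAC, the best-precedence match decides its security zone, and an endpoint with no match keeps the EPG of its port group. The rule objects, precedence scheme, EPG names and the sample endpoints are constructed assumptions.

```python
# Added example of attribute-based endpoint classification, the idea behind
# ACI microsegmentation: a virtual endpoint is placed in a security zone (uSeg
# EPG) by matching its attributes (VM name, IP, MAC) against rules, instead of
# inheriting the EPG of the port group it is attached to. Illustration written
# for this page; the rule objects, precedence model and EPG names are
# assumptions and not the APIC object model.
import ipaddress
import re
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class VirtualEndpoint:
    vm_name: str
    mac: str
    ip: str
    base_epg: str  # EPG the VM's port group maps to when no uSeg rule matches


@dataclass(frozen=True)
class UsegRule:
    epg: str
    precedence: int  # lower value wins when several rules match one endpoint
    matcher: Callable[[VirtualEndpoint], bool]


def vm_name_matches(pattern: str) -> Callable[[VirtualEndpoint], bool]:
    rx = re.compile(pattern)
    return lambda ep: rx.search(ep.vm_name) is not None


def ip_in(subnet: str) -> Callable[[VirtualEndpoint], bool]:
    net = ipaddress.ip_network(subnet)
    return lambda ep: ipaddress.ip_address(ep.ip) in net


def mac_is(mac: str) -> Callable[[VirtualEndpoint], bool]:
    wanted = mac.lower()
    return lambda ep: ep.mac.lower() == wanted


def classify(ep: VirtualEndpoint, rules: List[UsegRule]) -> str:
    """uSeg EPG of the best-precedence matching rule, else the base EPG."""
    matches = [r for r in rules if r.matcher(ep)]
    if not matches:
        return ep.base_epg
    return min(matches, key=lambda r: r.precedence).epg


def classify_all(endpoints: List[VirtualEndpoint], rules: List[UsegRule]) -> Dict[str, str]:
    return {ep.vm_name: classify(ep, rules) for ep in endpoints}


# Constructed sample policy: a quarantine rule by MAC takes priority over the
# workload-type rules, so a flagged VM is isolated whatever its name or IP.
SAMPLE_RULES = [
    UsegRule("EPG-Quarantine", 1, mac_is("00:50:56:de:ad:01")),
    UsegRule("EPG-DB", 10, vm_name_matches(r"^db-")),
    UsegRule("EPG-PCI", 20, ip_in("10.9.0.0/24")),
]

# Constructed sample endpoints; all sit on the same port group (EPG-Web).
SAMPLE_ENDPOINTS = [
    VirtualEndpoint("web-01", "00:50:56:aa:00:01", "10.1.1.10", "EPG-Web"),
    VirtualEndpoint("db-01", "00:50:56:aa:00:02", "10.1.2.10", "EPG-Web"),
    VirtualEndpoint("db-02", "00:50:56:aa:00:03", "10.9.0.20", "EPG-Web"),
    VirtualEndpoint("pay-01", "00:50:56:aa:00:04", "10.9.0.30", "EPG-Web"),
    VirtualEndpoint("legacy-01", "00:50:56:de:ad:01", "10.1.1.99", "EPG-Web"),
]


def demo() -> Dict[str, str]:
    return classify_all(SAMPLE_ENDPOINTS, SAMPLE_RULES)
```

The point of the precedence field is the "more dynamic policies" part of the answer: `db-02` matches both the name rule and the PCI subnet rule and lands in `EPG-DB` because that rule ranks higher, and if `web-01` later received an address in the PCI subnet it would move to `EPG-PCI` without anyone touching its port group.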

54. What is the role of VXLAN in the ACI fabric?

Answer: VXLAN is an industry-standard protocol that extends Layer 2
segments over Layer 3 infrastructure to build Layer 2 overlay logical
networks. The ACI infrastructure Layer 2 domains reside in the overlay, with
isolated broadcast and failure bridge domains. This approach allows the
data center network to grow without the risk of creating too large a failure
domain.

VXLAN uses a 24-bit VNID for tagging traffic, which allows for 16 million
segments, as opposed to the 12-bit 802.1Q VLAN ID, which only gives you
4096 segments.

User traffic is encapsulated from the user space into VXLAN, and the
VXLAN overlay is used to provide Layer 2 adjacency when needed.

So, we can emulate Layer 2 connectivity while providing the extensibility
of VXLAN for scalability and flexibility.

All traffic within the ACI Fabric is encapsulated with an extended VXLAN
header along with its VTEP (VXLAN Tunnel End Point).

The ACI VXLAN packet contains both Layer 2 MAC address and Layer 3 IP
address source and destination fields, which enables efficient and scalable
forwarding within the fabric.

When traffic is received from a host at the Leaf, frames are translated to
VXLAN and transported to the destination on the fabric. The ACI fabric gives
the ability to completely normalize traffic coming from one Leaf and send it
to another (it can be on the same Leaf). When the frames exit the destination
Leaf, they are re-encapsulated to whatever the destination network is
asking for. They can be formatted as untagged frames, an 802.1Q trunk, VXLAN
or NVGRE.
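The encapsulation and normalization described above, as an added example written for this page: it builds and validates the standard VXLAN header of RFC 7348 (which is where the 24-bit VNID versus 12-bit VLAN ID comparison comes from), then models an ingress leaf stripping the 802.1Q tag and mapping the VLAN to a VNI, and an egress leaf re-encapsulating as a trunk or untagged frame. ACI's own extended (iVXLAN) header carries extra policy fields whose layout is not on this page, so only the standard header is modelled; the sample frame, VLAN and VNI values are constructed.

```python
# Added example of the VXLAN encapsulation the answer describes: the standard
# VXLAN header (RFC 7348) with its 24-bit VNID, and the ingress/egress
# normalization a leaf performs between an 802.1Q trunk and the fabric
# overlay. Written for this page as an illustration; ACI's own extended
# (iVXLAN) header has extra fields whose layout is not on this page, so only
# the standard header is modelled. Sample frames and VNI values are constructed.
import struct
from typing import Dict, Optional, Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned UDP port for VXLAN
VXLAN_FLAG_I = 0x08     # "I" flag: the VNI field is valid
DOT1Q_TPID = 0x8100
VNI_BITS, VLAN_BITS = 24, 12
MAX_VNI = (1 << VNI_BITS) - 1
MAX_VLAN = (1 << VLAN_BITS) - 1


def segment_counts() -> Dict[str, int]:
    """Why VXLAN scales: 2^24 VNIDs against 2^12 802.1Q VLAN IDs."""
    return {"vxlan": 1 << VNI_BITS, "dot1q": 1 << VLAN_BITS}


def build_vxlan_header(vni: int) -> bytes:
    """8-byte header: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!BxxxI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan_header(packet: bytes) -> Tuple[int, bool, bytes]:
    """Return (vni, reserved_bits_clean, inner_frame). RFC 7348 says reserved
    bits are ignored on receipt, but a monitoring tool may still want to flag
    non-zero reserved bits, so that check is returned separately."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags, r1, r2, r3, tail = struct.unpack("!BBBBI", packet[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI in this packet")
    clean = flags == VXLAN_FLAG_I and (r1, r2, r3, tail & 0xFF) == (0, 0, 0, 0)
    return tail >> 8, clean, packet[8:]


def strip_dot1q(frame: bytes) -> Tuple[Optional[int], bytes]:
    """Remove an 802.1Q tag: (vlan_id, untagged_frame); untagged input passes through."""
    if len(frame) >= 18 and struct.unpack("!H", frame[12:14])[0] == DOT1Q_TPID:
        tci = struct.unpack("!H", frame[14:16])[0]
        return tci & MAX_VLAN, frame[:12] + frame[16:]
    return None, frame


def add_dot1q(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """Insert an 802.1Q tag after the destination and source MAC addresses."""
    tci = (pcp << 13) | (vlan_id & MAX_VLAN)
    return frame[:12] + struct.pack("!HH", DOT1Q_TPID, tci) + frame[12:]


def ingress_leaf(frame: bytes, vlan_to_vni: Dict[Optional[int], int]) -> bytes:
    """Normalize a host frame onto the fabric: drop the access encapsulation and
    wrap the frame in VXLAN with the VNI mapped from its VLAN (None = untagged)."""
    vlan, untagged = strip_dot1q(frame)
    return build_vxlan_header(vlan_to_vni[vlan]) + untagged


def egress_leaf(packet: bytes, vni_to_vlan: Dict[int, Optional[int]]) -> bytes:
    """Re-encapsulate for the destination network: an 802.1Q trunk gets a tag
    with the local VLAN, an untagged port gets the bare frame."""
    vni, _clean, inner = parse_vxlan_header(packet)
    vlan = vni_to_vlan[vni]
    return inner if vlan is None else add_dot1q(inner, vlan)


# Constructed sample: an IPv4 frame tagged VLAN 100 on the source leaf's trunk.
SAMPLE_UNTAGGED = (bytes.fromhex("005056aa0002") + bytes.fromhex("005056aa0001")
                   + struct.pack("!H", 0x0800) + b"ip-payload")
SAMPLE_TAGGED = add_dot1q(SAMPLE_UNTAGGED, 100)
```

The VLAN used on the ingress trunk and the VLAN used on the egress trunk are independent: both map to the same VNI inside the fabric, which is the normalization the answer refers to. The `clean` flag from `parse_vxlan_header` is a monitoring aid only; a conformant receiver forwards on the VNI regardless of the reserved bits.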

The good thing is that VXLAN is automatically configured in Cisco ACI,
therefore we do not have to do anything. Whereas, in a non-ACI
infrastructure, it may take hours to configure VXLAN.
