Cisco 300-620 Exam Dumps & Practice Test Questions
An ACI fabric administrator observes abnormal network behavior and suspects it may have been caused by manual configuration changes. Which is the best way to verify if a user was responsible for this change?
A. Review system event logs via the APIC user interface
B. Examine the /var/log/audit_messages file directly on the APIC
C. Access audit logs using the APIC GUI to view user-triggered actions
D. Use the show command history command in the APIC CLI
Correct Answer: C
Explanation:
In Cisco ACI environments, identifying the source of unexpected changes in network behavior is crucial for maintaining operational stability. Often, sudden changes in configuration or behavior can stem from either automated processes or manual intervention by users. To distinguish between these, administrators need a reliable and comprehensive audit trail of all user actions.
The APIC audit logs available through the Graphical User Interface (GUI) provide the most effective way to determine whether a user was responsible for specific changes. These audit logs are purpose-built to record every user interaction with the system—whether performed through the GUI, CLI, or via API calls.
Key features of the APIC UI audit logs include:
Timestamped entries for all user actions
Usernames and associated roles for accountability
Action descriptions, such as configuration changes, deletions, additions, and logins
Affected objects, so you know exactly what was modified
These logs are not only comprehensive but also user-friendly, making it easier for administrators to quickly identify and respond to configuration issues without needing advanced command-line skills.
Let’s evaluate why the other choices are less appropriate:
Option A: Event records in the APIC UI typically focus on system-generated events like hardware faults, software status, or operational warnings. They don't specifically track detailed user actions.
Option B: The /var/log/audit_messages file does contain system-level auditing details, but accessing this file requires CLI access and is not as intuitive or comprehensive for tracking user behavior compared to the GUI audit logs.
Option D: The show command history command only shows CLI commands executed in that specific session. It does not capture actions performed via the APIC GUI or API, thus offering only a narrow view of user behavior.
In conclusion, if the goal is to audit user actions that may have contributed to network changes, Option C provides the most effective, centralized, and detailed method. By accessing audit logs through the APIC UI, administrators can ensure accountability and track down the origin of unexpected behavior efficiently.
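The following script is an added example, not part of the exam page, showing how the audit-log workflow described above can be scripted rather than clicked through. It assumes the APIC audit log is exported as JSON records of the aaaModLR class (the class behind the audit-log view, with the attributes user, ind, affected, changeSet and created); the records below are constructed for the demo, not captured from a real fabric.

```python
"""Attribute ACI configuration changes to users from APIC audit-log records.

Added example, not from the exam page. It assumes audit records are read as
JSON objects of the aaaModLR class with the attributes used below (assumed
schema); SAMPLE_AUDIT_LOG is constructed sample data, not a real capture.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the envelope shape of GET /api/class/aaaModLR.json
# (only the attributes this script uses are included).
SAMPLE_AUDIT_LOG = {"imdata": [
    {"aaaModLR": {"attributes": {
        "id": "4294967401", "user": "admin", "ind": "modification",
        "affected": "uni/tn-Prod/BD-Web",
        "changeSet": "arpFlood (Old: no, New: yes)",
        "created": "2024-05-01T10:15:32.123+00:00", "trig": "config"}}},
    {"aaaModLR": {"attributes": {
        "id": "4294967402", "user": "netops1", "ind": "deletion",
        "affected": "uni/tn-Prod/brc-Web-to-DB", "changeSet": "",
        "created": "2024-05-01T10:18:05.001+00:00", "trig": "config"}}},
    {"aaaModLR": {"attributes": {
        "id": "4294967403", "user": "admin", "ind": "creation",
        "affected": "uni/tn-Lab/BD-Test", "changeSet": "name:BD-Test",
        "created": "2024-05-01T09:02:11.500+00:00", "trig": "config"}}},
]}


def parse_records(payload):
    """Flatten the imdata envelope into attribute dicts with a parsed timestamp."""
    out = []
    for item in payload.get("imdata", []):
        attrs = item["aaaModLR"]["attributes"]
        rec = dict(attrs)
        rec["created_dt"] = datetime.fromisoformat(attrs["created"])
        out.append(rec)
    return out


def changes_before(records, noticed_iso, lookback_minutes, dn_prefix=""):
    """Records created in the lookback window before the time the problem was
    noticed, restricted to objects whose DN starts with dn_prefix (use a
    trailing '/' to scope to one tenant exactly), oldest first."""
    end = datetime.fromisoformat(noticed_iso)
    start = end - timedelta(minutes=lookback_minutes)
    return sorted(
        (r for r in records
         if start <= r["created_dt"] <= end and r["affected"].startswith(dn_prefix)),
        key=lambda r: r["created_dt"])


def summarize_by_user(records):
    """Map user -> list of (timestamp, action, affected DN, changeSet)."""
    summary = defaultdict(list)
    for r in records:
        summary[r["user"]].append((r["created"], r["ind"], r["affected"], r["changeSet"]))
    return dict(summary)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT_LOG)
    # Abnormal behaviour was first seen at 10:20 UTC; review the previous
    # 15 minutes of changes under tenant Prod only.
    hits = changes_before(recs, "2024-05-01T10:20:00.000+00:00", 15, "uni/tn-Prod/")
    for user, actions in summarize_by_user(hits).items():
        print(user)
        for ts, action, dn, change in actions:
            print(f"  {ts} {action:<12} {dn}  {change}")
```

Scoping by time window and tenant DN is what turns a full audit log into an answer to "who changed what just before this started"; the same approach works on a live export because the GUI audit log and the aaaModLR class are the same data.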
While importing a new configuration into a system, an engineer wants the entire process to fail immediately if any part of the configuration is invalid.
Which import mode guarantees this all-or-nothing behavior?
A. Merge
B. Atomic
C. Best effort
D. Replace
Correct Answer: B
Explanation:
When importing settings or configurations into a system—especially in network or data center environments—it’s critical to ensure that the import either succeeds completely or not at all. This is important to prevent partial changes from corrupting the system or leaving it in an inconsistent state.
The Atomic import mode provides this exact behavior. In atomic mode, the system treats the entire configuration import as a single, indivisible transaction. If any portion of the configuration is incompatible, the entire import fails and no changes are applied. This ensures the integrity and stability of the system by avoiding partial or incomplete configuration states.
Atomic imports are especially valuable in large environments where configurations span multiple policies, tenants, or components. If one item fails validation, rolling back everything ensures the system remains predictable and consistent with its previous state.
Here’s how the other modes compare:
Option A: Merge
The merge mode applies changes incrementally. It adds or updates the existing configuration but does not remove anything. If a portion of the import is incompatible, it might skip over that section and proceed with others. This can lead to partial configuration changes and potentially introduce inconsistencies.
Option C: Best effort
This mode applies whatever parts of the configuration it can, even if some portions fail. It is designed for flexibility, not precision or consistency. In environments where consistency is key, this behavior can be dangerous because it might leave the system in a mixed state.
Option D: Replace
Replace mode overwrites existing configurations with the new ones. However, it doesn’t guarantee rollback on failure unless explicitly designed to do so. If an error is encountered mid-process, it may still apply parts of the configuration, which could result in an unstable system.
Ultimately, atomic mode is the best choice when you want to ensure that the system configuration remains unchanged unless the entire import is valid. This approach minimizes risk, eliminates partial changes, and upholds the integrity of the system’s configuration baseline.
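As an added example, not part of the exam page and not APIC code, the simulation below contrasts the all-or-nothing semantics of an atomic import with a best-effort import over the same input. The configuration store, the validation rules and the object names are constructed for the demo; what carries over is the pattern: validate every item before touching anything, and leave the store untouched if any item fails.

```python
"""Atomic versus best-effort configuration import, simulated.

Added example, not from the page or from Cisco. The 'config store' is a dict
of object name -> settings and the validation rules are invented; the point
is the all-or-nothing behaviour, not APIC internals.
"""
import copy


class ConfigError(ValueError):
    """Raised when an incoming item fails validation."""


def validate(name, item):
    # Constructed rules for the demo: VLAN and MTU ranges.
    if "vlan" in item and not 1 <= item["vlan"] <= 4094:
        raise ConfigError(f"{name}: vlan {item['vlan']} out of range 1-4094")
    if "mtu" in item and not 576 <= item["mtu"] <= 9216:
        raise ConfigError(f"{name}: mtu {item['mtu']} out of range 576-9216")


def import_atomic(current, incoming):
    """Validate every item first; apply all of them or none of them.

    Returns (new_config, errors). On any error new_config equals current."""
    errors = []
    for name, item in incoming.items():
        try:
            validate(name, item)
        except ConfigError as exc:
            errors.append(str(exc))
    if errors:
        return copy.deepcopy(current), errors      # nothing applied
    new = copy.deepcopy(current)
    new.update(copy.deepcopy(incoming))
    return new, []


def import_best_effort(current, incoming):
    """Apply each valid item and skip the invalid ones.

    Returns (new_config, errors); new_config may be a partial mix of old and new."""
    new = copy.deepcopy(current)
    errors = []
    for name, item in incoming.items():
        try:
            validate(name, item)
            new[name] = copy.deepcopy(item)
        except ConfigError as exc:
            errors.append(str(exc))
    return new, errors


# Constructed sample: one valid update and one invalid new object.
CURRENT_CONFIG = {"BD-Web": {"vlan": 10, "mtu": 1500}}
INCOMING_CONFIG = {"BD-Web": {"vlan": 20, "mtu": 9000},
                   "BD-Bad": {"vlan": 5000}}

if __name__ == "__main__":
    for mode in (import_atomic, import_best_effort):
        cfg, errs = mode(CURRENT_CONFIG, INCOMING_CONFIG)
        print(mode.__name__, cfg, errs)
```

With the sample input the atomic import reports the error and returns the original configuration, while the best-effort import updates BD-Web and silently leaves BD-Bad out, which is exactly the mixed state the explanation warns about.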
In a Cisco ACI fabric, what needs to be configured to enable the BGP Route Reflector policy effectively across the network?
A. Spine fabric interface overrides and profiles
B. Access policies and profiles
C. Pod policy groups and profiles
D. Leaf fabric interface overrides and profiles
Correct Answer: C
Explanation:
In Cisco ACI (Application Centric Infrastructure), the BGP Route Reflector (RR) policy is crucial for optimizing routing across the fabric, particularly in complex or large-scale data center environments. Route reflectors serve the purpose of centralizing BGP routing updates to avoid the inefficiencies of full-mesh peerings between devices. This is especially valuable in ACI, where BGP EVPN is used as the control plane for VXLAN.
To apply a Route Reflector policy in ACI, the configuration must be implemented through Pod policy groups and profiles. These pod-level constructs allow you to push specific configurations, including RR settings, to the correct devices—typically spine switches—within a pod. Here's why this step is essential:
Pod Policy Groups serve as containers for configurations that affect the entire pod, including policies related to BGP, IS-IS, or OSPF.
Within these groups, Pod Profiles are used to bind those policies to specific spines or nodes. This ensures the Route Reflector configuration is effectively applied to the designated devices that serve as route reflectors.
The route reflector function typically runs on spine nodes. When you configure the BGP Route Reflector policy via pod policy groups and profiles, you inform the ACI fabric which spines should assume that role and how BGP routes should be distributed.
Now, consider why the other options are not applicable:
A. Spine fabric interface overrides and profiles: While these deal with configuring interface-level behaviors on spine switches, they do not handle routing policies like Route Reflector.
B. Access policies and profiles: These are used for configuring endpoint access and interface behaviors on leaf switches. They are unrelated to fabric-level routing control.
D. Leaf fabric interface overrides and profiles: Like spine interface profiles, these deal with port-level settings and are not where BGP policies such as Route Reflector configuration are applied.
In summary, when you want to enable the BGP Route Reflector role in an ACI fabric, you must use Pod policy groups and profiles to designate and configure the appropriate devices (usually spines) for route reflection duties. This approach ensures that routing information is shared efficiently across the fabric without requiring a full mesh of BGP peerings between all nodes.
Which type of policy is designed to suppress fault notifications, such as those generated when a port goes down in a Cisco ACI environment?
A. Fault Lifecycle Assignment
B. Event Lifecycle Assignment
C. Fault Severity Assignment
D. Event Severity Assignment
Correct Answer: A
Explanation:
In large-scale network environments like Cisco ACI, managing system alerts and notifications is essential to prevent operational overload and alert fatigue. One common scenario that can generate numerous alerts is when a port transitions to a "down" state—either because of administrative action, maintenance, or a real issue. If not managed properly, these events can produce a flood of unnecessary fault alarms.
To handle this efficiently, ACI allows the use of Fault Lifecycle Assignment policies. These policies give administrators the ability to customize how the system handles specific faults, including whether certain faults should be suppressed, auto-acknowledged, or allowed to escalate.
Here's why Fault Lifecycle Assignment is the correct choice:
These policies allow fault suppression when certain conditions are known and do not require immediate action (e.g., when a port is intentionally shut down).
They let administrators control fault visibility and streamline troubleshooting by preventing non-critical issues from overwhelming operational teams.
Lifecycle policies can be defined to handle specific fault codes or types, setting parameters like time-to-resolve or suppress-after duration.
By using this policy, faults such as “port down” can be automatically suppressed when known maintenance is taking place, keeping the monitoring environment cleaner and focused on issues that genuinely require intervention.
Let’s look at the incorrect options:
B. Event Lifecycle Assignment: While related to handling the lifecycle of events (like state transitions), this policy type does not govern the behavior of faults and cannot suppress fault notifications.
C. Fault Severity Assignment: This policy defines how severe a fault is—critical, major, minor, or warning—but does not control suppression. It is more about prioritization than filtering.
D. Event Severity Assignment: Like its fault counterpart, this policy focuses on classifying the importance of events but does not affect fault suppression mechanisms.
In conclusion, Fault Lifecycle Assignment is the correct policy used to suppress recurring or non-critical fault messages, such as those generated when a port goes down for routine reasons. This helps streamline operations, reduce alert fatigue, and maintain a clear focus on actionable issues within the network.
In a Cisco ACI fabric, what type of profile must be configured to apply an access port policy group to an interface?
A. Attachable Entity
B. Pod
C. Module
D. Leaf Interface
Correct Answer: B
In Cisco Application Centric Infrastructure (ACI), deploying policies correctly ensures that end devices function as intended when connected to the fabric. When administrators need to define how access ports (which typically connect to endpoints like servers, virtual machines, or printers) should behave, they create an access port policy group that contains configurations such as CDP, LLDP, port speed, and link-level policies. However, assigning this policy group to a physical port isn't done directly. Instead, an intermediate configuration object, known as the Attachable Entity Profile (AEP), must be created.
The Attachable Entity Profile (AEP) acts as a binding mechanism between logical policies and physical interfaces. It connects the access port policy group to the physical leaf switch interfaces, ensuring consistent policy enforcement across the fabric. AEPs are especially useful in large environments where multiple interfaces need to share common configurations without redundant manual assignments.
Let’s look at why the other choices are incorrect:
Pod: A pod in ACI refers to a set of leaf and spine switches that make up a scalable domain in the fabric. While it's crucial in defining ACI architecture, it has no role in applying access port policy groups.
Module: This term generally refers to physical components like switch line cards or interface modules. It’s part of the hardware infrastructure but does not participate in policy binding or profile creation.
Leaf Interface: While leaf interfaces are the actual physical ports on leaf switches, configuring them alone is not sufficient. Policies must be applied through constructs like interface profiles and AEPs to ensure scalability and compliance.
Therefore, creating an Attachable Entity Profile is a fundamental step in mapping policies to physical ports in an ACI environment. This design not only promotes consistency and reusability but also supports efficient policy management. The AEP is linked to interface selectors, which in turn bind to interface profiles that specify which ports will inherit the policy.
To summarize, the correct answer is A. AEP is the necessary configuration object to deploy and manage access port policy groups effectively within a Cisco ACI fabric.
If an administrator sees a fault on the APIC that is not applicable to their current deployment and wants to prevent it from being displayed, what is the appropriate action to take?
A. Right-click the fault under System → Faults and select "Acknowledge Fault" to remove it from view.
B. Create a stats threshold policy with specific thresholds to suppress the fault's severity.
C. Right-click the fault under System → Faults and select "Ignore Fault" to apply a suppression policy.
D. Design a global health score policy to exclude the fault based on its fault code.
Correct Answer: C
In Cisco ACI, the APIC (Application Policy Infrastructure Controller) continually monitors the fabric for anomalies or deviations from normal operations. When it detects such events, it raises faults to notify administrators. However, not every fault is critical or applicable to the active configuration. Some may arise from features that are intentionally disabled, partially configured elements, or benign environmental factors.
To reduce clutter and streamline fault management, administrators have the option to suppress irrelevant faults using the "Ignore Fault" action. This is done by right-clicking on the fault under System → Faults and selecting Ignore Fault, which creates a Fault Severity Assignment Policy. This policy reclassifies or hides specific faults based on their fault codes, effectively removing them from dashboards, alerts, and fault logs.
This is a powerful tool for improving operational focus, especially in environments with many interconnected systems, where dozens of minor, non-actionable faults might otherwise overwhelm administrators.
Here’s why the other options are incorrect:
A. Acknowledge Fault: Acknowledging a fault simply marks it as recognized but doesn’t suppress or hide it. It remains visible in the system and continues to appear in logs and summaries.
B. Stats Threshold Policy: These policies are used for setting thresholds on performance metrics (e.g., CPU or memory usage). They do not affect fault visibility or suppression. They are part of performance monitoring, not fault management.
D. Global Health Score Policy: This policy contributes to overall system health evaluation by assigning weights and thresholds to components, but it doesn’t offer fine-grained suppression for specific fault codes.
By using the "Ignore Fault" feature, administrators ensure that only relevant and actionable faults are shown, which streamlines troubleshooting and prevents misallocation of resources to non-critical alerts. It’s particularly useful in lab environments, multi-tenant environments, or during system testing, where certain faults are expected and can be safely ignored.
Thus, the correct approach is to use the Ignore Fault action to hide unnecessary fault messages, making option C the best choice.
When a user is authenticated via RADIUS in Cisco ACI, the Cisco AV Pair determines the user’s role. Which ACI object does this AV Pair correlate to?
A. Tenant
B. Security Domain
C. Primary Cisco APIC
D. Managed Object Class
Correct Answer: D
In the Cisco Application Centric Infrastructure (ACI) environment, RADIUS (Remote Authentication Dial-In User Service) is widely used for user authentication and authorization, especially for administrative access to the fabric. During this authentication process, the RADIUS server sends back a set of attributes to define the level of access the user should receive. One of the most critical components of this process is the Cisco AV Pair (Attribute-Value Pair), which plays a central role in mapping user access rights.
The Cisco AV Pair contains specific syntax and values that define the user’s role, which is then matched within the ACI system to grant the appropriate level of permissions. These permissions are not mapped directly to tenants, domains, or controllers—instead, they are mapped to Managed Object Classes.
A Managed Object Class in ACI is a fundamental building block that represents various configuration entities within the ACI fabric. This includes components like tenants, endpoint groups (EPGs), contracts, bridge domains, and more. By mapping the AV Pair to a Managed Object Class, Cisco ACI can determine exactly what areas or functionalities a user can access. This approach allows for granular control over administrative roles, ensuring that each user only has access to the specific components relevant to their role.
Let’s briefly examine why the other answer choices are not correct:
A. Tenant: Although user roles may be limited to certain tenants, the Cisco AV Pair does not resolve directly to a tenant. Instead, the AV Pair designates a Managed Object Class that may include tenant configurations.
B. Security Domain: Security domains are used to group tenants for RBAC (Role-Based Access Control) purposes, but again, the Cisco AV Pair does not resolve to this object directly.
C. Primary Cisco APIC: The APIC is the controller that manages the ACI fabric, but it is not the object to which a role or AV Pair maps.
In conclusion, when user roles in Cisco ACI are defined via RADIUS authentication using Cisco AV Pairs, these pairs resolve to Managed Object Classes. This ensures users gain appropriate access to the various objects they need to administer or interact with inside the ACI fabric.
Which Cisco ACI feature enables the automatic assignment or adjustment of Endpoint Group (EPG) membership for virtual machines based on VM-specific attributes?
A. vzAny Contracts
B. Standard Contracts
C. Application EPGs
D. uSeg EPGs
Correct Answer: D
In Cisco ACI, Endpoint Groups (EPGs) are a central concept used to define how groups of endpoints (such as virtual machines) communicate within the fabric. EPGs are policy containers that apply networking and security rules to grouped endpoints. However, manually managing EPG assignments for every virtual machine (VM) in large, dynamic environments can be inefficient and error-prone. This is where uSeg EPGs, or User-Segmented Endpoint Groups, come into play.
uSeg EPGs provide a powerful way to dynamically assign VMs to EPGs based on a set of attributes. These attributes can include the VM’s name, IP address, operating system type, security tag, or even metadata from orchestration platforms like VMware vCenter or Microsoft SCVMM. By analyzing these attributes, ACI can automatically determine the appropriate EPG for the VM, ensuring that the right network policies are applied without requiring manual configuration.
This dynamic classification significantly enhances operational agility and policy accuracy. As VMs are created, moved, or reconfigured, their EPG memberships are updated in real-time based on their attributes. This also supports workload mobility, allowing VMs to retain their security and network policies even as they migrate across the fabric.
Let’s consider why the other answer choices are incorrect:
A. vzAny Contracts: These are used to define policies that apply across all EPGs but don’t perform dynamic classification or EPG assignment based on VM attributes.
B. Standard Contracts: These define communication rules between EPGs, but again, they do not handle dynamic VM classification.
C. Application EPGs: While these represent logical groupings of endpoints for application segmentation, they are static and do not dynamically associate VMs based on their properties.
In essence, uSeg EPGs provide fine-grained, dynamic segmentation in Cisco ACI environments by evaluating VM attributes and automatically determining their EPG association. This makes the network more adaptable, especially in virtualized and cloud environments where changes are frequent and speed is essential.
You are configuring contracts in Cisco ACI to control traffic between EPGs. Which component defines the type of traffic allowed between consumer and provider EPGs?
A. Subject
B. Filter
C. Bridge Domain
D. Application Profile
Correct Answer: B
Explanation:
In Cisco ACI, contracts are used to define communication rules between Endpoint Groups (EPGs). A contract determines what kind of traffic is allowed between a consumer EPG (the one initiating traffic) and a provider EPG (the one receiving traffic). The contract itself is composed of multiple components, including subjects and filters.
The filter is the key element that specifies the type of traffic allowed through a contract. It defines the Layer 3 and Layer 4 parameters such as IP protocols, source and destination ports, and even specific services. A filter can include rules that match traffic types like HTTP (TCP port 80), HTTPS (TCP port 443), ICMP, and others. These filters are then associated with subjects, which group one or more filters and link them to the contract.
To illustrate this in practice:
Let’s say EPG-Web needs to access EPG-Database using SQL traffic.
You would create a filter allowing TCP port 1433 (used for SQL Server).
Then, you’d define a subject, attach the filter to that subject, and finally associate the subject with a contract.
The contract is then applied between the consumer (Web) and provider (Database) EPGs.
Let’s review the incorrect options:
A. Subject: Subjects organize filters within a contract but do not define traffic themselves.
C. Bridge Domain: A bridge domain provides Layer 2 forwarding capabilities and is unrelated to defining permitted traffic types.
D. Application Profile: This is a logical container for EPGs and policies but does not define traffic filtering directly.
In summary, the filter within a contract plays a crucial role in traffic control by explicitly defining what type of data can pass between EPGs. Understanding this is essential for anyone working with ACI policy enforcement and secure data center configurations.
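The script below is an added example, not part of the exam page, that builds the filter, subject and contract objects for the Web-to-Database case in the explanation and then checks what the resulting contract permits. The APIC managed-object classes vzFilter, vzEntry, vzSubj, vzBrCP, vzRsSubjFiltAtt, fvRsProv and fvRsCons are real; the tenant, EPG and contract names are constructed, and the permits() matcher is a simplified model of filter evaluation (numeric destination ports only, default deny), not APIC's own logic.

```python
"""Build APIC contract objects and check which traffic they permit.

Added example, not from the page. Class and attribute names are real APIC
managed-object classes; names such as Prod, Web-to-DB and sql-server are
constructed for the demo, and permits() is a simplified matcher.
"""
import json


def build_filter(name, entries):
    """Return a vzFilter whose vzEntry children match the given L4 rules.

    Each entry: {"name", "prot" ("tcp"/"udp"/"icmp"/"unspecified"),
                 "dFromPort", "dToPort"} with ports as ints or "unspecified".
    """
    children = []
    for e in entries:
        children.append({"vzEntry": {"attributes": {
            "name": e["name"],
            "etherT": "ip",                      # IP traffic; L4 match below
            "prot": e.get("prot", "unspecified"),
            "dFromPort": str(e.get("dFromPort", "unspecified")),
            "dToPort": str(e.get("dToPort", "unspecified")),
        }}})
    return {"vzFilter": {"attributes": {"name": name}, "children": children}}


def build_contract(name, subject, filter_names, scope="context"):
    """Return a vzBrCP with one vzSubj that references the named filters."""
    refs = [{"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": f}}}
            for f in filter_names]
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope},
                       "children": [{"vzSubj": {"attributes": {"name": subject},
                                                 "children": refs}}]}}


def epg_bindings(contract_name):
    """Relations to place under the provider and consumer fvAEPg respectively."""
    return ({"fvRsProv": {"attributes": {"tnVzBrCPName": contract_name}}},
            {"fvRsCons": {"attributes": {"tnVzBrCPName": contract_name}}})


def _port_matches(lo, hi, port):
    if lo == "unspecified" or hi == "unspecified":
        return True
    return int(lo) <= port <= int(hi)


def permits(filters, contract, prot, dport):
    """Simplified model: allowed if any vzEntry referenced by any subject
    matches the protocol and destination port; otherwise denied."""
    for subj in contract["vzBrCP"]["children"]:
        for ref in subj["vzSubj"]["children"]:
            flt = filters[ref["vzRsSubjFiltAtt"]["attributes"]["tnVzFilterName"]]
            for entry in flt["vzFilter"]["children"]:
                a = entry["vzEntry"]["attributes"]
                if a["prot"] not in ("unspecified", prot):
                    continue
                if _port_matches(a["dFromPort"], a["dToPort"], dport):
                    return True
    return False


if __name__ == "__main__":
    sql = build_filter("sql-server", [{"name": "tds", "prot": "tcp",
                                       "dFromPort": 1433, "dToPort": 1433}])
    contract = build_contract("Web-to-DB", "sql", ["sql-server"])
    filters = {"sql-server": sql}
    tenant = {"fvTenant": {"attributes": {"name": "Prod"}, "children": [sql, contract]}}
    print(json.dumps(tenant, indent=2))
    for prot, port in (("tcp", 1433), ("tcp", 80), ("udp", 1433)):
        print(prot, port, "permitted" if permits(filters, contract, prot, port) else "denied")
```

The tenant JSON printed by the script is the shape you would post to the APIC REST API; the permits() checks make the point of the question concrete: the vzEntry inside the filter is the only place that says TCP/1433, so HTTP and UDP traffic between the same EPGs is denied until another filter is attached to a subject.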
In Cisco ACI, which component provides Layer 2 forwarding within a Tenant, allowing endpoints to communicate within the same subnet?
A. VRF
B. Bridge Domain
C. Contract
D. EPG
Correct Answer: B
Explanation:
In the Cisco ACI architecture, Bridge Domains (BDs) play a fundamental role in Layer 2 forwarding. A Bridge Domain is a Layer 2 construct within a tenant that maps closely to a subnet or VLAN in traditional networking. It provides the Layer 2 boundary and is responsible for MAC address learning, flooding behavior, ARP handling, and more.
When endpoints (such as virtual machines or physical servers) belong to different EPGs but share the same bridge domain, they can communicate at Layer 2 if policies allow. A bridge domain can also be associated with one or more subnets, which are typically configured for IP gateway functionality. This allows endpoints within the bridge domain to communicate via their default gateway managed by the ACI fabric.
For example:
Suppose you have a BD named BD-Users and two EPGs: EPG-Sales and EPG-Marketing.
If both EPGs are associated with BD-Users, and contracts permit it, their endpoints can communicate within the same Layer 2 network.
Let’s examine the incorrect answers:
A. VRF (Virtual Routing and Forwarding): This provides Layer 3 separation and enables multiple routing instances. It doesn't handle Layer 2 communication.
C. Contract: Contracts govern traffic filtering and communication permissions but are not responsible for forwarding.
D. EPG (Endpoint Group): EPGs group similar endpoints for policy application but rely on the bridge domain for Layer 2 forwarding.
In conclusion, the Bridge Domain is the core Layer 2 forwarding entity in Cisco ACI. It allows endpoints in the same subnet to communicate and handles critical functions such as ARP flooding control and gateway configuration. Understanding how BDs interact with EPGs and VRFs is essential for designing efficient and segmented ACI-based data center networks.