
Part 1: 10 Basic interview questions on Cisco ACI
  • Q1: What are the main components that make up the ACI architecture? …
  • Q2: What model of switches have you used to deploy ACI architecture? …
  • Q3: What is the purpose of IS-IS? …
  • Q4: What Cisco ACI policy object is similar to a VLAN?


Top 15 Most-Asked Cisco ACI Interview Questions and Answers

Without further ado, let’s get to the ACI interview questions and answers.

Question 1 – What is the hardware series we use for Application Centric Infrastructure?

Answer: The Cisco Nexus 9000 series. Within it there are mainly the Nexus 9500 modular and Nexus 9300 non-modular switches. A common design is to use the 9500 as spine switches and the 9300 as leaf switches.

Nexus ACI Interview Questions and Answers

Ques 1. There are two different operating modes that the Nexus 9000 Series switches can be set up to use: NX-OS mode and ACI mode.

Ques 2. In the modern IT environment, applications are increasingly deployed in a distributed manner, which results in increased east-west traffic. The high-bandwidth and low-latency requirements are too much for traditional three-tier data centers to handle. The shortcomings of conventional network architecture are addressed by the two-layer leaf-spine topology (consisting of leaf switches and spine switches), which is well suited to data centers that see more east-west than north-south traffic. Servers and storage connect to leaf switches, and every leaf switch connects to every spine switch. Leaf switches form the access layer and provide servers with their network connection points. Leaf nodes also connect to the APIC controllers, which provide a single point of automation and management, policy programming, application deployment and health monitoring for the ACI fabric. To the outside world, the ACI fabric appears as a single switch that is capable of both bridging and routing. Moving Layer 3 routing to the access layer reduces modern applications' need for Layer 2 reachability. All links in ACI operate in active-active mode (ECMP), enabling higher throughput and fast convergence.

Ques 3. The ACI architecture prohibits one spine from connecting directly to another spine, so this cannot be done in ACI mode.

Ques 4. No, the ACI architecture prohibits direct connections between leaf switches, so one leaf cannot be connected to another leaf in ACI mode. All communication between leaves must go through the spine.

Ques 5. A minimum of three APIC controllers is recommended for a Layer 3 fabric in an ACI-mode deployment.

Ques 6. What is the maximum number of spine and leaf switches supported in an ACI-mode deployment (Layer 2/Layer 3 fabric)?
  • Maximum spines supported: L2 fabric – total 24 (max 6 per pod); large L3 fabric – total 24 (max 6 per pod)
  • Maximum leaves supported: L2 fabric – 80; large L3 fabric – 200

Ques 7. The main advantages of Nexus ACI compared to conventional network solutions are:
  • A robust network fabric that includes real-time application health statistics.
  • ACI is agnostic to both physical and virtual environments.
  • Templates for provisioning and automation increase network agility, give real-time monitoring of the physical and virtual environment, and speed up troubleshooting.
  • ACI is designed specifically for data centers that need a (virtualized) multi-tenancy setup, and the configuration steps in the GUI are simple.
  • Competitive pricing (CAPEX and OPEX) for Nexus 9000 switching.
  • The switch can operate in ACI mode or as a regular switch under NX-OS, and it also supports Nexus 2000 fabric extenders.
  • A single pane of policy orchestration that enables seamless connectivity between on-premises and remote data centers, as well as between multiple geographically dispersed data centers.
  • Open APIs make integration with third-party devices such as firewalls and ADCs simple.
  • A single point of provisioning via the GUI and/or REST API.
  • Automation of repetitive tasks saves man-hours, reduces errors and centralizes policy-based management.

Ques 8. The APIC controller serves as the central hub for automation and management in both physical and virtual environments, enabling administrators and network designers to create fully automated, scalable, multi-tenant networks. The primary role of the Cisco APIC is to provide policy authority and policy resolution for Cisco ACI and the devices connected to it; it offers a single point of contact for application-centric network policies. Additional key features of the APIC include troubleshooting for the ACI fabric; application, tenant and topology monitoring; integration of third-party Layer 4-7 services; virtualization and management; an open-standards framework with northbound and southbound application programming interfaces (APIs); and scalable security for multitenant environments.

Ques 9. Does an APIC controller forward data traffic? No. In the Cisco ACI architecture, APIC controllers are not in the data path of any traffic. The APIC orchestrates the ACI fabric and is freed from the data-forwarding path.

Ques 10. What happens if every APIC controller in the fabric fails? If every APIC controller fails, the fabric cannot be changed in any way. The data plane continues to forward, but no new policies or changes can be made because there is no APIC.

Ques 11. According to the Cisco ACI architecture design, APICs should only be connected directly to leaf-layer switches in the ACI fabric; can an APIC be connected directly to a spine? No, APICs must not be connected to the spine layer, so the diagram above is incorrect.

Ques 12. The customer has a new server and wants to combine ports from three leaf nodes into one VPC (VPC 1). This is not possible: in ACI, a VPC between a server and leaf nodes cannot extend beyond two leaf switches. A server can connect to only two leaf switches to form a VPC, so the diagram shown above is not possible.

Ques 13. Once the fabric is up, can endpoints (such as servers) communicate with one another? If not, why not? By default, the ACI fabric does not permit any endpoint communication. Endpoint communication and traffic forwarding require explicit policies to be implemented.

Ques 14. Cisco ACI calls a bridge domain a Layer 2 construct. Bridge domains live within VRFs. A bridge domain defines an L2 boundary, but it differs from a VLAN in that it acts as a container for subnets. Its main function is to permit L2 broadcasts inside the container. Most tenants will have a single bridge domain, but depending on the situation there may be more than one. Within the bridge domain we have subnets.

Ques 15. A bridge domain differs from a VLAN in that it can contain more than one subnet, whereas a VLAN can contain only one subnet. It is a subnet container that serves as an L2 boundary, but it is not a VLAN.

Ques 16. The term "endpoint group" (EPG) refers to an object that represents a group of endpoints with similar characteristics. Endpoints are objects that are directly or indirectly connected to the network. They can be physical or virtual, and they have a name, a location, attributes (such as version or patch level) and an address. Examples of endpoints are servers and virtual machines.

Ques 17. Why is a tenant not a private network? In Cisco ACI, a tenant is a unit of isolation from a policy perspective. A tenant may represent a customer in a service-provider setting, an organization or domain in an enterprise setting, or simply a convenient grouping of policies. A Cisco ACI tenant can contain multiple private networks (VRF instances). In other words, a tenant is an object container. A tenant includes the following: VRFs, bridge domains, subnets, endpoint groups, contracts, filters, and

Ques 18. What is meant by the term "contract"? A contract is an agreement between two EPGs; it is essentially an extended, bidirectional access list. Contracts are a group of subjects that specify how source and destination EPGs communicate with one another. Subjects are a combination of filter, action and label. The relationship between contract, subject, filter, action and label is shown in the diagram below.
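The policy model described in Ques 13 through Ques 18 (tenant, VRF, bridge domain with several subnets, EPGs, and a contract made of subjects and filters) can be shown concretely. The Python below is an added example and is not code from the original page or from Cisco: it builds one tenant in the JSON object tree that the APIC REST API accepts and then evaluates a few EPG-to-EPG flows with a deliberately simplified model of ACI's contract semantics, including the taboo contract the page describes right after this question. The ACI class names and relation attributes (fvTenant, fvCtx, fvBD, fvSubnet, fvAp, fvAEPg, fvRsBd, fvRsCons, fvRsProv, fvRsProtBy, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzTaboo, vzTSubj, vzRsDenyRule) are real; the tenant, EPG, filter and contract names, the subnets and the port choices are constructed for this example, and the evaluator is a teaching model, not APIC's zoning-rule compiler.

```python
"""Added example: build an ACI tenant as APIC REST JSON and evaluate its
whitelist.  Names, subnets and ports are constructed; the evaluator is a
simplified model of contract/taboo semantics, not APIC's own engine."""
import json


def mo(cls, name=None, children=(), **attrs):
    """One managed object in APIC JSON form: {"<class>": {"attributes": {...}, "children": [...]}}."""
    attributes = {} if name is None else {"name": name}
    attributes.update(attrs)
    node = {cls: {"attributes": attributes}}
    if children:
        node[cls]["children"] = list(children)
    return node


def tcp_filter(name, port):
    """vzFilter with a single vzEntry matching TCP to one destination port."""
    entry = mo("vzEntry", f"tcp-{port}", etherT="ip", prot="tcp",
               dFromPort=str(port), dToPort=str(port))
    return mo("vzFilter", name, [entry])


def build_tenant():
    """Tenant DEMO (constructed): one VRF, one BD holding two subnets (a BD is a
    subnet container), EPGs WEB and APP, a contract permitting TCP/443 and TCP/21
    from WEB to APP, and a taboo that blocks TCP/21 towards APP regardless."""
    web = mo("fvAEPg", "WEB", [mo("fvRsBd", tnFvBDName="BD1"),
                               mo("fvRsCons", tnVzBrCPName="web-to-app")])   # WEB consumes
    app = mo("fvAEPg", "APP", [mo("fvRsBd", tnFvBDName="BD1"),
                               mo("fvRsProv", tnVzBrCPName="web-to-app"),    # APP provides
                               mo("fvRsProtBy", tnVzTabooName="no-ftp")])    # APP is protected by the taboo
    return mo("fvTenant", "DEMO", [
        mo("fvCtx", "VRF1"),
        mo("fvBD", "BD1", [mo("fvRsCtx", tnFvCtxName="VRF1"),
                           mo("fvSubnet", ip="10.1.1.1/24"),
                           mo("fvSubnet", ip="10.1.2.1/24")]),
        tcp_filter("https", 443),
        tcp_filter("ftp-control", 21),
        mo("vzBrCP", "web-to-app", [
            mo("vzSubj", "https", [mo("vzRsSubjFiltAtt", tnVzFilterName="https")]),
            mo("vzSubj", "ftp", [mo("vzRsSubjFiltAtt", tnVzFilterName="ftp-control")])]),
        mo("vzTaboo", "no-ftp", [
            mo("vzTSubj", "ftp", [mo("vzRsDenyRule", tnVzFilterName="ftp-control")])]),
        mo("fvAp", "AP1", [web, app]),
    ])


def _unpack(node):
    cls = next(iter(node))
    return cls, node[cls]["attributes"], node[cls].get("children", [])


def index_tenant(tenant):
    """Flatten the object tree into the lookups the evaluator needs."""
    filters, contracts, taboos, epgs = {}, {}, {}, {}
    for cls, attrs, kids in map(_unpack, _unpack(tenant)[2]):
        if cls == "vzFilter":
            filters[attrs["name"]] = [(a["prot"], int(a["dFromPort"]), int(a["dToPort"]))
                                      for _, a, _ in map(_unpack, kids)]
        elif cls in ("vzBrCP", "vzTaboo"):
            names = [rel["tnVzFilterName"]
                     for _, _, rels in map(_unpack, kids)      # subjects
                     for _, rel, _ in map(_unpack, rels)]      # filter relations
            (contracts if cls == "vzBrCP" else taboos)[attrs["name"]] = names
        elif cls == "fvAp":
            for _, epg, rels in map(_unpack, kids):
                entry = {"cons": set(), "prov": set(), "taboo": set()}
                for rcls, rel, _ in map(_unpack, rels):
                    if rcls == "fvRsCons":
                        entry["cons"].add(rel["tnVzBrCPName"])
                    elif rcls == "fvRsProv":
                        entry["prov"].add(rel["tnVzBrCPName"])
                    elif rcls == "fvRsProtBy":
                        entry["taboo"].add(rel["tnVzTabooName"])
                epgs[epg["name"]] = entry
    return filters, contracts, taboos, epgs


def _matches(filters, names, proto, dport):
    return any(prot == proto and lo <= dport <= hi
               for n in names for prot, lo, hi in filters[n])


def is_permitted(tenant, src, dst, proto, dport):
    """Simplified ACI semantics: intra-EPG traffic is allowed; a taboo on the
    destination EPG is checked first and always denies; then a contract that src
    consumes and dst provides may permit; everything else is dropped (whitelist)."""
    filters, contracts, taboos, epgs = index_tenant(tenant)
    if src == dst:
        return True
    if any(_matches(filters, taboos[t], proto, dport) for t in epgs[dst]["taboo"]):
        return False
    return any(_matches(filters, contracts[c], proto, dport)
               for c in epgs[src]["cons"] & epgs[dst]["prov"])


def to_json(tenant):
    """The payload an automation script would POST to https://<apic>/api/mo/uni.json."""
    return json.dumps(tenant, indent=2)


if __name__ == "__main__":
    t = build_tenant()
    print(to_json(t))
    for proto, port in (("tcp", 443), ("tcp", 21), ("tcp", 22)):
        print("WEB -> APP", proto, port, "permitted" if is_permitted(t, "WEB", "APP", proto, port) else "dropped")
```

Running the script prints the tenant JSON and shows TCP/443 permitted by the contract, TCP/21 dropped because the taboo is evaluated ahead of the contract that would otherwise allow it, and TCP/22 dropped because no contract covers it. Real APIC evaluation also honours subject direction flags, labels and filter reverse-port rules, which this model omits.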
Ques 19. There may be circumstances where the ACI administrator needs to block traffic that is authorized by another contract. Administrators can use taboos, a special kind of contract, to block particular traffic that would otherwise be permitted by another contract. Taboos can block traffic that matches a pattern (such as an EPG or a filter). Taboo rules are programmed in hardware ahead of the rules of standard contracts.

Ques 20. Can I use the same VRF number for multiple tenants? Yes. Since the two VRFs are in separate logical groups, filtering and administrative configuration are done separately for each.

Ques 21. No, a single EPG can only point to a single BD, and thus only allows access to a single subnet. One subnet cannot belong to more than one BD, but a bridge domain can have multiple subnets. Rationale: this is part of the set of rules. One BD can be created if two different servers that belong to a single EPG (WEB-EPG) but sit in two different subnets need to communicate.

Ques 22. An application network profile is a logical profile that describes how an application appears, connects and operates on the Cisco ACI fabric. As a parent object that stores policy for a group of EPGs, an application network profile can be thought of as a set of defined contracts between EPGs. As shown below, the application network profile defines the policies between EPG A and EPG B.

Ques 23. An ACI fabric can contain the following types of EPG: application endpoint groups (fvAEPg), Layer 2 external outside network instance endpoint groups (l2extInstP), Layer 3 external outside network instance endpoint groups (l3extInstP), and management endpoint groups for out-of-band (mgmtOoB) or in-band (mgmtInB) access.

Ques 24. Policies cannot be applied to individual endpoints; they apply to EPGs only.

Ques 25. What does the Cisco ACI concept of microsegmentation mean? Microsegmentation is a method for improving security inside the data center perimeter. Its main benefit is that it reduces the attack surface by limiting lateral-movement options in the event of a security breach. Cisco ACI microsegmentation can automatically assign endpoints to logical security zones known as endpoint groups (EPGs) based on various network- or virtual-machine (VM)-based attributes. The diagram below shows how microsegmentation permits endpoints to communicate on TCP port 443 but prevents communication on TCP port 21.

Ques 26. In certain scenarios there is a need for inspection or policy control between different bridge domains or Layer 2 groups, which is why more than one bridge domain may be required in the same VRF. This allows a security device to be placed so that the flow of traffic between two or more bridge domains is controlled.

Ques 27. The three default tenants in Cisco ACI are:
  • Management – the management tenant offers an easy way to set up access policies for fabric nodes.
  • Common – a special tenant that exists in the ACI fabric to provide "common" services to other tenants.
  • Infra – the infrastructure tenant, which handles all communication within the fabric, including policy deployment and tunneling. This covers switch-to-switch (leaf, spine, Application Virtual Switch (AVS)) as well as switch-to-APIC communication.

Ques 28. Explain the function of VXLAN in the ACI fabric. VXLAN is an overlay technology that extends Layer 2 across Layer 3 boundaries. Some of the main advantages VXLAN brings to the ACI fabric are increased robustness, improved ECMP, dropped broadcasts and reduced flooding. Scalability is another important advantage: in a data center environment, VXLAN can scale up to 16 million devices. VXLAN also addresses vMotion requirements efficiently. The diagram below shows how VXLAN operates when traffic is received (ingress) and sent out (egress). User traffic is encapsulated into VXLAN from the user space, and, when necessary, the VXLAN overlay provides Layer 2 adjacency. As a result, Layer 2 connectivity can be simulated while VXLAN's extensibility is used for scaling and flexibility. All traffic within the ACI fabric is encapsulated by a VXLAN Tunnel Endpoint (VTEP) using an extended VXLAN header. When a host sends traffic to a leaf, the frames are converted to VXLAN and sent to the intended destination in the fabric. The ACI fabric is able to completely normalize traffic sent from one leaf to another (which may be the same leaf). When the frames leave the destination leaf they are re-encapsulated into whatever the destination network requests: untagged frames, an 802.1Q trunk, VXLAN or NVGRE. Encapsulation, de-encapsulation and re-encapsulation are all handled at line rate by the ACI fabric. In addition to providing Layer 3 routing within the fabric for packet movement, the fabric also offers external routing to connect to routers on the Internet and intranet.

Ques 29. What is a private network, and how does it relate to a VRF? A private network is a Layer 3 context (a VRF) that gives tenants IP address space isolation. Private networks are children of the tenant object. Every endpoint in a private network needs a distinct IP address, because packets can be forwarded directly between these endpoints if policy permits. One or more bridge domains are associated with a private network.

Ques 30. What does "L3 Out" mean, why is it necessary, and how does ACI use it to connect to external devices? The external devices may be external routers, firewalls, etc. Border leaves exchange external prefixes using OSPF, BGP or static routes. L3 Out is configured so that the ACI fabric can communicate with the outside world, i.e. the Internet, as shown in the diagram below.

Ques 31. Which routing protocol is used for internal communication between ACI spine and leaf switches? MP-BGP is implemented between the leaf and spine switches within the ACI fabric to propagate external routes.

Ques 32. Which node in the ACI fabric is configured as a route reflector, and why is a route reflector necessary? Spine switches are set up as BGP route reflectors in the ACI fabric. In the MP-BGP that runs between ACI spine and leaf switches, the border leaf advertises routes to a spine switch acting as BGP route reflector; once the VRFs are created, the routes are propagated to all of the leaf switches.

Ques 33. The following Cisco Nexus switches are used as spine nodes in an ACI setup: 9336PQ, 9364C, 9504, 9508 and 9516.

Ques 34. The following Cisco Nexus switches are used as leaf nodes in an ACI setup: 93108TC-EX, 93108TC-FX, 93120TX, 93128TX, 93180LC-EX, 93180YC-EX, 93180YC-FX, 9332PQ, 9348GC-FXP, 9372PX, 9372PX-E, 9372TX, 9372

Ques 35. Yes, it is possible to connect Layer 3 devices to a spine, but only if they are VXLAN-aware.

Ques 36. Yes, network switches (Catalyst, Nexus or other vendors' switches) can be configured as downlinks from ACI leaf switches in order to connect access-layer switches below a leaf node. However, the management of these non-ACI switches must remain separate and cannot be integrated into the ACI fabric controlled by the APIC controllers.

Ques 37. What are the differences between Multi-Pod and Multi-Site? A comparison of the two is provided in the table below.

Ques 38. From the following OS versions of the APIC controller and 9K leaf/spine switches onward, leaf uplink ports can be used for both spine and endpoint connectivity: APIC controller – apic-3.2(1m); 9K nodes – n9000-13.2(1m).

Ques 39. I have trunk ports configured in one EPG; can access ports be added to it as well? In the current ACI OS, access ports cannot be configured together with trunk ports in the same EPG.

Ques 40. I have a non-Cisco device (e.g. Checkpoint) and wish to integrate Cisco APIC with Checkpoint management. It is possible to integrate this third-party management into Cisco ACI via the APIC controllers because the Cisco ACI fabric exposes the necessary APIs.

Ques 41. There are two ways to manage or configure the APIC controllers:
  • Use a monitor and keyboard to get a KVM console and configure the APIC via CIMC.
  • Use any switch and set up DHCP on it. Since DHCP is enabled by default on the APIC CIMC port, connecting it to the switch causes it to obtain an IP address from DHCP. Then attach a laptop to the switch so that it is in the same segment as the APIC; the APIC CIMC can be browsed from the PC and the APIC configured via the KVM console.

Ques 42. If a console cable to connect via HyperTerminal is not available during initial setup, is there another way to access the APIC controller? Yes, the alternative is to use any switch and set up DHCP on it. Since DHCP is enabled by default on the APIC CIMC port, connecting it to the switch causes it to obtain an IP address from DHCP. Then attach a laptop to the switch so that it is in the same segment as the APIC; the APIC CIMC can be browsed from the PC and the APIC configured via the KVM console.

Ques 43. There are two types of tables on leaf nodes:
  • LST (Leaf Switching Table) – all hosts connected to the leaf.
  • GST (Global Switching Table) – a local cache of fabric endpoints, i.e. all the fabric endpoints known to the N9K in ACI mode.

Ques 44. What is the most recent version of the ACI fabric available, and what are the primary differences between versions? 0 with a new ACI Multi-Site feature that enables greater scalability and distinct availability zones.

Ques 45. The data for APIC configurations is divided into logically bounded subsets known as shards, which are comparable to database shards. Each shard serves as a unit for managing data and is handled by the APIC as follows: shards are distributed uniformly among the appliances that make up the APIC cluster.

Ques 46. ACI Multi-Pod belongs to the "single APIC cluster / single domain" family of solutions because it uses a single APIC cluster to manage all of the connected ACI fabrics. These ACI fabrics are referred to as "pods", and each one resembles a standard two-tier spine-leaf fabric. The ACI Multi-Pod fabric design was introduced in ACI 2.0. The main characteristics of the ACI Multi-Pod fabric are:
  • A single availability zone.
  • A single change, policy and management domain.
  • An IP inter-pod Layer 3 network connecting several ACI pods, each of which has leaf and spine nodes.
  • Fault isolation for control-plane protocols.
  • Tenant data is carried in VXLAN between pods.
  • End-to-end policy enforcement.
  • The IP network must be able to support bidirectional PIM multicast traffic.
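The ingress normalization, VXLAN encapsulation and egress re-encapsulation that Ques 28 describes (a tagged or untagged frame enters a leaf, is carried across the fabric in a VXLAN segment, and leaves the destination leaf in whatever encapsulation that port requests) can be traced on a single frame. The Python below is an added example and is not code from the original page or from Cisco. It uses the standard 8-byte VXLAN header from RFC 7348 (flags, reserved bits, 24-bit VNI) rather than ACI's extended iVXLAN header, which carries additional policy fields not modelled here; the MAC addresses, the VLAN-to-VNI mapping and the payload are constructed for the example.

```python
"""Added example: leaf ingress normalisation to VXLAN and egress re-encapsulation.
Uses the RFC 7348 VXLAN header, not ACI's extended iVXLAN header; MACs, the
VLAN-to-VNI mapping and the payload are constructed."""
import struct

ETH_P_8021Q = 0x8100
VXLAN_FLAG_I = 0x08          # "valid VNI" flag bit in the first header byte


def build_frame(dst, src, ethertype, payload, vlan=None):
    """Assemble an Ethernet frame, inserting an 802.1Q tag when vlan is given."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vlan & 0x0FFF)   # PCP/DEI left at 0
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vlan or None, ethertype, payload) for a possibly tagged frame."""
    dst, src = frame[:6], frame[6:12]
    ethertype, = struct.unpack_from("!H", frame, 12)
    if ethertype == ETH_P_8021Q:
        tci, ethertype = struct.unpack_from("!HH", frame, 14)
        return dst, src, tci & 0x0FFF, ethertype, frame[18:]
    return dst, src, None, ethertype, frame[14:]


def vxlan_encap(vni, inner):
    """Prepend the 8-byte VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner


def vxlan_decap(packet):
    """Strip the VXLAN header, rejecting packets whose VNI flag is not set."""
    flags, vni_word = struct.unpack_from("!B3xI", packet, 0)
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN header without a valid VNI")
    return vni_word >> 8, packet[8:]


def ingress_normalize(frame, vlan_to_vni, untagged_vni):
    """Ingress leaf: strip any 802.1Q tag, map the wire encapsulation to a fabric VNI,
    and encapsulate.  A VLAN with no mapping has no EPG behind it and is dropped."""
    dst, src, vlan, ethertype, payload = parse_frame(frame)
    if vlan is None:
        vni = untagged_vni
    elif vlan in vlan_to_vni:
        vni = vlan_to_vni[vlan]
    else:
        raise LookupError(f"VLAN {vlan} is not mapped to a VNI on this port")
    return vxlan_encap(vni, build_frame(dst, src, ethertype, payload))


def egress_reencap(packet, vlan=None):
    """Destination leaf: decapsulate, then re-tag only if the destination port wants 802.1Q."""
    vni, inner = vxlan_decap(packet)
    dst, src, _, ethertype, payload = parse_frame(inner)
    return vni, build_frame(dst, src, ethertype, payload, vlan)


if __name__ == "__main__":
    dst_mac, src_mac = bytes.fromhex("02aabbccdd01"), bytes.fromhex("02aabbccdd02")
    tagged = build_frame(dst_mac, src_mac, 0x0800, b"payload", vlan=100)   # constructed
    pkt = ingress_normalize(tagged, {100: 15000}, untagged_vni=8192)
    print("fabric packet:", pkt.hex())
    print("untagged egress:", egress_reencap(pkt)[1].hex())
    print("trunk egress:", egress_reencap(pkt, vlan=200)[1].hex())
```

The same frame leaves as an untagged frame on one port and as VLAN 200 on a trunk port, while inside the fabric only the VNI identifies the segment; this is the normalization step that lets an ACI leaf accept one encapsulation on ingress and hand out another on egress.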


FAQ

What are ACI interview questions?

Typical Cisco ACI interview questions include:
  • What are the advantages of Nexus ACI in comparison to conventional network solutions/architecture?
  • What occurs if every APIC controller in the network fails?
  • What is the difference between network-centric and application-centric in ACI?
  • What is the bridge domain?

What are the 3 core components of ACI Architecture?

The three core components of the ACI architecture are the Application Policy Infrastructure Controller (APIC), the spine switches and the leaf switches.

What is Cisco ACI used for?

For data centers, Cisco Application Centric Infrastructure (ACI) is a software-defined networking (SDN) solution. Cisco ACI makes it possible to define network infrastructure based on network policies, simplifying, enhancing, and speeding up the application deployment lifecycle.

What is Cisco ACI mode?

Application Centric Infrastructure (ACI) is a comprehensive data center architecture with centralized automation and policy-driven application profiles. ACI delivers software flexibility with the scalability of hardware performance, and it is built on the latest Cisco Nexus 9000 Series switches.
