Cisco 350-601 Implementing and Operating Cisco Data Center Core Technologies (DCCOR) Exam Dumps and Practice Test Questions Set 10 Q136 – 150


Question 136

What is the primary purpose of the Cisco ACI Bridge Domain?

A) To provide Layer 3 routing between EPGs

B) To represent a Layer 2 forwarding construct within a tenant

C) To manage physical switch configurations

D) To control access policies for endpoints

Answer: B

Explanation:

A Bridge Domain in Cisco ACI represents a Layer 2 forwarding construct within a tenant that defines the unique Layer 2 flood domain and can contain multiple subnets. The Bridge Domain is a fundamental building block of the ACI policy model that controls how Layer 2 traffic is forwarded, how broadcasts are handled, whether unicast routing is enabled, and how endpoints learn MAC and IP addresses within the fabric.

Bridge Domains contain configuration parameters that determine Layer 2 behavior including the flooding scope that controls where broadcast, unknown unicast, and multicast traffic is sent, ARP flooding settings that determine whether ARP requests flood throughout the domain or are handled by the fabric’s hardware-based proxy ARP, unicast routing enablement that determines whether the fabric routes traffic between subnets in the Bridge Domain, and endpoint learning controls that affect how MAC and IP addresses are discovered.

Each Bridge Domain associates with one or more EPGs that represent collections of endpoints requiring similar network policies. The Bridge Domain provides the Layer 2 connectivity between endpoints within associated EPGs while also defining subnet information used for Layer 3 routing. Multiple EPGs can share a Bridge Domain, enabling Layer 2 communication between endpoints in different EPGs while Layer 3 policies control inter-EPG traffic through contracts.

Layer 3 routing between EPGs is handled through contracts and VRF instances rather than Bridge Domains directly. Physical switch configuration is managed by the APIC controller through policies. Access policies are defined through EPGs and contracts. The Bridge Domain specifically provides the Layer 2 forwarding domain that controls broadcast flooding, endpoint learning, and subnet definitions within the ACI fabric.

Question 137

Which Cisco Nexus feature provides active-active Layer 2 connectivity between two switches?

A) HSRP

B) vPC

C) StackWise

D) VSS

Answer: B

Explanation:

Virtual Port Channel provides active-active Layer 2 connectivity between two Nexus switches, allowing them to appear as a single logical switch to downstream devices while maintaining independent control planes and separate management. vPC enables dual-homed devices to use both uplinks simultaneously for forwarding traffic, providing bandwidth aggregation, fast convergence, and elimination of Spanning Tree Protocol blocked ports.

The vPC architecture consists of two peer switches connected through vPC peer links that carry synchronization traffic and data plane traffic for orphan ports. Each peer switch runs independent control plane protocols but shares Layer 2 forwarding state for vPC member ports through the Cisco Fabric Services protocol over the peer link. This synchronization ensures that both peers have consistent MAC address tables, ARP information, and IGMP snooping state.

vPC member ports on both peer switches appear as a standard port channel to the downstream device, which uses LACP or static configuration for the port channel. Traffic from the downstream device can be forwarded through either vPC peer based on the hashing algorithm, providing load distribution and redundancy. If one peer fails, the surviving peer continues forwarding all traffic without reconvergence delays or topology changes.

HSRP provides Layer 3 gateway redundancy rather than Layer 2 active-active connectivity. StackWise creates a single logical switch from multiple physical switches in Catalyst platforms. VSS is a Catalyst technology similar to vPC but for 6500 series switches. vPC is the Nexus-specific technology that enables dual-homed Layer 2 connectivity with active-active forwarding across two independent switches.

Question 138

What is the function of the Cisco ACI fabric access policy?

A) To define EPG communication rules

B) To configure how external devices connect to the ACI fabric

C) To manage tenant isolation

D) To control APIC cluster settings

Answer: B

Explanation:

Fabric access policies in Cisco ACI define how external devices including servers, storage, network equipment, and hypervisors connect to the ACI fabric by configuring interface policies, interface profiles, switch profiles, and physical domain associations. These policies translate high-level intent into concrete switch port configurations that determine port speeds, channel bundling, VLAN pools, and connectivity parameters for devices attaching to leaf switches.

Access policies are organized hierarchically starting with interface policy groups that bundle common settings like link speed, CDP/LLDP enablement, port channel configuration, and storm control parameters. These policy groups are then associated with interface profiles that map specific ports or port ranges on switches. Switch profiles identify which leaf switches should receive these configurations. The modular approach enables policy reuse and consistent configuration across many ports.

Physical and external domains link access policies to EPGs, defining which VLAN or VXLAN encapsulations are used when EPG traffic egresses the fabric on specific ports. Static path bindings within EPGs reference these access policies to determine exactly which switch ports carry traffic for particular application endpoints. This connection between tenant networking policies and physical infrastructure policies enables the ACI fabric to automatically configure switch ports based on application requirements.

EPG communication rules are defined through contracts rather than fabric access policies. Tenant isolation is managed through VRF instances and security policies. APIC cluster settings are configured through system-level management policies. Fabric access policies specifically handle the physical connectivity layer, translating application-centric policies into concrete switch port configurations for external device attachment.

Question 139

Which protocol does Cisco ACI use for communication between leaf and spine switches?

A) OSPF

B) IS-IS

C) VXLAN with EVPN

D) EIGRP

Answer: C

Explanation:

Cisco ACI uses VXLAN encapsulation with MP-BGP EVPN control plane for communication between leaf and spine switches in the fabric underlay and overlay networks. The underlay network uses IS-IS as the routing protocol to establish IP connectivity between all leaf and spine switches, while the overlay uses VXLAN tunnels to carry tenant traffic with EVPN providing the control plane for endpoint learning and MAC/IP advertisement.

The IS-IS underlay creates a simple Layer 3 network where every leaf switch establishes adjacencies with all spine switches in a spine-leaf topology. This underlay provides the IP transport for VXLAN tunnels that encapsulate all tenant traffic flowing through the fabric. Each leaf switch establishes VXLAN tunnels to every other leaf switch through the spine switches, creating a full-mesh overlay topology that enables any-to-any communication.

EVPN control plane using MP-BGP runs between leaf switches with spines acting as route reflectors, distributing endpoint MAC and IP address information throughout the fabric. When a leaf learns a new endpoint through data plane traffic, it advertises this information via EVPN to all other leafs. This control plane distribution enables the fabric to build forwarding tables without flooding unknown unicast traffic, significantly improving scalability and efficiency.

OSPF and EIGRP are not used in standard ACI fabric operations. While IS-IS provides underlay routing, it works in conjunction with VXLAN/EVPN rather than being the sole communication protocol. The combination of IS-IS underlay for IP transport and VXLAN with EVPN overlay for tenant traffic encapsulation and endpoint learning is the complete answer for fabric communication protocols.

Question 140

What is the purpose of policy-based routing in Cisco NX-OS?

A) To increase routing table capacity

B) To forward packets based on criteria other than destination IP address

C) To encrypt routing updates

D) To compress routing tables

Answer: B

Explanation:

Policy-based routing in Cisco NX-OS enables forwarding decisions based on criteria beyond the destination IP address, including source IP address, source and destination ports, protocol types, packet size, or other packet characteristics defined in access lists or route maps. PBR overrides the normal destination-based routing table lookup, providing granular control over traffic forwarding paths for specific flows.

PBR is implemented using route maps that define match criteria and set actions. Match criteria can include source addresses allowing different traffic sources to use different paths, packet length for size-based routing decisions, IP precedence or DSCP values for QoS-based forwarding, and application identification through ACLs matching port numbers or protocol types. Set actions specify the next-hop IP address, outgoing interface, IP precedence, or other forwarding parameters.

Common use cases for PBR include directing traffic from specific sources through security inspection devices, implementing quality of service by routing time-sensitive traffic over low-latency paths, load balancing across multiple WAN links based on source networks or applications, and implementing multi-tenancy where different customers or departments use separate internet connections. PBR provides flexibility that destination-based routing cannot achieve.

PBR does not increase routing table capacity which is a hardware limitation. It does not encrypt routing updates which would use authentication mechanisms. Routing table compression is not a function of PBR. The ability to make forwarding decisions based on multiple packet characteristics beyond destination address is the fundamental purpose that distinguishes policy-based routing from standard destination-based forwarding.

Question 141

Which Cisco UCS component provides centralized management for blade and rack servers?

A) Fabric Interconnect

B) IOM

C) CIMC

D) FEX

Answer: A

Explanation:

The Fabric Interconnect provides centralized management for both blade servers in chassis and rack-mount servers in Cisco UCS, serving as the central point of control and connectivity for the entire UCS domain. Fabric Interconnects run UCS Manager software that provides unified management, policy-based configuration, identity pooling, and automated deployment across all servers in the domain.

Fabric Interconnects operate in pairs providing high availability and redundancy. They connect to blade server chassis through IOM modules and to rack servers through FEX units or direct connections. The FI manages all aspects of server configuration including BIOS settings, boot order, network connectivity, storage access, and power management through service profiles that abstract hardware identity from physical servers.

The centralized management architecture enables server administrators to manage hundreds or thousands of servers through a single interface, apply consistent policies across the infrastructure, automate server provisioning by associating service profiles with physical hardware, and maintain configuration consistency through template-based deployments. The Fabric Interconnect also provides network connectivity aggregating all server traffic and connecting to upstream LAN and SAN networks.

IOM modules provide connectivity between chassis and Fabric Interconnects but do not offer management functions. CIMC provides individual server management for standalone servers outside UCS domains. FEX extends fabric connectivity to rack servers but does not provide management capabilities. The Fabric Interconnect uniquely combines centralized management and network connectivity functions for the entire UCS domain.

Question 142

What is the primary benefit of using Cisco ACI Multi-Pod?

A) To reduce licensing costs

B) To extend a single ACI fabric across multiple geographic locations

C) To eliminate the need for leaf switches

D) To provide Layer 2 DCI connectivity

Answer: B

Explanation:

Cisco ACI Multi-Pod extends a single unified ACI fabric across multiple physical locations or pods connected through an IP network, enabling centralized policy management and consistent security controls while allowing geographic distribution of application workloads. Multi-Pod maintains a single APIC cluster managing all pods, providing operational simplicity and policy consistency across all locations within the fabric.

Each pod contains spine and leaf switches forming a complete ACI fabric with local VXLAN overlay networking. Pods connect through an Inter-Pod Network that provides Layer 3 IP connectivity between spines in different pods. This IPN can span data centers, use existing network infrastructure, and support various topologies as long as it meets latency, bandwidth, and reliability requirements. Traffic between pods traverses the IPN using VXLAN encapsulation.

Multi-Pod enables several important use cases including workload mobility where applications move between pods while maintaining IP addresses and policies, disaster recovery with active-active data center configurations, geographic distribution of application tiers for performance optimization, and incremental fabric expansion by adding new pods to existing domains. The single management domain simplifies operations compared to managing separate fabric instances.

Multi-Pod does not reduce licensing as all switches and APICs require appropriate licenses. It does not eliminate leaf switches which remain essential in each pod. While it enables workload mobility, it does not provide pure Layer 2 DCI which would use Multi-Site instead. The geographic extension of a unified fabric with centralized management is the defining characteristic and primary benefit of Multi-Pod architecture.

Question 143

Which feature in Cisco Nexus switches provides loop prevention without using Spanning Tree Protocol?

A) BPDU Guard

B) Loop Guard

C) FabricPath

D) Root Guard

Answer: C

Explanation:

Cisco FabricPath provides loop prevention without using Spanning Tree Protocol by implementing IS-IS routing at Layer 2, enabling all links to forward traffic simultaneously without requiring blocking ports. FabricPath transforms the traditional Layer 2 network into a routed fabric where switches use equal-cost multipath forwarding and shortest path calculations to distribute traffic across all available links.

FabricPath operates by encapsulating Ethernet frames with a FabricPath header that includes source and destination switch IDs, allowing switches to route frames through the fabric using IS-IS topology information. Each FabricPath switch has a unique switch ID and runs IS-IS to learn the fabric topology and compute optimal paths to all destinations. This routing approach eliminates broadcast storms and Layer 2 loops without blocking any links.

The technology provides multiple benefits including higher bandwidth utilization because all links actively forward traffic rather than being blocked by STP, faster convergence with sub-second failover times compared to STP convergence delays, simplified operations without VLAN-based spanning tree instances, and better scalability supporting thousands of switches in a single Layer 2 domain. FabricPath enables building large Layer 2 networks with the efficiency and stability of Layer 3 routing.

BPDU Guard, Loop Guard, and Root Guard are STP enhancement features that improve STP behavior but still rely on Spanning Tree Protocol for basic loop prevention. FabricPath fundamentally replaces STP with a routing-based approach that eliminates the need for link blocking while providing superior performance and convergence characteristics for large Layer 2 data center networks.

Question 144

What is the function of the Cisco ACI Contract?

A) To define allowed communication between EPGs

B) To configure physical port settings

C) To manage APIC cluster synchronization

D) To assign IP addresses to endpoints

Answer: A

Explanation:

Contracts in Cisco ACI define the communication policies that govern allowed traffic flows between endpoint groups, implementing security controls and service insertion requirements between application tiers or components. Contracts use a provider-consumer model where EPGs providing services export contracts and EPGs consuming services import contracts, with traffic permitted only when contract relationships exist.

Contracts contain subjects that group related filters defining the specific protocols, ports, and directions of traffic permitted between EPGs. Filters specify Layer 4 protocol types, source and destination port ranges, and other traffic characteristics that should be permitted or denied. The modular contract structure enables policy reuse where common contracts like permit-HTTPS or permit-database can be consumed by multiple EPGs.

The contract model implements whitelist security where traffic is denied by default unless explicitly permitted through contract relationships. EPGs can be both providers and consumers of multiple contracts simultaneously, enabling complex application topologies with granular security controls. Contracts can also specify service graphs that insert Layer 4 through Layer 7 services like firewalls or load balancers into permitted traffic flows.

Physical port settings are configured through fabric access policies rather than contracts. APIC cluster synchronization uses internal management protocols. IP address assignment occurs through Bridge Domain subnet configuration or external IPAM integration. Contracts specifically implement the security policy layer that controls which EPGs can communicate and what traffic types are permitted between them.
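The provider-consumer whitelist described in this explanation can be worked through as a small policy evaluator. This is an added example, not Cisco or APIC code: the class names, EPG names (`clients`, `web`, `app`, `db`), contract names and port numbers are constructed for illustration, and the `reverse_ports` flag, which admits a provider's reply traffic, is a simplifying assumption of the model.

```python
"""Toy model of an ACI-style contract whitelist (constructed example)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Filter:
    """One Layer 4 filter entry: protocol plus a destination port range."""
    name: str
    protocol: str
    port_from: int
    port_to: int

    def matches(self, protocol, port):
        return protocol == self.protocol and self.port_from <= port <= self.port_to


@dataclass(frozen=True)
class Subject:
    """Groups filters; reverse_ports also admits the provider's replies."""
    name: str
    filters: tuple
    reverse_ports: bool = True


@dataclass(frozen=True)
class Contract:
    name: str
    subjects: tuple


@dataclass
class Policy:
    contracts: dict = field(default_factory=dict)  # contract name -> Contract
    provides: dict = field(default_factory=dict)   # EPG -> set of contract names
    consumes: dict = field(default_factory=dict)   # EPG -> set of contract names

    def add(self, contract, provider, consumer):
        """Register a contract and one provider/consumer relationship."""
        self.contracts[contract.name] = contract
        self.provides.setdefault(provider, set()).add(contract.name)
        self.consumes.setdefault(consumer, set()).add(contract.name)

    def _matches(self, consumer, provider, protocol, port):
        """Yield (subject, label) for filters in contracts shared by the pair."""
        shared = self.consumes.get(consumer, set()) & self.provides.get(provider, set())
        for name in sorted(shared):
            for subj in self.contracts[name].subjects:
                for flt in subj.filters:
                    if flt.matches(protocol, port):
                        yield subj, f"{name}/{subj.name}/{flt.name}"

    def evaluate(self, src_epg, dst_epg, protocol, sport, dport):
        """Return (permitted, reason) for one inter-EPG flow."""
        if src_epg == dst_epg:
            raise ValueError("only inter-EPG flows are modelled")
        # Consumer-initiated traffic: the source consumes what the destination provides.
        for _, label in self._matches(src_epg, dst_epg, protocol, dport):
            return True, label
        # Reply traffic: the source is the provider, so match on its source port.
        for subj, label in self._matches(dst_epg, src_epg, protocol, sport):
            if subj.reverse_ports:
                return True, label + " (reply)"
        return False, "implicit deny: no contract relationship or no filter match"


def build_sample_policy():
    """Three-tier application with constructed EPGs, contracts and ports."""
    def contract(name, subject, flt_name, port):
        flt = Filter(flt_name, "tcp", port, port)
        return Contract(name, (Subject(subject, (flt,)),))

    policy = Policy()
    policy.add(contract("permit-https", "web-traffic", "tcp-443", 443), "web", "clients")
    policy.add(contract("permit-app", "app-traffic", "tcp-8080", 8080), "app", "web")
    policy.add(contract("permit-database", "db-traffic", "tcp-5432", 5432), "db", "app")
    return policy


if __name__ == "__main__":
    p = build_sample_policy()
    for flow in [("web", "app", "tcp", 40000, 8080),   # consumer to provider
                 ("app", "web", "tcp", 8080, 40000),   # provider reply
                 ("web", "db", "tcp", 40000, 5432),    # no relationship
                 ("app", "web", "tcp", 40000, 8080)]:  # provider-initiated
        print(flow, "->", p.evaluate(*flow))
```

The last two flows are the ones worth checking in a review: the web tier cannot reach the database directly, and the app tier cannot open new connections toward the web tier even though a contract links them.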

Question 145

Which Cisco NX-OS feature provides first-hop redundancy for IPv4?

A) VRRP

B) GLBP

C) HSRP

D) All of the above

Answer: D

Explanation:

Cisco NX-OS supports multiple first-hop redundancy protocols for IPv4 including Hot Standby Router Protocol, Virtual Router Redundancy Protocol, and Gateway Load Balancing Protocol, providing flexibility for different deployment scenarios and interoperability requirements. Each protocol enables multiple routers to share a virtual IP address for default gateway redundancy, ensuring continuous network access when individual routers fail.

HSRP is Cisco’s original FHRP that uses active-standby operation where one router actively forwards traffic while others remain in standby waiting to assume the active role upon failure. HSRP is widely deployed in Cisco environments and integrates well with other Cisco features. VRRP is an industry standard protocol similar to HSRP providing active-standby operation with slight differences in terminology and some operational behaviors.

GLBP provides load balancing capabilities in addition to redundancy by allowing multiple routers to simultaneously forward traffic for the same virtual IP address. GLBP assigns different virtual MAC addresses to group members and distributes these MAC addresses to clients through ARP responses, enabling traffic distribution across all available routers. This load sharing improves bandwidth utilization compared to active-standby protocols.

NX-OS implements all three protocols allowing network designers to choose based on requirements for standards compliance, load balancing needs, and integration with existing infrastructure. The support for multiple FHRPs provides deployment flexibility while maintaining first-hop redundancy that ensures clients retain default gateway connectivity despite individual router failures. The comprehensive FHRP support demonstrates NX-OS versatility in data center environments.

Question 146

What is the purpose of Cisco UCS service profiles?

A) To monitor network traffic

B) To abstract server identity and enable stateless computing

C) To compress storage data

D) To encrypt management traffic

Answer: B

Explanation:

UCS service profiles abstract server identity and configuration from physical hardware, enabling stateless computing where all server personality including BIOS settings, firmware versions, network identities, storage configurations, and boot parameters are defined in software policies that can be applied to any compatible physical server. This abstraction revolutionizes server management by making hardware interchangeable and simplifying provisioning, replacement, and disaster recovery.

A service profile contains all information needed to configure a server including identity pools for MAC addresses, WWNs, and UUIDs, network and storage connectivity through vNICs and vHBAs, BIOS and firmware policies, boot order and boot device specifications, power and scrub policies, and management configurations. When a service profile associates with physical hardware, UCS Manager automatically configures all these parameters without manual intervention.

The stateless computing model enables rapid server provisioning by applying pre-configured service profiles to new hardware in minutes, simplified hardware maintenance by migrating service profiles to replacement servers without complex rebuild procedures, disaster recovery by maintaining service profile backups that can instantiate on any available hardware, and consistent configuration by using templates that ensure uniform settings across many servers.

Service profiles do not monitor network traffic which is handled by separate monitoring tools. Storage compression is a storage array function. Management traffic encryption uses SSL/TLS protocols. The server identity abstraction and stateless computing capabilities are the defining characteristics that make UCS service profiles a transformative server management approach in modern data centers.

Question 147

Which Cisco ACI component maintains the central repository of all policies and configurations?

A) Spine switch

B) Leaf switch

C) Application Policy Infrastructure Controller

D) Fabric Interconnect

Answer: C

Explanation:

The Application Policy Infrastructure Controller maintains the central repository of all policies, configurations, and operational state for the ACI fabric in its managed object database. The APIC cluster provides the single source of truth for all fabric configuration, tenant policies, access policies, and operational state, ensuring consistency across all switches and enabling centralized management through GUI, CLI, or API interfaces.

APIC stores the complete fabric configuration as a hierarchical object model in its PostgreSQL database, representing every switch, port, tenant, EPG, contract, and policy as objects with defined attributes and relationships. When administrators create or modify policies through the APIC interface, changes are stored in this database and then distributed to affected switches using OpFlex protocol which pushes relevant portions of policy to each switch.

The APIC cluster typically consists of three or more controllers operating in a distributed database architecture where all APICs maintain synchronized copies of the configuration database. This redundancy ensures high availability where fabric operations continue even if individual APICs fail. The cluster presents a single management interface with API requests and GUI sessions load balanced across healthy controllers.

Spine and leaf switches implement forwarding based on policies received from APIC but do not maintain the authoritative configuration repository. Fabric Interconnects are UCS components unrelated to ACI. The APIC’s role as central policy repository and management platform is fundamental to the ACI architecture, enabling the intent-based networking model where administrators define desired outcomes and the APIC translates these into switch configurations.

Question 148

What is the primary function of Cisco Nexus vPC peer-keepalive link?

A) To forward data plane traffic between peers

B) To monitor peer health and prevent split-brain scenarios

C) To synchronize MAC address tables

D) To provide management access

Answer: B

Explanation:

The vPC peer-keepalive link monitors the health status of the peer switch and prevents split-brain scenarios where both vPC peers could simultaneously believe they are the sole active switch. This dedicated link carries lightweight heartbeat messages between peers on a separate Layer 3 network path that is independent of the peer link, providing failure detection even when the peer link itself fails.

Keepalive messages are exchanged at regular intervals, with configurable timers typically set to a 1-second interval and a 5-second timeout. When a peer stops receiving keepalive messages, it determines whether the peer has failed or only the keepalive link has failed by checking peer link status. If both keepalive and peer link are down, the secondary peer suspends its vPC member ports to prevent both peers from simultaneously forwarding traffic, which could cause Layer 2 loops or other network issues.

The peer-keepalive link requirements are minimal as it only carries heartbeat messages rather than large data volumes. It should use a separate network path from the peer link and vPC member ports, often leveraging the management network or a dedicated Layer 3 link. This separation ensures that keepalive communication remains available even during peer link failures, providing accurate failure detection and appropriate failover behavior.

Data plane traffic between peers uses the peer link rather than keepalive link. MAC address table synchronization also traverses the peer link using Cisco Fabric Services. Management access uses dedicated management interfaces. The peer-keepalive link specifically provides the health monitoring function that enables reliable dual-active detection and prevents the split-brain conditions that would disrupt vPC operation.

Question 149

Which protocol does Cisco UCS use for server discovery and inventory?

A) SNMP

B) CDP

C) Server Discovery Protocol

D) LLDP

Answer: C

Explanation:

Cisco UCS uses the Server Discovery Protocol for automatic discovery and inventory of blade and rack servers connecting to Fabric Interconnects. When a new server chassis is connected or a new blade is inserted, the IOM modules and servers announce their presence through SDP messages, allowing the Fabric Interconnect to automatically discover the hardware and make it available for service profile association.

The discovery process begins when servers power on and communicate through the chassis backplane to IOM modules. IOMs relay server information to Fabric Interconnects including server model, CPU and memory configuration, adapter types, firmware versions, and other hardware details. This information populates UCS Manager inventory enabling administrators to view available hardware and assign service profiles.

SDP operates at a low level in the UCS infrastructure, working even before servers have IP addresses or operating systems installed. The automatic discovery eliminates manual server registration processes and enables true plug-and-play operation where administrators can insert new hardware and immediately use it for workload deployment. The continuous discovery process also detects hardware changes like memory upgrades or adapter replacements.

While SNMP can monitor UCS components, it does not provide the initial discovery mechanism. CDP is used for network device discovery but not for UCS server discovery. LLDP provides link layer discovery for Ethernet devices but is not the UCS server discovery protocol. The Server Discovery Protocol is purpose-built for UCS server infrastructure providing the automatic discovery that enables unified management.

Question 150

What is the function of the Cisco ACI endpoint retention policy?

A) To control how long physical ports remain enabled

B) To define how long endpoint information remains in the endpoint database after the endpoint disconnects

C) To manage contract expiration

D) To control tenant deletion timing

Answer: B

Explanation:

The endpoint retention policy in Cisco ACI defines how long the fabric retains information about endpoints in the endpoint database after those endpoints disconnect or become inactive. This retention affects how quickly the fabric removes stale endpoint entries and how it handles endpoints that frequently connect and disconnect, balancing between rapid cleanup that conserves resources and longer retention that accommodates intermittent connectivity patterns.

The policy includes several timers: the local endpoint aging interval that determines how long a leaf switch retains locally learned endpoint information without receiving traffic from that endpoint, the remote endpoint aging interval for endpoints learned from other leafs through the fabric, and the bounce entry aging interval that controls how long the fabric remembers endpoints that have moved between different locations in the fabric.

Appropriate retention settings depend on application behavior and endpoint characteristics. Servers with stable connectivity benefit from longer retention preventing unnecessary relearning after brief communication gaps. Mobile devices or VDI environments with frequent connection changes might use shorter timers to quickly remove stale entries. The bounce interval is particularly important in virtualized environments where VMs migrate between hosts requiring the fabric to track endpoint mobility.

The policy does not control physical port operational status which follows standard interface state management. Contract expiration and tenant deletion use separate policy mechanisms. The endpoint retention policy specifically manages the endpoint database lifecycle, controlling how the fabric maintains its distributed forwarding tables and adapts to endpoint mobility and connectivity patterns in dynamic data center environments.