Visit here for our full Cisco 350-601 exam dumps and practice test questions.
Question 196
A data center engineer is implementing VXLAN EVPN and needs to advertise host reachability information. Which BGP address family is used for EVPN route advertisement?
A) IPv4 unicast
B) IPv6 unicast
C) L2VPN EVPN
D) VPNv4
Answer: C
Explanation:
The L2VPN EVPN address family is the BGP address family that carries EVPN routes, and with them the host reachability information used in VXLAN environments. EVPN uses BGP as its control plane to distribute MAC addresses, IP addresses, and other reachability information across the VXLAN fabric. This control plane approach removes the dependence on data plane learning through flooding and provides efficient, scalable MAC and IP advertisement across the overlay network. The L2VPN EVPN address family is specifically designed to carry this Layer 2 and Layer 3 overlay reachability information between VTEPs.
EVPN defines multiple route types that serve different purposes in the overlay network. Type 2 routes advertise MAC and MAC-IP bindings, informing all VTEPs where specific hosts are located. Type 3 (Inclusive Multicast Ethernet Tag) routes advertise a VTEP's membership in a VNI and are used for BUM traffic handling and VTEP discovery. Type 5 routes carry IP prefix information for inter-subnet routing in the overlay. Each route carries the VNI (through its route target and, where applicable, the label field), the advertising VTEP's IP address as the BGP next hop, and the other attributes needed for proper forwarding. BGP carries these routes in the L2VPN EVPN address family and distributes them to all participating VTEPs in the fabric.
The BGP EVPN control plane provides significant advantages over flood-and-learn VXLAN, in which VTEPs learn remote MACs only from the data plane and every unknown destination is flooded over the underlay. It enables MAC learning without flooding by advertising MAC addresses through BGP before any data plane traffic flows. It supports optimal forwarding by giving all VTEPs complete reachability information, which largely eliminates unknown unicast flooding, and it allows ARP suppression so that ARP requests for known hosts are answered locally. It enables advanced features like distributed anycast gateway, MAC mobility detection, and multi-homing with all-active forwarding. The protocol also provides better visibility and troubleshooting capabilities through standard BGP show commands and monitoring tools.
IPv4 unicast and IPv6 unicast address families carry traditional IP routing information but do not support EVPN route types or overlay network information. VPNv4 address family is used for MPLS Layer 3 VPNs but does not carry the Layer 2 MAC address and Ethernet segment information required for VXLAN EVPN. Only the L2VPN EVPN address family provides the specialized route types and attributes needed for VXLAN overlay control plane operations.
Question 197
An administrator is configuring storage networking in a Cisco UCS environment using Fibre Channel. Which component provides Fibre Channel connectivity from UCS to the SAN?
A) Fabric Extender
B) Fabric Interconnect with FC uplink ports
C) Management port
D) Ethernet uplink port
Answer: B
Explanation:
The Fabric Interconnect with Fibre Channel uplink ports provides Fibre Channel connectivity from Cisco UCS to the SAN infrastructure. Fabric Interconnects serve as the network gateway for the entire UCS domain and can be equipped with both Ethernet and Fibre Channel connectivity through appropriate line cards or built-in ports. The FC uplink ports on Fabric Interconnects connect to external FC switches in the SAN fabric, providing the path for storage traffic to flow from UCS blade and rack servers to storage arrays. This unified connectivity model allows UCS to support converged networking with both LAN and SAN traffic managed through the same management interface.
UCS Fabric Interconnects support multiple Fibre Channel modes depending on the deployment requirements. In FC switching mode, the Fabric Interconnect operates as a full Fibre Channel switch with its own domain ID in the FC fabric, providing FC switching services and zoning capabilities. In FC end-host mode, also called NPV mode, the Fabric Interconnect acts as an FC node proxy, aggregating server HBAs and presenting them to upstream FC switches without participating in fabric services. End-host mode simplifies SAN fabric management by reducing the number of domain IDs consumed and avoiding changes to existing SAN zoning configurations.
The storage connectivity architecture in UCS involves multiple components working together. Server adapters present virtual HBAs to the operating system based on vHBA definitions in service profiles. These vHBAs map to physical adapter ports that connect through chassis I/O modules to the Fabric Interconnects. The Fabric Interconnects then forward storage traffic through their FC uplink ports to the external SAN fabric. This abstraction allows WWPNs and storage connectivity to be defined in service profiles and follow servers if they are moved or replaced, enabling stateless computing and rapid server provisioning.
Fabric Extenders (the chassis I/O modules and the FEXes used for rack servers) carry server traffic, including FCoE-encapsulated storage frames from the vHBAs, up to the Fabric Interconnects, but they have no Fibre Channel uplink ports of their own and cannot connect to a SAN. Management ports are used for out-of-band management access and do not carry storage traffic. Ethernet uplink ports carry LAN traffic, and can carry FCoE toward an FCoE-capable upstream switch, but not native Fibre Channel. Only Fabric Interconnects with dedicated FC uplink ports, or unified ports configured for FC mode, provide native Fibre Channel connectivity to external SAN infrastructure.
Question 198
A network engineer is troubleshooting an ACI fabric where endpoints are not being discovered. Which component is responsible for endpoint learning and tracking in ACI?
A) Spine switch
B) Leaf switch
C) APIC controller
D) Border leaf
Answer: B
Explanation:
Leaf switches are responsible for endpoint learning and tracking in Cisco ACI fabric. Leaf switches directly connect to endpoints including servers, storage devices, network devices, and other infrastructure, making them the natural location for endpoint discovery and tracking. When an endpoint connects to a leaf switch and begins communicating, the leaf learns the endpoint’s MAC address, IP address, VLAN or EPG association, and physical location. This endpoint information is stored in the leaf’s local endpoint database and reported to APIC for centralized visibility and policy enforcement.
ACI uses multiple mechanisms for endpoint learning depending on the traffic type and protocol. For Layer 2 endpoints, the leaf learns MAC addresses from the source MAC field of frames received on access ports. For Layer 3 endpoints, the leaf learns IP addresses from ARP packets, GARP announcements, or by examining IP headers in routed traffic (IP learning can be disabled per bridge domain). The EPG an endpoint belongs to is derived from the encapsulation (VLAN or VXLAN) on the port the endpoint arrives on: statically, through a static path binding, or dynamically, through VMM integration, which also uses LLDP or CDP to discover which leaf port a hypervisor host is attached to. All learned endpoint information includes timestamps for aging and mobility tracking.
The endpoint tracking system in ACI provides sophisticated capabilities beyond traditional MAC learning. Endpoints are associated with EPGs which determine which contracts and policies apply to their traffic. The system tracks endpoint mobility, detecting when endpoints move between leaf switches and updating forwarding information accordingly. Endpoint loop protection detects an endpoint that flaps between interfaces too often within a short window, which is the signature of a Layer 2 loop or a duplicated MAC, and can respond by disabling learning for the bridge domain or error-disabling the port. The distributed nature of endpoint learning means each leaf maintains its own endpoint table while APIC aggregates this information for global visibility and policy distribution across the fabric.
Spine switches in ACI do not learn endpoints from the data plane because they do not connect to endpoints directly; they interconnect leaf switches and forward based on VXLAN headers. Spines do hold a copy of the endpoint information, the COOP (Council of Oracle Protocol) database, but it is populated by reports from the leaf switches and is used for spine-proxy lookups when an ingress leaf has no entry for a destination. APIC controllers receive endpoint information from leaf switches for centralized visibility and policy computation but do not participate in data plane learning. Border leaf switches are leaf switches configured for external connectivity, and endpoint learning on them works identically to other leaf switches. Only leaf switches that physically connect to endpoints perform the actual endpoint discovery and learning process, so that is where to start troubleshooting: confirm the endpoint appears in the local leaf's endpoint table before looking at APIC or the spines.
Question 199
An administrator needs to configure a Cisco Nexus switch to allow SSH access while disabling Telnet for security reasons. Which command enables SSH access?
A) feature ssh
B) ssh enable
C) ip ssh enable
D) service ssh
Answer: A
Explanation:
The feature ssh command enables the SSH server on Cisco Nexus switches running NX-OS. The feature architecture in NX-OS requires explicitly enabling services before they can be configured or used, providing a modular approach that reduces resource consumption and attack surface by only loading necessary features. When the SSH feature is enabled, the switch starts the SSH server daemon, uses the configured host key (generating a default one if none exists), and begins accepting SSH connections on TCP port 22. Note that NX-OS ships with SSH enabled and Telnet disabled by default, so on a factory-default switch the command confirms the secure state rather than changing it; it still matters on a switch whose SSH feature was previously disabled, for example during a key regeneration.
After enabling the SSH feature, additional configuration steps ensure secure remote access. A server key should be generated if the default one is not acceptable, using the ssh key rsa command with an appropriate key length such as 2048 or 4096 bits; the SSH feature must be disabled while the key is replaced. Strong authentication should be configured through local usernames and passwords or, preferably, through external authentication services like TACACS+ or RADIUS. Access control lists can restrict which IP addresses are permitted to connect via SSH. NX-OS implements only SSH version 2, so there is no SSH version 1 service to disable; show ssh server reports the version and settings in use.
Disabling Telnet while enabling SSH is a security best practice because Telnet transmits all data, including usernames and passwords, in clear text, making it vulnerable to eavesdropping. SSH encrypts all session data, providing confidentiality and integrity protection. Telnet is disabled by default on NX-OS; if it was enabled, no feature telnet removes it, and show feature shows the state of both services. Additionally, an ACL on the management interface (or, on releases that support it, an access-class on the VTY lines) can restrict the sources allowed to reach the CLI at all. Management best practices recommend using SSH exclusively for remote CLI access in production environments.
The ssh enable command is not valid NX-OS syntax and would not enable SSH functionality. The ip ssh enable command does not exist in NX-OS. The service ssh command is not the correct NX-OS syntax for enabling SSH. NX-OS uses the feature command syntax for enabling major system services and protocols. Only feature ssh properly enables SSH server functionality on Nexus switches allowing secure remote management access.
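The following is an added example, not from the original page, showing the full hardening sequence the explanation describes on an NX-OS switch: SSH on, Telnet off, a replacement RSA key, TACACS+ with console fallback, and a management-interface ACL limiting where SSH connections may come from. The TACACS+ server address, shared key, ACL name and management subnet are assumed values.

```cisco
! Added example (not from the original page): hardening remote CLI access on NX-OS.
! 10.10.0.5, the TACACS+ key, MGMT-IN and 10.10.0.0/24 are assumed values.
configure terminal
! SSH is on and Telnet is off by default in NX-OS; make both explicit so the
! running-config documents the intended state.
feature ssh
no feature telnet
! Replace the default host key with a 2048-bit RSA key. The SSH feature must be
! disabled while the key is regenerated; "force" overwrites the existing key.
no feature ssh
ssh key rsa 2048 force
feature ssh
! Limit password guesses per SSH connection.
ssh login-attempts 3
! Centralized AAA, with local accounts kept for the console and for server outages.
feature tacacs+
tacacs-server host 10.10.0.5 key 0 S3cretTacacsKey
aaa group server tacacs+ TACACS-GRP
  server 10.10.0.5
  use-vrf management
aaa authentication login default group TACACS-GRP
aaa authentication login default fallback error local
aaa authentication login console local
! Only the management subnet may open SSH to mgmt0; other SSH attempts are
! dropped and logged. Non-SSH traffic is left alone by this ACL.
ip access-list MGMT-IN
  10 permit tcp 10.10.0.0/24 any eq 22
  20 deny tcp any any eq 22 log
  30 permit ip any any
interface mgmt0
  ip access-group MGMT-IN in
end
! Verify feature state, the new key fingerprint, and the server settings
! (NX-OS reports SSH version 2 here; there is no SSHv1 service to disable).
show feature | egrep "ssh|telnet"
show ssh key
show ssh server
```

Apply the ACL last and from a host inside the permitted subnet; an ACL that omits your own source address locks you out of in-band management until someone reaches the console.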
Question 200
A data center is implementing multi-tenancy using VRFs on Cisco Nexus switches. Which command creates a VRF instance?
A) vrf definition tenant-a
B) vrf context tenant-a
C) ip vrf tenant-a
D) vrf instance tenant-a
Answer: B
Explanation:
The vrf context command creates a VRF instance on Cisco Nexus switches running NX-OS. VRF instances provide routing isolation by maintaining separate routing tables for different tenants, customers, or applications sharing the same physical infrastructure. Each VRF operates as an independent routing domain with its own routing table, routing protocols, and forwarding information. This enables multi-tenancy where different organizations or applications can use overlapping IP address spaces without conflict, and traffic from one VRF cannot leak into another VRF unless explicitly permitted through route leaking or inter-VRF routing policies.
Creating and using a VRF involves multiple configuration steps. First, the VRF is created using vrf context followed by the VRF name. Under the VRF configuration mode, optional parameters can be set, including a description, a route distinguisher for MP-BGP, and address family configurations. Next, interfaces are assigned to the VRF using the vrf member command under interface configuration mode. Do this before addressing the interface: changing an interface's VRF membership removes its existing Layer 3 configuration, including the IP address, so the address must be configured (or re-entered) after the vrf member command. Finally, routing protocols can be configured to operate within specific VRFs, maintaining separate routing protocol instances for each VRF.
VRFs provide essential capabilities for data center multi-tenancy and service separation. Different customers in a managed service provider environment can use the same IP addressing schemes without conflict. Different applications or environments like production, development, and testing can be isolated from each other. Storage networks can be separated from data networks even while sharing physical infrastructure. In VXLAN environments, VRFs extend across the overlay network providing Layer 3 multi-tenancy, with VNIs carrying Layer 2 segments and VRFs providing Layer 3 routing separation within those segments.
The vrf definition command is used in traditional Cisco IOS but not in NX-OS which uses vrf context syntax. The ip vrf command is also traditional IOS syntax not applicable to NX-OS. The vrf instance command is not valid syntax in either NX-OS or IOS. Different Cisco operating systems use different VRF configuration syntaxes, with NX-OS specifically using vrf context as the command to create VRF instances.
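The steps above, carried through on NX-OS as an added example that is not from the original page: a tenant VRF with a route distinguisher and route targets, a routed interface placed in it, a BGP VRF instance, and the checks that prove the route landed in the tenant table rather than the default VRF. The VRF name, AS numbers, interface and addresses are assumed.

```cisco
! Added example (not from the original page): tenant VRF on NX-OS.
! tenant-a, AS 65000/65100, Ethernet1/10 and 10.100.1.0/24 are assumed values.
configure terminal
vrf context tenant-a
  description Tenant A production
  rd 65000:100
  address-family ipv4 unicast
    route-target import 65000:100
    route-target export 65000:100

interface Ethernet1/10
  no switchport
  ! Assign the VRF FIRST: changing an interface's VRF membership removes its
  ! existing Layer 3 configuration, including any IP address already set.
  vrf member tenant-a
  ip address 10.100.1.1/24
  no shutdown

router bgp 65000
  vrf tenant-a
    address-family ipv4 unicast
      network 10.100.1.0/24
    neighbor 10.100.1.2
      remote-as 65100
      address-family ipv4 unicast
end
! Verify: the interface belongs to the VRF, the prefix is in the tenant's
! routing table and not the default VRF's, and the peer is reachable in-VRF.
show vrf tenant-a interface
show ip route vrf tenant-a
show ip route 10.100.1.0/24
show ip bgp summary vrf tenant-a
ping 10.100.1.2 vrf tenant-a
```

The plain show ip route on the default VRF should not list 10.100.1.0/24; if it does, the interface was addressed before it was moved into the VRF, or a route leak is configured that the tenant design did not intend.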
Question 201
An engineer is implementing Enhanced Transmission Selection in a data center to provide bandwidth guarantees for different traffic classes. Which DCB feature does ETS provide?
A) Per-priority pause functionality
B) Priority-based bandwidth allocation
C) Congestion notification
D) Flow control
Answer: B
Explanation:
Enhanced Transmission Selection provides priority-based bandwidth allocation as part of the Data Center Bridging suite of standards. ETS enables administrators to allocate minimum bandwidth percentages to different priority classes, ensuring that each traffic class receives its guaranteed share of link bandwidth even during congestion. This capability is essential in converged networks where storage, voice, video, management, and data traffic share the same physical infrastructure but have different bandwidth requirements. ETS ensures that high-priority traffic like storage receives adequate bandwidth while preventing lower-priority traffic from being completely starved.
ETS operates through a weighted scheduler (deficit weighted round robin or equivalent) that allocates bandwidth according to configured percentages. Each priority (802.1p value) is mapped to a traffic class, and each traffic class is given a minimum bandwidth guarantee expressed as a percentage of total link capacity, with the percentages summing to 100. During congestion, the scheduler ensures each traffic class receives at least its configured minimum bandwidth. When a traffic class is not using its full allocation, the unused bandwidth is distributed among other active classes, preventing waste. A traffic class can also be configured as strict priority, so it is serviced before the weighted classes, which is useful for extremely latency-sensitive traffic but should be paired with a rate limit so that it cannot starve the others.
The implementation of ETS typically works alongside other DCB features to provide comprehensive QoS in converged networks. Priority Flow Control ensures lossless delivery for storage traffic, while ETS ensures adequate bandwidth is available. Together, these features enable FCoE and other storage protocols to coexist with data traffic on converged infrastructure. DCBX protocol automatically negotiates ETS parameters between adjacent devices, ensuring consistent configuration across the network. Proper ETS configuration requires understanding traffic patterns and requirements to allocate bandwidth appropriately across different classes.
Per-priority pause functionality is provided by Priority Flow Control, not ETS. Congestion notification is provided by Quantized Congestion Notification, another DCB component. Flow control is a general pause mechanism that affects all traffic, unlike the per-priority capabilities of PFC or the bandwidth allocation of ETS. Only ETS provides the priority-based minimum bandwidth guarantee functionality that ensures different traffic classes receive appropriate bandwidth shares on converged infrastructure.
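An added example, not from the original page, of the ETS-plus-PFC pairing the explanation describes, written in Nexus 5000-series QoS syntax: the network-qos policy makes the FCoE class lossless, and the queuing policy is the ETS part, giving storage a guaranteed minimum share that other classes may borrow when it is idle. The 40/60 split and the port number are assumed, and queuing syntax differs across Nexus platforms, so check the platform's QoS guide before reusing it.

```cisco
! Added example (not from the original page): ETS guarantees with PFC for FCoE,
! Nexus 5000-series syntax. The 40/60 split and Ethernet 1/1 are assumed.
configure terminal
! network-qos: class-fcoe is the PFC-paused (no-drop) class and must accept
! 2158-byte FCoE frames; the default class stays drop-eligible with jumbo MTU.
policy-map type network-qos CONVERGED-NQ
  class type network-qos class-fcoe
    pause no-drop
    mtu 2158
  class type network-qos class-default
    mtu 9216
! queuing: the ETS part. Minimum shares sum to 100 percent. An idle class gives
! its share to the others, so storage is guaranteed 40 percent, not capped at it.
policy-map type queuing ETS-OUT
  class type queuing class-fcoe
    bandwidth percent 40
  class type queuing class-default
    bandwidth percent 60
! Apply system-wide; DCBX then advertises the ETS and PFC parameters to the
! attached CNAs so both ends of each link agree.
system qos
  service-policy type network-qos CONVERGED-NQ
  service-policy type queuing output ETS-OUT
end
! Verify the queue weights and that PFC is actually negotiated on the port;
! a CNA that did not accept the DCBX parameters will show PFC as off.
show queuing interface ethernet 1/1
show interface ethernet 1/1 priority-flow-control
```

The two policies protect different things: without the no-drop class, a congested queue discards FCoE frames that Fibre Channel cannot tolerate; without the ETS weights, a burst of bulk data can push the storage queue to the back of the line even though nothing is being dropped.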
Question 202
A network administrator is configuring port security on a Cisco Nexus switch to limit MAC addresses on an access port. Which violation action immediately shuts down the port when a violation occurs?
A) protect
B) restrict
C) shutdown
D) drop
Answer: C
Explanation:
The shutdown violation action immediately places the port into an error-disabled state when a port security violation occurs. This is the most restrictive violation action available for port security, providing strong protection against unauthorized devices by completely disabling the port when a policy violation is detected. When a port enters the error-disabled state due to a port security violation, it stops forwarding all traffic and stays down until it is recovered, either manually with shutdown followed by no shutdown on the interface, or automatically by the errdisable recovery feature if that has been configured for the port security cause. Without automatic recovery, this response ensures that security violations cannot go unnoticed and forces investigation before the port is restored.
Port security violations occur when the configured MAC address limits or specific allowed MAC addresses are exceeded or violated. Common violation scenarios include connecting unauthorized devices to secured ports, connecting hubs or switches that present multiple MAC addresses, MAC address spoofing attempts, or legitimate misconfigurations where too many MAC addresses appear on a port. The shutdown action ensures these violations result in immediate service disruption to the offending port, preventing any traffic from unauthorized sources and alerting administrators through SNMP traps and syslog messages about the security event.
The shutdown violation mode is appropriate for high-security environments where unauthorized access must be prevented at any cost, even if it causes service disruption. However, this strictness requires operational procedures for responding to violations and restoring service. Administrators must investigate why violations occurred, verify that security threats are addressed, and manually recover ports from error-disabled state. The auto-recovery feature can be configured to automatically restore error-disabled ports after a timeout period, though this should be used cautiously as it reduces the security benefit of requiring manual intervention.
The protect violation action silently drops frames from unauthorized MAC addresses but keeps the port operational and records nothing, which avoids service disruption but leaves the event invisible. The restrict action also keeps the port up and drops the offending frames, but increments the violation counter and generates syslog messages and SNMP traps, providing logging without a full shutdown. The drop action is not a standard port security violation mode. Only the shutdown action provides the immediate port disabling response that takes the port offline when a violation occurs.
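The configuration behind this question, as an added example that is not from the original page: port security with a single sticky-learned host and the shutdown action on an NX-OS access port, the optional automatic recovery the explanation warns about, and the commands used to see why a port went down and to bring it back by hand. The interface, VLAN and recovery interval are assumed.

```cisco
! Added example (not from the original page): NX-OS port security with the
! shutdown violation action. Ethernet1/5, VLAN 100 and 600 seconds are assumed.
configure terminal
feature port-security
interface Ethernet1/5
  switchport
  switchport mode access
  switchport access vlan 100
  switchport port-security
  ! Exactly one host: the first MAC seen is learned and saved as sticky;
  ! any second source MAC on the port is a violation.
  switchport port-security maximum 1
  switchport port-security mac-address sticky
  switchport port-security violation shutdown
  no shutdown
! Optional: recover err-disabled ports automatically after 10 minutes.
! Leave this out where policy requires a person to investigate first; with it,
! an attacker's device simply gets retried every interval.
errdisable recovery cause psecure-violation
errdisable recovery interval 600
end
! After a violation the port reports err-disabled, and port-security shows the
! violation count and the last MAC that tripped it.
show interface ethernet 1/5 | egrep "disabled|line protocol"
show port-security interface ethernet 1/5
show port-security address
! Manual recovery once the cause is understood and the rogue device is gone:
configure terminal
interface Ethernet1/5
  shutdown
  no shutdown
end
```

Sticky learning saves the learned address into the running configuration, so copy it to startup if the binding should survive a reload; otherwise the first device plugged in after the reboot becomes the trusted one.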
Question 203
An engineer is designing a VXLAN fabric and needs to minimize BUM traffic flooding. Which EVPN route type is used for efficient multicast and broadcast handling?
A) Type 1 – Ethernet Auto-Discovery
B) Type 2 – MAC/IP Advertisement
C) Type 3 – Inclusive Multicast Ethernet Tag
D) Type 5 – IP Prefix Route
Answer: C
Explanation:
EVPN Type 3 routes, known as Inclusive Multicast Ethernet Tag routes, are used for efficient handling of broadcast, unknown unicast, and multicast traffic in VXLAN fabrics. Each VTEP advertises a Type 3 route for every VNI it participates in, informing other VTEPs that it has endpoints in that VNI and should receive BUM traffic for that segment. The route carries a PMSI tunnel attribute that tells the receivers how to deliver that traffic: by ingress replication to the advertising VTEP's address, or over an underlay multicast group. This control plane-based approach is more efficient and scalable than flooding to every VTEP, because the distribution list is built from explicit membership rather than from whatever happened to be learned in the data plane.
When BUM traffic needs to be forwarded in a VXLAN EVPN environment, the source VTEP uses the information from Type 3 routes to determine which remote VTEPs need to receive copies of the traffic. The implementation can use ingress replication where the source VTEP creates individual unicast copies to each interested VTEP, or it can leverage multicast in the underlay where available. Ingress replication is common in spine-leaf architectures because it eliminates the need for multicast protocol configuration in the underlay and works well with the equal-cost multipath characteristics of these topologies. The Type 3 routes ensure that BUM traffic only reaches VTEPs that actually have endpoints in the relevant VNI.
The efficiency gains from Type 3 routes are significant compared to traditional flooding mechanisms. Without EVPN, unknown unicast traffic would be flooded to all VTEPs in a VNI regardless of whether they have interested endpoints. Type 3 routes enable selective BUM traffic distribution only to VTEPs that have advertised membership in the VNI. As MAC addresses are learned through Type 2 routes, unknown unicast flooding decreases further because the fabric knows exactly where each MAC address is located. This combination of Type 2 and Type 3 routes dramatically reduces unnecessary flooding across the fabric.
Type 1 routes are used for Ethernet segment discovery and designated forwarder election in multi-homing scenarios but not for BUM traffic handling. Type 2 routes advertise specific MAC and IP addresses for unicast forwarding but do not handle BUM traffic distribution. Type 5 routes carry IP prefix information for inter-subnet routing and are not involved in Layer 2 BUM traffic forwarding. Only Type 3 routes provide the VNI membership advertisement needed for efficient BUM traffic distribution in VXLAN EVPN environments.
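The control plane from Question 196 and the BUM handling from this question meet in the VTEP configuration. The following is an added example, not from the original page, of a Nexus 9000 leaf configured as a VTEP: BGP runs the L2VPN EVPN address family toward a route reflector, and the VNI uses BGP-driven ingress replication so that the list of VTEPs receiving BUM traffic is built from Type 3 routes. The AS number, VNI, VLAN, loopback and route-reflector addresses are assumed, and the underlay IGP that makes the loopbacks reachable is omitted.

```cisco
! Added example (not from the original page): Nexus 9000 leaf as an EVPN VTEP.
! AS 65000, VLAN 100/VNI 10100, loopback 10.0.0.11 and route reflector 10.0.0.1
! are assumed values; the underlay IGP (OSPF/IS-IS for loopback reachability)
! is not shown.
feature bgp
feature nv overlay
feature vn-segment-vlan-based
nv overlay evpn

vlan 100
  vn-segment 10100

interface loopback0
  ip address 10.0.0.11/32

interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback0
  member vni 10100
    ! BUM traffic is unicast-replicated to every VTEP that advertised a
    ! Type 3 route for this VNI; no PIM in the underlay is required.
    ingress-replication protocol bgp

router bgp 65000
  router-id 10.0.0.11
  neighbor 10.0.0.1
    remote-as 65000
    update-source loopback0
    ! The L2VPN EVPN address family is what carries Type 2/3/5 routes;
    ! extended communities carry the route targets that select the VNI.
    address-family l2vpn evpn
      send-community extended

evpn
  vni 10100 l2
    rd auto
    route-target import auto
    route-target export auto

! Verify: the session must show prefixes received under l2vpn evpn, each remote
! VTEP must appear as a Type 3 route for the VNI and as an NVE peer, and host
! MAC/IP bindings arrive as Type 2 routes.
show bgp l2vpn evpn summary
show bgp l2vpn evpn route-type 3
show bgp l2vpn evpn route-type 2
show nve vni 10100
show nve peers
```

If a remote VTEP is missing from show nve peers but present in the Type 3 output, the usual cause is an underlay reachability problem to its loopback; if it is missing from the Type 3 output as well, check that the VNI's route targets match on both sides.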
Question 204
A data center administrator needs to configure NTP on Cisco Nexus switches to ensure accurate time synchronization. Which command configures an NTP server?
A) ntp server 10.1.1.1
B) ntp source 10.1.1.1
C) ntp peer 10.1.1.1
D) clock set ntp 10.1.1.1
Answer: A
Explanation:
The ntp server command configures an NTP server that the Cisco Nexus switch will synchronize with for accurate time keeping. NTP is essential in data center environments because accurate and synchronized time across all devices is critical for log correlation, security event analysis, certificate validation, authentication protocols, and distributed application coordination. When an NTP server is configured, the switch periodically queries that server to adjust its local clock, maintaining synchronization within milliseconds of the authoritative time source. Multiple NTP servers can be configured for redundancy and reliability.
NTP operates in a hierarchical architecture with stratum levels indicating distance from authoritative time sources. Stratum 0 devices are atomic clocks or GPS receivers that provide the fundamental time reference. Stratum 1 servers synchronize directly with stratum 0 devices and serve as primary time sources. Stratum 2 devices synchronize with stratum 1 servers, and so on. When configuring NTP on data center switches, best practice is to synchronize with multiple stratum 1 or stratum 2 NTP servers, preferably from different physical locations or network paths for resilience against network partitions or server failures.
NTP configuration on Nexus switches supports additional options beyond basic server specification. The prefer keyword can designate a preferred NTP server that is chosen over others when available. Authentication can be enabled (ntp authenticate with a trusted key) to verify NTP packets, preventing time injection attacks. Source interface specification ensures NTP packets originate from a specific interface rather than the outgoing interface's address. Access control (ntp access-group) can restrict which devices can query the switch's NTP service. The show ntp peers command lists the configured servers and peers; show ntp peer-status shows each one's stratum, polling interval, reachability and delay, and marks the server the switch is currently synchronized to, while show ntp statistics peer reports the offset measured against a given server.
The ntp source command specifies which local interface address to use as the source for NTP packets but does not configure an NTP server to synchronize with. The ntp peer command configures symmetric peer relationships where both devices can synchronize with each other, used between switches of similar authority rather than for client-server relationships. The clock set command manually sets the system clock but does not configure NTP synchronization. Only ntp server configures the switch to synchronize its clock with an external NTP server for ongoing accurate time keeping.
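An added example, not from the original page, of the options the explanation lists combined on NX-OS: two authenticated servers, one preferred, packets sourced from mgmt0, and access groups that separately limit where the switch accepts time from and who may ask it for time. The server addresses, key, subnet and ACL names are assumed.

```cisco
! Added example (not from the original page): authenticated NTP on NX-OS.
! 10.1.1.1/10.1.1.2, the MD5 key, 10.1.0.0/16 and the ACL names are assumed.
configure terminal
! Authentication first, so the servers below can reference a trusted key.
ntp authentication-key 1 md5 Ntp-K3y-Example
ntp trusted-key 1
ntp authenticate
ntp server 10.1.1.1 key 1 prefer use-vrf management
ntp server 10.1.1.2 key 1 use-vrf management
ntp source-interface mgmt0
! peer group: the only addresses whose time this switch will accept.
! serve-only group: the only clients allowed to request time from it.
! Leaving the peer group out while adding serve-only is a classic lockout:
! responses from the real servers would then be discarded too.
ip access-list NTP-SERVERS
  10 permit ip host 10.1.1.1 any
  20 permit ip host 10.1.1.2 any
ip access-list NTP-CLIENTS
  10 permit ip 10.1.0.0/16 any
ntp access-group peer NTP-SERVERS
ntp access-group serve-only NTP-CLIENTS
end
! Verify: the * marks the server the clock is synchronized to, with stratum,
! poll interval, reachability and delay per server. A server with no * and a
! reach value that never rises usually means a key mismatch or an ACL/VRF problem.
show ntp peer-status
show ntp statistics peer ipaddr 10.1.1.1
show clock
```

Pick servers at different strata or sites rather than two addresses on the same host: the switch can only detect a lying or broken source when it has an independent one to compare against.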
Question 205
An engineer is implementing RBAC on Cisco Nexus switches to provide granular access control. Which component defines what actions a user can perform?
A) User account
B) User role
C) AAA server group
D) VLAN access list
Answer: B
Explanation:
User roles define what actions a user can perform in the Role-Based Access Control model on Cisco Nexus switches. RBAC provides granular access control by separating user identity from permissions through an intermediate role abstraction. Roles define sets of permitted operations and commands, and users are assigned to one or more roles that grant them specific capabilities. This separation enables flexible permission management where changing a role’s capabilities automatically affects all users assigned to that role, and assigning users to different roles immediately changes their access without modifying individual user accounts.
NX-OS includes several predefined roles with different privilege levels. The network-admin role has complete read-write access to the entire system equivalent to superuser privileges. The network-operator role has read-only access allowing monitoring and verification but preventing configuration changes. The vdc-admin and vdc-operator roles provide similar capabilities scoped to specific virtual device contexts in systems supporting VDCs. Custom roles can be created to provide precise privilege definitions, allowing administrators to grant specific command access while denying others, implementing least-privilege security principles.
Creating custom roles involves defining rule sets that permit or deny access to specific commands or command groups. Rules can match commands using exact syntax or wildcards, or can grant read or read-write access to a whole feature, enabling flexible permission definitions. Commands can be permitted for reading but denied for configuration, allowing users to view settings without modifying them. NX-OS evaluates a role's rules in descending order of rule number (the highest-numbered rule is checked first), and the first matching rule decides; anything no rule permits is denied. The feature-group mechanism provides convenient permission sets for common features like QoS, security, or routing, which can be granted to roles as complete units rather than defining individual command permissions. Roles can additionally be scoped with interface, VLAN, and VRF policies so that read-write rules apply only to a subset of those resources.
User accounts identify individuals and include authentication credentials but do not themselves define permissions. AAA server groups provide external authentication and authorization services but the actual permission definitions still come from configured roles. VLAN access lists control network traffic forwarding and are unrelated to administrative access control. Only user roles provide the actual permission definitions that determine which commands and operations users can perform on the system based on their assigned roles.
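A least-privilege custom role as an added example, not from the original page: a tenant operations team may read everything except the full running configuration, and may change only its own interfaces and VRF. The rule numbering is deliberate, since NX-OS checks the highest-numbered rule first. The role name, user, interface range and VRF name are assumed.

```cisco
! Added example (not from the original page): scoped custom role on NX-OS.
! tenant-a-ops, alice, ethernet 1/10-19 and VRF tenant-a are assumed values.
configure terminal
role name tenant-a-ops
  description Tenant A operators: read everything, change only tenant-a objects
  ! Rules are evaluated from the highest number down and the first match wins;
  ! anything no rule permits is denied. Rule 40 is checked first, so the full
  ! running-config (other tenants' settings, keys) stays hidden even though
  ! rule 30 grants read access to every feature.
  rule 40 deny command show running-config *
  rule 30 permit read
  rule 20 permit read-write feature vrf
  rule 10 permit read-write feature interface
  ! Scope the read-write rules: only these interfaces and this VRF are writable.
  interface policy deny
    permit interface ethernet 1/10-19
  vrf policy deny
    permit vrf tenant-a
username alice password Tn-a-0perat0r role tenant-a-ops
end
! Verify the rules in the order the switch will apply them, and the user's roles.
show role name tenant-a-ops
show user-account alice
```

Test the role from a second session before handing it out: log in as the user, confirm show running-config is refused while show interface succeeds, and confirm a configuration change on an interface outside the permitted range is rejected.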
Question 206
A network administrator needs to verify the operational status of all interfaces on a Cisco Nexus switch including port channel interfaces. Which command provides this comprehensive interface status information?
A) show interface status
B) show interface brief
C) show ip interface brief
D) show port-channel summary
Answer: B
Explanation:
The show interface brief command provides a one-line operational summary for every interface on a Cisco Nexus switch: physical Ethernet ports, port channels, loopback interfaces, the management interface, and VLAN interfaces (SVIs). For each interface type it prints a compact table with the operational status, the reason for a down state, the port mode (access, trunk, or routed), speed, and, for Ethernet ports, the port channel they belong to; the mgmt0 section additionally shows the VRF, IP address, and MTU. The brief format presents this essential information in a concise table that fits on screen and enables quick assessment of overall interface status across the switch, making it the preferred command for general interface status verification.
The output from show interface brief includes critical status indicators that administrators use for troubleshooting and verification. The Status column displays the operational state (up or down). The Reason column explains a down state, for example Administratively down, Link not connected, SFP not inserted, or errDisabled; this is how an administratively disabled port is distinguished from one with a cabling, transceiver, or security problem. The Mode and Port Ch # columns show how the port is being used and whether it is bundled. This contextual information helps identify why interfaces are not operational without requiring detailed debugging.
For port channel interfaces, show interface brief displays each port channel as a single logical interface with its operational status reflecting the combined state of its member links. This provides quick visibility into whether aggregated links are functioning. The command also shows sub-interfaces, SVI interfaces for VLANs, and logical interfaces like loopback and tunnel interfaces, providing a complete view of all interface types. This comprehensive coverage makes it more useful than commands that only display physical interface status or specific interface types.
The show interface status command is oriented to switchport attributes (name, VLAN, duplex, speed, and type) and does not report the reason for a down interface or cover every logical interface type. The show ip interface brief command is familiar from traditional Cisco IOS, but in NX-OS it lists only interfaces with IP configuration, while show interface brief covers all interfaces. The show port-channel summary command specifically displays port channel status and member-link flags but does not show other interface types. Only show interface brief provides the complete view across all interface types in a concise format.
Question 207
An engineer is configuring a Cisco Nexus switch to support jumbo frames for storage traffic. Which command sets the MTU size on an interface?
A) mtu 9216
B) system jumbomtu 9216
C) ip mtu 9216
D) interface mtu 9216
Answer: A
Explanation:
The mtu command, entered in interface configuration mode, sets the Maximum Transmission Unit of a Cisco Nexus interface: the largest frame the interface will transmit or accept. Standard Ethernet uses 1500 bytes; jumbo frames go up to 9216 bytes on Nexus platforms, which is also the default value of system jumbomtu. Jumbo frames help storage traffic because a large transfer is carried in roughly one sixth as many frames, which lowers per-packet CPU and interrupt overhead on hosts and storage targets and raises the throughput achievable by protocols such as iSCSI and NFS. They do not reduce latency; the benefit is efficiency, not delay.
Jumbo frames require end-to-end MTU consistency. Every device and link between the communicating endpoints must accept the chosen size. A Layer 2 device silently drops frames larger than its MTU, and a Layer 3 hop either fragments the packet (if the DF bit is clear) or drops it and returns an ICMP Fragmentation Needed message (if DF is set, as it is for most TCP traffic), so a mismatch typically shows up as stalled large transfers while small pings still succeed. A direct check is a ping with the don't-fragment bit set and a payload sized for the target MTU, for example ping <host> packet-size 9216 df-bit on NX-OS or ping -M do -s 8972 <host> on Linux (8972 bytes of payload plus 8 bytes ICMP and 20 bytes IP headers equals 9000). In a data center this means matching MTU on server NICs, access and aggregation switches, and storage arrays. The system jumbomtu command does not set a default for new interfaces: it sets the largest jumbo MTU the switch allows (1500 to 9216, default 9216), and a per-interface mtu value cannot exceed it.
Interface types behave differently. Layer 2 switchports default to 1500 bytes; on several Nexus platforms (the Nexus 7000 among them) a Layer 2 port's mtu can be set only to 1500 or to the current system jumbomtu value, and on the Nexus 5000/5500/6000 the Layer 2 MTU is configured in a network-qos policy rather than per interface. Layer 3 routed interfaces and SVIs each need an explicit mtu command; an SVI's MTU is independent of the physical ports in its VLAN, so it is easy to leave an SVI at 1500 while the ports carry 9216. For port channels, mtu is configured on the port-channel interface and propagates to the members; a member whose MTU differs from the port-channel fails the channel-group compatibility check and is not bundled. The show interface command displays the current MTU of every interface and is the quickest way to verify consistency along a path.
Among the distractors, system jumbomtu is a global limit, not an interface setting, and changing it does not alter the MTU of existing interfaces. ip mtu is an IOS and IOS XE interface command that sets the MTU for IP packets separately from the Layer 2 frame size; NX-OS uses the single mtu command, which governs the interface for both Layer 2 and Layer 3 traffic. interface mtu 9216 is not valid syntax: mtu is a subcommand entered after the interface command, not a keyword of it. Only mtu 9216 under interface configuration sets the Maximum Transmission Unit of a specific interface.
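Verifying consistency by eye across dozens of ports is error-prone, so here is a small parser, added for this explanation and not part of the exam page, that reads NX-OS show interface output and flags port-channel members that disagree with their port-channel as well as any interface still below the target MTU. The sample output embedded below is constructed to resemble NX-OS formatting (the "Belongs to PoN" and "MTU N bytes" lines) and is not a capture from a real switch.

```python
"""Check MTU consistency from NX-OS 'show interface' output.

Added example, not from the exam page. The sample text below is constructed
to look like NX-OS output and is not a capture from a switch.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: two members of port-channel10 (one left at 1500), the
# port-channel itself, an SVI still at 1500, and a standalone port at 9216.
SAMPLE_SHOW_INTERFACE = """\
Ethernet1/1 is up
admin state is up, Dedicated Interface
  Belongs to Po10
  Hardware: 10000 Ethernet, address: 0000.0c11.0001 (bia 0000.0c11.0001)
  MTU 9216 bytes, BW 10000000 Kbit , DLY 10 usec
Ethernet1/2 is up
admin state is up, Dedicated Interface
  Belongs to Po10
  Hardware: 10000 Ethernet, address: 0000.0c11.0002 (bia 0000.0c11.0002)
  MTU 1500 bytes, BW 10000000 Kbit , DLY 10 usec
port-channel10 is up
admin state is up
  Hardware: Port-Channel, address: 0000.0c11.0001 (bia 0000.0c11.0001)
  MTU 9216 bytes, BW 20000000 Kbit , DLY 10 usec
Vlan100 is up, line protocol is up, autostate enabled
  Hardware EtherSVI, address is  0000.0c11.00aa
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec
Ethernet1/3 is up
admin state is up, Dedicated Interface
  Hardware: 10000 Ethernet, address: 0000.0c11.0003 (bia 0000.0c11.0003)
  MTU 9216 bytes, BW 10000000 Kbit , DLY 10 usec
"""

HEADER_RE = re.compile(r"^(\S+) is (?:up|down)")  # interface block starts at column 0
MTU_RE = re.compile(r"^\s+MTU (\d+) bytes")
MEMBER_RE = re.compile(r"^\s+Belongs to (\S+)")


def _canonical(name: str) -> str:
    """Expand the short PoN form used in 'Belongs to' lines to port-channelN."""
    m = re.fullmatch(r"Po(\d+)", name)
    return f"port-channel{m.group(1)}" if m else name


def parse_show_interface(text: str) -> Dict[str, dict]:
    """Map interface name -> {'mtu': int or None, 'parent': port-channel name or None}."""
    interfaces: Dict[str, dict] = {}
    current: Optional[str] = None
    for line in text.splitlines():
        header = HEADER_RE.match(line)
        if header:
            current = header.group(1)
            interfaces[current] = {"mtu": None, "parent": None}
            continue
        if current is None:
            continue
        mtu = MTU_RE.match(line)
        if mtu:
            interfaces[current]["mtu"] = int(mtu.group(1))
            continue
        member = MEMBER_RE.match(line)
        if member:
            interfaces[current]["parent"] = _canonical(member.group(1))
    return interfaces


def find_mtu_problems(interfaces: Dict[str, dict], expected_mtu: int = 9216) -> List[Tuple[str, str]]:
    """Report members that disagree with their port-channel and anything below the target MTU."""
    problems: List[Tuple[str, str]] = []
    for name, info in interfaces.items():
        mtu = info["mtu"]
        if mtu is None:
            problems.append((name, "no MTU line found"))
            continue
        parent = info["parent"]
        if parent in interfaces and interfaces[parent]["mtu"] not in (None, mtu):
            problems.append((name, f"member MTU {mtu} differs from {parent} MTU {interfaces[parent]['mtu']}"))
        if mtu < expected_mtu:
            problems.append((name, f"MTU {mtu} below expected {expected_mtu}"))
    return problems


if __name__ == "__main__":
    for iface, problem in find_mtu_problems(parse_show_interface(SAMPLE_SHOW_INTERFACE)):
        print(f"{iface}: {problem}")
```

Feed it the output of show interface collected from each switch in the path (for example over SSH with a tool of your choice) and compare the reports; an SVI at 1500 between two 9216 links is the most common finding, since it is the one setting that show interface brief does not make obvious.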
Question 208
A data center is implementing Cisco ACI and needs to connect to external networks. Which ACI component provides Layer 3 connectivity to outside networks?
A) Spine switch
B) Standard leaf switch
C) Border leaf switch with L3Out
D) APIC controller
Answer: C
Explanation:
Border leaf switches with a Layer 3 Outside (L3Out) provide Layer 3 connectivity from the Cisco ACI fabric to external networks. An L3Out defines the connection parameters, routing protocol and policies for integrating the fabric with traditional networks, WAN links, internet connections or other data center fabrics. A border leaf is simply a leaf that hosts an L3Out; it peers with external routers using OSPF, BGP or EIGRP, or uses static routes, to exchange routing information. This lets endpoints inside ACI reach external resources while the traffic remains subject to ACI's policy model.
An L3Out is built from several objects. The L3Out itself names the VRF it belongs to, the Layer 3 domain, and the routing protocol through an OSPF, BGP or EIGRP external profile. Logical node profiles name the border leaf switches that host the connection and assign each a router ID. Logical interface profiles define the routed, sub-interface, SVI or port-channel interfaces facing the external routers, with their IP addressing and protocol parameters. External EPGs represent the outside networks reachable through the L3Out: each is defined by one or more subnets, and a subnet marked External Subnets for the External EPG classifies matching external sources into that EPG so that contracts with internal EPGs apply to them.
Policy enforcement extends to external connectivity through contracts between internal EPGs and external EPGs. Without a contract, traffic between the fabric and the outside is dropped, the same default-deny that applies inside the fabric. Classification is by subnet: 0.0.0.0/0 with the External Subnets for the External EPG flag catches every external source, so a permissive contract on such an EPG exposes the fabric to the whole outside, which is why external networks of different trust levels (corporate WAN versus internet, for instance) are normally split into separate external EPGs with separate contracts. Route control profiles (route maps) filter which prefixes are advertised to or accepted from external peers, and BGP peer settings carry authentication, timers, AS-path and community handling.
Spine switches do not terminate L3Outs; they provide transit between leaves (their only external-facing links are the inter-pod network in Multi-Pod and the WAN routers in GOLF, neither of which is an L3Out for tenant endpoints). Any leaf becomes a border leaf by hosting an L3Out; the term is a role, not a hardware model, although large fabrics usually concentrate the role on a dedicated pair so that external routing and server ports are not mixed on the same switches. APIC controllers are management-plane devices that do not forward data-plane traffic to external networks. Only border leaf switches with an L3Out provide Layer 3 connectivity from an ACI fabric to outside networks.
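To make the object hierarchy described above concrete, here is an added example (not code from the exam page or from Cisco) that builds the JSON an APIC accepts for one OSPF L3Out on one border leaf and then lints it for the omissions that most often leave an L3Out unable to pass traffic, or passing far too much. Class and attribute names follow the APIC object model (fvTenant, l3extOut, l3extRsEctx, l3extLNodeP, l3extRsNodeL3OutAtt, l3extLIfP, l3extRsPathL3OutAtt, l3extInstP, l3extSubnet, fvRsCons, ospfExtP); the tenant, VRF, domain, node, path, address and contract values are assumptions chosen for illustration.

```python
"""Build an APIC L3Out payload and lint it for the usual misconfigurations.

Added example, not the exam page's or Cisco's code. Class and attribute names
follow the APIC object model; tenant, VRF, node, path and address values are
assumed for illustration.
"""
from typing import Any, Dict, List, Optional

MO = Dict[str, Any]  # one managed object: {"class": {"attributes": {...}, "children": [...]}}


def build_l3out(tenant: str, name: str, vrf: str, l3dom: str, node_dn: str, router_id: str,
                path_dn: str, if_addr: str, ext_subnets: List[str],
                contract: Optional[str]) -> MO:
    """fvTenant payload creating one OSPF L3Out on one border leaf with one external EPG."""
    node_profile: MO = {"l3extLNodeP": {"attributes": {"name": f"{name}-nodep"}, "children": [
        {"l3extRsNodeL3OutAtt": {"attributes": {"tDn": node_dn, "rtrId": router_id, "rtrIdLoopBack": "yes"}}},
        {"l3extLIfP": {"attributes": {"name": f"{name}-ifp"}, "children": [
            {"l3extRsPathL3OutAtt": {"attributes": {
                "tDn": path_dn, "ifInstT": "l3-port", "addr": if_addr, "mtu": "9216"}}},
        ]}},
    ]}}
    # import-security is the "External Subnets for the External EPG" flag.
    epg_children: List[MO] = [
        {"l3extSubnet": {"attributes": {"ip": s, "scope": "import-security"}}} for s in ext_subnets]
    if contract:
        epg_children.append({"fvRsCons": {"attributes": {"tnVzBrCPName": contract}}})
    ext_epg: MO = {"l3extInstP": {"attributes": {"name": f"{name}-extepg"}, "children": epg_children}}
    l3out: MO = {"l3extOut": {"attributes": {"name": name}, "children": [
        {"l3extRsEctx": {"attributes": {"tnFvCtxName": vrf}}},
        {"l3extRsL3DomAtt": {"attributes": {"tDn": f"uni/l3dom-{l3dom}"}}},
        {"ospfExtP": {"attributes": {"areaId": "0.0.0.1", "areaType": "regular"}}},
        node_profile,
        ext_epg,
    ]}}
    return {"fvTenant": {"attributes": {"name": tenant}, "children": [l3out]}}


def _kids(mo: MO, cls: str) -> List[MO]:
    """Children of a managed object whose class is cls."""
    body = next(iter(mo.values()))
    return [c for c in body.get("children", []) if cls in c]


def _attrs(mo: MO) -> Dict[str, str]:
    return next(iter(mo.values()))["attributes"]


def lint_l3out(payload: MO) -> List[str]:
    """Findings that would leave the L3Out unable to pass traffic, or passing too much."""
    findings: List[str] = []
    for l3out in _kids(payload, "l3extOut"):
        name = _attrs(l3out)["name"]
        if not _kids(l3out, "l3extRsEctx"):
            findings.append(f"{name}: no VRF bound (l3extRsEctx missing)")
        nodes = [n for np in _kids(l3out, "l3extLNodeP") for n in _kids(np, "l3extRsNodeL3OutAtt")]
        if not nodes:
            findings.append(f"{name}: no border leaf in any node profile")
        for n in nodes:
            if not _attrs(n).get("rtrId"):
                findings.append(f"{name}: {_attrs(n)['tDn']} has no router ID")
        for epg in _kids(l3out, "l3extInstP"):
            ename = _attrs(epg)["name"]
            classifying = [s for s in _kids(epg, "l3extSubnet") if "import-security" in _attrs(s)["scope"]]
            if not classifying:
                findings.append(f"{ename}: no subnet with import-security scope, so no external source maps to it")
            if any(_attrs(s)["ip"] == "0.0.0.0/0" for s in classifying):
                findings.append(f"{ename}: 0.0.0.0/0 classifies every external source; confirm the contract is meant to be that broad")
            if not (_kids(epg, "fvRsCons") or _kids(epg, "fvRsProv")):
                findings.append(f"{ename}: no contract attached, traffic to and from the outside will be dropped")
    return findings


# Constructed samples; values are illustrative, not from a real fabric.
SAMPLE_GOOD = build_l3out("prod", "wan", "prod-vrf", "wan-l3dom",
                          "topology/pod-1/node-101", "10.0.0.101",
                          "topology/pod-1/paths-101/pathep-[eth1/48]", "192.0.2.1/30",
                          ["198.51.100.0/24"], "wan-to-web")
SAMPLE_RISKY = build_l3out("prod", "wan", "prod-vrf", "wan-l3dom",
                           "topology/pod-1/node-101", "10.0.0.101",
                           "topology/pod-1/paths-101/pathep-[eth1/48]", "192.0.2.1/30",
                           ["0.0.0.0/0"], None)

if __name__ == "__main__":
    import json
    print(json.dumps(SAMPLE_GOOD, indent=2))
    for finding in lint_l3out(SAMPLE_RISKY):
        print("finding:", finding)
```

The payload is what you would POST to /api/mo/uni.json on an APIC after authenticating; running the lint on the JSON before posting, or on a GET of an existing tenant, catches the two failure modes the explanation warns about: an external EPG that classifies nothing (so the contract never matches) and a catch-all 0.0.0.0/0 EPG with no contract review.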
Question 209
An administrator is troubleshooting HSRP configuration on a Cisco Nexus switch. Which HSRP state indicates that the router is actively forwarding traffic for the virtual IP address?
A) Standby
B) Listen
C) Active
D) Init
Answer: C
Explanation:
The Active state indicates that the router is currently forwarding traffic for the virtual IP address and serving as the gateway for hosts in that subnet. The Active router owns the group's virtual MAC address (0000.0c07.acXX for HSRP version 1 and 0000.0c9f.fXXX for version 2, where XX or XXX is the group number in hexadecimal), answers ARP requests for the virtual IP, and forwards every packet addressed to the virtual MAC. The other members of the group wait in Standby or lower states, ready to take over if the Active router fails.
HSRP defines six states. Init is the starting state, used while HSRP is being configured or the interface is down. Learn means the router has not yet learned the virtual IP address from a hello. Listen means the router knows the virtual IP and monitors hellos but is neither Active nor Standby. Speak means the router is sending hellos and taking part in the election. Standby is the backup, ready to become Active, and Active is the forwarding gateway. Election selects the highest priority, with ties broken by the highest interface IP address. Only one router is Active per group and one is Standby; any others remain in Listen.
The Active router sends periodic hellos (every 3 seconds by default, with a 10 second hold time; NX-OS also accepts millisecond timers), holds the virtual MAC, forwards packets sent to the virtual IP and answers ARP for it. If its hellos stop, the Standby router detects the failure when the hold timer expires, transitions to Active and assumes the virtual MAC and gateway duties, so failover completes in roughly the hold time unless the timers are tuned lower. Preempt is off by default: a recovering router with a higher priority retakes the Active role only if preempt is configured, whereas the Standby role always goes to the best remaining router. Two further points matter on Nexus. In a vPC pair only one peer is Active in the control plane, but both peers forward traffic arriving on their vPC member ports for the virtual MAC, so the Standby peer routes locally rather than sending packets across the peer link. And because any host on the segment can send a hello claiming a higher priority and cause the Active router to resign, the group should use MD5 authentication (authentication md5 key-string or key-chain under the hsrp group) instead of the default cleartext key.
The Standby state indicates a backup router ready to take over but not currently forwarding traffic. The Listen state represents a router that is aware of the group but is neither Active nor Standby. The Init state is the initialization state before HSRP is operational. Only the Active state indicates the router that is forwarding traffic for the virtual gateway address and serving as the functional default gateway for hosts in the subnet.
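The state transitions above are easier to reason about as code. The following is an added example, written for this explanation and not taken from the exam page or from any Cisco implementation, that models one HSRP group: election by priority then IP address, hold-timer failover, preempt applying to the Active role only, and hellos that fail authentication being ignored. The router names, addresses, priorities and the key s3cret are assumed values; timers are plain floating-point seconds rather than real clocks.

```python
"""Simulate HSRP role election, hold-timer failover and preemption.

Added example, not from the exam page. Router names, addresses and the
authentication key are assumed; the behaviour modelled is the protocol's:
highest priority wins, ties go to the highest IP, only Active is protected
by preempt, hellos with a bad authentication key are ignored.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _rank(priority: int, ip: str) -> Tuple[int, Tuple[int, ...]]:
    """HSRP ordering: higher priority first, then higher interface IP."""
    return (priority, tuple(int(o) for o in ip.split(".")))


@dataclass
class Router:
    name: str
    ip: str
    priority: int = 100
    preempt: bool = False
    state: str = "Init"  # Init, Learn, Listen, Speak, Standby, Active


class HsrpGroup:
    """One HSRP group on one subnet. Times are seconds; default hold time is 10 s."""

    def __init__(self, vip: str, key: str, hold_time: float = 10.0):
        self.vip, self.key, self.hold_time = vip, key, hold_time
        self.routers: Dict[str, Router] = {}
        self.last_hello: Dict[str, float] = {}

    def active(self) -> Optional[Router]:
        return next((r for r in self.routers.values() if r.state == "Active"), None)

    def standby(self) -> Optional[Router]:
        return next((r for r in self.routers.values() if r.state == "Standby"), None)

    def _elect(self) -> None:
        """Assign Active and Standby among the routers that are up."""
        up = [r for r in self.routers.values() if r.state != "Init"]
        if not up:
            return
        best = max(up, key=lambda r: _rank(r.priority, r.ip))
        act = self.active()
        # A better router takes Active only if it is allowed to preempt.
        if act is None or (best is not act and best.preempt
                           and _rank(best.priority, best.ip) > _rank(act.priority, act.ip)):
            if act is not None:
                act.state = "Listen"
            best.state = "Active"
            act = best
        # Standby is always the best of the rest; preempt does not apply to it.
        others = [r for r in up if r is not act]
        for r in others:
            r.state = "Listen"
        if others:
            max(others, key=lambda r: _rank(r.priority, r.ip)).state = "Standby"

    def interface_up(self, router: Router, now: float) -> None:
        router.state = "Speak"
        self.routers[router.name] = router
        self.last_hello[router.name] = now
        self._elect()

    def interface_down(self, name: str) -> None:
        self.routers[name].state = "Init"
        self._elect()

    def hello(self, sender_ip: str, priority: int, state: str, key: str, now: float) -> bool:
        """Process a received hello; returns False when it fails authentication."""
        if key != self.key:
            return False  # wrong key: the hello is discarded without effect
        sender = next((r for r in self.routers.values() if r.ip == sender_ip), None)
        if sender is None:
            # Unknown speaker on the segment: learned as a peer of the group.
            sender = Router(name=f"peer-{sender_ip}", ip=sender_ip, priority=priority,
                            preempt=True, state="Speak")
            self.routers[sender.name] = sender
        sender.priority = priority
        self.last_hello[sender.name] = now
        act = self.active()
        # An Active hello from a better router makes the current Active resign.
        if (state == "Active" and act is not None and sender is not act
                and _rank(priority, sender_ip) > _rank(act.priority, act.ip)):
            act.state = "Listen"
            sender.state = "Active"
        self._elect()
        return True

    def tick(self, now: float) -> None:
        """Hold timer: an Active whose hellos have stopped is declared dead."""
        act = self.active()
        if act is not None and now - self.last_hello[act.name] > self.hold_time:
            act.state = "Init"
            self._elect()
```

Walking two routers through the model (one at priority 110 with preempt, one at 100) shows the exam answer and the caveats together: the 110 router is Active and the other Standby; a hello carrying the wrong key changes nothing; when the Active router's hellos stop, the Standby becomes Active after the hold time and the preempting router reclaims the role on return; and a hello with the correct key and priority 255 from an unknown address does take the Active role, which is the reason to configure MD5 authentication rather than rely on the default key.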
Question 210
A network engineer needs to configure SNMP on a Cisco Nexus switch to enable network monitoring. Which command configures an SNMP community string for read-only access?
A) snmp-server community public ro
B) snmp community public readonly
C) snmp-server enable public
D) snmp read-only public
Answer: A
Explanation:
The snmp-server community command with the ro keyword configures an SNMP community string for read-only access on Cisco Nexus switches, for example snmp-server community m0n-r0-Xq7 ro. A community string is the shared secret that identifies an SNMPv1 or SNMPv2c manager to the agent. Read-only access allows GET, GETNEXT and GETBULK queries but rejects SET operations; on NX-OS a ro community is tied to the network-operator role and an rw community to network-admin. NX-OS ships with no community configured, so the risk is not a factory default but the habit of choosing well-known strings such as public or private, which every scanner tries first.
NX-OS offers several controls around communities. ro grants read-only access suitable for monitoring. rw allows SET operations, which means configuration changes over UDP with a cleartext secret, and should be limited to trusted management systems or simply not configured. A community can be restricted to specific source addresses with snmp-server community <string> use-ipv4acl <acl> (and use-ipv6acl), which is the NX-OS equivalent of appending an ACL to the IOS community line. Multiple communities with different access levels and ACLs can coexist for different management purposes, but each one is another secret to rotate and another entry an attacker can try.
SNMPv2c transmits the community string in cleartext in every packet, so anyone who can capture management traffic learns it and anyone who can reach UDP port 161 can guess it. Good practice is long, non-dictionary strings, use-ipv4acl restrictions to the management subnets, read-only access wherever possible, and migration to SNMPv3, whose user-based security model provides per-user authentication and encryption: snmp-server user <name> network-operator auth sha <password> priv aes-128 <password>. NX-OS still accepts md5 for authentication and DES for privacy (priv with no algorithm keyword), but both are weak; choose sha and aes-128, and configure privacy (authPriv) rather than authentication alone (authNoPriv) so that the returned data is encrypted as well.
The syntax snmp community public readonly is not valid NX-OS command syntax. snmp-server enable is the prefix for enabling SNMP notifications (snmp-server enable traps), not for configuring community strings. The syntax snmp read-only public does not match the NX-OS command structure. Only snmp-server community with the ro keyword is the correct syntax for configuring a read-only SNMP community string on Cisco Nexus switches for monitoring access.
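The weak settings listed in the explanation are easy to check mechanically. Here is an added example, written for this page and not part of the exam material, that parses the SNMP lines of an NX-OS running-config and reports well-known or short community strings, rw access, communities without a use-ipv4acl or use-ipv6acl restriction, and SNMPv3 users relying on MD5, DES or no privacy at all. The configuration text is constructed to resemble NX-OS output; the community strings, user names, localized keys and ACL name are made up.

```python
"""Audit the SNMP section of an NX-OS running-config for weak settings.

Added example, not from the exam page. The sample configuration is constructed
to look like NX-OS output; the community strings, user names, keys and ACL name
are made up.
"""
import re
from typing import Dict, List

WELL_KNOWN = {"public", "private", "cisco", "admin", "monitor", "secret", "snmp"}

SAMPLE_CONFIG = """\
snmp-server community public ro
snmp-server community private rw
snmp-server community m0n-r0-Xq7 ro
snmp-server community m0n-r0-Xq7 use-ipv4acl NMS-ONLY
snmp-server user netops network-operator auth md5 0x2b7a91c4 priv 0x8c1f03e2 localizedkey
snmp-server user secops network-operator auth sha 0x4e9d7720 priv aes-128 0x77a1c5b9 localizedkey
snmp-server user readonly network-operator auth sha 0x11aa22bb localizedkey
ip access-list NMS-ONLY
  10 permit udp 10.10.0.0/24 any eq snmp
  20 deny udp any any eq snmp
"""

COMMUNITY_RE = re.compile(r"^snmp-server community (\S+) (ro|rw)$")
COMMUNITY_ACL_RE = re.compile(r"^snmp-server community (\S+) use-ipv[46]acl (\S+)$")
# NX-OS shows DES privacy as a bare "priv <key>" and AES as "priv aes-128 <key>".
USER_RE = re.compile(r"^snmp-server user (\S+) (\S+) auth (\S+) \S+(?: priv(?: (aes-128))? \S+)?")


def parse_snmp_config(config: str) -> Dict[str, Dict[str, dict]]:
    """Collect communities (access, acl) and SNMPv3 users (group, auth, priv)."""
    communities: Dict[str, dict] = {}
    users: Dict[str, dict] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            communities.setdefault(m.group(1), {"access": None, "acl": None})["access"] = m.group(2)
            continue
        m = COMMUNITY_ACL_RE.match(line)
        if m:
            communities.setdefault(m.group(1), {"access": None, "acl": None})["acl"] = m.group(2)
            continue
        m = USER_RE.match(line)
        if m:
            has_priv = " priv " in line
            users[m.group(1)] = {"group": m.group(2), "auth": m.group(3),
                                 "priv": (m.group(4) or "des") if has_priv else None}
    return {"communities": communities, "users": users}


def audit_snmp(parsed: Dict[str, Dict[str, dict]]) -> List[str]:
    """One finding per weak setting; an empty list means nothing to fix."""
    findings: List[str] = []
    for name, c in parsed["communities"].items():
        if name.lower() in WELL_KNOWN:
            findings.append(f"community {name}: well-known string, guessed by every scanner")
        if len(name) < 8:
            findings.append(f"community {name}: shorter than 8 characters")
        if c["access"] == "rw":
            findings.append(f"community {name}: rw access allows SNMP SET configuration changes")
        if c["acl"] is None:
            findings.append(f"community {name}: no use-ipv4acl/use-ipv6acl, usable from any source address")
    for name, u in parsed["users"].items():
        if u["auth"] == "md5":
            findings.append(f"user {name}: MD5 authentication, use sha")
        if u["priv"] is None:
            findings.append(f"user {name}: no privacy protocol, requests and responses are cleartext")
        elif u["priv"] == "des":
            findings.append(f"user {name}: DES privacy, use aes-128")
    return findings


if __name__ == "__main__":
    for finding in audit_snmp(parse_snmp_config(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample, the only entries that pass clean are the ACL-restricted read-only community and the sha/aes-128 user, which is exactly the configuration the explanation recommends; everything else produces a line you can hand to whoever owns the switch.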