Cisco ACI is revolutionizing data center networking with its SDN approach, and skilled ACI professionals are highly sought after. However, passing a Cisco ACI interview can be challenging, and practising with a set of ACI interview questions and answers certainly helps.
This guide is your secret weapon, packed with the most common and critical Cisco ACI interview questions and their in-depth answers.
Basic ACI Interview Questions
The following questions are for Cisco ACI entry-level job positions. Everyone working with ACI should be able to answer them correctly:
Q1: What is Cisco ACI? Why is it deployed in data centers?
Cisco ACI is a data center SDN solution. It delivers software with hardware performance (Nexus 9000 switches) that provides a robust overlay-based transport network (iVXLAN). ACI allows application requirements to define the network (hence the name).
Cisco ACI provides the following features:
– Application-driven policy modeling and centralized policy management.
– Visibility into infrastructure and application health.
– Automated infrastructure that allows configuration in mass.
– Integrated physical and virtual workloads.
– Optimized forwarding and security enforcement (ECMP, no STP).
– Stateless networking (the switches themselves do not hold the configuration).
For more information, see: What and Why Cisco ACI? (The Easy Way)
Q2: What are the main ACI fabric components?
The Cisco ACI fabric consists of:
– Cisco Nexus 9000 series switches running in ACI mode, which forward the traffic.
– A cluster of Application Policy Infrastructure Controllers (APICs), which manages the ACI fabric.
Q3: How are the ACI fabric components connected?
Cisco ACI employs a Clos topology, also known as a leaf-spine architecture.
– Leaf Switches: Form the access layer, supporting both Layer 2 and Layer 3 connectivity. End hosts are directly connected to these switches.
– Spine Switches: Constitute the aggregation layer, interconnecting multiple leaf switches.
– APIC (Application Policy Infrastructure Controller): The central management plane for the entire fabric. It is connected to the leaf switches.
– No Spine-to-Spine Links: Traffic does not directly traverse between spine switches.
– No Leaf-to-Leaf Links: Direct communication between leaf switches is not permitted (the 2-tier leaf design is the exception).
– Traffic within the fabric follows an Equal-Cost Multi-Path (ECMP) routing scheme: Leaf > Spine > Leaf.
Q4: What are the ACI underlying control protocols?
The Cisco ACI fabric runs the following control plane protocols:
1- LLDP: for fabric discovery.
2- DHCP: for assigning IP settings to the fabric nodes from the APIC.
3- IS-IS: for VTEP reachability in the infra network.
4- COOP: for endpoint reachability information from the leaf to the spine switches.
5- MP-BGP: for external route redistribution inside the ACI fabric.
6- IFM: for policy communication.
7- NTP: for time synchronization in the fabric.
For more information, see: Cisco ACI Underlying Protocols (Data, Control & Mgmt Plane)
Q5: What will happen if all APIC controllers in the ACI fabric go down?
The APIC controllers are engaged only in the ACI management plane, and all the control plane protocols and data plane encapsulation happen in the ACI fabric nodes (leaves and spines).
If all APICs go down:
– Traffic forwarding continues for new and existing sessions.
– New VMM endpoint attachment and vMotion may or may not work depending on the configuration options.
For more information, see: Tips You Need to Know About: ACI Clustering & Sharding
Q6: What is a tenant in Cisco ACI?
An ACI tenant refers to a set of configurations owned by a specific entity. This allows the management of those configurations to be kept separate from those of other tenants. Entities can be customers, departments, organizations, etc.
– Tenants separate management and data-processing functions inside ACI.
– An ACI Tenant is a policy container analogous to a Sub-Org in Cisco UCS.
– Tenants provide a data-plane isolation function using VRF instances (contexts) and bridge domains (BDs).
– Resources such as L2 and L3 connections in and out of the fabric can be given to individual tenants, as well as access and control to L4-7 services.
– The ACI tenant is abstracted from the ACI hardware infrastructure.
For more information, see: ACI Tenant: What Do You Need To Know About It?
Q7: What is the purpose of the default system-defined common tenant?
The common tenant is a special tenant that is used to create objects visible and shared with other user-defined tenants in the ACI fabric.
Global reuse is the core principle of the common tenant. Examples: shared L3Outs, shared VRFs, shared BDs, shared L4-7 services, etc.
Q8: What is an ACI Bridge Domain (BD)?
A Bridge Domain (BD) defines a unique L2 MAC address space and represents a Layer-2 forwarding boundary in the ACI fabric. A BD can be either a pure Layer-2 BD or a Layer-3 BD (GW in ACI). In ACI, the BD must be linked to a VRF instance, even if the BD operates in a Layer 2-only mode.
Q9: What is an ACI Endpoint Group (EPG)?
An EPG is an ACI-managed object containing a collection of endpoints with common policy requirements; EPGs are used to create logical groupings of endpoints that perform similar functions within the fabric.
By default, traffic between endpoints within the same EPG is allowed (intra-EPG traffic).
Q10: What is the ACI object analogous to the VLAN in legacy networks?
This is a tricky question; most ACI specialists think the correct answer is the BD, but that is not the case, because ACI uses the 802.1Q VLAN tag to represent the EPG, not the BD.
ACI defines multiple EPGs within a Layer 2 domain (Bridge Domain) to add security isolation on top of the Layer 2 network separation. In other words, the Bridge Domain is the Layer 2 network segmentation in ACI, and the EPG is an additional security isolation on top of the Bridge Domain. In traditional networking, on the other hand, Layer 2 network separation via the VLAN ID is the smallest unit of segmentation.
Q11: What are the EPG types in ACI?
Cisco ACI has several types of endpoint groups, all of which have the same goal, which is to apply classification to the incoming traffic to deploy ACI policies onto it:
1- Application EPG (fvAEPg).
2- L2Out EPG; Layer 2 external outside network instance EPG (l2extInstP).
3- L3Out EPG; Layer 3 external outside network instance EPG (l3extInstP).
4- Out-of-band EPG (mgmtOoB).
5- In-band EPG (mgmtInB).
Q12: What is the AEP/AAEP, and Why is it used?
The AEP/AAEP (Attachable Access Entity Profile) is an ACI object that maps ACI domains to interface policies, with the aim of mapping VLANs to interfaces. It allows the ACI admin to apply two or more domains (such as physical and VMM) to a single switch port, as is common with blade servers (for example, Cisco UCS B-series servers). So, AEPs define which interfaces can be used by EPGs and L3Outs through domains. If desired, AEPs allow a one-to-many relationship to be formed between interface policy groups and domains.
For more information, see: What is AEP in ACI? Learn ACI AEP Easily
Q13: What are the ACI Access Policies, and Why are they used?
The ACI access policies are a set of configurations and settings used to control parameters related to fabric access, such as:
– External-facing Interfaces that connect to devices like bare-metal servers, virtual machine controllers and hypervisors, hosts, network-attached storage, routers, and FEX interfaces.
– Ports such as individual ports, port channels, and virtual port channels (vPC).
– Protocols such as LLDP, CDP, and LACP.
– Features such as statistics gathering, monitoring, and diagnostics.
Q14: What happens when reusing the same VPC IPG with other interface selectors?
Reusing the same VPC Interface Policy Group (IPG) results in additional VPC member links being added to the same VPC link.
If we need to create a new VPC link, we must create a new VPC IPG, as every VPC link has a separate VPC policy group.
Q15: What are the VLAN pool types, and what is their difference?
– Dynamic VLAN Pools are managed internally by the APIC to allocate VLANs for EPGs automatically. They are primarily used in combination with VMM integration.
– Static VLAN Pools are managed manually through the static configuration of EPG bindings. They are generally used for connected devices that will be manually configured in the fabric, such as Bare-metal servers, routers, and L4-7 service devices.
Q16: What is the function of domains in ACI?
In Cisco ACI, a domain defines the type of connected devices for which the VLAN range will be used. A domain is associated with a single VLAN pool. There are several domain types:
– Physical Domains.
– External Bridged Domains.
– L3 Domains.
– VMM Domains.
– Fibre Channel Domains.
Q17: How does ACI classify the incoming traffic from the connected Endpoints?
Cisco ACI uses the 802.1Q VLAN tag together with the ingress interface to identify the EPG, as deployed through the static path binding.
Q18: Explain the ACI whitelist security policy model.
ACI uses a whitelist security model where, by default, EPs in different EPGs cannot communicate with each other. A contract object defines how an EPG (or ESG) can communicate with other EPGs (or ESGs).
Q19: How can you run the ACI as a Layer-2 fabric?
Don’t configure the subnet under the Bridge domain, and keep the gateway outside the ACI fabric.
Q20: What is the ACI Endpoint? How does the ACI learn them?
ACI Endpoints (EPs) are physical or virtual end devices that are directly or indirectly connected to the ACI fabric. ACI endpoints are not connected behind a routed network.
ACI learns the endpoint information via data-plane traffic as packets from the endpoints enter the ACI fabric. Each EP consists of one MAC address and zero or more (/32) IPv4 or (/128) IPv6 addresses.
Advanced ACI Interview Questions
The following questions are for advanced ACI topics, especially for the Cisco ACI professional services job positions.
Q21: Does having more APICs in the APIC cluster increase the redundancy? Why?
No. Cisco APICs are deployed as a cluster of servers based on the scalability requirements. The minimum APIC cluster size should be 3, and larger clusters increase fabric scalability, not high availability, because the ACI database is replicated and broken into smaller units called shards. A shard is replicated across 3 APICs regardless of the cluster size.
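The sharding argument above can be checked with a small model. The script below is an added illustration, not Cisco code: it assumes a hypothetical round-robin shard placement (the real APIC placement algorithm is not modelled) and keeps only the invariant that matters, three replicas per shard whatever the cluster size. It then counts how many shards lose their majority when one or two APICs fail, for clusters of three, five and seven controllers.

```python
"""Toy model of APIC database sharding (added illustration, not Cisco code)."""
from itertools import combinations

REPLICAS_PER_SHARD = 3   # ACI keeps three copies of every shard, whatever the cluster size


def place_shards(num_shards, cluster_size):
    """Return {shard_id: {apic_ids}} using a hypothetical round-robin placement.

    The real APIC placement algorithm is not public and is not modelled here;
    only the invariant "three replicas per shard" matters for the argument.
    """
    if cluster_size < REPLICAS_PER_SHARD:
        raise ValueError("an APIC cluster needs at least three controllers")
    return {
        shard: {(shard + i) % cluster_size + 1 for i in range(REPLICAS_PER_SHARD)}
        for shard in range(num_shards)
    }


def shard_health(placement, failed_apics):
    """Count shards by state once the given APIC ids have failed.

    healthy   : all three replicas up
    degraded  : two replicas up (still a majority, still writable)
    read-only : one or zero replicas up (majority lost for that shard)
    """
    summary = {"healthy": 0, "degraded": 0, "read-only": 0}
    for apics in placement.values():
        alive = len(apics - set(failed_apics))
        if alive == REPLICAS_PER_SHARD:
            summary["healthy"] += 1
        elif alive == 2:
            summary["degraded"] += 1
        else:
            summary["read-only"] += 1
    return summary


def worst_case(num_shards, cluster_size, failures):
    """Largest number of read-only shards over every choice of `failures` failed APICs."""
    placement = place_shards(num_shards, cluster_size)
    return max(
        shard_health(placement, failed)["read-only"]
        for failed in combinations(range(1, cluster_size + 1), failures)
    )


if __name__ == "__main__":
    # A bigger cluster holds more shards, but two controller failures can still
    # leave some shards with a single surviving replica.
    for size in (3, 5, 7):
        print(f"{size} APICs, 12 shards: one failure -> {worst_case(12, size, 1)} read-only, "
              f"two failures -> {worst_case(12, size, 2)} read-only")
```

Whatever the cluster size, a single APIC failure never takes a shard below two replicas, while a second failure can, which is why adding controllers buys scale rather than a higher fault tolerance per shard.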
Q22: How can you ensure that the provided contract will not be applied to any consumer EPG outside the provider’s Application profile?
Set the contract scope to “Application Profile”.
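To make the whitelist model (Q18) and the contract scope (Q22) concrete, here is an added Python example that is not from the page or from Cisco. It builds the JSON body an admin would POST to the APIC REST endpoint `/api/mo/uni.json` for a constructed tenant in which a `web` EPG provides an HTTPS contract that is consumed by an `app` EPG in the same application profile and by a `legacy` EPG in another one. The object classes and attribute names (`fvTenant`, `fvAp`, `fvAEPg`, `vzBrCP`, `vzSubj`, `vzFilter`, `vzEntry`, `fvRsProv`, `fvRsCons`, the `scope` values) are the public APIC model; the tenant, EPG, BD and filter names are made up. `permitted_flows` then derives which consumer/provider pairs the fabric would allow from that payload, so you can see the effect of the scope before pushing it.

```python
"""Build an APIC REST payload for a whitelist contract and derive the flows it permits.

Added example, not Cisco code; names are constructed for the illustration.
"""
import json

VALID_SCOPES = {"context", "application-profile", "tenant", "global"}


def tcp_filter(name, dport):
    """vzFilter with one vzEntry matching TCP to the given destination port."""
    entry = {"vzEntry": {"attributes": {
        "name": f"tcp-{dport}", "etherT": "ip", "prot": "tcp",
        "dFromPort": str(dport), "dToPort": str(dport)}}}
    return {"vzFilter": {"attributes": {"name": name}, "children": [entry]}}


def contract(name, filter_name, scope):
    """vzBrCP whose single subject references the named filter."""
    if scope not in VALID_SCOPES:
        raise ValueError(f"unknown contract scope {scope!r}")
    subject = {"vzSubj": {"attributes": {"name": "default"}, "children": [
        {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}
    return {"vzBrCP": {"attributes": {"name": name, "scope": scope},
                       "children": [subject]}}


def epg(name, bd, provides=(), consumes=()):
    """fvAEPg bound to a BD, providing and/or consuming the named contracts."""
    children = [{"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]
    children += [{"fvRsProv": {"attributes": {"tnVzBrCPName": c}}} for c in provides]
    children += [{"fvRsCons": {"attributes": {"tnVzBrCPName": c}}} for c in consumes]
    return {"fvAEPg": {"attributes": {"name": name}, "children": children}}


def app_profile(name, epgs):
    return {"fvAp": {"attributes": {"name": name}, "children": epgs}}


def tenant_payload(scope="application-profile"):
    """Constructed demo tenant: 'web' provides HTTPS; 'app' (same AP) and
    'legacy' (a different AP) both consume it."""
    return {"fvTenant": {"attributes": {"name": "DemoTenant"}, "children": [
        {"fvCtx": {"attributes": {"name": "prod-vrf", "pcEnfPref": "enforced"}}},
        {"fvBD": {"attributes": {"name": "app-bd"}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": "prod-vrf"}}}]}},
        tcp_filter("https", 443),
        contract("allow-https", "https", scope),
        app_profile("shop", [epg("web", "app-bd", provides=["allow-https"]),
                             epg("app", "app-bd", consumes=["allow-https"])]),
        app_profile("batch", [epg("legacy", "app-bd", consumes=["allow-https"])]),
    ]}}


def permitted_flows(payload):
    """Derive the (consumer EPG, provider EPG) pairs the fabric would permit.

    Whitelist rule: a pair is permitted only when a contract links the two EPGs
    and the contract scope is wide enough.  This toy distinguishes
    'application-profile' (both EPGs must sit in the same fvAp) from the wider
    scopes, all of which cover this single-tenant, single-VRF payload.
    Everything not returned is denied by default.
    """
    scopes, providers, consumers = {}, {}, {}
    for child in payload["fvTenant"]["children"]:
        if "vzBrCP" in child:
            attrs = child["vzBrCP"]["attributes"]
            scopes[attrs["name"]] = attrs["scope"]
        if "fvAp" in child:
            ap = child["fvAp"]["attributes"]["name"]
            for e in child["fvAp"]["children"]:
                name = e["fvAEPg"]["attributes"]["name"]
                for rel in e["fvAEPg"]["children"]:
                    if "fvRsProv" in rel:
                        providers.setdefault(rel["fvRsProv"]["attributes"]["tnVzBrCPName"], []).append((name, ap))
                    if "fvRsCons" in rel:
                        consumers.setdefault(rel["fvRsCons"]["attributes"]["tnVzBrCPName"], []).append((name, ap))
    flows = set()
    for c, scope in scopes.items():
        for cons, cons_ap in consumers.get(c, []):
            for prov, prov_ap in providers.get(c, []):
                if scope == "application-profile" and cons_ap != prov_ap:
                    continue   # consumer outside the provider's AP: not permitted
                flows.add((cons, prov))
    return flows


if __name__ == "__main__":
    payload = tenant_payload()
    print(json.dumps(payload, indent=2))   # body for POST https://<apic>/api/mo/uni.json
    print(sorted(permitted_flows(payload)))
```

With the scope left at `application-profile`, only `app` reaches `web`; switching it to `tenant` (or wider) also lets `legacy` in, which is exactly the leakage the Q22 answer avoids.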
Q23: What happens if the ingress EP’s traffic has a VXLAN header?
All traffic that comes in the ACI fabric is normalized as iVXLAN packets. At the ingress leaf, ACI encapsulates external untagged traffic, VLAN-tagged traffic, VXLAN, and NVGRE packets in an iVXLAN packet. ACI will preserve the VXLAN header.
With the iVXLAN encapsulation, every packet in the ACI fabric carries ACI policy attributes, which makes ACI able to enforce policy consistently and in a fully distributed manner.
For more information, see: The Ultimate Guide to ACI Packet Encapsulation and Format
Q24: What is the difference between ACI’s encap-VLAN and PI-VLANs?
Cisco ACI has two VLAN types:
Access encap VLAN:
– VLAN ID for external devices.
– VLAN ID is a user-configurable value (VLAN pools, static binding, L3Outs).
– Used to classify traffic from the endpoints into EPGs.
– Represented as vlan-id or encap-id in the show commands.
Platform-Independent VLAN (PI-VLAN):
– Internal VLANs on the leaf switches.
– VLAN IDs are automatically assigned.
– Not shared across the leaf switches.
– Used for the leaf's internal representation of an EPG (FD VLAN) and a BD (BD VLAN).
– Represented as vlan id (without a hyphen) in the show commands.
For more information, see: ACI VLAN Types and Scopes Explained: The Ultimate Guide
Q25: Can the same encap-VLAN be applied to multiple EPGs on the same Leaf? If so, How?
Yes, it is possible. However, the Port Local scope option must be applied under the L2 Interface policy on the interfaces where the same access encap VLAN is used for different EPGs. In addition, each EPG must be associated with a separate VLAN pool, domain, and bridge domain.
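The conditions in this answer are easy to get wrong in a large static-binding spreadsheet, so here is an added pre-change check, written for this page and not part of any Cisco tool. It models each static path binding as a constructed `Binding` record and takes a map of the `vlanScope` value (`global` or `portlocal`, the attribute of the `l2IfPol` object) per leaf port. For every (leaf, encap VLAN) pair used by more than one EPG it verifies that every port involved has port-local scope, that no single port carries the encap for two EPGs, and that the EPGs sit in different BDs and different domains (hence different VLAN pools). The sample bindings and policy map are constructed for the illustration.

```python
"""Pre-change check for reusing one access encap VLAN across EPGs on a leaf.

Added example, not Cisco code; the bindings and names below are constructed.
"""
from collections import defaultdict
from typing import NamedTuple


class Binding(NamedTuple):
    """One static path binding of an EPG to a leaf port (constructed model)."""
    epg: str       # tenant:ap:epg
    bd: str        # bridge domain the EPG belongs to
    domain: str    # physical domain (and thus VLAN pool) the EPG uses
    leaf: int      # leaf node id
    port: str      # interface on that leaf
    encap: str     # access encap VLAN, e.g. "vlan-100"


def check_encap_reuse(bindings, vlan_scope):
    """Return a list of problems; an empty list means the VLAN reuse is valid.

    vlan_scope maps (leaf, port) -> "global" or "portlocal", mirroring the
    vlanScope attribute of the L2 interface policy (l2IfPol) on that port.
    Ports without an entry are treated as the default, "global".
    """
    groups = defaultdict(list)
    for b in bindings:
        groups[(b.leaf, b.encap)].append(b)

    problems = []
    for (leaf, encap), group in groups.items():
        epgs = {b.epg for b in group}
        if len(epgs) < 2:
            continue                      # one EPG per encap on this leaf: nothing to check
        for b in group:
            if vlan_scope.get((b.leaf, b.port), "global") != "portlocal":
                problems.append(f"node-{leaf} {b.port}: {encap} is shared by "
                                f"{len(epgs)} EPGs but vlanScope is not portlocal")
        per_port = defaultdict(set)
        for b in group:
            per_port[b.port].add(b.epg)
        for port, names in per_port.items():
            if len(names) > 1:            # port-local scope still means one EPG per encap per port
                problems.append(f"node-{leaf} {port}: {encap} bound to several EPGs "
                                f"on the same port: {sorted(names)}")
        if len({b.bd for b in group}) < len(epgs):
            problems.append(f"node-{leaf} {encap}: EPGs sharing this encap must be in different BDs")
        if len({b.domain for b in group}) < len(epgs):
            problems.append(f"node-{leaf} {encap}: EPGs sharing this encap must use "
                            f"separate domains and VLAN pools")
    return problems


# Constructed sample: two customer EPGs reuse vlan-100 on leaf 101 on different ports;
# the binding on leaf 102 is independent because scope is per leaf.
GOOD = [
    Binding("T1:AP1:cust-a", "bd-a", "phys-a", 101, "eth1/1", "vlan-100"),
    Binding("T1:AP1:cust-b", "bd-b", "phys-b", 101, "eth1/2", "vlan-100"),
    Binding("T1:AP1:cust-a", "bd-a", "phys-a", 102, "eth1/1", "vlan-100"),
]
PORT_LOCAL = {(101, "eth1/1"): "portlocal", (101, "eth1/2"): "portlocal"}

if __name__ == "__main__":
    print(check_encap_reuse(GOOD, PORT_LOCAL))   # []
    print(check_encap_reuse(GOOD, {}))           # both leaf-101 ports still at global scope
```

Running it with the default global scope reports both ports on leaf 101, which is the fault you would otherwise only discover as a failed deployment on the EPG after the push.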
Q26: Which L3Out interface types will you use to utilize a physical interface for several L3Out connections in multiple VRFs?
To utilize a single physical interface for multiple L3Out connections in different VRFs within Cisco ACI, you must use either subinterfaces or SVIs, because these two interface types apply a VLAN to the interface, which is required to separate the traffic of each VRF.
Q27: What happens when an endpoint moves from the local leaf to another leaf switch in the ACI fabric?
Once the EP moves, the new leaf updates the spine COOP database with its newly learned local EP; the spine COOP process then updates the old leaf with a bounce entry pointing to the new leaf.
Q28: What will the leaf switch do with the incoming L2 unicast packet if it hasn’t learned the destination MAC address?
By default, the leaf switch sends the packet to a spine switch for hardware-proxy forwarding unless the BD is configured to flood the traffic. If the spines do not know the destination MAC either, they drop the packet.
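Q27 and Q28 describe the same lookup chain from two angles, so here is one added simulation (not Cisco code) covering both: a leaf's local endpoint table, a cached remote entry, the spine COOP database, the bounce entry installed on the old leaf after a move, and the `proxy` versus `flood` choice for unknown unicast MACs. Node ids, BD names, MAC addresses and ports are constructed, and the model simplifies real behaviour in one labelled way: the ingress leaf caches the owner it just resolved as a remote entry, where a real leaf learns remote entries from returning traffic. `trace` returns the list of hops a frame takes, so the stale-entry case after a move can be followed step by step.

```python
"""Toy model of ACI endpoint learning, COOP, bounce entries and unknown unicast.

Added illustration, not Cisco code; ids, MACs and ports are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Spine:
    coop: dict = field(default_factory=dict)      # (bd, mac) -> owning leaf (COOP database)


@dataclass
class Leaf:
    node: int
    local: dict = field(default_factory=dict)     # (bd, mac) -> local port
    remote: dict = field(default_factory=dict)    # (bd, mac) -> remote leaf (cached, may go stale)
    bounce: dict = field(default_factory=dict)    # (bd, mac) -> leaf the endpoint moved to


class Fabric:
    def __init__(self, leaf_ids):
        self.spine = Spine()
        self.leaves = {n: Leaf(n) for n in leaf_ids}

    def attach(self, leaf_id, bd, mac, port):
        """Data-plane learning on leaf_id; COOP is updated and, on a move,
        the previous leaf receives a bounce entry pointing at the new one."""
        key = (bd, mac)
        self.leaves[leaf_id].local[key] = port
        old = self.spine.coop.get(key)
        self.spine.coop[key] = leaf_id
        if old is not None and old != leaf_id:
            self.leaves[old].local.pop(key, None)
            self.leaves[old].bounce[key] = leaf_id
        return old

    def trace(self, ingress, bd, dst_mac, unk_mac_ucast="proxy"):
        """Hops taken by an L2 unicast frame entering `ingress`.

        unk_mac_ucast mirrors the BD setting for unknown unicast:
        "proxy" asks the spine (hardware proxy), "flood" floods in the BD.
        """
        key = (bd, dst_mac)
        leaf = self.leaves[ingress]
        hops = [f"leaf {ingress}"]
        if key in leaf.local:
            return hops + [f"port {leaf.local[key]}"]
        if key in leaf.bounce:                       # endpoint moved away from this leaf
            target = leaf.bounce[key]
            hops.append(f"bounce to leaf {target}")
        elif key in leaf.remote:                     # cached remote entry, possibly stale
            target = leaf.remote[key]
            hops.append(f"leaf {target}")
        elif unk_mac_ucast == "flood":
            return hops + ["flood in BD"]
        else:                                        # hardware proxy: spine looks up COOP
            hops.append("spine")
            target = self.spine.coop.get(key)
            if target is None:
                return hops + ["dropped (MAC unknown to COOP)"]
            hops.append(f"leaf {target}")
        egress = self.leaves[target]
        if key in egress.bounce:                     # stale entry: old leaf bounces the frame
            target = egress.bounce[key]
            egress = self.leaves[target]
            hops.append(f"bounce to leaf {target}")
        hops.append(f"port {egress.local[key]}")
        leaf.remote[key] = target   # simplification: cache the resolved owner as a remote entry
        return hops


if __name__ == "__main__":
    f = Fabric([101, 102, 103])
    f.attach(101, "bd-a", "aa:01", "eth1/1")
    print(f.trace(102, "bd-a", "aa:01"))           # proxy via spine, then leaf 101
    print(f.trace(102, "bd-a", "ff:ff"))           # unknown everywhere: spine drops it
    print(f.trace(102, "bd-a", "ff:ff", "flood"))  # BD set to flood instead
    f.attach(103, "bd-a", "aa:01", "eth1/5")       # endpoint moves to leaf 103
    print(f.trace(102, "bd-a", "aa:01"))           # stale remote entry, saved by the bounce
```

The bounce entry is what keeps traffic flowing while other leaves still hold the stale remote entry; after one bounced frame the sender's cache points at the new leaf and the detour disappears.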
Q29: In intra-VRF communication, when two application EPGs communicate, and the control enforcement direction is set to egress, where is the policy enforced?
The policy is enforced on the ingress leaf if the destination EP is learned there, and on the egress leaf if the destination EP is not learned.
Q30: Which ACI security feature divides the VRF into security zones, regardless of the layer-2 boundary?
The Endpoint Security Group (ESG):
– ESG is a network security component in ACI.
– ESG is a security zone not bound to a BD.
– ESG works across the entire VRF.
– ESG doesn’t have network-related config.
– ESG is a logical security object that can select a collection of Application EPGs, physical or virtual EPs, BDs, Internal or External IP subnets, and Service EPGs (shadow EPGs).
Q31: When using the BD out (L2Out) method, if we need to extend five VLANs outside the ACI fabric from two leaf switches and four interfaces per leaf, how many L2Outs are required?
Five L2Outs are required, one per VLAN.
Q32: Which ACI loop detection mechanisms can stop a layer-2 loop that traverses multiple external switches without depending on the behavior of those external switches?
Miscabling Protocol (MCP).
MCP is a lightweight protocol that protects the ACI fabric against loops that neither STP nor LLDP can discover.
Q33: Describe a scenario where a Multisite deployment would be preferred over a Multipod deployment in an ACI fabric.
A company has multiple data centers located in different cities or even countries. The company wants to ensure high availability, disaster recovery, and seamless workload migration across these geographically dispersed data centers while separating management and policy enforcement.
On the other hand, a Multipod deployment is more suitable for scenarios where the data centers are located within the same region and require a single point of management and policy enforcement.
Q34: What is a Service Graph, and how can it be used within the ACI fabric? Provide a use case example.
A Service Graph in Cisco ACI is a logical representation of Layer 4-7 (L4-L7) services, such as firewalls, load balancers, and other network appliances, and their relationships to EPGs. It allows administrators to define and enforce traffic flows through these services in a consistent and automated manner.
Scenario: A company needs to secure its web application by inspecting traffic through a firewall. A service graph with a Policy-Based Redirect (PBR) policy should be applied to redirect web traffic to the firewall.
Q35: When should you use vzAny to permit all communication rather than applying the unenforced mode to the VRF?
You should use vzAny to permit all communication when you need to allow unrestricted traffic between endpoints while still being able to enforce security policies for some of them (now or in the future). This approach is particularly useful in environments where the primary focus is connectivity and unrestricted communication, such as during initial testing or while migrating workloads to ACI.
In contrast, applying the unenforced mode to the VRF also allows all communication, but no security policy can then be defined to restrict any of that traffic. This approach is appropriate only when you have decided to disable the ACI whitelist security model altogether.
Consider reading the Cisco Application Centric Infrastructure (ACI) Design Guide to dive deeper into ACI design concepts and best practices.
Want To Truly Master Cisco ACI?
This article will give you a strong foundation for your interview, but true mastery requires a deeper dive. My Cisco Data Centers | ACI Core course on Udemy provides a comprehensive learning experience, covering all the essential ACI concepts with in-depth explanations and real-world examples.