
350-601 Question #564: Real Exam Question with Answer & Explanation

The correct answer is D: Configure intra EPG contract under Web_EPG.

Network

Question

Refer to the exhibit. Three operational endpoints are deployed under the same application EPG. Only the ICMP traffic must be permitted within the Web_EPG. Which two actions must be taken to accomplish this goal? (Choose two.)

Options

  • A. Check box of forward control proxy ARP.
  • B. Set VRF policy control preference to unenforced.
  • C. Add Taboo contract on the Web_EPG.
  • D. Configure intra EPG contract under Web_EPG.
  • E. Mark intra EPG isolation as enforced.

Explanation

To permit only ICMP traffic between endpoints within the same Cisco ACI Web_EPG, two actions are required: configure an intra-EPG contract under the Web_EPG to allow ICMP, and enforce intra-EPG isolation for that EPG. This setup ensures granular control, blocking all but the explicitly allowed ICMP traffic.

Common mistakes.

  • A. Forward control proxy ARP is used for specific Layer 2 forwarding scenarios and has no direct bearing on controlling intra-EPG traffic filtering policies for ICMP.
  • B. Setting the VRF policy control preference to unenforced would disable policy enforcement at the VRF level, allowing all traffic by default within the VRF, which contradicts the goal of restricting traffic.
  • C. A Taboo contract explicitly denies certain traffic, but it does not provide the mechanism to specifically allow only ICMP while denying everything else within the same EPG; an intra-EPG contract with enforcement is necessary for this precise control.

Concept tested. Cisco ACI intra-EPG contracts and isolation

Reference. https://www.cisco.com/c/en/us/td/docs/dcn/aci/apic/6x/config-guide/c_Cisco-APIC-Basic-Configuration-Guide-6x.html

Topics

#ACI #EPG #Intra-EPG Isolation #ACI Contracts
