DCACI Exam - Question 26

Question

DRAG DROP -Refer to the exhibit. A Cisco ACI fabric is newly deployed, and the security team requires more visibility of all inter EPG traffic flows. All traffic in a VRF must be forwarded to an existing firewall pair. During failover, the standby firewall must continue to use the same IP and MAC as the primary firewall. Drag and drop the steps from the left into the implementation order on the right to configure the service graph that meets the requirements. (Not all steps are used. )Select and Place:.

Examice · Accepted Answer

Reference:https://www. cisco. com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/3-x/L4-L7_services_deployment/3_2_1/b_L4L7_Deploy_321/ b_L4L7_Deploy_321_chapter_01001. html.

[Removed] · Answer

To configure Service Graph in managed or unmanaged mode , Configuration steps should be as follows :

1.Create a service bridge domain and a Layer 4 to Layer 7 device with on cluster interface.
2.Create a Layer 4 to Layer 7 service graph template .
3.Select a redirect policy with enabled any cast and the Layer 3 destination .
4.Apply a service a graph template and select vzAny EPG as the consumer and provider
5.Select the existing contract with customer IP Ether Type filter .
6.Select the same cluster interface under Consumer Connector and Provider connector .

Said75 · Answer

Correct Answer and verified on my lab :

1.Create a service bridge domain and a Layer 4 to Layer 7 device with on cluster interface.
2.Create a Layer 4 to Layer 7 service graph template .
3.Apply a service a graph template and select vzAny EPG as the consumer and provider
4.Select the existing contract with customer IP Ether Type filter .
5.Select a redirect policy with the Layer 3 destination .
6.Select the same cluster interface under Consumer Connector and Provider connector .

korthab · Answer

I think this is the correct answer based on the steps i watched on labminutes.com.

1. Create a service bridge domain and a Layer 4 to Layer 7 device with on cluster interface.
2. Create a Layer 4 to Layer 7 service graph template.
3. Apply a service a graph template and select vzAny EPG as the consumer and provider.
4. Select the existing contract with customer IP EtherType filter.
5. Select a redirect policy with Layer 3 destination.
6. Select the same cluster interface under Consumer Connector and Provider connector.

Labminutes LINK:
https://www.labminutes.com/dc0032_aci_service_graph_pbr_fw_1

Anycast LINK:
https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/cli/nx/cfg/b_APIC_NXOS_CLI_User_Guide/b_APIC_NXOS_CLI_User_Guide_chapter_011001.pdf

Quote:
" Anycast services are not supported with the following features and options:

• Two firewalls in an Active/Standby relationship (in this scenario, the Anycast service is active in only one pod and all traffic is sent using the active service) "

muhnator · Answer

1.Create a service bridge domain and a Layer 4 to Layer 7 device with on cluster interface.
2.Create a Layer 4 to Layer 7 service graph template .
3.Apply a service a graph template and select vzAny EPG as the consumer and provider
4.Select the existing contract with customer IP Ether Type filter .
5.Select a redirect policy with the Layer 3 destination .
6.Select the same cluster interface under Consumer Connector and Provider connector .

ciscoaci2022 · Answer

The correct answer should be:

1.Create a service bridge domain and a Layer 4 to Layer 7 device with on cluster interface.
2.Create a Layer 4 to Layer 7 service graph template .
3.Apply a service a graph template and select vzAny EPG as the consumer and provider
4.Select the existing contract with customer IP Ether Type filter .
5.Select a redirect policy with the Layer 3 destination .
6.Select the same cluster interface under Consumer Connector and Provider connector

since the Anycast services are not supported with the following features and options:
• Two firewalls in an Active/Standby relationship (in this scenario, the Anycast service is active in only
one pod and all traffic is sent using the active service)

So 3 should be: Select a redirect policy with the Layer 3 destination.

Kalpesh · Answer

I think anycast is also not needed as it's a active/standby setup not Active/Active.

thiyagas · Answer

not sure if this answer is correct... any comment.?

nabilzay · Answer

I think nikmski's answer is right based on this doc:

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/aci/apic/sw/1-x/L4-L7_Services_Deployment/guide/b_L4L7_Deploy_ver201/b_L4L7_Deploy_ver201_chapter_010100.html#id_27316

However not sure if anycast is needed, I'd say no

2eb1ea8 · Answer

1. Create a service bridge domain and a Layer 4 to Layer 7 device with on cluster interface.
2. Create a Layer 4 to Layer 7 service graph template.
3. Apply a service a graph template and select vzAny EPG as the consumer and provider.
4. Select the existing contract with customer IP EtherType filter.
5. Select a redirect policy with enabled anycast and the layer 3 destination (Enabling anycast ensures that the standby firewall can use the same IP and MAC address as the primary firewall during failover. The layer 3 destination specifies the firewall's IP address).
6. Select the same cluster interface under Consumer Connector and Provider connector.

DCACI Exam - Question 26

Discussion