Cisco braindumps ccnp Data Center 300-620 Exam Dumps by Pia q134 vce pdf

Page: 7 / 18

Exam Name:	Implementing Cisco Application Centric Infrastructure (300-620 DCACI)
Exam Code:	300-620 Dumps
Vendor:	Cisco	Certification:	CCNP Data Center
Questions:	247 Q&A's	Shared By:	pia

Question 28

In the context of VMM, which protocol between ACI leaf and compute hosts ensures that the policies are pushed to the leaf switches for immediate and on demand resolution immediacy?

Options:

VXLAN

LLDP

ISIS

STP

Discussion

Question 29

An engineer is implementing an out-of-band (OOB) management access for the Cisco ACI fabric. The secure access must meet these requirements:

• Only GUI and secure shell must be allowed to access the management interfaces of the ACIs.

• The only IP ranges that must be permitted to connect the fabric will be 10.10.10.0724 and 192.168.15.0/24.

Which configuration set meets these requirements?

Options:

Implement HTTPS and SSH protocol filters in the OOB contract. Add the required subnets to the external network instance profile.

Create an out-of-band EPG in the external management entity. Associate the management profile with the OOB contract.

Set up static IPs on the management interfaces from the required IP range. Add the required subnets to the external network instance profile.

Create an out-of-band EPG in the common tenant. Associate the external network instance profile with the OOB contract.

Discussion

Answer:

Explanation:

The engineer is implementing out-of-band (OOB) management access for the Cisco ACI fabric with the following requirements:

Only GUI (HTTPS) and Secure Shell (SSH) must be allowed to access the management interfaces.

Only IP ranges 10.10.10.0/24 and 192.168.15.0/24 must be permitted to connect.

This requires configuring access control and restricting IP ranges for OOB management.

Requirement Analysis

OOB management in ACI is typically handled via the Management Tenant (mgmt) and an OOB contract to define allowed protocols and sources.

The external network instance profile defines the permitted IP ranges for external access.

Option Evaluation

A. Implement HTTPS and SSH protocol filters in the OOB contract. Add the required subnets to the external network instance profile:

An OOB contract can specify allowed protocols (HTTPS on port 443 and SSH on port 22) to restrict access to GUI and SSH only. Adding the subnets 10.10.10.0/24 and 192.168.15.0/24 to the external network instance profile limits the source IP ranges, meeting both requirements.

[: Cisco APIC Management Guide, "Out-of-Band Management Configuration" and "Contract Configuration.", B. Create an out-of-band EPG in the external management entity. Associate the management profile with the OOB contract: , This approach creates an EPG for OOB management, but it does not specify protocol filters (HTTPS/SSH) or IP range restrictions. The management profile alone does not enforce these requirements., Reference: Cisco ACI External Management Configuration Guide., C. Set up static IPs on the management interfaces from the required IP range. Add the required subnets to the external network instance profile: , Assigning static IPs to management interfaces is a configuration step, but it does not enforce protocol restrictions (HTTPS/SSH) or limit source IP ranges via a contract. This is incomplete., Reference: Cisco APIC Interface Configuration Guide., D. Create an out-of-band EPG in the common tenant. Associate the external network instance profile with the OOB contract: , The common tenant can host an OOB EPG, but this option lacks explicit protocol filtering (HTTPS/SSH) and relies on the external network instance profile, which may not fully address the GUI/SSH restriction., Reference: Cisco ACI Tenant Configuration Guide., Final Answer Justification, A is correct because it directly addresses both requirements: using an OOB contract to filter HTTPS and SSH protocols and adding the specified subnets to the external network instance profile to restrict IP ranges., Primary Cisco References: , Cisco APIC Management Tenant Configuration Guide, "OOB Management Access.", Cisco ACI Security Guide, "Contract-Based Access Control.", , ]

Question 30

A company is implementing a new security policy to track system access, configuration, and changes. The network engineer must enable the log collection to track user login and logout attempts. In addition, any configuration changes such as a fabric node failure must be collected in the logs. The syslog policy is configured to send logs to the company SEIM appliance.

Which two log types must be enabled to meet the security requirements? (Choose two.)

Options:

error

audit

event

health

fault

Discussion

Ace

No problem! I highly recommend Cramkey Dumps to anyone looking to pass their certification exams. They will help you feel confident and prepared on exam day. Good luck!

Harris Oct 31, 2024

That sounds amazing. I'll definitely check them out. Thanks for the recommendation!

Anya

I must say they're considered the best dumps available and the questions are very similar to what you'll see in the actual exam. Recommended!!!

Cassius Nov 2, 2024

Yes, they offer a 100% success guarantee. And many students who have used them have reported passing their exams with flying colors.

Alaya

Best Dumps among other dumps providers. I like it so much because of their authenticity.

Kaiden Sep 16, 2024

That's great. I've used other dump providers in the past and they were often outdated or had incorrect information. This time I will try it.

Osian

Dumps are fantastic! I recently passed my certification exam using these dumps and I must say, they are 100% valid.

Azaan Aug 8, 2024

They are incredibly accurate and valid. I felt confident going into my exam because the dumps covered all the important topics and the questions were very similar to what I saw on the actual exam. The team of experts behind Cramkey Dumps make sure the information is relevant and up-to-date.

Question 31

A Cisco APIC is configured with RADIUS authentication as the default The network administrator must ensure that users can access the APIC GUI with a local account if the RADIUS server is unreachable. Which action must be taken to accomplish this goal?

Options:

Create an additional login domain that references local accounts

Enable the fallback check with the default authentication domain

Associate console authentication with the "RADIUS" realm.

Reference the local realm in the fallback domain