Implementing Cisco Application Centric Infrastructure (DCACI) — Question 131
A network engineer must allow secure access to the Cisco ACI out-of-band (OOB) management only from external subnets 10.0.0.0/24 and 192.168.20.0/25. Which configuration set accomplishes this goal?
Answer options
- A. Create an L3Out in the MGMT tenant in OOB VRF. Set External Management Network Instance Profile as a consumer of the OOB contract. Create an External EPG with two subnet entries with the external subnets.
- B. Create a PBR service graph in the MGMT tenant. Create a management Profile with the required OOB EPG. Redirect all traffic going into ACI management to the external firewall. Create two subnet entries under the OOB Bridge domain with the required subnets.
- C. Create an EPG and BD in the MGMT tenant in OOB VRF. Set OOB VRF to provide the contract. Set a new EPG to consume the OOB contract.
- D. Create an OOB contract that allows the required ports. Provide the contract from the OOB EPG. Consume the contract by the OOB External Management Network Instance Profile. Create two subnet entries in the External Management Network Profile with the required subnets.
Correct answer: D
Explanation
The correct answer is D. It creates an OOB contract that explicitly allows the required ports, provides that contract from the OOB EPG, and has the OOB External Management Network Instance Profile consume it, with the two external subnets entered in that profile so that they are the ones consuming the contract. The other options do not directly configure the necessary contract for the specified subnets or do not adequately restrict access as required.