
Cisco 350-601: How to Restrict ICMP Traffic Within a Web EPG on Cisco ACI?

Learn the two key steps to permit only ICMP traffic between endpoints in the same Web EPG on a Cisco ACI fabric, following Cisco 350-601 exam objectives.

Question

Refer to the exhibit.

Three operational endpoints are deployed under the same application EPG. Only the ICMP traffic must be permitted within the Web_EPG. Which two actions must be taken to accomplish this goal? (Choose two.)

A. Check box of forward control proxy ARP.
B. Set VRF policy control preference to unenforced.
C. Add Taboo contract on the Web_EPG.
D. Configure intra EPG contract under Web_EPG.
E. Mark intra EPG isolation as enforced.

Answer

D. Configure intra EPG contract under Web_EPG.
E. Mark intra EPG isolation as enforced.

Explanation

To restrict communication between endpoints in the same Web_EPG to only allow ICMP traffic, you need to take the following two actions:

D. Configure an intra-EPG contract under the Web_EPG. An intra-EPG contract defines the traffic filtering rules for endpoints within the same EPG. By creating a contract that permits only ICMP and applying it as an intra-EPG contract to Web_EPG, you ensure only ICMP traffic is allowed between the endpoints.

E. Mark intra-EPG isolation as enforced on the Web_EPG. This enables endpoint isolation within the EPG. With isolation enforced, endpoints in Web_EPG can only communicate with each other based on the intra-EPG contract rules. Any traffic not explicitly allowed by the contract will be blocked.

The other options are incorrect or irrelevant:
A. Forwarding proxy ARP requests is unrelated to filtering endpoint traffic.
B. Leaving VRF policy control as enforced (the default) is recommended.
C. A taboo contract denies specific traffic but doesn’t help allow only ICMP.

In summary, configuring an intra-EPG contract allowing only ICMP traffic and enabling endpoint isolation on the Web_EPG will permit only ICMP communication between its endpoints, fulfilling the stated goal. Proper EPG design and contract usage are key topics for the Cisco 350-601 exam.
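As an added example (not part of the original question or any Cisco material), the following audit checks an exported tenant configuration for both conditions described above: isolation enforced on the EPG, and an intra-EPG contract whose filters match ICMP only. The class and attribute names (`fvAEPg`/`pcEnfPref`, `fvRsIntraEpg`, `vzBrCP`, `vzSubj`, `vzRsSubjFiltAtt`, `vzFilter`, `vzEntry`) are taken from the APIC object model rather than from this page, and the tenant, contract and filter names in the sample are constructed.

```python
def sample_tenant(isolation="enforced", prot="icmp"):
    """Constructed, trimmed APIC-style JSON export of one tenant (not from the page)."""
    return {"fvTenant": {"attributes": {"name": "T1"}, "children": [
        {"vzFilter": {"attributes": {"name": "icmp_only"}, "children": [
            {"vzEntry": {"attributes": {"name": "e1", "etherT": "ip", "prot": prot}}}]}},
        {"vzBrCP": {"attributes": {"name": "web_intra"}, "children": [
            {"vzSubj": {"attributes": {"name": "s1"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "icmp_only"}}}]}}]}},
        {"fvAp": {"attributes": {"name": "App"}, "children": [
            {"fvAEPg": {"attributes": {"name": "Web_EPG", "pcEnfPref": isolation}, "children": [
                {"fvRsIntraEpg": {"attributes": {"tnVzBrCPName": "web_intra"}}}]}}]}},
    ]}}

def walk(node):
    """Yield (class, attributes, children) for every managed object in the tree."""
    for cls, body in node.items():
        kids = body.get("children", [])
        yield cls, body.get("attributes", {}), kids
        for kid in kids:
            yield from walk(kid)

def audit_intra_epg(tenant, epg_name):
    """Return findings; an empty list means only ICMP is permitted inside the EPG."""
    objs = list(walk(tenant))
    filters = {a["name"]: [e["vzEntry"]["attributes"] for e in k if "vzEntry" in e]
               for c, a, k in objs if c == "vzFilter"}
    contracts = {a["name"]: [x[1]["tnVzFilterName"] for s in k for x in walk(s)
                             if x[0] == "vzRsSubjFiltAtt"]
                 for c, a, k in objs if c == "vzBrCP"}
    epg = next(((a, k) for c, a, k in objs
                if c == "fvAEPg" and a.get("name") == epg_name), None)
    if epg is None:
        return [f"EPG {epg_name} not found"]
    attrs, kids = epg
    findings = []
    # Step E on the page: isolation must be enforced (a missing value counts as unenforced).
    if attrs.get("pcEnfPref", "unenforced") != "enforced":
        findings.append("intra-EPG isolation is not enforced")
    # Step D on the page: an intra-EPG contract whose filter entries match ICMP only.
    bound = [k["fvRsIntraEpg"]["attributes"]["tnVzBrCPName"]
             for k in kids if "fvRsIntraEpg" in k]
    if not bound:
        findings.append("no intra-EPG contract attached")
    for name in bound:
        for flt in contracts.get(name, []):
            # A filter missing from the export is reported rather than trusted.
            for entry in filters.get(flt, [{"name": "?", "prot": "unresolved"}]):
                if entry.get("prot") != "icmp":
                    findings.append(f"{name}/{flt}/{entry['name']} permits prot={entry.get('prot')}")
    return findings
```

Calling `audit_intra_epg(sample_tenant(), "Web_EPG")` returns an empty list; changing either the isolation setting or the filter protocol in the sample produces a finding.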
