Section 1: Basic Cisco ACI L3Out Interview Questions
1. What is L3Out in Cisco ACI?
L3Out (Layer‑3 Outside) is the ACI construct that provides external Layer‑3 connectivity between the ACI fabric and networks outside the fabric.
2. Why do we need L3Out?
L3Out is used to:
- Connect the fabric to external routers, WAN and Internet edges
- Insert firewalls and other Layer-3 service devices in the path
- Carry north-south traffic
- Exchange routes: advertise bridge-domain subnets out of the fabric and import external prefixes into a VRF
3. Is L3Out mandatory in ACI?
No. L3Out is required only if the ACI fabric needs external Layer‑3 communication.
4. Where is L3Out configured?
L3Out is configured under a Tenant, associated with exactly one VRF (and a Layer-3 domain), and deployed on the leaf switches listed in its node profile, normally the border leafs.
5. Is L3Out Layer‑2 or Layer‑3?
L3Out is a Layer-3 construct. Even an SVI-based L3Out uses the VLAN only as transport to reach the external router; what the fabric applies on it is routing and contracts, not bridging.
Section 2: L3Out Components Interview Questions
6. What are the main components of L3Out?
- L3Out object (with its VRF association and Layer-3 domain)
- Logical Node Profile (which leafs, with their router IDs)
- Logical Interface Profile (which ports, addressing, routing-protocol peers)
- External EPG with its external subnets
- Contracts
7. What is a Logical Node Profile?
It defines which leaf nodes participate in the L3Out.
8. What is a Logical Interface Profile?
It defines:
- Interface type (routed port, routed sub-interface, or SVI)
- IP addressing of the leaf-side interface
- Encapsulation (VLAN, for sub-interfaces and SVIs)
- Connectivity to the external device, including routing-protocol peers (for example a BGP peer profile on the interface)
9. Can L3Out be deployed on multiple leafs?
Yes. L3Out is commonly deployed on multiple leaf switches for redundancy.
10. What happens if an L3Out leaf fails?
Traffic fails over to the other L3Out-enabled leafs, provided the design allows it: ECMP or routing-protocol reconvergence on the external side, and more than one leaf in the node profile on the fabric side.
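As an added example (not code from the page), here are the components above expressed as the APIC REST JSON that creates them, plus a lint that catches the VRF, redundancy, classification and contract mistakes discussed later on the page before anything is pushed. The class and attribute names are the APIC object model; the tenant "Prod", VRF, domain, leaf IDs, addresses, ASN and contract name are invented placeholders.

```python
"""Build and lint the APIC REST JSON for a redundant BGP L3Out.

Added example; not the page's own code. The class and attribute names
(l3extOut, l3extRsEctx, l3extLNodeP, l3extLIfP, l3extRsPathL3OutAtt,
bgpPeerP, l3extInstP, l3extSubnet, fvRsCons) are the APIC object model.
The tenant, VRF, domain, leaf IDs, addresses, ASN and contract name below
are invented placeholders.
"""
import json


def mo(cls, attrs, children=()):
    """One managed object in APIC JSON shape: {class: {attributes, children}}."""
    return {cls: {"attributes": dict(attrs), "children": list(children)}}


def l3out_payload(name, vrf, l3dom, asn, nodes, links, ext_subnets, contract):
    """nodes: [(leaf_id, router_id)]; links: [(leaf_id, port, ip/len, peer_ip)];
    ext_subnets: prefixes the External EPG classifies (import-security)."""
    node_atts = [mo("l3extRsNodeL3OutAtt",
                    {"tDn": f"topology/pod-1/node-{leaf}",
                     "rtrId": rid, "rtrIdLoopBack": "no"})
                 for leaf, rid in nodes]
    paths = [mo("l3extRsPathL3OutAtt",
                {"tDn": f"topology/pod-1/paths-{leaf}/pathep-[{port}]",
                 "ifInstT": "l3-port",            # routed port, no VLAN
                 "addr": addr, "encap": "unknown", "mtu": "inherit"},
                [mo("bgpPeerP", {"addr": peer},   # eBGP peer on that link
                    [mo("bgpAsP", {"asn": str(asn)})])])
             for leaf, port, addr, peer in links]
    node_profile = mo("l3extLNodeP", {"name": "NP"},
                      node_atts + [mo("l3extLIfP", {"name": "IFP"}, paths)])
    ext_epg = mo("l3extInstP", {"name": "EXT-EPG"},
                 [mo("l3extSubnet", {"ip": p, "scope": "import-security"})
                  for p in ext_subnets]
                 + [mo("fvRsCons", {"tnVzBrCPName": contract})])
    return mo("l3extOut", {"name": name},
              [mo("l3extRsEctx", {"tnFvCtxName": vrf}),          # VRF binding
               mo("l3extRsL3DomAtt", {"tDn": f"uni/l3dom-{l3dom}"}),
               mo("bgpExtP", {}),                                 # enable BGP
               node_profile, ext_epg])


def walk(obj):
    """Yield (class, attributes) for every object in a payload tree."""
    for cls, body in obj.items():
        yield cls, body["attributes"]
        for child in body.get("children", []):
            yield from walk(child)


def lint_l3out(payload):
    """Catch the classic L3Out mistakes before the payload is posted."""
    objs = list(walk(payload))
    issues = []
    if not any(c == "l3extRsEctx" and a.get("tnFvCtxName") for c, a in objs):
        issues.append("no VRF association (l3extRsEctx): routes will blackhole")
    leafs = {a["tDn"] for c, a in objs if c == "l3extRsNodeL3OutAtt"}
    if len(leafs) < 2:
        issues.append("single leaf in the node profile: no redundancy")
    classify = [a for c, a in objs
                if c == "l3extSubnet" and "import-security" in a.get("scope", "")]
    if not classify:
        issues.append("External EPG classifies nothing: traffic is dropped "
                      "even with a contract")
    if any(a["ip"] == "0.0.0.0/0" for a in classify):
        issues.append("warning: 0.0.0.0/0 external subnet matches every "
                      "external source; keep the contract narrow")
    if not any(c in ("fvRsCons", "fvRsProv") for c, _ in objs):
        issues.append("no contract on the External EPG: deny by default")
    return issues


if __name__ == "__main__":
    payload = l3out_payload(
        name="L3OUT-WAN", vrf="Prod-VRF", l3dom="L3DOM-WAN", asn=65001,
        nodes=[(101, "10.255.0.101"), (102, "10.255.0.102")],
        links=[(101, "eth1/1", "10.0.0.1/30", "10.0.0.2"),
               (102, "eth1/1", "10.0.0.5/30", "10.0.0.6")],
        ext_subnets=["0.0.0.0/0"], contract="CT-Web-to-WAN")
    print(lint_l3out(payload))
    # POST the body to https://<apic>/api/mo/uni/tn-Prod.json (tenant "Prod"
    # is a placeholder) after an authenticated aaaLogin session.
    print(json.dumps(payload, indent=1))
```

The payload posts under the tenant DN; change ifInstT to "sub-interface" or "ext-svi" and set encap to "vlan-N" for the SVI designs covered later on the page. The lint is deliberately strict about 0.0.0.0/0: it is often the right classification for an Internet L3Out, but it makes the External EPG match every external source, so the contract attached to it is the only thing limiting exposure.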
Section 3: L3Out and Routing Protocol Interview Questions
11. Which routing protocols are supported with L3Out?
- Static routing
- OSPF
- EIGRP
- BGP
12. Which routing protocol is most commonly used?
BGP, for scalability and route-policy control (prefix lists, communities, AS-path manipulation).
13. Is OSPF supported in L3Out?
Yes, but less commonly used in large deployments.
14. Can static routes be used in L3Out?
Yes, for simple or small environments.
15. Can L3Out support ECMP?
Yes. ACI supports ECMP for L3Out when routing protocols allow it.
Section 4: L3Out and VRF Association Questions
16. Is L3Out associated with a VRF?
Yes. Every L3Out must be associated with exactly one VRF.
17. Can one L3Out be shared across multiple VRFs?
No. An L3Out belongs to exactly one VRF. Its routes and External EPG classification can, however, be leaked into other VRFs (a "shared L3Out") by marking the external subnets Shared Route Control and Shared Security Import and applying a contract across the VRFs.
18. Can multiple L3Outs exist in the same VRF?
Yes. A VRF can have multiple L3Outs.
19. Why would you create multiple L3Outs in one VRF?
- Multiple external devices
- Separate routing domains
- Different security or routing policies
20. What happens if VRF association is wrong?
Routes are installed in the wrong VRF: the intended VRF's bridge-domain subnets are never advertised, external prefixes never reach it, and traffic is blackholed.
Section 5: External EPG Interview Questions
21. What is an External EPG?
An External EPG (l3extInstP) represents the networks outside the fabric. It classifies traffic arriving from outside by the subnets configured on it with the "External Subnets for the External EPG" scope; classification is longest-prefix match across all External EPGs of the VRF.
22. Why is an External EPG required?
Because ACI is deny‑by‑default, and external networks must also follow ACI security policy.
23. How is traffic allowed between internal EPGs and External EPGs?
Using contracts.
24. Is External EPG similar to internal EPG?
Conceptually yes, but it represents external endpoints.
25. Can there be multiple External EPGs under one L3Out?
Yes.
Section 6: L3Out and Contracts (Very Important)
26. Is traffic allowed by default between ACI and external networks?
No. Traffic is denied by default.
27. How do you allow internal traffic to external networks?
Apply contracts between internal EPG and External EPG.
28. Can External EPG be provider or consumer?
It can be either or both, depending on traffic flow.
29. What happens if no contract is applied?
Traffic will be dropped, even though routing is correct.
30. Why do many L3Out issues occur?
Because routing works, but the contract is missing or wrong, or the External EPG has no subnet that classifies the external address, so the traffic never matches the contract and hits the implicit deny.
Section 7: L3Out Design Interview Questions
31. Routed Interface vs SVI – what is preferred?
Routed interfaces (or routed sub-interfaces when several VRFs or L3Outs share one physical link) are preferred for simplicity and scale.
32. When would you use SVI‑based L3Out?
When connecting to:
- Traditional VLAN‑based networks
- Legacy firewalls
33. Can L3Out connect to firewalls?
Yes, very commonly.
34. Can one firewall connect to multiple L3Outs?
Yes, depending on design.
35. Should L3Out be deployed on border leafs?
Yes. Dedicated border leafs are best practice: they keep the routing and policy scale of the external connection separate from the compute leafs and make the failure domain predictable.
Section 8: Advanced L3Out Interview Questions
36. How is route leaking handled in ACI?
Inter-VRF leaking in ACI is contract driven: a contract (scope tenant or global) between the EPG or External EPG in each VRF, plus subnet flags, "Shared between VRFs" on the bridge-domain subnet and "Shared Route Control" together with "Shared Security Import" on the External EPG subnet. A shared-services VRF in tenant common is the usual pattern.
37. Can L3Out be used with Shared Services VRF?
Yes, very commonly.
38. Can L3Out be stretched across sites?
- Multi‑Pod: Yes
- Multi‑Site: Via individual site L3Outs
39. How does L3Out behave in Multi‑Pod?
An L3Out is a tenant object, so it exists in every pod; its node profile can reference leafs in one pod or in several, and endpoints in a pod without its own border leafs use the other pod's L3Out across the IPN.
40. How does L3Out behave in Multi‑Site?
Each site normally has its own L3Out, managed from Nexus Dashboard Orchestrator (NDO) together with the stretched tenant and VRF; intersite L3Out lets endpoints in one site use another site's L3Out when needed.
Section 9: L3Out and External Connectivity Troubleshooting Questions
41. Routing is correct but traffic fails – why?
Most likely a contract or filter problem, or the External EPG has no subnet (with the external-subnet scope) that classifies the external address.
42. Endpoint can ping gateway but not internet – why?
The gateway is the bridge-domain SVI on the local leaf, so that ping proves nothing about the L3Out. Check, in order: the default route is present in the VRF on the border leaf, the External EPG has 0.0.0.0/0 (or the destination prefix) as an external subnet, and a contract exists between the endpoint's EPG and that External EPG.
43. How to verify routes learned from L3Out?
- APIC routes view (operational tab of the VRF or L3Out)
- Leaf CLI: show ip route vrf <tenant>:<vrf>, plus show bgp ipv4 unicast summary vrf <tenant>:<vrf> or show ip ospf neighbors vrf <tenant>:<vrf> for the peering state
- moquery on the L3Out, subnet and VRF objects (Section 10)
44. How do you verify contract programming?
On the leaf:
show zoning-rule scope <vrf-scope-id>
show zoning-filter filter <filter-id>
The Scope column is the VRF's scope ID (the scope attribute of fvCtx in moquery); without the scope argument all VRFs are listed. Look for an enabled permit rule whose SrcEPG/DstEPG are the pcTags of the internal EPG and the External EPG, in both directions; hit counters are in show system internal policy-mgr stats.
45. How do you verify L3Out operational status?
- APIC Health score
- Faults
- Leaf CLI
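An added example (not from the page) of the contract check in Q44 done programmatically: it parses the table that show zoning-rule prints on a leaf and answers whether a permit rule exists between two pcTags in both directions. The sample table is constructed to match that layout; the pcTags 32771 and 49153, the scope 2818048 and the contract name are invented, and column names can differ slightly between releases, so the parser keys cells by the header row.

```python
"""Check that a contract is really programmed between two pcTags.

Added example; not the page's own code. It parses the table that
`show zoning-rule scope <vrf-scope>` prints on an ACI leaf. SAMPLE below is
constructed to match that layout; the pcTags (32771, 49153), the scope
2818048 and the contract name are invented, and column names can differ
slightly between releases, so the parser keys cells by the header row.
"""

SAMPLE = """\
+---------+--------+--------+----------+----------------+---------+---------+--------------------+----------+--------------------+
| Rule ID | SrcEPG | DstEPG | FilterID |      Dir       |  operSt |  Scope  |        Name        |  Action  |      Priority      |
+---------+--------+--------+----------+----------------+---------+---------+--------------------+----------+--------------------+
| 4100    | 0      | 0      | implicit |    uni-dir     | enabled | 2818048 |                    | deny,log | any_any_any(21)    |
| 4101    | 0      | 0      | implarp  |    uni-dir     | enabled | 2818048 |                    | permit   | any_any_filter(17) |
| 4119    | 32771  | 49153  | 5        |     bi-dir     | enabled | 2818048 | Prod:CT-Web-to-WAN | permit   | fully_qual(7)      |
| 4120    | 49153  | 32771  | 5        | uni-dir-ignore | enabled | 2818048 | Prod:CT-Web-to-WAN | permit   | fully_qual(7)      |
+---------+--------+--------+----------+----------------+---------+---------+--------------------+----------+--------------------+
"""


def parse_zoning_rules(text):
    """Turn the +---/| table into a list of dicts keyed by the header cells."""
    header, rows = None, []
    for line in text.splitlines():
        if not line.startswith("|"):
            continue                       # border lines (+----+) and noise
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def permit_rules(rules, scope, a, b):
    """Enabled permit rules in the VRF scope whose endpoints are pcTags a and b."""
    a, b = str(a), str(b)
    return [r for r in rules
            if r["Scope"] == str(scope) and r["operSt"] == "enabled"
            and r["Action"] == "permit" and {r["SrcEPG"], r["DstEPG"]} == {a, b}]


def contract_programmed(rules, scope, src, dst):
    """True only when a permit exists for src->dst and for the return path.
    Contracts are stateless: with a single direction the request is passed
    and the replies are dropped, which presents as 'routing works, traffic
    fails'."""
    hits = permit_rules(rules, scope, src, dst)
    fwd = any(r["SrcEPG"] == str(src) and r["DstEPG"] == str(dst) for r in hits)
    rev = any(r["SrcEPG"] == str(dst) and r["DstEPG"] == str(src) for r in hits)
    return fwd and rev


if __name__ == "__main__":
    rules = parse_zoning_rules(SAMPLE)
    print(contract_programmed(rules, 2818048, 32771, 49153))
    print(contract_programmed(rules, 2818048, 32771, 16386))
```

The pcTags come from the pcTag attribute of the EPG objects (moquery -c fvAEPg, moquery -c l3extInstP) and the scope from the scope attribute of the VRF (moquery -c fvCtx); paste the leaf output into parse_zoning_rules and ask contract_programmed about the pair that is failing.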
Section 10: MoQuery Commands for L3Out Verification
46. Verify L3Out configuration
moquery -c l3extOut -f 'l3ext.Out.name=="<l3out>"'
(add -x 'rsp-subtree=full' to pull the node and interface profiles with it)
47. Verify External EPGs
moquery -c l3extInstP
(the pcTag attribute is the value show zoning-rule uses for the External EPG)
48. Verify L3Out subnets
moquery -c l3extSubnet
(check ip and scope: import-security is the "External Subnets for the External EPG" flag that classifies traffic; export-rtctrl only controls what is advertised)
49. Verify VRF association
moquery -c l3extRsEctx
(tnFvCtxName is the VRF each L3Out is bound to; moquery -c fvCtx then gives the VRF's scope ID and pcTag)
50. Check faults related to L3Out
moquery -c faultInst -f 'fault.Inst.dn*"out-<l3out>"'
(wildcard match on the affected DN; filtering on severity, e.g. fault.Inst.severity=="major", also works. Unfiltered faultInst output is too large to read.)
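An added example (not from the page) that ties the External EPG rules of Section 5 to the moquery checks of Q47-49: it audits the l3extSubnet and l3extRsEctx dumps offline and reports External EPGs that classify nothing, 0.0.0.0/0 classifications, and the same prefix classified by two External EPGs in one VRF (the fabric keeps one classification table per VRF, so that is ambiguous and APIC raises a configuration fault for it). The two JSON samples are constructed by hand for a fictional tenant "Prod" with four L3Outs.

```python
"""Audit External EPG subnets offline from two moquery dumps.

Added example; not the page's own code. Input is the JSON that
`moquery -c l3extSubnet -o json` and `moquery -c l3extRsEctx -o json`
print on the APIC. The two samples below are constructed by hand for a
fictional tenant "Prod" with four L3Outs; nothing here is from a real fabric.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: DN, ip, scope of each l3extSubnet object.
SUBNETS = {"imdata": [
    {"l3extSubnet": {"attributes": {"dn": dn, "ip": ip, "scope": scope}}}
    for dn, ip, scope in [
        ("uni/tn-Prod/out-L3OUT-WAN/instP-EXT-WAN/extsubnet-[0.0.0.0/0]",
         "0.0.0.0/0", "import-security"),
        ("uni/tn-Prod/out-L3OUT-WAN/instP-EXT-WAN/extsubnet-[10.0.0.0/8]",
         "10.0.0.0/8", "export-rtctrl"),                 # advertise only
        ("uni/tn-Prod/out-L3OUT-FW/instP-EXT-FW/extsubnet-[0.0.0.0/0]",
         "0.0.0.0/0", "import-security"),                # same VRF as WAN
        ("uni/tn-Prod/out-L3OUT-DMZ/instP-EXT-DMZ/extsubnet-[192.0.2.0/24]",
         "192.0.2.0/24", "import-security,shared-security,shared-rtctrl"),
        ("uni/tn-Prod/out-L3OUT-MGMT/instP-EXT-MGMT/extsubnet-[198.51.100.0/24]",
         "198.51.100.0/24", "export-rtctrl"),            # classifies nothing
    ]]}

# Constructed sample: which VRF each L3Out is bound to (l3extRsEctx).
RSECTX = {"imdata": [
    {"l3extRsEctx": {"attributes": {"dn": f"uni/tn-Prod/out-{o}/rsectx",
                                    "tnFvCtxName": v}}}
    for o, v in [("L3OUT-WAN", "Prod-VRF"), ("L3OUT-FW", "Prod-VRF"),
                 ("L3OUT-DMZ", "DMZ-VRF"), ("L3OUT-MGMT", "Prod-VRF")]]}

DN_RE = re.compile(r"uni/tn-(?P<tenant>[^/]+)/out-(?P<l3out>[^/]+)"
                   r"/instP-(?P<epg>[^/]+)/extsubnet-\[(?P<ip>[^\]]+)\]")


def vrf_map(rsectx_json):
    """{(tenant, l3out): vrf} from the l3extRsEctx dump."""
    out = {}
    for item in rsectx_json["imdata"]:
        a = item["l3extRsEctx"]["attributes"]
        m = re.match(r"uni/tn-([^/]+)/out-([^/]+)/rsectx", a["dn"])
        out[(m.group(1), m.group(2))] = a["tnFvCtxName"]
    return out


def audit(subnet_json, rsectx_json):
    """Return human-readable findings; an empty list means nothing suspicious."""
    vrfs = vrf_map(rsectx_json)
    per_epg = defaultdict(list)           # (tenant, l3out, epg) -> [(net, scopes)]
    for item in subnet_json["imdata"]:
        a = item["l3extSubnet"]["attributes"]
        m = DN_RE.match(a["dn"])
        per_epg[(m["tenant"], m["l3out"], m["epg"])].append(
            (ipaddress.ip_network(a["ip"], strict=False), a["scope"].split(",")))
    findings, seen = [], defaultdict(list)  # seen: (vrf, prefix) -> [epg]
    for key, entries in per_epg.items():
        vrf, epg = vrfs.get(key[:2], "?"), "/".join(key)
        classify = [n for n, scopes in entries if "import-security" in scopes]
        if not classify:
            findings.append(f"{epg}: no import-security subnet, the External "
                            f"EPG classifies nothing (vrf {vrf})")
        for n in classify:
            if n.prefixlen == 0:
                findings.append(f"{epg}: {n} matches every external source "
                                f"in vrf {vrf}; contracts on it are broad")
            seen[(vrf, n)].append(epg)
    for (vrf, n), epgs in seen.items():
        if len(epgs) > 1:                 # one classification table per VRF
            findings.append(f"vrf {vrf}: {n} configured on {len(epgs)} External "
                            f"EPGs ({', '.join(epgs)}): ambiguous classification")
    return findings


if __name__ == "__main__":
    for line in audit(SUBNETS, RSECTX):
        print(line)
```

On a real fabric, save the two moquery outputs with -o json, json.load them and pass them to audit(). The check is longest-prefix-match aware only in the sense that identical prefixes are flagged; a more specific prefix in a second External EPG of the same VRF is legitimate and simply wins classification for that range.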
Section 11: Common L3Out Mistakes (Interview Favorite)
51. Forgetting contracts
Most common mistake.
52. Wrong VRF association
Causes route blackholing.
53. Deploying L3Out on wrong leaf
Routes and interfaces are programmed only on the leafs in the node profile; if the external link lands on a different leaf, the L3Out interface never comes up and traffic has nowhere to exit.
54. Using SVI instead of routed interface unnecessarily
Adds VLAN and external bridge-domain state the design does not need.
55. Not planning for redundancy
Leads to single‑point failures.
Section 12: Scenario‑Based L3Out Interview Questions
56. When should you create multiple External EPGs?
When different external networks need different security policies.
57. Can multiple L3Outs advertise the same prefix?
Yes, but routing behavior must be carefully designed.
58. Can L3Out connect to non‑Cisco devices?
Yes. The L3Out speaks standard OSPF, EIGRP, BGP or static routing, so any router or firewall that supports the chosen protocol can peer with it.
59. Can L3Out be used for Internet access?
Yes, with a firewall and NAT at the edge: ACI does not perform NAT, so the Internet L3Out normally faces a firewall, and the External EPG for it usually carries 0.0.0.0/0 as its external subnet.
60. What is the biggest design challenge in L3Out?
Balancing security, simplicity, and scalability.
Conclusion
Cisco ACI L3Out is the gateway between the ACI fabric and the external world. Interviews around L3Out focus on design understanding, security enforcement, VRF association, and troubleshooting approach, not just configuration steps.
If you understand:
- How routing works
- Why contracts are mandatory
- Where L3Out should be placed
- How to verify and troubleshoot
you will handle most Cisco ACI L3Out interview questions confidently.
✅ Interview Tip
When answering L3Out questions, always explain:
- Routing
- Security (contracts)
- Placement (leafs)
- Verification