Friday, 31 October 2025

Cisco Security questions

 

The role with the highest privilege in the system and is designed for users who need complete control over system configurations, indexes, and data.

Admin

Designed for advanced users who need more capabilities than regular users but do not require full administrative access.

Power

Allows for both administrative work and data management.

Select Match

The default role for most end users and provides access to basic search and reporting functionalities.

User

Which three common mandatory configuration fields apply to all Cisco security products when using the Application Setup page within the Cisco Security Cloud app? (Choose three.)

Top of Form

  • Host
  • Index
  • Input Name
  • Interval
  • Logging level
  • Name

Bottom of Form

What is the benefit of using Cisco Security Cloud app dashboards?

Top of Form

  • Dashboards can help the administrators monitor its performance and cloud connections.
  • Dashboards can help the administrators monitor resource performance, health, errors, product activities, and data integrity.
  • Dashboards can help the SOC teams monitor unauthorized administrative access.
  • Dashboards can help the SOC teams monitor users’ internal and external activities.

To install the Cisco Security Cloud app from a file, which of the following is a valid source location from which to get the file?

  • from Cisco Download Center
  • from Splunk Add-ons documentation page
  • from Splunk Download Center
  • from Splunkbase documentation page

Bottom of Form

 

 

Which of the following apps can be used to integrate different Cisco Security Solutions?

Top of Form

  • Cisco Cloud Security app
  • Cisco Security Cloud app
  • Cisco Splunk app
  • Cisco Splunk Security apps

Bottom of Form

 

Which of the following is a Cisco Security Cloud app dashboard?

Top of Form

  • Cisco AppDynamics
  • App Insights
  • Cisco Security Cloud App
  • Resource Utilization

Bottom of Form

 

Which of the following is an indicator for scaling Splunk?

Top of Form

  • CPU and Memory Utilization: Consistently high CPU (above 50 percent) and memory usage (above 50 percent) during peak times.
  • CPU and Memory Utilization: Consistently high CPU (above 55 percent) and memory usage (above 85 percent) during peak times.
  • CPU and Memory Utilization: Consistently high CPU (above 65 percent) and memory usage (above 60 percent) during peak times.
  • CPU and Memory Utilization: Consistently high CPU (above 75 percent) and memory usage (above 80 percent) during peak times.

When configuring the Cisco Secure Firewall eStreamer integration using the Cisco Security Cloud app, what is required with a corresponding password?

  • Cisco Secure Firewall Management Center eStreamer certificate
  • Cisco Secure Firewall Management Center self-signed certificate for accessing the Cisco Secure Firewall Management Center GUI
  • Cisco Secure Firewall Management Center eStreamer API Client ID
  • Cisco Secure Firewall Management Center eStreamer username

 

 

What is shown at the bottom of the Cisco Security Cloud App > Secure Firewall Dashboard page?

Top of Form

  • Event Details table
  • Connection Events table
  • Intrusion Events widgets
  • Timeline charts

Bottom of Form

 

Which UDP port number is used by Syslog by default?

Top of Form

  • 514
  • 22
  • 443
  • 8080

Bottom of Form

 

Which three types of data can be streamed using eStreamer in Cisco Secure Firewall Management Center? (Choose three.)

Top of Form

  • discovery events
  • correlation and allow list events
  • intrusion events, malware events, file events, connection events
  • CPU and Memory, high availability, Platform Logs firewall configuration settings
  • VPN session logs

 

In Splunk, what information can be viewed on the Data Integrity dashboard for the Cisco Security Cloud Application?

Top of Form

  • Analysis reports of historical malware.
  • Detailed logs of user activity.
  • Metrics of system performance.
  • Status of events for each integrated solution.

Bottom of Form

 

Over which method and TCP port do eStreamer server and client communicate?

Top of Form

  • HTTPS Secure TLS channel over TCP port 8302
  • HTTPS Secure TLS channel over TCP port 443
  • HTTP over TCP port 80
  • Syslog over UDP port 514
  • Syslog over TCP port 514

Bottom of Form

 

Which dashboard of Cisco Security Cloud Application in Splunk provides performance information such as CPU utilization, memory utilization, and input connection health monitoring?

Top of Form

  • Data Integrity
  • Diagnostics
  • Resource Utilization
  • Secure Firewall Dashboard

Bottom of Form

 

 

Which of the following dashboards provides a unified view of the Cisco Security Cloud performance, error handling, and health monitoring?

Top of Form

  • Data Integrity Dashboard
  • Health Monitoring Dashboard
  • Resource Utilization Dashboard
  • XDR Dashboard

Bottom of Form

 

Which two of the following options are valid authentication methods for integrating Cisco XDR with Splunk Enterprise by using the Cisco Security Cloud app? (Choose two.)

Top of Form

  • Client ID
  • Direct Database Connection
  • Message Broker
  • OAuth
  • SOAP APIs

 

Which of the following tiles can be found within the Cisco XDR dashboard on the Cisco Security Cloud app?

Top of Form

  • Mean Time To Engage, Mean Time To Resolution
  • XDR Cases
  • Unresolved Incidents
  • TTP Time Line Charts

Bottom of Form

 

Which of the following methods helps verify that the integration between Cisco XDR and Cisco Security Cloud App is successful?

Top of Form

  • Checking the app status on the Cisco Security Cloud app.
  • Checking the Splunk Health Connection tool.
  • Using the command line for validation.
  • Using the dedicated validation dashboard on the Cisco XDR app.

Bottom of Form

 

Which of the following options can generate user-specific credentials to access APIs programmatically?

Top of Form

  • API client credentials
  • OAuth code client credentials
  • Username client credentials
  • Token client credentials

Bottom of Form

 

Which of the following configuration fields is optional when configuring the Cisco XDR on the Cisco Security Cloud app?

Top of Form

  • Authentication Method
  • Region
  • Promote XDR Incidents to Enterprise Security Notables
  • Import Time Range

Bottom of Form

 

Which of the following authentication methods is used when integrating Cisco XDR with Splunk Cloud?

Top of Form

  • client certificate authentication
  • OAuth authentication
  • passwordless authentication
  • token-based authentication

Bottom of Form

 

Which dashboard helps an administrator ensure compliance with security policies such as MFA and locked-out users?

Top of Form

  • Cisco Multicloud Defense dashboard on Cisco Security Cloud app.
  • Duo Dashboard on Cisco Security Cloud app.
  • Secure Malware Analytics dashboard on Cisco Security Cloud app.
  • Secure Network Analytics dashboard on Cisco Security Cloud app.

Bottom of Form

 

How would you integrate the Cisco Secure Network Analytics with the Cisco Security Cloud app?

Top of Form

  • Create a Cisco Security Cloud app user with the needed permissions, and configure the Cisco Secure Network Analytics in the Cisco Security Cloud app.
  • Create a Cisco Secure Network Analytics SMC user with the needed permissions, determine the Cisco Secure Network Analytics Domain ID, and configure the Cisco Secure Network Analytics in the Cisco Security Cloud app.
  • Create the Cisco Secure Network Analytics Certificate and HTTPS connection settings and configure the Cisco Secure Network Analytics in the Cisco Security Cloud app.
  • Use the Cisco Secure Network Analytics API Key and configure Cisco Secure Network Analytics in the Cisco Security Cloud app.

Bottom of Form

 

What format does Multicloud Defense use when sending Security Events and Traffic Log information to Splunk?

Top of Form

  • structured data logs
  • semi-structured JSON data logs
  • syslogs
  • unstructured data logs

Bottom of Form

 

 

Which four attributes are mandatory, when configuring the Cisco Secure Email Threat Defense Connection configuration settings? (Choose four.)

Top of Form

  • API Key
  • Client ID
  • Email Threat Defense client certificate
  • Email Threat Defense IP address or hostname
  • Region name
  • Security Key

 

Which two of the following attributes are mandatory, when configuring the SNA Connection configuration settings? (Choose two.)

Top of Form

  • API Key
  • API Secret
  • Cisco Security Cloud app IP Address
  • Domain ID
  • SMC username

Which method is valid for verifying Cisco Duo's integration with Cisco Security Cloud app?

Top of Form

  • Checking the Duo Dashboard on the Cisco Security Cloud app.
  • Generating integration validation report from the Cisco Security Cloud app.
  • Using the Cisco Duo integration validation tool.
  • Using the Cisco Security Cloud app integration validation tool.

Bottom of Form

 

Which method does the Multicloud Defense use to communicate with Splunk?

Top of Form

  • APIs
  • DB connect
  • Universal forwarder
  • HEC

Bottom of Form

 

Bottom of Form

 

Which of the following is a Cisco Security Cloud app dashboard?

Top of Form

  • Cisco AppDynamics
  • App Insights
  • Cisco Security Cloud App
  • Resource Utilization

Bottom of Form

Bottom of Form

 

 

Posted by at No comments:

CESA, NVM Questions

 

Question 1 -  As your company's employees work both on and off-premises, you plan to collect flow context from the endpoints to gain visibility into user behaviors. Since you have already deployed Cisco Secure Client, you plan to add NVM and ingest the related events into Splunk for advanced security analytics. Which Splunk app/add-on should you use for this purpose?

Top of Form

  • The Cisco Security Cloud app
  • The Cisco SNA app
  • The Cisco Endpoint Threat Defense app and Cisco Endpoint Threat Defense add-on
  • The CESA app and CESA Add-OnBottom of Form

 

Question 2 - You are planning to transition the Cisco security legacy apps that you use in Splunk with the Cisco Secure Cloud app. Which three are benefits provided by the Cisco Security Cloud app? (Choose three.)

Top of Form

  • Consistent index creation and data parsing that ensures efficient processing of ingested data of each product.
  • One index that is used for the ingested data from the supported Cisco products.
  • A specific dashboard for each product that facilitates on-time and detailed analysis of ingested data.
  • One built-in dashboard that shows all the possible integrations in one place for events analysis.
  • Integration with Splunk SOAR for automated responses to threats.
  • Software updates and compatibility with the latest Splunk platform versions.

 

 

Question 3 - For which legacy app setup do you need to copy the certificate and specify the required certificate name in Splunk so it can authenticate with the server for data ingestion?

Top of Form

  • Duo Splunk Connector
  • Cisco Secure Network Analytics (Stealthwatch) App for Splunk Enterprise
  • Cisco Secure eStreamer Client Add-On for Splunk
  • Cisco Secure Malware Analytics

Bottom of Form

 

Question 4 - You are using Cisco Secure Network Analytics for contextual visibility and monitoring of your private network and public cloud. You plan to ingest data from the Secure Network Analytics Management Console into Splunk and want to try the legacy app first and explore built-in dashboards so you can compare it with the Cisco Security Cloud later on. Which legacy app can you use?

Top of Form

  • Cisco Cloud Security App
  • Cisco Secure Network Analytics (Stealthwatch) App
  • Cisco Stealthwatch App
  • Cisco Netflow Analytics App for Splunk

 

 

Question 5 - What is the primary function of a Splunk Technology Add-on (TA)?

Top of Form

  • To provide comprehensive dashboards and reports for end-users.
  • To manage user authentication and authorization within Splunk.
  • To execute ad-hoc searches and generate alerts based on raw data.
  • To facilitate the onboarding, parsing, and normalization of data from specific sources.

Question 6 - You are searching Splunkbase for the Cisco Secure Firewall app for Splunk to see whether this app has reached end-of-life. Which two provide information for the end-of-life notice on the app page in Splunkbase? (Choose two.)

Top of Form

  • In the description under the app name
  • In the Compatibility field
  • In the Support field
  • In the Version History tab
  • In the Summary tab
  • In the Installation tab

 

 

Question 7 - Which app requires a technology add-on for data ingestion of the supported Cisco security product?

Top of Form

  • Duo Splunk Connector
  • Splunk for Cisco ISE
  • Cisco Security Cloud  
  • Cisco Secure Malware Analytics
  • Cisco Email Threat Defense connector for Splunk

Bottom of Form

Question 8 - you have enabled ingestion of your Cisco ISE events into Splunk and installed the Splunk for Cisco ISE app for analyses. Which type of users can you inspect using this app?

Top of Form

  • Wired and wireless users
  • Wired and VPN users
  • Wireless and VPN users
  • Wired, wireless, and VPN users

 

Question 9 - Which three top level menu items are available in the Cisco ISE app in Splunk? (Choose three.)

Top of Form

  • Authentications
  • BYOD
  • ISE Profiler
  • TACACS+
  • TrustSec
  • Device Summary


Question 10 - You are setting up Cisco ISE to send Syslog events to Splunk. You have configured the Splunk server as a remote logging target, what else do you need to do?

Top of Form

  • Configure the shared secret password.
  • Install the Cisco ISE system certificate to be used for the Syslog service.
  • Choose the logging categories for the Splunk logging target.
  • Create the logging policy rules under the Admin Policy Set.

Bottom of Form

Question 11 - you are working as a SOC analyst, and you are integrating Cisco NVM on the endpoints with Splunk. You have set up the NVM Collector, and you need to configure Splunk to ingest the three feeds streamed from the collector. Which action should you take?

  • Configure three UDP data inputs, each with the port for the respective feed. 
  • Configure one UDP data input that includes all three ports for the feeds.
  •  Configure three TCP data inputs, each with the port for the respective feed. 
  • Configure one Syslog data input that includes all three ports for the feeds. 
  • Configure three Syslog data inputs, each with the port for the respective feed.

 

 

 

Question 12 - The employees in your organization connect to your corporate network through VPN from various locations, and you want to obtain insights into the traffic that is sent through the tunnel using the CESA app in Splunk. Which two options in the Zero Trust – VPN Split Tunneling/Network Monitor dashboard can you use to filter the display of information that is related to the traffic in the VPN tunnels? (Choose two.)

Top of Form

  • Wired
  • Untrusted
  • Virtual
  • VPN
  • Trusted

 

Question 13 - During the verification of the NVM integration with Splunk, you need to confirm that the NVM collector status is active (running). This will help you ensure that the NVM collector is continuously receiving IPFIX data from the NVM endpoints. Which command should you use on the NVM Collector?

Top of Form

  • sudo systemctl status acnvm.collector
  • sudo systemctl status nvm.collector
  • sudo systemctl status acnvm.service
  • sudo systemctl status nvm.service

Bottom of Form

Question 14 - You need to modify the Splunk IP address in the NVM Collector configuration file. Which two options specify the name of the configuration file and the path where it is located? (Choose two.)

Top of Form

  • /opt/cisco/nvm
  • /opt/acnvm/conf/
  • /opt/nvm/conf/
  • nvm.conf
  • nvm.xml
  • acnvm.conf

 

Question 16 - Which CESA App homepage category provides access to dashboards that visualize application behavior, such as top applications by volume and flow, top source and destination ports, as well as utilization data and integrated view of application processes?

Top of Form

  • Devices
  • Applications
  • Users
  • Locations

Bottom of Form

 

Bottom of Form

 

Question 17 - You have installed Cisco Enterprise Networking for Splunk Platform on Splunk to use the app's built-in dashboards to analyze events ingested from your enterprise environment. Which three Cisco products do the app dashboards support? (Choose three.)

Cisco ISE

Cisco Duo

Cisco Secure Endpoint

 Cisco Catalyst SD-WAN

Cisco Secure Firewall

Cisco Catalyst Center Bottom of Form

 

 

Question 18 - You have Cisco ISE and Splunk in your environment, and you want to try the Cisco ISE Data Connect to query Cisco ISE from Splunk for analysis and report creation. Which two components do you need for the integration? (Choose two.)

 Splunk DB Connect Splunk for Cisco ISE

Splunk Add-on for Cisco Identity Services

Splunk DBX Add-on for MySQL JDBC

Splunk DBX Add-on for Oracle JDBC

 

 

 

Question 19 - You have integrated Cisco NVM on the endpoints with Splunk to obtain deep endpoint visibility using the CESA app. Which two types of analyses can you perform with the built-in dashboards in the CESA app? (Choose two.)

Top of Form

  • CPU usage on endpoints
  • Data and traffic across VPN and split tunnels
  • Suspicious emails containing phishing links
  • Endpoints using unapproved or block listed applications
  • System performance metrics for virtual servers

 

Which file contains the three following ports used between the Cisco NVM Collector and Splunk? "syslog_flowdata_server_port" : 20519 "syslog_sysdata_server_port" : 20520 "syslog_intdata_server_port" : 20521

Top of Form

  • acnvm.conf file on the Cisco NVM Collector
  • NVM_ServiceProfile.xml file on the Cisco NVM Collector
  • acnvm.conf file on the Client running Cisco NVM
  • NVM_ServiceProfile.xml file on the Client running Cisco NVM

Bottom of Form

 

 

 

 

Posted by at No comments:

Tuesday, 23 September 2025

MD5 to SHA/AES Migration

1. Why Replace MD5?

- MD5 is vulnerable to collision attacks, allowing attackers to generate the same hash with different inputs.

- It is not resistant to brute-force attacks with modern compute power.

- Officially deprecated by IETF (RFC 6151).

Impact in Cisco Protocols:

- BGP/OSPF/HSRP: Forged packets could establish false adjacencies, hijack sessions, or disrupt routing.

- SNMPv3: MD5 + DES weakens management plane security, allowing interception/alteration of NMS traffic.

2. Cisco Cryptography Alternatives

BGP:

- Legacy: MD5 neighbor password.

- Modern: HMAC-SHA-256 key-chains or TCP-AO with SHA-256 (IOS-XE 17.x+, NX-OS 9.3+, IOS-XR 7.x+).

- For untrusted eBGP links: IPsec tunnel protection.

OSPF:

- Legacy: MD5 authentication.

- Modern: OSPFv2 with HMAC-SHA-256 key-chains, OSPFv3 with IPsec ESP/AH (SHA-2).

HSRP:

- Legacy: MD5 standby authentication.

- Modern: HSRPv2/v3 with HMAC-SHA-256 key-chains.

SNMPv3:

- Legacy: MD5 authentication with DES privacy.

- Modern: SHA authentication with AES-128/192/256 for privacy.

3. Technical Migration Principles

- Dual Authentication: Cisco supports key-chains with multiple keys/lifetimes (MD5 + SHA overlap).

- Protocol Dependency: Routing protocols (BGP, OSPF, HSRP) first; management plane (SNMPv3) last.

- Platform Considerations:

   * IOS-XE: HMAC-SHA-256 since 15.1(2)SY / XE 3.7.

   * NX-OS: SHA since 7.0(3)I7; TCP-AO in 9.3+.

   * IOS-XR: SHA/TCP-AO since 6.0+.

   * ASA/FTD: SNMPv3 with SHA/AES since 9.x.

4. Example – Dual Authentication with Key-Chain

key chain BGP_KEYS
 key 1
  key-string OLD-MD5-KEY
  cryptographic-algorithm md5
  accept-lifetime 00:00:00 Jan 1 2024 infinite
  send-lifetime 00:00:00 Jan 1 2024 23:59:59 Dec 31 2024
 key 2
  key-string NEW-SHA-KEY
  cryptographic-algorithm hmac-sha-256
  accept-lifetime 00:00:00 Jan 1 2024 infinite
  send-lifetime 00:00:00 Jan 1 2025 infinite

- During migration: both MD5 and SHA valid.
- After cutover: disable MD5 lifetime, leaving only SHA active.

5. Risks of Not Migrating

- Vulnerable to route hijacking (BGP).

- HSRP hijack: attacker takes over virtual IP.

- SNMPv3 downgrade: attacker reads/changes monitoring data.

- Non-compliance with NIST SP 800-131A, PCI-DSS, ISO 27001.

6. Operational Benefits After Migration

- Stronger compliance (SHA-256/AES-256).

- Reduced risk of cryptographic attacks.

- Consistent key rotation policies across protocols.

- Future-proof with TCP-AO, OSPFv3 IPsec, SNMP AES-256.

Part II – Migration Plan

1. Objectives

- Eliminate weak cryptography (MD5, DES/3DES).

- Standardize on SHA-256 (or higher) and AES.

- Ensure minimal disruption with staged rollout and rollback.

2. Scope

Protocols: BGP, OSPFv2/OSPFv3, HSRP, SNMPv3.

Platforms: IOS-XE (Cat9K, ISR, ASR1K), NX-OS (Nexus 9K/7K/3K), IOS-XR (ASR9K, NCS), ASA/FTD.

3. Phased Migration Approach

Phase 1 – Discovery & Assessment

1. Inventory devices (OS version, crypto configs).

2. Verify feature support for SHA-2/TCP-AO.

3. Identify OS upgrade needs.

4. Prioritize migration order: Core (BGP/OSPF), Edge (HSRP), Management (SNMPv3).

Phase 2 – Lab Validation

1. Build lab/DR setup.

2. Validate SHA-256 configs for BGP, OSPF, HSRP.

3. Validate OSPFv3 with IPsec ESP/AH.

4. Validate SNMPv3 with SHA/AES.

5. Test dual-auth fallback.

6. Check interoperability (multi-vendor if applicable).

Phase 3 – Pilot Rollout

1. Select low-risk sites.

2. Implement SHA configs in parallel with MD5.

3. Monitor adjacency/polling.

4. Rollback to MD5-only if needed.

Phase 4 – Production Migration

Step A: BGP – SHA-256 key-chain, validate, remove MD5.

Step B: OSPF – SHA-256 key-chain, validate adjacency, remove MD5.

Step C: HSRP – SHA-256, validate, remove MD5.

Step D: SNMPv3 – Add SHA/AES users, migrate NMS, remove MD5/DES users.

Phase 5 – Decommission & Hardening

1. Remove MD5/DES configs.

2. Standardize on SHA-256 and AES.

3. Update golden configs and DNAC/Prime templates.

4. Document cryptographic standards in LLD/HLD.

4. Rollback Plan

- Retain MD5 in parallel until stable.

- For BGP/OSPF, fallback to MD5-only key-chain.

- For HSRP, revert to MD5 authentication.

- For SNMPv3, retain MD5/DES users until migration confirmed.

5. Risk Mitigation

- Perform change in maintenance window.

- Stagger per protocol.

- Ensure console/OOB access.

- Monitor syslog, SNMP traps, debug logs.

6. Example Cisco Configurations

BGP (IOS-XE/NX-OS):

key chain BGP_KEYS
 key 1
  key-string <secure-key>
  cryptographic-algorithm hmac-sha-256
!
router bgp 65000
 neighbor 192.0.2.1 password keychain BGP_KEYS

OSPFv2 (IOS-XE):

key chain OSPF_KEYS
 key 1
  key-string <secure-key>
  cryptographic-algorithm hmac-sha-256
!
interface Gig0/0
 ip ospf authentication key-chain OSPF_KEYS

HSRP (IOS-XE):

key chain HSRP_KEYS
 key 1
  key-string <secure-key>
  cryptographic-algorithm hmac-sha-256
!
interface Gig0/1
 standby 1 ip 10.10.10.1
 standby 1 authentication md5 key-chain HSRP_KEYS

SNMPv3 (IOS-XE/NX-OS/ASA):

snmp-server group SECURE v3 priv
snmp-server user netops SECURE v3 auth sha <auth-pass> priv aes 256 <priv-pass>

Posted by at No comments:
Labels: ,

Sunday, 7 September 2025

Rogue Endpoint Detection in Cisco ACI

 🔐 Rogue Endpoint Detection in Cisco ACI

⚠️ Problem Addressed

Rogue endpoints or misconfigured devices can cause frequent MAC/IP moves across leaf switches, leading to:

  • Network instability
  • High CPU usage
  • Crashes in endpoint mapper (EPM) and client (EPMC)
  • Rapid log rollover, making debugging difficult

🛡️ How Rogue Endpoint Control Works

The feature helps mitigate these issues by:

  • Detecting rapidly moving endpoints (MAC/IP)
  • Quarantining them by making their entries static
  • Deleting the unauthorized MAC/IP after a set interval
  • Raising a fault for visibility
  • Generating a host tracking packet to re-learn the endpoint

🔄 Behavior Based on Software Version

Version

Quarantine Behavior

Traffic Handling

Final Action

Before 3.2(6)

Endpoint is made static

Traffic is dropped during quarantine

MAC/IP is deleted after the interval

3.2(6) and later

Endpoint is made static

Traffic is allowed during quarantine

MAC/IP is deleted after the interval

 Improvement: From 3.2(6) onwards, the system is less disruptive, allowing traffic to continue while still monitoring rogue behavior.

📝 Rogue/COOP Exception List

 Purpose

Allows higher tolerance for endpoint movement before marking as rogue.

📋 Behavior

  • Endpoints in the list are marked rogue only after 3,000 moves in 10 minutes
  • Once marked:
    • Endpoint is made static
    • Deleted after 30 seconds

🆕 From APIC 6.0(3) Onwards

  • You can:
    • Create global exception lists
    • Exclude MACs from rogue detection across all bridge domains or L3Outs
    • Exclude all MACs for a specific bridge domain or L3Out

 

Posted by at No comments:
Labels: ,

Cisco ACI Mis-Cabling Protocol (MCP) – Loop Detection Simplified

Cisco ACI uses Mis-Cabling Protocol (MCP) to detect and mitigate Layer 2 loops, replacing traditional STP participation. MCP sends special Layer 2 packets across access ports, VPCs, and virtual ports. If the fabric receives its own MCP packet, it identifies a loop and can either log the event or error-disable the port.

 Key Highlights:

  • Global MCP policies are disabled by default; port-level policies are enabled.
  • Global MCP Policy:
    This is the master switch that controls whether MCP is active across the entire fabric.
    • Disabled by default: Even though individual ports may be configured to support MCP, no MCP packets are sent unless this global policy is explicitly enabled.
  • Port-Level MCP Policy:
    These are the interface-specific settings that determine how each port behaves when MCP is active.
    • Enabled by default: Ports are ready to participate in MCP loop detection, but they won’t actually send or process MCP packets unless the global policy is turned on.
  • MCP works complementarily with STP on external switches.
  • BPDU filtering or disabling loopguard on external switches helps prevent loop-related issues.
  • Endpoint move loop detection is available but disabled by default.
  • MCP supports native VLAN mode and per-VLAN mode (from APIC 2.0(2)) for granular loop detection.
  • Faster detection introduced in APIC 3.2(1) with transmission intervals as low as 100 ms.
  • Scalability limits: 256 VLANs per interface and 2000 logical ports per leaf switch. Per-VLAN MCP will only run on 256 VLANs per interface. If there are more than 256 VLANs, then the first numerical 256 VLANs are chosen.

🔐 MCP Modes:

  • Non-Strict Mode: Allows traffic while monitoring for loops; default detection time is 7 seconds.
  • Strict Mode (from APIC 5.2(4)):
    • Performs early loop detection before allowing data traffic.
    • Uses initial delay and grace period timers for STP convergence and aggressive MCP checks.
    • Requires port flap to activate on already-up ports.

⚠️ Strict Mode Guidelines:

  • Not supported on FEX or QinQ edge ports.
  • Requires APIC 5.2(4) or later on all participating leaf switches.
  • May impact vPC convergence time.
  • Must be disabled before downgrading the fabric.
  • Can cause both ports to error-disable if loops are detected simultaneously.

MCP Mode Comparison Table

Feature

Non-Strict Mode

Strict Mode

Traffic Acceptance

Accepts data and control traffic immediately

Initially blocks data traffic; only control packets allowed

Loop Detection Timing

MCP packets sent every 2 seconds; loop detection in ~7 seconds

Aggressive MCP packet transmission during grace period (default 3 sec)

Early Loop Detection

Not performed

Performed before allowing data traffic

Port Behavior on Loop Detection

Port is error-disabled

Port is error-disabled and shut down

Activation Requirement

Active immediately

Requires port flap to activate if port is already up

Timers Used

Global MCP instance policy

Initial delay timer + grace period timer

Default Initial Delay

Not applicable

0 seconds (can be set to 45–60 sec for STP convergence)

Default Grace Period

Not applicable

3 seconds

STP Compatibility

Works with STP

Accepts STP BPDUs even if VLAN is not enabled

Use Case

General loop detection

Early and aggressive loop prevention before traffic forwarding

 

Posted by at No comments:
Labels: , ,
Subscribe to: Comments (Atom)