Question 338 of 500
Domain: Network · Difficulty: hard · Multiple choice · Objective-mapped

Quick Answer

The answer is that the leaf switches have not downloaded the updated policy. In Cisco ACI, the APIC serves as the centralized policy repository, but enforcement happens locally on the leaf switches, which must download and apply the contract rules to their hardware forwarding tables. When a contract is correctly configured on the APIC yet traffic is still permitted, the most likely cause is a delay in policy propagation—the leaf has not completed the policy resolution process, often due to a communication hiccup or processing backlog. This scenario directly tests your understanding of ACI’s distributed enforcement model on the Cisco DCCOR 350-601 exam, where a common trap is assuming that a correct APIC configuration guarantees immediate enforcement. Remember: the APIC dictates, but the leaf executes. Memory tip: “APIC writes the rules, but the leaf must read them.”

350-601 Network Practice Question

This 350-601 practice question tests your understanding of the Network domain. The scenario asks you to isolate a root cause — eliminate options that address a different problem before choosing. After answering, compare your reasoning against the explanation and wrong-answer breakdown below. Once you have made your selection, read the full explanation to reinforce the concept and understand why each distractor is designed to mislead on exam day.

A large cloud provider is building a new data center using Cisco ACI with multiple leaf and spine switches. They plan to host thousands of tenants with overlapping IP addresses in different VRFs. The network team has deployed the fabric with a common security policy. During testing, they discover that traffic from Tenant A to Tenant B is being allowed even though a contract should deny it. The APIC policy shows the contract is applied to the EPGs and the deny rule is present. What is the most likely cause of the policy not being enforced?

Clue words in this question

Noticing these words before you look at the options changes how you read each choice.

  • Clue: "most likely"

    Why it matters: Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.


Correct answer & explanation

The leaf switches have not downloaded the updated policy.

In Cisco ACI, the leaf switches enforce contracts locally based on the policy downloaded from the APIC. If a contract is correctly configured on the APIC but traffic is still permitted, the most likely cause is that the leaf switches have not yet received or applied the updated policy. This can happen due to a delay in policy propagation, a communication issue between the APIC and leaf switches, or the leaf not having completed the policy resolution process.

Key principle: Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Answer analysis

Option-by-option breakdown

For each option: why learners choose it and why it is or isn't the right answer here.

  • The fabric is using VRF leaking that bypasses contracts.

    Why it's wrong here

    VRF leaking is not a standard feature and would be deliberate.

  • The contract is not configured with the correct subject.

    Why it's wrong here

    The subject would affect what traffic is allowed, but the contract exists.

  • The leaf switches have not downloaded the updated policy.

    Why this is correct

    Leaves may have stale policy if not refreshed.

    Clue confirmation

    The clue word "most likely" in the question points toward this answer.

    Related concept

    Read the scenario before looking for a memorised answer.

  • The EPGs are in the same bridge domain.

    Why it's wrong here

    EPGs in the same BD still require a contract for inter-EPG traffic.

Common exam traps

Common exam trap: answer the scenario, not the keyword

Cisco often tests the misconception that once a contract is configured on the APIC, it is immediately enforced everywhere, ignoring the asynchronous policy download and local leaf switch policy resolution process.

Detailed technical explanation

How to think about this question

ACI uses a policy-driven architecture where the APIC compiles and pushes policy to leaf switches via the OpFlex protocol. Leaf switches maintain a local policy resolution cache; if a leaf fails to receive or process the updated policy (e.g., due to a fabric disruption or a stale cache), it may continue to use the previous forwarding rules. The `show zoning-rule` command on the leaf can be used to verify whether the contract rules are installed locally.

Key Concepts to Remember

  • Read the scenario before looking for a memorised answer.
  • Find the constraint that changes the correct option.
  • Eliminate answers that are true in general but not in this case.

Exam Day Tips

  • Watch for words such as best, first, most likely and least administrative effort.
  • Review why wrong options are wrong, not only why the correct option is correct.

Key takeaway

Answer the scenario, not the keyword: identify the specific constraint before choosing the most familiar-sounding option.

Real-world example

How this comes up in practice

A security administrator must allow nursing staff to reach a patient records server while blocking access from the guest Wi-Fi VLAN. After applying an extended ACL, traffic is still blocked from nursing workstations. The ACL was applied outbound instead of inbound on the wrong interface. Questions like this test ACL direction and placement rules.

What to study next

Got this wrong? Here's your next step.

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.


FAQ

Questions learners often ask

What does this 350-601 question test?

Network — This question tests the Network domain: read the scenario before looking for a memorised answer.

What is the correct answer to this question?

The correct answer is: The leaf switches have not downloaded the updated policy. — In Cisco ACI, the leaf switches enforce contracts locally based on the policy downloaded from the APIC. If a contract is correctly configured on the APIC but traffic is still permitted, the most likely cause is that the leaf switches have not yet received or applied the updated policy. This can happen due to a delay in policy propagation, a communication issue between the APIC and leaf switches, or the leaf not having completed the policy resolution process.

What should I do if I get this 350-601 question wrong?

Identify which exam domain this question belongs to, review the core concept, then practise similar questions from the same domain.

Are there clue words in this question I should notice?

Yes — watch for: "most likely". Probability qualifier — the question wants the most probable cause or outcome, not a guaranteed one. Eliminate low-probability options.

What is the key concept behind this question?

Read the scenario before looking for a memorised answer.

About these practice questions

Courseiva creates original exam-style practice questions with explanations and wrong-answer analysis. It does not publish real exam questions, exam dumps, or protected exam content.

Same concept, more angles

1 more way this is tested on 350-601

These questions test the same concept from different angles. Work through them to make sure you can recognise it however the exam phrases it.

Variation 1. In a Cisco ACI fabric, a tenant has multiple bridge domains in the same VRF all with 'Unicast Routing' enabled and hardware proxy mode. However, endpoints in different BDs within the same VRF cannot communicate even with a contract. What is a possible reason?

Difficulty: hard
  • A. The 'L3 Unknown Multicast Flooding' is set to flood.
  • B. The 'ARP Flooding' is enabled.
  • C. The contracts are unidirectional.
  • D. The bridge domains are in different subnets.

Why B: When 'Unicast Routing' is enabled on a bridge domain (BD) in hardware proxy mode, the ACI fabric relies on the endpoint database to forward traffic between BDs within the same VRF. For inter-BD communication, the source BD must learn the destination endpoint's MAC address via ARP. If 'ARP Flooding' is disabled (the default when Unicast Routing is enabled), the fabric does not flood ARP requests to remote BDs; instead, it expects the ARP request to be resolved by the COOP database. However, in hardware proxy mode, the fabric does not automatically proxy ARP for endpoints in different BDs, so ARP requests are dropped, preventing communication even with a contract. Enabling 'ARP Flooding' allows ARP requests to flood across BDs, enabling endpoint discovery and thus inter-BD communication.


Last reviewed: Jun 24, 2026
