Cisco · Free Practice Questions · Last reviewed May 2026
30 real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A data center engineer is troubleshooting intermittent connectivity between two servers in different VLANs. The servers are connected to different leaf switches in a VXLAN EVPN fabric. When checking the fabric, the engineer notices that the NVE interface on one leaf is up/up but the VNI for the server VLAN is not listed in 'show nve vni'. What is the most likely cause?
MTU mismatch on the underlay network
Anycast gateway is not configured on the leaf
BGP EVPN peers are not established
The VLAN-to-VNI mapping is missing under the VLAN configuration
The VNI must be mapped to a VLAN using 'vn-segment vlan-id' under the VLAN configuration; without it, the VNI does not appear in the NVE interface.
An organization is deploying a new ACI fabric. The design requires that traffic between EPGs in the same bridge domain be allowed by default, but traffic between EPGs in different bridge domains must be denied unless explicitly permitted. Which contract scope configuration meets this requirement?
Context (default)
Application-profile
Global
VRF
VRF scope allows contracts to apply across bridge domains within the same VRF; without a contract, traffic is denied, and with a contract, permitted.
A network engineer is configuring OSPF on a Cisco Nexus switch for a data center network. The requirement is to ensure that the switch does not become the Designated Router (DR) on a multi-access segment. Which OSPF configuration achieves this?
Set OSPF priority to 255 on the interface
Set OSPF priority to 0 on the interface
Priority 0 means the router will never become DR or BDR.
Change the OSPF network type to point-to-point
Configure the interface as passive under OSPF
During a maintenance window, a network engineer plans to upgrade the NX-OS software on a pair of Nexus 9000 switches configured as vPC peers. The engineer wants to minimize traffic disruption. Which upgrade sequence is recommended?
Upgrade both switches simultaneously using ISSU
Reload both switches to a previous version, then upgrade
Upgrade the primary vPC peer first, then the secondary
Upgrade the secondary vPC peer first, then the primary
Upgrading secondary first ensures the primary remains operational; after secondary upgrade, it can take over if needed during primary upgrade.
A data center uses Cisco ACI with multiple tenants. The security policy requires that all traffic between EPGs must be explicitly allowed via contracts. However, the operations team reports that communication between two EPGs in the same bridge domain is working even though no contract is applied. What is the most likely reason?
The default behavior in ACI allows communication between EPGs in the same bridge domain without a contract
ACI allows intra-BD communication by default; contracts are needed for inter-BD or inter-VRF traffic.
The contract is applied but not enforced due to a configuration error
The VRF has a default route that bypasses contract enforcement
A preferred group contract is applied to the VRF
Which TWO statements about VXLAN BGP EVPN control plane are true? (Choose two.)
The underlay network provides IP connectivity between VTEPs
Underlay routing (e.g., IS-IS, OSPF) enables VTEP-to-VTEP reachability.
BGP EVPN advertises MAC addresses and IP addresses as routes
EVPN Type-2 routes carry MAC/IP information.
VXLAN encapsulates Ethernet frames in IP packets using MPLS labels
VXLAN uses a 32-bit network identifier (VNI)
The control plane is responsible for actual data forwarding
An engineer is deploying a new UCS chassis with two Fabric Interconnects. The design requires that server traffic can fail over to the secondary FI if the primary FI fails, without requiring any changes to the server's network configuration. Which technology must be enabled on the uplink ports of the Fabric Interconnects to the upstream switches to ensure transparent failover of server traffic?
Configure a virtual PortChannel (vPC) between the Fabric Interconnects and upstream switches.
Apply QoS policies to prioritize failover traffic.
Enable pin groups with 'failover' mode on the server ports.
Pin groups with failover mode allow the secondary FI to assume the primary's MAC and IP, enabling transparent failover.
Implement Private VLANs on the uplink ports to isolate traffic.
A UCS administrator notices that a service profile associated with a vNIC template that uses 'fabric failover' is not failing over to the secondary Fabric Interconnect when the primary link goes down. The vNIC template is set to 'fabric failover' enabled, and both Fabric Interconnects are in the same VLAN. What is the most likely cause?
The 'Primary Fabric' setting is not defined in the vNIC template.
The primary fabric must be selected in the vNIC template for failover to function correctly.
The server is pinned to the primary Fabric Interconnect via a pin group.
The MTU size on the secondary Fabric Interconnect is set to 1500 instead of 9000.
The 'MAC Address' policy is set to 'pool-based' instead of 'static'.
An engineer is configuring a UCS server profile for a database application that requires low latency. The server will use a Cisco UCS VIC 1340 adapter. Which vNIC placement policy should be selected to minimize latency?
Assigned
Assigned placement pins the vNIC to a specific adapter port, reducing latency.
Any
Default
Round-Robin
Which TWO statements correctly describe the use of Cisco UCS Manager service profiles for server deployment?
Service profiles can only be applied to servers of the same model.
Service profiles decouple server identity from hardware, enabling rapid provisioning.
Service profiles abstract server identity, allowing quick redeployment.
A service profile can be associated with multiple servers simultaneously.
Service profiles are stored locally on the server's boot drive.
Service profiles include policies for firmware, BIOS, boot order, and network.
Service profiles encapsulate all server identity and policy settings.
Which THREE components are required to configure a Cisco UCS Direct-attached storage environment using SAS expanders?
SAS cables connecting the storage enclosure to the server's storage controller.
Direct SAS cabling is required for connectivity.
SAS expanders within the enclosure to connect multiple drives.
SAS expanders allow daisy-chaining of drives.
SAS hard drives installed in the storage enclosure.
SAS drives are the storage medium.
Fibre Channel over Ethernet (FCoE) uplinks from the storage enclosure to the Fabric Interconnect.
Fibre Channel switch for SAN connectivity.
Refer to the exhibit. A UCS administrator has configured vNIC templates as shown. Both Fabric Interconnects have identical uplink configurations. The vNIC templates have 'Failover: Enabled'. However, when Fabric Interconnect A fails, servers using vNIC-A do not fail over to Fabric Interconnect B. What is the most likely cause?
A pin group is configured that forces traffic to Fabric Interconnect A.
The native VLAN (10) is not allowed on Fabric Interconnect B's trunk.
The uplink interfaces are configured with 'spanning-tree port type edge trunk', which blocks failover traffic.
The server's service profile does not include a secondary vNIC for Fabric B.
Failover requires a secondary vNIC on the other fabric in the same service profile.
An engineer is configuring a Fibre Channel over Ethernet (FCoE) SAN. Which statement about FCoE Initialization Protocol (FIP) is true?
FIP operates only over lossless Ethernet.
FIP uses Ethernet MAC addresses for communication.
FIP uses MAC addresses for discovery and login.
FIP is used only for FCoE initialization, not for maintenance.
FIP requires IP addresses to establish FCoE sessions.
A storage administrator needs to ensure that a Fibre Channel zone configuration is operationally effective without disrupting the current active zone set. Which approach should be used?
Create the new zone configuration in the defined configuration, then activate it as a new zone set.
Standard best practice.
Delete the active zone set and create a new one.
Edit the active zone set directly.
Use the 'commit' command to update the zone set.
A data center deployment uses NPV mode on a Cisco MDS switch to connect to a core Fibre Channel switch. After configuration, the NPV switch does not register with the core. What is the most likely cause?
Fibre Channel ports are in trunk mode.
The core switch has NPV mode enabled.
NPIV is not enabled on the core switch.
Core must have NPIV enabled for NPV.
The NPV switch has an incorrect domain ID.
An engineer is tuning performance for a storage network. Which two practices improve FC SAN performance?
Disabling flow control.
Using single-initiator zoning.
Reduces inter-initiator traffic.
Ensuring adequate buffer credits.
Prevents frame loss.
Enabling broadcast zoning.
Setting fabric login timeout to the maximum.
Which FCoE component is responsible for encapsulating Fibre Channel frames into Ethernet frames?
FCoE module on the switch or adapter
The FCoE module performs encapsulation/decapsulation.
FCoE Forwarder (FCF)
Virtual Fibre Channel interface (VFC)
VN interface
A SAN administrator notices intermittent connectivity issues between an initiator and target. The Fibre Channel link shows CRC errors. What is the most likely cause?
Incorrect domain ID.
Faulty SFP or fiber optic cable.
Physical layer issues cause CRC errors.
Buffer credit starvation.
Incorrect zone configuration.
A network engineer wants to automate the deployment of a new VLAN across all Cisco Nexus switches in a data center using Python scripts. Which tool is most appropriate for this task?
Cisco NX-API with Python requests
NX-API provides RESTful API for direct configuration via Python.
SSH CLI commands via Paramiko
Ansible playbook
SNMP SET commands
A data center team is troubleshooting an automation script that uses REST API to configure a Cisco Nexus 9000 switch. The script fails with a '401 Unauthorized' error. What is the most likely cause?
API rate limiting has been exceeded
Network connectivity issue between the script and the switch
The user account does not have admin privileges
Invalid or expired authentication token
401 Unauthorized indicates authentication failure.
An engineer is designing an automation solution for a large data center with multiple Cisco UCS Manager domains. Which approach best ensures idempotent configuration operations?
Writing imperative Python scripts that execute CLI commands
Using a declarative automation tool like Ansible with idempotent modules
Declarative tools ensure the desired state is achieved regardless of current state.
Directly calling UCS Manager XML API using POST requests
Using SNMP to set configuration parameters
A DevOps team uses Ansible to automate the configuration of Cisco Nexus switches. After running a playbook, some switches have the correct configuration but others do not. The playbook uses the 'nxos_config' module. Which action should be taken to ensure consistent configuration?
Set 'ignore_errors' to true in the playbook
Use the 'backup' option to save the running config before changes
Backup provides a restore point for rollback.
Use 'serial' directive to run the playbook on one switch at a time
Enable check mode to verify changes before applying
A network engineer is implementing automated configuration management using Cisco NSO (Network Services Orchestrator). The team wants to ensure that any configuration changes made directly on the devices (out-of-band) are detected and reconciled. Which NSO feature should be used?
Configuration Database (CDB) snapshots
Fast-map synchronization
Fast-map syncs device configurations with NSO and detects drift.
Service model templates
Rollback and recovery mechanism
Which TWO statements about Cisco NX-API are correct? (Choose two.)
NX-API uses SSH for transport.
NX-API only supports GET requests.
NX-API uses HTTP/HTTPS as the transport protocol.
NX-API is a RESTful API over HTTP/HTTPS.
NX-API is only available on Nexus 3000 series switches.
NX-API can output data in XML and JSON formats.
NX-API supports both XML and JSON.
An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Use vzAny for both EPGs.
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Assign web_EPG as provider and app_EPG as consumer.
Create a contract with subject 'web_to_app' and apply filter 'tcp_8080' with direction 'both'. Assign web_EPG as provider and app_EPG as consumer.
Correct: provider sends traffic to consumer; filter permits TCP 8080; direction both allows response.
Create a contract with subject 'web_to_app' and apply filter 'ip'. Assign web_EPG as provider and app_EPG as consumer.
A customer is deploying Cisco ACI with a requirement to isolate tenant traffic in a multi-tenant environment. They want to ensure that a tenant admin can only manage their own tenant's objects. Which RBAC configuration should be implemented?
Assign the 'read-only' role to the user within the tenant.
Create a separate VRF for each tenant and assign admin to that VRF.
Create a security domain for each tenant and assign the 'tenant-admin' role to the user within that domain.
Security domains limit the scope of roles to specific tenants.
Assign the 'tenant-admin' role to the user globally.
An engineer needs to secure the management plane on a Cisco Nexus 9000 switch. Which feature should be configured to restrict access to the switch's management interface based on source IP?
Enable DHCP snooping on the management VLAN.
Enable port security on the management interface.
Configure AAA to require two-factor authentication.
Configure a management CoPP policy to rate-limit and permit only specific source IPs.
CoPP can filter management traffic to the switch.
An organization is deploying Cisco ACI in a brownfield data center. They have existing VLANs that need to be mapped to ACI EPGs. The network team notices that some VLANs are used across multiple tenants. How should the engineer design the VLAN pool to support overlapping VLANs?
Configure the VLANs as part of the EPG static binding without a pool.
Create separate VLAN pools per tenant, each containing the required VLANs.
Each tenant gets its own VLAN pool, allowing reuse.
Create one VLAN pool per physical domain and assign tenants to that domain.
Create a global VLAN pool with all VLANs and assign it to all tenants.
A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?
Enable dynamic ARP inspection on all VLANs.
Enable IP source guard on all access ports.
Enable DHCP snooping globally and configure uplink ports as trusted.
DHCP snooping filters DHCP offers from untrusted ports.
Enable MAC port security on all access ports.
A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?
show aaa authentication
show dot1x
show authentication interface ethernet 1/1
Displays 802.1X and MAC authentication status.
show port-security interface ethernet 1/1
The 350-601 exam has 90 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.
CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.
The exam covers 5 domains: Network, Compute, Storage Network, Automation, Security. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Cisco 350-601 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.