Cisco · Free Practice Questions · Last reviewed May 2026
36real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.
A developer is designing a REST API that will be used by multiple client applications. The API must support versioning to ensure backward compatibility. Which approach should the developer use to implement API versioning?
Embed the version in the URI, e.g., /v1/resource
Correct: URI versioning is straightforward and widely adopted.
Use different HTTP methods for different versions
Pass the version as a query parameter, e.g., ?version=1
Use a custom HTTP header to specify the version
A development team is implementing a microservices architecture. They need to ensure that services can discover each other dynamically without hardcoding IP addresses. Which technology should they use?
A centralized load balancer
A service registry like Consul
Correct: Service registries enable dynamic discovery and health checks.
An API gateway
DNS-based service discovery
A developer is writing a Python script that uses the Cisco Meraki API to retrieve a list of networks for an organization. The API returns a JSON array. The developer wants to filter networks where the 'tags' field contains 'production'. Which code snippet correctly filters the results?
filtered = [net for net in networks if 'production' in net['tags']]
Correct: 'tags' is a list, and 'in' works for list membership.
filtered = [net for net in networks if 'production' in str(net['tags'])]
filtered = [net for net in networks if 'production' in net['tags'].split(',')]
filtered = [net for net in networks if any('production' in t for t in net['tags'])]
A developer is writing a Python script that uses the Cisco Catalyst Center (formerly DNA Center) API to get the list of sites. The API returns a response with a 'response' key containing a list of sites. The developer wants to access the 'response' field from the JSON response. Which code snippet correctly extracts the list?
sites = list(response)
sites = response['response']
Correct: Accessing the key 'response' returns the list.
sites = response[0]
sites = response.get('response')
A network automation engineer is using Ansible to manage Cisco IOS devices. The playbook includes a task that executes a 'show version' command and registers the output. The engineer then wants to parse the output to extract the IOS version. Which approach should be used?
Use the 'cisco.ios.ios_command' module and parse the output with regex
Use the 'cisco.ios.ios_command' module and the 'parse' option
Use the 'cisco.ios.ios_config' module to retrieve the version
Use the 'cisco.ios.ios_facts' module to get structured facts
Correct: 'ios_facts' returns structured data including the IOS version.
A developer is using the Cisco Webex API to create a room and add members. The API requires an access token with the appropriate scopes. The developer receives a 401 Unauthorized error when trying to create a room. What is the most likely cause?
The access token only has the 'spark:rooms_read' scope
Correct: The write scope is required for creating rooms.
The access token has the 'spark:memberships_write' scope but not 'spark:rooms_write'
The access token is not being sent in the Authorization header
The access token has expired
Want more Software Development and Design practice?
Practice this domainA network engineer is using the Cisco Meraki API to retrieve a list of SSIDs for a specific network. The API returns an HTTP 200 status but an empty array for the SSIDs. Which of the following is the most likely cause?
The network exists but has no SSIDs configured.
Empty array indicates no SSIDs, which is valid.
The network ID is incorrect.
The API key is invalid.
The request body is malformed.
When designing a REST API client for a Cisco DNA Center deployment, which authentication method should be used to obtain a token for subsequent API calls?
OAuth 2.0 client credentials grant.
API key in the request header.
HTTP Basic authentication to obtain a token.
Correct method: POST with basic auth to get token.
Client certificate in the request.
A Python script uses the Cisco Meraki API to create a new network and then immediately attempts to configure an SSID on that network. The SSID creation fails with a 400 error indicating 'network is not ready'. What is the most likely cause?
The network is not fully provisioned yet; a delay is needed.
Asynchronous provisioning requires waiting.
The API rate limit has been exceeded.
The API key does not have write access to networks.
The SSID name contains invalid characters.
Which TWO of the following are best practices when using REST APIs in Cisco networking environments?
Send credentials as plain text in every request.
Poll the API every second to get real-time updates.
Always handle HTTP error codes like 4xx and 5xx.
Error handling is critical for robustness.
Embed API keys directly in the URL query parameters.
Implement caching to reduce redundant API calls.
Caching improves performance.
Refer to the exhibit. A network engineer runs a script that queries the Cisco DNA Center site health API. The response shows Branch1 with a healthScore of 10. What is the most likely action to improve Branch1's health?
Investigate the network devices and connectivity at Branch1.
Low health score indicates problems at the site.
Increase the number of clients at Branch1.
Check the API authentication token.
Use a different API version.
A DevOps team manages a multi-site Cisco Meraki network with 50 MX appliances and 200 MR access points. They use a Python script that calls the Meraki API to collect device utilization data every hour and stores it in a CSV file. Recently, the script started failing intermittently with HTTP 429 status codes. The team suspects rate limiting but notices that the failures occur even when only one script instance runs. The script uses a single API key and makes requests to the /devices/{serial}/uplink endpoint for each MX and the /devices/{serial}/wireless/status endpoint for each MR. The script is scheduled via cron and runs sequentially. The team wants to resolve the rate limiting while minimizing changes to the script. Which course of action should the team take?
Introduce a delay between API calls to stay within the rate limit.
Adding a small delay reduces request rate and avoids 429 errors.
Distribute the API requests across multiple API keys.
Switch to a webhook-based approach to receive data instead of polling.
Use the bulk API request feature to collect data in fewer calls.
Want more Understanding and Using APIs practice?
Practice this domainA network engineer needs to automate the configuration of VLANs across 50 switches. Which approach best follows Cisco’s recommended practices for programmability?
Write an Ansible playbook using the ios_vlan module to configure VLANs on all switches.
Ansible with idempotent modules is a best practice for network automation.
Use a REST API on each switch to push the VLAN configuration individually.
Use a Python script that manually SSHes into each switch and applies CLI commands.
Configure all VLANs via SNMP MIBs.
A developer is building a chatbot that retrieves interface status from a Cisco Catalyst 9000 switch using RESTCONF. Which authentication method is most appropriate for programmatic access?
HTTP Basic Authentication over HTTPS.
RESTCONF on Cisco devices supports basic auth over HTTPS.
API key passed in the HTTP header.
OAuth 2.0 with client credentials grant.
Client certificate authentication.
During a migration from legacy to SD-Access, a network team wants to use Cisco DNA Center to automate policy deployment. They have defined a macro-level intent but need to ensure that the fabric devices are correctly configured. Which API call should they use to validate the fabric configuration?
PUT /dna/intent/api/v1/business/sda/fabric-device
POST /dna/intent/api/v1/business/sda/fabric-site
GET /dna/intent/api/v1/business/sda/fabric-site
Retrieves the fabric site configuration for validation.
GET /dna/intent/api/v1/business/sda/network-profile
A Python script uses the Cisco Meraki API to fetch the list of organizations. The script fails with a 401 HTTP status. What is the most likely cause?
The API key is invalid or missing.
401 Unauthorized means authentication failure.
The API request exceeded the rate limit.
The API key does not have permission to list organizations.
The API endpoint URL is incorrect.
A DevOps team is using Cisco NSO to manage network devices. They want to ensure that the configuration is compliant with corporate standards. Which NSO feature should they use?
Configuration Snapshots
NETCONF notifications
Configuration Database (CDB) rollback
Service reconciliation using FastMap
FastMap reconciles device config with service model to ensure compliance.
A developer is writing a Python script using the Cisco Webex Teams API to send a message to a specific room. The script works for some rooms but fails for others with a 404 error. What is the most likely reason?
The API rate limit has been exceeded for those rooms.
The access token is invalid for those rooms.
The bot does not have permission to send messages in those rooms.
The bot is not a member of those rooms.
Non-membership results in 404 when trying to send to a room.
Want more Cisco Platforms and Development practice?
Practice this domainA developer wants to ensure that a Docker container running a web application can only accept incoming traffic on port 443. Which Docker run option should be used?
docker run --port 443 myapp
docker run --net host myapp
docker run -p 443:443 myapp
-p 443:443 publishes container port 443 to host port 443, allowing external access only on that port.
docker run --expose 443 myapp
During a security audit, an engineer discovers that a CI/CD pipeline is storing API keys in plain text in environment variables. Which best practice should be implemented to mitigate this risk?
Store secrets in a .env file and add it to the repository with restricted access.
Encrypt the environment variables using a tool like openssl and store the key elsewhere.
Use a dedicated secrets management service like HashiCorp Vault or AWS Secrets Manager and retrieve secrets at runtime.
Secrets managers provide secure storage, rotation, and audit capabilities, preventing exposure in plaintext.
Remove the API keys from the pipeline and require manual entry each time a build runs.
A network engineer is troubleshooting a Kubernetes deployment where pods are failing to start with the error 'CrashLoopBackOff'. The pod log shows 'bind: address already in use'. The deployment runs multiple replicas of a container that listens on port 8080. What is the most likely cause?
The container is attempting to bind to a privileged port without the necessary capabilities.
The deployment has hostPort: 8080 specified, causing port conflict when multiple replicas are scheduled on the same node.
hostPort reserves the port on the host node, so only one pod per node can use it. With multiple replicas, subsequent pods fail with address in use.
The service is using NodePort and the node port is already in use.
Multiple containers in the same pod are trying to bind to the same port.
A developer needs to ensure that microservice A can securely communicate with microservice B over HTTPS within a Kubernetes cluster. What is the simplest approach?
Use a Kubernetes Ingress resource with TLS termination for microservice B.
Expose microservice B via a LoadBalancer Service and use HTTPS from microservice A.
Connect directly using the pod IP of microservice B over HTTP.
Create a Kubernetes Service of type ClusterIP for microservice B and configure microservice A to use HTTPS with the service DNS name.
ClusterIP services are internal and can be used with TLS termination within the cluster for secure communication.
An engineer is designing a CI/CD pipeline for a Python application. The pipeline should automatically run unit tests, build a Docker image, push it to a private registry, and deploy to a Kubernetes cluster. Which sequence of stages is correct?
Build -> Test -> Push -> Deploy
Test -> Push -> Deploy
Test -> Deploy -> Build -> Push
Test -> Build -> Push -> Deploy
Tests run first; if they pass, the image is built, pushed to registry, then deployed.
A security policy requires that all container images in a registry are scanned for vulnerabilities before deployment. Which approach best integrates this into a CI/CD pipeline without slowing down the pipeline?
Build the image, push it, then scan it, and if vulnerabilities are found, rebuild and repush.
Run the vulnerability scan on the image after pushing to the registry and block deployment if critical vulnerabilities are found.
Build the image, scan it locally, and if it passes, push it to the registry; run scans in parallel with the build if possible.
Local scanning before push catches vulnerabilities early and does not delay the pipeline if done in parallel.
Scan the source code dependencies before building the image, and skip image scanning.
Want more Application Deployment and Security practice?
Practice this domainAn engineer needs to automate the deployment of a new VLAN across multiple switches. Which tool is best suited for this task?
NetFlow
Syslog
Ansible
Ansible is designed for configuration management and automation.
SNMP
A DevOps team wants to version control their network configurations. Which tool should they use?
Puppet
Jenkins
Git
Git is the standard for version control.
Docker
During an automation script run, a network device returns HTTP 429. What does this indicate?
Internal server error
Rate limiting
429 means rate limit exceeded.
Authentication failure
Resource not found
A network automation engineer is writing a Python script to configure multiple devices. Which library is most appropriate for SSH-based interactions?
requests
socket
Netmiko
Netmiko is the standard library for network device SSH automation.
paramiko
In a CI/CD pipeline for network changes, which practice best ensures that a configuration push does not disrupt production traffic?
Disable rollback
Canary deployment
Canary deployment limits blast radius.
Push all changes at once
Skip validation
An engineer uses Ansible to push a configuration change to 100 switches. The playbook fails on 5 switches. What is the most efficient way to apply the change only to those 5?
Use Ansible's --limit with the retry file
This targets only the failed hosts.
Use --skip-tags on successful hosts
Re-run the playbook on all switches
Manually configure the 5 switches
Want more Infrastructure and Automation practice?
Practice this domainA network engineer is troubleshooting slow connectivity between two sites connected via a WAN link. The engineer suspects packet loss due to collisions. Which interface counter should be examined to confirm this?
Runts
CRC errors
CRC errors indicate frame checksum failures often caused by collisions.
Output errors
Giants
A DevOps team is deploying a containerized application across multiple hosts. They need to ensure that traffic between containers on the same host is isolated from other tenants. Which network implementation best meets this requirement?
Linux bridge with ebtables rules
NAT with port forwarding
VXLAN overlays with a distributed virtual switch
VXLAN provides scalable network isolation across hosts.
802.1Q VLANs on the host switch
An engineer notices that a switch port configured as an access port in VLAN 10 is not forwarding traffic. The switch shows the port is up/up. What is the most likely cause?
Spanning Tree Protocol blocking the port
The connected device is sending 802.1Q tagged frames
Access ports drop tagged frames.
Speed/duplex mismatch
VLAN 10 does not exist in the VLAN database
A network administrator is configuring SNMPv3 on a router for secure monitoring. Which combination of parameters is required to ensure authentication and encryption?
SNMPv3 with authPriv
Provides authentication and encryption.
SNMPv3 with noAuthNoPriv
SNMPv3 with authNoPriv
SNMPv2c with a complex community string
During a network migration, an engineer needs to replace a legacy core switch with a new one without disrupting the existing STP topology. The new switch supports RSTP and will be connected via two trunk links. Which configuration should be applied to the new switch to prevent it from becoming the root bridge?
Enable root guard on the trunk ports
Configure the bridge priority to 61440
High priority makes it less likely to become root.
Enable BPDU guard on the trunk ports
Set the bridge priority to 0
A technician needs to verify the IP address of a remote server using DNS. Which command should be used on a Cisco IOS device?
traceroute server.example.com
show hosts server.example.com
ping server.example.com
nslookup server.example.com
Performs DNS lookup and returns IP address.
Want more Network Fundamentals practice?
Practice this domainThe 200-901 exam has 95 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.
CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.
The exam covers 6 domains: Software Development and Design, Understanding and Using APIs, Cisco Platforms and Development, Application Deployment and Security, Infrastructure and Automation, Network Fundamentals. Questions are weighted by domain — higher-weight domains appear more on your actual exam.
No. These are original exam-style practice questions written against the official Cisco 200-901 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.
Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.