Courseiva
Knowledge + Practice
CertificationsVendorsCareer RoadmapsLabs & ToolsStudy GuidesGlossaryPractice Questions
C
Courseiva

Free IT certification practice questions with explained answers for CCNA, CompTIA, AWS, Azure, Google Cloud, and more.

Certification Practice Questions

CCNA practice questionsSecurity+ SY0-701 practice questionsAWS SAA-C03 practice questionsAZ-104 practice questionsAZ-900 practice questionsCLF-C02 practice questionsA+ Core 1 practice questionsGoogle Cloud ACE practice questionsCySA+ CS0-003 practice questionsNetwork+ N10-009 practice questions
View all certifications →

Product

CertificationsCertification PathsExam TopicsPractice TestsExam Dumps vs Practice TestsStudy HubComparisons

Company

AboutContactEditorial PolicyQuestion Writing PolicyTrust Center

Legal

Privacy PolicyTerms of Service

Courseiva is a free IT certification practice platform offering original exam-style practice questions, detailed explanations, topic-based practice, mock exams, readiness tracking, and study analytics for Cisco, CompTIA, Microsoft, AWS, and other technology certifications.

© 2026 Courseiva. Courseiva is operated by JTNetSolutions Ltd. All rights reserved.

Courseiva is an independent certification practice platform and is not affiliated with, endorsed by, or sponsored by Cisco, Microsoft, AWS, CompTIA, Google, ISC2, ISACA, or any other certification vendor. Vendor names and certification marks are used only to identify the exams learners are preparing for.

HomeCertifications200-901Exam Questions

Cisco · Free Practice Questions · Last reviewed May 2026

200-901 Exam Questions and Answers

36real exam-style questions organised by domain, each with the correct answer highlighted and a plain-English explanation of why it's right — and why the others are wrong.

95 exam questions
120 min time limit
Pass: Variable
6 exam domains
OverviewDomain BlueprintStudy GuideAll QuestionsSample by Domain
1. Software Development and Design2. Understanding and Using APIs3. Cisco Platforms and Development4. Application Deployment and Security5. Infrastructure and Automation6. Network Fundamentals
1

Domain 1: Software Development and Design

All Software Development and Design questions
Q1
easyFull explanation →

A developer is designing a REST API that will be used by multiple client applications. The API must support versioning to ensure backward compatibility. Which approach should the developer use to implement API versioning?

A

Embed the version in the URI, e.g., /v1/resource

Correct: URI versioning is straightforward and widely adopted.

B

Use different HTTP methods for different versions

C

Pass the version as a query parameter, e.g., ?version=1

D

Use a custom HTTP header to specify the version

Why: Embedding the version in the URI (e.g., /v1/resource) is the most common and straightforward approach for REST API versioning. It makes the version explicit in the URL, allowing clients to directly target a specific version without requiring special header handling or query parameter parsing. This method is widely adopted in industry APIs (e.g., GitHub, Twilio) and ensures backward compatibility by keeping older endpoints accessible under their original URI path.
Q2
mediumFull explanation →

A development team is implementing a microservices architecture. They need to ensure that services can discover each other dynamically without hardcoding IP addresses. Which technology should they use?

A

A centralized load balancer

B

A service registry like Consul

Correct: Service registries enable dynamic discovery and health checks.

C

An API gateway

D

DNS-based service discovery

Why: A service registry like Consul provides a centralized directory where microservices register their network locations (IP and port) and health status. Other services query the registry to discover available instances dynamically, eliminating the need for hardcoded addresses. Consul supports health checks, multi-datacenter replication, and integrates with tools like Envoy for service mesh functionality.
Q3
hardFull explanation →

A developer is writing a Python script that uses the Cisco Meraki API to retrieve a list of networks for an organization. The API returns a JSON array. The developer wants to filter networks where the 'tags' field contains 'production'. Which code snippet correctly filters the results?

A

filtered = [net for net in networks if 'production' in net['tags']]

Correct: 'tags' is a list, and 'in' works for list membership.

B

filtered = [net for net in networks if 'production' in str(net['tags'])]

C

filtered = [net for net in networks if 'production' in net['tags'].split(',')]

D

filtered = [net for net in networks if any('production' in t for t in net['tags'])]

Why: Option A is correct because the Meraki API returns the 'tags' field as a list of strings (e.g., ['production', 'critical']). The Python `in` operator directly checks membership in a list, so `'production' in net['tags']` efficiently filters networks where the exact string 'production' appears as an element in the list.
Q4
easyFull explanation →

A developer is writing a Python script that uses the Cisco Catalyst Center (formerly DNA Center) API to get the list of sites. The API returns a response with a 'response' key containing a list of sites. The developer wants to access the 'response' field from the JSON response. Which code snippet correctly extracts the list?

A

sites = list(response)

B

sites = response['response']

Correct: Accessing the key 'response' returns the list.

C

sites = response[0]

D

sites = response.get('response')

Why: Option B is correct because the Cisco Catalyst Center API returns a JSON response where the list of sites is nested under the 'response' key. Using dictionary-style indexing with `response['response']` directly retrieves that list, which is the standard way to access a known key in a Python dictionary parsed from JSON.
Q5
mediumFull explanation →

A network automation engineer is using Ansible to manage Cisco IOS devices. The playbook includes a task that executes a 'show version' command and registers the output. The engineer then wants to parse the output to extract the IOS version. Which approach should be used?

A

Use the 'cisco.ios.ios_command' module and parse the output with regex

B

Use the 'cisco.ios.ios_command' module and the 'parse' option

C

Use the 'cisco.ios.ios_config' module to retrieve the version

D

Use the 'cisco.ios.ios_facts' module to get structured facts

Correct: 'ios_facts' returns structured data including the IOS version.

Why: The 'cisco.ios.ios_facts' module retrieves structured data from Cisco IOS devices, including the IOS version as a key-value pair in the Ansible facts dictionary. This eliminates the need for manual parsing, as the module uses the device's CLI or NETCONF to gather structured output, making it the most efficient and reliable approach for extracting specific device attributes.
Q6
hardFull explanation →

A developer is using the Cisco Webex API to create a room and add members. The API requires an access token with the appropriate scopes. The developer receives a 401 Unauthorized error when trying to create a room. What is the most likely cause?

A

The access token only has the 'spark:rooms_read' scope

Correct: The write scope is required for creating rooms.

B

The access token has the 'spark:memberships_write' scope but not 'spark:rooms_write'

C

The access token is not being sent in the Authorization header

D

The access token has expired

Why: The 401 Unauthorized error indicates that the request lacks valid authentication credentials. Since the developer is using an access token but still getting a 401, the most likely cause is that the token does not have the required scopes to perform the operation. The 'spark:rooms_read' scope only allows reading room details, not creating them, so the API rejects the request with a 401 because the token is valid but insufficiently scoped.

Want more Software Development and Design practice?

Practice this domain
2

Domain 2: Understanding and Using APIs

All Understanding and Using APIs questions
Q1
mediumFull explanation →

A network engineer is using the Cisco Meraki API to retrieve a list of SSIDs for a specific network. The API returns an HTTP 200 status but an empty array for the SSIDs. Which of the following is the most likely cause?

A

The network exists but has no SSIDs configured.

Empty array indicates no SSIDs, which is valid.

B

The network ID is incorrect.

C

The API key is invalid.

D

The request body is malformed.

Why: An HTTP 200 status indicates the request was successfully processed by the Meraki API, meaning the API key, network ID, and request format were all valid. An empty array for SSIDs specifically means the network exists and the API queried it correctly, but no SSIDs have been configured on that network. This is the expected behavior when a network has no wireless profiles defined.
Q2
easyFull explanation →

When designing a REST API client for a Cisco DNA Center deployment, which authentication method should be used to obtain a token for subsequent API calls?

A

OAuth 2.0 client credentials grant.

B

API key in the request header.

C

HTTP Basic authentication to obtain a token.

Correct method: POST with basic auth to get token.

D

Client certificate in the request.

Why: Cisco DNA Center uses HTTP Basic authentication to obtain a token. The client sends a POST request to the /dna/system/api/v1/auth/token endpoint with a Base64-encoded string of the username and password in the Authorization header. The server returns a token that must be included in subsequent API calls via the X-Auth-Token header.
Q3
hardFull explanation →

A Python script uses the Cisco Meraki API to create a new network and then immediately attempts to configure an SSID on that network. The SSID creation fails with a 400 error indicating 'network is not ready'. What is the most likely cause?

A

The network is not fully provisioned yet; a delay is needed.

Asynchronous provisioning requires waiting.

B

The API rate limit has been exceeded.

C

The API key does not have write access to networks.

D

The SSID name contains invalid characters.

Why: The Meraki API returns a 400 error with 'network is not ready' because creating a network is an asynchronous operation. The network's underlying infrastructure (e.g., virtual LANs, DHCP scopes, firewall rules) must be fully provisioned before it can accept SSID configurations. Attempting to configure an SSID immediately after creation fails because the network is still in a 'pending' or 'provisioning' state, requiring a polling delay or retry logic.
Q4
mediumFull explanation →

Which TWO of the following are best practices when using REST APIs in Cisco networking environments?

A

Send credentials as plain text in every request.

B

Poll the API every second to get real-time updates.

C

Always handle HTTP error codes like 4xx and 5xx.

Error handling is critical for robustness.

D

Embed API keys directly in the URL query parameters.

E

Implement caching to reduce redundant API calls.

Caching improves performance.

Why: Option C is correct because handling HTTP error codes like 4xx (client errors) and 5xx (server errors) is essential for robust REST API integration. In Cisco environments, APIs such as those for DNA Center or Meraki return these codes to indicate issues like authentication failure (401), rate limiting (429), or server overload (503). Proper error handling allows the application to retry, log, or alert appropriately, preventing silent failures and ensuring reliable network automation.
Q5
mediumFull explanation →

Refer to the exhibit. A network engineer runs a script that queries the Cisco DNA Center site health API. The response shows Branch1 with a healthScore of 10. What is the most likely action to improve Branch1's health?

A

Investigate the network devices and connectivity at Branch1.

Low health score indicates problems at the site.

B

Increase the number of clients at Branch1.

C

Check the API authentication token.

D

Use a different API version.

Why: A healthScore of 10 on a scale of 0–100 indicates severe degradation, typically caused by network device failures, link flaps, or connectivity loss. Investigating the network devices and connectivity at Branch1 is the correct first step to identify and resolve the root cause, such as a down switch or a routing issue.
Q6
hardFull explanation →

A DevOps team manages a multi-site Cisco Meraki network with 50 MX appliances and 200 MR access points. They use a Python script that calls the Meraki API to collect device utilization data every hour and stores it in a CSV file. Recently, the script started failing intermittently with HTTP 429 status codes. The team suspects rate limiting but notices that the failures occur even when only one script instance runs. The script uses a single API key and makes requests to the /devices/{serial}/uplink endpoint for each MX and the /devices/{serial}/wireless/status endpoint for each MR. The script is scheduled via cron and runs sequentially. The team wants to resolve the rate limiting while minimizing changes to the script. Which course of action should the team take?

A

Introduce a delay between API calls to stay within the rate limit.

Adding a small delay reduces request rate and avoids 429 errors.

B

Distribute the API requests across multiple API keys.

C

Switch to a webhook-based approach to receive data instead of polling.

D

Use the bulk API request feature to collect data in fewer calls.

Why: The intermittent HTTP 429 errors indicate the script is exceeding the Meraki API rate limit, which applies per API key. Since the script runs sequentially with a single key, introducing a delay between API calls (e.g., using time.sleep()) is the simplest fix that stays within the rate limit without requiring architectural changes. This directly addresses the root cause while minimizing modifications to the existing script.

Want more Understanding and Using APIs practice?

Practice this domain
3

Domain 3: Cisco Platforms and Development

All Cisco Platforms and Development questions
Q1
easyFull explanation →

A network engineer needs to automate the configuration of VLANs across 50 switches. Which approach best follows Cisco’s recommended practices for programmability?

A

Write an Ansible playbook using the ios_vlan module to configure VLANs on all switches.

Ansible with idempotent modules is a best practice for network automation.

B

Use a REST API on each switch to push the VLAN configuration individually.

C

Use a Python script that manually SSHes into each switch and applies CLI commands.

D

Configure all VLANs via SNMP MIBs.

Why: Option A is correct because Ansible's ios_vlan module is purpose-built for automating VLAN configuration on Cisco IOS devices, aligning with Cisco's recommended practices for programmability by using a declarative, agentless automation tool that abstracts the underlying CLI and ensures idempotent configuration across multiple switches.
Q2
mediumFull explanation →

A developer is building a chatbot that retrieves interface status from a Cisco Catalyst 9000 switch using RESTCONF. Which authentication method is most appropriate for programmatic access?

A

HTTP Basic Authentication over HTTPS.

RESTCONF on Cisco devices supports basic auth over HTTPS.

B

API key passed in the HTTP header.

C

OAuth 2.0 with client credentials grant.

D

Client certificate authentication.

Why: RESTCONF on Cisco Catalyst 9000 switches supports HTTP Basic Authentication over HTTPS as a straightforward, standards-based method for programmatic access. Basic authentication sends the username and password in the HTTP Authorization header, and when combined with HTTPS, the credentials are encrypted in transit, providing adequate security for device management without requiring additional infrastructure like an OAuth provider or certificate authority.
Q3
hardFull explanation →

During a migration from legacy to SD-Access, a network team wants to use Cisco DNA Center to automate policy deployment. They have defined a macro-level intent but need to ensure that the fabric devices are correctly configured. Which API call should they use to validate the fabric configuration?

A

PUT /dna/intent/api/v1/business/sda/fabric-device

B

POST /dna/intent/api/v1/business/sda/fabric-site

C

GET /dna/intent/api/v1/business/sda/fabric-site

Retrieves the fabric site configuration for validation.

D

GET /dna/intent/api/v1/business/sda/network-profile

Why: The GET /dna/intent/api/v1/business/sda/fabric-site API call retrieves the current configuration of fabric sites, allowing the team to validate that fabric devices are correctly provisioned and associated with the intended site. This aligns with the intent-based API model where GET operations are used for validation and monitoring of deployed policies.
Q4
easyFull explanation →

A Python script uses the Cisco Meraki API to fetch the list of organizations. The script fails with a 401 HTTP status. What is the most likely cause?

A

The API key is invalid or missing.

401 Unauthorized means authentication failure.

B

The API request exceeded the rate limit.

C

The API key does not have permission to list organizations.

D

The API endpoint URL is incorrect.

Why: A 401 HTTP status indicates 'Unauthorized', which in the context of the Meraki API means the request lacks valid authentication credentials. The most common cause is an invalid or missing API key, as the Meraki API requires a valid API key in the `X-Cisco-Meraki-API-Key` header for all requests.
Q5
mediumFull explanation →

A DevOps team is using Cisco NSO to manage network devices. They want to ensure that the configuration is compliant with corporate standards. Which NSO feature should they use?

A

Configuration Snapshots

B

NETCONF notifications

C

Configuration Database (CDB) rollback

D

Service reconciliation using FastMap

FastMap reconciles device config with service model to ensure compliance.

Why: Service reconciliation using FastMap is the correct NSO feature for ensuring configuration compliance with corporate standards because it detects and corrects deviations between the intended service model (defined in YANG) and the actual device configuration. FastMap performs a diff and re-applies the service logic to bring the device back into compliance, making it ideal for continuous compliance enforcement.
Q6
hardFull explanation →

A developer is writing a Python script using the Cisco Webex Teams API to send a message to a specific room. The script works for some rooms but fails for others with a 404 error. What is the most likely reason?

A

The API rate limit has been exceeded for those rooms.

B

The access token is invalid for those rooms.

C

The bot does not have permission to send messages in those rooms.

D

The bot is not a member of those rooms.

Non-membership results in 404 when trying to send to a room.

Why: The 404 error indicates that the resource (the room) was not found by the API. In the Cisco Webex Teams API, a bot can only interact with rooms it has been added to as a member. If the bot is not a member of a room, the API cannot locate the room from the bot's perspective, resulting in a 404 error. This is the most common cause of intermittent 404 errors when the script works for some rooms but not others.

Want more Cisco Platforms and Development practice?

Practice this domain
4

Domain 4: Application Deployment and Security

All Application Deployment and Security questions
Q1
easyFull explanation →

A developer wants to ensure that a Docker container running a web application can only accept incoming traffic on port 443. Which Docker run option should be used?

A

docker run --port 443 myapp

B

docker run --net host myapp

C

docker run -p 443:443 myapp

-p 443:443 publishes container port 443 to host port 443, allowing external access only on that port.

D

docker run --expose 443 myapp

Why: Option C is correct because the `-p 443:443` flag publishes container port 443 to the host port 443, mapping incoming traffic on the host's port 443 to the container's port 443. This ensures the web application inside the container only accepts incoming traffic on port 443, as the host firewall and Docker's port mapping restrict access to that specific port.
Q2
mediumFull explanation →

During a security audit, an engineer discovers that a CI/CD pipeline is storing API keys in plain text in environment variables. Which best practice should be implemented to mitigate this risk?

A

Store secrets in a .env file and add it to the repository with restricted access.

B

Encrypt the environment variables using a tool like openssl and store the key elsewhere.

C

Use a dedicated secrets management service like HashiCorp Vault or AWS Secrets Manager and retrieve secrets at runtime.

Secrets managers provide secure storage, rotation, and audit capabilities, preventing exposure in plaintext.

D

Remove the API keys from the pipeline and require manual entry each time a build runs.

Why: Option C is correct because dedicated secrets management services like HashiCorp Vault or AWS Secrets Manager provide secure storage, access control, and audit logging for sensitive data. They allow the CI/CD pipeline to retrieve API keys at runtime via authenticated API calls, ensuring secrets are never stored in plain text in environment variables or configuration files. This approach aligns with the principle of least privilege and eliminates the risk of exposure through source code or build logs.
Q3
hardFull explanation →

A network engineer is troubleshooting a Kubernetes deployment where pods are failing to start with the error 'CrashLoopBackOff'. The pod log shows 'bind: address already in use'. The deployment runs multiple replicas of a container that listens on port 8080. What is the most likely cause?

A

The container is attempting to bind to a privileged port without the necessary capabilities.

B

The deployment has hostPort: 8080 specified, causing port conflict when multiple replicas are scheduled on the same node.

hostPort reserves the port on the host node, so only one pod per node can use it. With multiple replicas, subsequent pods fail with address in use.

C

The service is using NodePort and the node port is already in use.

D

Multiple containers in the same pod are trying to bind to the same port.

Why: The 'bind: address already in use' error indicates that the container's process cannot bind to port 8080 because it is already occupied. When `hostPort: 8080` is specified in the pod spec, Kubernetes instructs the container runtime to map the container port to the same port on the node's network namespace. If multiple replicas of the deployment are scheduled on the same node, each pod attempts to bind to port 8080 on the host, causing a conflict and the CrashLoopBackOff state. This is a common misconfiguration when using hostPort without ensuring that replicas are spread across different nodes.
Q4
easyFull explanation →

A developer needs to ensure that microservice A can securely communicate with microservice B over HTTPS within a Kubernetes cluster. What is the simplest approach?

A

Use a Kubernetes Ingress resource with TLS termination for microservice B.

B

Expose microservice B via a LoadBalancer Service and use HTTPS from microservice A.

C

Connect directly using the pod IP of microservice B over HTTP.

D

Create a Kubernetes Service of type ClusterIP for microservice B and configure microservice A to use HTTPS with the service DNS name.

ClusterIP services are internal and can be used with TLS termination within the cluster for secure communication.

Why: Option D is correct because using a ClusterIP Service for microservice B provides a stable DNS name within the cluster, allowing microservice A to communicate over HTTPS without exposing the service externally. This approach leverages Kubernetes' internal service discovery and can be paired with a service mesh or mutual TLS (mTLS) for secure communication, meeting the requirement for simplicity and security.
Q5
mediumFull explanation →

An engineer is designing a CI/CD pipeline for a Python application. The pipeline should automatically run unit tests, build a Docker image, push it to a private registry, and deploy to a Kubernetes cluster. Which sequence of stages is correct?

A

Build -> Test -> Push -> Deploy

B

Test -> Push -> Deploy

C

Test -> Deploy -> Build -> Push

D

Test -> Build -> Push -> Deploy

Tests run first; if they pass, the image is built, pushed to registry, then deployed.

Why: Option D is correct because a CI/CD pipeline for a Python application must first run unit tests to validate code quality, then build the Docker image from the tested code, push the image to a private registry, and finally deploy to Kubernetes. This sequence ensures that only tested and built artifacts are deployed, preventing deployment of broken or untested code.
Q6
hardFull explanation →

A security policy requires that all container images in a registry are scanned for vulnerabilities before deployment. Which approach best integrates this into a CI/CD pipeline without slowing down the pipeline?

A

Build the image, push it, then scan it, and if vulnerabilities are found, rebuild and repush.

B

Run the vulnerability scan on the image after pushing to the registry and block deployment if critical vulnerabilities are found.

C

Build the image, scan it locally, and if it passes, push it to the registry; run scans in parallel with the build if possible.

Local scanning before push catches vulnerabilities early and does not delay the pipeline if done in parallel.

D

Scan the source code dependencies before building the image, and skip image scanning.

Why: Option C is correct because it shifts the vulnerability scan left in the pipeline: the image is built and scanned locally before being pushed to the registry. If the scan passes, the image is pushed; if it fails, the pipeline stops early, avoiding the overhead of pushing a vulnerable image and then rebuilding. This approach minimizes pipeline latency by running scans in parallel with the build where possible, ensuring security without blocking the deployment flow.

Want more Application Deployment and Security practice?

Practice this domain
5

Domain 5: Infrastructure and Automation

All Infrastructure and Automation questions
Q1
easyFull explanation →

An engineer needs to automate the deployment of a new VLAN across multiple switches. Which tool is best suited for this task?

A

NetFlow

B

Syslog

C

Ansible

Ansible is designed for configuration management and automation.

D

SNMP

Why: Ansible is the correct tool because it is an agentless automation platform that uses SSH to push configuration changes, such as VLAN deployment, to network devices. It allows engineers to define the desired state of VLANs in YAML playbooks and apply them consistently across multiple switches without manual intervention.
Q2
easyFull explanation →

A DevOps team wants to version control their network configurations. Which tool should they use?

A

Puppet

B

Jenkins

C

Git

Git is the standard for version control.

D

Docker

Why: Git is a distributed version control system that tracks changes in source code and configuration files, making it the ideal tool for version controlling network configurations. Unlike configuration management tools, Git provides commit history, branching, and rollback capabilities specifically designed for version control.
Q3
mediumFull explanation →

During an automation script run, a network device returns HTTP 429. What does this indicate?

A

Internal server error

B

Rate limiting

429 means rate limit exceeded.

C

Authentication failure

D

Resource not found

Why: HTTP 429 (Too Many Requests) indicates the client has sent too many requests in a given amount of time, triggering rate limiting on the server. In network automation, devices like routers or switches enforce rate limits to prevent resource exhaustion, often based on RFC 6585. This is common when automation scripts exceed API call thresholds, requiring retry logic with exponential backoff.
Q4
mediumFull explanation →

A network automation engineer is writing a Python script to configure multiple devices. Which library is most appropriate for SSH-based interactions?

A

requests

B

socket

C

Netmiko

Netmiko is the standard library for network device SSH automation.

D

paramiko

Why: Netmiko is a Python library built on top of Paramiko that simplifies SSH connections to network devices. It provides high-level methods for sending commands, handling prompts, and managing device interactions, making it the most appropriate choice for automating configuration tasks across multiple devices.
Q5
hardFull explanation →

In a CI/CD pipeline for network changes, which practice best ensures that a configuration push does not disrupt production traffic?

A

Disable rollback

B

Canary deployment

Canary deployment limits blast radius.

C

Push all changes at once

D

Skip validation

Why: Canary deployment is the correct practice because it gradually introduces the configuration change to a small subset of devices or traffic before full rollout. This allows monitoring for adverse effects and automatic rollback if issues arise, minimizing the risk of production disruption. In a CI/CD pipeline for network changes, this approach aligns with incremental validation and risk mitigation.
Q6
hardFull explanation →

An engineer uses Ansible to push a configuration change to 100 switches. The playbook fails on 5 switches. What is the most efficient way to apply the change only to those 5?

A

Use Ansible's --limit with the retry file

This targets only the failed hosts.

B

Use --skip-tags on successful hosts

C

Re-run the playbook on all switches

D

Manually configure the 5 switches

Why: Ansible generates a retry file by default when a playbook fails on some hosts. Using `--limit @<retry-file>` re-runs the playbook only against the failed hosts, avoiding unnecessary execution on the 95 successful switches. This is the most efficient method because it targets only the problematic devices without manual intervention or full re-runs.

Want more Infrastructure and Automation practice?

Practice this domain
6

Domain 6: Network Fundamentals

All Network Fundamentals questions
Q1
mediumFull explanation →

A network engineer is troubleshooting slow connectivity between two sites connected via a WAN link. The engineer suspects packet loss due to collisions. Which interface counter should be examined to confirm this?

A

Runts

B

CRC errors

CRC errors indicate frame checksum failures often caused by collisions.

C

Output errors

D

Giants

Why: CRC (Cyclic Redundancy Check) errors indicate that frames received on an interface have failed the integrity check, which is often caused by physical-layer issues such as collisions, faulty cabling, or signal degradation. In the context of a WAN link, collisions are not typical (since full-duplex is standard), but if the link is misconfigured as half-duplex, collisions can occur and will manifest as CRC errors. Thus, examining the CRC errors counter is the correct way to confirm packet loss due to collisions.
Q2
hardFull explanation →

A DevOps team is deploying a containerized application across multiple hosts. They need to ensure that traffic between containers on the same host is isolated from other tenants. Which network implementation best meets this requirement?

A

Linux bridge with ebtables rules

B

NAT with port forwarding

C

VXLAN overlays with a distributed virtual switch

VXLAN provides scalable network isolation across hosts.

D

802.1Q VLANs on the host switch

Why: VXLAN overlays with a distributed virtual switch provide Layer 2 isolation across multiple hosts by encapsulating Ethernet frames in UDP packets (RFC 7348). This creates independent virtual networks (VXLAN segments) that can span hosts, ensuring traffic between containers on the same host is isolated from other tenants without relying on physical network topology.
Q3
easyFull explanation →

An engineer notices that a switch port configured as an access port in VLAN 10 is not forwarding traffic. The switch shows the port is up/up. What is the most likely cause?

A

Spanning Tree Protocol blocking the port

B

The connected device is sending 802.1Q tagged frames

Access ports drop tagged frames.

C

Speed/duplex mismatch

D

VLAN 10 does not exist in the VLAN database

Why: An access port expects to receive and send only untagged frames, as it belongs to a single VLAN (VLAN 10). If the connected device sends 802.1Q tagged frames, the switch will drop them because the access port does not process VLAN tags. This explains why the port is up/up but not forwarding traffic.
Q4
mediumFull explanation →

A network administrator is configuring SNMPv3 on a router for secure monitoring. Which combination of parameters is required to ensure authentication and encryption?

A

SNMPv3 with authPriv

Provides authentication and encryption.

B

SNMPv3 with noAuthNoPriv

C

SNMPv3 with authNoPriv

D

SNMPv2c with a complex community string

Why: SNMPv3 with authPriv is the correct combination because it enables both authentication (via HMAC-MD5 or HMAC-SHA) and encryption (via DES or AES) to ensure secure monitoring. The authPriv security level provides message integrity, origin authentication, and data confidentiality, meeting the requirement for both authentication and encryption.
Q5
hardFull explanation →

During a network migration, an engineer needs to replace a legacy core switch with a new one without disrupting the existing STP topology. The new switch supports RSTP and will be connected via two trunk links. Which configuration should be applied to the new switch to prevent it from becoming the root bridge?

A

Enable root guard on the trunk ports

B

Configure the bridge priority to 61440

High priority makes it less likely to become root.

C

Enable BPDU guard on the trunk ports

D

Set the bridge priority to 0

Why: Option B is correct because setting the bridge priority to 61440 (which is a valid priority value in increments of 4096) ensures the new switch has a higher numerical priority than the current root bridge, preventing it from becoming the root. In STP/RSTP, the switch with the lowest bridge priority becomes the root bridge; by configuring a high priority, the new switch will not disrupt the existing topology.
Q6
easyFull explanation →

A technician needs to verify the IP address of a remote server using DNS. Which command should be used on a Cisco IOS device?

A

traceroute server.example.com

B

show hosts server.example.com

C

ping server.example.com

D

nslookup server.example.com

Performs DNS lookup and returns IP address.

Why: The `nslookup` command is used to query DNS servers to resolve a hostname to an IP address. On a Cisco IOS device, `nslookup` sends a DNS query for the specified hostname and returns the corresponding IP address, making it the correct tool for verifying a remote server's IP via DNS.

Want more Network Fundamentals practice?

Practice this domain

Frequently asked questions

How many questions are on the 200-901 exam?

The 200-901 exam has 95 questions and must be completed in 120 minutes. Cisco passing scores vary by exam version and are not always publicly listed. Check the official Cisco exam page before booking.

What types of questions appear on the 200-901 exam?

CLI output interpretation, network topology analysis, routing behaviour, switching concepts, troubleshooting, and configuration questions.

How are 200-901 questions organised by domain?

The exam covers 6 domains: Software Development and Design, Understanding and Using APIs, Cisco Platforms and Development, Application Deployment and Security, Infrastructure and Automation, Network Fundamentals. Questions are weighted by domain — higher-weight domains appear more on your actual exam.

Are these the actual 200-901 exam questions?

No. These are original exam-style practice questions written against the official Cisco 200-901 exam objectives. They are not copied from the real exam. Courseiva focuses on genuine understanding, not memorisation of braindumps.

Ready to practice all 95 200-901 questions?

Courseiva tracks your accuracy per domain and routes you toward weak areas automatically. Free, no account required.

Browse all 200-901 questionsTake a timed practice test