Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 175

500 questions total · 7 pages · All types, answers revealed

1
Multi-Select · hard

Which THREE components are required to configure a Cisco UCS Direct-attached storage environment using SAS expanders?

Select 3 answers
A. SAS cables connecting the storage enclosure to the server's storage controller.
B. SAS expanders within the enclosure to connect multiple drives.
C. SAS hard drives installed in the storage enclosure.
D. Fibre Channel over Ethernet (FCoE) uplinks from the storage enclosure to the Fabric Interconnect.
E. Fibre Channel switch for SAN connectivity.
Answers: A, B, C

Direct SAS cabling is required for connectivity.

Why this answer

Option A is correct because in a Cisco UCS Direct-attached storage environment using SAS expanders, SAS cables are required to physically connect the storage enclosure to the server's storage controller (typically an LSI-based SAS HBA). This direct cabling enables the SAS protocol to carry SCSI commands and data between the server and the drives without any intervening network fabric.

Exam trap

Cisco often tests the distinction between Direct-attached storage (SAS) and Fabric-attached storage (FCoE/Fibre Channel), so the trap here is assuming that any storage enclosure requires Fabric Interconnect or SAN components, when in fact Direct-attached storage uses only SAS cabling and expanders.

2
MCQ · hard

A data center network uses Cisco Nexus 9000 switches running NX-OS. The operations team notices that the CPU utilization on the supervisor module spikes intermittently, causing BGP session flaps. Analysis shows that the CPU spikes coincide with traceroute probes from external networks, which generate ICMP TTL exceeded messages that are process-switched. The engineer must implement a solution to protect the control plane without affecting normal ICMP functionality. The goal is to rate-limit ICMP traffic to a maximum of 1000 packets per second with a burst of 200 bytes, while allowing other control plane traffic without restriction. Which configuration should be applied?

A. Use the 'hardware rate-limiter' feature to limit ICMP globally.
B. class-map type control-plane match-any COPP-ICMP match access-group name ICMP-ACL policy-map type control-plane COPP class COPP-ICMP police rate 1000 pps burst 200 control-plane service-policy input COPP
C. Apply a QoS policy on the management interface to drop excess ICMP.
D. class-map type control-plane match-all COPP-ICMP match protocol icmp policy-map type control-plane COPP class COPP-ICMP police 1000 pps 200 byte burst control-plane service-policy type control-plane COPP
Answer: D

Correct syntax: using type control-plane class-map and policy-map, with police in pps and burst in bytes.

Why this answer

Option D is correct because it uses a Control Plane Policing (CoPP) policy with a class-map that matches ICMP protocol traffic in the control plane, then applies a police rate of 1000 pps with a 200-byte burst. This configuration rate-limits ICMP TTL-exceeded messages that are process-switched, protecting the supervisor CPU from spikes while allowing other control plane traffic unrestricted. The 'service-policy type control-plane' command applies the policy to the control plane, which is the proper method for NX-OS CoPP.

Exam trap

Cisco often tests the distinction between applying a policy-map with 'service-policy input' (which is for interface QoS) versus 'service-policy type control-plane' (which is for CoPP), and the correct police syntax including the 'byte' keyword for burst size.

How to eliminate wrong answers

Option A is wrong because 'hardware rate-limiter' is a legacy feature on some Cisco platforms that limits traffic in hardware, but it does not provide the granularity of matching ICMP protocol specifically and may affect all ICMP or other traffic; it is not the recommended CoPP approach for NX-OS. Option B is wrong because the police command syntax is incorrect: it uses 'police rate 1000 pps burst 200' without the 'byte' keyword, and the class-map uses 'match access-group name' which matches based on an ACL rather than the protocol directly, potentially missing ICMP TTL-exceeded messages that are not captured by the ACL; also, the policy-map is applied with 'service-policy input' instead of 'service-policy type control-plane', which is the correct NX-OS syntax for CoPP. Option C is wrong because applying a QoS policy on the management interface only affects traffic entering via that interface, not the control plane traffic from data interfaces; it would not protect the supervisor from ICMP TTL-exceeded messages arriving from external networks through data ports.

3
MCQ · easy

A company wants to consolidate multiple physically separate Fibre Channel SANs into one switch infrastructure while keeping each SAN's traffic isolated. Which technology best achieves this?

A. Reduce the number of switches by using a single director
B. Virtual SANs (VSANs)
C. Use a single VSAN with extensive zoning
D. Deploy separate physical cabling for each SAN
Answer: B

VSANs create isolated logical fabrics over a physical infrastructure.

Why this answer

VSANs (Virtual SANs) allow multiple physically separate Fibre Channel SANs to be consolidated onto a single switch infrastructure by creating isolated virtual fabrics. Each VSAN maintains its own fabric services, such as name server and zone server, ensuring traffic isolation without requiring separate physical switches or cabling.

Exam trap

Cisco often tests the misconception that zoning alone provides the same isolation as VSANs, but zoning only controls device access within a single fabric, whereas VSANs provide complete fabric-level separation including separate control planes and fabric services.

How to eliminate wrong answers

Option A is wrong because reducing the number of switches by using a single director does not inherently isolate traffic; it simply consolidates hardware without providing logical separation. Option C is wrong because using a single VSAN with extensive zoning only controls which devices can communicate, but all traffic still shares the same fabric services and control plane, which can lead to instability and security risks. Option D is wrong because deploying separate physical cabling for each SAN defeats the purpose of consolidation and increases cost and complexity, whereas VSANs achieve isolation logically.

4
Matching · medium

Match each Cisco data center technology to its primary purpose.


Concepts
Matches

Converged network for Fibre Channel and Ethernet

Network virtualization overlay for scaling Layer 2 networks

Layer 2 extension across Layer 3 boundaries

Location/identifier separation for routing scalability

Label switching for traffic engineering and VPNs

Why these pairings

These technologies are key for data center networking and virtualization.

5
MCQ · medium

A financial services firm has deployed Cisco UCS C-Series rack servers running VMware vSphere 7.0. They use Cisco Intersight for management. Recently, a critical application server (Server-A) became unresponsive. The Intersight dashboard shows the server's health status as 'Warning' with a firmware compliance alert: the server's Cisco Integrated Management Controller (CIMC) firmware version is 4.0(1a), while the Intersight firmware baseline is 4.2(1c). The server is running ESXi 7.0u2 on a local datastore. The storage is provided by a Cisco MDS switch via Fibre Channel. The server has two 10GbE uplinks to the fabric interconnect. The engineer notices that the vCenter Server cannot communicate with Server-A, and all VMs on that host are isolated. The engineer suspects the issue is related to the firmware mismatch. What is the most appropriate first step to resolve this issue while minimizing downtime?

A. Check vCenter logs to determine why communication failed.
B. Reinstall ESXi on Server-A to ensure a clean operating system.
C. Upgrade the CIMC firmware on Server-A from 4.0(1a) to 4.2(1c) using Intersight's firmware update capability.
D. Change the Intersight firmware baseline to match the current CIMC version (4.0(1a)).
Answer: C

Directly upgrades the firmware to the compliant version, resolving the underlying issue.

Why this answer

The CIMC firmware mismatch (4.0(1a) vs. baseline 4.2(1c)) is a known cause of management-plane instability in Cisco UCS C-Series servers managed by Intersight. Upgrading the CIMC firmware to match the Intersight baseline using Intersight's built-in firmware update capability directly addresses the root cause, restoring proper communication between the server, Intersight, and vCenter, while minimizing downtime by avoiding disruptive OS-level changes.

Exam trap

Cisco often tests the misconception that a firmware mismatch only affects compliance reporting and not actual data-plane or management-plane functionality, leading candidates to choose a non-disruptive but ineffective option like changing the baseline (Option D) instead of performing the necessary firmware upgrade.

How to eliminate wrong answers

Option A is wrong because checking vCenter logs is a diagnostic step that does not resolve the firmware mismatch; the root cause is already identified (CIMC firmware version out of compliance). Option B is wrong because reinstalling ESXi is unnecessarily disruptive and does not fix the CIMC firmware version mismatch, which is the underlying cause of the management communication failure. Option D is wrong because changing the Intersight firmware baseline to match the outdated CIMC version (4.0(1a)) would bypass the compliance alert but leave the server running an unsupported and potentially buggy firmware version, failing to resolve the actual issue and risking future stability.

6
MCQ · hard

A large data center uses a Cisco Nexus 9000 switch with FCoE NPV feature. The switch is connected to an MDS 9700 upstream. The network team recently replaced the MDS 9700 with a new one. After the replacement, the FCoE hosts are unable to log in to the storage fabric. The Nexus switch shows that the FCoE NPV uplinks are up but no FLOGIs are being forwarded. The show npv flogi-table on the Nexus is empty. The upstream MDS shows that the uplinks are in VSAN 100, and the zoning is correct. The Nexus switch configuration includes 'feature npv' and 'npv enable' on the relevant interfaces. The FCoE VLAN 100 is mapped to VSAN 100. What is the most likely cause?

A. The upstream MDS is not configured to accept NPV connections
B. The FIP snooping policy is blocking the FLOGI traffic
C. The Nexus switch is missing the 'fcoe fka-adv-period' configuration
D. The FCoE hosts are not in the same VLAN as the FCoE NPV uplinks
Answer: A

The MDS needs NPIV enabled on the uplink interfaces to proxy FLOGIs from the Nexus.

Why this answer

The most likely cause is that the upstream MDS is not configured to accept NPV connections. For NPV to work, the upstream switch (MDS) must have NPIV enabled on the uplink interfaces. Without NPIV, the MDS will reject FLOGI requests from the Nexus.

Other options: FKA-adv-period affects keep-alives, not login; FIP snooping is on the Nexus but would not cause empty flogi-table if uplinks are up; VLAN mapping is correct.

7
MCQ · easy

Refer to the exhibit. A network engineer notices that the NVE1 interface is up but VXLAN traffic is not being encapsulated. What is the most likely cause?

A. The VNI 10000 is not mapped to a VLAN.
B. The ingress replication protocol must be static.
C. The loopback0 interface is not configured.
D. The BGP EVPN address-family is not activated.
Answer: D

EVPN requires MP-BGP with the l2vpn evpn address-family to exchange routes; without it, VXLAN encapsulation cannot function.

Why this answer

Option D is correct because VXLAN traffic encapsulation on the NVE1 interface requires the BGP EVPN address-family to be activated under the BGP configuration to exchange VNI-to-VTEP mappings. Without this address-family, the NVE interface cannot learn remote VTEPs, so VXLAN packets are never encapsulated with the outer UDP/IP header.

Exam trap

Cisco often tests the misconception that an NVE interface being up means VXLAN encapsulation is fully functional, but the control plane (BGP EVPN) must be active to provide the necessary remote VTEP information.

How to eliminate wrong answers

Option A is wrong because VNI 10000 not being mapped to a VLAN would prevent local bridging, but the NVE interface can still encapsulate VXLAN traffic if the VNI is configured under the NVE and the BGP EVPN control plane is operational. Option B is wrong because ingress replication can be configured as static or dynamic (via BGP EVPN); the protocol does not need to be static—dynamic replication via BGP EVPN is standard. Option C is wrong because the loopback0 interface is likely already configured (the exhibit shows it as the source interface under NVE1), and if it were missing, the NVE interface would not come up at all.

8
MCQ · hard

A network engineer notices that when a host sends a packet to a destination on a different VTEP, the packet is flooded to all VTEPs even though the destination MAC is known. What is the most likely cause?

A. The BGP EVPN route table is missing the MAC/IP route for the destination.
B. The VNI is misconfigured.
C. The MTU exceeds 1500 bytes.
D. ARP suppression is disabled.
Answer: A

Without the route, the VTEP has no forwarding information and floods.

Why this answer

In a BGP EVPN VXLAN fabric, when a host sends a packet to a known destination MAC on a different VTEP, the ingress VTEP should perform MAC/IP route lookup in the BGP EVPN route table to determine the correct remote VTEP. If the MAC/IP route for the destination is missing (e.g., not advertised or withdrawn), the ingress VTEP has no mapping to a remote VTEP and must flood the packet to all VTEPs in the VNI, causing unnecessary broadcast traffic. This is the most likely cause of the described behavior.

Exam trap

The trap here is that candidates often confuse flooding due to an unknown MAC (which is normal) with flooding due to a missing EVPN route, or they incorrectly attribute the issue to ARP suppression or MTU problems, which are unrelated to the data-plane flooding of a known MAC across VTEPs.

How to eliminate wrong answers

Option B is wrong because a misconfigured VNI would typically prevent the packet from being encapsulated or forwarded at all, or cause it to be dropped, not flooded to all VTEPs. Option C is wrong because an MTU exceeding 1500 bytes would cause fragmentation or drop issues, not flooding behavior. Option D is wrong because ARP suppression is a control-plane optimization that reduces ARP broadcast traffic within a VNI; disabling it would cause ARP requests to be flooded, but the question describes flooding of a data packet with a known destination MAC, which is unrelated to ARP suppression.

9
MCQ · easy

A network engineer is configuring OSPF on a pair of Nexus 9000 switches acting as spine switches in a VXLAN fabric. The engineer needs to ensure that the spine switches do not become the DR for any VLAN. Which configuration should be applied?

A. Configure passive-interface default under OSPF.
B. Set ospf network type to point-to-multipoint.
C. Set ospf priority to 0 on the spine interfaces.
D. Set ospf priority to 255 on the spine interfaces.
Answer: C

OSPF priority 0 prevents the router from participating in DR/BDR election.

Why this answer

Setting the OSPF priority to 0 on the spine interfaces prevents the spine switches from participating in the DR/BDR election process, ensuring they never become the Designated Router (DR) for any VLAN. This is the standard method to suppress DR election on a multi-access network segment.

Exam trap

Cisco often tests the misconception that setting OSPF priority to 0 disables OSPF on the interface entirely, when in fact it only prevents DR/BDR election while still allowing neighbor adjacency formation.

How to eliminate wrong answers

Option A is wrong because configuring passive-interface default under OSPF suppresses all OSPF hello packets on all interfaces, preventing neighbor adjacency formation entirely, which would break OSPF routing. Option B is wrong because setting the OSPF network type to point-to-multipoint does not inherently prevent a router from becoming DR; it changes the behavior to treat the network as a collection of point-to-point links but still allows DR election on multi-access segments. Option D is wrong because setting the OSPF priority to 255 (the highest possible value) makes the spine switch the most likely candidate to become the DR, which is the opposite of the desired outcome.

10
Multi-Select · medium

A UCS administrator must ensure that a service profile can be updated without disrupting production traffic. Which two configuration options support this requirement? (Choose two.)

Select 2 answers
A. Use of a service profile template with 'Disruptive Update'
B. Maintenance policy with 'Immediate'
C. Use of a service profile template with 'Upgrade Policy'
D. Maintenance policy with 'User Ack' and 'Enable Fast Reboot'
E. Maintenance policy with 'On Next Boot'
Answers: D, E

User acknowledgment provides manual control; fast reboot minimizes downtime.

Why this answer

Option D is correct because a maintenance policy with 'User Ack' requires manual acknowledgment before the update proceeds, and enabling 'Fast Reboot' minimizes traffic disruption by reducing the reboot time. Option E is correct because a maintenance policy with 'On Next Boot' defers the update until the next scheduled reboot, allowing the administrator to control when the change takes effect and avoid impacting production traffic.

Exam trap

Cisco often tests the distinction between 'Disruptive Update' and non-disruptive maintenance policies, and the trap here is that candidates confuse 'Upgrade Policy' (a non-existent term) with 'Maintenance Policy', or assume 'Immediate' is acceptable because it is fast, ignoring the disruption requirement.

11
MCQ · easy

Which tool provides a programmatic HTTP-based interface to execute CLI commands on Cisco Nexus switches and returns structured JSON data?

A. Ansible
B. pyATS
C. Netmiko
D. NX-API
Answer: D

NX-API is the HTTP/HTTPS interface that accepts CLI commands and returns JSON/XML.

Why this answer

NX-API (Option D) is the correct answer because it provides a programmatic HTTP/HTTPS-based interface that allows you to send CLI commands to Cisco Nexus switches and receive structured JSON (or XML) responses. This enables automation and integration without requiring an SSH session, directly fulfilling the question's requirement for an HTTP-based interface with structured JSON output.

Exam trap

Cisco often tests the distinction between tools that provide a direct HTTP-based API (like NX-API) versus automation or scripting libraries (like Ansible, pyATS, or Netmiko) that use other protocols (SSH) or are higher-level frameworks, leading candidates to confuse the interface layer with the tool that consumes it.

How to eliminate wrong answers

Option A is wrong because Ansible is an automation framework that uses playbooks to manage devices, but it does not itself provide an HTTP-based interface for executing CLI commands on Nexus switches; it typically relies on NX-API or SSH via modules like nxos_command. Option B is wrong because pyATS (Python Test Automation System) is a testing framework for network devices, not a tool that exposes an HTTP-based CLI execution interface; it uses other transports like SSH or NX-API to interact with devices. Option C is wrong because Netmiko is a Python library for simplifying SSH connections to network devices, not an HTTP-based interface; it uses SSH, not HTTP, and returns unstructured text, not structured JSON.

12
Multi-Select · easy

A data center network uses Cisco Nexus switches with VXLAN EVPN. Which two components are essential for VXLAN EVPN operation? (Choose two.)

Select 2 answers
A. VXLAN VTEPs on leaf switches.
B. OSPF as underlay routing protocol.
C. MP-BGP EVPN control plane.
D. VPC for host-facing links.
E. PIM-SM for multicast replication.
Answers: A, C

VTEPs encapsulate and decapsulate VXLAN frames.

Why this answer

VXLAN VTEPs (VXLAN Tunnel Endpoints) on leaf switches are essential because they perform the encapsulation and decapsulation of VXLAN frames, enabling Layer 2 overlay networks over a Layer 3 underlay. Without VTEPs, there is no mechanism to create the VXLAN tunnels that carry traffic between endpoints across the IP fabric.

Exam trap

Cisco often tests the distinction between mandatory components (VTEPs and MP-BGP EVPN) and optional features (vPC, specific underlay protocols, or replication modes) to see if candidates understand that the underlay can be any IP-routed network and that multicast is not a requirement for VXLAN EVPN.

13
MCQ · hard

A network engineer is implementing automated configuration management using Cisco NSO (Network Services Orchestrator). The team wants to ensure that any configuration changes made directly on the devices (out-of-band) are detected and reconciled. Which NSO feature should be used?

A. Configuration Database (CDB) snapshots
B. Fast-map synchronization
C. Service model templates
D. Rollback and recovery mechanism
Answer: B

Fast-map syncs device configurations with NSO and detects drift.

Why this answer

Fast-map synchronization is the correct NSO feature because it is specifically designed to detect and reconcile configuration changes made directly on managed devices (out-of-band changes). It compares the device's running configuration against NSO's CDB and generates the necessary NETCONF or CLI operations to bring the device back into sync with NSO's desired state, ensuring consistency without manual intervention.

Exam trap

Cisco often tests the distinction between features that manage NSO's internal state (CDB snapshots, rollback) versus features that synchronize with external devices (fast-map), leading candidates to confuse backup mechanisms with reconciliation tools.

How to eliminate wrong answers

Option A is wrong because CDB snapshots are used for backup and restore of NSO's own configuration database, not for detecting or reconciling out-of-band device changes. Option C is wrong because service model templates define service-level configurations and are used for deploying services, not for detecting or reconciling direct device modifications. Option D is wrong because the rollback and recovery mechanism reverts NSO's own transaction history to a previous state, but it does not detect or reconcile out-of-band changes made directly on devices.

14
MCQ · hard

An engineer is designing an automation solution for a large data center with multiple Cisco UCS Manager domains. Which approach best ensures idempotent configuration operations?

A. Writing imperative Python scripts that execute CLI commands
B. Using a declarative automation tool like Ansible with idempotent modules
C. Directly calling UCS Manager XML API using POST requests
D. Using SNMP to set configuration parameters
Answer: B

Declarative tools ensure the desired state is achieved regardless of current state.

Why this answer

Option B is correct because Ansible's declarative modules for Cisco UCS Manager (e.g., `ucs_*` modules) are designed to be idempotent: they compare the current state of the configuration against the desired state defined in the playbook and only apply changes when necessary. This ensures that running the same playbook multiple times yields the same result without unintended side effects, which is critical for large-scale automation across multiple UCS domains.

Exam trap

Cisco often tests the misconception that any API or script-based approach (like XML API or Python CLI) is automatically idempotent, when in fact only declarative tools with built-in state reconciliation (like Ansible) guarantee idempotency without additional custom logic.

How to eliminate wrong answers

Option A is wrong because imperative Python scripts that execute CLI commands are not inherently idempotent; they blindly send commands each time they run, potentially causing errors or duplicate configurations unless the script explicitly checks the current state. Option C is wrong because directly calling the UCS Manager XML API using POST requests is a procedural method that requires custom logic to check existing state before applying changes; without such checks, repeated POST requests can create duplicate objects or overwrite configurations. Option D is wrong because SNMP is a monitoring protocol (RFC 1157) designed for reading MIB variables and sending traps, not for idempotent configuration operations; it lacks the state comparison and transactional guarantees needed for reliable configuration management.

15
Multi-Select · easy

Which TWO methods are used to secure management plane access on Cisco Nexus 9000 series switches?

Select 2 answers
A. SNMPv3
B. CoPP
C. SSH
D. AAA
E. VRF
Answers: C, D

SSH encrypts management traffic, securing remote access.

Why this answer

SSH provides encrypted remote access, and AAA provides authentication and authorization for management users. SNMPv3 is for monitoring, CoPP protects the control plane, and VRF is for data plane segmentation.

16
Multi-Select · medium

Which THREE statements about Cisco Network Services Orchestrator (NSO) are true?

Select 3 answers
A. It can manage both NX-OS and ACI
B. It uses NETCONF to communicate with devices
C. It can only be used for layer 3 services
D. It requires a separate database for device states
E. It uses YANG models for device configuration
Answers: A, B, E

NSO has NEDs for both NX-OS and ACI.

Why this answer

Cisco NSO is a multi-domain orchestration platform that can manage both NX-OS and ACI environments, making option A correct. It uses NETCONF as the primary southbound protocol to communicate with devices, and it leverages YANG models to define and enforce device configurations, which validates options B and E.

Exam trap

The trap here is that candidates often assume NSO requires an external database for state management, but it actually uses its own integrated CDB, and they may also mistakenly think NSO is limited to Layer 3 services when it is a multi-layer orchestrator.

17
MCQ · easy

Refer to the exhibit. An Ansible playbook targeting an NX-OS switch fails with this error. What is the most likely cause?

A. The password is incorrect
B. The username is incorrect
C. SSH is not enabled on the switch
D. The Ansible version is incompatible with the switch
Answer: A

'authentication failed' indicates wrong password or username, and password is the most common issue.

Why this answer

The error message indicates an authentication failure during the SSH connection from Ansible to the NX-OS switch. Since Ansible uses SSH to execute tasks, a 'Permission denied' error most commonly points to incorrect credentials. The playbook likely specifies the wrong password for the given username, causing the SSH session to be rejected.

Exam trap

Cisco often tests the distinction between SSH connectivity errors (e.g., 'Connection refused') and authentication errors (e.g., 'Permission denied'), leading candidates to mistakenly blame SSH configuration when the real issue is incorrect credentials.

How to eliminate wrong answers

Option B is wrong because if the username were incorrect, the error would typically be 'Authentication failed' or 'User not found', but the error message shown does not distinguish between username and password; however, the most common cause in Ansible playbooks is a password mismatch, not a username typo. Option C is wrong because if SSH were not enabled, the error would be 'Connection refused' or 'No route to host', not 'Permission denied'. Option D is wrong because Ansible version incompatibility with NX-OS would manifest as module execution failures or unsupported features, not an SSH authentication error.

18
MCQ · easy

A network engineer wants to automate the deployment of a new VLAN across all Cisco Nexus switches in a data center using Python scripts. Which tool is most appropriate for this task?

A. Cisco NX-API with Python requests
B. SSH CLI commands via Paramiko
C. Ansible playbook
D. SNMP SET commands
Answer: A

NX-API provides RESTful API for direct configuration via Python.

Why this answer

Cisco NX-API provides a RESTful API interface on Nexus switches, allowing direct HTTP/HTTPS calls to configure VLANs programmatically. Using Python's requests library, you can send structured JSON payloads to the API endpoint, making it the most direct and efficient method for script-driven automation without requiring intermediate tools or protocols.

Exam trap

Cisco often tests the distinction between direct programmatic APIs (NX-API) and higher-level automation tools (Ansible) or legacy methods (SNMP, SSH), expecting candidates to recognize that the question's emphasis on 'Python scripts' points to a library-based API call rather than a separate automation framework.

How to eliminate wrong answers

Option B is wrong because SSH CLI commands via Paramiko emulate a terminal session, which is slower, less reliable for large-scale automation, and requires parsing CLI output, whereas NX-API offers structured data exchange. Option C is wrong because Ansible is a configuration management tool that abstracts the underlying API or CLI, but the question specifically asks for a Python script-based tool; Ansible playbooks are written in YAML, not Python scripts, and while Ansible can use NX-API modules, the question's context demands a direct Python scripting approach. Option D is wrong because SNMP SET commands are designed for monitoring and simple configuration changes, not for complex tasks like VLAN deployment, and they lack the transactional reliability and structured data handling of NX-API.

19
MCQ · easy

A network engineer is troubleshooting slow backup performance between a backup server and a tape library connected via FC. The backup server is connected to a Cisco MDS switch at 8 Gbps, and the tape library is connected at 4 Gbps. The backup job is using hardware compression. Which factor is most likely limiting performance?

A. Port speed mismatch between the server and tape library
B. Insufficient buffer credits on the MDS switch
C. Hardware compression on the tape library
D. Half-duplex mode on the FC link
Answer: A

The slower device (4 Gbps) determines the link speed.

Why this answer

The backup server is connected at 8 Gbps while the tape library is connected at 4 Gbps. In Fibre Channel, the link speed is negotiated per port, and the end-to‑end flow is limited by the slowest link in the path. Even though the server can transmit at 8 Gbps, the tape library can only receive at 4 Gbps, creating a bottleneck that caps the backup throughput.

Hardware compression on the tape library does not cause this speed mismatch; it actually reduces the amount of data written to tape, but the physical link rate remains the limiting factor.

Exam trap

Cisco often tests the misconception that buffer credits are the primary cause of any FC performance issue, but here the persistent throughput limit is due to a static speed mismatch, not a dynamic credit starvation problem.

How to eliminate wrong answers

Option B is wrong because insufficient buffer credits typically cause frame drops and retransmissions under high load, not a consistent speed cap; the scenario describes a persistent throughput limit, not loss‑induced slowdown. Option C is wrong because hardware compression reduces the volume of data written to tape, which would improve backup performance, not limit it. Option D is wrong because Fibre Channel operates in full‑duplex mode by design; half‑duplex does not exist in FC standards (FC‑0 through FC‑4 all assume full‑duplex links).

20
MCQ · medium

A large enterprise is deploying a new storage network for a VMware vSphere cluster with 200 VMs. The cluster uses vSphere 7 with vVols and requires a SAN that supports 16 Gbps FC. The storage team wants to use a Cisco MDS 9148S switch and has configured two VSANs: VSAN 100 for production and VSAN 200 for backup. The backup server is connected to VSAN 200. After the deployment, the backup administrator reports that backup jobs from the backup server to the storage array are failing. The storage array is connected to both VSANs via a single FC interface configured in 'auto' mode. The backup server is connected to an F-port in VSAN 200. The storage array's interface shows 'trunking' enabled and is in 'up' state. What is the most likely cause of the backup failure?

A. Configure the MDS switch interface connected to the storage array as a trunk port and ensure VSAN 200 is in the allowed list.
B. Move the backup server to VSAN 100 to match the production storage.
C. Change the storage array interface to 'F' mode to force it to be in a single VSAN.
D. Disable trunking on the storage array interface to prevent VSAN mismatch.
Answer: A

This allows the array to be in both VSANs and ensures the backup server can communicate with the array.

Why this answer

The storage array is connected to both VSANs via a single interface with trunking enabled, but the MDS switch interface connected to the array is not configured as a trunk port. Without trunking on the switch side, the interface can only belong to one VSAN (likely VSAN 100 by default), so traffic from the backup server in VSAN 200 cannot reach the storage array. Option A resolves this by configuring the switch interface as a trunk port and explicitly allowing VSAN 200 in the allowed VSAN list, enabling the array to communicate with both VSANs.

Exam trap

Cisco often tests the misconception that enabling trunking on the storage array alone is sufficient, when in fact both ends of the link must be configured as trunk ports for multi-VSAN traffic to pass.

How to eliminate wrong answers

Option B is wrong because moving the backup server to VSAN 100 would disrupt backup isolation and does not address the root cause—the switch interface is not trunking to carry VSAN 200 traffic. Option C is wrong because changing the storage array interface to 'F' mode would force it into a single VSAN, preventing it from serving both production and backup traffic, which is the opposite of what is needed. Option D is wrong because disabling trunking on the storage array interface would eliminate the ability to carry multiple VSANs, making the backup failure permanent; trunking is required to allow the single interface to participate in both VSANs.

21
Multi-Select · medium

Which TWO statements correctly describe the use of Cisco UCS Manager service profiles for server deployment?

Select 2 answers
A. Service profiles can only be applied to servers of the same model.
B. Service profiles decouple server identity from hardware, enabling rapid provisioning.
C. A service profile can be associated with multiple servers simultaneously.
D. Service profiles are stored locally on the server's boot drive.
E. Service profiles include policies for firmware, BIOS, boot order, and network.
Answers: B, E

Service profiles abstract server identity, allowing quick redeployment.

Why this answer

Service profiles decouple the logical server identity (UUID, MAC addresses, WWPNs) from the physical hardware. This allows an administrator to rapidly provision or repurpose a server by simply associating the profile with a different blade or rack server, without reconfiguring the OS or SAN/NIC settings. This abstraction is the core value of Cisco UCS Manager for scalable, stateless computing.

Exam trap

The trap here is that candidates often confuse service profiles with server templates or think they are tied to specific hardware models (Option A), when in fact the entire purpose of UCS stateless computing is to abstract identity from hardware.

22
MCQ · easy

A Cisco Intersight managed UCS domain has a policy that requires all firmware updates to be applied within 30 days of release. An engineer needs to check compliance for a specific server. Which Intersight feature should be used?

A. Software repository
B. Actions tab with pending updates
C. Compliance and drift management
D. Firmware update policy
Answer: C

This feature checks if firmware versions meet the defined baseline.

Why this answer

Compliance and drift management in Intersight continuously monitors the firmware versions of managed UCS servers against the defined baseline policies. When a policy requires updates within 30 days of release, this feature automatically detects servers that are out of compliance and reports the drift, allowing the engineer to verify compliance for a specific server without manual checks.

Exam trap

Cisco often tests the distinction between a policy that defines an action (like firmware update policy) and a monitoring/reporting feature (like compliance and drift management), leading candidates to confuse the policy that enforces updates with the tool that checks compliance.

How to eliminate wrong answers

Option A is wrong because the software repository is used to store and manage firmware images, not to check compliance against a time-based policy. Option B is wrong because the Actions tab with pending updates shows only immediate pending firmware actions, not historical or policy-based compliance status over a 30-day window. Option D is wrong because a firmware update policy defines the update schedule and target version, but it does not provide a compliance report or drift analysis for a specific server against a release-date-based policy.

23
MCQ · hard

A financial services company operates a multi-site data center with Cisco ACI. The automation team uses Ansible Tower to manage configurations. They have a playbook that configures EPGs using the 'aci_epg' module. The playbook runs successfully for most sites but fails on one site with the error 'Object 'uni/tn-Tenant1/ap-AP1/epg-EPG1' doesn't exist'. The engineer checks the ACI fabric and confirms that the tenant, application profile, and EPG exist on that site. The playbook uses the same credentials and variables across all sites. What is the most likely cause of the failure?

A. The Ansible Tower job runs with a different user that lacks permissions on that site
B. The ACI APIC version is incompatible with the Ansible module
C. The EPG name in the playbook has a typo that only affects this site
D. The fabric name in the Ansible inventory is incorrect for that site
Answer: D

Leads to connection to wrong APIC where EPG doesn't exist.

Why this answer

The error 'Object doesn't exist' despite the EPG being present on the ACI fabric indicates that Ansible is targeting the wrong fabric or APIC. Since the playbook uses the same credentials and variables across all sites, the most likely cause is an incorrect fabric name in the Ansible inventory for that specific site, causing the module to query a different APIC cluster where the object does not exist.

Exam trap

Cisco often tests the concept that Ansible inventory variables (like fabric hostname or APIC IP) must match the target site, and candidates mistakenly focus on credentials or module syntax instead of verifying the inventory configuration for each site.

How to eliminate wrong answers

Option A is wrong because the playbook uses the same credentials across all sites, and if a different user lacked permissions, the error would typically be an authentication or authorization failure, not an 'object doesn't exist' error. Option B is wrong because an APIC version incompatibility would likely cause module-level errors (e.g., missing parameters or API changes), not a specific object-not-found error for an existing EPG. Option C is wrong because a typo in the EPG name would cause the same error across all sites, not just one, and the engineer confirmed the EPG exists with the correct name on the failing site.

24
Multi-Select · easy

Which THREE of the following are required to configure FCoE NPV on a Cisco Nexus switch?

Select 3 answers
A. Enable FIP snooping.
B. Associate the FCoE VLAN with the VSAN.
C. Configure a storage VLAN.
D. Configure a VSAN for FCoE.
E. Enable FCoE on the switch.
Answers: A, B, E

FIP snooping prevents rogue FCoE devices.

Why this answer

FIP snooping is required on the NPV switch to inspect and validate FCoE Initialization Protocol (FIP) frames, preventing unauthorized FCoE devices from joining the fabric. Without FIP snooping, the NPV switch cannot properly forward FCoE traffic between the ENode and the upstream FCF, making it a mandatory configuration step for FCoE NPV.

Exam trap

Cisco often tests the distinction between configuring a VSAN on the NPV switch (which is incorrect) versus associating the FCoE VLAN with a VSAN (which is correct), leading candidates to mistakenly select 'Configure a VSAN for FCoE' as a required step.

25
Multi-Select · easy

Which TWO commands are used to verify zoning configuration on a Cisco MDS switch? (Choose two.)

Select 2 answers
A. show zone
B. show fcns database
C. show flogi database
D. show vsan membership
E. show zoneset active
Answers: A, E

Displays all configured zones.

Why this answer

The 'show zone' command displays the configured zone database, including zone members and their aliases, which is essential for verifying zoning configuration. The 'show zoneset active' command shows the currently active zoneset that is enforced by the switch, confirming which zones are actually applied to traffic. Both commands directly verify zoning configuration on a Cisco MDS switch.

Exam trap

Cisco often tests the distinction between commands that show device login status (fcns, flogi) versus commands that show the actual zoning configuration (zone, zoneset active), leading candidates to mistakenly choose login-related commands as zoning verification tools.

26
MCQ · medium

A network administrator implements the ACL shown. After verifying the ACL statistics, all counters show 0 matches. What is the most likely cause?

A. The ACL entries are in the wrong order.
B. The ACL is applied to the wrong interface.
C. The 'permit ip any any' entry causes all traffic to be permitted before inspection.
D. The ACL is applied outbound instead of inbound.
Answer: B

Ethernet1/1 is a management interface; production traffic likely uses other interfaces.

Why this answer

Option B is correct because if the ACL is applied to the wrong interface, traffic never traverses that interface, so the ACL counters remain at 0. ACLs must be applied to the interface where traffic enters (inbound) or exits (outbound) the device; applying to an interface that does not carry the relevant traffic results in no matches.

Exam trap

Cisco often tests the misconception that ACL counters being 0 is always due to a missing 'permit ip any any' or wrong entry order, but the real trap is that the ACL may simply not be processing any traffic because it is applied to the wrong interface or direction.

How to eliminate wrong answers

Option A is wrong because the order of ACL entries affects which traffic is matched, but it does not cause all counters to be 0; even a misordered ACL would still match some traffic (e.g., a deny entry before a permit would still show matches for the deny). Option C is wrong because a 'permit ip any any' entry at the end of an ACL permits all unmatched traffic, but it would still match traffic and increment its own counter, not cause all counters to be 0. Option D is wrong because applying the ACL outbound instead of inbound would still match traffic exiting the interface; counters would increment if traffic flows out that interface, so 0 matches indicates no traffic is being evaluated, not a direction mismatch.

27
MCQ · medium

A storage administrator notices that a Fibre Channel link between a server and a Cisco MDS switch is flapping every few minutes. The server's HBA and the switch port are both configured for 16 Gbps. Which action is most likely to resolve the issue?

A. Increase the link timeout interval on the switch port
B. Replace the SFP module on the switch port with a compatible Cisco SFP
C. Configure the switch port speed to auto-negotiate
D. Change the admin state of the interface to shut and no shut
Answer: B

Faulty SFP is a common cause of link flapping.

Why this answer

Option B is correct because the most common cause of link flapping is an incompatible or faulty SFP. Replacing it with a compatible, genuine Cisco SFP resolves the issue. Option D is wrong because changing the admin state does not address the physical layer problem.

Option A is wrong because increasing the timeout may mask the flapping but not fix it. Option C is wrong because setting auto-negotiation does not guarantee link stability if the SFP is faulty.

28
Multi-Select · medium

Which TWO options are correct regarding Cisco UCS server profiles? (Select TWO.)

Select 2 answers
A. Service profiles can be updated while the server is in OS configuration.
B. Resource pools, such as UUID pools, can be shared across service profile templates.
C. A vHBA in a service profile inherits the boot policy automatically.
D. A service profile can be associated with multiple servers simultaneously to provide load balancing.
E. A service profile becomes operational only after it is associated with a physical server.
Answers: B, E

Pools are defined globally and can be used by multiple templates.

Why this answer

Option B is correct because resource pools like UUID pools, MAC pools, and WWN pools are global objects in Cisco UCS Manager that can be shared across multiple service profile templates. This allows administrators to define a pool once and reference it from any template, ensuring consistent allocation and avoiding conflicts.

Exam trap

The trap here is that candidates often confuse the one-to-one binding of service profiles to servers with load-balancing concepts, or assume that boot policies are automatically inherited by vHBAs, when in fact they must be explicitly linked via the service profile's boot policy configuration.

29
MCQ · medium

A Python script using NX-API returns HTTP 401. What is the most likely cause?

A. Wrong NX-API version in URL
B. Firewall blocking port 443
C. NX-API not enabled on the switch
D. Invalid credentials
Answer: C

If NX-API is not enabled, the HTTP endpoint may return 401 (or 404) – but typically 401 due to lack of authentication context. In practice, enabling NX-API is required for authentication to work.

Why this answer

HTTP 401 indicates unauthorized access, which in the context of NX-API means the request lacks valid authentication credentials. However, if NX-API is not enabled on the switch, the API endpoint itself is not active, and the switch will reject the request with a 401 error because no authentication mechanism is available to process the credentials. Enabling NX-API via the 'feature nxapi' command is a prerequisite for any NX-API communication.

Exam trap

Cisco often tests the distinction between 'service not enabled' and 'authentication failure' by using HTTP 401 as a red herring, leading candidates to assume invalid credentials when the actual issue is that the feature is not activated.

How to eliminate wrong answers

Option A is wrong because an incorrect NX-API version in the URL would typically result in a 404 Not Found or a different HTTP error, not a 401 Unauthorized, as the request would reach a non-existent endpoint. Option B is wrong because a firewall blocking port 443 would cause a connection timeout or a TCP reset, not an HTTP 401 response, which requires the TCP handshake to complete and the HTTP server to respond. Option D is wrong because invalid credentials would indeed produce a 401 error, but the question asks for the 'most likely' cause; in practice, NX-API being disabled is a more common initial misconfiguration than entering wrong credentials, and the 401 in that case is a generic response from the switch's HTTP server when the API feature is off.

30
MCQ · medium

Refer to the exhibit. An engineer configured a VXLAN tunnel endpoint (VTEP) but the VXLAN tunnel is not operational. The underlay OSPF adjacency is established. What is the missing configuration?

A. The NVE interface must be enabled with the no shutdown command.
B. The multicast group must be reachable via the underlay.
C. The loopback0 interface is not included in the OSPF process.
D. The VNI must be mapped to a VLAN.
Answer: C

The loopback0 interface, used as the NVE source, is not advertised via OSPF, so its IP is unreachable from other VTEPs.

Why this answer

Option C is correct because the loopback0 interface is the source interface for the NVE, but it is not included in the OSPF process, making its IP unreachable from other VTEPs. Option A is incorrect because NVE interfaces are typically administratively up by default. Option B is incorrect because multicast reachability is not directly related to the tunnel operational status.

Option D is incorrect because VNI-to-VLAN mapping is not shown in the exhibit and is required for Layer 2 forwarding, but the immediate issue is the unreachable source interface.

31
MCQ · medium

A data center team is troubleshooting an automation script that uses REST API to configure a Cisco Nexus 9000 switch. The script fails with a '401 Unauthorized' error. What is the most likely cause?

A. API rate limiting has been exceeded
B. Network connectivity issue between the script and the switch
C. The user account does not have admin privileges
D. Invalid or expired authentication token
Answer: D

401 Unauthorized indicates authentication failure.

Why this answer

A 401 Unauthorized error in REST API communication indicates that the request lacks valid authentication credentials. For Cisco Nexus 9000 switches, REST API access typically requires a token-based authentication (e.g., using HTTP Basic Auth to obtain a session token or cookie). If the token is invalid or expired, the API server rejects the request with a 401 status code, as the script cannot prove its identity.

Exam trap

Cisco often tests the distinction between 401 Unauthorized (authentication failure) and 403 Forbidden (authorization failure), and candidates mistakenly choose 'insufficient privileges' (Option C) because they confuse authentication with authorization.

How to eliminate wrong answers

Option A is wrong because API rate limiting (e.g., exceeding requests per second) typically returns a 429 Too Many Requests error, not 401 Unauthorized. Option B is wrong because a network connectivity issue would result in a timeout or connection refused error (e.g., HTTP 0 or socket error), not a 401 HTTP status code. Option C is wrong because insufficient privileges (e.g., non-admin role) would cause a 403 Forbidden error after successful authentication, not a 401 Unauthorized error.

32
Multi-Select · medium

Which THREE of the following are required for a successful FCoE deployment on a Cisco MDS switch?

Select 3 answers
A. Enable the FCoE feature globally
B. Configure DCB with Priority Flow Control on the FCoE VLAN interfaces
C. Enable FIP snooping on the FCoE VLAN
D. Set the MTU to 9216 bytes on all FCoE interfaces
E. Create a VSAN and map to the FCoE VLAN
Answers: A, B, E

Required to run FCoE.

Why this answer

FCoE requires: enable FCoE feature, configure a VSAN for FCoE, and ensure DCB with PFC is configured. FIP snooping is optional but not required for basic operation. Jumbo frames are necessary but not a switch config step.

Options A, B, and E are correct. Options C and D are not mandatory.

33
MCQ · medium

Refer to the exhibit. An engineer is trying to automate configuration using NX-API on a Nexus 9000 switch. They have enabled 'feature nxapi' but when they attempt to send a POST request to the NX-API endpoint, they receive '400 Bad Request' with 'Invalid message format'. What is the most likely missing configuration?

A. The switch does not have the 'nxapi' feature enabled.
B. The NX-API HTTP/HTTPS server is not configured with a port (e.g., 'nxapi http port 80').
C. The engineer is using the wrong URL path; should be /ins instead of /api.
D. The authentication method is set to 'none' but should be 'basic'.
Answer: B

Enabling the feature alone does not start the server; a port must be configured.

Why this answer

The '400 Bad Request' with 'Invalid message format' error indicates the NX-API server is not listening on the expected port. Even with 'feature nxapi' enabled, the HTTP or HTTPS server must be explicitly configured with a port (e.g., 'nxapi http port 80') to accept REST API requests. Without this, the switch does not expose the NX-API endpoint, causing the client to receive a malformed response.

Exam trap

Cisco often tests the distinction between enabling a feature and configuring its operational parameters—candidates assume 'feature nxapi' alone is sufficient, but the HTTP/HTTPS server port must be explicitly set for REST API access.

How to eliminate wrong answers

Option A is wrong because 'feature nxapi' is already enabled per the scenario, so the feature is active. Option C is wrong because the correct NX-API REST endpoint path is '/api' (e.g., 'http://switch/api/...'), not '/ins'; '/ins' is used for the XML/JSON-RPC interface, not the REST API. Option D is wrong because NX-API authentication defaults to 'basic' or uses the device's AAA; setting it to 'none' would not cause a '400 Bad Request'—it would either allow unauthenticated access or fail with a different error.

34
Multi-Select · hard

When configuring BGP EVPN on spine switches functioning as route reflectors, which two address families must be configured? (Choose two.)

Select 2 answers
A. address-family link-state
B. address-family l2vpn evpn
C. address-family ipv6 unicast
D. address-family vpnv4
E. address-family ipv4 unicast
Answers: B, E

Required for EVPN route exchange.

Why this answer

B is correct because BGP EVPN (Ethernet VPN) uses the L2VPN address family (l2vpn evpn) to carry MAC/VXLAN routing information between spine and leaf switches. This address family is mandatory for EVPN control plane operation in a VXLAN fabric, enabling MAC address learning and advertisement via MP-BGP.

Exam trap

Cisco often tests the misconception that only the EVPN address family is needed, but the ipv4 unicast family is also required on the route reflector to advertise the underlay loopback routes that serve as VXLAN tunnel endpoints.

35
MCQ · hard

After adding a new spine switch to a VXLAN EVPN fabric with OSPF underlay, some leaf switches experience routing instability. Which action could resolve the instability?

A. Increase the OSPF cost on the leaf-to-spine links.
B. Configure OSPF neighbor authentication.
C. Decrease the OSPF hello timer.
D. Enable OSPF route summarization on the leaves.
Answer: A

Higher cost makes the new spine less preferred, stabilizing routing.

Why this answer

When a new spine switch is added to a VXLAN EVPN fabric with an OSPF underlay, the leaf switches may experience routing instability because the new spine advertises routes with a lower cost, causing traffic to shift abruptly. Increasing the OSPF cost on the leaf-to-spine links makes those paths less preferred, stabilizing the routing table by preventing flapping and ensuring a more gradual convergence.

Exam trap

Cisco often tests the misconception that routing instability is caused by security or timer issues, when in fact it is typically due to unequal cost paths causing SPF thrashing after a new device is added.

How to eliminate wrong answers

Option B is wrong because OSPF neighbor authentication secures routing updates but does not address routing instability caused by cost-based path selection changes. Option C is wrong because decreasing the OSPF hello timer would increase the frequency of hello packets, potentially exacerbating instability by causing faster neighbor state changes and more frequent SPF calculations. Option D is wrong because enabling OSPF route summarization on the leaves reduces the size of the routing table but does not prevent the instability from a new spine advertising lower-cost routes; summarization affects route propagation, not path preference.

36
MCQ · medium

Refer to the exhibit. Which VLANs are allowed on the VPC peer-link?

A. VLANs 1-100 and native VLAN
B. Only VLAN 1
C. VLANs 1-100 only
D. All VLANs (1-4094)
Answer: C

The allowed VLAN range is 1-100.

Why this answer

In a vPC domain, the peer-link carries only specific VLANs that are allowed on the trunk. By default, the peer-link is configured as a trunk allowing VLANs 1-100, and the native VLAN is not included in this allowed list because the peer-link uses a dedicated VLAN for control traffic (typically VLAN 4094) and does not forward native VLAN traffic. Option C is correct because the default allowed VLAN list on a vPC peer-link is VLANs 1-100, as shown in the exhibit.

Exam trap

Cisco often tests the misconception that the vPC peer-link allows all VLANs or includes the native VLAN, when in fact it defaults to VLANs 1-100 and explicitly excludes the native VLAN to maintain control plane isolation.

How to eliminate wrong answers

Option A is wrong because the native VLAN is not allowed on the vPC peer-link; the peer-link uses a separate VLAN (often 4094) for control traffic and does not forward native VLAN frames. Option B is wrong because the peer-link allows more than just VLAN 1; it permits VLANs 1-100 by default. Option D is wrong because the peer-link does not allow all VLANs (1-4094); it is restricted to VLANs 1-100 by default to prevent unnecessary traffic and loops.

37
Multi-Select · easy

Which TWO statements about NPV configuration on a Cisco MDS switch are true? (Choose two.)

Select 2 answers
A. The core switch must have NPV enabled as well.
B. NPV mode is enabled globally with the 'npv enable' command.
C. All downstream interfaces must be F ports.
D. Interfaces connecting to the core switch must be configured as NP ports.
E. NPV mode is configured per VSAN.
Answers: B, D

Yes, 'npv enable' in global config.

Why this answer

Options B and D are correct. Others are incorrect.

38
MCQ · medium

Refer to the exhibit. A VXLAN VNI (10030) is operationally down. What is the most likely cause?

A. The source interface loopback0 is not up
B. The NVE mode should be L2VPN instead of L3VPN
C. The VLAN associated with VNI 10030 is not configured or mapped
D. The multicast group 239.1.1.1 is not reachable
Answer: C

The VNI must be mapped to a VLAN using 'vn-segment vlan-id' under the VLAN configuration; missing mapping causes operational down.

Why this answer

VXLAN VNI 10030 is operationally down because the VLAN that maps to this VNI is either not created or not associated with the VNI under the NVE interface. In Cisco NX-OS, a VNI becomes operationally up only when the corresponding VLAN exists and is properly mapped via the `member vni 10030 associate-vrf` or `member vni 10030` command under the NVE interface. Without this mapping, the NVE cannot forward traffic for that VNI, leaving it in a down state.

Exam trap

Cisco often tests the misconception that a VNI goes down due to multicast reachability or source interface issues, but the actual cause is the missing VLAN-to-VNI mapping, which is a common misconfiguration in VXLAN deployments.

How to eliminate wrong answers

Option A is wrong because if the source interface loopback0 were not up, the NVE interface itself would be down or the VXLAN tunnel would fail, but the VNI operational state would show as 'down' due to the source interface issue, not specifically because of a missing VLAN mapping. Option B is wrong because the NVE mode can be either L2VPN or L3VPN depending on the deployment; VXLAN VNI 10030 being operationally down is unrelated to the NVE mode, and L3VPN mode is correct for VXLAN EVPN with Layer 3 VNI. Option D is wrong because the multicast group 239.1.1.1 is used for BUM traffic replication; if it were unreachable, the VNI might still be operationally up but unable to forward broadcast traffic, so it would not cause the VNI to be operationally down.

39
MCQ · easy

Which feature allows a single Fibre Channel port to log in with multiple N-port IDs, enabling a host to connect to multiple targets through one port?

A. FCoE
B. VSAN
C. NPIV
D. NPV
Answer: C

NPIV enables multiple N-port IDs per physical port.

Why this answer

NPIV (N_Port ID Virtualization) allows a single physical FC port to have multiple N_Port IDs, each with its own WWPN. This is used for virtualization. Option D is wrong because NPV is for switch-to-switch.

Option B is wrong because VSANs are for segmentation. Option A is wrong because FCoE is a different protocol.

40
MCQ · hard

A storage team is implementing zoning in a Fibre Channel fabric. They want a method where zone members are identified by their World Wide Port Name (WWPN) and the fabric enforces access based on that, without relying on switch port information. Which type is this?

A. Soft zoning using domain/port
B. Hard zoning using WWPN
C. Hard zoning using port WWN
D. Soft zoning using WWPN
Answer: D

Soft zoning filters by WWPN via name server.

Why this answer

Option D is correct: soft zoning uses WWPN to define members and is enforced by the name server, not by the switch port. Hard zoning uses domain/port pairs. Option C is wrong because 'hard zoning using port WWN' is incorrect.

Option A is wrong: hard zoning uses domain/port. Option B is wrong: hard zoning does not use WWPN.

41
Multi-Select · hard

A UCS domain is configured with two fabric interconnects in end-host mode. The engineer needs to ensure that traffic from a specific VLAN is load-balanced across both uplinks to the upstream network. Which THREE of the following are valid methods to achieve load balancing on the uplink ports?

Select 3 answers
A. VLAN load balancing using the pin-groups
B. Configure SPAN on the uplink ports
C. Fabric port channel with LACP
D. MAC pinning to assign source-destination pairs to uplinks
E. vPC-host mode on the fabric interconnects
Answers: C, D, E

A fabric port channel aggregates multiple uplinks into a single logical link, load balancing traffic.

Why this answer

Option C is correct because a Fabric Port Channel with LACP allows multiple uplink ports to be aggregated into a single logical link, providing load balancing across the physical links based on a hash algorithm (e.g., source/destination MAC or IP). This is a standard method for distributing traffic from a specific VLAN across both uplinks to the upstream network in a UCS domain configured with two fabric interconnects in end-host mode.

Exam trap

Cisco often tests the distinction between Ethernet load-balancing methods (like Fabric Port Channel with LACP and MAC pinning) and Fibre Channel-specific features (like pin-groups), leading candidates to mistakenly select pin-groups for Ethernet traffic.

42
Matching · medium

Match each Cisco data center security feature to its purpose.

Concepts
Matches

Packet filtering based on IP/port criteria

Limits MAC addresses per switchport

Prevents rogue DHCP server attacks

Validates ARP packets to prevent spoofing

Filters traffic based on IP/MAC binding

Why these pairings

These security features protect the data center network from Layer 2 attacks.

43
MCQ · easy

A small business SAN consists of a single Cisco MDS 9148S switch with 16 Gb Fibre Channel ports. The storage array has four active paths to the switch, and four servers each have two HBAs. The administrator wants to ensure that all paths are utilized and that no single point of failure exists. Currently, all devices are in a single VSAN and zoning is permissive (default deny). After powering on all devices, the administrator notices that the storage array only logs in on two of its four ports. The other two ports show 'no light'. The switch has not been configured with any port settings. What is the most likely cause?

A. The switch ports need to have their speed manually configured to match the array.
B. The unused ports are in a different VSAN.
C. The zoning configuration prevents the array from logging in on those ports.
D. The storage array's other two ports are not physically connected or are disabled on the array end.
Answer: D

No light indicates the link is down; likely the cables are missing or ports disabled.

Why this answer

Default switch configuration does not disable ports; likely the other two ports on the storage array are not cabled or are administratively down. Option D is correct. Option A is wrong because port speed auto-negotiation usually works.

Option B is wrong because VSAN cannot disable ports. Option C is wrong because zoning does not affect link state.

44
MCQ · hard

In a Cisco UCS environment, which component provides the Fibre Channel connectivity to the SAN switches when using FCoE?

A. IOM (I/O Module)
B. Cisco VIC adapter
C. UCS Manager
D. UCS Fabric Interconnect
Answer: D

FI provides FCoE uplinks.

Why this answer

In a Cisco UCS environment, the Fabric Interconnect (FI) is the component that provides Fibre Channel connectivity to SAN switches when using FCoE. The FI integrates both Ethernet and Fibre Channel traffic, performing FCoE encapsulation and forwarding the Fibre Channel frames to the SAN via its native Fibre Channel uplink ports. This allows the UCS domain to connect directly to Fibre Channel SAN fabrics without requiring external FCoE-capable switches.

Exam trap

Cisco often tests the misconception that the IOM or VIC adapter directly provides Fibre Channel connectivity, when in fact the Fabric Interconnect is the central aggregation and conversion point for FCoE-to-FC traffic in a UCS domain.

How to eliminate wrong answers

Option A is wrong because the IOM (I/O Module) is a passive midplane or fabric extender that only aggregates traffic from the chassis to the Fabric Interconnects; it does not perform FCoE termination or provide native Fibre Channel uplinks to SAN switches. Option B is wrong because the Cisco VIC adapter is a server-side adapter that handles FCoE initialization and encapsulation at the host level, but it does not provide the final Fibre Channel connectivity to the SAN; that connectivity is provided upstream by the Fabric Interconnect. Option C is wrong because UCS Manager is the management plane software that configures and monitors the UCS domain, not a data-plane component that handles Fibre Channel connectivity.

45
MCQ · easy

A network engineer needs to create a consistent QoS policy for all servers in a UCS service profile template. Which policy must be attached to the template to ensure uniform traffic management?

A. QoS Policy
B. Network Control Policy
C. LAN Connectivity Policy
D. Flow Control Policy
Answer: A

QoS policy defines traffic prioritization and is attached to vNICs.

Why this answer

A QoS Policy is the correct attachment because it defines traffic classification, marking, and queuing behavior at the interface level within a UCS service profile template. By applying a QoS Policy, the engineer ensures uniform traffic management across all servers by controlling bandwidth allocation, priority, and drop preferences consistently. This policy directly maps to the system class definitions in UCS Manager, enabling per-interface QoS settings that are inherited by all service profiles using the template.

Exam trap

Cisco often tests the distinction between QoS Policy (which controls traffic prioritization and queuing) and Flow Control Policy (which only manages Ethernet pause frames), leading candidates to confuse link-level flow control with end-to-end quality of service.

How to eliminate wrong answers

Option B is wrong because a Network Control Policy manages MAC address mode, VLAN port configuration, and CDP/LLDP settings, not traffic prioritization or bandwidth management. Option C is wrong because a LAN Connectivity Policy defines the number and order of vNICs and their failover relationships, but does not include QoS parameters like classification or scheduling. Option D is wrong because a Flow Control Policy controls Ethernet pause frames (IEEE 802.3x) for link-level congestion, not the classification, marking, or queuing required for consistent QoS across servers.

46
MCQ · easy

What is the purpose of NPIV (N_Port ID Virtualization) in a Fibre Channel SAN?

A. Provide encryption on Fibre Channel links.
B. Allow a single physical port to register multiple N_port IDs.
C. Enable multiple paths between initiator and target.
D. Allow a switch to act as an NPV device.
Answer: B

Enables virtualization.

Why this answer

NPIV allows a single physical Fibre Channel N_Port to register multiple unique N_Port IDs (FCIDs) with the fabric. This is essential for virtualizing Fibre Channel connectivity, enabling multiple virtual machines or logical partitions to share one physical HBA port while each appearing as a distinct initiator to the SAN.

Exam trap

Cisco often tests NPIV by confusing it with NPV (N_Port Virtualization) — the trap is that candidates mix up the port-level virtualization (NPIV) with the switch-level proxy mode (NPV), or assume NPIV is about multipathing or security.

How to eliminate wrong answers

Option A is wrong because encryption on Fibre Channel links is provided by FC-SP (Fibre Channel Security Protocol) or hardware-level encryption, not by NPIV. Option C is wrong because enabling multiple paths between initiator and target is the function of multipathing software (e.g., EMC PowerPath, native MPIO), not NPIV. Option D is wrong because a switch acting as an NPV device is the definition of N_Port Virtualization (NPV), which is a different technology that uses NPIV to proxy multiple N_Port IDs upstream, but the switch itself is not an NPV device; NPV is a mode for edge switches to reduce FCIDs.

47
Multi-Select · medium

A team is configuring FCoE on a Cisco Nexus switch. Which TWO steps are mandatory to establish a lossless FCoE link?

Select 2 answers
A. Enable FCoE on the interface using the 'fcoe' command
B. Enable Priority Flow Control (PFC) as a separate CLI
C. Create a VSAN and map it to an FCoE VLAN
D. Configure DCBX to advertise and negotiate FCoE capabilities
E. Set the MTU to 9216 bytes to accommodate FCoE frames
Answers: A, D

FCoE must be enabled per interface.

Why this answer

Options A and C are correct. FCoE must be explicitly enabled on the interface. DCBX must be configured (or enabled) to negotiate PFC and other parameters for lossless operation.

Option B is incorrect: VSAN creation is part of FCoE configuration, but not mandatory on the interface level (VSANs are created globally). Option D is incorrect: MTU must be set to 2500 bytes (jumbo) for FCoE, not 9216. Option E is incorrect: PFC is enabled via DCBX, not as a separate command on the interface.

48
Multi-Select · medium

Which TWO conditions require the use of NPIV in a Fibre Channel SAN? (Choose two.)

Select 2 answers
A. Connecting a tape library that uses multiple LUNs to a single host.
B. Connecting an NPV switch to an upstream switch.
C. Enabling FCoE transit over a lossless Ethernet network.
D. Connecting two switches over an ISL.
E. Virtualizing a server with multiple virtual machines each needing a separate WWPN.
Answers: A, E

NPIV can present multiple identities for LUN masking.

Why this answer

Option A is correct because NPIV (N_Port ID Virtualization) allows a single physical Fibre Channel N_Port to register multiple unique WWPNs (World Wide Port Names), enabling a tape library with multiple LUNs to present each LUN as a separate target to the host. Without NPIV, the host would see only one WWPN for the tape library, limiting LUN access and management flexibility.

Exam trap

The trap here is that candidates confuse NPIV with NPV (N_Port Virtualization) or assume NPIV is required for any multi-LUN device, but NPIV is specifically for virtualizing N_Port identities, not for general multi-LUN access or switch-to-switch links.

49
MCQ · medium

A storage administrator reports that an FC initiator cannot log in to the SAN. The FC switch shows the following on the interface connected to the initiator: 'VSAN 100, State: Offline'. Which action should be taken to resolve the issue?

A. Create a zone including the initiator and target
B. Change the interface VSAN to match the initiator
C. Increase the number of buffer credits on the interface
D. Configure port speed manually on the switch interface
Answer: D

Forcing the port speed can stop flapping and bring the link online.

Why this answer

The interface state 'Offline' in VSAN 100 indicates a Layer 1 or Layer 2 issue, often caused by a speed mismatch between the FC initiator and the switch interface. Configuring the port speed manually on the switch interface forces the link to negotiate at a specific speed, resolving the mismatch and bringing the interface online. This is a common fix when auto-negotiation fails or the initiator does not support the default speed settings.

Exam trap

Cisco often tests the distinction between link-level issues (offline state) and fabric-level issues (zoning, VSAN membership), leading candidates to incorrectly choose zoning or VSAN changes when the root cause is a physical or speed mismatch.

How to eliminate wrong answers

Option A is wrong because zoning controls which devices can communicate (security/fabric login), but the interface is offline, meaning the physical or link-level parameters are not established yet; zoning cannot fix a down interface. Option B is wrong because the interface is already in VSAN 100 (as shown in the output), so changing the VSAN would not address the offline state; the issue is at the physical or link layer, not the VSAN membership. Option C is wrong because buffer credits manage flow control and buffer-to-buffer credit starvation, but they do not cause an interface to be offline; an offline state indicates a link-level problem (e.g., speed/negotiation), not a credit exhaustion issue.

50
MCQ · hard

An FCoE link between a Nexus switch and a storage array fails to come up. The switch is configured as an FCF. The administrator runs 'show interface ethernet 1/1' and sees the interface is up/up. Which command will most likely reveal the root cause?

A. show vlan id 100
B. show lldp neighbors interface ethernet 1/1
C. show fcoe database
D. show spanning-tree interface ethernet 1/1
Answer: C

Correct: Shows FCoE session and VLAN status.

Why this answer

Option D is correct because FCoE initialization involves multiple steps; 'show fcoe database' shows FCoE VLAN and login status. Option A is incorrect because LLDP is used for DCBX, not FCoE state. Option B is incorrect because spanning-tree does not affect FCoE.

Option C is incorrect because VLAN status does not show FCoE negotiation.

51
MCQ · hard

A Cisco MDS switch has the above configuration on two 16 Gbps FC interfaces. An engineer connects an initiator to fc1/2 and a target to fc1/1. The initiator cannot discover the target. What is the most likely cause?

A. The fc1/2 interface is configured as an F-port but the initiator requires an FL-port.
B. The fc1/1 interface is configured as dedicated rate-mode but the target expects shared.
C. The fc1/2 interface is configured as shared rate-mode which prevents F-port operation.
D. The fc1/1 interface is configured as an E-port but is connected to a storage target.
Answer: D

An E-port is for inter-switch links; the target should be connected to an F-port.

Why this answer

Option D is correct because the configuration shows interface fc1/1 with the command 'switchport mode E', which explicitly configures it as an E-port (expansion port). E-ports are used to interconnect two Fibre Channel switches, not to connect a storage target. When a target is connected to an E-port, the link will not come up properly because the target expects to be connected to an F-port (fabric port) or FL-port, preventing discovery by the initiator.

Exam trap

Cisco often tests the distinction between port types (E-port vs. F-port) and their allowed connections, trapping candidates who overlook that an E-port is strictly for switch-to-switch links, not for attaching end devices like targets or initiators.

How to eliminate wrong answers

Option A is wrong because the fc1/2 interface is configured as an F-port (via 'switchport mode F'), which is the correct port type for connecting an initiator; an FL-port is only needed if the initiator is an NL_Port (loop device), and there is no indication of an arbitrated loop. Option B is wrong because rate-mode (dedicated or shared) affects bandwidth allocation, not port type or device discovery; a target can operate with either rate-mode setting. Option C is wrong because shared rate-mode does not prevent F-port operation; F-ports can operate in shared rate-mode, and the initiator's failure to discover the target is unrelated to rate-mode.

52
MCQ · easy

What is the primary purpose of NX-API on Cisco Nexus switches in a data center automation context?

A. To replace SNMP for monitoring and alerting.
B. To enable direct configuration from a web browser without CLI.
C. To create a web-based GUI for manual switch configuration.
D. To provide a RESTful API that allows programmatic access to CLI commands and structured data output.
Answer: D

NX-API translates CLI commands into JSON/REST calls, returning structured data for automation.

Why this answer

NX-API provides a RESTful API interface on Cisco Nexus switches, enabling programmatic access to CLI commands and returning structured data in formats like JSON or XML. This is essential for data center automation because it allows external tools (e.g., Ansible, Python scripts) to configure and retrieve state from the switch without requiring interactive CLI sessions, directly supporting infrastructure-as-code workflows.

Exam trap

Cisco often tests the distinction between a programmatic API (NX-API) and a web-based GUI, leading candidates to confuse NX-API with the Device Manager web interface, which is a separate feature for manual browser-based management.

How to eliminate wrong answers

Option A is wrong because NX-API is not designed to replace SNMP for monitoring and alerting; SNMP remains the standard for trap-based alerts and performance monitoring, while NX-API focuses on configuration and operational data retrieval via REST. Option B is wrong because NX-API does not enable direct configuration from a web browser without CLI; it is an API endpoint consumed by programs, not a browser-based GUI. Option C is wrong because NX-API is not a web-based GUI for manual switch configuration; Cisco Nexus switches offer a separate web GUI (e.g., Device Manager), but NX-API is strictly a programmatic interface.

53
MCQ · hard

A network team is planning to automate configuration management of a brownfield Nexus 9000 fabric using YANG data models and NETCONF. Which consideration is critical when implementing this solution?

A. The operational state must be modeled against the device-specific YANG model to avoid configuration drift.
B. NETCONF replaces CLI entirely; no fallback necessary.
C. Using NETCONF for configuration ensures zero touch provisioning.
D. All NX-OS versions support the same YANG models; no compatibility check needed.
Answer: A

In brownfield, understanding the current state via YANG is needed to plan incremental changes and avoid drift.

Why this answer

In a brownfield Nexus 9000 fabric, the operational state (e.g., interface status, routing table) must be modeled against the device-specific YANG model to detect and correct configuration drift. NETCONF uses YANG models to define both configuration and operational data, but only the device-specific native model accurately reflects the actual running state. Without this alignment, automated remediation may push incorrect configurations, leading to network instability.

Exam trap

Cisco often tests the misconception that NETCONF is a complete CLI replacement, but the trap here is that operational state modeling against device-specific YANG is critical for drift detection in brownfield environments, not just configuration push.

How to eliminate wrong answers

Option B is wrong because NETCONF does not replace the CLI entirely; CLI remains a fallback for troubleshooting, emergency access, and operations not covered by YANG models. Option C is wrong because NETCONF is a configuration protocol that can be used for initial provisioning, but zero-touch provisioning (ZTP) typically relies on DHCP, TFTP, and scripts, not NETCONF alone. Option D is wrong because NX-OS versions support different YANG models (e.g., OpenConfig vs. Cisco native), and compatibility must be verified; assuming uniform support can cause schema mismatches and failed operations.

54
MCQ · medium

An organization is deploying Cisco ISE for 802.1X authentication on Cisco Nexus switches. Some endpoints fail authentication and fall back to the MAB. The security policy requires that endpoints failing both 802.1X and MAB be placed in a restricted VLAN. Which configuration is needed on the switch port?

A. authentication order dot1x mab
B. dot1x timeout tx-period 30
C. authentication failed action authorize vlan 999
D. authentication event server dead action authorize vlan 999
Answer: C

This command places the port into the specified VLAN (restricted) after authentication failure.

Why this answer

Option C is correct because the 'authentication failed action authorize vlan 999' command configures the switch port to place endpoints that fail both 802.1X and MAB into a restricted VLAN (VLAN 999). This directly meets the security policy requirement for endpoints that cannot authenticate via either method.

Exam trap

The trap here is confusing 'authentication failed action' (which handles authentication failure) with 'authentication event server dead action' (which handles server unavailability), leading candidates to pick Option D when the scenario explicitly describes endpoints failing authentication, not a server outage.

How to eliminate wrong answers

Option A is wrong because 'authentication order dot1x mab' only sets the sequence of authentication methods (802.1X first, then MAB), but does not define what happens when both fail. Option B is wrong because 'dot1x timeout tx-period 30' adjusts the interval between EAP-Request/Identity retransmissions, which affects authentication timing but not the fallback action for failed authentication. Option D is wrong because 'authentication event server dead action authorize vlan 999' handles the scenario when the RADIUS server is unreachable, not when authentication itself fails; this would place endpoints in VLAN 999 even if they could authenticate successfully, violating the policy.

55
MCQ · hard

An attacker attempts to spoof a legitimate client's IP address to intercept traffic. DHCP snooping is enabled. Which feature prevents this spoofing by validating source IP in data packets?

A. Port security
B. IP Source Guard
C. Dynamic ARP Inspection
D. DHCP Snooping binding database
Answer: B

IPSG validates source IP in data packets using the DHCP snooping binding table.

Why this answer

IP Source Guard (IPSG) uses the DHCP snooping binding database to validate the source IP address in data packets received on untrusted ports. If a packet's source IP does not match an entry in the binding table, IPSG drops the packet, preventing IP spoofing attacks.

Exam trap

Cisco often tests the distinction between features that validate IP addresses (IPSG) versus those that validate ARP (DAI) or MAC addresses (port security), leading candidates to confuse DAI as the answer for IP spoofing prevention.

How to eliminate wrong answers

Option A is wrong because port security limits MAC addresses on a switch port but does not inspect or validate the source IP address in Layer 3 packets. Option C is wrong because Dynamic ARP Inspection (DAI) validates ARP packets (IP-to-MAC bindings), not the source IP in data packets. Option D is wrong because the DHCP snooping binding database is a table of legitimate DHCP leases; it is not a feature that actively validates source IPs in data packets—IPSG uses this database to perform that validation.

56
Multi-Select · hard

Which TWO of the following are valid methods to recover from buffer credit loss on a Fibre Channel link?

Select 2 answers
A. Reduce the link speed.
B. Increase the BB_Credit value.
C. Enable WRED on the switch.
D. Use port channel to aggregate links.
E. Credit recovery using RDMA.
Answers: A, B

Lower speed reduces the number of credits needed to maintain the link.

Why this answer

Reducing the link speed is a valid method to recover from buffer credit loss because it decreases the number of frames transmitted per unit time, allowing the receiver's buffer credits to replenish and preventing further overrun. This is a temporary workaround that reduces the effective bandwidth but can stabilize the link when buffer credit starvation occurs due to distance or congestion.

Exam trap

Cisco often tests the misconception that increasing link speed or aggregating links (port channels) can solve buffer credit issues, but the correct approach is to either reduce speed or increase BB_Credits, as credit loss is a flow-control problem, not a bandwidth problem.

57
MCQ · medium

A UCS C-Series rack server with a boot from SAN policy fails to discover the LUN during POST. The HBA is correctly zoned with the storage array. Which step should be taken to troubleshoot the issue?

A. Verify VSAN membership on the fabric interconnect
B. Update the server firmware to the latest version
C. Review the SAN boot target configuration in Cisco IMC
D. Check the service profile association in UCS Manager
Answer: C

CIMC stores the SAN boot settings for C-Series servers

Why this answer

Option C is correct because when a UCS C-Series rack server with a boot-from-SAN policy fails to discover the LUN during POST, the most direct troubleshooting step is to review the SAN boot target configuration in Cisco IMC. The HBA is already correctly zoned, so the issue likely lies in the boot target parameters (e.g., WWPN, LUN ID, or target name) configured in the IMC's SAN boot settings, which the HBA uses during the BIOS-level boot process. Verifying these settings ensures the HBA can properly address and log into the storage target.

Exam trap

Cisco often tests the distinction between UCS B-Series (managed via UCS Manager with service profiles) and C-Series (standalone with Cisco IMC) to trap candidates who apply B-Series troubleshooting steps to a C-Series scenario.

How to eliminate wrong answers

Option A is wrong because VSAN membership on the fabric interconnect applies to UCS B-Series blade servers and Fabric Interconnects, not to C-Series rack servers, which use Cisco IMC for direct SAN boot configuration. Option B is wrong because updating server firmware is a generic troubleshooting step that does not address the specific boot-from-SAN discovery failure; the issue is configuration-related, not a firmware bug. Option D is wrong because service profile association in UCS Manager is relevant for UCS B-Series blades managed by UCS Manager, not for standalone C-Series rack servers, which are managed independently via Cisco IMC.

58
MCQ · medium

A data center engineer is troubleshooting intermittent connectivity between two servers in different VLANs. The servers are connected to different leaf switches in a VXLAN EVPN fabric. When checking the fabric, the engineer notices that the NVE interface on one leaf is up/up but the VNI for the server VLAN is not listed in 'show nve vni'. What is the most likely cause?

A. MTU mismatch on the underlay network
B. Anycast gateway is not configured on the leaf
C. BGP EVPN peers are not established
D. The VLAN-to-VNI mapping is missing under the VLAN configuration
Answer: D

The VNI must be mapped to a VLAN using 'vn-segment vlan-id' under the VLAN configuration; without it, the VNI does not appear in the NVE interface.

Why this answer

The NVE interface being up/up indicates the overlay tunnel is operational, but the absence of the VNI in 'show nve vni' means the VNI is not instantiated on the NVE. This typically occurs when the VLAN-to-VNI mapping is missing under the VLAN configuration (e.g., 'vlan 100' then 'vn-segment 10100'), which prevents the VNI from being associated with the NVE interface and advertised via BGP EVPN.

Exam trap

Cisco often tests the distinction between the NVE interface being operational (up/up) and the VNI being properly instantiated via VLAN-to-VNI mapping, leading candidates to incorrectly suspect BGP or underlay issues when the real problem is a missing local configuration step.

How to eliminate wrong answers

Option A is wrong because an MTU mismatch on the underlay network would cause packet drops or fragmentation, not the absence of a VNI from the NVE VNI list. Option B is wrong because anycast gateway configuration (e.g., 'ip virtual-router address' or 'fabric forwarding anycast-gateway-mac') is used for first-hop redundancy and does not affect whether a VNI appears in 'show nve vni'. Option C is wrong because BGP EVPN peers not being established would prevent route exchange but would not prevent the VNI from being locally instantiated on the NVE; the VNI would still appear in 'show nve vni' even if peers are down.

59
MCQ · easy

An engineer is troubleshooting a Cisco UCS B-Series blade that fails to boot. The service profile is associated and the boot policy is set to 'SAN Boot'. The storage administrator confirms the LUN is properly mapped to the WWPN. Which check should the engineer perform first?

A. Verify that the UCS Fabric Interconnect is connected to the SAN switches
B. Reboot the chassis to reinitialize the IOM
C. Check that the vHBA has a dynamic WWPN assigned
D. Ensure the local disk is set as primary boot device
Answer: A

Without fabric connectivity, the server cannot reach the storage.

Why this answer

Since the service profile is associated, the boot policy is set to SAN Boot, and the LUN is properly mapped to the WWPN, the most likely cause is a physical or Layer 2 connectivity issue between the UCS Fabric Interconnect and the SAN switches. Without this link, the fabric interconnect cannot forward FCP frames to the storage array, preventing the blade from discovering the boot LUN. Verifying this connection is the logical first step before investigating other configuration or zoning issues.

Exam trap

Cisco often tests the misconception that a properly mapped LUN and associated service profile guarantee SAN boot success, leading candidates to overlook the physical or Layer 2 connectivity between the Fabric Interconnect and the SAN switches.

How to eliminate wrong answers

Option B is wrong because rebooting the chassis or reinitializing the IOM would disrupt all blades and is unnecessary when the issue is isolated to a single blade failing to boot from SAN; it also does not address the connectivity between the Fabric Interconnect and SAN switches. Option C is wrong because a dynamic WWPN is the default and recommended assignment for vHBAs in UCS, and changing it would not resolve a missing SAN path; the storage administrator has already confirmed the LUN is mapped to the correct WWPN. Option D is wrong because the boot policy is explicitly set to 'SAN Boot', meaning the local disk should not be the primary boot device; forcing local disk boot would bypass the intended SAN boot process and is not a troubleshooting step for SAN boot failures.

60
MCQ · hard

During a maintenance window, a network engineer plans to upgrade the NX-OS software on a pair of Nexus 9000 switches configured as vPC peers. The engineer wants to minimize traffic disruption. Which upgrade sequence is recommended?

A. Upgrade both switches simultaneously using ISSU
B. Reload both switches to a previous version, then upgrade
C. Upgrade the primary vPC peer first, then the secondary
D. Upgrade the secondary vPC peer first, then the primary
Answer: D

Upgrading secondary first ensures the primary remains operational; after secondary upgrade, it can take over if needed during primary upgrade.

Why this answer

In a vPC pair, the secondary peer is upgraded first to preserve the primary's role as the forwarding anchor. Upgrading the secondary peer allows it to reboot and rejoin the vPC domain without disrupting the data plane because the primary peer continues to forward traffic. Once the secondary is stable, the primary is upgraded, ensuring minimal traffic loss.

Exam trap

Cisco often tests the misconception that upgrading the primary first is safer because it is the 'leader,' but the correct sequence is to upgrade the secondary first to avoid a disruptive role transition.

How to eliminate wrong answers

Option A is wrong because ISSU (In-Service Software Upgrade) is not supported on Nexus 9000 switches in vPC mode; it requires non-disruptive upgrades which are not available for vPC peer links. Option B is wrong because reloading both switches to a previous version would cause a complete traffic outage, defeating the goal of minimizing disruption. Option C is wrong because upgrading the primary vPC peer first would cause the primary to reboot, leading to a vPC role change and potential traffic black-holing until the secondary takes over, increasing disruption.

61
Multi-Select · easy

Which TWO UCS components are part of the unified fabric architecture?

Select 2 answers
A. Fabric Interconnect
B. Storage Array
C. I/O Module (IOM)
D. Control Plane
E. Blade Server
Answers: A, C

Central switching component

Why this answer

The Fabric Interconnect (A) is the core switching component in Cisco UCS, providing both network and storage connectivity over a unified fabric, typically using Fibre Channel over Ethernet (FCoE) to consolidate LAN and SAN traffic. The I/O Module (IOM) (C) connects blade servers to the Fabric Interconnects, extending the unified fabric by aggregating traffic from the chassis and forwarding it to the Fabric Interconnects, thereby eliminating the need for separate network and storage switches.

Exam trap

Cisco often tests the distinction between components that are part of the unified fabric (Fabric Interconnect and IOM) versus components that connect to or use the fabric (storage arrays, blade servers), leading candidates to mistakenly include endpoints or external devices as fabric components.

62
Multi-Select · hard

Which TWO troubleshooting steps should be taken when a UCS blade server fails to discover during the initial discovery process?

Select 2 answers
A. Verify the physical cabling between the IOM and fabric interconnect
B. Immediately replace the blade server
C. Power cycle the chassis
D. Reset the fabric interconnect to factory defaults
E. Check firmware compatibility between FI and chassis
Answers: A, E

Physical connectivity is essential

Why this answer

Option A is correct because the initial discovery process relies on the IOM (Fabric Interconnect) establishing a link to the blade server through the chassis midplane. If the physical cabling between the IOM and the fabric interconnect is faulty, loose, or using incorrect transceivers, the discovery will fail. Verifying this cabling is a fundamental first step in troubleshooting discovery failures.

Exam trap

Cisco often tests the misconception that a blade server discovery failure is always a hardware fault, leading candidates to choose 'replace the blade' or 'power cycle the chassis' instead of checking the physical and logical connectivity between the IOM and the FI.

63
MCQ · medium

A DevOps team uses Ansible to automate the configuration of Cisco Nexus switches. After running a playbook, some switches have the correct configuration but others do not. The playbook uses the 'nxos_config' module. Which action should be taken to ensure consistent configuration?

A. Set 'ignore_errors' to true in the playbook
B. Use the 'backup' option to save the running config before changes
C. Use 'serial' directive to run the playbook on one switch at a time
D. Enable check mode to verify changes before applying
Answer: B

Backup provides a restore point for rollback.

Why this answer

The 'nxos_config' module's 'backup' option saves the running configuration to a file before applying changes. This ensures that if a switch fails to apply the configuration correctly, the original configuration is preserved for rollback, enabling consistent recovery across all switches. Without this, some switches may have partial or incorrect configurations that cannot be easily reverted.

Exam trap

The trap here is that candidates confuse 'backup' with a simple logging feature, when in fact it is a critical rollback mechanism that directly addresses configuration drift and failed deployments in network automation.

How to eliminate wrong answers

Option A is wrong because 'ignore_errors: true' would cause Ansible to continue executing tasks even if the 'nxos_config' module fails on a switch, masking configuration errors and leading to inconsistent states without any indication of failure. Option C is wrong because the 'serial' directive controls the number of hosts processed in parallel but does not address configuration consistency or rollback; it only affects execution order and can actually slow down deployment without solving the core issue. Option D is wrong because check mode (--check) only simulates changes without applying them, so it cannot ensure consistent configuration across switches; it is useful for validation but does not provide a mechanism to recover from failed applications.

64
Multi-Select · medium

An engineer is troubleshooting a UCS B-Series blade that fails to boot from SAN. Which TWO actions should be verified first? (Choose TWO.)

Select 2 answers
A. Verify that the vHBA WWPN is correctly zoned on the SAN switches.
B. Confirm the boot policy includes the SAN target LUN.
C. Check the MAC address assigned to the vNIC.
D. Ensure the QoS policy for FC traffic is set to Platinum.
E. Verify the server's boot order lists local disk first.
Answers: A, B

Common issue: incorrect zoning.

Why this answer

Option A is correct because the vHBA WWPN must be properly zoned on the SAN switches to allow the blade to discover and connect to the storage target. Without correct zoning, the Fibre Channel initiator cannot communicate with the target, preventing SAN boot. This is a fundamental prerequisite for any Fibre Channel-based boot.

Exam trap

Cisco often tests the distinction between SAN boot prerequisites (WWPN zoning and boot policy LUN) versus performance or Ethernet-related settings, leading candidates to mistakenly select MAC address or QoS options.

65
MCQ · hard

In a Cisco HyperFlex cluster, the management plane uses vCenter, but the data plane uses which protocol to replicate data across nodes?

A. Fibre Channel
B. HX Data Platform
C. NFS
D. iSCSI
Answer: B

HyperFlex uses its own HX Data Platform protocol for data replication and distribution.

Why this answer

In a Cisco HyperFlex cluster, the data plane replication across nodes is handled by the HX Data Platform, which is a distributed, log-structured file system that synchronously replicates data at the hypervisor level. This platform manages all I/O operations and ensures data consistency across the cluster without relying on external storage protocols like Fibre Channel or iSCSI.

Exam trap

Cisco often tests the distinction between the management plane (vCenter) and the data plane (HX Data Platform), and the trap here is that candidates may confuse the data replication protocol with common storage protocols like NFS or iSCSI, which are used for external storage access but not for HyperFlex's internal replication.

How to eliminate wrong answers

Option A is wrong because Fibre Channel is a block-level storage protocol used in SAN environments, not for HyperFlex's distributed data replication which uses the HX Data Platform's own replication mechanism. Option C is wrong because NFS is a network file system protocol for accessing files over a network, not a replication protocol for HyperFlex's data plane. Option D is wrong because iSCSI is a block-level storage protocol that encapsulates SCSI commands over IP networks, but HyperFlex does not use iSCSI for its internal data replication; it relies on the HX Data Platform's proprietary replication.

66
MCQ · easy

A UCS domain has two Fabric Interconnects in end-host mode. Which statement about server-side traffic is true?

A. Fabric Interconnects run IEEE 802.1D STP on the server-facing ports.
B. The Fabric Interconnect learns server MAC addresses on the server-facing ports.
C. The Fabric Interconnect performs VLAN-based load balancing to the upstream network.
D. Each Fabric Interconnect independently forwards frames to the upstream switches using the same uplink.
Answer: B

Yes, it learns host MAC addresses.

Why this answer

In end-host mode, the Fabric Interconnect (FI) acts as a Layer-2 forwarding device that learns server MAC addresses on the server-facing ports to build its forwarding table. This is required because the FI does not run Spanning Tree Protocol (STP) on those ports; instead, it relies on MAC learning to forward traffic correctly between servers and the upstream network.

Exam trap

The trap here is that candidates confuse end-host mode with switching mode, assuming STP is required on server ports, when in fact end-host mode disables STP and relies on MAC learning to maintain a loop-free topology.

How to eliminate wrong answers

Option A is wrong because Fabric Interconnects in end-host mode do not run IEEE 802.1D STP on server-facing ports; they use a pinning or forwarding mode that disables STP to avoid blocking server links. Option C is wrong because VLAN-based load balancing to the upstream network is not performed by the FI in end-host mode; instead, uplink load balancing is typically based on source/destination MAC or IP hashing, not VLAN. Option D is wrong because each Fabric Interconnect does not independently forward frames using the same uplink; in end-host mode, each FI uses its own dedicated uplinks and does not share forwarding paths with the other FI for the same frame.

67
MCQ · medium

A storage administrator needs to configure zoning while minimizing administrative overhead and allowing multiple initiators to access multiple targets without having to change zones when new members are added. Which zoning approach is best?

A. Zoning by naming using a zone alias for initiators and another for targets
B. Multiple initiator-multiple target zoning (all devices in one zone)
C. Single initiator-single target zoning
D. Single initiator-multiple target zoning (initiator-based)
Answer: A

Using zone aliases groups initiators and targets; adding new members to the alias automatically includes them in the zone, reducing overhead.

Why this answer

Option A is correct because zoning by name using zone aliases decouples the zone configuration from the physical port or WWN, allowing administrators to group initiators and targets into separate aliases. When new members are added to an alias, the zone automatically includes them without manual zone reconfiguration, minimizing administrative overhead while supporting multiple initiators and multiple targets.

Exam trap

Cisco often tests the distinction between zoning by WWN (hard zoning) versus zoning by alias (soft zoning), and the trap here is that candidates mistakenly choose 'multiple initiator-multiple target zoning' (Option B) thinking it is the simplest, but they overlook that it eliminates all isolation and violates Fibre Channel security best practices, whereas alias-based zoning provides both scalability and proper segmentation.

How to eliminate wrong answers

Option B is wrong because placing all devices in a single zone violates Fibre Channel best practices by creating a flat, non-segmented fabric that increases the risk of RSCN storms and reduces security, and it does not minimize overhead when adding members (the zone still exists but offers no isolation). Option C is wrong because single initiator-single target zoning creates a one-to-one mapping, which requires creating and managing many zones for multiple initiators and targets, increasing administrative overhead and not allowing multiple initiators to access multiple targets without zone changes. Option D is wrong because single initiator-multiple target zoning (initiator-based) requires a separate zone for each initiator, so adding a new initiator still requires creating a new zone, and it does not allow multiple initiators to access the same targets without additional zone modifications.

68
MCQ · medium

A data center engineer is designing a Fibre Channel SAN for high availability. The design includes two MDS 9710 directors connected to multiple storage arrays. Which best practice should be followed when configuring NPV mode on the switches connecting the hosts?

A. Enable VSAN interop on the NPV switch to support multiple storage arrays
B. Connect each NPV switch to a single core switch for simplicity
C. Use FC trunking between NPV and core switches to increase bandwidth
D. Dual-home each NPV switch to two separate core switches for redundancy
Answer: D

Dual-homing ensures high availability.

Why this answer

Option D is correct because dual-homing each NPV switch to two separate core switches ensures that if one core switch fails, the NPV switch can still forward traffic through the other core switch. In NPV mode, the switch acts as a passthrough, and connecting to two separate core directors provides path redundancy without requiring the NPV switch to perform full Fibre Channel routing. This design aligns with high-availability best practices for Fibre Channel SANs.

Exam trap

Cisco often tests the misconception that FC trunking alone provides redundancy, but trunking only increases bandwidth and link aggregation, not failover independence; dual-homing to separate core switches is required for true high availability.

How to eliminate wrong answers

Option A is wrong because VSAN interop is not a feature of NPV mode; NPV switches inherit the VSAN configuration from the core switch and do not need interop enabled to support multiple storage arrays. Option B is wrong because connecting each NPV switch to a single core switch creates a single point of failure, violating high-availability design principles. Option C is wrong because FC trunking is used to aggregate multiple physical links into a single logical link for bandwidth, but it does not provide the necessary redundancy; dual-homing is the correct method for redundancy.

69
MCQ · easy

An engineer is configuring AAA authentication on a Cisco MDS 9000 series switch. The goal is to authenticate users via RADIUS first, then local as a fallback. Which command sequence should be used?

A. aaa authentication login default group radius local
B. aaa authentication login default local radius
C. aaa authentication login default radius local
D. aaa authentication login console radius local
Answer: A

Correct syntax: 'default' login method, 'group' keyword, radius then local fallback.

Why this answer

Option A is correct because the 'aaa authentication login default group radius local' command configures the switch to first attempt RADIUS authentication for all login methods (default), and if the RADIUS server is unreachable or returns an error (not a rejection), it falls back to the local user database. This matches the requirement of RADIUS first with local fallback.

Exam trap

Cisco often tests the distinction between 'default' (applies to all login methods) and specific method names like 'console' or 'ssh', and the requirement to use the 'group' keyword before the server group name, causing candidates to omit 'group' or choose a method-specific keyword incorrectly.

How to eliminate wrong answers

Option B is wrong because it places 'local' before 'radius', which would cause the switch to attempt local authentication first, not RADIUS first as required. Option C is wrong because it omits the 'group' keyword, which is required to specify a RADIUS server group; without 'group', the command is syntactically incorrect on Cisco MDS switches. Option D is wrong because it specifies 'console' instead of 'default', limiting the authentication method list to console logins only, rather than applying to all login methods (SSH, Telnet, console, etc.) as required.

70
MCQ · easy

A data center engineer is planning a Cisco UCS deployment for a virtualized environment. The requirement is to maximize performance for virtual machine traffic while minimizing latency. Which feature should be enabled on the UCS Manager to offload packet processing from the host CPU?

A. Data Center Ethernet (DCE) priority flow control
B. vNIC failover policy
C. Hardware VLAN tagging and checksum offload
D. Fibre Channel over Ethernet (FCoE) offload
Answer: C

These offloads reduce CPU utilization and improve throughput.

Why this answer

Hardware VLAN tagging and checksum offload offloads packet processing tasks (VLAN insertion/stripping and checksum calculation) from the host CPU to the Cisco UCS virtual interface card (VIC) adapter. This reduces CPU overhead and minimizes latency for virtual machine traffic, directly meeting the requirement to maximize performance in a virtualized environment.

Exam trap

The trap here is that candidates confuse 'offload' with any feature that improves performance, but only hardware VLAN tagging and checksum offload directly offloads packet processing from the host CPU, while options like FCoE offload are storage-specific and not applicable to general VM traffic.

How to eliminate wrong answers

Option A is wrong because Data Center Ethernet (DCE) priority flow control (PFC) is a Layer 2 flow control mechanism that prevents packet loss due to congestion, but it does not offload packet processing from the host CPU. Option B is wrong because vNIC failover policy provides redundancy by switching traffic to a standby vNIC on link failure, but it does not reduce CPU overhead or latency for packet processing. Option D is wrong because Fibre Channel over Ethernet (FCoE) offload is specific to storage traffic (SAN) and does not address general VM packet processing offload; it offloads FCoE encapsulation, not general network packet processing.

71
MCQ · medium

A Cisco UCS Manager administrator notices that a newly provisioned service profile is showing 'Config Error' for the vNIC. The vNIC is configured to use a dynamic MAC address from a pool that has no free addresses. What is the correct remediation?

A. Add more MAC addresses to the MAC pool used by the vNIC
B. Upgrade the firmware on the Fabric Interconnect
C. Change the vNIC to use a static MAC address
D. Reassociate the service profile to a different blade
Answer: A

Extending the pool provides available addresses for assignment.

Why this answer

The 'Config Error' for the vNIC indicates that the dynamic MAC address assignment failed because the MAC pool is exhausted. Adding more MAC addresses to the pool resolves the issue by providing available addresses for the vNIC to consume, allowing the service profile to deploy successfully.

Exam trap

Cisco often tests the misconception that a 'Config Error' on a vNIC is due to hardware or association issues, leading candidates to choose reassociation or firmware upgrades, when the actual cause is a resource pool exhaustion that requires pool expansion.

How to eliminate wrong answers

Option B is wrong because upgrading the Fabric Interconnect firmware does not address MAC pool exhaustion; it is unrelated to address allocation. Option C is wrong because changing to a static MAC address bypasses the pool but is not the correct remediation for a pool exhaustion issue—it is a workaround, not a fix. Option D is wrong because reassociating the service profile to a different blade does not resolve the underlying MAC pool depletion; the same error would occur on any blade if the pool has no free addresses.

72
MCQ · hard

A large enterprise uses Cisco Nexus 9000 switches in a VXLAN EVPN fabric. The underlay is OSPF. Each leaf switch has a loopback0 interface as the source interface for VXLAN tunnel endpoints. After a maintenance window, an engineer modifies the IP address of loopback0 on leaf-5 from 10.1.1.5/32 to 10.1.1.105/32. Subsequently, all VXLAN tunnels to leaf-5 go down. OSPF adjacencies between leaf-5 and the spines are still FULL. The engineer checks the NVE interface on leaf-5 and sees the source-interface is loopback0 but the interface status is up/up. However, pings from other leaves to 10.1.1.105 fail. What is the most likely cause?

A. The OSPF process on leaf-5 was not restarted after the IP change
B. The new loopback IP 10.1.1.105 is not included in the OSPF network statement under router ospf
C. The MTU on loopback0 is set too low causing OSPF hello drops
D. The VXLAN source-interface was automatically changed to a different loopback
Answer: B

The new IP subnet must be advertised via OSPF to be reachable by other leaves.

Why this answer

The correct answer is B. After changing the loopback0 IP address on leaf-5, the new IP 10.1.1.105/32 must be explicitly advertised into OSPF for other leaves to reach it. If the OSPF network statement under router ospf still references the old subnet or does not include 10.1.1.105/32, the route for this new loopback IP will not be installed in the OSPF database.

Consequently, other leaves cannot route to the new VTEP IP, causing VXLAN tunnels to fail even though OSPF adjacencies remain FULL (since adjacencies are formed over physical interfaces, not the loopback).

Exam trap

Cisco often tests the distinction between OSPF adjacency status (which relies on physical interfaces) and route advertisement (which depends on network statements covering the loopback IP), leading candidates to incorrectly assume that FULL adjacencies guarantee reachability to the VTEP IP.

How to eliminate wrong answers

Option A is wrong because restarting the OSPF process is not required after a loopback IP change; OSPF dynamically detects interface IP changes and updates LSAs accordingly, provided the new IP is covered by an existing network statement. Option C is wrong because MTU misconfiguration on loopback0 would not selectively cause OSPF hello drops only after an IP change; OSPF hellos are sent over the physical underlay interfaces, not the loopback, and a low MTU on loopback0 would not affect OSPF adjacencies that are already FULL. Option D is wrong because the VXLAN source-interface is explicitly configured under the NVE interface and does not automatically change; the engineer confirmed the source-interface remains loopback0 and the NVE interface is up/up.

73
MCQ · easy

Which statement about Fibre Channel buffer credits is true?

A. They are used for load balancing across multiple paths.
B. They control the flow of frames between directly connected ports.
C. They are allocated per VSAN.
D. They detect CRC errors in frames.
Answer: B

Buffer credits manage the number of outstanding frames.

Why this answer

Fibre Channel buffer credits implement a credit-based flow control mechanism between directly connected ports (Nx_Port to Fx_Port or E_Port to E_Port). Each port advertises its available buffer credits (BB_Credit) to the directly attached peer, and the sender can only transmit a frame when it has a positive credit count. This prevents frame loss due to buffer overflow at the receiver, ensuring lossless transmission over the link.

Exam trap

Cisco often tests the distinction between flow control (buffer credits) and error detection (CRC) or fabric-level features (VSANs, load balancing), so the trap here is confusing a link-level mechanism with higher-layer or fabric-wide functions.

How to eliminate wrong answers

Option A is wrong because load balancing across multiple paths is handled by multipathing software (e.g., EMC PowerPath, native OS MPIO) or Fibre Channel fabric-level routing (e.g., FSPF), not by buffer credits. Option C is wrong because buffer credits are allocated per physical port or per virtual interface (e.g., NPIV), not per VSAN; VSANs are logical fabric partitions that do not directly affect port-level buffer credit allocation. Option D is wrong because CRC error detection is performed by the Fibre Channel frame header and CRC field, verified by the receiving port hardware; buffer credits are a flow control mechanism, not an error detection mechanism.

74
MCQ · medium

In a Fibre Channel SAN, flow control is managed by buffer credits. Which statement about buffer credits is accurate?

A. Buffer credits are allocated per VSAN to isolate traffic
B. Increasing buffer credits always improves I/O performance
C. Buffer credits are used in FCoE to ensure lossless delivery
D. Buffer credits help manage congestion and ensure lossless delivery over distance
Answer: D

BB_credits allow a sender to send multiple frames without waiting for acknowledgment.

Why this answer

Buffer credits are a flow control mechanism in Fibre Channel that manage congestion by tracking the number of frames a sender can transmit before receiving an acknowledgment. They ensure lossless delivery over distance by preventing buffer overflow at the receiver, which is critical for maintaining data integrity in SANs. Option D correctly states this dual role of congestion management and lossless delivery.

Exam trap

Cisco often tests the distinction between Fibre Channel buffer credits and FCoE's Priority Flow Control (PFC), so the trap here is confusing the two lossless mechanisms and assuming buffer credits apply to FCoE.

How to eliminate wrong answers

Option A is wrong because buffer credits are allocated per port, not per VSAN; VSANs isolate traffic at the fabric level, but buffer credits operate at the physical link level to manage frame flow. Option B is wrong because increasing buffer credits does not always improve I/O performance; it can help over long distances but may waste memory if set too high for short links, and performance gains depend on other factors like link speed and application workload. Option C is wrong because FCoE uses a different lossless mechanism based on IEEE 802.1Qbb Priority Flow Control (PFC), not Fibre Channel buffer credits; buffer credits are native to Fibre Channel, not FCoE.

75
MCQ · hard

A company is deploying a new SAN with two MDS 9148S switches in a single VSAN. They want to ensure that a failure of one switch does not affect storage traffic. Which technology should be implemented?

A. Implement FCoE to Ethernet storage.
B. Enable NPIV on all ports.
C. Configure a port channel between the switches.
D. Create a redundant fabric by connecting both switches to each storage array and host via multiple paths.
Answer: D

This provides path redundancy; if one switch fails, the other continues.

Why this answer

For redundancy in a single VSAN, using Inter-Switch Links (ISLs) between the two switches and enabling NPV on the edge switches (or simply having the switches in a fabric) is typical. However, the question implies two switches. For high availability, they should connect both switches with multiple ISLs and use VSAN-based trunking.

Option C is wrong because port channels are for link aggregation, not switch failure. Option A is wrong because FCoE is not relevant. Option B is wrong because NPIV is for port virtualization.
