Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 676-750

1000 questions total · 14 pages · All types, answers revealed

Page 10 of 14

676
MCQ · easy

A UCS C-series rack server is to be integrated into UCS Manager. The server will be managed by CIMC and must participate in compute pools. Which operating mode should be configured on the C-series server to allow UCS Manager to discover and manage it?

A. Cisco IMC Supervisor mode
B. UCS-managed mode
C. Direct connect mode
D. Standalone mode
Answer: B

This mode allows UCS Manager to discover and manage the server.

Why this answer

C-series servers can operate in standalone mode (IMC only) or UCS-managed mode. To be managed by UCS Manager, the server must be in UCS-managed mode, which requires enabling UCSM (Cisco UCS Manager) mode in CIMC.

677
Multi-Select · hard

A company is deploying a multi-site UCS environment with UCS Central. Which three capabilities does UCS Central provide over individual UCS Manager instances? (Choose three.)

Select 3 answers
A. Unified reporting and inventory across domains.
B. Direct management of individual blade server power states.
C. Global service profile templates that can be applied across multiple UCS domains.
D. Real-time performance monitoring of each server's CPU utilization.
E. Centralized firmware management for all domains.
Answers: A, C, E

UCS Central provides a single view of all resources.

Why this answer

UCS Central offers global service profile templates, cross-domain policies, and centralized firmware management across multiple UCS domains.

678
MCQ · easy

An engineer is configuring a Fibre Channel over Ethernet (FCoE) SAN. Which statement about FCoE Initialization Protocol (FIP) is true?

A. FIP operates only over lossless Ethernet.
B. FIP uses Ethernet MAC addresses for communication.
C. FIP is used only for FCoE initialization, not for maintenance.
D. FIP requires IP addresses to establish FCoE sessions.
Answer: B

FIP uses MAC addresses for discovery and login.

Why this answer

FCoE Initialization Protocol (FIP) uses Ethernet MAC addresses for communication during the discovery, initialization, and maintenance phases of an FCoE session. FIP frames are encapsulated in standard Ethernet frames with a specific EtherType (0x8914), allowing FCoE-capable endpoints to discover each other and establish virtual links without relying on IP addresses.

Exam trap

Cisco often tests the misconception that FIP requires IP addresses or that it is only used during initialization, when in fact FIP uses MAC addresses and also handles ongoing session maintenance like keep-alives.

How to eliminate wrong answers

Option A is wrong because FIP operates over lossless Ethernet (using priority flow control, PFC), but it is not limited to lossless Ethernet; FIP can also run over lossy Ethernet for discovery and initialization, though data traffic requires lossless Ethernet. Option C is wrong because FIP is used not only for initialization but also for ongoing maintenance, such as keep-alive messages (FIP VLAN request, FIP keep-alive) to monitor and maintain the FCoE session. Option D is wrong because FIP does not require IP addresses; it uses Ethernet MAC addresses and FCoE-specific EtherTypes to establish and manage FCoE sessions, avoiding the IP layer entirely.

679
MCQ · easy

Refer to the exhibit. The Fabric Interconnect cannot ping its default gateway. The management interface is configured and up. What is the most likely cause?

A. The default route is missing from the routing table.
B. The management VLAN is not allowed on the upstream switch.
C. The management interface is configured as DHCP instead of static.
D. The IP address is a duplicate on the network.
Answer: A

Without a default route, the FI cannot reach subnets beyond its own.

Why this answer

The Fabric Interconnect cannot ping its default gateway despite the management interface being up and configured, which indicates that the device lacks a route to reach the gateway subnet. A default route is required to forward traffic destined for networks not directly connected; without it, the Fabric Interconnect will drop packets to the gateway even if the interface is operational. This is the most likely cause because the exhibit shows no default route in the routing table, and the interface status confirms Layer 1 and Layer 2 connectivity.

Exam trap

Cisco often tests the distinction between interface-level connectivity (Layer 1/Layer 2) and routing (Layer 3), leading candidates to incorrectly blame VLAN pruning or IP conflicts when the real issue is a missing default route in the management VRF.

How to eliminate wrong answers

Option B is wrong because if the management VLAN were not allowed on the upstream switch, the interface would likely be in a down/down or err-disabled state, but the exhibit states the management interface is configured and up, indicating VLAN pruning is not the issue. Option C is wrong because the exhibit explicitly shows a static IP address configuration (e.g., IP address and subnet mask), so DHCP misconfiguration is not applicable. Option D is wrong because a duplicate IP address would cause intermittent connectivity or address conflict messages, but the interface would still be up and able to send ARP requests; the inability to ping the gateway points to a routing problem, not an IP conflict.

680
Multi-Select · medium

An engineer is deploying a new VXLAN fabric and must ensure that the control plane can handle MAC advertisement without flooding. Which TWO protocols can be used for control plane learning in VXLAN? (Select two.)

Select 1 answer
A. IGMP Snooping
B. OpenFlow
C. VXLAN data plane learning
D. MP-BGP EVPN
E. OSPF
Answers: D

EVPN is the control plane for VXLAN that advertises MAC/IP routes.

Why this answer

MP-BGP EVPN is the standard control plane for VXLAN. OpenFlow is a software-defined networking protocol but not commonly used in production VXLAN fabrics. Other options are data plane or underlay protocols.

681
MCQ · hard

In an ACI environment, an automation script uses the acitoolkit Python library to create a new EPG. The script connects to the APIC using login credentials. After creating the EPG, what must be called to commit the changes?

A. session.save()
B. session.push_to_apic()
C. session.commit()
D. session.apply()
Answer: B

Correct method to push changes.

Why this answer

acitoolkit uses a Session object; after making changes, the session's push_to_apic method must be called to commit.

682
MCQ · hard

During FCoE initialization, which protocol is used by a CNA to discover FCoE-capable switches and establish a virtual link?

A. LLDP
B. DCBX
C. FIP
D. ARP
Answer: C

FIP is the standard protocol for FCoE initialization and discovery.

Why this answer

FIP (FCoE Initialization Protocol) is used by CNAs to discover FCoE switches (FCFs) and perform login to create VN-ports.

683
MCQ · hard

A data center architect is designing an ACI fabric with VMM integration to VMware vSphere. The goal is to allow dynamic policy assignment to virtual machines. What is the correct configuration hierarchy to enable this?

A. Create a VMM domain under the infra tenant and associate it with the physical domain.
B. Create a VMM domain under the tenant, integrate with vCenter, and map EPGs to port groups.
C. Use a Layer 4-Layer 7 service graph to connect VMs directly.
D. Configure VXLAN directly on the vSphere distributed switch.
Answer: B

This is the correct method for VMM integration.

Why this answer

In ACI, the VMM domain is created under the tenant, then integrated with vCenter, and EPGs are mapped to port groups. VMs are automatically assigned policies based on their port group.

684
MCQ · medium

Which API uses RESTful principles and supports both XML and JSON encoding for network configuration, as defined in RFC 8040?

A. OpenConfig
B. RESTCONF
C. NETCONF
D. NX-API CLI
Answer: B

RESTCONF is RESTful and supports both XML and JSON.

Why this answer

RESTCONF (RFC 8040) is a REST-based protocol using HTTP methods and supports XML/JSON.

685
Multi-Select · easy

A data center architect is designing a spine-leaf fabric with OSPF as the underlay routing protocol. Which two statements about OSPF in this design are correct? (Choose two.)

Select 3 answers
A. OSPF neighbors are formed between leaf and spine switches over the fabric links.
B. OSPF supports ECMP by default, which is essential for load balancing in the fabric.
C. Passive interfaces are configured on the server-facing ports of leaf switches.
D. OSPF must be replaced by BGP in a VXLAN EVPN fabric.
E. OSPF areas must be different for leaf and spine switches to prevent routing loops.
Answers: A, B, C

Correct. OSPF adjacencies are established over leaf-spine links.

Why this answer

In spine-leaf, OSPF is typically configured in a single area (area 0) on all interfaces, and passive interfaces are used on server-facing ports to avoid adjacency with servers.

686
MCQ · hard

An engineer is deploying a new UCS chassis with two Fabric Interconnects. The design requires that server traffic can fail over to the secondary FI if the primary FI fails, without requiring any changes to the server's network configuration. Which technology must be enabled on the uplink ports of the Fabric Interconnects to the upstream switches to ensure transparent failover of server traffic?

A. Configure a virtual PortChannel (vPC) between the Fabric Interconnects and upstream switches.
B. Apply QoS policies to prioritize failover traffic.
C. Enable pin groups with 'failover' mode on the server ports.
D. Implement Private VLANs on the uplink ports to isolate traffic.
Answer: C

Pin groups with failover mode allow the secondary FI to assume the primary's MAC and IP, enabling transparent failover.

Why this answer

Pin groups with 'failover' mode enable transparent server traffic failover by pinning server vNICs to a specific Fabric Interconnect (FI) and automatically repinning them to the secondary FI upon primary FI failure, without requiring any changes to the server's network configuration. This ensures that the server's MAC and IP addresses remain active on the secondary FI, maintaining connectivity without manual intervention.

Exam trap

Cisco often tests the distinction between upstream redundancy technologies (like vPC) and server-side failover mechanisms (like pin group failover mode), leading candidates to incorrectly choose vPC for transparent server failover when it only addresses link redundancy to the upstream network.

How to eliminate wrong answers

Option A is wrong because a virtual PortChannel (vPC) between Fabric Interconnects and upstream switches provides link-level redundancy and load balancing, but it does not handle server-side failover; vPC is an upstream switch technology, not a mechanism for transparent server failover between FIs. Option B is wrong because QoS policies prioritize traffic types but do not provide any failover mechanism; they are unrelated to transparent server failover. Option D is wrong because Private VLANs isolate traffic within a VLAN for security purposes and have no role in failover or repinning server traffic between Fabric Interconnects.

687
MCQ · medium

Refer to the exhibit. A server connected to interface fc1/3 on the MDS switch cannot log in to the fabric. The server's HBA WWPN is 10:00:00:00:c9:2b:1a:62. What is the most likely reason for the login failure?

A. NPIV is disabled on the port
B. The server's WWPN is not in the active zone set
C. Interface fc1/3 is not assigned to VSAN 100
D. The link speed is mismatched between switch and HBA
Answer: C

Without correct VSAN, the port cannot participate.

Why this answer

The FLOGI database shows logins on fc1/1, fc1/2, and fc1/4, but no entry for fc1/3. The server's WWPN is not listed, which indicates that it never logged in. The most common cause is that the port is not in the same VSAN (100) or is not configured correctly.

Since other ports on the same switch show VSAN 100, fc1/3 is likely in a different VSAN or not enabled, so Option C is correct. Option B (zoning) would still show a FLOGI entry and then reject the device. Option A (NPIV) is not relevant. Option D (speed mismatch) would cause errors but not a missing FLOGI entry.

688
MCQ · hard

A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?

A. Enable dynamic ARP inspection on all VLANs.
B. Enable IP source guard on all access ports.
C. Enable DHCP snooping globally and configure uplink ports as trusted.
D. Enable MAC port security on all access ports.
Answer: C

DHCP snooping filters DHCP offers from untrusted ports.

Why this answer

DHCP snooping is the correct defense against rogue DHCP servers because it filters DHCP messages on untrusted ports and allows only DHCP replies from trusted uplink ports. By enabling DHCP snooping globally and configuring uplink ports as trusted, the switch will drop DHCPOFFER and DHCPACK messages received on access ports, preventing a rogue server from handing out malicious IP configurations.

Exam trap

Cisco often tests the distinction between DHCP snooping (which blocks rogue DHCP servers) and DAI or IPSG (which rely on DHCP snooping but address different threats), leading candidates to confuse the security feature with its prerequisite.

How to eliminate wrong answers

Option A is wrong because dynamic ARP inspection (DAI) validates ARP packets based on DHCP snooping bindings, but it does not directly prevent a rogue DHCP server from sending DHCP offers. Option B is wrong because IP source guard (IPSG) filters IP traffic based on the DHCP snooping binding table, but it does not block DHCP server messages; it only prevents IP spoofing on data traffic. Option D is wrong because MAC port security limits the number of MAC addresses per port and prevents MAC flooding, but it has no mechanism to detect or block unauthorized DHCP servers.

689
MCQ · medium

An engineer is configuring OSPF in a data center fabric with multiple Nexus 9000 switches. To ensure fast convergence after a link failure, which OSPF feature should be enabled?

A. OSPF authentication
B. OSPF Fast Hello
C. OSPF LSA throttling
D. OSPF stub area
Answer: B

Fast Hello sends hellos at sub-second intervals for fast failure detection.

Why this answer

OSPF Fast Hello (or BFD) provides faster failure detection than default hello/dead intervals.

690
MCQ · easy

A data center engineer is configuring 802.1X authentication on Cisco Nexus switches for wired endpoints. The requirement is to allow traffic on the port even if no EAPOL packet is received from the endpoint (e.g., a printer). Which authentication method should be used?

A. MAC Authentication Bypass (MAB)
B. 802.1X using RADIUS server
C. Port security with sticky MAC addresses
D. Local authentication with a predefined list of users
Answer: A

MAB uses the device's MAC address to authenticate against the RADIUS server if no EAPOL is received.

Why this answer

MAC Authentication Bypass (MAB) is the correct method because it allows a port to authenticate endpoints that do not send EAPOL frames, such as printers or other legacy devices. When no EAPOL is received within a configurable timeout, the switch falls back to using the source MAC address of the first frame as the authentication credential, sending it to the RADIUS server for verification. This satisfies the requirement to permit traffic even without 802.1X supplicant capability.

Exam trap

Cisco often tests the distinction between authentication methods that require EAPOL (802.1X) and those that do not (MAB), and the trap here is that candidates confuse port security or local authentication with network access control, failing to recognize that MAB is the specific fallback for non-EAPOL endpoints.

How to eliminate wrong answers

Option B is wrong because 802.1X using a RADIUS server requires the endpoint to send EAPOL frames to initiate authentication; if no EAPOL is received, the port remains unauthorized and blocks traffic. Option C is wrong because port security with sticky MAC addresses is a Layer 2 access control mechanism that limits the number of learned MAC addresses but does not integrate with RADIUS-based authentication or handle the absence of EAPOL. Option D is wrong because local authentication with a predefined list of users is used for device administration (e.g., SSH or console login), not for port-based network access control of wired endpoints.

691
MCQ · medium

Which Python library is part of the ACI SDK and provides a high-level object-oriented interface for interacting with the APIC?

A. pyats
B. cisco_nxapi
C. acitoolkit
D. Cobra SDK
Answer: D

Correct: Cobra SDK is the official Python SDK for ACI.

Why this answer

The Cobra SDK provides an object-oriented Python interface for ACI automation, wrapping the APIC REST API.

692
MCQ · medium

In a UCS B-series chassis, which component provides the management connectivity between the blades and the Fabric Interconnects?

A. CIMC
B. IOM (Input/Output Module)
C. UCS Manager
D. Blade midplane
Answer: B

IOM handles both data and management traffic to FIs.

Why this answer

The chassis management controller (CMC) is not present in UCS; the IOM handles management traffic. The question is tricky, however: the IOM provides data connectivity, while management is via the Fabric Interconnect's management interface. Because the IOM forwards management traffic to the FI, the correct answer is the IOM.

693
MCQ · easy

Which UCS B-Series chassis component provides the physical slot for a blade server?

A. IOM
B. Fabric Interconnect
C. Blade slot (bay)
D. Midplane
Answer: C

Correct. Blade servers install into slots.

Why this answer

The UCS 5108 blade chassis has 8 half-width slots or 4 full-width slots. Blades are inserted into these slots and connect to the midplane.

694
MCQ · easy

An engineer notices that the LED of an FC interface is off on a Cisco MDS switch. The interface is up/up. What is the most likely cause?

A. The port LED firmware is corrupted.
B. The interface is administratively down.
C. The link is up but the LED is disabled in software configuration.
D. The SFP is faulty.
Answer: C

On some MDS switches, the LED can be turned off via 'no led enable' interface command.

Why this answer

On Cisco MDS switches, the interface LED can be administratively disabled via the `no led` command in interface configuration mode, even when the interface is fully operational (up/up). This allows operators to selectively turn off LEDs for troubleshooting or to reduce visual noise in a data center, without affecting traffic. The LED being off while the interface shows up/up directly points to this software-based LED disablement.

Exam trap

Cisco often tests the misconception that an LED off always indicates a hardware or link issue, when in fact the LED can be software-disabled independently of the interface operational state.

How to eliminate wrong answers

Option A is wrong because LED firmware corruption would typically cause erratic behavior (e.g., blinking incorrectly or staying stuck in one state) rather than a consistent off state with a fully functional interface. Option B is wrong because an administratively down interface would show as 'down/down' in the show interface output, not 'up/up'. Option D is wrong because a faulty SFP would cause the link to be down (e.g., 'down/down' or 'up/down' with CRC errors), not an up/up state with the LED off.

695
MCQ · medium

A company runs a multi-tenant data center using Cisco ACI with multiple tenants. Each tenant has its own VRF and EPGs. The security policy requires that tenant A's web servers (EPG web_tenantA) be accessible from tenant B's application servers (EPG app_tenantB) only via HTTPS (TCP 443). The ACI fabric is configured with contracts. The administrator has created a contract with a filter for HTTPS (tcp dstPort 443) and applied it as a provider contract on EPG web_tenantA and as a consumer contract on EPG app_tenantB. However, traffic from tenant B's app servers to tenant A's web servers is being dropped. The administrator has verified that the contracts are applied correctly and the filter is correct. What is the most likely cause of the traffic drop?

A. The EPGs are not in the same bridge domain; they must be in the same bridge domain to communicate.
B. The VRF of tenant A and tenant B must have route leaking configured to allow inter-VRF routing.
C. The contract is not marked as 'shared' between tenants; a shared contract must be created and both EPGs must be in the same VRF or use a shared VRF.
D. The filter for HTTPS must also include the source port range 49152-65535 for ephemeral ports.
Answer: C

ACI requires shared contracts for cross-tenant communication, and the EPGs must be in the same VRF or use a shared VRF.

Why this answer

In Cisco ACI, contracts are local to a VRF by default. For inter-tenant communication where each tenant has its own VRF, the contract must be explicitly marked as 'shared' and both EPGs must either be in the same VRF or use a shared VRF that allows cross-VRF policy enforcement. Without this, the contract filter is not applied across VRFs, causing traffic to be dropped even though the contract and filter are correctly configured.

Exam trap

Cisco often tests the misconception that contracts work across VRFs by default, when in fact they require explicit sharing configuration, leading candidates to overlook the 'shared contract' requirement.

How to eliminate wrong answers

Option A is wrong because EPGs do not need to be in the same bridge domain to communicate; ACI uses contracts to enable communication across different bridge domains and even across VRFs when properly configured. Option B is wrong because route leaking is not required for inter-VRF communication in ACI; contracts with a shared VRF handle the routing and policy enforcement between VRFs without explicit route leaking. Option D is wrong because the filter for HTTPS only needs to specify the destination port (tcp dstPort 443); source ports are ephemeral and automatically allowed by ACI's stateful nature, so specifying a source port range is unnecessary and would not cause traffic drops.

696
MCQ · medium

A storage administrator is setting up iSCSI connectivity between a server and a storage array. To enhance security, the administrator wants to authenticate the initiator and target during the login process. Which authentication method should be configured?

A. IPsec
B. RADIUS
C. CHAP
D. Kerberos
Answer: C

CHAP provides authentication during the iSCSI login process, supporting both one-way and mutual authentication.

Why this answer

CHAP is a standard authentication protocol for iSCSI that provides mutual authentication between initiator and target.

697
MCQ · hard

You are a network engineer at a financial institution. The company has two data centers: DC1 and DC2, connected via a dark fiber link. Each data center has a pair of Nexus 7000 switches in a vPC configuration. The dark fiber link connects to a port on each Nexus 7000 pair using a Layer 2 port-channel. The requirement is to extend VLAN 100 between the two data centers for a critical application that requires a stretched Layer 2 domain. The current configuration has the port-channel on both sides set to mode 'active' with LACP. VLAN 100 is allowed on the trunk. The application servers report intermittent connectivity issues, with some packets being dropped. Upon inspection, you notice that the MAC address table on the Nexus 7000 in DC1 shows the MAC address of the server in DC2 on the dark fiber port-channel interface, but also on a local access port connected to a different server in the same VLAN. What is the most likely cause of the intermittent connectivity?

A. The dark fiber link is experiencing high latency, causing MAC address timeouts.
B. LACP is misconfigured on one side, causing the port-channel to operate as individual links.
C. There is an asymmetric routing issue between the data centers.
D. Spanning Tree Protocol is not blocking one of the redundant paths, creating a loop.
Answer: D

A loop causes MAC flapping and intermittent connectivity.

Why this answer

The MAC address table showing the same MAC address on both the dark fiber port-channel and a local access port indicates a Layer 2 loop. In a vPC environment with a Layer 2 extension between data centers, Spanning Tree Protocol (STP) should block one of the redundant paths to prevent loops. If STP fails to block the appropriate port, frames loop, causing MAC address flapping and intermittent packet drops.

Exam trap

The trap here is that candidates often attribute intermittent connectivity to LACP or routing issues, but the key clue is the MAC address appearing on two different interfaces in the same VLAN, which is a definitive sign of a Layer 2 loop that STP should have prevented.

How to eliminate wrong answers

Option A is wrong because high latency does not cause MAC address timeouts or flapping; MAC aging timers are independent of latency, and high latency would cause retransmissions, not MAC table instability. Option B is wrong because LACP misconfiguration would cause the port-channel to operate as individual links, which could lead to inconsistent forwarding but not the specific symptom of the same MAC appearing on both a port-channel and a local access port; this symptom is classic for a loop. Option C is wrong because asymmetric routing is a Layer 3 issue, but the problem occurs in a stretched Layer 2 domain where routing is not involved; asymmetric routing would not cause MAC address flapping on the same VLAN.

698
MCQ · medium

In a spine-leaf architecture using eBGP as the routing protocol, what is the primary purpose of using eBGP rather than iBGP between spine and leaf switches?

A. To enable faster convergence than OSPF
B. To avoid the need for an IGP and simplify configuration
C. To support EVPN address families
D. To allow for unequal-cost load balancing
Answer: B

eBGP in a spine-leaf eliminates the need for an IGP and provides simple, scalable routing.

Why this answer

eBGP provides better path selection attributes and allows for loop-free topology without the need for a full mesh or route reflectors.

699
MCQ · hard

In an EVPN-VXLAN fabric, a network engineer notices that MAC addresses learned from an external router are not being advertised as EVPN type-2 routes. The external router is connected to a leaf switch via a Layer 3 port. Which additional configuration is needed on the leaf switch?

A. Configure `redistribute host-routes` under the BGP address-family l2vpn evpn.
B. Configure `evpn` under the VLAN interface associated with the external router's VLAN.
C. Configure `ip arp evpn` on the Layer 3 interface.
D. Configure `routing-config` under BGP to enable both MAC-VRF and IP-VRF.
Answer: C

Allows the switch to advertise the neighbor's MAC and IP via EVPN.

Why this answer

Option C is correct because when an external router is connected via a Layer 3 port, the leaf switch learns the router's MAC address through ARP, not through a VLAN. To advertise this MAC as an EVPN type-2 route, the `ip arp evpn` command must be configured on the Layer 3 interface. This command enables the switch to synchronize ARP entries into the EVPN BGP control plane, allowing MAC/IP advertisement for directly connected hosts on routed interfaces.

Exam trap

Cisco often tests the distinction between VLAN-based EVPN (where MACs are learned from the bridge domain) and routed interface EVPN (where MACs come from ARP), leading candidates to incorrectly choose VLAN-related options like `evpn` under the VLAN interface when the scenario involves a Layer 3 port.

How to eliminate wrong answers

Option A is wrong because `redistribute host-routes` under BGP address-family l2vpn evpn is used to redistribute host routes from the routing table into EVPN, not to advertise MAC addresses learned via ARP; it addresses IP prefix advertisement, not MAC-VRF type-2 routes. Option B is wrong because `evpn` under a VLAN interface is used to enable EVPN for a VLAN-based service (e.g., IRB), but the external router is connected via a Layer 3 port, not a VLAN; this configuration would not apply to a routed interface. Option D is wrong because `routing-config` under BGP is not a valid command; the correct approach for MAC-VRF and IP-VRF is to configure separate address-family contexts (e.g., `address-family l2vpn evpn` and `vrf definition`) and the `routing-config` keyword does not exist in Cisco NX-OS EVPN configuration.

700
Multi-Select · hard

Which TWO are best practices when automating ACI fabric configuration using Ansible?

Select 2 answers
A. Set validate_certs: no to avoid certificate errors
B. Use the cisco.aci collection
C. Store credentials in plain text in playbooks
D. Use state: query for idempotent checks
E. Use delegate_to: localhost for all tasks
Answers: B, D

The official collection provides idempotent modules for ACI.

Why this answer

The cisco.aci collection is the official Ansible collection for automating Cisco ACI fabric configuration. It provides modules that abstract the ACI REST API, ensuring idempotent and reliable configuration management. Using this collection is a best practice because it is maintained by Cisco and follows Ansible's recommended approach for interacting with ACI.

Exam trap

Cisco often tests the misconception that disabling certificate validation (validate_certs: no) is acceptable for lab environments, but the exam expects adherence to security best practices regardless of environment.

701
Multi-Select · hard

Which THREE factors should be considered when determining the number of upstream Ethernet uplinks from a UCS Fabric Interconnect to the core network? (Choose THREE.)

Select 3 answers
A. Number of VLANs defined on the Fabric Interconnect.
B. Server CPU oversubscription ratio.
C. The number of vNICs per service profile and their bandwidth limits.
D. Total expected traffic from server blades.
E. Redundancy and high availability requirements.
Answers: C, D, E

More vNICs may require more uplinks for queuing.

Why this answer

Option C is correct because the number of vNICs per service profile and their bandwidth limits directly determine the aggregate traffic that must be carried by the upstream Ethernet uplinks. Each vNIC is assigned a specific bandwidth cap (e.g., via QoS policy or vNIC template), and the sum of these caps across all service profiles on a Fabric Interconnect dictates the minimum uplink capacity required to avoid oversubscription.

Exam trap

Cisco often tests the distinction between Layer 2 constructs (VLANs) and actual bandwidth consumption, leading candidates to incorrectly select the number of VLANs as a factor for uplink sizing.

702
Multi-Select · easy

Which THREE are best practices for securing a data center network? (Choose three.)

Select 3 answers
A. Apply device hardening, such as disabling unused services.
B. Use encryption (e.g., MACsec, IPsec) for sensitive traffic.
C. Implement role-based access control (RBAC) for management access.
D. Disable logging to reduce CPU load.
E. Use default SNMP community strings for simplicity.
Answers: A, B, C

Hardening reduces attack surface.

Why this answer

Device hardening, such as disabling unused services, is a fundamental best practice for securing a data center network. By reducing the attack surface, you eliminate potential entry points for exploits, which is a core principle of Cisco's secure network design. This aligns with the Cisco Nexus and IOS-XE hardening guidelines, where services like HTTP, Telnet, or CDP are disabled to prevent unauthorized access or reconnaissance.

Exam trap

Cisco often tests the concept that security best practices must never sacrifice security for performance or convenience, so traps like 'disable logging' or 'use default strings' are designed to lure candidates who prioritize operational simplicity over security.

703
MCQ · easy

Which Cisco NX-OS feature allows automation and programmatic access to device configuration and monitoring using REST APIs?

A.NX-API
B.Python scripting
C.Bash shell access
D.SNMP
AnswerA

NX-API is the REST API interface for NX-OS.

Why this answer

NX-API provides a RESTful API for NX-OS devices.

704
MCQhard

A large cloud provider is building a new data center using Cisco ACI with multiple leaf and spine switches. They plan to host thousands of tenants with overlapping IP addresses in different VRFs. The network team has deployed the fabric with a common security policy. During testing, they discover that traffic from Tenant A to Tenant B is being allowed even though a contract should deny it. The APIC policy shows the contract is applied to the EPGs and the deny rule is present. What is the most likely cause of the policy not being enforced?

A.The fabric is using VRF leaking that bypasses contracts.
B.The contract is not configured with the correct subject.
C.The leaf switches have not downloaded the updated policy.
D.The EPGs are in the same bridge domain.
AnswerC

Leaves may have stale policy if not refreshed.

Why this answer

In Cisco ACI, the leaf switches enforce contracts locally based on the policy downloaded from the APIC. If a contract is correctly configured on the APIC but traffic is still permitted, the most likely cause is that the leaf switches have not yet received or applied the updated policy. This can happen due to a delay in policy propagation, a communication issue between the APIC and leaf switches, or the leaf not having completed the policy resolution process.

Exam trap

Cisco often tests the misconception that once a contract is configured on the APIC, it is immediately enforced everywhere, ignoring the asynchronous policy download and local leaf switch policy resolution process.

How to eliminate wrong answers

Option A is wrong because VRF leaking in ACI is explicitly controlled by contracts and does not bypass them; any inter-VRF traffic must still be permitted by a contract. Option B is wrong because the contract subject is only relevant for defining filters and actions; if the deny rule is present and applied to the EPGs, the subject configuration is not the cause of the policy not being enforced. Option D is wrong because EPGs in the same bridge domain can communicate only if a contract allows it; being in the same bridge domain does not automatically bypass contract enforcement.

705
MCQmedium

Refer to the exhibit. What is the effect of this configuration on traffic in VLAN 10?

A.Telnet traffic is permitted; all other traffic is denied.
B.All traffic is denied except telnet.
C.Telnet traffic is denied; all other traffic is permitted.
D.All traffic is permitted.
AnswerC

Correct: first sequence drops telnet, second forwards all else.

Why this answer

The VACL first matches telnet traffic and drops it. The second sequence forwards all other traffic. Thus, only telnet is denied; all other traffic is permitted.

706
MCQhard

An organization has deployed Cisco UCS Central to manage multiple UCS domains. A global service profile template is created in UCS Central. When a local UCS domain administrator tries to modify the service profile derived from this global template in UCS Manager, what happens?

A.The local administrator can modify the profile if granted specific RBAC permissions.
B.The local administrator can modify the profile, but changes are overwritten by UCS Central after 5 minutes.
C.The local administrator cannot modify the profile; it is read-only.
D.The local administrator can modify the profile, and changes sync back to UCS Central.
AnswerC

Global profiles are locked locally.

Why this answer

Global service profiles from UCS Central are read-only in local UCS Manager. They can only be modified in UCS Central, ensuring consistency across domains.

707
MCQmedium

An engineer configures zoning on a Cisco MDS switch to restrict access between storage arrays and servers. They use the command 'zone name ZONE1 vsan 10' and 'member pwwn 21:00:00:1b:32:12:34:56'. Which type of zoning is being configured?

A.VSAN zoning
B.Soft zoning by port
C.Lun zoning
D.Hard zoning by WWN
AnswerD

Hard zoning by WWN uses the pwwn keyword to specify WWPN.

Why this answer

Hard zoning uses WWN (pwwn) to define zone members, and traffic is permitted only between members in the same zone. Soft zoning uses port IDs and relies on name server lookups.

708
MCQeasy

Which management interface is used for out-of-band management of UCS C-Series rack servers, providing features like KVM, virtual media, and remote firmware upgrade?

A.Cisco IMC Supervisor
B.UCS Central
C.CIMC
D.UCS Manager
AnswerC

CIMC provides direct out-of-band management for each C-Series server.

Why this answer

The Cisco Integrated Management Controller (CIMC) is the out-of-band management interface for UCS C-Series servers, offering KVM, virtual media, and remote firmware management.

709
Matchingmedium

Match each Cisco storage protocol to its characteristic.


Lossless, high-speed block storage over dedicated fabric

Block storage over TCP/IP networks

High-performance flash storage over RDMA

Fibre Channel frames encapsulated in Ethernet

File-level storage access over network

Why these pairings

Understanding storage protocols is critical for data center design.

710
MCQeasy

Which protocol is used by Cisco ACI fabric to distribute endpoint information among spines?

A.IS-IS
B.OSPF
C.BGP
D.COOP
AnswerD

COOP (Council of Oracles Protocol) is the ACI-specific protocol for endpoint database distribution.

Why this answer

D is correct because the Cisco ACI fabric uses the Council of Oracle Protocol (COOP) specifically to distribute endpoint information (such as IP-to-MAC bindings and location) among spine switches. COOP operates as a lightweight, publish-subscribe protocol that runs between leaf and spine switches, ensuring that all spines maintain a consistent endpoint database without the overhead of a full routing protocol.

Exam trap

Cisco often tests the distinction between the underlay routing protocol (IS-IS) and the overlay endpoint distribution protocol (COOP), so candidates mistakenly choose IS-IS because they recall it is used in ACI, but they fail to recognize that endpoint distribution is a separate function handled by COOP.

How to eliminate wrong answers

Option A is wrong because IS-IS is used as the underlay routing protocol in ACI to establish reachability between leaf and spine switches, not to distribute endpoint information. Option B is wrong because OSPF is not used in ACI fabric; the underlay is based on IS-IS with a link-state database, and OSPF would add unnecessary complexity and is not designed for endpoint distribution. Option C is wrong because BGP is used in ACI for external routing (e.g., connecting to outside networks via L3Out) and for the Overlay-1 control plane, but it does not distribute internal endpoint information among spines; that is the role of COOP.

711
MCQmedium

A company uses Cisco TrustSec in its data center to enforce segmentation. Servers in VLAN 10 (Finance) should only communicate with servers in VLAN 20 (ERP) via an application gateway. Which TrustSec component is used to assign a Security Group Tag (SGT) to traffic from the Finance servers?

A.Identity Services Engine (ISE) as the authentication and policy server
B.MACsec encryption on the links
C.802.1X port-based authentication
D.VLAN ACL (VACL) on the switch
AnswerA

ISE assigns SGTs based on user or device identity.

Why this answer

In Cisco TrustSec, the Identity Services Engine (ISE) acts as the authentication and policy server that assigns Security Group Tags (SGTs) to endpoints or traffic based on identity and policy. ISE uses 802.1X, MAB, or web authentication to identify the Finance servers and then dynamically assigns the appropriate SGT, which is then used for segmentation enforcement.

Exam trap

Cisco often tests the distinction between the authentication mechanism (802.1X) and the policy server (ISE) that actually assigns the SGT, leading candidates to mistakenly select 802.1X as the component that assigns the tag.

How to eliminate wrong answers

Option B is wrong because MACsec provides link-layer encryption and integrity, not SGT assignment; it is used to secure TrustSec links after SGTs are already assigned. Option C is wrong because 802.1X is an authentication method that can be used by ISE to identify endpoints, but it does not directly assign SGTs—ISE is the component that maps the authenticated identity to an SGT. Option D is wrong because VLAN ACLs (VACLs) filter traffic based on Layer 2/3/4 fields, not SGTs; they are not part of the TrustSec SGT assignment process.

712
MCQhard

A company is deploying a Cisco UCS Mini in a remote office. They need to support both VMware vSphere and Microsoft Hyper-V on the same UCS domain. What is the best practice for deploying compute resources for both hypervisors?

A.Create separate service profile templates for each hypervisor
B.Use a single service profile but assign different VLANs for management traffic
C.Place each hypervisor in a separate UCS Organization within the same service profile template
D.Create a single service profile template and use different identity pools for each hypervisor
AnswerA

Separate templates enable boot order, firmware, and BIOS settings per hypervisor.

Why this answer

Separate service profile templates are required because VMware vSphere and Microsoft Hyper-V have different boot and storage configuration requirements. Each hypervisor needs its own boot policy (e.g., SAN boot vs. local disk), firmware settings, and potentially different vNIC/vHBA configurations. Using distinct templates ensures that each hypervisor's compute resources are correctly provisioned without conflicts.

Exam trap

Cisco often tests the misconception that VLANs or identity pools alone can differentiate hypervisor configurations, when in fact the core differences lie in boot and storage policies that require separate service profile templates.

How to eliminate wrong answers

Option B is wrong because a single service profile cannot accommodate the different boot policies, firmware versions, and storage configurations required by two distinct hypervisors; VLAN assignment for management traffic does not address these fundamental differences. Option C is wrong because UCS Organizations are used for administrative separation and RBAC, not to define different compute resource configurations within a single service profile template; a single template still applies the same policies to all servers. Option D is wrong because identity pools (e.g., UUID, MAC, WWN) only manage unique identifiers, not the boot order, firmware, or storage policies that differ between hypervisors; a single template with different pools still enforces the same configuration.

713
MCQhard

A Cisco MDS switch has multiple Fibre Channel interfaces that need to be aggregated into a single logical interface to increase bandwidth and provide redundancy. Which technology should be used?

A.VSAN load balancing
B.NPV mode
C.EISL trunking
D.PortChannel
AnswerD

PortChannel provides link aggregation in FC.

Why this answer

PortChannels in Fibre Channel aggregate multiple physical links into one logical link.

714
Multi-Selecthard

Which THREE factors should be considered when designing an FCoE SAN to avoid traffic loss? (Choose three.)

Select 3 answers
A.Use standard Ethernet cut-through switching for all FCoE traffic.
B.Enable priority flow control (PFC) on all FCoE-enabled interfaces.
C.Use a dedicated FCoE VLAN that is not used for any other traffic.
D.Disable the FIP snooping feature to reduce latency.
E.Ensure that the FCoE Maximum Transmission Unit (MTU) is set to 2500 bytes.
AnswersB, C, E

PFC is essential to prevent frame loss due to congestion.

Why this answer

Options A, B, D are correct. C and E are incorrect.

715
MCQmedium

An administrator notices that a new server connected to a Fibre Channel switch cannot log in. The 'show flogi database' command does not show the server's WWPN. What is the most likely cause?

A.Trunking mode not enabled on the port
B.Incorrect zoning configuration
C.Speed mismatch between the server and switch
D.Port security enabled with WWN mismatch
AnswerD

Correct: Port security restricts which WWNs can log in.

Why this answer

The 'show flogi database' command lists all devices that have successfully completed the Fabric Login (FLOGI) process. If the server's WWPN is absent, it indicates that the FLOGI request was rejected by the switch. Port security with a WWN mismatch is the most likely cause because the switch is configured to allow only specific WWPNs, and the server's WWPN does not match the allowed list, causing the switch to silently drop the FLOGI request without logging the device.

Exam trap

Cisco often tests the distinction between FLOGI rejection (port security, fabric binding) and post-login restrictions (zoning, VSAN membership), so candidates mistakenly choose 'incorrect zoning' because they confuse zoning with port-level authentication.

How to eliminate wrong answers

Option A is wrong because trunking mode (E_port or TE_port) is used for inter-switch links (ISL), not for server-facing F_ports; a server connected to an F_port does not require trunking to perform FLOGI. Option B is wrong because incorrect zoning configuration would allow the server to log in (appear in 'show flogi database') but then prevent communication with other devices; zoning does not block the FLOGI process itself. Option C is wrong because a speed mismatch between the server and switch would prevent link initialization (the port would be in a non-operational state), but the 'show flogi database' command would not show the WWPN because the link would never come up; however, the question states the server is connected, implying link is up, and speed negotiation (auto-negotiation) typically handles mismatches without silently dropping FLOGI.

716
MCQhard

In a vPC domain, a consistency check failure is observed for the vPC keepalive link. What is the impact on the vPC domain operation?

A.The vPC peer link will be suspended.
B.The secondary switch will shut down its vPC member ports.
C.The vPC domain will continue to operate but with reduced reliability.
D.Both switches will independently forward traffic via the vPC peer link.
AnswerC

The keepalive is a secondary monitoring mechanism; its loss increases risk of split-brain if the peer link fails.

Why this answer

The vPC keepalive link is used as a secondary heartbeat to detect dual-active scenarios when the peer link fails. A consistency check failure on the keepalive link does not directly affect data forwarding; the vPC domain continues to operate, but the loss of this redundancy mechanism reduces reliability because the switches can no longer reliably detect a split-brain condition without the peer link.

Exam trap

Cisco often tests the distinction between the keepalive link and the peer link; the trap here is that candidates assume any consistency check failure will suspend the vPC domain, but only failures on the peer link or critical parameters (like vPC VLAN consistency) cause suspension, while keepalive failures merely degrade redundancy.

How to eliminate wrong answers

Option A is wrong because the vPC peer link is suspended only when there is a peer-link failure or a consistency check failure on the peer link itself, not on the keepalive link. Option B is wrong because the secondary switch shuts down its vPC member ports only when a dual-active detection occurs (e.g., peer link fails and keepalive is also lost), not due to a keepalive consistency check failure alone. Option D is wrong because both switches independently forwarding traffic via the vPC peer link describes a split-brain scenario that happens when the peer link fails and the keepalive link is also lost, not when only the keepalive consistency check fails.

717
MCQhard

Refer to the exhibit. A server with vNIC eth0 is experiencing packet drops on its Ethernet interface. The server is sending jumbo frames (MTU 9000) on VLAN 100. The QoS system class 'Class-Platinum' has an MTU of 9216 and is configured with 'Drop'. The vNIC is not assigned to any QoS policy. What is the most likely reason for the drops?

A.The vNIC is not mapped to a QoS policy, so it uses the default best-effort class which has an MTU of 1500 and drops jumbo frames.
B.The QoS system class for jumbo frames requires a 'No Drop' policy to avoid drops.
C.The server is sending frames larger than 9216 bytes.
D.The native VLAN setting on the vNIC causes the QoS system class to be ignored.
AnswerA

Without a QoS policy, the default class (often Bronze) applies, which has MTU 1500.

Why this answer

When a vNIC is not assigned to a QoS policy, it defaults to the best-effort class, which typically has an MTU of 1500 bytes. Since the server is sending jumbo frames (MTU 9000) on VLAN 100, these frames exceed the default MTU and are dropped at the Ethernet interface. The 'Class-Platinum' system class with MTU 9216 is irrelevant because the vNIC is not mapped to it.

Exam trap

Cisco often tests the misconception that a system class with a higher MTU (like Class-Platinum) automatically applies to all traffic, when in fact the vNIC must be explicitly mapped to that QoS policy to use it.

How to eliminate wrong answers

Option B is wrong because a 'No Drop' policy (e.g., using pause frames or priority flow control) is not required for jumbo frames; the issue is the MTU mismatch, not the drop/no-drop setting. Option C is wrong because the server is sending frames of MTU 9000, which is less than the system class MTU of 9216, so the frames are not oversized for the system class. Option D is wrong because the native VLAN setting does not cause the QoS system class to be ignored; the vNIC's lack of a QoS policy assignment is the direct cause of defaulting to the best-effort class.

718
Multi-Selectmedium

When troubleshooting a VXLAN EVPN fabric with Cisco Nexus 9000 switches, which three commands provide information about the EVPN operation? (Choose three.)

Select 3 answers
A.show bgp l2vpn evpn summary.
B.show l2route mac all.
C.show running-config interface nve1.
D.show nve peers.
E.show ip interface brief.
AnswersA, B, D

Shows BGP EVPN session status.

Why this answer

The 'show bgp l2vpn evpn summary' command is correct because it displays the BGP session status for the L2VPN address family, which is the control plane protocol for VXLAN EVPN. This command shows neighbor states, prefixes received, and route table statistics, directly indicating whether EVPN route exchange is operational.

Exam trap

Cisco often tests the distinction between configuration commands (like 'show running-config interface nve1') and operational verification commands (like 'show nve peers'), leading candidates to mistakenly select configuration-only outputs as evidence of EVPN operation.

719
MCQmedium

A network engineer is automating a repetitive configuration task on a Nexus 9000 switch using Python scripts with NX-API. The script sends a CLI command via POST request but receives HTTP 400 status with error 'Invalid request payload'. What is the most likely cause?

A.The JSON payload does not include the required 'ins_api' wrapper with version and type fields.
B.The switch is running an unsupported NX-OS version.
C.The script is using HTTP instead of HTTPS.
D.The CLI command syntax is incorrect with too many spaces.
AnswerA

The NX-API requires a specific JSON format with 'ins_api' envelope containing attributes like version, type, chunk, sid, and input.

Why this answer

The NX-API expects a specific JSON structure. Option B correctly identifies that the payload must include 'ins_api' wrapper with version, type, chunk, sid, input parameters.

720
Multi-Selectmedium

An OSPF router in a broadcast network has not formed a neighbor relationship. What are three possible causes? (Choose three.)

Select 3 answers
A.Authentication incorrect
B.MTU mismatch
C.Area ID mismatch
D.Hello interval mismatch
E.Network type mismatch
AnswersB, D, E

Causes the routers to stay in ExStart state during database exchange.

Why this answer

In OSPF, an MTU mismatch prevents the formation of a neighbor relationship because OSPF routers compare the MTU value in Database Description (DBD) packets. If the receiving router's interface MTU is smaller than the DBD packet size, the packet is dropped, and the neighbor state remains stuck in EXSTART/EXCHANGE. This is a common issue on broadcast networks where different link types or misconfigured interfaces exist.

Exam trap

Cisco often tests the MTU mismatch as a subtle cause of OSPF neighbor failure, especially since it is less obvious than Hello/Dead interval or Area ID mismatches, and candidates may overlook it or confuse it with Layer 2 issues.

721
Multi-Selecteasy

A storage administrator reports that a Cisco UCS domain is not booting from the Fibre Channel SAN. The boot policy is correctly configured and the vHBA is associated. Which two alignment issues could cause this problem? (Choose two.)

Select 2 answers
A.The WWPN of the vHBA is not zoned on the SAN fabric.
B.The vHBA is assigned to an incorrect VSAN.
C.The Ethernet LAN is not configured on the FI.
D.The disk firmware on the server is outdated.
AnswersA, B

Proper WWPN zoning is critical for SAN boot.

Why this answer

Option A is correct because if the WWPN of the vHBA is not properly zoned on the SAN fabric, the Fibre Channel switch will not allow the server to log in to the target storage. Even with a correct boot policy and vHBA association, without zoning, the initiator cannot discover or communicate with the boot LUN, causing the boot to fail.

Exam trap

The trap here is that candidates often focus only on the UCS-side configuration (boot policy, vHBA association) and forget that SAN fabric-level settings like zoning and VSAN assignment are equally critical for Fibre Channel boot to succeed.

722
MCQhard

Based on the exhibited FLOGI database, what is the state of the interface fc1/1?

A.It is an F port with a hub attached.
B.It is an NP port (proxy FW) because multiple FCIDs appear on the same interface.
C.It is a trunking E port.
D.It is a disabled port because there are two WWNs.
AnswerB

Multiple FCIDs from different WWNs on a single interface indicate NPIV, which is typical for NPV uplink or FCoE.

Why this answer

The FLOGI database shows multiple FCIDs (0x010000, 0x010001) associated with the same interface fc1/1, which is characteristic of an NP port (proxy FW) in NPV mode. An NP port acts as a proxy for multiple end devices behind it, such as in a Fibre Channel NPV switch or a converged network adapter (CNA) in FCoE NPV mode, allowing multiple FCIDs to share a single physical link.

Exam trap

The trap here is that candidates often assume multiple FCIDs on one interface indicate a trunking E port or a misconfiguration, but in NPV mode, an NP port legitimately proxies multiple FCIDs, which is a key distinguishing feature tested in the 350-601 exam.

How to eliminate wrong answers

Option A is wrong because an F port connects to a single N port (end device) and would show only one FCID per interface; a hub attached to an F port would still present a single FCID from the hub's perspective, not multiple distinct FCIDs. Option C is wrong because a trunking E port connects two switches and would show multiple FCIDs only if multiple VSANs are trunked, but the FLOGI database would list the same FCID across different VSANs, not multiple FCIDs on the same interface within a single VSAN. Option D is wrong because having two WWNs does not disable a port; a disabled port would not appear in the FLOGI database at all, and multiple WWNs are normal for NP ports or multi-homed devices.

723
MCQmedium

A Cisco MDS switch is configured in NPV mode. A host connected to this switch fails to log into the SAN. Which command should be used to verify the host's FLOGI status?

A.show zone
B.show fcns database
C.show flogi database module <module>
D.show flogi database
E.show port-channel summary
AnswerC

This command shows FLOGIs on a specific module, which is more precise when troubleshooting a host on a known module.

Why this answer

In NPV mode, the MDS switch acts as a passthrough and does not maintain its own FLOGI database; instead, it forwards FLOGI requests to the upstream NPIV-capable switch. The 'show flogi database module <module>' command is used on the NPV switch to verify the host's FLOGI status because it displays the FLOGI entries learned from the upstream switch for the specific module where the host is connected, which is essential for troubleshooting login failures.

Exam trap

Cisco often tests the distinction between NPV mode and standard switch mode, where candidates mistakenly use 'show flogi database' without the module parameter, not realizing that NPV switches require the module keyword to display FLOGI entries.

How to eliminate wrong answers

Option A is wrong because 'show zone' displays zone configurations and members, not FLOGI or login status. Option B is wrong because 'show fcns database' shows the Fibre Channel Name Server database (registered FC-4 types and WWNs), which is populated after successful FLOGI and login, not the FLOGI status itself. Option D is wrong because 'show flogi database' without the module keyword is not valid on an NPV switch; the command requires the module parameter to specify the line card or port module.

Option E is wrong because 'show port-channel summary' displays port-channel interface status and load-balancing, not FLOGI or host login information.

724
MCQhard

A storage administrator notices that a host is unable to see a LUN after zoning is configured. The zone contains the host WWPN and the target WWPN. The LUN is not masked at the storage array. What is the most likely cause?

A.LUN masking is not configured on the storage array.
B.The host requires NPIV to be enabled.
C.The host is in a different VSAN.
D.The zone is incorrectly configured.
AnswerA

LUN masking is required to present LUNs to specific hosts.

Why this answer

The host cannot see the LUN because LUN masking is not configured on the storage array. Even with correct zoning (host WWPN to target WWPN), the storage array must explicitly grant access to specific LUNs for a given initiator WWPN. Without LUN masking, the target will not present the LUN to the host, regardless of zone membership.

Exam trap

Cisco often tests the distinction between fabric-level zoning (which controls which ports can communicate) and storage-array-level LUN masking (which controls which LUNs are visible to an initiator), leading candidates to incorrectly assume zoning alone grants LUN access.

How to eliminate wrong answers

Option B is wrong because NPIV (N_Port ID Virtualization) is used to allow multiple virtual initiators to share a single physical port, which is unrelated to LUN visibility after zoning. Option C is wrong because if the host were in a different VSAN, the zone would not be effective at all (zones are VSAN-specific), but the question states zoning is configured and the host cannot see the LUN, not that zoning fails. Option D is wrong because the zone is correctly configured (contains host WWPN and target WWPN), so incorrect zone configuration is not the cause.

725
MCQeasy

A startup company is deploying a new web application on UCS B-Series blades. They want to use PXE boot for rapid provisioning. The network team has configured a DHCP server and a PXE server on the same VLAN as the UCS service profiles. The system administrator creates a service profile for a blade and sets the boot policy to 'PXE' as the first boot device, and local disk as second. However, when the blade powers on, it boots from the local disk instead of PXE. The PXE server logs show no request from the blade's MAC address. The DHCP server logs show no activity. The fabric interconnect is configured with a default VLAN. What is the most likely cause?

A.The vNIC on the service profile is not configured with the correct native VLAN
B.The boot policy order lists local disk before PXE
C.The service profile is not properly associated with the blade
D.The fabric interconnect uplinks are not in trunk mode
AnswerA

Native VLAN mismatch prevents DHCP from reaching the server

Why this answer

Option A is correct because PXE boot requires the vNIC to have an untagged native VLAN that matches the PXE/DHCP subnet. If the native VLAN on the vNIC is different, DHCP requests are not forwarded. Option B is wrong because PXE boot order is usually correct.

Option C is wrong because it would cause different symptoms. Option D is wrong because service profile association is fine.

726
MCQeasy

A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?

A.Create a contract between EPGs with appropriate filters.
B.Use a tenant to separate the EPGs logically.
C.Configure a VRF to isolate traffic between EPGs.
D.Define a bridge domain with L2 policies.
AnswerA

Contracts in ACI define allowed communication with filters for specific protocols/ports.

Why this answer

In Cisco ACI, contracts are the primary mechanism for enforcing policy-based communication between EPGs. By creating a contract between the web and app EPGs with a filter that permits HTTP (TCP/80), and another contract between management and web EPGs with a filter that denies SSH (TCP/22), the architect can precisely meet both requirements. Contracts allow granular control over which protocols and ports are allowed or denied, making them the correct construct for this access control scenario.

Exam trap

Cisco often tests the misconception that VRFs or bridge domains alone can provide security isolation, but in ACI, traffic filtering is always enforced via contracts, regardless of VRF or BD boundaries.

How to eliminate wrong answers

Option B is wrong because tenants are used for administrative and policy isolation between different customers or organizations, not for defining traffic rules between EPGs within the same tenant. Option C is wrong because VRFs (private L3 contexts) provide routing and forwarding isolation but do not enforce security policies like permitting or denying specific application traffic; contracts are still needed within a VRF. Option D is wrong because bridge domains define Layer 2 forwarding boundaries and subnets, not access control policies; they do not filter traffic based on protocols or ports.

727
MCQeasy

An administrator needs to reset the CIMC password on a Cisco UCS C-Series server without physical access. Which method can be used?

A.Use the front panel reset button
B.Use UCS Manager
C.Use the CIMC XML API
D.Connect via serial console during boot
AnswerC

Allows remote management commands, including password change.

Why this answer

The CIMC XML API allows remote management of Cisco UCS C-Series servers, including password resets, without physical access. This API provides a programmatic interface to CIMC functions, enabling administrators to send authenticated XML requests over HTTPS to reset the CIMC password. Physical access is not required because the API operates over the network, making it the correct method for this scenario.

Exam trap

Cisco often tests the distinction between UCS Manager (for B-Series and integrated environments) and CIMC (for C-Series standalone servers), leading candidates to incorrectly assume UCS Manager can manage C-Series servers directly.

How to eliminate wrong answers

Option A is wrong because the front panel reset button requires physical access to the server, which the administrator does not have. Option B is wrong because UCS Manager manages UCS B-Series blade servers and fabric interconnects, not C-Series standalone servers; C-Series servers are managed directly via CIMC, not through UCS Manager. Option D is wrong because connecting via serial console during boot requires physical access to the server's serial port or a remote console solution that is not available without physical presence.

728
Multi-Select · medium

An organization is deploying UCS Central to manage multiple UCS domains. Which THREE benefits does UCS Central provide over using individual UCS Managers?

Select 3 answers
A. Automatic failover between Fabric Interconnects in different domains.
B. Simplified firmware management across multiple domains.
C. Single pane of glass for monitoring all UCS domains.
D. Direct management of blade chassis power supplies.
E. Global service profile and policy management across domains.
Answers: B, C, E

UCS Central coordinates firmware upgrades for multiple domains.

Why this answer

UCS Central offers global policy management, centralized monitoring, and multi-domain firmware upgrades.

729
MCQ · medium

In ACI, which construct defines the set of endpoints that can communicate based on contracts?

A. VRF
B. Bridge Domain
C. Tenant
D. EPG
Answer: D

EPGs are the policy enforcement boundary.

Why this answer

An EPG (Endpoint Group) is a collection of endpoints with similar policy requirements. Contracts are applied between EPGs to allow traffic.

730
MCQ · easy

Based on the exhibited output, what is the status of the interface?

A. The interface is up but has no license.
B. The interface is in trunk mode and licensed.
C. The interface is operational and licensed.
D. The interface is down due to no license.
Answer: A

The interface is up but lacks a license; it may be using grace period.

Why this answer

The interface is up (line protocol is up) but the output shows 'license not installed' or similar, meaning the port is administratively up but lacks the required license for full functionality. In Cisco MDS/Nexus storage networks, interfaces can be in an 'up' state without a license, but they will not pass traffic or operate in the licensed mode until the license is installed.

Exam trap

Cisco often tests the distinction between an interface being 'up/up' and being fully licensed, leading candidates to assume that an up interface is automatically operational and licensed, when in fact it may be in a 'no-license' state that prevents data forwarding.

How to eliminate wrong answers

Option B is wrong because the interface is not in trunk mode (the output shows access mode or no trunking) and it is not licensed. Option C is wrong because the interface is not operational in the sense of passing traffic; it is up but unlicensed, so it cannot forward data. Option D is wrong because the interface is not down; it is up (line protocol up) but lacks a license, which is a different state from being administratively or protocol down.

731
Multi-Select · easy

A network engineer is verifying VPC configuration on a pair of Nexus switches. Which two commands should be used to check VPC status and consistency? (Choose two.)

Select 2 answers
A. show vpc role
B. show vpc consistency-parameters
C. show vpc peer-keepalive
D. show vpc
E. show vpc statistics
Answers: B, D

This checks for configuration mismatches between VPC peers.

Why this answer

Option D (show vpc) is correct because it displays the overall VPC status, including the local and peer VPC system MAC, role, and the operational state of each VPC member port. Option B (show vpc consistency-parameters) is correct because it verifies that critical parameters (e.g., STP mode, VLAN interfaces, MTU) are consistent between the two VPC peers, which is essential for VPC to function correctly and avoid traffic black-holing.

Exam trap

Cisco often tests the distinction between commands that show operational status (show vpc) versus those that verify configuration synchronization (show vpc consistency-parameters), leading candidates to mistakenly select 'show vpc role' or 'show vpc peer-keepalive' as sufficient for consistency checks.

732
MCQ · easy

What is the purpose of jumbo frames in an iSCSI storage network?

A. To increase throughput by reducing protocol overhead
B. To reduce latency
C. To provide authentication
D. To enable flow control
Answer: A

Jumbo frames allow more data per packet, reducing the number of packets and overhead.

Why this answer

Jumbo frames (MTU 9000) reduce overhead by allowing larger payloads per packet, improving throughput and CPU efficiency for iSCSI traffic.

733
MCQ · easy

A large financial institution has recently migrated its data center network to a new Cisco ACI fabric. The operations team is tasked with automating the provisioning of new application tenants, including EPGs, contracts, and bridge domains, using the APIC REST API. They have developed a comprehensive set of Python scripts that successfully performed these actions in their lab environment. However, when deploying the scripts to production, they receive an 'SSL: CERTIFICATE_VERIFY_FAILED' error from the requests library. The production APIC cluster uses a self-signed certificate for HTTPS, and the corporate security policy strictly prohibits the use of HTTP or disabling certificate verification. Additionally, the policy does not allow replacing the self-signed certificate with a CA-signed one without a lengthy approval process that could delay the automation project. The team needs an immediate solution that maintains security best practices. What should the team do?

A. Use HTTP instead of HTTPS for the API calls.
B. Add the self-signed certificate to the Python trust store by using the cert file in the verify parameter.
C. Disable SSL certificate verification in the Python requests by setting verify=False.
D. Request an exception to the security policy to allow a CA-signed certificate.
Answer: B

This enables verification against the specific certificate, maintaining security without policy changes.

Why this answer

Option B is correct because adding the self-signed certificate to the Python trust store allows verification to succeed while maintaining security. Option A uses HTTP, which is insecure. Option C disables verification, violating security. Option D requires a policy change that is not immediate.

734
MCQ · hard

A network engineer is configuring Cisco Nexus VXLAN with BGP EVPN. The VTEPs are using loopback0 as the NVE source. The physical interfaces are up, but the NVE interface remains down. What is the most likely cause?

A. The loopback0 interface is not reachable via the underlay network.
B. The NVE interface is not configured with source-interface.
C. The VLAN 1 is not associated with the NVE interface.
D. The loopback0 interface is not created.
Answer: A

The NVE source must be routable in the underlay. If loopback0 is not advertised by IGP, the NVE interface stays down.

Why this answer

The NVE interface requires the specified source interface (loopback0) to have IP reachability via the underlay network to establish VXLAN tunnels. If loopback0 is not reachable (e.g., due to missing OSPF/IS-IS routes or incorrect underlay configuration), the NVE interface will remain in a down state even if the physical interfaces are up. This is because the NVE interface depends on the underlay routing to encapsulate and forward VXLAN traffic.

Exam trap

Cisco often tests the dependency of the NVE interface on underlay IP reachability, tricking candidates into focusing on NVE-specific configuration errors (like missing source-interface) rather than verifying the underlay routing for the loopback address.

How to eliminate wrong answers

Option B is wrong because the NVE interface is already configured with source-interface loopback0 (as stated in the question), so the absence of that configuration is not the issue. Option C is wrong because VLAN 1 association with the NVE interface is not required for the NVE interface to come up; VLANs are mapped to VNIs after the NVE is operational. Option D is wrong because the loopback0 interface is explicitly mentioned as the NVE source, implying it exists; if it were not created, the NVE configuration would fail at the CLI level, not just keep the interface down.

735
MCQ · medium

An engineer wants to automate the configuration of BGP on a Nexus switch using Ansible. Which module from the cisco.nxos collection is appropriate?

A. nxos_interface
B. nxos_config
C. nxos_bgp
D. nxos_vlan
Answer: C

Correct module for BGP.

Why this answer

The nxos_bgp module is designed to manage BGP configuration on NX-OS devices.

736
MCQ · easy

Which FCoE feature allows multiple VLANs to be carried over a single physical link when using FIP snooping?

A. NPV
B. VSANs
C. FIP snooping
D. Port channels
Answer: C

FIP snooping enables multiple FCoE VLANs on a link.

Why this answer

FIP snooping (Fibre Channel over Ethernet Initialization Protocol snooping) is used in FCoE environments to enable multiple FCoE VLANs on a single link. Option A is wrong because NPV is for Fibre Channel. Option B is wrong because VSANs are for Fibre Channel. Option D is wrong because port channels are for link aggregation, not VLAN support.

737
MCQ · medium

Refer to the exhibit. After applying this configuration, the engineer activates the zoneset with 'zoneset activate name ZONESET1 vsan 10'. The host with pwwn 10:00:00:00:c9:aa:bb:01 can communicate with the target with pwwn 10:00:00:00:c9:aa:bb:02. However, the host reports that it cannot see a third target with pwwn 10:00:00:00:c9:aa:bb:03. What is the most likely reason?

A. The third target is in a different VSAN.
B. The third target is not a member of ZONE1.
C. The zone name is case-sensitive and does not match.
D. The zoneset was not activated successfully.
Answer: B

Zoning restricts access; only members of the same zone can communicate.

Why this answer

The host can communicate with the target in ZONE1 (pwwn 10:00:00:00:c9:aa:bb:02) but not with the third target (pwwn 10:00:00:00:c9:aa:bb:03). This indicates that the zoneset activation was successful and the host is in the correct VSAN. The most likely reason is that the third target is not a member of ZONE1; in Fibre Channel zoning, only members of the same zone can communicate, and a device not in the zone will be invisible to other zone members.

Exam trap

The trap here is that candidates may assume the third target is in a different VSAN or that the zoneset activation failed, but the key is that successful communication with one target proves the zoneset is active and the host is in the correct VSAN, so the issue must be that the third target is simply not a member of the zone.

How to eliminate wrong answers

Option A is wrong because the host can already communicate with one target in VSAN 10, and the zoneset was activated on VSAN 10; if the third target were in a different VSAN, it would not be part of the same zoneset and would be invisible, but the question states the host cannot see it, implying it might be in the same VSAN but not zoned. Option C is wrong because zone names in Cisco NX-OS are case-sensitive, but the exhibit shows the zone name as 'ZONE1' and the zoneset activation command uses 'ZONESET1' — the mismatch is between the zoneset name and the zone name, not a case issue; the zone name itself is correctly referenced in the zoneset membership. Option D is wrong because the host can communicate with the first target, which proves the zoneset was activated successfully; if activation had failed, no communication would occur.

738
Multi-Select · medium

Which three components are part of the VXLAN overlay architecture? (Choose three.)

Select 3 answers
A. VTEP (Virtual Tunnel Endpoint)
B. VPC peer-link
C. Spine switches only in VXLAN
D. IP transport network (underlay)
E. VNI (VXLAN Network Identifier)
Answers: A, D, E

Correct. VTEPs encapsulate and decapsulate VXLAN frames.

Why this answer

VXLAN overlay includes VTEPs (endpoints), VNIs (network identifiers), and the transport IP network (underlay). The overlay is built on top of the underlay.

739
MCQ · easy

What is the purpose of a cluster witness VM in a HyperFlex cluster?

A. To host the HyperFlex management interface
B. To provide additional storage capacity
C. To act as a tie-breaker for quorum in cluster splits
D. To provide compute resources for the cluster
Answer: C

The witness VM helps maintain quorum when there are an even number of nodes.

Why this answer

The witness VM is used to achieve quorum in a two-node cluster (or to maintain quorum in case of network partitions). It is a lightweight VM that participates in cluster decision-making.

740
MCQ · medium

A Nexus administrator wants to apply an IPv4 ACL to filter traffic on a specific VLAN. Which command is correct?

A. ip access-group ACL_NAME in on VLAN interface
B. ip access-group ACL_NAME on VLAN
C. access-list ACL_NAME in on VLAN interface
D. vlan access-group ACL_NAME in
Answer: A

The correct syntax is applied to the VLAN interface.

Why this answer

ACLs on Nexus switches can be applied to VLANs using the 'ip access-group' command under the VLAN interface.

741
MCQ · hard

A data center design requires Layer 2 extension between two sites using OTV. The network engineer notices that MAC addresses from Site A are not learned at Site B. OTV adjacency is up, and both sites have the same overlay interface configured. Which configuration issue is most likely the cause?

A. The OTV control group is misconfigured on one side.
B. The spanning tree root bridge is different at each site.
C. The multicast group range for the overlay does not match.
D. The site VLAN is not allowed on the OTV join interface.
Answer: D

The join interface must be a trunk that carries the site VLAN for OTV to forward traffic.

Why this answer

D is correct because the OTV join interface must have the site VLAN allowed; if the site VLAN is not permitted on the join interface, the OTV edge device cannot send or receive encapsulated traffic for that VLAN, preventing MAC address learning between sites even though the OTV adjacency is up.

Exam trap

Cisco often tests the distinction between control-plane (adjacency) and data-plane (VLAN transport) issues, and the trap here is that candidates assume a working OTV adjacency guarantees all VLANs are extended, overlooking the need to explicitly allow the site VLAN on the join interface.

How to eliminate wrong answers

Option A is wrong because the OTV control group is used for control-plane communication (IS-IS adjacency), and if it were misconfigured, the OTV adjacency would not form; the question states adjacency is up, so the control group is correctly configured. Option B is wrong because OTV does not rely on spanning tree; it uses its own loop-prevention mechanism (authoritative edge device) and isolates STP domains, so different root bridges at each site do not affect MAC learning. Option C is wrong because the multicast group range for the overlay is used for data-plane transport; if it did not match, traffic would not be forwarded, but the question specifies the same overlay interface configuration, implying the multicast group range is consistent.

742
MCQ · medium

When configuring a UCS service profile for a blade server that needs to boot from the local disk, which boot order setting is appropriate?

A. Enable PXE boot only.
B. Set the boot order to local disk first, with no other boot devices.
C. Configure boot from CD/DVD as first device.
D. Set the boot order to SAN first, then local disk.
Answer: B

Correct. Local disk is first and only boot device.

Why this answer

To boot from local disk, the boot policy should list the local disk as the first boot device. Other devices can be secondary or disabled.

743
MCQ · medium

A network administrator configures DHCP snooping on a Nexus 9000 switch. The legitimate DHCP server is connected to Ethernet 1/1. An unauthorized DHCP server is detected on Ethernet 1/2. Which action should be taken to prevent the unauthorized server from offering IP addresses?

A. Enable the DHCP snooping information option
B. Set Ethernet 1/2 as a trusted port
C. Disable DHCP snooping globally
D. Set Ethernet 1/1 as a trusted port
Answer: D

The DHCP server port must be trusted to permit DHCP server messages such as OFFER and ACK.

Why this answer

Option D is correct because DHCP snooping uses the concept of trusted and untrusted ports. By default, all ports are untrusted. Setting Ethernet 1/1, where the legitimate DHCP server is connected, as a trusted port allows DHCP server messages (OFFER, ACK, etc.) from that port to be forwarded. All other ports, including Ethernet 1/2, remain untrusted, so any DHCP server messages received on them are dropped, effectively blocking the unauthorized DHCP server.

Exam trap

Cisco often tests the common misconception that you must set the port connected to the unauthorized server as untrusted (which is the default) rather than explicitly setting the legitimate server's port as trusted, leading candidates to incorrectly select option B or C.

How to eliminate wrong answers

Option A is wrong because enabling the DHCP snooping information option (option 82) inserts circuit-id and remote-id information into DHCP packets, but it does not control which ports are allowed to send DHCP server messages; it is used for DHCP relay and security auditing, not for blocking unauthorized servers. Option B is wrong because setting Ethernet 1/2 as a trusted port would allow the unauthorized DHCP server's messages to be forwarded, which is the opposite of the desired action. Option C is wrong because disabling DHCP snooping globally would remove all protection, allowing both legitimate and unauthorized DHCP servers to operate freely, which does not prevent the unauthorized server from offering IP addresses.

744
MCQ · easy

A network engineer is configuring OSPF on a Cisco Nexus switch for a data center network. The requirement is to ensure that the switch does not become the Designated Router (DR) on a multi-access segment. Which OSPF configuration achieves this?

A. Set OSPF priority to 255 on the interface
B. Set OSPF priority to 0 on the interface
C. Change the OSPF network type to point-to-point
D. Configure the interface as passive under OSPF
Answer: B

Priority 0 means the router will never become DR or BDR.

Why this answer

Setting the OSPF priority to 0 on the interface prevents the switch from participating in the DR/BDR election process, ensuring it will never become the Designated Router (DR) or Backup Designated Router (BDR) on a multi-access segment. This is the standard method per RFC 2328 to make a router ineligible for DR/BDR status while still allowing it to form full adjacencies with the DR and BDR.

Exam trap

Cisco often tests the misconception that setting a high priority (like 255) ensures a router does not become DR, when in fact it does the opposite; the trap here is confusing priority 0 (ineligible) with priority 255 (most likely to be elected).

How to eliminate wrong answers

Option A is wrong because setting OSPF priority to 255 (the highest possible value) makes the switch the most likely candidate to become the DR, which directly contradicts the requirement. Option C is wrong because changing the network type to point-to-point eliminates the DR/BDR election entirely, which may not be desirable if the segment is truly multi-access and other routers need to participate in elections; it also changes OSPF behavior (e.g., no hello/dead interval mismatches) and could break adjacency with neighbors expecting a broadcast network. Option D is wrong because configuring the interface as passive under OSPF suppresses OSPF hello packets entirely, preventing the switch from forming any OSPF adjacencies on that interface, which is more restrictive than simply avoiding DR status.

745
MCQ · medium

In a UCS B-Series environment, where are vNICs and vHBAs defined to provide network and storage connectivity to a blade server?

A. In the server BIOS settings
B. In the I/O Module (IOM) configuration
C. In the Fabric Interconnect CLI
D. In the service profile associated with the blade
Answer: D

Service profiles define the identity and policies for the server, including vNICs and vHBAs.

Why this answer

vNICs and vHBAs are defined in a service profile, which is then applied to a blade server to abstract the hardware identity.

746
MCQ · medium

A data center team is implementing FCoE and needs to ensure that FCoE traffic is not dropped during congestion. The network switches support Data Center Bridging (DCB). Which two DCB features are required for FCoE?

A. Enhanced Transmission Selection (ETS) and Data Center Bridging Exchange (DCBX)
B. Priority Flow Control (PFC) and Data Center Bridging Exchange (DCBX)
C. Enhanced Transmission Selection (ETS) and jumbo frames
D. Priority Flow Control (PFC) and jumbo frames
Answer: B

PFC ensures no-drop, and DCBX enables negotiation of DCB parameters.

Why this answer

PFC provides lossless transport, and DCBX is used for capability exchange between peers to configure PFC and other DCB features.

747
MCQ · medium

Which Nexus security feature validates the source IP address of packets on a per-port basis and drops packets with invalid source IPs?

A. Port Security
B. ACL
C. Dynamic ARP Inspection
D. IP Source Guard
Answer: D

IP Source Guard prevents IP spoofing.

Why this answer

IP Source Guard uses DHCP snooping binding to validate source IP.

748
Multi-Select · hard

Which TWO statements are true about Control Plane Policing (CoPP) on a Cisco Nexus 9000 switch? (Choose two.)

Select 2 answers
A. CoPP can be used to limit the rate of ICMP unreachable messages.
B. CoPP automatically drops all unknown unicast traffic.
C. CoPP is configured using the 'control-plane' sub-mode with policy-maps.
D. CoPP applies only to traffic destined to the switch management IP.
E. CoPP can be used to prioritize OSPF traffic over SSH.
Answers: A, C

ICMP unreachable messages can be rate-limited with CoPP to prevent DoS.

Why this answer

Option A is correct because CoPP can rate-limit control-plane traffic such as ICMP unreachable messages. By applying a policy-map in the 'control-plane' sub-mode, you can define class-maps that match specific control-plane protocols (e.g., ICMP) and then police their rate to prevent CPU overload from floods of such packets.

Exam trap

Cisco often tests the misconception that CoPP is only for management IP traffic or that it can prioritize traffic, when in fact it is a policing mechanism for all control-plane traffic and does not provide prioritization.

749
MCQ · medium

A large enterprise data center uses Cisco UCS Manager to manage hundreds of blade servers. The automation team has been using Python SDK scripts to provision service profiles. Recently, after a UCS Manager firmware upgrade, several scripts that previously worked are now failing with 'AttributeError: 'ServiceProfile' object has no attribute 'set_vnic_order''. The team confirms that the UCS Manager version changed from 4.0 to 4.2. Which course of action should the engineer take to resolve the issue?

A. Use the UCS Manager XML API directly without the SDK
B. Downgrade UCS Manager back to version 4.0 to restore compatibility
C. Replace Python scripts with Ansible modules that use the UCS API
D. Update the Python SDK to the version that supports UCS Manager 4.2 and modify scripts accordingly
Answer: D

Permanent fix; SDK update restores API compatibility.

Why this answer

The Python SDK for UCS Manager is version-specific; upgrading UCS Manager from 4.0 to 4.2 introduces API changes that can deprecate or remove methods like `set_vnic_order`. Updating the SDK to a version compatible with UCS Manager 4.2 ensures the Python scripts use the correct API calls, and modifying the scripts to align with any new method signatures or attributes resolves the AttributeError.

Exam trap

Cisco often tests the misconception that direct API usage (Option A) or alternative tools (Option C) bypass version compatibility issues, when in fact all API layers require version alignment.

How to eliminate wrong answers

Option A is wrong because using the UCS Manager XML API directly without the SDK would require rewriting all scripts from scratch, which is more labor-intensive and error-prone than updating the SDK; the XML API also undergoes version changes, so it would not inherently avoid compatibility issues. Option B is wrong because downgrading UCS Manager is a backward step that loses new features, security patches, and bug fixes, and it is not a sustainable solution for an enterprise environment. Option C is wrong because replacing Python scripts with Ansible modules is unnecessary and introduces a new toolchain; Ansible modules also rely on the UCS API and would require similar version compatibility updates.

750
MCQ · easy

A multicast application requires that all receivers join the same group using PIM sparse mode. Which router is responsible for forwarding traffic from the source to the RP?

A. Rendezvous point (RP)
B. First-hop router
C. Last-hop router
D. Source-specific router
Answer: B

The source's DR unicasts the traffic to the RP.

Why this answer

In PIM sparse mode, the first-hop router (the router directly connected to the multicast source) is responsible for encapsulating the source's multicast traffic in unicast PIM register messages and forwarding them to the rendezvous point (RP). This process establishes the initial path and triggers the RP to join the shortest-path tree (SPT) toward the source.

Exam trap

Cisco often tests the misconception that the RP originates or forwards traffic from the source, when in fact the first-hop router is the one that encapsulates and sends the source traffic to the RP using PIM register messages.

How to eliminate wrong answers

Option A is wrong because the RP is the meeting point for receivers and sources, but it does not forward traffic from the source to itself; it receives register messages from the first-hop router and then joins the SPT toward the source. Option C is wrong because the last-hop router (the router directly connected to receivers) is responsible for sending PIM join messages toward the RP and later switching to the SPT, not for forwarding traffic from the source to the RP. Option D is wrong because there is no standard 'source-specific router' in PIM sparse mode; the concept of source-specific multicast (SSM) uses a different model (PIM-SSM) where receivers join directly to the source via (S,G) state, bypassing the RP entirely.
