Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 826-900

1000 questions total · 14 pages · All types, answers revealed

Page 12 of 14

826
MCQ · medium

In a Cisco HyperFlex cluster, which component is responsible for ensuring data redundancy and consistency across nodes, and typically requires a separate VM for proper operation?

A. Cisco IMC
B. HyperFlex Data Platform (HXDP) controller
C. Cluster Witness VM
D. vCenter Server
Answer: C

The witness VM provides arbitration for cluster membership.

Why this answer

The cluster witness VM (arbiter) is used in HyperFlex for quorum decisions and to prevent split-brain scenarios, especially with RF2.

827
Multi-Select · medium

Which TWO commands are used to verify Fibre Channel connectivity issues on a Cisco MDS switch? (Choose two.)

Select 2 answers
A. show ip interface brief
B. show mac address-table
C. show vlan
D. show interface fc <slot/port>
E. show flogi database
Answers: D, E

Shows interface status, errors.

Why this answer

Option D is correct because the 'show interface fc <slot/port>' command displays detailed status, errors, and operational state of a specific Fibre Channel interface, which is essential for diagnosing physical or link-level connectivity issues on a Cisco MDS switch. Option E is correct because the 'show flogi database' command lists all N-port (host) logins registered with the fabric via the Fabric Login (FLOGI) process, verifying that end devices have successfully established a session with the switch and are visible in the Fibre Channel fabric.

Exam trap

Cisco often tests the distinction between Ethernet-based troubleshooting commands (like 'show ip interface brief' or 'show mac address-table') and Fibre Channel-specific commands, leading candidates to mistakenly apply familiar IP/Ethernet commands to a storage networking context.

828
Multi-Select · medium

Which TWO statements accurately describe Cisco UCS service profiles? (Choose two.)

Select 2 answers
A. They are bound to a specific physical blade and cannot be reassigned.
B. They can be created from templates to ensure consistency.
C. They enable stateless computing by abstracting hardware configuration.
D. They require individual configuration for each server without reuse.
E. They are used only for B-series blades, not C-series.
Answers: B, C

Templates provide standard configurations.

Why this answer

Service profiles abstract hardware and are template-based for consistency.

829
MCQ · easy

A data center switch port is configured for 802.1X with MAB as fallback. A device that does not support 802.1X is connected. Which method will allow the device to authenticate?

A. EAP-TLS
B. Web authentication
C. Local authentication using a pre-shared key
D. MAC authentication bypass
Answer: D

MAB is the fallback method for devices that do not support 802.1X.

Why this answer

When a device that does not support 802.1X is connected to a port configured for 802.1X with MAB as fallback, the switch detects that no EAPOL frames are received from the device. It then initiates MAC authentication bypass (MAB), which uses the device's MAC address as the identity for authentication against the RADIUS server. If the MAC address is allowed, the port is authorized, providing a seamless fallback authentication method for non-802.1X-capable devices.

Exam trap

The trap here is that candidates often confuse MAB with web authentication or assume that any non-802.1X device will automatically trigger web authentication, but Cisco tests that MAB is the first fallback method when configured, and it uses the MAC address, not a pre-shared key or certificate.

How to eliminate wrong answers

Option A is wrong because EAP-TLS is an 802.1X authentication method that requires the device to support 802.1X and present a client certificate, which the non-802.1X-capable device cannot do. Option B is wrong because web authentication (WebAuth) is a separate fallback method that redirects HTTP traffic to a captive portal for user credentials, but it is not the default or automatic fallback when MAB is configured; MAB is tried first before WebAuth. Option C is wrong because local authentication using a pre-shared key is not a standard 802.1X or MAB mechanism; MAB relies on RADIUS server authentication using the MAC address, not a locally configured pre-shared key.

830
MCQ · hard

An engineer is troubleshooting a vPC consistency check failure. Which parameter must be identical on both vPC peer switches to avoid a consistency check violation for a vPC member port?

A. Allowed VLAN list on the port channel
B. STP root guard setting
C. MTU size
D. Spanning-tree port type
Answer: A

Mismatched allowed VLANs cause consistency check failure and may suspend the vPC.

Why this answer

vPC consistency checks ensure critical parameters match; allowed VLANs on the port channel are a common source of mismatch.

831
MCQ · easy

A UCS blade server has two vHBAs configured. The storage array is connected to both Fabric Interconnects. Which multipathing configuration should be used on the host to provide path redundancy without needing additional storage ports?

A. Active/passive multipathing
B. Single path with failover
C. Active/active multipathing
D. Round-robin I/O scheduling
Answer: C

Active/active allows both paths to be used concurrently.

Why this answer

With two vHBAs connected to two separate FIs, the host can use active/active multipathing (e.g., ALUA or symmetric) to utilize both paths simultaneously for redundancy and load balancing.

832
MCQ · medium

A financial services company is migrating its core banking application to a new data center built on Cisco Nexus 9000 switches with VXLAN EVPN. The application requires active-active multihoming for its servers, which are dual-homed to two leaf switches. The network team has configured vPC on the leaf switches for the server connections. After the migration, the application team reports that some packets are being dropped during failover events when one of the vPC member links goes down. The network team confirms that vPC is properly configured and the peer-keepalive is functioning. What is the most likely cause of packet drops during failure?

A. The vPC peer-gateway feature is not enabled.
B. The vPC orphan port configuration is missing.
C. The vPC role is not configured with preempt.
D. The vPC consistency parameters are not identical between the peer switches.
Answer: D

Mismatched parameters cause forwarding inconsistencies.

Why this answer

Option A is correct because vPC consistency parameters must match; if not, traffic may be dropped because the switches have different forwarding information. Option B is for gateway IP, not failover drops. Option C is for role election.

Option D is for ports not in vPC.

833
Multi-Select · hard

An engineer is deploying data encryption in a SAN environment. Which two methods provide at-rest encryption? (Choose two.)

Select 2 answers
A. MACsec encryption
B. FC-SP-2 encryption
C. IPsec encryption
D. Self-encrypting drives (SED)
E. EMC/NetApp at-rest encryption
Answers: D, E

SED provides at-rest encryption on the drive.

Why this answer

SED encrypts data on the drive; SAN array encryption encrypts data at the storage level.

834
MCQ · hard

A network administrator is configuring a Cisco Nexus switch to use NX-API for automation. Which statement about NX-API is true?

A. NX-API supports JSON-RPC and RESTful API calls
B. NX-API requires the use of Python scripts exclusively
C. NX-API only supports XML data format
D. NX-API requires a separate license and is not included in NX-OS
Answer: A

NX-API provides both JSON-RPC and REST interfaces.

Why this answer

NX-API on Cisco Nexus switches supports both XML and JSON as data formats. It uses HTTP/HTTPS (not CLI telnet) and provides a RESTful API. The 'nxapi' feature must be enabled, and authentication uses credentials, not certificates by default.

835
MCQ · medium

An administrator needs to configure a Fibre Channel SAN to support two separate departments that must not see each other's storage. Each department has its own set of initiators and targets. Which technology should be used?

A. VSANs (Virtual SANs)
B. Port channels
C. NPV
D. IVR (Inter-VSAN Routing)
Answer: A

VSANs isolate traffic.

Why this answer

VSANs (Virtual SANs) provide isolation within a single Fibre Channel fabric by partitioning the physical SAN into multiple logical SANs. Each department's initiators and targets are placed in separate VSANs, ensuring they cannot see each other's storage traffic or devices, which meets the requirement for complete separation without additional physical hardware.

Exam trap

Cisco often tests the distinction between VSANs and IVR, where candidates mistakenly think IVR is needed for isolation, but IVR actually enables controlled sharing between VSANs, not isolation.

How to eliminate wrong answers

Option B (Port channels) is wrong because port channels aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, but they do not provide any isolation or segmentation between different departments' storage traffic. Option C (NPV) is wrong because NPV (N_Port Virtualization) is used to reduce the number of Fibre Channel domain IDs in a SAN by allowing a switch to proxy logins for multiple initiators, but it does not create separate logical SANs or prevent inter-department visibility. Option D (IVR) is wrong because IVR (Inter-VSAN Routing) is specifically designed to selectively route traffic between different VSANs, which would allow the departments to see each other's storage, directly violating the requirement that they must not see each other's storage.

836
MCQ · hard

A Fibre Channel switch is experiencing high latency on a specific ISL. The link is operating at 16 Gbps and has high utilization. Which action will most likely reduce latency?

A. Reduce the buffer credit count.
B. Enable trunking on the ISL.
C. Disable flow control on the ISL.
D. Add an additional ISL and configure a port channel.
Answer: D

Load balancing reduces latency.

Why this answer

Adding an additional ISL and configuring a port channel increases the aggregate bandwidth between the two switches, reducing per-link utilization and thus lowering queuing latency. This directly addresses the root cause—high utilization on a single 16 Gbps link—by distributing traffic across multiple physical links, which also provides load balancing and redundancy.

Exam trap

Cisco often tests the misconception that trunking or flow control adjustments can solve bandwidth-related latency, when in fact only increasing aggregate bandwidth (via port channels) reduces queuing delay caused by high utilization.

How to eliminate wrong answers

Option A is wrong because reducing the buffer credit count would actually decrease the number of frames that can be in transit, potentially increasing latency due to credit starvation, especially on long-distance links. Option B is wrong because enabling trunking on the ISL (typically via VSAN trunking) does not increase bandwidth; it only allows multiple VSANs to share the same link, which does not reduce utilization or latency. Option C is wrong because disabling flow control (e.g., buffer-to-buffer credit flow control) would remove the mechanism that prevents frame loss, leading to retransmissions and higher latency, not lower.

837
MCQ · easy

A storage administrator notices that a newly deployed Fibre Channel initiator cannot log in to the SAN switch. The switch is configured for NPV mode. Which condition is most likely causing the issue?

A. NPIV is disabled on the upstream switch.
B. The initiator is not using a device alias.
C. The switch is configured for NPIV mode instead of NPV.
D. The switch port is configured as an E port.
Answer: A

NPIV must be enabled on upstream switches for NPV mode to work.

Why this answer

In NPV mode, the switch acts as a transparent proxy, forwarding FLOGI requests from initiators to the upstream NPIV-capable core switch. If NPIV is disabled on the upstream switch, it will reject the FLOGI because it cannot register multiple N-Port IDs on a single physical link, causing the initiator to fail login.

Exam trap

Cisco often tests the distinction between NPV (a switch mode) and NPIV (a feature on the upstream switch), leading candidates to confuse the two or assume the issue is with the NPV switch's own configuration.

How to eliminate wrong answers

Option B is wrong because device aliases are used for zoning and management convenience, not for the FLOGI process; an initiator can log in without any alias. Option C is wrong because the question states the switch is configured for NPV mode, and NPIV mode is a feature of the upstream switch, not a conflicting mode. Option D is wrong because in NPV mode, the switch port facing the upstream switch is configured as an NP port (proxy N-port), not an E port; E ports are used for ISL links between switches in standard FC switching mode, not NPV.

838
MCQ · hard

A large enterprise data center uses Cisco ACI with a spine-leaf architecture. The security team requires that all traffic between the Web and App tiers be inspected by a firewall, but traffic within the same tier should be allowed directly. The Web EPG is in VRF PROD with Bridge Domain WEB-BD, and App EPG is in VRF PROD with Bridge Domain APP-BD. The firewall is connected as a service graph device in a different VRF (FW-VRF). The administrator configures a contract between Web and App EPGs that redirects traffic through the firewall. However, after implementation, traffic from Web to App is not passing through the firewall; instead, it is forwarded directly. The contract is applied correctly. What is the most likely cause?

A. The firewall is in a different VRF; service graphs require the firewall to be in the same VRF as the endpoints or use a shared VRF with appropriate route leaking.
B. The firewall is not reachable from the leaf switches due to a routing issue.
C. The contract filter is misconfigured, allowing direct communication without redirection.
D. The contract is applied only to intra-EPG traffic, not inter-EPG traffic.
Answer: A

ACI service graph redirection typically works within the same VRF or with PBR; different VRFs break the redirection.

Why this answer

In Cisco ACI, service graphs redirect traffic through firewall devices by inserting the firewall as a Layer 4-Layer 7 device in the traffic path. However, the service graph device must reside in the same VRF as the consumer and provider EPGs, or a shared VRF with proper route leaking must be configured, because ACI uses VRF isolation to enforce policy-based redirect (PBR). Since the firewall is in FW-VRF while both EPGs are in VRF PROD, the leaf switches cannot redirect traffic to the firewall without a common routing context, causing the contract to bypass the firewall and forward traffic directly.

Exam trap

Cisco often tests the misconception that a service graph device can be in any VRF as long as the contract is applied correctly, but in reality, the VRF alignment is mandatory for the redirect to function.

How to eliminate wrong answers

Option B is wrong because the question states the contract is applied correctly and the firewall is connected as a service graph device; a routing issue would typically manifest as unreachability or packet drops, not as direct forwarding without redirection. Option C is wrong because the contract filter controls which traffic is permitted or denied, not the redirection path; the service graph redirection is configured separately in the contract's service graph template. Option D is wrong because the contract is explicitly configured between Web and App EPGs, which is inter-EPG traffic, and intra-EPG traffic within the same tier is allowed directly by default without a contract.

839
MCQ · medium

Which of the following correctly describes the role of Fabric Interconnects A and B in a UCS domain?

A. FI A is for UCS Manager access only, and FI B is for storage traffic only.
B. FI A and FI B provide redundancy and can be configured in an active-active or active-standby manner.
C. FI A handles all management traffic, while FI B handles all data traffic.
D. FI A and FI B are used in a standalone mode, each managing separate sets of blades.
Answer: B

Correct. They provide redundant connectivity and management.

Why this answer

Fabric Interconnects A and B operate in an active-active or active-standby configuration to provide redundancy for both management and data traffic. Each FI connects to all IOMs, but each IOM is associated with one FI (fabric A or B) for failover.

840
MCQ · medium

Which MST configuration parameter must match across all switches in the same MST region?

A. Port cost
B. Root bridge
C. Region name, revision, and VLAN mapping
D. Bridge priority
Answer: C

These define the MST region.

Why this answer

The MST region includes the region name, revision number, and VLAN-to-instance mapping. All must match for switches to be in the same region.

841
MCQ · medium

In ACI, a contract is defined between two EPGs. Which component specifies the type of traffic allowed?

A. VRF
B. Filter
C. Subject
D. Tenant
Answer: C

The subject in a contract contains one or more filters and defines the direction and applicability.

Why this answer

A contract contains subjects, which include filters that define traffic types.

842
MCQ · medium

A Cisco MDS switch is configured with NPV mode. A host NPIV-capable HBA is connected to this switch. The HBA needs to log in with multiple N-port IDs to support multiple virtual machines. What must be configured on the MDS switch to allow this?

A. PortChannel
B. NPIV
C. VSAN trunking
D. Zoning
Answer: B

NPIV must be enabled on the switch and supported by the HBA to allow multiple FCIDs.

Why this answer

NPIV (N_Port ID Virtualization) allows multiple FCIDs on a single N-port. On an NPV switch, NPIV must be enabled to allow the HBA to register multiple IDs.

843
Multi-Select · easy

Which TWO methods can be used to manage Cisco UCS C-series rack servers out-of-band? (Choose two.)

Select 2 answers
A. SSH to the server's OS
B. Cisco IMC Supervisor
C. CIMC web interface
D. Vic CLI
E. UCS Manager GUI
Answers: B, C

IMC Supervisor provides centralized management for multiple C-series.

Why this answer

CIMC and IMC Supervisor are out-of-band management tools for C-series.

844
MCQ · medium

Which feature in NX-OS allows for direct API calls to the switch for automation purposes?

A. NX-API
B. Python scripting
C. Bash shell
D. SNMP
Answer: A

NX-API is the REST API for Nexus switches.

Why this answer

NX-API provides a RESTful API interface for automation.

845
Multi-Select · hard

Which THREE factors must be considered when implementing FCIP for SAN extension over a WAN? (Choose three.)

Select 3 answers
A. VSAN configuration on the remote MDS switch.
B. Jitter and packet loss characteristics.
C. Buffer-to-buffer credit count on the FCIP tunnel.
D. Round-trip time (RTT) latency of the WAN link.
E. Available bandwidth and potential congestion.
Answers: B, D, E

Jitter and loss impact TCP performance and retransmissions.

Why this answer

FCIP (Fibre Channel over IP) tunnels encapsulate Fibre Channel frames over IP networks. Jitter and packet loss directly cause Fibre Channel timeouts and retransmissions, severely impacting storage performance. Unlike Fibre Channel over dedicated links, WAN characteristics like jitter and loss must be explicitly accounted for in FCIP design.

Exam trap

Cisco often tests the distinction between Fibre Channel fabric parameters (like VSANs and B2B credits) and WAN-specific factors (jitter, loss, RTT, bandwidth) that directly impact FCIP tunnel performance, leading candidates to select local SAN parameters instead of WAN characteristics.

846
MCQ · hard

Which iSCSI authentication method provides mutual authentication between initiator and target using a shared secret?

A. Kerberos
B. CHAP
C. IPsec
D. RADIUS
Answer: B

CHAP can provide mutual authentication in iSCSI.

Why this answer

CHAP (Challenge Handshake Authentication Protocol) can be configured for one-way or mutual authentication. Mutual CHAP authenticates both sides using a shared secret.

847
MCQ · hard

A storage administrator is configuring a new storage array that supports thin provisioning. The array reports 10 TB of physical storage and 50 TB of thin-provisioned logical capacity. Which risk is most important to monitor to avoid out-of-space conditions?

A. High latency on the Fibre Channel links
B. The number of snapshots taken
C. The replication status
D. The rate of physical capacity consumption and remaining free space
Answer: D

If physical space is exhausted, writes may fail or data loss can occur.

Why this answer

Thin provisioning overcommits physical storage; monitoring actual physical usage and growth rate is critical to prevent running out of space.

848
Multi-Select · medium

A network engineer is troubleshooting an OSPF adjacency that fails to reach FULL state between two Nexus 9000 switches. Which TWO are common causes for this issue?

Select 2 answers
A. Mismatched OSPF process ID
B. Mismatched area ID
C. Mismatched router ID
D. Mismatched hello/dead timers
E. Mismatched network type
Answers: B, D

OSPF neighbors must belong to the same area to form an adjacency.

Why this answer

Option B is correct because OSPF requires that both routers in a neighbor relationship belong to the same area. If the area IDs differ, the routers will not exchange routing information and the adjacency will stall at the EXSTART or EXCHANGE state, never reaching FULL. This is a fundamental OSPF neighbor requirement defined in RFC 2328.

Exam trap

Cisco often tests the misconception that the OSPF process ID must match between neighbors, but it is only locally significant and does not affect adjacency formation.

849
MCQ · hard

A data center engineer is implementing FCoE and must ensure lossless behavior for Fibre Channel traffic over Ethernet. Which Data Center Bridging (DCB) mechanism prevents frame loss by pausing traffic on a per-priority basis?

A. Data Center Bridging Exchange (DCBX)
B. Priority Flow Control (PFC)
C. FCoE Initialization Protocol (FIP)
D. Enhanced Transmission Selection (ETS)
Answer: B

PFC provides per-priority pause to enable lossless Ethernet.

Why this answer

Priority Flow Control (PFC) is a DCB mechanism that provides per-priority pause to prevent frame loss, ensuring lossless delivery for FCoE traffic.

850
MCQ · hard

A company has two Cisco MDS 9700 switches in a dual-fabric SAN. Each fabric has its own set of storage arrays and hosts. The company wants to enable selective communication between specific devices in Fabric A and Fabric B without merging the fabrics. Which Cisco technology should be used?

A. FCIP
B. NPV
C. IVR
D. Port channels
Answer: C

IVR enables selective communication between devices in different VSANs while keeping fabrics separate.

Why this answer

Cisco IVR (Inter-VSAN Routing) allows selective communication between devices in different VSANs without merging the fabrics. In this dual-fabric SAN scenario, IVR enables specific hosts in Fabric A to communicate with specific storage arrays in Fabric B while keeping the VSANs and fabrics logically isolated, preserving fault domains and administrative boundaries.

Exam trap

Cisco often tests the distinction between technologies that merge fabrics (like FCIP or trunking) versus those that enable selective inter-fabric communication without merging (like IVR), and the trap here is confusing FCIP's WAN extension capability with IVR's selective routing within a local dual-fabric design.

How to eliminate wrong answers

Option A is wrong because FCIP (Fibre Channel over IP) is used to interconnect geographically separated SAN islands over an IP network, not to enable selective communication between devices in the same physical location without merging fabrics. Option B is wrong because NPV (N_Port Virtualization) is a mode used by edge switches to aggregate multiple N_Ports into a single uplink to a core switch, reducing domain IDs; it does not provide inter-fabric routing. Option D is wrong because port channels aggregate multiple physical links into a single logical link for increased bandwidth and redundancy within a single fabric, not for routing traffic between separate fabrics.

851
MCQ · easy

A UCS administrator needs to ensure that server boot order always starts from the local disk if available, and falls back to a SAN LUN if local disk fails. Which boot policy setting should be used?

A. Local Disk alone
B. SAN first, then Local Disk
C. SAN Boot Only
D. Local Disk first, then SAN
Answer: D

Matches the requirement.

Why this answer

Option D is correct because the UCS boot policy allows you to specify a boot order where the local disk is attempted first. If the local disk is unavailable or fails, the system automatically falls back to the next boot device in the list, which is the SAN LUN. This ensures high availability and aligns with the requirement to prefer local boot while providing a failover path.

Exam trap

Cisco often tests the misconception that 'SAN first, then Local Disk' provides a fallback to local disk, but the trap is that the order is reversed, causing the server to always boot from SAN first, which does not satisfy the requirement to prefer local disk when available.

How to eliminate wrong answers

Option A is wrong because 'Local Disk alone' provides no fallback if the local disk fails, leaving the server unable to boot. Option B is wrong because 'SAN first, then Local Disk' reverses the required order, causing the server to always attempt SAN boot before local disk, which does not meet the requirement to start from local disk if available. Option C is wrong because 'SAN Boot Only' forces boot exclusively from the SAN LUN with no option to boot from local disk, even if the local disk is functional.

852
MCQ · medium

An engineer is designing a SAN extension over a WAN link using FCIP. The link has high latency (50 ms RTT). Which configuration is most critical to maintain performance?

A. Configure a large TCP window size.
B. Enable compression on the FCIP tunnel.
C. Increase the buffer-to-buffer credits.
D. Reduce the TCP MSS to 512 bytes.
Answer: A

Window scaling allows more data in flight, improving throughput over high-latency links.

Why this answer

FCIP encapsulates Fibre Channel frames over TCP/IP. High latency (50 ms RTT) means the TCP sender must wait longer for acknowledgments, which can stall the connection if the TCP window is too small. A large TCP window size (e.g., using window scaling per RFC 1323) allows more data to be in flight before requiring an ACK, thereby maintaining throughput and preventing performance collapse on high-latency WAN links.

Exam trap

Cisco often tests the misconception that buffer-to-buffer credits (BB_credits) are the primary flow control for FCIP, when in fact TCP window sizing is the critical parameter for high-latency WAN links.

How to eliminate wrong answers

Option B is wrong because compression reduces bandwidth usage but does not address the fundamental throughput limitation caused by high latency and small TCP windows; it may even add processing delay. Option C is wrong because buffer-to-buffer credits (BB_credits) are a Fibre Channel flow control mechanism used between directly connected FC ports, not over FCIP tunnels; they do not affect TCP windowing over WAN. Option D is wrong because reducing TCP MSS to 512 bytes increases header overhead and the number of segments, which can worsen performance on a high-latency link by requiring more ACKs per byte of data.

853
Multi-Select · hard

Which THREE statements are true regarding YANG models in the context of data center automation? (Choose three.)

Select 3 answers
A. YANG is a data modeling language used to define configuration and state data.
B. YANG is a communication protocol like NETCONF.
C. RESTCONF supports both JSON and XML encoding.
D. NETCONF uses XML encoding for YANG-modeled data.
E. OpenConfig YANG models are Cisco-proprietary.
Answers: A, C, D

Correct. YANG models define data.

Why this answer

YANG models define data structures for network configuration and state. NETCONF uses XML-based encoding, while RESTCONF uses JSON or XML. OpenConfig provides vendor-neutral YANG models.

YANG is a data modeling language, not a protocol.

854
MCQ · medium

A storage administrator wants to implement Fibre Channel zoning to ensure that only specific initiators can access specific targets. The administrator prefers a method that does not require reconfiguration when a host's HBA is replaced with a new one with a different WWPN. Which zoning type meets this requirement?

A. Hard zoning by port
B. Soft zoning by port
C. Soft zoning by WWN
D. Hard zoning by WWN
Answer: B

Soft zoning by port uses the switch port number. If the same port is used for the new HBA, no reconfiguration is needed.

Why this answer

Soft zoning by port uses the physical port number, not the WWPN. If the HBA is replaced but the same port is used, the zoning remains valid. Hard zoning by WWN would require updating the zone if the WWPN changes.

855
MCQ · easy

In a Cisco ACI fabric, which component is responsible for managing the policy repository, fault monitoring, and API endpoints?

A. DCNM
B. APIC controller
C. Spine switch
D. Leaf switch
Answer: B

The APIC is the central controller for policy, monitoring, and API access.

Why this answer

The APIC controller is the centralized policy and management controller in ACI, handling all these functions.

856
Drag & Drop · medium

Order the steps to configure FCoE on a Cisco Nexus switch with NPV mode.

Why this order

FCoE requires feature fcoe, VSAN mapping, VLAN config, NPV mode, and fabric login.

857
MCQ · medium

An engineer is configuring vPC on a pair of Nexus switches. Which statement correctly describes the vPC peer-keepalive link?

A. It is used to forward data traffic between vPC peers
B. It must be a dedicated Layer 2 link between vPC peers
C. It carries BPDUs to prevent loops
D. It is a Layer 3 link used to verify the health of the vPC peer
Answer: D

The peer-keepalive is a Layer 3 heartbeat used to detect peer failure.

Why this answer

The peer-keepalive link is used to detect a split-brain scenario and is typically a Layer 3 link.

858
MCQ · medium

A network engineer needs to replace a failed UCS B-Series blade server with a new blade of the same model. The original blade had a custom service profile with specific vNIC and vHBA settings. What is the most efficient method to apply the same configuration to the new blade without manual reconfiguration?

A. Create a new service profile from scratch for the new blade.
B. Use Cisco IMC Supervisor to import the configuration from the failed blade.
C. Disassociate the existing service profile from the failed blade and associate it with the new blade.
D. Manually configure the new blade using UCS Manager GUI with the same settings as the original blade.
Answer: C

Correct. This applies all settings automatically.

Why this answer

UCS service profiles abstract hardware configuration. By disassociating the profile from the failed blade and associating it with the new blade, all settings (vNICs, vHBAs, policies) are automatically applied, supporting stateless computing.

859
Matching · medium

Match each Cisco data center automation tool to its primary use.

Matches

Configuration management and orchestration

Scripting language for custom automation

Programmatic interface for device management

Infrastructure as code for server configuration

Declarative configuration management

Why these pairings

Automation tools streamline data center operations.

860
Multi-Select · easy

Which TWO are important considerations when using Cisco UCS Central for multi-domain management? (Select TWO.)

Select 2 answers
A. UCS Central requires separate licensing per managed server.
B. Global policies can be defined in UCS Central and applied per domain with local overrides.
C. All domains must have identical hardware and firmware versions.
D. UCS Central communicates with both Fabric Interconnects in each domain for redundancy.
E. Local UCS Manager policies are always overridden by UCS Central policies.
Answers: B, D

This is a key feature of UCS Central.

Why this answer

Option B is correct because Cisco UCS Central allows administrators to define global policies that can be applied across multiple UCS domains, while still permitting local overrides at the UCS Manager level. This hierarchical policy model provides centralized control without sacrificing the flexibility needed for domain-specific configurations, such as unique VLANs or boot policies.

Exam trap

Cisco often tests the misconception that UCS Central enforces strict homogeneity across domains, but the correct understanding is that it supports heterogeneous environments with flexible policy inheritance and local overrides.

861
MCQhard

A HyperFlex cluster uses replication factor 3 (RF3) and consists of 4 all-flash nodes. One node fails permanently. After replacing the node, the cluster re-replicates data. What is the minimum number of additional node failures that can be tolerated without data loss after re-replication completes?

A.2
B.1
C.0
D.3
AnswerA

With RF3, two simultaneous failures are tolerable without data loss.

Why this answer

With RF3 (three copies of data), the cluster can tolerate up to two simultaneous failures (quorum requires at least two copies). After the failed node is replaced, the cluster returns to full health, so it can again tolerate two failures. However, if the cluster originally had 4 nodes and one fails, only 3 remain; if another fails during re-replication, data could be at risk. After re-replication completes, 4 nodes exist again, so two failures are tolerable.

862
MCQmedium

Refer to the exhibit. An administrator notices the blade firmware is outdated. What is the recommended first step to update the blade firmware?

A.Upgrade the fabric interconnects first
B.Update each blade individually using the CIMC
C.Reboot all blades immediately
D.Create a firmware management policy to stage the update
AnswerD

Allows orchestrated update across all blades with minimal disruption.

Why this answer

Option D is correct because Cisco UCS Manager uses firmware management policies to stage firmware updates across blades in a controlled, non-disruptive manner. Staging the update allows the administrator to schedule the activation during a maintenance window, ensuring all blades receive the same firmware version consistently without immediate impact on production traffic.

Exam trap

The trap here is that candidates often assume a direct, immediate action like rebooting or manual updates is required, but Cisco tests the understanding that UCS Manager provides a policy-based staging mechanism to safely orchestrate firmware updates across multiple blades.

How to eliminate wrong answers

Option A is wrong because upgrading fabric interconnects first is not the recommended first step for blade firmware; fabric interconnect firmware updates are independent and should be coordinated but not necessarily performed before blade updates. Option B is wrong because updating each blade individually using the CIMC is inefficient, error-prone, and bypasses the centralized management capabilities of UCS Manager, which can automate and validate the update process. Option C is wrong because rebooting all blades immediately without staging the firmware could cause unexpected downtime and service disruption, and it does not address the need to actually update the firmware.

863
MCQeasy

Which of the following is a requirement for iSCSI storage connectivity to support jumbo frames?

A.Enable PFC on the switch
B.Configure MTU 9000 on all involved interfaces
C.Enable MPIO
D.Use CHAP authentication
AnswerB

Jumbo frames require MTU 9000 end-to-end.

Why this answer

Jumbo frames require an MTU of 9000 bytes on all interfaces in the path.

864
Multi-Selecthard

Which THREE factors should be considered when sizing buffer credits for a long-haul FC link?

Select 3 answers
A.Link speed
B.Number of targets
C.Frame size
D.Distance
E.Buffer-to-buffer credit pool size
AnswersA, C, D

Higher speed requires more credits to keep the link busy.

Why this answer

Link speed (A) is a critical factor because higher speeds require more buffer credits to maintain full throughput over a given distance. The buffer credit requirement scales linearly with link speed, as each credit represents the ability to send one frame before receiving an acknowledgment. For example, a 16 Gbps link needs twice as many buffer credits as an 8 Gbps link for the same distance.

Exam trap

Cisco often tests the misconception that the number of targets or initiators influences buffer credit requirements, when in fact only distance, speed, and frame size matter for the per-link calculation.

865
MCQmedium

A data center network uses MST with multiple instances. Different VLANs are mapped to different MST instances to utilize multiple spanning tree paths. Which MST parameter must be identical on all switches in the same region to ensure proper operation?

A.MST region name and revision number
B.Port path cost
C.Bridge priority
D.Max age timer
AnswerA

Correct: region name and revision must match for region consistency.

Why this answer

An MST region requires a consistent revision number, name, and VLAN-to-instance mapping on all switches in the region.

866
MCQmedium

Refer to the exhibit. An NX-API request returns this JSON error. What is the most likely cause?

A.The API version in the request is mismatched
B.Invalid credentials
C.The command is not allowed via NX-API
D.The switch is in maintenance mode
AnswerC

Some commands are restricted in NX-API. The error 'Invalid command' suggests a disallowed command.

Why this answer

The JSON error indicates that the NX-API request was rejected because the command is not permitted through the NX-API interface. NX-API enforces a strict allowlist of commands; any command not explicitly allowed (e.g., certain show commands or configuration commands that could destabilize the switch) will return this error. This is a security and stability feature of the NX-API RESTful interface.

Exam trap

Cisco often tests the misconception that any CLI command can be executed via NX-API, but in reality, NX-API has a restricted command set, and candidates may incorrectly attribute the error to credentials or API version mismatches.

How to eliminate wrong answers

Option A is wrong because an API version mismatch would typically return a different error, such as 'API version not supported' or a 400 Bad Request, not a generic JSON error about command permission. Option B is wrong because invalid credentials would result in an HTTP 401 Unauthorized response or an authentication failure message, not a command-level error. Option D is wrong because maintenance mode affects the switch's operational state and would generate a different error (e.g., 'switch is in maintenance mode'), not a command-specific rejection.

867
MCQmedium

In a Cisco HyperFlex cluster, a new ESXi host is being added. The host is discovered, but the cluster health status shows 'Degraded'. What should be the first troubleshooting step?

A.Reboot the new ESXi host.
B.Verify that the new host's controller VM has the same firmware version as the cluster.
C.Check if the vCenter Server is in maintenance mode.
D.Delete and re-create the cluster.
AnswerB

Firmware consistency is critical for cluster stability.

Why this answer

When adding a new ESXi host to a Cisco HyperFlex cluster, the controller VM (CVM) firmware version must match the cluster's version. A mismatch causes the cluster health status to show 'Degraded' because the CVMs cannot properly synchronize storage operations. Verifying and aligning the firmware version is the first troubleshooting step, as it directly impacts cluster stability.

Exam trap

Cisco often tests the misconception that a 'Degraded' cluster health status is due to network or vCenter issues, when in fact it frequently stems from firmware or software version mismatches in the HyperFlex storage layer.

How to eliminate wrong answers

Option A is wrong because rebooting the new ESXi host will not resolve a firmware version mismatch; it only restarts services without addressing the root cause. Option C is wrong because vCenter Server maintenance mode affects vCenter operations, not HyperFlex cluster health; a host in maintenance mode would not cause a 'Degraded' status due to firmware mismatch. Option D is wrong because deleting and re-creating the cluster is an extreme, unnecessary step that would disrupt operations; the issue is isolated to the new host's CVM firmware, not the cluster configuration.

868
Multi-Selecthard

Which THREE factors should be considered when calculating the required number of buffer credits for a long-distance Fibre Channel link? (Choose three.)

Select 3 answers
A.The link data rate (e.g., 16 Gbps).
B.The maximum frame size (e.g., 2148 bytes).
C.The number of VSANs configured.
D.The number of zones in the fabric.
E.The distance between the switches.
AnswersA, B, E

Higher data rates require more buffer credits to keep the link busy.

Why this answer

To calculate buffer credits, you need the distance, data rate, and frame size. Distance (Option E) affects propagation delay. Data rate (Option A) affects how many frames can be in flight. Maximum frame size (Option B) determines how many bytes each credit covers. Option C is wrong because VSAN count does not matter. Option D is wrong because the number of zones is irrelevant.

869
Multi-Selectmedium

A security engineer is deploying IP Source Guard on a Nexus switch. Which two components must be operational for IP Source Guard to function correctly?

Select 1 answer
A.Dynamic ARP Inspection
B.ACL
C.DHCP snooping
D.Cisco TrustSec
E.Port security
AnswersC

IP Source Guard uses DHCP snooping bindings.

Why this answer

IP Source Guard relies on the DHCP snooping binding table and validates the source IP address against it.

870
Multi-Selectmedium

A storage administrator reports that a host cannot reach any of the targets on a Cisco MDS 9000 Series switch. The VSAN configuration is correct, and all interfaces are up. Which two commands should be used to verify the Fibre Channel name server database and zoning configuration?

Select 2 answers
A.show zoneset active
B.show zone
C.show flogi database
D.show fcns database
E.show fcns details
AnswersA, D

Shows the active zoneset and its member devices, verifying zoning.

Why this answer

Option A is correct because the 'show zoneset active' command displays the currently active zone set, which is essential for verifying which zones are enforced by the switch. Since the VSAN configuration is correct and interfaces are up, a missing or incorrect active zone set could prevent the host from reaching any targets, even if the name server database is populated.

Exam trap

Cisco often tests the distinction between 'show flogi database' (which shows fabric login state) and 'show fcns database' (which shows name server registrations), leading candidates to mistakenly choose 'show flogi database' when the question asks for name server verification.

871
Multi-Selecthard

Which two benefits does EVPN provide compared to traditional VPLS? (Choose two.)

Select 2 answers
A.Simpler BGP configuration
B.Load balancing of traffic across multiple active paths
C.Reduced MAC address learning
D.No need for MPLS
E.Support for IP routing
AnswersB, E

EVPN allows active-active multihoming, improving bandwidth utilization.

Why this answer

EVPN uses BGP to advertise MAC addresses and IP prefixes, enabling per-flow load balancing across multiple equal-cost paths via its all-active multi-homing capability. In contrast, traditional VPLS relies on a single active forwarder per site (using Spanning Tree Protocol or VPLS Multihoming), which prevents active-active load balancing and wastes bandwidth.

Exam trap

Cisco often tests the misconception that EVPN simplifies BGP configuration or eliminates MPLS, when in fact EVPN requires more BGP knobs and still relies on an MPLS or VXLAN transport layer.

872
Multi-Selecthard

An engineer is configuring a HyperFlex cluster with three nodes. Which three components are required for a functional cluster? (Choose three.)

Select 3 answers
A.A witness VM for quorum
B.VMware vSphere or other supported hypervisor
C.HyperFlex HX Data Platform software
D.Cisco UCS Manager for node management
E.At least three storage nodes (converged or compute+storage)
AnswersB, C, E

HyperFlex runs on a hypervisor; vSphere is the most common.

Why this answer

HyperFlex requires at least three storage nodes for RF2, a vSphere cluster, and the HX Data Platform. In a standard deployment, 3 nodes form a cluster; the witness is optional for 3 nodes but often recommended. The question expects the core components: storage nodes, vSphere, and HXDP. A witness is not mandatory for 3-node RF2 clusters.

873
MCQmedium

An engineer is configuring a UCS service profile for PXE boot. The server must obtain an IP address from a DHCP server and then download the OS image from a TFTP server. Which boot policy parameters must be configured?

A.Configure the boot policy to use iSCSI boot.
B.Specify the DHCP server IP and TFTP server IP in the boot policy.
C.Select the SAN boot option and specify the WWPN.
D.Add a LAN boot entry and select the appropriate vNIC for PXE.
AnswerD

The LAN boot entry enables PXE boot on the specified vNIC.

Why this answer

PXE boot requires specifying the LAN boot option with the appropriate vNIC. In UCS, the boot policy can include a PXE boot entry that references a vNIC. DHCP and TFTP servers are configured externally; the boot policy just needs to enable PXE on the correct interface.

874
MCQeasy

In Cisco TrustSec, what is used to tag traffic based on identity or group membership?

A.VLAN ID
B.Security Group Tag
C.MAC address
D.IP address
AnswerB

SGTs carry identity information.

Why this answer

Security Group Tags (SGTs) are used to classify traffic by identity.

875
MCQeasy

A mid-size organization is upgrading its data center network to support server virtualization. They have deployed two Nexus 9300 switches as access switches for their server racks. The servers are configured with VLAN tagging and connect to the switches using trunks. The network administrator needs to ensure that the switches can provide default gateway services to the servers to reduce latency. They have configured VLAN interfaces (SVIs) and HSRP for redundancy. After implementation, the servers can communicate within the same VLAN but fail to reach the default gateway. The network administrator checks the switch configuration and finds that "ip routing" is not enabled globally. What is the most likely impact of this missing configuration?

A.The switches will not forward traffic between VLANs.
B.The servers will not receive DHCP addresses.
C.HSRP will not elect an active router.
D.The VLAN interfaces will not come up.
AnswerA

ip routing is required for inter-VLAN forwarding.

Why this answer

Without the 'ip routing' command enabled globally, the Nexus 9300 switches operate as Layer 2 devices only. This means they can forward frames within the same VLAN (since that relies on MAC address learning and switching), but they cannot perform IP routing between VLANs or route traffic to the configured SVI (VLAN interface) default gateway. The servers can communicate within the same VLAN because that is purely Layer 2 switching, but any attempt to reach the default gateway (which requires Layer 3 forwarding) fails because the switch does not have IP routing enabled.

Exam trap

Cisco often tests the misconception that HSRP or SVI functionality requires global IP routing to be enabled, when in fact HSRP can operate and SVIs can come up without 'ip routing', but inter-VLAN routing and default gateway reachability will fail.

How to eliminate wrong answers

Option B is wrong because DHCP address assignment relies on DHCP snooping, IP helper-address, or a DHCP server; the absence of 'ip routing' does not prevent a switch from relaying DHCP requests or a server from obtaining an IP address via broadcast within the same VLAN. Option C is wrong because HSRP operates at Layer 3 using the SVI IP address and does not require global IP routing to be enabled; HSRP can still elect an active router and maintain virtual IP/MAC addresses as long as the SVI is up and the HSRP configuration is correct. Option D is wrong because VLAN interfaces (SVIs) come up as long as the VLAN exists and at least one port in that VLAN is up; the 'ip routing' command does not affect the operational state of an SVI.

876
MCQhard

In a Fibre Channel over Ethernet (FCoE) deployment, which Data Center Bridging (DCB) feature is responsible for preventing frame loss due to congestion and ensuring the lossless behavior required for FCoE traffic?

A.Priority Flow Control (PFC)
B.Data Center Bridging Exchange (DCBX)
C.Enhanced Transmission Selection (ETS)
D.Jumbo frames
AnswerA

PFC provides per-priority pause to ensure lossless delivery for FCoE traffic.

Why this answer

Priority Flow Control (PFC) is a per-priority pause mechanism that creates lossless links for specific traffic classes such as FCoE.

877
MCQeasy

What is a key advantage of using structured data (e.g., JSON or XML) from Cisco NX-API responses compared to traditional CLI scraping (e.g., using regular expressions)?

A.It automatically commits changes to running-config.
B.It provides machine-readable output that is less prone to parsing errors due to display changes.
C.It requires no software libraries to parse.
D.It eliminates the need for any authentication.
AnswerB

Structured data is consistent across versions, while CLI output can change with cosmetic updates.

Why this answer

Option B is correct because structured data is predictable and parsable, reducing errors compared to relying on raw text output.

878
MCQmedium

A Nexus 9000 switch is configured with VPC. The VPC keepalive link fails. What is the effect on the VPC domain?

A.Both switches suspend the VPC VLANs.
B.Both switches continue to forward traffic normally.
C.The secondary switch suspends its VPC member ports.
D.The primary switch becomes orphan.
AnswerC

To avoid split-brain, the secondary switch suspends its VPC member ports while keepalive is down.

Why this answer

In a VPC domain, the keepalive link is used to monitor the liveness of the peer switch, but it does not carry data traffic. When the keepalive link fails, the secondary switch cannot confirm the primary is alive, so it suspends its VPC member ports to prevent a dual-active scenario. The primary switch remains active and continues forwarding traffic normally because it assumes the secondary has failed.

Exam trap

Cisco often tests the misconception that a keepalive link failure causes both switches to stop forwarding or that the primary becomes orphan, but the correct behavior is that only the secondary suspends its VPC member ports to maintain a single active forwarding path.

How to eliminate wrong answers

Option A is wrong because both switches do not suspend VPC VLANs; only the secondary suspends its VPC member ports to avoid a split-brain condition. Option B is wrong because both switches do not continue forwarding traffic normally; the secondary suspends its VPC ports, disrupting traffic on that side. Option D is wrong because the primary switch does not become orphan; it remains active and continues to forward traffic, while the secondary suspends its ports.

879
MCQmedium

A storage administrator needs to monitor traffic between two specific storage arrays without causing any disruption. Which approach should be used?

A.Configure a SPAN session on the MDS switch to copy traffic between the storage ports.
B.Use FC traceroute to identify the path.
C.Enable FC ping between arrays.
D.Use IVR to route traffic through a monitoring zone.
E.Configure port channel between arrays.
AnswerA

SPAN (Switched Port Analyzer) copies traffic to a monitor port for analysis without disruption.

Why this answer

Option A is correct because configuring a SPAN session on the MDS switch allows copying traffic between the storage ports to a monitoring port without affecting the original traffic flow. Option B (FC traceroute) only shows the path, not the traffic. Option C (FC ping) tests connectivity. Option D (IVR) is for routing, not monitoring. Option E (port channel) does not monitor.

880
MCQeasy

Which Fibre Channel frame field is used to identify the upper-layer protocol being carried?

A.Source FC ID
B.D_ID
C.CS_CTL
D.R_CTL
AnswerD

Routing Control field specifies the frame category and protocol.

Why this answer

Option D is correct. R_CTL indicates the frame's information category, including the upper-layer protocol (e.g., SCSI-FCP).

881
MCQeasy

An engineer needs to create a VSAN on a Cisco MDS switch with VSAN ID 50. Which command correctly creates the VSAN?

A.switch(config-vsan)# vsan 50
B.switch(config)# vsan 50
C.switch(config)# interface vsan 50
D.switch(config)# vsan database
AnswerB

This command creates VSAN 50 in global config.

Why this answer

Option B is correct. 'vsan <id>' in global config creates the VSAN. Option D is not complete.

882
MCQmedium

A storage administrator needs to ensure that a Fibre Channel zone configuration is operationally effective without disrupting the current active zone set. Which approach should be used?

A.Create the new zone configuration in the defined configuration, then activate it as a new zone set.
B.Delete the active zone set and create a new one.
C.Edit the active zone set directly.
D.Use the 'commit' command to update the zone set.
AnswerA

Standard best practice.

Why this answer

Option A is correct because in Cisco MDS Fibre Channel SANs, zone configurations are created in the defined configuration and then activated as a new zone set. This approach ensures that the current active zone set remains operational and unaffected during the configuration process, preventing any disruption to existing traffic. Only when the new zone set is explicitly activated does it replace the active set, allowing for a controlled cutover.

Exam trap

Cisco often tests the misconception that you can directly edit the active zone set, similar to how you might edit a running configuration on a router, but in Fibre Channel zoning, the active set is immutable and must be replaced via activation.

How to eliminate wrong answers

Option B is wrong because deleting the active zone set would immediately disrupt all Fibre Channel zoning, causing all devices to lose connectivity and potentially causing a SAN outage. Option C is wrong because editing the active zone set directly is not supported in Cisco MDS; the active zone set is a read-only copy of the last activated configuration, and any changes must be made to the defined configuration. Option D is wrong because the 'commit' command is used in Cisco NX-OS to apply pending configuration changes in other contexts (e.g., interface or VLAN configurations), but it is not a valid command for updating Fibre Channel zone sets; zone set activation is performed using the 'activate' command.

883
Multi-Selecteasy

Which TWO of the following are valid methods to enforce security on a Cisco Nexus switch? (Choose two.)

Select 2 answers
A.SSHv2
B.NetFlow
C.Control Plane Policing (CoPP)
D.FabricPath
E.Private VLANs
AnswersC, E

CoPP protects the control plane by rate-limiting traffic.

Why this answer

Control Plane Policing (CoPP) is a valid security enforcement method on Cisco Nexus switches because it protects the control plane from excessive or malicious traffic by applying QoS policies that rate-limit packets destined for the supervisor module. By filtering traffic such as routing protocols, SSH, or ICMP, CoPP prevents CPU overload and DoS attacks, directly enforcing security at the control plane level.

Exam trap

Cisco often tests the distinction between security enforcement mechanisms (like CoPP and Private VLANs) and management protocols (like SSH) or monitoring tools (like NetFlow), leading candidates to mistakenly select SSHv2 as a security enforcement method.

884
MCQeasy

Which VXLAN component is responsible for encapsulating and decapsulating Ethernet frames into UDP packets for transport over the IP network?

A.VTEP
B.VXLAN Gateway
C.VXLAN Tunnel
D.VNI
AnswerA

VTEP is the tunnel endpoint that does encapsulation.

Why this answer

The VTEP (Virtual Tunnel Endpoint) performs encapsulation and decapsulation of VXLAN frames.

885
MCQmedium

An engineer is configuring AAA on a Cisco Nexus switch to authenticate management access via TACACS+. The switch is reachable, but login attempts repeatedly fail. Which action should the engineer take to isolate the issue?

A.Enable 'debug tacacs' on the switch to see detailed TACACS+ exchange.
B.Run 'test aaa authentication login <user> <password> legacy' to validate AAA configuration.
C.Verify IP connectivity to the TACACS+ server using ping.
D.Check if the TACACS+ server port (49) is open using Telnet.
AnswerB

This command directly tests the AAA authentication process.

Why this answer

Option B is correct because the 'test aaa authentication login' command with the 'legacy' keyword directly validates the AAA authentication configuration against the TACACS+ server without requiring a full login session. This isolates whether the issue is with the AAA configuration itself versus network connectivity or server reachability, as the command simulates the exact authentication flow the switch uses.

Exam trap

Cisco often tests the distinction between connectivity verification (ping, port checks) and actual AAA authentication validation, trapping candidates who assume that reachability implies correct AAA operation, when in fact the shared secret, server configuration, or authentication method may be misconfigured.

How to eliminate wrong answers

Option A is wrong because enabling 'debug tacacs' generates verbose output that can overwhelm the console and impact performance, and it is a reactive troubleshooting step that should be used after confirming basic configuration and connectivity, not as the first isolation action. Option C is wrong because while IP connectivity is necessary, the switch is already reachable per the scenario, and ping only tests ICMP reachability, not whether the TACACS+ service is properly responding to authentication requests. Option D is wrong because using Telnet to test port 49 is not a valid method; Telnet uses TCP port 23, and testing a TACACS+ server port requires a TACACS+ client or a tool like 'telnet <server> 49' to check if the port is open, but this only verifies TCP connectivity, not the AAA authentication logic or shared secret correctness.

886
MCQmedium

A company is deploying a new Cisco UCS Mini. They need to ensure that the chassis can be managed from either fabric interconnect. What configuration is required to achieve this?

A.Configure a private VLAN to isolate management traffic
B.Set the chassis to in-band management mode
C.Enable FC-Zoning on the fabric interconnects
D.Configure a management VLAN on both fabric interconnects and enable chassis management on that VLAN
AnswerD

This allows the chassis to be reachable from both FIs for management purposes.

Why this answer

Option D is correct because Cisco UCS Mini requires a dedicated management VLAN to be configured on both fabric interconnects, and chassis management must be enabled on that VLAN. This allows the chassis management controller (CMC) to be reachable from either FI, enabling active/standby management redundancy without relying on a single point of control.

Exam trap

The trap here is that candidates often confuse in-band management (Option B) with the required out-of-band management VLAN configuration, mistakenly thinking that using the data path is sufficient for redundant chassis management.

How to eliminate wrong answers

Option A is wrong because private VLANs are used to isolate traffic within a VLAN (e.g., for multi-tenant environments) and are not required for chassis management redundancy in UCS Mini. Option B is wrong because in-band management mode is used for managing the chassis through the data path (e.g., via a server's vNIC), not for enabling management from either fabric interconnect; the correct approach is out-of-band management via a dedicated management VLAN. Option C is wrong because FC-Zoning is a Fibre Channel storage networking concept used to control access in a SAN fabric and has no role in enabling chassis management from either FI.

887
MCQmedium

A UCS administrator needs to perform a firmware upgrade on a UCS B-Series blade server. Which management interface should be used to perform the upgrade remotely?

A.HyperFlex Connect
B.Cisco IMC Supervisor
C.UCS Manager
D.CIMC of the blade server
AnswerC

Correct. UCS Manager manages firmware for all components.

Why this answer

UCS Manager provides centralized firmware management for all blades and FIs. The administrator can initiate firmware updates through UCS Manager GUI or CLI, which handles the upgrade process across the domain.

888
MCQmedium

A data center team is configuring a Cisco MDS switch to support multiple isolated SAN environments on the same physical infrastructure. They need to create separate fabrics that are completely isolated at Layer 2. Which technology should be used?

A.NPV
B.VSANs
C.Zoning
D.PortChannels
AnswerB

VSANs create separate logical SANs, providing complete isolation.

Why this answer

VSANs provide isolation similar to VLANs in Ethernet, allowing multiple virtual Fibre Channel fabrics on the same physical switch.

889
MCQmedium

A data center administrator is implementing Cisco TrustSec on a Nexus 7000 switch to enforce role-based access control. After configuring a security group tag (SGT) classification policy, users report that traffic between two servers is not being tagged. What is the most likely cause?

A.DHCP snooping is not enabled on the VLAN.
B.The ingress interface is missing the 'sgt' or 'ip policy' command to classify traffic.
C.The switch ASIC does not support TrustSec in hardware.
D.The SGT is assigned on the egress interface instead of ingress.
AnswerB

Ingress interface must have 'sgt' or 'ip policy' to assign SGTs.

Why this answer

Option B is correct because Cisco TrustSec requires the ingress interface to be explicitly configured with either the 'sgt' command (for static SGT assignment) or an 'ip policy' command (for dynamic SGT classification via a security group ACL). Without this, the switch cannot classify traffic and apply the SGT tag. The scenario describes a classification policy that is not being applied, which directly points to a missing ingress classification command.

Exam trap

The trap here is that candidates often assume SGT classification is automatic once a policy is defined, but Cisco explicitly tests that the ingress interface must have the 'sgt' or 'ip policy' command to trigger classification.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is unrelated to SGT classification; it is a security feature to prevent rogue DHCP servers and does not affect SGT tagging. Option C is wrong because the Nexus 7000 series switches (with the appropriate line cards, e.g., F2e, M3) support TrustSec in hardware; the question does not indicate a hardware limitation, and the issue is configuration-based. Option D is wrong because SGTs are assigned on the ingress interface, not egress; egress interfaces enforce policies based on the SGT but do not assign the tag.

890
MCQmedium

In a UCS environment, an administrator needs to restrict access to the UCS Manager so that only specific users can configure server policies. Which feature should be used?

A.CoPP
B.IP Source Guard
C.SED encryption
D.RBAC in UCS Manager
AnswerD

RBAC in UCS Manager defines roles and privileges for users.

Why this answer

UCS Manager role-based access control (RBAC) allows granular assignment of privileges to users.

891
MCQmedium

A VACL is configured to capture traffic between hosts in the same VLAN. The capture port is configured and the VACL is applied to the VLAN. However, no traffic is being captured. What is a likely reason?

A.The VACL is applied in the wrong direction
B.The capture port is a SPAN destination port
C.The VACL does not have a capture action
D.The capture port is not in the same VLAN
AnswerC

Without the capture action, the VACL will not copy packets to the capture port.

Why this answer

Option C is correct because a VACL (VLAN Access Control List) must explicitly include a capture action to forward matched traffic to a capture port. Without the capture action, the VACL only permits or denies traffic within the VLAN but does not trigger packet replication to the configured capture port. The capture action is configured using the `capture` keyword in the VACL configuration, and its absence is the most common reason for no traffic being captured.

Exam trap

The trap here is that candidates often assume a VACL applied to a VLAN will automatically send all matched traffic to a capture port, overlooking the explicit `capture` action required in the VACL configuration.

How to eliminate wrong answers

Option A is wrong because VACLs are applied to VLANs, not to interfaces, and they operate on traffic within the VLAN regardless of direction; direction-based ACLs are for router ACLs, not VACLs. Option B is wrong because a SPAN destination port cannot be used as a capture port for VACL capture; VACL capture requires a dedicated capture port configured with the `switchport capture` command, and SPAN and VACL capture are mutually exclusive on the same port. Option D is wrong because the capture port does not need to be in the same VLAN as the traffic being captured; VACL capture replicates traffic to the capture port regardless of its VLAN membership, as long as the capture port is configured correctly.

892
MCQhard

An engineer is configuring a UCS service profile for a blade server that will boot from SAN. The storage is connected via FC SAN. Which policy must be included in the service profile to define the WWPNs for the HBAs?

A.Network control policy
B.Boot policy
C.SAN connectivity policy
D.vNIC placement policy
AnswerC

SAN connectivity policy specifies the vHBA configuration, including WWPN assignment.

Why this answer

To boot from SAN, the service profile must include a SAN connectivity policy that defines the WWPNs (World Wide Port Names) for the vHBAs. This policy assigns WWPNs from a pool or statically.

893
MCQhard

A UCS domain is experiencing intermittent storage connectivity. The storage admin confirms the SAN is properly zoned and the VSANs are configured. The UCS admin finds that the host interfaces (HBAs) are showing 'Link Down' intermittently. Which of the following is a likely cause?

A.Incompatible HBA firmware
B.Mismatched fabric failover policy
C.Incorrect Fibre Channel interface mode on the FI
D.Faulty SFP or cable
AnswerD

Physical layer issues often cause intermittent link flapping.

Why this answer

Intermittent 'Link Down' on HBAs, despite correct SAN zoning and VSAN configuration, strongly points to a physical-layer issue. Faulty SFPs or damaged cables cause intermittent link flaps, which manifest as sporadic HBA link-down events. This is the most common cause of such symptoms in UCS environments.

Exam trap

Cisco often tests the distinction between physical-layer issues (SFP/cable) and configuration or policy errors, tempting candidates to overthink with fabric failover or interface mode when the symptom is a simple link flap.

How to eliminate wrong answers

Option A is wrong because incompatible HBA firmware typically causes persistent driver errors or failure to log in to the fabric, not intermittent link flaps. Option B is wrong because mismatched fabric failover policy affects how traffic is redirected during a failure, not the physical link state of the HBA. Option C is wrong because incorrect Fibre Channel interface mode on the FI (e.g., End Host vs. Switching mode) impacts upstream FLOGI behavior and zoning, not the point-to-point link status between the HBA and the FI.

894
MCQmedium

An engineer is configuring zoning on a Cisco MDS switch. The requirement is to allow a single host HBA to access two storage array ports. Which zone configuration meets this requirement?

A.Create a zone with the host's port ID and both storage port IDs.
B.Create one zone with all three WWPNs.
C.Create one zone with the host's WWPN and one storage port WWPN, and another zone with the host's WWPN and the second storage port WWPN.
D.Create a zone with the host's WWPN and both storage ports as a single zone.
AnswerC

Both zones include the host and each storage port, allowing access to both.

Why this answer

A zone should include the host's WWPN and both storage ports' WWPNs. Zoning by WWPN is hardware-independent and more secure.

895
Multi-Selecthard

In a vPC environment, which two conditions must be identical on both vPC peer switches to ensure proper consistency? (Choose two.)

Select 2 answers
A.VLAN configuration on the member ports
B.System priority
C.Port channel mode (active/passive)
D.STP port type (edge, network, normal)
E.Peer-keepalive IP address
AnswersA, D

Allowed VLANs must match.

Why this answer

vPC consistency checks ensure that both peers have identical configurations for vPC member ports. Key parameters that must match include VLANs allowed on the port channel, STP settings (e.g., port type), MTU, and spanning-tree port settings. Port channel mode must be 'on' (no LACP) or LACP active/passive must match; typically both sides use the same mode. The peer-keepalive IP addresses are different because they are on different switches.

896
MCQmedium

A network administrator needs to configure iSCSI multipath I/O (MPIO) for a host connecting to a storage array. Which requirement must be met to ensure that MPIO functions correctly with load balancing?

A.The iSCSI initiator must use CHAP authentication
B.Jumbo frames must be enabled on all switches
C.The host must have multiple network interfaces on different subnets
D.The storage array must support synchronous replication
AnswerC

Multiple distinct network paths are required for MPIO to provide redundancy and load balancing.

Why this answer

MPIO requires multiple paths between the initiator and target. Each path must be on a separate network interface and subnet to provide redundancy and load balancing.

897
MCQeasy

A network engineer is troubleshooting VXLAN connectivity between two VTEPs. The source VTEP is configured with `nve1` and member VNI 10000. The `show nve peers` command shows the remote VTEP IP but the status is 'Init'. What is a likely cause?

A.The multicast group is not reachable.
B.The remote VTEP is not configured with the same VNI.
C.The MTU is too low.
D.The VRF is mismatched between the VTEPs.
AnswerA

VXLAN relies on multicast for BUM traffic; if the multicast group is unreachable, the peer remains in 'Init'.

Why this answer

The 'Init' status in the output of 'show nve peers' indicates that the VXLAN tunnel endpoint (VTEP) has learned the remote VTEP IP address (likely via BGP EVPN or static configuration) but is unable to complete the tunnel establishment. In VXLAN multicast mode, the underlay multicast group is used for BUM traffic and for VTEP discovery. If the multicast group is not reachable (e.g., due to missing PIM configuration, incorrect RP, or firewall filtering), the source VTEP cannot receive the multicast join or data from the remote VTEP, leaving the peer stuck in 'Init' state.

Exam trap

Cisco often tests the distinction between control-plane and data-plane issues; the trap here is that candidates assume 'Init' means a configuration mismatch (like VNI or VRF) rather than an underlay multicast reachability problem, because they overlook that VXLAN multicast mode requires a functional underlay multicast tree for peer establishment.

How to eliminate wrong answers

Option B is wrong because a VNI mismatch would typically cause the remote VTEP to not advertise that VNI in BGP EVPN, resulting in the peer not being learned at all, or the VNI not being operational, but the peer status would not show 'Init' for a learned peer. Option C is wrong because an MTU issue would cause packet fragmentation or drops after the tunnel is established, not prevent the peer from leaving the 'Init' state; the 'Init' state is a control-plane issue, not a data-plane MTU problem. Option D is wrong because a VRF mismatch would affect traffic forwarding and route import/export in BGP EVPN, but the peer status is independent of VRF configuration; the VTEP peer can still be established even with mismatched VRFs, though traffic may not be forwarded correctly.

898
MCQhard

A UCS domain has two fabric interconnects in end-host mode. The engineer needs to implement a policy that ensures all traffic from a specific vNIC is load-balanced across both uplinks to the upstream switches. Which type of policy should be used?

A.Link aggregation policy
B.Pin group policy
C.QoS policy
D.Network control policy
AnswerB

Allows pinning a vNIC to specific uplinks or 'no-pin' for load balancing across all.

Why this answer

In a UCS domain with fabric interconnects in end-host mode, a Pin Group policy is used to explicitly map a vNIC's traffic to specific uplink ports, ensuring load balancing across the upstream switches. This policy overrides the default MAC-based hashing and allows the engineer to control traffic distribution, which is critical for consistent performance and redundancy.

Exam trap

Cisco often tests the distinction between Pin Group policies (which control per-vNIC traffic distribution) and Link Aggregation policies (which bundle ports), leading candidates to mistakenly choose the latter when the question emphasizes load balancing across individual uplinks rather than aggregated bandwidth.

How to eliminate wrong answers

Option A is wrong because a Link Aggregation policy (LACP) bundles multiple uplinks into a single logical link for increased bandwidth and redundancy, but it does not control per-vNIC traffic distribution across individual uplinks; it operates at the port-channel level. Option C is wrong because a QoS policy manages traffic prioritization and bandwidth allocation, not load balancing or path selection for a specific vNIC. Option D is wrong because a Network Control policy defines Layer 2 features like STP or LLDP, but it does not influence how vNIC traffic is pinned or load-balanced across uplinks.

899
MCQhard

An administrator is deploying a new application in a Cisco ACI fabric. The application requires multicast traffic between end hosts. Which configuration is necessary for multicast in ACI?

A.Enable PIM on the leaf switches.
B.Configure a multicast group in the EPG.
C.Create a multicast policy in the bridge domain.
D.Use IGMP snooping only.
AnswerC

A multicast policy in the bridge domain enables multicast forwarding.

Why this answer

In Cisco ACI, multicast forwarding is enabled at the bridge domain level using a multicast policy. This policy configures the necessary IGMP snooping and multicast group membership for the fabric, allowing end hosts to receive multicast traffic without requiring PIM on the leaf switches. Option C is correct because the bridge domain multicast policy is the required configuration for multicast in ACI.

Exam trap

Cisco often tests the misconception that PIM must be enabled for multicast in ACI, but the fabric's overlay uses head-end replication and IGMP snooping at the bridge domain level instead.

How to eliminate wrong answers

Option A is wrong because PIM is not required in ACI; the fabric uses a head-end replication model with IGMP snooping and a multicast policy, not traditional PIM routing. Option B is wrong because multicast groups are not configured in the EPG; the EPG defines endpoint groups and contracts, while multicast group membership is managed via the bridge domain multicast policy. Option D is wrong because IGMP snooping alone is insufficient; ACI requires the multicast policy in the bridge domain to enable the fabric's multicast forwarding behavior, including head-end replication.

900
MCQhard

In an ACI fabric, a contract between two EPGs uses a filter that permits TCP port 443. The provider EPG is configured with a VMM domain integration. Which statement about the contract's effect is true?

A.Both directions are allowed for TCP 443.
B.Traffic from the provider EPG to the consumer EPG on TCP 443 is allowed.
C.Traffic from the consumer EPG to the provider EPG on TCP 443 is allowed.
D.The VMM domain overrides the contract and permits all traffic.
AnswerB

Provider offers service; consumer accesses it, so traffic from provider to consumer is allowed.

Why this answer

Contracts in ACI allow the specified traffic direction from provider to consumer. The provider EPG is the one that offers the service. VMM integration allows EPGs to be mapped to VMware port groups.
