Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 901–975

1000 questions total · 14 pages · All types, answers revealed

Page 13 of 14
901
MCQ · medium

A company recently deployed Cisco UCS B-Series blades with a single Fabric Interconnect. During a maintenance window, the Fabric Interconnect must be upgraded. Which action ensures minimal disruption to running workloads?

A. Disassociate service profiles from blades, upgrade the Fabric Interconnect, then re-associate the service profiles.
B. Use the UCS Manager GUI to migrate all service profiles to a second Fabric Interconnect.
C. Shut down all blades gracefully, upgrade the Fabric Interconnect, then power on blades.
D. Change the boot order of blades to boot from NFS image, then upgrade FI.
Answer: A

Blades continue running; only management connectivity is lost temporarily.

Why this answer

Option A is correct because disassociating service profiles from the blades detaches the logical configuration from the physical hardware, allowing the single Fabric Interconnect to be upgraded without affecting the running workloads. The blades continue to run their current operating system and applications, and once the upgrade is complete, re-associating the service profiles restores management connectivity without requiring a reboot or workload interruption.

Exam trap

Cisco often tests the misconception that shutting down blades or migrating to a second Fabric Interconnect is required, but the key is that disassociating service profiles decouples management from the running workload, enabling a non-disruptive upgrade on a single Fabric Interconnect.

How to eliminate wrong answers

Option B is wrong because migrating service profiles to a second Fabric Interconnect requires a second Fabric Interconnect to be present, but the scenario specifies a single Fabric Interconnect, making this option technically impossible. Option C is wrong because shutting down all blades gracefully causes a complete outage for all running workloads, which is not minimal disruption. Option D is wrong because changing the boot order to boot from an NFS image does not address the Fabric Interconnect upgrade; the blades still rely on the Fabric Interconnect for network connectivity, and the upgrade would disrupt that connectivity.

902
MCQ · medium

An engineer needs to deny all traffic between two EPGs in ACI while allowing other EPG communications. Which construct should be used?

A. Filter with action deny
B. Taboo contract
C. QoS policy
D. VRF with route leaking
Answer: B

Taboo contracts enforce a deny-all policy between EPGs.

Why this answer

Taboo contracts are used to explicitly deny traffic between EPGs.

903
MCQ · hard

A large enterprise data center is deploying a new application using Cisco ACI with a multi-pod design. The application requires low-latency communication between servers in different pods. The network team has configured the ACI fabric with two pods, each connected via inter-pod network (IPN) switches. After deployment, the application experiences intermittent latency spikes and packet loss. The APIC health scores remain high but the latency issue persists. The team has verified the underlay IP connectivity and MTU settings. What is the most likely cause of the latency issues?

A. The application servers are using different VLANs that are not stretched between pods.
B. The CoS settings for the application traffic are not properly mapped to the appropriate queue on the IPN switches.
C. The IPN switches are using a shared link aggregation group that is causing traffic congestion.
D. The inter-pod network is not configured with enough bandwidth due to oversubscription.
Answer: B

Improper CoS mapping leads to sporadic drops.

Why this answer

In a Cisco ACI multi-pod design, the IPN switches must properly trust and map the CoS values from the ACI fabric to the appropriate egress queues. If the CoS markings are not correctly configured on the IPN switches, application traffic can experience buffer drops and latency spikes even when the underlay has sufficient bandwidth and the APIC health scores are high. This is a common misconfiguration because the IPN switches are Layer 3 devices that require explicit QoS policies to preserve the ACI fabric's priority handling.

Exam trap

Cisco often tests the misconception that underlay connectivity and MTU settings are sufficient for multi-pod performance, when in fact the IPN switches require explicit QoS configuration to preserve ACI's priority handling across pods.

How to eliminate wrong answers

Option A is wrong because VLANs are not stretched between pods in ACI multi-pod; inter-pod traffic uses Layer 3 routing via the IPN, so different VLANs per pod do not cause latency or packet loss. Option C is wrong because a shared link aggregation group (LAG) on IPN switches would not inherently cause congestion; LAGs are used for bandwidth aggregation and redundancy, and the issue is about queue drops, not link bundling. Option D is wrong because oversubscription of the inter-pod network would manifest as consistent congestion and high APIC health degradation, not intermittent latency spikes with high health scores; the problem is QoS misconfiguration, not bandwidth shortage.

904
MCQ · medium

An engineer is designing a UCS Mini deployment for a remote office. The chassis will contain four blade servers. Each server needs two 10GbE connections for data and one 1GbE for management. What is the minimum number of fabric interconnects required?

A. One
B. Three
C. Four
D. Two
Answer: A

UCS Mini can operate with a single FI for up to four blades, meeting the requirement.

Why this answer

A single UCS Mini fabric interconnect (FI) can provide both data and management connectivity for up to eight blade servers in a single chassis. Each blade server requires two 10GbE data connections (from the integrated VIC) and one 1GbE management connection (from the Cisco Integrated Management Controller, or CIMC). The FI aggregates these connections internally, so one FI is sufficient for a four-server deployment, as UCS Mini supports a single FI configuration for non-redundant setups.

Exam trap

Cisco often tests the misconception that each blade server's management connection requires a separate physical port or that two FIs are always needed for any UCS deployment, but UCS Mini's integrated architecture allows a single FI to handle both data and management for up to eight blades.

How to eliminate wrong answers

Option B is wrong because three fabric interconnects are not supported in UCS Mini; the architecture only supports one or two FIs for redundancy. Option C is wrong because four fabric interconnects exceed the maximum supported in any UCS Mini configuration (max two). Option D is wrong because two fabric interconnects are only required for redundancy (e.g., for high availability or dual-homing), not for meeting the minimum connectivity needs of four blade servers; the question asks for the minimum number.

905
MCQ · easy

Which NX-OS command displays the current VLAN configuration on a Nexus switch?

A. show vlan
B. show running-config vlan
C. show vlan brief
D. show interface vlan
Answer: A

Correct command.

Why this answer

The 'show vlan' command displays VLAN IDs, names, and status.

906
Multi-Select · medium

Which TWO statements about Cisco UCS service profiles are correct? (Choose TWO.)

Select 2 answers
A. Service profiles are only supported on B-Series blades.
B. Service profiles can include policies for firmware management.
C. A service profile can be associated with one server at a time.
D. Service profiles are tied to specific physical hardware.
E. A service profile does not include network identity settings such as MAC addresses.
Answers: B, C

Firmware policies can be included.

Why this answer

Option B is correct because Cisco UCS service profiles can include firmware management policies that specify the firmware versions to be applied to the associated server components, such as adaptors, BIOS, and storage controllers. This allows administrators to enforce consistent firmware levels across the infrastructure without manual intervention.

Exam trap

Cisco often tests the misconception that service profiles are hardware-specific or only apply to B-Series blades, when in fact they are designed to be hardware-agnostic and support both blade and rack server form factors.

907
MCQ · easy

Which RAID level provides both striping and mirroring for high performance and fault tolerance?

A. RAID 0
B. RAID 5
C. RAID 10
D. RAID 6
Answer: C

RAID 10 combines mirroring and striping for performance and fault tolerance.

Why this answer

RAID 10 (also known as RAID 1+0) combines mirroring and striping to provide both high performance and redundancy.

908
MCQ · easy

A network engineer is configuring a UCS service profile for a new blade server. The requirement is that if the blade fails, it can be replaced with any blade of the same model without reconfiguration. Which UCS feature enables this capability?

A. VLAN configuration
B. Stateless computing
C. RAID configuration
D. Firmware management policies
Answer: B

Stateless computing decouples the server identity from the hardware, enabling swap without reconfiguration.

Why this answer

Stateless computing in UCS abstracts the hardware identity and configuration via service profiles, allowing a replacement blade to inherit the same configuration without manual reconfiguration.

909
Multi-Select · hard

A data center engineer is implementing model-driven telemetry using Cisco NX-OS. Which three components are required in the telemetry configuration? (Choose three.)

Select 3 answers
A. An HTTPS certificate for authentication
B. An SNMP community string
C. A sensor path to specify the data to stream
D. A subscription to a YANG data model
E. A destination profile with collector IP and port
Answers: C, D, E

Specifies which data to collect.

Why this answer

Option C is correct because a sensor path defines the specific YANG data model paths or operational data that the device will stream to the collector. In model-driven telemetry on Cisco NX-OS, the sensor path is the fundamental component that tells the device exactly which data to monitor and stream, such as 'Cisco-NX-OS-device:System/clock-items' or interface statistics paths.

Exam trap

The trap here is that candidates confuse model-driven telemetry with SNMP or traditional monitoring, mistakenly thinking SNMP community strings or HTTPS certificates are core components, when in fact the three required components are the sensor path, subscription, and destination profile.

910
MCQ · medium

A UCS domain has two Fabric Interconnects (FI-A and FI-B) in a redundant configuration. A blade server is configured with two vNICs: one for FI-A and one for FI-B. What happens if FI-A fails?

A. Traffic is automatically failed over to the vNIC connected to FI-B
B. The blade loses all network connectivity
C. Both vNICs are reconnected to FI-B automatically
D. The blade continues to use the vNIC on FI-A but without redundancy
Answer: A

The NIC teaming or failover mechanism (e.g., active-backup) will use the second vNIC.

Why this answer

With active-standby vNIC failover configuration (default), the vNIC connected to FI-A will fail, and the operating system will use the vNIC connected to FI-B, ensuring connectivity through the remaining fabric.

911
MCQ · hard

A storage administrator configures zoning on a Cisco MDS switch. The requirement is to prevent any changes to the zone set from taking effect unless explicitly activated. Which configuration is correct?

A. Create zones and directly add them to the database; activation is automatic.
B. Create zones and add them to the active zone set; deactivate the zone set to apply changes.
C. Create zones, add them to the zone set, then activate the zone set.
D. Create zones and add them to the full zone set; the switch automatically activates changes.
Answer: C

Zones must be added to a zone set, which is then activated to become the active zone set.

Why this answer

The active zone set is the only zone set that is enforced; changes must be activated to apply.

912
MCQ · medium

A company wants to automate backup of running-configurations for 200 Nexus switches. Which solution provides the best combination of reliability and version history?

A. Manual backup via CLI
B. Custom Python script using TFTP
C. Ansible playbook with the nxos_config backup option
D. A cron job that SCPs config to a server
Answer: C

Idempotent, stores backups with timestamps, supports diffs.

Why this answer

An Ansible playbook with the nxos_config backup option is the best solution because it provides idempotent, version-controlled backups of running-configurations across 200 Nexus switches. The nxos_config module automatically creates a timestamped backup file on the Ansible control node, ensuring both reliability through automated, consistent execution and a built-in version history via the backup files. This approach scales efficiently without requiring manual intervention or fragile scripting.

Exam trap

Cisco often tests the misconception that any automated backup method is sufficient, but the trap here is that only Ansible's nxos_config backup option combines reliability, scalability, and built-in version history without requiring custom scripting or insecure protocols like TFTP.

How to eliminate wrong answers

Option A is wrong because manual backup via CLI is not scalable for 200 switches, lacks version history, and is prone to human error. Option B is wrong because a custom Python script using TFTP is unreliable due to TFTP's lack of authentication and encryption, and it does not inherently provide version history or idempotency. Option D is wrong because a cron job that SCPs config to a server offers no built-in version history or rollback capability, and it requires custom scripting to manage backups reliably across many devices.

913
MCQ · easy

A data center has 100 Nexus switches in a fabric managed by Cisco Nexus Dashboard Orchestrator (NDO). The network team needs to automate the creation of a new network template that includes multiple VLANs and VRF configurations. They want to ensure that the template is applied consistently across all leaf switches without manual intervention. The engineer writes a Python script using the NDO REST API to create the template and deploy it. However, the deployment fails with an error 'Template validation failed: overlapping IP subnets'. Upon reviewing the template, the engineer notices that two VLANs have overlapping subnet definitions. Which action should the engineer take to resolve this issue efficiently?

A. Use the NDO GUI to edit the template and then re-run the script
B. Manually correct the overlapping subnets in the template and re-run the deployment script
C. Create separate templates for each VLAN to avoid overlaps
D. Modify the Python script to ignore validation errors and force the deployment
Answer: B

Directly fixes the root cause; then automation can proceed.

Why this answer

Option B is correct because the root cause of the deployment failure is overlapping IP subnets in the template definition. Manually correcting the overlapping subnets in the template and re-running the deployment script directly resolves the validation error without introducing unnecessary complexity or risk. This approach ensures the template is valid before deployment, maintaining consistency across all leaf switches.

Exam trap

Cisco often tests the candidate's ability to distinguish between fixing the root cause (overlapping subnets) versus workarounds that bypass validation or increase complexity, testing whether you understand that automation must still adhere to network design rules.

How to eliminate wrong answers

Option A is wrong because using the NDO GUI to edit the template is not efficient; it introduces manual steps that defeat the automation goal and does not leverage the script for consistent deployment. Option C is wrong because creating separate templates for each VLAN does not address the overlapping subnet issue; it adds administrative overhead and may still result in overlaps if not carefully managed. Option D is wrong because modifying the Python script to ignore validation errors would force deployment of an invalid configuration, potentially causing IP conflicts and network outages across the fabric.

914
Multi-Select · hard

An engineer is hardening a Nexus switch. Which THREE actions should be taken? (Choose three.)

Select 3 answers
A. Use SNMPv1 for monitoring
B. Disable unused services like HTTP and Telnet
C. Configure CoPP to protect the control plane
D. Enable LLDP on all interfaces
E. Enable SSH only for remote management
Answers: B, C, E

Reduces attack surface.

Why this answer

Disabling unused services, enabling SSH only, and configuring CoPP are standard hardening practices.

915
MCQ · medium

An engineer is troubleshooting a BGP EVPN session between a leaf and a spine. The 'show bgp l2vpn evpn summary' output shows the peer state as 'Active'. What does this indicate?

A. The session is in the process of being established.
B. The session is up and exchanging prefixes.
C. There is a configuration mismatch.
D. The TCP connection is not established.
Answer: D

Active means BGP is trying to establish a TCP connection.

Why this answer

In BGP EVPN, the 'Active' state indicates that the BGP speaker is actively trying to establish a TCP connection with the peer but has not yet completed the three-way handshake. This means the TCP session is not established, which is a prerequisite for BGP session establishment. The peer remains in 'Active' until the TCP connection is successfully formed.

Exam trap

The trap here is that candidates often confuse 'Active' with 'Connect' or think it means the session is actively exchanging routes, when in fact it indicates a TCP connection failure that must be resolved before BGP can proceed.

How to eliminate wrong answers

Option A is wrong because the 'Active' state specifically indicates that the TCP connection is not yet established, not that the session is in the process of being established (which would be 'Connect' or 'OpenSent' states). Option B is wrong because a session that is up and exchanging prefixes would be in the 'Established' state, not 'Active'. Option C is wrong because a configuration mismatch typically results in the session flapping or staying in 'Idle' state, not 'Active'; 'Active' is a TCP connection issue, not a configuration mismatch.

916
MCQ · medium

A UCS B-Series blade server shows high CPU latency when processing network I/O. The engineer suspects a bottleneck in the I/O subsystem. Which metric in UCS Manager should be examined first?

A. vNIC utilization percentage
B. Fabric port error counts
C. Memory usage statistics
D. Power consumption per server
Answer: B

Errors cause retransmissions and latency.

Why this answer

Fabric port error counts directly reflect physical-layer issues (e.g., CRC errors, alignment errors, link flaps) that cause retransmissions and backpressure, leading to high CPU latency on the blade server. In UCS Manager, these counters are the first place to check when suspecting an I/O subsystem bottleneck because they pinpoint problems in the fabric interconnect or cabling before examining higher-layer metrics.

Exam trap

Cisco often tests the distinction between utilization metrics (which show load) and error metrics (which show health), so candidates mistakenly pick vNIC utilization thinking high usage equals a bottleneck, when the real issue is physical-layer errors causing retransmissions.

How to eliminate wrong answers

Option A is wrong because vNIC utilization percentage measures throughput usage, not errors or latency; high utilization alone does not cause CPU latency unless accompanied by errors or congestion. Option C is wrong because memory usage statistics indicate system memory pressure, which can affect overall performance but is not specific to the I/O subsystem or network latency. Option D is wrong because power consumption per server relates to thermal or power capacity issues, not to network I/O latency or fabric errors.

917
MCQ · easy

An organization adopts Infrastructure as Code (IaC) for network automation. Which tool is commonly used to manage ACI fabric configuration declaratively?

A. Terraform
B. Python acitoolkit
C. NX-API CLI
D. Ansible
Answer: A

Terraform natively supports declarative configuration.

Why this answer

Terraform with the terraform-provider-aci allows declarative management of ACI objects.

918
Multi-Select · medium

Which TWO statements correctly describe the benefits of thin provisioning in a storage array?

Select 2 answers
A. It eliminates the need for RAID protection
B. It improves performance by pre-allocating all storage upfront
C. It allows over-provisioning of logical capacity beyond physical capacity
D. It simplifies disaster recovery by replicating only allocated blocks
E. It reduces storage costs by allocating physical space only when data is written
Answers: C, E

Thin provisioning supports over-allocation, enabling administrators to present more capacity than physically available.

Why this answer

Thin provisioning allows over-allocation of storage capacity, reducing waste, and enables on-demand allocation of physical storage as data is written.

919
MCQ · hard

In an ACI fabric, a security policy requires that traffic from EPG1 to EPG2 be denied, but all other inter-EPG traffic is permitted by default. Which type of contract should be used?

A. Taboo contract
B. No contract
C. Regular contract with a deny filter
D. Intra-EPG contract
Answer: A

Taboo contracts explicitly deny specified traffic between EPGs.

Why this answer

Taboo contracts are used to explicitly deny traffic between EPGs. By default, no traffic is permitted between EPGs unless a contract is applied; contracts permit traffic. To deny specific traffic, even where a regular contract between the two EPGs exists, a taboo contract that explicitly denies that traffic is used.

920
MCQ · easy

An engineer is configuring a UCS server profile for a database application that requires low latency. The server will use a Cisco UCS VIC 1340 adapter. Which vNIC placement policy should be selected to minimize latency?

A. Assigned
B. Any
C. Default
D. Round-Robin
Answer: A

Assigned placement pins the vNIC to a specific adapter port, reducing latency.

Why this answer

The Assigned vNIC placement policy binds each vNIC to a specific physical port on the Cisco UCS VIC 1340 adapter, ensuring deterministic traffic flow and predictable latency. For low-latency database applications, this eliminates the variability introduced by dynamic placement, allowing the engineer to align vNICs with the most direct PCIe path to the CPU or memory.

Exam trap

Cisco often tests the misconception that Round-Robin provides load balancing for low latency, but the trap here is that Round-Robin optimizes for bandwidth distribution, not latency minimization, and the Assigned policy is the only one that guarantees fixed path placement for deterministic performance.

How to eliminate wrong answers

Option B (Any) is wrong because it allows the system to dynamically assign vNICs to any available physical port, which can introduce latency variation and suboptimal traffic distribution. Option C (Default) is wrong because it typically applies a system-defined policy that may not guarantee the deterministic placement required for low-latency workloads. Option D (Round-Robin) is wrong because it distributes vNICs sequentially across ports without considering latency sensitivity, potentially causing mismatched traffic patterns and increased jitter.

921
MCQ · easy

Which type of I/O module (IOM) is installed in a UCS 5108 blade chassis to provide connectivity between blade servers and the fabric interconnects?

A. MDS switch
B. CIMC
C. Nexus 2000
D. FEX (Fabric Extender)
Answer: D

The IOMs in UCS chassis are essentially fabric extenders that extend the FI fabric to the blades.

Why this answer

The IOMs in a 5108 chassis connect the blade midplane to the fabric interconnects via server ports. There are typically two IOMs for redundancy.

922
MCQ · medium

Refer to the exhibit. A UCS B-Series blade shows a failed power supply. The blade is currently running. Which action should the engineer take to replace the power supply without causing service disruption?

A. Replace the power supply only after the blade is isolated from the fabric.
B. Replace the failed power supply in the chassis without affecting the blade.
C. Shut down the blade, replace the power supply, then power on.
D. Replace the failed power supply while the blade remains powered on.
Answer: D

The blade has redundant power supplies; hot-swap is supported.

Why this answer

Option D is correct because UCS B-Series blades use a shared chassis power infrastructure with N+1 redundancy. The failed power supply can be hot-swapped while the blade remains powered on, as the remaining power supplies in the chassis will continue to provide power without interruption. No blade isolation or shutdown is required, as the chassis power subsystem is designed for concurrent maintenance.

Exam trap

Cisco often tests the misconception that a blade must be shut down or isolated before replacing a chassis-level component, but the key is understanding that UCS chassis power supplies are hot-swappable and redundant, so no blade-level action is needed.

How to eliminate wrong answers

Option A is wrong because isolating the blade from the fabric (disconnecting its virtual interfaces) is unnecessary for power supply replacement; the blade's power is independent of fabric connectivity. Option B is wrong because it implies the power supply can be replaced without any effect on the blade, but the correct procedure is to replace it while the blade is powered on, not just 'without affecting the blade' — the phrasing is misleading as the blade remains powered on during replacement. Option C is wrong because shutting down the blade is not required; the chassis power redundancy allows hot-swap of the power supply without powering down any blade.

923
Multi-Select · easy

An engineer needs to collect streaming telemetry from a Nexus 9000 switch. Which two protocols can be used to transmit telemetry data to a collector? (Choose two.)

Select 2 answers
A. NETCONF
B. gNMI
C. HTTP
D. SNMP traps
E. gRPC
Answers: B, E

gNMI is designed for telemetry and management.

Why this answer

gNMI (gRPC Network Management Interface) and gRPC are both correct because they are the primary protocols used for streaming telemetry on Nexus 9000 switches. gNMI defines a standard model-driven telemetry subscription mechanism over gRPC, while gRPC provides the underlying high-performance transport for streaming telemetry data to collectors.

Exam trap

Cisco often tests the distinction between configuration protocols (NETCONF) and streaming telemetry protocols (gNMI/gRPC), and candidates mistakenly choose NETCONF because it supports YANG-push notifications, but the question specifically asks for 'streaming telemetry' which requires the persistent, high-frequency channel provided by gRPC/gNMI.

924
MCQ · medium

In a private VLAN configuration, a host in a community VLAN needs to communicate with a host in the primary VLAN. What configuration is required on the switch?

A. The host in community VLAN must be on an isolated port
B. The host in primary VLAN must be on a promiscuous port
C. The host in community VLAN must be on a promiscuous port
D. The host in primary VLAN must be on a community port
Answer: B

The primary VLAN host must be on a promiscuous port to allow communication from community VLAN.

Why this answer

In a private VLAN configuration, a host in a community VLAN can communicate with a host in the primary VLAN only if the host in the primary VLAN is on a promiscuous port. The promiscuous port can communicate with all other ports in the private VLAN, including community and isolated ports, enabling inter-VLAN traffic through a Layer 3 gateway or a server connected to that port.

Exam trap

Cisco often tests the misconception that a community VLAN host can directly communicate with a primary VLAN host without a promiscuous port, or that the primary VLAN host must be on a community port, confusing the roles of promiscuous and community ports in private VLANs.

How to eliminate wrong answers

Option A is wrong because an isolated port can only communicate with promiscuous ports, not with community ports, so placing the community VLAN host on an isolated port would break its ability to communicate with the primary VLAN host. Option C is wrong because a community port can only communicate with other community ports in the same community VLAN and with promiscuous ports, but placing the community VLAN host on a promiscuous port would incorrectly allow it to communicate with all ports, violating the community VLAN's intended isolation. Option D is wrong because a primary VLAN host on a community port would restrict it to communicating only with other community ports in the same community VLAN and promiscuous ports, but it would not be able to communicate with hosts in other community VLANs or isolated ports, which is not the required behavior for a primary VLAN host.

925
MCQ · easy

A network engineer wants to use Terraform to automate the creation of an Application Profile in ACI. Which provider should be used?

A. terraform-provider-aci
B. terraform-provider-apic
C. terraform-provider-nxos
D. terraform-provider-nexus
Answer: A

This provider is specifically for ACI automation.

Why this answer

The terraform-provider-aci is the official Terraform provider for Cisco ACI. terraform-provider-nxos is for Nexus switches. The other options are not valid.

926
MCQ · hard

A data center engineer is troubleshooting high CPU utilization on a Cisco Nexus 9000 switch. The engineer suspects a distributed denial-of-service (DDoS) attack targeting the switch. To mitigate the attack, the engineer configures a Control Plane Policing (CoPP) policy that drops all ICMP packets destined to the switch. The policy is applied to the control-plane using the 'service-policy input COPP' command. After applying the policy, the switch CPU utilization remains high, and ICMP traffic is still reaching the switch. The engineer verifies that the CoPP policy is applied and that the class-map matches ICMP. The policy-map has the correct police and drop actions. No other CoPP policies are applied. What is the most likely cause of the issue?

A. The switch requires a reload for the CoPP policy to take effect.
B. The attack traffic is entering through the management interface, which is not affected by CoPP.
C. The CoPP policy must be applied to the management VRF as well.
D. The class-map uses 'match protocol icmp' but the traffic uses a different protocol.
Answer: B

Management interfaces have separate control plane contexts; CoPP policies do not apply unless specifically configured for the management VRF.

Why this answer

CoPP policies are applied to the control plane in the ingress direction. However, traffic arriving on management interfaces is not subject to CoPP policies unless explicitly configured. Since the attack traffic likely enters via the management interface, CoPP does not filter it.

The correct solution is to configure a separate policy for the management interface or use management-plane protection.

927
MCQ · hard

In an ACI fabric, an EPG is configured with a contract that provides a service to another EPG. The contract has a filter for TCP port 80. Which component defines the directionality of the communication between the provider and consumer EPG?

A. The filter direction specified in the contract
B. The BD subnets
C. The provider and consumer labels in the contract
D. The subject of the contract
Answer: C

Correct: provider/consumer relationship defines direction.

Why this answer

In ACI contracts, the provider EPG offers the service and the consumer EPG initiates the communication. The contract is applied in the provider to consumer direction; return traffic is implicitly allowed.

928
MCQeasy

Which component connects a UCS 5108 blade chassis to the Fabric Interconnects?

A.CIMC
B.Midplane
C.IOM (Input/Output Module)
D.FEX (Fabric Extender)
AnswerC

IOMs link the chassis to Fabric Interconnects.

Why this answer

IOMs (Input/Output Modules) in the chassis provide connectivity to the FIs.

929
MCQhard

You manage a UCS domain with two fabric interconnects (FI-A and FI-B) in a cluster. The domain contains 8 blade servers. After a power failure, both FIs come back online, but the cluster experiences a split-brain situation where both FIs claim to be primary. The subordinate FI (FI-B) shows all blades in the 'Discovery' state. You suspect a configuration mismatch. You have console access to both FIs. Which recovery procedure should be performed to restore a stable cluster?

A.Reset both FIs to factory defaults and reconfigure from backup
B.Boot the FIs into the EFI shell and clear the flash
C.Perform a stateful switchover (SSO) on both FIs
D.On the subordinate FI (FI-B), enter the recovery mode and force a re-initialization, then reset the cluster
AnswerD

Standard UCS split-brain recovery procedure

Why this answer

Option D is correct because in a UCS split-brain scenario where the subordinate FI (FI-B) shows blades in 'Discovery' state due to a configuration mismatch, the proper recovery is to boot FI-B into recovery mode (using the 'recovery' boot option or pressing Ctrl+R at the appropriate prompt) and force a re-initialization, which resets its configuration to match the primary FI (FI-A). After re-initialization, resetting the cluster (via the 'cluster reset' command or equivalent) re-establishes the primary-subordinate relationship and synchronizes the configuration, restoring stable operation without affecting the primary FI's data or requiring a full factory reset.

Exam trap

Cisco often tests the misconception that a split-brain scenario requires a full factory reset or flash clearing, when in fact the targeted recovery of the subordinate FI via recovery mode and cluster reset is the correct, less destructive procedure.

How to eliminate wrong answers

Option A is wrong because resetting both FIs to factory defaults is overly destructive and unnecessary; it would lose all configuration on the primary FI (FI-A) and require a full backup restore, whereas the issue is isolated to the subordinate FI's configuration mismatch. Option B is wrong because booting into the EFI shell and clearing the flash is a low-level hardware recovery method typically used for unbootable FIs or firmware corruption, not for resolving a split-brain cluster state caused by configuration mismatch; it would erase all firmware and configuration, requiring a complete reimage. Option C is wrong because performing a stateful switchover (SSO) on both FIs is designed for planned maintenance or failover in a stable cluster, not for recovery from a split-brain scenario; SSO assumes both FIs are synchronized and operational, which they are not in this case.

930
MCQmedium

A Fibre Channel switch port is experiencing a high number of CRC errors. Which action should be taken to resolve this issue?

A.Replace the fiber optic cable between the switch and the storage device.
B.Reduce the port speed to 2 Gbps.
C.Reconfigure the zone to include only the affected device.
D.Increase the buffer credits on the port.
AnswerA

CRC errors typically indicate physical layer problems like bad cables.

Why this answer

CRC errors often indicate physical layer issues such as faulty cables or SFPs. Replacing the cable is the first step in troubleshooting. Option D is wrong because increasing the buffer credits does not fix CRC errors.

Option B is wrong because reducing the speed may mask the issue rather than resolve it. Option C is wrong because zoning changes do not affect CRC errors.

931
MCQhard

In a VXLAN EVPN fabric using BGP as the control plane, which BGP address family is used to exchange MAC/VTEP reachability information between VTEPs?

A.IPv4 unicast
B.IPv6 unicast
C.VPNv4 unicast
D.L2VPN EVPN
AnswerD

L2VPN EVPN is the correct address family for VXLAN EVPN.

Why this answer

BGP EVPN address family (L2VPN EVPN) carries MAC addresses, VTEP IPs, and VNI information for VXLAN overlay.

932
MCQmedium

In Cisco ACI, which component is responsible for translating EPG communication policies into concrete configuration on leaf switches?

A.Leaf switch
B.APIC controller
C.Spine switch
D.VMM domain
AnswerB

APIC translates the policy model into switch configurations.

Why this answer

The APIC controller centrally manages policies and programs them into the leaf switches via OpFlex.

933
MCQmedium

An administrator needs to replace a faulty UCS B200 M5 blade with a new blade of the same model. The original blade had a service profile associated. What is the minimum required action to allow the new blade to take over the workload with the same configuration?

A.Disassociate the service profile from the faulty blade and associate it with the new blade.
B.Clone the service profile and then associate the clone with the new blade.
C.Manually reconfigure the new blade via the KVM console.
D.Update the firmware on the new blade to match the service profile requirements.
AnswerA

This applies the same configuration to the new blade.

Why this answer

UCS service profiles provide hardware abstraction, making blades stateless. Simply inserting the new blade will not automatically associate the profile; the administrator must re-associate the service profile with the new blade. No other reconfiguration is needed if the new blade is identical.

934
MCQmedium

A storage administrator is configuring Fibre Channel zoning on a Cisco MDS switch. The administrator creates a zone, adds members, and activates the zone set. However, the hosts still cannot access the storage targets. What is the most likely cause?

A.The WWPNs are incorrectly typed.
B.The VSAN was not created.
C.The ports are in trunk mode.
D.The zone set was not activated.
AnswerD

The active zone set must be set; otherwise, zoning configuration is not applied.

Why this answer

Zoning changes only take effect when the zone set is activated. If the zone set is not activated, the zones are not enforced.

935
Multi-Selectmedium

Which two BGP features are commonly used in a Cisco Data Center spine-leaf fabric to achieve optimal ECMP load balancing? (Choose two.)

Select 2 answers
A.BGP add-path
B.BGP confederation
C.BGP multipath
D.BGP next-hop-self
E.BGP bestpath tie-break
AnswersA, C

Enables advertisement of multiple paths for load balancing.

Why this answer

BGP multipath enables multiple paths, and add-path allows advertisement of multiple paths to neighbors.

936
MCQmedium

A data center team is planning a Fibre Channel fabric with multiple Cisco MDS switches. They want to ensure that all switches share the same configuration and that zone changes are propagated automatically. Which feature should be enabled?

A.NPV mode
B.Fibre Channel Security Protocol (FC-SP)
C.VSAN trunking (EISL)
D.Cisco Fabric Services (CFS)
AnswerD

CFS enables automatic distribution of configurations like zoning.

Why this answer

Cisco Fabric Services (CFS) distributes configuration changes across all switches in the fabric, including zone changes.

937
Multi-Selecteasy

Which TWO components are required in a HyperFlex cluster to provide both compute and storage functionality?

Select 2 answers
A.UCS Manager
B.Storage Controller VM (SCVM)
C.Hypervisor (e.g., VMware ESXi)
D.CIMC
E.Witness VM
AnswersB, C

SCVM provides the storage data plane.

Why this answer

HyperFlex converged nodes provide both compute and storage. The controller VM (SCVM) manages storage, and the hypervisor (e.g., ESXi) runs workloads.

938
MCQhard

A Nexus switch configured with 'feature nxapi' and 'nxapi https port 443' fails to respond to REST API calls from a monitoring system. The engineer can ping the management IP. Which troubleshooting step should be taken first?

A.Check if the monitoring system is using the correct HTTP method
B.Review the switch's ACL for the management VRF
C.Verify that the NX-API process is running with 'show nxapi'
D.Confirm that the SSL certificate is trusted
AnswerC

Quick check of API status.

Why this answer

Option C is correct because the first step when NX-API is configured but not responding is to verify that the NX-API process is actually running. The 'feature nxapi' command enables the feature, but the NX-API service may not have started due to a configuration error, resource issue, or process crash. The 'show nxapi' command displays the operational status of the NX-API service, including whether it is listening on the configured port (443 in this case).

Since the engineer can ping the management IP, basic network connectivity exists, so the issue is likely at the application layer.

Exam trap

Cisco often tests the distinction between enabling a feature with a command and the actual process running; candidates assume that 'feature nxapi' guarantees the service is operational, but the trap is that the process may not start automatically, and 'show nxapi' is the correct verification step.

How to eliminate wrong answers

Option A is wrong because the HTTP method (GET, POST, etc.) is a client-side concern; if the NX-API service is not running, no HTTP method will work, so checking the method is premature. Option B is wrong because ACLs for the management VRF would block pings as well, but the engineer can ping the management IP, indicating that Layer 3 connectivity is intact and no ACL is blocking traffic at that level. Option D is wrong because SSL certificate trust is only relevant after the HTTPS connection is established; if the NX-API process is not running, the server never presents a certificate, so trust is not the issue.

939
MCQmedium

An engineer wants to run a Python script on a Nexus switch without copying it to the bootflash. The script interacts with the switch's CLI and file system. Which feature allows this?

A.OnEX
B.NX-API REST
C.Guest shell
D.EEM with Python applets
AnswerC

Guest shell provides bash environment for Python scripts.

Why this answer

Guest shell provides a Linux environment on Nexus where Python scripts can run directly.

940
MCQeasy

An engineer is configuring a Fibre Channel PortChannel between two Cisco MDS switches. What is the maximum number of physical links that can be aggregated into a single PortChannel in Fibre Channel?

A.8
B.32
C.4
D.16
AnswerD

Cisco MDS switches support up to 16 links per PortChannel.

Why this answer

Cisco MDS switches support up to 16 physical links per PortChannel for Fibre Channel.

941
MCQmedium

Refer to the exhibit. A host with WWPN 10:00:00:00:c9:29:3b:23 can only see its own WWPN but not the target. What is the likely cause?

A.The host is in a different VSAN.
B.The target is missing from the zone.
C.The zoneset is not the full zoneset.
D.The host's FLOGI is rejected.
E.The zone is not activated.
AnswerB

Zone_C has no target member, so the host cannot access any storage.

Why this answer

Option B is correct. Zone_C contains only the initiator (10:00:00:00:c9:29:3b:23) and no target members, so the host cannot communicate with any storage. Option E is incorrect; the zoneset is active and named ZS_1.

Option A is incorrect; all devices are in VSAN 1 per the command output. Option C is incorrect; the zone is listed in the active zoneset. Option D is incorrect; there is no indication of FLOGI failure.

942
Multi-Selecthard

Which THREE of the following must be enabled to implement 802.1X authentication with MAB fallback on a Cisco Nexus switch for a mixed environment of 802.1X-capable and non-802.1X endpoints? (Choose three.)

Select 3 answers
A.MACsec encryption on the port
B.AAA authentication with a RADIUS server
C.A RADIUS server configured with the MAC addresses of non-802.1X devices
D.A VLAN ACL to redirect traffic
E.802.1X globally enabled on the switch
AnswersB, C, E

AAA is required to authenticate users and devices.

Why this answer

Option B is correct because 802.1X authentication requires AAA to communicate with a RADIUS server. The RADIUS server validates the credentials (EAP over RADIUS) and returns an Accept or Reject, which the switch uses to authorize the port. Without AAA and a RADIUS server, the switch has no external authentication authority to process 802.1X requests or MAB fallback.

Exam trap

Cisco often tests the misconception that MACsec or VLAN ACLs are prerequisites for 802.1X with MAB, when in fact they are optional features that can be layered on top of the authentication process.

943
Multi-Selectmedium

A network automation engineer is writing an Ansible playbook to configure Nexus switches. Which three modules are available to manage NX-OS configuration? (Choose three.)

Select 3 answers
A.eos_config
B.nxos_config
C.nxos_interface
D.nxos_vlan
E.ios_config
AnswersB, C, D

Manages NX-OS configuration.

Why this answer

The `nxos_config` module is the primary Ansible module for managing NX-OS device configurations, allowing you to apply, replace, or merge configuration snippets directly onto Nexus switches. It is part of the `cisco.nxos` collection and is specifically designed for NX-OS, unlike `ios_config` which targets Cisco IOS/IOS-XE devices.

Exam trap

Cisco often tests the distinction between platform-specific Ansible modules (e.g., `nxos_*` vs `ios_*` vs `eos_*`), and the trap here is that candidates may confuse `ios_config` as being compatible with NX-OS due to a superficial similarity in CLI syntax, ignoring the underlying platform-specific module requirements.

944
MCQeasy

An engineer wants to automate the configuration of VLANs on a Nexus switch using Ansible. Which module from the cisco.nxos collection should be used?

A.nxos_config
B.nxos_vlan
C.nxos_bgp
D.nxos_interface
AnswerB

Correct module for VLAN management.

Why this answer

The nxos_vlan module is specifically designed to manage VLANs on Cisco NX-OS devices.

945
MCQmedium

A UCS B-Series blade server (blade 5) has been running a database application for months. Recently, the storage team upgraded the SAN firmware. Since then, the blade experiences intermittent 'SCSI command timeout' errors in the system logs. The application performance degrades periodically. You check the UCS Manager performance data and see that the vHBA statistics show a high number of 'Link Reset' events. The storage array logs show no errors. The fibre channel cables are new. Which step should you take to resolve the issue?

A.Delete and recreate the vHBA in the service profile
B.Replace the fibre channel cables between the IOM and storage
C.Update the HBA firmware on the blade to match the SAN compatibility matrix
D.Rezone the SAN fabric to use a different target port
AnswerC

Firmware mismatch after SAN upgrade is a common cause

Why this answer

Option C is correct because the SAN firmware upgrade likely introduced a change in the Fibre Channel protocol behavior (e.g., link initialization or error recovery) that is incompatible with the current HBA firmware on the blade. The high 'Link Reset' events indicate that the vHBA is repeatedly reinitializing the link, which directly causes SCSI command timeouts. Updating the HBA firmware to match the SAN compatibility matrix ensures the HBA can properly negotiate and interoperate with the upgraded SAN fabric, resolving the intermittent timeouts.

Exam trap

The trap here is that candidates assume physical cabling or zoning is the cause of link resets, but Cisco often tests the concept that firmware mismatches after a SAN upgrade can cause intermittent FC link issues without any physical layer faults.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the vHBA would not address the underlying firmware incompatibility; it would only reset the vHBA configuration, which would likely result in the same link reset behavior. Option B is wrong because the fibre channel cables are new and the storage array logs show no errors, indicating the physical layer is not the issue. Option D is wrong because rezoning the SAN fabric to use a different target port would not fix the HBA-to-switch link reset problem; the issue is at the HBA level, not the zoning or target port selection.

946
MCQhard

An engineer is configuring Fibre Channel PortChannels on a Cisco MDS switch. Which statement about Fibre Channel PortChannels is true?

A.They require all member ports to be on the same VSAN.
B.They can include both E-ports and F-ports in the same PortChannel.
C.They load-balance based on the source and destination WWPNs.
D.They are supported only in NPV mode.
AnswerC

Fibre Channel PortChannels use a hash of source and destination IDs (WWPNs) for load balancing.

Why this answer

Fibre Channel PortChannels require all member ports to be of the same type (e.g., all E-ports). They load-balance across links and are compatible with VSAN trunking. They do not require the same speed on all ports, but it is recommended.

947
MCQhard

In Cisco ACI, when integrating with VMware vSphere via VMM domain, what is the purpose of the 'vCenter Domain' policy?

A.To replace the need for VXLAN overlay in the fabric
B.To automatically configure virtual switch port groups and EPGs based on VM attributes
C.To manage storage connectivity for VMware clusters
D.To enable virtual machine mobility (vMotion) across data centers
AnswerB

VMM domain automates network provisioning for VMs.

Why this answer

The VMM domain policy in ACI connects to vCenter and allows ACI to automatically deploy EPGs and port groups on the vDS. It also enables policy-driven networking for VMs. The policy does not provide vMotion directly (vMotion is handled by vSphere) and does not replace VXLAN or manage storage.

948
MCQhard

An Ansible playbook using the cisco.nxos.nxos_config module fails with the error: 'Unsupported parameters for (cisco.nxos.nxos_config) module: connection type setting'. What is the most likely cause?

A.The SSH key authentication is misconfigured.
B.The playbook includes an invalid parameter 'connection: network_cli' inside the task block.
C.The module is not installed correctly.
D.The playbook is targeting a device running an unsupported NX-OS version.
AnswerB

The 'connection' parameter is a play-level attribute, not a task parameter for nxos_config.

Why this answer

The error 'Unsupported parameters for (cisco.nxos.nxos_config) module: connection type setting' occurs because the `connection: network_cli` parameter is being passed inside the task block of the playbook. The `cisco.nxos.nxos_config` module does not accept a `connection` parameter at the task level; connection settings must be defined at the play or inventory level. This is a common syntax error when using Ansible network modules.

Exam trap

Cisco often tests the distinction between play-level and task-level parameters, specifically that `connection` is not a valid parameter for network modules at the task level, leading candidates to incorrectly attribute the error to module installation or device compatibility.

How to eliminate wrong answers

Option A is wrong because SSH key authentication misconfiguration would typically cause an authentication or permission denied error, not an 'unsupported parameters' error related to connection type. Option B is the correct answer; the error is caused by an invalid parameter inside the task block. Option C is wrong because if the module were not installed correctly, the error would be 'module not found' or 'could not locate module', not an unsupported parameters error.

Option D is wrong because an unsupported NX-OS version would result in a module execution failure or a device-specific error, not a parameter validation error from the Ansible controller.

949
MCQmedium

A data center engineer notices that a UCS B-Series blade server is failing to boot from a SAN LUN that is correctly mapped to the server's WWPN. The SAN switch shows that the LUN is accessible and the zone is configured correctly. The UCS Manager shows the server's vNIC is associated with a vHBA that has the correct WWPN, but the server's BIOS does not list the Fibre Channel boot target. Which configuration is most likely missing?

A.The SAN connectivity policy is missing the Fibre Channel uplink pinning.
B.The vNIC/vHBA placement policy is incorrectly set to 'Express' mode.
C.A QoS policy is not applied to the vHBA.
D.The boot policy is not defined or not attached to the service profile.
AnswerD

UCS B-Series requires a boot policy to specify the boot order and target LUN.

Why this answer

The boot policy defines the boot order and parameters (such as the SAN LUN target WWPN and LUN ID) for the server. If the boot policy is not defined or not attached to the service profile, the UCS Manager will not program the BIOS with the Fibre Channel boot target information, even though the SAN zoning and vHBA WWPN are correct. Without this policy, the server's BIOS has no instruction to attempt a SAN boot, resulting in the failure described.

Exam trap

Cisco often tests the distinction between SAN connectivity (zoning, WWPN) and the boot policy configuration, trapping candidates who assume that correct zoning and vHBA setup alone are sufficient for SAN boot.

How to eliminate wrong answers

Option A is wrong because the SAN connectivity policy with Fibre Channel uplink pinning controls how uplinks are mapped to fabric interconnects for load balancing or failover, not the boot target configuration. Option B is wrong because the vNIC/vHBA placement policy set to 'Express' mode affects how virtual interfaces are placed on the mezzanine cards or adapters, but does not prevent the BIOS from seeing a Fibre Channel boot target. Option C is wrong because a QoS policy applied to a vHBA manages traffic prioritization and bandwidth limits, not the presence or absence of a boot LUN in the BIOS boot list.

950
MCQmedium

A storage engineer needs to isolate two Fibre Channel fabrics within the same physical infrastructure using Cisco MDS switches. Which feature allows the creation of multiple logical Fibre Channel networks on the same set of switches?

A.NPV
B.PortChannels
C.Zoning
D.VSANs
AnswerD

VSANs create separate logical FC fabrics on the same physical switches.

Why this answer

VSANs (Virtual SANs) provide isolation similar to VLANs in Ethernet, allowing multiple separate FC fabrics to operate on the same physical switches.

951
MCQhard

Refer to the exhibit. An engineer is using an Ansible playbook to configure a Nexus switch. The playbook task uses the nxos_config module to set an MTU value on an interface. What is the most likely issue?

A.Add the 'provider' parameter with connection details.
B.Correct the spelling of the MTU parameter to 'mtu_size'.
C.Use the nxos_mtu module instead of nxos_config to configure MTU.
D.Verify that the switch supports MTU configuration via Ansible.
AnswerC

The nxos_config module does not support MTU; the nxos_mtu module is designed for this purpose.

Why this answer

The nxos_config module is designed for general NX-OS configuration commands but does not support the 'mtu' parameter directly. The correct approach is to use the dedicated nxos_mtu module for setting MTU. Option B is incorrect because the parameter is correctly spelled; the module simply does not support it.

Option D is incorrect because the switch does support MTU configuration via the appropriate module. Option A is incorrect because the provider parameter is not needed in modern Ansible versions.

952
MCQmedium

Refer to the exhibit. An automation script is used to configure a new VLAN 40 on Eth1/2 trunk. The script sends the following NX-API command: 'switchport trunk allowed vlan add 40'. After execution, the engineer runs 'show running-config interface eth1/2' and sees that the trunk allowed VLAN list shows '10,20,30,40'. However, the automation script logs indicate success for adding VLAN 40, but the running config does not show the change. What is the most likely issue?

A.The command syntax is incorrect; 'add' is not a valid keyword.
B.The engineer is viewing a different switch or the configuration was reverted by another process.
C.The script actually removed the existing VLANs and replaced them with only VLAN 40.
D.The NX-API command was sent to the wrong interface.
AnswerB

The running config shows the change, so the issue is likely that the engineer is looking at the wrong device or the config was changed after.

Why this answer

Option B is correct because the running config shows VLANs 10,20,30,40, indicating that VLAN 40 was successfully added. The script logs confirm success, so the command syntax and interface target are correct. The discrepancy between the logs and the running config is most likely due to the engineer viewing a different switch (e.g., a management console pointing to a different device) or the configuration being reverted by another process (e.g., a configuration rollback or a competing automation script).

Exam trap

Cisco often tests the candidate's ability to distinguish between a command that fails silently versus a command that succeeds but the result is not visible due to environmental factors (e.g., wrong device, configuration rollback), rather than a syntax or interface error.

How to eliminate wrong answers

Option A is wrong because 'switchport trunk allowed vlan add 40' is valid NX-OS syntax; the 'add' keyword is used to append VLANs to the existing allowed list. Option C is wrong because if the script had replaced the list with only VLAN 40, the running config would show '40' alone, not '10,20,30,40'. Option D is wrong because the running config shows the change on Eth1/2, confirming the command was sent to the correct interface.

953
Multi-Selecthard

Which three of the following are characteristics of the ACI Management Information Tree (MIT)? (Choose three.)

Select 3 answers
A.It is a hierarchical tree structure
B.The APIC REST API interacts with the MIT using JSON or XML
C.It can be accessed via SNMP
D.It is a flat database without hierarchy
E.Objects are identified by a distinguished name (DN)
AnswersA, B, E

The MIT is organized as a tree.

Why this answer

The MIT is a hierarchical tree with objects like Tenant, AP, EPG, BD. Each object has a distinguished name (DN). The APIC REST API uses JSON/XML.

SNMP is not used for ACI management. The MIT is not flat; it is hierarchical.

954
MCQhard

An organization is deploying a new ACI fabric. The design requires that traffic between EPGs in the same bridge domain be allowed by default, but traffic between EPGs in different bridge domains must be denied unless explicitly permitted. Which contract scope configuration meets this requirement?

A.Context (default)
B.Application-profile
C.Global
D.VRF
AnswerD

VRF scope allows contracts to apply across bridge domains within the same VRF; without a contract, traffic is denied, and with a contract, permitted.

Why this answer

The VRF (private L3 context) is the correct scope because contract scope determines the boundary within which a contract is effective. By setting the contract scope to VRF, the contract applies only to EPGs within the same VRF. Since EPGs in different bridge domains are typically in the same VRF, you must explicitly configure contracts to permit inter-EPG traffic; otherwise, it is denied by default.

This matches the requirement that traffic between EPGs in the same bridge domain is allowed by default (via the default intra-EPG and intra-bridge domain forwarding), while traffic between EPGs in different bridge domains requires an explicit contract.

Exam trap

Cisco often tests the misconception that 'context' is a separate scope option, when in fact the default contract scope is VRF (context), and the exam expects you to know that VRF is the correct term for the private L3 network boundary that enforces the deny-by-default inter-EPG behavior.

How to eliminate wrong answers

Option A (Context/default) is wrong because the default contract scope is actually 'context' (VRF), not a separate scope; the term 'Context' is ambiguous and not a distinct contract scope in ACI—the default behavior is VRF-level scoping, which already denies inter-EPG traffic without a contract. Option B (Application-profile) is wrong because contract scope at the application-profile level would restrict the contract to EPGs within the same application profile, but this does not address the requirement for bridge-domain-level isolation; it is too narrow and would not allow default intra-bridge domain traffic across different application profiles. Option C (Global) is wrong because a global contract scope makes the contract apply across all VRFs, which would permit traffic between EPGs in different VRFs (and thus different bridge domains) without explicit permission, violating the requirement that such traffic must be denied by default.

955
MCQmedium

A storage engineer is planning to migrate from an existing 2 Gbps Fibre Channel fabric to a new 16 Gbps fabric while maintaining connectivity during the cutover. The legacy and new switches are connected via ISL and use the same VSAN. What is a best practice to ensure a seamless migration?

A.Assign the new switches to a separate VSAN to prevent mixing
B.Set the ISL port speed to 2 Gbps on both sides until the migration is complete
C.Use a dedicated ISL for the migration and move zones gradually
D.Disable zoning on both fabrics and re-apply after migration
AnswerB

Ensures compatibility and stable fabric merge.

Why this answer

Option B is correct because setting the ISL port speed to 2 Gbps on both sides ensures that the new 16 Gbps switch negotiates down to the legacy fabric's speed, preventing buffer-to-buffer credit mismatches and frame corruption during the cutover. This allows both fabrics to operate at a common speed, maintaining stable connectivity until all devices are migrated and the ISL speed can be safely increased.

Exam trap

Cisco often tests the misconception that simply connecting a higher-speed switch to a lower-speed fabric via ISL will auto-negotiate correctly, but the trap here is that without manually setting the speed, the link may fail to establish or cause instability due to incompatible buffer-to-buffer credit management.

How to eliminate wrong answers

Option A is wrong because assigning the new switches to a separate VSAN would isolate them from the legacy fabric, preventing any communication or gradual migration of devices across the ISL. Option C is wrong because using a dedicated ISL does not address the fundamental speed mismatch; without speed negotiation, the 16 Gbps port may not properly interoperate with the 2 Gbps port, leading to link instability or failure. Option D is wrong because disabling zoning on both fabrics would expose all devices to each other, creating a security risk and potential data corruption; zoning should remain active and be migrated incrementally.

956
MCQhard

During an FCoE deployment, the server team reports that hosts can reach the storage array but performance is intermittent with periodic timeouts. The network team sees no errors on the FCoE VLAN. The DCB configuration on the upstream switch shows that PFC is enabled for CoS 3. What should the engineer check next?

A.Verify that jumbo frames are enabled on the storage array
B.Confirm that the VSAN is appropriately sized for the number of hosts
C.Ensure that the FCoE VLAN is enabled for FCoE on the server's vNIC
D.Check if the PFC configuration matches on both ends and that PFC is enabled on the FCoE VLAN interfaces
AnswerD

PFC must be consistent across all hops.

Why this answer

D is correct because PFC (Priority Flow Control) must be consistently configured on both ends of an FCoE link to prevent frame loss. If PFC is enabled for CoS 3 on the upstream switch but not on the server's vNIC or the FCoE VLAN interfaces, the lack of lossless behavior causes intermittent timeouts and performance degradation, even if the FCoE VLAN shows no errors.

Exam trap

Cisco often tests the misconception that FCoE performance issues are due to VLAN or VSAN misconfiguration, when the real culprit is mismatched PFC settings between endpoints.

How to eliminate wrong answers

Option A is wrong because jumbo frames are not required for FCoE; FCoE typically uses 2500-byte frames, but the issue is about lossless delivery, not MTU size. Option B is wrong because VSAN sizing relates to zoning and fabric management, not to PFC or link-level flow control; the problem is at Layer 2, not VSAN capacity. Option C is wrong because the FCoE VLAN must be enabled on the switch port, not the server's vNIC; the server team already reports reachability, indicating the VLAN is active, so this is a misdirection about where the configuration is applied.

957
MCQ (medium)

Refer to the exhibit. An engineer configured NX-API on a Nexus 9000 switch. The REST API client receives 'SSL_ERROR_BAD_CERT_DOMAIN'. What is the most likely cause?

A.HTTP is enabled which conflicts with HTTPS
B.The key file is missing
C.The certificate file is corrupted
D.The certificate does not match the switch's hostname
Answer: D

SSL_ERROR_BAD_CERT_DOMAIN specifically indicates domain mismatch.

Why this answer

The SSL_ERROR_BAD_CERT_DOMAIN error indicates that the certificate presented by the Nexus 9000 switch does not match the hostname used in the REST API client's request. When NX-API uses HTTPS, the client validates the server's certificate against the requested domain; a mismatch triggers this error. This is a common TLS/SSL certificate validation issue, not a problem with HTTP conflicts, missing keys, or corrupted files.

Exam trap

Cisco often tests the distinction between certificate validation errors (domain mismatch, expiry, untrusted CA) and other TLS/SSL failures (missing key, corrupted file), expecting candidates to recognize that 'SSL_ERROR_BAD_CERT_DOMAIN' specifically points to a hostname mismatch rather than a general certificate problem.

How to eliminate wrong answers

Option A is wrong because enabling HTTP alongside HTTPS does not cause SSL certificate domain validation errors; the error is specific to TLS handshake and certificate trust, not protocol conflicts. Option B is wrong because a missing key file would prevent the switch from establishing any HTTPS connection (e.g., 'no key' or 'unable to load private key' errors), not a domain mismatch error. Option C is wrong because a corrupted certificate file would typically cause a 'bad certificate' or 'certificate verify failed' error during the TLS handshake, not a domain mismatch error which is a hostname validation failure.

958
MCQ (hard)

Refer to the exhibit. An engineer notices intermittent packet loss on interface Ethernet 1/1 of the Fabric Interconnect. Based on the transceiver statistics shown, which condition is the most likely cause?

A.The receive power is below the low warning threshold.
B.The supply voltage is out of range.
C.The transmit power is too low.
D.The transceiver temperature is too high.
Answer: A

-16.2 dBm is below the Low Warning threshold of -15.0 dBm, indicating a potential cable or connector issue.

Why this answer

The exhibit shows that the receive power is -16.3 dBm, which is below the low warning threshold of -13.3 dBm. This indicates the incoming optical signal is too weak, causing intermittent packet loss due to bit errors or link flaps. The transceiver statistics confirm that the receive power is the only parameter breaching its threshold, making it the most likely cause.

Exam trap

Cisco often tests the distinction between warning and alarm thresholds, and candidates mistakenly assume any parameter outside a threshold causes the issue, but here only the receive power is below its warning threshold, while the other values are within normal ranges.

How to eliminate wrong answers

Option B is wrong because the supply voltage is 3.29 V, which is within the normal operating range (typically 3.1 V to 3.5 V for SFP+ optics), so it is not out of range. Option C is wrong because the transmit power is -2.4 dBm, which is above the low warning threshold of -5.3 dBm, indicating the transmitter is functioning correctly. Option D is wrong because the transceiver temperature is 42.5°C, which is well below the high warning threshold of 75°C, so overheating is not an issue.

959
Drag & Drop (medium)

Order the steps for troubleshooting a Fibre Channel link that is not coming up.


Why this order

Troubleshooting an FC link starts at the physical layer, then moves to the interface, VSAN/zoning, FLOGI, and finally the logs.

960
MCQ (easy)

Which component in a UCS 5108 blade chassis provides the connectivity between the blade servers and the Fabric Interconnects?

A.Chassis management controller (CMC)
B.Midplane
C.I/O Module (IOM)
D.Fabric Extender (FEX)
Answer: C

IOMs provide the network connectivity between blades and FIs.

Why this answer

The I/O Module (IOM) in the UCS 5108 chassis provides the uplink ports that connect to the Fabric Interconnects and the downlink ports that connect to the blade servers.

961
MCQ (medium)

Refer to the exhibit. A network engineer notices that traffic for VNI 10000 is not being encapsulated. What is the most likely reason?

A.BGP EVPN is not configured.
B.VNI 10000 is not configured under the nve interface.
C.The VRF association is incorrect.
D.The source-interface is not reachable.
Answer: B

The show output clearly does not include member vni 10000.

Why this answer

VNI 10000 must be explicitly mapped to an NVE interface under the 'interface nve1' configuration using the 'member vni 10000' command. Without this mapping, the NVE interface does not know which VNI to encapsulate traffic for, even if the VNI exists in the network. Option B correctly identifies this missing configuration as the most likely cause.

Exam trap

Cisco often tests the distinction between control-plane (BGP EVPN) and data-plane (NVE interface) configurations, trapping candidates who assume that a VNI configured in the VRF or advertised via EVPN automatically enables encapsulation on the NVE interface.

How to eliminate wrong answers

Option A is wrong because BGP EVPN is the control plane protocol used to advertise VNI reachability, but traffic encapsulation itself is a data-plane function performed by the NVE interface; the absence of BGP EVPN would prevent route distribution but not directly block encapsulation if the VNI is already configured under NVE. Option C is wrong because VRF association is a Layer 3 construct that maps a VRF to a VNI for routing, but encapsulation failure for VNI 10000 specifically points to the NVE interface configuration, not the VRF mapping. Option D is wrong because if the source-interface were unreachable, no VNI traffic would be encapsulated at all, not just VNI 10000; the issue is isolated to a single VNI, indicating a configuration omission rather than a reachability problem.

962
MCQ (hard)

A large financial institution has a Cisco ACI fabric with multiple tenants. The security team requires that all management access to the APIC controllers be authenticated via multi-factor authentication (MFA) using a RADIUS server. The RADIUS server is configured to send a One-Time Password (OTP) challenge during authentication. The current configuration uses local authentication. The engineer needs to implement RADIUS authentication with MFA for APIC GUI and CLI access. The RADIUS server is reachable at 10.10.10.10, shared secret 'SecureSecret123'. The APIC is running software version 4.2(3). The engineer must ensure that local authentication is used as fallback if the RADIUS server is unreachable. Which of the following actions should the engineer take?

A.Configure TACACS+ as the authentication protocol and set the server IP and secret.
B.Enable local authentication only and require strong passwords.
C.Add a RADIUS provider with IP 10.10.10.10 and secret 'SecureSecret123', create a login domain with realm 'radius', set fallback to 'local', and assign the domain to users.
D.Configure LDAP authentication with the RADIUS server acting as an LDAP proxy.
Answer: C

Correct: RADIUS with PAP is used for MFA and fallback to local.

Why this answer

Option C is correct because it follows the required steps to configure RADIUS authentication with MFA on Cisco APIC: adding a RADIUS provider with the correct IP and shared secret, creating a login domain with realm 'radius', setting fallback to 'local', and assigning the domain to users. This ensures that the APIC sends authentication requests to the RADIUS server, which can issue an OTP challenge for MFA, and falls back to local authentication if the RADIUS server is unreachable.

Exam trap

Cisco often tests the requirement to create a login domain and assign it to users, as many candidates mistakenly think simply adding a RADIUS provider is sufficient without configuring the domain and fallback.

How to eliminate wrong answers

Option A is wrong because TACACS+ is not supported for APIC authentication; APIC only supports RADIUS, LDAP, and local authentication for management access. Option B is wrong because enabling only local authentication with strong passwords does not implement MFA via RADIUS, which is a specific requirement. Option D is wrong because LDAP authentication cannot use a RADIUS server as an LDAP proxy; LDAP and RADIUS are separate protocols with different purposes and configurations.

963
MCQ (easy)

In ACI, which model is used for micro-segmentation to allow traffic between EPGs?

A.Blacklist model using taboo contracts
B.IP-based ACLs on leaf switches
C.VRF leaking
D.Whitelist model using contracts
Answer: D

Correct: ACI contracts define permitted traffic.

Why this answer

ACI uses a whitelist model via contracts to permit traffic between EPGs.

964
MCQ (easy)

A storage administrator wants to ensure that only designated initiators can access a specific target in a Fibre Channel SAN. Which mechanism enforces this policy?

A.IVR
B.Port channel
C.Zoning
D.VSAN
E.Credit recovery
Answer: C

Zoning defines which initiators can talk to which targets.

Why this answer

Zoning is the correct mechanism because it restricts Fibre Channel (FC) communication to only those initiators and targets that are members of the same zone. By defining a zone that includes only the designated initiator WWPNs and the target WWPN, the switch enforces access control at the fabric level, preventing any unauthorized device from discovering or communicating with the target.

Exam trap

Cisco often tests the distinction between VSAN (which isolates traffic at the fabric level) and zoning (which controls device-level access within a VSAN), leading candidates to incorrectly select VSAN when the question specifically asks about restricting access to a target.

How to eliminate wrong answers

Option A (IVR) is wrong because Inter-VSAN Routing (IVR) enables selective communication between devices in different VSANs, not access control within a single VSAN or target. Option B (Port channel) is wrong because it aggregates multiple physical links into a single logical link for bandwidth and redundancy, not for enforcing initiator-to-target access policies. Option D (VSAN) is wrong because a VSAN creates an isolated virtual fabric, but within a VSAN all devices can communicate unless further restricted by zoning; VSAN alone does not enforce per-initiator access to a specific target. Option E (Credit recovery) is wrong because it is a buffer-to-buffer credit recovery mechanism (BB_CR) used to recover lost credits in FC links, unrelated to access control.

965
MCQ (medium)

A data center uses NPV to connect edge switches to a core Fibre Channel switch. The edge switches report that some servers cannot log in. What is a likely cause?

A.Overlapping VSAN IDs between edge and core
B.F port binding on the edge switch
C.Trunking mode not enabled on the core switch
D.NPIV not enabled on the core switch
Answer: D

Correct: NPIV must be enabled on core switches to support NPV.

Why this answer

Option D is correct because NPV requires the NPIV feature on the core switch to allow multiple FLOGIs from an NPV switch. Option A is incorrect because overlapping VSAN IDs between edge and core are fine. Option C is incorrect because trunking is independent of NPV. Option B is incorrect because F port binding is not required for NPV.

966
MCQ (easy)

In a UCS service profile, which construct is used to abstract the network interface configuration so that the same profile can be used with different blade models?

A.Boot policy
B.Local disk policy
C.Server pool policy
D.vNIC template
Answer: D

vNIC templates provide standardized network interface configurations.

Why this answer

vNIC templates define network interface properties (MAC address, VLANs, fabric assignment) and can be policy-based, allowing hardware abstraction.

967
MCQ (medium)

A Cisco MDS 9000 switch is used in a storage network. The security policy requires that a junior administrator named 'user1' can view zone configurations but cannot make any changes. Currently, 'user1' is assigned the default 'network-operator' role, which allows read-only access to most configuration, but the engineer wants to ensure that zone modification is explicitly denied. The engineer creates a custom role named 'zone-viewer' and assigns it to 'user1'. The role should permit viewing of the running configuration related to zones but deny any command that modifies zone or zoneset configurations. Which configuration best achieves this objective?

A.role name zone-viewer feature zone; permit command configure terminal; zone name etc.
B.role name zone-viewer permit command show zone*; permit command show zoneset*
C.role name zone-viewer rule 1 permit read-write; feature zone
D.role name zone-viewer permit command zone; permit command zoneset; permit command zone-create
Answer: B

Permits show commands for zone and zoneset, denying configuration commands by default.

Why this answer

Option B is correct because it uses the 'permit command' statements with wildcard patterns ('show zone*' and 'show zoneset*') to explicitly allow only show commands related to zones and zonesets. By not including any 'permit' or 'deny' statements for configuration commands (like 'configure terminal', 'zone', or 'zoneset'), the role implicitly denies all other commands, including those that modify zone or zoneset configurations. This matches the requirement to allow viewing but deny modifications.

Exam trap

Cisco often tests the implicit deny behavior of RBAC, where candidates mistakenly think they must explicitly deny modification commands, when in fact only permitting the desired show commands is sufficient to block all other commands.

How to eliminate wrong answers

Option A is wrong because it includes 'permit command configure terminal' and 'zone name etc.' which would allow the user to enter configuration mode and potentially modify zone configurations, violating the security policy. Option C is wrong because 'rule 1 permit read-write' grants full read-write access to the zone feature, allowing modifications, and does not restrict to read-only. Option D is wrong because it permits 'zone', 'zoneset', and 'zone-create' commands, which are used to create and modify zones and zonesets, directly contradicting the requirement to deny modifications.

968
MCQ (medium)

Which ECMP load-balancing method is recommended for data center spine-leaf fabrics to ensure optimal traffic distribution?

A.Per-flow load balancing based on src-dst IP
B.Per-packet load balancing
C.Weighted load balancing
D.Per-flow load balancing based on src-dst MAC
Answer: A

This ensures packets of the same flow take the same path.

Why this answer

Per-flow load balancing based on source and destination IP is the most common and effective for TCP traffic.

969
MCQ (easy)

A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?

A.show aaa authentication
B.show dot1x
C.show authentication interface ethernet 1/1
D.show port-security interface ethernet 1/1
Answer: C

Displays 802.1X and MAC authentication status.

Why this answer

Option C is correct because the 'show authentication interface ethernet 1/1' command displays the 802.1X authentication status, including the state machine, authorized status, and method list for a specific interface. This command is part of the Identity-Based Networking Services (IBNS) framework and provides a comprehensive view of all authentication methods (802.1X, MAB, WebAuth) configured on the port, which is essential for troubleshooting authentication failures on edge ports.

Exam trap

Cisco often tests the distinction between the legacy 'show dot1x' command and the modern unified 'show authentication interface' command, trapping candidates who memorize the older command without realizing that newer IOS versions (e.g., IOS-XE 16.x+) consolidate all authentication status under the 'show authentication' hierarchy.

How to eliminate wrong answers

Option A is wrong because 'show aaa authentication' displays the global AAA authentication method lists and their order, not the per-interface authentication status or 802.1X state. Option B is wrong because 'show dot1x' without an interface keyword shows global 802.1X parameters, not the detailed per-interface status; even 'show dot1x interface ethernet 1/1' is deprecated in favor of the unified 'show authentication interface' command in newer IOS versions. Option D is wrong because 'show port-security interface ethernet 1/1' shows port security violation counts and secure MAC addresses, which is unrelated to 802.1X authentication state machines or EAPOL exchanges.

970
MCQ (easy)

A network engineer is configuring a new UCS B-series blade server. The engineer wants the server to automatically inherit network and storage settings without manual configuration when replaced. Which UCS technology enables this capability?

A.Service profile template
B.Fabric Interconnect failover
C.Cisco IMC Supervisor
D.Cisco UCS Manager
Answer: A

Service profiles and templates provide hardware abstraction, enabling stateless computing.

Why this answer

Service profiles abstract hardware configuration, allowing a blade to be replaced and automatically reconfigured by applying the same service profile.

971
MCQ (hard)

A large enterprise runs a multi-site Cisco ACI fabric with APICs in a cluster. The automation team uses Python scripts with the Cobra SDK to create and manage tenant policies. Recently, after upgrading the APIC firmware from version 4.2(3) to 5.2(1), a script that previously worked now fails with an 'Unauthorized' error when calling the APIC REST API. The script uses a service account with a locally stored password. The automation engineer verifies that the account credentials are correct and that the account is not locked. The script was not modified during the upgrade. Which action should the engineer take to resolve the issue?

A.Change the authentication method in the script from password-based to certificate-based authentication.
B.Upgrade the Python requests library to version 2.25.0 or later that supports TLS 1.3.
C.Regenerate the API key for the service account and update the script with the new key.
D.Disable TLS 1.3 on the APIC by setting the 'ssl-protocols' parameter to TLSv1.2 only.
Answer: B

Upgrading the library ensures TLS 1.3 compatibility, preserving security.

Why this answer

Option B is correct because APIC firmware 5.2(1) enforces TLS 1.3 by default, and older Python requests libraries (pre-2.25.0) do not support TLS 1.3, causing the handshake to fail with an 'Unauthorized' error despite valid credentials. Upgrading the requests library to version 2.25.0 or later adds TLS 1.3 support, allowing the script to authenticate successfully.

Exam trap

The trap here is that candidates assume the 'Unauthorized' error is due to invalid credentials or authentication method, when in fact it is caused by a TLS protocol version mismatch between the client library and the upgraded APIC.

How to eliminate wrong answers

Option A is wrong because changing from password-based to certificate-based authentication is unnecessary; the credentials are valid and the issue is a TLS version mismatch, not an authentication method problem. Option C is wrong because the service account uses a password, not an API key, and regenerating a non-existent key would not resolve the TLS 1.3 handshake failure. Option D is wrong because disabling TLS 1.3 on the APIC is a workaround that reduces security and is not the recommended fix; the proper solution is to update the client library to support the newer protocol.

972
MCQ (hard)

An engineer is troubleshooting a BGP EVPN issue where leaf switches are not learning remote MAC addresses. The underlay is reachable and BGP sessions are established. What is a likely cause?

A.Missing 'address-family l2vpn evpn' under the BGP neighbor configuration
B.NVE interface not enabled
C.Incorrect VNI configuration
D.MTU mismatch on the underlay
Answer: A

This address family must be activated to exchange EVPN routes.

Why this answer

If the 'address-family l2vpn evpn' is not activated under the BGP neighbor, EVPN routes will not be exchanged.

973
MCQ (medium)

An engineer is configuring Cisco ACI to secure inter-tenant traffic. Tenants 'TenantA' and 'TenantB' need to communicate via a shared service, such as a DNS server in TenantA. How should the contract be configured?

A.Create a contract in TenantA and apply it to the VRF shared between tenants.
B.Create a contract in TenantA. Set the DNS EPG as provider. In TenantB, create a consumer EPG and provide the contract from TenantA.
C.Create a contract in TenantB. Set the DNS EPG as consumer. In TenantA, create a provider EPG and provide the contract from TenantB.
D.Create a contract in TenantA. Set both DNS EPG and TenantB EPG as providers.
Answer: B

Standard shared service design: provider's tenant contains the contract.

Why this answer

In Cisco ACI, inter-tenant communication via a shared service requires the contract to be created in the tenant that owns the shared service (provider). The provider EPG (DNS server in TenantA) is set as the provider, and the consumer EPG (in TenantB) consumes the contract from TenantA. This allows TenantB to access the DNS service without exposing its own EPGs, maintaining security isolation while enabling necessary traffic.

Exam trap

Cisco often tests the misconception that the contract must be created in the consumer's tenant or applied to the VRF, but the correct approach is to create the contract in the provider's tenant and explicitly define the provider EPG.

How to eliminate wrong answers

Option A is wrong because applying a contract to the VRF shared between tenants does not define the provider/consumer relationship; contracts must be applied to EPGs, not VRFs, and the provider EPG must be explicitly set. Option C is wrong because the contract should be created in the tenant that owns the shared service (TenantA), not TenantB, and the DNS EPG should be the provider, not the consumer. Option D is wrong because setting both EPGs as providers would create a symmetric relationship, which is incorrect for a shared service scenario where one EPG provides and the other consumes; this would also break the intended unidirectional traffic flow.

974
MCQ (easy)

A financial services company operates a Cisco UCS 6454 Fabric Interconnect cluster with two FI-A and FI-B, connected to multiple UCS B-Series blades. The environment uses UCS Manager 4.2(1a). Recently, the company migrated to a new storage array connected via Fibre Channel. The storage team configured 8 virtual SANs (VSANs) and created a new VSAN 400 for a critical application. After the migration, the application server running on a UCS blade cannot discover the storage LUNs. The server's vHBA is configured correctly with the proper WWPN, and the zone set is active on the SAN switches. The engineer checks the UCS Manager and sees that the vHBA is down. Which action should the engineer take to resolve the issue?

A.Upgrade UCS Manager to the latest version to fix a known bug.
B.Verify that the uplink Fibre Channel ports on the fabric interconnects are configured to allow VSAN 400.
C.Reboot the server blade to force re-discovery of the storage.
D.Recreate the vHBA in the service profile with a different WWPN.
Answer: B

The FC uplink ports must be members of the VSAN for traffic to pass.

Why this answer

Option B is correct because the vHBA being down indicates no Fibre Channel connectivity. The most likely cause is that the FC uplink ports on the fabric interconnects are not configured to allow VSAN 400. Option C is not appropriate because rebooting the server does not address the underlying connectivity issue. Option D is unnecessary and would require re-zoning. Option A is an escalation step not justified without evidence of a bug.

975
MCQ (easy)

A network engineer is configuring device access control for Cisco NX-OS switches. The requirement is to use a protocol that separates authentication, authorization, and accounting, and encrypts all communication except the header. Which solution meets this requirement?

A.RADIUS
B.LDAP
C.SSH
D.TACACS+
Answer: D

TACACS+ encrypts entire packet except header and separates AAA functions.

Why this answer

TACACS+ is the correct choice because it separates authentication, authorization, and accounting (AAA) into distinct processes, and it encrypts the entire packet body, leaving only the standard TACACS+ header unencrypted. This meets the requirement for a protocol that provides granular AAA control with encrypted communication, unlike RADIUS which does not encrypt the full payload.

Exam trap

Cisco often tests the misconception that RADIUS encrypts all communication because it uses a shared secret, but in reality RADIUS only encrypts the password field, not the entire payload, making TACACS+ the correct choice for full-packet encryption beyond the header.

How to eliminate wrong answers

Option A (RADIUS) is wrong because it combines authentication and authorization into a single process, does not separate them, and only encrypts the password field in the Access-Request packet, leaving other attributes like username and accounting data in cleartext. Option B (LDAP) is wrong because it is a directory access protocol used for querying and modifying directory services, not an AAA protocol; it does not natively separate authentication, authorization, and accounting, nor does it encrypt all communication beyond the header by default. Option C (SSH) is wrong because it is a secure transport protocol for remote CLI access and file transfer, not an AAA protocol; it does not provide separate authentication, authorization, and accounting functions as a service.
