Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 76–150

500 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
MCQ · medium

A company is deploying FCoE in their data center. The design includes a Cisco Nexus 9000 switch with FEX modules. The storage team insists on using dedicated FCoE VLANs. Which best practice should be followed to ensure lossless behavior for FCoE traffic?

A. Configure traffic shaping on FCoE interfaces
B. Use the same VLAN for FCoE and IP traffic to reduce VLAN count
C. Disable flow control on all interfaces
D. Enable PFC on the switch for the FCoE VLAN
Answer: D

PFC provides lossless behavior for the CoS used by FCoE.

Why this answer

Option D is correct because FCoE requires lossless transport to prevent frame drops that could corrupt Fibre Channel frames. Priority Flow Control (PFC), defined in IEEE 802.1Qbb, enables pause frames on a per-priority basis, allowing the FCoE VLAN to be configured with a dedicated priority class that receives no-drop treatment. On Cisco Nexus 9000 switches, this is achieved by enabling PFC on the specific VLAN used for FCoE traffic, ensuring lossless behavior without affecting other traffic classes.

Exam trap

Cisco often tests the misconception that flow control (IEEE 802.3x) is sufficient for FCoE, but the trap here is that standard link-level flow control pauses all traffic on the link, whereas PFC provides granular per-priority lossless handling required for FCoE.

How to eliminate wrong answers

Option A is wrong because traffic shaping is a rate-limiting mechanism that smooths bursts but does not guarantee lossless delivery; FCoE relies on PFC for per-priority pause, not shaping. Option B is wrong because using the same VLAN for FCoE and IP traffic would mix lossless and lossy traffic, causing congestion and frame drops for FCoE; dedicated FCoE VLANs are a best practice to isolate lossless traffic. Option C is wrong because disabling flow control entirely removes the ability to pause traffic, which would cause FCoE frames to be dropped under congestion, violating the lossless requirement.

77
Multi-Select · medium

An engineer is designing a SAN for a virtualized environment. Which two best practices should be followed for Fibre Channel zoning?

Select 2 answers
A. Use single-initiator zoning.
B. Use multiple initiators in a single zone.
C. Use soft zoning exclusively.
D. Disable zoning for performance.
E. Zone by WWPN rather than WWNN.
Answers: A, E

Simplifies troubleshooting and improves security.

Why this answer

Single-initiator zoning (also known as one-to-one zoning) is a best practice because it restricts each Fibre Channel zone to exactly one initiator (host HBA) and one or more target ports. This eliminates the risk of RSCN storms propagating across multiple initiators, reduces fabric instability, and simplifies troubleshooting by ensuring clear, predictable paths between each host and its storage.

Exam trap

Cisco often tests the misconception that soft zoning is sufficient for security, but the trap here is that soft zoning only filters name server queries and does not prevent a device from directly addressing another device's port if it knows the Fibre Channel address.

78
MCQ · hard

In a Cisco Application Centric Infrastructure (ACI) fabric, a tenant has two EPGs: Web and App. A contract is created between Web (consumer) and App (provider) with a filter that permits TCP port 8080 (the only port used by the application). However, traffic from App to Web is failing. The application requires bidirectional communication: Web initiates requests to App on TCP 8080, and App responds on the same connection (stateful). The engineer verifies that the filter is correctly applied and that both EPGs are in the same VRF. The contract is applied in the direction Web -> App. What is the most efficient way to resolve this issue without compromising security?

A. Verify that no higher-priority contract is overriding; if not, the issue is elsewhere.
B. Set the contract to 'allow any' between the EPGs to bypass filtering.
C. Create a second contract from App to Web with the same filter, and apply it to App as consumer and Web as provider.
D. Modify the existing filter to allow TCP 8080 from App to Web as well.
Answer: C

This adds the reverse direction explicitly, allowing return traffic.

Why this answer

In Cisco ACI, contracts are unidirectional by default. Even though the filter permits TCP 8080 from Web to App, the return traffic from App to Web is not implicitly allowed because ACI does not perform stateful inspection for TCP connections; it relies on explicit contract rules for each direction. Option C correctly creates a second contract from App (consumer) to Web (provider) with the same filter, allowing the bidirectional communication required for the application's stateful TCP session without over-permitting.

Exam trap

Cisco often tests the misconception that ACI contracts are stateful like a firewall, leading candidates to assume return traffic is automatically allowed; the trap here is that ACI requires explicit contracts for each direction, even for TCP connections.

How to eliminate wrong answers

Option A is wrong because the issue is not about contract priority; the filter is correctly applied and no override is needed—the fundamental problem is the lack of a return direction contract. Option B is wrong because setting the contract to 'allow any' would bypass all security filtering, violating the principle of least privilege and unnecessarily exposing the EPGs. Option D is wrong because modifying the existing filter to allow TCP 8080 from App to Web would still not create a contract in the reverse direction; filters are applied per contract direction, and without a contract from App to Web, the filter change has no effect.

79
MCQ · medium

Refer to the exhibit. A network engineer notices that the VPC peer status is down, and the peer-keepalive is not reachable. Based on the configuration, what is the likely issue?

A. The peer-link port-channel10 has VLAN 100-110 allowed, but the peer-keepalive uses a separate VLAN.
B. The peer-keepalive destination must be on the management VRF.
C. The VPC domain priority should be lower.
D. The peer-keepalive source and destination are swapped.
Answer: B

Nexus requires the peer-keepalive to be sent via the management VRF, which is not specified here. The command should include 'vrf management'.

Why this answer

The peer-keepalive link must be routed via the management VRF to ensure it remains independent of the data-plane and peer-link state. If the peer-keepalive destination is not in the management VRF, the keepalive packets may be dropped or unreachable, causing the VPC peer status to remain down. The configuration shown likely omits the 'vrf member management' under the peer-keepalive configuration, or the destination IP is not reachable through the management interface.

Exam trap

Cisco often tests the requirement that peer-keepalive must use the management VRF (or a dedicated VRF) and not rely on the peer-link or any data VLAN, leading candidates to incorrectly focus on VLAN allowed lists or priority values instead of the VRF configuration.

How to eliminate wrong answers

Option A is wrong because the peer-link port-channel VLAN allowed list does not affect peer-keepalive reachability; peer-keepalive uses a separate Layer 3 path (typically management VRF) and is not dependent on the VLANs allowed on the peer-link. Option C is wrong because the VPC domain priority determines which switch is the primary for role election, not the peer-keepalive status; a lower priority would not fix an unreachable peer-keepalive destination. Option D is wrong because swapping the source and destination IP addresses would still result in an unreachable path if the destination is not in the correct VRF; the core issue is the VRF mismatch, not the direction of the addresses.

80
Multi-Select · medium

An engineer is configuring a storage network with FCoE and must ensure that the FCoE traffic does not interfere with standard LAN traffic. Which two mechanisms should be implemented?

Select 2 answers
A. Use the same VLAN for FCoE and LAN.
B. Disable flow control on FCoE VLAN.
C. Enable PFC on the FCoE VLAN.
D. Assign FCoE traffic to a dedicated VLAN.
E. Use jumbo frames for LAN traffic only.
Answers: C, D

Provides lossless Ethernet.

Why this answer

Option C is correct because FCoE requires lossless transport to prevent frame drops that would corrupt Fibre Channel frames. Priority Flow Control (PFC), defined by IEEE 802.1Qbb, enables pause frames on a per-priority basis, allowing the FCoE VLAN to be configured as lossless while standard LAN traffic remains best-effort. This ensures FCoE traffic does not interfere with LAN traffic by isolating the flow control behavior.

Exam trap

The trap here is that candidates often think disabling flow control (Option B) is necessary to avoid interference, but FCoE actually requires flow control (PFC) to be enabled, and the key is to isolate it to a dedicated VLAN.

81
MCQ · hard

A CCNP engineer is troubleshooting a UCS environment where a server is stuck in the 'Discovery: In Progress' state. The chassis has been power-cycled, but the issue persists. The FEX fabric port is configured correctly. What is the most likely cause?

A. Incorrect IP address on the Fabric Interconnect management interface.
B. Firmware version mismatch between the server's CIMC and the Fabric Interconnect.
C. The chassis is not connected to the FI via a valid fabric cable.
D. The server's service profile is not associated.
Answer: B

CIMC firmware must match the FI's supported version for discovery to complete.

Why this answer

When a server is stuck in 'Discovery: In Progress' state and the chassis has been power-cycled with correct FEX fabric port configuration, the most likely cause is a firmware version mismatch between the server's Cisco Integrated Management Controller (CIMC) and the Fabric Interconnect (FI). During discovery, the FI attempts to inventory and manage the server via CIMC; if the firmware versions are incompatible, the discovery process cannot complete, leaving the server in a perpetual 'In Progress' state.

Exam trap

Cisco often tests the misconception that a server stuck in discovery is due to a physical connectivity issue (Option C) or a service profile association problem (Option D), when in fact the root cause is a firmware version mismatch that prevents the FI from completing the inventory handshake.

How to eliminate wrong answers

Option A is wrong because the Fabric Interconnect management interface IP address is used for out-of-band management access (e.g., SSH, GUI) and does not affect server discovery, which occurs over the fabric data path. Option C is wrong because the chassis is already connected to the FI via a valid fabric cable (as stated in the question), and power-cycling the chassis would have resolved any transient connectivity issues. Option D is wrong because a service profile association is required for the server to be operational, but the server must first complete discovery before it can be associated; being stuck in discovery prevents association, not the other way around.

82
MCQ · easy

Which of the following is a required characteristic of an FCoE SAN?

A. Jumbo frames must be enabled.
B. Spanning Tree Protocol must be disabled.
C. Link aggregation (LACP) is required.
D. Lossless Ethernet (PFC) must be enabled.
Answer: D

FCoE requires no-drop (lossless) transport.

Why this answer

FCoE (Fibre Channel over Ethernet) requires a lossless Ethernet fabric to prevent frame drops, which would corrupt Fibre Channel frames. Priority Flow Control (PFC), defined in IEEE 802.1Qbb, enables lossless operation by pausing traffic on individual CoS queues, ensuring no-drop behavior for FCoE traffic. Without PFC, standard Ethernet's best-effort delivery would cause frame loss, breaking FCoE's reliability requirements.

Exam trap

Cisco often tests the misconception that jumbo frames are mandatory for FCoE, but the actual required characteristic is lossless Ethernet via PFC, as jumbo frames are optional and only improve efficiency.

How to eliminate wrong answers

Option A is wrong because jumbo frames are not a required characteristic of an FCoE SAN; while they can improve efficiency by reducing per-frame overhead, FCoE can operate with a standard 1500-byte MTU, and the mandatory requirement is lossless Ethernet via PFC. Option B is wrong because Spanning Tree Protocol (STP) does not have to be disabled for FCoE; FCoE can run over STP-enabled networks, and although dedicated FCoE SANs often use designs such as vPC or FabricPath that avoid STP for faster convergence, disabling STP is not a mandatory characteristic. Option C is wrong because link aggregation (LACP) is not required for FCoE; FCoE can operate over single links or port channels, and while LACP can provide redundancy and bandwidth, it is not a prerequisite for FCoE functionality.

83
Multi-Select · medium

Which TWO statements about the VXLAN BGP EVPN control plane are true? (Choose two.)

Select 2 answers
A. The underlay network provides IP connectivity between VTEPs
B. BGP EVPN advertises MAC addresses and IP addresses as routes
C. VXLAN encapsulates Ethernet frames in IP packets using MPLS labels
D. VXLAN uses a 32-bit network identifier (VNI)
E. The control plane is responsible for actual data forwarding
Answers: A, B

Underlay routing (e.g., IS-IS, OSPF) enables VTEP-to-VTEP reachability.

Why this answer

Option A is correct because the VXLAN underlay network (typically an IP-based fabric using protocols like OSPF or IS-IS) provides IP connectivity between VTEPs, enabling them to encapsulate and decapsulate VXLAN packets. Without this underlay reachability, VTEPs cannot communicate, making it a foundational requirement for VXLAN operation. Option B is correct because BGP EVPN distributes endpoint MAC and IP reachability as BGP routes (EVPN Type-2 MAC/IP advertisements), so VTEPs learn remote endpoints through the control plane rather than by flooding.

Exam trap

Cisco often tests the distinction between the 24-bit VNI (VXLAN Network Identifier) and the 32-bit VXLAN segment ID used in some older documentation, leading candidates to mistakenly select a 32-bit identifier.

84
MCQ · hard

In a Cisco ACI fabric, the administrator notices that traffic between two endpoints in different EPGs but on the same leaf switch is being dropped when a contract is applied. The endpoints are in the same VRF but different bridge domains. What is the likely cause?

A. The VRF is not configured correctly.
B. The bridge domains are not in the same network.
C. The leaf switch is missing a route to the destination.
D. The contract does not allow communication between those EPGs.
Answer: D

Contracts must explicitly permit inter-EPG traffic.

Why this answer

In Cisco ACI, inter-EPG communication is governed by contracts. Even when endpoints reside on the same leaf switch, same VRF, and different bridge domains, traffic is dropped unless a contract explicitly permits the communication between the source and destination EPGs. The contract defines the filter (e.g., IP protocol, ports) and the direction (provider/consumer) required for traffic to flow.

Exam trap

Cisco often tests the misconception that endpoints in the same VRF can always communicate, but in ACI, contracts override Layer 3 reachability, and candidates mistakenly blame routing or subnet mismatches instead of the missing contract.

How to eliminate wrong answers

Option A is wrong because the VRF configuration is irrelevant; both endpoints are in the same VRF, and the issue is not about VRF reachability but about policy enforcement. Option B is wrong because bridge domains can be in different subnets; ACI routes between them using the VRF, and the contract is the gatekeeper, not the subnet. Option C is wrong because the leaf switch does not need a separate route; ACI uses a distributed anycast gateway and the leaf already has the endpoint's location learned via COOP, so routing is not the issue.

85
MCQ · medium

A storage network engineer notices high buffer credit starvation counters on an inter-switch link. What is the most effective solution to reduce this issue?

A. Change the ISL port mode from E to F.
B. Reduce the ISL speed to 1 Gbps.
C. Increase the number of buffer credits on the ISL.
D. Enable QoS to prioritize buffer credit recovery.
Answer: C

More buffer credits accommodate longer distances and reduce starvation.

Why this answer

Buffer credit starvation indicates that the link has too few credits for its distance. Option C is correct because adding buffer credits on the ISL allows more frames in flight, which reduces starvation. Option A is wrong because ISL ports should be E ports, not F ports.

Option B is wrong because reducing the speed may not help. Option D is wrong because QoS can prioritize traffic but cannot increase credits.

86
Matching · medium

Match each Cisco data center high availability feature to its description.


Descriptions

First-hop redundancy for default gateway

Multi-chassis link aggregation with loop prevention

Transparent interconnection of lots of links (TRILL-based)

Non-Stop Forwarding during supervisor switchover

Stateful Switchover for control plane redundancy

Why these pairings

These features ensure network resilience in data centers.

87
MCQ · easy

Refer to the exhibit. What is the intended effect of this Ansible playbook task?

A. It deletes VLAN 10 from all switches.
B. It saves the running configuration to startup.
C. It reboots the Nexus switches after applying the configuration.
D. It ensures VLAN 10 exists with the name 'Automation_VLAN' on the target switches.
Answer: D

The nxos_config module pushes the provided lines, ensuring they are present.

Why this answer

The Ansible playbook task uses the `cisco.nxos.nxos_vlans` module with the `state: merged` directive, which ensures that the specified VLAN configuration (VLAN 10 with name 'Automation_VLAN') is present on the target Nexus switches. If VLAN 10 does not exist, it will be created; if it exists with a different name, it will be updated. The `merged` operation does not delete or reboot; it only applies the configuration to align the device's state with the playbook's desired state.

Exam trap

Cisco often tests the distinction between `merged`, `replaced`, `overridden`, and `deleted` states in Ansible modules, and the trap here is that candidates mistakenly associate any configuration task with a reboot or save operation, or assume `merged` implies deletion of existing configuration.

How to eliminate wrong answers

Option A is wrong because the `state: merged` operation adds or updates configuration, not deletes; deleting VLANs would require `state: absent` or a separate task. Option B is wrong because saving the running configuration to startup is not part of the `nxos_vlans` module; it would require a separate task using `cisco.nxos.nxos_config` with `save_when: always` or the `nxos_command` module to issue `copy running-config startup-config`. Option C is wrong because rebooting switches is not an action of the `nxos_vlans` module; a reboot would require a task using `nxos_reboot` or `nxos_command` with a reload command, and the `merged` state does not trigger any reboot.

88
MCQ · easy

An engineer needs to isolate storage traffic for different departments using Fibre Channel switches. Which technology should be used?

A. Zoning
B. Trunking
C. NPV (N-Port Virtualization)
D. VSAN (Virtual SAN)
Answer: D

VSANs create separate Fibre Channel fabrics for isolation.

Why this answer

VSAN (Virtual SAN) is the correct technology because it allows the engineer to create multiple isolated virtual SANs on a single physical Fibre Channel fabric. Each VSAN operates as an independent SAN with its own fabric services, security policies, and traffic isolation, enabling different departments to have dedicated storage traffic without interference.

Exam trap

Cisco often tests the distinction between zoning and VSANs, where candidates mistakenly believe that zoning alone provides full traffic isolation, but zoning only controls device communication within a single VSAN and does not isolate fabric services or management domains.

How to eliminate wrong answers

Option A is wrong because zoning only controls which devices can communicate within a single VSAN, but does not provide the complete isolation of fabric services and traffic that is required for separate departments. Option B is wrong because trunking in Fibre Channel refers to carrying multiple VSANs over a single ISL (Inter-Switch Link), not to isolating storage traffic for different departments. Option C is wrong because NPV (N-Port Virtualization) is used to aggregate multiple N-Ports into a single physical link to reduce domain IDs in a fabric, not to isolate traffic between departments.

89
MCQ · easy

An administrator wants to ensure that a specific initiator can only access a single target LUN. Which zoning approach satisfies this requirement?

A. Use LUN zoning to map the initiator to a specific LUN ID.
B. Implement soft zoning based on domain IDs.
C. Configure a zone with the initiator WWPN and the target WWPN.
D. Place the initiator and target in different VSANs.
Answer: A

LUN zoning restricts access to a specific LUN on the target.

Why this answer

LUN zoning restricts access to specific LUNs. Option A is correct. Option C is wrong because WWPN zoning allows access to all LUNs on the target.

Option D is wrong because VSANs separate traffic but do not restrict LUNs. Option B is wrong because soft zoning is not enforced.

90
MCQ · hard

Refer to the exhibit. A server connected to Ethernet1/1 is experiencing intermittent connectivity. The server sends BPDUs, causing the switch to place the port into a blocking state. Which configuration change should be made to prevent this while maintaining rapid convergence?

A. Add 'spanning-tree guard loop' to the interface.
B. Remove the 'spanning-tree port type edge trunk' command and configure 'spanning-tree port type normal'.
C. Add 'spanning-tree bpdufilter enable' on the interface.
D. Change the port type to 'spanning-tree port type network trunk'.
Answer: C

BPDU filter on an edge port prevents the switch from sending/receiving BPDUs, maintaining edge status.

Why this answer

Option C is correct because enabling BPDU filter on the interface prevents the switch from processing BPDUs received from the server, which stops the port from being placed into a blocking state due to BPDU reception. This maintains rapid convergence because the port remains configured as an edge port (spanning-tree port type edge trunk), allowing it to transition directly to forwarding without spanning-tree negotiation.

Exam trap

Cisco often tests the distinction between BPDU guard and BPDU filter, where candidates mistakenly choose BPDU guard (which errdisables the port) instead of BPDU filter (which silently ignores BPDUs) when the goal is to maintain connectivity while preventing spanning-tree disruption.

How to eliminate wrong answers

Option A is wrong because 'spanning-tree guard loop' is not a valid command; the correct command is 'spanning-tree guard loopguard', which prevents alternate or root ports from becoming designated in the absence of BPDUs, but does not address BPDUs received from a server causing blocking. Option B is wrong because removing 'spanning-tree port type edge trunk' and configuring 'spanning-tree port type normal' would cause the port to participate in spanning-tree convergence, potentially leading to blocking states and slower convergence, not solving the issue of BPDUs from the server. Option D is wrong because 'spanning-tree port type network trunk' is used for ports connected to other switches (network-facing) and would cause the port to participate in spanning-tree, likely resulting in blocking when BPDUs are received from the server, and it does not prevent the issue.

91
MCQ · easy

A network engineer is implementing QoS on a Nexus 9000 switch. The requirement is to prioritize storage traffic (iSCSI) and ensure lossless behavior. Which queuing strategy should be applied to the egress interface?

A. Tail drop with DSCP-based classification.
B. Weighted Round Robin (WRR) with three queues.
C. Priority Flow Control (PFC) with a no-drop queue for iSCSI.
D. Policing at the ingress and marking at the egress.
Answer: C

PFC enables lossless Ethernet by pausing traffic when buffers are full.

Why this answer

Option C is correct because Priority Flow Control (PFC) is the IEEE 802.1Qbb mechanism designed to provide lossless behavior for specific traffic classes, such as iSCSI storage traffic, on Nexus 9000 switches. By creating a no-drop queue for iSCSI, PFC uses pause frames on a per-priority basis to prevent buffer overflow, ensuring zero packet loss required by storage protocols.

Exam trap

Cisco often tests the misconception that any queuing or scheduling algorithm (like WRR or tail drop) can provide lossless behavior, but the trap here is that only PFC with a dedicated no-drop queue satisfies the strict no-loss requirement for storage traffic like iSCSI or FCoE.

How to eliminate wrong answers

Option A is wrong because tail drop is a simple congestion avoidance mechanism that drops packets indiscriminately when a queue is full, which cannot guarantee lossless behavior for iSCSI; DSCP-based classification alone does not prevent drops. Option B is wrong because Weighted Round Robin (WRR) is a scheduling algorithm that services multiple queues based on weights, but it does not provide per-priority pause or lossless guarantees; iSCSI requires a no-drop queue, not just weighted servicing. Option D is wrong because policing at the ingress drops excess traffic to enforce a rate limit, which contradicts the requirement for lossless behavior; marking at the egress only sets QoS markings and does not prevent drops.

92
MCQ · hard

Refer to the exhibit. A Python script is processing the response from NX-API. It attempts to extract the interface state using `response['ins_api']['outputs']['output']['body']['ROW_interface']['state']` but receives a KeyError. What is the most likely reason?

A. The 'output' key is a list, not a dictionary.
B. The JSON structure has an extra level 'TABLE_interface' before 'ROW_interface'.
C. The 'ins_api' key is nested inside another object.
D. The 'body' key is missing because the command failed.
Answer: B

Some NX-API outputs wrap rows in a table key; the script missed that level.

Why this answer

The NX-API response for interface commands includes a 'TABLE_interface' key that wraps the 'ROW_interface' key. The script attempts to access 'ROW_interface' directly under 'body', but the correct path is `response['ins_api']['outputs']['output']['body']['TABLE_interface']['ROW_interface']['state']`. Option B correctly identifies this missing intermediate level.

Exam trap

The trap here is that candidates assume the JSON path directly mirrors the CLI output structure, forgetting that NX-API wraps tabular data in an intermediate 'TABLE_' key that must be included in the dictionary traversal.

How to eliminate wrong answers

Option A is wrong because the 'output' key is a dictionary, not a list; if it were a list, the error would be a TypeError, not a KeyError. Option C is wrong because the 'ins_api' key is at the top level of the JSON response, not nested inside another object. Option D is wrong because if the command had failed, the 'body' key would still exist but contain an error message or be empty; a missing 'body' would cause a different error, not a KeyError on 'ROW_interface'.
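As an added example (not part of the question bank or of any Cisco code), the traversal this explanation describes in runnable form: the naive path from the question beside a parser that includes the TABLE_interface level, checks the NX-API status code before descending, and accepts ROW_interface as either a single dict or a list. The three responses are constructed, and the list-of-rows shape for multi-row output is an assumption about NX-API behaviour rather than something the question states.

```python
from __future__ import annotations

import json

# Constructed sample responses (not captured from a real switch). The shape
# follows the ins_api -> outputs -> output -> body -> TABLE_x -> ROW_x layout
# that the question describes; interface names and states are made up.
SAMPLE_SINGLE = json.dumps({
    "ins_api": {
        "type": "cli_show", "version": "1.0", "sid": "eoc",
        "outputs": {"output": {
            "input": "show interface ethernet1/1", "msg": "Success", "code": "200",
            "body": {"TABLE_interface": {"ROW_interface": {
                "interface": "Ethernet1/1", "state": "up"}}},
        }},
    }
})

# Assumption: when a command returns several rows, NX-API emits ROW_x as a list
# instead of a single dict, so a robust parser has to accept both shapes.
SAMPLE_MULTI = json.dumps({
    "ins_api": {
        "type": "cli_show", "version": "1.0", "sid": "eoc",
        "outputs": {"output": {
            "input": "show interface", "msg": "Success", "code": "200",
            "body": {"TABLE_interface": {"ROW_interface": [
                {"interface": "Ethernet1/1", "state": "up"},
                {"interface": "Ethernet1/2", "state": "down"},
            ]}},
        }},
    }
})

# Constructed failure case: the command was rejected, so there is no table.
SAMPLE_ERROR = json.dumps({
    "ins_api": {
        "type": "cli_show", "version": "1.0", "sid": "eoc",
        "outputs": {"output": {
            "input": "show interfce", "msg": "CLI execution error", "code": "400",
            "body": {},
        }},
    }
})


def naive_state(raw_json: str) -> str:
    """The traversal from the question, kept as-is: it skips the
    TABLE_interface level and therefore raises KeyError('ROW_interface')."""
    r = json.loads(raw_json)
    return r["ins_api"]["outputs"]["output"]["body"]["ROW_interface"]["state"]


def get_rows(response: dict, table: str) -> list[dict]:
    """Return the ROW_<table> entries under body as a list.

    Checks the NX-API status code first so a failed command surfaces as a
    clear error instead of a KeyError deep in the traversal, tolerates the
    dict-or-list shape of ROW_<table>, and names the missing key on failure.
    """
    output = response["ins_api"]["outputs"]["output"]
    if str(output.get("code")) != "200":
        raise RuntimeError(
            f"NX-API command failed: code={output.get('code')} msg={output.get('msg')!r}"
        )
    body = output.get("body") or {}
    table_key, row_key = f"TABLE_{table}", f"ROW_{table}"
    if table_key not in body:
        raise KeyError(f"{table_key!r} not under body; keys present: {sorted(body)}")
    rows = body[table_key].get(row_key, [])
    return [rows] if isinstance(rows, dict) else list(rows)


def interface_states(raw_json: str) -> dict[str, str]:
    """Map interface name -> state string from a 'show interface' reply."""
    rows = get_rows(json.loads(raw_json), "interface")
    return {row["interface"]: row["state"] for row in rows}


if __name__ == "__main__":
    print(interface_states(SAMPLE_SINGLE))   # {'Ethernet1/1': 'up'}
    print(interface_states(SAMPLE_MULTI))    # {'Ethernet1/1': 'up', 'Ethernet1/2': 'down'}
    try:
        naive_state(SAMPLE_SINGLE)
    except KeyError as exc:
        print("naive traversal failed with KeyError:", exc)
```

The status-code check is the part worth copying into automation scripts: a rejected command still returns a well-formed envelope, so a script that only guards against KeyError will misreport a failed command as a parsing bug.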

93
MCQ · easy

A network engineer is implementing port security on a Cisco Nexus 9000 switch to limit the number of MAC addresses learned on a single access port. The switchport is configured as follows:

interface Ethernet 1/2
  switchport mode access
  switchport port-security
  switchport port-security maximum 2
  switchport port-security violation shutdown
  switchport port-security mac-address sticky

After connecting two authorized devices, a third unauthorized device is connected, causing the port to enter the err-disabled state. The engineer needs to restore connectivity for the two authorized devices as quickly as possible, while maintaining the security posture. What is the best practice to recover the port automatically in the future?

A. Manually shut down and then no shutdown the interface to recover from err-disabled state.
B. Remove port-security configuration entirely to prevent future err-disables.
C. Configure 'errdisable recovery cause psecure-violation' to automatically recover the port after the configured interval.
D. Increase the maximum MAC address limit to 3 to accommodate the third device.
Answer: C

This automatically brings the port out of errdisabled state after a timer, maintaining security while enabling quick recovery.

Why this answer

Option C is correct because the 'errdisable recovery cause psecure-violation' command enables automatic recovery from the err-disabled state caused by a port-security violation. This allows the port to come back up after a default or configured interval (typically 300 seconds) without manual intervention, restoring connectivity for the two authorized devices while maintaining the security posture of limiting MAC addresses to two.

Exam trap

Cisco often tests the distinction between manual recovery (shut/no shut) and automatic recovery (errdisable recovery), and the trap here is that candidates may choose manual recovery as 'quickest' without realizing the question asks for automatic future recovery, or they may incorrectly think increasing the MAC limit is a valid security compromise.

How to eliminate wrong answers

Option A is wrong because manually shutting down and then no shutting the interface is a manual recovery method, not an automatic one, and does not address the requirement to recover the port automatically in the future. Option B is wrong because removing port-security configuration entirely eliminates the security posture, which contradicts the requirement to maintain security while restoring connectivity. Option D is wrong because increasing the maximum MAC address limit to 3 would allow the unauthorized device, violating the security policy and not maintaining the intended security posture.

94
MCQ · easy

A data center runs OSPF as the underlay for an EVPN-VXLAN fabric. The fabric includes two spine switches and eight leaf switches. After adding a new leaf switch, the network team notices that some EVPN routes are missing from the other leaves. The new leaf has established BGP EVPN sessions to both spines and the BGP sessions are up. The spines report receiving all routes from the new leaf, but the other leaves do not receive certain prefixes. The engineer checks the BGP configuration on the new leaf and sees the address-family l2vpn evpn is configured under router bgp. Which action should the engineer take to resolve the issue?

A. Check the new leaf's BGP router ID for uniqueness
B. Verify the new leaf has the address-family l2vpn evpn activated under the neighbor configuration
C. Ensure the new leaf's BGP next-hop-self is enabled
D. Verify the cluster ID on the route reflectors is consistent
Answer: B

The address-family must be activated under each neighbor to advertise routes.

Why this answer

The issue is that the new leaf has BGP EVPN sessions to both spines, but other leaves do not receive certain prefixes. Since the spines (acting as route reflectors) receive all routes from the new leaf but do not propagate them to other leaves, the most likely cause is that the address-family l2vpn evpn is not activated under the neighbor configuration on the new leaf. Without this activation, the new leaf does not advertise its EVPN routes to the spines, even though the BGP session is up and the address-family is configured globally under router bgp.

Exam trap

Cisco often tests the distinction between configuring the address-family globally under router bgp versus activating it under a specific neighbor, leading candidates to assume global configuration is sufficient.

How to eliminate wrong answers

Option A is wrong because a duplicate BGP router ID would cause session flapping or instability, not a selective missing of certain prefixes while the BGP sessions remain up. Option C is wrong because next-hop-self is not required in an EVPN-VXLAN fabric with an OSPF underlay; the spines (route reflectors) typically handle next-hop processing, and the issue is about route advertisement, not next-hop reachability. Option D is wrong because the cluster ID on route reflectors must be consistent to prevent loops, but inconsistent cluster IDs would cause all reflected routes to be affected, not just certain prefixes, and the spines are already receiving all routes from the new leaf.

95
MCQeasy

Which feature in UCS Manager allows centralized management of firmware policies across multiple chassis without creating a separate policy for each chassis?

A.Maintenance Policy
B.Firmware Policy
C.Host Firmware Package
D.Adapter Policy
AnswerB

Can be shared across many service profiles.

Why this answer

B is correct because a Firmware Policy in UCS Manager allows you to define a single firmware version and package that can be applied to multiple chassis or service profiles. This centralized approach eliminates the need to create a separate firmware policy for each chassis, as the policy is simply associated with the desired chassis or service profile templates.

Exam trap

Cisco often tests the distinction between a Firmware Policy (which defines the firmware version) and a Host Firmware Package (which is applied to a server within a service profile), causing candidates to confuse the scope of each object.

How to eliminate wrong answers

Option A is wrong because a Maintenance Policy controls the reboot behavior (e.g., immediate or user-acknowledged) during firmware updates, not the firmware version or package selection. Option C is wrong because a Host Firmware Package is used to specify the firmware bundle for a server (compute node) within a service profile, not for centralized management across multiple chassis. Option D is wrong because an Adapter Policy configures the properties of the virtual interface card (VIC) adapter, such as failover and offload settings, and has no role in firmware version management.

96
MCQhard

During a SAN performance analysis, a Fibre Channel link shows a high number of CRC errors. The link operates at 16 Gbps over a 10 km dark fiber. Which corrective action is least likely to resolve the issue?

A.Increase the buffer-to-buffer credit count on the link.
B.Replace the fiber cable with a single-mode fiber cable if multimode is used.
C.Clean all fiber connectors and inspect for damage.
D.Verify that the SFP+ optics match the fiber type and distance.
AnswerA

Buffer credits affect flow control, not physical errors.

Why this answer

CRC errors are usually caused by signal-integrity problems at the physical layer. Option A is least likely to help because buffer-to-buffer credits govern flow control, not bit errors on the link. Option D corrects a possible optics-to-fiber or distance mismatch. Option B can reduce attenuation on a 10 km run. Option C removes contamination and damaged connectors, a common source of CRC errors.

97
Multi-Selectmedium

Which three EVPN route types are essential for VXLAN EVPN operation in a typical data center fabric? (Choose three.)

Select 3 answers
A.Type-3 (Inclusive Multicast Ethernet Tag)
B.Type-2 (MAC/IP Advertisement)
C.Type-4 (Ethernet Segment)
D.Type-5 (IP Prefix Advertisement)
E.Type-1 (Ethernet Auto-Discovery)
AnswersA, B, D

Required for BUM traffic forwarding.

Why this answer

Type-3 (Inclusive Multicast Ethernet Tag) routes are essential for VXLAN EVPN because they enable BUM traffic replication across the underlay network by advertising the VNI and multicast group mapping, allowing VTEPs to join the correct multicast tree for flooding unknown unicast, broadcast, and multicast frames.

Exam trap

Cisco often tests the misconception that Type-1 and Type-4 are required for all VXLAN EVPN deployments, but they are only mandatory for multi-homing (EVPN-MH) or MPLS interworking, not for a typical single-homed data center fabric.

98
MCQhard

In an ACI fabric, an automation engineer needs to deploy tenant policies in an idempotent manner. Which approach is most aligned with best practices?

A.Use the REST API with POST method for each creation
B.Use Ansible with state: present in the cisco.aci collections
C.Write CLI scripts using expect or pexpect
D.Use Python SDK with a check-and-create loop
AnswerB

Ansible modules are idempotent and widely used in ACI automation.

Why this answer

Option B is correct because Ansible's `state: present` in the `cisco.aci` collection inherently provides idempotency: it checks the current state of the ACI object and only applies changes if the desired state differs, ensuring no duplicate or conflicting configurations. This aligns with best practices for automation, as it avoids manual error handling and guarantees consistent policy deployment without side effects.

Exam trap

The trap here is that candidates often assume any API-based approach (like REST POST or Python SDK) is inherently idempotent, but Cisco tests the understanding that true idempotency requires a declarative or state-checking mechanism, which Ansible's `state: present` provides out-of-the-box.

How to eliminate wrong answers

Option A is wrong because the REST API POST method is not idempotent by default; repeated POST requests create duplicate objects or cause errors unless the client implements explicit pre-checks, which violates the principle of idempotent deployment. Option C is wrong because CLI scripts using expect or pexpect are inherently non-idempotent; they rely on screen scraping and sequential commands, which can fail unpredictably due to timing issues or state changes, and they lack built-in state reconciliation. Option D is wrong because while a Python SDK with a check-and-create loop can achieve idempotency, it requires custom error handling and is less maintainable than using a declarative tool like Ansible, which abstracts the idempotency logic and is a recognized best practice in ACI automation.
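To make the idempotency point concrete, here is an added example (not from this question bank or from Cisco) of the declarative style the explanation describes: a playbook that uses `state: present` on `cisco.aci` modules. The APIC host, credentials, tenant and VRF names are placeholders; re-running the playbook against a fabric that already has these objects reports no changes instead of creating duplicates or failing.

```yaml
# Added example: idempotent tenant and VRF deployment with the cisco.aci collection.
# Host, credentials and object names are placeholders, not values from the page.
- name: Ensure tenant objects exist (safe to re-run)
  hosts: apic
  gather_facts: false
  vars:
    aci_login: &aci_login
      host: "{{ inventory_hostname }}"
      username: "{{ aci_username }}"
      password: "{{ aci_password }}"
      validate_certs: true          # keep certificate checking on in production
  tasks:
    - name: Ensure the tenant exists
      cisco.aci.aci_tenant:
        <<: *aci_login
        tenant: example_tenant      # placeholder name
        state: present              # create if missing, otherwise leave untouched
      delegate_to: localhost

    - name: Ensure the VRF exists inside the tenant
      cisco.aci.aci_vrf:
        <<: *aci_login
        tenant: example_tenant
        vrf: example_vrf            # placeholder name
        state: present
      delegate_to: localhost
```

Running the play twice should show `changed` on the first run and `ok` on the second; a module that reported `changed` every time would be the sign of a non-idempotent approach such as a bare REST POST.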

99
MCQeasy

An engineer needs to connect a new server to an existing FC SAN. The server is located 50 km away from the data center. Which technology should be used to extend the FC SAN over this distance?

A.iSCSI
B.FCIP
C.FCoE
D.Direct FC connection with 10km optics
AnswerB

FCIP is designed to extend FC over long distances using IP networks.

Why this answer

FCIP (Fibre Channel over IP) is the correct choice because it encapsulates Fibre Channel frames inside TCP/IP packets, enabling the extension of FC SANs over long distances (beyond the 10 km limit of standard optics) by leveraging existing IP WAN infrastructure. This allows the 50 km connection while preserving native Fibre Channel semantics and fabric services.

Exam trap

Cisco often tests the distinction between FC extension protocols (FCIP) and alternative storage protocols (iSCSI, FCoE), trapping candidates who confuse 'extending FC' with 'replacing FC' or who assume long-reach optics can overcome distance limits without protocol adaptation.

How to eliminate wrong answers

Option A (iSCSI) is wrong because it is a storage networking protocol that carries SCSI commands over IP networks, not Fibre Channel frames, so it cannot extend an existing FC SAN; it would require native iSCSI initiators and targets. Option C (FCoE) is wrong because it maps Fibre Channel over Ethernet but is limited to data center bridging (DCB) environments with a maximum reach of typically 10 km over dark fiber, not 50 km. Option D (Direct FC connection with 10km optics) is wrong because standard Fibre Channel optics (e.g., 10 km SFP+) cannot achieve a 50 km link; even long-reach optics (e.g., 40 km) are impractical without repeaters, and FC is not designed for such distances without protocol extension.

100
MCQhard

A company uses Cisco ISE for 802.1X authentication on data center edge switches. After a recent upgrade, some endpoints that previously authenticated successfully now fail. The ISE logs show the endpoint is in the wrong authorization profile. What is the most likely cause?

A.The switch port is in multi-authentication mode
B.The switch has incorrect RADIUS shared secret
C.The endpoint posture assessment is failing
D.The ISE policy is using a different identity source
AnswerC

Posture assessment can change the authorization result, assigning a restricted profile if requirements aren't met.

Why this answer

Option C is correct because a failing posture assessment can cause ISE to apply a different authorization profile (e.g., a quarantine or remediation profile) instead of the expected one, even though the endpoint previously authenticated successfully. Posture checks occur after 802.1X authentication and can change the authorization result based on endpoint compliance, which aligns with the symptom of the endpoint being in the wrong profile after an upgrade.

Exam trap

The trap here is that candidates often confuse authentication success with authorization success, overlooking that posture assessment is a separate step that can override the initial authorization profile, especially after an upgrade that changes posture requirements.

How to eliminate wrong answers

Option A is wrong because multi-authentication mode allows multiple endpoints on a single port with individual authentication, but it does not cause an endpoint to be placed in the wrong authorization profile; it affects how many devices can authenticate, not which profile is applied. Option B is wrong because an incorrect RADIUS shared secret would cause authentication failures (Access-Reject) or no response, not a successful authentication with the wrong authorization profile; the logs show the endpoint is in the wrong profile, not failing authentication. Option D is wrong because using a different identity source would typically result in authentication failure (if the endpoint is not found) or a different identity group, but the logs indicate the endpoint is in the wrong authorization profile, not that authentication succeeded with a different identity; the identity source affects who is authenticated, not the authorization profile directly.

101
MCQmedium

An MDS switch is configured with VSANs 100 and 200. The engineer wants to isolate traffic between two storage arrays on the same physical fabric. Which best practice should be applied?

A.Use zones within the same VSAN to separate arrays.
B.Place each array in a different VSAN.
C.Enable QoS to prioritize storage traffic.
D.Configure a port channel between the switches.
AnswerB

VSANs provide complete isolation.

Why this answer

Option B is correct because VSANs provide complete isolation of traffic at Layer 2, creating separate fabric topologies within the same physical infrastructure. Placing each storage array in a different VSAN ensures that Fibre Channel frames from one array never reach the other, even though they share the same MDS switch hardware. This is the recommended best practice for separating storage traffic that must not interact.

Exam trap

The trap here is that candidates confuse zoning with VSAN isolation, thinking that zones within a single VSAN provide the same level of separation, when in fact zones only restrict end-device communication while leaving fabric services and control traffic shared across the entire VSAN.

How to eliminate wrong answers

Option A is wrong because zones within the same VSAN only control which initiators can talk to which targets; they do not isolate broadcast traffic, fabric services, or control-plane frames, so the arrays would still share the same VSAN domain and could be affected by each other's events. Option C is wrong because QoS prioritizes traffic but does not provide isolation; it only manages bandwidth and latency, not security or Layer 2 separation. Option D is wrong because a port channel aggregates bandwidth and provides link-level redundancy between switches; it does not separate traffic between storage arrays on the same physical fabric.

102
MCQhard

Refer to the exhibit. A web server in VLAN 10 with IP 10.0.0.5 is experiencing connectivity issues. Clients from subnet 10.0.0.0/24 can access the server, but clients from other subnets cannot. What is the most likely cause?

A.The ACL is missing a permit for return traffic
B.The server's default gateway is incorrect
C.The ACL denies all traffic from other subnets
D.The ACL permits HTTP only from the local subnet
AnswerC

The ACL only permits traffic from 10.0.0.0/24; all other traffic is implicitly denied.

Why this answer

The exhibit shows an ACL applied to the VLAN 10 SVI that permits HTTP traffic only from the 10.0.0.0/24 subnet. Since clients from other subnets are denied, the ACL is explicitly blocking all traffic from those subnets, which matches option C. This is the most likely cause because the server is reachable from the local subnet but not from elsewhere, indicating a filtering issue rather than a routing or gateway problem.

Exam trap

Cisco often tests the concept that an ACL with a single permit statement implicitly denies all other traffic, and candidates may mistakenly think the issue is a missing return traffic permit or a default gateway problem instead of recognizing the ACL's implicit deny behavior.

How to eliminate wrong answers

Option A is wrong because the ACL is configured with an implicit deny at the end, but the issue is not about missing return traffic; the ACL explicitly permits only HTTP from the local subnet, so return traffic for permitted sessions would be allowed by the stateful nature of the ACL (if reflexive or with established keyword) or by the permit statement itself. Option B is wrong because if the server's default gateway were incorrect, clients from the local subnet (10.0.0.0/24) would also fail to reach the server, as they rely on the same gateway for Layer 3 forwarding. Option D is wrong because it describes the actual behavior but is not the root cause; the ACL permits HTTP only from the local subnet, which is the mechanism causing the issue, but the question asks for the most likely cause, which is that the ACL denies all traffic from other subnets (the implicit deny after the permit statement).

103
MCQeasy

A UCS administrator needs to deploy 20 identical servers with the same firmware, BIOS, and boot order. Which approach is the most efficient?

A.Use a UUID suffix pool to auto-generate identities.
B.Use a Cisco UCS Central 'Gold' template to deploy the servers.
C.Create a service profile template and then generate service profiles from it.
D.Create a service profile for each server manually.
AnswerC

Templates allow centralized management and quick deployment.

Why this answer

Creating a service profile template and then generating service profiles from it is the most efficient approach because it allows you to define the firmware, BIOS, and boot order once in a reusable template, then automatically create multiple service profiles with unique identities (e.g., UUID, MAC, WWN) for each of the 20 identical servers. This leverages Cisco UCS Manager's built-in template-to-instance workflow, ensuring consistency and reducing manual effort.

Exam trap

Cisco often tests the distinction between a service profile template (used to generate multiple instances) and a UUID suffix pool (a component that only handles identity generation), leading candidates to mistakenly choose the pool as a complete deployment solution.

How to eliminate wrong answers

Option A is wrong because a UUID suffix pool auto-generates only the UUID portion of a service profile's identity, but it does not address the need to deploy firmware, BIOS, and boot order settings across multiple servers; it is a component within a service profile, not a deployment method. Option B is wrong because Cisco UCS Central is a multi-domain management tool, not a mechanism for deploying individual server configurations within a single UCS domain; a 'Gold' template in UCS Central is used for policy-based configuration across domains, not for generating service profiles for local server deployment. Option D is wrong because creating a service profile for each server manually is inefficient and error-prone for 20 identical servers, as it requires repetitive configuration of the same firmware, BIOS, and boot order settings, defeating the purpose of automation.

104
MCQhard

An engineer is writing a Python script to automate ACI fabric discovery using the APIC SDK. The script needs to wait until the fabric formation is complete before proceeding. Which approach is most reliable?

A.Implement asynchronous callbacks using the SDK
B.Periodically poll the fabric membership state via REST API
C.Use the configExportP object to monitor discovery
D.Use time.sleep() for a fixed duration
AnswerB

Polling is reliable and adaptive to actual state changes.

Why this answer

Option B is correct because the most reliable method to wait for ACI fabric formation to complete is to periodically poll the fabric membership state via the REST API. The APIC SDK provides access to the fabric membership endpoint (e.g., /api/node/class/fabricNode.json), which returns the current state of each node. By polling this endpoint until all expected nodes report an 'active' or 'in-pod' status, the script can accurately determine when the fabric is fully formed, avoiding race conditions or incomplete discovery.

Exam trap

Cisco often tests the misconception that a fixed delay (time.sleep) or a configuration export object can reliably synchronize with asynchronous fabric discovery, when in fact only direct polling of the fabric membership state provides deterministic confirmation.

How to eliminate wrong answers

Option A is wrong because asynchronous callbacks in the APIC SDK are not designed for monitoring fabric discovery completion; they are typically used for event-driven notifications on specific object changes, not for polling the overall fabric formation state, and they may miss transient states or require complex setup. Option C is wrong because the configExportP object is used for exporting configuration snapshots, not for monitoring fabric discovery; it has no mechanism to indicate fabric formation status. Option D is wrong because using time.sleep() for a fixed duration is unreliable; fabric discovery time varies based on network conditions, hardware, and scale, so a fixed sleep may either waste time or proceed before discovery is complete, leading to script failures.
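The polling approach in the explanation, shown as an added example rather than code from the exam or from Cisco's SDK. It parses the JSON shape returned by `/api/node/class/fabricNode.json` (the `fabricSt` attribute of `fabricNode` objects), polls until every expected node ID reports `active`, and gives up after a bounded number of attempts so the script cannot hang forever. The node IDs and the sequence of responses are constructed to simulate a fabric discovering its nodes over three polls; in a real script the `fetch` callable would issue the authenticated REST call.

```python
"""Poll APIC fabric membership until every expected node is active.

Added example: uses constructed fabricNode.json payloads instead of a live APIC.
"""
import json
import time

# Constructed: the node IDs this fabric is expected to contain (one spine, two leaves).
EXPECTED_NODES = {"101", "102", "201"}


def parse_fabric_nodes(payload):
    """Return {node_id: fabricSt} from a /api/node/class/fabricNode.json body."""
    doc = json.loads(payload)
    states = {}
    for item in doc.get("imdata", []):
        attrs = item.get("fabricNode", {}).get("attributes", {})
        if "id" in attrs:
            states[attrs["id"]] = attrs.get("fabricSt", "unknown")
    return states


def missing_or_inactive(states, expected):
    """Expected node IDs that are absent or not yet 'active', sorted for stable output."""
    return sorted(n for n in expected if states.get(n) != "active")


def wait_for_fabric(fetch, expected, interval=5.0, max_polls=60, sleep=time.sleep):
    """Poll fetch() (returns fabricNode.json text) until all expected nodes are active.

    Returns (ok, polls_used, pending_nodes). Bounded by max_polls so a fabric that
    never converges produces a clear failure instead of an endless loop.
    """
    for attempt in range(1, max_polls + 1):
        pending = missing_or_inactive(parse_fabric_nodes(fetch()), expected)
        if not pending:
            return True, attempt, []
        if attempt < max_polls:
            sleep(interval)
    return False, max_polls, pending


def _node(node_id, name, role, state):
    """Build one fabricNode object in the APIC JSON shape (constructed data)."""
    return {"fabricNode": {"attributes": {
        "id": node_id, "name": name, "role": role, "fabricSt": state}}}


# Constructed responses: the spine appears first, then a leaf still inactive,
# then the whole fabric active.
SAMPLE_RESPONSES = [
    json.dumps({"imdata": [_node("201", "spine201", "spine", "active")]}),
    json.dumps({"imdata": [_node("201", "spine201", "spine", "active"),
                           _node("101", "leaf101", "leaf", "inactive")]}),
    json.dumps({"imdata": [_node("201", "spine201", "spine", "active"),
                           _node("101", "leaf101", "leaf", "active"),
                           _node("102", "leaf102", "leaf", "active")]}),
]


def make_fetcher(responses):
    """Return a fetch() that replays the responses, repeating the last one afterwards."""
    remaining = list(responses)
    last = responses[-1]

    def fetch():
        nonlocal last
        if remaining:
            last = remaining.pop(0)
        return last
    return fetch


def demo():
    """Run the poll loop against the constructed responses with no real sleeping."""
    return wait_for_fabric(make_fetcher(SAMPLE_RESPONSES), EXPECTED_NODES,
                           interval=0, max_polls=10)


if __name__ == "__main__":
    ok, polls, pending = demo()
    print(f"fabric formed: {ok} after {polls} polls, pending: {pending}")
```

The bounded loop is what separates this from a fixed `time.sleep()`: it proceeds as soon as the fabric is actually formed, and it reports exactly which nodes are still missing or inactive when it times out.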

105
MCQeasy

Which of the following is a benefit of using Fibre Channel over Ethernet (FCoE) in a data center?

A.It increases the maximum distance of Fibre Channel links.
B.It reduces cabling complexity by using a unified fabric.
C.It provides native Fibre Channel security.
D.It eliminates the need for zoning.
AnswerB

Convergence reduces cabling.

Why this answer

FCoE encapsulates Fibre Channel frames over Ethernet networks, allowing storage and data traffic to share the same physical infrastructure. This consolidation reduces cabling complexity and the number of required switches, adapters, and power/cooling overhead, which is the core benefit of a unified fabric.

Exam trap

Cisco often tests the misconception that FCoE eliminates Fibre Channel management features like zoning or security, when in fact it preserves them while only consolidating the physical transport layer.

How to eliminate wrong answers

Option A is wrong because FCoE does not increase the maximum distance of Fibre Channel links; native Fibre Channel can already reach up to 10 km (standard) or more with repeaters, while FCoE is typically limited to the same data center or campus Ethernet distance constraints (100 m for copper, up to 10 km with fiber). Option C is wrong because FCoE does not provide native Fibre Channel security; it inherits Ethernet security mechanisms (e.g., ACLs, 802.1AE MACsec) but does not include FC-SP (Fibre Channel Security Protocol) natively. Option D is wrong because FCoE still requires zoning (via ENode or FCoE-specific constructs like FCoE VLANs and FCoE Initialization Protocol) to control which initiators can access which targets, just as in native Fibre Channel.

106
Multi-Selecteasy

Which TWO of the following are required components for a Cisco ACI contract to allow communication between EPGs?

Select 2 answers
A.A filter that specifies the traffic parameters.
B.A subject that defines the filter.
C.A tenant.
D.A QoS class.
E.A VRF.
AnswersA, B

Filter defines allowed traffic.

Why this answer

Option A is correct because a filter in Cisco ACI defines the specific traffic parameters—such as IP protocol, source/destination ports, and EtherType—that are permitted or denied between EPGs. Without a filter, the contract has no criteria to match traffic, so communication cannot be allowed. Option B is correct because a subject binds one or more filters to a contract and specifies the direction (consumer-to-provider or bidirectional) in which the filter is applied, making it an essential component for the contract to function.

Exam trap

Cisco often tests the misconception that a tenant or VRF is a required component of a contract, when in fact the contract only requires a filter and a subject to define the traffic rules, while tenants and VRFs are separate constructs that provide logical isolation and routing context.

107
MCQmedium

A data center uses Cisco ACI with multiple tenants. The security policy requires that all traffic between EPGs must be explicitly allowed via contracts. However, the operations team reports that communication between two EPGs in the same bridge domain is working even though no contract is applied. What is the most likely reason?

A.The default behavior in ACI allows communication between EPGs in the same bridge domain without a contract
B.The contract is applied but not enforced due to a configuration error
C.The VRF has a default route that bypasses contract enforcement
D.A preferred group contract is applied to the VRF
AnswerA

ACI allows intra-BD communication by default; contracts are needed for inter-BD or inter-VRF traffic.

Why this answer

In Cisco ACI, the default behavior for EPGs within the same bridge domain (BD) is that they can communicate without a contract. This is because EPGs in the same BD share the same Layer 2 domain, and ACI does not enforce contract-based filtering for intra-BD traffic unless a contract is explicitly applied. The security policy requiring contracts applies only to inter-BD or inter-VRF traffic, not to intra-BD communication.

Exam trap

Cisco often tests the misconception that contracts are required for all EPG-to-EPG communication, but the trap here is that intra-BD traffic is an exception where no contract is needed by default.

How to eliminate wrong answers

Option B is wrong because if a contract were applied but not enforced due to a configuration error, the traffic would still be blocked or behave unpredictably, not consistently work; ACI enforces contracts at the leaf switch level, and a misconfiguration would typically cause a deny, not an allow. Option C is wrong because a default route in the VRF does not bypass contract enforcement; contracts are enforced at the EPG level regardless of routing, and a default route only affects Layer 3 forwarding, not policy enforcement. Option D is wrong because a preferred group contract would explicitly allow all traffic within the VRF, but the question states no contract is applied; a preferred group contract is a contract that must be explicitly configured, and its absence means it cannot be the reason.

108
MCQmedium

An organization is migrating from traditional SNMP monitoring to model-driven telemetry on their Nexus 9000 switches. They have configured a telemetry destination using gRPC and have defined sensor paths for interface statistics. After several hours, the collector (a Linux server running Telegraf) reports no data received. The engineer verifies that the switch can reach the collector via ICMP. On the switch, 'show telemetry data collector details' indicates the destination is 'connected', but the 'last data sent' timestamp is several hours old. Which action should the engineer take next?

A.Change the transport protocol from gRPC to HTTP
B.Reboot the switch to reset the telemetry process
C.Verify that the sensor paths are correct and that the data is being generated
D.Increase the telemetry sampling interval to reduce load
AnswerC

Most likely cause: sensor path not matching actual data.

Why this answer

The 'show telemetry data collector details' output shows the destination is 'connected' and the switch can reach the collector, ruling out network or connectivity issues. The stale 'last data sent' timestamp indicates the telemetry process is running but no data is being published, which typically means the configured sensor paths are not producing data—either because the paths are incorrect, the MIB objects are not supported, or the interfaces are not generating the expected statistics. Option C is correct because verifying the sensor paths and ensuring data generation addresses the root cause without unnecessary changes or reboots.

Exam trap

Cisco often tests the misconception that a 'connected' telemetry destination implies data is flowing, when in fact the connection state only reflects the gRPC session, not the subscription health—candidates may waste time on transport or connectivity fixes instead of verifying the sensor paths.

How to eliminate wrong answers

Option A is wrong because changing the transport protocol from gRPC to HTTP would not fix the issue; the problem is that no data is being sent, not that the transport is failing (the collector is reachable and the destination shows 'connected'). Option B is wrong because rebooting the switch is an extreme, unnecessary step that would disrupt operations and does not address the likely misconfiguration of sensor paths; the telemetry process is already running (destination 'connected'). Option D is wrong because increasing the sampling interval would reduce the frequency of data collection, but if no data is being generated at all, changing the interval will not cause data to appear—it would only delay the problem further.

109
MCQeasy

A Cisco MDS switch is connected to a Fibre Channel storage array and a host. The host cannot see the storage LUNs. The 'show flogi database' command on the MDS shows the host's WWPN, but the 'show fcns database' does not show the storage target. What is the most likely cause?

A.The zone configuration is incorrect.
B.The host and target are in different VSANs.
C.The storage target is not logged into the fabric.
D.The host is not in the name server database.
AnswerC

The 'show fcns database' shows only devices that have logged into the fabric; if the target is not logged in, it won't appear.

Why this answer

The 'show flogi database' command displays all devices that have completed the Fabric Login (FLOGI) process, which the host has done. However, the 'show fcns database' command lists only devices that have registered with the Fabric Name Server (via FDISC or FLOGI with PLOGI). Since the storage target is not in the name server database, it means the target has not logged into the fabric (or has not registered its FC-4 type/SCSI features), preventing the host from discovering its LUNs.

This is the most likely cause because the host can see its own WWPN in the FLOGI database but cannot see the target in the FCNS database.

Exam trap

Cisco often tests the distinction between FLOGI (physical login) and FCNS registration (name server entry), leading candidates to incorrectly assume that a device visible in 'show flogi database' must also be in the fabric name server database.

How to eliminate wrong answers

Option A is wrong because an incorrect zone configuration would still allow the host and target to appear in the FCNS database (zoning only restricts access, not registration); the issue is that the target is not even registered. Option B is wrong because if the host and target were in different VSANs, the host's FLOGI would not appear in the same VSAN's FLOGI database as the target's VSAN, but the host's WWPN is visible, implying they are in the same VSAN. Option D is wrong because the host is already in the name server database (as shown by the FLOGI entry, which typically triggers name server registration), so the problem is the target's absence, not the host's.

110
Multi-Selectmedium

Which TWO of the following are best practices when interconnecting two Cisco MDS 9700 directors via Fibre Channel ISLs?

Select 2 answers
A.Enable NPIV on the ISL ports to allow multiple FCIDs
B.Use Fibre Channel port channels to bundle multiple ISLs
C.Configure the ISL ports as trunking E_ports
D.Configure the ISL ports as F_ports to increase scalability
E.Use E_port configuration (not F_port) for inter-switch links
AnswersC, E

Trunking E_ports allow multiple VSANs on a single link.

Why this answer

Options C and E are correct. Configuring the ISL ports as trunking E_ports allows multiple VSANs over a single ISL, and E_ports (not F_ports) are the standard port type for inter-switch links.

Option B is incorrect because FC port channels are not used for ISLs (E_port trunking is used). Option A is incorrect: NPIV is used for host virtualization, not ISLs. Option D is incorrect: F_ports are for connecting hosts or targets.

111
MCQmedium

A network engineer is configuring a Fabric Extender (FEX) to connect to a parent switch. Which best practice should be followed for FEX host interfaces?

A.Configure all host interfaces as trunk ports.
B.Use the same FEX ID for redundancy.
C.Use LACP for the FEX uplinks.
D.Enable Virtual Port Channel (vPC) on the parent switch.
E.Disable spanning-tree on FEX host interfaces.
AnswerD

vPC provides active-active redundancy for FEX uplinks.

Why this answer

Enabling Virtual Port Channel (vPC) on the parent switch is a best practice for FEX host interfaces because it allows the FEX to be dual-homed to two separate parent switches, providing link-level redundancy and active-active forwarding. Without vPC, the FEX would rely on a single parent switch, creating a single point of failure and potentially causing traffic black-holing during a parent switch failure.

Exam trap

Cisco often tests the misconception that FEX uplinks require LACP or that FEX IDs can be shared for redundancy, when in fact FEX uplinks use static fabric channels and each FEX must have a unique ID.

How to eliminate wrong answers

Option A is wrong because configuring all host interfaces as trunk ports is not a best practice; FEX host interfaces should typically be configured as access ports or host-facing ports (using the 'switchport host' macro) to optimize STP and port-channel settings, and trunk ports are only needed if the downstream device requires multiple VLANs. Option B is wrong because using the same FEX ID for redundancy is not possible; each FEX must have a unique FEX ID to be properly identified by the parent switch, and redundancy is achieved through vPC or dual-homing, not by sharing IDs. Option C is wrong because LACP is not used for FEX uplinks; FEX uplinks use a proprietary fabric channel (FabricPortChannel) that does not support LACP, and the FEX-to-parent switch link is a static port-channel or individual fabric links.

Option E is wrong because disabling spanning-tree on FEX host interfaces is dangerous and not a best practice; while FEX host interfaces can use the 'spanning-tree portfast' feature to bypass listening/learning states, completely disabling spanning-tree would risk loops if a downstream device is misconfigured or a cable is looped.

112
Multi-Selecthard

An engineer is configuring a UCS server for VMware ESXi. The service profile must support NPIV for virtual machine SAN connectivity. Which two conditions must be met? (Choose two.)

Select 2 answers
A.The WWPN must be unique per virtual machine
B.The vHBA must be associated with a VSAN
C.The vHBA must be set to 'Fabric: A' only
D.The vHBA must be set to 'Fabric: dual' mode
E.The vHBA must be created with a fabric failover policy
AnswersA, B

NPIV assigns unique WWPNs to each VM for SAN access.

Why this answer

Option A is correct because NPIV (N_Port ID Virtualization) requires each virtual machine to have a unique World Wide Port Name (WWPN) so that the SAN fabric can distinguish and manage each VM's storage traffic independently. This allows multiple virtual machines to share a single physical HBA while each appears as a separate initiator to the SAN.

Exam trap

Cisco often tests the misconception that NPIV requires a fabric failover policy or dual-fabric mode, when in fact NPIV only requires unique WWPNs and proper VSAN association, with failover handled at the fabric level or by the hypervisor.

113
MCQ (easy)

An engineer needs to secure the management plane on a Cisco Nexus 9000 switch. Which feature should be configured to restrict access to the switch's management interface based on source IP?

A. Enable DHCP snooping on the management VLAN.
B. Enable port security on the management interface.
C. Configure AAA to require two-factor authentication.
D. Configure a management CoPP policy to rate-limit and permit only specific source IPs.
Answer: D

CoPP can filter management traffic to the switch.

Why this answer

Option D is correct because a management Control Plane Policing (CoPP) policy on a Cisco Nexus 9000 switch allows the engineer to explicitly permit or deny traffic destined to the management interface based on source IP addresses. CoPP applies QoS policies to control plane traffic, effectively restricting management plane access by rate-limiting or dropping packets from unauthorized sources before they reach the CPU.

Exam trap

Cisco often tests the distinction between data-plane security features (DHCP snooping, port security) and control-plane security mechanisms (CoPP), leading candidates to mistakenly choose a Layer 2 feature for a management plane access restriction question.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a Layer 2 security feature that filters untrusted DHCP messages and builds a binding database to prevent rogue DHCP servers; it does not restrict access to the management interface based on source IP. Option B is wrong because port security limits the number of MAC addresses allowed on a switchport and prevents MAC flooding attacks, but it operates at Layer 2 and cannot filter management plane access based on source IP addresses. Option C is wrong because AAA with two-factor authentication controls user authentication and authorization after a connection is established, but it does not restrict which source IPs can initiate a connection to the management interface.

114
MCQ (easy)

A Fibre Channel switch port is experiencing high latency due to insufficient buffer credits. What is the most likely cause?

A. CRC errors on the fibre optic cable
B. High oversubscription ratio on the port
C. Long-distance link between switches
D. VSAN ID mismatch between end devices
Answer: C

Correct: Long-distance links require more buffer credits to maintain throughput.

Why this answer

Option C is correct because buffer credits are used to manage the flow of frames across long-distance links, and a long link needs more credits in flight to keep the pipe full. Option B is incorrect because oversubscription affects bandwidth, not buffer credits. Option A is incorrect because CRC errors indicate data corruption, not credit starvation. Option D is incorrect because a VSAN mismatch prevents communication altogether rather than adding latency.

115
MCQ (medium)

Ansible playbook that deploys VLANs on NX-OS fails on a particular switch with 'privilege escalation required'. What should be checked first?

A. The 'host_key_checking' setting
B. The 'ansible_become_password' or 'enable' password in the playbook
C. The 'ansible_user' variable
D. The inventory file syntax
Answer: B

This is required for privilege escalation on NX-OS.

Why this answer

Privilege escalation on NX-OS typically requires an enable password, so a missing or wrong 'ansible_become_password' is the first thing to check. Option B is the correct parameter. Option C is the SSH user. Option A controls host key checking. Option D concerns inventory syntax.

116
MCQ (medium)

A server connected to Ethernet1/1 is unable to communicate on VLAN 1. The server is configured to send untagged frames. Based on the exhibit, what is the most likely cause?

A. The spanning-tree port type edge trunk is causing BPDU guard to block the port.
B. The port is in err-disabled state due to a loop.
C. VLAN 1 is not allowed on the trunk, so untagged frames are dropped.
D. The port is administratively down.
Answer: C

Untagged frames are placed in native VLAN 1, but VLAN 1 is not in the allowed list.

Why this answer

The server sends untagged frames, which are placed into the native VLAN of the trunk port. By default, the native VLAN is VLAN 1. However, if VLAN 1 is explicitly removed from the allowed VLAN list on the trunk (e.g., with 'switchport trunk allowed vlan remove 1'), the switch will drop all frames belonging to that VLAN, including untagged frames that would otherwise be classified into VLAN 1.

This matches the exhibit where the port is configured as a trunk but VLAN 1 is not allowed, causing the server's traffic to be dropped.

Exam trap

Cisco often tests the misconception that untagged frames are always allowed on a trunk port, but the trap here is that the native VLAN must be explicitly permitted in the allowed VLAN list; otherwise, untagged frames are dropped even if the port is up and configured as a trunk.

How to eliminate wrong answers

Option A is wrong because spanning-tree port type edge trunk enables PortFast and BPDU guard on a trunk, but BPDU guard would only block the port if a BPDU is received, not because of VLAN 1 untagged traffic. Option B is wrong because the port is not in err-disabled state; the exhibit shows the port is up/up, and a loop would cause a different error condition like a spanning-tree loop or err-disable due to a loop guard violation. Option D is wrong because the port is administratively up; the exhibit shows the port status as 'connected' or 'up/up', not 'administratively down'.

117
MCQ (easy)

A data center network uses VXLAN EVPN for network virtualization. Which component is responsible for advertising MAC addresses and host routes across the fabric?

A. Static routing.
B. MP-BGP EVPN address family.
C. OSPF.
D. VXLAN VTEP.
Answer: B

MP-BGP EVPN is the control plane for VXLAN EVPN.

Why this answer

In a VXLAN EVPN fabric, the MP-BGP EVPN address family (AFI L2VPN / SAFI EVPN) is the control plane protocol that distributes MAC addresses, IP-to-MAC bindings, and host routes (Type-2 routes) across all VTEPs. This enables each VTEP to build its forwarding table dynamically without relying on data-plane learning or flooding, ensuring optimal east-west traffic forwarding.

Exam trap

Cisco often tests the distinction between the data-plane function (VTEP encapsulation) and the control-plane function (MP-BGP EVPN), so the trap here is that candidates mistakenly think the VTEP itself advertises MAC addresses, when in fact it relies on MP-BGP EVPN for that role.

How to eliminate wrong answers

Option A is wrong because static routing is a manual configuration method that cannot dynamically advertise MAC addresses or host routes across a VXLAN EVPN fabric; it lacks the control-plane intelligence needed for EVPN route distribution. Option C is wrong because OSPF is an interior gateway protocol (IGP) designed for IPv4/IPv6 unicast routing, not for advertising Layer 2 MAC addresses or EVPN-specific routes like Type-2 or Type-3. Option D is wrong because a VXLAN VTEP is a data-plane endpoint that encapsulates/decapsulates VXLAN frames; it does not itself advertise MAC addresses or host routes—that function is performed by the control plane (MP-BGP EVPN).

118
Multi-Select (easy)

Which TWO of the following Fibre Channel port types are used to connect end devices such as hosts or storage?

Select 2 answers
A. FL port
B. E port
C. N port
D. F port
E. NP port
Answers: C, D

N port is on the end device.

Why this answer

Port types: the N port (on the host or storage device) and the F port (the switch port facing that device) are the two ends of an end-device connection. An E port is used for ISLs, an NP port for NPV, and an FL port for loop devices. Options C and D are correct; options A, B, and E are incorrect.

119
MCQ (hard)

Refer to the exhibit. An engineer applies this QoS policy to a Cisco Nexus 9000 switch in a data center. After applying the policy, storage traffic (iSCSI) is experiencing high latency and occasional drops. The engineer verifies that the iSCSI traffic is not matching the 'BulkData' class. What is the most likely cause of the issue?

A. The policy-map does not specify a priority queue for latency-sensitive traffic.
B. The policy-map is applied at the system level, but iSCSI traffic is not classified under any class-map.
C. The bandwidth percent for class-default is too low, causing iSCSI to be starved.
D. The class-map 'BulkData' does not match the correct traffic because the match statement uses qos-group instead of dscp.
Answer: A

iSCSI requires low latency; without a priority queue, it competes with other traffic.

Why this answer

The correct answer is A because iSCSI is a latency-sensitive storage protocol that requires a strict priority queue to ensure low latency and minimal jitter. Without a priority queue configured in the policy-map, iSCSI traffic competes with other traffic classes on a best-effort basis, leading to high latency and drops even if it is not matching the 'BulkData' class.

Exam trap

Cisco often tests the misconception that simply classifying traffic into a class-map is sufficient, but the trap here is that without a priority queue, latency-sensitive traffic like iSCSI will still suffer from high latency and drops even if correctly classified.

How to eliminate wrong answers

Option B is wrong because the policy-map is applied at the system level, but iSCSI traffic not being classified under any class-map would cause it to fall into class-default, not directly cause high latency if bandwidth is properly allocated. Option C is wrong because the bandwidth percent for class-default being too low would affect all default traffic equally, but the issue is specifically with iSCSI latency and drops, not starvation. Option D is wrong because the class-map 'BulkData' uses a match statement that is irrelevant to iSCSI traffic; the issue is not about incorrect matching but the lack of a priority queue for latency-sensitive traffic.

120
Multi-Select (medium)

Which TWO of these are best practices for securing the Cisco ACI fabric?

Select 2 answers
A. Use security domains to control RBAC.
B. Use in-band management for APIC connectivity.
C. Enable certificate-based authentication for APIC access.
D. Leave default passwords for fabric discovery.
E. Place APIC controllers in a DMZ.
Answers: A, C

Security domains isolate tenant administration.

Why this answer

Security domains in Cisco ACI provide role-based access control (RBAC) by partitioning the fabric into logical groups, allowing administrators to restrict user permissions to specific tenants, EPGs, or policies. This is a core best practice to enforce least-privilege access and prevent unauthorized configuration changes across the fabric.

Exam trap

Cisco often tests the misconception that in-band management is acceptable for APIC connectivity, but the correct practice is to use out-of-band management to keep APIC traffic separate from the data plane and reduce attack surface.

121
MCQ (hard)

During a security audit, you discover that a Cisco Nexus 9000 switch is allowing traffic between two ports in the same VLAN despite having a VLAN ACL that should deny it. The VACL is applied correctly, and the ACL entries are properly configured. What is the most likely reason for this behavior?

A. VACLs only filter traffic between VLANs, not within the same VLAN.
B. The VACL requires Layer 3 inspection to be enabled.
C. The switch does not support hardware VACL processing.
D. Spanning-tree is bypassing the VACL for PortFast ports.
Answer: A

VACLs filter inter-VLAN traffic; intra-VLAN traffic is not affected.

Why this answer

VLAN ACLs (VACLs) operate at Layer 2 and filter traffic entering or leaving a VLAN, but they only apply to traffic that crosses VLAN boundaries (i.e., inter-VLAN routing). Traffic between two ports within the same VLAN is bridged at Layer 2 and never traverses the VACL enforcement point, so the ACL entries have no effect on intra-VLAN communication. This is a fundamental design limitation of VACLs on Cisco Nexus switches.

Exam trap

Cisco often tests the misconception that VACLs filter all traffic within a VLAN, when in fact they only apply to traffic crossing VLAN boundaries, leading candidates to overlook the intra-VLAN limitation.

How to eliminate wrong answers

Option B is wrong because VACLs do not require Layer 3 inspection; they are applied at Layer 2 and filter based on MAC addresses, IP addresses, or other fields without needing routing or Layer 3 forwarding. Option C is wrong because the Cisco Nexus 9000 series fully supports hardware-based VACL processing using TCAM, and this is not a limitation that would cause the described behavior. Option D is wrong because Spanning Tree Protocol (STP) and PortFast do not bypass VACLs; PortFast only accelerates the transition to forwarding state and does not affect ACL enforcement.

122
Multi-Select (medium)

Which TWO security features rely on the DHCP snooping binding table? (Select exactly 2)

Select 2 answers
A. Port Security
B. IP Source Guard
C. Private VLANs
D. Dynamic ARP Inspection
E. MACsec
Answers: B, D

IP Source Guard uses the DHCP snooping binding to permit only valid IP/MAC addresses.

Why this answer

IP Source Guard (IPSG) uses the DHCP snooping binding table to validate the source IP address of packets received on untrusted ports. It drops any packet whose source IP does not match an entry in the binding table, preventing IP spoofing attacks. Dynamic ARP Inspection (DAI) also relies on the DHCP snooping binding table to validate ARP packets, ensuring that the sender MAC and IP addresses match a legitimate binding, thereby blocking ARP poisoning attacks.

Exam trap

Cisco often tests the dependency of IP Source Guard and Dynamic ARP Inspection on the DHCP snooping binding table, and the trap here is that candidates confuse Port Security or MACsec as features that also rely on DHCP snooping, when in fact they operate independently.

123
Drag & Drop (medium)

Arrange the steps to configure a port-channel (LAG) on a Cisco Nexus switch.

Why this order

Port-channel creation involves interface creation, mode setting, member addition, and verification.

124
MCQ (hard)

A large enterprise uses Cisco Nexus 5548UP switches in FCoE mode. The storage array is connected via native FC to an MDS 9700. The FCoE switches are connected to the MDS via FC uplinks. Recently, the storage team deployed a new FCoE initiator that requires access to a specific LUN. After configuring the zone and VSAN, the initiator cannot discover the target. The zone includes the pWWN of the target and the FCoE initiator's pWWN (derived from its MAC address). The initiator is in VSAN 100, and the target is in the same VSAN. The 'show flogi database' output on the MDS shows the initiator. The 'show fcoe database' output on the Nexus shows the initiator, but the session is not active (state: FIP-VN_Port not logged in). The engineer checks the FIP snooping policy and notices that the FCoE VLAN-to-VSAN mapping is correct. What is the most likely issue?

A. The MDS does not have a route to the FCoE initiator's VSAN
B. The FCoE initiator is not using the correct VN_Port MAC address
C. The FIP snooping policy is blocking the FLOGI
D. The FCoE NPV is not enabled on the Nexus
Answer: C

FIP snooping uses ACLs to enforce zoning; if misconfigured, it can drop FLOGI frames.

Why this answer

The FCoE initiator appears in the FCoE database but is not logged in, indicating the FLOGI is being dropped. The FIP snooping policy on the Nexus switch may be blocking the FLOGI traffic because the initiator's MAC address is not in the allowed FCoE MAC list or the policy is misconfigured. Incorrect VN_Port MAC would prevent FCoE database entry, NPV is not required for FCoE native mode, and routing is not an issue within the same VSAN.

125
MCQ (easy)

Which command displays the VLANs allowed on a trunk interface?

A. show running-config interface
B. show vlan
C. show interface switchport
D. show interface trunk
Answer: D

This command directly shows trunk status and allowed VLANs.

Why this answer

The 'show interface trunk' command displays trunk parameters, including the VLANs allowed on the trunk interface. This command shows the trunking mode, encapsulation (e.g., 802.1Q), and the allowed VLAN list for each trunk port. It is the direct command to verify which VLANs are permitted on a specific trunk link.

Exam trap

The trap here is that candidates often confuse 'show interface switchport' (which shows trunking status and native VLAN) with 'show interface trunk' (which shows the allowed VLAN list), leading them to choose option C instead of D.

How to eliminate wrong answers

Option A is wrong because 'show running-config interface' displays the running configuration for an interface, which may include the 'switchport trunk allowed vlan' command if configured, but it does not show the dynamic or negotiated allowed VLAN list, and it is not the standard command to view active trunk parameters. Option B is wrong because 'show vlan' displays VLAN information and which ports are members of each VLAN, but it does not show the allowed VLAN list on a trunk interface; it shows access VLAN membership. Option C is wrong because 'show interface switchport' displays administrative and operational switchport modes, including trunking status, but it does not show the allowed VLAN list; it shows the native VLAN and trunk encapsulation but not the permitted VLANs.

126
MCQ (hard)

A data center uses FCoE on Nexus 9000 switches. The storage team reports inconsistent performance during peak times. Queuing drops are seen on the FCoE-enabled interfaces. Which QoS configuration change would best address the issue?

A. Enable WRED on the FCoE class
B. Increase MTU on the FCoE VLAN
C. Ensure sufficient buffer allocation for the no-drop class
D. Increase the number of pause frames on the no-drop class
Answer: C

Correct: Allocating more buffers to the no-drop class prevents drops.

Why this answer

In FCoE networks, lossless behavior is required for storage traffic, which is enforced by priority flow control (PFC) on the no-drop class. Queuing drops on FCoE-enabled interfaces indicate that the no-drop class is experiencing buffer exhaustion under congestion. Increasing buffer allocation for the no-drop class ensures that FCoE frames are not dropped, maintaining the lossless fabric required by Fibre Channel over Ethernet.

Exam trap

Cisco often tests the misconception that pause frames alone guarantee lossless delivery, but the trap is that insufficient buffer allocation for the no-drop class will still cause drops under burst conditions, regardless of pause frame configuration.

How to eliminate wrong answers

Option A is wrong because WRED (Weighted Random Early Detection) is a congestion avoidance mechanism for drop-tolerant traffic (e.g., best-effort), and enabling it on the FCoE no-drop class would cause random drops, violating the lossless requirement of FCoE. Option B is wrong because increasing MTU on the FCoE VLAN does not address queuing drops caused by buffer congestion; FCoE already uses jumbo frames (typically 2500 bytes), and MTU changes affect frame size, not buffer allocation or drop behavior. Option D is wrong because increasing the number of pause frames on the no-drop class would not solve buffer exhaustion; pause frames are used by PFC to signal backpressure, but if the buffer is already full, additional pause frames cannot prevent drops—proper buffer sizing is needed to absorb bursts.

127
Multi-Select (hard)

Which THREE statements about Cisco UCS Manager automation using XML API are correct? (Choose three.)

Select 3 answers
A. Operations can be made idempotent by using the 'dn' (distinguished name) to specify the exact object.
B. The XML API is based on a management information model (MIT) similar to ACI.
C. The API uses XML for both request and response payloads.
D. The API uses SNMP for configuration changes.
E. The UCS Manager XML API uses RESTful JSON format.
Answers: A, B, C

Idempotency is achieved by targeting specific objects.

Why this answer

Option A is correct because the Cisco UCS Manager XML API allows operations to be idempotent by using the 'dn' (distinguished name) attribute to target a specific managed object. When you include the 'dn' in an XML request, the operation applies only to that exact object, so repeating the same request produces the same result without side effects. This is a key design principle of the management information model (MIT) that ensures predictable and safe automation.

Exam trap

Cisco often tests the distinction between XML-based APIs (like UCS Manager) and RESTful JSON APIs (like Cisco DNA Center or ACI REST API), so the trap here is assuming that UCS Manager uses JSON or SNMP for configuration, when it strictly uses XML over HTTP/HTTPS.

128
MCQ (hard)

A data center architect is designing security for a Cisco ACI fabric that must comply with PCI DSS. The requirement is to encrypt all traffic between EPGs within the same tenant. Which solution should be used?

A. Enable port security on the leaf switch interfaces.
B. Use a contract with the 'encrypt' flag enabled between the EPGs.
C. Create separate VRFs for each EPG and route traffic through a firewall.
D. Configure a site-to-site VPN between the leaf switches.
Answer: B

ACI contracts support encryption enforcement using MACsec or IPsec.

Why this answer

Option B is correct because Cisco ACI supports encryption of traffic between EPGs within the same tenant using a contract with the 'encrypt' flag enabled. This leverages the ACI fabric's built-in capability to apply AES-based encryption (e.g., AES-256-GCM) at the leaf switch level, ensuring data confidentiality for PCI DSS compliance without requiring external devices or complex routing changes.

Exam trap

The trap here is that candidates may assume encryption requires an external firewall or VPN, but Cisco ACI natively supports contract-based encryption using MACsec, which is the correct and simplest solution for intra-tenant EPG traffic encryption.

How to eliminate wrong answers

Option A is wrong because port security on leaf switch interfaces controls MAC address flooding and prevents MAC spoofing, but it does not provide any encryption of traffic between EPGs. Option C is wrong because creating separate VRFs and routing through a firewall adds complexity and potential latency, but it does not inherently encrypt traffic within the ACI fabric; encryption would require additional VPN or IPsec configuration on the firewall, which is not a native ACI solution. Option D is wrong because a site-to-site VPN between leaf switches is not a supported or practical configuration in ACI; VPNs are designed for inter-site or remote connectivity, not for intra-fabric EPG-to-EPG traffic encryption.

129
MCQ (medium)

You are a data center engineer at a financial company. The production environment uses UCS B-Series blades with fabric interconnects in a clustered configuration. One of the blades (blade 3) is running a critical trading application. The server is associated with a service profile that boots from SAN using a single HBA path. During a routine network upgrade, the storage administrator reports that LUN 0 on the primary storage array is no longer accessible from blade 3. The server is still powered on, but the application is unresponsive. You check UCS Manager and see that the vHBA for blade 3 is in an 'Unavailable' state. The fabric interconnect ports show no errors. The storage array logs show that the target port is active. Which action should you take to restore connectivity with minimal downtime?

A. Change the boot policy to use a secondary LUN on the same array
B. Unassign and reassign the vHBA's WWPN from the pool in the service profile
C. Reset the fabric interconnect to restore cluster state
D. Reboot the server to force re-initialization of the HBA
Answer: B

This forces the fabric to re-establish zoning and access.

Why this answer

The vHBA being in an 'Unavailable' state while the fabric interconnect ports and storage target are healthy indicates a WWPN (World Wide Port Name) conflict or corruption at the fabric level. Unassigning and reassigning the vHBA's WWPN from the pool forces UCS Manager to generate a new WWPN and re-login to the SAN fabric, re-establishing the Fibre Channel session without requiring a server reboot or service profile re-association, minimizing downtime for the critical trading application.

Exam trap

Cisco often tests the misconception that a vHBA 'Unavailable' state requires a server reboot or fabric interconnect reset, when in fact the solution is to reassign the WWPN from the pool to resolve fabric login issues without disrupting the server's power state.

How to eliminate wrong answers

Option A is wrong because changing the boot policy to use a secondary LUN does not resolve the vHBA's 'Unavailable' state; the issue is at the HBA fabric login level, not the LUN path, and the application is already unresponsive due to lost connectivity. Option C is wrong because resetting the fabric interconnect would disrupt all blades and storage traffic in the cluster, causing widespread downtime, and the logs show no port errors or cluster state issues, so this is an unnecessary and destructive action. Option D is wrong because rebooting the server would force a re-initialization of the HBA, but it would still use the same problematic WWPN, likely resulting in the same 'Unavailable' state, and it would cause application downtime that can be avoided with a WWPN reassignment.

130
Multi-Select (hard)

Which TWO are valid methods to configure a Cisco UCS service profile for stateless computing? (Choose two.)

Select 2 answers
A. Create a service profile from a template
B. Use boot from SAN to store OS images
C. Assign persistent WWPNs to vHBAs
D. Configure local storage on the blade
E. Update the service profile template and re-apply to existing profiles
Answers: A, E

A derived template inherits settings that can be updated centrally.

Why this answer

Option A is correct because creating a service profile from a template is a core method for stateless computing in Cisco UCS. Stateless computing abstracts hardware identity (e.g., WWPNs, MAC addresses, UUIDs) from physical blades, allowing a service profile to be applied to any compatible blade without reconfiguration. Templates enable rapid, consistent deployment of these stateless profiles across multiple servers.

Exam trap

Cisco often tests the distinction between a method to configure a service profile (e.g., using a template) versus a specific attribute or feature within a profile (e.g., persistent WWPNs or boot from SAN), leading candidates to confuse configuration methods with profile properties.

131
MCQ (easy)

An engineer notices that a Fibre Channel link between two Cisco MDS 9000 series switches is flapping every few minutes. The interface counters show a high number of CRC errors. What is the most likely cause of this issue?

A. NPV mode enabled on the switch
B. Incorrect zoning configuration
C. Faulty SFP or optical cable
D. VSAN mismatch between switches
Answer: C

CRC errors point to physical layer problems.

Why this answer

CRC errors on a Fibre Channel link indicate physical-layer corruption of frames, typically caused by faulty optics, dirty or damaged fiber cables, or marginal signal integrity. Flapping occurs because the link repeatedly fails to maintain proper synchronization due to excessive bit errors, triggering port reset or re-initialization. A faulty SFP or optical cable directly introduces noise or attenuation that corrupts the data stream, leading to CRC errors and link instability.

Exam trap

Cisco often tests the distinction between physical-layer issues (CRC errors, flapping) and logical/configuration issues (VSAN mismatch, zoning, NPV), tempting candidates to select a configuration-based answer when the symptoms clearly point to a hardware fault.

How to eliminate wrong answers

Option A is wrong because NPV (N_Port Virtualization) mode is a switch feature that allows a switch to act as a proxy for end devices, reducing domain IDs; it does not cause physical-layer CRC errors or link flapping. Option B is wrong because incorrect zoning configuration affects which devices can communicate (access control) but does not introduce bit errors or physical-layer corruption on the link. Option D is wrong because a VSAN mismatch between switches prevents the link from coming up at all (the port will be isolated or disabled), not cause intermittent flapping with CRC errors.

132
MCQ (easy)

Refer to the exhibit. The TACACS+ server at 10.1.1.1 is unreachable. What will happen when a user tries to authenticate to the switch using SSH?

A. Authentication will use the local user database as a fallback.
B. Authentication will be denied immediately.
C. Authentication will be attempted against the TACACS+ server repeatedly until timeout.
D. Authentication will be attempted against the TACACS+ server without fallback because 'fallback-to-local' is not configured.
Answer: A

The 'local' keyword provides fallback.

Why this answer

When the TACACS+ server at 10.1.1.1 is unreachable, the switch will fall back to the local user database for authentication because the 'fallback-to-local' feature is enabled by default in Cisco IOS/IOS-XE for TACACS+ configurations. This behavior ensures that administrative access is not completely blocked if the remote AAA server becomes unavailable, allowing authentication against locally configured usernames and passwords.

Exam trap

Cisco often tests the misconception that 'fallback-to-local' must be explicitly configured for TACACS+ fallback to work, when in reality the fallback is determined by the order of methods in the AAA authentication command, and 'local' as a subsequent method provides the fallback automatically.

How to eliminate wrong answers

Option B is wrong because authentication is not denied immediately; Cisco switches are designed to attempt fallback mechanisms to maintain availability. Option C is wrong because the switch does not repeatedly attempt TACACS+ authentication until timeout; instead, it will fail over to the local database after a single failed attempt or after the server is marked dead. Option D is wrong because 'fallback-to-local' is enabled by default for TACACS+ in Cisco IOS/IOS-XE, so even without explicit configuration, the switch will use the local database as a fallback when the TACACS+ server is unreachable.

133
MCQ (hard)

Refer to the exhibit. An engineer is creating a service profile template in Cisco UCSM. What is the effect of setting the vnet to 'VM_Network' for vNIC_A?

A. The VM_Network VLAN is a pre-defined FCoE VLAN for storage traffic.
B. The vNIC_A will be placed in VLAN 1 (default) if VM_Network does not exist.
C. The VM_Network VLAN will be created automatically as a standard VLAN.
D. The VM_Network VLAN must be previously defined in the global VLAN database.
Answer: D

UCS requires VLANs to be defined globally before they can be assigned to vNICs.

Why this answer

Option D is correct because UCS requires that any VLAN referenced by a vNIC already exist in the global VLAN database. Option C is false because VLANs are not created automatically; they must be defined manually beforehand. Option B is false because if the VLAN does not exist, the vNIC will not come up. Option A is false because VM_Network is a typical naming convention for data VLANs, not FCoE.

134
MCQ (easy)

A network engineer is designing a Cisco HyperFlex cluster for a virtualized environment. The cluster will run VDI workloads. Which storage policy should be selected to ensure that all VMs have the highest possible performance while maintaining data redundancy?

A. Triple replication with RAID 5 parity
B. Erasure coding with deduplication
C. Dual replication with deduplication and compression
D. No replication with compression
Answer: C

Dual replication provides redundancy, deduplication and compression reduce capacity consumption, and caching maintains performance.

Why this answer

For VDI workloads in a Cisco HyperFlex cluster, the storage policy must balance performance and data redundancy. Dual replication with deduplication and compression provides the highest performance by using two copies of data (mirroring) for redundancy, while deduplication and compression reduce storage overhead without the write penalty of parity-based schemes. This avoids the performance degradation of RAID 5 parity or erasure coding, which are unsuitable for latency-sensitive VDI.

Exam trap

Cisco often tests the misconception that erasure coding or RAID parity is always better for space efficiency, but in VDI scenarios, the write penalty of these methods makes dual replication the correct choice for performance-sensitive workloads.

How to eliminate wrong answers

Option A is wrong because triple replication with RAID 5 parity introduces significant write overhead and latency due to parity calculations, which is detrimental to VDI performance. Option B is wrong because erasure coding, while space-efficient, imposes a high computational and I/O penalty on writes, making it unsuitable for the random write-heavy nature of VDI workloads. Option D is wrong because no replication provides zero data redundancy, violating the requirement for data protection in a production VDI environment.

135
MCQ (hard)

A company has two data centers connected via a WAN link using an FCIP tunnel between two Cisco MDS 9700 switches. The FCIP link is configured on a GigabitEthernet port with an MTU of 1500 bytes and uses IPSec for encryption. Recently, storage replication traffic has become slow, and the administrator notices high TCP retransmissions on the FCIP interface. The administrator checks the bandwidth utilization and sees it is only 50% of the link capacity. The storage arrays report no errors or performance issues on their local switches. The administrator also verifies that the FCIP profile is configured correctly and that compression is enabled but not causing any errors. What is the most likely cause of the TCP retransmissions?

A. The WAN link has packet loss due to a duplex mismatch.
B. IPSec encryption introduces too much overhead.
C. The FCIP profile is configured with compression that is causing delays.
D. The TCP window size is too small for the latency.
Answer: A

Duplex mismatch causes errors and retransmissions, even at moderate utilization.

Why this answer

High TCP retransmissions indicate packet loss. A duplex mismatch between the MDS switch and the WAN router can cause packet loss, even if bandwidth utilization is moderate. Option D is correct.

Option A would cause low throughput without retransmissions. Option B adds overhead but typically does not cause retransmissions. Option C (compression) can add delay but not packet loss.

136
Multi-Select (hard)

Which three actions can be taken when a port security violation occurs? (Choose three.)

Select 3 answers
A. Shutdown
B. Restrict
C. Protect
D. Errdisable recovery
E. Log
Answers: A, B, C

Disables the port in errdisable state.

Why this answer

When a port security violation occurs, the switch can be configured to take one of three actions: shutdown, restrict, or protect. The shutdown action (A) immediately disables the port and places it in an errdisable state, which is the default behavior. This is correct because it provides the most secure response by completely blocking traffic from the violating MAC address.

Exam trap

Cisco often tests the distinction that errdisable recovery is a recovery mechanism, not a violation action, and that logging is a behavior of restrict, not a separate configurable action.

137
MCQ (medium)

An engineer needs to deploy a new UCS C-Series standalone server in a remote branch without local IT staff. Which technology allows remote firmware upgrade and hardware monitoring without requiring a dedicated management IP?

A. Cisco Integrated Management Controller (CIMC) GUI
B. UCS Manager
C. Data Center Network Manager (DCNM)
D. Cisco Intersight
Answer: D

Intersight can manage C-Series servers remotely via device connector.

Why this answer

Cisco Intersight is a cloud-based management platform that provides out-of-band management for UCS C-Series standalone servers without requiring a dedicated management IP address. It uses a device connector embedded in the CIMC to establish a secure connection to the Intersight cloud, enabling remote firmware upgrades, hardware monitoring, and lifecycle management over the internet. This eliminates the need for a separate management network or local IT staff at the remote branch.

Exam trap

Cisco often tests the distinction between traditional out-of-band management (CIMC GUI requiring a dedicated IP) and cloud-based management (Intersight using a device connector without a dedicated IP), leading candidates to incorrectly choose CIMC GUI for remote management scenarios.

How to eliminate wrong answers

Option A is wrong because the CIMC GUI requires a dedicated management IP address to be accessed locally or remotely, which contradicts the requirement of not needing a dedicated management IP. Option B is wrong because UCS Manager is designed for managing UCS B-Series blade servers and fabric interconnects in a centralized domain, not for standalone C-Series servers, and it also requires a dedicated management IP. Option C is wrong because Data Center Network Manager (DCNM) is a network management tool for Cisco Nexus switches and ACI fabrics, not for UCS server management or firmware upgrades.

138
Drag & Drop (medium)

Sequence the steps to configure a Cisco UCS Fabric Interconnect (FI) for the first time.


Why this order

Initial FI setup involves IP assignment, cluster mode, user creation, uplink config, and verification.

139
MCQ (hard)

In a multipath Fibre Channel SAN, which component is responsible for selecting the active path for I/O operations?

A. The storage target
B. The Fibre Channel switch
C. The fabric name server
D. The initiator (host HBA and multipath driver)
Answer: D

Multipath software on the host decides which path to use.

Why this answer

In a multipath Fibre Channel SAN, the initiator (host HBA and multipath driver) is responsible for selecting the active path for I/O operations. The multipath driver, such as Cisco MDS N-Port Virtualization or native OS multipathing (e.g., Linux DM-Multipath), uses path selection policies (e.g., round-robin, least-queued, or active/passive) to choose the path for each I/O request. The storage target, switch, and fabric name server do not make per-I/O path decisions; they only provide connectivity or discovery services.

Exam trap

Cisco often tests the misconception that the Fibre Channel switch or storage array controls path selection, but in reality, the initiator's multipath driver is the sole decision-maker for active I/O paths.

How to eliminate wrong answers

Option A is wrong because the storage target (LUN or array controller) presents logical units but does not select the active path for I/O; it responds to commands sent by the initiator. Option B is wrong because the Fibre Channel switch forwards frames based on destination addresses and does not perform per-I/O path selection; it is unaware of multipath policies. Option C is wrong because the fabric name server provides device discovery and address resolution (e.g., FCNS queries) but does not participate in I/O path selection.

140
MCQ (hard)

An ACI fabric administrator wants to enable microsegmentation for workloads in a Virtual Routing and Forwarding (VRF) instance. The security policy must allow communication between two endpoints based on their EPG (Endpoint Group) membership, regardless of IP address. Which construct must be used?

A. Contract with filter and subject
B. vzAny
C. VRF
D. Bridge Domain (BD)
Answer: A

Contracts in ACI define allowed traffic between EPGs based on filters.

Why this answer

A contract with a filter and subject is required to enable microsegmentation in ACI because it defines the explicit rules for communication between EPGs. The contract specifies which EPGs can talk to each other, the filter defines the L4/L7 parameters (e.g., protocol, ports), and the subject binds the filter to the contract, allowing policy enforcement regardless of IP address. This is the only construct that supports EPG-based security policies for intra-VRF microsegmentation.

Exam trap

Cisco often tests the misconception that vzAny or the VRF itself can replace a contract for EPG-to-EPG microsegmentation, but the trap is that vzAny is a global policy object and the VRF is only a routing context—neither provides the granular, EPG-specific permit/deny rules that a contract with filter and subject enforces.

How to eliminate wrong answers

Option B (vzAny) is wrong because vzAny is a special object that represents all endpoints in a VRF, used to apply contracts to all EPGs at once, but it does not enable microsegmentation between specific EPGs based on their membership; it is a shortcut for global policy, not a granular EPG-to-EPG rule. Option C (VRF) is wrong because a VRF is a Layer 3 routing and forwarding domain that isolates traffic at the network layer, but it does not contain security policy constructs; contracts and EPGs are applied within a VRF, not by the VRF itself. Option D (Bridge Domain) is wrong because a Bridge Domain defines a Layer 2 forwarding boundary and subnet configuration, but it has no role in security policy enforcement; microsegmentation is a Layer 3+ policy function handled by contracts, not BDs.

141
Multi-Select (hard)

Which THREE components are required to successfully use NETCONF for configuration automation on a Nexus 9000 switch?

Select 3 answers
A. The NX-API must be enabled as a fallback
B. SSH connectivity must be established to the switch
C. The NETCONF agent must be enabled via 'feature netconf' configuration
D. YANG models must be installed or supported for the target configurations
E. The switch must be running the NX-OS Essentials license
Answers: B, C, D

NETCONF uses SSH as its transport protocol (RFC 6242).

Why this answer

B is correct because NETCONF operates over SSH as its transport protocol (RFC 6242), so SSH connectivity to the switch is mandatory for establishing the NETCONF session. Without SSH, the NETCONF client cannot connect to the NETCONF server running on the Nexus 9000.

Exam trap

Cisco often tests the misconception that NX-API is a prerequisite or fallback for NETCONF, but in reality they are independent automation interfaces with different transport and data encoding methods.

142
Multi-Select (easy)

A UCS administrator is configuring a service profile for a VMware ESXi host. Which TWO of the following configuration items must be included to enable Fibre Channel SAN boot?

Select 2 answers
A. QoS policy for vHBA
B. WWPN pool for vHBA
C. vNIC with MAC pool
D. FCoE VLAN configuration
E. SAN boot policy with target WWPN
Answers: B, E

A WWPN pool provides the WWPNs for the vHBA that connects to the SAN.

Why this answer

For Fibre Channel SAN boot on a UCS-managed VMware ESXi host, the service profile must include a WWPN pool for the vHBA (Option B) to assign unique World Wide Port Names, and a SAN boot policy specifying the target WWPN (Option E) to define the storage target from which the host boots. These two elements are essential because the vHBA requires a WWPN for fabric login, and the boot policy directs the host to the correct LUN on the SAN.

Exam trap

Cisco often tests the distinction between Fibre Channel SAN boot and FCoE SAN boot, leading candidates to incorrectly select FCoE VLAN configuration (Option D) when the question explicitly states 'Fibre Channel SAN boot' without mentioning FCoE.

143
MCQ (easy)

A data center switch has DHCP snooping enabled globally. Which of the following is a best practice to ensure DHCP server legitimacy?

A. Configure the port connected to the DHCP server as trusted
B. Disable DHCP snooping on the DHCP server VLAN
C. Set the DHCP server IP address in the binding database
D. Enable DHCP snooping on all VLANs
Answer: A

Trusted ports are allowed to forward DHCP server messages, preventing rogue servers.

Why this answer

Configuring the port connected to the DHCP server as trusted is a best practice because DHCP snooping treats all ports as untrusted by default. Only trusted ports are allowed to forward DHCP server messages (OFFER, ACK, NAK), preventing rogue DHCP server attacks. This ensures that only the legitimate DHCP server can assign IP addresses, maintaining network integrity.

Exam trap

Cisco often tests the misconception that enabling DHCP snooping globally or on all VLANs is sufficient for server legitimacy, when the actual requirement is to explicitly configure the server-facing port as trusted.

How to eliminate wrong answers

Option B is wrong because disabling DHCP snooping on the DHCP server VLAN would remove all protection against rogue DHCP servers in that VLAN, defeating the purpose of the feature. Option C is wrong because the binding database is used to store DHCP client lease information (MAC-to-IP bindings), not to designate the DHCP server's IP address; the server is identified by trusted port configuration. Option D is wrong because while enabling DHCP snooping on all VLANs is a common practice, it does not by itself ensure DHCP server legitimacy; the critical step is marking the server-facing port as trusted.

144
Multi-Select (medium)

A data center engineer is configuring VLANs in a Cisco UCS domain. Which TWO statements are true regarding VLAN configuration?

Select 2 answers
A. VLANs can be created directly within a service profile without prior global definition.
B. VLANs can be created only through the CLI of UCS Manager.
C. Service profiles can override the VLAN ID of a global VLAN definition.
D. Each vNIC must have a native VLAN specified for untagged traffic on that vNIC.
E. VLANs must be defined in the global VLAN database before they can be used in a service profile.
Answers: D, E

A native VLAN is required for untagged frames on a vNIC.

Why this answer

Option A is correct because VLANs must be defined in the global VLAN database before they can be used in service profiles. Option D is correct because each vNIC must have a native VLAN specified for untagged traffic. Option B is false because VLANs cannot be created directly in service profiles.

Option C is false because service profiles use VLANs from the global pool and cannot override the VLAN ID. Option E is false because VLANs can be created via both CLI and GUI.

145
MCQ (easy)

A data center uses VPC between two Nexus switches. Which statement is true about the VPC peer-link?

A.It must be a single link.
B.It carries only control traffic.
C.It is used only for orphan ports.
D.It carries both data and control traffic.
AnswerD

The VPC peer-link is used for both control plane communication (e.g., configuration synchronization) and data plane forwarding (e.g., for orphan ports or traffic requiring cross-peer forwarding).

Why this answer

The VPC peer-link is a critical component in a vPC domain, carrying both data traffic (e.g., traffic from orphan ports or traffic that must traverse the peer-link for forwarding) and control traffic (e.g., vPC keepalive messages and Cisco Fabric Services (CFS) synchronization). This dual role ensures that the two Nexus switches operate as a single logical entity for the downstream devices, providing loop-free Layer 2 multipathing.

Exam trap

Cisco often tests the misconception that the peer-link is only for control traffic, but the trap here is that candidates forget the peer-link also carries data traffic for orphan ports and for forwarding when a vPC member link fails.

How to eliminate wrong answers

Option A is wrong because the peer-link can consist of up to eight physical links bundled into a single port-channel (using LACP or static on), not a single link. Option B is wrong because the peer-link carries both control traffic (e.g., vPC keepalive, CFS) and data traffic (e.g., traffic for orphan ports, multicast, or broadcast frames). Option C is wrong because the peer-link is used for many purposes beyond orphan ports, including forwarding traffic for vPC member ports when the local link fails and synchronizing MAC address tables.

146
MCQ (hard)

An engineer is troubleshooting a SAN that uses FCoE. The FCoE Initialization Protocol (FIP) discovery phase is failing for one server. The server is connected to a Cisco Nexus switch configured for FCoE. Which command should be checked first?

A. show vlan fcoe
B. show npv status
C. show dcbx parameters
D. show priority-flow-control
Answer: A

This command shows FCoE VLANs and VSAN mappings, which are critical for FIP.

Why this answer

FIP discovery requires VLAN and VSAN mapping. Option A is correct. Option B is wrong because DCBX is for link-level.

Option C is wrong because NPV is for FC. Option D is wrong because priority flow control is separate.

147
MCQ (hard)

Your company integrates UCS B-Series blades with VMware vSphere using UCS Manager and vCenter. You have configured a UCS service profile with a boot policy that boots from SAN. The virtual infrastructure administrator reports that a new ESXi host (blade 6) fails to meet host profile compliance for the 'Boot Device' policy. The host profile requires the boot LUN to be set to 'VMware LUN' but the UCS boot policy uses a generic 'SAN Target' setting. The ESXi host boots and runs, but compliance checks fail. You cannot modify the host profile because it is managed by a separate team. Which action should you take to resolve the compliance failure while maintaining boot functionality?

A. Create a new vCenter cluster with a different host profile
B. Use a local disk boot policy and install ESXi locally
C. Request the host profile to be updated to accept generic SAN targets
D. Change the UCS boot policy to use the 'VMware LUN' target type and ensure the LUN is presented correctly
Answer: D

Aligns the boot policy with the host profile requirement.

Why this answer

Option D is correct because the host profile compliance failure is caused by the UCS boot policy using a generic 'SAN Target' type instead of the 'VMware LUN' target type. By changing the boot policy to 'VMware LUN' and ensuring the correct LUN is presented, the ESXi host will boot from the same LUN but now the boot device name will match what the host profile expects, resolving the compliance check without affecting boot functionality.

Exam trap

Cisco often tests the distinction between 'functional boot' and 'compliance check'—candidates may assume that because the host boots fine, no change is needed, but the question explicitly requires resolving the compliance failure while maintaining boot functionality, meaning the boot policy must be adjusted to match the host profile's expected target type.

How to eliminate wrong answers

Option A is wrong because creating a new vCenter cluster with a different host profile does not address the root cause—the mismatch between the UCS boot policy and the existing host profile; it also introduces unnecessary administrative overhead and does not fix the compliance issue for the current host. Option B is wrong because using a local disk boot policy would require a complete reinstallation of ESXi and would change the boot method entirely, which is not required and would break the existing SAN boot configuration; the host profile still expects a specific boot LUN type, not local storage. Option C is wrong because the host profile is managed by a separate team and cannot be modified per the question constraints; requesting a change may be a valid long-term process but is not an immediate action the engineer can take to resolve the compliance failure.

148
Multi-Select (easy)

Which TWO of the following are valid methods to configure zoning in a Cisco MDS 9000 series switch?

Select 2 answers
A. IP address zoning
B. MAC address zoning
C. Domain/port (DID) zoning
D. Interface (fc-port) zoning
E. pWWN zoning
Answers: C, E

Uses FC domain ID and port number, another standard method.

Why this answer

Valid zoning methods are pWWN (World Wide Name) and domain/port (DID) zoning. Interface zoning is not standard; IP and MAC addresses are not used in FC zoning.

149
MCQ (medium)

Refer to the exhibit. The interface showed a security violation 15 seconds ago and has a violation count of 5. What would happen if a frame with source MAC 0011.2233.4477 arrived now?

A. The frame will be dropped but the port remains up.
B. The port will be placed into errdisable state.
C. The frame will be allowed because sticky MACs are learned dynamically.
D. The frame will be dropped and the violation counter will increment, but the port stays up.
Answer: B

A violation in 'shutdown' mode causes the port to shut down (errdisable).

Why this answer

The correct answer is B because the port security violation mode is configured as 'shutdown' (the default), and the violation count has reached 5, which exceeds the allowed maximum of 1 (the default). When a security violation occurs and the port is in shutdown mode, the port immediately transitions to the errdisable state, blocking all traffic. Since the frame with source MAC 0011.2233.4477 is not the allowed MAC (0011.2233.4455), it triggers a violation, and the port is placed into errdisable state, as indicated by the violation counter incrementing to 5.

Exam trap

Cisco often tests the default violation mode (shutdown) and the fact that the port enters errdisable state immediately upon the first violation, not after multiple violations, and that the violation counter increments even after the port is down, which can confuse candidates into thinking the port remains up.

How to eliminate wrong answers

Option A is wrong because the port is not configured in 'restrict' or 'protect' violation mode; it is in 'shutdown' mode (default), which causes the port to enter errdisable state, not remain up. Option C is wrong because sticky MAC learning does not allow a new MAC address when the maximum MAC count is already reached (1 in this case); sticky MACs are learned dynamically but still enforce the maximum limit, and the frame would be dropped with a violation. Option D is wrong because while the frame would be dropped and the violation counter would increment, the port would not stay up; in 'shutdown' mode, the port is placed into errdisable state after the violation, not left operational.

150
MCQ (hard)

In a Cisco ACI fabric, a tenant has multiple bridge domains in the same VRF all with 'Unicast Routing' enabled and hardware proxy mode. However, endpoints in different BDs within the same VRF cannot communicate even with a contract. What is a possible reason?

A. The 'L3 Unknown Multicast Flooding' is set to flood.
B. The 'ARP Flooding' is enabled.
C. The contracts are unidirectional.
D. The bridge domains are in different subnets.
Answer: B

In hardware proxy mode, ARP flooding should be disabled to enable proxy ARP. If enabled, the leaf will flood ARP requests and proxy behavior may not function, potentially breaking communication.

Why this answer

When 'Unicast Routing' is enabled on a bridge domain (BD) in hardware proxy mode, the ACI fabric relies on the endpoint database to forward traffic between BDs within the same VRF. For inter-BD communication, the source BD must learn the destination endpoint's MAC address via ARP. If 'ARP Flooding' is disabled (the default when Unicast Routing is enabled), the fabric does not flood ARP requests to remote BDs; instead, it expects the ARP request to be resolved by the COOP database.

However, in hardware proxy mode, the fabric does not automatically proxy ARP for endpoints in different BDs, so ARP requests are dropped, preventing communication even with a contract. Enabling 'ARP Flooding' allows ARP requests to flood across BDs, enabling endpoint discovery and thus inter-BD communication.

Exam trap

Cisco often tests the misconception that enabling 'Unicast Routing' and a contract is sufficient for inter-BD communication, but the trap is that ARP flooding must also be enabled to allow endpoint discovery across bridge domains in hardware proxy mode.

How to eliminate wrong answers

Option A is wrong because 'L3 Unknown Multicast Flooding' set to flood controls how unknown multicast traffic is handled at Layer 3, not ARP or unicast routing between BDs; it does not affect inter-BD unicast communication. Option C is wrong because contracts in ACI are inherently unidirectional by design (a contract provides a direction from provider to consumer), but this does not prevent communication; a contract must be applied correctly with both directions considered, but the issue here is ARP resolution, not contract directionality. Option D is wrong because bridge domains in different subnets are expected for inter-BD routing; the problem is not subnet mismatch but the lack of ARP flooding to resolve endpoints across BDs.
