Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 151-225

500 questions total · 7 pages · All types, answers revealed


Page 3 of 7

151
MCQ (easy)

In a VXLAN EVPN fabric, which protocol is used to exchange MAC and IP address reachability information among VTEPs?

A.BGP
B.IS-IS
C.EIGRP
D.OSPF
Answer: A

BGP EVPN is the standard control plane for VXLAN.

Why this answer

In a VXLAN EVPN fabric, BGP (Border Gateway Protocol) is used as the control plane protocol to exchange MAC and IP address reachability information among VTEPs. Specifically, MP-BGP (Multiprotocol BGP) with EVPN address family (AFI L2VPN / SAFI EVPN) carries Type-2 routes (MAC/IP advertisement) to distribute host reachability across the overlay network, enabling efficient MAC learning and ARP suppression.

Exam trap

Cisco often tests the distinction between underlay routing protocols (OSPF, IS-IS, EIGRP) and the overlay control plane (MP-BGP EVPN), leading candidates to mistakenly select an IGP that handles only underlay IP reachability rather than the protocol that actually exchanges MAC/IP information in the overlay.

How to eliminate wrong answers

Option B (IS-IS) is wrong because IS-IS is a link-state IGP used for underlay routing (e.g., IP reachability between VTEPs) but does not carry MAC/IP reachability information in the overlay; EVPN requires MP-BGP for this purpose. Option C (EIGRP) is wrong because EIGRP is a Cisco-proprietary distance-vector IGP that operates only in the underlay and lacks the multiprotocol extensions and EVPN address family needed to exchange MAC/IP routes. Option D (OSPF) is wrong because OSPF is a link-state IGP used for underlay IP routing and cannot transport Layer 2 MAC or host IP information; it does not support the EVPN NLRI or BGP-based control plane required for VXLAN EVPN fabrics.

152
Multi-Select (easy)

An engineer is troubleshooting a VXLAN network where traffic between two VTEPs in the same VNI is not being forwarded. The underlay network is operational and IP connectivity exists between the VTEPs. Which two actions should the engineer take to verify the VXLAN configuration?

Select 2 answers
A.Verify that the multicast group for BUM traffic is reachable.
B.Verify that the NVE interface is configured with the correct source-interface.
C.Verify that the VXLAN tunnel endpoint IP addresses are in the same subnet.
D.Verify that the VNI is mapped to the correct VLAN on the local VTEP.
E.Verify that the VXLAN routing table is populated correctly.
Answers: B, D

The NVE interface must have a valid source-interface to encapsulate VXLAN packets.

Why this answer

Options B and D are the right checks: the NVE interface must reference a valid source-interface (normally a loopback whose address is the VTEP IP) before it can encapsulate anything, and the VNI must be mapped to the correct VLAN on the local VTEP and listed as a member VNI under the NVE interface for local hosts to land in the right segment. On NX-OS, show nve interface nve1 detail and show nve vni confirm both in one pass. Option A is not a general check: multicast group reachability matters only when multicast is the BUM replication method, and a fabric may use ingress replication instead. Option C is wrong because VTEP addresses are routed loopbacks and need not share a subnet.

Option E is wrong because there is no separate 'VXLAN routing table' to inspect. Bridged VXLAN traffic is forwarded by the MAC table and the NVE peer list (show mac address-table, show nve peers); where EVPN adds Layer 3, host and prefix routes live in BGP and the tenant VRF routing tables, not in a VXLAN-specific table.

153
Multi-Select (hard)

Which TWO statements about Cisco TrustSec in a data center are true?

Select 2 answers
A.TrustSec can replace 802.1X authentication in the data center.
B.SGTs are 32-bit values assigned to users or devices.
C.SXP (SGT Exchange Protocol) is used to propagate SGTs across network devices that do not support inline tagging.
D.TrustSec is primarily designed for wireless networks.
E.TrustSec uses Security Group Tags (SGTs) to enforce access control policies.
Answers: C, E

SXP allows SGT propagation without hardware support.

Why this answer

Option C is correct because SXP (SGT Exchange Protocol) propagates Security Group Tag information between devices that cannot carry the tag inline in the Cisco Metadata (CMD) header, such as older switches or routers. SXP carries IP-to-SGT bindings over a TCP session (optionally protected with an MD5 password), so those devices can still classify and enforce consistently across a mixed environment. Option E is correct because enforcement in TrustSec is done with SGACLs that match on source and destination SGT rather than on IP addresses, which is what lets the policy follow the workload instead of the subnet.

Exam trap

Cisco often tests the size of an SGT (16 bits, so option B's 32-bit value is wrong) and the role of SXP as the propagation path for devices without inline tagging. The other trap is option A: TrustSec does not replace 802.1X; 802.1X, MAB or static classification is how an endpoint is assigned an SGT in the first place.

154
MCQ (medium)

A data center engineer configures an ACL on a Nexus 9000 switch to block all traffic from the management network (10.10.0.0/16) to the production servers (192.168.1.0/24) except for SSH access from a specific jump host (10.10.1.100). The ACL is applied inbound on the management interface. Which ACL entry is correctly ordered to achieve this requirement?

A.permit ip any any deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22
B.permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 permit ip any any deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255
C.permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 permit ip any any
D.deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255 permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22 permit ip any any
Answer: C

Correct order: permit specific, deny source, permit rest.

Why this answer

Option C is correct because ACLs are processed top-down, and the first match wins. The explicit permit for SSH from the jump host (10.10.1.100) must come before the deny for the entire 10.10.0.0/16 range to ensure the exception is honored. The final permit ip any any allows all other non-management traffic, which is necessary to avoid dropping legitimate traffic on the management interface.

Exam trap

The trap here is that candidates often place the deny rule first, forgetting that ACLs are first-match and that the exception for the jump host must be evaluated before the broader deny rule.

How to eliminate wrong answers

Option A is wrong because the 'permit ip any any' at the top would match all traffic first, including the management traffic that should be denied, making the subsequent deny and permit entries irrelevant. Option B is wrong because the 'permit ip any any' in the middle would match all traffic before the deny rule, again bypassing the intended restriction. Option D is wrong because the 'deny ip 10.10.0.0/16 to 192.168.1.0/24' is placed first, which would block SSH from the jump host (10.10.1.100) before the permit rule for that host is evaluated, violating the requirement to allow SSH from the jump host.
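Added worked example (not part of the original question bank): a small Python first-match evaluator that parses the ACE syntax used in options A-D, applies the implicit deny at the end of every ACL, and checks each ordering against a constructed set of flows derived from the requirement. It goes one step beyond the question by also rejecting any ordering that lets the jump host reach production on a port other than 22. The flow list, the production and non-production host addresses, and the function names are assumptions for illustration only.

```python
import ipaddress
from typing import Dict, Iterator, List, Optional, Tuple

# The four orderings from options A-D of question 154, copied verbatim.
ACL_OPTIONS: Dict[str, List[str]] = {
    "A": ["permit ip any any",
          "deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255",
          "permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22"],
    "B": ["permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22",
          "permit ip any any",
          "deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255"],
    "C": ["permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22",
          "deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255",
          "permit ip any any"],
    "D": ["deny ip 10.10.0.0 0.0.255.255 192.168.1.0 0.0.0.255",
          "permit tcp host 10.10.1.100 192.168.1.0 0.0.0.255 eq 22",
          "permit ip any any"],
}

# Constructed flows: (proto, src, dst, dst_port, verdict the requirement demands).
# The individual host addresses are assumed for illustration.
REQUIRED_VERDICTS: List[Tuple[str, str, str, int, str]] = [
    ("tcp", "10.10.1.100", "192.168.1.10", 22, "permit"),   # SSH from the jump host
    ("tcp", "10.10.1.100", "192.168.1.10", 443, "deny"),    # jump host, but not SSH
    ("tcp", "10.10.7.7", "192.168.1.10", 22, "deny"),       # SSH from another mgmt host
    ("udp", "10.10.7.7", "192.168.1.10", 53, "deny"),       # other mgmt-to-prod traffic
    ("tcp", "10.10.7.7", "10.20.0.1", 443, "permit"),       # mgmt to a non-production subnet
    ("tcp", "172.16.0.9", "192.168.1.10", 80, "permit"),    # non-mgmt source to prod
]


def _parse_address(tokens: Iterator[str]) -> Tuple[int, int]:
    """Consume 'any', 'host A.B.C.D' or 'A.B.C.D wildcard'; return (network, mask) as ints."""
    tok = next(tokens)
    if tok == "any":
        return 0, 0
    if tok == "host":
        return int(ipaddress.IPv4Address(next(tokens))), 0xFFFFFFFF
    network = int(ipaddress.IPv4Address(tok))
    wildcard = int(ipaddress.IPv4Address(next(tokens)))
    mask = 0xFFFFFFFF ^ wildcard          # wildcard bits are "don't care"
    return network & mask, mask


def parse_ace(line: str) -> dict:
    """Parse one access control entry of the form: action proto src dst [eq port]."""
    tokens = iter(line.split())
    action, proto = next(tokens), next(tokens)
    src = _parse_address(tokens)
    dst = _parse_address(tokens)
    rest = list(tokens)
    dport: Optional[int] = int(rest[1]) if rest[:1] == ["eq"] else None
    return {"action": action, "proto": proto, "src": src, "dst": dst, "dport": dport}


def _matches(addr: str, rule: Tuple[int, int]) -> bool:
    network, mask = rule
    return (int(ipaddress.IPv4Address(addr)) & mask) == network


def evaluate(acl: List[str], proto: str, src: str, dst: str, dport: int) -> str:
    """First match wins; an ACL with no matching entry ends in the implicit deny."""
    for line in acl:
        ace = parse_ace(line)
        if ace["proto"] not in ("ip", proto):
            continue
        if not (_matches(src, ace["src"]) and _matches(dst, ace["dst"])):
            continue
        if ace["dport"] is not None and ace["dport"] != dport:
            continue
        return ace["action"]
    return "deny"


def meets_requirement(acl: List[str]) -> bool:
    return all(evaluate(acl, proto, src, dst, dport) == want
               for proto, src, dst, dport, want in REQUIRED_VERDICTS)


def options_meeting_requirement() -> List[str]:
    return [name for name, acl in ACL_OPTIONS.items() if meets_requirement(acl)]


if __name__ == "__main__":
    for name, acl in ACL_OPTIONS.items():
        print(name, "OK" if meets_requirement(acl) else "fails")
```

Running it reports only C as passing: A and B permit everything before the deny is reached, and D denies the jump host's SSH before its exception is evaluated. The same flow table is a useful pre-change review for any real ACL edit: write down the flows that must and must not pass, then trace them top-down before committing.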

155
MCQ (medium)

An organization is deploying Cisco UCS and needs to ensure that server personality is maintained even after a new server is added to the chassis. Which policy should be configured to achieve this?

A.UUID Suffix Pool
B.Maintenance Policy
C.Boot Policy
D.Server Pool Policy
Answer: D

Server pool allows assigning a specific server to a profile, maintaining identity.

Why this answer

The Server Pool Policy is correct because it defines a logical grouping of servers that can be dynamically assigned to service profiles. When a new server is added to the chassis and matches the pool criteria, the policy ensures that the server automatically inherits the correct personality (e.g., UUID, WWN, MAC addresses) from the associated service profile template, maintaining consistency without manual intervention.

Exam trap

Cisco often tests the distinction between policies that manage identity (UUID Suffix Pool) versus policies that manage assignment (Server Pool Policy), leading candidates to confuse the UUID pool as the mechanism for maintaining personality when it is actually the server pool that drives the assignment and inheritance.

How to eliminate wrong answers

Option A is wrong because a UUID Suffix Pool only provides unique UUIDs for server identity but does not control server assignment or personality retention when a new server is added. Option B is wrong because a Maintenance Policy defines how the server handles firmware upgrades or reboots (e.g., user acknowledgment or immediate reboot), not server personality persistence. Option C is wrong because a Boot Policy specifies the boot order and boot parameters (e.g., SAN, local disk, network) but does not manage server assignment or personality inheritance.

156
MCQ (easy)

A Cisco UCS C-Series rack server requires remote management with KVM and virtual media. Which feature must be enabled?

A.vMedia
B.CIMC
C.BIOS
D.SOL
Answer: B

CIMC is the base management interface that offers KVM and virtual media.

Why this answer

The Cisco Integrated Management Controller (CIMC) is the dedicated out-of-band management controller on UCS C-Series rack servers. It provides the remote KVM console and virtual media (vMedia) for mounting ISO images, reached through its web GUI, CLI or XML API. Until CIMC has been configured (a management IP on the dedicated or shared LOM port, credentials, and the KVM and vMedia services enabled) none of these remote management features are reachable.

Exam trap

Cisco often tests the distinction between a feature (vMedia) and the platform that provides it (CIMC), leading candidates to select vMedia as the answer when the question asks which feature must be enabled to support both KVM and virtual media.

How to eliminate wrong answers

Option A is wrong because vMedia is a feature of CIMC that enables virtual media mounting (e.g., ISO, floppy), not a standalone management feature that must be enabled separately. Option C is wrong because the BIOS handles hardware initialization and boot settings, not remote KVM or virtual media services. Option D is wrong because SOL (Serial Over LAN) provides serial console redirection via IPMI, not KVM video or virtual media functionality.

157
MCQ (hard)

A Cisco MDS switch is configured as an NPV switch to connect to a core switch. Which statement about NPV operation is true?

A.The NPV switch allocates FC IDs to end devices from its own pool.
B.The NPV switch uses FDISC to register multiple N-Port IDs from a single physical link.
C.The NPV switch requires at least one VSAN to be defined as a fabric VSAN.
D.The NPV switch performs fabric login (FLOGI) on behalf of all attached end devices.
Answer: B

NPV uses FDISC to multiplex multiple N-Port IDs over the NP uplink to the core.

Why this answer

In N_Port Virtualization (NPV) mode, a Cisco MDS switch does not join the fabric as a switch (it consumes no domain ID); it aggregates the N_Ports of attached hosts onto one or more NP uplinks to a core Fibre Channel switch. The NPV switch performs a single FLOGI on each NP port for itself and then relays every host FLOGI upstream as an FDISC (Discover F_Port Service Parameters), the NPIV mechanism for adding N_Port IDs to a link that is already logged in. Each host therefore receives its own FC ID from the core, and the NPV switch never assigns addresses itself. This only works if NPIV is enabled on the core's F port (feature npiv; verify with show npiv status).

Exam trap

Cisco often tests the misconception that an NPV switch performs fabric login or assigns FC IDs locally; in fact it logs in only its own NP ports, relays host logins as FDISC, and leaves all address assignment to the core.

How to eliminate wrong answers

Option A is wrong because an NPV switch does not allocate FC IDs from its own pool; it relays FLOGI/FDISC to the core switch, which assigns FC IDs from the fabric's address space. Option C is wrong because NPV does not require any VSAN to be designated as a fabric VSAN; NPV switches operate as passthrough devices and do not run fabric services such as zoning or the name server. Option D is wrong because the NPV switch performs FLOGI only for its own NP uplinks, not on behalf of each host; each host sends its own FLOGI to the NPV switch, which converts it into an FDISC toward the core.

158
MCQ (medium)

An organization is deploying Cisco ACI in a brownfield data center. They have existing VLANs that need to be mapped to ACI EPGs. The network team notices that some VLANs are used across multiple tenants. How should the engineer design the VLAN pool to support overlapping VLANs?

A.Configure the VLANs as part of the EPG static binding without a pool.
B.Create separate VLAN pools per tenant, each containing the required VLANs.
C.Create one VLAN pool per physical domain and assign tenants to that domain.
D.Create a global VLAN pool with all VLANs and assign it to all tenants.
Answer: B

Each tenant gets its own VLAN pool, allowing reuse.

Why this answer

Option B is correct because in Cisco ACI VLAN pools are attached to domains (physical or VMM), and an EPG obtains its encapsulation through the domain it is associated with. Reusing the same VLAN ID for different tenants therefore means giving each tenant its own VLAN pool and domain, so that each EPG's static path binding resolves within its own pool without colliding. Within a single domain a VLAN ID maps to one EPG on a given leaf port. (ACI can additionally reuse a VLAN ID on different ports of the same leaf with the port-local VLAN scope on the interface policy group, but that does not remove the need for separate pools.)

Exam trap

Cisco often tests the misconception that a single VLAN pool can be shared across tenants with overlapping VLANs, but in reality, VLAN pools are domain-scoped and overlapping IDs require separate pools to maintain isolation.

How to eliminate wrong answers

Option A is wrong because EPG static binding without a pool does not support overlapping VLANs; static bindings still require a VLAN pool for encapsulation and cannot bypass the pool's scope. Option C is wrong because creating one VLAN pool per physical domain and assigning multiple tenants to that domain would cause VLAN ID conflicts if the same VLAN is used across tenants, as the pool is shared. Option D is wrong because a global VLAN pool assigned to all tenants would force all tenants to use unique VLAN IDs, preventing overlapping VLANs and violating the requirement.

159
MCQ (hard)

A UCS Manager administrator is deploying a service profile for a boot-from-SAN environment. The SAN switch is configured with NPV mode. The administrator notices that the WWPN of the vHBA in the service profile is not being recognized by the SAN switch. What is the most likely cause?

A.The WWPN pool has been exhausted and the server cannot obtain a new WWPN
B.The vHBA is not bound to a SAN pin-group
C.The vHBA speed is set to auto-negotiation but the SAN switch is set to a fixed speed
D.The upstream SAN switch has NPIV disabled
Answer: D

In NPV mode, the SAN switch requires NPIV on the upstream switch to register the initiator WWPNs.

Why this answer

A UCS fabric interconnect in FC end-host mode behaves like an NPV device: it performs one fabric login per FC uplink and then presents every vHBA behind it as an additional N_Port ID using FDISC. The upstream switch must have NPIV enabled on those ports (on MDS, feature npiv, checked with show npiv status) to accept more than one login per physical link. With NPIV disabled, the vHBA's FDISC is rejected, its WWPN never enters the fabric's login table, and the boot-from-SAN target is unreachable. This is the most likely cause of the WWPN not being recognized.

Exam trap

Cisco often tests the distinction between NPV and NPIV, where candidates mistakenly think NPV alone enables virtualized logins, but NPIV must be explicitly enabled on the upstream switch for vHBA WWPNs to be recognized.

How to eliminate wrong answers

Option A is wrong because a WWPN pool exhaustion would prevent a new WWPN from being assigned, but the administrator notes the WWPN is not being recognized by the SAN switch, not that it is unavailable. Option B is wrong because pin-groups are used for fabric failover or path selection in UCS, not for WWPN recognition; a vHBA does not need to be bound to a pin-group to be recognized by the SAN switch. Option C is wrong because speed mismatch between the vHBA and SAN switch would cause link issues or performance degradation, not a failure of the SAN switch to recognize the WWPN; WWPN recognition is independent of negotiated speed.

160
MCQ (medium)

During a network upgrade, an engineer applies a new OSPF configuration on a Nexus 9000 spine. After the change, several leaf switches lose connectivity to each other. The engineer examines the logs and sees OSPF adjacency flapping. What is the most likely cause?

A.Duplicate router IDs.
B.OSPF hello timer mismatch.
C.MTU mismatch on the fabric links.
D.Incorrect area configuration.
Answer: A

Duplicate router IDs cause OSPF neighbors to flap.

Why this answer

Duplicate router IDs cause adjacency flapping because OSPF uses the Router ID (RID) to identify each router in the domain. When two routers share a RID, each sees its own RID in the other's Hellos and LSAs; NX-OS logs a duplicate router-ID error, the adjacency is torn down and re-attempted, and the link-state database is repeatedly invalidated. In a Nexus 9000 spine-leaf topology this typically happens when the new spine configuration sets router-id to a value already used by a leaf, disrupting convergence for the whole fabric. Compare the Router ID line of show ip ospf on the spine and on each leaf, and set a unique router-id under router ospf rather than relying on the highest loopback address.

Exam trap

Cisco often tests the distinction between 'adjacency flapping' (established, then repeatedly torn down, as with duplicate RIDs) and 'failure to form adjacency' (hello/dead timer, area or MTU mismatches), so candidates mistakenly choose MTU or timer issues when the symptom is flapping rather than non-formation.

How to eliminate wrong answers

Option B is wrong because an OSPF hello timer mismatch prevents adjacency formation entirely (neighbors remain in INIT state), not flapping; flapping implies adjacency is established and then breaks. Option C is wrong because an MTU mismatch on fabric links typically causes OSPF to fail to form adjacency (stuck in EXSTART/EXCHANGE) due to database descriptor packet rejection, not flapping. Option D is wrong because an incorrect area configuration would cause a type mismatch in Hello packets (area ID field), preventing adjacency from forming at all, not causing established adjacencies to flap.

161
MCQ (hard)

An engineer notices that a UCS server with a service profile using a QoS policy for FC traffic experiences excessive latency during heavy workloads. The Fibre Channel fabric is configured for lossless operation. Which design issue is most likely causing the latency?

A.The MTU on the Ethernet uplink from the FI is set to 1500 bytes.
B.The QoS policy for FC traffic does not allocate enough buffer for the no-drop class.
C.Fibre Channel buffer-to-buffer credit recovery is disabled on the upstream switch.
D.The vHBA is configured for 16 Gbps but the upstream switch port is 8 Gbps.
Answer: B

Insufficient buffer allocation in the no-drop class can cause pause frames and increased latency.

Why this answer

In UCS the FC (FCoE) traffic class is a no-drop class: when its buffer fills, the fabric interconnect sends priority flow control (PFC) pause frames toward the sender instead of discarding frames. If the QoS policy leaves that class too little buffer, pauses are asserted early and often under heavy load, so frames sit in queues on the adapter and the FI and latency climbs even though nothing is actually lost. Buffer headroom for the no-drop class is therefore the design parameter to check first.

Exam trap

Cisco often tests the misconception that latency in a lossless fabric is caused by external factors like MTU or speed mismatches, rather than the internal QoS buffer allocation for the no-drop class, which is the critical design parameter for FC traffic in UCS.

How to eliminate wrong answers

Option A is wrong because the Ethernet MTU on the FI uplink affects jumbo frame support for Ethernet traffic only; FCoE is carried in its own class with its own MTU (2158 bytes by default on Cisco platforms) and the FC uplinks are separate, so an Ethernet MTU of 1500 does not touch the FC path. Option C is wrong because buffer-to-buffer credit recovery only replaces credits lost to link errors; disabling it could eventually starve credits on an error-prone link, but it is unrelated to QoS buffer allocation and to the load-dependent latency described. Option D is wrong because a 16 Gbps vHBA facing an 8 Gbps switch port simply negotiates down to 8 Gbps; that caps throughput but does not by itself cause latency from buffer exhaustion.

162
MCQ (hard)

An engineer is troubleshooting a DHCP issue in a data center VLAN. Clients are unable to obtain IP addresses from the DHCP server. The switch has DHCP snooping enabled on the VLAN, and the DHCP server is connected to a trusted port. The clients are on untrusted ports. Which additional security feature is most likely causing the problem if the DHCP server is on a different subnet and the switch is not configured as a DHCP relay?

A.DHCP snooping with no IP helper address configured
B.Dynamic ARP Inspection (DAI)
C.Control Plane Policing (CoPP) dropping DHCP packets
D.Port security with maximum MAC limit
Answer: A

Without a DHCP relay on the client VLAN (ip dhcp relay address on NX-OS, ip helper-address on IOS) the client's broadcast DISCOVER never leaves the VLAN; snooping by itself does not relay anything.

Why this answer

A DHCP client begins with a broadcast DISCOVER, and broadcasts do not cross subnets. When the server sits on another subnet, a relay agent on the client VLAN must rewrite the broadcast into a unicast to the server and relay the server's reply back; DHCP snooping inspects and filters DHCP messages but does not relay them. On NX-OS the relay is enabled with feature dhcp and ip dhcp relay globally, then ip dhcp relay address <server-ip> under the client VLAN's SVI (IOS calls the same thing ip helper-address). Without it the DISCOVER dies on the VLAN and clients never receive an offer.

Exam trap

Cisco often tests the misconception that DHCP snooping alone handles cross-subnet DHCP, when in fact it requires an IP helper address or a dedicated DHCP relay agent to forward broadcasts between subnets.

How to eliminate wrong answers

Option B is wrong because Dynamic ARP Inspection (DAI) validates ARP packets based on DHCP snooping bindings, but it does not affect DHCP packet forwarding between subnets; it only prevents ARP spoofing. Option C is wrong because Control Plane Policing (CoPP) protects the control plane from excessive traffic, but it is not a common cause of DHCP failure in this scenario unless misconfigured to rate-limit DHCP packets, which is less likely than the missing relay. Option D is wrong because port security with a maximum MAC limit restricts the number of MAC addresses on a port, but it does not block DHCP broadcasts or prevent relay across subnets.

163
MCQ (easy)

Refer to the exhibit. The interface fc1/1 is configured as an E_port. The connected switch also has an E_port configured. However, the interface shows an 'init' state. What is the most likely cause?

A.The domain ID is not configured on either switch.
B.The speed on the remote switch interface is set to 8000 Mbps.
C.The port VSAN on the local interface is different from the remote.
D.The remote switch interface is not configured as a trunk.
Answer: B

E_ports require matching speed settings to establish a link.

Why this answer

The 'init' state on an E_port means the physical link is up but the port has not completed E_port initialization, which includes the Exchange Link Parameters (ELP) and Exchange Switch Capabilities (ESC) exchanges. If the remote interface is forced to 8 Gbps while the local interface is set to a different fixed rate, the two ends never settle on a common rate and initialization cannot finish, so the port stays in init instead of moving to up. Compare the speed fields in show interface fc1/1 on both switches and either match them or set both to auto.

Exam trap

Cisco often tests the distinction between 'init' and 'isolated' states, where candidates mistakenly attribute VSAN mismatch or domain ID issues to 'init', but the correct cause is often a speed mismatch or incompatible port parameters during ELP negotiation.

How to eliminate wrong answers

Option A is wrong because the domain ID is assigned during fabric formation by the principal switch (or configured statically); a switch without a manually set domain ID still initializes its E_ports and is assigned one, so it is not what keeps the port in init. Option C is wrong because a port VSAN mismatch on a non-trunking link is detected after the ELP exchange and puts the port into the 'isolated' state, not 'init'. Option D is wrong because trunking is not a prerequisite for E_port operation; on MDS, 'trunk' means VSAN trunking, which turns the E_port into a TE_port and is optional, and a trunk-mode mismatch affects which VSANs the ISL carries rather than whether the port completes initialization.

164
MCQ (medium)

A UCS domain is configured with multiple service profile templates. An engineer wants to ensure that when a template is updated, all associated service profiles are automatically updated. Which property must be enabled in the template?

A.'Auto update'
B.'Update on deployment'
C.'Enforce consistency'
D.'Synchronize to templates'
Answer: B

When enabled, profiles derived from the template are automatically updated upon template changes.

Why this answer

With this property enabled, changes to the template are pushed to every service profile bound to it (a reboot, when one is needed, is governed by the bound maintenance policy). In UCS Manager this behaviour is what separates an updating template from an initial template: service profiles created from an initial template are detached copies that do not follow later template changes, so the template must be created as an updating template for propagation to occur without manual intervention.

Exam trap

Cisco often tests the distinction between 'Update on deployment' and 'Enforce consistency', where candidates may confuse the automatic update mechanism with a compliance-checking policy, leading them to select the wrong option.

How to eliminate wrong answers

Option A is wrong because 'Auto update' is not a valid property in UCS service profile templates; it is a generic term that does not correspond to any specific UCS feature. Option C is wrong because 'Enforce consistency' is a policy used in UCS to validate configuration compliance, not to automatically update service profiles from a template. Option D is wrong because 'Synchronize to templates' is not a real property; the correct direction is from template to service profiles, and this option implies the reverse, which is not supported.

165
MCQ (medium)

Refer to the exhibit. A new host is connected to interface fc1/3. It is not appearing in the flogi database. The switch is in NPV mode. What is the most likely reason?

A.The FCID is already allocated.
B.The host's WWPN is already in use by another device.
C.The interface is configured as an NP port.
D.The interface is in a different VSAN than the host's FLOGI.
E.The host's HBA is not compatible with NPV.
Answer: C

An NP port expects connection to a core switch, not a host; thus hosts cannot log in through it.

Why this answer

In NPV mode the switch has two kinds of Fibre Channel ports: F ports that face hosts, and NP ports that are uplinks to the core and carry the switch's own FLOGI plus the hosts' FDISCs. A port configured in NP mode expects a core switch on the far side; a host plugged into it never completes login and never shows up in any login table. Check the mode with show interface fc1/3 and show npv status, and look for host logins on an NPV switch with show npv flogi-table rather than only the local flogi database. Setting the port to mode F (switchport mode F under the interface) lets the host's FLOGI be relayed upstream.

Exam trap

Cisco often tests the distinction between NPV mode and standard Fibre Channel switching; candidates assume that connecting a host to any port on an NPV switch produces a login entry, overlooking that host-facing ports must be in F mode while NP mode is reserved for uplinks to the core.

How to eliminate wrong answers

Option A is wrong because an FCID allocation conflict would generate a specific error during FLOGI, but the host is not even appearing in the flogi database, indicating the FLOGI never reached the fabric. Option B is wrong because a duplicate WWPN would cause a login rejection or conflict, but again the host would still attempt FLOGI and appear briefly; the absence from the database suggests no FLOGI was processed. Option D is wrong because VSAN mismatch would cause the FLOGI to be dropped or rejected, but the host would still attempt to send a FLOGI and the interface would show some activity; the complete lack of appearance points to a port-mode issue.

Option E is wrong because HBA compatibility with NPV is not a common restriction; NPV is designed to work with standard Fibre Channel HBAs, and incompatibility would manifest as link issues, not a silent failure to appear in the flogi database.
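Added model (not MDS code, and not part of the original question bank) that serves questions 157, 159 and 165 together: a toy core switch that owns the FC ID space, and a toy NPV switch that sends one FLOGI for its NP uplink and relays each host login as an FDISC. It shows the three behaviours those questions test: the NPV switch never allocates FC IDs, a host wired to a port in NP mode never logs in, and with NPIV disabled on the core every FDISC is rejected. Domain ID 0x21, the WWPNs, the port-mode table and the sequential area/port allocation are assumptions; real switches allocate area and port IDs differently.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class CoreSwitch:
    """Simplified fabric switch: owns a domain ID and hands out FC IDs (assumed allocation)."""
    domain_id: int
    npiv_enabled: bool = True
    _next_port: int = 0
    flogi_db: Dict[str, str] = field(default_factory=dict)  # pwwn -> FC ID

    def _allocate_fcid(self) -> str:
        # FC ID = domain (8 bits) . area (8 bits) . port (8 bits); sequential for illustration
        fcid = (self.domain_id << 16) | self._next_port
        self._next_port += 1
        return f"0x{fcid:06x}"

    def flogi(self, pwwn: str) -> str:
        """Fabric login of a physical N_Port (a host, or the NPV switch's NP port)."""
        fcid = self._allocate_fcid()
        self.flogi_db[pwwn] = fcid
        return fcid

    def fdisc(self, pwwn: str, link_fcid: str) -> Optional[str]:
        """Extra N_Port ID on an already logged-in link (NPIV). None models an LS_RJT."""
        if not self.npiv_enabled or link_fcid not in self.flogi_db.values():
            return None
        fcid = self._allocate_fcid()
        self.flogi_db[pwwn] = fcid
        return fcid


@dataclass
class NpvSwitch:
    """Simplified NPV device: no domain ID, no FC ID pool, one FLOGI per NP uplink."""
    core: CoreSwitch
    np_pwwn: str
    port_modes: Dict[str, str]            # interface -> "F" (host-facing) or "NP" (uplink)
    np_fcid: Optional[str] = None
    npv_flogi_table: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def bring_up_uplink(self) -> Optional[str]:
        """The only FLOGI the NPV switch sends for itself: the NP port's own login."""
        self.np_fcid = self.core.flogi(self.np_pwwn)
        return self.np_fcid

    def host_login(self, iface: str, pwwn: str) -> Optional[str]:
        """A host FLOGI arriving on an F port is proxied upstream as an FDISC.
        A host wired to a port in NP mode never logs in: that port expects a core switch."""
        if self.port_modes.get(iface) != "F" or self.np_fcid is None:
            return None
        fcid = self.core.fdisc(pwwn, self.np_fcid)
        if fcid is not None:
            self.npv_flogi_table[(iface, pwwn)] = fcid
        return fcid


def run_scenario(npiv_enabled: bool = True) -> dict:
    """Constructed topology: core 0x21, NPV switch with fc1/1-2 as F ports and fc1/3-4 as NP."""
    core = CoreSwitch(domain_id=0x21, npiv_enabled=npiv_enabled)
    npv = NpvSwitch(core, np_pwwn="20:00:00:0d:ec:aa:00:01",
                    port_modes={"fc1/1": "F", "fc1/2": "F", "fc1/3": "NP", "fc1/4": "NP"})
    npv.bring_up_uplink()
    hosts = {
        "fc1/1": npv.host_login("fc1/1", "10:00:00:00:c9:11:11:11"),
        "fc1/2": npv.host_login("fc1/2", "10:00:00:00:c9:22:22:22"),
        "fc1/3": npv.host_login("fc1/3", "10:00:00:00:c9:33:33:33"),  # host cabled to an NP port
    }
    return {"np_fcid": npv.np_fcid, "hosts": hosts,
            "npv_flogi_table": npv.npv_flogi_table, "core_flogi_db": core.flogi_db}


if __name__ == "__main__":
    print(run_scenario())
    print(run_scenario(npiv_enabled=False))
```

With NPIV on, the hosts on fc1/1 and fc1/2 receive FC IDs that all start with the core's domain (0x21), the host on fc1/3 gets nothing, and the core's login table has three entries (the NP port plus two hosts) while the NPV switch only keeps a proxy table. With NPIV off, the NP port still logs in but every host FDISC is rejected, which is the failure mode of question 159.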

166
MCQ (medium)

Refer to the exhibit. The interface shows CRC errors. What is the most likely cause of these errors?

A.Insufficient buffer credits for the distance.
B.The port is configured as F port but should be E port.
C.Speed mismatch between the ports.
D.Faulty SFP or fiber cable.
Answer: D

CRC errors are typically caused by signal degradation from hardware.

Why this answer

CRC errors point at the physical layer: a failing SFP, a dirty or damaged fiber, or a marginal patch-panel connection. Option D is correct. Option A is wrong because credit starvation shows up as zero transmit credits and credit timeouts, not as checksum failures. Option C is wrong because a speed mismatch keeps the link from coming up at all rather than corrupting frames on a link that is up.

Option B is wrong because the port is operational in mode F per the exhibit; a wrong port mode would leave the port down or isolated, not passing corrupted frames. Start with show interface fc<x/y> counters and the optic diagnostics (show interface fc<x/y> transceiver details), then reseat or replace the optic and the cable one at a time.

167
MCQ (hard)

On a Cisco MDS 9700, an engineer configures an FC port channel with 4 member interfaces. The connected storage array also supports port channels. Which load-balancing algorithm provides the best distribution of I/O when the array uses multiple LUNs per target?

A.Source ID (SID) and Destination ID (DID)
B.Source and destination port ID
C.Source FC ID (OXID) and destination FC ID (RXID)
D.Source and destination WWPN
Answer: C

Using exchange IDs (OXID/RXID) provides per-exchange load balancing, spreading I/O across LUNs better.

Why this answer

Option C is correct. Exchange-based load balancing (the MDS default, vsan <id> loadbalancing src-dst-ox-id) hashes on SID, DID and the originator exchange ID (OXID), so successive exchanges between the same initiator and target, such as I/Os to different LUNs behind one target port, can be spread across all four port channel members. Options A and B both describe flow-based hashing on SID/DID only (loadbalancing src-dst-id), which pins every exchange between a given initiator-target pair to a single member regardless of how many LUNs are involved. Option D is not an MDS load-balancing mode; the hash works on the FC IDs in the frame header, not on WWPNs. The setting is per VSAN, so check show vsan <id> to confirm which algorithm is active.

168
MCQ (hard)

A customer is deploying Cisco ACI with a requirement to isolate tenant traffic in a multi-tenant environment. They want to ensure that a tenant admin can only manage their own tenant's objects. Which RBAC configuration should be implemented?

A.Assign the 'read-only' role to the user within the tenant.
B.Create a separate VRF for each tenant and assign admin to that VRF.
C.Create a security domain for each tenant and assign the 'tenant-admin' role to the user within that domain.
D.Assign the 'tenant-admin' role to the user globally.
Answer: C

Security domains limit the scope of roles to specific tenants.

Why this answer

Option C is correct because Cisco ACI uses security domains to enforce Role-Based Access Control (RBAC) boundaries. By creating a security domain for each tenant and assigning the 'tenant-admin' role to a user within that domain, the tenant admin is restricted to managing only the objects (e.g., EPGs, contracts, policies) that belong to that specific tenant. This ensures isolation of tenant traffic management in a multi-tenant environment without granting global or cross-tenant privileges.

Exam trap

Cisco often tests the distinction between network-level segmentation (e.g., VRFs) and administrative-level isolation (e.g., security domains), and the trap here is that candidates mistakenly choose VRF-based isolation for RBAC, not realizing that VRFs only separate data plane traffic, not management access.

How to eliminate wrong answers

Option A is wrong because the 'read-only' role only permits viewing objects, not managing them, so it fails to meet the requirement for a tenant admin to manage their own tenant's objects. Option B is wrong because VRFs (Virtual Routing and Forwarding) are used for network segmentation of traffic, not for RBAC or administrative access control; assigning an admin to a VRF does not restrict their ability to manage objects outside that VRF. Option D is wrong because assigning the 'tenant-admin' role globally grants the user administrative privileges across all tenants, violating the requirement to isolate tenant traffic management to a single tenant.

169
Matching (medium)

Match each Cisco UCS component to its function.


Concepts
Matches

Unified I/O and management for server chassis

Connects blade servers to fabric interconnects

Virtual interface card supporting multiple adapters

Out-of-band management controller for UCS servers

Enclosure that houses blade servers and IOMs

Why these pairings

These components form the building blocks of UCS infrastructure.

170
Matching (medium)

Match each Cisco NX-OS feature to its description.


Concepts
Matches

Virtual device context for partitioning a switch

Virtual routing and forwarding for network segmentation

Virtual PortChannel for multi-homing with loop prevention

Fabric Extender for remote linecard connectivity

Power-On Auto Provisioning for zero-touch deployment

Why these pairings

These features are essential for NX-OS configuration and management.

171 · MCQ · hard

A Nexus 7000 switch is experiencing high CPU utilization due to control plane traffic. The engineer notices that many packets are being punted to the CPU from the data plane, particularly ARP packets. After examining the CoPP configuration, the engineer sees that the 'arp' class-map is matched in a policy-map with a police rate of 1000 pps and a conform-action of 'transmit'. The current ARP rate is 2000 pps. What is the immediate impact?

A. All ARP packets are transmitted normally because the conform-action is 'transmit'.
B. Approximately half of the ARP packets are dropped, reducing CPU load but potentially causing reachability issues.
C. The switch applies an ACL to drop all ARP packets.
D. Packets are marked down and transmitted.
Answer: B

With 2000 pps against 1000 pps limit, half are dropped.

Why this answer

The CoPP policy is configured with a police rate of 1000 pps for ARP packets, but the current ARP rate is 2000 pps. Since the rate exceeds the policer, the conform-action 'transmit' only applies to packets within the rate; excess packets are dropped by default (drop action is implicit when no exceed-action is specified). This results in approximately half of the ARP packets being dropped, which reduces CPU load but can cause ARP resolution failures and reachability issues.

Exam trap

Cisco often tests the implicit default action for excess traffic in CoPP policers—candidates mistakenly assume that only the conform-action matters and that all traffic is transmitted, overlooking that the exceed-action defaults to 'drop' when not explicitly configured.

How to eliminate wrong answers

Option A is wrong because the conform-action 'transmit' only applies to packets that conform to the police rate (1000 pps); packets exceeding the rate are dropped, not transmitted normally. Option C is wrong because CoPP does not apply ACLs to drop packets; it uses a policer within a policy-map to rate-limit traffic, and no ACL is automatically applied to drop all ARP packets. Option D is wrong because the policy-map does not specify a 'markdown' action (such as 'set-dscp' or 'set-cos') or a 'transmit' action for exceed traffic; the default behavior for excess packets is to drop them, not mark and transmit.

172 · MCQ · hard

Refer to the exhibit. A server with WWPN 10:00:00:00:c9:2b:1a:5f is zoned to two storage ports in zone Server1_Storage1 and to one storage port in zone Server1_Storage2. The server can access the LUNs through the first zone but not through the second. What is the most likely cause?

A. The second zone does not include the second storage controller's port
B. The storage port 20:00:00:00:c9:2b:1a:6c is in a different VSAN
C. The zone set has not been activated
D. The server is not allowed to be in multiple zones
Answer: A

The server may need both storage paths to access the LUNs; the missing port leaves the second zone with no usable path.

Why this answer

The second zone, Server1_Storage2, contains only the server and one storage port. It should also include a member for the second storage controller path. Option A best fits: the zone is missing the other storage controller's WWPN.

Option C (zone set activation) is unlikely because the other zone works. Option D (multiple zones per server) is fine; a server may be a member of several zones. Option B (VSAN mismatch) is not indicated.

173 · Multi-Select · medium

A storage administrator is troubleshooting a Fibre Channel SAN where initiators cannot log in to a target. The administrator verifies that the VSAN is configured correctly and that zoning is in place. Which two additional checks should be performed to resolve the issue?

Select 2 answers
A. Ensure NPIV is enabled on the F-port.
B. Confirm that FCID persistence is not enabled with invalid static FCIDs.
C. Verify that port security is not blocking the initiator WWPN.
D. Verify the FCoE VLAN ID matches on both ends.
E. Check that LUN masking has been applied on the target.
Answers: B, C

Invalid static FCID persistence can cause login failures if the FCID is already in use or conflicting.

Why this answer

In a Fibre Channel SAN, FCID persistence assigns a specific FCID to a device each time it logs in. If an invalid static FCID is configured (e.g., an FCID that conflicts with another device or is outside the allowed range), the initiator may fail to log in because the switch cannot assign the requested address. This is a common cause of login failures even when VSAN and zoning are correctly configured.

Exam trap

Cisco often tests the distinction between fabric-level login issues (like FCID persistence or port security) and storage-level issues (like LUN masking), leading candidates to incorrectly select LUN masking as a cause of login failure.

174 · MCQ · medium

A Fibre Channel fabric has multiple initiators and targets. The engineer wants to ensure that only specific hosts can access specific storage volumes. Which zoning practice is most secure?

A. Zoning by storage array aliases
B. Single-initiator zoning with WWPNs
C. Using VSANs instead of zones
D. Soft zoning with domain/port IDs
Answer: B

Correct: Single-initiator zoning is the most secure practice.

Why this answer

Option B is correct because single-initiator zoning restricts each initiator to its own zone, preventing unauthorized access. Option A is incorrect because zone aliases don't affect security. Option C is incorrect because VSANs provide broad isolation, not granular control.

Option D is incorrect because soft zoning is less secure (no RSCN filtering).

175 · Multi-Select · medium

A company is planning to deploy Cisco Intersight to manage a hybrid environment including on-premises UCS domains and AWS EC2 instances. Which THREE of the following are required components for integrating AWS with Intersight?

Select 3 answers
A. An Intersight account with appropriate licenses
B. An Intersight Virtual Appliance deployed in AWS
C. A VPN tunnel between the on-premises network and AWS
D. An AWS IAM role with read-write access to EC2 and CloudFormation
E. Network connectivity from Intersight to the AWS public endpoints
Answers: A, D, E

An Intersight account is required to manage devices and use features.

Why this answer

Option A is correct because a valid Intersight account with the appropriate licenses (e.g., Intersight Essentials or Premier) is required to enable the AWS integration feature. Without the proper license tier, the Intersight account cannot access the cloud orchestration or management capabilities needed to connect and manage external cloud providers like AWS.

Exam trap

Cisco often tests the misconception that a virtual appliance or VPN tunnel is required for cloud provider integration, but Intersight uses direct API calls over the internet, making network connectivity to AWS public endpoints the only network requirement.

176 · MCQ · medium

A server administrator reports that a newly provisioned application server cannot access its LUN on the storage array. The SAN zoning uses WWPNs. The administrator verifies that the server's HBA WWPN is correctly zoned with the storage port's WWPN. Which additional check should the engineer perform to isolate the issue?

A. Confirm that VSAN interop is enabled on the MDS switch
B. Verify that the zone set is activated and that the zones are in the active zone set
C. Ensure that the switch port is configured in F mode and local switching is enabled
D. Check whether FCIP is configured on the storage array
Answer: B

Zone set must be active for zoning to take effect.

Why this answer

Even if the WWPNs are correctly configured in the zone, the zone set must be activated for the zoning to take effect. Without activation, the zone configuration remains in the pending or offline zone set, and the Fibre Channel fabric will not enforce the access controls. The engineer should verify that the zone set is activated and that the zones appear in the active zone set using commands like 'show zoneset active' on the MDS switch.

Exam trap

Cisco often tests the distinction between configuring a zone and activating the zone set, because candidates assume that creating a zone automatically applies it to the fabric.

How to eliminate wrong answers

Option A is wrong because VSAN interop is not a standard feature on MDS switches; VSANs are isolated by default and inter-VSAN routing (IVR) would be needed for communication between VSANs, but this is unrelated to a LUN access issue within the same VSAN. Option C is wrong because switch ports in F mode (fabric port) are used to connect to N-port devices like HBAs, and local switching is enabled by default on MDS switches; neither setting would prevent a correctly zoned HBA from accessing its LUN. Option D is wrong because FCIP is used for extending Fibre Channel over IP networks, not for local SAN connectivity; it is irrelevant to a server accessing its LUN on a directly connected storage array.

177 · MCQ · medium

A network engineer is troubleshooting inter-VLAN routing on a Cisco Nexus 9000 switch. The switch is configured with VLAN 10 and VLAN 20. Hosts in VLAN 10 cannot ping hosts in VLAN 20. The engineer checks the VLAN ACL (VACL) applied to VLAN 10 and finds the following configuration:

    ip access-list VACL-FILTER
      10 permit ip any any
    ...
    vlan access-map VACL-MAP 10
      match ip address VACL-FILTER
      action forward
    vlan filter VACL-MAP vlan-list 10

What is the most likely reason for the connectivity failure?

A. The access-list permits all, so the VACL should work; perhaps the access-map is missing a default action.
B. The 'vlan filter' command is applied to VLAN 10 only, but the access-map is misconfigured.
C. The VACL is applied only to VLAN 10, so traffic from VLAN 20 to VLAN 10 is not filtered, but this should not cause a failure.
D. The VACL does not apply to traffic routed through the SVI; a Router ACL (RACL) must be used instead.
Answer: D

Correct. VACLs are only for Layer 2 bridging. For inter-VLAN routing, apply a RACL on the SVI interface.

Why this answer

VACLs filter traffic at the ingress of a VLAN, but they only apply to traffic that is bridged within the same VLAN. When traffic is routed between VLANs (inter-VLAN routing), it passes through the SVI (Switch Virtual Interface), and VACLs do not inspect routed traffic. To filter inter-VLAN routed traffic, a Router ACL (RACL) must be applied to the SVI.

Since the hosts in VLAN 10 cannot ping VLAN 20, the VACL on VLAN 10 is not blocking the traffic; rather, the traffic is being routed and is not subject to the VACL, so the failure is likely due to a missing or misconfigured RACL or routing issue.

Exam trap

The trap here is that candidates assume VACLs can filter all traffic within a VLAN, including traffic that is routed to another VLAN, but Cisco specifically tests that VACLs only apply to bridged traffic, not to traffic that is routed through an SVI.

How to eliminate wrong answers

Option A is wrong because the access-map does have a default action (the implicit deny at the end of the access-map sequence), and the permit all entry would forward traffic, so the VACL itself is not misconfigured; the issue is that VACLs do not apply to routed traffic. Option B is wrong because applying the filter to VLAN 10 only is correct for filtering traffic entering VLAN 10, but the problem is that inter-VLAN routed traffic bypasses VACL inspection entirely. Option C is wrong because while it correctly notes that traffic from VLAN 20 to VLAN 10 is not filtered by this VACL, the statement that 'this should not cause a failure' is misleading; the actual failure is due to the VACL not applying to routed traffic in either direction, not a one-way filtering issue.

178 · MCQ · hard

During a UCS firmware upgrade, the upgrade fails on a few servers in a chassis. The administrators notice that the management plane is still responsive, but the data plane is disrupted. What is the most likely cause?

A. The secondary Fabric Interconnect did not synchronize the firmware image before the upgrade.
B. The boot policy was changed during maintenance.
C. The server memory is exhausted due to high traffic.
D. The service profiles were not updated after the upgrade.
Answer: A

Incomplete sync causes differing firmware versions between FIs, leading to data plane issues.

Why this answer

The most likely cause is that the secondary Fabric Interconnect did not synchronize the firmware image before the upgrade. In a UCS domain, firmware upgrades are typically performed in a hitless manner by first upgrading the secondary Fabric Interconnect, which requires the firmware image to be synchronized from the primary. If synchronization fails, the secondary may boot with an incompatible or missing firmware, causing data plane disruption while the management plane remains responsive because the primary still handles management traffic.

Exam trap

Cisco often tests the misconception that a failed upgrade always results in a complete loss of connectivity, but the trap here is that the management plane can remain operational even when the data plane is disrupted due to a firmware synchronization failure on the secondary Fabric Interconnect.

How to eliminate wrong answers

Option B is wrong because changing the boot policy during maintenance would affect the server's boot order or boot parameters, not cause a partial failure where management is up but data plane is down; boot policy changes do not directly impact firmware upgrade synchronization. Option C is wrong because server memory exhaustion due to high traffic would manifest as performance degradation or crashes, not a specific scenario where management plane is responsive and data plane is disrupted after a firmware upgrade; memory exhaustion is unrelated to firmware image synchronization. Option D is wrong because service profiles not being updated after the upgrade would cause configuration mismatches or policy application failures, but the immediate symptom of management plane up and data plane down points to a firmware image synchronization issue on the Fabric Interconnect, not a service profile update problem.

179 · Multi-Select · medium

Which THREE security features are commonly used on Cisco Nexus switches to prevent DHCP-based attacks? (Choose three.)

Select 3 answers
A. Control Plane Policing (CoPP)
B. DHCP snooping
C. Port security
D. IP Source Guard
E. Dynamic ARP Inspection (DAI)
Answers: B, D, E

DHCP snooping filters untrusted DHCP messages.

Why this answer

DHCP snooping is a security feature that acts as a firewall between untrusted hosts and DHCP servers. It filters DHCP messages by validating DHCP packets received on untrusted ports, dropping those that are invalid (e.g., DHCP server messages from a client port), and building a DHCP snooping binding database that maps client MAC addresses, IP addresses, VLAN, and port information. This database is then used by other features like IP Source Guard and Dynamic ARP Inspection to prevent IP spoofing and ARP poisoning attacks.

Exam trap

Cisco often tests the distinction between features that directly prevent DHCP-based attacks (DHCP snooping, IP Source Guard, DAI) versus general security features like CoPP or Port security, which address different attack vectors and do not inspect DHCP protocol messages.

180 · MCQ · hard

In a BGP EVPN deployment, route type 2 (MAC/IP advertisement) is used to advertise MAC addresses. What additional information is carried in route type 2 for IP routing?

A. IP address and route distinguisher
B. IP address and MAC address
C. IP prefix and next-hop
D. MAC address and VNI
Answer: B

Route type 2 contains the MAC address and optionally the IP address for host routing.

Why this answer

In BGP EVPN, route type 2 (MAC/IP Advertisement Route) is used to advertise both MAC addresses and their associated IP addresses. The additional information carried for IP routing is the IP address and the MAC address, enabling the control plane to support both Layer 2 bridging and Layer 3 routing (e.g., host route advertisement for IP-based forwarding). This is defined in RFC 7432, where the route type 2 NLRI includes a MAC address field and an optional IP address field.

Exam trap

Cisco often tests the distinction between route type 2 (MAC/IP advertisement) and route type 5 (IP prefix route), trapping candidates who confuse the IP address field in type 2 with an IP prefix or next-hop information.

How to eliminate wrong answers

Option A is wrong because the route distinguisher (RD) is part of the EVPN NLRI prefix, not an additional field carried specifically for IP routing; it is used to distinguish overlapping IP prefixes across different VRFs. Option C is wrong because route type 2 carries a single IP address (e.g., a /32 host route), not an IP prefix and next-hop; IP prefix and next-hop are associated with route type 5 (IP prefix route). Option D is wrong because while the MAC address and VNI are present in route type 2, the VNI is part of the EVPN NLRI for identifying the broadcast domain, not an additional element for IP routing; the question specifically asks for the additional information carried for IP routing, which is the IP address.

181 · MCQ · easy

An engineer wants to prevent unauthorized devices from connecting to access ports. Which port security violation mode will disable the port and generate a syslog message?

A. protect
B. shutdown
C. restrict
D. shutdown vlan
Answer: B

Shutdown disables the port and logs the violation.

Why this answer

The 'shutdown' violation mode is the only port security mode that both disables the port (placing it in an err-disabled state) and generates a syslog message when a violation occurs. This mode immediately shuts down the interface upon detecting an unauthorized MAC address, providing both a clear security alert and a physical disconnection of the offending device.

Exam trap

Cisco often tests the distinction between 'shutdown' and 'shutdown vlan' modes, where candidates mistakenly think 'shutdown vlan' disables the entire port, but it only disables the specific VLAN on that port, leaving other VLANs operational.

How to eliminate wrong answers

Option A is wrong because 'protect' mode drops packets from unauthorized MAC addresses but does not disable the port or generate a syslog message, silently discarding traffic. Option C is wrong because 'restrict' mode drops packets from unauthorized MAC addresses and generates a syslog message, but it does not disable the port; the port remains operational. Option D is wrong because 'shutdown vlan' mode disables only the offending VLAN on the port (placing it in an err-disabled state) and generates a syslog message, but it does not shut down the entire physical port, which is required by the question's condition of disabling the port.

182 · MCQ · medium

Refer to the exhibit. A client connected to Ethernet1/2 cannot obtain an IP address via DHCP. What is the most likely cause?

A. The DHCP snooping information option is disabled
B. The DHCP server is on a different VLAN
C. The DHCP snooping trust configuration is missing on the server port
D. IP source guard is enabled on the client port
Answer: C

Without trust, DHCP server messages are dropped on the untrusted port.

Why this answer

The client cannot obtain an IP address via DHCP because the DHCP server port (Ethernet1/1) is not configured as a DHCP snooping trusted port. By default, all ports are untrusted, and DHCP snooping drops all DHCP server responses (OFFER, ACK) received on untrusted ports. Configuring the port connecting to the DHCP server as trusted is required to allow these messages to reach the client.

Exam trap

Cisco often tests the default untrusted state of all ports in DHCP snooping, leading candidates to overlook that the server port must be explicitly trusted, even when the server is on the same VLAN or reachable.

How to eliminate wrong answers

Option A is wrong because disabling the DHCP snooping information option (option 82) would only affect the insertion or removal of relay agent information, not the basic forwarding of DHCP messages; DHCP snooping still operates and drops server responses on untrusted ports. Option B is wrong because a DHCP server on a different VLAN is a common and valid deployment; DHCP snooping does not require the server to be on the same VLAN, and the issue is about trust, not VLAN placement. Option D is wrong because IP source guard (IPSG) filters traffic based on IP-to-MAC bindings after a client obtains an IP address, but it does not prevent the initial DHCP exchange; the client cannot even get an IP address due to DHCP snooping dropping server responses.

183 · MCQ · hard

A Cisco HyperFlex cluster is experiencing performance issues during peak hours. The cluster uses a 4-node all-flash configuration. The engineer notices that the vSphere DRS cluster is heavily imbalanced. Which HyperFlex feature should be used to improve performance by balancing the storage load across nodes?

A. Enable Storage DRS on the HyperFlex datastore
B. Enable the IOPS-based workload rebalancing feature
C. VM vMotion to move VMs to less busy nodes
D. Adjust the deduplication and compression settings to reduce write amplification
Answer: B

This feature automatically rebalances data across nodes based on IOPS, improving performance.

Why this answer

Option B is correct because the IOPS-based workload rebalancing feature in Cisco HyperFlex automatically redistributes storage I/O load across cluster nodes based on real-time IOPS metrics. This directly addresses the performance issue during peak hours by ensuring no single node becomes a storage bottleneck, which is the root cause of the vSphere DRS imbalance in a HyperFlex environment.

Exam trap

Cisco often tests the distinction between compute load balancing (vSphere DRS/VM vMotion) and storage I/O load balancing (HyperFlex IOPS rebalancing), leading candidates to mistakenly choose VM vMotion when the issue is storage-side, not compute-side, contention.

How to eliminate wrong answers

Option A is wrong because Storage DRS operates at the vSphere datastore level and manages VM placement across datastores, not the underlying HyperFlex storage node load; HyperFlex presents a single distributed datastore, making Storage DRS irrelevant for node-level I/O balancing. Option C is wrong because VM vMotion moves VMs between ESXi hosts to balance compute load, but it does not affect the storage I/O distribution across HyperFlex nodes, which is the actual performance bottleneck. Option D is wrong because adjusting deduplication and compression settings reduces write amplification and improves storage efficiency, but it does not dynamically rebalance existing I/O load across nodes during peak hours.

184 · Multi-Select · medium

Which THREE of the following are valid UCS Manager RBAC roles?

Select 3 answers
A. Storage Administrator
B. Network Administrator
C. UCS Administrator
D. Operations Administrator
E. Server Administrator
Answers: B, C, E

The Network Administrator role manages network-related configurations.

Why this answer

Option B (Network Administrator) is correct because UCS Manager defines RBAC roles with specific privileges. The Network Administrator role is a built-in role that grants permissions to manage network-related configurations such as VLANs, VSANs, and QoS policies within the UCS domain.

Exam trap

Cisco often tests the distinction between default built-in roles and custom roles, and the trap here is that 'Storage Administrator' sounds plausible but is not a default role, while 'Operations Administrator' is a default role but is not one of the three correct answers in this specific question.

185 · MCQ · medium

A data center administrator reports that traffic from a specific UCS server is not flowing through the expected Fabric Interconnect (FI) A. The pin group is configured, but traffic is still sent to FI B. What should the administrator check?

A. Verify that the server is associated with the correct service profile.
B. Reboot the Fabric Interconnect.
C. Check if the pin group is deleted.
D. Ensure the vNIC's fabric ID is set to match the pin group's preferred fabric.
Answer: D

The vNIC must have the fabric ID set to force traffic to the desired FI.

Why this answer

The pin group configuration determines which Fabric Interconnect a vNIC should use for upstream traffic. If the vNIC's fabric ID is not set to match the pin group's preferred fabric, the server will ignore the pin group and send traffic to the other FI. Option D is correct because the fabric ID mismatch causes the pin group to be ineffective, and verifying this alignment ensures traffic flows through the expected FI A.

Exam trap

Cisco often tests the subtle distinction between a pin group being configured and the vNIC's fabric ID being misaligned, leading candidates to assume the pin group is automatically applied without checking the vNIC-level fabric assignment.

How to eliminate wrong answers

Option A is wrong because the service profile association controls the server's identity and policies, not the specific fabric path selection for traffic; a correctly associated service profile can still have a vNIC fabric ID mismatch. Option B is wrong because rebooting the Fabric Interconnect is a disruptive action that does not address the configuration mismatch between the vNIC fabric ID and the pin group's preferred fabric. Option C is wrong because the pin group is confirmed to be configured; checking if it is deleted is irrelevant when the issue is that the vNIC is not honoring the existing pin group due to fabric ID mismatch.

186 · MCQ · medium

A medium-sized enterprise has a Cisco UCS environment with two Fabric Interconnects (FIs) in a cluster. There are 10 blade servers, each with a VIC 1340 adapter. The SAN consists of two MDS 9148S switches in a VSAN for storage. Each server is configured with two vHBAs (primary and secondary) connecting to the SAN via the FIs. Recently, after a firmware upgrade on the MDS switches, several servers are unable to boot from SAN. The storage administrator confirms that the storage array LUNs are accessible from the MDS switches. The UCS administrator reports that the vHBAs show a 'link down' status on the FI. Which action should be taken to resolve the issue?

A. Reconfigure the vHBAs on the UCS Manager with new WWPNs.
B. Check the storage array LUN masking and re-apply LUN access.
C. Verify the active zone set on the MDS switches and re-activate it if necessary.
D. Downgrade the MDS firmware to the previous version.
Answer: C

Firmware upgrade may deactivate the zone set.

Why this answer

The 'link down' status on the vHBAs indicates that the Fibre Channel fabric is not properly delivering the FLOGI (Fabric Login) response to the initiators. Since the storage LUNs are accessible from the MDS switches, the issue is likely that the active zone set was deactivated or not saved after the firmware upgrade, preventing the vHBAs from logging into the fabric. Re-activating the zone set on the MDS switches will re-establish the FC zones and allow the vHBAs to complete FLOGI and resume boot from SAN.

Exam trap

Cisco often tests the distinction between storage array LUN masking (target-side) and FC fabric zoning (switch-side); the trap here is that candidates assume a 'link down' on the vHBA must be a physical or HBA configuration issue, when in fact it is a fabric-level problem caused by missing or inactive zone sets after a switch upgrade.

How to eliminate wrong answers

Option A is wrong because changing WWPNs would require re-zoning and re-masking on both the MDS and storage array, and the problem is not related to WWPN exhaustion or duplication. Option B is wrong because the storage administrator confirmed LUNs are accessible from the MDS, so LUN masking is already correct; the issue is at the FC fabric layer, not the storage array. Option D is wrong because downgrading firmware is a disruptive workaround that does not address the root cause (zone set activation state), and the problem is likely a configuration persistence issue after upgrade, not a firmware bug.

187 · MCQ · easy

A data center network engineer wants to encrypt all traffic between two top-of-rack (ToR) switches that are connected via a direct link. The encryption should be transparent to upper-layer protocols and operate at Layer 2. Which technology should be used?

A. MACsec (802.1AE)
B. IPsec VPN
C. MKA (MACsec Key Agreement)
D. TLS/SSL
Answer: A

MACsec encrypts at Layer 2, ideal for direct links.

Why this answer

MACsec (802.1AE) is the correct choice because it provides hop-by-hop encryption at Layer 2, encrypting the entire Ethernet frame (excluding the source/destination MAC and VLAN tag) to secure traffic between two directly connected switches. It operates transparently to upper-layer protocols (Layer 3 and above) and requires no IP-level configuration, making it ideal for encrypting a direct link between ToR switches.

Exam trap

Cisco often tests the distinction between the encryption protocol (MACsec/802.1AE) and its key management protocol (MKA), leading candidates to mistakenly select MKA as the encryption technology.

How to eliminate wrong answers

Option B (IPsec VPN) is wrong because it operates at Layer 3 (network layer) and requires IP routing, which adds overhead and is not transparent to upper-layer protocols; it is designed for site-to-site or remote-access VPNs, not for direct Layer 2 link encryption. Option C (MKA - MACsec Key Agreement) is wrong because MKA is the key management protocol used to establish and maintain MACsec keys (as defined in 802.1X-2010), not the encryption technology itself; it is a component of MACsec, not a standalone encryption solution. Option D (TLS/SSL) is wrong because it operates at Layer 4 (transport layer) and is used to encrypt application-layer traffic (e.g., HTTPS), not Layer 2 frames; it requires TCP sessions and is not suitable for transparent link encryption between switches.

188 · MCQ · hard

A Python script uses NX-API's XML output to extract interface status. Which method is most robust and recommended for parsing the XML?

A. Split the string by tags
B. Use regular expressions to find patterns
C. Use BeautifulSoup
D. Use xml.etree.ElementTree
Answer: D

ElementTree is built-in and efficient for XML parsing.

Why this answer

xml.etree.ElementTree is the recommended method because it is part of Python's standard library, provides robust tree-based parsing that handles XML namespaces and nested structures correctly, and is specifically designed for programmatic XML manipulation. For NX-API XML output, which follows a consistent schema, ElementTree allows reliable extraction of interface status using XPath or tag traversal without fragility.

Exam trap

Cisco often tests the distinction between built-in vs. third-party libraries and between string manipulation vs. proper parsing, leading candidates to choose BeautifulSoup (which is overkill and non-standard for XML) or regex (which seems flexible but is technically incorrect for XML).

How to eliminate wrong answers

Option A is wrong because splitting by tags is brittle and fails if the XML contains whitespace, attributes, or nested elements; it cannot handle the structured hierarchy of NX-API responses. Option B is wrong because regular expressions are not designed for parsing XML's nested tree structure and will break on attribute order changes, CDATA sections, or escaped characters, leading to incorrect or incomplete data extraction. Option C is wrong because BeautifulSoup is a third-party library primarily for HTML parsing and requires additional installation, whereas the exam expects a built-in, lightweight solution for XML parsing in automation scripts.

189 · MCQ · easy

A network engineer is configuring a VPC peer-link on a Nexus switch. Which interface configuration is required for the peer-link port-channel?

A.switchport mode trunk
B.spanning-tree port type edge trunk
C.switchport mode access
D.no switchport
AnswerA

Trunk mode allows multiple VLANs to traverse the peer-link.

Why this answer

A vPC peer-link is a special port-channel that carries control traffic (Cisco Fabric Services over Ethernet) and data traffic between the vPC peer switches. It must be configured as a trunk (switchport mode trunk) so that every VLAN used on vPC member ports can traverse it; a VLAN that is allowed on a member port but not on the peer-link is suspended on that vPC. The peer-keepalive does not run over the peer-link: it uses a separate Layer 3 path (mgmt0 or a dedicated routed link), which is exactly why the peer-link can be a pure Layer 2 trunk.

Exam trap

Cisco often tests the distinction between a VPC peer-link (which must be a Layer 2 trunk) and a VPC peer-keepalive link (which is a Layer 3 routed link), causing candidates to confuse the two and incorrectly apply 'no switchport' to the peer-link.

How to eliminate wrong answers

Option B is wrong because 'spanning-tree port type edge trunk' is meant for trunk ports facing end hosts such as hypervisors (PortFast behaviour on a trunk), not for a vPC peer-link; NX-OS automatically sets the peer-link to 'spanning-tree port type network' when 'vpc peer-link' is applied, so Bridge Assurance runs on it. Option C is wrong because 'switchport mode access' restricts the interface to a single VLAN, which would prevent the peer-link from carrying the multiple VLANs required for vPC data and control traffic. Option D is wrong because 'no switchport' places the interface into routed (Layer 3) mode, but a vPC peer-link must operate at Layer 2 to forward VLAN-tagged frames between the vPC peers.

190
MCQmedium

Which statement is true about the VLANs carried on a VPC peer-link?

A.The peer-link carries only the VLANs allowed on the member interfaces.
B.The peer-link carries all VLANs that are allowed on the trunk interface.
C.The peer-link requires spanning-tree port type edge trunk configuration.
D.The peer-link must be configured as a layer 3 interface.
AnswerB

The peer-link is a trunk that can carry any VLAN allowed on it.

Why this answer

In a vPC domain, the peer-link is a trunk, and it forwards every VLAN in its allowed list, whether or not that VLAN is present on a vPC member port. This matters for orphan ports (single-attached devices on one peer): traffic for an orphan port that arrives on the other peer crosses the peer-link, which works only if that VLAN is allowed on it. Conversely, a VLAN that is allowed on a vPC member port but not on the peer-link is suspended on that vPC, so in practice the peer-link's allowed list must be a superset of every vPC VLAN.

Exam trap

Cisco often tests the misconception that the peer-link only carries VLANs present on member ports, when in fact it carries every VLAN allowed on the trunk; pruning the peer-link's allowed list below the set of vPC and orphan-port VLANs breaks traffic for those VLANs.

How to eliminate wrong answers

Option A is wrong because the peer-link carries all VLANs allowed on the trunk, not only those allowed on member interfaces; restricting the list would suspend those VLANs on the vPCs and break orphan-port traffic. Option C is wrong because the peer-link does not use 'spanning-tree port type edge trunk'; NX-OS sets it to port type network (Bridge Assurance) automatically when 'vpc peer-link' is configured. Option D is wrong because the peer-link must be a Layer 2 trunk interface, not a Layer 3 interface, as it carries VLAN traffic between vPC peers.

191
MCQmedium

A data center engineer is deploying a new application on Cisco UCS Manager. The application requires consistent low-latency access to storage. The engineer decides to use SAN boot from a Fibre Channel SAN. Which configuration change is necessary on the UCS service profile to enable SAN boot?

A.Enable VIF (Virtual Interface) on the vHBA
B.Configure a QoS policy for the vHBA
C.Set the vNIC to use dynamic MAC address
D.Assign a persistent WWPN to the vHBA
AnswerD

Persistent WWPN ensures the SAN target recognizes the server.

Why this answer

To boot from a Fibre Channel SAN, the service profile must give the vHBA a WWPN that belongs to the profile rather than to the hardware (assigned from a WWPN pool or set manually). The fabric identifies the initiator by WWPN for zoning, and the array uses it for LUN masking; because the WWPN travels with the service profile, the same initiator identity is presented after a reboot or after the profile is moved to another blade, so the boot LUN remains reachable. A hardware-derived WWPN would change with the physical adapter, breaking zoning and LUN masking and therefore the boot path. The boot policy in the same service profile then lists the target WWPN and LUN to boot from.

Exam trap

Cisco often tests the distinction between vNIC (Ethernet) and vHBA (Fibre Channel) configurations, and the trap here is that candidates confuse MAC address persistence (for vNICs) with WWPN persistence (for vHBAs), leading them to incorrectly select Option C.

How to eliminate wrong answers

Option A is wrong because virtual interfaces (VIFs) are created automatically by UCS Manager for every vNIC and vHBA on the VIC adapter; there is no separate 'enable VIF' step, and none is required for SAN boot. Option B is wrong because a QoS policy for the vHBA controls traffic prioritization and bandwidth, but it does not affect the ability to boot from a SAN; QoS is optional and unrelated to SAN boot functionality. Option C is wrong because the MAC address setting applies to the vNIC (Ethernet), not to Fibre Channel SAN boot; SAN boot relies on the vHBA and its WWPN.

192
MCQeasy

Which statement describes how firmware management works for UCS B-Series blade servers?

A.Firmware must be manually upgraded on each blade individually
B.Firmware is managed through host firmware packages in service profiles
C.Firmware is automatically updated via Cisco TAC
D.Firmware is stored on the fabric interconnect and loaded directly to the server
AnswerB

Host firmware packages define the firmware versions for each server

Why this answer

In Cisco UCS Manager, firmware for B-Series blade servers is managed through host firmware packages that are included in service profiles. These packages define the exact firmware versions for components like the BIOS, adapter, storage controller, and CIMC, and are automatically applied to the blade when the service profile is associated. This ensures consistent firmware levels across blades without manual intervention on each server.

Exam trap

Cisco often tests the misconception that firmware is pushed ad hoc from the fabric interconnect, or that each blade must be updated by hand; in UCS Manager the host firmware package in the service profile declares the versions, and the blade receives and activates them (typically at the next reboot or a user-acknowledged maintenance window) when the profile is associated.

How to eliminate wrong answers

Option A is wrong because firmware is not manually upgraded on each blade individually; UCS Manager applies the versions declared in the host firmware package when the service profile is associated. Option C is wrong because Cisco TAC does not push firmware; updates are initiated by the administrator through UCS Manager or Intersight. Option D is wrong because, although the downloaded firmware bundles do reside in the UCS Manager image repository on the fabric interconnects, the FI does not 'load firmware directly' to a server; the host firmware package in the service profile drives the update, and the images are installed on the blade's components (BIOS, adapter, CIMC, storage controller) during activation.

193
MCQhard

A network administrator is configuring CoPP (Control Plane Policing) on a Cisco Nexus 9300 to protect the control plane from high-rate traffic. After applying the policy, the switch becomes unresponsive to SSH sessions, but ICMP still works. What is the most likely misconfiguration?

A.The control plane rate limit is set too low because the switch has many interfaces.
B.CoPP is not supported on the Nexus 9300 platform.
C.The default action of the policy-map is to drop traffic not explicitly matched.
D.In the class-map for SSH, the 'match' statement is incorrectly configured, causing SSH traffic to fall under a drop class.
AnswerD

If SSH traffic is not matched or falls into a drop class, SSH would be blocked.

Why this answer

Option D is correct because if the class-map that is supposed to catch SSH uses an incorrect match statement (for example, an ACL with the wrong protocol or port), SSH packets are not classified into the management class. They fall through to class-default, which in the Cisco default CoPP profiles is policed at a very low rate, so SSH is effectively starved while ICMP, still classified correctly in the monitoring class, continues to work. CoPP relies on precise class-map matching; a misclassification explains the selective loss of SSH access.

Exam trap

Cisco often tests the nuance that unmatched control-plane traffic is not silently dropped: it lands in class-default, which in the default profiles is policed at a low rate rather than dropped outright, so candidates who assume a blanket 'default drop' miss that the real issue is misclassification into that starved catch-all class.

How to eliminate wrong answers

Option A is wrong because a low rate limit would affect all control-plane traffic, not just SSH; ICMP would also be impacted, and the symptom is SSH failure with ICMP working. Option B is wrong because CoPP is fully supported on Nexus 9300 switches running NX-OS, and it is the standard control-plane protection mechanism. Option C is wrong because unmatched traffic is not dropped by default; it is policed under class-default, and a blanket drop of unmatched traffic would affect everything unclassified, which contradicts the symptom that ICMP still works.

194
MCQmedium

An engineer is troubleshooting connectivity between two Nexus 9000 switches configured with vPC. The vPC peer link is up, but the vPC peer-keepalive link is failing. Which action should be taken to ensure vPC convergence in the event of a peer-link failure?

A.Ensure the peer-keepalive link uses a dedicated management interface or a separate VRF.
B.Disable vPC on both switches and reconfigure the port channels.
C.Reconfigure the vPC domain with a lower priority on the secondary switch.
D.Increase the vPC peer-keepalive hold timeout to 5 seconds.
AnswerA

A dedicated keepalive link ensures reliable communication and prevents split-brain.

Why this answer

When the vPC peer-link fails, the peer-keepalive is the only way the secondary switch can tell that the primary is still alive. If keepalives are received, the secondary suspends its vPC member ports (and by default its SVIs) so that only the primary forwards; if the keepalive is also failing, both peers believe they are alone, keep forwarding, and the domain goes dual-active (split-brain). Running the keepalive over mgmt0 in the management VRF, or over a dedicated routed link in its own VRF, keeps it off the data plane and off the peer-link, so it remains reachable precisely when the peer-link is down.

Exam trap

Cisco often tests the misconception that the peer-keepalive link is only for role negotiation during normal operation, when in fact it is critical for preventing split-brain during peer-link failures, and candidates may overlook the need for its isolation from the data plane.

How to eliminate wrong answers

Option B is wrong because disabling vPC and reconfiguring port channels is a disruptive, manual process that does not address the keepalive failure and would cause unnecessary downtime; vPC convergence relies on the keepalive link to prevent split-brain, not on reconfiguration. Option C is wrong because changing the vPC domain priority on the secondary switch does not affect the keepalive link's functionality; priority determines the role (primary/secondary) but does not fix a failing keepalive path. Option D is wrong because increasing the hold timeout to 5 seconds only delays the detection of a keepalive failure, potentially prolonging a split-brain scenario; it does not ensure the keepalive link is reliable or isolated.
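The peer-link and peer-keepalive rules from questions 189, 190 and 194 can be checked mechanically. The following Python script, an added example rather than code from the original page, parses a constructed NX-OS running-config excerpt and flags a keepalive placed in the default VRF, a peer-link that is not a trunk port-channel, and vPC member VLANs missing from the peer-link's allowed list. The config excerpt is invented for the example; the checks assume NX-OS syntax and the NX-OS default of the management VRF for the keepalive when no 'vrf' keyword is given.

```python
import re
from typing import Dict, List, Set

# Constructed NX-OS running-config excerpt (invented for this example, not
# taken from a real device). It deliberately contains two of the mistakes
# discussed above: the peer-keepalive is placed in the default VRF, and
# port-channel10 allows VLAN 40, which is not allowed on the peer-link.
SAMPLE_CONFIG = """\
vpc domain 10
  peer-keepalive destination 10.1.1.2 source 10.1.1.1 vrf default
  peer-gateway

interface port-channel1
  switchport mode trunk
  switchport trunk allowed vlan 10,20,30
  spanning-tree port type network
  vpc peer-link

interface port-channel10
  switchport mode trunk
  switchport trunk allowed vlan 10,20,40
  vpc 10

interface port-channel20
  switchport mode access
  switchport access vlan 30
  vpc 20
"""

ALL_VLANS = set(range(1, 4095))


def parse_blocks(config: str) -> Dict[str, List[str]]:
    """Group an NX-OS config into {top-level line: [indented sub-lines]}."""
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0] not in " \t":            # unindented line opens a new block
            current = raw.strip()
            blocks.setdefault(current, [])
        elif current is not None:
            blocks[current].append(raw.strip())
    return blocks


def expand_vlans(spec: str) -> Set[int]:
    """Expand an NX-OS VLAN list such as '10,20,30-35' into a set of ints."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def carried_vlans(lines: List[str]) -> Set[int]:
    """VLANs an interface carries: the trunk allowed list, or the access VLAN.
    Only the plain 'allowed vlan <list|all|none>' form is handled here."""
    mode, allowed, access_vlan = "access", None, 1
    for line in lines:
        if line == "switchport mode trunk":
            mode = "trunk"
        m = re.match(r"switchport trunk allowed vlan (\S+)$", line)
        if m:
            allowed = m.group(1)
        m = re.match(r"switchport access vlan (\d+)$", line)
        if m:
            access_vlan = int(m.group(1))
    if mode != "trunk":
        return {access_vlan}
    if allowed is None or allowed == "all":   # NX-OS default: all VLANs allowed
        return set(ALL_VLANS)
    if allowed == "none":
        return set()
    return expand_vlans(allowed)


def check_vpc(config: str) -> List[str]:
    """Return a list of vPC findings (an empty list means the checks passed)."""
    blocks = parse_blocks(config)
    findings: List[str] = []

    domain = next((b for b in blocks if b.startswith("vpc domain")), None)
    if domain is None:
        return ["no 'vpc domain' configured"]
    ka = re.compile(r"peer-keepalive destination \S+(?: source \S+)?(?: vrf (\S+))?")
    for line in blocks[domain]:
        m = ka.match(line)
        if m:
            vrf = m.group(1) or "management"   # NX-OS default when 'vrf' is omitted
            if vrf == "default":
                findings.append(f"{domain}: peer-keepalive runs in the default VRF, "
                                "sharing the data plane; use mgmt0 (vrf management) "
                                "or a dedicated VRF")
            break
    else:
        findings.append(f"{domain}: no peer-keepalive configured")

    peer_links = [b for b, ls in blocks.items()
                  if b.startswith("interface") and "vpc peer-link" in ls]
    if len(peer_links) != 1:
        findings.append(f"expected exactly one 'vpc peer-link', found {len(peer_links)}")
        return findings
    pl = peer_links[0]
    if not pl.startswith("interface port-channel"):
        findings.append(f"{pl}: 'vpc peer-link' must be applied to a port-channel")
    if "switchport mode trunk" not in blocks[pl]:
        findings.append(f"{pl}: peer-link is not a trunk")
    pl_vlans = carried_vlans(blocks[pl])

    for name, lines in blocks.items():
        if name == pl or not name.startswith("interface"):
            continue
        if not any(re.fullmatch(r"vpc \d+", l) for l in lines):
            continue                           # not a vPC member port
        missing = sorted(carried_vlans(lines) - pl_vlans)
        if missing:
            findings.append(f"{name}: VLAN(s) {missing} not allowed on {pl}; "
                            "NX-OS suspends them on this vPC")
    return findings


if __name__ == "__main__":
    for finding in check_vpc(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample it reports the keepalive VRF and VLAN 40 on port-channel10; port-channel20 passes because its access VLAN 30 is allowed on the peer-link. The same checks are worth running on both peers, since the peer-link allowed list and the member-port VLANs must agree on each side.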

195
MCQhard

An engineer is designing a SAN to connect hosts to two storage arrays for redundancy. The hosts are dual-attached to two MDS switches. Each storage array has two controllers, each with a single FC port. The engineer wants to avoid a single point of failure and ensure that each host can reach both storage controllers. Which design should be used?

A.Connect both HBAs of each host to the same switch, and create zones that include both HBAs and both storage ports.
B.Connect each host HBA to a separate switch, and zone each HBA to one storage controller port.
C.Use NPV mode to simplify connectivity.
D.Connect each host HBA to a different switch, and zone each HBA to a specific storage controller, using zones that cross VSANs.
E.Connect each host HBA to a different switch, and zone each HBA to both storage controller ports.
AnswerE

This provides redundant paths at every layer: HBA, switch, and controller.

Why this answer

Option E is correct because it provides full redundancy: each host HBA connects to a different MDS switch, and each HBA is zoned to both storage controller ports. This ensures that if a switch, HBA, or storage controller fails, the host can still reach at least one storage controller via the remaining path. The dual-zoning per HBA allows each host to access both controllers without a single point of failure, meeting the requirement for host-to-controller reachability.

Exam trap

Cisco often tests the misconception that connecting both HBAs to the same switch is acceptable for redundancy, but the trap here is that a single switch failure would cause complete loss of connectivity, so each HBA must be on a different switch to eliminate that single point of failure.

How to eliminate wrong answers

Option A is wrong because connecting both HBAs of each host to the same switch creates a single point of failure at the switch level; if that switch fails, the host loses all connectivity. Option B is wrong because zoning each HBA to only one storage controller port means that if that specific controller port fails, the host cannot reach the other controller, violating the requirement for full redundancy. Option C is wrong because NPV (N_Port Virtualization) mode is used to simplify Fibre Channel fabric connectivity by reducing domain IDs, but it does not address the zoning or redundancy requirements for host-to-controller access.

Option D is wrong because a zone is scoped to a single VSAN; reaching devices in another VSAN requires Inter-VSAN Routing (IVR), which adds complexity and is unnecessary here. VSANs provide isolation, not redundant paths, and this design still leaves each HBA zoned to only one controller.

196
Multi-Selectmedium

An engineer is tuning performance for a storage network. Which two practices improve FC SAN performance?

Select 2 answers
A.Disabling flow control.
B.Using single-initiator zoning.
C.Ensuring adequate buffer credits.
D.Enabling broadcast zoning.
E.Setting fabric login timeout to the maximum.
AnswersB, C

Reduces inter-initiator traffic.

Why this answer

Single-initiator zoning (Option B) keeps each initiator in its own zone with its target ports, so initiators never see each other, RSCNs are delivered only to the zone members that need them, and a misbehaving host cannot disturb other hosts' sessions; this reduces control-plane churn and simplifies troubleshooting. Adequate buffer credits (Option C) keep the link busy: Fibre Channel flow control lets a port send only as many frames as the receiver has advertised BB_Credits, so on long ISLs too few credits leave the link idle waiting for R_RDY and cap throughput well below line rate.

Exam trap

Cisco often tests the misconception that disabling flow control improves performance by reducing overhead, but in FC SANs, flow control (BB_Credit) is mandatory for lossless operation, and disabling it causes frame drops and retransmissions.

197
MCQeasy

A data center administrator needs to deploy a new blade server in a Cisco UCS chassis. The server must automatically inherit the correct service profile based on its slot location. Which feature should be configured?

A.Static service profile association
B.Qualifier-based service profile association
C.Service profile template with pool
D.Default service profile
AnswerB

Uses server attributes like slot ID to automatically map a profile, enabling zero-touch deployment.

Why this answer

Qualifier-based service profile association allows a service profile to be applied to a blade automatically according to its physical location. In UCS Manager this is done with a server pool whose server pool policy qualification matches the chassis ID and slot number; a service profile (usually created from a template) bound to that pool is associated with whatever blade occupies the qualifying slot, without manual intervention.

Exam trap

The trap here is that candidates often confuse qualifier-based association with static association or service profile templates, mistakenly thinking that a template alone can automatically assign profiles based on location without a qualifier.

How to eliminate wrong answers

Option A is wrong because static service profile association requires manual assignment of a service profile to a specific server and does not support automatic inheritance based on slot location. Option C is wrong because a service profile template with pool is used for creating service profiles from a template with a pool of names or UUIDs, but it does not automatically associate profiles based on slot location. Option D is wrong because a default service profile is a fallback profile applied when no other profile is associated, but it is not designed to match specific slot locations for automatic inheritance.

198
MCQhard

A large enterprise is using Cisco UCS Manager to manage a chassis with 8 B-Series blades. The environment uses a combination of Ethernet and Fibre Channel traffic. The UCS fabric interconnect (FI) is configured in end-host mode with two uplinks to the core network. Recently, the engineering team deployed a new service profile for a high-performance computing workload that requires 40Gbps Ethernet per vNIC and 16Gbps Fibre Channel per vHBA. The server has two vNICs and two vHBAs. After deployment, the server's OS shows only 10Gbps connectivity on each vNIC. The engineer checks UCS Manager and sees that the vNIC templates are set to '10 Gbps' and the vHBA templates are set to '16 Gbps' but the actual link speed for vNICs is only 10Gbps. The fabric interconnect ports are configured as 40Gbps uplinks. The engineer has verified that the server adapter supports 40Gbps. What is the most likely cause of the speed mismatch?

A.The fabric interconnect uplinks are configured as 40Gbps, but the port channel is not configured correctly, causing speed negotiation to fail.
B.The vNIC template used in the service profile specifies a requested speed of '10 Gbps' instead of '40 Gbps'.
C.The server's adapter policy is set to 'Windows' mode, which limits Ethernet speeds to 10Gbps.
D.The QoS policy applied to the vNIC limits the bandwidth to 10Gbps.
AnswerB

The vNIC template's speed setting determines the allocated speed; it must be set to 40Gbps.

Why this answer

The vNIC template in the service profile defines the requested speed for the virtual NIC. If the template is set to '10 Gbps', the UCS Manager will allocate only 10 Gbps of bandwidth per vNIC, regardless of the physical adapter's capability or the uplink speed. Since the engineer verified the adapter supports 40 Gbps and the uplinks are 40 Gbps, the mismatch is directly caused by the template configuration.

Exam trap

Cisco often tests the misconception that the physical adapter or uplink speed automatically determines the vNIC speed, when in fact the vNIC template's requested speed is the controlling parameter in UCS Manager.

How to eliminate wrong answers

Option A is wrong because the fabric interconnect uplinks are configured as 40 Gbps and the issue is not related to port channel misconfiguration; speed negotiation for vNICs is independent of uplink port channels. Option C is wrong because the server adapter policy (e.g., 'Windows' mode) does not limit Ethernet speeds to 10 Gbps; it affects driver behavior and failover settings, not link speed. Option D is wrong because a QoS policy applied to a vNIC can shape or limit bandwidth, but the question states the vNIC templates are set to '10 Gbps', and the OS shows 10 Gbps connectivity; QoS policies typically enforce maximum bandwidth after the link is established, not the negotiated link speed.

199
Multi-Selecteasy

Which TWO characteristics are true about Cisco VPC? (Choose two)

Select 2 answers
A.VPC allows dual-homing of a server to two different switches.
B.VPC keepalive uses Layer 2 connectivity.
C.VPC requires a dedicated management VLAN.
D.VPC peer-link can be a single link or EtherChannel.
E.VPC member ports can be on different VLANs on each peer.
AnswersA, D

VPC enables a server to connect to two switches simultaneously, treating them as a single logical node.

Why this answer

Option A is correct because Cisco Virtual PortChannel (vPC) allows a server to be dual-homed to two different switches, enabling active-active load balancing and link redundancy. The two switches appear as a single logical switch to the downstream device; vPC synchronizes state and forwarding information across the peer-link. Option D is correct because the peer-link is configured as a port-channel that may contain one or more physical links; Cisco recommends at least two 10 Gbps or faster links, ideally on different line cards, so that the peer-link itself is not a single point of failure.

Exam trap

Cisco often tests the misconception that vPC keepalive uses Layer 2 connectivity, when in fact it requires Layer 3 reachability, and that vPC member ports can have mismatched VLANs, which is not allowed because the VLAN configuration must be consistent across both peers for the vPC to operate correctly.

200
MCQhard

A network engineer is troubleshooting CoPP drops on a Cisco Nexus 9000 switch. The 'show control-plane' output indicates that packets are being dropped due to 'CoPP' on the 'default' control-plane class. Which action is most likely to resolve the issue without affecting routing protocol stability?

A.Disable CoPP globally to allow all control-plane traffic.
B.Increase the policer rate for the 'default' class in the CoPP policy.
C.Modify the class-map to reclassify the dropped packets to a higher priority class.
D.Increase the ingress buffer size on the control-plane interface.
AnswerB

Raising the policer rate allows more packets to pass, reducing drops.

Why this answer

The 'default' class (class-default) in a CoPP policy catches all control-plane traffic not explicitly matched by another class; on NX-OS the per-class counters are shown by 'show policy-map interface control-plane'. Drops in class-default mean the catch-all policer rate is lower than the rate of unclassified traffic. Raising that rate allows more of it through without touching the separate policers for OSPF, BGP and the other explicitly classified protocols, so routing stability is preserved. On Nexus 9000 the Cisco-supplied profiles cannot be edited in place, so the policy is first copied with 'copp copy profile' and the copy is modified and applied. Before raising the rate, identify what is landing in class-default: if it is a scan or a flood aimed at the CPU, the drops are CoPP doing its job, and the right fix is an ACL or a dedicated low-rate class, not a higher catch-all limit.

Exam trap

Cisco often tests the misconception that all CoPP drops call for reclassification into a higher-priority class, when a drop in class-default usually means the catch-all policer is simply undersized for the legitimate unclassified traffic and needs a rate adjustment.

How to eliminate wrong answers

Option A is wrong because disabling CoPP removes all control-plane protection, exposing the supervisor CPU to denial of service and making routing instability more likely, not less. Option C is wrong because moving unclassified traffic into a class reserved for routing protocols makes it compete with BGP or OSPF for the same policer, which is the opposite of what the class hierarchy is for and can starve the critical traffic the question says must stay stable. Option D is wrong because the control plane has no configurable ingress buffer; buffer tuning applies to data-plane interfaces, not to control-plane policing.
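Added example (not from the original page) that supports the triage in questions 193 and 200: it parses a constructed sample in the shape of 'show policy-map interface control-plane' output, reports which CoPP class is dropping (violated bytes), and checks whether a given ACL, such as the SSH ACL, is referenced by any class, which is the question 193 failure mode in which SSH falls through to class-default. The class and ACL names follow the Cisco default strict profile, but the counters and the exact layout are constructed for the example, so the regular expressions may need adjusting to a real platform's output.

```python
import re
from typing import Dict, List, Optional

# Constructed sample in the shape of 'show policy-map interface control-plane'
# on a Nexus 9000 (invented counters; real output may differ in detail).
COPP_OUTPUT = """\
Control Plane

  Service-policy  input: copp-system-p-policy-strict

    class-map copp-system-p-class-critical (match-any)
      match access-group name copp-system-p-acl-bgp
      match access-group name copp-system-p-acl-ospf
      set cos 7
      police cir 36000 kbps , bc 250 ms
        module 1 :
          conformed 1203440 bytes,
          violated 0 bytes,

    class-map copp-system-p-class-management (match-any)
      match access-group name copp-system-p-acl-ssh
      match access-group name copp-system-p-acl-snmp
      set cos 2
      police cir 36000 kbps , bc 250 ms
        module 1 :
          conformed 88120 bytes,
          violated 0 bytes,

    class-map copp-system-p-class-monitoring (match-any)
      match access-group name copp-system-p-acl-icmp
      set cos 1
      police cir 360 kbps , bc 128000 bytes
        module 1 :
          conformed 5120 bytes,
          violated 0 bytes,

    class-map class-default (match-any)
      set cos 0
      police cir 50 kbps , bc 32000 bytes
        module 1 :
          conformed 64000 bytes,
            5-min offered rate 800 bytes/sec
          violated 2457600 bytes,
            5-min violate rate 30720 bytes/sec
"""

CLASS_RE = re.compile(r"^\s*class-map\s+(\S+)")
MATCH_RE = re.compile(r"^\s*match\s+(.+?)\s*$")
POLICE_RE = re.compile(r"^\s*police\s+cir\s+(\d+)\s+(\S+)")
CONFORMED_RE = re.compile(r"^\s*conformed\s+(\d+)\s+bytes")
VIOLATED_RE = re.compile(r"^\s*violated\s+(\d+)\s+bytes")


def parse_copp_stats(text: str) -> Dict[str, dict]:
    """Per-class CoPP stats: match criteria, CIR, conformed and violated bytes.
    Counters are summed across 'module N' sections, so chassis output with
    several modules is handled the same way as a fixed switch."""
    classes: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in text.splitlines():
        m = CLASS_RE.match(line)
        if m:
            current = {"matches": [], "cir": None, "conformed": 0, "violated": 0}
            classes[m.group(1)] = current
            continue
        if current is None:
            continue
        m = MATCH_RE.match(line)
        if m:
            current["matches"].append(m.group(1))
            continue
        m = POLICE_RE.match(line)
        if m:
            current["cir"] = f"{m.group(1)} {m.group(2)}"
            continue
        m = CONFORMED_RE.match(line)
        if m:
            current["conformed"] += int(m.group(1))
            continue
        m = VIOLATED_RE.match(line)
        if m:
            current["violated"] += int(m.group(1))
    return classes


def dropping_classes(text: str) -> List[str]:
    """Classes with violated (dropped) bytes, largest first."""
    stats = parse_copp_stats(text)
    drops = [n for n, s in stats.items() if s["violated"] > 0]
    return sorted(drops, key=lambda n: stats[n]["violated"], reverse=True)


def class_for_acl(stats: Dict[str, dict], acl_name: str) -> Optional[str]:
    """Name of the class that references `acl_name`, or None if no class does.
    None means the traffic that ACL describes (e.g. SSH) is unclassified and
    falls through to class-default: the question 193 failure mode."""
    for name, s in stats.items():
        for crit in s["matches"]:
            tokens = crit.split()
            if tokens[:2] == ["access-group", "name"] and tokens[2:] == [acl_name]:
                return name
    return None


if __name__ == "__main__":
    stats = parse_copp_stats(COPP_OUTPUT)
    for name in dropping_classes(COPP_OUTPUT):
        print(f"{name}: {stats[name]['violated']} bytes dropped at cir {stats[name]['cir']}")
    print("SSH ACL classified by:", class_for_acl(stats, "copp-system-p-acl-ssh"))
```

On the sample only class-default drops, and the SSH ACL is still referenced by the management class, which is the question 200 situation; removing the SSH match line from the management class makes class_for_acl return None, which is the question 193 situation. Either way the next step is to look at what the dropped traffic actually is before touching the policer rate.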

201
MCQeasy

A new storage administrator is configuring LUN masking on a Cisco MDS switch. The storage array presents two LUNs to the fabric with the same LUN ID (0) but to different target ports. The administrator wants to ensure that a specific host can access both LUNs. The host is connected to a single HBA port. The host will see both target ports in the same zone. After zoning, the host discovers both target ports but only sees the first LUN. The show flogi database shows the host's pWWN with two FC IDs assigned. What is the most likely issue?

A.The zone is misconfigured
B.The host is not configured for multipathing
C.There is a LUN ID conflict
D.The target LUNs are not masked to the host's pWWN
AnswerD

The storage array likely has LUN masking that only allows the first LUN for this host.

Why this answer

The host discovers both target ports (FLOGI succeeded and the zone lets it see them) but only sees the first LUN because the array has not been configured to present both LUNs to the host's pWWN. LUN masking is array-side access control that decides which initiator WWPNs may see which LUNs; an unmasked initiator is typically shown nothing, or only a LUN 0 placeholder, which matches the symptom. The zone is correct (both target ports and the host are in it), and the LUN ID is not a conflict because the two LUNs sit behind different target ports, so each target may independently number its LUN 0.

Exam trap

Cisco often tests the distinction between zoning (fabric-level connectivity) and LUN masking (array-level access control), trapping candidates who assume zoning alone grants LUN visibility.

How to eliminate wrong answers

Option A is wrong because the zone is correctly configured: the host discovers both target ports, proving the zone includes both target ports and the host's pWWN. Option B is wrong because multipathing is a host-side driver configuration that affects path failover and load balancing, not the visibility of LUNs; the host already sees both target ports, so multipathing would not cause one LUN to be hidden. Option C is wrong because a LUN ID conflict occurs when two LUNs with the same ID are presented to the same initiator from the same target port, but here the LUNs are on different target ports, so sharing LUN ID 0 is allowed and does not cause one LUN to disappear.

202
MCQmedium

Refer to the exhibit. An administrator connects a new server to Ethernet1/1 and the port immediately goes into errdisable state. The previous device was connected to that port. What is the most likely cause?

A.The new server has a different MAC address than the sticky MAC
B.The port security violation mode is set to protect
C.The port security maximum MAC addresses is set too high
D.The port is configured as a trunk
AnswerA

Sticky MAC learned the previous server's MAC; new server's MAC is different, causing a violation and port shutdown.

Why this answer

The port immediately entering errdisable state upon connecting a new server indicates a port security violation. When port security is enabled with sticky MAC addresses, the switch dynamically learns and 'sticks' the MAC address of the first connected device to the running configuration. Connecting a device with a different MAC address triggers a security violation, and if the violation mode is 'shutdown' (the default), the port is placed into errdisable state.

This matches the scenario: the previous device's MAC was learned as sticky, and the new server's MAC differs. Confirm it with 'show port-security interface ethernet 1/1' and the errdisable reason in 'show interface ethernet 1/1'; to recover, remove or replace the stale sticky entry and bounce the port ('shutdown' then 'no shutdown'), or configure 'errdisable recovery cause psecure-violation' so the port re-enables after the recovery interval.

Exam trap

Cisco often tests the misconception that any port security violation puts the port in errdisable. Only the 'shutdown' violation mode (the default) does that; 'restrict' drops the offending frames and counts or logs the violation while the port stays up, and 'protect' drops them silently with no notification.

How to eliminate wrong answers

Option B is wrong because the 'protect' violation mode drops packets from unknown MAC addresses but does not place the port into errdisable state; it simply discards traffic while the port stays up. Option C is wrong because raising the maximum number of secure MAC addresses makes a violation less likely, not more; a violation occurs only when a new address would exceed the limit or conflicts with a sticky address, so a high maximum cannot explain an immediate errdisable. Option D is wrong because trunk mode by itself does not errdisable a port; port security rules apply regardless of the switchport mode, and nothing in the scenario suggests a trunk misconfiguration.

203
Multi-Selectmedium

Which TWO benefits does NPIV (N_Port ID Virtualization) provide in a Fibre Channel SAN? (Choose two.)

Select 2 answers
A.Enhances security by isolating traffic at the port level
B.Enables Fibre Channel connectivity for virtual machines
C.Increases throughput by aggregating bandwidth
D.Allows multiple VSANs on a single link
E.Reduces the number of physical ports needed for virtualized servers
AnswersB, E

Correct: VMs can have dedicated WWPNs.

Why this answer

Options B and E are correct. NPIV lets one physical N_Port perform multiple fabric logins, each with its own WWPN and FC ID, so a hypervisor can give each virtual machine its own WWPN (Option B) and many virtualized hosts share one physical HBA port instead of needing one port per VM (Option E). Because each VM then has a distinct WWPN, it can be zoned and LUN-masked individually, which is a practical benefit even though NPIV itself is not a security feature.

Option A is wrong because NPIV does not isolate traffic at the port level; zoning and LUN masking provide access control. Option C is wrong because the virtual ports share the physical port's bandwidth, so throughput does not increase. Option D is wrong because carrying multiple VSANs on a single link is a function of VSAN trunking (TE/TF ports), not NPIV.

204
MCQeasy

Which feature allows a Fibre Channel switch to use multiple links between two switches as a single logical link?

A.NPIV
B.NPV
C.SAN port channel
D.SPAN
E.FCIP
AnswerC

SAN port channels bundle multiple ISL links into a single logical link.

Why this answer

SAN port channel (C) is correct because it aggregates multiple physical Fibre Channel ISLs between two switches into a single logical link, providing more bandwidth, load balancing and redundancy: if a member fails, the others keep the logical link up without a fabric reconfiguration. A SAN port channel on MDS can bundle up to 16 member links; frames are distributed across the members by the VSAN's load-balancing scheme (source/destination FC ID, or source/destination FC ID plus exchange ID), which keeps frames of the same flow or exchange in order.

Exam trap

Cisco often tests the distinction between SAN port channel (link aggregation) and NPV/NPIV (virtualization features), so the trap here is confusing link aggregation with virtualization or tunneling protocols like FCIP.

How to eliminate wrong answers

Option A is wrong because NPIV (N_Port ID Virtualization) allows a single Fibre Channel N_Port to register multiple FC IDs, enabling virtualization, but it does not aggregate links. Option B is wrong because NPV (N_Port Virtualization) allows a switch to behave as a host to upstream switches, reducing domain IDs, but it does not bundle links. Option D is wrong because SPAN (Switched Port Analyzer) is a Cisco feature for mirroring traffic to a monitor port, not for link aggregation.

Option E is wrong because FCIP (Fibre Channel over IP) tunnels FC frames over IP networks for long-distance connectivity, but it does not combine multiple physical links into a single logical link between two FC switches.

205
MCQhard

Refer to the exhibit. What is the most likely cause of the NVE interface being down?

A.The VXLAN destination UDP port is incorrect.
B.The overlay VLAN is not configured.
C.The source interface is not configured.
D.The VNI list is empty.
AnswerC

The output shows 'Source Interface: not configured', which prevents NVE from coming up.

Why this answer

The NVE (Network Virtualization Edge) interface requires a source interface, normally a loopback, whose address becomes the VTEP IP for VXLAN encapsulation. If no source interface is configured under the NVE interface, the interface stays down because it has no VTEP address from which to source or terminate tunnels. This is the most common cause of a down NVE interface on NX-OS; the same symptom appears if the loopback exists but is itself down, so the loopback's state (and its reachability in the underlay) is the next thing to verify.

Exam trap

Cisco often tests the specific requirement that the NVE interface must have a source interface configured to come up, and candidates mistakenly think an empty VNI list or incorrect UDP port would cause the interface to be down, but those affect traffic forwarding, not the interface state.

How to eliminate wrong answers

Option A is wrong because the VXLAN destination UDP port (default 4789) is a static value used for encapsulation and does not affect the operational state of the NVE interface itself; an incorrect port would cause packet drops but not bring the interface down. Option B is wrong because the overlay VLAN is configured under the bridge domain or VNI mapping, not directly on the NVE interface, and its absence would prevent traffic forwarding but not cause the NVE interface to be down. Option D is wrong because an empty VNI list means no VNIs are mapped to the NVE, which would prevent VXLAN traffic but the NVE interface can still be up/up if the source interface is properly configured.

206
MCQmedium

A Cisco ACI fabric administrator wants to implement microsegmentation using Cisco Group-Based Policy (GBP) in a network that hosts virtual machines and bare-metal servers. Which component must be used to enforce microsegmentation policies for bare-metal servers?

A.Application Policy Infrastructure Controller (APIC)
B.Virtual Switch (e.g., Cisco AVS)
C.External firewall appliance
D.Leaf switch
AnswerD

Leaf switches enforce microsegmentation for bare-metal servers in their hardware policy TCAM.

Why this answer

In Cisco ACI, microsegmentation for bare-metal servers is enforced on the leaf switch. Virtual machines can additionally be classified by a virtual switch (for example Cisco AVS or a VMM-integrated distributed switch), but a bare-metal server connects directly to a leaf port with no hypervisor in the path. The leaf receives the policy from the APIC over OpFlex, classifies the endpoint into its micro-segment EPG by IP or MAC, and enforces the contracts in its policy TCAM, so no virtual switch is needed.

Exam trap

Cisco often tests the misconception that microsegmentation policies are enforced by the APIC or a virtual switch, but the trap here is that for bare-metal servers, the leaf switch is the enforcement point because there is no hypervisor to host a virtual switch.

How to eliminate wrong answers

Option A is wrong because the APIC is the centralized controller that defines and manages policies, but it does not enforce them at the data plane; enforcement occurs on the leaf switches. Option B is wrong because a virtual switch (e.g., Cisco AVS) is used for microsegmentation of virtual machines, not for bare-metal servers, which lack a hypervisor and thus cannot leverage a virtual switch. Option C is wrong because an external firewall appliance is not a native component of ACI microsegmentation; ACI uses its own policy enforcement at the leaf switch, and relying on an external firewall would introduce latency and complexity, defeating the purpose of GBP.

207
MCQhard

Refer to the exhibit. A Python script using the Cisco ACI Cobra SDK fails with 'AuthenticationError'. Which of the following is the most likely cause?

A.The APIC URL is incorrect
B.The user does not have API access
C.The username or password is incorrect
D.The script is missing required imports
AnswerC

AuthenticationError directly indicates failed login due to credentials.

Why this answer

The Cobra SDK logs in with `cobra.mit.session.LoginSession(url, user, password)` followed by `cobra.mit.access.MoDirectory(session).login()`, which POSTs the credentials to the APIC's '/api/aaaLogin.json' endpoint. A wrong username or password makes the APIC answer HTTP 401 with an `error` record (text such as 'User credential is incorrect'), and the SDK surfaces that as the login failure the question calls 'AuthenticationError'. It is raised only at the login step, whether the account is local or authenticated through an AAA server, and a user that logs in successfully never hits it.

Exam trap

Cisco often tests the distinction between authentication failures (wrong credentials) and authorization failures (no API access), so candidates mistakenly choose 'user does not have API access' when the error message clearly points to the login phase.

How to eliminate wrong answers

Option A is wrong because an incorrect APIC URL would typically result in a connection timeout or HTTP 404 error, not an 'AuthenticationError' — the SDK would fail to reach the APIC before authentication is attempted. Option B is wrong because if the user lacks API access, the APIC would still authenticate the user (returning a token) but then deny subsequent API operations with a 403 Forbidden error; the 'AuthenticationError' occurs at login, not during API calls. Option D is wrong because missing imports would cause a Python ImportError or NameError at script startup, not an 'AuthenticationError' at runtime — the SDK would not even execute the login call.
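The login exchange behind that exception, as an added example (editor's code, not the Cobra SDK's own): the body the SDK posts, and a classifier that sorts the APIC's reply into the three cases the options confuse. The reply bodies are constructed to match the APIC's JSON shape; the token value and the error texts are illustrative.

```python
import json

APIC_LOGIN_PATH = "/api/aaaLogin.json"


def build_login_payload(username, password):
    """Body that the Cobra SDK's LoginSession POSTs to /api/aaaLogin.json."""
    return {"aaaUser": {"attributes": {"name": username, "pwd": password}}}


def classify_login_response(status, raw_json):
    """Sort an APIC login reply into: ok / authentication / authorization / unexpected.

    401 with an 'error' record   -> credentials rejected (the SDK's login error)
    403                           -> authenticated, but not permitted, or an expired token
    200 with an 'aaaLogin' record -> success; the token is what later calls carry as APIC-cookie
    """
    doc = json.loads(raw_json)
    records = doc.get("imdata", [])
    first = records[0] if records else {}

    if status == 200 and "aaaLogin" in first:
        attrs = first["aaaLogin"]["attributes"]
        return "ok", {"token": attrs["token"],
                      "refresh_seconds": int(attrs.get("refreshTimeoutSeconds", "0"))}

    text = first.get("error", {}).get("attributes", {}).get("text", "")
    if status == 401:
        return "authentication", text
    if status == 403:
        return "authorization", text
    return "unexpected", f"HTTP {status}: {text}"


# Constructed replies shaped like the APIC's; token and texts are illustrative.
LOGIN_OK = json.dumps({"totalCount": "1", "imdata": [{"aaaLogin": {"attributes": {
    "token": "tok-constructed-0001",
    "refreshTimeoutSeconds": "600",
    "userName": "automation"}}}]})
LOGIN_BAD_PASSWORD = json.dumps({"totalCount": "1", "imdata": [{"error": {"attributes": {
    "code": "401",
    "text": "User credential is incorrect - FAILED local authentication"}}}]})
NO_PERMISSION = json.dumps({"totalCount": "1", "imdata": [{"error": {"attributes": {
    "code": "403",
    "text": "Token was invalid (Error: Token timeout)"}}}]})
```

A 401 at login is the credential case; a 403 arrives only after a token exists, so a script that caches a cookie past `refreshTimeoutSeconds` fails at its next query with a 403, not with the login exception. Never log the payload from `build_login_payload` as-is, since it carries the clear-text password.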

208
MCQmedium

A Python script using the pyATS framework to parse 'show interface' output on a Nexus 9000 switch fails with a parsing error, even though the CLI command runs successfully. What is the most likely missing component?

A.The script does not include the correct authentication method.
B.The Genie parser for the specific NX-OS version is not installed or imported.
C.The script uses the wrong device type (e.g., iosxe instead of nxos).
D.The switch is not configured with NETCONF.
AnswerB

pyATS hands CLI output to a Genie parser; if no matching parser is installed and importable, parsing fails even though the command ran.

Why this answer

pyATS relies on Genie parsers (the genie.libs.parser package) to turn raw CLI text into structured data. A parser is selected by the device's OS (nxos, iosxe, and so on) and, where outputs differ, by platform, and the installed parser release has to understand the output format of the NX-OS version in use. If the package is not installed or imported, or the parser for that OS and version is missing, `device.parse('show interface')` fails even though `device.execute('show interface')` returns the text without error. That is why a successful CLI command says nothing about whether parsing will succeed.

Exam trap

Cisco often tests the distinction between command execution success and parsing success, trapping candidates who assume a working CLI command guarantees pyATS/Genie parsing will work without the correct version-specific parser installed.

How to eliminate wrong answers

Option A is wrong because authentication methods (e.g., SSH credentials, API tokens) are used for device connection, not for parsing CLI output; a parsing error occurs after successful connection and command execution. Option C is wrong because using the wrong device type (e.g., iosxe instead of nxos) would cause a different error—either a connection failure or a mismatch in command syntax—not a parsing error on a command that runs successfully. Option D is wrong because NETCONF is not required for pyATS/Genie parsing; pyATS can parse CLI output over SSH or Telnet without any NETCONF configuration.

209
MCQeasy

A network engineer wants to automate the deployment of VLANs across 50 Nexus switches in a data center. Which approach provides the most consistent and repeatable results with minimal manual effort?

A.Python script using netmiko
B.Manual CLI on each switch
C.Bash script with SSH
D.Ansible playbook with nxos_vlan module
AnswerD

Declarative and idempotent, ensures consistent configuration.

Why this answer

Ansible with the Nexus VLAN module (historically `nxos_vlan`, today `cisco.nxos.nxos_vlans` in the cisco.nxos collection) is the correct choice because the playbook declares the desired VLAN state and the module makes only the changes needed to reach it, so rerunning it is safe and every switch converges on the same configuration. Ansible handles inventory, SSH or NX-API connectivity, parallel execution across the 50 switches, and changed/unchanged reporting natively, which removes the custom scripting where human error creeps in.

Exam trap

Cisco often tests the distinction between ad-hoc scripting (like netmiko or Bash) and declarative automation tools (like Ansible) that provide idempotency and state management, leading candidates to choose a technically functional but less robust scripting approach.

How to eliminate wrong answers

Option A is wrong because a Python script using netmiko, while programmatic, requires custom error handling, idempotency logic, and manual loop management for 50 switches, making it less consistent and more effort than Ansible's built-in modules. Option B is wrong because manual CLI on each switch is error-prone, time-consuming, and does not scale to 50 switches, offering no repeatability or automation. Option C is wrong because a Bash script with SSH relies on fragile expect-like constructs or raw SSH commands, lacks idempotency, and requires extensive custom logic to handle device differences and failures, leading to inconsistent results.

210
MCQmedium

Refer to the exhibit. A UCS administrator applies a service profile with this boot policy to a blade. The blade boots from the SAN LUN successfully. However, after a reboot due to a firmware update, the blade boots from the local disk instead of the SAN. What is the most likely reason?

A.The WWPN of the SAN target is incorrect.
B.The SAN target LUN ID changed after the firmware update.
C.The boot order has local disk before the SAN target.
D.The local disk was not present at initial association.
AnswerC

Exhibit shows local-disk listed first.

Why this answer

The most likely reason is that the boot policy lists the local disk before the SAN target. The boot order is evaluated top-down at every boot, and the first device that has something bootable wins. The initial boot reached the SAN LUN because the local disk had nothing bootable (or was not present) when the service profile was associated; after the firmware-update reboot the local disk is present and bootable, so it is tried first and takes precedence over the SAN LUN.

Exam trap

The trap here is that candidates often assume a firmware update changes SAN parameters (like WWPN or LUN ID), but Cisco tests the concept that the boot order policy itself, not the SAN configuration, determines which device boots first when multiple bootable devices are present.

How to eliminate wrong answers

Option A is wrong because an incorrect WWPN of the SAN target would prevent any successful boot from the SAN LUN, not just after a reboot. Option B is wrong because a change in the SAN target LUN ID after a firmware update is unlikely and would cause a persistent boot failure, not a switch to local disk. Option D is wrong because the local disk not being present at initial association explains why the SAN boot worked initially, but it does not explain why the boot order policy itself would change; the boot order is static unless modified.

211
Multi-Selectmedium

Which TWO statements about Fibre Channel zoning are correct? (Choose two.)

Select 2 answers
A.Zoning can be used to prevent unauthorized access to storage targets.
B.Zoning is required to increase the distance between a host and storage.
C.Zoning can only be applied within a single VSAN.
D.Zoning is used to load balance traffic across multiple paths.
E.Hard zoning uses ACLs to enforce membership at the frame level.
AnswersA, E

Zoning restricts communication between specific ports.

Why this answer

Zoning is an access-control mechanism: within a VSAN, the active zone set defines which initiators may communicate with which targets.

Option A is correct because an initiator that is not zoned with a target cannot discover or reach it, which is how unauthorized access to storage is prevented. Option E is correct because hard zoning programs the active zone set as access-control entries in the switch ASIC and drops any frame exchanged between members of different zones, so it holds even if an initiator skips the name server and addresses a target directly. Option B is wrong because distance is a matter of optics and buffer-to-buffer credits, not zoning. Option C is wrong because, although a zone set is configured per VSAN, Inter-VSAN Routing (IVR) lets zoned devices communicate across VSANs. Option D is wrong because load balancing across paths is done by host multipathing software and by port channels in the fabric, not by zoning.

212
MCQmedium

In a centralized anycast gateway VXLAN EVPN design, which is a requirement?

A.Each VTEP has a unique anycast IP address.
B.All VTEPs share a common anycast IP address for the default gateway.
C.The anycast gateway is configured on the spine switches.
D.The route reflector is an external BGP speaker.
AnswerB

This shared gateway IP and MAC on every leaf is the design Cisco documents as the distributed anycast gateway.

Why this answer

In this design every VTEP (leaf) is configured with the same default-gateway IP address on the SVI and the same gateway MAC (`fabric forwarding anycast-gateway-mac` globally, `fabric forwarding mode anycast-gateway` on the SVI), so a host always finds its first-hop router on the directly attached leaf and routing happens at the ingress VTEP, with no separate gateway device. A note on terminology: Cisco's documentation calls this the distributed anycast gateway, and reserves 'centralized gateway' for the opposite design in which one pair of border or services leafs routes for a VNI; the question uses 'centralized anycast gateway' for the shared-IP design, and option B is the one that describes it. The gateway IP/MAC is advertised in EVPN Type-2 routes alongside the host routes.

Exam trap

Cisco often tests the misconception that the anycast gateway is configured on spine switches or that each VTEP uses a unique anycast IP, when in fact the shared anycast IP/MAC on leaf VTEPs is the defining requirement.

How to eliminate wrong answers

Option A is wrong because each VTEP does not have a unique anycast IP address; instead, all VTEPs share the same anycast IP and MAC for the default gateway. Option C is wrong because the anycast gateway is configured on the leaf switches (VTEPs), not on the spine switches, which act as route reflectors or underlay forwarders. Option D is wrong because the route reflector can be an internal BGP speaker (e.g., a spine switch) and does not have to be an external BGP speaker; in fact, iBGP is commonly used within the fabric.

213
MCQhard

Refer to the exhibit. An automation script queries the Cisco Nexus 9000 using the NX-API JSON format and receives the above output. The script is designed to validate that interface Eth1/1 is in access mode with VLAN 100. However, the script reports a failure. What is the most likely reason?

A.The script uses strict type checking, and the values are returned as strings instead of integers.
B.The JSON output is malformed and cannot be parsed.
C.The interface is administratively down.
D.The JSON output is missing the 'switchportMode' field.
AnswerA

JSON returns numbers as strings in this context; a type mismatch causes failure.

Why this answer

For its `json` output type, NX-API returns many numeric fields as JSON strings, VLAN IDs included. A script that compares the returned `'100'` with the integer `100` fails (strict `===` in JavaScript, or `==` in Python, which never treats a `str` and an `int` as equal), even though the interface really is in access mode on VLAN 100. Convert the field to an integer, or compare against the string, before validating; this is a common pitfall when parsing NX-API responses without explicit type conversion.

Exam trap

Cisco often tests the nuance that NX-API returns all values as strings, tricking candidates who assume numeric fields are returned as integers and overlook the need for type conversion in validation logic.

How to eliminate wrong answers

Option B is wrong because the JSON output shown is well-formed (valid key-value pairs, proper brackets), so parsing would succeed. Option C is wrong because the output includes 'adminState: up', indicating the interface is administratively up, not down. Option D is wrong because the output clearly contains the 'switchportMode' field with value 'access', so the field is not missing.
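The failing comparison and its fix, as an added example (editor's code, not the script from the exhibit). The reply is constructed in the NX-API `ins_api` envelope with the field names the question mentions (`switchportMode`, `adminState`); `accessVlan` is an assumed name for the VLAN field, and the string value is what the question says NX-API returned.

```python
import json

# Constructed reply modelled on the exhibit's NX-API JSON output; field names
# switchportMode and adminState come from the question, accessVlan is assumed.
NXAPI_REPLY = json.dumps({"ins_api": {"type": "cli_show", "version": "1.0", "sid": "eoc",
    "outputs": {"output": {"input": "show interface Eth1/1 switchport",
                           "msg": "Success", "code": "200",
                           "body": {"interface": "Ethernet1/1",
                                    "adminState": "up",
                                    "switchportMode": "access",
                                    "accessVlan": "100"}}}}})


def extract_body(raw):
    """Unwrap the ins_api envelope; refuse to validate if the CLI call itself failed."""
    output = json.loads(raw)["ins_api"]["outputs"]["output"]
    if str(output.get("code")) != "200":
        raise RuntimeError(f"NX-API returned {output.get('code')}: {output.get('msg')}")
    return output["body"]


def naive_check(body, want_vlan=100):
    """The failing script: '100' == 100 is False in Python, so this never passes."""
    return body["switchportMode"] == "access" and body["accessVlan"] == want_vlan


def to_int(value):
    """Normalise an NX-API numeric field that may arrive as str or int."""
    if isinstance(value, bool):
        raise TypeError("boolean is not a VLAN ID")
    if isinstance(value, int):
        return value
    if isinstance(value, str) and value.strip().isdigit():
        return int(value.strip())
    raise ValueError(f"not a numeric field: {value!r}")


def robust_check(body, want_vlan=100):
    """Validate admin state, mode and VLAN after explicit type conversion."""
    if body.get("adminState") != "up" or body.get("switchportMode") != "access":
        return False
    vlan = to_int(body["accessVlan"])
    if not 1 <= vlan <= 4094:
        raise ValueError(f"VLAN {vlan} outside 1-4094")
    return vlan == want_vlan
```

`to_int` rejects booleans and non-numeric strings on purpose: a validation script that silently coerces `"none"` or `True` to a number would report success on a misconfigured port, which is worse than the false failure the question describes.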

214
MCQmedium

An engineer is troubleshooting high CPU utilization on a Nexus 7700 switch. The output of 'show process cpu' shows high usage from the 'netstack' process. Which action should the engineer take to identify the cause?

A.Enable 'feature netstack' to get more details.
B.Reboot the switch to clear the process.
C.Check for broadcast storms using 'show interface'.
D.Use 'show system internal netstack stats'.
AnswerD

This command shows internal netstack counters and helps isolate the issue.

Why this answer

The 'netstack' process handles network stack operations, including packet processing and forwarding. The 'show system internal netstack stats' command provides detailed internal statistics about the netstack process, such as packet drops, buffer usage, and error counters, which help pinpoint the root cause of high CPU utilization.

Exam trap

Cisco often tests the distinction between generic interface troubleshooting and process-specific internal diagnostics, leading candidates to choose a broad command like 'show interface' instead of the targeted internal command for the identified process.

How to eliminate wrong answers

Option A is wrong because 'feature netstack' is not a valid command; netstack is an internal process, not a feature that can be enabled. Option B is wrong because rebooting the switch is a disruptive, temporary fix that does not identify the underlying cause and may mask the issue. Option C is wrong because, while broadcast storms can cause high CPU, the question specifically identifies the 'netstack' process, and 'show interface' does not provide netstack-specific statistics; the correct diagnostic command targets the process directly.

215
MCQhard

A data center engineer is designing a UCS Manager solution that requires VLAN segmentation across multiple fabric interconnects. The network team requires that each VLAN is assigned a unique native VLAN ID per fabric. Which pool configuration supports this requirement?

A.Use derived VLAN pools based on chassis location
B.Create separate VLAN pools for each fabric with non-overlapping ranges
C.Create a single VLAN pool that includes all required VLANs
D.Configure VLANs directly in the service profile using inline pools
AnswerB

Separate pools enable unique native VLAN IDs per fabric

Why this answer

Option B is correct because UCS Manager allows separate VLAN pools to be assigned per fabric interconnect, enabling unique native VLAN IDs per fabric. By creating non-overlapping VLAN pools for each fabric, the engineer ensures that each fabric has its own native VLAN ID without conflict, meeting the requirement for VLAN segmentation across multiple fabric interconnects.

Exam trap

Cisco often tests the misconception that a single VLAN pool can be used for both fabrics, but the requirement for unique native VLAN IDs per fabric demands separate pools with non-overlapping ranges to avoid conflict.

How to eliminate wrong answers

Option A is wrong because derived VLAN pools based on chassis location do not provide per-fabric native VLAN differentiation; they are used for chassis-specific VLAN assignment, not for separating VLANs across fabrics. Option C is wrong because a single VLAN pool that includes all required VLANs would assign the same native VLAN ID to both fabrics, violating the requirement for unique native VLAN IDs per fabric. Option D is wrong because configuring VLANs directly in the service profile using inline pools does not allow per-fabric native VLAN assignment; inline pools are used for individual service profiles and cannot enforce separate native VLAN IDs across fabrics.

216
MCQmedium

An administrator is troubleshooting a performance issue in an FC SAN. The initiator and target are in the same VSAN. The link is 16 Gbps but throughput is only 4 Gbps. The engineer checks the BB_Credit utilization and sees a high count of BB_Credit zero. What is the most likely cause?

A.Congestion on the target port
B.High link error rates
C.Incorrect zoning configuration
D.Buffer-to-buffer credit exhaustion
AnswerD

BB_Credit zero means the port has run out of credits, causing pauses and low throughput.

Why this answer

A BB_Credit-zero count that keeps rising means the transmitting port repeatedly has no buffer-to-buffer credits left and must stop sending until the far end returns R_RDY, so the link idles for part of every round trip and delivers far less than its line rate. Typical causes are a long-distance link with too few credits allocated for its round-trip time, or a slow-drain device that returns credits slowly. Link errors would show up as CRC or invalid-word counters, congestion at the target would be visible on the target port rather than on this one, and zoning permits or denies a path but does not throttle it.
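Why a 16 Gbps link can deliver only a few Gbps when credits run short, as a worked model added here (editor's code, not from the question bank). The constants are the usual rules of thumb: 5 µs/km one-way fibre delay, a 2148-byte maximum frame, and nominal FC data rates in MB/s; encoding and inter-frame overheads are ignored, so treat the results as estimates.

```python
import math

# Nominal FC payload data rates in MB/s (1 MB/s is 1 byte per microsecond).
FC_DATA_RATE_MB_S = {1: 100, 2: 200, 4: 400, 8: 800, 16: 1600, 32: 3200}
FRAME_BYTES = 2148            # largest FC frame: 2112 B payload plus header, CRC, SOF/EOF
FIBER_DELAY_US_PER_KM = 5.0   # one-way propagation delay in single-mode fibre (rule of thumb)


def frame_time_us(speed_g, frame_bytes=FRAME_BYTES):
    """Time to serialise one frame onto the link, in microseconds."""
    return frame_bytes / FC_DATA_RATE_MB_S[speed_g]


def round_trip_us(distance_km):
    """Time from sending a frame until the R_RDY for it can be back at the sender."""
    return 2 * distance_km * FIBER_DELAY_US_PER_KM


def credits_required(speed_g, distance_km, frame_bytes=FRAME_BYTES):
    """Credits needed to keep the link busy for one full round trip (no safety margin)."""
    return max(1, math.ceil(round_trip_us(distance_km) / frame_time_us(speed_g, frame_bytes)))


def max_throughput_mb_s(speed_g, distance_km, credits, frame_bytes=FRAME_BYTES):
    """Throughput ceiling when the sender may have at most `credits` frames outstanding."""
    ft = frame_time_us(speed_g, frame_bytes)
    window_rate = credits * frame_bytes / (round_trip_us(distance_km) + ft)
    return min(FC_DATA_RATE_MB_S[speed_g], window_rate)


def diagnose(speed_g, distance_km, credits):
    """Summarise whether the credit pool alone explains a throughput shortfall."""
    need = credits_required(speed_g, distance_km)
    ceiling = max_throughput_mb_s(speed_g, distance_km, credits)
    return {"credits_needed": need,
            "credits_granted": credits,
            "ceiling_gbit_s": round(ceiling * 8 / 1000, 2),
            "credit_bound": credits < need}
```

With 16 credits on a 10 km 16 Gbps link the model gives a ceiling near 2.7 Gbit/s against roughly 75 credits needed, the kind of gap the question describes; the same 16 credits on a local link give line rate, which is why a high BB_Credit-zero count points at distance or a slow-drain neighbour rather than at the link speed. On MDS, `show interface fcX/Y` and `show interface fcX/Y bbcredit` give the granted credit counts the model needs.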

217
MCQmedium

Refer to the exhibit. A UCS administrator has configured vNIC templates as shown. Both Fabric Interconnects have identical uplink configurations. The vNIC templates have 'Failover: Enabled'. However, when Fabric Interconnect A fails, servers using vNIC-A do not fail over to Fabric Interconnect B. What is the most likely cause?

A.A pin group is configured that forces traffic to Fabric Interconnect A.
B.The native VLAN (10) is not allowed on Fabric Interconnect B's trunk.
C.The uplink interfaces are configured with 'spanning-tree port type edge trunk', which blocks failover traffic.
D.The server's service profile does not include a secondary vNIC for Fabric B.
AnswerD

Failover requires a secondary vNIC on the other fabric in the same service profile.

Why this answer

Option D is correct because the server's service profile must include both a primary vNIC (for Fabric Interconnect A) and a secondary vNIC (for Fabric Interconnect B) to enable failover. The 'Failover: Enabled' setting on the vNIC template only allows the vNIC to use the other fabric's uplink if a secondary vNIC is explicitly defined in the service profile; without it, the vNIC is pinned to its original fabric and cannot fail over.

Exam trap

Cisco often tests the misconception that enabling 'Failover' on a vNIC template alone is sufficient for failover, when in reality a secondary vNIC must be explicitly added to the service profile to provide the alternate fabric path.

How to eliminate wrong answers

Option A is wrong because a pin group that forces traffic to Fabric Interconnect A would prevent failover, but the question states that vNIC templates have 'Failover: Enabled', and a pin group would override that setting only if explicitly configured; the scenario does not mention any pin group, so this is an unlikely cause. Option B is wrong because the native VLAN (10) not being allowed on Fabric Interconnect B's trunk would cause connectivity issues for VLAN 10 traffic, but it would not prevent the vNIC from failing over to Fabric B's uplinks; failover is a fabric-level path selection, not a VLAN-specific behavior. Option C is wrong because 'spanning-tree port type edge trunk' (PortFast trunk) does not block failover traffic; it enables faster convergence by skipping STP on the uplink ports, and failover traffic is not blocked by this configuration.

218
MCQmedium

A data center uses a Cisco MDS 9710 director with multiple line cards. The storage network includes several host servers connected to the director via 16 Gbps FC connections. Recently, the engineering team deployed a new storage array that supports 32 Gbps FC. To take advantage of the higher speed, they upgraded the host HBAs to 32 Gbps. However, after the upgrade, some hosts are experiencing intermittent connection drops. The team notices that when a host disconnects, it takes approximately 30 seconds to reconnect. The link lights on the host and switch ports are green. The switch logs show 'VSAN 100: Port fc1/1 is down (link failure)' messages. No other errors are reported. The MDS line cards support 32 Gbps, and the ports are configured with the 'speed 32000' command. What is the most likely cause of the intermittent drops?

A.Insufficient buffer credits on the host ports
B.Incompatible SFP+ modules
C.Inconsistent zoning configuration
D.Mismatched port speed configuration between host and switch
AnswerD

A mismatch (e.g., host at 16 Gbps, switch at 32 Gbps) can cause intermittent link drops.

Why this answer

The most likely cause is a speed mismatch between the host HBA and the switch port. Although the switch port is set to 32 Gbps, the HBA might be set to auto-negotiate or default to 16 Gbps, causing instability. The 30-second reconnect time is typical of speed negotiation failures.

Incompatible SFPs would cause persistent link failure, buffer credits cause throughput drops but not disconnects, and zoning would block connectivity.

219
MCQmedium

An engineer is troubleshooting a SAN performance issue. The show interface counters command shows high output discard counts on a particular Fibre Channel interface. What is the most likely cause?

A.High CRC errors on the link.
B.Insufficient buffer credits on the transmitting port.
C.Insufficient bandwidth due to latency.
D.Mismatched zone configurations.
AnswerB

Output discards happen when the port runs out of buffer credits.

Why this answer

Output discards on an FC interface typically mean the port ran out of buffer credits toward its neighbour and had to drop frames it could not transmit in time. Option A is wrong because CRC errors are counted separately as input errors, not output discards. Option C is wrong because latency on its own does not cause discards; it matters only insofar as it consumes credits. Option D is wrong because a zoning mismatch prevents devices from logging in or seeing each other and does not discard frames on an otherwise working path.

220
MCQeasy

A company is deploying a new storage array with dual controllers. Each controller has two 16 Gbps Fibre Channel ports. The engineer wants to connect each controller to two separate MDS switches for redundancy. What is the recommended port type configuration on the MDS switches for the storage-facing ports?

A.F port
B.Configure the port as auto to allow negotiation
C.NP port
D.E port
AnswerA

F ports connect N ports of end devices.

Why this answer

Storage array ports are N_Ports (targets), so the switch ports facing them should be configured as F ports (fabric ports). Option A is correct. Option B (auto) will usually negotiate to F, but explicitly setting the mode prevents an unexpected E or NP negotiation on an edge port and is the recommended practice. Option C (NP port) is what a switch in NPV mode uses toward its core switch, not a storage-facing port. Option D (E port) is for inter-switch links.

221
MCQhard

A data center engineer is designing a storage network for a virtualized environment with 100 hosts and 50 storage arrays. Each host requires 4 Gbps of bandwidth to storage, and each storage array provides 8 Gbps. All devices use 16 Gbps FC links. What is the minimum number of 16 Gbps FC links required to support the total bandwidth demand without oversubscription?

A.50
B.200
C.100
D.25
AnswerD

25 links provide 400 Gbps of bandwidth (16 Gbps each) to meet total demand.

Why this answer

The total bandwidth demand from hosts is 100 hosts × 4 Gbps = 400 Gbps. Each storage array provides 8 Gbps, so total storage bandwidth is 50 arrays × 8 Gbps = 400 Gbps. Since all links are 16 Gbps FC, the minimum number of links required to carry 400 Gbps without oversubscription is 400 / 16 = 25 links.

This assumes full-duplex links and no oversubscription in the fabric.

Exam trap

Cisco often tests the concept of aggregate bandwidth versus per-device bandwidth, leading candidates to incorrectly multiply host count by link speed or storage array count by link speed instead of summing the total bandwidth demand and dividing by link speed.

How to eliminate wrong answers

Option A (50) is wrong because it incorrectly assumes each storage array needs a dedicated 16 Gbps link, ignoring that the total bandwidth demand is 400 Gbps and 50 links would provide 800 Gbps, which is overkill and not minimal. Option B (200) is wrong because it mistakenly multiplies the number of hosts (100) by the per-host bandwidth (4 Gbps) and then divides by 8 Gbps (storage array bandwidth) or confuses link count with host count, leading to a gross overestimate. Option C (100) is wrong because it assumes each host requires a dedicated 16 Gbps link, ignoring that the aggregate demand is 400 Gbps and 100 links would provide 1600 Gbps, far exceeding the need.

222
Multi-Selectmedium

Which TWO statements about Cisco NX-API are correct? (Choose two.)

Select 2 answers
A.NX-API uses SSH for transport.
B.NX-API only supports GET requests.
C.NX-API uses HTTP/HTTPS as the transport protocol.
D.NX-API is only available on Nexus 3000 series switches.
E.NX-API can output data in XML and JSON formats.
AnswersC, E

NX-API is a RESTful API over HTTP/HTTPS.

Why this answer

Cisco NX-API is a programmatic interface that uses HTTP/HTTPS as the transport protocol, allowing RESTful API calls to configure and monitor Nexus switches. It supports both XML and JSON output formats, enabling flexible data parsing in automation scripts. This makes options C and E correct.

Exam trap

Cisco often tests the misconception that NX-API uses SSH (like NETCONF) or is limited to one hardware family, when in fact it uses HTTP/HTTPS and is available across Nexus platforms. It is disabled by default and enabled with `feature nxapi`; since it carries credentials as HTTP basic auth or a session cookie, HTTPS is the only transport that should be exposed on a management network.
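The request envelope, the HTTPS check, and a parser that accepts both output formats, as an added example (editor's code, not Cisco's). The two replies are constructed for the same command so the parser's results can be compared; the hostname is made up, and the block builds and parses messages without sending anything.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

NXAPI_TYPES = ("cli_show", "cli_show_ascii", "cli_conf", "bash")


def build_request(commands, output_format="json", cmd_type="cli_show"):
    """NX-API 'ins_api' request envelope; several commands are joined with ' ;'."""
    if output_format not in ("json", "xml"):
        raise ValueError("NX-API output_format must be 'json' or 'xml'")
    if cmd_type not in NXAPI_TYPES:
        raise ValueError(f"unknown NX-API type {cmd_type!r}")
    return {"ins_api": {"version": "1.0", "type": cmd_type, "chunk": "0", "sid": "1",
                        "input": " ;".join(commands), "output_format": output_format}}


def check_url(url, allow_plaintext=False):
    """NX-API authenticates with HTTP basic auth or a session cookie: insist on https."""
    parts = urlparse(url)
    if parts.scheme != "https" and not allow_plaintext:
        raise ValueError(f"refusing to send credentials over {parts.scheme!r}; use https://")
    if parts.path != "/ins":
        raise ValueError("NX-API listens at /ins")
    return url


def parse_response(raw, output_format):
    """Normalise a JSON or XML NX-API reply to a list of {input, code, msg, body}."""
    if output_format == "json":
        outputs = json.loads(raw)["ins_api"]["outputs"]["output"]
        outputs = outputs if isinstance(outputs, list) else [outputs]   # list when >1 command
        return [{"input": o.get("input"), "code": str(o.get("code")),
                 "msg": o.get("msg"), "body": o.get("body", {})} for o in outputs]
    root = ET.fromstring(raw)
    if root.tag != "ins_api":
        raise ValueError("not an NX-API XML reply")
    result = []
    for o in root.findall("./outputs/output"):
        body_el = o.find("body")
        body = {} if body_el is None else {c.tag: (c.text or "").strip() for c in body_el}
        result.append({"input": o.findtext("input"), "code": o.findtext("code"),
                       "msg": o.findtext("msg"), "body": body})
    return result


# Constructed replies in both formats for the same command; the hostname is made up.
JSON_REPLY = json.dumps({"ins_api": {"type": "cli_show", "version": "1.0", "sid": "eoc",
    "outputs": {"output": {"input": "show hostname", "msg": "Success", "code": "200",
                           "body": {"hostname": "leaf-101"}}}}})
XML_REPLY = ("<?xml version=\"1.0\"?><ins_api><type>cli_show</type><version>1.0</version>"
             "<sid>eoc</sid><outputs><output><body><hostname>leaf-101</hostname></body>"
             "<input>show hostname</input><msg>Success</msg><code>200</code></output>"
             "</outputs></ins_api>")
```

To send for real, POST the dict from `build_request` to the URL that `check_url` accepted with basic auth and a CA bundle for `verify`; the XML parser here flattens one level of `<body>`, which is enough for simple show commands, while table-style output would need the nested `TABLE_*`/`ROW_*` elements walked recursively.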

223
Multi-Selecthard

Which THREE of the following are best practices for Fibre Channel zoning on Cisco MDS switches?

Select 3 answers
A.Make zones as specific as possible, avoiding device inclusion across multiple zones unnecessarily
B.Use WWPN-based zoning instead of port-based zoning
C.Always activate the zone set using the 'zone activate' command in configuration mode
D.Use hard zoning (access control list enforcement)
E.Use soft zoning with name server response filtering
AnswersA, B, C

Specific zones reduce complexity and security risks.

Why this answer

Zoning best practices on MDS: keep zones small and specific (ideally one initiator and one target) so that a change affects as few devices as possible; zone by pWWN rather than by switch port, because a pWWN follows the device when it is re-cabled, whereas a port-based zone admits whatever gets plugged into that port; and remember that editing a zone set changes nothing until it is activated (the MDS command is `zoneset activate name <name> vsan <id>`), so an unactivated change is a classic cause of 'the zone is there but the host still cannot see the LUN'. That makes options A, B and C the answers.

Option D is not selected because hard zoning is the default, always-on enforcement on MDS, not a practice the administrator chooses. Option E is wrong because soft zoning (name server filtering alone) can be bypassed by an initiator that already knows a target's address.
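The difference between soft and hard zoning from questions 211 and 223, and the best-practice checks from 223, as one added example (editor's code, not Cisco's). The zone set, pWWNs and port member are constructed; the model treats the MDS default-zone policy as deny, which is the default.

```python
import re
from dataclasses import dataclass

PWWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")

# Constructed pWWNs for two hosts and two array ports; not real devices.
HOST1 = "20:00:00:25:b5:00:00:01"
HOST2 = "20:00:00:25:b5:00:00:02"
ARRAY_A = "50:06:01:60:3e:a0:00:01"
ARRAY_B = "50:06:01:60:3e:a0:00:02"
INITIATORS = {HOST1, HOST2}


@dataclass
class ZoneSet:
    name: str
    vsan: int
    zones: dict            # zone name -> set of members (pWWN strings or "fcX/Y" ports)
    active: bool = False   # True only after 'zoneset activate name <name> vsan <id>'


def zones_sharing(zs, member):
    return {name for name, members in zs.zones.items() if member in members}


def soft_zoning_view(zs, requester):
    """Soft zoning: the name server answers only with members that share a zone
    with the requester. It hides targets but does not stop frames sent to them."""
    if not zs.active:
        return set()
    visible = set()
    for name in zones_sharing(zs, requester):
        visible |= zs.zones[name]
    visible.discard(requester)
    return visible


def hard_zoning_permit(zs, src, dst):
    """Hard zoning: every frame is matched against ACLs derived from the active
    zone set. With the default-zone policy of deny, an inactive set or an unzoned
    pair gets nothing through, even if src learned dst's pWWN out of band."""
    if not zs.active:
        return False
    return bool(zones_sharing(zs, src) & zones_sharing(zs, dst))


def lint_zoneset(zs, initiators):
    """Best-practice checks: activated set, single-initiator zones, pWWN members."""
    findings = []
    if not zs.active:
        findings.append(f"zoneset {zs.name} is not active; run "
                        f"'zoneset activate name {zs.name} vsan {zs.vsan}'")
    for name, members in zs.zones.items():
        if len(members & initiators) > 1:
            findings.append(f"zone {name}: {len(members & initiators)} initiators; "
                            "use single-initiator zones")
        for m in sorted(members):
            if not PWWN_RE.match(m):
                findings.append(f"zone {name}: member {m} is port-based; prefer pWWN")
    return findings


# Production zone set: one initiator and one target per zone, plus one sloppy port member.
PROD = ZoneSet("zs_prod", 100, {
    "z_host1_arrayA": {HOST1, ARRAY_A},
    "z_host2_arrayB": {HOST2, ARRAY_B, "fc1/5"},
}, active=True)
```

`soft_zoning_view(PROD, HOST2)` hides ARRAY_A from HOST2, but only `hard_zoning_permit(PROD, HOST2, ARRAY_A)` actually refuses the frame, which is the property option E in question 211 is asking about; a zone set that has been edited but not activated permits nothing at all, which is why question 223 counts activation among the practices.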

224
MCQmedium

A data center administrator is troubleshooting slow storage performance on a UCS B-Series blade server. The server is connected to a Cisco UCS 6300 Series Fabric Interconnect and uses local SAS drives. The administrator checks the UCS Manager and sees that the storage adapter has a driver version that is not recommended. What is the most likely impact of using a non-recommended driver version?

A.Degraded storage performance or instability
B.Loss of redundancy on the fabric interconnect
C.Inability to boot the server
D.Increased security vulnerabilities
AnswerA

Non-recommended drivers are not validated and can cause performance issues or system instability.

Why this answer

Using a non-recommended driver version for the storage adapter in a UCS B-Series blade server can lead to degraded storage performance or system instability. Cisco validates specific driver versions against the server firmware bundle and the UCS 6300 Series Fabric Interconnect; deviations may cause suboptimal I/O handling, increased latency, or unexpected errors. This is a common issue in compute environments where driver/firmware mismatches affect storage throughput.

Exam trap

Cisco often tests the distinction between a 'non-recommended' driver (which causes performance or stability issues) versus a 'non-supported' driver (which could cause boot failure or complete non-functionality), tempting candidates to overestimate the impact.

How to eliminate wrong answers

Option B is wrong because loss of redundancy on the fabric interconnect is typically caused by misconfigured port channels, link failures, or fabric-level issues, not by a storage adapter driver version. Option C is wrong because while a severely incompatible driver could prevent boot, the question specifies a 'non-recommended' driver, which usually causes performance issues rather than complete boot failure; UCS servers can still boot with non-optimal drivers. Option D is wrong because 'non-recommended' is a compatibility-matrix finding, not a vulnerability finding: its direct consequence is unvalidated I/O behaviour. Driver updates do sometimes carry security fixes, so the version should still be brought back to the recommended one, but the question asks for the most likely impact.

225
MCQeasy

Which protocol is recommended for streaming model-driven telemetry from NX-OS to a collector?

A.FTP
B.SNMP
C.HTTP
D.gRPC
AnswerD

gRPC with protobuf is the recommended transport for MDT.

Why this answer

gRPC (Google Remote Procedure Call) is the recommended protocol for streaming model-driven telemetry from NX-OS to a collector because it provides efficient, bidirectional streaming over HTTP/2, supports structured data encoding (e.g., Protobuf or JSON), and is natively supported in NX-OS for high-frequency, push-based telemetry. Unlike polling-based protocols, gRPC enables the device to continuously stream operational data to the collector with low latency and minimal overhead.

Exam trap

Cisco often tests the misconception that SNMP can provide streaming telemetry, when SNMP is pull-based. NX-OS can push model-driven telemetry over gRPC, HTTP or UDP, but gRPC (with GPB or JSON encoding) is the recommended transport because it runs over HTTP/2 with persistent, multiplexed, optionally TLS-protected streams and a subscription model the collector can rely on.

How to eliminate wrong answers

Option A (FTP) is wrong because FTP is a file transfer protocol designed for bulk file uploads/downloads, not for real-time streaming of telemetry data, and it lacks the bidirectional streaming and structured data capabilities required for model-driven telemetry. Option B (SNMP) is wrong because SNMP is a traditional polling-based protocol that uses a pull model (manager requests data from agents), which is inefficient for high-frequency telemetry and does not support the push-based, subscription-driven streaming model that NX-OS telemetry requires. Option C (HTTP) is wrong because, although NX-OS can POST telemetry to an HTTP collector, plain HTTP lacks the persistent multiplexed streams of gRPC and is not what Cisco recommends; gRPC, which uses HTTP/2 as its transport, provides persistent connections, multiplexing and server push, making it the preferred choice for streaming telemetry from NX-OS.
