Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 226-300

500 questions total · 7 pages · All types, answers revealed


Page 4 of 7

226
MCQ (hard)

A large financial institution operates a dual-fabric Fibre Channel SAN with two separate MDS 9710 directors. Each fabric has multiple storage arrays and hundreds of hosts. The SAN is configured with VSANs to isolate different environments (production, development, backup). Recently, the backup VSAN has been experiencing slow performance during backup windows. Analysis shows that the ISLs between the directors in the backup VSAN are heavily utilized (near 100%) while other ISLs have spare capacity. The backup traffic consists of large sequential reads and writes. The SAN administrator has confirmed that there are no CRC errors or link issues. The backup VSAN uses a single 16 Gbps ISL. Which of the following is the best solution to improve backup performance?

A. Add an additional 16 Gbps ISL and configure a port channel for the backup VSAN.
B. Reduce the buffer credit count on the backup VSAN ISLs to reduce latency.
C. Enable QoS to prioritize backup traffic over other traffic.
D. Implement IVR to route backup traffic through the other fabric.
Answer: A

Increases bandwidth and load balancing.

Why this answer

Adding an additional 16 Gbps ISL and configuring a port channel for the backup VSAN increases the available bandwidth for backup traffic, which consists of large sequential reads and writes that can fully utilize the link. Port channels provide load balancing across member links based on source/destination IDs, effectively distributing the backup traffic and reducing congestion on the single ISL. This directly addresses the near-100% utilization without introducing complexity or relying on other fabrics.

Exam trap

Cisco often tests the misconception that QoS or buffer tuning can solve bandwidth saturation issues, but the core problem here is insufficient aggregate bandwidth, which only adding physical links (via port channels) can resolve.

How to eliminate wrong answers

Option B is wrong because reducing buffer credits on the ISL would actually increase latency and potentially cause frame drops, worsening performance, especially for long-distance links; buffer credits are used to absorb link latency, not to reduce it. Option C is wrong because QoS prioritization does not increase available bandwidth; it only reorders traffic, and since backup traffic is already the only traffic on that VSAN, prioritizing it would have no effect on the high utilization. Option D is wrong because IVR (Inter-VSAN Routing) would route backup traffic through the other fabric, but that fabric's ISLs are also shared with other VSANs and may not have spare capacity; moreover, IVR introduces additional complexity and potential security risks without guaranteeing improved performance, and the problem is bandwidth scarcity within the backup VSAN itself.

227
MCQ (easy)

An enterprise requires that all virtual machines using a specific service profile must have the same MAC address pool. Which policy should be configured on the service profile template?

A. MAC Pool Policy
B. UUID Pool Policy
C. Server Pool Policy
D. WWPN Pool Policy
Answer: A

MAC pool defines the range and is attached to the vNIC in the profile.

Why this answer

A MAC Pool Policy is correct because it defines a range of MAC addresses that are dynamically assigned to virtual network adapters in a service profile. When multiple VMs use the same service profile template, configuring a MAC Pool Policy ensures all VMs derive their MAC addresses from the same pool, guaranteeing consistency and avoiding address conflicts across the cluster.

Exam trap

The trap here is that candidates confuse MAC Pool Policy with UUID Pool Policy, assuming both handle identity assignment, but only MAC Pool Policy controls the Ethernet address pool for virtual NICs.

How to eliminate wrong answers

Option B is wrong because a UUID Pool Policy assigns unique identifiers to virtual machines, not MAC addresses, and does not control network interface addressing. Option C is wrong because a Server Pool Policy manages physical server selection for service profile association, not MAC address assignment. Option D is wrong because a WWPN Pool Policy assigns World Wide Port Names for Fibre Channel adapters, not Ethernet MAC addresses.

228
Multi-Select (hard)

Which THREE conditions can cause Fibre Channel buffer credit starvation? (Choose three.)

Select 3 answers
A. Frequent CRC errors causing retransmissions
B. Long-distance links with insufficient credits allocated
C. High oversubscription ratio on the ISL
D. Multiple VSANs configured on the same trunk
E. Inadequate number of credits allocated to the port
Answers: A, B, E

Correct: Retransmissions consume credits without releasing them.

Why this answer

Options A, C, and E are correct. Long distances require more credits; link errors cause credits to be consumed; small credit pools limit available credits. Option B is incorrect because oversubscription affects bandwidth, not credits.

Option D is incorrect because multiple VSANs don't directly starve credits.

229
MCQ (easy)

A network engineer is configuring a VPC on a pair of Nexus 9000 switches. Which command is required to synchronize the configuration between the VPC peers?

A. auto-recovery
B. peer-keepalive destination <ip>
C. vpc domain <id>
D. role preempt
Answer: B

Peer-keepalive is mandatory for VPC to monitor peer liveliness.

Why this answer

Option B is correct because the `peer-keepalive destination <ip>` command configures a Layer 3 keepalive link between VPC peers, which is essential for monitoring peer liveness and synchronizing configuration states. Without this keepalive, the VPC peers cannot detect failures or maintain consistent forwarding, making it a mandatory component for VPC configuration on Nexus 9000 switches.

Exam trap

Cisco often tests the distinction between the peer-keepalive (Layer 3) and the peer-link (Layer 2) — candidates mistakenly think the peer-link alone synchronizes configurations, but the keepalive is mandatory for liveness detection and configuration sync initiation.

How to eliminate wrong answers

Option A is wrong because `auto-recovery` is used to automatically bring a VPC member port out of suspension after a peer failure, not for synchronizing configurations between peers. Option C is wrong because `vpc domain <id>` creates the VPC domain and enables VPC functionality, but it does not directly synchronize configurations; it is a prerequisite command, not the synchronization mechanism. Option D is wrong because `role preempt` controls which peer assumes the primary role after a failure, but it does not handle configuration synchronization; it affects role election, not data consistency.

230
MCQ (hard)

Refer to the exhibit. A UCS manager profile is configured with two vNICs on separate fabrics. The server is failing to communicate with the default gateway on VLAN 100. Both vNICs are up. What is the most likely issue?

A. The MAC pool is exhausted
B. The VLAN 100 is not defined on the fabric interconnects
C. The boot policy is missing
D. The server is using active-standby NIC teaming and the active vNIC is on a fabric that does not have the VLAN
Answer: B

If VLAN 100 is absent on the FIs, traffic cannot be forwarded to the gateway.

Why this answer

The most likely issue is that VLAN 100 is not defined on the fabric interconnects. In UCS Manager, even if the vNICs are up and the MAC pool is available, the server cannot communicate with the default gateway if the VLAN is not present on the fabric interconnect's VLAN database. The fabric interconnect must have VLAN 100 created and assigned to the appropriate uplink ports or port-channels for traffic to be forwarded.

Exam trap

Cisco often tests the misconception that a vNIC being 'up' implies full Layer 2 connectivity, when in fact the VLAN must be defined on the fabric interconnect for traffic to be switched.

How to eliminate wrong answers

Option A is wrong because a MAC pool exhaustion would prevent vNICs from being assigned a MAC address, but both vNICs are up, indicating MAC addresses are already assigned. Option C is wrong because the boot policy determines the boot order and storage connectivity, not Layer 2/3 network communication to a default gateway. Option D is wrong because active-standby NIC teaming (e.g., using MAC pinning or vPC) would still allow communication if the active vNIC is on the fabric with VLAN 100; the issue is that VLAN 100 is missing on both fabrics, not a teaming misconfiguration.

231
MCQ (hard)

During a SAN migration, an engineer connects new storage to an existing MDS switch. The new storage array is configured with WWPNs that were previously used by decommissioned servers. After zoning is updated, some servers fail to see the correct LUNs. What is the most likely cause?

A. The NPV feature is enabled on the switch causing proxy login issues.
B. Duplicate WWPNs exist in the fabric, causing device login conflicts.
C. The new storage is not in the same VSAN as the servers.
D. The switch is running an older firmware that does not support the new storage.
Answer: B

Reusing WWPNs without clearing the old entries leads to duplicate registrations.

Why this answer

Duplicate WWPNs cause confusion in the fabric. Option A is correct. Option B is wrong because zoning was updated.

Option C is wrong because NPV does not cause LUN issues. Option D is wrong because FLOGI would fail if there was a conflict.

232
MCQ (medium)

A network engineer is troubleshooting a VXLAN EVPN problem where some endpoints are not reachable. The output of 'show bgp l2vpn evpn' shows Type-3 routes but no Type-2 routes for a specific VNI. What should the engineer check?

A. The route-target import/export is misconfigured.
B. BGP session is not established.
C. The VNI is not configured under the NVE interface.
D. The VLAN corresponding to the VNI has no active ports.
Answer: D

Type-2 routes carry MAC/IP information. Without active ports in the VLAN, no MACs are learned, so no Type-2 routes are advertised.

Why this answer

Type-3 routes (IMET routes) are used for BUM traffic forwarding and are advertised when the VNI is configured under the NVE interface, even if no endpoints are active. Type-2 routes (MAC/IP advertisement routes) are only generated when the switch learns a MAC address on a VLAN associated with that VNI. If Type-3 routes exist but Type-2 routes are missing, the VNI is correctly configured for the overlay, but no active ports in the corresponding VLAN are learning MAC addresses, preventing Type-2 route generation.

Exam trap

Cisco often tests the distinction between control-plane (BGP route types) and data-plane (VNI/NVE configuration) readiness, trapping candidates who assume Type-3 routes imply full VNI functionality without checking for active MAC learning on the access side.

How to eliminate wrong answers

Option A is wrong because a route-target import/export misconfiguration would prevent the reception or advertisement of all EVPN route types (including Type-3), not selectively block Type-2 routes while allowing Type-3. Option B is wrong because if the BGP session were not established, no EVPN routes (neither Type-2 nor Type-3) would appear in the 'show bgp l2vpn evpn' output. Option C is wrong because if the VNI were not configured under the NVE interface, the switch would not generate any EVPN routes for that VNI, including Type-3 routes.

233
MCQ (easy)

A NETCONF session to an NX-OS switch fails with 'Connection refused'. What is the most likely cause?

A. All of the above
B. Wrong SSH port (default 830)
C. The switch is unreachable
D. NETCONF is not enabled on the switch
Answer: D

Without 'feature netconf', the NETCONF server does not start.

Why this answer

NETCONF uses SSH port 830 by default, but the 'Connection refused' error specifically indicates that the TCP connection was actively rejected by the switch, not that it timed out or was unreachable. This occurs when the NETCONF subsystem is not available because the 'netconf' feature has not been enabled on the NX-OS device, which is required to start the NETCONF server process.

Exam trap

Cisco often tests the distinction between 'Connection refused' (service not running) and 'Connection timed out' (host unreachable or firewall blocking), leading candidates to incorrectly select 'wrong port' or 'unreachable' when the real issue is that the NETCONF feature is not enabled.

How to eliminate wrong answers

Option A is wrong because 'All of the above' cannot be correct since only one option is the most likely cause. Option B is wrong because while the default NETCONF SSH port is 830, a wrong port would result in a timeout or 'Connection timed out', not an active 'Connection refused' — the switch would not reject the connection on a different port unless that port is closed. Option C is wrong because if the switch were unreachable, the error would be 'No route to host' or 'Connection timed out', not 'Connection refused', which requires the switch to be reachable and actively rejecting the connection.

234
MCQ (medium)

An organization uses VXLAN EVPN for network segmentation. Which component provides per-tenant isolation of control plane traffic?

A. VLAN
B. VNI
C. VXLAN tunnel
D. VRF
Answer: D

VRF creates separate routing instances for each tenant, isolating control plane traffic.

Why this answer

In VXLAN EVPN, per-tenant isolation of control plane traffic is achieved through the use of VRFs (Virtual Routing and Forwarding instances). Each tenant is assigned a unique VRF, which maintains its own separate routing table and forwarding decisions, ensuring that control plane information (such as MAC/IP routes advertised via MP-BGP EVPN) is isolated between tenants. This is distinct from data plane isolation, which is provided by VXLAN Network Identifiers (VNIs).

Exam trap

Cisco often tests the distinction between data plane isolation (VNI) and control plane isolation (VRF), leading candidates to mistakenly choose VNI because it is the most visible segmentation identifier in VXLAN.

How to eliminate wrong answers

Option A is wrong because VLANs operate at Layer 2 and provide broadcast domain isolation within a physical network, but they do not isolate control plane traffic in a VXLAN EVPN overlay; VLANs are mapped to VNIs for data plane segmentation. Option B is wrong because a VNI (VXLAN Network Identifier) is used to identify and isolate data plane traffic (VXLAN segments) at Layer 2, not the control plane; control plane isolation requires separate routing contexts. Option C is wrong because a VXLAN tunnel is simply the encapsulation mechanism that carries VXLAN packets between VTEPs; it does not provide any per-tenant isolation of control plane signaling or routing information.

235
MCQ (easy)

Refer to the exhibit. The blade server is unassociated. Which action is required to assign a service profile to this server?

A. Configure the server's BIOS settings
B. Create a service profile and associate it with the server
C. Create a boot policy
D. Create a vNIC template
Answer: B

Directly associates the server with a profile, enabling configuration.

Why this answer

A service profile defines the server identity, firmware, policies, and connectivity settings for a UCS blade server. When a server is unassociated, you must create a service profile and then associate it with the server to apply those configurations and bring the server into operation.

Exam trap

Cisco often tests the distinction between creating a component policy (like boot policy or vNIC template) versus creating and associating the service profile itself, leading candidates to mistake a sub-component for the primary action.

How to eliminate wrong answers

Option A is wrong because BIOS settings are configured within the service profile or BIOS policy, not as a standalone prerequisite for association. Option C is wrong because a boot policy is a component that can be included in a service profile, but creating one alone does not assign a service profile to the server. Option D is wrong because a vNIC template is used to define network interface properties within a service profile, but it is not the action required to associate a service profile with the server.

236
Multi-Select (hard)

Which THREE conditions must be met before a UCS Fabric Interconnect can be part of a port channel? (Select THREE.)

Select 3 answers
A. Ports should come from different FEX modules for redundancy.
B. All ports must be on the same side of the switch (either all uplink or all server-facing).
C. Ports should be configured as admin down until the port channel is formed.
D. The ports must belong to the same virtual port channel (vPC) domain.
E. All ports in the port channel must have the same speed and duplex settings.
Answers: B, D, E

Port channels cannot mix uplink and server ports.

Why this answer

Option B is correct because in a UCS Fabric Interconnect, a port channel can only be formed using ports that are all on the same side of the switch—either all uplink ports (connecting to the upstream network) or all server-facing ports (connecting to FEX or servers). Mixing uplink and server-facing ports in a single port channel is not supported due to the distinct forwarding behaviors and VLAN configurations applied to each port type.

Exam trap

Cisco often tests the misconception that port channel member ports can be from any combination of port types (e.g., uplink and server-facing), but the correct requirement is that they must all be on the same side of the switch to ensure consistent forwarding behavior.

237
MCQ (medium)

An engineer is troubleshooting a UCS B-Series server that fails to boot from SAN. The SAN boot LUN is correctly zoned and presented. The service profile has WWPNs configured. What is a likely cause?

A. Server firmware mismatch
B. Missing vNIC template
C. VLAN mismatch
D. Incorrect boot policy order
Answer: D

The server will attempt boot devices in the order defined; if SAN is not first, it may fail.

Why this answer

The SAN boot LUN is correctly zoned and presented, and the WWPNs are configured in the service profile, so the connectivity and identity are set. However, if the boot policy order is incorrect (e.g., the SAN boot target is listed after a local disk or another boot device), the server will attempt to boot from the wrong device first and fail to boot from the SAN. The boot policy defines the sequence of boot devices, and a misconfigured order is a common cause of boot failures in UCS B-Series.

Exam trap

Cisco often tests the misconception that SAN boot failures are always due to zoning or WWPN misconfiguration, when in fact the boot policy order is a separate, critical setting that must be correctly configured in the service profile.

How to eliminate wrong answers

Option A is wrong because a server firmware mismatch would typically cause compatibility issues or boot failures at a lower level, but the question states the LUN is correctly zoned and presented, and the issue is specifically about boot order, not firmware version mismatch. Option B is wrong because a missing vNIC template would prevent the vNIC from being created in the service profile, but the service profile already has WWPNs configured, implying the vNIC is present. Option C is wrong because a VLAN mismatch would affect network connectivity after boot, not the ability to boot from SAN, which uses Fibre Channel (FC) zoning, not VLANs.

238
MCQ (medium)

A storage administrator configures a new Cisco MDS switch and enables NPV mode. However, the upstream switch shows the NPV switch as an end device instead of a switch. What is the most likely reason?

A. The upstream switch port is configured as an E port.
B. NPIV is not enabled on the upstream switch.
C. The NPV switch has a domain ID that conflicts with the upstream switch.
D. The NPV switch is configured with N port mode.
Answer: B

Without NPIV, the upstream switch treats the NPV device as a regular end device.

Why this answer

NPV mode requires the upstream switch to have NPIV enabled. Option C is correct. Option A is wrong because NPV switches do not have their own domain ID.

Option B is wrong because F ports are correct. Option D is wrong because N port is initiator mode; NPV uses NP ports.

239
MCQ (hard)

A storage network using Cisco MDS 9700 switches has two VSANs (100 and 200). The engineer wants to share a physical ISL between both VSANs while maintaining traffic isolation. Which feature should be used?

A. VSAN trunking
B. PortChannel with trunk mode on
C. Inter-VSAN Routing (IVR)
D. FSPF metric manipulation
Answer: A

VSAN trunking allows multiple VSANs over a single link with isolation.

Why this answer

VSAN trunking allows multiple VSANs over a single ISL, maintaining isolation. PortChannel aggregates bandwidth, not VSANs. FSPF is routing, and IVR routes between VSANs, not sharing a link.

240
MCQ (medium)

An engineer is configuring a new data center leaf switch to enforce micro-segmentation using Cisco ACI. The requirement is to permit traffic from web servers to application servers on TCP port 8080, but deny all other traffic. The web servers are in EPG 'web_EPG' and application servers in EPG 'app_EPG'. Which contract configuration should be applied?

A. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Use vzAny for both EPGs.
B. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080'. Assign web_EPG as provider and app_EPG as consumer.
C. Create a contract with subject 'web_to_app' and apply filter 'tcp_8080' with direction 'both'. Assign web_EPG as provider and app_EPG as consumer.
D. Create a contract with subject 'web_to_app' and apply filter 'ip'. Assign web_EPG as provider and app_EPG as consumer.
Answer: C

Correct: provider sends traffic to consumer; filter permits TCP 8080; direction both allows response.

Why this answer

Option C is correct because in Cisco ACI, contracts define the rules for communication between EPGs. The provider EPG offers a service, and the consumer EPG accesses it. By setting the filter direction to 'both', the contract enforces bidirectional traffic on TCP port 8080, which is necessary for web-to-application communication (e.g., HTTP responses).

This configuration ensures that only traffic matching the filter is permitted, while all other traffic is implicitly denied by ACI's default deny behavior.

Exam trap

The trap here is that candidates assume the default filter direction (consumer to provider) is sufficient for bidirectional TCP communication, but Cisco tests the understanding that the 'both' direction is required for return traffic in ACI contracts.

How to eliminate wrong answers

Option A is wrong because vzAny is a special object representing all EPGs, not a specific EPG assignment; using vzAny for both EPGs would apply the contract to all traffic, violating the micro-segmentation requirement. Option B is wrong because it assigns web_EPG as provider and app_EPG as consumer, but the filter direction is not specified; by default, ACI applies the filter only from consumer to provider, which would block return traffic from app_EPG to web_EPG, breaking the bidirectional communication needed for TCP port 8080. Option D is wrong because the filter 'ip' permits all IP traffic, which is too permissive and does not restrict traffic to TCP port 8080, failing the requirement to deny all other traffic.

241
Multi-Select (hard)

A Cisco MDS switch is configured for NPV mode. An upstream NPIV-enabled switch is connected. The administrator notices that the NPV switch is not logging in to the NPIV switch. The NPV switch shows the following: 'show npv status' indicates NPV is enabled but no traffic. Which three conditions could cause this issue?

Select 3 answers
A. FSPF is not enabled on the NPV switch.
B. The uplink interface on the NPV switch is not configured as an NP port.
C. The upstream switch is not configured for NPIV mode.
D. The NPV switch does not have the proper license for NPV mode.
E. The VSAN on the NPV uplink does not match the VSAN on the core switch.
Answers: B, C, E

NPV uplinks must be configured as NP ports to connect to the core NPIV switch.

Why this answer

Option B is correct because in NPV mode, the uplink interface on the NPV switch must be explicitly configured as an NP port (np). If the interface is left as a default F port or another port type, it cannot establish a connection to the upstream NPIV-enabled switch. The 'show npv status' output showing NPV enabled but no traffic indicates that the NPV switch is operational but the uplink is not properly configured to initiate the FLOGI process.

Exam trap

Cisco often tests the misconception that NPV requires a license or that FSPF must be enabled, when in fact NPV is license-free and does not use FSPF; the real issue is typically an incorrect port mode or VSAN mismatch.

242
MCQ (medium)

A team is using Cisco DCNM for fabric management. They need to integrate with an external CI/CD pipeline. Which API should they use to trigger a network configuration change?

A. SNMP SET
B. DCNM REST API
C. NX-API on each switch
D. CLI via SSH
Answer: B

Centralized northbound API, ideal for CI/CD.

Why this answer

The DCNM REST API is the correct choice because it provides a programmatic, northbound interface specifically designed for integrating Cisco DCNM with external CI/CD pipelines. This API allows you to trigger network configuration changes at the fabric level, abstracting the complexity of individual switches and ensuring consistency across the entire fabric, which is essential for automated, version-controlled deployments.

Exam trap

Cisco often tests the distinction between device-level APIs (like NX-API) and fabric-level management APIs (like DCNM REST API), leading candidates to choose NX-API because they assume it is the most direct way to configure switches, but they miss that the question specifically requires integration with a CI/CD pipeline for fabric management, which demands a centralized, orchestrated approach.

How to eliminate wrong answers

Option A is wrong because SNMP SET is a legacy, device-level protocol that is not designed for fabric-wide orchestration or CI/CD integration; it is slow, lacks transactional guarantees, and does not support the declarative model needed for automated pipelines. Option C is wrong because NX-API on each switch operates at the individual device level, requiring the pipeline to manage each switch separately, which defeats the purpose of fabric-level management and introduces risk of configuration drift. Option D is wrong because CLI via SSH is a manual, non-scalable method that cannot be reliably integrated into an automated CI/CD pipeline; it lacks idempotency, audit trails, and the ability to roll back changes atomically.

243
Matching (medium)

Match each Cisco UCS Manager CLI command to its function.


Concepts
Matches

Displays hardware details of servers

Enters organization configuration mode

Creates a logical server definition

Configures virtual network interface card

Applies pending configuration changes

Why these pairings

These commands are used in UCS Manager CLI for server management.

244
MCQ (easy)

An engineer needs to automate configuration backups on NX-OS switches using Python. Which Python library is specifically designed for this purpose?

A. requests
B. paramiko
C. cli
D. nxapi
Answer: D

nxapi is the official Python library for NX-OS NX-API.

Why this answer

The `nxapi` library is specifically designed for automating configuration backups and other management tasks on Cisco NX-OS switches. It provides a Pythonic interface to the NX-API, which uses HTTP/HTTPS-based REST or XML/JSON-RPC calls to execute CLI commands and retrieve structured output, making it the correct choice for this purpose.

Exam trap

Cisco often tests the distinction between generic libraries (like `requests` or `paramiko`) and platform-specific libraries (like `nxapi`), trapping candidates who overlook that `nxapi` provides built-in NX-OS command formatting and authentication, whereas `requests` would require manual construction of NX-API payloads.

How to eliminate wrong answers

Option A is wrong because the `requests` library is a generic HTTP client library for Python; it can be used to send HTTP requests to NX-API but lacks the NX-OS-specific abstractions, authentication handling, and command formatting that `nxapi` provides. Option B is wrong because `paramiko` is an SSHv2 implementation for Python; while it can be used to automate CLI commands over SSH, it is not purpose-built for NX-OS and requires manual handling of SSH sessions, command parsing, and error handling. Option C is wrong because `cli` is not a standard Python library; it is a module within Cisco's NX-OS Python environment (e.g., `from cli import cli`) that runs CLI commands locally on the switch, but it is not a library for external automation of configuration backups.

245
MCQ (hard)

A large enterprise runs a Cisco HyperFlex cluster with three nodes, managed through Intersight. After a planned maintenance window, the administrator notices that one of the nodes is in a 'Degraded' state and the cluster is running in 'Read-Only' mode. The administrator checks the Intersight dashboard and sees that the node's disk status shows 'Missing' for one of the SSDs. The administrator also notices that the node's IP address is reachable and the ESXi host is still operational. The administrator reviews the cluster health and sees no other alerts. What is the most likely root cause and the recommended action to restore full cluster health?

A. The SSD failed due to a hardware fault; the administrator should replace the SSD and then use Intersight to rebuild the node's disk group.
B. The node lost connectivity to the cluster's internal network; the administrator should check the network switches and restore the VLAN configuration.
C. The node's controller VM (stCVM) is not running; the administrator should reboot the node and wait for the CVM to start.
D. The cluster has split-brain due to a partition; the administrator should force a cluster consensus by shutting down the other nodes.
Answer: A

A failed SSD is a common cause of a missing disk. Replacing the SSD and rebuilding the disk group restores redundancy and cluster health.

Why this answer

A is correct because a missing SSD in a HyperFlex node triggers a 'Degraded' state and forces the cluster into 'Read-Only' mode to prevent data corruption. Since the node's IP is reachable and ESXi is operational, the issue is a hardware fault, not a network or CVM problem. Replacing the SSD and using Intersight to rebuild the disk group restores the node's storage capacity and cluster health.

Exam trap

The trap here is that candidates may assume a 'Degraded' state with reachable ESXi implies a network or CVM issue, but the specific 'Missing' disk status points directly to a hardware fault, not a software or connectivity problem.

How to eliminate wrong answers

Option B is wrong because the node's IP is reachable and ESXi is operational, indicating no network connectivity loss; a VLAN misconfiguration would cause unreachability, not a missing SSD status. Option C is wrong because if the stCVM were not running, the node would likely be unreachable or show a different alert, and the disk status would not specifically show 'Missing' for an SSD. Option D is wrong because split-brain occurs when nodes lose quorum, typically due to network partition, not a single missing SSD; forcing consensus by shutting down other nodes would cause data loss and is not a recommended recovery step.

246
Multi-Select (easy)

Which three components are required to boot a UCS blade server from SAN? (Choose three.)

Select 3 answers
A. SAN boot target LUN
B. vHBA
C. Boot policy
D. iSCSI adapter
E. vNIC
Answers: A, B, C

The actual storage unit from which to boot.

Why this answer

A SAN boot target LUN (A) is the logical unit on the storage array that holds the operating system; without a designated boot LUN the blade has no target to load the OS from over the Fibre Channel (FC) or FCoE fabric. A vHBA (B) is the virtual Fibre Channel adapter that the service profile presents to the blade; it carries the WWPN that the array masks the boot LUN to and that zoning permits. A boot policy (C) tells the blade BIOS to boot from SAN and names the target WWPN and LUN ID (primary and, optionally, secondary paths). An iSCSI adapter (D) applies to iSCSI boot, not FC SAN boot, and a vNIC (E) carries LAN traffic only.

Exam trap

Cisco often tests the distinction between vNIC (LAN) and vHBA (SAN), so candidates mistakenly select vNIC for SAN boot, not realizing that storage traffic requires a dedicated HBA abstraction.

247
Multi-Selectmedium

Which THREE methods can be used to propagate Cisco TrustSec Security Group Tags (SGTs) across a network? (Choose three.)

Select 3 answers
A.VXLAN with group-based policy
B.SXP (SGT Exchange Protocol)
C.802.1Q tag (inline tagging)
D.CDP (Cisco Discovery Protocol)
E.LLDP
AnswersA, B, C

VXLAN can carry SGTs in the Group Policy ID (GPI) field.

Why this answer

VXLAN with group-based policy (GBP) is a valid method for propagating SGTs because it embeds the SGT into the Group Policy ID (GPID) field of the VXLAN header. This allows the SGT to be carried across an overlay network, enabling scalable, policy-based segmentation in a fabric environment without requiring inline tagging or SXP on every hop. The other two valid methods are inline tagging, which carries the SGT in the Cisco Meta Data (CMD) field of the Ethernet frame on links where both ends support it, and SXP, which exchanges IP-to-SGT bindings over a TCP session where the intermediate devices cannot carry the tag in the frame.

Exam trap

Cisco often tests the distinction between discovery protocols (CDP/LLDP) and actual SGT propagation mechanisms; the trap here is assuming that any Cisco proprietary protocol can carry SGTs, when in fact only SXP, inline tagging, and VXLAN GBP are valid.

248
Multi-Selecthard

Which TWO statements are true about Cisco ACI contracts? (Choose two)

Select 2 answers
A.Contracts can be reused across multiple EPGs.
B.Contracts are unidirectional from consumer to provider.
C.A contract can include multiple subjects.
D.Subjects within a contract specify only the destination ports.
E.Contracts are always bidirectional.
AnswersA, C

A contract can be applied to many EPG pairs, allowing reuse and simplified policy management.

Why this answer

Option A is correct because Cisco ACI contracts are designed as reusable policy constructs. Once a contract is defined, it can be consumed and provided by many EPGs (Endpoint Groups) without redefining the rules, promoting consistency and reducing administrative overhead. Option C is correct because a contract contains one or more subjects, each with its own set of filters (and optionally its own QoS or service-graph settings), so a single contract can express several distinct traffic rules between the same pair of EPGs.

Exam trap

Cisco often tests the misconception that contracts are strictly unidirectional. A contract has a consumer side and a provider side, but each subject applies its filters in both directions by default ('Apply Both Directions' with 'Reverse Filter Ports'), so return traffic is permitted without a second contract; direction can be restricted per subject when needed, which is why neither 'always unidirectional' nor 'always bidirectional' is true.

249
MCQmedium

Refer to the exhibit. An administrator updates template-B but its associated profile SP2 shows 'unassigned'. The administrator wants SP2 to reflect the changes. What should be done first?

A.Disable and re-enable template-B
B.Wait for the automatic association to occur
C.Associate SP2 with template-B using the 'bind' operation
D.Rebind all profiles to template-B
AnswerC

Binding creates the link between profile and template.

Why this answer

In Cisco UCS Manager, a service profile (SP2) must be explicitly bound to a template (template-B) to inherit updates. The 'bind' operation associates the profile with the template, allowing changes made to the template to propagate to the profile. Simply disabling and re-enabling the template or waiting for automatic association does not establish this binding; the profile remains 'unassigned' until it is bound.

Exam trap

Cisco often tests the distinction between 'updating templates' and 'initial templates', where candidates mistakenly assume that simply enabling or refreshing a template will automatically update associated profiles, overlooking the explicit bind requirement.

How to eliminate wrong answers

Option A is wrong because disabling and re-enabling a template does not change the association state of a service profile; it only toggles the template's operational status without affecting the binding. Option B is wrong because Cisco UCS Manager does not automatically associate a service profile with a template; the administrator must manually perform a bind operation to link the profile to the template. Option D is wrong because rebinding all profiles to template-B is unnecessary and could disrupt other profiles; only SP2 needs to be bound to template-B to reflect the changes.

250
MCQhard

Refer to the exhibit. An engineer notices that traffic is not load-balanced across all four links. What is the most likely cause?

A.The minimum links set to 2 prevents load balancing.
B.LACP is not supported on Fibre Channel.
C.The load-balancing algorithm is based on source-dest-id, which may not evenly distribute traffic.
D.The port channel is in admin down state.
E.The links are not in the same VSAN.
AnswerC

Source-dest-id hashes only on SID and DID, so every exchange between the same host/target pair lands on the same member link; exchange-based hashing (src-dst-ox-id, the MDS default) spreads those exchanges across the members.

Why this answer

Option C is correct because the VSAN's load-balancing scheme in the exhibit is src-dst-id, which hashes only on source ID (SID) and destination ID (DID). If the traffic is between a small number of host/target pairs, every exchange between a given pair maps to the same member link, so a few pairs can saturate one link while the others sit idle. The MDS default scheme, src-dst-ox-id, also includes the originator exchange ID (OX_ID) in the hash and therefore distributes exchanges between the same pair across all four links. This is a common cause of perceived load imbalance even when every link is operational.

Exam trap

Cisco often tests the misconception that load imbalance is always due to a configuration error or link failure, when in fact the default hash algorithm's behavior with limited source-destination pairs is the root cause.

How to eliminate wrong answers

Option A is wrong because the minimum-links setting (e.g., 2) only governs whether the port channel comes up when fewer than that number of members are active; it does not affect load balancing once the channel is up. Option B is wrong because LACP is an Ethernet aggregation protocol (IEEE 802.3ad/802.1AX) and is not used for Fibre Channel port channels; MDS FC port channels are negotiated with Cisco's Port Channel Protocol (PCP, enabled with 'channel mode active'), so the absence of LACP is normal, not a fault. Option D is wrong because if the port channel were in admin down state, no traffic would pass at all, not just uneven load balancing.

Option E is wrong because all links in a Fibre Channel port channel must be in the same VSAN; if they were not, the port channel would not form or would have errors, but the exhibit shows the channel is up.

251
MCQmedium

An engineer is configuring VXLAN bridging and routing on a Cisco Nexus 9000 switch. Which configuration is required to enable inter-VNI routing?

A.Configure a VLAN interface under the bridge domain.
B.Enable ip routing under VRF.
C.Configure anycast gateway MAC.
D.Configure a VRF and associate the VLAN interface to it.
AnswerC

Provides a common gateway MAC across all leaf switches, enabling seamless routing between VNIs.

Why this answer

Inter-VNI routing in a VXLAN EVPN fabric uses a distributed anycast gateway: every leaf answers for the same gateway IP and MAC, so a host is routed by its local leaf regardless of where it attaches. The gateway MAC is set once per switch with the global 'fabric forwarding anycast-gateway-mac' command (the same value on every leaf in the fabric), and each gateway SVI then enables the function with 'fabric forwarding mode anycast-gateway'. Without the shared MAC, a host that moves between leaves would keep an ARP entry for a gateway MAC that the new leaf does not own.

Exam trap

Cisco often tests the misconception that simply enabling IP routing or associating an SVI to a VRF is sufficient for inter-VNI routing, when in fact the anycast gateway MAC is the mandatory configuration that enables the distributed gateway functionality.

How to eliminate wrong answers

Option A is wrong because configuring a VLAN interface under the bridge domain is part of VXLAN bridging, not routing; inter-VNI routing requires an SVI in anycast-gateway mode, not just a VLAN interface in the bridge domain. Option B is wrong because enabling 'ip routing' under a VRF is a prerequisite for any L3 forwarding but does not specifically enable inter-VNI routing; the critical missing piece is the anycast gateway. Option D is wrong because associating a VLAN interface to a VRF is necessary for VRF-based routing but alone does not enable inter-VNI routing; the SVI must also be put in anycast-gateway mode, using the fabric-wide gateway MAC, so that the switch can act as a distributed gateway.
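The following is an added configuration example, not text from the original page, showing the distributed anycast gateway pieces on a Nexus 9000 leaf in a VXLAN EVPN fabric (question 251). The VLAN, VNI, VRF name, gateway MAC, addresses and loopback number are assumed values; the underlay, BGP EVPN peering and loopback1 are assumed to exist already. Note that the gateway MAC is set once globally and the SVI only switches on anycast-gateway mode.

```nxos
! Fabric features (assumed licensed and permitted on this platform)
nv overlay evpn
feature bgp
feature interface-vlan
feature vn-segment-vlan-based
feature nv overlay

! One fabric-wide gateway MAC: global command, identical value on every leaf
fabric forwarding anycast-gateway-mac 0000.2222.3333

! Tenant VRF with its L3 VNI (assumed IDs)
vrf context Tenant-A
  vni 50001
  rd auto
  address-family ipv4 unicast
    route-target both auto
    route-target both auto evpn

! L2 VNI for the host VLAN, and the VLAN that carries the L3 VNI
vlan 10
  vn-segment 10010
vlan 2501
  vn-segment 50001

! Host-facing SVI: VRF member, gateway IP, anycast-gateway mode
interface Vlan10
  no shutdown
  vrf member Tenant-A
  ip address 10.1.10.1/24
  fabric forwarding mode anycast-gateway

! L3 VNI SVI: no IP address, only forwards routed traffic for the VRF
interface Vlan2501
  no shutdown
  vrf member Tenant-A
  ip forward

! VTEP: the L2 VNI plus the L3 VNI bound to the VRF
interface nve1
  no shutdown
  host-reachability protocol bgp
  source-interface loopback1
  member vni 10010
    ingress-replication protocol bgp
  member vni 50001 associate-vrf

! Verification
show running-config | include fabric forwarding
show nve vni
show ip route vrf Tenant-A
```

If the global gateway MAC differs between two leaves, a host that moves between them keeps an ARP entry for a MAC the new leaf does not own; checking the 'fabric forwarding' line in the running configuration on every leaf is the quickest way to catch that.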

252
MCQmedium

An engineer is configuring intelligent zoning and wants to use device aliases to simplify zone membership. What is a characteristic of device aliases compared to zone aliases?

A.Device aliases require a specific DNS entry.
B.Device aliases are restricted to a single VSAN.
C.Device aliases are automatically assigned to the default zone.
D.Device aliases can be used in multiple zones across different VSANs.
AnswerD

Device aliases are global and can be reused across VSANs.

Why this answer

Option D is correct. Device aliases are defined once in the fabric-wide device-alias database (distributed by CFS) and can be referenced from zones in any VSAN, as well as from other features that take a pWWN. Zone aliases (fcalias) are defined per VSAN and can only be used by zones within that VSAN. Option A is wrong because device aliases are stored in the switch's device-alias database, not in DNS; option B is wrong because it describes fcalias, not device alias; option C is wrong because aliases are names for pWWNs and have no effect on default-zone membership.

253
MCQeasy

An engineer notices that the CPU utilization on a Cisco Nexus 5548UP switch is consistently above 80%. The switch is used for FCoE storage traffic. Which action is most likely to reduce CPU utilization?

A.Configure DCBX willing mode
B.Enable FCoE NPV mode
C.Disable FIP snooping
D.Reduce the number of FCoE VLANs
AnswerD

Fewer VLANs means less FIP snooping processing, reducing CPU load.

Why this answer

Reducing the number of FCoE VLANs decreases the amount of FIP snooping processing, which is a common cause of high CPU. Disabling FIP snooping would break FCoE. Enabling NPV or changing DCBx does not directly reduce CPU.

254
MCQeasy

A storage administrator reports that a new host cannot log into the SAN. The host is connected to a Cisco MDS switch. The switch interface shows up/up but the host is not in the active zone. What is the most likely cause?

A.The zone set is not activated.
B.The switch port is in an isolated state.
C.The FC cable is faulty.
D.The host's WWPN is not in the zone configuration.
E.The host's driver is not installed.
AnswerA

If the zone set is not activated, the zone database is only a saved configuration; nothing is enforced, and the host is not part of any active zone even if its WWPN is listed in a zone.

Why this answer

The host cannot reach its targets despite the interface showing up/up because the zone set is not activated. In Cisco MDS Fibre Channel SANs, zones and zone sets are stored in the zone database but only take effect when a zone set is activated with 'zoneset activate name <set> vsan <id>'. Without an active zone set, no zoning is enforced: every logged-in device falls into the default zone, whose policy is deny by default, so the host's WWPN is effectively invisible to the storage even though the physical link and FLOGI are fine.

Exam trap

Cisco often tests the distinction between configuring a zone (adding WWPNs) and activating the zone set; candidates mistakenly assume that simply adding a WWPN to a zone is sufficient, overlooking the mandatory activation step that enforces the zoning policy.

How to eliminate wrong answers

Option B is wrong because the isolated state applies to a port-channel member whose parameters (speed, mode, VSAN) conflict with the channel, not to zoning, and the interface shows up/up, which rules out isolation. Option C is wrong because a faulty FC cable would leave the interface down/down or flapping, not up/up. Option D describes a real failure mode (a host that completes FLOGI but cannot see its targets), but the question states that the host is not in the active zone at all; when no zone set is active, adding the WWPN to a zone changes nothing until a zone set containing that zone is activated, which is why the missing activation is the most likely cause.

Option E is wrong because the host's driver not being installed would prevent the host from initiating a fabric login (FLOGI), but the switch interface shows up/up, indicating physical and link-level connectivity is present.
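The following is an added MDS configuration example, not text from the original page, covering the device-alias question (252) and the zone-set activation question (254) together: fabric-wide device aliases, one single-initiator zone that uses them, and the zone set activation that actually enforces it. The pWWNs, names and VSAN number are assumed values.

```nxos
! Device aliases: defined once, fabric-wide, reusable in any VSAN (pWWNs assumed)
device-alias database
  device-alias name esx01_hba0 pwwn 21:00:00:24:ff:11:22:33
  device-alias name array1_ctlA_p0 pwwn 50:06:01:60:3e:a0:01:01
device-alias commit

! Single-initiator, single-target zone in VSAN 10, referencing the aliases
zone name Z_esx01_hba0_array1_ctlA vsan 10
  member device-alias esx01_hba0
  member device-alias array1_ctlA_p0

! Zone set containing the zone: nothing is enforced until the set is activated
zoneset name ZS_prod vsan 10
  member Z_esx01_hba0_array1_ctlA
zoneset activate name ZS_prod vsan 10

! Verification: FLOGI proves the physical login, the active zone set proves enforcement
show flogi database vsan 10
show fcns database vsan 10
show zoneset active vsan 10
show zone status vsan 10
```

A host that appears in 'show flogi database' but not in 'show zoneset active' is exactly the symptom in question 254: the link is up and the login succeeded, but no active zone includes the pWWN. With no active zone set, devices sit in the default zone, which denies traffic by default; leave that default in place rather than switching it to permit, since permit in the default zone lets every unzoned device see every other.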

255
Multi-Selecthard

Which THREE of the following are valid methods to secure the control plane on a Cisco Nexus 9000 switch?

Select 3 answers
A.Enable control plane policing (CoPP) to rate-limit control plane traffic.
B.Configure management access lists to restrict SSH/SNMP access.
C.Disable unused services such as HTTP/HTTPS server.
D.Enable Bidirectional Forwarding Detection (BFD) on all interfaces.
E.Implement routing protocol authentication (e.g., OSPF MD5).
AnswersA, B, C

CoPP protects the control plane from DoS attacks.

Why this answer

Control plane policing (CoPP) is a valid method to secure the control plane on a Cisco Nexus 9000 switch. CoPP uses a policy map applied to the control plane to rate-limit or drop traffic destined to the supervisor module, protecting the CPU from excessive or malicious traffic. This is a direct control plane security mechanism defined in Cisco NX-OS.

Exam trap

Cisco often tests the distinction between control plane security (CoPP, management ACLs, disabling services) and other security features like BFD or routing authentication, which protect different planes or functions.
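The following is an added NX-OS configuration example, not text from the original page, that puts the three valid answers from question 255 together on a Nexus 9000: the built-in strict CoPP profile, an access list restricting SSH and SNMP on the management interface, and removal of unneeded services. The admin subnet and ACL name are assumed values.

```nxos
! Control plane policing: apply the built-in strict profile (rate-limits traffic to the supervisor)
copp profile strict

! Restrict SSH and SNMP on mgmt0 to the admin subnet (10.0.0.0/24 is assumed);
! apply from a console session or confirm your own source is inside the permit before committing
ip access-list MGMT-IN
  10 permit tcp 10.0.0.0/24 any eq 22
  20 permit udp 10.0.0.0/24 any eq snmp
  30 deny ip any any log
interface mgmt0
  ip access-group MGMT-IN in

! Disable services that are not needed; keep SSH as the only interactive access path
feature ssh
no feature telnet
no feature nxapi

! Verification
show copp status
show policy-map interface control-plane
show ip access-lists MGMT-IN
show feature | include telnet
show feature | include nxapi
```

'show policy-map interface control-plane' reports per-class conformed and violated counters; a steadily rising violated count in a class such as the one for management protocols is the signal that something is hammering the supervisor, and the management ACL's log keyword tells you from where.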

256
MCQeasy

An engineer needs to design a resilient Fibre Channel SAN that eliminates single points of failure between two MDS switches and a storage array with two controllers. What is the minimum number of FC port channels required to achieve this goal?

A.Three
B.Two
C.One
D.Four
AnswerB

Two port channels allow each controller to connect to both switches.

Why this answer

For redundancy, each storage controller has ports into both switches, and each switch terminates one port channel from the array, so two port channels (one per switch) remove any single switch, link, or controller as a point of failure. Option C (one) leaves a single channel and therefore a single point of failure. Options A (three) and D (four) add channels beyond what is needed to eliminate the single point of failure. Option B is correct.

257
MCQeasy

An engineer needs to implement port security on a Cisco Nexus 1000v virtual switch to prevent MAC flooding attacks. The requirement is to allow only the first MAC address learned on the port. Which command sequence accomplishes this?

A.interface ethernet 1/1 switchport port-security switchport port-security maximum 2 switchport port-security violation restrict
B.interface ethernet 1/1 switchport port-security switchport port-security maximum 1 switchport port-security violation shutdown
C.interface ethernet 1/1 switchport port-security switchport port-security maximum 10 switchport port-security violation protect
D.interface ethernet 1/1 switchport port-security manual switchport port-security mac-address 0000.1111.2222
AnswerB

This sets the maximum MAC addresses to 1 and violation action to shutdown.

Why this answer

Option B is correct because the command sequence sets the maximum number of MAC addresses to 1, which ensures only the first learned MAC address is allowed on the port. The 'violation shutdown' action disables the port if a violation occurs, effectively preventing MAC flooding attacks by stopping any additional MAC addresses from being learned.

Exam trap

Cisco often tests the violation actions: 'protect' silently drops frames from addresses beyond the maximum, 'restrict' drops them and logs or counts the violation, and 'shutdown' err-disables the port. All three stop further addresses from being learned once the maximum is reached, so the deciding factor here is 'maximum 1', which is what limits the port to the first learned MAC; candidates who focus only on the violation keyword pick options whose maximum allows more than one address.

How to eliminate wrong answers

Option A is wrong because it sets the maximum to 2, allowing two MAC addresses instead of the required one, and uses 'restrict', which drops and logs frames from additional MACs without disabling the port. Option C is wrong because it sets the maximum to 10, allowing multiple MAC addresses, and uses 'protect', which silently drops frames from additional MACs but does nothing to enforce a single address. Option D is wrong because 'switchport port-security manual' is not a valid NX-OS command; static entries use 'switchport port-security mac-address <mac>' and learned entries use 'switchport port-security mac-address sticky', and a single static MAC does not implement 'first learned' behaviour.

258
MCQmedium

When using Cisco NSO (Network Services Orchestrator) to automate service creation across a data center network, what is a key consideration regarding device compatibility?

A.NSO requires NETCONF for all devices.
B.Each device must have a corresponding NED that matches its OS version.
C.Device YANG models must be hand-coded by the team.
D.NSO only supports Cisco devices.
AnswerB

NSO requires a compatible NED for each device model and OS version to translate service models.

Why this answer

B is correct because Cisco NSO uses Network Element Drivers (NEDs) to translate service models into device-specific CLI, SNMP, or NETCONF commands. Each NED is tied to a specific device OS version (e.g., IOS-XE 16.12, NX-OS 9.3), so mismatched NEDs cause configuration failures or incomplete deployments. Without a compatible NED, NSO cannot communicate with or configure the device.

Exam trap

The trap here is that candidates assume NSO relies exclusively on NETCONF or YANG for all devices, overlooking the critical role of OS-version-specific NEDs in enabling multi-protocol, multi-vendor automation.

How to eliminate wrong answers

Option A is wrong because NSO does not require NETCONF for all devices; it supports multiple southbound protocols including CLI, SNMP, and RESTCONF, with NEDs abstracting the protocol details. Option C is wrong because YANG models are not hand-coded by the team for each device; NSO uses pre-built NEDs that contain YANG models, and custom YANG models are only needed for service design, not device compatibility. Option D is wrong because NSO is vendor-agnostic and supports multi-vendor environments through NEDs for devices from Cisco, Juniper, Arista, and others.

259
MCQmedium

A company is consolidating its storage network into a single fabric using a Cisco MDS 9509. They want to use VSANs to isolate different departments. The VSANs will be 10, 20, and 30. They have a single ISL between two MDS switches. The engineers want to carry all three VSANs over the ISL. They configure both ends of the ISL as E ports and enable trunking. After configuration, they notice that only VSAN 10 traffic passes over the ISL. The other VSANs appear isolated. The show vsan membership shows all three VSANs are present on both switches. The show interface trunk on the ISL shows that the trunk is up but only VSAN 10 is allowed. What is the most likely cause?

A.The other VSANs are not configured on the trunk interface
B.The allowed VSAN list on the trunk port is limited to only VSAN 10
C.The trunk mode is set to 'on' instead of 'desirable'/'auto'
D.The ISL is in an error-disabled state for VSAN 20 and 30
AnswerB

The allowed VSAN list must be explicitly configured to include VSAN 20 and 30.

Why this answer

The 'show interface trunk' output shows that only VSAN 10 is in the allowed list, so the allowed-VSAN list on the trunk port must be extended to include VSAN 20 and 30 ('switchport trunk allowed vsan add 20', and likewise for 30) on both ends of the ISL. Trunk mode on an MDS is on, off or auto (there is no 'desirable'); it only decides whether trunking is negotiated, it does not limit which VSANs are carried. An isolated or error-disabled VSAN shows up as a distinct state in the trunk output, and per-interface VSAN membership applies to F/FL ports, not to trunking E ports.
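The following is an added MDS configuration example, not text from the original page, for the two ISL questions above: a trunking E-port port channel that carries VSANs 10, 20 and 30 (question 259) and a per-VSAN load-balancing setting that hashes on exchange ID rather than only SID/DID (question 250). Interface numbers and VSAN IDs are assumed; the same configuration is applied on both switches.

```nxos
! Trunking E-port port channel; the allowed list must include every VSAN the ISL carries
interface port-channel 1
  switchport mode E
  switchport trunk mode on
  channel mode active
  switchport trunk allowed vsan 10
  switchport trunk allowed vsan add 20
  switchport trunk allowed vsan add 30
  no shutdown

! Four member links; 'force' copies the channel's parameters onto the members
interface fc1/1-4
  switchport mode E
  switchport trunk mode on
  channel-group 1 force
  no shutdown

! Load balancing is configured per VSAN; exchange-based hashing spreads flows
! between the same host/target pair across all members (src-dst-ox-id is the default,
! shown here explicitly for a VSAN that had been set to src-dst-id)
vsan database
  vsan 20 loadbalancing src-dst-ox-id

! Verification: which VSANs are up on the trunk, member state, and the VSAN's scheme
show interface port-channel 1 trunk vsan
show port-channel database
show vsan 20
```

The 'trunk vsan' output lists allowed, up and isolated VSANs separately; a VSAN that is allowed on one end but not the other shows as isolated, which is the state question 259 describes. Changing the load-balancing scheme of a VSAN is disruptive to that VSAN's traffic, so schedule it.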

260
MCQmedium

A Cisco MDS switch is configured with two VSANs. Hosts in VSAN 1 cannot communicate with hosts in VSAN 2. What is the most likely reason?

A.The IVR is not configured.
B.The VSANs are not connected through an IVR zone.
C.The FC domain ID is conflicting.
D.The switch does not support multi VSAN.
E.The hosts are on different switches.
AnswerB

IVR zones define which devices can communicate across VSANs. Without these zones, traffic is isolated.

Why this answer

By default, VSANs are isolated from each other, meaning traffic cannot cross VSAN boundaries. Inter-VSAN Routing (IVR) must be explicitly configured to allow communication between hosts in different VSANs. Without IVR, hosts in VSAN 1 and VSAN 2 remain in separate fabrics and cannot communicate, even if they are connected to the same switch.

Exam trap

Cisco often tests the misconception that VSANs are like VLANs and can communicate by default, but in Fibre Channel fabrics, VSANs are fully isolated unless IVR is explicitly configured.

How to eliminate wrong answers

Option A is too general to be the best answer: enabling the IVR feature by itself allows nothing; the specific construct that permits two devices in different VSANs to see each other is an IVR zone in an activated IVR zone set, which is what option B names. Option C is wrong because conflicting FC domain IDs would cause problems within a single VSAN or between switches in the same VSAN, not between different VSANs. Option D is wrong because the Cisco MDS switch supports multiple VSANs natively; the inability to communicate between VSANs is by design, not a lack of support.

Option E is wrong because hosts on different switches can still communicate if they are in the same VSAN or if IVR is configured; the issue here is the VSAN boundary, not the physical switch location.

261
MCQhard

An engineer is designing a SAN for a virtualized environment with 20 hosts and 4 storage arrays. Each host requires a separate zone per storage array for security. What is the minimum number of zones required?

A.40
B.20
C.80
D.100
AnswerC

20 hosts * 4 arrays = 80 zones.

Why this answer

Each host needs its own zone per array, so 20 hosts * 4 arrays = 80 single-initiator, single-target zones, which is also the zoning best practice. Option B (20) assumes one zone per host containing all four arrays, which exposes every array in a host's zone and violates the per-array requirement. Option A (40) would cover only two arrays per host. Option D (100) exceeds the required count.

262
MCQhard

Refer to the exhibit. An engineer is troubleshooting poor FCoE performance. The exhibit shows output from the FCoE interface. Which observation indicates a potential issue?

A.PFC frames received is high compared to PFC frames sent
B.The CRC error count is zero
C.Data frames are 1500 bytes, which is too small for FCoE
D.The admin port mode is F instead of NP
AnswerA

Receiving many pause frames implies the peer is congested or PFC mismatch.

Why this answer

The exhibit shows 152 PFC frames received against zero sent, which means the peer is pausing this interface: either the peer is congested or the PFC priorities do not match on the two ends. Option A is correct. Option B (zero CRC errors) is a healthy counter, not a problem. Option C: the data frame size shown is not by itself an error indicator. Option D (admin mode F) is the normal mode for a port facing an end device; NP applies only to a switch operating in NPV mode.

263
MCQmedium

In an FCoE deployment, a storage administrator needs to ensure that FCoE traffic is carried over a dedicated VLAN. Which configuration is required on a Cisco Nexus switch?

A.Configure the VLAN as a private VLAN.
B.Assign the VLAN as an access VLAN to the interface.
C.Enable FIP snooping and map the FCoE VLAN to a VSAN.
D.Configure the VLAN as a native VLAN on the FCoE interface.
AnswerC

FIP snooping is needed for FCoE; mapping FCoE VLAN to VSAN isolates traffic.

Why this answer

Option C is correct. The FCoE VLAN is mapped one-to-one to a VSAN ('fcoe vsan' under the VLAN), which keeps FCoE frames in a dedicated VLAN/VSAN pair, and FIP snooping (or FIP handling on an FCF) governs which ENodes may use it. Option A is wrong because a private VLAN has no role in FCoE. Option B is wrong because the FCoE VLAN is carried tagged on a trunk toward the CNA, not as an access VLAN. Option D is wrong because the FCoE VLAN must not be the native VLAN on the Ethernet trunk; FCoE frames have to be tagged.

264
MCQhard

A storage administrator is troubleshooting FCoE performance issues between a Cisco UCS FI and a storage array. The fabric is configured with FIP snooping and DCB. The administrator checks the FCoE interface counters and sees many dropped frames due to 'no buffer space'. What is the most likely root cause?

A.Jumbo frames are disabled on the switch ports
B.The FCoE VLAN is not trunked to the storage array
C.FIP snooping is not enabled on the FCoE VLAN
D.Priority flow control settings are mismatched between the upstream switch and the storage array
AnswerD

PFC mismatch can cause buffer exhaustion and drops.

Why this answer

The 'no buffer space' drops on FCoE interfaces indicate that the receive buffers are being exhausted, which is a classic symptom of Priority Flow Control (PFC) being misconfigured or mismatched between the upstream switch and the storage array. PFC (IEEE 802.1Qbb) is essential for lossless FCoE transport; if one side sends pause frames that the other does not honor, or if the PFC priorities are not aligned, buffers overflow and frames are dropped. This directly explains the observed counter behavior.

Exam trap

Cisco often tests the distinction between 'no buffer space' drops (caused by PFC/flow control mismatches) and other drop types like 'output drops' or 'CRC errors', leading candidates to incorrectly blame jumbo frames or VLAN issues.

How to eliminate wrong answers

Option A is wrong because FCoE needs an MTU of at least 2158 bytes (commonly 2240, or full 9216 jumbo) to carry a maximum-size FC frame, and a too-small MTU produces oversize or MTU drops, not 'no buffer space' drops. Option B is wrong because the FCoE VLAN not being trunked would result in no FCoE connectivity at all, not buffer exhaustion drops. Option C is wrong because FIP snooping is a security feature that prevents unauthorized FCoE devices from joining the fabric; its absence could allow rogue devices but does not cause buffer drops due to PFC mismatches.
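The following is an added Nexus 5000 configuration example, not text from the original page, for the two FCoE questions above: a dedicated FCoE VLAN mapped to a VSAN with a vfc interface bound to the CNA-facing port (question 263), plus the default lossless QoS policies and explicit PFC on that port, together with the counters to check when 'no buffer space' drops appear (question 264). VLAN, VSAN and interface numbers are assumed values.

```nxos
! Enable FCoE and the platform's default FCoE QoS policies (PFC on the FCoE class, MTU 2158)
feature fcoe
system qos
  service-policy type qos input fcoe-default-in-policy
  service-policy type queuing input fcoe-default-in-policy
  service-policy type queuing output fcoe-default-out-policy
  service-policy type network-qos fcoe-default-nq-policy

! Dedicated FCoE VLAN mapped one-to-one to a VSAN (IDs assumed)
vsan database
  vsan 100
vlan 100
  fcoe vsan 100

! Ethernet port toward the CNA: trunk carrying the FCoE VLAN (never as native), STP edge, PFC on
interface Ethernet1/10
  switchport mode trunk
  switchport trunk allowed vlan 1,100
  spanning-tree port type edge trunk
  priority-flow-control mode on
  no shutdown

! Virtual FC interface bound to the Ethernet port and placed in the VSAN
interface vfc10
  bind interface Ethernet1/10
  switchport trunk allowed vsan 100
  no shutdown
vsan database
  vsan 100 interface vfc10

! Verification: VLAN-to-VSAN map, vfc state, PFC negotiation and per-port counters
show vlan fcoe
show interface vfc10
show interface Ethernet1/10 priority-flow-control
show interface Ethernet1/10 counters detailed
```

If 'priority-flow-control' shows PFC operational on this side while the peer reports it off, or the enabled priority differs (the FCoE class uses CoS 3 in the default policy), the lossless guarantee is broken on that link and the 'no buffer space' drops in question 264 follow. The queuing policy is named 'fcoe-default-in-policy' for both the qos and queuing types on this platform; that is not a typo.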

265
MCQmedium

For consistent multi-data-center automation, which tool is best suited to orchestrate both NX-OS and ACI across sites?

A.Cisco NSO
B.Puppet
C.Ansible
D.Chef
AnswerA

NSO is built for service orchestration across multiple domains including NX-OS and ACI.

Why this answer

Cisco NSO (Network Services Orchestrator) is the correct tool because it provides multi-domain, multi-vendor orchestration with native support for both NX-OS and ACI through its Network Element Drivers (NEDs). NSO uses a model-driven approach with YANG data models and NETCONF/RESTCONF protocols to manage configuration consistency across distributed data centers, enabling service-level abstraction and closed-loop automation that other tools lack.

Exam trap

Cisco often tests the distinction between configuration management tools (Puppet, Chef, Ansible) and true orchestration platforms (NSO), trapping candidates who assume any automation tool can handle multi-site consistency without understanding NSO's model-driven, stateful orchestration and NED architecture.

How to eliminate wrong answers

Option B (Puppet) is wrong because it is a configuration management tool that relies on a master-agent model with its own DSL, lacking native support for ACI's APIC REST API or NX-OS's NX-API without extensive custom modules, and it does not provide multi-site orchestration capabilities. Option C (Ansible) is wrong because while it can automate NX-OS and ACI via modules, it is a task-based automation tool without a centralized state database or service orchestration layer, making it unsuitable for consistent multi-data-center orchestration across sites. Option D (Chef) is wrong because it is a configuration management tool using Ruby-based recipes and cookbooks, which requires significant custom development to interface with ACI's REST API and NX-OS, and it lacks the built-in multi-site service orchestration and network abstraction that NSO provides.

266
MCQhard

An engineer is configuring FCoE on a Cisco Nexus 5000 switch. The switch connects to a Fibre Channel storage array. The FCoE Initialization Protocol (FIP) snooping must be enabled. What is the effect of enabling FIP snooping?

A.It enables the switch to terminate FCoE VLANs.
B.It provides FC-BB_6 compliant FCoE traffic forwarding.
C.It enables the switch to act as an FCoE forwarder.
D.It constructs a database of ENode MAC addresses and FC-MAPs.
E.It allows the switch to enforce zone-based policy for FCoE traffic.
AnswerD

FIP snooping monitors FIP frames to build a database of authorized devices.

Why this answer

FIP snooping on a Cisco Nexus 5000 switch constructs a database of ENode MAC addresses and FC-MAPs by inspecting FIP discovery, advertisement, and login frames. This database is used to enforce FCoE traffic only between authorized ENodes and FCFs, preventing rogue devices from injecting FCoE traffic. It does not terminate FCoE VLANs, act as an FCoE forwarder, or enforce zone-based policies directly.

Exam trap

Cisco often tests the distinction between FIP snooping (a security feature that builds a database of MAC-to-FC-MAP bindings) and FCoE forwarding (which requires an FCF), leading candidates to mistakenly think snooping enables forwarding or termination.

How to eliminate wrong answers

Option A is wrong because FIP snooping does not terminate FCoE VLANs; VLAN termination is a function of an FCoE forwarder (FCF) or a bridge, not a snooping feature. Option B is wrong because FC-BB_6 compliance is a standard for FCoE operation, but FIP snooping itself does not provide compliant forwarding; it only monitors and filters FIP frames to secure the fabric. Option C is wrong because FIP snooping does not enable the switch to act as an FCoE forwarder; an FCoE forwarder is a separate entity that performs encapsulation and forwarding, while snooping is a passive security mechanism.

Option E is wrong because zone-based policy enforcement for FCoE traffic is handled by the Fibre Channel zoning configuration on the FCF or SAN fabric, not by FIP snooping on the switch.

267
Multi-Selectmedium

Which TWO security features are used to prevent MAC address flooding attacks on a Cisco Nexus switch? (Choose two.)

Select 2 answers
A.Port Security
B.IP Source Guard
C.Control Plane Policing
D.DHCP Snooping
E.BPDU Guard
AnswersA, D

Port Security limits the number of MAC addresses per port.

Why this answer

Port Security (A) is correct because it limits the number of MAC addresses allowed on a switch port, preventing MAC flooding attacks by dropping frames from unknown source MACs once the limit is exceeded. DHCP Snooping (D) is correct because it builds a trusted database of IP-to-MAC bindings from DHCP messages, which can be used to validate traffic and prevent MAC spoofing that often accompanies flooding attacks.

Exam trap

Cisco often tests the distinction between features that directly prevent MAC flooding (Port Security, DHCP Snooping) versus features that mitigate related spoofing attacks (IP Source Guard, Dynamic ARP Inspection), leading candidates to mistakenly select IP Source Guard.

268
MCQmedium

An engineer notices that after a reboot of one UCS fabric interconnect (FI-A), the server traffic fails over to FI-B but never fails back to FI-A even after FI-A is fully operational. Which configuration change would ensure automatic failback?

A.Change the 'Backup Link' policy to 'Active/Active'
B.Change the 'Backup Link' policy to 'Primary/Secondary'
C.Change the 'Backup Link' policy to 'Active/Standby'
D.Change the 'Backup Link' policy to 'Failover Only'
AnswerA

Active/Active mode allows automatic failback

Why this answer

The 'Backup Link' policy in UCS determines how uplink ports behave during failover and failback. Setting it to 'Active/Active' allows both FIs to actively forward traffic, and when the failed FI recovers, the server traffic automatically fails back because the policy does not designate a permanent primary or standby role. This ensures symmetric traffic flow without manual intervention.

Exam trap

Cisco often tests the misconception that 'Active/Standby' is a valid Backup Link policy, when in fact the only two options are 'Active/Active' and 'Primary/Secondary', and candidates confuse the failover behavior of the server vNIC policy with the uplink Backup Link policy.

How to eliminate wrong answers

Option B is wrong because 'Primary/Secondary' designates one FI as primary and the other as secondary, which prevents automatic failback after the primary recovers; traffic remains on the secondary until manual action is taken. Option C is wrong because 'Active/Standby' is not a valid UCS Backup Link policy; the correct term is 'Active/Active' or 'Primary/Secondary', and 'Active/Standby' would imply a standby role that blocks automatic failback. Option D is wrong because 'Failover Only' is not a valid UCS Backup Link policy; the actual options are 'Active/Active' and 'Primary/Secondary', and a 'Failover Only' concept would not allow failback at all.

269
MCQeasy

A network engineer is configuring DHCP snooping on a Cisco Nexus 9000 switch to prevent rogue DHCP server attacks. The switch connects to the legitimate DHCP server on Ethernet 1/1. Clients are connected to ports Ethernet 1/2 through 1/24. The engineer enables DHCP snooping globally and on VLAN 10, but clients are unable to obtain IP addresses from the DHCP server. Other connectivity between clients and the server works (e.g., static IPs). What is the most likely cause and solution?

A.Disable DHCP snooping as it is not needed in this topology.
B.Configure a static DHCP binding for each client on the switch.
C.Ethernet 1/1 is untrusted by default. Configure it as trusted with 'ip dhcp snooping trust' and verify DHCP snooping is enabled on VLAN 10.
D.Add 'ip dhcp snooping information option' on Ethernet 1/1 to allow DHCP option 82.
Answer: C

Correct. DHCP snooping requires the port towards the trusted server to be set as trusted to allow server messages.

Why this answer

By default, all interfaces on a Cisco Nexus 9000 switch are untrusted for DHCP snooping. The legitimate DHCP server is connected to Ethernet 1/1, which must be explicitly configured as trusted using the 'ip dhcp snooping trust' interface command. Without this, the switch discards DHCP server messages (OFFER, ACK) received on that port, preventing clients from obtaining IP addresses even though DHCP snooping is enabled globally and on VLAN 10.

Exam trap

Cisco often tests the default untrusted state of all interfaces in DHCP snooping, leading candidates to assume that enabling snooping globally and on a VLAN is sufficient without configuring trust on the server-facing port.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a necessary security feature to block rogue DHCP servers; disabling it would leave the network vulnerable and does not address the misconfiguration. Option B is wrong because static DHCP bindings are used for IP Source Guard or to map client MAC addresses to IP addresses, not to allow DHCP server messages through an untrusted port. Option D is wrong because the 'ip dhcp snooping information option' (DHCP option 82) is used to insert relay agent information and is not required for basic DHCP snooping trust; it is typically used in DHCP relay scenarios, not for directly connected servers.

270
MCQ · medium

A company is deploying a new storage network using Cisco MDS 9700 switches. They have multiple host servers and storage arrays. The security policy requires that each host can only access its own LUNs. The solution must be efficient and not require reconfiguration when new hosts are added. Which approach best meets these requirements?

A.Traditional zone-based zoning with pWWNs
B.VSAN zoning
C.FSPF metric tuning
D.Smart Zoning
Answer: D

Smart Zoning reduces zone objects and simplifies management by automatically handling LUN masking.

Why this answer

Smart Zoning reduces the number of zone objects and simplifies management by automatically handling LUN masking based on initiator-target pairs. Traditional zoning would require manual zone creation for each new host. VSAN zoning is not a real concept, and FSPF is a routing protocol.

271
Multi-Select · medium

A data center team is implementing configuration automation for a fleet of Nexus 9000 switches. They need a solution that supports idempotent configuration, works well with version control, and does not require an agent on the switches. Which two tools should they consider?

Select 2 answers
A.Puppet
B.Chef
C.Ansible
D.Python with Paramiko
E.Cisco NSO
Answers: C, E

Ansible is agentless, uses SSH/NX-API, and its playbooks are idempotent and version-controllable.

Why this answer

Ansible and Cisco NSO are both agentless and support idempotent configurations with version control. Puppet and Chef require agents, and Python with Paramiko does not inherently support idempotency.

272
MCQ · hard

An iSCSI SAN is experiencing performance issues. The storage array and initiators are connected via a dedicated VLAN. The network team notices high jitter. What is the most effective mitigation?

A.Use multiple iSCSI sessions per initiator
B.Configure link aggregation between switches
C.Enable jumbo frames on all switches
D.Implement QoS to give iSCSI traffic higher priority
Answer: D

Correct: QoS reduces jitter by prioritizing iSCSI traffic.

Why this answer

Option D is correct because iSCSI depends on TCP, and jitter causes retransmissions; QoS can prioritize iSCSI traffic to reduce jitter. Option C is incorrect because jumbo frames help throughput, not jitter. Option B is incorrect because LAGs improve bandwidth, not jitter. Option A is incorrect because multiple iSCSI sessions per initiator (multipathing) provide redundancy, not jitter reduction.

273
MCQ · hard

An engineer receives an error 'XML namespace mismatch' when using NETCONF to configure a Nexus switch. The YANG model used is from the Cisco NX-OS openconfig model. What is the most likely cause?

A.The namespace in the XML payload does not match the YANG model
B.The switch is running in VM mode
C.The YANG model is not supported on this switch version
D.The NETCONF session is not authenticated
Answer: A

Directly causes the namespace mismatch error.

Why this answer

The 'XML namespace mismatch' error occurs when the namespace URI declared in the XML payload does not match the namespace defined in the YANG module. NETCONF uses the namespace to identify the correct YANG model for parsing the configuration data. If the namespace in the XML does not exactly match the one in the Cisco NX-OS openconfig YANG model, the switch rejects the operation with this specific error.

Exam trap

Cisco often tests the distinction between namespace mismatch errors and other NETCONF failures (like unsupported model or authentication), so candidates mistakenly choose 'unsupported model' when the error message explicitly points to a namespace issue.

How to eliminate wrong answers

Option B is wrong because VM mode (virtual machine mode) does not affect XML namespace validation; it is a licensing or operational mode that does not change NETCONF protocol behavior. Option C is wrong because if the YANG model were unsupported, the error would typically be 'data model not supported' or 'capability not advertised', not a namespace mismatch. Option D is wrong because an unauthenticated NETCONF session would fail at the session establishment phase (e.g., 'authentication failed' or 'session rejected'), not during payload processing with a namespace-specific error.

274
MCQ · hard

An organization deploys compute resources using both UCS B-Series blades and C-Series rack servers. The network uses Cisco ACI. Which approach ensures consistent connectivity policies across both compute types?

A.Use a single EPG with appropriate encapsulation for both
B.Create separate EPGs for blade and rack servers
C.It is not possible to have consistent policies between blade and rack
D.Use a physical domain for blades and a VMM domain for rack servers
Answer: A

Single EPG ensures consistent policy application

Why this answer

Option A is correct because Cisco ACI allows a single Endpoint Group (EPG) to span both UCS B-Series blades and C-Series rack servers by using the appropriate encapsulation (e.g., VLAN or VXLAN) and associating the EPG with both a physical domain (for blades connected via Fabric Interconnects) and a VMM domain (for rack servers managed by VMware vCenter). This ensures consistent connectivity policies, such as contracts and QoS, are applied uniformly across all compute types without requiring separate EPGs.

Exam trap

Cisco often tests the misconception that different compute types (blade vs. rack) require separate EPGs, when in fact a single EPG can span multiple domains to enforce consistent policies, and the trap here is assuming that physical and VMM domains are mutually exclusive rather than complementary.

How to eliminate wrong answers

Option B is wrong because creating separate EPGs for blade and rack servers would fragment policy enforcement, requiring duplicate contracts and filters, which contradicts the goal of consistent connectivity policies. Option C is wrong because it is entirely possible to have consistent policies between blade and rack servers using a single EPG with appropriate domain associations, as supported by Cisco ACI's unified policy model. Option D is wrong because using a physical domain for blades and a VMM domain for rack servers is a valid approach to associate the EPG with both compute types, but the statement incorrectly implies they must be used separately; in fact, both domains can be attached to the same EPG to achieve consistency.

275
MCQ · easy

Which best practice should be followed when creating a UCS service profile template for stateless computing?

A.Assign MAC and WWN addresses from pools
B.Use local storage on each server for boot images
C.Configure Windows Server NIC teaming for all vNICs
D.Define MAC addresses directly in the service profile
Answer: A

Pools enable auto-assignment and stateless operation

Why this answer

Stateless computing in UCS requires that all server identity information, such as MAC addresses and WWNs, be abstracted away from the hardware and assigned dynamically from pools. This allows the service profile to be applied to any compatible blade or rack server without manual reconfiguration, enabling rapid provisioning and seamless hardware replacement. Defining these addresses directly in the profile or using static assignments would break the stateless model by tying the profile to specific hardware.

Exam trap

Cisco often tests the misconception that stateless computing means you can hardcode identities like MAC addresses for consistency, when in fact the opposite is true—pools are essential to maintain the stateless abstraction.

How to eliminate wrong answers

Option B is wrong because stateless computing relies on centralized boot from SAN or network storage, not local storage, to ensure that server identity and data are independent of the physical hardware; using local storage would reintroduce statefulness. Option C is wrong because Windows Server NIC teaming is a guest OS-level configuration that should be handled separately from the UCS service profile, which manages vNIC failover via fabric failover or pinning at the infrastructure layer. Option D is wrong because defining MAC addresses directly in the service profile defeats the purpose of stateless computing by creating a hard dependency on specific addresses, preventing the profile from being reused across different servers without conflict.

276
MCQ · medium

In a Cisco ACI fabric, a new EPG is created and associated with a bridge domain that has 'Unicast Routing' enabled. However, endpoints in that EPG cannot communicate with endpoints in other EPGs in the same VRF. What is missing?

A.The EPG must be attached to a Layer 3 outside
B.The bridge domain must have 'L3 Unknown Multicast Flooding' set
C.A contract between the EPGs
D.A route leak between bridge domains
Answer: C

Inter-EPG communication requires a contract; without it, packets are dropped.

Why this answer

In Cisco ACI, communication between EPGs within the same VRF is not allowed by default; it requires a contract. A contract defines the policies (allow/deny) and filters for traffic between EPGs. Without a contract, all traffic is dropped, even if the bridge domain has unicast routing enabled.

Option C is correct because the missing element is the contract that explicitly permits inter-EPG communication.

Exam trap

Cisco often tests the misconception that enabling unicast routing on a bridge domain is sufficient for inter-EPG communication, when in fact contracts are mandatory in ACI to allow any traffic between EPGs.

How to eliminate wrong answers

Option A is wrong because attaching a Layer 3 outside is used for external connectivity (e.g., to a router or WAN), not for enabling communication between EPGs within the same VRF. Option B is wrong because 'L3 Unknown Multicast Flooding' controls how unknown multicast traffic is handled (flood or forward to a multicast router), not unicast routing between EPGs. Option D is wrong because route leaking between bridge domains is not a native ACI concept; inter-EPG routing within the same VRF is handled by the ACI fabric automatically via the contract policy, not by explicit route leaks.

277
MCQ · medium

Refer to the exhibit. The server in slot 2 is associated and working. A new server is inserted into slot 1, but after 30 minutes it remains in 'Unassigned' state. What is the most likely reason?

A.The service profile is already associated with another server.
B.The server is not powered on.
C.The server's CIMC firmware is not compatible with the Fabric Interconnect firmware.
D.The Fabric Interconnect ports are not configured as server ports.
Answer: C

Incompatibility can cause discovery to fail, leaving the slot unassigned.

Why this answer

The server in slot 1 remains in 'Unassigned' state because its CIMC firmware is incompatible with the Fabric Interconnect firmware. In Cisco UCS, the CIMC on each blade must match a supported firmware version for the Fabric Interconnect to discover and manage the server. When firmware versions are mismatched, the server cannot transition to the 'Associated' state and stays 'Unassigned'.

Exam trap

Cisco often tests the distinction between 'Unassigned' (server not discovered/manageable) and 'Unassociated' (server discovered but not bound to a service profile), leading candidates to incorrectly attribute the issue to service profile association or power state.

How to eliminate wrong answers

Option A is wrong because if the service profile were already associated with another server, the new server would show as 'Unassociated' (available for association) or would fail association, not remain 'Unassigned' — the 'Unassigned' state indicates the server is not yet discovered or manageable. Option B is wrong because a server not powered on would still be discovered by the Fabric Interconnect and appear in a 'Discovered' or 'Unassociated' state; power state does not prevent the server from being assigned a service profile. Option D is wrong because Fabric Interconnect ports configured as server ports are required for server connectivity, but if they were misconfigured, the existing server in slot 2 would also be affected and not working — the exhibit shows slot 2 is associated and working, so port configuration is correct.

278
MCQ · easy

Refer to the exhibit. What is the current state of the VPC domain?

A.VPC domain not configured
B.Peer-link down
C.Consistency check failed
D.Operational
Answer: D

All fields indicate normal operation.

Why this answer

The exhibit shows the output of 'show vpc' with the vPC domain ID set to 100, the peer-keepalive link status as 'Active', and the peer-link status as 'up'. The vPC role is 'primary' and the operational status is listed as 'operational', which indicates that the vPC domain is fully functional and all consistency checks have passed. Therefore, the current state is operational.

Exam trap

Cisco often tests the distinction between the peer-link being 'up' and the vPC domain being 'operational', where candidates may incorrectly assume a peer-link failure when the domain is actually operational, or confuse a consistency check failure with a peer-link issue.

How to eliminate wrong answers

Option A is wrong because the output clearly shows a vPC domain ID of 100, peer-keepalive link status as 'Active', and peer-link status as 'up', indicating the domain is configured. Option B is wrong because the peer-link status is explicitly shown as 'up' in the output, not down. Option C is wrong because the operational status is 'operational' and there is no indication of a consistency check failure; a failed consistency check would show a 'failed' or 'suspended' status for the vPC.

279
MCQ · hard

Refer to the exhibit. The configuration is intended to provide Layer 2 isolation within VLAN 100 while allowing the promiscuous port (Ethernet 1/1) to communicate with all ports in the community VLAN. However, hosts in VLAN 100 cannot communicate with each other. What is the most likely misconfiguration?

A.The SVI interface needs 'ip address' to be removed.
B.The SVI interface should have 'private-vlan mapping' to the primary VLAN, not the community VLAN.
C.The 'switchport private-vlan association trunk' command on Ethernet 1/1 is incorrect; it should be 'switchport private-vlan association mapping' or similar.
D.The command 'no ip redirects' should not be applied to the SVI.
Answer: C

The association command syntax is likely wrong; it should map the secondary VLAN to the promiscuous port.

Why this answer

The command 'switchport private-vlan association trunk' is invalid for configuring a promiscuous port in a private VLAN. The correct command is 'switchport private-vlan mapping primary-vlan-id secondary-vlan-id' to map the promiscuous port to the primary VLAN and the secondary community VLAN. Without this correct mapping, the promiscuous port cannot forward traffic to hosts in the community VLAN, causing Layer 2 isolation to fail.

Exam trap

Cisco often tests the distinction between 'private-vlan association' (used on trunk ports) and 'private-vlan mapping' (used on promiscuous or host ports), leading candidates to confuse the two commands and misapply them.

How to eliminate wrong answers

Option A is wrong because removing the IP address from the SVI would break Layer 3 routing for VLAN 100, which is not required for Layer 2 isolation; the SVI IP is needed for management or routing, and its presence does not affect private VLAN behavior. Option B is wrong because the 'private-vlan mapping' on the SVI should map the primary VLAN to the secondary community VLAN (e.g., 'private-vlan mapping 100 200'), not the community VLAN to the primary; the given syntax is correct in intent, but the issue is on the promiscuous port, not the SVI. Option D is wrong because 'no ip redirects' is a security feature that disables ICMP redirects and does not impact private VLAN isolation or host-to-host communication within a community VLAN.

280
Matching · medium

Match each Cisco ACI component to its role.

Central controller for policy management

Leaf-to-leaf connectivity and fabric backplane

Top-of-rack switch connecting servers to fabric

Endpoint group for policy application

Bridge domain for Layer 2 forwarding context

Why these pairings

ACI architecture is built on these components for policy-driven automation.

281
Drag & Drop · medium

Arrange the steps to create a service profile template in Cisco UCS Manager.

Why this order

Service profile template requires UUID pool, vNIC template, profile creation, server pool association, and assignment.

282
Multi-Select · medium

Which THREE are benefits of using Cisco UCS Manager to manage compute resources? (Choose three.)

Select 3 answers
A.Centralized management of multiple chassis
B.Direct management of virtual machines
C.Policy-based provisioning to automate server deployment
D.Improved performance by disabling hardware features
E.Unified fabric for LAN and SAN traffic
Answers: A, C, E

UCS Manager manages up to 160 chassis.

Why this answer

Option A is correct because Cisco UCS Manager provides a single-pane-of-glass management interface that can centrally manage up to 160 chassis (including UCS 5108 and UCS 9508) in a single domain. This eliminates the need to configure each chassis individually, reducing operational overhead and ensuring consistent configuration across the entire compute infrastructure.

Exam trap

Cisco often tests the distinction between what UCS Manager directly manages (physical compute and fabric) versus what it integrates with (hypervisors for VMs), so candidates mistakenly think UCS Manager can manage VMs because of its integration with VMware vCenter.

283
MCQ · medium

An organization is deploying a new leaf-spine fabric with Cisco ACI. The requirement is to allow inter-tenant communication between two EPGs in different tenants. Which configuration object is necessary to enable this communication?

A.A common VRF that spans both tenants.
B.A filter that permits the required traffic.
C.A bridge domain that connects both EPGs.
D.A shared contract between the two EPGs.
Answer: D

Contracts define allowed communication; shared contracts work across tenants.

Why this answer

In Cisco ACI, inter-tenant communication between EPGs in different tenants requires a shared contract. A contract defines the rules (filters) that permit traffic between EPGs, and when it is marked as 'shared,' it can be consumed by EPGs across tenant boundaries. This allows the provider EPG in one tenant to expose services to a consumer EPG in another tenant without merging the tenants' VRFs or bridge domains.

Exam trap

Cisco often tests the misconception that a shared VRF or bridge domain is required for inter-tenant communication, but the correct mechanism is a shared contract that applies policy across tenant boundaries without merging the underlying network constructs.

How to eliminate wrong answers

Option A is wrong because a common VRF spanning both tenants is not a configuration object for inter-tenant communication; VRFs are tenant-scoped and cannot be shared across tenants—each tenant has its own private VRF namespace. Option B is wrong because a filter alone only defines the traffic type (e.g., TCP port 80) but does not provide the policy framework (contract) needed to permit traffic between EPGs; a filter must be part of a contract. Option C is wrong because a bridge domain connects EPGs within the same tenant and VRF, not across tenants; inter-tenant communication requires a contract, not a shared bridge domain.

284
Drag & Drop · medium

Order the steps to upgrade the software on a Cisco Nexus switch using ISSU.

Why this order

ISSU requires image copy, boot variable, compatibility check, upgrade command, and reload.

285
MCQ · easy

An organization has deployed a Cisco UCS B-Series blade server with a Fabric Interconnect pair. The administrator is tasked with deploying a new server for a critical application. The administrator creates a service profile from an existing template that includes vNIC, vHBA, and storage policies. The blade is located in chassis 2, slot 1. The administrator attempts to associate the profile with this blade but fails with the error: 'No suitable compute resource available.' The administrator verifies that the blade's firmware is updated, that the blade is not already associated with another profile, and that it has sufficient memory and CPU. What is the most likely cause?

A.The blade's firmware version is incompatible with the service profile.
B.The blade is in the wrong chassis slot.
C.The server pool policy is not assigned to the service profile template.
D.The vNIC/vHBA policies in the service profile have invalid MAC/WWN assignments.
Answer: C

Without a server pool, UCS Manager cannot determine which blade to use for the association, leading to the 'No suitable compute resource available' error.

Why this answer

The error 'No suitable compute resource available' typically occurs when the service profile is configured to use a server pool, but no server pool policy is assigned to the service profile template. Without a server pool, the Fabric Interconnect cannot identify which blades are eligible for association, even if the blade itself is available and meets hardware requirements. Assigning a server pool policy to the template ensures that blades in the specified pool (e.g., chassis 2, slot 1) are considered as valid compute resources.

Exam trap

Cisco often tests the concept that 'No suitable compute resource available' is not about hardware faults or firmware mismatches but about the absence of a server pool policy in the service profile template, which candidates may overlook because they focus on verifying blade hardware readiness.

How to eliminate wrong answers

Option A is wrong because the administrator already verified that the blade's firmware is updated, and firmware incompatibility would typically generate a different error (e.g., 'Firmware version mismatch') rather than 'No suitable compute resource available.' Option B is wrong because the blade's location (chassis 2, slot 1) is explicitly specified in the service profile association attempt, and the error is not about physical slot constraints but about logical resource selection. Option D is wrong because invalid MAC/WWN assignments would cause a policy validation failure or association error related to network/storage configuration, not a 'no suitable compute resource' error, which is specifically about the blade not being found in the available resource pool.

286
Multi-Select · easy

Which two VXLAN control plane options are supported on Cisco Nexus 9000 switches? (Choose two.)

Select 2 answers
A.Multicast
B.OTV
C.Static VXLAN tunnel
D.OpenFlow
E.MP-BGP EVPN
Answers: A, E

Traditional VXLAN uses multicast for BUM traffic and MAC learning.

Why this answer

VXLAN on Cisco Nexus 9000 switches supports both multicast-based control plane (using IGMP/PIM to flood BUM traffic) and MP-BGP EVPN (RFC 7432) as the control plane for distributing MAC/VTEP reachability. Multicast is the traditional method for handling BUM traffic in VXLAN fabrics, while MP-BGP EVPN provides a more scalable, standards-based control plane with host route advertisement and multi-tenancy.

Exam trap

Cisco often tests the distinction between VXLAN control plane options and other overlay technologies (like OTV) or configuration methods (like static tunnels), leading candidates to confuse supported control planes with unrelated features.

287
Multi-Select · easy

A storage network engineer is designing a Fibre Channel SAN with two Cisco MDS switches in a single VSAN. The design requires that if one switch fails, the storage traffic continues to flow without manual intervention. Which two technologies should be implemented?

Select 2 answers
A.NPV
B.Port channels
C.VSAN trunking
D.IVR
E.Fibre Channel multipathing
Answers: B, E

Port channels provide link redundancy but not switch-level redundancy.

Why this answer

Fibre Channel multipathing (E) is correct because it enables multiple physical paths between initiators and targets, allowing storage traffic to continue automatically if one switch fails. This is typically implemented using multipathing software (e.g., EMC PowerPath, native OS MPIO) that load-balances and fails over across redundant SAN fabrics without manual intervention.

Exam trap

Cisco often tests the misconception that Port channels (B) provide switch-level redundancy, but they only protect against link failures, not a complete switch failure, which requires multipathing across separate fabrics.

288
MCQ · hard

Refer to the exhibit. The CoPP policy above is applied. Which traffic is most likely to be dropped?

A.Both ICMP and class-default traffic that exceed their rates
B.ICMP traffic that exceeds 1000 bps
C.class-default traffic that exceeds 20000 bps
D.OSPF traffic that exceeds 5000 bps
Answer: B

The ICMP class drops packets that exceed the police rate.

Why this answer

Option B is correct because the CoPP policy explicitly defines a class-map for ICMP traffic with a police rate of 1000 bps. Any ICMP traffic exceeding this rate is dropped due to the 'drop' action in the police command. The other classes (OSPF and class-default) have higher rates and are not as constrained, making ICMP the most likely to be dropped when exceeded.

Exam trap

Cisco often tests the misconception that all traffic exceeding its policed rate is equally likely to be dropped, but the trap here is that the lowest policed rate (ICMP at 1000 bps) is the most restrictive and thus the most likely to be exceeded and dropped, not the higher-rate classes.

How to eliminate wrong answers

Option A is wrong because the class-default traffic is policed at 20000 bps, which is a much higher rate than ICMP's 1000 bps, so class-default is less likely to be dropped unless it significantly exceeds its rate; ICMP is the primary concern. Option C is wrong because class-default traffic has a police rate of 20000 bps, which is 20 times higher than ICMP's rate, making it less likely to be dropped under typical traffic loads. Option D is wrong because OSPF traffic is policed at 5000 bps, which is 5 times higher than ICMP's rate, and OSPF control traffic is typically low-volume, so it is not the most likely to be dropped.

289
MCQ · hard

A UCS administrator notices that a server in a UCS domain is not booting from SAN after a firmware upgrade. The service profile shows the correct WWPN and boot policy. The SAN switch sees the initiator login. However, the storage array does not see any initiator attempts. What is the most likely issue?

A.The boot policy is missing the primary SAN target
B.The WWPN is duplicated on another initiator
C.The zone alias on the SAN switch does not match the initiator WWPN
D.The VSAN membership is incorrect on the fabric interconnect
Answer: C

The zone alias mismatch would allow login (since zoning is based on WWPN) but the storage may not see the initiator if zones are misconfigured.

Why this answer

The SAN switch sees the initiator login, but the storage array does not see any initiator attempts. This indicates that the Fibre Channel fabric is blocking the initiator's WWPN from reaching the storage target, typically because the zone configuration on the SAN switch does not include the initiator's WWPN or the zone alias does not match the actual WWPN. Since the service profile and boot policy are correct, and the VSAN membership is functional (the switch sees the login), the most likely issue is a zoning mismatch on the SAN switch.

Exam trap

Cisco often tests the distinction between fabric-level visibility (FLOGI success) and zone-level communication (PLOGI/PRLI failure) to trick candidates into assuming the issue is with the boot policy or VSAN membership rather than zoning.

How to eliminate wrong answers

Option A is wrong because the boot policy is confirmed correct in the question, and a missing primary SAN target would cause the server to fail to find the boot LUN, but the storage array would still see initiator attempts if zoning were correct. Option B is wrong because a duplicate WWPN would cause login conflicts or fabric segmentation, but the SAN switch sees the initiator login successfully, ruling out duplication. Option D is wrong because incorrect VSAN membership would prevent the fabric interconnect from seeing the initiator login at all, but the SAN switch does see the login, indicating VSAN membership is functional.

290
Matching · medium

Match each Cisco MDS FC switch feature to its purpose.

Virtual SAN for isolating Fibre Channel traffic

Access control between initiators and targets

Routing protocol for Fibre Channel fabric

Fibre Channel over IP for remote connectivity

Inter-VSAN routing for selective communication

Why these pairings

These features are key for managing Fibre Channel SANs.

291
MCQ · hard

An engineer is troubleshooting a SAN performance issue. The MDS switch shows high CRC errors on an F port. The host is connected via a 16 Gbps FC link. The errors increase when the host sends large I/O. What is the most likely cause?

A.The host's HBA firmware is outdated.
B.The zone configuration is incorrect.
C.The host is experiencing buffer credit starvation.
D.The switch port is configured for 8 Gbps.
E.The cable length exceeds the supported distance for 16 Gbps.
Answer: E

16 Gbps FC has shorter reach; long cables cause CRC errors, especially under heavy load.

Why this answer

At 16 Gbps Fibre Channel, signal integrity degrades over long cable distances, causing bit errors that manifest as CRC errors on the F port. The error increase with large I/O is characteristic of marginal signal quality, as larger frames are more likely to encounter corrupted bits. Option E correctly identifies that the cable length exceeds the supported distance for 16 Gbps, typically 10 meters for OM3 multimode fiber or 100 meters for OM4, depending on the transceiver type.

Exam trap

Cisco often tests the distinction between physical-layer errors (CRC, running disparity) and higher-layer issues (buffer credits, zoning), so the trap here is that candidates confuse buffer credit starvation (a flow-control problem) with CRC errors (a signal-integrity problem).

How to eliminate wrong answers

Option A is wrong because outdated HBA firmware typically causes link instability or negotiation failures, not CRC errors that scale with I/O size. Option B is wrong because zone configuration errors cause connectivity or login issues, not CRC errors on an established link. Option C is wrong because buffer credit starvation causes performance degradation (e.g., reduced throughput) due to lack of credits, not CRC errors; CRC errors indicate physical-layer issues.

Option D is wrong because if the switch port were configured for 8 Gbps, the link would negotiate to 8 Gbps and CRC errors would not increase with large I/O at 16 Gbps; the symptom would be a speed mismatch, not CRC errors.

292
Multi-Select · hard

Which THREE statements accurately describe FCIP (Fibre Channel over IP) configurations on Cisco MDS switches?

Select 3 answers
A. FCIP uses VE_port (Virtual E_port) interfaces to connect to the FC fabric
B. FCIP requires IPsec for security over public networks
C. FCIP can be used in conjunction with Fibre Channel port channels
D. FCIP compression reduces the latency of the IP transport
E. FCIP can be configured on a GigabitEthernet interface
Answers: A, C, E

VE_ports terminate FCIP tunnels.

Why this answer

Options A, C, and E are correct. FCIP uses Virtual E_ports (VE_ports) to connect to the FC fabric (A). FCIP can be combined with FC port channels to provide redundancy and load balancing (C). FCIP can be configured on a Gigabit Ethernet interface (E). Option B is wrong: IPsec is optional, not required. Option D is wrong: compression reduces the bandwidth consumed on the IP transport, not its latency.

293
MCQ · medium

Two Cisco Nexus 9000 switches are connected via Ethernet interface 1/1. The engineer wishes to secure the link using MACsec (IEEE 802.1AE) with a pre-shared key for connectivity association key (CAK) protection. Both switches have the same hardware and software version supporting MACsec. The engineer configures the following on both switches:

  feature macsec
  macsec policy MACSEC_POLICY
    cipher-suite gcm-aes-128
    security-mode no-encrypt
    mka sak-rekey-time 30
  interface ethernet 1/1
    macsec policy MACSEC_POLICY

However, the link comes up without MACsec encryption (the port counter shows MACsec frames dropped). The engineer checks that the pre-shared key is configured correctly via 'macsec key-chain' but notices it was not explicitly applied. What is the most likely reason for MACsec failing to establish?

A. Both switches must have the same MACsec profile name.
B. The interface must be put in a 'macsec' mode with 'switchport macsec'.
C. The MACsec key chain must be created and referenced in the macsec policy, and the MKA policy must be applied to the interface with 'macsec mka policy'.
D. The 'feature macsec' command is not enabled, so MACsec is not operational.
Answer: C

Correct. A key chain must be defined and linked to the policy, and the MKA policy must be explicitly applied under the interface.

Why this answer

Option C is correct because MACsec on Cisco Nexus 9000 switches requires a key chain to be defined and explicitly referenced within the MACsec policy. Without the 'key-chain' command under the 'macsec policy', the pre-shared key (CAK) is not available for MKA (MACsec Key Agreement) to derive session keys. Additionally, the MKA policy must be applied to the interface using 'macsec mka policy' to enable the key agreement protocol; simply enabling MACsec on the interface without these steps leaves the link unsecured, causing MACsec frames to be dropped.

Exam trap

Cisco often tests the requirement that a key chain must be explicitly referenced in the MACsec policy and that an MKA policy must be applied to the interface, tricking candidates into thinking that simply enabling MACsec on the interface with a policy is sufficient.

How to eliminate wrong answers

Option A is wrong because the MACsec profile name does not need to match on both switches; only the key chain parameters (e.g., key string) must match for MKA to succeed. Option B is wrong because 'switchport macsec' is not a valid command on Nexus 9000; the interface is placed into MACsec mode by applying the MACsec policy directly with 'macsec policy' under the interface. Option D is wrong because 'feature macsec' is correctly enabled in the configuration, so MACsec is operational at the feature level; the failure is due to missing key chain and MKA policy application, not the feature being disabled.

294
MCQ · hard

In a VXLAN EVPN multi-tier design, which feature ensures traffic between leaf switches takes the optimal path without hair-pinning through a spine?

A. Anycast gateway
B. Type-2 routes
C. ECMP
D. ARP suppression
Answer: C

ECMP enables load distribution across multiple spines, avoiding hair-pinning.

Why this answer

C is correct because Equal-Cost Multipath (ECMP) in a VXLAN EVPN multi-tier design allows leaf switches to load-balance traffic across multiple equal-cost spine paths, ensuring that traffic between leaf switches takes the most direct route without being forced to hair-pin through a spine. ECMP leverages the underlying IP fabric's routing to forward VXLAN-encapsulated packets over any available spine, avoiding suboptimal forwarding that would occur if a single spine were used as a relay.

Exam trap

Cisco often tests the misconception that Anycast Gateway or ARP suppression directly influences inter-leaf forwarding paths, when in fact ECMP is the mechanism that enables optimal multi-path routing in the underlay to avoid hair-pinning.

How to eliminate wrong answers

Option A is wrong because Anycast Gateway (e.g., using the same IP and MAC on multiple VTEPs) is designed to provide first-hop redundancy and optimal host-to-gateway forwarding, not to prevent hair-pinning of leaf-to-leaf traffic through a spine. Option B is wrong because Type-2 routes (MAC/IP advertisement routes) are used in EVPN to advertise host reachability and MAC-to-IP bindings, not to influence the path selection between leaf switches. Option D is wrong because ARP suppression is a feature that reduces broadcast traffic by caching ARP replies on the VTEP, but it does not affect the forwarding path or prevent hair-pinning through a spine.

295
Multi-Select · hard

Which THREE are characteristics of Cisco TrustSec? (Select exactly 3)

Select 3 answers
A. Uses SGTs to enforce policy
B. Requires Cisco ISE
C. Operates at Layer 2
D. Uses CTS auth-proxy
E. Requires MACsec encryption
Answers: A, C, D

SGTs are central to TrustSec for classifying and enforcing access policies.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to enforce access control policies based on user, device, or workload identity rather than IP addresses. SGTs are assigned during authentication and carried in Ethernet frames (via Cisco Meta Data or inline tagging) to allow scalable, identity-based policy enforcement throughout the network.

Exam trap

Cisco often tests the misconception that TrustSec requires ISE or MACsec, but the core characteristics are SGT-based policy enforcement, Layer 2 operation, and the CTS auth-proxy mechanism for legacy device support.

296
Multi-Select · hard

An engineer is troubleshooting a performance issue on a Cisco MDS 9700 switch. The 'show interface fc1/1' output shows CRC errors incrementing slowly. The interface is connected to a storage array. Which two actions should the engineer take to resolve the issue?

Select 2 answers
A. Increase the MTU size on the interface.
B. Replace the fiber optic cable and SFP.
C. Enable BB_credit recovery on the interface.
D. Clear the interface counters.
E. Change the interface speed from auto to a fixed value.
Answers: B, C

Faulty cables or SFPs are common causes of CRC errors.

Why this answer

CRC errors on a Fibre Channel interface typically indicate physical-layer issues such as faulty cabling, damaged SFPs, or dirty optical connectors. Replacing the fiber optic cable and SFP (Option B) directly addresses the most common root cause of CRC errors. Additionally, enabling BB_credit recovery (Option C) helps mitigate performance degradation caused by buffer credit starvation, which can manifest as CRC-like symptoms in some scenarios.

Exam trap

Cisco often tests the distinction between physical-layer errors (CRC) and flow-control issues (BB_credit), tempting candidates to choose a single answer when both a physical fix and a protocol-level tuning are required.

297
MCQ · hard

Refer to the exhibit. What is the most likely cause of neighbor 10.1.1.3 being stuck in EXSTART?

A. Duplicate router ID.
B. OSPF network type mismatch.
C. MTU mismatch between the interfaces.
D. The interface is configured as passive.
Answer: C

MTU mismatch prevents DBD packets from being sent successfully.

Why this answer

In OSPF, the EXSTART state indicates that neighbors are negotiating the master/slave relationship and exchanging Database Description (DBD) packets. If the MTU of the interface on one side is larger than the MTU on the other, the larger DBD packet will be silently dropped, preventing the neighbor from progressing past EXSTART. This is a classic symptom of an MTU mismatch, as the OSPF adjacency will remain stuck in EXSTART or EXCHANGE.

Exam trap

Cisco often tests the MTU mismatch trap by having candidates confuse it with a network type mismatch, but the key differentiator is that MTU issues cause the adjacency to stall specifically in EXSTART/EXCHANGE, while network type mismatches prevent the adjacency from forming past INIT/2WAY.

How to eliminate wrong answers

Option A is wrong because a duplicate router ID would cause the adjacency to flap or remain in INIT/2WAY, not EXSTART, as OSPF detects the duplicate during the Hello exchange. Option B is wrong because an OSPF network type mismatch (e.g., broadcast vs. point-to-point) typically results in neighbors stuck in INIT or 2WAY, not EXSTART, due to mismatched Hello/dead intervals or DR/BDR election issues. Option D is wrong because a passive interface suppresses OSPF Hellos entirely, preventing any neighbor discovery, so the adjacency would never reach EXSTART.

298
MCQ · medium

A data center engineer is configuring a Cisco UCS C-Series server with a hardware RAID controller. The server will host a critical database. The RAID controller supports RAID 0, 1, 5, 6, and 10. Which RAID level should be chosen to provide the best combination of performance and fault tolerance?

A. RAID 10
B. RAID 6
C. RAID 5
D. RAID 0
Answer: A

RAID 10 combines mirroring and striping, offering both performance and fault tolerance.

Why this answer

RAID 10 (striping of mirrors) provides the best combination of performance and fault tolerance for a critical database workload. It offers high read/write performance through striping and full redundancy via mirroring, allowing up to one disk failure per mirrored pair without data loss. This is ideal for a Cisco UCS C-Series server with a hardware RAID controller where both I/O throughput and availability are paramount.

Exam trap

Cisco often tests the misconception that RAID 5 or RAID 6 offers 'good enough' performance for databases, but parity-based RAID levels introduce significant write penalties that degrade transactional throughput, making RAID 10 the correct choice for critical database workloads.

How to eliminate wrong answers

Option B (RAID 6) is wrong because while it offers dual parity and can tolerate two disk failures, its write performance is significantly degraded due to double parity calculations, making it unsuitable for a performance-sensitive database. Option C (RAID 5) is wrong because its single parity provides lower fault tolerance and suffers from a write penalty during parity updates, which can bottleneck database transactions. Option D (RAID 0) is wrong because it offers no fault tolerance; any single disk failure results in complete data loss, which is unacceptable for a critical database.

299
MCQ · medium

A network administrator wants to prevent IP spoofing attacks on a data center access switch. The switch has IP Source Guard enabled on the client-facing ports. Which condition must be met for IP Source Guard to work properly?

A. DHCP snooping must be disabled on the VLAN.
B. DHCP snooping must be enabled on the VLAN and the port must be untrusted.
C. All clients must use DHCP; static IPs are not supported.
D. Dynamic ARP Inspection must be enabled first.
Answer: B

IP Source Guard uses the DHCP snooping binding table on untrusted ports.

Why this answer

IP Source Guard uses a binding table created by DHCP snooping to validate the source IP address of packets received on a port. For IP Source Guard to work, DHCP snooping must be enabled on the VLAN, and the client-facing port must be configured as an untrusted port so that DHCP snooping can populate the binding table with valid DHCP lease information. Without this binding table, IP Source Guard has no source IP-to-MAC mapping to enforce.

Exam trap

Cisco often tests the dependency between IP Source Guard and DHCP snooping, specifically that DHCP snooping must be enabled on the VLAN and the port must be untrusted, leading candidates to incorrectly assume DHCP snooping must be disabled or that static IPs are unsupported.

How to eliminate wrong answers

Option A is wrong because DHCP snooping must be enabled on the VLAN to build the IP-to-MAC binding table that IP Source Guard relies on; disabling DHCP snooping would leave the binding table empty, causing IP Source Guard to drop all traffic. Option C is wrong because IP Source Guard supports static IP assignments if a static binding is manually configured using the 'ip source binding' command; it does not require all clients to use DHCP. Option D is wrong because Dynamic ARP Inspection (DAI) is a separate security feature that also depends on DHCP snooping, but IP Source Guard does not require DAI to be enabled first; both features can operate independently as long as DHCP snooping is active.

300
MCQ · easy

A network engineer is configuring VLAN ACLs on a Cisco Nexus 9000 switch to enforce traffic filtering between VLANs. Which configuration step is required to apply a VACL to a VLAN?

A. Apply the VACL to a Layer 3 interface using 'ip access-group'.
B. Apply the VACL to a physical port using 'mac access-group'.
C. Define a VLAN access-map and then apply it under the VLAN configuration.
D. Use the 'vlan filter' command in global configuration mode.
Answer: D

'vlan filter' applies the VACL to a specific VLAN.

Why this answer

Option D is correct because VACLs on Cisco Nexus 9000 switches are applied using the 'vlan filter' command in global configuration mode, which references a VLAN access-map. This command binds the access-map to a specific VLAN, enabling Layer 2 traffic filtering between VLANs without requiring a Layer 3 interface.

Exam trap

Cisco often tests the distinction between applying an ACL to an interface versus applying a VACL to a VLAN, and the trap here is that candidates mistakenly think a VLAN access-map is applied directly under the VLAN configuration (like 'vlan 10' mode) rather than using the global 'vlan filter' command.

How to eliminate wrong answers

Option A is wrong because 'ip access-group' applies an IP ACL to a Layer 3 interface (SVI or routed port), not a VACL, and VACLs are not applied to Layer 3 interfaces. Option B is wrong because 'mac access-group' applies a MAC ACL to a physical port for Layer 2 traffic filtering on that port, not to a VLAN for inter-VLAN filtering. Option C is wrong because while defining a VLAN access-map is a necessary step, it must be applied using the 'vlan filter' command in global configuration mode, not under the VLAN configuration (the 'vlan' config mode does not support applying access-maps directly).
