Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 301–375

500 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301
Drag & Drop (medium)

Sequence the steps to configure a VXLAN with BGP EVPN on a Cisco Nexus switch.


Why this order

VXLAN EVPN requires overlay feature, VNI mapping, VTEP loopback, BGP peering, and verification.

302
MCQ (hard)

A large enterprise data center has a disaster recovery site 100 km away. The SAN uses two MDS 9700 series switches at each site, connected via a dedicated dark fiber. Each link operates at 16 Gbps with a round-trip time of 2 ms. Recently, backup jobs to the remote storage array have been failing with timeout errors. The backup server is local to Site A, but the backup target is in Site B. The link utilization never exceeds 40%, and no errors are reported on the interfaces. The engineer suspects the issue is related to buffer credits. The current buffer credit count on the ISL is 16. The engineer calculates that for 16 Gbps over 100 km (2 ms RTT), they need at least 200 credits to maintain full throughput. Which action is most appropriate to resolve the issue?

A. Enable NPIV on the ISL ports to allow multiple logins.
B. Increase the buffer-to-buffer credit count to 300 on the ISL interfaces.
C. Configure the ISL to operate at 8 Gbps to reduce the buffer credit requirement.
D. Implement FCIP over the existing dark fiber to offload buffer credit management.
Answer: B

More credits allow more frames in flight, avoiding timeout and maintaining throughput.

Why this answer

Increasing buffer credits resolves the timeout issue caused by credit starvation, so option B is correct. Option D is wrong because the links are physically direct; FCIP is not needed.

Option A is wrong because NPIV is not related to buffer credits. Option C is wrong because reducing speed lowers performance.

303
Multi-Select (easy)

Which TWO features are used to validate ARP packets and prevent ARP spoofing attacks? (Select exactly 2)

A. IP Source Guard
B. Private VLANs
C. Dynamic ARP Inspection
D. Port Security
E. DHCP Snooping
Answers: C, E

DAI intercepts and validates ARP packets.

Why this answer

Dynamic ARP Inspection (DAI) is correct because it validates ARP packets by checking them against the DHCP snooping binding database, ensuring that only legitimate ARP replies and requests are forwarded. This prevents ARP spoofing attacks where an attacker sends falsified ARP messages to associate their MAC address with the IP address of a legitimate device.

Exam trap

Cisco often tests the distinction between features that validate ARP packets (DAI) versus features that validate IP packets (IP Source Guard) or limit MAC addresses (Port Security), causing candidates to confuse the scope of each security mechanism.

304
MCQ (medium)

A company is deploying a new Cisco UCS Mini with a single Fabric Interconnect 6324. They need to connect to an existing Fibre Channel SAN. Which action is required to enable Fibre Channel connectivity?

A. Enable NPV mode on the Fabric Interconnect to connect to the SAN.
B. Install a Fibre Channel module in the Fabric Interconnect.
C. Add a Cisco MDS 9148S Fibre Channel switch and connect it to the Fabric Interconnect via FC uplinks.
D. Configure the uplink Ethernet ports as unified ports to support Fibre Channel.
Answer: C

A dedicated FC switch provides SAN connectivity for UCS Mini.

Why this answer

The Cisco UCS Mini with a single Fabric Interconnect 6324 does not have native Fibre Channel ports; it only supports Ethernet uplinks. To connect to an existing Fibre Channel SAN, an external Fibre Channel switch (such as the Cisco MDS 9148S) must be added, and the Fabric Interconnect connects to it via FC uplinks, which are typically configured as unified ports. This allows the UCS Mini to leverage the MDS switch for Fibre Channel connectivity, as the 6324 itself cannot directly terminate Fibre Channel links.

Exam trap

Cisco often tests the misconception that the UCS Fabric Interconnect 6324 can directly connect to a Fibre Channel SAN by simply enabling NPV mode or using unified ports, but the key trap is that the 6324 lacks native Fibre Channel ports and requires an external Fibre Channel switch (like the MDS) to bridge the FCoE traffic to the FC SAN.

How to eliminate wrong answers

Option A is wrong because NPV (N_Port Virtualization) mode is used on a Fibre Channel switch to connect to an upstream SAN fabric, but the Fabric Interconnect 6324 does not have native Fibre Channel ports to run NPV; NPV is configured on the MDS switch, not the UCS Fabric Interconnect. Option B is wrong because the Fabric Interconnect 6324 does not support a Fibre Channel module; it only has fixed Ethernet ports and unified ports that can be configured for Fibre Channel, but no expansion module slot for FC. Option D is wrong because while unified ports can be configured on the 6324 to support Fibre Channel, they only provide connectivity to a downstream FCoE or FC device, not directly to a Fibre Channel SAN; the unified ports must be connected to an external Fibre Channel switch (like the MDS) to reach the SAN fabric.

305
MCQ (hard)

In an ACI fabric, an EPG is configured with a contract that allows HTTP traffic to an external network. The external network is reachable via a Layer 3 Outside. However, HTTP traffic from the EPG fails. What is the most likely cause?

A. The subject action is set to deny
B. The L3Out and the EPG are in different VRFs
C. The filter uses the wrong direction
D. The contract is applied to the consumer EPG instead of the provider
Answer: B

ACI contracts only work within the same VRF. If the L3Out is in a different VRF, route leaking is required.

Why this answer

Option B is correct because in Cisco ACI, communication between an EPG and an external network via a Layer 3 Outside requires both to be in the same VRF. If the EPG and the L3Out are in different VRFs, the contract cannot be enforced, and traffic will fail even if the contract allows HTTP. The VRF provides the routing and policy enforcement boundary for the contract.

Exam trap

Cisco often tests the misconception that a contract alone is sufficient for inter-VRF communication, but in ACI, contracts are VRF-scoped and cannot bridge different VRFs without additional configuration like a VRF route leak or a shared service contract.

How to eliminate wrong answers

Option A is wrong because if the subject action were set to deny, the contract would explicitly block HTTP traffic, but the question states the contract allows HTTP, so the action is not deny. Option C is wrong because the filter direction (e.g., from consumer to provider) is correctly configured in the contract; the issue is not about direction but about VRF mismatch preventing any policy application. Option D is wrong because applying the contract to the consumer EPG instead of the provider is a valid configuration; the consumer EPG typically consumes the contract, and the provider EPG provides the service, so this would not cause a failure if the contract is correctly applied to the consumer.

306
MCQ (easy)

A data center architect is designing a SAN with two MDS switches using VSANs. Which method ensures traffic isolation between departments while allowing sharing of a tape library?

A. Use FCIP tunnels for each department.
B. Create separate VSANs and merge them for the tape library.
C. Create separate VSANs for each department and a shared VSAN for the tape library with inter-VSAN routing (IVR).
D. Use one VSAN for all departments and one zone for each department.
Answer: C

IVR allows selective sharing between VSANs.

Why this answer

Multiple VSANs isolate traffic, and a shared tape library can be placed in a common VSAN with appropriate zones, so option C is correct. Option D is wrong because a single VSAN does not isolate.

Option B is wrong because merging VSANs loses isolation. Option A is wrong because FCIP is for distance.

307
MCQ (hard)

A Cisco UCS upgrade from release 3.1(1) to 4.0(4) is planned. The current release has a known issue that affects NVRAM backup. What is the best practice to avoid an outage during this upgrade?

A. Perform a cold reboot of all Fabric Interconnects before starting.
B. Upgrade all components simultaneously to reduce transition time.
C. Upgrade the firmware on the chassis first, then the Fabric Interconnects.
D. Upgrade to an intermediate release that is recommended for the upgrade path.
Answer: D

Most major upgrades require stepping through an intermediate release.

Why this answer

Option D is correct because Cisco UCS firmware upgrades must follow a supported upgrade path to avoid incompatibilities and known issues. Skipping directly from 3.1(1) to 4.0(4) is not supported; an intermediate release (e.g., 3.2(x) or 4.0(1)) is required to resolve the NVRAM backup issue and ensure a seamless upgrade without service disruption.

Exam trap

Cisco often tests the concept of supported upgrade paths and intermediate releases, trapping candidates who assume direct upgrades are always possible or that component order can be rearranged arbitrarily.

How to eliminate wrong answers

Option A is wrong because a cold reboot of all Fabric Interconnects before starting would cause an immediate outage, defeating the purpose of avoiding downtime; the upgrade process itself handles reboots gracefully. Option B is wrong because upgrading all components simultaneously violates Cisco's recommended sequential upgrade order (Fabric Interconnects first, then chassis IOMs, then servers) and increases the risk of configuration mismatches and extended downtime. Option C is wrong because the chassis firmware should be upgraded after the Fabric Interconnects, not before, as the Fabric Interconnects control the management plane and must be at a compatible version first.

308
MCQ (medium)

A UCS administrator notices that a service profile associated with a vNIC template that uses 'fabric failover' is not failing over to the secondary Fabric Interconnect when the primary link goes down. The vNIC template is set to 'fabric failover' enabled, and both Fabric Interconnects are in the same VLAN. What is the most likely cause?

A. The 'Primary Fabric' setting is not defined in the vNIC template.
B. The server is pinned to the primary Fabric Interconnect via a pin group.
C. The MTU size on the secondary Fabric Interconnect is set to 1500 instead of 9000.
D. The 'MAC Address' policy is set to 'pool-based' instead of 'static'.
Answer: A

The primary fabric must be selected in the vNIC template for failover to function correctly.

Why this answer

When 'fabric failover' is enabled on a vNIC template, the UCS Manager requires the 'Primary Fabric' setting to be explicitly defined to determine which Fabric Interconnect (FI-A or FI-B) should be the active path. Without this setting, the system cannot properly orchestrate the failover behavior, causing the vNIC to remain pinned to the primary FI even when its link goes down. This is a common misconfiguration because the 'fabric failover' checkbox alone does not imply a primary fabric assignment.

Exam trap

Cisco often tests the misconception that enabling 'fabric failover' alone is sufficient for automatic failover, when in fact the 'Primary Fabric' field must also be explicitly configured to define the active path.

How to eliminate wrong answers

Option B is wrong because, although a pin group explicitly pins a server to a specific Fabric Interconnect and would prevent failover by design (overriding the vNIC template's 'fabric failover' setting), the most likely cause here is the missing 'Primary Fabric' definition, not the presence of a pin group. Option C is wrong because an MTU mismatch (1500 vs 9000) affects jumbo frame support and packet fragmentation, not the failover mechanism between Fabric Interconnects. Option D is wrong because the MAC Address policy (pool-based vs static) determines how MAC addresses are assigned to vNICs, but it has no impact on fabric failover behavior.

309
MCQ (easy)

Which control plane protection mechanism should be configured to limit the rate of BGP updates destined to the CPU of a Nexus 9000 switch to prevent CPU overload?

A. VLAN Access Control Lists (VACLs)
B. Control Plane Policing (CoPP)
C. EtherChannel load balancing
D. Switched Port Analyzer (SPAN)
Answer: B

CoPP rate-limits control plane packets.

Why this answer

Control Plane Policing (CoPP) is the correct mechanism because it directly filters and rate-limits control plane traffic, such as BGP updates, before it reaches the CPU of a Nexus 9000 switch. By applying a CoPP policy, you can protect the CPU from being overwhelmed by excessive BGP updates, ensuring stability and preventing denial-of-service conditions.

Exam trap

Cisco often tests the distinction between data plane and control plane mechanisms, and the trap here is that candidates may confuse VACLs (data plane filtering) with CoPP (control plane policing), assuming any ACL can protect the CPU.

How to eliminate wrong answers

Option A is wrong because VLAN Access Control Lists (VACLs) filter traffic within the data plane at the VLAN level, not the control plane, and cannot rate-limit BGP updates destined to the CPU. Option C is wrong because EtherChannel load balancing distributes data traffic across aggregated links to improve bandwidth and redundancy, but it has no mechanism to police or limit control plane traffic like BGP updates. Option D is wrong because Switched Port Analyzer (SPAN) is used for port mirroring traffic to a monitoring device for analysis, not for filtering or rate-limiting control plane packets to the CPU.

310
Drag & Drop (medium)

Arrange the steps to recover a lost admin password on a Cisco Nexus switch.


Why this order

Password recovery involves boot interruption, register change, boot, password reset, and save.

311
MCQ (easy)

A network engineer is troubleshooting high CPU utilization on a Nexus 9000 switch. Which command is most useful to identify the process consuming the most CPU?

A. show processes cpu history
B. show process cpu sort
C. show system resources
D. show cpu usage
Answer: B

This command sorts processes by CPU usage, allowing identification of the most intensive process.

Why this answer

Option B is correct because the 'show process cpu sort' command on Nexus 9000 switches displays the current CPU utilization sorted by the process consuming the most CPU, allowing the engineer to quickly identify the top CPU consumer. This command provides a real-time, sorted list of processes with their CPU usage percentages, which is directly useful for troubleshooting high CPU utilization.

Exam trap

Cisco often tests the distinction between 'show processes cpu' (which lists all processes unsorted) and 'show process cpu sort' (which sorts by CPU usage); the trap here is that candidates may mistake 'show cpu usage' for a valid command or assume 'show system resources' provides process-level detail.

How to eliminate wrong answers

Option A is wrong because 'show processes cpu history' shows historical CPU utilization data in a graphical format over time, not the current processes consuming CPU, so it cannot identify the specific process causing the spike. Option C is wrong because 'show system resources' displays overall system resource usage (memory, CPU, buffers) but does not break down CPU usage by individual process, making it insufficient for pinpointing the culprit process. Option D is wrong because 'show cpu usage' is not a valid command on Nexus 9000 switches; the correct command for a summary of CPU usage is 'show processes cpu', which lists all processes but not sorted by CPU consumption.

312
MCQ (easy)

An NFS client is unable to write to a mounted export. The client can read files. What is the most likely cause?

A. Export permissions are read-only for the client
B. Network latency causing timeouts
C. Incorrect mount options (e.g., ro instead of rw)
D. NFS version mismatch
Answer: A

A read-only export allows reads but denies writes.

Why this answer

Option A is correct because write access requires proper permissions on both the export and the user. Option D is incorrect because the NFS version does not affect read/write. Option C is incorrect because mount options affect mounting, not file operations.

Option B is incorrect because network issues would prevent both read and write.

313
MCQ (medium)

A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?

A. The contract is configured only on the provider EPG, but the consumer EPG is not consuming the contract.
B. The contract is applied to the wrong VRF.
C. The filter direction is set to both, but the contract is using an incorrect filter.
D. The endpoints are in different VMM domains.
Answer: A

The consumer EPG must also consume the contract; otherwise, traffic is denied.

Why this answer

The most likely cause is that the contract is configured on the provider EPG but the consumer EPG is not configured to consume it. In Cisco ACI, a contract must be explicitly provided by one EPG and consumed by another for traffic to be permitted. If the consumer EPG does not have the contract applied, the contract will not be enforced, and traffic will be dropped even if the contract configuration appears correct.

The contract statistics showing no permitted packets confirm that the contract is not being applied to the traffic flow.

Exam trap

Cisco often tests the misconception that configuring a contract on the provider EPG alone is enough to permit traffic, when in fact the consumer EPG must also explicitly consume the contract for the policy to take effect.

How to eliminate wrong answers

Option B is wrong because applying a contract to the wrong VRF would prevent any communication between EPGs in different VRFs, but the contract statistics would show no packets at all, and the administrator would likely notice the VRF mismatch during configuration review. Option C is wrong because an incorrect filter direction or filter would still result in some packets being counted in contract statistics (e.g., denied packets), but the question states no packets have been permitted, indicating the contract itself is not being consumed. Option D is wrong because endpoints in different VMM domains can still communicate if the EPGs are in the same VRF and a contract is properly configured; VMM domain mismatch affects endpoint discovery and policy enforcement but does not directly cause contract statistics to show zero permitted packets.

314
MCQ (medium)

A Cisco MDS switch is configured with fabric binding to restrict which switches can join the fabric. A new switch is added, but it fails to establish an E-port connection. What is the most likely cause?

A. Incompatible SFP modules between the switches
B. Incorrect zoning configuration on the existing switch
C. The new switch has a higher priority than the principal switch
D. The new switch's WWN is not included in the fabric binding configuration
Answer: D

Fabric binding rejects unauthorized switches.

Why this answer

Option D is correct: fabric binding uses the switch WWN to allow or deny switches. If the new switch's WWN is not in the allowed list, the E-port will not come up. Option A is wrong: incompatible SFPs would cause link issues regardless of fabric binding.

Option B is wrong: zoning does not affect E-port formation. Option C is wrong: switch priority affects principal switch selection, not E-port formation.

315
MCQ (hard)

A data center deployment uses NPV mode on a Cisco MDS switch to connect to a core Fibre Channel switch. After configuration, the NPV switch does not register with the core. What is the most likely cause?

A. Fibre Channel ports are in trunk mode.
B. The core switch has NPV mode enabled.
C. NPIV is not enabled on the core switch.
D. The NPV switch has an incorrect domain ID.
Answer: C

The core switch must have NPIV enabled for NPV to work.

Why this answer

NPV (N_Port Virtualization) mode requires NPIV (N_Port ID Virtualization) to be enabled on the core Fibre Channel switch. NPIV allows a single physical N_Port to register multiple FCIDs (Fibre Channel IDs) for multiple virtual initiators behind the NPV switch. Without NPIV on the core, the NPV switch cannot complete the FLOGI (Fabric Login) process and will not register with the fabric.

Exam trap

Cisco often tests the distinction between NPV and NPIV, trapping candidates who confuse the two or assume that enabling NPV on both sides is required.

How to eliminate wrong answers

Option A is wrong because trunk mode on Fibre Channel ports (E_Port or TE_Port) is used for ISL (Inter-Switch Link) connections between core switches, not for NPV uplinks, which use NP_Ports. Option B is wrong because enabling NPV mode on the core switch would break the NPV architecture; NPV is only enabled on the edge switch (the NPV switch), while the core must operate in standard Fibre Channel switch mode (with NPIV enabled). Option D is wrong because domain IDs are assigned by the principal switch in the fabric and are not configured manually on NPV switches; NPV switches do not participate in domain ID distribution as they are not full switches in the fabric.

316
Multi-Select (easy)

Which two statements are true about Cisco TrustSec? (Choose two.)

A. It requires a Cisco ISE policy server
B. It requires 802.1X authentication
C. It provides encryption at Layer 2
D. It uses VLANs for segmentation
E. It uses SGTs for access control
Answers: A, E

ISE is the policy server that defines and distributes SGT-based policies.

Why this answer

Cisco TrustSec relies on a Cisco ISE policy server to define and enforce security policies based on Security Group Tags (SGTs). ISE acts as the centralized policy decision point, dynamically assigning SGTs to authenticated endpoints and distributing the SGT-to-IP bindings to network devices via SXP or inline tagging.

Exam trap

Cisco often tests the misconception that TrustSec requires 802.1X or provides mandatory encryption, when in fact 802.1X is just one of several authentication methods and encryption (MACsec) is an optional enhancement.

317
MCQ (easy)

Which FCoE component is responsible for encapsulating Fibre Channel frames into Ethernet frames?

A. FCoE module on the switch or adapter
B. FCoE Forwarder (FCF)
C. Virtual Fibre Channel interface (VFC)
D. VN interface
Answer: A

The FCoE module performs encapsulation/decapsulation.

Why this answer

The FCoE module on the switch or adapter is the component that performs the encapsulation of native Fibre Channel frames into Ethernet frames. This module handles the conversion by adding an Ethernet header, including the EtherType 0x8906 for FCoE, and managing the mapping of Fibre Channel constructs (e.g., VSANs) to VLANs. Without this module, Fibre Channel traffic cannot traverse an Ethernet network.

Exam trap

Cisco often tests the distinction between the component that performs encapsulation (FCoE module) and the logical interfaces or forwarding entities (VFC, VN, FCF) that rely on that encapsulation, leading candidates to confuse the control-plane role of the FCF or the logical nature of VFC/VN interfaces with the actual encapsulation function.

How to eliminate wrong answers

Option B (FCoE Forwarder or FCF) is wrong because the FCF is a control-plane device that provides Fibre Channel forwarding services (e.g., fabric login, name server) and connects FCoE VLANs to Fibre Channel SANs, but it does not perform the actual encapsulation of frames; that is done by the FCoE module. Option C (Virtual Fibre Channel interface or VFC) is wrong because a VFC is a logical interface that binds to an Ethernet interface and represents a Fibre Channel port in software, but it does not encapsulate frames; it relies on the underlying FCoE module for encapsulation. Option D (VN interface) is wrong because a VN interface is a virtual N_port (node port) that appears to the Fibre Channel stack as a standard N_port, but it is a logical construct that uses the FCoE module for encapsulation; it does not perform the encapsulation itself.

318
Multi-Select (easy)

Which TWO methods are supported for authenticating to the APIC REST API?

A. SAML authentication
B. Certificate-based authentication
C. Local AAA user (username/password)
D. RADIUS/TACACS+ authentication
E. LDAP authentication
Answers: B, C

X.509 certificates can be used for API authentication.

Why this answer

The APIC REST API supports certificate-based authentication (option B) and local AAA user authentication with a username and password (option C). Certificate-based authentication uses X.509 certificates for secure, non-interactive API access, while local AAA authentication relies on credentials stored directly on the APIC. Both methods are explicitly documented as valid for REST API calls.

Exam trap

Cisco often tests the distinction between authentication methods supported for the REST API versus those supported for management access (SSH, web GUI), leading candidates to incorrectly select RADIUS/TACACS+ or LDAP as valid REST API options.

319
Drag & Drop (medium)

Arrange the steps to configure a vPC domain on a pair of Cisco Nexus switches.


Why this order

vPC requires feature vPC, then domain creation, keepalive link, peer-link, and member ports.

320
MCQ (hard)

A company is deploying a multi-tenant environment with several virtualized hosts using NPIV. Each virtual machine requires its own WWPN. During testing, some VMs cannot log into the SAN. The MDS switch logs show 'FLOGI rejected: no available resources'. What is the most likely cause?

A. The maximum FC frame size is set incorrectly on the switch
B. The VSAN maximum number of devices has been reached
C. The zone set is full and cannot accept more members
D. The NPIV limit or the number of allowed logins has been exceeded on the upstream switch
Answer: D

By default, NPIV max logins may be hit with many VMs.

Why this answer

The error 'FLOGI rejected: no available resources' on an MDS switch in an NPIV environment indicates that the switch has exhausted its allocated resources for handling fabric logins (FLOGIs) from N_Port ID Virtualization (NPIV) initiators. NPIV allows multiple virtual WWPNs to share a single physical FC port, but each virtual login consumes a login resource on the upstream switch. When the NPIV limit or the maximum number of allowed logins per interface or per VSAN is exceeded, the switch rejects new FLOGIs, preventing VMs from logging into the SAN.

Exam trap

Cisco often tests the distinction between resource exhaustion (NPIV login limits) and configuration errors (zoning or VSAN device limits) by using the specific error message 'FLOGI rejected: no available resources', which candidates mistakenly attribute to zoning or VSAN device limits instead of NPIV login resource depletion.

How to eliminate wrong answers

Option A is wrong because the maximum FC frame size (e.g., 2112 bytes vs. 1024 bytes) affects data transmission efficiency and fragmentation, not the ability to perform a fabric login (FLOGI), which is a control-plane operation. Option B is wrong because the VSAN maximum number of devices (configurable via 'fabric-limit device-login-limit') would cause a different error, such as 'device not allowed' or 'login denied', not a resource exhaustion error for FLOGI. Option C is wrong because a full zone set prevents new zone members from being added or activated, but it does not block an existing zone member's FLOGI; the error 'FLOGI rejected: no available resources' is a login resource issue, not a zoning configuration issue.

321
MCQ (medium)

A network engineer is troubleshooting an OSPF adjacency issue between two Nexus switches. The neighbors are stuck in the EXSTART state. What is the most likely cause?

A. Hold timer mismatch
B. Incorrect area ID
C. MTU mismatch
D. Duplicate router ID
Answer: C

MTU mismatch leads to DBD packet rejection, keeping the neighbor in EXSTART.

Why this answer

An MTU mismatch prevents the exchange of Database Description packets, causing neighbors to remain in EXSTART. Other options cause different adjacency states.

322
MCQ (easy)

A small business has a Cisco MDS 9148S switch with a single fabric. Two hosts are connected to ports fc1/1 and fc1/2, and a storage array is connected to ports fc1/3 and fc1/4. The administrator wants to ensure that each host can only see its own assigned LUNs on the array. They have configured a zone for each host containing the host pWWN and the target pWWN for the respective LUNs. However, Host A is able to see Host B's LUNs. What is the most likely cause?

A. The zone is not active
B. The zones are not in the same VSAN
C. The target ports are using soft zoning
D. The zoning configuration is using a zone alias that includes both hosts
Answer: D

A zone alias containing both hosts would place them in the same zone, allowing cross-access.

Why this answer

The most likely cause is that the zoning configuration uses a zone alias that includes both hosts, causing unintended access. If zones were not active, no access would occur. Soft zoning is not a concept in MDS (hard zoning is used), and VSAN misconfiguration would isolate at a higher level.

323
Multi-Select (hard)

Which TWO statements about Cisco TrustSec in a data center environment are true? (Choose two.)

A. TrustSec requires MACsec encryption on all links to function.
B. Cisco ISE can dynamically assign SGTs to endpoints during authentication.
C. TrustSec uses Security Group Tags (SGTs) to enforce access control policies.
D. SGTs are assigned based on the source IP address of the traffic.
E. TrustSec policies are enforced at Layer 3 only.
Answers: B, C

ISE assigns SGTs as part of policy after authentication.

Why this answer

Cisco ISE can dynamically assign Security Group Tags (SGTs) to endpoints during authentication via 802.1X or MAB, enabling role-based access control. This is a core TrustSec feature where the SGT is propagated to the network infrastructure to enforce policies.

Exam trap

Cisco often tests the misconception that TrustSec requires MACsec or IP-based tagging, when in fact SGTs are identity-based and MACsec is optional; candidates may also incorrectly assume TrustSec is Layer 3 only, ignoring its Layer 2 enforcement capabilities.

324
MCQ (medium)

A data center engineer is using Cisco Intersight to manage a hybrid infrastructure that includes UCS servers and HyperFlex clusters. The engineer needs to deploy a new server profile to a UCS domain that is claimed in Intersight. The profile includes a firmware policy that specifies version 4.1(3c) for the motherboard and 5.0(3a) for the storage controller. The target server is a C-Series rack mount server currently running firmware version 4.0(2a) on the motherboard. After deploying the profile, the server goes into a 'Pending' state and does not become 'Selectable'. The engineer checks the UCS Manager and sees that the server is in 'Discovery Failed' state. The engineer has verified that network connectivity is fine and the CIMC is accessible. What should the engineer do to resolve this?

A.Ensure that the firmware policy in Intersight is consistent with the current firmware on the server.
B.Remove the server from Intersight inventory and re-claim it.
C.Reset the server's CIMC to factory defaults and re-discover it.
D.Update the firmware manually on the server using UCS Manager before deploying the profile.
Answer: D

Manually updating the firmware to a version compatible with the UCS domain will allow the server to be discovered, after which the profile can be applied.

Why this answer

Option D is correct because when a firmware policy in Intersight specifies a version that is not compatible with the current firmware on the server, the server may enter a 'Discovery Failed' state. In this scenario, the motherboard firmware must be updated to a version that supports the storage controller firmware 5.0(3a) before the profile can be applied. Manually updating the firmware via UCS Manager ensures the server meets the prerequisite firmware baseline, allowing Intersight to complete the deployment.

Exam trap

Cisco often tests the concept that firmware policies have dependency chains, and candidates mistakenly think that a simple re-claim or reset will fix a 'Discovery Failed' state, when in fact the root cause is an incompatible firmware version that must be manually updated first.

How to eliminate wrong answers

Option A is wrong because ensuring consistency between the firmware policy and the current firmware would defeat the purpose of the policy, which is to enforce a target version; the issue is not consistency but compatibility. Option B is wrong because removing and re-claiming the server would not resolve the underlying firmware incompatibility; it would only reset the inventory state without addressing the firmware version mismatch. Option C is wrong because resetting the CIMC to factory defaults would erase configuration but not change the firmware version; the server would still fail discovery due to the incompatible firmware.

325
MCQ · easy

An engineer is configuring a Fibre Channel over Ethernet (FCoE) SAN. Which statement about FCoE Initialization Protocol (FIP) is true?

A.FIP operates only over lossless Ethernet.
B.FIP uses Ethernet MAC addresses for communication.
C.FIP is used only for FCoE initialization, not for maintenance.
D.FIP requires IP addresses to establish FCoE sessions.
Answer: B

FIP uses MAC addresses for discovery and login.

Why this answer

FCoE Initialization Protocol (FIP) uses Ethernet MAC addresses for communication during the discovery, initialization, and maintenance phases of an FCoE session. FIP frames are encapsulated in standard Ethernet frames with a specific EtherType (0x8914), allowing FCoE-capable endpoints to discover each other and establish virtual links without relying on IP addresses.

Exam trap

Cisco often tests the misconception that FIP requires IP addresses or that it is only used during initialization, when in fact FIP uses MAC addresses and also handles ongoing session maintenance like keep-alives.

How to eliminate wrong answers

Option A is wrong because FIP operates over lossless Ethernet (using priority flow control, PFC), but it is not limited to lossless Ethernet; FIP can also run over lossy Ethernet for discovery and initialization, though data traffic requires lossless Ethernet. Option C is wrong because FIP is used not only for initialization but also for ongoing maintenance, such as keep-alive messages (FIP VLAN request, FIP keep-alive) to monitor and maintain the FCoE session. Option D is wrong because FIP does not require IP addresses; it uses Ethernet MAC addresses and FCoE-specific EtherTypes to establish and manage FCoE sessions, avoiding the IP layer entirely.

326
MCQ · easy

Refer to the exhibit. The Fabric Interconnect cannot ping its default gateway. The management interface is configured and up. What is the most likely cause?

A.The default route is missing from the routing table.
B.The management VLAN is not allowed on the upstream switch.
C.The management interface is configured as DHCP instead of static.
D.The IP address is a duplicate on the network.
Answer: A

Without a default route, the FI cannot reach subnets beyond its own.

Why this answer

The Fabric Interconnect cannot ping its default gateway despite the management interface being up and configured, which indicates that the device lacks a route to reach the gateway subnet. A default route is required to forward traffic destined for networks not directly connected; without it, the Fabric Interconnect will drop packets to the gateway even if the interface is operational. This is the most likely cause because the exhibit shows no default route in the routing table, and the interface status confirms Layer 1 and Layer 2 connectivity.

Exam trap

Cisco often tests the distinction between interface-level connectivity (Layer 1/Layer 2) and routing (Layer 3), leading candidates to incorrectly blame VLAN pruning or IP conflicts when the real issue is a missing default route in the management VRF.

How to eliminate wrong answers

Option B is wrong because if the management VLAN were not allowed on the upstream switch, the interface would likely be in a down/down or err-disabled state, but the exhibit states the management interface is configured and up, indicating VLAN pruning is not the issue. Option C is wrong because the exhibit explicitly shows a static IP address configuration (e.g., IP address and subnet mask), so DHCP misconfiguration is not applicable. Option D is wrong because a duplicate IP address would cause intermittent connectivity or address conflict messages, but the interface would still be up and able to send ARP requests; the inability to ping the gateway points to a routing problem, not an IP conflict.

327
MCQ · hard

An engineer is deploying a new UCS chassis with two Fabric Interconnects. The design requires that server traffic can fail over to the secondary FI if the primary FI fails, without requiring any changes to the server's network configuration. Which technology must be enabled on the uplink ports of the Fabric Interconnects to the upstream switches to ensure transparent failover of server traffic?

A.Configure a virtual PortChannel (vPC) between the Fabric Interconnects and upstream switches.
B.Apply QoS policies to prioritize failover traffic.
C.Enable pin groups with 'failover' mode on the server ports.
D.Implement Private VLANs on the uplink ports to isolate traffic.
Answer: C

Pin groups with failover mode allow the secondary FI to assume the primary's MAC and IP, enabling transparent failover.

Why this answer

Pin groups with 'failover' mode enable transparent server traffic failover by pinning server vNICs to a specific Fabric Interconnect (FI) and automatically repinning them to the secondary FI upon primary FI failure, without requiring any changes to the server's network configuration. This ensures that the server's MAC and IP addresses remain active on the secondary FI, maintaining connectivity without manual intervention.

Exam trap

Cisco often tests the distinction between upstream redundancy technologies (like vPC) and server-side failover mechanisms (like pin group failover mode), leading candidates to incorrectly choose vPC for transparent server failover when it only addresses link redundancy to the upstream network.

How to eliminate wrong answers

Option A is wrong because a virtual PortChannel (vPC) between Fabric Interconnects and upstream switches provides link-level redundancy and load balancing, but it does not handle server-side failover; vPC is an upstream switch technology, not a mechanism for transparent server failover between FIs. Option B is wrong because QoS policies prioritize traffic types but do not provide any failover mechanism; they are unrelated to transparent server failover. Option D is wrong because Private VLANs isolate traffic within a VLAN for security purposes and have no role in failover or repinning server traffic between Fabric Interconnects.

328
MCQ · medium

Refer to the exhibit. A server connected to interface fc1/3 on the MDS switch cannot log in to the fabric. The server's HBA WWPN is 10:00:00:00:c9:2b:1a:62. What is the most likely reason for the login failure?

A.NPIV is disabled on the port
B.The server's WWPN is not in the active zone set
C.Interface fc1/3 is not assigned to VSAN 100
D.The link speed is mismatched between switch and HBA
Answer: C

Without correct VSAN, the port cannot participate.

Why this answer

The FLOGI database shows logins on fc1/1, fc1/2, and fc1/4, but no entry for fc1/3. The WWPN is not listed, indicating that it never logged in. The most common cause is that the port is not in the expected VSAN (100) or is not configured correctly.

Since the other ports on the same switch show VSAN 100, fc1/3 is likely in a different VSAN or not enabled. Option C is correct. Option B (zoning) would show a FLOGI entry but then reject the login.

Option A (NPIV) is not relevant. Option D (speed) would cause errors but not a missing FLOGI entry.

329
MCQ · hard

A network administrator suspects that a rogue DHCP server is active on the data center network. The switches are Cisco Nexus 9000 series running NX-OS. Which configuration should be applied to prevent DHCP spoofing?

A.Enable dynamic ARP inspection on all VLANs.
B.Enable IP source guard on all access ports.
C.Enable DHCP snooping globally and configure uplink ports as trusted.
D.Enable MAC port security on all access ports.
Answer: C

DHCP snooping filters DHCP offers from untrusted ports.

Why this answer

DHCP snooping is the correct defense against rogue DHCP servers because it filters DHCP messages on untrusted ports and allows only DHCP replies from trusted uplink ports. By enabling DHCP snooping globally and configuring uplink ports as trusted, the switch will drop DHCPOFFER and DHCPACK messages received on access ports, preventing a rogue server from handing out malicious IP configurations.

Exam trap

Cisco often tests the distinction between DHCP snooping (which blocks rogue DHCP servers) and DAI or IPSG (which rely on DHCP snooping but address different threats), leading candidates to confuse the security feature with its prerequisite.

How to eliminate wrong answers

Option A is wrong because dynamic ARP inspection (DAI) validates ARP packets based on DHCP snooping bindings, but it does not directly prevent a rogue DHCP server from sending DHCP offers. Option B is wrong because IP source guard (IPSG) filters IP traffic based on the DHCP snooping binding table, but it does not block DHCP server messages; it only prevents IP spoofing on data traffic. Option D is wrong because MAC port security limits the number of MAC addresses per port and prevents MAC flooding, but it has no mechanism to detect or block unauthorized DHCP servers.

330
MCQ · easy

A data center engineer is configuring 802.1X authentication on Cisco Nexus switches for wired endpoints. The requirement is to allow traffic on the port even if no EAPOL packet is received from the endpoint (e.g., a printer). Which authentication method should be used?

A.MAC Authentication Bypass (MAB)
B.802.1X using RADIUS server
C.Port security with sticky MAC addresses
D.Local authentication with a predefined list of users
Answer: A

MAB uses the device's MAC address to authenticate against the RADIUS server if no EAPOL is received.

Why this answer

MAC Authentication Bypass (MAB) is the correct method because it allows a port to authenticate endpoints that do not send EAPOL frames, such as printers or other legacy devices. When no EAPOL is received within a configurable timeout, the switch falls back to using the source MAC address of the first frame as the authentication credential, sending it to the RADIUS server for verification. This satisfies the requirement to permit traffic even without 802.1X supplicant capability.

Exam trap

Cisco often tests the distinction between authentication methods that require EAPOL (802.1X) and those that do not (MAB), and the trap here is that candidates confuse port security or local authentication with network access control, failing to recognize that MAB is the specific fallback for non-EAPOL endpoints.

How to eliminate wrong answers

Option B is wrong because 802.1X using a RADIUS server requires the endpoint to send EAPOL frames to initiate authentication; if no EAPOL is received, the port remains unauthorized and blocks traffic. Option C is wrong because port security with sticky MAC addresses is a Layer 2 access control mechanism that limits the number of learned MAC addresses but does not integrate with RADIUS-based authentication or handle the absence of EAPOL. Option D is wrong because local authentication with a predefined list of users is used for device administration (e.g., SSH or console login), not for port-based network access control of wired endpoints.

331
MCQ · easy

An engineer notices that the LED of an FC interface is off on a Cisco MDS switch. The interface is up/up. What is the most likely cause?

A.The port LED firmware is corrupted.
B.The interface is administratively down.
C.The link is up but the LED is disabled in software configuration.
D.The SFP is faulty.
Answer: C

On some MDS switches, the LED can be turned off via the 'no led enable' interface command.

Why this answer

On Cisco MDS switches, the interface LED can be administratively disabled via the `no led` command in interface configuration mode, even when the interface is fully operational (up/up). This allows operators to selectively turn off LEDs for troubleshooting or to reduce visual noise in a data center, without affecting traffic. The LED being off while the interface shows up/up directly points to this software-based LED disablement.

Exam trap

Cisco often tests the misconception that an LED off always indicates a hardware or link issue, when in fact the LED can be software-disabled independently of the interface operational state.

How to eliminate wrong answers

Option A is wrong because LED firmware corruption would typically cause erratic behavior (e.g., blinking incorrectly or staying stuck in one state) rather than a consistent off state with a fully functional interface. Option B is wrong because an administratively down interface would show as 'down/down' in the show interface output, not 'up/up'. Option D is wrong because a faulty SFP would cause the link to be down (e.g., 'down/down' or 'up/down' with CRC errors), not an up/up state with the LED off.

332
MCQ · medium

A company runs a multi-tenant data center using Cisco ACI with multiple tenants. Each tenant has its own VRF and EPGs. The security policy requires that tenant A's web servers (EPG web_tenantA) be accessible from tenant B's application servers (EPG app_tenantB) only via HTTPS (TCP 443). The ACI fabric is configured with contracts. The administrator has created a contract with a filter for HTTPS (tcp dstPort 443) and applied it as a provider contract on EPG web_tenantA and as a consumer contract on EPG app_tenantB. However, traffic from tenant B's app servers to tenant A's web servers is being dropped. The administrator has verified that the contracts are applied correctly and the filter is correct. What is the most likely cause of the traffic drop?

A.The EPGs are not in the same bridge domain; they must be in the same bridge domain to communicate.
B.The VRF of tenant A and tenant B must have route leaking configured to allow inter-VRF routing.
C.The contract is not marked as 'shared' between tenants; a shared contract must be created and both EPGs must be in the same VRF or use a shared VRF.
D.The filter for HTTPS must also include the source port range 49152-65535 for ephemeral ports.
Answer: C

ACI requires shared contracts for cross-tenant communication, and the EPGs must be in the same VRF or use a shared VRF.

Why this answer

In Cisco ACI, contracts are local to a VRF by default. For inter-tenant communication where each tenant has its own VRF, the contract must be explicitly marked as 'shared' and both EPGs must either be in the same VRF or use a shared VRF that allows cross-VRF policy enforcement. Without this, the contract filter is not applied across VRFs, causing traffic to be dropped even though the contract and filter are correctly configured.

Exam trap

Cisco often tests the misconception that contracts work across VRFs by default, when in fact they require explicit sharing configuration, leading candidates to overlook the 'shared contract' requirement.

How to eliminate wrong answers

Option A is wrong because EPGs do not need to be in the same bridge domain to communicate; ACI uses contracts to enable communication across different bridge domains and even across VRFs when properly configured. Option B is wrong because route leaking is not required for inter-VRF communication in ACI; contracts with a shared VRF handle the routing and policy enforcement between VRFs without explicit route leaking. Option D is wrong because the filter for HTTPS only needs to specify the destination port (tcp dstPort 443); source ports are ephemeral and automatically allowed by ACI's stateful nature, so specifying a source port range is unnecessary and would not cause traffic drops.

333
MCQ · hard

You are a network engineer at a financial institution. The company has two data centers: DC1 and DC2, connected via a dark fiber link. Each data center has a pair of Nexus 7000 switches in a vPC configuration. The dark fiber link connects to a port on each Nexus 7000 pair using a Layer 2 port-channel. The requirement is to extend VLAN 100 between the two data centers for a critical application that requires a stretched Layer 2 domain. The current configuration has the port-channel on both sides set to mode 'active' with LACP. VLAN 100 is allowed on the trunk. The application servers report intermittent connectivity issues, with some packets being dropped. Upon inspection, you notice that the MAC address table on the Nexus 7000 in DC1 shows the MAC address of the server in DC2 on the dark fiber port-channel interface, but also on a local access port connected to a different server in the same VLAN. What is the most likely cause of the intermittent connectivity?

A.The dark fiber link is experiencing high latency, causing MAC address timeouts.
B.LACP is misconfigured on one side, causing the port-channel to operate as individual links.
C.There is an asymmetric routing issue between the data centers.
D.Spanning Tree Protocol is not blocking one of the redundant paths, creating a loop.
Answer: D

A loop causes MAC flapping and intermittent connectivity.

Why this answer

The MAC address table showing the same MAC address on both the dark fiber port-channel and a local access port indicates a Layer 2 loop. In a vPC environment with a Layer 2 extension between data centers, Spanning Tree Protocol (STP) should block one of the redundant paths to prevent loops. If STP fails to block the appropriate port, frames loop, causing MAC address flapping and intermittent packet drops.

Exam trap

The trap here is that candidates often attribute intermittent connectivity to LACP or routing issues, but the key clue is the MAC address appearing on two different interfaces in the same VLAN, which is a definitive sign of a Layer 2 loop that STP should have prevented.

How to eliminate wrong answers

Option A is wrong because high latency does not cause MAC address timeouts or flapping; MAC aging timers are independent of latency, and high latency would cause retransmissions, not MAC table instability. Option B is wrong because LACP misconfiguration would cause the port-channel to operate as individual links, which could lead to inconsistent forwarding but not the specific symptom of the same MAC appearing on both a port-channel and a local access port; this symptom is classic for a loop. Option C is wrong because asymmetric routing is a Layer 3 issue, but the problem occurs in a stretched Layer 2 domain where routing is not involved; asymmetric routing would not cause MAC address flapping on the same VLAN.

334
MCQ · hard

In an EVPN-VXLAN fabric, a network engineer notices that MAC addresses learned from an external router are not being advertised as EVPN type-2 routes. The external router is connected to a leaf switch via a Layer 3 port. Which additional configuration is needed on the leaf switch?

A.Configure `redistribute host-routes` under the BGP address-family l2vpn evpn.
B.Configure `evpn` under the VLAN interface associated with the external router's VLAN.
C.Configure `ip arp evpn` on the Layer 3 interface.
D.Configure `routing-config` under BGP to enable both MAC-VRF and IP-VRF.
Answer: C

This allows the switch to advertise the neighbor's MAC and IP via EVPN.

Why this answer

Option C is correct because when an external router is connected via a Layer 3 port, the leaf switch learns the router's MAC address through ARP, not through a VLAN. To advertise this MAC as an EVPN type-2 route, the `ip arp evpn` command must be configured on the Layer 3 interface. This command enables the switch to synchronize ARP entries into the EVPN BGP control plane, allowing MAC/IP advertisement for directly connected hosts on routed interfaces.

Exam trap

Cisco often tests the distinction between VLAN-based EVPN (where MACs are learned from the bridge domain) and routed interface EVPN (where MACs come from ARP), leading candidates to incorrectly choose VLAN-related options like `evpn` under the VLAN interface when the scenario involves a Layer 3 port.

How to eliminate wrong answers

Option A is wrong because `redistribute host-routes` under BGP address-family l2vpn evpn is used to redistribute host routes from the routing table into EVPN, not to advertise MAC addresses learned via ARP; it addresses IP prefix advertisement, not MAC-VRF type-2 routes. Option B is wrong because `evpn` under a VLAN interface is used to enable EVPN for a VLAN-based service (e.g., IRB), but the external router is connected via a Layer 3 port, not a VLAN; this configuration would not apply to a routed interface. Option D is wrong because `routing-config` under BGP is not a valid command; the correct approach for MAC-VRF and IP-VRF is to configure separate address-family contexts (e.g., `address-family l2vpn evpn` and `vrf definition`) and the `routing-config` keyword does not exist in Cisco NX-OS EVPN configuration.

335
Multi-Select · hard

Which TWO are best practices when automating ACI fabric configuration using Ansible?

Select 2 answers
A.Set validate_certs: no to avoid certificate errors
B.Use the cisco.aci collection
C.Store credentials in plain text in playbooks
D.Use state: query for idempotent checks
E.Use delegate_to: localhost for all tasks
Answers: B, D

The official collection provides idempotent modules for ACI.

Why this answer

The cisco.aci collection is the official Ansible collection for automating Cisco ACI fabric configuration. It provides modules that abstract the ACI REST API, ensuring idempotent and reliable configuration management. Using this collection is a best practice because it is maintained by Cisco and follows Ansible's recommended approach for interacting with ACI.

Exam trap

Cisco often tests the misconception that disabling certificate validation (validate_certs: no) is acceptable for lab environments, but the exam expects adherence to security best practices regardless of environment.

336
Multi-Select · hard

Which THREE factors should be considered when determining the number of upstream Ethernet uplinks from a UCS Fabric Interconnect to the core network? (Choose THREE.)

Select 3 answers
A.Number of VLANs defined on the Fabric Interconnect.
B.Server CPU oversubscription ratio.
C.The number of vNICs per service profile and their bandwidth limits.
D.Total expected traffic from server blades.
E.Redundancy and high availability requirements.
Answers: C, D, E

More vNICs may require more uplinks for queuing.

Why this answer

Option C is correct because the number of vNICs per service profile and their bandwidth limits directly determine the aggregate traffic that must be carried by the upstream Ethernet uplinks. Each vNIC is assigned a specific bandwidth cap (e.g., via QoS policy or vNIC template), and the sum of these caps across all service profiles on a Fabric Interconnect dictates the minimum uplink capacity required to avoid oversubscription.

Exam trap

Cisco often tests the distinction between Layer 2 constructs (VLANs) and actual bandwidth consumption, leading candidates to incorrectly select the number of VLANs as a factor for uplink sizing.

337
Multi-Select · easy

Which THREE are best practices for securing a data center network? (Choose three.)

Select 3 answers
A.Apply device hardening, such as disabling unused services.
B.Use encryption (e.g., MACsec, IPsec) for sensitive traffic.
C.Implement role-based access control (RBAC) for management access.
D.Disable logging to reduce CPU load.
E.Use default SNMP community strings for simplicity.
Answers: A, B, C

Hardening reduces attack surface.

Why this answer

Device hardening, such as disabling unused services, is a fundamental best practice for securing a data center network. By reducing the attack surface, you eliminate potential entry points for exploits, which is a core principle of Cisco's secure network design. This aligns with the Cisco Nexus and IOS-XE hardening guidelines, where services like HTTP, Telnet, or CDP are disabled to prevent unauthorized access or reconnaissance.

Exam trap

Cisco often tests the concept that security best practices must never sacrifice security for performance or convenience, so traps like 'disable logging' or 'use default strings' are designed to lure candidates who prioritize operational simplicity over security.

338
MCQ · hard

A large cloud provider is building a new data center using Cisco ACI with multiple leaf and spine switches. They plan to host thousands of tenants with overlapping IP addresses in different VRFs. The network team has deployed the fabric with a common security policy. During testing, they discover that traffic from Tenant A to Tenant B is being allowed even though a contract should deny it. The APIC policy shows the contract is applied to the EPGs and the deny rule is present. What is the most likely cause of the policy not being enforced?

A.The fabric is using VRF leaking that bypasses contracts.
B.The contract is not configured with the correct subject.
C.The leaf switches have not downloaded the updated policy.
D.The EPGs are in the same bridge domain.
Answer: C

Leaf switches may hold stale policy if it has not been refreshed from the APIC.

Why this answer

In Cisco ACI, the leaf switches enforce contracts locally based on the policy downloaded from the APIC. If a contract is correctly configured on the APIC but traffic is still permitted, the most likely cause is that the leaf switches have not yet received or applied the updated policy. This can happen due to a delay in policy propagation, a communication issue between the APIC and leaf switches, or the leaf not having completed the policy resolution process.

Exam trap

Cisco often tests the misconception that once a contract is configured on the APIC, it is immediately enforced everywhere, ignoring the asynchronous policy download and local leaf switch policy resolution process.

How to eliminate wrong answers

Option A is wrong because VRF leaking in ACI is explicitly controlled by contracts and does not bypass them; any inter-VRF traffic must still be permitted by a contract. Option B is wrong because the contract subject is only relevant for defining filters and actions; if the deny rule is present and applied to the EPGs, the subject configuration is not the cause of the policy not being enforced. Option D is wrong because EPGs in the same bridge domain can communicate only if a contract allows it; being in the same bridge domain does not automatically bypass contract enforcement.

339
MCQ · medium

Refer to the exhibit. What is the effect of this configuration on traffic in VLAN 10?

A.Telnet traffic is permitted; all other traffic is denied.
B.All traffic is denied except telnet.
C.Telnet traffic is denied; all other traffic is permitted.
D.All traffic is permitted.
Answer: C

The first sequence drops telnet; the second forwards everything else.

Why this answer

The VACL first matches telnet traffic and drops it. The second sequence forwards all other traffic. Thus, only telnet is denied; all other traffic is permitted.

340
Matching · medium

Match each Cisco storage protocol to its characteristic.


Concepts
Matches

Lossless, high-speed block storage over dedicated fabric

Block storage over TCP/IP networks

High-performance flash storage over RDMA

Fibre Channel frames encapsulated in Ethernet

File-level storage access over network

Why these pairings

Understanding storage protocols is critical for data center design.

341
MCQ · easy

Which protocol is used by Cisco ACI fabric to distribute endpoint information among spines?

A.IS-IS
B.OSPF
C.BGP
D.COOP
Answer: D

COOP (Council of Oracle Protocol) is the ACI-specific protocol for endpoint database distribution.

Why this answer

D is correct because the Cisco ACI fabric uses the Council of Oracle Protocol (COOP) specifically to distribute endpoint information (such as IP-to-MAC bindings and location) among spine switches. COOP operates as a lightweight, publish-subscribe protocol that runs between leaf and spine switches, ensuring that all spines maintain a consistent endpoint database without the overhead of a full routing protocol.

Exam trap

Cisco often tests the distinction between the underlay routing protocol (IS-IS) and the overlay endpoint distribution protocol (COOP), so candidates mistakenly choose IS-IS because they recall it is used in ACI, but they fail to recognize that endpoint distribution is a separate function handled by COOP.

How to eliminate wrong answers

Option A is wrong because IS-IS is used as the underlay routing protocol in ACI to establish reachability between leaf and spine switches, not to distribute endpoint information. Option B is wrong because OSPF is not used in ACI fabric; the underlay is based on IS-IS with a link-state database, and OSPF would add unnecessary complexity and is not designed for endpoint distribution. Option C is wrong because BGP is used in ACI for external routing (e.g., connecting to outside networks via L3Out) and for the Overlay-1 control plane, but it does not distribute internal endpoint information among spines; that is the role of COOP.

342
MCQ · medium

A company uses Cisco TrustSec in its data center to enforce segmentation. Servers in VLAN 10 (Finance) should only communicate with servers in VLAN 20 (ERP) via an application gateway. Which TrustSec component is used to assign a Security Group Tag (SGT) to traffic from the Finance servers?

A.Identity Services Engine (ISE) as the authentication and policy server
B.MACsec encryption on the links
C.802.1X port-based authentication
D.VLAN ACL (VACL) on the switch
Answer: A

ISE assigns SGTs based on user or device identity.

Why this answer

In Cisco TrustSec, the Identity Services Engine (ISE) acts as the authentication and policy server that assigns Security Group Tags (SGTs) to endpoints or traffic based on identity and policy. ISE uses 802.1X, MAB, or web authentication to identify the Finance servers and then dynamically assigns the appropriate SGT, which is then used for segmentation enforcement.

Exam trap

Cisco often tests the distinction between the authentication mechanism (802.1X) and the policy server (ISE) that actually assigns the SGT, leading candidates to mistakenly select 802.1X as the component that assigns the tag.

How to eliminate wrong answers

Option B is wrong because MACsec provides link-layer encryption and integrity, not SGT assignment; it is used to secure TrustSec links after SGTs are already assigned. Option C is wrong because 802.1X is an authentication method that can be used by ISE to identify endpoints, but it does not directly assign SGTs—ISE is the component that maps the authenticated identity to an SGT. Option D is wrong because VLAN ACLs (VACLs) filter traffic based on Layer 2/3/4 fields, not SGTs; they are not part of the TrustSec SGT assignment process.

343
MCQhard

A company is deploying a Cisco UCS Mini in a remote office. They need to support both VMware vSphere and Microsoft Hyper-V on the same UCS domain. What is the best practice for deploying compute resources for both hypervisors?

A.Create separate service profile templates for each hypervisor
B.Use a single service profile but assign different VLANs for management traffic
C.Place each hypervisor in a separate UCS Organization within the same service profile template
D.Create a single service profile template and use different identity pools for each hypervisor
AnswerA

Separate templates enable boot order, firmware, and BIOS settings per hypervisor.

Why this answer

Separate service profile templates are required because VMware vSphere and Microsoft Hyper-V have different boot and storage configuration requirements. Each hypervisor needs its own boot policy (e.g., SAN boot vs. local disk), firmware settings, and potentially different vNIC/vHBA configurations. Using distinct templates ensures that each hypervisor's compute resources are correctly provisioned without conflicts.

Exam trap

Cisco often tests the misconception that VLANs or identity pools alone can differentiate hypervisor configurations, when in fact the core differences lie in boot and storage policies that require separate service profile templates.

How to eliminate wrong answers

Option B is wrong because a single service profile cannot accommodate the different boot policies, firmware versions, and storage configurations required by two distinct hypervisors; VLAN assignment for management traffic does not address these fundamental differences. Option C is wrong because UCS Organizations are used for administrative separation and RBAC, not to define different compute resource configurations within a single service profile template; a single template still applies the same policies to all servers. Option D is wrong because identity pools (e.g., UUID, MAC, WWN) only manage unique identifiers, not the boot order, firmware, or storage policies that differ between hypervisors; a single template with different pools still enforces the same configuration.

344
Multi-Selecthard

Which THREE factors should be considered when designing an FCoE SAN to avoid traffic loss? (Choose three.)

Select 3 answers
A.Use standard Ethernet cut-through switching for all FCoE traffic.
B.Enable priority flow control (PFC) on all FCoE-enabled interfaces.
C.Use a dedicated FCoE VLAN that is not used for any other traffic.
D.Disable the FIP snooping feature to reduce latency.
E.Ensure that the FCoE Maximum Transmission Unit (MTU) is set to 2500 bytes.
AnswersB, C, E

PFC is essential to prevent frame loss due to congestion.

Why this answer

Options B, C, and E are correct; A and D are incorrect. PFC (B) gives the FCoE class lossless, pause-based behavior so frames are not dropped under congestion, a dedicated FCoE VLAN (C) keeps FCoE traffic separate from other Ethernet traffic, and an MTU of about 2500 bytes (E) accommodates the encapsulated 2112-byte Fibre Channel payload plus FC and FCoE headers. Option A is wrong because the switching mode (cut-through vs. store-and-forward) does not prevent loss under congestion, and option D is wrong because FIP snooping is a validation feature on FCoE transit switches; disabling it removes protection without reducing loss.

345
MCQmedium

An administrator notices that a new server connected to a Fibre Channel switch cannot log in. The 'show flogi database' command does not show the server's WWPN. What is the most likely cause?

A.Trunking mode not enabled on the port
B.Incorrect zoning configuration
C.Speed mismatch between the server and switch
D.Port security enabled with WWN mismatch
AnswerD

Correct: Port security restricts which WWNs can log in.

Why this answer

The 'show flogi database' command lists all devices that have successfully completed the Fabric Login (FLOGI) process. If the server's WWPN is absent, it indicates that the FLOGI request was rejected by the switch. Port security with a WWN mismatch is the most likely cause because the switch is configured to allow only specific WWPNs, and the server's WWPN does not match the allowed list, causing the switch to silently drop the FLOGI request without logging the device.

Exam trap

Cisco often tests the distinction between FLOGI rejection (port security, fabric binding) and post-login restrictions (zoning, VSAN membership), so candidates mistakenly choose 'incorrect zoning' because they confuse zoning with port-level authentication.

How to eliminate wrong answers

Option A is wrong because trunking mode (E_port or TE_port) is used for inter-switch links (ISL), not for server-facing F_ports; a server connected to an F_port does not require trunking to perform FLOGI. Option B is wrong because an incorrect zoning configuration would still allow the server to log in (and appear in 'show flogi database') but would then prevent communication with other devices; zoning does not block the FLOGI process itself. Option C is wrong because a speed mismatch between the server and switch would prevent link initialization (the port would be in a non-operational state), so the WWPN would be absent because the link never came up, not because FLOGI was rejected; the question states the server is connected, implying the link is up, and speed auto-negotiation typically handles mismatches without silently dropping FLOGI.

346
MCQhard

In a vPC domain, a consistency check failure is observed for the vPC keepalive link. What is the impact on the vPC domain operation?

A.The vPC peer link will be suspended.
B.The secondary switch will shutdown its vPC member ports.
C.The vPC domain will continue to operate but with reduced reliability.
D.Both switches will independently forward traffic via the vPC peer link.
AnswerC

The keepalive is a secondary monitoring mechanism; its loss increases risk of split-brain if the peer link fails.

Why this answer

The vPC keepalive link is used as a secondary heartbeat to detect dual-active scenarios when the peer link fails. A consistency check failure on the keepalive link does not directly affect data forwarding; the vPC domain continues to operate, but the loss of this redundancy mechanism reduces reliability because the switches can no longer reliably detect a split-brain condition without the peer link.

Exam trap

Cisco often tests the distinction between the keepalive link and the peer link; the trap here is that candidates assume any consistency check failure will suspend the vPC domain, but only failures on the peer link or critical parameters (like vPC VLAN consistency) cause suspension, while keepalive failures merely degrade redundancy.

How to eliminate wrong answers

Option A is wrong because the vPC peer link is suspended only when there is a peer-link failure or a consistency check failure on the peer link itself, not on the keepalive link. Option B is wrong because the secondary switch shuts down its vPC member ports only when a dual-active detection occurs (e.g., peer link fails and keepalive is also lost), not due to a keepalive consistency check failure alone. Option D is wrong because both switches independently forwarding traffic via the vPC peer link describes a split-brain scenario that happens when the peer link fails and the keepalive link is also lost, not when only the keepalive consistency check fails.

347
MCQhard

Refer to the exhibit. A server with vNIC eth0 is experiencing packet drops on its Ethernet interface. The server is sending jumbo frames (MTU 9000) on VLAN 100. The QoS system class 'Class-Platinum' has an MTU of 9216 and is configured with 'Drop'. The vNIC is not assigned to any QoS policy. What is the most likely reason for the drops?

A.The vNIC is not mapped to a QoS policy, so it uses the default best-effort class which has an MTU of 1500 and drops jumbo frames.
B.The QoS system class for jumbo frames requires a 'No Drop' policy to avoid drops.
C.The server is sending frames larger than 9216 bytes.
D.The native VLAN setting on the vNIC causes the QoS system class to be ignored.
AnswerA

Without a QoS policy, the default class (often Bronze) applies, which has MTU 1500.

Why this answer

When a vNIC is not assigned to a QoS policy, it defaults to the best-effort class, which typically has an MTU of 1500 bytes. Since the server is sending jumbo frames (MTU 9000) on VLAN 100, these frames exceed the default MTU and are dropped at the Ethernet interface. The 'Class-Platinum' system class with MTU 9216 is irrelevant because the vNIC is not mapped to it.

Exam trap

Cisco often tests the misconception that a system class with a higher MTU (like Class-Platinum) automatically applies to all traffic, when in fact the vNIC must be explicitly mapped to that QoS policy to use it.

How to eliminate wrong answers

Option B is wrong because a 'No Drop' policy (e.g., using pause frames or priority flow control) is not required for jumbo frames; the issue is the MTU mismatch, not the drop/no-drop setting. Option C is wrong because the server is sending frames of MTU 9000, which is less than the system class MTU of 9216, so the frames are not oversized for the system class. Option D is wrong because the native VLAN setting does not cause the QoS system class to be ignored; the vNIC's lack of a QoS policy assignment is the direct cause of defaulting to the best-effort class.

348
Multi-Selectmedium

When troubleshooting a VXLAN EVPN fabric with Cisco Nexus 9000 switches, which three commands provide information about the EVPN operation? (Choose three.)

Select 3 answers
A.show bgp l2vpn evpn summary.
B.show l2route mac all.
C.show running-config interface nve1.
D.show nve peers.
E.show ip interface brief.
AnswersA, B, D

Shows BGP EVPN session status.

Why this answer

The 'show bgp l2vpn evpn summary' command is correct because it displays the BGP session status for the L2VPN address family, which is the control plane protocol for VXLAN EVPN. This command shows neighbor states, prefixes received, and route table statistics, directly indicating whether EVPN route exchange is operational.

Exam trap

Cisco often tests the distinction between configuration commands (like 'show running-config interface nve1') and operational verification commands (like 'show nve peers'), leading candidates to mistakenly select configuration-only outputs as evidence of EVPN operation.

349
MCQmedium

A network engineer is automating a repetitive configuration task on a Nexus 9000 switch using Python scripts with NX-API. The script sends a CLI command via POST request but receives HTTP 400 status with error 'Invalid request payload'. What is the most likely cause?

A.The JSON payload does not include the required 'ins_api' wrapper with version and type fields.
B.The switch is running an unsupported NX-OS version.
C.The script is using HTTP instead of HTTPS.
D.The CLI command syntax is incorrect with too many spaces.
AnswerA

The NX-API requires a specific JSON format with 'ins_api' envelope containing attributes like version, type, chunk, sid, and input.

Why this answer

The NX-API expects a specific JSON structure. Option A correctly identifies that the payload must include the 'ins_api' wrapper with the version, type, chunk, sid, and input parameters.

350
Multi-Selectmedium

An OSPF router in a broadcast network has not formed a neighbor relationship. What are three possible causes? (Choose three.)

Select 3 answers
A.Authentication incorrect
B.MTU mismatch
C.Area ID mismatch
D.Hello interval mismatch
E.Network type mismatch
AnswersB, D, E

Causes the routers to stay in ExStart state during database exchange.

Why this answer

In OSPF, an MTU mismatch prevents the formation of a neighbor relationship because OSPF routers compare the MTU value in Database Description (DBD) packets. If the receiving router's interface MTU is smaller than the DBD packet size, the packet is dropped, and the neighbor state remains stuck in EXSTART/EXCHANGE. This is a common issue on broadcast networks where different link types or misconfigured interfaces exist.

Exam trap

Cisco often tests the MTU mismatch as a subtle cause of OSPF neighbor failure, especially since it is less obvious than Hello/Dead interval or Area ID mismatches, and candidates may overlook it or confuse it with Layer 2 issues.

351
Multi-Selecteasy

A storage administrator reports that a Cisco UCS domain is not booting from the Fibre Channel SAN. The boot policy is correctly configured and the vHBA is associated. Which two alignment issues could cause this problem? (Choose two.)

Select 2 answers
A.The WWPN of the vHBA is not zoned on the SAN fabric.
B.The vHBA is assigned to an incorrect VSAN.
C.The Ethernet LAN is not configured on the FI.
D.The disk firmware on the server is outdated.
AnswersA, B

Proper WWPN zoning is critical for SAN boot.

Why this answer

Option A is correct because if the WWPN of the vHBA is not properly zoned on the SAN fabric, the Fibre Channel switch will not allow the server to log in to the target storage. Even with a correct boot policy and vHBA association, without zoning, the initiator cannot discover or communicate with the boot LUN, causing the boot to fail.

Exam trap

The trap here is that candidates often focus only on the UCS-side configuration (boot policy, vHBA association) and forget that SAN fabric-level settings like zoning and VSAN assignment are equally critical for Fibre Channel boot to succeed.

352
MCQhard

Based on the exhibited FLOGI database, what is the state of the interface fc1/1?

A.It is an F port with a hub attached.
B.It is an NP port (proxy FW) because multiple FCIDs appear on the same interface.
C.It is a trunking E port.
D.It is a disabled port because there are two WWNs.
AnswerB

Multiple FCIDs from different WWNs on a single interface indicate NPIV, which is typical for NPV uplink or FCoE.

Why this answer

The FLOGI database shows multiple FCIDs (0x010000, 0x010001) associated with the same interface fc1/1, which is characteristic of an NP port (proxy FW) in NPV mode. An NP port acts as a proxy for multiple end devices behind it, such as in a Fibre Channel NPV switch or a converged network adapter (CNA) in FCoE NPV mode, allowing multiple FCIDs to share a single physical link.

Exam trap

The trap here is that candidates often assume multiple FCIDs on one interface indicate a trunking E port or a misconfiguration, but in NPV mode, an NP port legitimately proxies multiple FCIDs, which is a key distinguishing feature tested in the 350-601 exam.

How to eliminate wrong answers

Option A is wrong because an F port connects to a single N port (end device) and would show only one FCID per interface; a hub attached to an F port would still present a single FCID from the hub's perspective, not multiple distinct FCIDs. Option C is wrong because a trunking E port connects two switches and would show multiple FCIDs only if multiple VSANs are trunked, but the FLOGI database would list the same FCID across different VSANs, not multiple FCIDs on the same interface within a single VSAN. Option D is wrong because having two WWNs does not disable a port; a disabled port would not appear in the FLOGI database at all, and multiple WWNs are normal for NP ports or multi-homed devices.

353
MCQmedium

A Cisco MDS switch is configured in NPV mode. A host connected to this switch fails to log into the SAN. Which command should be used to verify the host's FLOGI status?

A.show zone
B.show fcns database
C.show flogi database module <module>
D.show flogi database
E.show port-channel summary
AnswerC

This command shows FLOGIs on a specific module, which is more precise when troubleshooting a host on a known module.

Why this answer

In NPV mode, the MDS switch acts as a passthrough and does not maintain its own FLOGI database; instead, it forwards FLOGI requests to the upstream NPIV-capable switch. The 'show flogi database module <module>' command is used on the NPV switch to verify the host's FLOGI status because it displays the FLOGI entries learned from the upstream switch for the specific module where the host is connected, which is essential for troubleshooting login failures.

Exam trap

Cisco often tests the distinction between NPV mode and standard switch mode, where candidates mistakenly use 'show flogi database' without the module parameter, not realizing that NPV switches require the module keyword to display FLOGI entries.

How to eliminate wrong answers

Option A is wrong because 'show zone' displays zone configurations and members, not FLOGI or login status. Option B is wrong because 'show fcns database' shows the Fibre Channel Name Server database (registered FC-4 types and WWNs), which is populated after successful FLOGI and login, not the FLOGI status itself. Option D is wrong because 'show flogi database' without the module keyword is not valid on an NPV switch; the command requires the module parameter to specify the line card or port module.

Option E is wrong because 'show port-channel summary' displays port-channel interface status and load-balancing, not FLOGI or host login information.

354
MCQhard

A storage administrator notices that a host is unable to see a LUN after zoning is configured. The zone contains the host WWPN and the target WWPN. The LUN is not masked at the storage array. What is the most likely cause?

A.LUN masking is not configured on the storage array.
B.The host requires NPIV to be enabled.
C.The host is in a different VSAN.
D.The zone is incorrectly configured.
AnswerA

LUN masking is required to present LUNs to specific hosts.

Why this answer

The host cannot see the LUN because LUN masking is not configured on the storage array. Even with correct zoning (host WWPN to target WWPN), the storage array must explicitly grant access to specific LUNs for a given initiator WWPN. Without LUN masking, the target will not present the LUN to the host, regardless of zone membership.

Exam trap

Cisco often tests the distinction between fabric-level zoning (which controls which ports can communicate) and storage-array-level LUN masking (which controls which LUNs are visible to an initiator), leading candidates to incorrectly assume zoning alone grants LUN access.

How to eliminate wrong answers

Option B is wrong because NPIV (N_Port ID Virtualization) is used to allow multiple virtual initiators to share a single physical port, which is unrelated to LUN visibility after zoning. Option C is wrong because if the host were in a different VSAN, the zone would not be effective at all (zones are VSAN-specific), but the question states zoning is configured and the host cannot see the LUN, not that zoning fails. Option D is wrong because the zone is correctly configured (contains host WWPN and target WWPN), so incorrect zone configuration is not the cause.

355
MCQeasy

A startup company is deploying a new web application on UCS B-Series blades. They want to use PXE boot for rapid provisioning. The network team has configured a DHCP server and a PXE server on the same VLAN as the UCS service profiles. The system administrator creates a service profile for a blade and sets the boot policy to 'PXE' as the first boot device, and local disk as second. However, when the blade powers on, it boots from the local disk instead of PXE. The PXE server logs show no request from the blade's MAC address. The DHCP server logs show no activity. The fabric interconnect is configured with a default VLAN. What is the most likely cause?

A.The vNIC on the service profile is not configured with the correct native VLAN
B.The boot policy order lists local disk before PXE
C.The service profile is not properly associated with the blade
D.The fabric interconnect uplinks are not in trunk mode
AnswerA

Native VLAN mismatch prevents DHCP from reaching the server

Why this answer

Option A is correct because PXE boot requires the vNIC to have an untagged native VLAN that matches the PXE/DHCP subnet. If the native VLAN on the vNIC is different, the DHCP requests never reach the DHCP server, which matches the empty DHCP and PXE server logs. Option B is wrong because the question states that PXE is listed first in the boot policy, so the boot order is correct.

Option C is wrong because the service profile association is fine; an unassociated profile would not power the blade at all. Option D is wrong because uplinks that are not in trunk mode would produce different symptoms.

356
MCQeasy

A data center architect is designing access control for a Cisco ACI fabric. The requirement is to allow HTTP traffic from the web tier (EPG web) to the app tier (EPG app), but deny SSH from the management EPG to the web EPG. Which construct should be used?

A.Create a contract between EPGs with appropriate filters.
B.Use a tenant to separate the EPGs logically.
C.Configure a VRF to isolate traffic between EPGs.
D.Define a bridge domain with L2 policies.
AnswerA

Contracts in ACI define allowed communication with filters for specific protocols/ports.

Why this answer

In Cisco ACI, contracts are the primary mechanism for enforcing policy-based communication between EPGs. By creating a contract between the web and app EPGs with a filter that permits HTTP (TCP/80), and another contract between management and web EPGs with a filter that denies SSH (TCP/22), the architect can precisely meet both requirements. Contracts allow granular control over which protocols and ports are allowed or denied, making them the correct construct for this access control scenario.

Exam trap

Cisco often tests the misconception that VRFs or bridge domains alone can provide security isolation, but in ACI, traffic filtering is always enforced via contracts, regardless of VRF or BD boundaries.

How to eliminate wrong answers

Option B is wrong because tenants are used for administrative and policy isolation between different customers or organizations, not for defining traffic rules between EPGs within the same tenant. Option C is wrong because VRFs (private L3 contexts) provide routing and forwarding isolation but do not enforce security policies like permitting or denying specific application traffic; contracts are still needed within a VRF. Option D is wrong because bridge domains define Layer 2 forwarding boundaries and subnets, not access control policies; they do not filter traffic based on protocols or ports.

357
MCQeasy

An administrator needs to reset the CIMC password on a Cisco UCS C-Series server without physical access. Which method can be used?

A.Use the front panel reset button
B.Use UCS Manager
C.Use the CIMC XML API
D.Connect via serial console during boot
AnswerC

Allows remote management commands, including password change.

Why this answer

The CIMC XML API allows remote management of Cisco UCS C-Series servers, including password resets, without physical access. This API provides a programmatic interface to CIMC functions, enabling administrators to send authenticated XML requests over HTTPS to reset the CIMC password. Physical access is not required because the API operates over the network, making it the correct method for this scenario.

Exam trap

Cisco often tests the distinction between UCS Manager (for B-Series and integrated environments) and CIMC (for C-Series standalone servers), leading candidates to incorrectly assume UCS Manager can manage C-Series servers directly.

How to eliminate wrong answers

Option A is wrong because the front panel reset button requires physical access to the server, which the administrator does not have. Option B is wrong because UCS Manager manages UCS B-Series blade servers and fabric interconnects, not C-Series standalone servers; C-Series servers are managed directly via CIMC, not through UCS Manager. Option D is wrong because connecting via serial console during boot requires physical access to the server's serial port or a remote console solution that is not available without physical presence.

358
MCQeasy

Based on the exhibited output, what is the status of the interface?

A.The interface is up but has no license.
B.The interface is in trunk mode and licensed.
C.The interface is operational and licensed.
D.The interface is down due to no license.
AnswerA

The interface is up but lacks a license; it may be using grace period.

Why this answer

The interface is up (line protocol is up) but the output shows 'license not installed' or similar, meaning the port is administratively up but lacks the required license for full functionality. In Cisco MDS/Nexus storage networks, interfaces can be in an 'up' state without a license, but they will not pass traffic or operate in the licensed mode until the license is installed.

Exam trap

Cisco often tests the distinction between an interface being 'up/up' and being fully licensed, leading candidates to assume that an up interface is automatically operational and licensed, when in fact it may be in a 'no-license' state that prevents data forwarding.

How to eliminate wrong answers

Option B is wrong because the interface is not in trunk mode (the output shows access mode or no trunking) and it is not licensed. Option C is wrong because the interface is not operational in the sense of passing traffic; it is up but unlicensed, so it cannot forward data. Option D is wrong because the interface is not down; it is up (line protocol up) but lacks a license, which is a different state from being administratively or protocol down.

359
Multi-Selecteasy

A network engineer is verifying VPC configuration on a pair of Nexus switches. Which two commands should be used to check VPC status and consistency? (Choose two.)

Select 2 answers
A.show vpc role
B.show vpc consistency-parameters
C.show vpc peer-keepalive
D.show vpc
E.show vpc statistics
AnswersB, D

This checks for configuration mismatches between VPC peers.

Why this answer

Option D (show vpc) is correct because it displays the overall VPC status, including the local and peer VPC system MAC, role, and the operational state of each VPC member port. Option B (show vpc consistency-parameters) is correct because it verifies that critical parameters (e.g., STP mode, VLAN interfaces, MTU) are consistent between the two VPC peers, which is essential for VPC to function correctly and avoid traffic black-holing.

Exam trap

Cisco often tests the distinction between commands that show operational status (show vpc) versus those that verify configuration synchronization (show vpc consistency-parameters), leading candidates to mistakenly select 'show vpc role' or 'show vpc peer-keepalive' as sufficient for consistency checks.

360
MCQeasy

A large financial institution has recently migrated its data center network to a new Cisco ACI fabric. The operations team is tasked with automating the provisioning of new application tenants, including EPGs, contracts, and bridge domains, using the APIC REST API. They have developed a comprehensive set of Python scripts that successfully performed these actions in their lab environment. However, when deploying the scripts to production, they receive an 'SSL: CERTIFICATE_VERIFY_FAILED' error from the requests library. The production APIC cluster uses a self-signed certificate for HTTPS, and the corporate security policy strictly prohibits the use of HTTP or disabling certificate verification. Additionally, the policy does not allow replacing the self-signed certificate with a CA-signed one without a lengthy approval process that could delay the automation project. The team needs an immediate solution that maintains security best practices. What should the team do?

A.Use HTTP instead of HTTPS for the API calls.
B.Add the self-signed certificate to the Python trust store by using the cert file in the verify parameter.
C.Disable SSL certificate verification in the Python requests by setting verify=False.
D.Request an exception to the security policy to allow a CA-signed certificate.
AnswerB

This enables verification against the specific certificate, maintaining security without policy changes.

Why this answer

Option B is correct because pointing the verify parameter at the self-signed certificate file allows verification to succeed while maintaining security. Option C disables verification, violating the security policy. Option D requires a policy change that is not immediate.

Option A uses HTTP, which is insecure and also prohibited by the policy.
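As an added example (not code from the original question bank) covering both question 349 (the 'ins_api' envelope NX-API expects) and question 360 (verifying a self-signed certificate instead of disabling verification), the following Python builds and validates the NX-API request envelope and sends it over HTTPS using a TLS context that trusts only the certificate file you supply. The switch URL, credentials and certificate path are placeholders; the `/ins` endpoint, the envelope fields and the `' ;'` command separator are standard NX-API, and `ssl.create_default_context(cafile=...)` is the standard-library equivalent of the requests library's `verify='<path>'`.

```python
"""Build, check and send an NX-API 'ins_api' request (added example).

Placeholders: switch URL, username/password and the certificate file path
must be replaced with real values before send_nxapi() is used.
"""
import base64
import json
import ssl
import urllib.request

# Fields NX-API expects inside the ins_api wrapper; a bare command string
# or a wrapper missing these earns an HTTP 400 "Invalid request payload".
REQUIRED_FIELDS = ("version", "type", "chunk", "sid", "input", "output_format")
VALID_TYPES = ("cli_show", "cli_show_ascii", "cli_conf", "bash")


def build_nxapi_payload(commands, msg_type="cli_show", output_format="json"):
    """Wrap one or more CLI commands in the ins_api envelope.

    NX-API takes multiple commands as a single 'input' string joined by ' ;'.
    """
    if msg_type not in VALID_TYPES:
        raise ValueError(f"unsupported NX-API type: {msg_type}")
    return {
        "ins_api": {
            "version": "1.0",
            "type": msg_type,
            "chunk": "0",   # "0": return the whole response in one piece
            "sid": "1",     # session id; "1" is fine for standalone requests
            "input": " ;".join(commands),
            "output_format": output_format,
        }
    }


def validate_envelope(payload):
    """Return None for a well-formed ins_api request, else a message naming
    the defect, so a script can fail locally instead of at the switch."""
    if not isinstance(payload, dict) or "ins_api" not in payload:
        return "missing 'ins_api' wrapper"
    body = payload["ins_api"]
    missing = [f for f in REQUIRED_FIELDS if f not in body]
    if missing:
        return "ins_api missing fields: " + ", ".join(missing)
    if body["type"] not in VALID_TYPES:
        return f"unsupported type '{body['type']}'"
    return None


def build_tls_context(cafile):
    """TLS context that trusts only the certificate(s) in cafile.

    Pointing this at the switch's own self-signed certificate keeps
    verification enabled (the stdlib counterpart of requests' verify=path),
    rather than switching it off with the equivalent of verify=False.
    """
    return ssl.create_default_context(cafile=cafile)


def send_nxapi(url, payload, username, password, cafile):
    """POST the envelope to https://<switch>/ins and return the parsed reply.

    Not executed in this example (it needs a live switch); it shows how the
    validated envelope and the verified TLS context fit together.
    """
    problem = validate_envelope(payload)
    if problem:
        raise ValueError(problem)
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=build_tls_context(cafile)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    good = build_nxapi_payload(["show version", "show nve peers"])
    print(json.dumps(good, indent=2))
    # A bare command with no wrapper is exactly the mistake from question 349.
    print(validate_envelope({"input": "show version"}))
    # Usage with placeholders (not run here):
    # send_nxapi("https://SWITCH-PLACEHOLDER/ins", good, "USER", "PASS",
    #            "/path/to/switch-selfsigned.pem")
```

Running `validate_envelope` before every POST turns the switch's generic HTTP 400 into a local error that names the missing field, and keeping `cafile` pointed at the exported switch certificate satisfies the policy in question 360 without HTTP or unverified TLS.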

361
MCQhard

A network engineer is configuring Cisco Nexus VXLAN with BGP EVPN. The VTEPs are using loopback0 as the NVE source. The physical interfaces are up, but the NVE interface remains down. What is the most likely cause?

A.The loopback0 interface is not reachable via the underlay network.
B.The NVE interface is not configured with source-interface.
C.The VLAN 1 is not associated with the NVE interface.
D.The loopback0 interface is not created.
AnswerA

The NVE source must be routable in the underlay. If loopback0 is not advertised by IGP, the NVE interface stays down.

Why this answer

The NVE interface requires the specified source interface (loopback0) to have IP reachability via the underlay network to establish VXLAN tunnels. If loopback0 is not reachable (e.g., due to missing OSPF/IS-IS routes or incorrect underlay configuration), the NVE interface will remain in a down state even if the physical interfaces are up. This is because the NVE interface depends on the underlay routing to encapsulate and forward VXLAN traffic.

Exam trap

Cisco often tests the dependency of the NVE interface on underlay IP reachability, tricking candidates into focusing on NVE-specific configuration errors (like missing source-interface) rather than verifying the underlay routing for the loopback address.

How to eliminate wrong answers

Option B is wrong because the NVE interface is already configured with source-interface loopback0 (as stated in the question), so the absence of that configuration is not the issue. Option C is wrong because VLAN 1 association with the NVE interface is not required for the NVE interface to come up; VLANs are mapped to VNIs after the NVE is operational. Option D is wrong because the loopback0 interface is explicitly mentioned as the NVE source, implying it exists; if it were not created, the NVE configuration would fail at the CLI level, not just keep the interface down.

362
MCQeasy

Which FCoE feature allows multiple VLANs to be carried over a single physical link when using FIP snooping?

A.NPV
B.VSANs
C.FIP snooping
D.Port channels
AnswerC

FIP snooping enables multiple FCoE VLANs on a link.

Why this answer

FIP snooping (FCoE Initialization Protocol snooping) is used in FCoE environments to enable multiple FCoE VLANs on a single link. Option A is wrong because NPV is a Fibre Channel feature. Option B is wrong because VSANs are a Fibre Channel construct.

Option D is wrong because port channels provide link aggregation, not VLAN support.

363
MCQmedium

Refer to the exhibit. After applying this configuration, the engineer activates the zoneset with 'zoneset activate name ZONESET1 vsan 10'. The host with pwwn 10:00:00:00:c9:aa:bb:01 can communicate with the target with pwwn 10:00:00:00:c9:aa:bb:02. However, the host reports that it cannot see a third target with pwwn 10:00:00:00:c9:aa:bb:03. What is the most likely reason?

A.The third target is in a different VSAN.
B.The third target is not a member of ZONE1.
C.The zone name is case-sensitive and does not match.
D.The zoneset was not activated successfully.
AnswerB

Zoning restricts access; only members of the same zone can communicate.

Why this answer

The host can communicate with the target in ZONE1 (pwwn 10:00:00:00:c9:aa:bb:02) but not with the third target (pwwn 10:00:00:00:c9:aa:bb:03). This indicates that the zoneset activation was successful and the host is in the correct VSAN. The most likely reason is that the third target is not a member of ZONE1; in Fibre Channel zoning, only members of the same zone can communicate, and a device not in the zone will be invisible to other zone members.

Exam trap

The trap here is that candidates may assume the third target is in a different VSAN or that the zoneset activation failed, but the key is that successful communication with one target proves the zoneset is active and the host is in the correct VSAN, so the issue must be that the third target is simply not a member of the zone.

How to eliminate wrong answers

Option A is wrong because the host already communicates with one target in VSAN 10, where the zoneset was activated; a target in a different VSAN would not be part of this zoneset and would be invisible for that reason, but nothing in the scenario indicates a VSAN mismatch, so the simpler explanation is that the third target is in the same VSAN and simply not zoned. Option C is wrong because, although zone names in Cisco NX-OS are case-sensitive, 'ZONE1' and 'ZONESET1' are the names of two different objects (the zone and the zoneset), so there is no case mismatch; the zone is correctly referenced in the zoneset membership. Option D is wrong because the host can communicate with the first target, which proves the zoneset was activated successfully; if activation had failed, no communication would occur.

364
MCQ (hard)

A data center design requires Layer 2 extension between two sites using OTV. The network engineer notices that MAC addresses from Site A are not learned at Site B. OTV adjacency is up, and both sites have the same overlay interface configured. Which configuration issue is most likely the cause?

A.The OTV control group is misconfigured on one side.
B.The spanning tree root bridge is different at each site.
C.The multicast group range for the overlay does not match.
D.The site VLAN is not allowed on the OTV join interface.
Answer: D

The VLAN has to be carried to the OTV edge device and extended over the overlay; a working adjacency alone extends nothing.

Why this answer

D is correct in the answer key because it is the only option that describes a data-plane (VLAN transport) fault rather than a control-plane one: if the site VLAN is not carried to the OTV edge device, the edge device never sees that site's frames, never learns their MAC addresses, and so never advertises them to the remote site, even though the overlay adjacency is up. Strictly, in NX-OS OTV the join interface is a Layer 3 interface and VLANs (the site VLAN and the VLANs listed under 'otv extend-vlan') are trunked on the internal interfaces, so on a real deployment the first checks are 'show otv vlan' and the 'otv extend-vlan' list on the overlay interface; read option D as that VLAN-transport check.

Exam trap

Cisco often tests the distinction between control-plane (adjacency) and data-plane (VLAN transport) issues, and the trap here is that candidates assume a working OTV adjacency guarantees all VLANs are extended, overlooking the need to explicitly allow the site VLAN on the join interface.

How to eliminate wrong answers

Option A is wrong because the control group carries the OTV control plane (IS-IS hellos and the MAC advertisements that ride on them); if it were misconfigured on one side, the adjacency would not form, and the question states it is up. Option B is wrong because OTV does not forward BPDUs over the overlay and keeps each site's STP domain independent (loop prevention across sites relies on the Authoritative Edge Device election, not on STP), so a different root bridge per site is expected and does not affect MAC learning. Option C is wrong because the data group range is used only to carry multicast data traffic across the overlay; a mismatch would break multicast forwarding but not the IS-IS-based MAC advertisement, and the question states the overlay interface configuration matches on both sides.

365
MCQ (medium)

A network administrator configures DHCP snooping on a Nexus 9000 switch. The legitimate DHCP server is connected to Ethernet 1/1. An unauthorized DHCP server is detected on Ethernet 1/2. Which action should be taken to prevent the unauthorized server from offering IP addresses?

A.Enable the DHCP snooping information option
B.Set Ethernet 1/2 as a trusted port
C.Disable DHCP snooping globally
D.Set Ethernet 1/1 as a trusted port
Answer: D

The DHCP server port must be trusted to permit DHCP server messages such as OFFER and ACK.

Why this answer

Option D is correct because DHCP snooping uses the concept of trusted and untrusted ports. By default, all ports are untrusted. Setting Ethernet 1/1, where the legitimate DHCP server is connected, as a trusted port allows DHCP server messages (OFFER, ACK, etc.) from that port to be forwarded.

All other ports, including Ethernet 1/2, remain untrusted, so any DHCP server messages received on them are dropped, effectively blocking the unauthorized DHCP server.

Exam trap

Cisco often tests the misconception that the fix is applied to the offending port. Every port is untrusted by default, so the only configuration step is to mark the legitimate server's port (Ethernet 1/1) as trusted with 'ip dhcp snooping trust'; candidates who reason from the rogue port pick option B, the opposite of what is needed, and those who think the feature is the problem pick option C.

How to eliminate wrong answers

Option A is wrong because enabling the DHCP snooping information option (option 82) inserts circuit-id and remote-id information into DHCP packets, but it does not control which ports are allowed to send DHCP server messages; it is used for DHCP relay and security auditing, not for blocking unauthorized servers. Option B is wrong because setting Ethernet 1/2 as a trusted port would allow the unauthorized DHCP server's messages to be forwarded, which is the opposite of the desired action. Option C is wrong because disabling DHCP snooping globally would remove all protection, allowing both legitimate and unauthorized DHCP servers to operate freely, which does not prevent the unauthorized server from offering IP addresses.
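The trusted/untrusted logic described above, as an added example in Python (not code from the page, from Cisco, or from NX-OS): a model of a DHCP snooping agent that forwards server messages only from trusted ports, verifies on untrusted ports that the Ethernet source MAC matches the DHCP client hardware address (chaddr), and builds the binding table from ACKs returned for requests it has seen. The NX-OS commands quoted in the docstring are the real ones for the question's scenario; the interface names, VLAN 10, MAC addresses and message sequence are constructed for the example.

```python
"""Model of DHCP snooping port trust, as an added example (not Cisco code).

Corresponding NX-OS configuration for the scenario in the question:
    feature dhcp
    ip dhcp snooping
    ip dhcp snooping vlan 10
    ip dhcp snooping verify mac-address
    interface Ethernet1/1
      ip dhcp snooping trust          ! legitimate DHCP server
Ethernet1/2 (rogue server) is left in the default untrusted state.
Verify with: show ip dhcp snooping ; show ip dhcp snooping binding
"""
from dataclasses import dataclass, field

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}        # only legal from trusted ports
CLIENT_MESSAGES = {"DISCOVER", "REQUEST", "RELEASE", "DECLINE", "INFORM"}


@dataclass
class DhcpPacket:
    ingress: str      # ingress interface, e.g. "Ethernet1/2"
    vlan: int
    src_mac: str      # Ethernet source address of the frame
    chaddr: str       # client hardware address in the DHCP header
    msg_type: str     # DHCP message type (option 53)
    yiaddr: str = ""  # address offered/assigned in server messages


@dataclass
class DhcpSnooping:
    snooping_vlans: set
    trusted: set = field(default_factory=set)
    verify_mac: bool = True
    pending: dict = field(default_factory=dict)   # (vlan, chaddr) -> client port
    bindings: dict = field(default_factory=dict)  # (vlan, chaddr) -> (ip, port)
    drops: list = field(default_factory=list)

    def _drop(self, pkt, reason):
        self.drops.append(f"{pkt.ingress} vlan {pkt.vlan} {pkt.msg_type}: {reason}")
        return "DROP"

    def handle(self, pkt: DhcpPacket) -> str:
        """Return FORWARD or DROP for one DHCP packet, updating snooping state."""
        if pkt.vlan not in self.snooping_vlans:
            return "FORWARD"                      # VLAN not snooped: not inspected
        if pkt.ingress in self.trusted:
            # Server messages are accepted here; a binding is created when an ACK
            # arrives for a client whose request was seen on an untrusted port.
            if pkt.msg_type == "ACK" and pkt.yiaddr:
                client_port = self.pending.pop((pkt.vlan, pkt.chaddr), None)
                if client_port:
                    self.bindings[(pkt.vlan, pkt.chaddr)] = (pkt.yiaddr, client_port)
            return "FORWARD"
        # Untrusted port (the default for every interface)
        if pkt.msg_type in SERVER_MESSAGES:
            return self._drop(pkt, "server message on untrusted port")
        if pkt.msg_type not in CLIENT_MESSAGES:
            return self._drop(pkt, "unknown message type")
        if self.verify_mac and pkt.src_mac.lower() != pkt.chaddr.lower():
            return self._drop(pkt, "source MAC does not match chaddr")
        if pkt.msg_type in {"DISCOVER", "REQUEST"}:
            self.pending[(pkt.vlan, pkt.chaddr)] = pkt.ingress
        return "FORWARD"


def run_scenario():
    """Constructed scenario: legitimate server on Eth1/1, rogue server on Eth1/2."""
    snoop = DhcpSnooping(snooping_vlans={10}, trusted={"Ethernet1/1"})
    client = "0050.56aa.0001"
    results = [
        snoop.handle(DhcpPacket("Ethernet1/5", 10, client, client, "DISCOVER")),
        # rogue OFFER: server MAC as source, client's chaddr, untrusted port
        snoop.handle(DhcpPacket("Ethernet1/2", 10, "0050.56bb.0002", client, "OFFER", "10.10.10.200")),
        snoop.handle(DhcpPacket("Ethernet1/1", 10, "0050.56cc.0003", client, "OFFER", "10.10.10.50")),
        snoop.handle(DhcpPacket("Ethernet1/5", 10, client, client, "REQUEST")),
        snoop.handle(DhcpPacket("Ethernet1/1", 10, "0050.56cc.0003", client, "ACK", "10.10.10.50")),
        # spoofed client: Ethernet source differs from the chaddr it claims
        snoop.handle(DhcpPacket("Ethernet1/6", 10, "0050.56dd.0004", "0050.56ee.0005", "DISCOVER")),
    ]
    return results, snoop
```

run_scenario() replays the question: the rogue OFFER on Ethernet1/2 is dropped, the legitimate OFFER and ACK on Ethernet1/1 are forwarded, and the ACK creates the binding that 'show ip dhcp snooping binding' would list; the final DISCOVER is dropped by MAC verification because the frame's source address and chaddr disagree.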

366
MCQ (easy)

A network engineer is configuring OSPF on a Cisco Nexus switch for a data center network. The requirement is to ensure that the switch does not become the Designated Router (DR) on a multi-access segment. Which OSPF configuration achieves this?

A.Set OSPF priority to 255 on the interface
B.Set OSPF priority to 0 on the interface
C.Change the OSPF network type to point-to-point
D.Configure the interface as passive under OSPF
Answer: B

Priority 0 means the router will never become DR or BDR.

Why this answer

Setting the OSPF priority to 0 on the interface prevents the switch from participating in the DR/BDR election process, ensuring it will never become the Designated Router (DR) or Backup Designated Router (BDR) on a multi-access segment. This is the standard method per RFC 2328 to make a router ineligible for DR/BDR status while still allowing it to form full adjacencies with the DR and BDR.

Exam trap

Cisco often tests the misconception that setting a high priority (like 255) ensures a router does not become DR, when in fact it does the opposite; the trap here is confusing priority 0 (ineligible) with priority 255 (most likely to be elected).

How to eliminate wrong answers

Option A is wrong because priority 255 is the highest possible value and makes the switch the most likely router to be elected DR, the opposite of the requirement. Option C is wrong because point-to-point removes the DR/BDR election for the whole segment rather than exempting one router; it is only valid when exactly two routers share the link, and on a genuinely multi-access segment the other routers would keep running as broadcast, so the mismatch breaks the neighbor model instead of solving the problem. Option D is wrong because a passive interface ('ip ospf passive-interface' on NX-OS) stops sending hellos altogether, so the switch forms no adjacency on that interface at all, which is far more restrictive than declining the DR role; the correct command is 'ip ospf priority 0' under the interface.

367
Multi-Select (hard)

Which TWO statements are true about Control Plane Policing (CoPP) on a Cisco Nexus 9000 switch? (Choose two.)

Select 2 answers
A.CoPP can be used to limit the rate of ICMP unreachable messages.
B.CoPP automatically drops all unknown unicast traffic.
C.CoPP is configured using the 'control-plane' sub-mode with policy-maps.
D.CoPP applies only to traffic destined to the switch management IP.
E.CoPP can be used to prioritize OSPF traffic over SSH.
Answers: A, C

ICMP unreachable messages can be rate-limited with CoPP to prevent DoS.

Why this answer

Option A is correct because CoPP rate-limits traffic punted to the supervisor CPU, including ICMP unreachable generation and other ICMP messages: a class-map of type control-plane matches the traffic and the policy-map polices it, so a flood of such packets cannot starve routing protocols or management sessions of CPU time. Option C is correct because on NX-OS CoPP is a 'policy-map type control-plane' built from 'class-map type control-plane' classes and attached with 'service-policy input' in the 'control-plane' configuration sub-mode; the Nexus 9000 ships with predefined policies such as 'copp-system-p-policy-strict', and 'show policy-map interface control-plane' displays per-class conformed and violated counters, which is where an investigation of a CPU flood starts.

Exam trap

Cisco often tests the misconception that CoPP is only for management IP traffic or that it can prioritize traffic, when in fact it is a policing mechanism for all control-plane traffic and does not provide prioritization.

How to eliminate wrong answers

Option B is wrong because unknown unicast flooding is a data-plane forwarding decision made in hardware, not control-plane traffic, and CoPP never drops it. Option D is wrong because CoPP applies to every packet punted to the CPU (routing protocol packets, ARP, ICMP, glean traffic, SSH and SNMP arriving on any interface), not only to traffic addressed to the management interface. Option E is wrong because each CoPP class is policed independently with 'police cir ... conform transmit violate drop'; classes are not queued or scheduled against one another, so OSPF cannot be given priority over SSH, only a separate rate.

368
MCQ (medium)

A large enterprise data center uses Cisco UCS Manager to manage hundreds of blade servers. The automation team has been using Python SDK scripts to provision service profiles. Recently, after a UCS Manager firmware upgrade, several scripts that previously worked are now failing with 'AttributeError: 'ServiceProfile' object has no attribute 'set_vnic_order''. The team confirms that the UCS Manager version changed from 4.0 to 4.2. Which course of action should the engineer take to resolve the issue?

A.Use the UCS Manager XML API directly without the SDK
B.Downgrade UCS Manager back to version 4.0 to restore compatibility
C.Replace Python scripts with Ansible modules that use the UCS API
D.Update the Python SDK to the version that supports UCS Manager 4.2 and modify scripts accordingly
Answer: D

Permanent fix; SDK update restores API compatibility.

Why this answer

The Python SDK for UCS Manager tracks the managed object model of a given UCS Manager release; upgrading UCS Manager from 4.0 to 4.2 changes that model and can deprecate or remove helper methods such as 'set_vnic_order', which surfaces in the scripts as an AttributeError. Updating the SDK to a release that supports UCS Manager 4.2 and adjusting the scripts to the new method signatures or attributes resolves the error. Operationally, pin the SDK version in the automation environment, record the UCS Manager version it was tested against, and re-run the scripts against a lab or staging domain before upgrading production firmware, so the break is found before the change window rather than after it.

Exam trap

Cisco often tests the misconception that direct API usage (Option A) or alternative tools (Option C) bypass version compatibility issues, when in fact all API layers require version alignment.

How to eliminate wrong answers

Option A is wrong because using the UCS Manager XML API directly without the SDK would require rewriting all scripts from scratch, which is more labor-intensive and error-prone than updating the SDK; the XML API also undergoes version changes, so it would not inherently avoid compatibility issues. Option B is wrong because downgrading UCS Manager is a backward step that loses new features, security patches, and bug fixes, and it is not a sustainable solution for an enterprise environment. Option C is wrong because replacing Python scripts with Ansible modules is unnecessary and introduces a new toolchain; Ansible modules also rely on the UCS API and would require similar version compatibility updates.

369
MCQ (easy)

A multicast application requires that all receivers join the same group using PIM sparse mode. Which router is responsible for forwarding traffic from the source to the RP?

A.Rendezvous point (RP)
B.First-hop router
C.Last-hop router
D.Source-specific router
Answer: B

The source's DR (first-hop router) encapsulates the traffic in PIM Register messages and unicasts it to the RP.

Why this answer

In PIM sparse mode, the first-hop router (the designated router on the source's subnet) encapsulates the source's multicast packets in unicast PIM Register messages and sends them to the rendezvous point (RP). The RP decapsulates them and forwards them down the shared tree, then sends an (S,G) Join toward the source to build the shortest-path tree (SPT); once native traffic arrives over the SPT, the RP sends a Register-Stop and the first-hop router stops encapsulating.

Exam trap

Cisco often tests the misconception that the RP originates or forwards traffic from the source, when in fact the first-hop router is the one that encapsulates and sends the source traffic to the RP using PIM register messages.

How to eliminate wrong answers

Option A is wrong because the RP is the meeting point for receivers and sources, but it does not forward traffic from the source to itself; it receives register messages from the first-hop router and then joins the SPT toward the source. Option C is wrong because the last-hop router (the router directly connected to receivers) is responsible for sending PIM join messages toward the RP and later switching to the SPT, not for forwarding traffic from the source to the RP. Option D is wrong because there is no standard 'source-specific router' in PIM sparse mode; the concept of source-specific multicast (SSM) uses a different model (PIM-SSM) where receivers join directly to the source via (S,G) state, bypassing the RP entirely.

370
Multi-Select (hard)

An engineer is designing a Cisco ACI multi-site solution. Which two considerations are critical for inter-site connectivity? (Choose two.)

Select 2 answers
A.Configure a stretch VLAN across sites.
B.Use a separate OSPF process per site.
C.Deploy a L3Out at each site for external connectivity.
D.Use a single APIC cluster for both sites.
E.Ensure IP connectivity between the sites for the underlay.
Answers: C, E

Each site typically has its own L3Out.

Why this answer

In Cisco ACI Multi-Site, each site runs its own APIC cluster and independent fabric, and the sites are stitched together by Nexus Dashboard Orchestrator (formerly Multi-Site Orchestrator) across the Inter-Site Network (ISN). Option C is correct because a L3Out at each site gives that site's endpoints local external connectivity, so traffic exits locally instead of being hair-pinned across the ISN. Option E is correct because the ISN is a plain IP routed network: the spines of each site need IP reachability to each other and to the orchestrator, and because inter-site traffic is VXLAN-encapsulated the ISN MTU must allow for the additional 50 bytes of VXLAN overhead on top of the fabric MTU.

Exam trap

Cisco often tests the misconception that a single APIC cluster can manage multiple sites, but in reality, each site requires its own APIC cluster for independent operation and fault isolation.

How to eliminate wrong answers

Option A is wrong because Layer 2 is stretched between sites as a VXLAN overlay across the routed ISN, not by trunking a VLAN between them. Option B is wrong because how the ISN routers peer with the spines (OSPF is the usual choice) is an underlay detail, not a defining inter-site requirement; no per-site OSPF process is mandated. Option D is wrong because each site has its own APIC cluster, and the orchestrator, not a shared APIC, federates policy across sites.

371
Multi-Select (easy)

Which TWO are required for FCoE communication on a Nexus switch configured as an FCF? (Choose two.)

Select 2 answers
A.Jumbo frame support on the VLAN
B.VSAN configuration for the FCoE VLAN
C.NPV enabled on the switch
D.A dedicated FCoE VLAN
E.DCBX exchange to enable priority flow control
Answers: D, E

FCoE frames travel in a dedicated VLAN over a link that DCBX has negotiated as lossless.

Why this answer

In an FCoE configuration where the Nexus switch acts as the FCF (FCoE Forwarder, the Fibre Channel switching function reached over Ethernet), a dedicated FCoE VLAN is required to carry FCoE traffic. That VLAN must not carry ordinary Ethernet traffic, and in NX-OS it is bound to a VSAN with 'fcoe vsan <id>' under the VLAN, which is how option B's VSAN relates to it; the answer key treats the dedicated VLAN itself and the DCBX negotiation as the two defining requirements. DCBX (Data Center Bridging Exchange) must run on the link so that Priority Flow Control (PFC) is enabled for the FCoE class of service (CoS 3 by default), providing the lossless behaviour Fibre Channel requires; verify with 'show interface priority-flow-control' and 'show fcoe'.

Exam trap

Cisco often tests the distinction between a dedicated FCoE VLAN (required) and jumbo frame support (optional), leading candidates to mistakenly select jumbo frames as a requirement. FCoE frames do exceed 1500 bytes (a maximum Fibre Channel frame carries 2112 bytes of payload plus headers), but the NX-OS 'class-fcoe' QoS class already carries the larger MTU for that traffic class, so no VLAN-wide jumbo configuration is needed. NPV is likewise not a requirement: it is the mode of an edge switch that proxies fabric logins without owning a domain ID, whereas an FCF runs full fabric services.

372
MCQ (easy)

An engineer notices that AAA authentication using RADIUS is failing, and the RADIUS server logs show no incoming authentication requests. Which of the following is the most likely cause?

A.The device has not been configured with any RADIUS server host
B.The device is using TACACS+ instead of RADIUS
C.The RADIUS server is not reachable due to a firewall
D.The RADIUS shared secret is incorrect
Answer: A

Without a configured server host, no RADIUS requests are generated, so no logs appear.

Why this answer

If the RADIUS server logs show no incoming authentication requests, the device is not sending any traffic to the server. This is what happens when no RADIUS server host is configured ('radius-server host <address> key ...' on NX-OS) and the server group is empty: the device has no address to send Access-Request packets to, so none are generated and none reach the server. On NX-OS, 'show radius-server' lists the configured hosts, and 'test aaa server radius <host> <user> <password>' sends a single Access-Request so that the server log, a packet capture, or the counters in 'show radius-server statistics <host>' can confirm whether packets actually leave the switch.

Exam trap

Cisco often tests the distinction between configuration errors that prevent packet generation (a missing server host) and errors that cause rejection or timeout once the packet is on the wire (a wrong secret, a firewall drop). The trap is assuming that any authentication failure must be a network-level problem rather than a missing fundamental configuration element; the exam's reading is that an empty server log points to the device never sending anything, and the missing host definition is the most basic reason for that.

How to eliminate wrong answers

Option B is wrong because the question says RADIUS authentication is failing, which implies RADIUS is the configured method; if TACACS+ were in use, the device would be sending TACACS+ to TCP port 49 and the failure would present as a TACACS+ problem. Option C is wrong in the answer key's reading because it describes a transport failure rather than a missing configuration element: the device would generate Access-Requests and report timeouts. In practice a firewall drop would also leave the server log empty, so the server log alone cannot separate A from C; what separates them is the device side, where 'show radius-server statistics <host>' shows requests sent and timed out for C and no configured host at all for A. Option D is wrong because an incorrect shared secret does not stop the device from sending Access-Requests; the server receives them, fails to verify the Message-Authenticator or to decode the hidden User-Password, and logs the request with an error such as a bad shared secret, so the log would not be empty.
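The difference between a request that is never sent and one that is sent with a bad secret, as an added example in Python (not code from the page or from Cisco): a minimal RADIUS Access-Request builder implementing RFC 2865 User-Password hiding and the RFC 3579 Message-Authenticator, plus the checks a server performs on receipt. The username, passwords, shared secrets and NAS address are constructed for the example; real clients randomize the 16-byte Request Authenticator, which is passed in here only so the result is reproducible.

```python
"""RADIUS Access-Request construction and server-side checks (added example).

Shows why a wrong shared secret still produces a packet the server receives
and logs, unlike a missing 'radius-server host', which sends nothing at all.
Implements RFC 2865 User-Password hiding and the RFC 3579 Message-Authenticator.
Usernames, passwords, secrets and the NAS address are constructed for the example;
a real client would use secrets.token_bytes(16) for the Request Authenticator.
"""
import hashlib
import hmac
import socket
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += block
        prev = block                     # chaining uses the ciphertext block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("RADIUS attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator):
    """Build an Access-Request with User-Name, User-Password, NAS-IP-Address and a
    Message-Authenticator (HMAC-MD5 over the packet with attribute 80 zeroed)."""
    attrs = (_attr(ATTR_USER_NAME, username.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + _attr(ATTR_NAS_IP, socket.inet_aton(nas_ip))
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac            # Message-Authenticator is the last attribute


def parse_packet(packet: bytes):
    """Return (code, identifier, authenticator, [(type, value, offset), ...]);
    rejects length mismatches and malformed attributes before anything is trusted."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute length")
        attrs.append((attr_type, packet[pos + 2:pos + attr_len], pos))
        pos += attr_len
    return code, identifier, packet[4:20], attrs


def server_check(packet: bytes, secret: bytes):
    """What the server can tell from a received request: whether the
    Message-Authenticator verifies under its secret, and the recovered password."""
    code, _, authenticator, attrs = parse_packet(packet)
    if code != ACCESS_REQUEST:
        raise ValueError("not an Access-Request")
    hidden = next(v for t, v, _ in attrs if t == ATTR_USER_PASSWORD)
    mac_ok = False
    for t, v, off in attrs:
        if t == ATTR_MESSAGE_AUTHENTICATOR:
            zeroed = packet[:off + 2] + b"\x00" * 16 + packet[off + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            mac_ok = hmac.compare_digest(expected, v)
    return mac_ok, reveal_password(hidden, secret, authenticator)
```

With the correct secret the server recovers the password and the Message-Authenticator verifies; with a wrong secret the same bytes still arrive (and would appear in the server log) but the HMAC fails and the revealed password is garbage. The device-side omission in option A produces no packet at all, which is why only that case leaves the log empty.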

373
MCQ (hard)

An engineer is troubleshooting BGP EVPN control plane. They issue 'show bgp l2vpn evpn' and see Type-3 routes but no Type-2 routes for any VNI. Which condition is most likely?

A.The VTEP has not learned any MAC addresses
B.The overlay VNI is not mapped to a VLAN
C.The BGP neighbor is not from the same AS
D.The EVPN address-family is not enabled
Answer: A

Type-2 routes carry MAC/IP information. Without any MACs learned, no Type-2 routes are generated.

Why this answer

Type-3 routes (Inclusive Multicast Ethernet Tag routes) are originated as soon as a Layer 2 VNI is added to the NVE interface with 'member vni <id>' and enabled for EVPN ingress replication or a multicast group, independently of any host traffic; they tell remote VTEPs where to send BUM traffic for that VNI. Type-2 routes (MAC/IP Advertisement routes) are only originated after the VTEP learns a local MAC on an access port (the IP part is added from ARP/ND snooping), so Type-3 present with no Type-2 for every VNI means no local hosts have been learned yet. Confirm with 'show nve vni' (VNI state and replication peers), 'show mac address-table vlan <vlan>' (local learning) and 'show l2route evpn mac all' (what is being handed to BGP).

Exam trap

Cisco often tests the distinction between control-plane-generated routes (Type-3) and data-plane-triggered routes (Type-2), trapping candidates who assume both route types appear simultaneously upon VNI configuration.

How to eliminate wrong answers

Option B is wrong because an unmapped overlay VNI would prevent Type-3 routes from being generated as well, but the question states Type-3 routes are present. Option C is wrong because BGP EVPN sessions can operate between different AS numbers (eBGP) or the same AS (iBGP); AS mismatch does not selectively suppress Type-2 routes while allowing Type-3 routes. Option D is wrong because if the EVPN address-family were not enabled, no EVPN routes (including Type-3) would appear in the BGP table.
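A triage script for the symptom in this question, as an added example in Python (not from the page or from Cisco): it parses 'show bgp l2vpn evpn' text, counts Type-2 and Type-3 routes per L2VNI, records which Type-2 routes are locally originated (path type 'l'), and flags VNIs that have Type-3 but no Type-2. SAMPLE_OUTPUT is constructed to approximate NX-OS formatting and is not a capture from a real switch; column spacing on a live device may differ, but the parser keys only on the 'Route Distinguisher' header and the bracketed route prefix.

```python
"""Triage of 'show bgp l2vpn evpn' output: which VNIs have Type-3 but no Type-2.

Added example, not from the page or from Cisco. SAMPLE_OUTPUT is constructed to
approximate NX-OS formatting; on a real switch capture the output of
    show bgp l2vpn evpn
and pass the text to triage().
"""
import re

SAMPLE_OUTPUT = """\
BGP routing table information for VRF default, address family L2VPN EVPN
BGP table version is 42, Local Router ID is 10.1.1.1
Status: s-suppressed, x-deleted, S-stale, d-dampened, h-history, *-valid, >-best
Path type: i-internal, e-external, c-confed, l-local, a-aggregate, r-redist, I-injected

   Network            Next Hop            Metric     LocPrf     Weight Path
Route Distinguisher: 10.1.1.1:32777    (L2VNI 10010)
*>l[2]:[0]:[0]:[48]:[0050.56a1.0001]:[0]:[0.0.0.0]/216
                      10.1.1.1                          100      32768 i
*>i[2]:[0]:[0]:[48]:[0050.56a1.0002]:[32]:[10.10.10.22]/272
                      10.1.1.2                          100          0 i
*>l[3]:[0]:[32]:[10.1.1.1]/88
                      10.1.1.1                          100      32768 i
*>i[3]:[0]:[32]:[10.1.1.2]/88
                      10.1.1.2                          100          0 i

Route Distinguisher: 10.1.1.1:32778    (L2VNI 10011)
*>l[3]:[0]:[32]:[10.1.1.1]/88
                      10.1.1.1                          100      32768 i
*>i[3]:[0]:[32]:[10.1.1.2]/88
                      10.1.1.2                          100          0 i
"""

RD_LINE = re.compile(r"^Route Distinguisher:\s+(\S+)\s+\(L2VNI\s+(\d+)\)")
# status/path-type flags (e.g. "*>l") immediately precede "[<type>]:" on route lines
ROUTE_LINE = re.compile(r"^(?P<flags>[^\s\[]*)\[(?P<rtype>\d)\]:(?P<rest>\S+)$")
MAC_FIELD = re.compile(r"\[48\]:\[([0-9a-f.]+)\]")


def parse_evpn_table(text: str) -> dict:
    """Map each L2VNI to its route inventory:
    {'rd': str, 'type2': int, 'type3': int, 'local_type2': int, 'macs': [...]}."""
    vnis, current = {}, None
    for line in text.splitlines():
        rd = RD_LINE.match(line)
        if rd:
            current = int(rd.group(2))
            vnis[current] = {"rd": rd.group(1), "type2": 0, "type3": 0,
                             "local_type2": 0, "macs": []}
            continue
        route = ROUTE_LINE.match(line)
        if not route or current is None:
            continue                      # header, next-hop or blank line
        entry = vnis[current]
        rtype = route.group("rtype")
        if rtype == "2":
            entry["type2"] += 1
            if "l" in route.group("flags"):
                entry["local_type2"] += 1
            mac = MAC_FIELD.search(route.group("rest"))
            if mac:
                entry["macs"].append(mac.group(1))
        elif rtype == "3":
            entry["type3"] += 1
    return vnis


def triage(text: str) -> dict:
    """Classify each VNI: 'OK', 'NO-TYPE2' (Type-3 present, no MAC/IP routes),
    'NO-LOCAL-TYPE2' (only remote MACs advertised) or 'NO-ROUTES'."""
    verdicts = {}
    for vni, e in parse_evpn_table(text).items():
        if e["type3"] == 0 and e["type2"] == 0:
            verdicts[vni] = "NO-ROUTES"
        elif e["type2"] == 0:
            verdicts[vni] = "NO-TYPE2"
        elif e["local_type2"] == 0:
            verdicts[vni] = "NO-LOCAL-TYPE2"
        else:
            verdicts[vni] = "OK"
    return verdicts


if __name__ == "__main__":
    for vni, verdict in triage(SAMPLE_OUTPUT).items():
        print(vni, verdict)
```

For a VNI reported as NO-TYPE2, continue on the local VTEP with 'show nve vni', 'show mac address-table vlan <vlan>' and 'show l2route evpn mac all'; NO-LOCAL-TYPE2 means remote VTEPs are advertising MACs but this one is not, which points at its access ports rather than at BGP.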

374
MCQ (hard)

In a Cisco MDS switch, what is the effect of the command 'fcdomain restart vsan 100'?

A.It enables NPV mode on VSAN 100.
B.It clears the zone configuration for VSAN 100.
C.It reboots the switch.
D.It causes a fabric reconfiguration, which may disrupt traffic.
Answer: D

A domain restart triggers a fabric reconfiguration; the disruptive form (RCF) drops traffic in the VSAN.

Why this answer

The 'fcdomain restart vsan 100' command restarts the fcdomain process for VSAN 100 and triggers a fabric reconfiguration: principal switch selection and domain ID assignment are re-run across every switch in the VSAN. On MDS the plain form performs a non-disruptive restart (a Build Fabric, BF, which keeps existing domain IDs and forwarding intact), while 'fcdomain restart disruptive vsan 100' forces a Reconfigure Fabric (RCF) in which domain IDs can change and traffic in the VSAN is interrupted. Either way it is a fabric-wide event, which is why option D, a fabric reconfiguration that may disrupt traffic, is the intended answer; schedule it in a maintenance window and check 'show fcdomain vsan 100' afterwards to confirm the principal switch and domain IDs.

Exam trap

Cisco often tests the distinction between fabric-level commands (like 'fcdomain restart') and switch-level commands (like 'reload'), leading candidates to mistakenly think a fabric reconfiguration is equivalent to a switch reboot.

How to eliminate wrong answers

Option A is wrong because NPV is enabled switch-wide with 'feature npv' (which erases the configuration and reboots the switch), after which uplinks are set to 'switchport mode NP'; nothing in 'fcdomain restart' touches NPV. Option B is wrong because the zone database is cleared with 'clear zone database vsan 100' (and, with enhanced zoning, 'zone commit vsan 100' commits pending changes rather than clearing anything); 'fcdomain restart' affects only principal switch and domain ID negotiation. Option C is wrong because the command restarts the fcdomain service for one VSAN, not the switch; a reboot requires 'reload'.

375
MCQ (hard)

Two data center switches are connected via a fiber link. They need to encrypt all traffic at Layer 2. Which configuration is required on both switches to establish MACsec?

A.Configure the interface as a trunk
B.Enable MACsec and configure a pre-shared key or CA
C.Enable IPsec on the interface
D.Enable 802.1X on the interface
Answer: B

MACsec must be enabled and a key source configured (a pre-shared CAK/CKN pair or certificate-based 802.1X/EAP) so that MKA can derive and distribute session keys.

Why this answer

MACsec (IEEE 802.1AE) provides hop-by-hop Layer 2 encryption between directly connected devices. To establish a session, both switches must enable MACsec on the interface and agree on a Connectivity Association Key (CAK): either a pre-shared CAK/CKN pair configured identically on both sides (on NX-OS, 'feature macsec', a 'key chain <name> macsec' holding the CKN and 'key-octet-string', and 'macsec keychain <name>' on the interface) or a CAK derived from certificate-based EAP authentication through 802.1X. In both cases the MACsec Key Agreement protocol (MKA, IEEE 802.1X-2010) uses the CAK to authenticate the peer and distribute the Secure Association Keys (SAKs) that encrypt every frame with AES-GCM. Verify with 'show macsec mka session' and 'show macsec secy statistics'.

Exam trap

Cisco often tests the distinction between Layer 2 encryption (MACsec) and Layer 3 encryption (IPsec), and candidates mistakenly choose IPsec because they associate 'encryption' with IPsec, forgetting that MACsec is the correct solution for Layer 2 traffic.

How to eliminate wrong answers

Option A is wrong because configuring the interface as a trunk (802.1Q) is unrelated to encryption; trunking allows multiple VLANs but does not provide any security or encryption. Option C is wrong because IPsec operates at Layer 3 (Network layer) and is used for encrypting IP packets, not Layer 2 Ethernet frames; MACsec is the correct Layer 2 encryption protocol. Option D is wrong because 802.1X is a port-based network access control (NAC) protocol used for authentication, not encryption; while 802.1X can be used in conjunction with MKA for key exchange, simply enabling 802.1X does not enable MACsec encryption.
