Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 376–450

500 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376
Multi-Select · medium

Which TWO of the following are characteristics of NPV (N-Port Virtualization) in a Cisco MDS fabric?

Select 2 answers
A. It enables multiple hosts to share the same physical uplink.
B. It reduces the number of domain IDs required.
C. It allows the edge switch to appear as a virtual host to the core switch.
D. It requires FC-SP authentication.
E. It is only supported on 8 Gbps or higher ports.
Answers: A, B

NPIV allows multiple FLOGIs over a single NP port.

Why this answer

NPV (N-Port Virtualization) allows multiple hosts to share a single physical uplink from an NPV switch to a core NPIV-enabled switch. This is achieved by multiplexing multiple Fibre Channel N-Port IDs over the same physical link, reducing the number of domain IDs required in the fabric because the NPV switch does not participate in principal switch selection or domain ID distribution. The core switch sees each host as a separate virtual N_Port, but the NPV switch itself does not consume a domain ID.

Exam trap

Cisco often tests the misconception that NPV requires the edge switch to appear as a virtual host to the core, when in fact it is the hosts that appear as virtual N_Ports, not the switch itself.

377
MCQ · easy

In a Fibre Channel SAN, a technique is used to allow multiple initiators to share a single physical FC port by assigning multiple N-port IDs. What is this technique called?

A. N_Port ID Virtualization (NPIV)
B. NPIV is exclusive to FCoE environments
C. NPIV is only available on initiator HBAs
D. N_Port Virtualization (NPV)
Answer: A

NPIV allows multiple FCIDs per physical port.

Why this answer

Option A is correct: NPIV (N_Port ID Virtualization) assigns multiple FCIDs per physical port, enabling virtualized initiators. Option D is wrong because NPV (N_Port Virtualization) reduces domain IDs but does not allocate multiple N-port IDs per port. Option B is wrong because NPIV works on native FC, not just FCoE.

Option C is wrong because NPIV is supported on both switches and HBAs.

378
MCQ · hard

An organization is deploying Ansible for network automation across multiple Nexus 9000 leaf switches. They need to ensure that configuration tasks are idempotent and only apply changes when necessary. Which best practice should be followed when using the cisco.nxos.nxos_config module?

A. Write idempotent playbooks by checking 'show running-config' before each task.
B. Use the 'replace' option with a provided configuration file to enforce desired state.
C. Set 'always_run' parameter to 'yes' to force execution.
D. Use the 'backup' option to always restore previous configuration.
Answer: B

The 'replace' option in the nxos_config module compares the running config with the provided config and applies only necessary changes, ensuring idempotency.

Why this answer

Option B is correct because setting the 'replace' option in the nxos_config module ensures the switch configuration matches the intended state, making the operation idempotent. Options A and D are generally not recommended for idempotency, and C is not a standard practice.

379
MCQ · hard

Two Nexus switches are configured for MACsec using MKA. The link between them is up, but MKA does not establish. Which issue is most likely?

A. Different MTU sizes
B. Mismatched cipher suites
C. Switches are in different VLANs
D. Mismatched MKA key strings
Answer: B

MACsec requires the same cipher suite on both ends for MKA to succeed.

Why this answer

MKA (MACsec Key Agreement) requires both endpoints to agree on a cipher suite during the CAK (Connectivity Association Key) exchange. If the cipher suites are mismatched (e.g., one switch uses GCM-AES-128 and the other uses GCM-AES-256), the MKA negotiation will fail, and the link will remain up but unsecured. This is the most common cause of MKA not establishing on an otherwise functional Layer 2 link.

Exam trap

Cisco often tests the distinction between MKA not establishing (cipher suite mismatch) versus MKA establishing but failing authentication (key string mismatch), leading candidates to incorrectly choose the key string option when the question specifically says 'does not establish'.

How to eliminate wrong answers

Option A is wrong because different MTU sizes can cause fragmentation or packet drops at Layer 2, but MKA control frames are small and MTU mismatch does not prevent MKA from establishing; the link would still be up and MKA would attempt to negotiate. Option C is wrong because MKA operates at Layer 2 and is not dependent on VLAN membership; switches in different VLANs can still communicate via trunk links, and MKA frames are tagged appropriately. Option D is wrong because mismatched MKA key strings (pre-shared keys) would cause MKA to fail at the authentication step, but the question states MKA does not establish at all; a key string mismatch typically results in MKA being established but then failing to authenticate, not a complete failure to establish the protocol.

380
MCQ · easy

A storage administrator has been tasked with integrating a new Cisco MDS 9706 switch into an existing Fibre Channel SAN. The existing SAN consists of two Cisco MDS 9148S switches configured in a VSAN 100 with a single zone set that contains all initiator and target WWPNs. The administrator connects the new switch to one of the existing switches using an ISL and configures the new switch with VSAN 100 and the same zone configuration. The administrator activates the zone set on the new switch and verifies that the ISL is up and both switches see each other's Fibre Channel IDs. However, servers attached to the existing switches still cannot discover the storage targets that are connected to the new switch. The administrator has confirmed that the ISL is operational and that the zone set on the new switch is activated with the correct WWPNs. What should the administrator check next?

A. Confirm that the zone set on the new switch is activated and contains correct WWPNs.
B. Ensure that the trunk protocol is enabled on the ISL and that allowed VSANs include VSAN 100.
C. Check that the new switch's domain ID is unique and not conflicting.
D. Verify that the new switch's target-facing interfaces are not in shutdown state.
Answer: D

Interfaces must be administratively enabled to allow login.

Why this answer

The most likely cause is that the target-facing interfaces on the new switch are in administrative shutdown. The first logical next step is to verify that the interfaces to the storage targets are not shut down (Option D). Option A is already confirmed.

Option B is not necessary in a single-VSAN environment. Option C is unlikely because the ISL is operational, indicating no domain ID conflict.

381
MCQ · hard

An organization is deploying Cisco Nexus 9000 switches with NX-OS and needs to prevent ARP spoofing attacks. The network engineer enables Dynamic ARP Inspection (DAI) on all VLANs. However, some legitimate hosts are unable to obtain IP addresses via DHCP. What is the most likely reason?

A. The ARP rate limit on the port is too low, causing all ARP requests to be dropped.
B. IP Source Guard is enabled and is blocking ARP packets.
C. DHCP snooping is not enabled, so DAI lacks the DHCP snooping binding table.
D. An ARP ACL is not configured to allow static IP bindings.
Answer: C

DAI validates ARP against DHCP snooping database; without it, DAI drops all ARP on untrusted ports.

Why this answer

DAI relies on the DHCP snooping binding table to validate ARP packets. Without DHCP snooping enabled, the binding table is empty, so DAI cannot determine which ARP packets are legitimate, causing it to drop all ARP packets, including DHCP discovery and request messages. This prevents hosts from obtaining IP addresses via DHCP.

Exam trap

Cisco often tests the dependency of DAI on DHCP snooping, and the trap here is that candidates assume DAI can function independently without understanding that it requires the DHCP snooping binding table for validation.

How to eliminate wrong answers

Option A is wrong because the ARP rate limit on the port would cause excessive ARP packets to be dropped, not all ARP requests, and it would not specifically prevent DHCP address acquisition. Option B is wrong because IP Source Guard blocks IP traffic based on the DHCP snooping binding table, not ARP packets directly; it does not interfere with ARP unless combined with DAI. Option D is wrong because an ARP ACL is used to permit or deny ARP packets for static IP hosts, but it is not required for DHCP-based hosts; the core issue is the missing DHCP snooping binding table.

382
Multi-Select · medium

Which THREE components are part of an EVPN VXLAN fabric? (Choose three)

Select 3 answers
A. IS-IS
B. MP-BGP
C. VRF
D. NVE interface
E. VPC
Answers: B, C, D

MP-BGP is the standard control plane for EVPN, advertising MAC/IP routes and other attributes.

Why this answer

MP-BGP is the control plane protocol for EVPN VXLAN fabrics. It advertises MAC/VPN reachability information using EVPN address families (L2VPN AFI/SAFI 70/128) and enables overlay route distribution between VTEPs. Without MP-BGP, the fabric cannot dynamically learn remote MAC addresses or maintain a scalable, loop-free control plane.

Exam trap

Cisco often tests the distinction between underlay protocols (like IS-IS or OSPF) and overlay components (like MP-BGP, NVE, VRF), and candidates mistakenly select an underlay protocol as part of the EVPN VXLAN fabric.

383
MCQ · hard

An organization has deployed a pair of Nexus 93180YC-EX switches as vPC peers in a data center. The switches are connected to a server with two 10GbE interfaces configured as an LACP port-channel. The vPC configuration has been verified and was working correctly for months. After a scheduled maintenance window that included upgrading the NX-OS software from version 7.0(3)I7(1) to 7.0(3)I7(5), the server begins experiencing frequent link flaps on the port-channel. The server administrator reports that every 5-10 minutes, the link goes down for about 2 seconds and then recovers. The network team checks the logs on the Nexus switches and sees repeated messages: 'LACP-3-MISCONFIG: Port-channel <channel> is misconfigured: partner not on same aggregator.' The 'show vpc brief' output shows all vPCs in the 'up' state. The 'show port-channel summary' shows the port-channel is up with both member ports in the bundle. What is the most likely root cause?

A. The LACP fast rate timer default changed to slow in the new software, causing a timeout mismatch with the server.
B. The vPC delay-restore timer is set too low, causing the vPC to prematurely come up before LACP is fully up.
C. The vPC peer-link VLAN allowed list does not include the server's VLAN, causing intermittent drops.
D. The LACP system priority is not configured consistently between the vPC peers, causing the LACP system identifier to differ.
Answer: D

In a vPC, the LACP system identifier must be identical on both peers to appear as a single partner to the server. Inconsistent system priority leads to different identifiers, triggering the misconfiguration log and link flaps.

Why this answer

Option D is correct because in a vPC setup, both peer switches must have the same LACP system identifier (derived from system priority and MAC address) so the server sees a single logical partner. If the LACP system priority is not consistent across the peers, the system identifiers will differ, causing the server to detect multiple partners, leading to the 'partner not on same aggregator' error and link flaps. Option A is incorrect because an LACP rate timer mismatch would cause constant timeout issues, not intermittent flaps with this specific log message.

Option C is incorrect because a VLAN mismatch would cause persistent connectivity failures, not intermittent flaps. Option B is incorrect because the delay-restore timer affects recovery after a link failure, not steady-state operation.

384
MCQ · easy

Refer to the exhibit. Two Nexus switches are connected via Ethernet1/1. MKA does not initiate. What is the issue?

A. The interface is not administratively up
B. The policy is not applied to the interface
C. The cipher-suite is not supported
D. The MACsec key chain is missing
Answer: B

The interface must have 'macsec policy MACSEC' to associate the policy.

Why this answer

The exhibit shows that the MACsec policy is defined but not applied to interface Ethernet1/1. Without applying the policy using the `macsec policy` command under the interface configuration, MKA (MACsec Key Agreement) cannot initiate because the switch does not know which security policy to enforce on that link.

Exam trap

Cisco often tests the distinction between defining a MACsec policy globally and applying it to an interface, knowing that candidates may assume a defined policy is automatically active on all interfaces.

How to eliminate wrong answers

Option A is wrong because the interface is administratively up (state is 'up/up'), so the issue is not administrative shutdown. Option C is wrong because the cipher-suite 'GCM-AES-128' is a standard and supported cipher for MACsec on Nexus switches; unsupported ciphers would cause a configuration rejection, not a silent MKA failure. Option D is wrong because MACsec key chains are used for pre-shared key authentication but are not required for MKA initiation; MKA can use a fallback key or EAP-based authentication, and the absence of a key chain would not prevent MKA from starting.

385
MCQ · medium

Refer to the exhibit. An engineer sees this error on a Cisco MDS switch. What is the best action to resolve the issue?

A. Reload both switches to reset domain IDs.
B. Shut and no shut the ISL between the switches.
C. Assign a different domain ID to one of the switches.
D. Change the VSAN on one of the switches.
Answer: C

Each switch in a fabric must have a unique domain ID.

Why this answer

The error indicates a domain ID conflict between two switches in the same VSAN. In Fibre Channel fabrics, each switch must have a unique domain ID to build a correct forwarding table. Assigning a different domain ID to one of the switches resolves the conflict without disrupting the fabric.

Exam trap

Cisco often tests the misconception that a link flap or reboot will fix a domain ID conflict, when in fact the root cause is a duplicate domain ID that must be manually changed on one switch.

How to eliminate wrong answers

Option A is wrong because reloading both switches would temporarily clear the conflict but does not prevent it from recurring once the switches come back up with the same domain IDs. Option B is wrong because shutting and no shutting the ISL only resets the link state; it does not address the underlying domain ID duplication, so the conflict will persist. Option D is wrong because changing the VSAN would isolate the switches into different fabrics, which is an overly disruptive solution and not necessary when a simple domain ID reassignment resolves the issue.

386
MCQ · medium

An organization has four Cisco MDS 9700 directors connected in a full-mesh topology. They use VSANs to separate production, backup, and management traffic. The backup VSAN is experiencing high latency and occasional timeouts. The engineer runs the 'show fcspf routes' command and notices that the path from the backup host to the backup target has an uneven hop count across different paths. The links are all 16 Gbps. The engineer also notes that the backup target is connected to a different director than the backup host. Which action is most likely to improve performance?

A. Configure IVR to route backup traffic over a dedicated path
B. Decrease the FSPF cost on the direct links
C. Increase the FSPF cost on the direct links
D. Implement load balancing using multiple PortChannels
Answer: B

Lowering cost makes the direct path more preferred, reducing hop count and latency.

Why this answer

Decreasing the FSPF cost on the direct links encourages traffic to take shorter paths, reducing hop count and latency. Increasing cost would push traffic away, making it worse. IVR is for inter-VSAN routing, not intra-VSAN.

Load balancing via PortChannels increases bandwidth but does not directly reduce latency from long paths.

387
Multi-Select · easy

Which TWO statements are true regarding the differences between REST API (NX-API) and NETCONF for automating Nexus switches?

Select 2 answers
A. NETCONF can only be used for configuration, not for operational state
B. NX-API uses HTTP/HTTPS as the transport protocol
C. NETCONF primarily uses JSON for data encoding
D. NETCONF provides a standardized data model (YANG) for configuration
E. Both use SSH as their default transport
Answers: B, D

NX-API is a REST-based interface over HTTP/HTTPS.

Why this answer

NX-API (REST API) uses HTTP or HTTPS as its transport protocol, allowing RESTful operations (GET, POST, PUT, DELETE) over standard web ports. This is in contrast to NETCONF, which uses SSH as its transport (RFC 6241). Therefore, option B is correct.

Exam trap

Cisco often tests the misconception that NETCONF only handles configuration (ignoring its <get> operation for operational state) and that NX-API uses SSH, when in fact NX-API uses HTTP/HTTPS and NETCONF uses SSH.

388
Multi-Select · medium

Which TWO are benefits of using the Cisco NX-API for network automation compared to traditional SSH-based scripting?

Select 2 answers
A. Enables batching multiple CLI commands in a single HTTP request
B. Returns structured data (JSON/XML) that is version-independent
C. Supports direct configuration of IPSec and SSL VPNs
D. Eliminates the need for any authentication
E. Allows for real-time streaming of syslog messages
Answers: A, B

The NX-API supports the 'chunk' parameter to batch commands, reducing round-trips.

Why this answer

Option A is correct because the Cisco NX-API allows batching multiple CLI commands into a single HTTP request, which reduces the number of round trips and improves automation efficiency. This is a key advantage over traditional SSH-based scripting, where each command typically requires a separate connection or session.

Exam trap

Cisco often tests the distinction between NX-API's structured output and SSH's text-based output, and the trap here is that candidates may confuse NX-API's command batching with real-time streaming features like telemetry or syslog, which are separate technologies.

389
MCQ · medium

A network engineer is deploying FCoE in a top-of-rack design. Which statement about the required lossless Ethernet fabric is correct?

A. Data Center Bridging Exchange (DCBX) automatically enables PFC when FCoE is configured
B. FCoE uses VLAN 1002 by default for all traffic
C. FCoE frames are limited to 1500 bytes to avoid fragmentation
D. Priority Flow Control (PFC) must be enabled to create lossless CoS
Answer: D

PFC ensures lossless behavior for FCoE frames.

Why this answer

Option D is correct: Priority Flow Control (PFC) is mandatory for FCoE to ensure no frames are dropped due to congestion. Option A is wrong because DCBX is used to negotiate PFC, but PFC itself is the mechanism that must be enabled. Option B is wrong: FCoE uses a dedicated VLAN (typically 1002–1003, but it can be assigned).

Option C is wrong: the FCoE maximum frame size is 2240 bytes (or 2500 with jumbo).

390
Multi-Select · medium

An engineer is configuring a Cisco UCS Manager deployment. The goal is to enforce the organization's security policy by limiting administrative access based on job roles. Which two actions should the engineer take? (Select two.)

Select 2 answers
A. Disable the default password policy for all local users.
B. Use the default maintenance policy for all service profiles.
C. Implement role-based access control using LDAP groups mapped to roles.
D. Configure RBAC by defining roles and assigning users to those roles.
E. Create a local user with the admin role and assign it to all service profiles.
Answers: C, D

Integrating with LDAP allows centralized management of user groups and roles, simplifying administration and security.

Why this answer

C is correct because integrating LDAP groups with RBAC allows the organization to enforce security policies by mapping directory groups to UCS roles, centralizing authentication and authorization. This approach ensures that administrative access is limited based on job roles without managing local users, aligning with the goal of role-based access control.

Exam trap

The trap here is that candidates often confuse RBAC with local user management or maintenance policies, assuming that disabling password defaults or using default policies somehow restricts access, when in fact RBAC requires explicit role definitions and user-to-role mappings.

391
Multi-Select · hard

Which THREE conditions must be met for a Cisco Nexus switch to form a vPC? (Choose three.)

Select 3 answers
A. Both switches must use the same routing protocol
B. The peer-keepalive link must be carried over the peer-link
C. Both switches must run the same NX-OS software version
D. A dedicated peer-link port-channel must be configured
E. The vPC domain ID must be identical on both switches
Answers: C, D, E

Same version ensures feature compatibility and stability.

Why this answer

Option C is correct because Cisco vPC requires both peer switches to run the same NX-OS software version to ensure consistent feature support, protocol behavior, and configuration syntax. Version mismatches can lead to unexpected failures, such as the vPC not forming or inconsistent forwarding states across the peer-link.

Exam trap

Cisco often tests the misconception that the peer-keepalive link must traverse the peer-link, when in fact it must be a separate Layer 3 path to avoid a single point of failure for vPC health monitoring.

392
MCQ · medium

A data center switch is experiencing high CPU due to excessive BGP updates. Which action can mitigate this without affecting legitimate BGP traffic?

A. Apply a CoPP policy that rate-limits BGP traffic
B. Apply a CoPP policy that drops all BGP traffic
C. Disable BGP route filtering
D. Increase BGP timers globally
Answer: A

CoPP can rate-limit specific control plane protocols, protecting CPU while allowing legitimate BGP updates.

Why this answer

Control Plane Policing (CoPP) protects the control plane by rate-limiting specific traffic classes. Applying a CoPP policy that rate-limits BGP traffic (option A) reduces CPU load from excessive BGP updates while still allowing legitimate BGP sessions to function, as the rate-limit only drops packets exceeding a configured threshold. This preserves BGP neighbor reachability and route exchange, unlike dropping all BGP traffic.

Exam trap

Cisco often tests the distinction between 'rate-limit' and 'drop' in CoPP policies, where candidates mistakenly choose to drop all BGP traffic (option B) thinking it solves the CPU issue, but this breaks routing entirely.

How to eliminate wrong answers

Option B is wrong because dropping all BGP traffic would terminate all BGP sessions, causing complete loss of routing updates and potentially isolating the router. Option C is wrong because disabling BGP route filtering would increase the number of BGP updates processed, worsening the CPU issue by allowing all routes without any filtering. Option D is wrong because increasing BGP timers globally (e.g., keepalive and hold timers) reduces the frequency of updates but does not mitigate a flood of updates from external sources; it may also cause neighbor timeouts if timers are set too high.

393
Multi-Select · hard

Which TWO configuration steps are necessary to enable VXLAN EVPN on a Cisco Nexus 9000 switch using the centralized anycast gateway model?

Select 2 answers
A. Enable the address-family l2vpn evpn under the BGP configuration.
B. Enable IGMP snooping on all VLANs extended over VXLAN.
C. Configure the same anycast gateway MAC and IP address on all VTEPs in the VLAN.
D. Set the VXLAN destination UDP port to 8472.
E. Create an NVE interface with a loopback interface as the source.
Answers: A, C

BGP EVPN is required for route distribution.

Why this answer

Option A is correct because in VXLAN EVPN, BGP is used as the control plane to exchange MAC and IP reachability information. Enabling the address-family l2vpn evpn under BGP configuration is mandatory to advertise EVPN routes (type-2 and type-3) between VTEPs, which is the foundation of the centralized anycast gateway model.

Exam trap

Cisco often tests the distinction between mandatory EVPN control plane steps (BGP address-family l2vpn evpn) and generic VXLAN data plane steps (NVE interface, UDP port), leading candidates to select options like creating the NVE interface or setting the UDP port as 'necessary' for EVPN, when they are actually prerequisites for VXLAN itself but not the two specific steps asked for enabling VXLAN EVPN with centralized anycast gateway.

394
MCQ · hard

Refer to the exhibit. A network administrator configured VXLAN EVPN as above. The VTEP can communicate with neighbors on VNI 5001, but cannot reach the default gateway for VNI 5002. What is the problem?

A. The default route in VRF TenantA is not exported.
B. The route-target for VNI 5002 is missing.
C. The VNI 5002 does not have an associated VLAN.
D. The NVE interface does not have ingress-replication configured.
Answer: B

The configuration lacks a separate RD and route-target for VNI 5002, preventing EVPN route exchange for that VNI.

Why this answer

The VXLAN EVPN configuration for VNI 5002 is missing the route-target import/export statements under the VRF TenantA address-family l2vpn evpn. Without the route-target, the VTEP cannot import EVPN type-2 and type-3 routes for VNI 5002, preventing it from learning the default gateway's MAC/IP or the IMET route needed for BUM traffic. This explains why the VTEP can communicate on VNI 5001 (which has route-targets) but not reach the gateway on VNI 5002.

Exam trap

Cisco often tests the distinction between Layer 2 VNI (which needs VLAN association and ingress-replication) and Layer 3 VNI (which needs route-target configuration), and the trap here is that candidates assume a missing VLAN or ingress-replication is the root cause, when the real issue is the missing route-target for the Layer 3 VNI under the VRF.

How to eliminate wrong answers

Option A is wrong because the default route in VRF TenantA is not relevant; the issue is with EVPN route import for VNI 5002, not with route leaking or export of a default route. Option C is wrong because VNI 5002 can operate without an associated VLAN if it is used for Layer 3 VNI (IRB) or if the VLAN mapping is done elsewhere; the exhibit shows no VLAN association, but that is not the cause of the gateway unreachability. Option D is wrong because ingress-replication is configured under the NVE interface for VNI 5001 and 5002 (as shown in the exhibit), so the problem is not missing replication; the missing route-target prevents the VTEP from learning the gateway's MAC/IP via EVPN.

395
MCQ · hard

During a fabric reconfigure event, which behavior is expected if all switches are running the same Cisco SAN-OS version and have the same domain ID configuration?

A. The principal switch selection will re-elect based on highest WWN.
B. The principal switch will force a new domain ID assignment.
C. A domain ID conflict will cause a segmentation of the fabric.
D. The fabric will merge without any issues as long as VSANs match.
Answer: C

Duplicate domain IDs cause fabric segmentation; the switches will not merge.

Why this answer

Option C is correct: duplicate domain IDs cause fabric segmentation. Options A, B and D are incorrect.

396
MCQ · hard

An organization uses FCIP to extend their SAN between two data centers over a 100 Mbps WAN link with 80 ms latency. The storage traffic includes large sequential writes. Which statement best describes the benefit of enabling compression on the FCIP tunnel?

A. Compression reduces end-to-end latency
B. Compression improves effective throughput over the WAN link
C. Compression is recommended only when the link has high packet loss
D. Compression eliminates the need for jumbo frames
Answer: B

Reduces data volume, so more data can be sent within the limited bandwidth.

Why this answer

Option B is correct: compression reduces the amount of data sent over the WAN, effectively improving throughput when bandwidth is limited. Option A is wrong: compression adds latency due to processing; while it reduces bandwidth usage, the benefit here is throughput improvement, not latency reduction.

Option C is wrong: compression is not recommended on lossy links because it can cause issues.

397
MCQ · hard

During a capacity planning review, an engineer notices that a UCS domain with 8 blades (each with 16 cores) is using 70% CPU average. The environment runs VDI workloads. Each VM requires 2 vCPUs and 4 GB RAM. The hypervisor uses 1:1 CPU oversubscription. How many additional VMs can be deployed before reaching 100% CPU utilization?

A. 19
B. 23
C. 17
D. 21
Answer: A

38 remaining vCPUs / 2 per VM = 19.

Why this answer

The UCS domain has 8 blades × 16 cores = 128 cores. With 1:1 CPU oversubscription, the hypervisor can allocate 128 vCPUs. Each VM requires 2 vCPUs, so the maximum VMs are 128 / 2 = 64.

Currently at 70% CPU, 0.70 × 128 = 89.6 vCPUs are used, meaning 89.6 / 2 = 44.8 VMs (round to 45 VMs). The remaining vCPUs are 128 - 89.6 = 38.4, allowing 38.4 / 2 = 19.2 additional VMs, so 19 VMs can be deployed before hitting 100% CPU utilization.

Exam trap

Cisco often tests the trap of confusing CPU utilization percentage with the number of vCPUs already allocated, leading candidates to incorrectly calculate remaining capacity by applying the percentage to the total VM count rather than to the total vCPU count.

How to eliminate wrong answers

Option B (23) is wrong because it incorrectly assumes a higher oversubscription ratio (e.g., 1.5:1) or miscalculates the remaining vCPUs. Option C (17) is wrong because it likely uses a lower total core count (e.g., 112 cores) or misapplies the 70% utilization to total VMs instead of vCPUs. Option D (21) is wrong because it might result from rounding errors or using 75% utilization instead of 70%.

398
MCQ · easy

Refer to the exhibit. A DHCP server is connected to Ethernet1/1 and a client in VLAN 10 is connected to Ethernet1/2. The client obtains an IP address. Which statement is best supported?

A. The DHCP server is in VLAN 20
B. The DHCP client is using a static IP address
C. The DHCP server port is trusted for all VLANs
D. The DHCP client MAC address is not verified
Answer: C

The 'ip dhcp snooping trust' command on the interface makes it trusted for all snooped VLANs.

Why this answer

Option C is correct because when a DHCP server is connected to a switch port and clients in different VLANs (like VLAN 10) obtain IP addresses, the switch must trust the DHCP server port for all VLANs. This is typically achieved by configuring the port as a DHCP snooping trusted port or by using an IP helper address on the VLAN interface. Without trust, DHCP snooping would drop server responses on untrusted ports, preventing the client from obtaining an address.

Exam trap

Cisco often tests the misconception that a DHCP server must be in the same VLAN as the client, when in fact a trusted port or IP helper address allows cross-VLAN DHCP communication.

How to eliminate wrong answers

Option A is wrong because the DHCP server is connected to Ethernet1/1, which is not necessarily in VLAN 20; the client in VLAN 10 obtains an IP address, implying the server can communicate with VLAN 10, likely via an IP helper address or trunk, not that the server itself is in VLAN 20. Option B is wrong because the client obtains an IP address via DHCP, which contradicts the use of a static IP address; a static IP would not require DHCP. Option D is wrong because the DHCP client MAC address is verified by DHCP snooping by default on untrusted ports; the fact that the client obtains an IP address suggests the MAC address is verified and not spoofed, or the port is trusted.

399
Multi-Selecthard

Which TWO statements about NPV (N_Port Virtualization) mode in FC networks are correct?

Select 2 answers
A.NPV is commonly used in top-of-rack (ToR) deployments to simplify SAN cabling.
B.An NPV switch connects to the core switch using E-ports.
C.NPV switches can be used to connect FC and FCoE devices without a separate FCoE VLAN.
D.NPV reduces the number of FC domain IDs required in the fabric.
E.NPV switches perform fabric login (FLOGI) on behalf of attached devices.
AnswersA, D

NPV switches are placed at the top of the rack to aggregate server connections.

Why this answer

Option A is correct because NPV is designed for edge switches (top-of-rack or blade-chassis switches) that aggregate many server ports onto a few uplinks, which simplifies SAN cabling. Option D is correct because the NPV switch does not join the fabric as a switch: it performs its own FLOGI on each NP uplink to the core NPIV-enabled switch and relays each attached device's login to the core as an FDISC over that uplink. The edge switch therefore consumes no domain ID of its own, and the core switch provides the fabric services (name server, zoning) for the attached devices.

Exam trap

Cisco often tests the distinction between NP-ports and E-ports, and the trap here is that candidates mistakenly think NPV switches use E-ports for uplinks, when in fact they use NP-ports to avoid introducing additional domain IDs.

400
Multi-Selectmedium

Which two mechanisms are used by Dynamic ARP Inspection to prevent ARP spoofing? (Choose two.)

Select 2 answers
A.DHCP snooping binding table
B.ARP access lists
C.Port security
D.ARP rate limiting
E.ARP inspection VLAN configuration
AnswersA, B

DAI compares ARP packet MAC-IP pair with the binding table to detect spoofing.

Why this answer

Dynamic ARP Inspection (DAI) validates ARP packets by comparing the sender MAC and IP addresses against the DHCP snooping binding table. If an ARP packet's MAC-IP binding does not match an entry in the binding table, DAI drops the packet, preventing ARP spoofing attacks. Additionally, DAI can use ARP access lists (ARP ACLs) to statically define valid MAC-IP bindings for hosts that do not use DHCP, providing an alternative validation mechanism.

Exam trap

The trap here is that candidates often confuse the enabling configuration (ARP inspection VLAN configuration) with the actual validation mechanism, or they mistakenly think port security or rate limiting directly prevent ARP spoofing, when in fact they serve different security purposes.
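A software model of the two decisions discussed in questions 398 and 400, added here as an illustration; it is not code from the question bank or from Cisco NX-OS. The port table, the MAC and IP addresses and the DHCP/ARP packets are constructed sample data, and the message and field names (chaddr, yiaddr) are simplified stand-ins for the real DHCP fields. It shows why a server reply on an untrusted port is dropped, how a confirmed lease becomes a binding, and how DAI then judges ARP packets against that binding table or a static ARP ACL:

```python
from dataclasses import dataclass, field

# DHCP message types that only a server should originate.
SERVER_MSGS = {"OFFER", "ACK", "NAK"}


@dataclass
class Port:
    vlan: int
    trusted: bool = False   # set by 'ip dhcp snooping trust' / 'ip arp inspection trust'


@dataclass
class Switch:
    ports: dict                                    # port name -> Port
    snooping_vlans: set                            # VLANs with snooping and DAI enabled
    arp_acl: set = field(default_factory=set)      # static (mac, ip) pairs for non-DHCP hosts
    bindings: dict = field(default_factory=dict)   # (vlan, mac) -> (ip, client port)
    pending: dict = field(default_factory=dict)    # (vlan, mac) -> port of a client awaiting a lease

    def dhcp(self, port, msg, src_mac, chaddr, yiaddr=None):
        """DHCP snooping decision for one DHCP message entering on `port`."""
        p = self.ports[port]
        if p.vlan not in self.snooping_vlans:
            return "forward"
        if msg in SERVER_MSGS:
            if not p.trusted:
                # Rogue-server protection: server replies are accepted on trusted ports only.
                return "drop: server message on untrusted port"
            key = (p.vlan, chaddr)
            if msg == "ACK" and key in self.pending:
                # Lease confirmed: record (mac, ip) against the port the client asked from.
                self.bindings[key] = (yiaddr, self.pending.pop(key))
            return "forward"
        # Client message. MAC verification (on by default) requires the frame's
        # source MAC to equal the DHCP chaddr when the port is untrusted.
        if not p.trusted and src_mac != chaddr:
            return "drop: chaddr does not match source MAC"
        self.pending[(p.vlan, chaddr)] = port
        return "forward"

    def arp(self, port, sender_mac, sender_ip):
        """Dynamic ARP Inspection decision for one ARP packet entering on `port`."""
        p = self.ports[port]
        if p.vlan not in self.snooping_vlans or p.trusted:
            return "forward"
        # A static ARP ACL is consulted before the DHCP snooping binding table.
        if (sender_mac, sender_ip) in self.arp_acl:
            return "forward: ARP ACL"
        entry = self.bindings.get((p.vlan, sender_mac))
        if entry and entry[0] == sender_ip:
            return "forward: binding"
        return "drop: no matching binding"


def demo():
    """Replay a constructed sequence of DHCP and ARP packets; returns the verdicts in order."""
    sw = Switch(
        ports={
            "Eth1/1": Port(vlan=10, trusted=True),   # DHCP server port (trusted)
            "Eth1/2": Port(vlan=10),                 # legitimate DHCP client
            "Eth1/3": Port(vlan=10),                 # attacker host
            "Eth1/4": Port(vlan=10),                 # printer with a static address
        },
        snooping_vlans={10},
        arp_acl={("00:00:5e:00:53:fe", "10.0.10.254")},   # static entry for the printer
    )
    client = "00:00:5e:00:53:01"
    server = "00:00:5e:00:53:aa"
    evil = "00:00:5e:00:53:bb"
    return [
        sw.dhcp("Eth1/2", "DISCOVER", client, client),                 # normal request
        sw.dhcp("Eth1/3", "OFFER", evil, client, yiaddr="10.0.10.66"),  # rogue DHCP server
        sw.dhcp("Eth1/1", "ACK", server, client, yiaddr="10.0.10.20"),  # real server answers
        sw.dhcp("Eth1/3", "REQUEST", evil, client),                    # spoofed chaddr
        sw.arp("Eth1/2", client, "10.0.10.20"),                        # matches the binding
        sw.arp("Eth1/3", evil, "10.0.10.20"),                          # ARP spoof of the client's IP
        sw.arp("Eth1/4", "00:00:5e:00:53:fe", "10.0.10.254"),          # static host via ARP ACL
        sw.arp("Eth1/1", server, "10.0.10.1"),                         # trusted port, not inspected
    ]
```

demo() returns the verdict for each packet in order: the rogue OFFER on Eth1/3 and the spoofed ARP for the client's address are the two drops that DHCP snooping and DAI exist for, while the printer with a static address is admitted through the ARP ACL rather than the binding table.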

401
MCQhard

A UCS administrator is deploying a 3-node HyperFlex cluster with vSphere. Each node has a single vNIC for management and two vNICs for storage data traffic. During the cluster creation, the storage vNIC MTU must be configured. What is the recommended MTU value for the storage data vNICs in HyperFlex?

A.1500
B.9216
C.9000
D.4096
AnswerC

Recommended for HyperFlex storage data.

Why this answer

C is correct because HyperFlex storage data vNICs require jumbo frame support to optimize storage traffic performance. The recommended MTU value for these vNICs is 9000, which allows larger packet sizes and reduces CPU overhead for storage I/O operations. This value is consistent with Cisco's best practices for HyperFlex cluster deployments.

Exam trap

Cisco often tests the specific recommended MTU value of 9000 for HyperFlex storage vNICs, and the trap here is that candidates may confuse it with the maximum jumbo frame size of 9216 supported by some switches, or assume the standard 1500 MTU is sufficient for storage traffic.

How to eliminate wrong answers

Option A is wrong because an MTU of 1500 is the standard Ethernet MTU and does not support jumbo frames, which are necessary for efficient storage traffic in HyperFlex. Option B is wrong because 9216 is a common jumbo frame MTU value for some Cisco switches, but HyperFlex specifically recommends 9000, not 9216, for storage vNICs. Option D is wrong because 4096 is not a standard jumbo frame MTU value; it is too small to provide the benefits of jumbo frames and is not recommended by Cisco for HyperFlex storage data traffic.

402
MCQmedium

A SAN administrator notices intermittent connectivity issues between an initiator and target. The Fibre Channel link shows CRC errors. What is the most likely cause?

A.Incorrect domain ID.
B.Faulty SFP or fiber optic cable.
C.Buffer credit starvation.
D.Incorrect zone configuration.
AnswerB

Physical layer issues cause CRC errors.

Why this answer

CRC errors on a Fibre Channel link indicate physical-layer issues such as signal degradation, dirty connectors, or faulty hardware. The most common cause is a faulty SFP module or damaged fiber optic cable, which introduces bit errors that the CRC check detects. This is the first component to verify when troubleshooting intermittent connectivity with CRC errors.

Exam trap

Cisco often tests the distinction between physical-layer errors (CRC) and higher-layer issues (zoning, domain ID, buffer credits) to see if candidates can map symptoms to the correct OSI layer.

How to eliminate wrong answers

Option A is wrong because an incorrect domain ID would cause fabric segmentation or routing issues, not physical-layer CRC errors. Option C is wrong because buffer credit starvation results in frame drops and credit recovery delays, not CRC errors. Option D is wrong because an incorrect zone configuration would cause access control failures (e.g., frames being discarded at the switch), not CRC errors on the link.

403
MCQeasy

Refer to the exhibit. An engineer is configuring a server-facing interface on a Nexus switch. The server is running VMware ESXi with multiple virtual machines in VLANs 10, 20, and 30. After applying the configuration, the ESXi host reports that it cannot communicate on VLAN 30. Which configuration change should be made?

A.Remove the 'spanning-tree port type edge trunk' command
B.Change the native VLAN to 30
C.Create VLAN 30 in the global VLAN database
D.Configure the port as an access port in VLAN 30
AnswerC

If VLAN 30 does not exist, the switch will not forward traffic for it even if allowed on the trunk.

Why this answer

Option C is correct because VLAN 30 must exist in the global VLAN database before it can be used on any interface. Even though the interface configuration allows VLAN 30 as a trunked VLAN, the switch will not forward traffic for a VLAN that has not been created globally. Without the 'vlan 30' command in global configuration mode, the VLAN is not present in the switch's VLAN database, and the interface will not pass traffic for that VLAN.

Exam trap

Cisco often tests the misconception that configuring a VLAN on an interface (e.g., 'switchport trunk allowed vlan add 30') automatically creates the VLAN in the global database, but in NX-OS, the VLAN must be explicitly created first.

How to eliminate wrong answers

Option A is wrong because removing 'spanning-tree port type edge trunk' only changes how STP treats the port (it would no longer move straight to forwarding on link-up); it does not affect which VLANs the trunk can carry. Option B is wrong because making VLAN 30 native would only change which VLAN carries untagged frames; it would not create the VLAN, and changing the native VLAN on one end alone introduces a mismatch that can break the other VLANs. Option D is wrong because an access port in VLAN 30 would remove the trunk and leave the virtual machines in VLANs 10 and 20 without connectivity.

404
MCQmedium

An engineer has configured a service profile with a WWPN pool that has exhausted its assigned range. The server boots from SAN. What happens when the server is associated?

A.The server associates but fails to boot because no WWPN is assigned.
B.The administrator is prompted to manually enter a WWPN.
C.The association fails until new WWPNs are added to the pool.
D.The server associates with a temporary WWPN from the conflict-free range.
AnswerC

Association cannot complete until the pool has a free WWPN.

Why this answer

Cisco UCS Manager hands out WWPNs (and likewise WWNNs, MACs and UUIDs) only from the blocks defined in the pool. When a service profile asks for a WWPN for its vHBA and the pool has none left, UCS Manager raises a fault reporting insufficient resources in the pool, the service profile enters a configuration-failure state, and the association does not complete. Once the administrator adds another block of addresses to the pool, the pending association resumes and the server boots from the SAN LUN with the newly assigned WWPN.

Exam trap

Cisco often tests the assumption that UCS Manager silently falls back to some temporary or hardware-derived identity when a pool runs dry. It does not: burned-in identities are used only when the vHBA is explicitly set to the hardware default, and an exhausted pool is surfaced as a fault that blocks association.

How to eliminate wrong answers

Option A is wrong because the association is not completed with an unassigned vHBA identity; the failure is reported and the association stops before the server is brought up with the profile. Option B is wrong because UCS Manager never prompts for an identity during association; the value comes from the selected pool or from the hardware default, as configured on the vHBA. Option D is wrong because UCS Manager has no reserved 'conflict-free' range of temporary WWPNs from which it could borrow an identity.

405
MCQmedium

A UCS administrator needs to update the firmware on a UCS 5108 chassis that contains eight B-Series blades. The firmware update must be performed with minimal downtime. Which update method should be used?

A.Fast-Impact update
B.Non-Impactful update with a forced reboot
C.User Acknowledged update with a maintenance policy that reboots blades sequentially
D.System-Impactful update with a single reboot
AnswerC

This method allows the administrator to control when blades reboot, minimizing downtime by staggering reboots.

Why this answer

Option C is correct because the User Acknowledged update method, combined with a maintenance policy that reboots blades sequentially, allows the firmware update to proceed blade by blade with minimal downtime. This approach ensures that only one blade is offline at a time, while the remaining blades continue to serve traffic, making it ideal for a chassis with eight B-Series blades where service continuity is critical.

Exam trap

Cisco often tests the distinction between 'User Acknowledged' and 'Non-Impactful' updates, trapping candidates who mistakenly think that a non-impactful update can include a forced reboot, when in fact any reboot makes the update impactful.

How to eliminate wrong answers

Option A is wrong because Fast-Impact update is designed for scenarios where immediate, disruptive updates are acceptable, not for minimizing downtime. Option B is wrong because Non-Impactful update with a forced reboot contradicts the definition of a non-impactful update, which should not require a reboot; a forced reboot would cause unnecessary downtime. Option D is wrong because System-Impactful update with a single reboot would take the entire chassis or all blades offline simultaneously, resulting in maximum downtime, which is the opposite of the requirement.

406
Multi-Selecteasy

Which TWO statements about NPV (N_Port Virtualization) are correct? (Choose two.)

Select 2 answers
A.NPV allows a NPV switch to forward traffic from multiple host ports to the core switch via a few uplinks.
B.NPV helps scale the fabric by reducing the number of FC domain IDs required.
C.NPV uses Inter-VSAN Routing (IVR) to forward traffic between VSANs.
D.NPV requires FCoE encapsulation.
E.NPV allows a single physical port to have multiple N-port IDs.
AnswersA, B

NPV aggregates multiple ports to uplinks.

Why this answer

NPV lets an edge switch act as a proxy for the N_Port logins of its attached hosts toward a core NPIV-capable switch. Option A is correct: the NPV switch multiplexes many host ports onto a few NP uplinks. Option B is correct: because the NPV switch is not a fabric switch, it consumes no domain ID, which is the main scaling benefit. Option C is wrong: IVR routes between VSANs and is unrelated to NPV. Option D is wrong: NPV works on native Fibre Channel as well as FCoE. Option E is wrong: multiple N_Port IDs on one physical port is NPIV, the feature the core switch must support, not NPV itself.

407
MCQmedium

Based on the exhibited output, what can be concluded about the fabric?

A.The fabric contains a domain ID conflict.
B.The device with FCID 0x010002 is a disk array.
C.There are three initiators and one target.
D.The device with FCID 0x010003 is a loop-attached device.
AnswerD

The 'NL' type indicates a loop-attached node (public loop).

Why this answer

Option D is correct. In 'show fcns database' output the TYPE column is N for a fabric-attached N_Port and NL for a loop-attached (public loop) NL_Port, so an entry of type NL at FCID 0x010003 is a loop device. Whether an entry is an initiator or a target is shown by the FC4-TYPE:FEATURE column (scsi-fcp:init or scsi-fcp:target), so options B and C can only be judged from that column, not from the FCID, and a domain ID conflict would surface in 'show fcdomain' or as a segmented ISL, not in the name-server listing.
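The question's exhibit is not reproduced on this page, so the following is an added example, not the exam's output or Cisco code: it parses a constructed listing in the layout of 'show fcns database' and derives the facts the answer options ask about. The FCIDs, port WWNs and vendor strings are made up, and the column layout is assumed from typical MDS output:

```python
import re

# Constructed sample in the layout of 'show fcns database' on an MDS switch.
SAMPLE = """\
VSAN 1:
--------------------------------------------------------------------------
FCID        TYPE  PWWN                    (VENDOR)        FC4-TYPE:FEATURE
--------------------------------------------------------------------------
0x010000    N     21:00:00:e0:8b:0a:3f:fc (QLogic)        scsi-fcp:init
0x010001    N     21:00:00:e0:8b:0b:41:2a (QLogic)        scsi-fcp:init
0x010002    N     10:00:00:00:c9:2f:6a:b1 (Emulex)        scsi-fcp:init
0x010003    NL    50:06:01:60:10:60:3a:19 (Clariion)      scsi-fcp:target
0x020000    N     50:0a:09:81:8d:5b:4e:3c (NetApp)        scsi-fcp:target

Total number of entries = 5
"""

# One name-server row: FCID, N/NL type, 8-byte pWWN, optional (vendor), FC4 feature.
ENTRY = re.compile(
    r"^(?P<fcid>0x[0-9a-f]{6})\s+(?P<type>NL?)\s+(?P<pwwn>(?:[0-9a-f]{2}:){7}[0-9a-f]{2})"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s+(?P<fc4>\S+)",
    re.IGNORECASE,
)


def parse_fcns(text):
    """Return one dict per name-server entry, with the FCID split into its fields."""
    entries = []
    vsan = None
    for line in text.splitlines():
        if line.startswith("VSAN "):
            vsan = int(line.split()[1].rstrip(":"))
            continue
        m = ENTRY.match(line)
        if not m:
            continue
        fcid = int(m["fcid"], 16)
        entries.append({
            "vsan": vsan,
            "fcid": m["fcid"],
            "domain": fcid >> 16,              # domain ID of the switch that owns the port
            "area": (fcid >> 8) & 0xFF,
            "port": fcid & 0xFF,               # AL_PA for a loop-attached device
            "loop": m["type"].upper() == "NL", # NL = loop-attached, N = fabric-attached
            "pwwn": m["pwwn"],
            "vendor": m["vendor"],
            "role": m["fc4"].split(":")[-1],   # 'init' or 'target' for SCSI-FCP
        })
    return entries


def summarize(entries):
    """The counts a SAN administrator reads off the listing."""
    return {
        "initiators": sum(e["role"] == "init" for e in entries),
        "targets": sum(e["role"] == "target" for e in entries),
        "loop_attached": [e["fcid"] for e in entries if e["loop"]],
        "domains": sorted({e["domain"] for e in entries}),
    }
```

parse_fcns splits each FCID into domain, area and port (the low byte is the AL_PA for a loop device), and summarize counts initiators and targets from the FC4 feature column rather than guessing from the FCID. The listing shows which domain IDs are in use, but a domain ID conflict is not visible here; 'show fcdomain' on each switch is where to look for that.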

408
Multi-Selectmedium

Which TWO commands are used to verify Fibre Channel connectivity issues on a Cisco MDS switch? (Choose two.)

Select 2 answers
A.show ip interface brief
B.show mac address-table
C.show vlan
D.show interface fc <slot/port>
E.show flogi database
AnswersD, E

Shows interface status, errors.

Why this answer

Option D is correct because the 'show interface fc <slot/port>' command displays detailed status, errors, and operational state of a specific Fibre Channel interface, which is essential for diagnosing physical or link-level connectivity issues on a Cisco MDS switch. Option E is correct because the 'show flogi database' command lists all N-port (host) logins registered with the fabric via the Fabric Login (FLOGI) process, verifying that end devices have successfully established a session with the switch and are visible in the Fibre Channel fabric.

Exam trap

Cisco often tests the distinction between Ethernet-based troubleshooting commands (like 'show ip interface brief' or 'show mac address-table') and Fibre Channel-specific commands, leading candidates to mistakenly apply familiar IP/Ethernet commands to a storage networking context.

409
MCQeasy

A data center switch port is configured for 802.1X with MAB as fallback. A device that does not support 802.1X is connected. Which method will allow the device to authenticate?

A.EAP-TLS
B.Web authentication
C.Local authentication using a pre-shared key
D.MAC authentication bypass
AnswerD

MAB is the fallback method for devices that do not support 802.1X.

Why this answer

When a device that does not support 802.1X is connected to a port configured for 802.1X with MAB as fallback, the switch detects that no EAPOL frames are received from the device. It then initiates MAC authentication bypass (MAB), which uses the device's MAC address as the identity for authentication against the RADIUS server. If the MAC address is allowed, the port is authorized, providing a seamless fallback authentication method for non-802.1X-capable devices.

Exam trap

The trap here is that candidates often confuse MAB with web authentication or assume that any non-802.1X device will automatically trigger web authentication, but Cisco tests that MAB is the first fallback method when configured, and it uses the MAC address, not a pre-shared key or certificate.

How to eliminate wrong answers

Option A is wrong because EAP-TLS is an 802.1X authentication method that requires the device to support 802.1X and present a client certificate, which the non-802.1X-capable device cannot do. Option B is wrong because web authentication (WebAuth) is a separate fallback method that redirects HTTP traffic to a captive portal for user credentials, but it is not the default or automatic fallback when MAB is configured; MAB is tried first before WebAuth. Option C is wrong because local authentication using a pre-shared key is not a standard 802.1X or MAB mechanism; MAB relies on RADIUS server authentication using the MAC address, not a locally configured pre-shared key.

410
MCQmedium

A financial services company is migrating its core banking application to a new data center built on Cisco Nexus 9000 switches with VXLAN EVPN. The application requires active-active multihoming for its servers, which are dual-homed to two leaf switches. The network team has configured vPC on the leaf switches for the server connections. After the migration, the application team reports that some packets are being dropped during failover events when one of the vPC member links goes down. The network team confirms that vPC is properly configured and the peer-keepalive is functioning. What is the most likely cause of packet drops during failure?

A.The vPC peer-gateway feature is not enabled.
B.The vPC orphan port configuration is missing.
C.The vPC role is not configured with preempt.
D.The vPC consistency parameters are not identical between the peer switches.
AnswerD

Mismatched parameters cause forwarding inconsistencies.

Why this answer

Option D is correct because vPC type-1 consistency parameters (STP mode, port-channel mode, MTU, allowed VLANs and so on) must match on both peers; when they do not, the affected vPC or VLANs are suspended on the secondary peer, so traffic that fails over to the surviving member link is blackholed. Option A is wrong because peer-gateway only lets a peer route frames addressed to the other peer's gateway MAC; it affects certain routed flows, not member-link failover. Option B is wrong because orphan-port handling concerns single-attached devices, not dual-homed vPC members. Option C is wrong because vPC roles are non-preemptive by design; role election only decides which peer is primary for STP and consistency handling.

411
MCQmedium

An administrator needs to configure a Fibre Channel SAN to support two separate departments that must not see each other's storage. Each department has its own set of initiators and targets. Which technology should be used?

A.VSANs (Virtual SANs)
B.Port channels
C.NPV
D.IVR (Inter-VSAN Routing)
AnswerA

VSANs isolate traffic.

Why this answer

VSANs (Virtual SANs) provide isolation within a single Fibre Channel fabric by partitioning the physical SAN into multiple logical SANs. Each department's initiators and targets are placed in separate VSANs, ensuring they cannot see each other's storage traffic or devices, which meets the requirement for complete separation without additional physical hardware.

Exam trap

Cisco often tests the distinction between VSANs and IVR, where candidates mistakenly think IVR is needed for isolation, but IVR actually enables controlled sharing between VSANs, not isolation.

How to eliminate wrong answers

Option B (Port channels) is wrong because port channels aggregate multiple physical links into a single logical link for increased bandwidth and redundancy, but they do not provide any isolation or segmentation between different departments' storage traffic. Option C (NPV) is wrong because NPV (N_Port Virtualization) is used to reduce the number of Fibre Channel domain IDs in a SAN by allowing a switch to proxy logins for multiple initiators, but it does not create separate logical SANs or prevent inter-department visibility. Option D (IVR) is wrong because IVR (Inter-VSAN Routing) is specifically designed to selectively route traffic between different VSANs, which would allow the departments to see each other's storage, directly violating the requirement that they must not see each other's storage.

412
MCQhard

A Fibre Channel switch is experiencing high latency on a specific ISL. The link is operating at 16 Gbps and has high utilization. Which action will most likely reduce latency?

A.Reduce the buffer credit count.
B.Enable trunking on the ISL.
C.Disable flow control on the ISL.
D.Add an additional ISL and configure a port channel.
AnswerD

Load balancing reduces latency.

Why this answer

Adding an additional ISL and configuring a port channel increases the aggregate bandwidth between the two switches, reducing per-link utilization and thus lowering queuing latency. This directly addresses the root cause—high utilization on a single 16 Gbps link—by distributing traffic across multiple physical links, which also provides load balancing and redundancy.

Exam trap

Cisco often tests the misconception that trunking or flow control adjustments can solve bandwidth-related latency, when in fact only increasing aggregate bandwidth (via port channels) reduces queuing delay caused by high utilization.

How to eliminate wrong answers

Option A is wrong because reducing the buffer credit count would actually decrease the number of frames that can be in transit, potentially increasing latency due to credit starvation, especially on long-distance links. Option B is wrong because enabling trunking on the ISL (typically via VSAN trunking) does not increase bandwidth; it only allows multiple VSANs to share the same link, which does not reduce utilization or latency. Option C is wrong because disabling flow control (e.g., buffer-to-buffer credit flow control) would remove the mechanism that prevents frame loss, leading to retransmissions and higher latency, not lower.

413
MCQeasy

A storage administrator notices that a newly deployed Fibre Channel initiator cannot log in to the SAN switch. The switch is configured for NPV mode. Which condition is most likely causing the issue?

A.NPIV is disabled on the upstream switch.
B.The initiator is not using a device alias.
C.The switch is configured for NPIV mode instead of NPV.
D.The switch port is configured as an E port.
AnswerA

NPIV must be enabled on upstream switches for NPV mode to work.

Why this answer

In NPV mode the edge switch completes its own FLOGI on each NP uplink and then relays every attached initiator's login to the core as an FDISC. Without NPIV on the core switch's F port, only the first login on that physical link (the NP port's own) is accepted and each FDISC is rejected, so the initiators never receive an FCID and fail to log in.

Exam trap

Cisco often tests the distinction between NPV (a switch mode) and NPIV (a feature on the upstream switch), leading candidates to confuse the two or assume the issue is with the NPV switch's own configuration.

How to eliminate wrong answers

Option B is wrong because device aliases are used for zoning and management convenience, not for the FLOGI process; an initiator can log in without any alias. Option C is wrong because the question states the switch is configured for NPV mode, and NPIV mode is a feature of the upstream switch, not a conflicting mode. Option D is wrong because in NPV mode, the switch port facing the upstream switch is configured as an NP port (proxy N-port), not an E port; E ports are used for ISL links between switches in standard FC switching mode, not NPV.

414
MCQhard

A large enterprise data center uses Cisco ACI with a spine-leaf architecture. The security team requires that all traffic between the Web and App tiers be inspected by a firewall, but traffic within the same tier should be allowed directly. The Web EPG is in VRF PROD with Bridge Domain WEB-BD, and App EPG is in VRF PROD with Bridge Domain APP-BD. The firewall is connected as a service graph device in a different VRF (FW-VRF). The administrator configures a contract between Web and App EPGs that redirects traffic through the firewall. However, after implementation, traffic from Web to App is not passing through the firewall; instead, it is forwarded directly. The contract is applied correctly. What is the most likely cause?

A.The firewall is in a different VRF; service graphs require the firewall to be in the same VRF as the endpoints or use a shared VRF with appropriate route leaking.
B.The firewall is not reachable from the leaf switches due to a routing issue.
C.The contract filter is misconfigured, allowing direct communication without redirection.
D.The contract is applied only to intra-EPG traffic, not inter-EPG traffic.
AnswerA

ACI service graph redirection typically works within the same VRF or with PBR; different VRFs break the redirection.

Why this answer

In Cisco ACI, service graphs redirect traffic through firewall devices by inserting the firewall as a Layer 4-Layer 7 device in the traffic path. However, the service graph device must reside in the same VRF as the consumer and provider EPGs, or a shared VRF with proper route leaking must be configured, because ACI uses VRF isolation to enforce policy-based redirect (PBR). Since the firewall is in FW-VRF while both EPGs are in VRF PROD, the leaf switches cannot redirect traffic to the firewall without a common routing context, causing the contract to bypass the firewall and forward traffic directly.

Exam trap

Cisco often tests the misconception that a service graph device can be in any VRF as long as the contract is applied correctly, but in reality, the VRF alignment is mandatory for the redirect to function.

How to eliminate wrong answers

Option B is wrong because the question states the contract is applied correctly and the firewall is connected as a service graph device; a routing issue would typically manifest as unreachability or packet drops, not as direct forwarding without redirection. Option C is wrong because the contract filter controls which traffic is permitted or denied, not the redirection path; the service graph redirection is configured separately in the contract's service graph template. Option D is wrong because the contract is explicitly configured between Web and App EPGs, which is inter-EPG traffic, and intra-EPG traffic within the same tier is allowed directly by default without a contract.

415
Multi-Selecthard

Which THREE factors must be considered when implementing FCIP for SAN extension over a WAN? (Choose three.)

Select 3 answers
A.VSAN configuration on the remote MDS switch.
B.Jitter and packet loss characteristics.
C.Buffer-to-buffer credit count on the FCIP tunnel.
D.Round-trip time (RTT) latency of the WAN link.
E.Available bandwidth and potential congestion.
AnswersB, D, E

Jitter and loss impact TCP performance and retransmissions.

Why this answer

FCIP (Fibre Channel over IP) carries Fibre Channel frames inside TCP over the IP WAN, so the tunnel inherits the WAN's behaviour. Jitter and packet loss (B) trigger TCP retransmissions and, once Fibre Channel timers expire, frame drops and link resets. Round-trip time (D) bounds how much data a TCP connection can keep in flight and is added to every exchange, so it sets the achievable throughput and the I/O latency. Available bandwidth and congestion (E) determine whether the bandwidth configured on the FCIP profile can actually be delivered. VSAN configuration (A) and buffer-to-buffer credits (C) are Fibre Channel fabric parameters; they do not govern the behaviour of the IP path.

Exam trap

Cisco often tests the distinction between Fibre Channel fabric parameters (like VSANs and B2B credits) and WAN-specific factors (jitter, loss, RTT, bandwidth) that directly impact FCIP tunnel performance, leading candidates to select local SAN parameters instead of WAN characteristics.

416
Multi-Selectmedium

A network engineer is troubleshooting an OSPF adjacency that fails to reach FULL state between two Nexus 9000 switches. Which TWO are common causes for this issue?

Select 2 answers
A.Mismatched OSPF process ID
B.Mismatched area ID
C.Mismatched router ID
D.Mismatched hello/dead timers
E.Mismatched network type
AnswersB, D

OSPF neighbors must belong to the same area to form an adjacency.

Why this answer

Option B is correct because the area ID is carried in every OSPF hello, and a router discards hellos whose area ID differs from the receiving interface's area, so the two routers never even appear as neighbors, let alone reach FULL. Option D is correct for the same reason: the hello and dead intervals are also checked in the hello packet, and a mismatch causes the hello to be ignored. Both checks are part of hello processing as defined in RFC 2328.

Exam trap

Cisco often tests the misconception that the OSPF process ID must match between neighbors, but it is only locally significant and does not affect adjacency formation.

417
MCQhard

A company has two Cisco MDS 9700 switches in a dual-fabric SAN. Each fabric has its own set of storage arrays and hosts. The company wants to enable selective communication between specific devices in Fabric A and Fabric B without merging the fabrics. Which Cisco technology should be used?

A.FCIP
B.NPV
C.IVR
D.Port channels
AnswerC

IVR enables selective communication between devices in different VSANs while keeping fabrics separate.

Why this answer

Cisco IVR (Inter-VSAN Routing) allows selective communication between devices in different VSANs without merging the fabrics. In this dual-fabric SAN scenario, IVR enables specific hosts in Fabric A to communicate with specific storage arrays in Fabric B while keeping the VSANs and fabrics logically isolated, preserving fault domains and administrative boundaries.

Exam trap

Cisco often tests the distinction between technologies that merge fabrics (like FCIP or trunking) versus those that enable selective inter-fabric communication without merging (like IVR), and the trap here is confusing FCIP's WAN extension capability with IVR's selective routing within a local dual-fabric design.

How to eliminate wrong answers

Option A is wrong because FCIP (Fibre Channel over IP) is used to interconnect geographically separated SAN islands over an IP network, not to enable selective communication between devices in the same physical location without merging fabrics. Option B is wrong because NPV (N_Port Virtualization) is a mode used by edge switches to aggregate multiple N_Ports into a single uplink to a core switch, reducing domain IDs; it does not provide inter-fabric routing. Option D is wrong because port channels aggregate multiple physical links into a single logical link for increased bandwidth and redundancy within a single fabric, not for routing traffic between separate fabrics.

418
MCQeasy

A UCS administrator needs to ensure that server boot order always starts from the local disk if available, and falls back to a SAN LUN if local disk fails. Which boot policy setting should be used?

A.Local Disk alone
B.SAN first, then Local Disk
C.SAN Boot Only
D.Local Disk first, then SAN
AnswerD

Matches the requirement.

Why this answer

Option D is correct because the UCS boot policy allows you to specify a boot order where the local disk is attempted first. If the local disk is unavailable or fails, the system automatically falls back to the next boot device in the list, which is the SAN LUN. This ensures high availability and aligns with the requirement to prefer local boot while providing a failover path.

Exam trap

Cisco often tests the misconception that 'SAN first, then Local Disk' provides a fallback to local disk, but the trap is that the order is reversed, causing the server to always boot from SAN first, which does not satisfy the requirement to prefer local disk when available.

How to eliminate wrong answers

Option A is wrong because 'Local Disk alone' provides no fallback if the local disk fails, leaving the server unable to boot. Option B is wrong because 'SAN first, then Local Disk' reverses the required order, causing the server to always attempt SAN boot before local disk, which does not meet the requirement to start from local disk if available. Option C is wrong because 'SAN Boot Only' forces boot exclusively from the SAN LUN with no option to boot from local disk, even if the local disk is functional.

419
MCQmedium

An engineer is designing a SAN extension over a WAN link using FCIP. The link has high latency (50 ms RTT). Which configuration is most critical to maintain performance?

A.Configure a large TCP window size.
B.Enable compression on the FCIP tunnel.
C.Increase the buffer-to-buffer credits.
D.Reduce the TCP MSS to 512 bytes.
AnswerA

Window scaling allows more data in flight, improving throughput over high-latency links.

Why this answer

FCIP encapsulates Fibre Channel frames over TCP/IP. High latency (50 ms RTT) means the TCP sender must wait longer for acknowledgments, which stalls the connection if the TCP window is too small: without the window scale option the window is capped at 64 KB, which at 50 ms RTT limits a connection to roughly 10 Mbps. A large TCP window (window scaling, RFC 1323, now RFC 7323) allows more data to be in flight before an ACK is required, maintaining throughput and preventing performance collapse on high-latency WAN links.

Exam trap

Cisco often tests the misconception that buffer-to-buffer credits (BB_credits) are the primary flow control for FCIP, when in fact TCP window sizing is the critical parameter for high-latency WAN links.

How to eliminate wrong answers

Option B is wrong because compression reduces bandwidth usage but does not address the fundamental throughput limitation caused by high latency and small TCP windows; it may even add processing delay. Option C is wrong because buffer-to-buffer credits (BB_credits) are a Fibre Channel flow control mechanism used between directly connected FC ports, not over FCIP tunnels; they do not affect TCP windowing over WAN. Option D is wrong because reducing TCP MSS to 512 bytes increases header overhead and the number of segments, which can worsen performance on a high-latency link by requiring more ACKs per byte of data.
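A small calculator for the sizing argument in this answer, added as an illustration (not code from the question bank or from Cisco). It computes the bandwidth-delay product, the throughput ceiling of an unscaled 64 KB window, and the RFC 7323 window-scale shift that covers the required window; the link speeds and RTTs are example values:

```python
MAX_UNSCALED_WINDOW = 65_535   # 16-bit TCP window field without the scale option
MAX_SCALE_SHIFT = 14           # largest shift count RFC 7323 allows


def bdp_bytes(link_bps, rtt_s):
    """Bandwidth-delay product: bytes that must be in flight to keep the link full."""
    return int(link_bps * rtt_s / 8)


def max_throughput_bps(window_bytes, rtt_s):
    """Ceiling for a single TCP connection: at most one window per round trip."""
    return window_bytes * 8 / rtt_s


def window_scale_shift(window_bytes):
    """Smallest shift count such that 65535 << shift covers the window (capped at 14)."""
    shift = 0
    while (MAX_UNSCALED_WINDOW << shift) < window_bytes and shift < MAX_SCALE_SHIFT:
        shift += 1
    return shift


def plan(link_bps, rtt_s):
    """Sizing summary for one FCIP TCP connection over a WAN link of the given speed and RTT."""
    need = bdp_bytes(link_bps, rtt_s)
    return {
        "link_mbps": link_bps / 1e6,
        "rtt_ms": rtt_s * 1e3,
        "bdp_bytes": need,
        # What the link delivers if the sender is stuck with an unscaled window.
        "unscaled_mbps": round(max_throughput_bps(MAX_UNSCALED_WINDOW, rtt_s) / 1e6, 1),
        "scale_shift": window_scale_shift(need),
    }


if __name__ == "__main__":
    for rtt_ms in (1, 10, 50, 100):
        print(plan(1e9, rtt_ms / 1e3))
```

plan(1e9, 0.05) shows that a 1 Gbps link with 50 ms RTT needs about 6.25 MB in flight, that a connection limited to a 64 KB window is capped near 10.5 Mbps, and that a scale shift of 7 is sufficient. On an MDS the FCIP profile's 'tcp max-bandwidth-mbps', 'min-available-bandwidth-mbps' and 'round-trip-time-ms' settings are the inputs the switch uses for the same sizing.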

420
Drag & Dropmedium

Order the steps to configure FCoE on a Cisco Nexus switch with NPV mode.


Why this order

FCoE requires feature fcoe, VSAN mapping, VLAN config, NPV mode, and fabric login.

421
Matchingmedium

Match each Cisco data center automation tool to its primary use.

Configuration management and orchestration

Scripting language for custom automation

Programmatic interface for device management

Infrastructure as code for server configuration

Declarative configuration management

Why these pairings

Automation tools streamline data center operations.

422
Multi-Selecteasy

Which TWO are important considerations when using Cisco UCS Central for multi-domain management? (Select TWO.)

Select 2 answers
A.UCS Central requires separate licensing per managed server.
B.Global policies can be defined in UCS Central and applied per domain with local overrides.
C.All domains must have identical hardware and firmware versions.
D.UCS Central communicates with both Fabric Interconnects in each domain for redundancy.
E.Local UCS Manager policies are always overridden by UCS Central policies.
AnswersB, D

This is a key feature of UCS Central.

Why this answer

Option B is correct because Cisco UCS Central allows administrators to define global policies that can be applied across multiple UCS domains, while still permitting local overrides at the UCS Manager level. This hierarchical policy model provides centralized control without sacrificing the flexibility needed for domain-specific configurations, such as unique VLANs or boot policies.

Exam trap

Cisco often tests the misconception that UCS Central enforces strict homogeneity across domains, but the correct understanding is that it supports heterogeneous environments with flexible policy inheritance and local overrides.

423
MCQmedium

Refer to the exhibit. An administrator notices the blade firmware is outdated. What is the recommended first step to update the blade firmware?

A.Upgrade the fabric interconnects first
B.Update each blade individually using the CIMC
C.Reboot all blades immediately
D.Create a firmware management policy to stage the update
AnswerD

Allows orchestrated update across all blades with minimal disruption.

Why this answer

Option D is correct because Cisco UCS Manager uses firmware management policies to stage firmware updates across blades in a controlled, non-disruptive manner. Staging the update allows the administrator to schedule the activation during a maintenance window, ensuring all blades receive the same firmware version consistently without immediate impact on production traffic.

Exam trap

The trap here is that candidates often assume a direct, immediate action like rebooting or manual updates is required, but Cisco tests the understanding that UCS Manager provides a policy-based staging mechanism to safely orchestrate firmware updates across multiple blades.

How to eliminate wrong answers

Option A is wrong because upgrading the fabric interconnects is not the first step of a blade firmware update. Infrastructure firmware (UCS Manager, fabric interconnects and IOMs) is upgraded in its own sequence and must be at a version compatible with the target server firmware, so the two are coordinated, but the blade update itself is driven by the host firmware package referenced from the service profile, not by the FI upgrade. Option B is wrong because updating each blade individually through the CIMC is slow, error-prone and bypasses UCS Manager, which can stage, validate and apply the same package to every blade. Option C is wrong because rebooting all blades changes nothing about the firmware and only causes an outage; the reboot is what the staged activation schedules into a maintenance window, after the new image has been downloaded.

424
Multi-Selecthard

Which THREE factors should be considered when sizing buffer credits for a long-haul FC link?

Select 3 answers
A.Link speed
B.Number of targets
C.Frame size
D.Distance
E.Buffer-to-buffer credit pool size
AnswersA, C, D

Higher speed requires more credits to keep the link busy.

Why this answer

Link speed (A) matters because the number of bytes in flight on the fiber grows with the data rate: each credit lets the sender transmit one frame before the receiver's R_RDY primitive comes back, and the round-trip propagation delay is fixed by the distance, so the credit count scales with speed. A 16 Gbps link needs roughly twice as many credits as an 8 Gbps link over the same distance (not exactly, because 16GFC uses 64b/66b encoding rather than 8b/10b, but the rule of thumb is what sizing uses). Distance (D) sets the round-trip propagation delay, about 10 µs per km of fiber, during which the frames already sent must be covered by credits. Frame size (C) sets how many bytes each credit covers, so a link carrying small frames needs more credits than one carrying full 2148-byte frames for the same bytes in flight.

Exam trap

Cisco often tests the misconception that the number of targets or initiators influences buffer credit requirements, when in fact only distance, speed, and frame size matter for the per-link calculation.

425
MCQmedium

Refer to the exhibit. An NX-API request returns this JSON error. What is the most likely cause?

A.The API version in the request is mismatched
B.Invalid credentials
C.The command is not allowed via NX-API
D.The switch is in maintenance mode
AnswerC

Some commands are restricted in NX-API. The error 'Invalid command' suggests a disallowed command.

Why this answer

The JSON error indicates that the request reached the switch and was authenticated, but the command itself was rejected by NX-API. NX-API supports a restricted command set (commands that need interactive input, for example, are not permitted through the interface), and a rejected command comes back as an error object inside the JSON reply rather than as an HTTP-level authentication or transport failure. Checking where the failure is reported, in the HTTP status or in the JSON body, is the quickest way to tell a command rejection from a credential or API-version problem.

Exam trap

Cisco often tests the misconception that any CLI command can be executed via NX-API, but in reality, NX-API has a restricted command set, and candidates may incorrectly attribute the error to credentials or API version mismatches.

How to eliminate wrong answers

Option A is wrong because an API version mismatch would typically return a different error, such as 'API version not supported' or a 400 Bad Request, not a generic JSON error about command permission. Option B is wrong because invalid credentials would result in an HTTP 401 Unauthorized response or an authentication failure message, not a command-level error. Option D is wrong because maintenance mode affects the switch's operational state and would generate a different error (e.g., 'switch is in maintenance mode'), not a command-specific rejection.

426
MCQmedium

In a Cisco HyperFlex cluster, a new ESXi host is being added. The host is discovered, but the cluster health status shows 'Degraded'. What should be the first troubleshooting step?

A.Reboot the new ESXi host.
B.Verify that the new host's controller VM has the same firmware version as the cluster.
C.Check if the vCenter Server is in maintenance mode.
D.Delete and re-create the cluster.
AnswerB

Firmware consistency is critical for cluster stability.

Why this answer

When adding a new ESXi host to a Cisco HyperFlex cluster, the controller VM (CVM) firmware version must match the cluster's version. A mismatch causes the cluster health status to show 'Degraded' because the CVMs cannot properly synchronize storage operations. Verifying and aligning the firmware version is the first troubleshooting step, as it directly impacts cluster stability.

Exam trap

Cisco often tests the misconception that a 'Degraded' cluster health status is due to network or vCenter issues, when in fact it frequently stems from firmware or software version mismatches in the HyperFlex storage layer.

How to eliminate wrong answers

Option A is wrong because rebooting the new ESXi host will not resolve a firmware version mismatch; it only restarts services without addressing the root cause. Option C is wrong because vCenter Server maintenance mode affects vCenter operations, not HyperFlex cluster health; a host in maintenance mode would not cause a 'Degraded' status due to firmware mismatch. Option D is wrong because deleting and re-creating the cluster is an extreme, unnecessary step that would disrupt operations; the issue is isolated to the new host's CVM firmware, not the cluster configuration.

427
Multi-Selecthard

Which THREE factors should be considered when calculating the required number of buffer credits for a long-distance Fibre Channel link? (Choose three.)

Select 3 answers
A.The link data rate (e.g., 16 Gbps).
B.The maximum frame size (e.g., 2148 bytes).
C.The number of VSANs configured.
D.The number of zones in the fabric.
E.The distance between the switches.
AnswersA, B, E

Higher data rates require more buffer credits to keep the link busy.

Why this answer

To calculate buffer credits you need the data rate, the maximum frame size and the distance. Option A: the data rate determines how many bytes the link carries per unit time, and therefore how many frames can be in flight. Option B: the maximum frame size determines how many bytes each credit covers; 2148 bytes is the largest FC frame, so it gives the minimum credit count, and a link carrying smaller frames needs more credits for the same bytes in flight. Option E: the distance sets the round-trip propagation delay, about 10 µs per km of fiber, during which the frames already sent must be covered by credits.

Option C is wrong because the number of VSANs does not change the bytes in flight on the physical link. Option D is wrong because zoning is an access-control configuration and has no effect on link-level flow control.
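The same bandwidth-delay arithmetic underlies the FCIP TCP window question (419) and both buffer-credit questions (424 and 427). The calculator below is an added example written for this page, not Cisco code and not a formula the page supplies. It assumes the nominal per-direction FC data rates used for sizing (100 MB/s per "gigabit" of FC speed) and a round-trip propagation delay of 10 µs per km of fiber; both assumptions are marked in the comments.

```python
# Sizing calculator for the two flow-control questions on this page: BB_credits on a
# long-haul FC link and the TCP window an FCIP tunnel needs. Added example; not Cisco code.

# Assumption: nominal per-direction payload rate in MB/s for each FC generation
# (the round numbers used for sizing; the encoded line rate differs slightly).
FC_RATE_MBPS = {1: 100, 2: 200, 4: 400, 8: 800, 16: 1600, 32: 3200}

# Assumption: light travels about 200 km/ms in single-mode fiber, i.e. 5 us per km
# one way, so the R_RDY for a frame returns about 10 us per km after the frame was sent.
FIBER_RTT_NS_PER_KM = 10_000

MAX_FC_FRAME_BYTES = 2148   # SOF 4 + header 24 + payload 2112 + CRC 4 + EOF 4


def bb_credits(speed_gfc, distance_km, frame_bytes=MAX_FC_FRAME_BYTES):
    """Minimum BB_credits to keep a long-haul FC link busy.

    credits = bytes the link carries during one round-trip delay / bytes per frame.
    Only speed, distance and frame size enter; targets, VSANs and zones do not.
    """
    if speed_gfc not in FC_RATE_MBPS:
        raise ValueError(f"unsupported FC speed: {speed_gfc}G")
    if distance_km <= 0 or frame_bytes <= 0:
        raise ValueError("distance and frame size must be positive")
    rate_bytes_per_s = FC_RATE_MBPS[speed_gfc] * 1_000_000
    rtt_ns = round(distance_km * FIBER_RTT_NS_PER_KM)
    bytes_in_flight = rate_bytes_per_s * rtt_ns // 1_000_000_000
    return -(-bytes_in_flight // frame_bytes)        # integer ceiling


def fcip_window_bytes(link_bps, rtt_ms):
    """Bandwidth-delay product: the TCP window FCIP needs to fill a WAN link."""
    return link_bps * rtt_ms // 8000


def fcip_max_throughput_bps(window_bytes, rtt_ms):
    """Best case when the window is the bottleneck: one window per round trip."""
    return window_bytes * 8 * 1000 // rtt_ms


def tcp_window_scale_shift(window_bytes):
    """Smallest RFC 1323 window-scale shift that lets the 16-bit window field reach the target."""
    shift = 0
    while (65535 << shift) < window_bytes:
        shift += 1
    return shift


if __name__ == "__main__":
    for speed in (4, 8, 16):
        print(f"{speed:>2}G FC over 50 km, 2148-byte frames: {bb_credits(speed, 50)} credits")
    print(f" 8G FC over 50 km, 1024-byte frames: {bb_credits(8, 50, 1024)} credits")
    link, rtt = 1_000_000_000, 50
    win = fcip_window_bytes(link, rtt)
    print(f"1 Gbps FCIP at {rtt} ms RTT needs a {win:,}-byte window "
          f"(window-scale shift {tcp_window_scale_shift(win)})")
    print(f"with the unscaled 64 KB window it tops out at "
          f"{fcip_max_throughput_bps(65535, rtt):,} bit/s")
```

Two things the numbers make visible that the prose does not: halving the frame size roughly doubles the credit requirement on the same link, and a 1 Gbps FCIP tunnel at 50 ms RTT collapses to about 10 Mbit/s if the TCP window is left at the unscaled 64 KB maximum.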

428
Multi-Selectmedium

A storage administrator reports that a host cannot reach any of the targets on a Cisco MDS 9000 Series switch. The VSAN configuration is correct, and all interfaces are up. Which two commands should be used to verify the Fibre Channel name server database and zoning configuration?

Select 2 answers
A.show zoneset active
B.show zone
C.show flogi database
D.show fcns database
E.show fcns details
AnswersA, D

Shows the active zoneset and its member devices, verifying zoning.

Why this answer

Option A is correct because the 'show zoneset active' command displays the currently active zone set, which is essential for verifying which zones are enforced by the switch. Since the VSAN configuration is correct and interfaces are up, a missing or incorrect active zone set could prevent the host from reaching any targets, even if the name server database is populated. Option D is correct because 'show fcns database' lists the name server entries per VSAN (FCID, port type, pWWN and FC4 type/feature), which confirms that the target ports have registered with the fabric and advertise the expected FC4 protocol; if the targets are absent from the name server, the host cannot discover them no matter how zoning is configured.

Exam trap

Cisco often tests the distinction between 'show flogi database' (which shows fabric login state) and 'show fcns database' (which shows name server registrations), leading candidates to mistakenly choose 'show flogi database' when the question asks for name server verification.

429
Multi-Selecthard

Which two benefits does EVPN provide compared to traditional VPLS? (Choose two.)

Select 2 answers
A.Simpler BGP configuration
B.Load balancing of traffic across multiple active paths
C.Reduced MAC address learning
D.No need for MPLS
E.Support for IP routing
AnswersB, E

EVPN allows active-active multihoming, improving bandwidth utilization.

Why this answer

EVPN uses BGP to advertise MAC addresses and IP prefixes, enabling per-flow load balancing across multiple equal-cost paths via its all-active multi-homing capability. In contrast, traditional VPLS relies on a single active forwarder per site (using Spanning Tree Protocol or VPLS Multihoming), which prevents active-active load balancing and wastes bandwidth.

Exam trap

Cisco often tests the misconception that EVPN simplifies BGP configuration or eliminates MPLS, when in fact EVPN requires more BGP knobs and still relies on an MPLS or VXLAN transport layer.

430
MCQeasy

A mid-size organization is upgrading its data center network to support server virtualization. They have deployed two Nexus 9300 switches as access switches for their server racks. The servers are configured with VLAN tagging and connect to the switches using trunks. The network administrator needs to ensure that the switches can provide default gateway services to the servers to reduce latency. They have configured interface VLAN interfaces and HSRP for redundancy. After implementation, the servers can communicate within the same VLAN but fail to reach the default gateway. The network administrator checks the switch configuration and finds that "ip routing" is not enabled globally. What is the most likely impact of this missing configuration?

A.The switches will not forward traffic between VLANs.
B.The servers will not receive DHCP addresses.
C.HSRP will not elect an active router.
D.The VLAN interfaces will not come up.
AnswerA

ip routing is required for inter-VLAN forwarding.

Why this answer

Without the 'ip routing' command enabled globally, the Nexus 9300 switches operate as Layer 2 devices only. This means they can forward frames within the same VLAN (since that relies on MAC address learning and switching), but they cannot perform IP routing between VLANs or route traffic to the configured SVI (VLAN interface) default gateway. The servers can communicate within the same VLAN because that is purely Layer 2 switching, but any attempt to reach the default gateway (which requires Layer 3 forwarding) fails because the switch does not have IP routing enabled.

Exam trap

Cisco often tests the misconception that HSRP or SVI functionality requires global IP routing to be enabled, when in fact HSRP can operate and SVIs can come up without 'ip routing', but inter-VLAN routing and default gateway reachability will fail.

How to eliminate wrong answers

Option B is wrong because a server obtains a DHCP lease from a server in its own VLAN by broadcast, or from a remote server through a DHCP relay (helper address) on the SVI; DHCP snooping is a security feature that validates DHCP messages, not something address assignment depends on, and the absence of 'ip routing' does not stop a host from obtaining a lease within its VLAN. Option C is wrong because HSRP operates at Layer 3 using the SVI IP address and does not require global IP routing to be enabled; HSRP can still elect an active router and maintain virtual IP/MAC addresses as long as the SVI is up and the HSRP configuration is correct. Option D is wrong because VLAN interfaces (SVIs) come up as long as the VLAN exists and at least one port in that VLAN is up; the 'ip routing' command does not affect the operational state of an SVI.

431
MCQeasy

What is a key advantage of using structured data (e.g., JSON or XML) from Cisco NX-API responses compared to traditional CLI scraping (e.g., using regular expressions)?

A.It automatically commits changes to running-config.
B.It provides machine-readable output that is less prone to parsing errors due to display changes.
C.It requires no software libraries to parse.
D.It eliminates the need for any authentication.
AnswerB

Structured data is consistent across versions, while CLI output can change with cosmetic updates.

Why this answer

Option B is correct because structured data is predictable and parsable, reducing errors compared to relying on raw text output.
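Questions 425 and 431 are two sides of the same practice: read NX-API's structured reply instead of scraping CLI text, and read the error object in that reply to tell a rejected command apart from an authentication failure. The block below is an added example for this page, not Cisco code. The request and reply envelopes follow JSON-RPC 2.0, which is the format NX-API's /ins endpoint uses; the body field names, the error payload and the two CLI renderings are constructed for the example and are not captured from a switch.

```python
import json
import re

# Added example for questions 425 and 431; not Cisco code. The request/response
# envelope follows JSON-RPC 2.0, which is what NX-API's /ins endpoint speaks; the
# payload contents and CLI text below are constructed for this example.


def build_jsonrpc_batch(commands, first_id=1):
    """One 'cli' call per show command, batched into a single HTTP POST body."""
    return [
        {"jsonrpc": "2.0", "method": "cli",
         "params": {"cmd": cmd, "version": 1}, "id": first_id + i}
        for i, cmd in enumerate(commands)
    ]


class NxapiError(Exception):
    def __init__(self, code, message, detail=None):
        super().__init__(f"NX-API error {code}: {message} ({detail or 'no detail'})")
        self.code, self.message, self.detail = code, message, detail


def classify_response(http_status, payload):
    """Name the layer a request failed at; the exam trap is mixing these up."""
    if http_status == 401:
        return "authentication"   # bad credentials never reach the command layer
    if http_status != 200:
        return "transport"        # malformed request, server error, etc.
    if "error" in payload:
        return "command"          # JSON-RPC error object: the switch rejected the command
    return "ok"


def result_body(payload):
    """Structured body of a successful reply; raises NxapiError on an error object."""
    if "error" in payload:
        err = payload["error"]
        detail = (err.get("data") or {}).get("msg")
        raise NxapiError(err.get("code"), err.get("message"), detail)
    return payload["result"]["body"]


def rejected_command_message(payload):
    """The switch's own rejection text (e.g. '% Invalid command'), or None on success."""
    if "error" not in payload:
        return None
    err = payload["error"]
    msg = (err.get("data") or {}).get("msg") or err.get("message", "")
    return msg.strip()


# Constructed replies. Field names in the body are assumptions for this example.
OK_REPLY = {
    "jsonrpc": "2.0", "id": 1,
    "result": {"body": {"host_name": "dc1-leaf01",
                        "kickstart_ver_str": "9.3(5)",
                        "chassis_id": "Nexus9000 C9336C-FX2 Chassis"}},
}
ERROR_REPLY = {
    "jsonrpc": "2.0", "id": 2,
    "error": {"code": -32602, "message": "Invalid params",
              "data": {"msg": "% Invalid command\n"}},
}


def hostname_from_nxapi(payload):
    """Key access: unaffected by how the CLI would have rendered the same data."""
    return result_body(payload)["host_name"]


# Two constructed renderings of the same data as CLI text; the second differs
# only cosmetically (label capitalization and spacing).
CLI_TEXT_V1 = "  Device name: dc1-leaf01\n  NXOS: version 9.3(5)\n"
CLI_TEXT_V2 = "  Device Name :  dc1-leaf01\n  NXOS : version 9.3(5)\n"

HOSTNAME_RE = re.compile(r"^\s*Device name:\s+(\S+)", re.MULTILINE)


def scrape_hostname(text):
    """Regex scraping: silently returns None once the display format shifts."""
    m = HOSTNAME_RE.search(text)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(json.dumps(build_jsonrpc_batch(["show version", "show vpc"]), indent=1))
    print("structured:", hostname_from_nxapi(OK_REPLY))
    print("scraped v1:", scrape_hostname(CLI_TEXT_V1),
          "| scraped v2:", scrape_hostname(CLI_TEXT_V2))
    print("classified:", classify_response(401, {}), classify_response(200, ERROR_REPLY))
    print("rejection text:", rejected_command_message(ERROR_REPLY))
```

The failure mode worth noticing is the silent one: the regex does not raise on the second rendering, it just returns None, and an automation job built on it would carry on with a missing hostname. The structured path either returns the field or raises with the switch's own rejection text, which is exactly the distinction question 425 asks for.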

432
MCQmedium

A Nexus 9000 switch is configured with VPC. The VPC keepalive link fails. What is the effect on the VPC domain?

A.Both switches suspend the VPC VLANs.
B.Both switches continue to forward traffic normally.
C.The secondary switch suspends its VPC member ports.
D.The primary switch becomes orphan.
AnswerB

With the peer link still up, the peers keep synchronizing over it; a keepalive-only failure is logged, not acted on.

Why this answer

The vPC peer-keepalive link is a heartbeat that lets each switch tell a peer-link failure apart from a dead peer. It carries no data traffic and no vPC control traffic; configuration synchronization (CFS) runs across the peer link. If only the keepalive link fails while the peer link stays up, both switches continue forwarding on all vPC member ports; NX-OS raises a syslog for the lost keepalive and 'show vpc peer-keepalive' reports the link as down, but no ports are suspended and the roles do not change. The suspension behavior belongs to the opposite failure: when the peer link goes down and the keepalive still shows the primary alive, the secondary suspends its vPC member ports (and, by default, its vPC VLAN SVIs) so that only the primary forwards. Losing both links leaves each switch believing it is alone and produces a dual-active (split-brain) condition, which is why the keepalive should run over a path independent of the peer link, such as mgmt0 through a management switch, and why a keepalive failure should be repaired promptly even though it is benign on its own.

Exam trap

Cisco often tests the order of the two failures. Candidates remember that "the secondary suspends its member ports" and attach that behavior to the keepalive link, when it is a peer-link failure with the keepalive still up that triggers the suspension; a keepalive failure by itself changes nothing in the forwarding path.

How to eliminate wrong answers

Option A is wrong because neither switch suspends vPC VLANs on a keepalive failure; the secondary shuts its vPC VLAN SVIs only when the peer link fails. Option C is wrong because the secondary suspends its vPC member ports only when the peer link is down and the keepalive confirms the primary is still alive; with the peer link up the peers can still see each other. Option D is wrong because "orphan" describes a non-vPC port attached to one of the peers, not a role the primary switch takes on; vPC roles do not change on a keepalive failure.

433
MCQmedium

A storage administrator needs to monitor traffic between two specific storage arrays without causing any disruption. Which approach should be used?

A.Configure a SPAN session on the MDS switch to copy traffic between the storage ports.
B.Use FC traceroute to identify the path.
C.Enable FC ping between arrays.
D.Use IVR to route traffic through a monitoring zone.
E.Configure port channel between arrays.
AnswerA

SPAN (Switched Port Analyzer) copies traffic to a monitor port for analysis without disruption.

Why this answer

Option A is correct because a SPAN session on the MDS switch copies the frames passing between the storage ports to a monitoring port (an SD port in MDS terms) without altering the original flow. Option B (FC traceroute) only reveals the path between the two ports, not the traffic on it. Option C (FC ping) only tests reachability. Option D (IVR) routes traffic between VSANs; it does not copy traffic for analysis, and re-routing production storage traffic through a "monitoring zone" would be anything but non-disruptive. Option E (a port channel) bundles ISLs between switches, not links between arrays, and has nothing to do with monitoring.

434
MCQeasy

Which Fibre Channel frame field is used to identify the upper-layer protocol being carried?

A.Source FC ID
B.D_ID
C.CS_CTL
D.R_CTL
AnswerD

Routing Control field specifies the frame category.

Why this answer

Option D is correct. Of the fields offered, R_CTL is the one that categorizes the frame: its routing bits say whether the frame is device data, link control and so on, and its information category distinguishes, for example, command frames from data frames within an exchange. Strictly, the upper-layer protocol itself is identified by the separate TYPE field of the FC frame header (0x08 for SCSI-FCP), which is not among the options, so R_CTL is the closest match. The source FCID (S_ID) and D_ID only address the frame, and CS_CTL carries class-specific control such as priority.

435
MCQeasy

An engineer needs to create a VSAN on a Cisco MDS switch with VSAN ID 50. Which command correctly creates the VSAN?

A.switch(config-vsan)# vsan 50
B.switch(config)# vsan 50
C.switch(config)# interface vsan 50
D.switch(config)# vsan database
AnswerA

On MDS NX-OS a VSAN is created inside the VSAN database submode, not at the global prompt.

Why this answer

Option A is correct. VSANs are created in the VSAN database submode: 'vsan database' from global configuration mode enters it (the prompt becomes config-vsan-db) and 'vsan 50' inside that submode creates the VSAN; 'vsan 50 name <name>' and 'vsan 50 interface <fc-interface>' are entered there as well, and 'show vsan 50' confirms the result. Option B is wrong because 'vsan 50' is not accepted at the global configuration prompt. Option C is wrong because 'interface vsan 50' creates an IP-over-FC interface for an existing VSAN, not the VSAN itself. Option D is wrong because 'vsan database' on its own only enters the submode and creates nothing.

436
MCQmedium

A storage administrator needs to ensure that a Fibre Channel zone configuration is operationally effective without disrupting the current active zone set. Which approach should be used?

A.Create the new zone configuration in the defined configuration, then activate it as a new zone set.
B.Delete the active zone set and create a new one.
C.Edit the active zone set directly.
D.Use the 'commit' command to update the zone set.
AnswerA

Standard best practice.

Why this answer

Option A is correct because in Cisco MDS Fibre Channel SANs, zone configurations are created in the defined configuration and then activated as a new zone set. This approach ensures that the current active zone set remains operational and unaffected during the configuration process, preventing any disruption to existing traffic. Only when the new zone set is explicitly activated does it replace the active set, allowing for a controlled cutover.

Exam trap

Cisco often tests the misconception that you can directly edit the active zone set, similar to how you might edit a running configuration on a router, but in Fibre Channel zoning, the active set is immutable and must be replaced via activation.

How to eliminate wrong answers

Option B is wrong because deleting the active zone set would immediately remove all zoning for the VSAN: with the default zone policy of deny, every device loses access, and with the default zone set to permit, every device can see every other, a security exposure rather than an outage but just as disruptive to a production SAN. Option C is wrong because the active zone set cannot be edited in place on Cisco MDS; it is the copy installed by the last activation, and all changes go into the full (defined) zone database. Option D is wrong for this question because 'commit' by itself does not update the zone set: in basic zoning mode the change takes effect with 'zoneset activate name <name> vsan <id>', and in enhanced zoning mode edits are made in a locked session and applied with 'zone commit vsan <id>', which still presupposes that the new zones and zone set were built in the defined configuration first. In either mode 'show zoneset active vsan <id>' verifies what is enforced after the cutover.

437
Multi-Selecteasy

Which TWO of the following are valid methods to enforce security on a Cisco Nexus switch? (Choose two.)

Select 2 answers
A.SSHv2
B.NetFlow
C.Control Plane Policing (CoPP)
D.FabricPath
E.Private VLANs
AnswersC, E

CoPP protects the control plane by rate-limiting traffic.

Why this answer

Control Plane Policing (CoPP) is a valid security enforcement method on Cisco Nexus switches because it protects the control plane from excessive or malicious traffic by applying QoS policies that rate-limit packets destined for the supervisor module. By filtering traffic such as routing protocols, SSH, or ICMP, CoPP prevents CPU overload and DoS attacks, directly enforcing security at the control plane level.

Exam trap

Cisco often tests the distinction between security enforcement mechanisms (like CoPP and Private VLANs) and management protocols (like SSH) or monitoring tools (like NetFlow), leading candidates to mistakenly select SSHv2 as a security enforcement method.

438
MCQmedium

An engineer is configuring AAA on a Cisco Nexus switch to authenticate management access via TACACS+. The switch is reachable, but login attempts repeatedly fail. Which action should the engineer take to isolate the issue?

A.Enable 'debug tacacs' on the switch to see detailed TACACS+ exchange.
B.Run 'test aaa authentication login <user> <password> legacy' to validate AAA configuration.
C.Verify IP connectivity to the TACACS+ server using ping.
D.Check if the TACACS+ server port (49) is open using Telnet.
AnswerB

This command directly tests the AAA authentication process.

Why this answer

Option B is correct because the 'test aaa authentication login' command with the 'legacy' keyword exercises the configured AAA method against the TACACS+ server without opening a login session. It isolates a wrong shared secret, a missing server-group entry or a broken method list from plain network reachability, because it runs the same authentication exchange the switch uses for a real login. On NX-OS the form is 'test aaa group <group-name> <username> <password>' (or 'test aaa server tacacs+ <server> <username> <password>' to target one server); a failure here while the server answers ping points at the shared secret or the server-side configuration rather than at the network.

Exam trap

Cisco often tests the distinction between connectivity verification (ping, port checks) and actual AAA authentication validation, trapping candidates who assume that reachability implies correct AAA operation, when in fact the shared secret, server configuration, or authentication method may be misconfigured.

How to eliminate wrong answers

Option A is wrong because enabling 'debug tacacs' generates verbose output that can overwhelm the console and impact performance; it is a second-stage step to be used after basic configuration and connectivity have been confirmed, not the first isolation action. Option C is wrong because, while IP connectivity is necessary, the switch is already reachable per the scenario, and ping only tests ICMP reachability, not whether the TACACS+ service is answering authentication requests. Option D is wrong because a TCP connection to port 49 (for example 'telnet <server> 49' from a host that can reach the server) only proves that the TACACS+ daemon is listening; it says nothing about the shared secret, the server-group configuration or the authentication method list, which are the usual causes when the server is reachable and logins still fail.

439
MCQmedium

A company is deploying a new Cisco UCS Mini. They need to ensure that the chassis can be managed from either fabric interconnect. What configuration is required to achieve this?

A.Configure a private VLAN to isolate management traffic
B.Set the chassis to in-band management mode
C.Enable FC-Zoning on the fabric interconnects
D.Configure a management VLAN on both fabric interconnects and enable chassis management on that VLAN
AnswerD

This allows the chassis to be reachable from both FIs for management purposes.

Why this answer

Option D is correct because Cisco UCS Mini requires a dedicated management VLAN to be configured on both fabric interconnects, and chassis management must be enabled on that VLAN. This allows the chassis management controller (CMC) to be reachable from either FI, enabling active/standby management redundancy without relying on a single point of control.

Exam trap

The trap here is that candidates often confuse in-band management (Option B) with the required out-of-band management VLAN configuration, mistakenly thinking that using the data path is sufficient for redundant chassis management.

How to eliminate wrong answers

Option A is wrong because private VLANs are used to isolate traffic within a VLAN (e.g., for multi-tenant environments) and are not required for chassis management redundancy in UCS Mini. Option B is wrong because in-band management mode is used for managing the chassis through the data path (e.g., via a server's vNIC), not for enabling management from either fabric interconnect; the correct approach is out-of-band management via a dedicated management VLAN. Option C is wrong because FC-Zoning is a Fibre Channel storage networking concept used to control access in a SAN fabric and has no role in enabling chassis management from either FI.

440
MCQmedium

A data center administrator is implementing Cisco TrustSec on a Nexus 7000 switch to enforce role-based access control. After configuring a security group tag (SGT) classification policy, users report that traffic between two servers is not being tagged. What is the most likely cause?

A.DHCP snooping is not enabled on the VLAN.
B.The ingress interface is missing the 'sgt' or 'ip policy' command to classify traffic.
C.The switch ASIC does not support TrustSec in hardware.
D.The SGT is assigned on the egress interface instead of ingress.
AnswerB

Ingress interface must have 'sgt' or 'ip policy' to assign SGTs.

Why this answer

Option B is correct because Cisco TrustSec requires the ingress interface to be explicitly configured with either the 'sgt' command (for static SGT assignment) or an 'ip policy' command (for dynamic SGT classification via a security group ACL). Without this, the switch cannot classify traffic and apply the SGT tag. The scenario describes a classification policy that is not being applied, which directly points to a missing ingress classification command.

Exam trap

The trap here is that candidates often assume SGT classification is automatic once a policy is defined, but Cisco explicitly tests that the ingress interface must have the 'sgt' or 'ip policy' command to trigger classification.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is unrelated to SGT classification; it is a security feature to prevent rogue DHCP servers and does not affect SGT tagging. Option C is wrong because the Nexus 7000 series switches (with the appropriate line cards, e.g., F2e, M3) support TrustSec in hardware; the question does not indicate a hardware limitation, and the issue is configuration-based. Option D is wrong because SGTs are assigned on the ingress interface, not egress; egress interfaces enforce policies based on the SGT but do not assign the tag.

441
MCQmedium

A VACL is configured to capture traffic between hosts in the same VLAN. The capture port is configured and the VACL is applied to the VLAN. However, no traffic is being captured. What is a likely reason?

A.The VACL is applied in the wrong direction
B.The capture port is a SPAN destination port
C.The VACL does not have a capture action
D.The capture port is not in the same VLAN
AnswerC

Without the capture action, the VACL will not copy packets to the capture port.

Why this answer

Option C is correct because a VACL (VLAN Access Control List) must explicitly include a capture action to forward matched traffic to a capture port. Without the capture action, the VACL only permits or denies traffic within the VLAN but does not trigger packet replication to the configured capture port. The capture action is configured using the `capture` keyword in the VACL configuration, and its absence is the most common reason for no traffic being captured.

Exam trap

The trap here is that candidates often assume a VACL applied to a VLAN will automatically send all matched traffic to a capture port, overlooking the explicit `capture` action required in the VACL configuration.

How to eliminate wrong answers

Option A is wrong because VACLs are applied to VLANs, not to interfaces, and they operate on traffic within the VLAN regardless of direction; direction-based ACLs are for router ACLs, not VACLs. Option B is wrong because a SPAN destination port cannot be used as a capture port for VACL capture; VACL capture requires a dedicated capture port configured with the `switchport capture` command, and SPAN and VACL capture are mutually exclusive on the same port. Option D is wrong because the capture port does not need to be in the same VLAN as the traffic being captured; VACL capture replicates traffic to the capture port regardless of its VLAN membership, as long as the capture port is configured correctly.

442
MCQhard

A UCS domain is experiencing intermittent storage connectivity. The storage admin confirms the SAN is properly zoned and the VSANs are configured. The UCS admin finds that the host interface (HBAs) are showing 'Link Down' intermittently. Which of the following is a likely cause?

A.Incompatible HBA firmware
B.Mismatched fabric failover policy
C.Incorrect Fibre Channel interface mode on the FI
D.Faulty SFP or cable
AnswerD

Physical layer issues often cause intermittent link flapping.

Why this answer

Intermittent 'Link Down' on HBAs, despite correct SAN zoning and VSAN configuration, strongly points to a physical-layer issue. Faulty SFPs or damaged cables cause intermittent link flaps, which manifest as sporadic HBA link-down events. This is the most common cause of such symptoms in UCS environments.

Exam trap

Cisco often tests the distinction between physical-layer issues (SFP/cable) and configuration or policy errors, tempting candidates to overthink with fabric failover or interface mode when the symptom is a simple link flap.

How to eliminate wrong answers

Option A is wrong because incompatible HBA firmware typically causes persistent driver errors or failure to log in to the fabric, not intermittent link flaps. Option B is wrong because a mismatched fabric failover policy affects how traffic is redirected during a failure, not the physical link state of the HBA. Option C is wrong because an incorrect Fibre Channel interface mode on the FI (End Host versus Switching mode) changes upstream FLOGI behavior and zoning, not the point-to-point link status between the HBA and the FI.

443
MCQeasy

A network engineer is troubleshooting VXLAN connectivity between two VTEPs. The source VTEP is configured with `nve1` and member VNI 10000. The `show nve peers` command shows the remote VTEP IP but the status is 'Init'. What is a likely cause?

A.The multicast group is not reachable.
B.The remote VTEP is not configured with the same VNI.
C.The MTU is too low.
D.The VRF is mismatched between the VTEPs.
AnswerA

VXLAN relies on multicast for BUM traffic; if the multicast group is unreachable, the peer remains in 'Init'.

Why this answer

The 'Init' status in the output of 'show nve peers' indicates that the VXLAN tunnel endpoint (VTEP) has learned the remote VTEP IP address (likely via BGP EVPN or static configuration) but is unable to complete the tunnel establishment. In VXLAN multicast mode, the underlay multicast group is used for BUM traffic and for VTEP discovery. If the multicast group is not reachable (e.g., due to missing PIM configuration, incorrect RP, or firewall filtering), the source VTEP cannot receive the multicast join or data from the remote VTEP, leaving the peer stuck in 'Init' state.

Exam trap

Cisco often tests the distinction between control-plane and data-plane issues; the trap here is that candidates assume 'Init' means a configuration mismatch (like VNI or VRF) rather than an underlay multicast reachability problem, because they overlook that VXLAN multicast mode requires a functional underlay multicast tree for peer establishment.

How to eliminate wrong answers

Option B is wrong because a VNI mismatch would typically cause the remote VTEP to not advertise that VNI in BGP EVPN, resulting in the peer not being learned at all, or the VNI not being operational, but the peer status would not show 'Init' for a learned peer. Option C is wrong because an MTU issue would cause packet fragmentation or drops after the tunnel is established, not prevent the peer from leaving the 'Init' state; the 'Init' state is a control-plane issue, not a data-plane MTU problem. Option D is wrong because a VRF mismatch would affect traffic forwarding and route import/export in BGP EVPN, but the peer status is independent of VRF configuration; the VTEP peer can still be established even with mismatched VRFs, though traffic may not be forwarded correctly.

444
MCQ · hard

A UCS domain has two fabric interconnects in end-host mode. The engineer needs to implement a policy that ensures all traffic from a specific vNIC is load-balanced across both uplinks to the upstream switches. Which type of policy should be used?

A.Link aggregation policy
B.Pin group policy
C.QoS policy
D.Network control policy
Answer: B

Allows pinning a vNIC to specific uplinks or 'no-pin' for load balancing across all.

Why this answer

In a UCS domain with fabric interconnects in end-host mode, a Pin Group policy is used to explicitly map a vNIC's traffic to specific uplink ports, ensuring load balancing across the upstream switches. This policy overrides the default MAC-based hashing and allows the engineer to control traffic distribution, which is critical for consistent performance and redundancy.

Exam trap

Cisco often tests the distinction between Pin Group policies (which control per-vNIC traffic distribution) and Link Aggregation policies (which bundle ports), leading candidates to mistakenly choose the latter when the question emphasizes load balancing across individual uplinks rather than aggregated bandwidth.

How to eliminate wrong answers

Option A is wrong because a Link Aggregation policy (LACP) bundles multiple uplinks into a single logical link for increased bandwidth and redundancy, but it does not control per-vNIC traffic distribution across individual uplinks; it operates at the port-channel level. Option C is wrong because a QoS policy manages traffic prioritization and bandwidth allocation, not load balancing or path selection for a specific vNIC. Option D is wrong because a Network Control policy defines Layer 2 features like STP or LLDP, but it does not influence how vNIC traffic is pinned or load-balanced across uplinks.

445
MCQ · hard

An administrator is deploying a new application in a Cisco ACI fabric. The application requires multicast traffic between end hosts. Which configuration is necessary for multicast in ACI?

A.Enable PIM on the leaf switches.
B.Configure a multicast group in the EPG.
C.Create a multicast policy in the bridge domain.
D.Use IGMP snooping only.
Answer: C

A multicast policy in the bridge domain enables multicast forwarding.

Why this answer

In Cisco ACI, multicast forwarding is enabled at the bridge domain level using a multicast policy. This policy configures the necessary IGMP snooping and multicast group membership for the fabric, allowing end hosts to receive multicast traffic without requiring PIM on the leaf switches. Option C is correct because the bridge domain multicast policy is the required configuration for multicast in ACI.

Exam trap

Cisco often tests the misconception that PIM must be enabled for multicast in ACI, but the fabric's overlay uses head-end replication and IGMP snooping at the bridge domain level instead.

How to eliminate wrong answers

Option A is wrong because PIM is not required in ACI; the fabric uses a head-end replication model with IGMP snooping and a multicast policy, not traditional PIM routing. Option B is wrong because multicast groups are not configured in the EPG; the EPG defines endpoint groups and contracts, while multicast group membership is managed via the bridge domain multicast policy. Option D is wrong because IGMP snooping alone is insufficient; ACI requires the multicast policy in the bridge domain to enable the fabric's multicast forwarding behavior, including head-end replication.

446
MCQ · medium

A company recently deployed Cisco UCS B-Series blades with a single Fabric Interconnect. During a maintenance window, the Fabric Interconnect must be upgraded. Which action ensures minimal disruption to running workloads?

A.Disassociate service profiles from blades, upgrade the Fabric Interconnect, then re-associate the service profiles.
B.Use the UCS Manager GUI to migrate all service profiles to a second Fabric Interconnect.
C.Shut down all blades gracefully, upgrade the Fabric Interconnect, then power on blades.
D.Change the boot order of blades to boot from NFS image, then upgrade FI.
Answer: A

Blades continue running; only management connectivity is lost temporarily.

Why this answer

Option A is correct because disassociating service profiles from the blades detaches the logical configuration from the physical hardware, allowing the single Fabric Interconnect to be upgraded without affecting the running workloads. The blades continue to run their current operating system and applications, and once the upgrade is complete, re-associating the service profiles restores management connectivity without requiring a reboot or workload interruption.

Exam trap

Cisco often tests the misconception that shutting down blades or migrating to a second Fabric Interconnect is required, but the key is that disassociating service profiles decouples management from the running workload, enabling a non-disruptive upgrade on a single Fabric Interconnect.

How to eliminate wrong answers

Option B is wrong because migrating service profiles to a second Fabric Interconnect requires a second Fabric Interconnect to be present, but the scenario specifies a single Fabric Interconnect, making this option technically impossible. Option C is wrong because shutting down all blades gracefully causes a complete outage for all running workloads, which is not minimal disruption. Option D is wrong because changing the boot order to boot from an NFS image does not address the Fabric Interconnect upgrade; the blades still rely on the Fabric Interconnect for network connectivity, and the upgrade would disrupt that connectivity.

447
MCQ · hard

A large enterprise data center is deploying a new application using Cisco ACI with a multi-pod design. The application requires low-latency communication between servers in different pods. The network team has configured the ACI fabric with two pods, each connected via inter-pod network (IPN) switches. After deployment, the application experiences intermittent latency spikes and packet loss. The APIC health scores remain high but the latency issue persists. The team has verified the underlay IP connectivity and MTU settings. What is the most likely cause of the latency issues?

A.The application servers are using different VLANs that are not stretched between pods.
B.The CoS settings for the application traffic are not properly mapped to the appropriate queue on the IPN switches.
C.The IPN switches are using a shared link aggregation group that is causing traffic congestion.
D.The inter-pod network is not configured with enough bandwidth due to oversubscription.
Answer: B

Improper CoS mapping leads to sporadic drops.

Why this answer

In a Cisco ACI multi-pod design, the IPN switches must properly trust and map the CoS values from the ACI fabric to the appropriate egress queues. If the CoS markings are not correctly configured on the IPN switches, application traffic can experience buffer drops and latency spikes even when the underlay has sufficient bandwidth and the APIC health scores are high. This is a common misconfiguration because the IPN switches are Layer 3 devices that require explicit QoS policies to preserve the ACI fabric's priority handling.

Exam trap

Cisco often tests the misconception that underlay connectivity and MTU settings are sufficient for multi-pod performance, when in fact the IPN switches require explicit QoS configuration to preserve ACI's priority handling across pods.

How to eliminate wrong answers

Option A is wrong because VLANs are not stretched between pods in ACI multi-pod; inter-pod traffic uses Layer 3 routing via the IPN, so different VLANs per pod do not cause latency or packet loss. Option C is wrong because a shared link aggregation group (LAG) on IPN switches would not inherently cause congestion; LAGs are used for bandwidth aggregation and redundancy, and the issue is about queue drops, not link bundling. Option D is wrong because oversubscription of the inter-pod network would manifest as consistent congestion and high APIC health degradation, not intermittent latency spikes with high health scores; the problem is QoS misconfiguration, not bandwidth shortage.

448
MCQ · medium

An engineer is designing a UCS Mini deployment for a remote office. The chassis will contain four blade servers. Each server needs two 10GbE connections for data and one 1GbE for management. What is the minimum number of fabric interconnects required?

A.One
B.Three
C.Four
D.Two
Answer: A

UCS Mini can operate with a single FI for up to four blades, meeting the requirement.

Why this answer

A single UCS Mini fabric interconnect (FI) can provide both data and management connectivity for up to eight blade servers in a single chassis. Each blade server requires two 10GbE data connections (from the integrated VIC) and one 1GbE management connection (from the Cisco Integrated Management Controller, or CIMC). The FI aggregates these connections internally, so one FI is sufficient for a four-server deployment, as UCS Mini supports a single FI configuration for non-redundant setups.

Exam trap

Cisco often tests the misconception that each blade server's management connection requires a separate physical port or that two FIs are always needed for any UCS deployment, but UCS Mini's integrated architecture allows a single FI to handle both data and management for up to eight blades.

How to eliminate wrong answers

Option B is wrong because three fabric interconnects are not supported in UCS Mini; the architecture only supports one or two FIs for redundancy. Option C is wrong because four fabric interconnects exceed the maximum supported in any UCS Mini configuration (max two). Option D is wrong because two fabric interconnects are only required for redundancy (e.g., for high availability or dual-homing), not for meeting the minimum connectivity needs of four blade servers; the question asks for the minimum number.

449
Multi-Select · medium

Which TWO statements about Cisco UCS service profiles are correct? (Choose TWO.)

Select 2 answers
A.Service profiles are only supported on B-Series blades.
B.Service profiles can include policies for firmware management.
C.A service profile can be associated with one server at a time.
D.Service profiles are tied to specific physical hardware.
E.A service profile does not include network identity settings such as MAC addresses.
Answers: B, C

Firmware policies can be included.

Why this answer

Option B is correct because Cisco UCS service profiles can include firmware management policies that specify the firmware versions to be applied to the associated server components, such as adapters, BIOS, and storage controllers. This allows administrators to enforce consistent firmware levels across the infrastructure without manual intervention.

Exam trap

Cisco often tests the misconception that service profiles are hardware-specific or only apply to B-Series blades, when in fact they are designed to be hardware-agnostic and support both blade and rack server form factors.

450
Multi-Select · hard

A data center engineer is implementing model-driven telemetry using Cisco NX-OS. Which three components are required in the telemetry configuration? (Choose three.)

Select 3 answers
A.An HTTPS certificate for authentication
B.An SNMP community string
C.A sensor path to specify the data to stream
D.A subscription to a YANG data model
E.A destination profile with collector IP and port
Answers: C, D, E

Specifies which data to collect.

Why this answer

Option C is correct because a sensor path defines the specific YANG data model paths or operational data that the device will stream to the collector. In model-driven telemetry on Cisco NX-OS, the sensor path is the fundamental component that tells the device exactly which data to monitor and stream, such as 'Cisco-NX-OS-device:System/clock-items' or interface statistics paths.

Exam trap

The trap here is that candidates confuse model-driven telemetry with SNMP or traditional monitoring, mistakenly thinking SNMP community strings or HTTPS certificates are core components, when in fact the three required components are the sensor path, subscription, and destination profile.
