Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 451–500

500 questions total · 7 pages · All types, answers revealed


Page 7 of 7

451
MCQ · medium

A company wants to automate backup of running-configurations for 200 Nexus switches. Which solution provides the best combination of reliability and version history?

A. Manual backup via CLI
B. Custom Python script using TFTP
C. Ansible playbook with the nxos_config backup option
D. A cron job that SCPs config to a server
Answer: C

Idempotent, stores backups with timestamps, supports diffs.

Why this answer

An Ansible playbook with the nxos_config backup option is the best solution because it provides idempotent, version-controlled backups of running-configurations across 200 Nexus switches. The nxos_config module automatically creates a timestamped backup file on the Ansible control node, ensuring both reliability through automated, consistent execution and a built-in version history via the backup files. This approach scales efficiently without requiring manual intervention or fragile scripting.

Exam trap

Cisco often tests the misconception that any automated backup method is sufficient, but the trap here is that only Ansible's nxos_config backup option combines reliability, scalability, and built-in version history without requiring custom scripting or insecure protocols like TFTP.

How to eliminate wrong answers

Option A is wrong because manual backup via CLI is not scalable for 200 switches, lacks version history, and is prone to human error. Option B is wrong because a custom Python script using TFTP is unreliable due to TFTP's lack of authentication and encryption, and it does not inherently provide version history or idempotency. Option D is wrong because a cron job that SCPs config to a server offers no built-in version history or rollback capability, and it requires custom scripting to manage backups reliably across many devices.

452
MCQ · easy

A data center has 100 Nexus switches in a fabric managed by Cisco Nexus Dashboard Orchestrator (NDO). The network team needs to automate the creation of a new network template that includes multiple VLANs and VRF configurations. They want to ensure that the template is applied consistently across all leaf switches without manual intervention. The engineer writes a Python script using the NDO REST API to create the template and deploy it. However, the deployment fails with an error 'Template validation failed: overlapping IP subnets'. Upon reviewing the template, the engineer notices that two VLANs have overlapping subnet definitions. Which action should the engineer take to resolve this issue efficiently?

A. Use the NDO GUI to edit the template and then re-run the script
B. Manually correct the overlapping subnets in the template and re-run the deployment script
C. Create separate templates for each VLAN to avoid overlaps
D. Modify the Python script to ignore validation errors and force the deployment
Answer: B

Directly fixes the root cause; then automation can proceed.

Why this answer

Option B is correct because the root cause of the deployment failure is overlapping IP subnets in the template definition. Manually correcting the overlapping subnets in the template and re-running the deployment script directly resolves the validation error without introducing unnecessary complexity or risk. This approach ensures the template is valid before deployment, maintaining consistency across all leaf switches.

Exam trap

Cisco often tests the candidate's ability to distinguish between fixing the root cause (overlapping subnets) versus workarounds that bypass validation or increase complexity, testing whether you understand that automation must still adhere to network design rules.

How to eliminate wrong answers

Option A is wrong because using the NDO GUI to edit the template is not efficient; it introduces manual steps that defeat the automation goal and does not leverage the script for consistent deployment. Option C is wrong because creating separate templates for each VLAN does not address the overlapping subnet issue; it adds administrative overhead and may still result in overlaps if not carefully managed. Option D is wrong because modifying the Python script to ignore validation errors would force deployment of an invalid configuration, potentially causing IP conflicts and network outages across the fabric.

453
MCQ · medium

An engineer is troubleshooting a BGP EVPN session between a leaf and a spine. The 'show bgp l2vpn evpn summary' output shows the peer state as 'Active'. What does this indicate?

A. The session is in the process of being established.
B. The session is up and exchanging prefixes.
C. There is a configuration mismatch.
D. The TCP connection is not established.
Answer: D

Active means BGP is trying to establish a TCP connection.

Why this answer

In BGP EVPN, the 'Active' state indicates that the BGP speaker is actively trying to establish a TCP connection with the peer but has not yet completed the three-way handshake. This means the TCP session is not established, which is a prerequisite for BGP session establishment. The peer remains in 'Active' until the TCP connection is successfully formed.

Exam trap

The trap here is that candidates often confuse 'Active' with 'Connect' or think it means the session is actively exchanging routes, when in fact it indicates a TCP connection failure that must be resolved before BGP can proceed.

How to eliminate wrong answers

Option A is wrong because the 'Active' state specifically indicates that the TCP connection is not yet established, not that the session is in the process of being established (which would be 'Connect' or 'OpenSent' states). Option B is wrong because a session that is up and exchanging prefixes would be in the 'Established' state, not 'Active'. Option C is wrong because a configuration mismatch typically results in the session flapping or staying in 'Idle' state, not 'Active'; 'Active' is a TCP connection issue, not a configuration mismatch.

454
MCQ · medium

A UCS B-Series blade server shows high CPU latency when processing network I/O. The engineer suspects a bottleneck in the I/O subsystem. Which metric in UCS Manager should be examined first?

A. vNIC utilization percentage
B. Fabric port error counts
C. Memory usage statistics
D. Power consumption per server
Answer: B

Errors cause retransmissions and latency

Why this answer

Fabric port error counts directly reflect physical-layer issues (e.g., CRC errors, alignment errors, link flaps) that cause retransmissions and backpressure, leading to high CPU latency on the blade server. In UCS Manager, these counters are the first place to check when suspecting an I/O subsystem bottleneck because they pinpoint problems in the fabric interconnect or cabling before examining higher-layer metrics.

Exam trap

Cisco often tests the distinction between utilization metrics (which show load) and error metrics (which show health), so candidates mistakenly pick vNIC utilization thinking high usage equals a bottleneck, when the real issue is physical-layer errors causing retransmissions.

How to eliminate wrong answers

Option A is wrong because vNIC utilization percentage measures throughput usage, not errors or latency; high utilization alone does not cause CPU latency unless accompanied by errors or congestion. Option C is wrong because memory usage statistics indicate system memory pressure, which can affect overall performance but is not specific to the I/O subsystem or network latency. Option D is wrong because power consumption per server relates to thermal or power capacity issues, not to network I/O latency or fabric errors.

455
MCQ · easy

An engineer is configuring a UCS server profile for a database application that requires low latency. The server will use a Cisco UCS VIC 1340 adapter. Which vNIC placement policy should be selected to minimize latency?

A. Assigned
B. Any
C. Default
D. Round-Robin
Answer: A

Assigned placement pins the vNIC to a specific adapter port, reducing latency.

Why this answer

The Assigned vNIC placement policy binds each vNIC to a specific physical port on the Cisco UCS VIC 1340 adapter, ensuring deterministic traffic flow and predictable latency. For low-latency database applications, this eliminates the variability introduced by dynamic placement, allowing the engineer to align vNICs with the most direct PCIe path to the CPU or memory.

Exam trap

Cisco often tests the misconception that Round-Robin provides load balancing for low latency, but the trap here is that Round-Robin optimizes for bandwidth distribution, not latency minimization, and the Assigned policy is the only one that guarantees fixed path placement for deterministic performance.

How to eliminate wrong answers

Option B (Any) is wrong because it allows the system to dynamically assign vNICs to any available physical port, which can introduce latency variation and suboptimal traffic distribution. Option C (Default) is wrong because it typically applies a system-defined policy that may not guarantee the deterministic placement required for low-latency workloads. Option D (Round-Robin) is wrong because it distributes vNICs sequentially across ports without considering latency sensitivity, potentially causing mismatched traffic patterns and increased jitter.

456
MCQ · medium

Refer to the exhibit. A UCS B-Series blade shows a failed power supply. The blade is currently running. Which action should the engineer take to replace the power supply without causing service disruption?

A. Replace the power supply only after the blade is isolated from the fabric.
B. Replace the failed power supply in the chassis without affecting the blade.
C. Shut down the blade, replace the power supply, then power on.
D. Replace the failed power supply while the blade remains powered on.
Answer: D

The blade has redundant power supplies; hot-swap is supported.

Why this answer

Option D is correct because UCS B-Series blades use a shared chassis power infrastructure with N+1 redundancy. The failed power supply can be hot-swapped while the blade remains powered on, as the remaining power supplies in the chassis will continue to provide power without interruption. No blade isolation or shutdown is required, as the chassis power subsystem is designed for concurrent maintenance.

Exam trap

Cisco often tests the misconception that a blade must be shut down or isolated before replacing a chassis-level component, but the key is understanding that UCS chassis power supplies are hot-swappable and redundant, so no blade-level action is needed.

How to eliminate wrong answers

Option A is wrong because isolating the blade from the fabric (disconnecting its virtual interfaces) is unnecessary for power supply replacement; the blade's power is independent of fabric connectivity. Option B is wrong because, although it says the replacement does not affect the blade, it omits the essential point of the procedure: the blade stays powered on throughout the hot-swap, which option D states explicitly. Option C is wrong because shutting down the blade is not required; the chassis power redundancy allows hot-swap of the power supply without powering down any blade.

457
Multi-Select · easy

An engineer needs to collect streaming telemetry from a Nexus 9000 switch. Which two protocols can be used to transmit telemetry data to a collector? (Choose two.)

Select 2 answers
A. NETCONF
B. gNMI
C. HTTP
D. SNMP traps
E. gRPC
Answers: B, E

gNMI is designed for telemetry and management.

Why this answer

gNMI (gRPC Network Management Interface) and gRPC are both correct because they are the primary protocols used for streaming telemetry on Nexus 9000 switches. gNMI defines a standard model-driven telemetry subscription mechanism over gRPC, while gRPC provides the underlying high-performance transport for streaming telemetry data to collectors.

Exam trap

Cisco often tests the distinction between configuration protocols (NETCONF) and streaming telemetry protocols (gNMI/gRPC), and candidates mistakenly choose NETCONF because it supports YANG-push notifications, but the question specifically asks for 'streaming telemetry' which requires the persistent, high-frequency channel provided by gRPC/gNMI.

458
MCQ · medium

In a private VLAN configuration, a host in a community VLAN needs to communicate with a host in the primary VLAN. What configuration is required on the switch?

A. The host in community VLAN must be on an isolated port
B. The host in primary VLAN must be on a promiscuous port
C. The host in community VLAN must be on a promiscuous port
D. The host in primary VLAN must be on a community port
Answer: B

The primary VLAN host must be on a promiscuous port to allow communication from community VLAN.

Why this answer

In a private VLAN configuration, a host in a community VLAN can communicate with a host in the primary VLAN only if the host in the primary VLAN is on a promiscuous port. The promiscuous port can communicate with all other ports in the private VLAN, including community and isolated ports, enabling inter-VLAN traffic through a Layer 3 gateway or a server connected to that port.

Exam trap

Cisco often tests the misconception that a community VLAN host can directly communicate with a primary VLAN host without a promiscuous port, or that the primary VLAN host must be on a community port, confusing the roles of promiscuous and community ports in private VLANs.

How to eliminate wrong answers

Option A is wrong because an isolated port can only communicate with promiscuous ports, not with community ports, so placing the community VLAN host on an isolated port would break its ability to communicate with the primary VLAN host. Option C is wrong because a community port can only communicate with other community ports in the same community VLAN and with promiscuous ports, but placing the community VLAN host on a promiscuous port would incorrectly allow it to communicate with all ports, violating the community VLAN's intended isolation. Option D is wrong because a primary VLAN host on a community port would restrict it to communicating only with other community ports in the same community VLAN and promiscuous ports, but it would not be able to communicate with hosts in other community VLANs or isolated ports, which is not the required behavior for a primary VLAN host.

459
MCQ · hard

A data center engineer is troubleshooting high CPU utilization on a Cisco Nexus 9000 switch. The engineer suspects a distributed denial-of-service (DDoS) attack targeting the switch. To mitigate the attack, the engineer configures a Control Plane Policing (CoPP) policy that drops all ICMP packets destined to the switch. The policy is applied to the control-plane using the 'service-policy input COPP' command. After applying the policy, the switch CPU utilization remains high, and ICMP traffic is still reaching the switch. The engineer verifies that the CoPP policy is applied and that the class-map matches ICMP. The policy-map has the correct police and drop actions. No other CoPP policies are applied. What is the most likely cause of the issue?

A. The switch requires a reload for the CoPP policy to take effect.
B. The attack traffic is entering through the management interface, which is not affected by CoPP.
C. The CoPP policy must be applied to the management VRF as well.
D. The class-map uses 'match protocol icmp' but the traffic uses a different protocol.
Answer: B

Management interfaces have separate control plane contexts; CoPP policies do not apply unless specifically configured for the management VRF.

Why this answer

CoPP policies are applied to the control plane in the ingress direction. However, traffic arriving on management interfaces is not subject to CoPP policies unless explicitly configured. Since the attack traffic likely enters via the management interface, CoPP does not filter it.

The correct solution is to configure a separate policy for the management interface or use management-plane protection.

460
MCQ · hard

You manage a UCS domain with two fabric interconnects (FI-A and FI-B) in a cluster. The domain contains 8 blade servers. After a power failure, both FIs come back online, but the cluster experiences a split-brain situation where both FIs claim to be primary. The subordinate FI (FI-B) shows all blades as 'Discovery' state. You suspect configuration mismatch. You have console access to both FIs. Which recovery procedure should be performed to restore a stable cluster?

A. Reset both FIs to factory defaults and reconfigure from backup
B. Boot the FIs into the EFI shell and clear the flash
C. Perform a stateful switchover (SSO) on both FIs
D. On the subordinate FI (FI-B), enter the recovery mode and force a re-initialization, then reset the cluster
Answer: D

Standard UCS split-brain recovery procedure

Why this answer

Option D is correct because in a UCS split-brain scenario where the subordinate FI (FI-B) shows blades in 'Discovery' state due to a configuration mismatch, the proper recovery is to boot FI-B into recovery mode (using the 'recovery' boot option or pressing Ctrl+R at the appropriate prompt) and force a re-initialization, which resets its configuration to match the primary FI (FI-A). After re-initialization, resetting the cluster (via the 'cluster reset' command or equivalent) re-establishes the primary-subordinate relationship and synchronizes the configuration, restoring stable operation without affecting the primary FI's data or requiring a full factory reset.

Exam trap

Cisco often tests the misconception that a split-brain scenario requires a full factory reset or flash clearing, when in fact the targeted recovery of the subordinate FI via recovery mode and cluster reset is the correct, less destructive procedure.

How to eliminate wrong answers

Option A is wrong because resetting both FIs to factory defaults is overly destructive and unnecessary; it would lose all configuration on the primary FI (FI-A) and require a full backup restore, whereas the issue is isolated to the subordinate FI's configuration mismatch. Option B is wrong because booting into the EFI shell and clearing the flash is a low-level hardware recovery method typically used for unbootable FIs or firmware corruption, not for resolving a split-brain cluster state caused by configuration mismatch; it would erase all firmware and configuration, requiring a complete reimage. Option C is wrong because performing a stateful switchover (SSO) on both FIs is designed for planned maintenance or failover in a stable cluster, not for recovery from a split-brain scenario; SSO assumes both FIs are synchronized and operational, which they are not in this case.

461
MCQ · medium

A Fibre Channel switch port is experiencing a high number of CRC errors. Which action should be taken to resolve this issue?

A. Replace the fiber optic cable between the switch and the storage device.
B. Reduce the port speed to 2 Gbps.
C. Reconfigure the zone to include only the affected device.
D. Increase the buffer credits on the port.
Answer: A

CRC errors typically indicate physical layer problems like bad cables.

Why this answer

CRC errors often indicate physical layer issues such as faulty cables or SFPs. Replacing the cable is the first step in troubleshooting. Option B is wrong because reducing speed may mask the issue. Option C is wrong because zoning changes do not affect CRC errors. Option D is wrong because increasing the buffer credits does not fix CRC errors.

462
MCQ · hard

A Nexus switch configured with 'feature nxapi' and 'nxapi https port 443' fails to respond to REST API calls from a monitoring system. The engineer can ping the management IP. Which troubleshooting step should be taken first?

A. Check if the monitoring system is using the correct HTTP method
B. Review the switch's ACL for the management VRF
C. Verify that the NX-API process is running with 'show nxapi'
D. Confirm that the SSL certificate is trusted
Answer: C

Quick check of API status.

Why this answer

Option C is correct because the first step when NX-API is configured but not responding is to verify that the NX-API process is actually running. The 'feature nxapi' command enables the feature, but the NX-API service may not have started due to a configuration error, resource issue, or process crash. The 'show nxapi' command displays the operational status of the NX-API service, including whether it is listening on the configured port (443 in this case).

Since the engineer can ping the management IP, basic network connectivity exists, so the issue is likely at the application layer.

Exam trap

Cisco often tests the distinction between enabling a feature with a command and the actual process running; candidates assume that 'feature nxapi' guarantees the service is operational, but the trap is that the process may not start automatically, and 'show nxapi' is the correct verification step.

How to eliminate wrong answers

Option A is wrong because the HTTP method (GET, POST, etc.) is a client-side concern; if the NX-API service is not running, no HTTP method will work, so checking the method is premature. Option B is wrong because ACLs for the management VRF would block pings as well, but the engineer can ping the management IP, indicating that Layer 3 connectivity is intact and no ACL is blocking traffic at that level. Option D is wrong because SSL certificate trust is only relevant after the HTTPS connection is established; if the NX-API process is not running, the server never presents a certificate, so trust is not the issue.

463
MCQ · medium

Refer to the exhibit. A host with WWPN 10:00:00:00:c9:29:3b:23 can only see its own WWPN but not the target. What is the likely cause?

A. The host is in a different VSAN.
B. The target is missing from the zone.
C. The zoneset is not the full zoneset.
D. The host's FLOGI is rejected.
E. The zone is not activated.
Answer: B

Zone_C has no target member, so the host cannot access any storage.

Why this answer

Option B is correct. Zone_C contains only the initiator (10:00:00:00:c9:29:3b:23) and no target members, so the host cannot communicate with any storage. Option A is incorrect; all devices are in VSAN 1 per the command.

Options C and E are incorrect; the zoneset is active and named ZS_1, and the zone is listed in the active zoneset. Option D is incorrect; there is no indication of FLOGI failure.

464
Multi-Select · hard

Which THREE of the following must be enabled to implement 802.1X authentication with MAB fallback on a Cisco Nexus switch for a mixed environment of 802.1X-capable and non-802.1X endpoints? (Choose three.)

Select 3 answers
A. MACsec encryption on the port
B. AAA authentication with a RADIUS server
C. A RADIUS server configured with the MAC addresses of non-802.1X devices
D. A VLAN ACL to redirect traffic
E. 802.1X globally enabled on the switch
Answers: B, C, E

AAA is required to authenticate users and devices.

Why this answer

Option B is correct because 802.1X authentication requires AAA to communicate with a RADIUS server. The RADIUS server validates the credentials (EAP over RADIUS) and returns an Accept or Reject, which the switch uses to authorize the port. Without AAA and a RADIUS server, the switch has no external authentication authority to process 802.1X requests or MAB fallback.

Exam trap

Cisco often tests the misconception that MACsec or VLAN ACLs are prerequisites for 802.1X with MAB, when in fact they are optional features that can be layered on top of the authentication process.

465
Multi-Select · medium

A network automation engineer is writing an Ansible playbook to configure Nexus switches. Which three modules are available to manage NX-OS configuration? (Choose three.)

Select 3 answers
A. eos_config
B. nxos_config
C. nxos_interface
D. nxos_vlan
E. ios_config
Answers: B, C, D

Manages NX-OS configuration.

Why this answer

The `nxos_config` module is the primary Ansible module for managing NX-OS device configurations, allowing you to apply, replace, or merge configuration snippets directly onto Nexus switches. It is part of the `cisco.nxos` collection and is specifically designed for NX-OS, unlike `ios_config` which targets Cisco IOS/IOS-XE devices.

Exam trap

Cisco often tests the distinction between platform-specific Ansible modules (e.g., `nxos_*` vs `ios_*` vs `eos_*`), and the trap here is that candidates may confuse `ios_config` as being compatible with NX-OS due to a superficial similarity in CLI syntax, ignoring the underlying platform-specific module requirements.

466
MCQ · medium

A UCS B-Series blade server (blade 5) has been running a database application for months. Recently, the storage team upgraded the SAN firmware. Since then, the blade experiences intermittent 'SCSI command timeout' errors in the system logs. The application performance degrades periodically. You check the UCS Manager performance data and see that the vHBA statistics show a high number of 'Link Reset' events. The storage array logs show no errors. The fibre channel cables are new. Which step should you take to resolve the issue?

A. Delete and recreate the vHBA in the service profile
B. Replace the fibre channel cables between the IOM and storage
C. Update the HBA firmware on the blade to match the SAN compatibility matrix
D. Rezone the SAN fabric to use a different target port
Answer: C

Firmware mismatch after SAN upgrade is a common cause

Why this answer

Option C is correct because the SAN firmware upgrade likely introduced a change in the Fibre Channel protocol behavior (e.g., link initialization or error recovery) that is incompatible with the current HBA firmware on the blade. The high 'Link Reset' events indicate that the vHBA is repeatedly reinitializing the link, which directly causes SCSI command timeouts. Updating the HBA firmware to match the SAN compatibility matrix ensures the HBA can properly negotiate and interoperate with the upgraded SAN fabric, resolving the intermittent timeouts.

Exam trap

The trap here is that candidates assume physical cabling or zoning is the cause of link resets, but Cisco often tests the concept that firmware mismatches after a SAN upgrade can cause intermittent FC link issues without any physical layer faults.

How to eliminate wrong answers

Option A is wrong because deleting and recreating the vHBA would not address the underlying firmware incompatibility; it would only reset the vHBA configuration, which would likely result in the same link reset behavior. Option B is wrong because the fibre channel cables are new and the storage array logs show no errors, indicating the physical layer is not the issue. Option D is wrong because rezoning the SAN fabric to use a different target port would not fix the HBA-to-switch link reset problem; the issue is at the HBA level, not the zoning or target port selection.

467
MCQ · hard

An Ansible playbook using the cisco.nxos.nxos_config module fails with the error: 'Unsupported parameters for (cisco.nxos.nxos_config) module: connection type setting'. What is the most likely cause?

A. The SSH key authentication is misconfigured.
B. The playbook includes an invalid parameter 'connection: network_cli' inside the task block.
C. The module is not installed correctly.
D. The playbook is targeting a device running an unsupported NX-OS version.
Answer: B

The 'connection' parameter is a play-level attribute, not a task parameter for nxos_config.

Why this answer

The error 'Unsupported parameters for (cisco.nxos.nxos_config) module: connection type setting' occurs because the `connection: network_cli` parameter is being passed inside the task block of the playbook. The `cisco.nxos.nxos_config` module does not accept a `connection` parameter at the task level; connection settings must be defined at the play or inventory level. This is a common syntax error when using Ansible network modules.

Exam trap

Cisco often tests the distinction between play-level and task-level parameters, specifically that `connection` is not a valid parameter for network modules at the task level, leading candidates to incorrectly attribute the error to module installation or device compatibility.

How to eliminate wrong answers

Option A is wrong because SSH key authentication misconfiguration would typically cause an authentication or permission denied error, not an 'unsupported parameters' error related to connection type. Option B is the correct answer; the error is caused by an invalid parameter inside the task block. Option C is wrong because if the module were not installed correctly, the error would be 'module not found' or 'could not locate module', not an unsupported parameters error.

Option D is wrong because an unsupported NX-OS version would result in a module execution failure or a device-specific error, not a parameter validation error from the Ansible controller.

468
MCQ · medium

A data center engineer notices that a UCS B-Series blade server is failing to boot from a SAN LUN that is correctly mapped to the server's WWPN. The SAN switch shows that the LUN is accessible and the zone is configured correctly. The UCS Manager shows the server's vNIC is associated with a vHBA that has the correct WWPN, but the server's BIOS does not list the Fibre Channel boot target. Which configuration is most likely missing?

A. The SAN connectivity policy is missing the Fibre Channel uplink pinning.
B. The vNIC/vHBA placement policy is incorrectly set to 'Express' mode.
C. A QoS policy is not applied to the vHBA.
D. The boot policy is not defined or not attached to the service profile.
Answer: D

UCS B-Series requires a boot policy to specify the boot order and target LUN.

Why this answer

The boot policy defines the boot order and parameters (such as the SAN LUN target WWPN and LUN ID) for the server. If the boot policy is not defined or not attached to the service profile, the UCS Manager will not program the BIOS with the Fibre Channel boot target information, even though the SAN zoning and vHBA WWPN are correct. Without this policy, the server's BIOS has no instruction to attempt a SAN boot, resulting in the failure described.

Exam trap

Cisco often tests the distinction between SAN connectivity (zoning, WWPN) and the boot policy configuration, trapping candidates who assume that correct zoning and vHBA setup alone are sufficient for SAN boot.

How to eliminate wrong answers

Option A is wrong because the SAN connectivity policy with Fibre Channel uplink pinning controls how uplinks are mapped to fabric interconnects for load balancing or failover, not the boot target configuration. Option B is wrong because the vNIC/vHBA placement policy set to 'Express' mode affects how virtual interfaces are placed on the mezzanine cards or adapters, but does not prevent the BIOS from seeing a Fibre Channel boot target. Option C is wrong because a QoS policy applied to a vHBA manages traffic prioritization and bandwidth limits, not the presence or absence of a boot LUN in the BIOS boot list.

469
MCQ · hard

Refer to the exhibit. An engineer is using an Ansible playbook to configure a Nexus switch. The playbook task uses the nxos_config module to set an MTU value on an interface. What is the most likely issue?

A. Add the 'provider' parameter with connection details.
B. Correct the spelling of the MTU parameter to 'mtu_size'.
C. Use the nxos_mtu module instead of nxos_config to configure MTU.
D. Verify that the switch supports MTU configuration via Ansible.
Answer: C

The nxos_config module does not support MTU; the nxos_mtu module is designed for this purpose.

Why this answer

The nxos_config module is designed for general NX-OS configuration commands but does not support the 'mtu' parameter directly. The correct approach is to use the dedicated nxos_mtu module for setting MTU. Option B is incorrect because the parameter is correctly spelled; the module simply does not support it.

Option D is incorrect because the switch does support MTU configuration via the appropriate module. Option A is incorrect because the provider parameter is not needed in modern Ansible versions.

470
MCQ · medium

Refer to the exhibit. An automation script is used to configure a new VLAN 40 on Eth1/2 trunk. The script sends the following NX-API command: 'switchport trunk allowed vlan add 40'. After execution, the engineer runs 'show running-config interface eth1/2' and sees that the trunk allowed VLAN list shows '10,20,30,40'. However, the automation script logs indicate success for adding VLAN 40, but the running config does not show the change. What is the most likely issue?

A. The command syntax is incorrect; 'add' is not a valid keyword.
B. The engineer is viewing a different switch or the configuration was reverted by another process.
C. The script actually removed the existing VLANs and replaced them with only VLAN 40.
D. The NX-API command was sent to the wrong interface.
Answer: B

The running config shows the change, so the issue is likely that the engineer is looking at the wrong device or the config was changed after.

Why this answer

Option B is correct because the running config shows VLANs 10,20,30,40, indicating that VLAN 40 was successfully added. The script logs confirm success, so the command syntax and interface target are correct. The discrepancy between the logs and the running config is most likely due to the engineer viewing a different switch (e.g., a management console pointing to a different device) or the configuration being reverted by another process (e.g., a configuration rollback or a competing automation script).

Exam trap

Cisco often tests the candidate's ability to distinguish between a command that fails silently versus a command that succeeds but the result is not visible due to environmental factors (e.g., wrong device, configuration rollback), rather than a syntax or interface error.

How to eliminate wrong answers

Option A is wrong because 'switchport trunk allowed vlan add 40' is valid NX-OS syntax; the 'add' keyword is used to append VLANs to the existing allowed list. Option C is wrong because if the script had replaced the list with only VLAN 40, the running config would show '40' alone, not '10,20,30,40'. Option D is wrong because the running config shows the change on Eth1/2, confirming the command was sent to the correct interface.

471
MCQ · hard

An organization is deploying a new ACI fabric. The design requires that traffic between EPGs in the same bridge domain be allowed by default, but traffic between EPGs in different bridge domains must be denied unless explicitly permitted. Which contract scope configuration meets this requirement?

A. Context (default)
B. Application-profile
C. Global
D. VRF
Answer: D

VRF scope allows contracts to apply across bridge domains within the same VRF; without a contract, traffic is denied, and with a contract, permitted.

Why this answer

The VRF (private L3 context) is the correct scope because contract scope determines the boundary within which a contract is effective. By setting the contract scope to VRF, the contract applies only to EPGs within the same VRF. Since EPGs in different bridge domains are typically in the same VRF, you must explicitly configure contracts to permit inter-EPG traffic; otherwise, it is denied by default.

This matches the requirement that traffic between EPGs in the same bridge domain is allowed by default (via the default intra-EPG and intra-bridge domain forwarding), while traffic between EPGs in different bridge domains requires an explicit contract.

Exam trap

Cisco often tests the misconception that 'context' is a separate scope option, when in fact the default contract scope is VRF (context), and the exam expects you to know that VRF is the correct term for the private L3 network boundary that enforces the deny-by-default inter-EPG behavior.

How to eliminate wrong answers

Option A (Context/default) is wrong because the default contract scope is actually 'context' (VRF), not a separate scope; the term 'Context' is ambiguous and not a distinct contract scope in ACI; the default behavior is VRF-level scoping, which already denies inter-EPG traffic without a contract. Option B (Application-profile) is wrong because contract scope at the application-profile level would restrict the contract to EPGs within the same application profile, but this does not address the requirement for bridge-domain-level isolation; it is too narrow and would not allow default intra-bridge domain traffic across different application profiles. Option C (Global) is wrong because a global contract scope makes the contract apply across all VRFs, which would permit traffic between EPGs in different VRFs (and thus different bridge domains) without explicit permission, violating the requirement that such traffic must be denied by default.

472
MCQ · medium

A storage engineer is planning to migrate from an existing 2 Gbps Fibre Channel fabric to a new 16 Gbps fabric while maintaining connectivity during the cutover. The legacy and new switches are connected via ISL and use the same VSAN. What is a best practice to ensure a seamless migration?

A. Assign the new switches to a separate VSAN to prevent mixing
B. Set the ISL port speed to 2 Gbps on both sides until the migration is complete
C. Use a dedicated ISL for the migration and move zones gradually
D. Disable zoning on both fabrics and re-apply after migration
Answer: B

Ensures compatibility and stable fabric merge.

Why this answer

Option B is correct because setting the ISL port speed to 2 Gbps on both sides ensures that the new 16 Gbps switch negotiates down to the legacy fabric's speed, preventing buffer-to-buffer credit mismatches and frame corruption during the cutover. This allows both fabrics to operate at a common speed, maintaining stable connectivity until all devices are migrated and the ISL speed can be safely increased.

Exam trap

Cisco often tests the misconception that simply connecting a higher-speed switch to a lower-speed fabric via ISL will auto-negotiate correctly, but the trap here is that without manually setting the speed, the link may fail to establish or cause instability due to incompatible buffer-to-buffer credit management.

How to eliminate wrong answers

Option A is wrong because assigning the new switches to a separate VSAN would isolate them from the legacy fabric, preventing any communication or gradual migration of devices across the ISL. Option C is wrong because using a dedicated ISL does not address the fundamental speed mismatch; without speed negotiation, the 16 Gbps port may not properly interoperate with the 2 Gbps port, leading to link instability or failure. Option D is wrong because disabling zoning on both fabrics would expose all devices to each other, creating a security risk and potential data corruption; zoning should remain active and be migrated incrementally.

473
MCQ · hard

During an FCoE deployment, the server team reports that hosts can reach the storage array but performance is intermittent with periodic timeouts. The network team sees no errors on the FCoE VLAN. The DCB configuration on the upstream switch shows that PFC is enabled for CoS 3. What should the engineer check next?

A. Verify that jumbo frames are enabled on the storage array
B. Confirm that the VSAN is appropriately sized for the number of hosts
C. Ensure that the FCoE VLAN is enabled for FCoE on the server's vNIC
D. Check if the PFC configuration matches on both ends and that PFC is enabled on the FCoE VLAN interfaces
Answer: D

PFC must be consistent across all hops.

Why this answer

D is correct because PFC (Priority Flow Control) must be consistently configured on both ends of an FCoE link to prevent frame loss. If PFC is enabled for CoS 3 on the upstream switch but not on the server's vNIC or the FCoE VLAN interfaces, the lack of lossless behavior causes intermittent timeouts and performance degradation, even if the FCoE VLAN shows no errors.

Exam trap

Cisco often tests the misconception that FCoE performance issues are due to VLAN or VSAN misconfiguration, when the real culprit is mismatched PFC settings between endpoints.

How to eliminate wrong answers

Option A is wrong because jumbo frames are not required for FCoE; FCoE typically uses 2500-byte frames, but the issue is about lossless delivery, not MTU size. Option B is wrong because VSAN sizing relates to zoning and fabric management, not to PFC or link-level flow control; the problem is at Layer 2, not VSAN capacity. Option C is wrong because the FCoE VLAN must be enabled on the switch port, not the server's vNIC; the server team already reports reachability, indicating the VLAN is active, so this is a misdirection about where the configuration is applied.

474
MCQ · medium

Refer to the exhibit. An engineer configured NX-API on a Nexus 9000 switch. The REST API client receives 'SSL_ERROR_BAD_CERT_DOMAIN'. What is the most likely cause?

A. HTTP is enabled which conflicts with HTTPS
B. The key file is missing
C. The certificate file is corrupted
D. The certificate does not match the switch's hostname
Answer: D

SSL_ERROR_BAD_CERT_DOMAIN specifically indicates domain mismatch.

Why this answer

The SSL_ERROR_BAD_CERT_DOMAIN error indicates that the certificate presented by the Nexus 9000 switch does not match the hostname used in the REST API client's request. When NX-API uses HTTPS, the client validates the server's certificate against the requested domain; a mismatch triggers this error. This is a common TLS/SSL certificate validation issue, not a problem with HTTP conflicts, missing keys, or corrupted files.

Exam trap

Cisco often tests the distinction between certificate validation errors (domain mismatch, expiry, untrusted CA) and other TLS/SSL failures (missing key, corrupted file), expecting candidates to recognize that 'SSL_ERROR_BAD_CERT_DOMAIN' specifically points to a hostname mismatch rather than a general certificate problem.

How to eliminate wrong answers

Option A is wrong because enabling HTTP alongside HTTPS does not cause SSL certificate domain validation errors; the error is specific to TLS handshake and certificate trust, not protocol conflicts. Option B is wrong because a missing key file would prevent the switch from establishing any HTTPS connection (e.g., 'no key' or 'unable to load private key' errors), not a domain mismatch error. Option C is wrong because a corrupted certificate file would typically cause a 'bad certificate' or 'certificate verify failed' error during the TLS handshake, not a domain mismatch error which is a hostname validation failure.

475
MCQ · hard

Refer to the exhibit. An engineer notices intermittent packet loss on interface Ethernet 1/1 of the Fabric Interconnect. Based on the transceiver statistics shown, which condition is the most likely cause?

A. The receive power is below the low warning threshold.
B. The supply voltage is out of range.
C. The transmit power is too low.
D. The transceiver temperature is too high.
Answer: A

-16.2 dBm is below Low Warning of -15.0 dBm, indicating potential cable or connector issue.

Why this answer

The exhibit shows that the receive power is -16.3 dBm, which is below the low warning threshold of -13.3 dBm. This indicates the incoming optical signal is too weak, causing intermittent packet loss due to bit errors or link flaps. The transceiver statistics confirm that the receive power is the only parameter breaching its threshold, making it the most likely cause.

Exam trap

Cisco often tests the distinction between warning and alarm thresholds, and candidates mistakenly assume any parameter outside a threshold causes the issue, but here only the receive power is below its warning threshold, while the other values are within normal ranges.

How to eliminate wrong answers

Option B is wrong because the supply voltage is 3.29 V, which is within the normal operating range (typically 3.1 V to 3.5 V for SFP+ optics), so it is not out of range. Option C is wrong because the transmit power is -2.4 dBm, which is above the low warning threshold of -5.3 dBm, indicating the transmitter is functioning correctly. Option D is wrong because the transceiver temperature is 42.5°C, which is well below the high warning threshold of 75°C, so overheating is not an issue.

476
Drag & Drop · medium

Order the steps for troubleshooting a Fibre Channel link that is not coming up.


Why this order

Troubleshooting FC link starts with physical, then interface, VSAN/zoning, FLOGI, and logs.

477
MCQ · medium

Refer to the exhibit. A network engineer notices that traffic for VNI 10000 is not being encapsulated. What is the most likely reason?

A. BGP EVPN is not configured.
B. VNI 10000 is not configured under the nve interface.
C. The VRF association is incorrect.
D. The source-interface is not reachable.
Answer: B

The show output clearly does not include member vni 10000.

Why this answer

VNI 10000 must be explicitly mapped to an NVE interface under the 'interface nve1' configuration using the 'member vni 10000' command. Without this mapping, the NVE interface does not know which VNI to encapsulate traffic for, even if the VNI exists in the network. Option B correctly identifies this missing configuration as the most likely cause.

Exam trap

Cisco often tests the distinction between control-plane (BGP EVPN) and data-plane (NVE interface) configurations, trapping candidates who assume that a VNI configured in the VRF or advertised via EVPN automatically enables encapsulation on the NVE interface.

How to eliminate wrong answers

Option A is wrong because BGP EVPN is the control plane protocol used to advertise VNI reachability, but traffic encapsulation itself is a data-plane function performed by the NVE interface; the absence of BGP EVPN would prevent route distribution but not directly block encapsulation if the VNI is already configured under NVE. Option C is wrong because VRF association is a Layer 3 construct that maps a VRF to a VNI for routing, but encapsulation failure for VNI 10000 specifically points to the NVE interface configuration, not the VRF mapping. Option D is wrong because if the source-interface were unreachable, no VNI traffic would be encapsulated at all, not just VNI 10000; the issue is isolated to a single VNI, indicating a configuration omission rather than a reachability problem.

478
MCQ · hard

A large financial institution has a Cisco ACI fabric with multiple tenants. The security team requires that all management access to the APIC controllers be authenticated via multi-factor authentication (MFA) using a RADIUS server. The RADIUS server is configured to send a One-Time Password (OTP) challenge during authentication. The current configuration uses local authentication. The engineer needs to implement RADIUS authentication with MFA for APIC GUI and CLI access. The RADIUS server is reachable at 10.10.10.10, shared secret 'SecureSecret123'. The APIC is running software version 4.2(3). The engineer must ensure that local authentication is used as fallback if the RADIUS server is unreachable. Which of the following actions should the engineer take?

A. Configure TACACS+ as the authentication protocol and set the server IP and secret.
B. Enable local authentication only and require strong passwords.
C. Add a RADIUS provider with IP 10.10.10.10 and secret 'SecureSecret123', create a login domain with realm 'radius', set fallback to 'local', and assign the domain to users.
D. Configure LDAP authentication with the RADIUS server acting as an LDAP proxy.
Answer: C

Correct: RADIUS with PAP is used for MFA and fallback to local.

Why this answer

Option C is correct because it follows the required steps to configure RADIUS authentication with MFA on Cisco APIC: adding a RADIUS provider with the correct IP and shared secret, creating a login domain with realm 'radius', setting fallback to 'local', and assigning the domain to users. This ensures that the APIC sends authentication requests to the RADIUS server, which can issue an OTP challenge for MFA, and falls back to local authentication if the RADIUS server is unreachable.

Exam trap

Cisco often tests the requirement to create a login domain and assign it to users, as many candidates mistakenly think simply adding a RADIUS provider is sufficient without configuring the domain and fallback.

How to eliminate wrong answers

Option A is wrong because TACACS+ is not supported for APIC authentication; APIC only supports RADIUS, LDAP, and local authentication for management access. Option B is wrong because enabling only local authentication with strong passwords does not implement MFA via RADIUS, which is a specific requirement. Option D is wrong because LDAP authentication cannot use a RADIUS server as an LDAP proxy; LDAP and RADIUS are separate protocols with different purposes and configurations.

479
MCQ · easy

A storage administrator wants to ensure that only designated initiators can access a specific target in a Fibre Channel SAN. Which mechanism enforces this policy?

A. IVR
B. Port channel
C. Zoning
D. VSAN
E. Credit recovery
Answer: C

Zoning defines which initiators can talk to which targets.

Why this answer

Zoning is the correct mechanism because it restricts Fibre Channel (FC) communication to only those initiators and targets that are members of the same zone. By defining a zone that includes only the designated initiator WWPNs and the target WWPN, the switch enforces access control at the fabric level, preventing any unauthorized device from discovering or communicating with the target.

Exam trap

Cisco often tests the distinction between VSAN (which isolates traffic at the fabric level) and zoning (which controls device-level access within a VSAN), leading candidates to incorrectly select VSAN when the question specifically asks about restricting access to a target.

How to eliminate wrong answers

Option A (IVR) is wrong because Inter-VSAN Routing (IVR) enables selective communication between devices in different VSANs, not access control within a single VSAN or target. Option B (Port channel) is wrong because it aggregates multiple physical links into a single logical link for bandwidth and redundancy, not for enforcing initiator-to-target access policies. Option D (VSAN) is wrong because a VSAN creates an isolated virtual fabric, but within a VSAN all devices can communicate unless further restricted by zoning; VSAN alone does not enforce per-initiator access to a specific target.

Option E (Credit recovery) is wrong because it is a buffer-to-buffer credit recovery mechanism (BB_CR) used to recover lost credits in FC links, unrelated to access control.

480
MCQ · medium

A data center uses NPV to connect edge switches to a core Fibre Channel switch. The edge switches report that some servers cannot log in. What is a likely cause?

A. Overlapping VSAN IDs between edge and core
B. F port binding on the edge switch
C. Trunking mode not enabled on the core switch
D. NPIV not enabled on the core switch
Answer: D

Correct: NPIV must be enabled on core switches to support NPV.

Why this answer

Option D is correct because NPV requires the NPIV feature on the core switch to allow multiple FLOGIs from an NPV switch. Option A is incorrect because overlapping VSANs are fine. Option C is incorrect because trunking is independent of NPV.

Option B is incorrect because F port binding is not required for NPV.

481
MCQ · medium

A Cisco MDS 9000 switch is used in a storage network. The security policy requires that a junior administrator named 'user1' can view zone configurations but cannot make any changes. Currently, 'user1' is assigned the default 'network-operator' role, which allows read-only access to most configuration, but the engineer wants to ensure that zone modification is explicitly denied. The engineer creates a custom role named 'zone-viewer' and assigns it to 'user1'. The role should permit viewing of the running configuration related to zones but deny any command that modifies zone or zoneset configurations. Which configuration best achieves this objective?

A. role name zone-viewer feature zone; permit command configure terminal ; zone name etc.
B. role name zone-viewer permit command show zone*; permit command show zoneset*
C. role name zone-viewer rule 1 permit read-write; feature zone
D. role name zone-viewer permit command zone; permit command zoneset; permit command zone-create
Answer: B

Permits show commands for zone and zoneset, denying configuration commands by default.

Why this answer

Option B is correct because it uses the 'permit command' statements with wildcard patterns ('show zone*' and 'show zoneset*') to explicitly allow only show commands related to zones and zonesets. By not including any 'permit' or 'deny' statements for configuration commands (like 'configure terminal', 'zone', or 'zoneset'), the role implicitly denies all other commands, including those that modify zone or zoneset configurations. This matches the requirement to allow viewing but deny modifications.

Exam trap

Cisco often tests the implicit deny behavior of RBAC, where candidates mistakenly think they must explicitly deny modification commands, when in fact only permitting the desired show commands is sufficient to block all other commands.

How to eliminate wrong answers

Option A is wrong because it includes 'permit command configure terminal' and 'zone name etc.' which would allow the user to enter configuration mode and potentially modify zone configurations, violating the security policy. Option C is wrong because 'rule 1 permit read-write' grants full read-write access to the zone feature, allowing modifications, and does not restrict to read-only. Option D is wrong because it permits 'zone', 'zoneset', and 'zone-create' commands, which are used to create and modify zones and zonesets, directly contradicting the requirement to deny modifications.

482
MCQ · easy

A data center switch is configured with 802.1X port-based authentication for edge ports. Users report authentication failures. The engineer wants to verify the authentication status of a specific interface. Which command should be used?

A. show aaa authentication
B. show dot1x
C. show authentication interface ethernet 1/1
D. show port-security interface ethernet 1/1
Answer: C

Displays 802.1X and MAC authentication status.

Why this answer

Option C is correct because the 'show authentication interface ethernet 1/1' command displays the 802.1X authentication status, including the state machine, authorized status, and method list for a specific interface. This command is part of the Identity-Based Networking Services (IBNS) framework and provides a comprehensive view of all authentication methods (802.1X, MAB, WebAuth) configured on the port, which is essential for troubleshooting authentication failures on edge ports.

Exam trap

Cisco often tests the distinction between the legacy 'show dot1x' command and the modern unified 'show authentication interface' command, trapping candidates who memorize the older command without realizing that newer IOS versions (e.g., IOS-XE 16.x+) consolidate all authentication status under the 'show authentication' hierarchy.

How to eliminate wrong answers

Option A is wrong because 'show aaa authentication' displays the global AAA authentication method lists and their order, not the per-interface authentication status or 802.1X state. Option B is wrong because 'show dot1x' without an interface keyword shows global 802.1X parameters, not the detailed per-interface status; even 'show dot1x interface ethernet 1/1' is deprecated in favor of the unified 'show authentication interface' command in newer IOS versions. Option D is wrong because 'show port-security interface ethernet 1/1' shows port security violation counts and secure MAC addresses, which is unrelated to 802.1X authentication state machines or EAPOL exchanges.

483
MCQ · hard

A large enterprise runs a multi-site Cisco ACI fabric with APICs in a cluster. The automation team uses Python scripts with the Cobra SDK to create and manage tenant policies. Recently, after upgrading the APIC firmware from version 4.2(3) to 5.2(1), a script that previously worked now fails with an 'Unauthorized' error when calling the APIC REST API. The script uses a service account with a locally stored password. The automation engineer verifies that the account credentials are correct and that the account is not locked. The script was not modified during the upgrade. Which action should the engineer take to resolve the issue?

A. Change the authentication method in the script from password-based to certificate-based authentication.
B. Upgrade the Python requests library to version 2.25.0 or later that supports TLS 1.3.
C. Regenerate the API key for the service account and update the script with the new key.
D. Disable TLS 1.3 on the APIC by setting the 'ssl-protocols' parameter to TLSv1.2 only.
Answer: B

Upgrading the library ensures TLS 1.3 compatibility, preserving security.

Why this answer

Option B is correct because APIC firmware 5.2(1) enforces TLS 1.3 by default, and older Python requests libraries (pre-2.25.0) do not support TLS 1.3, causing the handshake to fail with an 'Unauthorized' error despite valid credentials. Upgrading the requests library to version 2.25.0 or later adds TLS 1.3 support, allowing the script to authenticate successfully.

Exam trap

The trap here is that candidates assume the 'Unauthorized' error is due to invalid credentials or authentication method, when in fact it is caused by a TLS protocol version mismatch between the client library and the upgraded APIC.

How to eliminate wrong answers

Option A is wrong because changing from password-based to certificate-based authentication is unnecessary; the credentials are valid and the issue is a TLS version mismatch, not an authentication method problem. Option C is wrong because the service account uses a password, not an API key, and regenerating a non-existent key would not resolve the TLS 1.3 handshake failure. Option D is wrong because disabling TLS 1.3 on the APIC is a workaround that reduces security and is not the recommended fix; the proper solution is to update the client library to support the newer protocol.

484
MCQ · medium

An engineer is configuring Cisco ACI to secure inter-tenant traffic. Tenants 'TenantA' and 'TenantB' need to communicate via a shared service, such as a DNS server in TenantA. How should the contract be configured?

A. Create a contract in TenantA and apply it to the VRF shared between tenants.
B. Create a contract in TenantA. Set the DNS EPG as provider. In TenantB, create a consumer EPG and provide the contract from TenantA.
C. Create a contract in TenantB. Set the DNS EPG as consumer. In TenantA, create a provider EPG and provide the contract from TenantB.
D. Create a contract in TenantA. Set both DNS EPG and TenantB EPG as providers.
Answer: B

Standard shared service design: provider's tenant contains the contract.

Why this answer

In Cisco ACI, inter-tenant communication via a shared service requires the contract to be created in the tenant that owns the shared service (provider). The provider EPG (DNS server in TenantA) is set as the provider, and the consumer EPG (in TenantB) consumes the contract from TenantA. This allows TenantB to access the DNS service without exposing its own EPGs, maintaining security isolation while enabling necessary traffic.

Exam trap

Cisco often tests the misconception that the contract must be created in the consumer's tenant or applied to the VRF, but the correct approach is to create the contract in the provider's tenant and explicitly define the provider EPG.

How to eliminate wrong answers

Option A is wrong because applying a contract to the VRF shared between tenants does not define the provider/consumer relationship; contracts must be applied to EPGs, not VRFs, and the provider EPG must be explicitly set. Option C is wrong because the contract should be created in the tenant that owns the shared service (TenantA), not TenantB, and the DNS EPG should be the provider, not the consumer. Option D is wrong because setting both EPGs as providers would create a symmetric relationship, which is incorrect for a shared service scenario where one EPG provides and the other consumes; this would also break the intended unidirectional traffic flow.

485
MCQ · easy

A financial services company operates a Cisco UCS 6454 Fabric Interconnect cluster with two fabric interconnects, FI-A and FI-B, connected to multiple UCS B-Series blades. The environment uses UCS Manager 4.2(1a). Recently, the company migrated to a new storage array connected via Fibre Channel. The storage team configured 8 virtual SANs (VSANs) and created a new VSAN 400 for a critical application. After the migration, the application server running on a UCS blade cannot discover the storage LUNs. The server's vHBA is configured correctly with the proper WWPN, and the zone set is active on the SAN switches. The engineer checks the UCS Manager and sees that the vHBA is down. Which action should the engineer take to resolve the issue?

A. Upgrade UCS Manager to the latest version to fix a known bug.
B. Verify that the uplink Fibre Channel ports on the fabric interconnects are configured to allow VSAN 400.
C. Reboot the server blade to force re-discovery of the storage.
D. Recreate the vHBA in the service profile with a different WWPN.
Answer: B

The FC uplink ports must be members of the VSAN for traffic to pass.

Why this answer

Option B is correct because the vHBA being down indicates no Fibre Channel connectivity. The most likely cause is that the FC uplink ports on the fabric interconnects are not configured to allow VSAN 400. Option C is not appropriate because rebooting the server does not address the underlying connectivity issue.

Option D is unnecessary and would require re-zoning. Option A is an escalation step not justified without evidence of a bug.

486
MCQ · easy

A network engineer is configuring device access control for Cisco NX-OS switches. The requirement is to use a protocol that separates authentication, authorization, and accounting, and encrypts all communication except the header. Which solution meets this requirement?

A. RADIUS
B. LDAP
C. SSH
D. TACACS+
Answer: D

TACACS+ encrypts entire packet except header and separates AAA functions.

Why this answer

TACACS+ is the correct choice because it separates authentication, authorization, and accounting (AAA) into distinct processes, and it encrypts the entire packet body, leaving only the standard TACACS+ header unencrypted. This meets the requirement for a protocol that provides granular AAA control with encrypted communication, unlike RADIUS which does not encrypt the full payload.

Exam trap

Cisco often tests the misconception that RADIUS encrypts all communication because it uses a shared secret, but in reality RADIUS only encrypts the password field, not the entire payload, making TACACS+ the correct choice for full-packet encryption beyond the header.

How to eliminate wrong answers

Option A (RADIUS) is wrong because it combines authentication and authorization into a single process, does not separate them, and only encrypts the password field in the Access-Request packet, leaving other attributes like username and accounting data in cleartext. Option B (LDAP) is wrong because it is a directory access protocol used for querying and modifying directory services, not a AAA protocol; it does not natively separate authentication, authorization, and accounting, nor does it encrypt all communication beyond the header by default. Option C (SSH) is wrong because it is a secure transport protocol for remote CLI access and file transfer, not a AAA protocol; it does not provide separate authentication, authorization, and accounting functions as a service.

487
MCQeasy

An administrator configures 'aaa authentication login default group tacacs+ local'. What happens if the TACACS+ server is unreachable?

A. The switch uses no authentication
B. Authentication fails
C. The switch tries the next method in the group
D. Local username database is used
Answer: D

The config includes 'local' as a fallback method after group tacacs+.

Why this answer

The command 'aaa authentication login default group tacacs+ local' configures a method list where the first method is TACACS+ and the second is local. If the TACACS+ server is unreachable (not responding, not rejecting), the switch falls back to the next method in the list, which is local authentication using the local username database. This fallback behavior is defined by Cisco IOS/IOS-XE authentication method lists, where 'local' acts as a backup when the primary method is unavailable.

Exam trap

Cisco often tests the distinction between a server being unreachable (fallback occurs) versus a server rejecting credentials (authentication fails immediately), causing candidates to incorrectly assume that any TACACS+ issue results in authentication failure.

How to eliminate wrong answers

Option A is wrong because the switch does not use 'no authentication'; the 'default' method list requires authentication, and fallback to local ensures authentication still occurs. Option B is wrong because authentication does not fail outright; failure only occurs if all methods in the list are exhausted or if the server explicitly rejects the credentials (e.g., via a 'DENIED' response). Option C is wrong because 'group tacacs+' is a single method group; the switch does not try 'the next method in the group'—it tries the next method in the list, which is 'local', not another server within the same group.

488
MCQ · easy

An engineer needs to ensure that only authorized servers can connect to a specific switch port in a data center. The port connects to a critical database server with fixed MAC address 00:1a:2b:3c:4d:5e. Which configuration is most appropriate?

A. switchport port-security; switchport port-security mac-address 001a.2b3c.4d5e; switchport port-security violation shutdown
B. switchport port-security; switchport port-security maximum 1; switchport port-security violation shutdown
C. no switchport port-security; spanning-tree portfast
D. switchport port-security; switchport port-security maximum 2; switchport port-security violation protect
Answer: A

Statically configures the authorized MAC, exactly meeting the requirement.

Why this answer

Option A is correct because it explicitly binds the specific MAC address 001a.2b3c.4d5e to the port using port security, and sets the violation mode to shutdown, which disables the port if any unauthorized device attempts to connect. This ensures only the authorized database server can use the port, meeting the requirement precisely.

Exam trap

Cisco often tests the distinction between specifying a static MAC address versus relying on dynamic learning with a maximum count, where candidates mistakenly think limiting to one MAC is sufficient without binding the specific authorized address.

How to eliminate wrong answers

Option B is wrong because it only limits the maximum number of MAC addresses to 1 without specifying the allowed MAC address, so the port will learn the first MAC it sees, which could be an unauthorized device if it connects first. Option C is wrong because it disables port security entirely and enables spanning-tree portfast, which provides no MAC-based access control and allows any device to connect. Option D is wrong because it sets the maximum to 2, allowing two MAC addresses, and uses the protect violation mode, which simply drops frames from unauthorized sources without alerting or disabling the port, failing to ensure only the authorized server can connect.

489
MCQ · easy

A data center switch has multiple access ports configured with spanning-tree portfast. A new server is connected to one of these ports and immediately causes a network loop. What is the most likely cause?

A. The portfast feature is disabled by default on the switch.
B. The server sends BPDUs.
C. The port is not configured with BPDUguard.
D. The switch is running MSTP instead of PVST+.
Answer: C

Without BPDUguard, the port stays up when a BPDU is received, potentially causing a loop.

Why this answer

Option C is correct because Spanning Tree Protocol (STP) PortFast immediately transitions a port to the forwarding state, bypassing the listening and learning phases. However, PortFast alone does not protect against loops if a rogue device (like a server) inadvertently connects two switch ports or sends BPDUs. BPDUguard must be explicitly configured on the port to disable it upon receiving any BPDU, preventing a loop.

Without BPDUguard, the switch will process the BPDU and may re-enter STP convergence, potentially causing a loop if the server is misconfigured or bridging traffic.

Exam trap

Cisco often tests the misconception that PortFast alone prevents loops, but the trap here is that PortFast only speeds up initial convergence; without BPDUguard, a PortFast port can still participate in STP and cause a loop if it receives a BPDU.

How to eliminate wrong answers

Option A is wrong because PortFast is not disabled by default on a switch; it is a per-port feature that must be explicitly enabled with the 'spanning-tree portfast' interface command. Option B is wrong because the server sending BPDUs is the trigger for the loop, not the cause of the loop itself—the root cause is the lack of BPDUguard to protect the PortFast port from those BPDUs. Option D is wrong because MSTP (Multiple Spanning Tree Protocol) and PVST+ (Per-VLAN Spanning Tree Plus) both support PortFast and BPDUguard; the protocol variant does not inherently cause loops when PortFast is enabled without BPDUguard.

490
Multi-Select · medium

Which TWO of the following are benefits of using Smart Zoning in Cisco MDS switches?

Select 2 answers
A. Reduces number of zone objects
B. Provides faster FLOGI processing
C. Simplifies zone management for large fabrics
D. Eliminates the need for VSANs
E. Allows automatic LUN masking
Answers: A, C

Smart Zoning combines multiple zones into a single object, reducing overhead.

Why this answer

Smart Zoning reduces the number of zone objects by automatically grouping initiator-target pairs into a single zone entry, rather than requiring a separate zone for each pair. This minimizes the size of the zone database and reduces the processing overhead on the switch during fabric reconfigurations.

Exam trap

Cisco often tests the misconception that Smart Zoning improves FLOGI processing speed or eliminates VSANs, when in reality it only optimizes zone object management and does not alter fundamental fabric services.

491
MCQ · medium

An engineer is designing a Layer 3 network for a data center using OSPF. The core switches are connected to aggregation switches. To optimize convergence, which OSPF network type should be used on the links between core and aggregation?

A. broadcast
B. non-broadcast
C. point-to-multipoint
D. point-to-point
Answer: D

Eliminates the DR/BDR election and reduces convergence time.

Why this answer

In a data center spine-leaf architecture, the links between core (spine) and aggregation (leaf) switches are typically point-to-point Layer 3 links. Configuring OSPF network type point-to-point (option D) on these interfaces eliminates the need for DR/BDR election, reduces hello and dead timers (default 10s/40s vs 30s/120s for broadcast), and allows faster convergence because OSPF immediately forms a neighbor adjacency without waiting for election delays.

Exam trap

Cisco often tests the misconception that broadcast is the default and therefore best for Ethernet links, but in a data center spine-leaf design, point-to-point is preferred because it eliminates DR/BDR election overhead and provides faster convergence.

How to eliminate wrong answers

Option A is wrong because broadcast network type requires a Designated Router (DR) and Backup Designated Router (BDR) election, which adds unnecessary convergence delay and overhead on point-to-point links between core and aggregation switches. Option B is wrong because non-broadcast network type is used for NBMA environments (e.g., Frame Relay) where neighbors must be manually configured and DR/BDR election still occurs, making it unsuitable for direct point-to-point Ethernet links. Option C is wrong because point-to-multipoint is designed for hub-and-spoke topologies where a single interface connects to multiple neighbors, not for the direct point-to-point links between core and aggregation switches.

492
Drag & Drop · medium

Sequence the steps for configuring OSPF on a Cisco Nexus switch in a data center fabric.

Why this order

OSPF configuration involves creating the process, setting router ID, enabling on interfaces, and verification.

493
MCQ · hard

Refer to the exhibit. A UCS domain shows a 'Major' NVRAM backup failure alarm in Intersight. What is the best immediate action?

A. Attempt a manual NVRAM configuration backup from the primary Fabric Interconnect to the secondary.
B. Perform a factory reset on both Fabric Interconnects.
C. Reboot the primary Fabric Interconnect.
D. Reclaim the UCS domain from Intersight and register again.
Answer: A

Manual backup can jumpstart the failed backup process and clear the alarm.

Why this answer

A 'Major' NVRAM backup failure alarm in Intersight indicates that the automatic periodic backup of the UCS domain's configuration from the primary Fabric Interconnect (FI) to the secondary FI has failed. The best immediate action is to attempt a manual NVRAM configuration backup from the primary FI to the secondary, as this directly addresses the backup failure without disrupting domain operations or requiring re-registration.

Exam trap

Cisco often tests the distinction between a configuration backup failure and a hardware or connectivity failure, leading candidates to choose disruptive actions like rebooting or factory resetting when a simple manual backup retry is the correct first step.

How to eliminate wrong answers

Option B is wrong because performing a factory reset on both Fabric Interconnects is a drastic, destructive action that would erase all configuration and cause significant downtime, which is unnecessary for a backup failure that can be resolved manually. Option C is wrong because rebooting the primary Fabric Interconnect would disrupt traffic and may not resolve the backup failure; the issue is likely with the backup process or connectivity, not the FI's operational state. Option D is wrong because reclaiming the UCS domain from Intersight and registering again would remove the domain from management and require re-establishing connectivity, which is an overreaction for a backup failure that can be addressed with a manual backup attempt.

494
MCQ · medium

A server team reports that after connecting a new server to a switchport, the server can receive traffic but cannot send traffic. The port is configured with port security. What is the most likely cause?

A. The port is in errdisable state
B. The port security violation mode is set to protect
C. The port security maximum is set to 1 and another device is connected
D. The server MAC address is not in the allowed list
Answer: B

Protect mode drops offending frames silently, allowing the server to receive but not send traffic from an unknown MAC.

Why this answer

When port security violation mode is set to 'protect', the switch drops traffic from unauthorized MAC addresses without generating a syslog message or incrementing the violation counter. In this scenario, the server can receive traffic because the switch still forwards broadcast and unknown unicast frames to the port, but the server's transmitted frames are silently dropped because the switch does not learn the server's MAC address or forward its frames. This matches the symptom of one-way communication where the server can receive but not send.

Exam trap

Cisco often tests the distinction between the three port security violation modes (protect, restrict, shutdown) by presenting a symptom of one-way traffic, which candidates mistakenly attribute to a shutdown or restrict mode rather than the silent dropping behavior of protect.

How to eliminate wrong answers

Option A is wrong because an errdisable state would cause the port to be completely shut down, preventing both sending and receiving traffic, not just one-way communication. Option C is wrong because if the maximum MAC count is set to 1 and another device is connected, the violation action would trigger based on the configured mode (shutdown, restrict, or protect), but the symptom described (receive but not send) is specific to the protect mode, not a simple count limit. Option D is wrong because port security does not use an 'allowed list' of MAC addresses by default; it learns MAC addresses dynamically unless a static secure MAC address is configured, and even then, a mismatch would trigger the violation mode, not result in one-way traffic.

495
MCQ · easy

A data center automation script uses Python's requests library to call the NX-API for a Nexus 9000 switch. The script works but returns HTTP 400. Which is a likely cause?

A. The request payload is malformed
B. The switch has no management IP
C. The script uses HTTP instead of HTTPS
D. The API is not enabled
Answer: A

HTTP 400 Bad Request is a client-side error: the request reached the switch but was rejected as malformed.

Why this answer

HTTP 400 indicates a bad request, which in the context of NX-API typically means the JSON or XML payload sent to the switch does not conform to the expected schema. Common issues include missing required fields (e.g., 'ins_api' version, 'type', 'chunk', 'sid', 'input', 'output_format'), incorrect JSON syntax, or invalid values for parameters like 'version' or 'type'. The requests library successfully delivered the HTTP request, but the NX-API rejected it due to malformed content.

Exam trap

Cisco often tests the distinction between HTTP status codes (400 vs. 404 vs. connection errors) to see if candidates understand that a 400 specifically points to payload issues, not network or configuration problems.

How to eliminate wrong answers

Option B is wrong because if the switch had no management IP, the script would fail with a connection error (e.g., 'No route to host' or timeout), not an HTTP 400 response. Option C is wrong because using HTTP instead of HTTPS would result in a different error, such as a redirect (301/302) or a connection refused if HTTPS is enforced, but the NX-API can accept HTTP requests if configured; HTTP 400 is unrelated to protocol choice. Option D is wrong because if the API were not enabled, the switch would return an HTTP 404 (Not Found) or a connection reset, not a 400 Bad Request.

496
MCQ · medium

A data center engineer is troubleshooting connectivity issues between two EPGs in the same tenant on a Cisco ACI fabric. The first EPG 'web_epg' is in VLAN 100 and the second EPG 'db_epg' is in VLAN 200. The contract 'web_to_db' allows TCP port 3306 from web_epg to db_epg. The EPGs are in the same VRF. The engineer has verified that the physical connectivity is correct and the endpoints are learning their IP addresses. However, traffic from web_epg to db_epg is not reaching the destination. The engineer checks the contract and sees that the subject 'mysql_access' has filter 'mysql' with direction 'both'. The provider is db_epg and consumer is web_epg. The engineer also notices that the default action in the contract is 'deny'. What is the most likely cause of the issue?

A. The contract direction is reversed: the provider should be the destination of the traffic. Since web_epg initiates to db_epg, web_epg should be the provider.
B. The VRF is not correctly associated with the EPGs.
C. A Layer 3 Outside (L3Out) is required for communication between EPGs in the same VRF.
D. The filter 'mysql' does not match TCP port 3306.
Answer: A

In ACI, the provider offers a service; the consumer initiates. Here web_epg initiates, so web_epg should be provider.

Why this answer

In Cisco ACI, the provider EPG is the one that offers a service (the destination of the traffic), and the consumer EPG is the one that initiates the connection. Since web_epg initiates TCP traffic to db_epg, db_epg should be the provider and web_epg the consumer. The contract is reversed, so the default deny action blocks the traffic because the consumer (web_epg) is not allowed to initiate toward the provider (db_epg) under the reversed roles.

Exam trap

Cisco often tests the provider/consumer directionality in ACI contracts, and the trap here is that candidates assume the provider is the source (initiator) of traffic, when in fact the provider is the destination (service offerer).

How to eliminate wrong answers

Option B is wrong because the VRF association is correct—both EPGs are in the same VRF, and the endpoints are learning IP addresses, indicating the VRF is properly configured. Option C is wrong because an L3Out is only needed for communication with external networks (outside the fabric), not between EPGs in the same VRF; intra-VRF communication uses contracts directly. Option D is wrong because the filter 'mysql' is a predefined filter that matches TCP port 3306, so it correctly permits the required traffic.

497
MCQ · hard

A Nexus switch experiences high CPU utilization due to excessive ICMP traffic. An engineer applies a CoPP policy that includes a class matching ICMP with a drop action. After applying, legitimate OSPF hello packets are also being dropped. What is the most likely cause?

A. The CoPP policy is applied to the wrong interface
B. The CoPP policy rate-limits all traffic including OSPF below its needed rate
C. OSPF packets match the default class which has a drop action
D. The class-map matches multiple protocols including OSPF
Answer: C

If the default class action is drop, any traffic not explicitly matched (including OSPF) will be dropped. This is a common misconfiguration.

Why this answer

Option C is correct because when a CoPP policy is applied, traffic that does not match any explicit class-map falls into the default class. If the default class has a drop action, all unmatched traffic—including OSPF hello packets (which use IP protocol 89)—will be dropped. The class-map matching ICMP (typically based on protocol or DSCP) does not match OSPF, so OSPF packets are handled by the default class, causing the observed behavior.

Exam trap

Cisco often tests the concept that the default class in CoPP is not automatically 'permit' and must be explicitly configured; the trap here is assuming that only the matched class (ICMP) is affected, while forgetting that unmatched traffic falls to the default class, which can have a drop action.

How to eliminate wrong answers

Option A is wrong because CoPP policies are applied globally to the control plane (via 'control-plane' and 'service-policy input'), not to individual interfaces; applying to the wrong interface would not affect control-plane traffic. Option B is wrong because the policy explicitly drops ICMP traffic, not rate-limits it; OSPF packets are not rate-limited but dropped entirely due to the default class action, not because of insufficient rate. Option D is wrong because the class-map matches only ICMP (e.g., match protocol icmp or match ip dscp cs0), and OSPF uses IP protocol 89, which is distinct; the class-map does not include OSPF.

498
MCQ · medium

An engineer is deploying FCoE on a Cisco Nexus 9000v switch in a converged network. The storage array is connected via native Fibre Channel to an MDS switch, and the MDS is connected to the Nexus using an FCoE link. The engineer creates a virtual Fibre Channel (VFC) interface on the Nexus, binds it to an Ethernet interface, and maps VSAN 200 to VLAN 200. The MDS side has an FCoE port configured and enabled. Servers connected to the Nexus with FCoE initiators can successfully log into the storage targets, but performance is very poor and intermittent. The engineer checks for drops on all interfaces and finds none. The engineer also verifies that the FCoE VLAN is not blocked by spanning tree. What is the most likely cause of the performance issue?

A. The Ethernet interface MTU is set to 1500 instead of 2500.
B. The FCoE VLAN is blocking spanning tree.
C. The MDS has not enabled FCoE on the interface.
D. The VFC interface is not bound to the correct port-channel.
Answer: A

FCoE requires jumbo frames; 1500 MTU causes fragmentation.

Why this answer

FCoE requires a larger MTU (typically 2500 bytes) so that Fibre Channel frames can be encapsulated without fragmentation. An MTU of 1500 causes fragmentation and retransmissions, leading to poor performance. Option A is correct.

Option C would prevent login entirely. Option D is not required for basic connectivity. Option B was already verified as not causing the issue.

499
MCQ · easy

Refer to the exhibit. A network engineer has configured a port-channel for OSPF adjacency. What additional configuration is required for the port-channel to operate correctly?

A. Set the OSPF priority.
B. No additional configuration needed.
C. Enable OSPF on the port-channel with `ip router ospf process`.
D. Configure the channel-group mode on member interfaces.
Answer: D

Member interfaces must be assigned to the port-channel using `channel-group`.

Why this answer

Option D is correct because for a port-channel to form an OSPF adjacency, the member interfaces must be configured with a channel-group mode (e.g., 'channel-group 1 mode active') to bundle them into a logical port-channel interface. Without this, the interfaces remain individual Layer 2 or Layer 3 links, and OSPF cannot establish adjacency over the port-channel as a single logical link.

Exam trap

Cisco often tests the misconception that creating the port-channel interface alone is sufficient, when in fact the member interfaces must be explicitly assigned to the port-channel using the channel-group command.

How to eliminate wrong answers

Option A is wrong because OSPF priority is used for Designated Router (DR) and Backup Designated Router (BDR) election on multiaccess networks, not for enabling or operating a port-channel. Option B is wrong because additional configuration is indeed required: the member interfaces must be assigned to the port-channel using the channel-group command; simply creating the port-channel interface does not bundle the physical links. Option C is wrong because 'ip router ospf process' is used to enable OSPF on an interface, but the port-channel interface itself must first exist and be properly formed; the missing step is bundling the member interfaces, not enabling OSPF on the port-channel.

500
MCQ · hard

An engineer observes that ARP packets are being dropped. Based on the exhibit, what is the drop rate percentage for ARP packets?

A. 75%
B. 25%
C. 50%
D. 100%
Answer: C

Half of the packets exceed the police rate and are dropped.

Why this answer

The exhibit shows that out of 1000 total ARP packets, 500 were dropped. The drop rate percentage is calculated as (dropped packets / total packets) * 100, which is (500/1000)*100 = 50%. Therefore, option C is correct.

Exam trap

Cisco often tests the ability to correctly compute a percentage from raw drop and total counts, where candidates might misread the exhibit or confuse drop rate with success rate, leading to incorrect answers like 25% or 75%.

How to eliminate wrong answers

Option A is wrong because 75% would require 750 dropped packets out of 1000, not 500. Option B is wrong because 25% would require 250 dropped packets out of 1000, not 500. Option D is wrong because 100% would require all 1000 packets to be dropped, but only 500 were dropped.
