Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 526-600

1000 questions total · 14 pages · All types, answers revealed

Page 8 of 14

526
MCQ · medium

Refer to the exhibit. An administrator updates template-B but its associated profile SP2 shows 'unassigned'. The administrator wants SP2 to reflect the changes. What should be done first?

A. Disable and re-enable template-B
B. Wait for the automatic association to occur
C. Associate SP2 with template-B using the 'bind' operation
D. Rebind all profiles to template-B
Answer: C

Binding creates the link between profile and template.

Why this answer

In Cisco UCS Manager, a service profile (SP2) must be explicitly bound to a template (template-B) to inherit updates. The 'bind' operation associates the profile with the template, allowing changes made to the template to propagate to the profile. Simply disabling and re-enabling the template or waiting for automatic association does not establish this binding; the profile remains 'unassigned' until it is bound.

Exam trap

Cisco often tests the distinction between 'updating templates' and 'initial templates', where candidates mistakenly assume that simply enabling or refreshing a template will automatically update associated profiles, overlooking the explicit bind requirement.

How to eliminate wrong answers

Option A is wrong because disabling and re-enabling a template does not change the association state of a service profile; it only toggles the template's operational status without affecting the binding. Option B is wrong because Cisco UCS Manager does not automatically associate a service profile with a template; the administrator must manually perform a bind operation to link the profile to the template. Option D is wrong because rebinding all profiles to template-B is unnecessary and could disrupt other profiles; only SP2 needs to be bound to template-B to reflect the changes.

527
MCQ · hard

Refer to the exhibit. An engineer notices that traffic is not load-balanced across all four links. What is the most likely cause?

A. The minimum links set to 2 prevents load balancing.
B. LACP is not supported on Fibre Channel.
C. The load-balancing algorithm is based on source-dest-id, which may not evenly distribute traffic.
D. The port channel is in admin down state.
E. The links are not in the same VSAN.
Answer: C

Source-dest-id can lead to polarization if many flows share the same pair; other algorithms like source-dest-ox-id provide better distribution.

Why this answer

Option C is correct because the load-balancing algorithm for Fibre Channel port channels uses source-dest-id (SID and DID) by default. If the traffic flows are between a small number of source-destination pairs, the hash results will map most flows to the same link, preventing even distribution across all four links. This is a common cause of perceived load imbalance even when all links are operational.

Exam trap

Cisco often tests the misconception that load imbalance is always due to a configuration error or link failure, when in fact the default hash algorithm's behavior with limited source-destination pairs is the root cause.

How to eliminate wrong answers

Option A is wrong because the minimum-links setting (e.g., 2) only prevents the port channel from coming up if fewer than that number of links are active; it does not affect load balancing once the channel is up. Option B is wrong because LACP (IEEE 802.3ad) is not used on Fibre Channel; Fibre Channel port channels use the Fibre Channel standard (FC-BB-5/6) or Cisco's proprietary PAgP for FCoE, but LACP is irrelevant here. Option D is wrong because if the port channel were in admin down state, no traffic would pass at all, not just uneven load balancing.

Option E is wrong because all links in a Fibre Channel port channel must be in the same VSAN; if they were not, the port channel would not form or would have errors, but the exhibit shows the channel is up.

528
MCQ · hard

A data center architect needs to enforce role-based access control for UCS Manager. What is the correct approach?

A. Create user roles with specific privileges in UCS Manager
B. Enable CoPP for management access
C. Use TACACS+ to assign roles
D. Use RADIUS for authentication only
Answer: A

UCS Manager native RBAC allows granular control.

Why this answer

UCS Manager provides RBAC by allowing administrators to create custom roles with specific privileges and assign them to users.

529
MCQ · hard

A data center administrator is configuring a Cisco UCS C-series rack server in standalone mode using CIMC. Which interface must be used to mount an ISO image for OS installation over the network?

A. Cisco IMC Supervisor
B. UCS Manager GUI
C. UCS Central
D. CIMC web interface (KVM or Virtual Media)
Answer: D

CIMC provides KVM and virtual media for remote ISO mounting.

Why this answer

CIMC provides virtual media capabilities, allowing remote mounting of ISO images via KVM or virtual media session.

530
MCQ · medium

An engineer is configuring VXLAN bridging and routing on a Cisco Nexus 9000 switch. Which configuration is required to enable inter-VNI routing?

A. Configure a VLAN interface under the bridge domain.
B. Enable ip routing under VRF.
C. Configure anycast gateway MAC.
D. Configure a VRF and associate the VLAN interface to it.
Answer: C

Provides a common gateway MAC across all leaf switches, enabling seamless routing between VNIs.

Why this answer

Inter-VNI routing requires a shared anycast gateway MAC address across all VTEPs in the same VXLAN fabric. This allows the switch to respond to ARP requests for the gateway IP and forward traffic between different VNIs without relying on a traditional routed interface. The anycast gateway MAC is configured under the VLAN interface (SVI) using the 'fabric forwarding anycast-gateway-mac' command.

Exam trap

Cisco often tests the misconception that simply enabling IP routing or associating an SVI to a VRF is sufficient for inter-VNI routing, when in fact the anycast gateway MAC is the mandatory configuration that enables the distributed gateway functionality.

How to eliminate wrong answers

Option A is wrong because configuring a VLAN interface under the bridge domain is part of VXLAN bridging, not routing; inter-VNI routing requires an SVI with anycast gateway, not just a VLAN interface in the bridge domain. Option B is wrong because enabling 'ip routing' under VRF is a prerequisite for any L3 forwarding but does not specifically enable inter-VNI routing; the critical missing piece is the anycast gateway MAC. Option D is wrong because associating a VLAN interface to a VRF is necessary for VRF-based routing but alone does not enable inter-VNI routing; the anycast gateway MAC must be configured on the SVI to allow the switch to act as a distributed gateway.

531
Multi-Select · hard

In an ACI fabric, which THREE components are required to define a policy that allows communication between two EPGs?

Select 3 answers
A. Contract
B. Consumer EPG
C. L3Out
D. Tenant
E. Provider EPG
Answers: A, B, E

Contract defines the allowed communication.

Why this answer

A contract with a subject and filter, provider EPG, and consumer EPG are needed.

532
MCQ · medium

An engineer is configuring intelligent zoning and wants to use device aliases to simplify zone membership. What is a characteristic of device aliases compared to zone aliases?

A. Device aliases require a specific DNS entry.
B. Device aliases are restricted to a single VSAN.
C. Device aliases are automatically assigned to the default zone.
D. Device aliases can be used in multiple zones across different VSANs.
Answer: D

Device aliases are global and can be reused across VSANs.

Why this answer

Option B is correct. Device aliases are fabric-wide (or switch-wide) and can be used across multiple zones and VSANs. Zone aliases are per-zone.

533
Multi-Select · medium

A network engineer is configuring FCoE on a Cisco Nexus switch. Which two DCB features must be enabled to support lossless Ethernet for FCoE traffic? (Choose two.)

Select 2 answers
A. PFC (Priority Flow Control)
B. IGMP snooping
C. STP (Spanning Tree Protocol)
D. ETS (Enhanced Transmission Selection)
E. LACP (Link Aggregation Control Protocol)
Answers: A, D

PFC ensures no-loss for FCoE traffic.

Why this answer

PFC (Priority Flow Control) provides per-priority pause to prevent frame loss, and ETS (Enhanced Transmission Selection) allocates bandwidth among traffic classes.

534
MCQ · medium

A UCS B-Series chassis has four IOM modules installed. The chassis is connected to two Fabric Interconnects. How many uplink connections are typically used from each IOM to the Fabric Interconnects to ensure full bandwidth redundancy?

A. One uplink from the chassis to each FI
B. Four uplinks per IOM to a single FI
C. One uplink per IOM to each FI
D. Two uplinks per IOM to each FI
Answer: D

Each IOM has four ports, typically two are connected to FI-A and two to FI-B, ensuring full bandwidth and redundancy.

Why this answer

Each IOM has four uplink ports (two per fabric). To achieve full bandwidth and redundancy, typically all four uplinks are used (two to FI-A and two to FI-B).

535
MCQ · easy

An engineer notices that the CPU utilization on a Cisco Nexus 5548UP switch is consistently above 80%. The switch is used for FCoE storage traffic. Which action is most likely to reduce CPU utilization?

A. Configure DCBx will-say mode
B. Enable FCoE NPV mode
C. Disable FIP snooping
D. Reduce the number of FCoE VLANs
Answer: D

Fewer VLANs means less FIP snooping processing, reducing CPU load.

Why this answer

Reducing the number of FCoE VLANs decreases the amount of FIP snooping processing, which is a common cause of high CPU. Disabling FIP snooping would break FCoE. Enabling NPV or changing DCBx does not directly reduce CPU.

536
MCQ · easy

A storage administrator reports that a new host cannot log into the SAN. The host is connected to a Cisco MDS switch. The switch interface shows up/up but the host is not in the active zone. What is the most likely cause?

A. The zone set is not activated.
B. The switch port is in an isolated state.
C. The FC cable is faulty.
D. The host's WWPN is not in the zone configuration.
E. The host's driver is not installed.
Answer: A

If the zone set is not activated, even if the WWPN is in the zone, it won't be effective. The host is not in the active zone because the active zone set may not include the zone.

Why this answer

The host cannot log into the SAN despite the interface showing up/up because the zone set is not activated. In Cisco MDS Fibre Channel SANs, zone configurations are stored in the zone database but only take effect when the zone set is activated (using the 'zone activate' command). Without an active zone set, no zoning is enforced, and the host's WWPN is effectively invisible to other devices, preventing login even though the physical link is operational.

Exam trap

Cisco often tests the distinction between configuring a zone (adding WWPNs) and activating the zone set; candidates mistakenly assume that simply adding a WWPN to a zone is sufficient, overlooking the mandatory activation step that enforces the zoning policy.

How to eliminate wrong answers

Option B is wrong because an isolated state occurs in PortChannel configurations when ports are incompatible (e.g., speed or mode mismatch), not due to zoning issues, and the interface shows up/up, ruling out isolation. Option C is wrong because a faulty FC cable would cause the interface to be down/down or flap, not up/up. Option D is wrong because the host's WWPN not being in the zone configuration would still allow the host to log into the fabric (FLOGI) and appear in the active zone database; the issue is that no zone set is active, so even if the WWPN were configured, it would not be enforced.

Option E is wrong because the host's driver not being installed would prevent the host from initiating a fabric login (FLOGI), but the switch interface shows up/up, indicating physical and link-level connectivity is present.

537
Multi-Select · hard

Which THREE of the following are valid methods to secure the control plane on a Cisco Nexus 9000 switch?

Select 3 answers
A. Enable control plane policing (CoPP) to rate-limit control plane traffic.
B. Configure management access lists to restrict SSH/SNMP access.
C. Disable unused services such as HTTP/HTTPS server.
D. Enable Bidirectional Forwarding Detection (BFD) on all interfaces.
E. Implement routing protocol authentication (e.g., OSPF MD5).
Answers: A, B, C

CoPP protects the control plane from DoS attacks.

Why this answer

Control plane policing (CoPP) is a valid method to secure the control plane on a Cisco Nexus 9000 switch. CoPP uses a policy map applied to the control plane to rate-limit or drop traffic destined to the supervisor module, protecting the CPU from excessive or malicious traffic. This is a direct control plane security mechanism defined in Cisco NX-OS.

Exam trap

Cisco often tests the distinction between control plane security (CoPP, management ACLs, disabling services) and other security features like BFD or routing authentication, which protect different planes or functions.

538
MCQ · easy

An engineer needs to design a resilient Fibre Channel SAN that eliminates single points of failure between two MDS switches and a storage array with two controllers. What is the minimum number of FC port channels required to achieve this goal?

A. Three
B. Two
C. One
D. Four
Answer: B

Two port channels allow each controller to connect to both switches.

Why this answer

For redundancy, each storage controller connects to both switches. Two port channels (each from a controller to a switch) are needed. Option A (1) provides only one link per controller.

Option C (3) and D (4) are overkill. Option B is correct.

539
MCQ · easy

An engineer needs to implement port security on a Cisco Nexus 1000v virtual switch to prevent MAC flooding attacks. The requirement is to allow only the first MAC address learned on the port. Which command sequence accomplishes this?

A. interface ethernet 1/1
   switchport port-security
   switchport port-security maximum 2
   switchport port-security violation restrict
B. interface ethernet 1/1
   switchport port-security
   switchport port-security maximum 1
   switchport port-security violation shutdown
C. interface ethernet 1/1
   switchport port-security
   switchport port-security maximum 10
   switchport port-security violation protect
D. interface ethernet 1/1
   switchport port-security manual
   switchport port-security mac-address 0000.1111.2222
Answer: B

This sets the maximum MAC addresses to 1 and violation action to shutdown.

Why this answer

Option B is correct because the command sequence sets the maximum number of MAC addresses to 1, which ensures only the first learned MAC address is allowed on the port. The 'violation shutdown' action disables the port if a violation occurs, effectively preventing MAC flooding attacks by stopping any additional MAC addresses from being learned.

Exam trap

Cisco often tests the distinction between 'violation protect' (silently drops unknown traffic) and 'violation shutdown' (disables the port), and candidates may mistakenly choose 'protect' thinking it is sufficient, but only 'shutdown' fully prevents MAC flooding by stopping all traffic on the port.

How to eliminate wrong answers

Option A is wrong because it sets the maximum to 2, allowing two MAC addresses instead of the required one, and uses 'restrict' which only drops traffic from unknown MACs without disabling the port. Option C is wrong because it sets the maximum to 10, allowing multiple MAC addresses, and uses 'protect' which silently drops unknown traffic but does not prevent the port from learning multiple MACs. Option D is wrong because 'switchport port-security manual' is not a valid command on Cisco Nexus switches; the correct command is 'switchport port-security mac-address sticky' or a static MAC assignment, and it does not enforce the 'first learned' behavior.

540
MCQ · medium

An administrator needs to perform a remote firmware upgrade on a UCS C220 rack server. The server has CIMC configured with an IP address. Which method should the administrator use to upgrade the CIMC firmware?

A. Use the KVM console to boot from a firmware upgrade ISO.
B. Use UCS Manager to upgrade the firmware of the C-series server.
C. Use Cisco IMC Supervisor to upgrade firmware across multiple servers.
D. Use the CIMC web interface to upload and apply the firmware image.
Answer: D

CIMC provides direct firmware upgrade capability.

Why this answer

CIMC supports firmware upgrade via its web interface or CLI using protocols like HTTP, TFTP, or SCP. The recommended method is to use the CIMC GUI or the 'update firmware' command in CIMC.

541
MCQ · medium

When using Cisco NSO (Network Services Orchestrator) to automate service creation across a data center network, what is a key consideration regarding device compatibility?

A. NSO requires NETCONF for all devices.
B. Each device must have a corresponding NED that matches its OS version.
C. Device YANG models must be hand-coded by the team.
D. NSO only supports Cisco devices.
Answer: B

NSO requires a compatible NED for each device model and OS version to translate service models.

Why this answer

B is correct because Cisco NSO uses Network Element Drivers (NEDs) to translate service models into device-specific CLI, SNMP, or NETCONF commands. Each NED is tied to a specific device OS version (e.g., IOS-XE 16.12, NX-OS 9.3), so mismatched NEDs cause configuration failures or incomplete deployments. Without a compatible NED, NSO cannot communicate with or configure the device.

Exam trap

The trap here is that candidates assume NSO relies exclusively on NETCONF or YANG for all devices, overlooking the critical role of OS-version-specific NEDs in enabling multi-protocol, multi-vendor automation.

How to eliminate wrong answers

Option A is wrong because NSO does not require NETCONF for all devices; it supports multiple southbound protocols including CLI, SNMP, and RESTCONF, with NEDs abstracting the protocol details. Option C is wrong because YANG models are not hand-coded by the team for each device; NSO uses pre-built NEDs that contain YANG models, and custom YANG models are only needed for service design, not device compatibility. Option D is wrong because NSO is vendor-agnostic and supports multi-vendor environments through NEDs for devices from Cisco, Juniper, Arista, and others.

542
MCQ · easy

Which protocol is used by NETCONF for transport?

A. SSH
B. Telnet
C. HTTP
D. HTTPS
Answer: A

NETCONF uses SSH for secure transport.

Why this answer

NETCONF (RFC 6241) uses SSH as its transport protocol.

543
MCQ · medium

An administrator wants to create separate FC fabrics on a single Cisco MDS switch for isolation of production and backup traffic. Which technology should they use?

A. PortChannel
B. NPV
C. Zoning
D. VSAN
Answer: D

VSAN creates separate logical fabrics for full isolation.

Why this answer

VSANs (Virtual SANs) provide fabric isolation on the same physical switch, similar to VLANs. Each VSAN has its own fabric services, zoning, and domain ID.

544
MCQ · medium

A company is consolidating its storage network into a single fabric using a Cisco MDS 9509. They want to use VSANs to isolate different departments. The VSANs will be 10, 20, and 30. They have a single ISL between two MDS switches. The engineers want to carry all three VSANs over the ISL. They configure both ends of the ISL as E ports and enable trunking. After configuration, they notice that only VSAN 10 traffic passes over the ISL. The other VSANs appear isolated. The show vsan membership shows all three VSANs are present on both switches. The show interface trunk on the ISL shows that the trunk is up but only VSAN 10 is allowed. What is the most likely cause?

A. The other VSANs are not configured on the trunk interface
B. The allowed VSAN list on the trunk port is limited to only VSAN 10
C. The trunk mode is set to 'on' instead of 'desirable'/'auto'
D. The ISL is in an error-disabled state for VSAN 20 and 30
Answer: B

The allowed VSAN list must be explicitly configured to include VSAN 20 and 30.

Why this answer

The show interface trunk output indicates that only VSAN 10 is in the allowed list. The allowed VSAN list on the trunk port must be configured to include all three VSANs. The trunk mode (on/desirable) does not limit VSANs.

Error-disabled would show in different status. VSAN membership on the interface is not applicable for trunk ports.

545
MCQ · medium

An engineer is configuring a UCS service profile for a blade server that will use FCoE to connect to a Fibre Channel SAN. What must be configured in the service profile to support FCoE traffic?

A. Configure the vNIC with FCoE personality and specify the FCoE VLAN
B. Assign a WWPN to the vNIC
C. Enable the FCoE flag on the vHBA
D. Set the vNIC to use the native VLAN for FCoE
Answer: A

This enables the vNIC to carry FCoE traffic.

Why this answer

To carry FCoE traffic, the vNIC must be configured to use the FCoE VLAN and have the FCoE personality enabled. This allows the adapter to parse FCoE frames.

546
MCQ · medium

A Cisco MDS switch is configured with two VSANs. Hosts in VSAN 1 cannot communicate with hosts in VSAN 2. What is the most likely reason?

A. The IVR is not configured.
B. The VSANs are not connected through an IVR zone.
C. The FC domain ID is conflicting.
D. The switch does not support multi VSAN.
E. The hosts are on different switches.
Answer: B

IVR zones define which devices can communicate across VSANs. Without these zones, traffic is isolated.

Why this answer

By default, VSANs are isolated from each other, meaning traffic cannot cross VSAN boundaries. Inter-VSAN Routing (IVR) must be explicitly configured to allow communication between hosts in different VSANs. Without IVR, hosts in VSAN 1 and VSAN 2 remain in separate fabrics and cannot communicate, even if they are connected to the same switch.

Exam trap

Cisco often tests the misconception that VSANs are like VLANs and can communicate by default, but in Fibre Channel fabrics, VSANs are fully isolated unless IVR is explicitly configured.

How to eliminate wrong answers

Option A is wrong because IVR not being configured is not the most likely reason; the question asks for the most likely reason, and the absence of an IVR zone is a more specific and direct cause. Option C is wrong because conflicting FC domain IDs would cause issues within a single VSAN or between switches in the same VSAN, not between different VSANs. Option D is wrong because the Cisco MDS switch supports multiple VSANs natively; the inability to communicate between VSANs is by design, not a lack of support.

Option E is wrong because hosts on different switches can still communicate if they are in the same VSAN or if IVR is configured; the issue here is the VSAN boundary, not the physical switch location.

547
MCQ · medium

A storage administrator needs to isolate Fibre Channel traffic between two departments in a data center using a single MDS switch. The administrator decides to create separate VSANs. Which statement about VSANs is true?

A. VSANs share the same fabric services across all VSANs.
B. VSANs provide isolation similar to VLANs in Ethernet networks.
C. VSANs require separate physical interfaces for each VSAN.
D. VSANs cannot be used with FCoE.
Answer: B

VSANs create separate logical Fibre Channel fabrics on the same physical infrastructure.

Why this answer

VSANs provide isolation similar to VLANs in Ethernet. Each VSAN has its own fabric services and does not share traffic with other VSANs.

548
MCQ · hard

An engineer is designing a SAN for a virtualized environment with 20 hosts and 4 storage arrays. Each host requires a separate zone per storage array for security. What is the minimum number of zones required?

A. 40
B. 20
C. 80
D. 100
Answer: C

20 hosts * 4 arrays = 80 zones.

Why this answer

Each host needs a zone per array, so 20 hosts * 4 arrays = 80 zones. However, if using single initiator zones (best practice), each zone has one host and one target, so indeed 80 zones. Option A assumes one zone per host, which would include all arrays in one zone, violating security.

Option B is too low. Option D is too high.

549
MCQ · hard

Refer to the exhibit. An engineer is troubleshooting poor FCoE performance. The exhibit shows output from the FCoE interface. Which observation indicates a potential issue?

A. PFC frames received is high compared to PFC frames sent
B. The CRC error count is zero
C. Data frames are 1500 bytes, which is too small for FCoE
D. The admin port mode is F instead of NP
Answer: A

Receiving many pause frames implies the peer is congested or PFC mismatch.

Why this answer

PFC frames received (152) with zero sent suggests the interface is receiving pause frames from the peer, possibly due to congestion or a PFC configuration mismatch. Option B is correct. Option A (CRC errors) none.

Option C (mode) is fine. Option D (MTU) default 1500 for data frames is consistent.

550
MCQ · medium

In an FCoE deployment, a storage administrator needs to ensure that FCoE traffic is carried over a dedicated VLAN. Which configuration is required on a Cisco Nexus switch?

A. Configure the VLAN as a private VLAN.
B. Assign the VLAN as an access VLAN to the interface.
C. Enable FIP snooping and map the FCoE VLAN to a VSAN.
D. Configure the VLAN as a native VLAN on the FCoE interface.
Answer: C

FIP snooping is needed for FCoE; mapping FCoE VLAN to VSAN isolates traffic.

Why this answer

Option B is correct. FIP snooping and VSAN mapping are required for FCoE VLAN. Other options are incorrect.

551
MCQ · hard

A storage administrator is troubleshooting FCoE performance issues between a Cisco UCS FI and a storage array. The fabric is configured with FIP snooping and DCB. The administrator checks the FCoE interface counters and sees many dropped frames due to 'no buffer space'. What is the most likely root cause?

A. Jumbo frames are disabled on the switch ports
B. The FCoE VLAN is not trunked to the storage array
C. FIP snooping is not enabled on the FCoE VLAN
D. Priority flow control settings are mismatched between the upstream switch and the storage array
Answer: D

PFC mismatch can cause buffer exhaustion and drops.

Why this answer

The 'no buffer space' drops on FCoE interfaces indicate that the receive buffers are being exhausted, which is a classic symptom of Priority Flow Control (PFC) being misconfigured or mismatched between the upstream switch and the storage array. PFC (IEEE 802.1Qbb) is essential for lossless FCoE transport; if one side sends pause frames that the other does not honor, or if the PFC priorities are not aligned, buffers overflow and frames are dropped. This directly explains the observed counter behavior.

Exam trap

Cisco often tests the distinction between 'no buffer space' drops (caused by PFC/flow control mismatches) and other drop types like 'output drops' or 'CRC errors', leading candidates to incorrectly blame jumbo frames or VLAN issues.

How to eliminate wrong answers

Option A is wrong because jumbo frames (typically 9216 bytes) are required for FCoE to encapsulate large SCSI data payloads, but disabling them would cause frame oversize drops, not 'no buffer space' drops. Option B is wrong because the FCoE VLAN not being trunked would result in no connectivity or VLAN mismatch errors, not buffer exhaustion drops. Option C is wrong because FIP snooping is a security feature that prevents unauthorized FCoE devices from joining the fabric; its absence could allow rogue devices but does not cause buffer drops due to PFC mismatches.

552
Multi-Select · hard

Which three components are part of the ACI Management Information Tree (MIT)? (Choose three.)

Select 3 answers
A. Interface
B. Tenant
C. Application Profile
D. VLAN
E. EPG
Answers: B, C, E

Tenant is a top-level object in MIT.

Why this answer

MIT includes objects like tenants, application profiles, EPGs, and bridge domains.

553
MCQ · medium

For consistent multi-data-center automation, which tool is best suited to orchestrate both NX-OS and ACI across sites?

A. Cisco NSO
B. Puppet
C. Ansible
D. Chef
Answer: A

NSO is built for service orchestration across multiple domains including NX-OS and ACI.

Why this answer

Cisco NSO (Network Services Orchestrator) is the correct tool because it provides multi-domain, multi-vendor orchestration with native support for both NX-OS and ACI through its Network Element Drivers (NEDs). NSO uses a model-driven approach with YANG data models and NETCONF/RESTCONF protocols to manage configuration consistency across distributed data centers, enabling service-level abstraction and closed-loop automation that other tools lack.

Exam trap

Cisco often tests the distinction between configuration management tools (Puppet, Chef, Ansible) and true orchestration platforms (NSO), trapping candidates who assume any automation tool can handle multi-site consistency without understanding NSO's model-driven, stateful orchestration and NED architecture.

How to eliminate wrong answers

Option B (Puppet) is wrong because it is a configuration management tool that relies on a master-agent model with its own DSL, lacking native support for ACI's APIC REST API or NX-OS's NX-API without extensive custom modules, and it does not provide multi-site orchestration capabilities. Option C (Ansible) is wrong because while it can automate NX-OS and ACI via modules, it is a task-based automation tool without a centralized state database or service orchestration layer, making it unsuitable for consistent multi-data-center orchestration across sites. Option D (Chef) is wrong because it is a configuration management tool using Ruby-based recipes and cookbooks, which requires significant custom development to interface with ACI's REST API and NX-OS, and it lacks the built-in multi-site service orchestration and network abstraction that NSO provides.

554
MCQ · hard

An engineer is configuring FCoE on a Cisco Nexus 5000 switch. The switch connects to a Fibre Channel storage array. The FCoE Initialization Protocol (FIP) snooping must be enabled. What is the effect of enabling FIP snooping?

A. It enables the switch to terminate FCoE VLANs.
B. It provides FC-BB_6 compliant FCoE traffic forwarding.
C. It enables the switch to act as an FCoE forwarder.
D. It constructs a database of ENode MAC addresses and FC-MAPs.
E. It allows the switch to enforce zone-based policy for FCoE traffic.
Answer: D

FIP snooping monitors FIP frames to build a database of authorized devices.

Why this answer

FIP snooping on a Cisco Nexus 5000 switch constructs a database of ENode MAC addresses and FC-MAPs by inspecting FIP discovery, advertisement, and login frames. This database is used to enforce FCoE traffic only between authorized ENodes and FCFs, preventing rogue devices from injecting FCoE traffic. It does not terminate FCoE VLANs, act as an FCoE forwarder, or enforce zone-based policies directly.

Exam trap

Cisco often tests the distinction between FIP snooping (a security feature that builds a database of MAC-to-FC-MAP bindings) and FCoE forwarding (which requires an FCF), leading candidates to mistakenly think snooping enables forwarding or termination.

How to eliminate wrong answers

Option A is wrong because FIP snooping does not terminate FCoE VLANs; VLAN termination is a function of an FCoE forwarder (FCF) or a bridge, not a snooping feature. Option B is wrong because FC-BB_6 compliance is a standard for FCoE operation, but FIP snooping itself does not provide compliant forwarding; it only monitors and filters FIP frames to secure the fabric. Option C is wrong because FIP snooping does not enable the switch to act as an FCoE forwarder; an FCoE forwarder is a separate entity that performs encapsulation and forwarding, while snooping is a passive security mechanism.

Option E is wrong because zone-based policy enforcement for FCoE traffic is handled by the Fibre Channel zoning configuration on the FCF or SAN fabric, not by FIP snooping on the switch.

555
MCQmedium

Which command is used on a Cisco Nexus switch to display the VXLAN network identifier (VNI) associated with a specific VLAN?

A.show vxlan vni
B.show vlan id 100
C.show interface nve 1
D.show running-config vxlan
AnswerA

This command lists VNIs and their associated VLANs.

Why this answer

'show vlan' displays VLAN information but not VNI. 'show vxlan vni' shows VNI details and mapping to VLANs.

556
MCQhard

An administrator needs to replace a faulty blade server in a UCS chassis. The blade is associated with a service profile that has a persistent WWPN pool. What is the correct procedure to maintain stateless computing?

A.Remove the faulty blade, insert the new blade, and auto-associate the service profile
B.Replace the blade and delete the old service profile to create a new one
C.Replace the blade and update the WWPN pool to match the new hardware
D.Replace the blade and manually reconfigure the service profile with new WWPNs
AnswerA

The service profile will be automatically associated if the blade is discovered, or the administrator can manually associate it. The WWPNs remain the same.

Why this answer

UCS stateless computing allows a blade replacement without reconfiguration by simply disassociating the service profile from the faulty blade, removing the blade, inserting the new blade, and re-associating the same service profile. The WWPNs from the pool are retained.

557
Multi-Selectmedium

Which three components are required for a basic Cisco UCS B-Series deployment? (Choose three.)

Select 3 answers
A.UCS C-Series Rack Server
B.Blade Servers (B-Series)
C.Fabric Interconnects
D.HyperFlex Cluster
E.UCS 5108 Blade Chassis
AnswersB, C, E

Correct. Blades provide compute.

Why this answer

A basic UCS B-Series deployment includes Fabric Interconnects for network connectivity, a UCS 5108 chassis to house blades, and blade servers. UCS Manager is software that typically runs on the FIs.

558
Multi-Selectmedium

Which TWO security features are used to prevent MAC address flooding attacks on a Cisco Nexus switch? (Choose two.)

Select 2 answers
A.Port Security
B.IP Source Guard
C.Control Plane Policing
D.DHCP Snooping
E.BPDU Guard
AnswersA, D

Port Security limits the number of MAC addresses per port.

Why this answer

Port Security (A) is correct because it limits the number of MAC addresses allowed on a switch port, preventing MAC flooding attacks by dropping frames from unknown source MACs once the limit is exceeded. DHCP Snooping (D) is correct because it builds a trusted database of IP-to-MAC bindings from DHCP messages, which can be used to validate traffic and prevent MAC spoofing that often accompanies flooding attacks.

Exam trap

Cisco often tests the distinction between features that directly prevent MAC flooding (Port Security, DHCP Snooping) versus features that mitigate related spoofing attacks (IP Source Guard, Dynamic ARP Inspection), leading candidates to mistakenly select IP Source Guard.

559
Multi-Selecteasy

Which three features are used on Nexus switches to mitigate Layer 2 attacks? (Choose three.)

Select 3 answers
A.DHCP Snooping
B.RBAC
C.IP Source Guard
D.Dynamic ARP Inspection
E.CoPP
AnswersA, C, D

Prevents rogue DHCP servers.

Why this answer

DHCP snooping, DAI, and IP Source Guard work together to prevent various Layer 2 attacks.

560
MCQmedium

An engineer notices that after a reboot of one UCS fabric interconnect (FI-A), the server traffic fails over to FI-B but never fails back to FI-A even after FI-A is fully operational. Which configuration change would ensure automatic failback?

A.Change the 'Backup Link' policy to 'Active/Active'
B.Change the 'Backup Link' policy to 'Primary/Secondary'
C.Change the 'Backup Link' policy to 'Active/Standby'
D.Change the 'Backup Link' policy to 'Failover Only'
AnswerA

Active/Active mode allows automatic failback

Why this answer

The 'Backup Link' policy in UCS determines how uplink ports behave during failover and failback. Setting it to 'Active/Active' allows both FIs to actively forward traffic, and when the failed FI recovers, the server traffic automatically fails back because the policy does not designate a permanent primary or standby role. This ensures symmetric traffic flow without manual intervention.

Exam trap

Cisco often tests the misconception that 'Active/Standby' is a valid Backup Link policy, when in fact the only two options are 'Active/Active' and 'Primary/Secondary', and candidates confuse the failover behavior of the server vNIC policy with the uplink Backup Link policy.

How to eliminate wrong answers

Option B is wrong because 'Primary/Secondary' designates one FI as primary and the other as secondary, which prevents automatic failback after the primary recovers; traffic remains on the secondary until manual action is taken. Option C is wrong because 'Active/Standby' is not a valid UCS Backup Link policy; the correct term is 'Active/Active' or 'Primary/Secondary', and 'Active/Standby' would imply a standby role that blocks automatic failback. Option D is wrong because 'Failover Only' is not a valid UCS Backup Link policy; the actual options are 'Active/Active' and 'Primary/Secondary', and a 'Failover Only' concept would not allow failback at all.

561
MCQeasy

A network engineer is configuring DHCP snooping on a Cisco Nexus 9000 switch to prevent rogue DHCP server attacks. The switch connects to the legitimate DHCP server on Ethernet 1/1. Clients are connected to ports Ethernet 1/2 through 1/24. The engineer enables DHCP snooping globally and on VLAN 10, but clients are unable to obtain IP addresses from the DHCP server. Other connectivity between clients and the server works (e.g., static IPs). What is the most likely cause and solution?

A.Disable DHCP snooping as it is not needed in this topology.
B.Configure a static DHCP binding for each client on the switch.
C.Ethernet 1/1 is untrusted by default. Configure it as trusted with 'ip dhcp snooping trust' and verify DHCP snooping is enabled on VLAN 10.
D.Add 'ip dhcp snooping information option' on Ethernet 1/1 to allow DHCP option 82.
AnswerC

Correct. DHCP snooping requires the port towards the trusted server to be set as trusted to allow server messages.

Why this answer

By default, all interfaces on a Cisco Nexus 9000 switch are untrusted for DHCP snooping. The legitimate DHCP server is connected to Ethernet 1/1, which must be explicitly configured as trusted using the 'ip dhcp snooping trust' interface command. Without this, the switch discards DHCP server messages (OFFER, ACK) received on that port, preventing clients from obtaining IP addresses even though DHCP snooping is enabled globally and on VLAN 10.

Exam trap

Cisco often tests the default untrusted state of all interfaces in DHCP snooping, leading candidates to assume that enabling snooping globally and on a VLAN is sufficient without configuring trust on the server-facing port.

How to eliminate wrong answers

Option A is wrong because DHCP snooping is a necessary security feature to block rogue DHCP servers; disabling it would leave the network vulnerable and does not address the misconfiguration. Option B is wrong because static DHCP bindings are used for IP Source Guard or to map client MAC addresses to IP addresses, not to allow DHCP server messages through an untrusted port. Option D is wrong because the 'ip dhcp snooping information option' (DHCP option 82) is used to insert relay agent information and is not required for basic DHCP snooping trust; it is typically used in DHCP relay scenarios, not for directly connected servers.

562
MCQmedium

A company is deploying a new storage network using Cisco MDS 9700 switches. They have multiple host servers and storage arrays. The security policy requires that each host can only access its own LUNs. The solution must be efficient and not require reconfiguration when new hosts are added. Which approach best meets these requirements?

A.Traditional zone-based zoning with pWWNs
B.VSAN zoning
C.FSPF metric tuning
D.Smart Zoning
AnswerD

Smart Zoning reduces zone objects and simplifies management by automatically handling LUN masking.

Why this answer

Smart Zoning reduces the number of zone objects and simplifies management by automatically handling LUN masking based on initiator-target pairs. Traditional zoning would require manual zone creation for each new host. VSAN zoning is not a real concept, and FSPF is a routing protocol.

563
Multi-Selectmedium

A data center team is implementing configuration automation for a fleet of Nexus 9000 switches. They need a solution that supports idempotent configuration, works well with version control, and does not require an agent on the switches. Which two tools should they consider?

Select 2 answers
A.Puppet
B.Chef
C.Ansible
D.Python with Paramiko
E.Cisco NSO
AnswersC, E

Ansible is agentless, uses SSH/NX-API, and its playbooks are idempotent and version-controllable.

Why this answer

Ansible and Cisco NSO are both agentless and support idempotent configurations with version control. Puppet and Chef require agents, and Python with Paramiko does not inherently support idempotency.

564
MCQeasy

Which protocol is used to carry VXLAN encapsulation and facilitates the exchange of MAC reachability information between VTEPs in a VXLAN EVPN fabric?

A.eBGP
B.OSPF
C.MP-BGP
D.PIM
AnswerC

MP-BGP with EVPN address family carries MAC/VNI routes between VTEPs.

Why this answer

MP-BGP (Multiprotocol BGP) is used to advertise MAC/VTEP mappings in VXLAN EVPN architectures, enabling control-plane learning instead of data-plane flooding.

565
MCQhard

An iSCSI SAN is experiencing performance issues. The storage array and initiators are connected via a dedicated VLAN. The network team notices high jitter. What is the most effective mitigation?

A.Use multiple iSCSI sessions per initiator
B.Configure link aggregation between switches
C.Enable jumbo frames on all switches
D.Implement QoS to give iSCSI traffic higher priority
AnswerD

Correct: QoS reduces jitter by prioritizing iSCSI traffic.

Why this answer

Option D is correct because iSCSI depends on TCP; jitter causes retransmissions. QoS can prioritize iSCSI traffic to reduce jitter. Option A is incorrect because multipathing is for redundancy, not jitter. Option B is incorrect because LAGs improve bandwidth, not jitter. Option C is incorrect because jumbo frames help throughput, not jitter.

566
MCQhard

An engineer receives an error 'XML namespace mismatch' when using NETCONF to configure a Nexus switch. The YANG model used is from the Cisco NX-OS openconfig model. What is the most likely cause?

A.The namespace in the XML payload does not match the YANG model
B.The switch is running in VM mode
C.The YANG model is not supported on this switch version
D.The NETCONF session is not authenticated
AnswerA

Directly causes the namespace mismatch error.

Why this answer

The 'XML namespace mismatch' error occurs when the namespace URI declared in the XML payload does not match the namespace defined in the YANG module. NETCONF uses the namespace to identify the correct YANG model for parsing the configuration data. If the namespace in the XML does not exactly match the one in the Cisco NX-OS openconfig YANG model, the switch rejects the operation with this specific error.

Exam trap

Cisco often tests the distinction between namespace mismatch errors and other NETCONF failures (like unsupported model or authentication), so candidates mistakenly choose 'unsupported model' when the error message explicitly points to a namespace issue.

How to eliminate wrong answers

Option B is wrong because VM mode (virtual machine mode) does not affect XML namespace validation; it is a licensing or operational mode that does not change NETCONF protocol behavior. Option C is wrong because if the YANG model were unsupported, the error would typically be 'data model not supported' or 'capability not advertised', not a namespace mismatch. Option D is wrong because an unauthenticated NETCONF session would fail at the session establishment phase (e.g., 'authentication failed' or 'session rejected'), not during payload processing with a namespace-specific error.

567
Multi-Selecteasy

Which two statements about the NX-API REST interface on Nexus switches are true? (Choose two.)

Select 2 answers
A.It supports JSON and XML encoding.
B.It uses YANG models exclusively.
C.It only supports read-only operations.
D.It requires enabling 'feature nxapi' on the switch.
E.It uses SSH for transport.
AnswersA, D

Both formats are supported.

Why this answer

NX-API REST supports JSON and XML and uses HTTPS for secure communication.

568
MCQmedium

A UCS administrator is creating a boot policy for a service profile that will be used for B-series blades. The requirement is to boot from a LUN on a SAN-attached storage array. Which boot order should be configured in the service profile boot policy?

A.Local disk and SAN with equal priority
B.PXE first, then SAN
C.Local disk first, then SAN
D.SAN only with vHBA
AnswerD

Correct. Boot from SAN requires the vHBA as the primary (and only) boot device in the policy.

Why this answer

Boot from SAN uses a vHBA to connect to a storage LUN. The boot policy should list the SAN target first.

569
MCQhard

An organization deploys compute resources using both UCS B-Series blades and C-Series rack servers. The network uses Cisco ACI. Which approach ensures consistent connectivity policies across both compute types?

A.Use a single EPG with appropriate encapsulation for both
B.Create separate EPGs for blade and rack servers
C.It is not possible to have consistent policies between blade and rack
D.Use a physical domain for blades and a VMM domain for rack servers
AnswerA

Single EPG ensures consistent policy application

Why this answer

Option A is correct because Cisco ACI allows a single Endpoint Group (EPG) to span both UCS B-Series blades and C-Series rack servers by using the appropriate encapsulation (e.g., VLAN or VXLAN) and associating the EPG with both a physical domain (for blades connected via Fabric Interconnects) and a VMM domain (for rack servers managed by VMware vCenter). This ensures consistent connectivity policies, such as contracts and QoS, are applied uniformly across all compute types without requiring separate EPGs.

Exam trap

Cisco often tests the misconception that different compute types (blade vs. rack) require separate EPGs, when in fact a single EPG can span multiple domains to enforce consistent policies, and the trap here is assuming that physical and VMM domains are mutually exclusive rather than complementary.

How to eliminate wrong answers

Option B is wrong because creating separate EPGs for blade and rack servers would fragment policy enforcement, requiring duplicate contracts and filters, which contradicts the goal of consistent connectivity policies. Option C is wrong because it is entirely possible to have consistent policies between blade and rack servers using a single EPG with appropriate domain associations, as supported by Cisco ACI's unified policy model. Option D is wrong because using a physical domain for blades and a VMM domain for rack servers is a valid approach to associate the EPG with both compute types, but the statement incorrectly implies they must be used separately; in fact, both domains can be attached to the same EPG to achieve consistency.

570
MCQeasy

A storage administrator connects a host to an MDS switch via Fibre Channel. The host has an HBA with WWPN 21:00:00:1b:32:12:34:56. Which port type does the MDS switch automatically configure on the interface connecting to the host?

A.F-port
B.Trunk port
C.NP-port
D.E-port
AnswerA

F-port connects to an N-port (host or target) and provides fabric services.

Why this answer

When a host (N-port) connects to a switch, the switch operates as an F-port (fabric port) to provide fabric services. Cisco MDS switches auto-detect and configure the port as F-port unless specifically set otherwise.

571
MCQeasy

Which best practice should be followed when creating a UCS service profile template for stateless computing?

A.Assign MAC and WWN addresses from pools
B.Use local storage on each server for boot images
C.Configure Windows Server NIC teaming for all vNICs
D.Define MAC addresses directly in the service profile
AnswerA

Pools enable auto-assignment and stateless operation

Why this answer

Stateless computing in UCS requires that all server identity information, such as MAC addresses and WWNs, be abstracted away from the hardware and assigned dynamically from pools. This allows the service profile to be applied to any compatible blade or rack server without manual reconfiguration, enabling rapid provisioning and seamless hardware replacement. Defining these addresses directly in the profile or using static assignments would break the stateless model by tying the profile to specific hardware.

Exam trap

Cisco often tests the misconception that stateless computing means you can hardcode identities like MAC addresses for consistency, when in fact the opposite is true—pools are essential to maintain the stateless abstraction.

How to eliminate wrong answers

Option B is wrong because stateless computing relies on centralized boot from SAN or network storage, not local storage, to ensure that server identity and data are independent of the physical hardware; using local storage would reintroduce statefulness. Option C is wrong because Windows Server NIC teaming is a guest OS-level configuration that should be handled separately from the UCS service profile, which manages vNIC failover via fabric failover or pinning at the infrastructure layer. Option D is wrong because defining MAC addresses directly in the service profile defeats the purpose of stateless computing by creating a hard dependency on specific addresses, preventing the profile from being reused across different servers without conflict.

572
MCQmedium

In a Cisco ACI fabric, a new EPG is created and associated with a bridge domain that has 'Unicast Routing' enabled. However, endpoints in that EPG cannot communicate with endpoints in other EPGs in the same VRF. What is missing?

A.The EPG must be attached to a Layer 3 outside
B.The bridge domain must have 'L3 Unknown Multicast Flooding' set
C.A contract between the EPGs
D.A route leak between bridge domains
AnswerC

Inter-EPG communication requires a contract; without it, packets are dropped.

Why this answer

In Cisco ACI, communication between EPGs within the same VRF is not allowed by default; it requires a contract. A contract defines the policies (allow/deny) and filters for traffic between EPGs. Without a contract, all traffic is dropped, even if the bridge domain has unicast routing enabled.

Option C is correct because the missing element is the contract that explicitly permits inter-EPG communication.

Exam trap

Cisco often tests the misconception that enabling unicast routing on a bridge domain is sufficient for inter-EPG communication, when in fact contracts are mandatory in ACI to allow any traffic between EPGs.

How to eliminate wrong answers

Option A is wrong because attaching a Layer 3 outside is used for external connectivity (e.g., to a router or WAN), not for enabling communication between EPGs within the same VRF. Option B is wrong because 'L3 Unknown Multicast Flooding' controls how unknown multicast traffic is handled (flood or forward to a multicast router), not unicast routing between EPGs. Option D is wrong because route leaking between bridge domains is not a native ACI concept; inter-EPG routing within the same VRF is handled by the ACI fabric automatically via the contract policy, not by explicit route leaks.

573
MCQmedium

Refer to the exhibit. The server in slot 2 is associated and working. A new server is inserted into slot 1, but after 30 minutes it remains in 'Unassigned' state. What is the most likely reason?

A.The service profile is already associated with another server.
B.The server is not powered on.
C.The server's CIMC firmware is not compatible with the Fabric Interconnect firmware.
D.The Fabric Interconnect ports are not configured as server ports.
AnswerC

Incompatibility can cause discovery to fail, leaving the slot unassigned.

Why this answer

The server in slot 1 remains in 'Unassigned' state because its CIMC firmware is incompatible with the Fabric Interconnect firmware. In Cisco UCS, the CIMC on each blade must match a supported firmware version for the Fabric Interconnect to discover and manage the server. When firmware versions are mismatched, the server cannot transition to the 'Associated' state and stays 'Unassigned'.

Exam trap

Cisco often tests the distinction between 'Unassigned' (server not discovered/manageable) and 'Unassociated' (server discovered but not bound to a service profile), leading candidates to incorrectly attribute the issue to service profile association or power state.

How to eliminate wrong answers

Option A is wrong because if the service profile were already associated with another server, the new server would show as 'Unassociated' (available for association) or would fail association, not remain 'Unassigned' — the 'Unassigned' state indicates the server is not yet discovered or manageable. Option B is wrong because a server not powered on would still be discovered by the Fabric Interconnect and appear in a 'Discovered' or 'Unassociated' state; power state does not prevent the server from being assigned a service profile. Option D is wrong because Fabric Interconnect ports configured as server ports are required for server connectivity, but if they were misconfigured, the existing server in slot 2 would also be affected and not working — the exhibit shows slot 2 is associated and working, so port configuration is correct.

574
MCQmedium

In ACI automation, the APIC REST API interacts with the Management Information Tree (MIT). Which of the following represents a typical hierarchical object path in the MIT?

A./api/node/class/topSystem.json
B./api/mo/sys/intf.json
C./api/mo/uni/fabric/protpol.json
D./api/mo/uni/tn-{tenant}/ap-{app}/epg-{epg}.json
AnswerD

Correct: This represents the MIT path for an EPG under an application profile under a tenant.

Why this answer

The MIT follows a hierarchy: Tenant > Application Profile (AP) > Endpoint Group (EPG).

575
MCQmedium

A UCS service profile includes a vHBA that is bound to a WWPN. The blade server fails and is replaced with a new blade of the same model. What happens to the WWPN configuration after the replacement?

A.The WWPN must be re-imported from the SAN fabric
B.The WWPN is automatically applied from the service profile to the new blade
C.The WWPN is generated by the CIMC of the new blade
D.The WWPN is lost and must be reconfigured manually on the new blade
AnswerB

Correct. The service profile abstracts the WWPN, so the new blade inherits it.

Why this answer

Stateless computing ensures that the WWPN is inherited from the service profile, so the replacement blade uses the same WWPN.

576
MCQmedium

What is the purpose of FIP (FCoE Initialization Protocol) in an FCoE network?

A.To discover FCoE-capable devices and establish virtual links
B.To provide flow control for FCoE traffic
C.To negotiate DCB parameters
D.To encapsulate FC frames into Ethernet frames
AnswerA

FIP handles discovery and initialization.

Why this answer

FIP is used to discover and initialize FCoE devices and establish virtual links before FCoE data frames can be sent.

577
Multi-Selectmedium

Which THREE are correct about using Ansible with Cisco NX-OS? (Choose three.)

Select 3 answers
A.Ansible requires an agent installed on the Nexus switch.
B.The cisco.nxos collection includes the nxos_vlan module.
C.Playbooks are written in YAML format.
D.Ansible uses a proprietary protocol to communicate with Nexus switches.
E.The nxos_config module is used to manage configuration on NX-OS.
AnswersB, C, E

Correct. nxos_vlan is part of cisco.nxos.

Why this answer

The cisco.nxos collection includes modules like nxos_vlan, nxos_interface, nxos_bgp, and nxos_config. Playbooks are written in YAML. Ansible uses SSH (or NX-API) to connect, not a dedicated agent. 'nxos_facts' is a module for gathering facts.

578
MCQeasy

Refer to the exhibit. What is the current state of the vPC domain?

A.vPC domain not configured
B.Peer-link down
C.Consistency check failed
D.Operational
AnswerD

All fields indicate normal operation.

Why this answer

The exhibit shows the output of 'show vpc' with the vPC domain ID set to 100, the peer-keepalive link status as 'Active', and the peer-link status as 'up'. The vPC role is 'primary' and the operational status is listed as 'operational', which indicates that the vPC domain is fully functional and all consistency checks have passed. Therefore, the current state is operational.

Exam trap

Cisco often tests the distinction between the peer-link being 'up' and the vPC domain being 'operational', where candidates may incorrectly assume a peer-link failure when the domain is actually operational, or confuse a consistency check failure with a peer-link issue.

How to eliminate wrong answers

Option A is wrong because the output clearly shows a vPC domain ID of 100, peer-keepalive link status as 'Active', and peer-link status as 'up', indicating the domain is configured. Option B is wrong because the peer-link status is explicitly shown as 'up' in the output, not down. Option C is wrong because the operational status is 'operational' and there is no indication of a consistency check failure; a failed consistency check would show a 'failed' or 'suspended' status for the vPC.

579
MCQhard

Refer to the exhibit. The configuration is intended to provide Layer 2 isolation within VLAN 100 while allowing the promiscuous port (Ethernet 1/1) to communicate with all ports in the community VLAN. However, hosts in VLAN 100 cannot communicate with each other. What is the most likely misconfiguration?

A.The SVI interface needs 'ip address' to be removed.
B.The SVI interface should have 'private-vlan mapping' to the primary VLAN, not the community VLAN.
C.The 'switchport private-vlan association trunk' command on Ethernet 1/1 is incorrect; it should be 'switchport private-vlan association mapping' or similar.
D.The command 'no ip redirects' should not be applied to the SVI.
AnswerC

The association command syntax is likely wrong; it should map the secondary VLAN to the promiscuous port.

Why this answer

The command 'switchport private-vlan association trunk' is invalid for configuring a promiscuous port in a private VLAN. The correct command is 'switchport private-vlan mapping primary-vlan-id secondary-vlan-id' to map the promiscuous port to the primary VLAN and the secondary community VLAN. Without this correct mapping, the promiscuous port cannot forward traffic to hosts in the community VLAN, causing Layer 2 isolation to fail.

Exam trap

Cisco often tests the distinction between 'private-vlan association' (used on trunk ports) and 'private-vlan mapping' (used on promiscuous or host ports), leading candidates to confuse the two commands and misapply them.

How to eliminate wrong answers

Option A is wrong because removing the IP address from the SVI would break Layer 3 routing for VLAN 100, which is not required for Layer 2 isolation; the SVI IP is needed for management or routing, and its presence does not affect private VLAN behavior. Option B is wrong because the 'private-vlan mapping' on the SVI should map the primary VLAN to the secondary community VLAN (e.g., 'private-vlan mapping 100 200'), not the community VLAN to the primary; the given syntax is correct in intent, but the issue is on the promiscuous port, not the SVI. Option D is wrong because 'no ip redirects' is a security feature that disables ICMP redirects and does not impact private VLAN isolation or host-to-host communication within a community VLAN.

580
Multi-Selectmedium

An administrator is configuring a UCS service profile for a blade that will run a database workload. The requirements: high network throughput and redundancy. Which TWO vNIC features should be enabled in the service profile?

Select 2 answers
A.Enable VLAN trunking on the vNIC.
B.Increase the number of receive queues.
C.Enable vNIC teaming (active-backup or LACP).
D.Enable fabric failover on the vNIC.
E.Enable jumbo frames (MTU 9000) on the vNIC.
AnswersC, E

Teaming provides link redundancy and load balancing.

Why this answer

vNIC teaming (e.g., active-backup or LACP) provides redundancy, and MTU jumbo frames increase throughput by reducing overhead.

581
Matchingmedium

Match each Cisco ACI component to its role.

Central controller for policy management

Leaf-to-leaf connectivity and fabric backplane

Top-of-rack switch connecting servers to fabric

Endpoint group for policy application

Bridge domain for Layer 2 forwarding context

Why these pairings

ACI architecture is built on these components for policy-driven automation.

582
MCQhard

In an FCoE environment, which protocol is responsible for discovering and initializing FCoE-capable endpoints, including the exchange of MAC addresses and establishing virtual links?

A.ARP
B.DCBX
C.FCoE
D.FIP
AnswerD

FIP handles discovery and initialization for FCoE.

Why this answer

The FCoE Initialization Protocol (FIP) is used to discover FCoE devices and establish virtual links before FCoE data frames are sent.

583
MCQmedium

Which feature on a Nexus switch uses DHCP snooping binding information to filter IP traffic on a per-port basis?

A.Port Security
B.IP Source Guard
C.Dynamic ARP Inspection
D.CoPP
AnswerB

IP Source Guard filters IP traffic based on DHCP snooping bindings.

Why this answer

IP Source Guard uses DHCP snooping bindings to filter IP traffic, allowing only traffic from valid IP-MAC pairs.

584
Drag & Dropmedium

Arrange the steps to create a service profile template in Cisco UCS Manager.

Why this order

Service profile template requires UUID pool, vNIC template, profile creation, server pool association, and assignment.

585
MCQhard

During a UCS service profile configuration, an engineer needs to specify that the server should boot from a SAN LUN. Which boot policy type should be configured?

A.SAN boot policy
B.Local disk boot policy
C.PXE boot policy
D.Virtual media boot policy
AnswerA

SAN boot policy enables booting from a Fibre Channel or FCoE LUN.

Why this answer

A SAN boot policy specifies the WWPN of the target and LUN ID to boot from a SAN LUN.

586
MCQeasy

In a Cisco NX-OS environment, which command is used to verify the operational state of a virtual Port Channel (vPC) peer link?

A.show vpc brief
B.show port-channel summary
C.show running-config vpc
D.show vpc consistency-parameters
AnswerA

Displays vPC peer status, peer-link status, and consistency.

Why this answer

The 'show vpc brief' command displays vPC peer status, peer-link status, and consistency parameters. The other options are incorrect: 'show port-channel summary' shows port-channel information but not vPC specifics, 'show vpc consistency-parameters' shows consistency checks, and 'show running-config vpc' shows configuration.

587
Multi-Selectmedium

Which THREE are benefits of using Cisco UCS Manager to manage compute resources? (Choose three.)

Select 3 answers
A.Centralized management of multiple chassis
B.Direct management of virtual machines
C.Policy-based provisioning to automate server deployment
D.Improved performance by disabling hardware features
E.Unified fabric for LAN and SAN traffic
AnswersA, C, E

UCS Manager manages up to 160 chassis.

Why this answer

Option A is correct because Cisco UCS Manager provides a single-pane-of-glass management interface that can centrally manage up to 160 chassis (including UCS 5108 and UCS 9508) in a single domain. This eliminates the need to configure each chassis individually, reducing operational overhead and ensuring consistent configuration across the entire compute infrastructure.

Exam trap

Cisco often tests the distinction between what UCS Manager directly manages (physical compute and fabric) versus what it integrates with (hypervisors for VMs), so candidates mistakenly think UCS Manager can manage VMs because of its integration with VMware vCenter.

588
MCQmedium

An engineer is configuring OSPF on a Cisco Nexus switch in a data center. The network consists of multiple point-to-point links. To improve convergence, the engineer wants to reduce the dead interval to 10 seconds. Which command sets the dead interval correctly?

A.ip ospf dead-interval 30
B.ip ospf hello-interval 10
C.ip ospf dead-interval 10
D.ip ospf dead-interval 40
AnswerC

Sets dead interval to 10 seconds.

Why this answer

The 'ip ospf dead-interval' command sets the dead interval in seconds.

589
MCQmedium

In a Cisco ACI fabric, which object represents a collection of endpoints that share the same forwarding behavior and security policies?

A.VRF
B.Tenant
C.Endpoint Group (EPG)
D.Bridge Domain (BD)
AnswerC

EPG is a collection of endpoints with shared policies.

Why this answer

An Endpoint Group (EPG) is a logical grouping of endpoints (e.g., VMs, physical servers) that share common policies such as forwarding, QoS, and security. A Bridge Domain (BD) defines a Layer 2 forwarding boundary, a VRF is a Layer 3 domain, and a Tenant is a logical container for policies.

590
MCQeasy

An engineer is configuring iSCSI multipath I/O (MPIO) for a storage array. The initiator has two NICs connected to two different switches, and the target has two iSCSI ports on different subnets. Which condition must be met for MPIO to function correctly?

A.CHAP authentication must be disabled.
B.Each path must be on a separate subnet.
C.Both paths must be on the same subnet.
D.Jumbo frames must be enabled on all interfaces.
AnswerB

Separate subnets ensure distinct paths for MPIO.

Why this answer

MPIO requires that the initiator and target have multiple paths that are not on the same subnet to avoid routing issues. Typically, each path should be on a separate subnet.

591
MCQmedium

An organization is deploying a new leaf-spine fabric with Cisco ACI. The requirement is to allow inter-tenant communication between two EPGs in different tenants. Which configuration object is necessary to enable this communication?

A.A common VRF that spans both tenants.
B.A filter that permits the required traffic.
C.A bridge domain that connects both EPGs.
D.A shared contract between the two EPGs.
AnswerD

Contracts define allowed communication; shared contracts work across tenants.

Why this answer

In Cisco ACI, inter-tenant communication between EPGs in different tenants requires a shared contract. A contract defines the rules (filters) that permit traffic between EPGs, and when it is marked as 'shared,' it can be consumed by EPGs across tenant boundaries. This allows the provider EPG in one tenant to expose services to a consumer EPG in another tenant without merging the tenants' VRFs or bridge domains.

Exam trap

Cisco often tests the misconception that a shared VRF or bridge domain is required for inter-tenant communication, but the correct mechanism is a shared contract that applies policy across tenant boundaries without merging the underlying network constructs.

How to eliminate wrong answers

Option A is wrong because a common VRF spanning both tenants is not a configuration object for inter-tenant communication; VRFs are tenant-scoped and cannot be shared across tenants—each tenant has its own private VRF namespace. Option B is wrong because a filter alone only defines the traffic type (e.g., TCP port 80) but does not provide the policy framework (contract) needed to permit traffic between EPGs; a filter must be part of a contract. Option C is wrong because a bridge domain connects EPGs within the same tenant and VRF, not across tenants; inter-tenant communication requires a contract, not a shared bridge domain.

592
Multi-Selecthard

An organization is deploying a new Fibre Channel SAN with Cisco MDS switches. The design requires high availability and load sharing over multiple ISLs. Which three features should be implemented? (Choose three.)

Select 3 answers
A.NPIV
B.Fibre Channel PortChannels
C.Multiple equal-cost paths via FSPF
D.Hard zoning by WWPN
E.VSAN trunking (EISL)
AnswersB, C, E

PortChannels combine multiple ISLs for increased bandwidth and redundancy.

Why this answer

VSAN trunking (EISL) allows multiple VSANs over a single ISL; PortChannels aggregate multiple physical ISLs into a logical link with load balancing; multiple active equal-cost paths (FSPF) provide load sharing and redundancy.

593
Drag & Dropmedium

Order the steps to upgrade the software on a Cisco Nexus switch using ISSU.

Why this order

ISSU requires image copy, boot variable, compatibility check, upgrade command, and reload.

594
MCQhard

A data center uses HyperFlex HX Data Platform with a 3-node cluster configured with replication factor 2 (RF2). One node fails permanently. What is the impact on data availability and cluster operation?

A.Data is unavailable until the failed node is replaced
B.The witness VM takes over the failed node's storage role
C.The cluster automatically changes to RF3 to maintain protection
D.All data remains accessible but the cluster is degraded and requires a new node to restore RF2
AnswerD

Correct. Data is available, but redundancy is lost until a new node is added.

Why this answer

With RF2, each data block is stored on two nodes. If one node fails, the remaining two nodes have all data, but the cluster becomes degraded. A new node must be added to restore redundancy.

595
Multi-Selectmedium

A network administrator is planning a UCS C-Series rack server deployment. Which two statements correctly describe the integration modes with UCS Manager? (Choose two.)

Select 2 answers
A.In Cisco IMC Supervisor mode, the server is managed by the IMC Supervisor but can also be integrated into UCS Manager.
B.In Cisco IMC Supervisor mode, the server's CIMC is managed directly by UCS Manager.
C.In Direct Connect mode, the server must be connected to a Fabric Interconnect via a supported adapter.
D.In Direct Connect mode, the server is managed directly by UCS Manager via the Fabric Interconnect.
E.Standalone mode allows the server to be managed by UCS Manager without any additional configuration.
AnswersC, D

Direct Connect requires a VIC adapter that connects to the FI.

Why this answer

Direct Connect mode connects servers directly to FI for management; IMC Supervisor mode manages via IMC Supervisor; standalone mode is independent.

596
MCQeasy

An organization has deployed a Cisco UCS B-Series blade server with a Fabric Interconnect pair. The administrator is tasked with deploying a new server for a critical application. The administrator creates a service profile from an existing template that includes vNIC, vHBA, and storage policies. The blade is located in chassis 2, slot 1. The administrator attempts to associate the profile with this blade but fails with the error: 'No suitable compute resource available.' The administrator verifies that the blade's firmware is updated, that the blade is not already associated with another profile, and that it has sufficient memory and CPU. What is the most likely cause?

A.The blade's firmware version is incompatible with the service profile.
B.The blade is in the wrong chassis slot.
C.The server pool policy is not assigned to the service profile template.
D.The vNIC/vHBA policies in the service profile have invalid MAC/WWN assignments.
AnswerC

Without a server pool, UCS Manager cannot determine which blade to use for the association, leading to the 'No suitable compute resource available' error.

Why this answer

The error 'No suitable compute resource available' typically occurs when the service profile is configured to use a server pool, but no server pool policy is assigned to the service profile template. Without a server pool, the Fabric Interconnect cannot identify which blades are eligible for association, even if the blade itself is available and meets hardware requirements. Assigning a server pool policy to the template ensures that blades in the specified pool (e.g., chassis 2, slot 1) are considered as valid compute resources.

Exam trap

Cisco often tests the concept that 'No suitable compute resource available' is not about hardware faults or firmware mismatches but about the absence of a server pool policy in the service profile template, which candidates may overlook because they focus on verifying blade hardware readiness.

How to eliminate wrong answers

Option A is wrong because the administrator already verified that the blade's firmware is updated, and firmware incompatibility would typically generate a different error (e.g., 'Firmware version mismatch') rather than 'No suitable compute resource available.' Option B is wrong because the blade's location (chassis 2, slot 1) is explicitly specified in the service profile association attempt, and the error is not about physical slot constraints but about logical resource selection. Option D is wrong because invalid MAC/WWN assignments would cause a policy validation failure or association error related to network/storage configuration, not a 'no suitable compute resource' error, which is specifically about the blade not being found in the available resource pool.

597
MCQmedium

An engineer is configuring a Cisco MDS switch to connect to a core switch in NPV mode. The edge switch will be connected to the core via an ISL. What port mode should be configured on the edge switch's interface connecting to the core?

A.F-port
B.E-port
C.NP-port
D.auto
AnswerC

NP-port is the correct mode for an edge switch interface connecting to the core fabric in NPV mode.

Why this answer

In NPV mode, the edge switch uses NP-ports to connect to the core switch's F-ports. This allows the edge switch to appear as a host to the core fabric.

598
Multi-Selecteasy

Which two VXLAN control plane options are supported on Cisco Nexus 9000 switches? (Choose two.)

Select 2 answers
A.Multicast
B.OTV
C.Static VXLAN tunnel
D.OpenFlow
E.MP-BGP EVPN
AnswersA, E

Traditional VXLAN uses multicast for BUM traffic and MAC learning.

Why this answer

VXLAN on Cisco Nexus 9000 switches supports both multicast-based control plane (using IGMP/PIM to flood BUM traffic) and MP-BGP EVPN (RFC 7432) as the control plane for distributing MAC/VTEP reachability. Multicast is the traditional method for handling BUM traffic in VXLAN fabrics, while MP-BGP EVPN provides a more scalable, standards-based control plane with host route advertisement and multi-tenancy.

Exam trap

Cisco often tests the distinction between VXLAN control plane options and other overlay technologies (like OTV) or configuration methods (like static tunnels), leading candidates to confuse supported control planes with unrelated features.

599
Multi-Selecthard

Which three checks are part of the vPC type-1 consistency check? (Choose three.)

Select 3 answers
A.Port-channel load-balancing method
B.STP mode
C.VLAN interface state
D.MTU on the peer-link
E.MST region name
AnswersB, C, E

STP mode (e.g., RSTP, MST) must match.

Why this answer

Type-1 consistency parameters are critical and must match on both vPC peers; they include STP mode, MST region, VLAN configuration, and vPC-related parameters like role priority. STP mode, MST region name, and VLAN interface configuration are type-1.

600
Multi-Selecteasy

A storage network engineer is designing a Fibre Channel SAN with two Cisco MDS switches in a single VSAN. The design requires that if one switch fails, the storage traffic continues to flow without manual intervention. Which two technologies should be implemented?

Select 2 answers
A.NPV
B.Port channels
C.VSAN trunking
D.IVR
E.Fibre Channel multipathing
AnswersB, E

Port channels provide link redundancy but not switch-level redundancy.

Why this answer

Fibre Channel multipathing (E) is correct because it enables multiple physical paths between initiators and targets, allowing storage traffic to continue automatically if one switch fails. This is typically implemented using multipathing software (e.g., EMC PowerPath, native OS MPIO) that load-balances and fails over across redundant SAN fabrics without manual intervention.

Exam trap

Cisco often tests the misconception that Port channels (B) provide switch-level redundancy, but they only protect against link failures, not a complete switch failure, which requires multipathing across separate fabrics.
