In Cisco TrustSec, which technology is used to enforce east-west traffic policies based on identity without relying on IP addresses?
SGACLs use SGTs for policy.
Why this answer
SGACLs enforce policies based on SGTs, not IP addresses.
1000 questions total · 14 pages · All types, answers revealed
A DevOps team wants to version control network device configurations. Which tool is best suited for tracking changes and collaborating on configuration files?
Git provides distributed version control.
Why this answer
Git is the industry standard for version control, enabling history, branching, and collaboration.
Refer to the exhibit. The CoPP policy above is applied. Which traffic is most likely to be dropped?
The ICMP class drops packets that exceed the police rate.
Why this answer
Option B is correct because the CoPP policy explicitly defines a class-map for ICMP traffic with a police rate of 1000 bps. Any ICMP traffic exceeding this rate is dropped due to the 'drop' action in the police command. The other classes (OSPF and class-default) have higher rates and are not as constrained, making ICMP the most likely to be dropped when exceeded.
Exam trap
Cisco often tests the misconception that all traffic exceeding its policed rate is equally likely to be dropped, but the trap here is that the lowest policed rate (ICMP at 1000 bps) is the most restrictive and thus the most likely to be exceeded and dropped, not the higher-rate classes.
How to eliminate wrong answers
Option A is wrong because the class-default traffic is policed at 20000 bps, which is a much higher rate than ICMP's 1000 bps, so class-default is less likely to be dropped unless it significantly exceeds its rate; ICMP is the primary concern. Option C is wrong because class-default traffic has a police rate of 20000 bps, which is 20 times higher than ICMP's rate, making it less likely to be dropped under typical traffic loads. Option D is wrong because OSPF traffic is policed at 5000 bps, which is 5 times higher than ICMP's rate, and OSPF control traffic is typically low-volume, so it is not the most likely to be dropped.
A UCS administrator notices that a server in a UCS domain is not booting from SAN after a firmware upgrade. The service profile shows the correct WWPN and boot policy. The SAN switch sees the initiator login. However, the storage array does not see any initiator attempts. What is the most likely issue?
The zone alias mismatch would allow login (since zoning is based on WWPN) but the storage may not see the initiator if zones are misconfigured.
Why this answer
The SAN switch sees the initiator login, but the storage array does not see any initiator attempts. This indicates that the Fibre Channel fabric is blocking the initiator's WWPN from reaching the storage target, typically because the zone configuration on the SAN switch does not include the initiator's WWPN or the zone alias does not match the actual WWPN. Since the service profile and boot policy are correct, and the VSAN membership is functional (the switch sees the login), the most likely issue is a zoning mismatch on the SAN switch.
Exam trap
Cisco often tests the distinction between fabric-level visibility (FLOGI success) and zone-level communication (PLOGI/PRLI failure) to trick candidates into assuming the issue is with the boot policy or VSAN membership rather than zoning.
How to eliminate wrong answers
Option A is wrong because the boot policy is confirmed correct in the question, and a missing primary SAN target would cause the server to fail to find the boot LUN, but the storage array would still see initiator attempts if zoning were correct. Option B is wrong because a duplicate WWPN would cause login conflicts or fabric segmentation, but the SAN switch sees the initiator login successfully, ruling out duplication. Option D is wrong because incorrect VSAN membership would prevent the fabric interconnect from seeing the initiator login at all, but the SAN switch does see the login, indicating VSAN membership is functional.
A network administrator is troubleshooting a vPC pair and needs to verify the operational status of the vPC peer-link. Which NX-OS command displays vPC status including peer-link and member port states?
Shows vPC status, peer-link status, and member ports.
Why this answer
The 'show vpc' command provides comprehensive vPC status information.
In a Cisco ACI fabric, an external L3Out is configured to advertise a subnet to the outside. Which object must be created in the tenant to define the Layer 3 outside network connection?
L3Out is the object that defines the external connection.
Why this answer
An L3Out (Layer 3 Outside) object is defined under the tenant to connect the ACI fabric to external Layer 3 networks.
Match each Cisco MDS FC switch feature to its purpose.
Virtual SAN for isolating Fibre Channel traffic
Access control between initiators and targets
Routing protocol for Fibre Channel fabric
Fibre Channel over IP for remote connectivity
Inter-VSAN routing for selective communication
Why these pairings
These features are key for managing Fibre Channel SANs.
An engineer is troubleshooting a SAN performance issue. The MDS switch shows high CRC errors on an F port. The host is connected via a 16 Gbps FC link. The errors increase when the host sends large I/O. What is the most likely cause?
16 Gbps FC has shorter reach; long cables cause CRC errors, especially under heavy load.
Why this answer
At 16 Gbps Fibre Channel, signal integrity degrades over long cable distances, causing bit errors that manifest as CRC errors on the F port. The error increase with large I/O is characteristic of marginal signal quality, as larger frames are more likely to encounter corrupted bits. Option E correctly identifies that the cable length exceeds the supported distance for 16 Gbps, typically 10 meters for OM3 multimode fiber or 100 meters for OM4, depending on the transceiver type.
Exam trap
Cisco often tests the distinction between physical-layer errors (CRC, running disparity) and higher-layer issues (buffer credits, zoning), so the trap here is that candidates confuse buffer credit starvation (a flow-control problem) with CRC errors (a signal-integrity problem).
How to eliminate wrong answers
Option A is wrong because outdated HBA firmware typically causes link instability or negotiation failures, not CRC errors that scale with I/O size. Option B is wrong because zone configuration errors cause connectivity or login issues, not CRC errors on an established link. Option C is wrong because buffer credit starvation causes performance degradation (e.g., reduced throughput) due to lack of credits, not CRC errors; CRC errors indicate physical-layer issues. Option D is wrong because if the switch port were configured for 8 Gbps, the link would negotiate to 8 Gbps and CRC errors would not increase with large I/O at 16 Gbps; the symptom would be a speed mismatch, not CRC errors.
Which vPC component is used to send Layer 2 control plane traffic between peer switches?
The peer-link is a Layer 2 port-channel that carries control and data traffic between peers.
Why this answer
The vPC peer-link is a Layer 2 link that carries control plane traffic (e.g., BPDUs, HSRP hellos) and data traffic for orphan ports.
Which THREE statements accurately describe FCIP (Fibre Channel over IP) configurations on Cisco MDS switches?
VE_ports terminate FCIP tunnels.
Why this answer
Options B, D, and E are correct. FCIP can operate over Gigabit Ethernet interfaces (B). FCIP can be combined with FC port channels to provide redundancy and load balancing (D). FCIP uses Virtual E_ports (VE_ports) to connect to the FC fabric (E). Option A is wrong: compression reduces bandwidth usage; it does not reduce the link bandwidth itself. Option C is wrong: IPsec is optional, not required.
Two Cisco Nexus 9000 switches are connected via Ethernet interface 1/1. The engineer wishes to secure the link using MACsec (IEEE 802.1AE) with a pre-shared key for connectivity association key (CAK) protection. Both switches have the same hardware and software version supporting MACsec. The engineer configures the following on both switches:

    feature macsec
    macsec policy MACSEC_POLICY
      cipher-suite gcm-aes-128
      security-mode no-encrypt
      mka sak-rekey-time 30
    interface ethernet 1/1
      macsec policy MACSEC_POLICY

However, the link comes up without MACsec encryption (the port counter shows MACsec frames dropped). The engineer checks that the pre-shared key is configured correctly via 'macsec key-chain' but notices it was not explicitly applied. What is the most likely reason for MACsec failing to establish?
Correct. A key chain must be defined and linked to the policy, and the MKA policy must be explicitly applied under the interface.
Why this answer
Option C is correct because MACsec on Cisco Nexus 9000 switches requires a key chain to be defined and explicitly referenced within the MACsec policy. Without the 'key-chain' command under the 'macsec policy', the pre-shared key (CAK) is not available for MKA (MACsec Key Agreement) to derive session keys. Additionally, the MKA policy must be applied to the interface using 'macsec mka policy' to enable the key agreement protocol; simply enabling MACsec on the interface without these steps leaves the link unsecured, causing MACsec frames to be dropped.
Exam trap
Cisco often tests the requirement that a key chain must be explicitly referenced in the MACsec policy and that an MKA policy must be applied to the interface, tricking candidates into thinking that simply enabling MACsec on the interface with a policy is sufficient.
How to eliminate wrong answers
Option A is wrong because the MACsec profile name does not need to match on both switches; only the key chain parameters (e.g., key string) must match for MKA to succeed. Option B is wrong because 'switchport macsec' is not a valid command on Nexus 9000; the interface is placed into MACsec mode by applying the MACsec policy directly with 'macsec policy' under the interface. Option D is wrong because 'feature macsec' is correctly enabled in the configuration, so MACsec is operational at the feature level; the failure is due to missing key chain and MKA policy application, not the feature being disabled.
In a VXLAN EVPN multi-tier design, which feature ensures traffic between leaf switches takes the optimal path without hair-pinning through a spine?
ECMP enables load distribution across multiple spines, avoiding hair-pinning.
Why this answer
C is correct because Equal-Cost Multipath (ECMP) in a VXLAN EVPN multi-tier design allows leaf switches to load-balance traffic across multiple equal-cost spine paths, ensuring that traffic between leaf switches takes the most direct route without being forced to hair-pin through a spine. ECMP leverages the underlying IP fabric's routing to forward VXLAN-encapsulated packets over any available spine, avoiding suboptimal forwarding that would occur if a single spine were used as a relay.
How to eliminate wrong answers
Option A is wrong because Anycast Gateway (e.g., using the same IP and MAC on multiple VTEPs) is designed to provide first-hop redundancy and optimal host-to-gateway forwarding, not to prevent hair-pinning of leaf-to-leaf traffic through a spine. Option B is wrong because Type-2 routes (MAC/IP advertisement routes) are used in EVPN to advertise host reachability and MAC-to-IP bindings, not to influence the path selection between leaf switches. Option D is wrong because ARP suppression is a feature that reduces broadcast traffic by caching ARP replies on the VTEP, but it does not affect the forwarding path or prevent hair-pinning through a spine.
What is the purpose of the Cisco Integrated Management Controller (CIMC) for UCS C-Series rack servers?
Correct. CIMC allows remote management.
Why this answer
CIMC provides out-of-band management for rack servers, including remote KVM, virtual media, and firmware updates, independent of the host OS.
Which THREE are characteristics of Cisco TrustSec? (Select exactly 3)
SGTs are central to TrustSec for classifying and enforcing access policies.
Why this answer
Cisco TrustSec uses Security Group Tags (SGTs) to enforce access control policies based on user, device, or workload identity rather than IP addresses. SGTs are assigned during authentication and carried in Ethernet frames (via Cisco Meta Data or inline tagging) to allow scalable, identity-based policy enforcement throughout the network.
Exam trap
Cisco often tests the misconception that TrustSec requires ISE or MACsec, but the core characteristics are SGT-based policy enforcement, Layer 2 operation, and the CTS auth-proxy mechanism for legacy device support.
A UCS B-series blade server is experiencing boot issues. The service profile is configured to boot from local disk first, then SAN. The blade has local disks but they are not recognized. Which TWO actions should be taken to diagnose the issue?
Improper RAID configuration can cause disks to be unrecognized.
Why this answer
Possible causes: local disk not connected, or RAID configuration missing. Checking physical presence in CIMC and verifying RAID configuration are logical first steps.
An organization has deployed a 4-node HyperFlex cluster with all-flash storage and replication factor 3 (RF3). One node fails. How many nodes are required to remain operational for the cluster to continue serving data without interruption?
Three nodes still hold all three replicas of data.
Why this answer
For RF3, data is replicated three times. With 4 nodes, if one fails, three remain, which still have all data copies. The cluster remains operational.
An engineer is troubleshooting a performance issue on a Cisco MDS 9700 switch. The 'show interface fc1/1' output shows CRC errors incrementing slowly. The interface is connected to a storage array. Which two actions should the engineer take to resolve the issue?
Faulty cables or SFPs are common causes of CRC errors.
Why this answer
CRC errors on a Fibre Channel interface typically indicate physical-layer issues such as faulty cabling, damaged SFPs, or dirty optical connectors. Replacing the fiber optic cable and SFP (Option B) directly addresses the most common root cause of CRC errors. Additionally, enabling BB_credit recovery (Option C) helps mitigate performance degradation caused by buffer credit starvation, which can manifest as CRC-like symptoms in some scenarios.
Exam trap
Cisco often tests the distinction between physical-layer errors (CRC) and flow-control issues (BB_credit), tempting candidates to choose a single answer when both a physical fix and a protocol-level tuning are required.
An engineer notices that a vPC peer link is flapping. Which vPC component must be operational for the vPC to function correctly?
Peer link must be up for vPC to operate.
Why this answer
The vPC peer link is essential for synchronizing states between peers; if it goes down, vPC ports may be suspended.
Refer to the exhibit. What is the most likely cause of neighbor 10.1.1.3 being stuck in EXSTART?
MTU mismatch prevents DBD packets from being sent successfully.
Why this answer
In OSPF, the EXSTART state indicates that neighbors are negotiating the master/slave relationship and exchanging Database Description (DBD) packets. If the MTU of the interface on one side is larger than the MTU on the other, the larger DBD packet will be silently dropped, preventing the neighbor from progressing past EXSTART. This is a classic symptom of an MTU mismatch, as the OSPF adjacency will remain stuck in EXSTART or EXCHANGE.
Exam trap
Cisco often tests the MTU mismatch trap by having candidates confuse it with a network type mismatch, but the key differentiator is that MTU issues cause the adjacency to stall specifically in EXSTART/EXCHANGE, while network type mismatches prevent the adjacency from forming past INIT/2WAY.
How to eliminate wrong answers
Option A is wrong because a duplicate router ID would cause the adjacency to flap or remain in INIT/2WAY, not EXSTART, as OSPF detects the duplicate during the Hello exchange. Option B is wrong because an OSPF network type mismatch (e.g., broadcast vs. point-to-point) typically results in neighbors stuck in INIT or 2WAY, not EXSTART, due to mismatched Hello/dead intervals or DR/BDR election issues. Option D is wrong because a passive interface suppresses OSPF Hellos entirely, preventing any neighbor discovery, so the adjacency would never reach EXSTART.
A data center engineer is configuring a Cisco UCS C-Series server with a hardware RAID controller. The server will host a critical database. The RAID controller supports RAID 0, 1, 5, 6, and 10. Which RAID level should be chosen to provide the best combination of performance and fault tolerance?
RAID 10 combines mirroring and striping, offering both performance and fault tolerance.
Why this answer
RAID 10 (striping of mirrors) provides the best combination of performance and fault tolerance for a critical database workload. It offers high read/write performance through striping and full redundancy via mirroring, allowing up to one disk failure per mirrored pair without data loss. This is ideal for a Cisco UCS C-Series server with a hardware RAID controller where both I/O throughput and availability are paramount.
Exam trap
Cisco often tests the misconception that RAID 5 or RAID 6 offer 'good enough' performance for databases, but the trap is that parity-based RAIDs introduce significant write penalties that degrade transactional throughput, making RAID 10 the correct choice for critical database workloads.
How to eliminate wrong answers
Option B (RAID 6) is wrong because while it offers dual parity and can tolerate two disk failures, its write performance is significantly degraded due to double parity calculations, making it unsuitable for a performance-sensitive database. Option C (RAID 5) is wrong because its single parity provides lower fault tolerance and suffers from a write penalty during parity updates, which can bottleneck database transactions. Option D (RAID 0) is wrong because it offers no fault tolerance; any single disk failure results in complete data loss, which is unacceptable for a critical database.
A UCS administrator needs to ensure that only the fabric interconnect management plane is accessible from the management network. Which feature should be implemented?
Management plane isolation restricts management access to dedicated interfaces.
Why this answer
Management plane isolation ensures that management traffic is separate from data traffic, often using dedicated management interfaces or VRFs.
An engineer is configuring a pair of Nexus 9000 switches as vPC peers. The vPC peer keepalive link is established. Which statement about the vPC peer keepalive is true?
Correct: the peer keepalive is a Layer 3 heartbeat, often carried over mgmt0 or a dedicated interface.
Why this answer
The vPC peer keepalive monitors liveness of the peer switch; it is recommended to use a separate Layer 3 link (out-of-band) to avoid dependency on the peer-link.
A storage administrator is configuring a new Fibre Channel fabric using Cisco MDS switches. The edge switches must connect to the core without participating in the full routing domain to conserve domain IDs. Which Fibre Channel feature should be configured on the edge switches?
NPV mode allows edge switches to proxy login through the core switch, eliminating the need for a domain ID.
Why this answer
N-Port Virtualization (NPV) mode allows an edge switch to connect to a core switch without consuming a Fibre Channel domain ID, scaling the fabric while reducing administrative overhead.
A network administrator wants to prevent IP spoofing attacks on a data center access switch. The switch has IP Source Guard enabled on the client-facing ports. Which condition must be met for IP Source Guard to work properly?
IP Source Guard uses the DHCP snooping binding table on untrusted ports.
Why this answer
IP Source Guard uses a binding table created by DHCP snooping to validate the source IP address of packets received on a port. For IP Source Guard to work, DHCP snooping must be enabled on the VLAN, and the client-facing port must be configured as an untrusted port so that DHCP snooping can populate the binding table with valid DHCP lease information. Without this binding table, IP Source Guard has no source IP-to-MAC mapping to enforce.
Exam trap
Cisco often tests the dependency between IP Source Guard and DHCP snooping, specifically that DHCP snooping must be enabled on the VLAN and the port must be untrusted, leading candidates to incorrectly assume DHCP snooping must be disabled or that static IPs are unsupported.
How to eliminate wrong answers
Option A is wrong because DHCP snooping must be enabled on the VLAN to build the IP-to-MAC binding table that IP Source Guard relies on; disabling DHCP snooping would leave the binding table empty, causing IP Source Guard to drop all traffic. Option C is wrong because IP Source Guard supports static IP assignments if a static binding is manually configured using the 'ip source binding' command; it does not require all clients to use DHCP. Option D is wrong because Dynamic ARP Inspection (DAI) is a separate security feature that also depends on DHCP snooping, but IP Source Guard does not require DAI to be enabled first; both features can operate independently as long as DHCP snooping is active.
A network engineer is configuring VLAN ACLs on a Cisco Nexus 9000 switch to enforce traffic filtering between VLANs. Which configuration step is required to apply a VACL to a VLAN?
'vlan filter' applies the VACL to a specific VLAN.
Why this answer
Option D is correct because VACLs on Cisco Nexus 9000 switches are applied using the 'vlan filter' command in global configuration mode, which references a VLAN access-map. This command binds the access-map to a specific VLAN, enabling Layer 2 traffic filtering between VLANs without requiring a Layer 3 interface.
Exam trap
Cisco often tests the distinction between applying an ACL to an interface versus applying a VACL to a VLAN, and the trap here is that candidates mistakenly think a VLAN access-map is applied directly under the VLAN configuration (like 'vlan 10' mode) rather than using the global 'vlan filter' command.
How to eliminate wrong answers
Option A is wrong because 'ip access-group' applies an IP ACL to a Layer 3 interface (SVI or routed port), not a VACL, and VACLs are not applied to Layer 3 interfaces. Option B is wrong because 'mac access-group' applies a MAC ACL to a physical port for Layer 2 traffic filtering on that port, not to a VLAN for inter-VLAN filtering. Option C is wrong because while defining a VLAN access-map is a necessary step, it must be applied using the 'vlan filter' command in global configuration mode, not under the VLAN configuration (the 'vlan' config mode does not support applying access-maps directly).
An engineer is configuring a VXLAN EVPN fabric. Which address family must be enabled under BGP to exchange MAC/VTEP reachability information?
This is the correct address family for EVPN.
Why this answer
MP-BGP EVPN uses the L2VPN address family (afi l2vpn safi evpn) to advertise MAC addresses, VNI mappings, and VTEP reachability.
Sequence the steps to configure a VXLAN with BGP EVPN on a Cisco Nexus switch.
Why this order
VXLAN EVPN requires overlay feature, VNI mapping, VTEP loopback, BGP peering, and verification.
Which TWO of the following are components of the Cisco ACI Management Information Tree (MIT)? (Choose two.)
Correct. Application Profile is an MIT object under a tenant.
Why this answer
The MIT includes objects like tenants, application profiles (AP), EPGs, and bridge domains (BD). VRF is also part of MIT. 'fvTenant', 'fvAp', 'fvAEPg', 'fvBD' are object classes. 'l3extOut' is for L3 out, not part of the core MIT hierarchy for tenant networking.
A large enterprise data center has a disaster recovery site 100 km away. The SAN uses two MDS 9700 series switches at each site, connected via a dedicated dark fiber. Each link operates at 16 Gbps with a round-trip time of 2 ms. Recently, backup jobs to the remote storage array have been failing with timeout errors. The backup server is local to Site A, but the backup target is in Site B. The link utilization never exceeds 40%, and no errors are reported on the interfaces. The engineer suspects the issue is related to buffer credits. The current buffer credit count on the ISL is 16. The engineer calculates that for 16 Gbps over 100 km (2 ms RTT), they need at least 200 credits to maintain full throughput. Which action is most appropriate to resolve the issue?
More credits allow more frames in flight, avoiding timeout and maintaining throughput.
Why this answer
Increasing buffer credits resolves the timeout issue due to credit starvation. Option D is correct. Option A is wrong because the links are physically direct; FCIP is not needed. Option B is wrong because NPIV is not related to buffer credits. Option C is wrong because reducing speed lowers performance.
Which TWO features are used to validate ARP packets and prevent ARP spoofing attacks? (Select exactly 2)
DAI intercepts and validates ARP packets.
Why this answer
Dynamic ARP Inspection (DAI) is correct because it validates ARP packets by checking them against the DHCP snooping binding database, ensuring that only legitimate ARP replies and requests are forwarded. This prevents ARP spoofing attacks where an attacker sends falsified ARP messages to associate their MAC address with the IP address of a legitimate device.
Exam trap
Cisco often tests the distinction between features that validate ARP packets (DAI) versus features that validate IP packets (IP Source Guard) or limit MAC addresses (Port Security), causing candidates to confuse the scope of each security mechanism.
A company is deploying a new Cisco UCS Mini with a single Fabric Interconnect 6324. They need to connect to an existing Fibre Channel SAN. Which action is required to enable Fibre Channel connectivity?
A dedicated FC switch provides SAN connectivity for UCS Mini.
Why this answer
The Cisco UCS Mini with a single Fabric Interconnect 6324 does not have native Fibre Channel ports; it only supports Ethernet uplinks. To connect to an existing Fibre Channel SAN, an external Fibre Channel switch (such as the Cisco MDS 9148S) must be added, and the Fabric Interconnect connects to it via FC uplinks, which are typically configured as unified ports. This allows the UCS Mini to leverage the MDS switch for Fibre Channel connectivity, as the 6324 itself cannot directly terminate Fibre Channel links.
Exam trap
Cisco often tests the misconception that the UCS Fabric Interconnect 6324 can directly connect to a Fibre Channel SAN by simply enabling NPV mode or using unified ports, but the key trap is that the 6324 lacks native Fibre Channel ports and requires an external Fibre Channel switch (like the MDS) to bridge the FCoE traffic to the FC SAN.
How to eliminate wrong answers
Option A is wrong because NPV (N_Port Virtualization) mode is used on a Fibre Channel switch to connect to an upstream SAN fabric, but the Fabric Interconnect 6324 does not have native Fibre Channel ports to run NPV; NPV is configured on the MDS switch, not the UCS Fabric Interconnect. Option B is wrong because the Fabric Interconnect 6324 does not support a Fibre Channel module; it only has fixed Ethernet ports and unified ports that can be configured for Fibre Channel, but no expansion module slot for FC. Option D is wrong because while unified ports can be configured on the 6324 to support Fibre Channel, they only provide connectivity to a downstream FCoE or FC device, not directly to a Fibre Channel SAN; the unified ports must be connected to an external Fibre Channel switch (like the MDS) to reach the SAN fabric.
In an ACI fabric, an EPG is configured with a contract that allows HTTP traffic to an external network. The external network is reachable via a Layer 3 Outside. However, HTTP traffic from the EPG fails. What is the most likely cause?
ACI contracts only work within the same VRF. If the L3Out is in a different VRF, route leaking is required.
Why this answer
Option B is correct because in Cisco ACI, communication between an EPG and an external network via a Layer 3 Outside requires both to be in the same VRF. If the EPG and the L3Out are in different VRFs, the contract cannot be enforced, and traffic will fail even if the contract allows HTTP. The VRF provides the routing and policy enforcement boundary for the contract.
Exam trap
Cisco often tests the misconception that a contract alone is sufficient for inter-VRF communication, but in ACI, contracts are VRF-scoped and cannot bridge different VRFs without additional configuration like a VRF route leak or a shared service contract.
How to eliminate wrong answers
Option A is wrong because if the subject action were set to deny, the contract would explicitly block HTTP traffic, but the question states the contract allows HTTP, so the action is not deny. Option C is wrong because the filter direction (e.g., from consumer to provider) is correctly configured in the contract; the issue is not about direction but about VRF mismatch preventing any policy application. Option D is wrong because applying the contract to the consumer EPG instead of the provider is a valid configuration; the consumer EPG typically consumes the contract, and the provider EPG provides the service, so this would not cause a failure if the contract is correctly applied to the consumer.
A network engineer is configuring a new Fibre Channel switch to connect to an existing storage fabric. The switch will be used to aggregate multiple edge switches and must appear as a single Fibre Channel device to the core. Which port type should be used on the edge switch facing the core switch to achieve this?
Correct. NP-port is used in NPV mode to connect an edge switch to the core fabric.
Why this answer
NP-port (N-Port Virtualization) is used on an edge switch in NPV mode to connect to the core fabric; it behaves like an N-port but allows multiple N-port IDs behind it.
A data center architect is designing a SAN with two MDS switches using VSANs. Which method ensures traffic isolation between departments while allowing sharing of a tape library?
IVR allows selective sharing between VSANs.
Why this answer
Multiple VSANs isolate traffic, and a shared tape library can be placed in a common VSAN with appropriate zones. Option D is correct. Option A is wrong because a single VSAN does not isolate. Option B is wrong because merging VSANs loses isolation. Option C is wrong because FCIP is for distance.
A Cisco UCS upgrade from release 3.1(1) to 4.0(4) is planned. The current release has a known issue that affects NVRAM backup. What is the best practice to avoid an outage during this upgrade?
Most major upgrades require stepping through an intermediate release.
Why this answer
Option D is correct because Cisco UCS firmware upgrades must follow a supported upgrade path to avoid incompatibilities and known issues. Skipping directly from 3.1(1) to 4.0(4) is not supported; an intermediate release (e.g., 3.2(x) or 4.0(1)) is required to resolve the NVRAM backup issue and ensure a seamless upgrade without service disruption.
Exam trap
Cisco often tests the concept of supported upgrade paths and intermediate releases, trapping candidates who assume direct upgrades are always possible or that component order can be rearranged arbitrarily.
How to eliminate wrong answers
Option A is wrong because a cold reboot of all Fabric Interconnects before starting would cause an immediate outage, defeating the purpose of avoiding downtime; the upgrade process itself handles reboots gracefully. Option B is wrong because upgrading all components simultaneously violates Cisco's recommended sequential upgrade order (Fabric Interconnects first, then chassis IOMs, then servers) and increases the risk of configuration mismatches and extended downtime. Option C is wrong because the chassis firmware should be upgraded after the Fabric Interconnects, not before, as the Fabric Interconnects control the management plane and must be at a compatible version first.
In a Cisco UCS B-Series deployment, which component provides the physical connectivity between blade server mezzanine cards and the Fabric Interconnects?
Correct. The IOM connects blade mezzanine cards to Fabric Interconnects.
Why this answer
The I/O Module (IOM) in the UCS 5108 chassis provides the connectivity between blade server mezzanine cards and the Fabric Interconnects via server ports.
An engineer is connecting a Cisco UCS C-Series rack server to the network. The server must be managed by UCS Manager alongside existing B-Series blades. Which mode should the C-Series server be configured in?
UCS Manager mode allows unified management of C-Series in UCS Manager.
Why this answer
C-Series rack servers can be integrated into UCS Manager using UCS Manager mode (sometimes called C-Series Integrated mode), where they are managed through the Fabric Interconnects.
A UCS administrator notices that a service profile associated with a vNIC template that uses 'fabric failover' is not failing over to the secondary Fabric Interconnect when the primary link goes down. The vNIC template is set to 'fabric failover' enabled, and both Fabric Interconnects are in the same VLAN. What is the most likely cause?
The primary fabric must be selected in the vNIC template for failover to function correctly.
Why this answer
When 'fabric failover' is enabled on a vNIC template, the UCS Manager requires the 'Primary Fabric' setting to be explicitly defined to determine which Fabric Interconnect (FI-A or FI-B) should be the active path. Without this setting, the system cannot properly orchestrate the failover behavior, causing the vNIC to remain pinned to the primary FI even when its link goes down. This is a common misconfiguration because the 'fabric failover' checkbox alone does not imply a primary fabric assignment.
Exam trap
Cisco often tests the misconception that enabling 'fabric failover' alone is sufficient for automatic failover, when in fact the 'Primary Fabric' field must also be explicitly configured to define the active path.
How to eliminate wrong answers
Option B is wrong because a pin group explicitly pins a server to a specific Fabric Interconnect and would prevent failover by design; although a pin group would override the 'fabric failover' setting on the vNIC template, the most likely cause here is the missing 'Primary Fabric' definition, not the presence of a pin group. Option C is wrong because an MTU size mismatch (1500 vs 9000) affects jumbo frame support and packet fragmentation, not the failover mechanism between Fabric Interconnects. Option D is wrong because the MAC Address policy (pool-based vs static) determines how MAC addresses are assigned to vNICs, but it has no impact on fabric failover behavior.
In the context of Ansible automation for Cisco Nexus switches, which module can be used to manage VLAN configurations?
Correct: nxos_vlan is designed for VLAN management.
Why this answer
The cisco.nxos collection includes the nxos_vlan module specifically for managing VLANs on NX-OS devices.
An organization wants to encrypt Fibre Channel traffic in-flight between storage and servers. Which standard should be used?
FC-SP-2 encrypts FC frames.
Why this answer
FC-SP-2 provides encryption for Fibre Channel data in transit.
Which control plane protection mechanism should be configured to limit the rate of BGP updates destined to the CPU of a Nexus 9000 switch to prevent CPU overload?
CoPP rate-limits control plane packets.
Why this answer
Control Plane Policing (CoPP) is the correct mechanism because it directly filters and rate-limits control plane traffic, such as BGP updates, before it reaches the CPU of a Nexus 9000 switch. By applying a CoPP policy, you can protect the CPU from being overwhelmed by excessive BGP updates, ensuring stability and preventing denial-of-service conditions.
Exam trap
Cisco often tests the distinction between data plane and control plane mechanisms, and the trap here is that candidates may confuse VACLs (data plane filtering) with CoPP (control plane policing), assuming any ACL can protect the CPU.
How to eliminate wrong answers
Option A is wrong because VLAN Access Control Lists (VACLs) filter traffic within the data plane at the VLAN level, not the control plane, and cannot rate-limit BGP updates destined to the CPU. Option C is wrong because EtherChannel load balancing distributes data traffic across aggregated links to improve bandwidth and redundancy, but it has no mechanism to police or limit control plane traffic like BGP updates. Option D is wrong because Switched Port Analyzer (SPAN) is used for port mirroring traffic to a monitoring device for analysis, not for filtering or rate-limiting control plane packets to the CPU.
Which NX-OS command displays the vPC consistency parameters and status on a Cisco Nexus switch?
Correct: displays type-1 and type-2 consistency.
Why this answer
The command 'show vpc consistency-parameters' verifies vPC consistency across peers.
Arrange the steps to recover a lost admin password on a Cisco Nexus switch.
Why this order
Password recovery involves boot interruption, register change, boot, password reset, and save.
A network engineer is troubleshooting high CPU utilization on a Nexus 9000 switch. Which command is most useful to identify the process consuming the most CPU?
This command sorts processes by CPU usage, allowing identification of the most intensive process.
Why this answer
Option B is correct because the 'show process cpu sort' command on Nexus 9000 switches displays the current CPU utilization sorted by the process consuming the most CPU, allowing the engineer to quickly identify the top CPU consumer. This command provides a real-time, sorted list of processes with their CPU usage percentages, which is directly useful for troubleshooting high CPU utilization.
Exam trap
Cisco often tests the distinction between 'show processes cpu' (which lists all processes unsorted) and 'show process cpu sort' (which sorts by CPU usage), and the trap here is that candidates may mistake 'show cpu usage' for a valid command or assume 'show system resources' provides process-level detail.
How to eliminate wrong answers
Option A is wrong because 'show processes cpu history' shows historical CPU utilization data in a graphical format over time, not the current processes consuming CPU, so it cannot identify the specific process causing the spike. Option C is wrong because 'show system resources' displays overall system resource usage (memory, CPU, buffers) but does not break down CPU usage by individual process, making it insufficient for pinpointing the culprit process. Option D is wrong because 'show cpu usage' is not a valid command on Nexus 9000 switches; the correct command for a summary of CPU usage is 'show processes cpu', which lists all processes but does not sort them by CPU consumption.
What is the primary benefit of using UCS service profiles for server deployment?
Service profiles decouple the logical server identity from physical hardware.
Why this answer
Service profiles abstract hardware configuration, allowing rapid provisioning and stateless computing. A server can be replaced without reconfiguration by simply associating the same service profile.
Which Cisco UCS component is responsible for aggregating traffic from multiple blade servers in a 5108 chassis to the Fabric Interconnect?
The IOM aggregates blade server traffic and connects to Fabric Interconnects.
Why this answer
The I/O Module (IOM) in the 5108 chassis connects to the midplane and uplinks to the Fabric Interconnect via server ports.
In UCS service profile templates, when you update the template, how do the changes propagate to the service profiles derived from it?
By default, templates update derived profiles automatically, though this can be overridden.
Why this answer
When a service profile is created from a template, it can be set to update automatically when the template changes, or manually. The default behavior is that changes are propagated automatically unless the profile is set to manual update.
An organization wants to integrate their UCS C-series rack servers into an existing UCS Manager domain. Which mode should be used to achieve centralized management of the C-series servers through UCS Manager?
In UCS Managed mode, the C-series server appears as a compute resource in UCS Manager and can be assigned service profiles.
Why this answer
C-series servers can be managed by UCS Manager when they are in UCS Managed mode, which requires the server to be connected via a Fabric Interconnect and have the appropriate license.
An NFS client is unable to write to a mounted export. The client can read files. What is the most likely cause?
Correct: Read-only export allows reads but denies writes.
Why this answer
Option C is correct because write access requires proper permissions on both the export and the user. Option A is incorrect because NFS version does not affect read/write. Option B is incorrect because mount options affect mounting, not file operations. Option D is incorrect because network issues would prevent both read and write.
Which TWO statements correctly describe active zone sets in a Cisco MDS Fibre Channel fabric?
When a zone set is activated, it is distributed to all switches in the VSAN.
Why this answer
An active zone set is the set of zones that are enforced in the fabric. Only one zone set can be active at a time, and it is propagated to all switches in the fabric.
A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?
The consumer EPG must also consume the contract; otherwise, traffic is denied.
Why this answer
The most likely cause is that the contract is configured on the provider EPG but the consumer EPG is not configured to consume it. In Cisco ACI, a contract must be explicitly provided by one EPG and consumed by another for traffic to be permitted. If the consumer EPG does not have the contract applied, the contract will not be enforced, and traffic will be dropped even if the contract configuration appears correct.
The contract statistics showing no permitted packets confirm that the contract is not being applied to the traffic flow.
Exam trap
Cisco often tests the misconception that configuring a contract on the provider EPG alone is enough to permit traffic, when in fact the consumer EPG must also explicitly consume the contract for the policy to take effect.
How to eliminate wrong answers
Option B is wrong because applying a contract to the wrong VRF would prevent any communication between EPGs in different VRFs, but the contract statistics would show no packets at all, and the administrator would likely notice the VRF mismatch during configuration review. Option C is wrong because an incorrect filter direction or filter would still result in some packets being counted in contract statistics (e.g., denied packets), but the question states no packets have been permitted, indicating the contract itself is not being consumed. Option D is wrong because endpoints in different VMM domains can still communicate if the EPGs are in the same VRF and a contract is properly configured; VMM domain mismatch affects endpoint discovery and policy enforcement but does not directly cause contract statistics to show zero permitted packets.
In a data center running MST, which region configuration parameter must match on all switches for them to be part of the same region?
All three must match for consistent region membership.
Why this answer
MST region configuration includes the revision number, the region name, and the VLAN-to-instance mapping; if any of these mismatch, the switches consider themselves to be in different regions.
A Cisco MDS switch is configured with fabric binding to restrict which switches can join the fabric. A new switch is added, but it fails to establish an E-port connection. What is the most likely cause?
Fabric binding rejects unauthorized switches.
Why this answer
Option B is correct: Fabric binding uses the switch WWN to allow or deny switches. If the new switch's WWN is not in the allowed list, the E-port will not come up. Option A is wrong: An incompatible SFP would cause link issues regardless of fabric binding. Option C is wrong: Zoning does not affect E-port formation. Option D is wrong: Switch priority affects principal switch selection, not E-port formation.
In a spine-leaf architecture, what is the primary advantage of using a full mesh between spines and leaves?
Each leaf is one hop from any spine, ensuring low latency.
Why this answer
A full mesh where every leaf connects to every spine provides any-to-any connectivity, low latency (all paths are single hop), and high bandwidth with ECMP. It simplifies routing and provides predictable performance. It does not reduce the number of ports (it increases ports), and it does not eliminate the need for VLANs or STP in the underlay (though often STP is not needed due to routing).
A data center deployment uses NPV mode on a Cisco MDS switch to connect to a core Fibre Channel switch. After configuration, the NPV switch does not register with the core. What is the most likely cause?
Core must have NPIV enabled for NPV.
Why this answer
NPV (N_Port Virtualization) mode requires NPIV (N_Port ID Virtualization) to be enabled on the core Fibre Channel switch. NPIV allows a single physical N_Port to register multiple FCIDs (Fibre Channel IDs) for multiple virtual initiators behind the NPV switch. Without NPIV on the core, the NPV switch cannot complete the FLOGI (Fabric Login) process and will not register with the fabric.
Exam trap
Cisco often tests the distinction between NPV and NPIV, trapping candidates who confuse the two or assume that enabling NPV on both sides is required.
How to eliminate wrong answers
Option A is wrong because trunk mode on Fibre Channel ports (E_Port or TE_Port) is used for ISL (Inter-Switch Link) connections between core switches, not for NPV uplinks, which use NP_Ports. Option B is wrong because enabling NPV mode on the core switch would break the NPV architecture; NPV is only enabled on the edge switch (the NPV switch), while the core must operate in standard Fibre Channel switch mode (with NPIV enabled). Option D is wrong because domain IDs are assigned by the principal switch in the fabric and are not configured manually on NPV switches; NPV switches do not participate in domain ID distribution as they are not full switches in the fabric.
A DevOps team is implementing CI/CD for network configuration changes on Nexus switches. Which tool is most suitable for version control of network configuration files?
Git provides version control for configuration files.
Why this answer
Git is a distributed version control system widely used for managing infrastructure as code, including network configurations. Ansible is for automation, Jenkins for CI/CD pipelines, and Docker for containers.
Which two statements are true about Cisco TrustSec? (Choose two.)
ISE is the policy server that defines and distributes SGT-based policies.
Why this answer
Cisco TrustSec relies on a Cisco ISE policy server to define and enforce security policies based on Security Group Tags (SGTs). ISE acts as the centralized policy decision point, dynamically assigning SGTs to authenticated endpoints and distributing the SGT-to-IP bindings to network devices via SXP or inline tagging.
Exam trap
Cisco often tests the misconception that TrustSec requires 802.1X or provides mandatory encryption, when in fact 802.1X is just one of several authentication methods and encryption (MACsec) is an optional enhancement.
Which FCoE component is responsible for encapsulating Fibre Channel frames into Ethernet frames?
The FCoE module performs encapsulation/decapsulation.
Why this answer
The FCoE module on the switch or adapter is the component that performs the encapsulation of native Fibre Channel frames into Ethernet frames. This module handles the conversion by adding an Ethernet header, including the EtherType 0x8906 for FCoE, and managing the mapping of Fibre Channel constructs (e.g., VSANs) to VLANs. Without this module, Fibre Channel traffic cannot traverse an Ethernet network.
Exam trap
Cisco often tests the distinction between the component that performs encapsulation (FCoE module) and the logical interfaces or forwarding entities (VFC, VN, FCF) that rely on that encapsulation, leading candidates to confuse the control-plane role of the FCF or the logical nature of VFC/VN interfaces with the actual encapsulation function.
How to eliminate wrong answers
Option B (FCoE Forwarder or FCF) is wrong because the FCF is a control-plane device that provides Fibre Channel forwarding services (e.g., fabric login, name server) and connects FCoE VLANs to Fibre Channel SANs, but it does not perform the actual encapsulation of frames; that is done by the FCoE module. Option C (Virtual Fibre Channel interface or VFC) is wrong because a VFC is a logical interface that binds to an Ethernet interface and represents a Fibre Channel port in software, but it does not encapsulate frames; it relies on the underlying FCoE module for encapsulation. Option D (VN interface) is wrong because a VN interface is a virtual N_port (node port) that appears to the Fibre Channel stack as a standard N_port, but it is a logical construct that uses the FCoE module for encapsulation; it does not perform the encapsulation itself.
Which TWO methods are supported for authenticating to the APIC REST API?
X.509 certificates can be used for API authentication.
Why this answer
The APIC REST API supports certificate-based authentication (option B) and local AAA user authentication with a username and password (option C). Certificate-based authentication uses X.509 certificates for secure, non-interactive API access, while local AAA authentication relies on credentials stored directly on the APIC. Both methods are explicitly documented as valid for REST API calls.
Which component in a UCS domain is responsible for aggregating and forwarding all management traffic between the chassis and the fabric interconnects?
The CMC manages the chassis and communicates with the FIs over the management network.
Why this answer
The system controller (also known as the chassis management controller) in the UCS chassis handles management traffic for the blades, including communication with UCS Manager via the FIs.
Arrange the steps to configure a vPC domain on a pair of Cisco Nexus switches.
Why this order
vPC requires feature vPC, then domain creation, keepalive link, peer-link, and member ports.
A company is deploying a multi-tenant environment with several virtualized hosts using NPIV. Each virtual machine requires its own WWPN. During testing, some VMs cannot log into the SAN. The MDS switch logs show 'FLOGI rejected: no available resources'. What is the most likely cause?
By default, NPIV max logins may be hit with many VMs.
Why this answer
The error 'FLOGI rejected: no available resources' on an MDS switch in an NPIV environment indicates that the switch has exhausted its allocated resources for handling fabric logins (FLOGIs) from N_Port ID Virtualization (NPIV) initiators. NPIV allows multiple virtual WWPNs to share a single physical FC port, but each virtual login consumes a login resource on the upstream switch. When the NPIV limit or the maximum number of allowed logins per interface or per VSAN is exceeded, the switch rejects new FLOGIs, preventing VMs from logging into the SAN.
Exam trap
Cisco often tests the distinction between resource exhaustion (NPIV login limits) and configuration errors (zoning or VSAN device limits) by using the specific error message 'FLOGI rejected: no available resources', which candidates mistakenly attribute to zoning or VSAN device limits instead of NPIV login resource depletion.
How to eliminate wrong answers
Option A is wrong because the maximum FC frame size (e.g., 2112 bytes vs. 1024 bytes) affects data transmission efficiency and fragmentation, not the ability to perform a fabric login (FLOGI), which is a control-plane operation. Option B is wrong because the VSAN maximum number of devices (configurable via 'fabric-limit device-login-limit') would cause a different error, such as 'device not allowed' or 'login denied', not a resource exhaustion error for FLOGI. Option C is wrong because a full zone set prevents new zone members from being added or activated, but it does not block an existing zone member's FLOGI; the error 'FLOGI rejected: no available resources' is a login resource issue, not a zoning configuration issue.
A storage array supports both synchronous and asynchronous replication. The application requires zero data loss in case of a site failure. Which replication type should be chosen?
Synchronous replication guarantees zero data loss as data must be written to both sites.
Why this answer
Synchronous replication writes data to the primary and secondary storage before acknowledging the write, ensuring zero data loss (RPO=0). Asynchronous replication may have some lag.
In a UCS environment, which method provides management plane isolation for the fabric interconnects?
The management port is physically separate from data ports.
Why this answer
UCS fabric interconnects have a dedicated management interface that can be placed in a separate management VLAN for isolation.
An administrator wants to prevent a rogue DHCP server from assigning IP addresses on a Nexus switch. Which feature should be enabled?
DHCP snooping blocks rogue DHCP servers.
Why this answer
DHCP snooping filters DHCP server messages on untrusted ports.
An organization wants to adopt Infrastructure as Code (IaC) principles for their data center network. Which practice best aligns with IaC for network configuration?
This is a core IaC practice.
Why this answer
IaC involves managing and provisioning network infrastructure through machine-readable definition files, rather than manual processes. Storing configurations in version control (like Git) and using automated tools is key.
A network engineer is troubleshooting an OSPF adjacency issue between two Nexus switches. The neighbors are stuck in the EXSTART state. What is the most likely cause?
MTU mismatch leads to DBD packet rejection, keeping the neighbor in EXSTART.
Why this answer
An MTU mismatch prevents the exchange of Database Description packets, causing neighbors to remain in EXSTART. Other options cause different adjacency states.
Which TWO of the following are characteristics of the NETCONF protocol? (Choose two.)
Correct: NETCONF typically uses SSH (RFC 6242) or TLS.
Why this answer
NETCONF uses XML for data encoding and provides operations like get, edit-config, etc., based on YANG models.
Which THREE components are part of a HyperFlex HX Data Platform (HXDP) cluster? (Choose three.)
Witness provides quorum.
Why this answer
HXDP cluster includes controller VMs, storage nodes, and a witness VM for quorum.
Which Cisco Data Center Network Manager component is used for centralized fabric management and automation of Nexus switches?
Correct: DCNM manages Nexus switches.
Why this answer
DCNM (Data Center Network Manager) provides centralized management for Nexus fabrics, including provisioning, monitoring, and troubleshooting.
A small business has a Cisco MDS 9148S switch with a single fabric. Two hosts are connected to ports fc1/1 and fc1/2, and a storage array is connected to ports fc1/3 and fc1/4. The administrator wants to ensure that each host can only see its own assigned LUNs on the array. They have configured a zone for each host containing the host pWWN and the target pWWN for the respective LUNs. However, Host A is able to see Host B's LUNs. What is the most likely cause?
A zone alias containing both hosts would place them in the same zone, allowing cross-access.
Why this answer
The most likely cause is that the zoning configuration uses a zone alias that includes both hosts, causing unintended access. If zones were not active, no access would occur. Soft zoning is not a concept in MDS (hard zoning is used), and VSAN misconfiguration would isolate at a higher level.
A service profile is configured to boot from local disk, but the blade server has no local storage. What will happen when the blade is associated with this service profile?
Without a boot device, the blade will not boot.
Why this answer
UCS Manager does not validate hardware capabilities at association time. The blade will boot and fail to find a boot device, resulting in a boot failure. The service profile can still be associated.
In a spine-leaf data center architecture, what is the primary purpose of using equal-cost multipath (ECMP) routing?
ECMP distributes traffic across multiple equal-cost paths, increasing throughput and redundancy.
Why this answer
ECMP allows load balancing across multiple equal-cost paths, improving bandwidth utilization and redundancy.
Which TWO statements about Cisco TrustSec in a data center environment are true? (Choose two.)
ISE assigns SGTs as part of policy after authentication.
Why this answer
Cisco ISE can dynamically assign Security Group Tags (SGTs) to endpoints during authentication via 802.1X or MAB, enabling role-based access control. This is a core TrustSec feature where the SGT is propagated to the network infrastructure to enforce policies.
Exam trap
Cisco often tests the misconception that TrustSec requires MACsec or IP-based tagging, when in fact SGTs are identity-based and MACsec is optional; candidates may also incorrectly assume TrustSec is Layer 3 only, ignoring its Layer 2 enforcement capabilities.
A data center engineer is using Cisco Intersight to manage a hybrid infrastructure that includes UCS servers and HyperFlex clusters. The engineer needs to deploy a new server profile to a UCS domain that is claimed in Intersight. The profile includes a firmware policy that specifies version 4.1(3c) for the motherboard and 5.0(3a) for the storage controller. The target server is a C-Series rack mount server currently running firmware version 4.0(2a) on the motherboard. After deploying the profile, the server goes into a 'Pending' state and does not become 'Selectable'. The engineer checks the UCS Manager and sees that the server is in 'Discovery Failed' state. The engineer has verified that network connectivity is fine and the CIMC is accessible. What should the engineer do to resolve this?
Manually updating the firmware to a version compatible with the UCS domain will allow the server to be discovered, after which the profile can be applied.
Why this answer
Option D is correct because when a firmware policy in Intersight specifies a version that is not compatible with the current firmware on the server, the server may enter a 'Discovery Failed' state. In this scenario, the motherboard firmware must be updated to a version that supports the storage controller firmware 5.0(3a) before the profile can be applied. Manually updating the firmware via UCS Manager ensures the server meets the prerequisite firmware baseline, allowing Intersight to complete the deployment.
Exam trap
Cisco often tests the concept that firmware policies have dependency chains, and candidates mistakenly think that a simple re-claim or reset will fix a 'Discovery Failed' state, when in fact the root cause is an incompatible firmware version that must be manually updated first.
How to eliminate wrong answers
Option A is wrong because ensuring consistency between the firmware policy and the current firmware would defeat the purpose of the policy, which is to enforce a target version; the issue is not consistency but compatibility. Option B is wrong because removing and re-claiming the server would not resolve the underlying firmware incompatibility; it would only reset the inventory state without addressing the firmware version mismatch. Option C is wrong because resetting the CIMC to factory defaults would erase configuration but not change the firmware version; the server would still fail discovery due to the incompatible firmware.