Cisco DCCOR / CCNP Data Center Core 350-601 (350-601) — Questions 601675

1000 questions total · 14 pages · All types, answers revealed

Page 9 of 14
601
MCQ · hard

In Cisco TrustSec, which technology is used to enforce east-west traffic policies based on identity without relying on IP addresses?

A. SGT
B. SGACL
C. ACLs
D. VLAN ACLs
Answer: B

SGACLs use SGTs for policy.

Why this answer

SGACLs enforce policies based on SGTs, not IP addresses.

602
MCQ · medium

A DevOps team wants to version control network device configurations. Which tool is best suited for tracking changes and collaborating on configuration files?

A. Python virtual environment
B. Ansible Tower
C. Cisco Prime Infrastructure
D. Git
Answer: D

Git provides distributed version control.

Why this answer

Git is the industry standard for version control, enabling history, branching, and collaboration.

603
MCQ · hard

Refer to the exhibit. The CoPP policy above is applied. Which traffic is most likely to be dropped?

A. Both ICMP and class-default traffic that exceed their rates
B. ICMP traffic that exceeds 1000 bps
C. class-default traffic that exceeds 20000 bps
D. OSPF traffic that exceeds 5000 bps
Answer: B

The ICMP class drops packets that exceed the police rate.

Why this answer

Option B is correct because the CoPP policy explicitly defines a class-map for ICMP traffic with a police rate of 1000 bps. Any ICMP traffic exceeding this rate is dropped due to the 'drop' action in the police command. The other classes (OSPF and class-default) have higher rates and are not as constrained, making ICMP the most likely to be dropped when exceeded.

Exam trap

Cisco often tests the misconception that all traffic exceeding its policed rate is equally likely to be dropped, but the trap here is that the lowest policed rate (ICMP at 1000 bps) is the most restrictive and thus the most likely to be exceeded and dropped, not the higher-rate classes.

How to eliminate wrong answers

Option A is wrong because the class-default traffic is policed at 20000 bps, which is a much higher rate than ICMP's 1000 bps, so class-default is less likely to be dropped unless it significantly exceeds its rate; ICMP is the primary concern. Option C is wrong because class-default traffic has a police rate of 20000 bps, which is 20 times higher than ICMP's rate, making it less likely to be dropped under typical traffic loads. Option D is wrong because OSPF traffic is policed at 5000 bps, which is 5 times higher than ICMP's rate, and OSPF control traffic is typically low-volume, so it is not the most likely to be dropped.

604
MCQ · hard

A UCS administrator notices that a server in a UCS domain is not booting from SAN after a firmware upgrade. The service profile shows the correct WWPN and boot policy. The SAN switch sees the initiator login. However, the storage array does not see any initiator attempts. What is the most likely issue?

A. The boot policy is missing the primary SAN target
B. The WWPN is duplicated on another initiator
C. The zone alias on the SAN switch does not match the initiator WWPN
D. The VSAN membership is incorrect on the fabric interconnect
Answer: C

The zone alias mismatch would allow login (since zoning is based on WWPN) but the storage may not see the initiator if zones are misconfigured.

Why this answer

The SAN switch sees the initiator login, but the storage array does not see any initiator attempts. This indicates that the Fibre Channel fabric is blocking the initiator's WWPN from reaching the storage target, typically because the zone configuration on the SAN switch does not include the initiator's WWPN or the zone alias does not match the actual WWPN. Since the service profile and boot policy are correct, and the VSAN membership is functional (the switch sees the login), the most likely issue is a zoning mismatch on the SAN switch.

Exam trap

Cisco often tests the distinction between fabric-level visibility (FLOGI success) and zone-level communication (PLOGI/PRLI failure) to trick candidates into assuming the issue is with the boot policy or VSAN membership rather than zoning.

How to eliminate wrong answers

Option A is wrong because the boot policy is confirmed correct in the question, and a missing primary SAN target would cause the server to fail to find the boot LUN, but the storage array would still see initiator attempts if zoning were correct. Option B is wrong because a duplicate WWPN would cause login conflicts or fabric segmentation, but the SAN switch sees the initiator login successfully, ruling out duplication. Option D is wrong because incorrect VSAN membership would prevent the fabric interconnect from seeing the initiator login at all, but the SAN switch does see the login, indicating VSAN membership is functional.

605
MCQ · medium

A network administrator is troubleshooting a vPC pair and needs to verify the operational status of the vPC peer-link. Which NX-OS command displays vPC status including peer-link and member port states?

A. show vpc brief
B. show vpc consistency-parameters
C. show vpc peer-keepalive
D. show vpc
Answer: D

Shows vPC status, peer-link status, and member ports.

Why this answer

The 'show vpc' command provides comprehensive vPC status information.

606
MCQ · hard

In a Cisco ACI fabric, an external L3Out is configured to advertise a subnet to the outside. Which object must be created in the tenant to define the Layer 3 outside network connection?

A. L3Out
B. External EPG
C. Contract
D. Bridge Domain
Answer: A

L3Out is the object that defines the external connection.

Why this answer

An L3Out (Layer 3 Outside) object is defined under the tenant to connect the ACI fabric to external Layer 3 networks.

607
Matching · medium

Match each Cisco MDS FC switch feature to its purpose.



Virtual SAN for isolating Fibre Channel traffic

Access control between initiators and targets

Routing protocol for Fibre Channel fabric

Fibre Channel over IP for remote connectivity

Inter-VSAN routing for selective communication

Why these pairings

These features are key for managing Fibre Channel SANs.

608
MCQ · hard

An engineer is troubleshooting a SAN performance issue. The MDS switch shows high CRC errors on an F port. The host is connected via a 16 Gbps FC link. The errors increase when the host sends large I/O. What is the most likely cause?

A. The host's HBA firmware is outdated.
B. The zone configuration is incorrect.
C. The host is experiencing buffer credit starvation.
D. The switch port is configured for 8 Gbps.
E. The cable length exceeds the supported distance for 16 Gbps.
Answer: E

16 Gbps FC has shorter reach; long cables cause CRC errors, especially under heavy load.

Why this answer

At 16 Gbps Fibre Channel, signal integrity degrades over long cable distances, causing bit errors that manifest as CRC errors on the F port. The error increase with large I/O is characteristic of marginal signal quality, as larger frames are more likely to encounter corrupted bits. Option E correctly identifies that the cable length exceeds the supported distance for 16 Gbps, typically 10 meters for OM3 multimode fiber or 100 meters for OM4, depending on the transceiver type.

Exam trap

Cisco often tests the distinction between physical-layer errors (CRC, running disparity) and higher-layer issues (buffer credits, zoning), so the trap here is that candidates confuse buffer credit starvation (a flow-control problem) with CRC errors (a signal-integrity problem).

How to eliminate wrong answers

Option A is wrong because outdated HBA firmware typically causes link instability or negotiation failures, not CRC errors that scale with I/O size. Option B is wrong because zone configuration errors cause connectivity or login issues, not CRC errors on an established link. Option C is wrong because buffer credit starvation causes performance degradation (e.g., reduced throughput) due to lack of credits, not CRC errors; CRC errors indicate physical-layer issues.

Option D is wrong because if the switch port were configured for 8 Gbps, the link would negotiate to 8 Gbps and CRC errors would not increase with large I/O at 16 Gbps; the symptom would be a speed mismatch, not CRC errors.

609
MCQ · easy

Which VPC component is used to send Layer 2 control plane traffic between peer switches?

A. VPC consistency check
B. VPC peer keepalive
C. VPC member port
D. VPC peer-link
Answer: D

The peer-link is a Layer 2 port-channel that carries control and data traffic between peers.

Why this answer

The VPC peer-link is a Layer 2 link that carries control plane traffic (e.g., BPDUs, HSRP hellos) and data traffic for orphan ports.

610
Multi-Select · hard

Which THREE statements accurately describe FCIP (Fibre Channel over IP) configurations on Cisco MDS switches?

Select 3 answers
A. FCIP uses VE_port (Virtual E_port) interfaces to connect to the FC fabric
B. FCIP requires IPsec for security over public networks
C. FCIP can be used in conjunction with Fibre Channel port channels
D. FCIP compression reduces the latency of the IP transport
E. FCIP can be configured on a GigabitEthernet interface
Answers: A, C, E

VE_ports terminate FCIP tunnels.

Why this answer

Options B, D, and E are correct. FCIP can operate over Gigabit Ethernet interfaces (B). FCIP can be combined with FC port channels to provide redundancy and load balancing (D).

FCIP uses Virtual E_ports (VE_ports) to connect to the FC fabric (E). Option A is wrong: compression reduces bandwidth usage; it does not reduce latency. Option C is wrong: IPsec is optional, not required.

611
MCQ · medium

Two Cisco Nexus 9000 switches are connected via Ethernet interface 1/1. The engineer wishes to secure the link using MACsec (IEEE 802.1AE) with a pre-shared key for connectivity association key (CAK) protection. Both switches have the same hardware and software version supporting MACsec. The engineer configures the following on both switches:

    feature macsec
    macsec policy MACSEC_POLICY
      cipher-suite gcm-aes-128
      security-mode no-encrypt
      mka sak-rekey-time 30
    interface ethernet 1/1
      macsec policy MACSEC_POLICY

However, the link comes up without MACsec encryption (the port counter shows MACsec frames dropped). The engineer checks that the pre-shared key is configured correctly via 'macsec key-chain' but notices it was not explicitly applied. What is the most likely reason for MACsec failing to establish?

A. Both switches must have the same MACsec profile name.
B. The interface must be put in a 'macsec' mode with 'switchport macsec'.
C. The MACsec key chain must be created and referenced in the macsec policy, and the MKA policy must be applied to the interface with 'macsec mka policy'.
D. The 'feature macsec' command is not enabled, so MACsec is not operational.
Answer: C

Correct. A key chain must be defined and linked to the policy, and the MKA policy must be explicitly applied under the interface.

Why this answer

Option C is correct because MACsec on Cisco Nexus 9000 switches requires a key chain to be defined and explicitly referenced within the MACsec policy. Without the 'key-chain' command under the 'macsec policy', the pre-shared key (CAK) is not available for MKA (MACsec Key Agreement) to derive session keys. Additionally, the MKA policy must be applied to the interface using 'macsec mka policy' to enable the key agreement protocol; simply enabling MACsec on the interface without these steps leaves the link unsecured, causing MACsec frames to be dropped.

Exam trap

Cisco often tests the requirement that a key chain must be explicitly referenced in the MACsec policy and that an MKA policy must be applied to the interface, tricking candidates into thinking that simply enabling MACsec on the interface with a policy is sufficient.

How to eliminate wrong answers

Option A is wrong because the MACsec profile name does not need to match on both switches; only the key chain parameters (e.g., key string) must match for MKA to succeed. Option B is wrong because 'switchport macsec' is not a valid command on Nexus 9000; the interface is placed into MACsec mode by applying the MACsec policy directly with 'macsec policy' under the interface. Option D is wrong because 'feature macsec' is correctly enabled in the configuration, so MACsec is operational at the feature level; the failure is due to missing key chain and MKA policy application, not the feature being disabled.

612
MCQ · hard

In a VXLAN EVPN multi-tier design, which feature ensures traffic between leaf switches takes the optimal path without hair-pinning through a spine?

A. Anycast gateway
B. Type-2 routes
C. ECMP
D. ARP suppression
Answer: C

ECMP enables load distribution across multiple spines, avoiding hair-pinning.

Why this answer

C is correct because Equal-Cost Multipath (ECMP) in a VXLAN EVPN multi-tier design allows leaf switches to load-balance traffic across multiple equal-cost spine paths, ensuring that traffic between leaf switches takes the most direct route without being forced to hair-pin through a spine. ECMP leverages the underlying IP fabric's routing to forward VXLAN-encapsulated packets over any available spine, avoiding suboptimal forwarding that would occur if a single spine were used as a relay.

Exam trap

Cisco often tests the misconception that Anycast Gateway or ARP suppression directly influences inter-leaf forwarding paths, when in fact ECMP is the mechanism that enables optimal multi-path routing in the underlay to avoid hair-pinning.

How to eliminate wrong answers

Option A is wrong because Anycast Gateway (e.g., using the same IP and MAC on multiple VTEPs) is designed to provide first-hop redundancy and optimal host-to-gateway forwarding, not to prevent hair-pinning of leaf-to-leaf traffic through a spine. Option B is wrong because Type-2 routes (MAC/IP advertisement routes) are used in EVPN to advertise host reachability and MAC-to-IP bindings, not to influence the path selection between leaf switches. Option D is wrong because ARP suppression is a feature that reduces broadcast traffic by caching ARP replies on the VTEP, but it does not affect the forwarding path or prevent hair-pinning through a spine.

613
MCQ · easy

What is the purpose of the Cisco Integrated Management Controller (CIMC) for UCS C-Series rack servers?

A. To provide high-speed data switching between servers
B. To enable out-of-band management for remote server control
C. To manage storage arrays
D. To replace the need for a Fabric Interconnect
Answer: B

Correct. CIMC allows remote management.

Why this answer

CIMC provides out-of-band management for rack servers, including remote KVM, virtual media, and firmware updates, independent of the host OS.

614
Multi-Select · hard

Which THREE are characteristics of Cisco TrustSec? (Select exactly 3)

Select 3 answers
A. Uses SGTs to enforce policy
B. Requires Cisco ISE
C. Operates at Layer 2
D. Uses CTS auth-proxy
E. Requires MACsec encryption
Answers: A, C, D

SGTs are central to TrustSec for classifying and enforcing access policies.

Why this answer

Cisco TrustSec uses Security Group Tags (SGTs) to enforce access control policies based on user, device, or workload identity rather than IP addresses. SGTs are assigned during authentication and carried in Ethernet frames (via Cisco Meta Data or inline tagging) to allow scalable, identity-based policy enforcement throughout the network.

Exam trap

Cisco often tests the misconception that TrustSec requires ISE or MACsec, but the core characteristics are SGT-based policy enforcement, Layer 2 operation, and the CTS auth-proxy mechanism for legacy device support.

615
Multi-Select · medium

A UCS B-series blade server is experiencing boot issues. The service profile is configured to boot from local disk first, then SAN. The blade has local disks but they are not recognized. Which TWO actions should be taken to diagnose the issue?

Select 2 answers
A. Verify the boot policy in the service profile.
B. Re-associate the service profile.
C. Check the Fibre Channel fabric connectivity.
D. Review the local disk configuration policy and RAID settings.
E. Check the blade's CIMC for disk presence.
Answers: D, E

Improper RAID configuration can cause disks to be unrecognized.

Why this answer

Possible causes: local disk not connected, or RAID configuration missing. Checking physical presence in CIMC and verifying RAID configuration are logical first steps.

616
MCQ · medium

An organization has deployed a 4-node HyperFlex cluster with all-flash storage and replication factor 3 (RF3). One node fails. How many nodes are required to remain operational for the cluster to continue serving data without interruption?

A. 1
B. 2
C. 4
D. 3
Answer: D

Three nodes still hold all three replicas of data.

Why this answer

For RF3, data is replicated three times. With 4 nodes, if one fails, three remain, which still have all data copies. The cluster remains operational.

617
Multi-Select · hard

An engineer is troubleshooting a performance issue on a Cisco MDS 9700 switch. The 'show interface fc1/1' output shows CRC errors incrementing slowly. The interface is connected to a storage array. Which two actions should the engineer take to resolve the issue?

Select 2 answers
A. Increase the MTU size on the interface.
B. Replace the fiber optic cable and SFP.
C. Enable BB_credit recovery on the interface.
D. Clear the interface counters.
E. Change the interface speed from auto to a fixed value.
Answers: B, C

Faulty cables or SFPs are common causes of CRC errors.

Why this answer

CRC errors on a Fibre Channel interface typically indicate physical-layer issues such as faulty cabling, damaged SFPs, or dirty optical connectors. Replacing the fiber optic cable and SFP (Option B) directly addresses the most common root cause of CRC errors. Additionally, enabling BB_credit recovery (Option C) helps mitigate performance degradation caused by buffer credit starvation, which can manifest as CRC-like symptoms in some scenarios.

Exam trap

Cisco often tests the distinction between physical-layer errors (CRC) and flow-control issues (BB_credit), tempting candidates to choose a single answer when both a physical fix and a protocol-level tuning are required.

618
MCQ · medium

An engineer notices that a vPC peer link is flapping. Which vPC component must be operational for the vPC to function correctly?

A. vPC member port
B. vPC consistency check
C. vPC peer link
D. vPC peer keepalive link
Answer: C

Peer link must be up for vPC to operate.

Why this answer

The vPC peer link is essential for synchronizing states between peers; if it goes down, vPC ports may be suspended.

619
MCQ · hard

Refer to the exhibit. What is the most likely cause of neighbor 10.1.1.3 being stuck in EXSTART?

A. Duplicate router ID.
B. OSPF network type mismatch.
C. MTU mismatch between the interfaces.
D. The interface is configured as passive.
Answer: C

MTU mismatch prevents DBD packets from being sent successfully.

Why this answer

In OSPF, the EXSTART state indicates that neighbors are negotiating the master/slave relationship and exchanging Database Description (DBD) packets. If the MTU of the interface on one side is larger than the MTU on the other, the larger DBD packet will be silently dropped, preventing the neighbor from progressing past EXSTART. This is a classic symptom of an MTU mismatch, as the OSPF adjacency will remain stuck in EXSTART or EXCHANGE.

Exam trap

Cisco often tests the MTU mismatch trap by having candidates confuse it with a network type mismatch, but the key differentiator is that MTU issues cause the adjacency to stall specifically in EXSTART/EXCHANGE, while network type mismatches prevent the adjacency from forming past INIT/2WAY.

How to eliminate wrong answers

Option A is wrong because a duplicate router ID would cause the adjacency to flap or remain in INIT/2WAY, not EXSTART, as OSPF detects the duplicate during the Hello exchange. Option B is wrong because an OSPF network type mismatch (e.g., broadcast vs. point-to-point) typically results in neighbors stuck in INIT or 2WAY, not EXSTART, due to mismatched Hello/dead intervals or DR/BDR election issues. Option D is wrong because a passive interface suppresses OSPF Hellos entirely, preventing any neighbor discovery, so the adjacency would never reach EXSTART.

620
MCQ · medium

A data center engineer is configuring a Cisco UCS C-Series server with a hardware RAID controller. The server will host a critical database. The RAID controller supports RAID 0, 1, 5, 6, and 10. Which RAID level should be chosen to provide the best combination of performance and fault tolerance?

A. RAID 10
B. RAID 6
C. RAID 5
D. RAID 0
Answer: A

RAID 10 combines mirroring and striping, offering both performance and fault tolerance.

Why this answer

RAID 10 (striping of mirrors) provides the best combination of performance and fault tolerance for a critical database workload. It offers high read/write performance through striping and full redundancy via mirroring, allowing up to one disk failure per mirrored pair without data loss. This is ideal for a Cisco UCS C-Series server with a hardware RAID controller where both I/O throughput and availability are paramount.

Exam trap

Cisco often tests the misconception that RAID 5 or RAID 6 offer 'good enough' performance for databases, but the trap is that parity-based RAIDs introduce significant write penalties that degrade transactional throughput, making RAID 10 the correct choice for critical database workloads.

How to eliminate wrong answers

Option B (RAID 6) is wrong because while it offers dual parity and can tolerate two disk failures, its write performance is significantly degraded due to double parity calculations, making it unsuitable for a performance-sensitive database. Option C (RAID 5) is wrong because its single parity provides lower fault tolerance and suffers from a write penalty during parity updates, which can bottleneck database transactions. Option D (RAID 0) is wrong because it offers no fault tolerance; any single disk failure results in complete data loss, which is unacceptable for a critical database.

621
MCQ · hard

A UCS administrator needs to ensure that only the fabric interconnect management plane is accessible from the management network. Which feature should be implemented?

A. SED encryption
B. CoPP
C. Management plane isolation
D. RBAC
Answer: C

Management plane isolation restricts management access to dedicated interfaces.

Why this answer

Management plane isolation ensures that management traffic is separate from data traffic, often using dedicated management interfaces or VRFs.

622
MCQ · medium

An engineer is configuring a pair of Nexus 9000 switches as vPC peers. The vPC peer keepalive link is established. Which statement about the vPC peer keepalive is true?

A. It carries data traffic between vPC peers.
B. It is used to synchronize MAC address tables between peers.
C. It is a Layer 3 keepalive using the management or a dedicated interface to ensure peer reachability.
D. It provides a Layer 3 keepalive to detect peer failure and should be on a separate VLAN.
Answer: C

Correct: peer keepalive is a Layer 3 heartbeat, often over mgmt0 or dedicated interface.

Why this answer

The vPC peer keepalive monitors liveness of the peer switch; it is recommended to use a separate Layer 3 link (out-of-band) to avoid dependency on the peer-link.

623
MCQ · medium

A storage administrator is configuring a new Fibre Channel fabric using Cisco MDS switches. The edge switches must connect to the core without participating in the full routing domain to conserve domain IDs. Which Fibre Channel feature should be configured on the edge switches?

A. PortChannels
B. VSANs
C. NPV mode
D. EISL trunking
Answer: C

NPV mode allows edge switches to proxy login through the core switch, eliminating the need for a domain ID.

Why this answer

N-Port Virtualization (NPV) mode allows an edge switch to connect to a core switch without consuming a Fibre Channel domain ID, scaling the fabric while reducing administrative overhead.

624
MCQ · medium

A network administrator wants to prevent IP spoofing attacks on a data center access switch. The switch has IP Source Guard enabled on the client-facing ports. Which condition must be met for IP Source Guard to work properly?

A. DHCP snooping must be disabled on the VLAN.
B. DHCP snooping must be enabled on the VLAN and the port must be untrusted.
C. All clients must use DHCP; static IPs are not supported.
D. Dynamic ARP Inspection must be enabled first.
Answer: B

IP Source Guard uses the DHCP snooping binding table on untrusted ports.

Why this answer

IP Source Guard uses a binding table created by DHCP snooping to validate the source IP address of packets received on a port. For IP Source Guard to work, DHCP snooping must be enabled on the VLAN, and the client-facing port must be configured as an untrusted port so that DHCP snooping can populate the binding table with valid DHCP lease information. Without this binding table, IP Source Guard has no source IP-to-MAC mapping to enforce.

Exam trap

Cisco often tests the dependency between IP Source Guard and DHCP snooping, specifically that DHCP snooping must be enabled on the VLAN and the port must be untrusted, leading candidates to incorrectly assume DHCP snooping must be disabled or that static IPs are unsupported.

How to eliminate wrong answers

Option A is wrong because DHCP snooping must be enabled on the VLAN to build the IP-to-MAC binding table that IP Source Guard relies on; disabling DHCP snooping would leave the binding table empty, causing IP Source Guard to drop all traffic. Option C is wrong because IP Source Guard supports static IP assignments if a static binding is manually configured using the 'ip source binding' command; it does not require all clients to use DHCP. Option D is wrong because Dynamic ARP Inspection (DAI) is a separate security feature that also depends on DHCP snooping, but IP Source Guard does not require DAI to be enabled first; both features can operate independently as long as DHCP snooping is active.

625
MCQ · easy

A network engineer is configuring VLAN ACLs on a Cisco Nexus 9000 switch to enforce traffic filtering between VLANs. Which configuration step is required to apply a VACL to a VLAN?

A. Apply the VACL to a Layer 3 interface using 'ip access-group'.
B. Apply the VACL to a physical port using 'mac access-group'.
C. Define a VLAN access-map and then apply it under the VLAN configuration.
D. Use the 'vlan filter' command in global configuration mode.
Answer: D

'vlan filter' applies the VACL to a specific VLAN.

Why this answer

Option D is correct because VACLs on Cisco Nexus 9000 switches are applied using the 'vlan filter' command in global configuration mode, which references a VLAN access-map. This command binds the access-map to a specific VLAN, enabling Layer 2 traffic filtering between VLANs without requiring a Layer 3 interface.

Exam trap

Cisco often tests the distinction between applying an ACL to an interface versus applying a VACL to a VLAN, and the trap here is that candidates mistakenly think a VLAN access-map is applied directly under the VLAN configuration (like 'vlan 10' mode) rather than using the global 'vlan filter' command.

How to eliminate wrong answers

Option A is wrong because 'ip access-group' applies an IP ACL to a Layer 3 interface (SVI or routed port), not a VACL, and VACLs are not applied to Layer 3 interfaces. Option B is wrong because 'mac access-group' applies a MAC ACL to a physical port for Layer 2 traffic filtering on that port, not to a VLAN for inter-VLAN filtering. Option C is wrong because while defining a VLAN access-map is a necessary step, it must be applied using the 'vlan filter' command in global configuration mode, not under the VLAN configuration (the 'vlan' config mode does not support applying access-maps directly).

626
MCQ · medium

An engineer is configuring a VXLAN EVPN fabric. Which address family must be enabled under BGP to exchange MAC/VTEP reachability information?

A. address-family ipv4 unicast
B. address-family l2vpn vpls
C. address-family vpnv4
D. address-family l2vpn evpn
Answer: D

This is the correct address family for EVPN.

Why this answer

MP-BGP EVPN uses the L2VPN address family (afi l2vpn safi evpn) to advertise MAC addresses, VNI mappings, and VTEP reachability.

627
Drag & Drop · medium

Sequence the steps to configure a VXLAN with BGP EVPN on a Cisco Nexus switch.


Why this order

VXLAN EVPN requires overlay feature, VNI mapping, VTEP loopback, BGP peering, and verification.

628
Multi-Select · medium

Which TWO of the following are components of the Cisco ACI Management Information Tree (MIT)? (Choose two.)

Select 2 answers
A. l3extOut
B. fvAp
C. fvTenant
D. vlan
E. interface
Answers: B, C

Correct. Application Profile is a MIT object under tenant.

Why this answer

The MIT includes objects like tenants, application profiles (AP), EPGs, and bridge domains (BD). VRF is also part of MIT. 'fvTenant', 'fvAp', 'fvAEPg', 'fvBD' are object classes. 'l3extOut' is for L3 out, not part of the core MIT hierarchy for tenant networking.

629
MCQ · hard

A large enterprise data center has a disaster recovery site 100 km away. The SAN uses two MDS 9700 series switches at each site, connected via a dedicated dark fiber. Each link operates at 16 Gbps with a round-trip time of 2 ms. Recently, backup jobs to the remote storage array have been failing with timeout errors. The backup server is local to Site A, but the backup target is in Site B. The link utilization never exceeds 40%, and no errors are reported on the interfaces. The engineer suspects the issue is related to buffer credits. The current buffer credit count on the ISL is 16. The engineer calculates that for 16 Gbps over 100 km (2 ms RTT), they need at least 200 credits to maintain full throughput. Which action is most appropriate to resolve the issue?

A. Enable NPIV on the ISL ports to allow multiple logins.
B. Increase the buffer-to-buffer credit count to 300 on the ISL interfaces.
C. Configure the ISL to operate at 8 Gbps to reduce the buffer credit requirement.
D. Implement FCIP over the existing dark fiber to offload buffer credit management.
Answer: B

More credits allow more frames in flight, avoiding timeout and maintaining throughput.

Why this answer

Increasing buffer credits resolves the timeout issue due to credit starvation. Option D is correct. Option A is wrong because the links are physically direct; FCIP is not needed.

Option B is wrong because NPIV is not related to buffer credits. Option C is wrong because reducing speed lowers performance.

630
Multi-Select · easy

Which TWO features are used to validate ARP packets and prevent ARP spoofing attacks? (Select exactly 2)

Select 2 answers
A. IP Source Guard
B. Private VLANs
C. Dynamic ARP Inspection
D. Port Security
E. DHCP Snooping
Answers: C, E

DAI intercepts and validates ARP packets.

Why this answer

Dynamic ARP Inspection (DAI) is correct because it validates ARP packets by checking them against the DHCP snooping binding database, ensuring that only legitimate ARP replies and requests are forwarded. This prevents ARP spoofing attacks where an attacker sends falsified ARP messages to associate their MAC address with the IP address of a legitimate device.

Exam trap

Cisco often tests the distinction between features that validate ARP packets (DAI) versus features that validate IP packets (IP Source Guard) or limit MAC addresses (Port Security), causing candidates to confuse the scope of each security mechanism.

631
MCQ · medium

A company is deploying a new Cisco UCS Mini with a single Fabric Interconnect 6324. They need to connect to an existing Fibre Channel SAN. Which action is required to enable Fibre Channel connectivity?

A. Enable NPV mode on the Fabric Interconnect to connect to the SAN.
B. Install a Fibre Channel module in the Fabric Interconnect.
C. Add a Cisco MDS 9148S Fibre Channel switch and connect it to the Fabric Interconnect via FC uplinks.
D. Configure the uplink Ethernet ports as unified ports to support Fibre Channel.
Answer: C

A dedicated FC switch provides SAN connectivity for UCS Mini.

Why this answer

The Cisco UCS Mini with a single Fabric Interconnect 6324 does not have native Fibre Channel ports; it only supports Ethernet uplinks. To connect to an existing Fibre Channel SAN, an external Fibre Channel switch (such as the Cisco MDS 9148S) must be added, and the Fabric Interconnect connects to it via FC uplinks, which are typically configured as unified ports. This allows the UCS Mini to leverage the MDS switch for Fibre Channel connectivity, as the 6324 itself cannot directly terminate Fibre Channel links.

Exam trap

Cisco often tests the misconception that the UCS Fabric Interconnect 6324 can directly connect to a Fibre Channel SAN by simply enabling NPV mode or using unified ports, but the key trap is that the 6324 lacks native Fibre Channel ports and requires an external Fibre Channel switch (like the MDS) to bridge the FCoE traffic to the FC SAN.

How to eliminate wrong answers

Option A is wrong because NPV (N_Port Virtualization) mode is used on a Fibre Channel switch to connect to an upstream SAN fabric, but the Fabric Interconnect 6324 does not have native Fibre Channel ports to run NPV; NPV is configured on the MDS switch, not the UCS Fabric Interconnect. Option B is wrong because the Fabric Interconnect 6324 does not support a Fibre Channel module; it only has fixed Ethernet ports and unified ports that can be configured for Fibre Channel, but no expansion module slot for FC. Option D is wrong because while unified ports can be configured on the 6324 to support Fibre Channel, they only provide connectivity to a downstream FCoE or FC device, not directly to a Fibre Channel SAN; the unified ports must be connected to an external Fibre Channel switch (like the MDS) to reach the SAN fabric.

632
MCQhard

In an ACI fabric, an EPG is configured with a contract that allows HTTP traffic to an external network. The external network is reachable via a Layer 3 Outside. However, HTTP traffic from the EPG fails. What is the most likely cause?

A.The subject action is set to deny
B.The L3Out and the EPG are in different VRFs
C.The filter uses the wrong direction
D.The contract is applied to the consumer EPG instead of the provider
AnswerB

ACI contracts only work within the same VRF. If the L3Out is in a different VRF, route leaking is required.

Why this answer

Option B is correct because in Cisco ACI, communication between an EPG and an external network via a Layer 3 Outside requires both to be in the same VRF. If the EPG and the L3Out are in different VRFs, the contract cannot be enforced, and traffic will fail even if the contract allows HTTP. The VRF provides the routing and policy enforcement boundary for the contract.

Exam trap

Cisco often tests the misconception that a contract alone is sufficient for inter-VRF communication, but in ACI, contracts are VRF-scoped and cannot bridge different VRFs without additional configuration like a VRF route leak or a shared service contract.

How to eliminate wrong answers

Option A is wrong because if the subject action were set to deny, the contract would explicitly block HTTP traffic, but the question states the contract allows HTTP, so the action is not deny. Option C is wrong because the filter direction (e.g., from consumer to provider) is correctly configured in the contract; the issue is not about direction but about VRF mismatch preventing any policy application. Option D is wrong because applying the contract to the consumer EPG instead of the provider is a valid configuration; the consumer EPG typically consumes the contract, and the provider EPG provides the service, so this would not cause a failure if the contract is correctly applied to the consumer.

633
MCQeasy

A network engineer is configuring a new Fibre Channel switch to connect to an existing storage fabric. The switch will be used to aggregate multiple edge switches and must appear as a single Fibre Channel device to the core. Which port type should be used on the edge switch facing the core switch to achieve this?

A.F-port
B.N-port
C.NP-port
D.E-port
AnswerC

Correct. NP-port is used in NPV mode to connect an edge switch to the core fabric.

Why this answer

NP-port (N-Port Virtualization) is used on an edge switch in NPV mode to connect to the core fabric; it behaves like an N-port but allows multiple N-port IDs behind it.

634
MCQeasy

A data center architect is designing a SAN with two MDS switches using VSANs. Which method ensures traffic isolation between departments while allowing sharing of a tape library?

A.Use FCIP tunnels for each department.
B.Create separate VSANs and merge them for the tape library.
C.Create separate VSANs for each department and a shared VSAN for the tape library with inter-VSAN routing (IVR).
D.Use one VSAN for all departments and one zone for each department.
AnswerC

IVR allows selective sharing between VSANs.

Why this answer

Multiple VSANs isolate traffic, and a shared tape library can be placed in a common VSAN with appropriate zones. Option C is correct. Option D is wrong because a single VSAN does not isolate.

Option B is wrong because merging VSANs loses isolation. Option A is wrong because FCIP is for distance.

635
MCQhard

A Cisco UCS upgrade from release 3.1(1) to 4.0(4) is planned. The current release has a known issue that affects NVRAM backup. What is the best practice to avoid an outage during this upgrade?

A.Perform a cold reboot of all Fabric Interconnects before starting.
B.Upgrade all components simultaneously to reduce transition time.
C.Upgrade the firmware on the chassis first, then the Fabric Interconnects.
D.Upgrade to an intermediate release that is recommended for the upgrade path.
AnswerD

Most major upgrades require stepping through an intermediate release.

Why this answer

Option D is correct because Cisco UCS firmware upgrades must follow a supported upgrade path to avoid incompatibilities and known issues. Skipping directly from 3.1(1) to 4.0(4) is not supported; an intermediate release (e.g., 3.2(x) or 4.0(1)) is required to resolve the NVRAM backup issue and ensure a seamless upgrade without service disruption.

Exam trap

Cisco often tests the concept of supported upgrade paths and intermediate releases, trapping candidates who assume direct upgrades are always possible or that component order can be rearranged arbitrarily.

How to eliminate wrong answers

Option A is wrong because a cold reboot of all Fabric Interconnects before starting would cause an immediate outage, defeating the purpose of avoiding downtime; the upgrade process itself handles reboots gracefully. Option B is wrong because upgrading all components simultaneously violates Cisco's recommended sequential upgrade order (Fabric Interconnects first, then chassis IOMs, then servers) and increases the risk of configuration mismatches and extended downtime. Option C is wrong because the chassis firmware should be upgraded after the Fabric Interconnects, not before, as the Fabric Interconnects control the management plane and must be at a compatible version first.

636
MCQeasy

In a Cisco UCS B-Series deployment, which component provides the physical connectivity between blade server mezzanine cards and the Fabric Interconnects?

A.UCS Manager
B.Fabric Extender (FEX)
C.I/O Module (IOM)
D.Cisco Integrated Management Controller (CIMC)
AnswerC

Correct. The IOM connects blade mezzanine cards to Fabric Interconnects.

Why this answer

The I/O Module (IOM) in the UCS 5108 chassis provides the connectivity between blade server mezzanine cards and the Fabric Interconnects via server ports.

637
MCQmedium

An engineer is connecting a Cisco UCS C-Series rack server to the network. The server must be managed by UCS Manager alongside existing B-Series blades. Which mode should the C-Series server be configured in?

A.Direct Connect mode
B.UCS Manager mode
C.Standalone mode
D.Cisco IMC Supervisor mode
AnswerB

UCS Manager mode allows unified management of C-Series in UCS Manager.

Why this answer

C-Series rack servers can be integrated into UCS Manager using UCS Manager mode (sometimes called C-Series Integrated mode), where they are managed through the Fabric Interconnects.

638
MCQmedium

A UCS administrator notices that a service profile associated with a vNIC template that uses 'fabric failover' is not failing over to the secondary Fabric Interconnect when the primary link goes down. The vNIC template is set to 'fabric failover' enabled, and both Fabric Interconnects are in the same VLAN. What is the most likely cause?

A.The 'Primary Fabric' setting is not defined in the vNIC template.
B.The server is pinned to the primary Fabric Interconnect via a pin group.
C.The MTU size on the secondary Fabric Interconnect is set to 1500 instead of 9000.
D.The 'MAC Address' policy is set to 'pool-based' instead of 'static'.
AnswerA

The primary fabric must be selected in the vNIC template for failover to function correctly.

Why this answer

When 'fabric failover' is enabled on a vNIC template, the UCS Manager requires the 'Primary Fabric' setting to be explicitly defined to determine which Fabric Interconnect (FI-A or FI-B) should be the active path. Without this setting, the system cannot properly orchestrate the failover behavior, causing the vNIC to remain pinned to the primary FI even when its link goes down. This is a common misconfiguration because the 'fabric failover' checkbox alone does not imply a primary fabric assignment.

Exam trap

Cisco often tests the misconception that enabling 'fabric failover' alone is sufficient for automatic failover, when in fact the 'Primary Fabric' field must also be explicitly configured to define the active path.

How to eliminate wrong answers

Option B is wrong because a pin group explicitly pins a server to a specific Fabric Interconnect and would prevent failover by design; it would override the 'fabric failover' setting, but the question gives no indication that a pin group is configured, so the missing 'Primary Fabric' definition remains the most likely cause. Option C is wrong because an MTU mismatch (1500 vs 9000) affects jumbo frame support and packet fragmentation, not the failover mechanism between Fabric Interconnects. Option D is wrong because the MAC Address policy (pool-based vs static) determines how MAC addresses are assigned to vNICs, but it has no impact on fabric failover behavior.

639
MCQmedium

In the context of Ansible automation for Cisco Nexus switches, which module can be used to manage VLAN configurations?

A.nxos_interface
B.nxos_vlan
C.nxos_bgp
D.nxos_config
AnswerB

Correct: nxos_vlan is designed for VLAN management.

Why this answer

The cisco.nxos collection includes the nxos_vlan module specifically for managing VLANs on NX-OS devices.

640
MCQhard

An organization wants to encrypt Fibre Channel traffic in-flight between storage and servers. Which standard should be used?

A.IPsec
B.MACsec
C.FC-SP-2
D.SED
AnswerC

FC-SP-2 encrypts FC frames.

Why this answer

FC-SP-2 provides encryption for Fibre Channel data in transit.

641
MCQeasy

Which control plane protection mechanism should be configured to limit the rate of BGP updates destined to the CPU of a Nexus 9000 switch to prevent CPU overload?

A.VLAN Access Control Lists (VACLs)
B.Control Plane Policing (CoPP)
C.EtherChannel load balancing
D.Switched Port Analyzer (SPAN)
AnswerB

CoPP rate-limits control plane packets.

Why this answer

Control Plane Policing (CoPP) is the correct mechanism because it directly filters and rate-limits control plane traffic, such as BGP updates, before it reaches the CPU of a Nexus 9000 switch. By applying a CoPP policy, you can protect the CPU from being overwhelmed by excessive BGP updates, ensuring stability and preventing denial-of-service conditions.

Exam trap

Cisco often tests the distinction between data plane and control plane mechanisms, and the trap here is that candidates may confuse VACLs (data plane filtering) with CoPP (control plane policing), assuming any ACL can protect the CPU.

How to eliminate wrong answers

Option A is wrong because VLAN Access Control Lists (VACLs) filter traffic within the data plane at the VLAN level, not the control plane, and cannot rate-limit BGP updates destined to the CPU. Option C is wrong because EtherChannel load balancing distributes data traffic across aggregated links to improve bandwidth and redundancy, but it has no mechanism to police or limit control plane traffic like BGP updates. Option D is wrong because Switched Port Analyzer (SPAN) is used for port mirroring traffic to a monitoring device for analysis, not for filtering or rate-limiting control plane packets to the CPU.

642
MCQeasy

Which NX-OS command displays the vPC consistency parameters and status on a Cisco Nexus switch?

A.show vpc peerlink
B.show vpc brief
C.show vpc consistency-parameters
D.show running-config vpc
AnswerC

Correct: displays type-1 and type-2 consistency.

Why this answer

The command 'show vpc consistency-parameters' verifies vPC consistency across peers.

643
Drag & Dropmedium

Arrange the steps to recover a lost admin password on a Cisco Nexus switch.


Why this order

Password recovery involves boot interruption, register change, boot, password reset, and save.

644
MCQeasy

A network engineer is troubleshooting high CPU utilization on a Nexus 9000 switch. Which command is most useful to identify the process consuming the most CPU?

A.show processes cpu history
B.show process cpu sort
C.show system resources
D.show cpu usage
AnswerB

This command sorts processes by CPU usage, allowing identification of the most intensive process.

Why this answer

Option B is correct because the 'show process cpu sort' command on Nexus 9000 switches displays the current CPU utilization sorted by the process consuming the most CPU, allowing the engineer to quickly identify the top CPU consumer. This command provides a real-time, sorted list of processes with their CPU usage percentages, which is directly useful for troubleshooting high CPU utilization.

Exam trap

Cisco often tests the distinction between 'show processes cpu' (which lists all processes unsorted) and 'show process cpu sort' (which sorts by CPU usage), and the trap here is that candidates may confuse 'show cpu usage' with a valid command or assume 'show system resources' provides process-level detail.

How to eliminate wrong answers

Option A is wrong because 'show processes cpu history' shows historical CPU utilization data in a graphical format over time, not the current processes consuming CPU, so it cannot identify the specific process causing the spike. Option C is wrong because 'show system resources' displays overall system resource usage (memory, CPU, buffers) but does not break down CPU usage by individual process, making it insufficient for pinpointing the culprit process. Option D is wrong because 'show cpu usage' is not a valid command on Nexus 9000 switches; the correct command for a summary of CPU usage is 'show processes cpu', which lists all processes but not sorted by CPU consumption.

645
MCQeasy

What is the primary benefit of using UCS service profiles for server deployment?

A.Hardware abstraction and stateless computing
B.Increased network bandwidth
C.Reduced power consumption
D.Simplified storage zoning
AnswerA

Service profiles decouple the logical server identity from physical hardware.

Why this answer

Service profiles abstract hardware configuration, allowing rapid provisioning and stateless computing. A server can be replaced without reconfiguration by simply associating the same service profile.

646
MCQmedium

Which Cisco UCS component is responsible for aggregating traffic from multiple blade servers in a 5108 chassis to the Fabric Interconnect?

A.Cisco UCS 2200 Series Fabric Extender
B.Cisco UCS 5108 Chassis I/O Module (IOM)
C.Cisco UCS 6300 Series Fabric Interconnect
D.Cisco UCS 2100 Series Fabric Extender
AnswerB

The IOM aggregates blade server traffic and connects to Fabric Interconnects.

Why this answer

The I/O Module (IOM) in the 5108 chassis connects to the midplane and uplinks to the Fabric Interconnect via server ports.

647
MCQmedium

In UCS service profile templates, when you update the template, how do the changes propagate to the service profiles derived from it?

A.Changes are applied only if the service profile is not associated with a server.
B.Changes are automatically applied to all derived service profiles immediately.
C.Changes are applied only during server reboot.
D.Changes must be manually applied to each derived service profile.
AnswerB

By default, templates update derived profiles automatically, though this can be overridden.

Why this answer

When a service profile is created from a template, it can be set to update automatically when the template changes, or manually. The default behavior is that changes are propagated automatically unless the profile is set to manual update.

648
MCQmedium

An organization wants to integrate their UCS C-series rack servers into an existing UCS Manager domain. Which mode should be used to achieve centralized management of the C-series servers through UCS Manager?

A.Direct Connect mode
B.UCS Managed mode
C.Standalone mode
D.Cisco IMC Supervisor mode
AnswerB

In UCS Managed mode, the C-series server appears as a compute resource in UCS Manager and can be assigned service profiles.

Why this answer

C-series servers can be managed by UCS Manager when they are in UCS Managed mode, which requires the server to be connected via a Fabric Interconnect and have the appropriate license.

649
MCQeasy

An NFS client is unable to write to a mounted export. The client can read files. What is the most likely cause?

A.Export permissions are read-only for the client
B.Network latency causing timeouts
C.Incorrect mount options (e.g., ro instead of rw)
D.NFS version mismatch
AnswerA

Correct: Read-only export allows reads but denies writes.

Why this answer

Option A is correct because write access requires proper permissions on both the export and the user. Option D is incorrect because NFS version does not affect read/write. Option C is incorrect because mount options affect mounting, not file operations.

Option B is incorrect because network issues would prevent both read and write.

650
Multi-Selectmedium

Which TWO statements correctly describe active zone sets in a Cisco MDS Fibre Channel fabric?

Select 2 answers
A.The active zone set is propagated to all switches in the fabric
B.Only one zone set can be active per VSAN
C.Zones within the active zone set can be selectively deactivated
D.The active zone set is stored in the running configuration only
E.Multiple zone sets can be active simultaneously
AnswersA, B

When a zone set is activated, it is distributed to all switches in the VSAN.

Why this answer

An active zone set is the set of zones that are enforced in the fabric. Only one zone set can be active at a time, and it is propagated to all switches in the fabric.

651
MCQmedium

A Cisco ACI fabric has contracts configured to allow traffic between two EPGs. After deployment, traffic between endpoints in these EPGs is being dropped, but contract statistics show no packets have been permitted. The administrator checks the contract configuration and it looks correct. What is the most likely cause?

A.The contract is configured only on the provider EPG, but the consumer EPG is not consuming the contract.
B.The contract is applied to the wrong VRF.
C.The filter direction is set to both, but the contract is using an incorrect filter.
D.The endpoints are in different VMM domains.
AnswerA

The consumer EPG must also consume the contract; otherwise, traffic is denied.

Why this answer

The most likely cause is that the contract is configured on the provider EPG but the consumer EPG is not configured to consume it. In Cisco ACI, a contract must be explicitly provided by one EPG and consumed by another for traffic to be permitted. If the consumer EPG does not have the contract applied, the contract will not be enforced, and traffic will be dropped even if the contract configuration appears correct.

The contract statistics showing no permitted packets confirm that the contract is not being applied to the traffic flow.

Exam trap

Cisco often tests the misconception that configuring a contract on the provider EPG alone is enough to permit traffic, when in fact the consumer EPG must also explicitly consume the contract for the policy to take effect.

How to eliminate wrong answers

Option B is wrong because applying a contract to the wrong VRF would prevent any communication between EPGs in different VRFs, but the contract statistics would show no packets at all, and the administrator would likely notice the VRF mismatch during configuration review. Option C is wrong because an incorrect filter direction or filter would still result in some packets being counted in contract statistics (e.g., denied packets), but the question states no packets have been permitted, indicating the contract itself is not being consumed. Option D is wrong because endpoints in different VMM domains can still communicate if the EPGs are in the same VRF and a contract is properly configured; VMM domain mismatch affects endpoint discovery and policy enforcement but does not directly cause contract statistics to show zero permitted packets.

652
MCQmedium

In a data center running MST, which region configuration parameter must match on all switches for them to be part of the same region?

A.Spanning-tree mode
B.Bridge priority
C.Max-age and hello time
D.Region name, revision number, and VLAN-to-instance mapping
AnswerD

All three must match for consistent region membership.

Why this answer

MST region configuration includes the region name, revision number, and VLAN-to-instance mapping; if any of these mismatch, the switches treat each other as belonging to different regions.

653
MCQmedium

A Cisco MDS switch is configured with fabric binding to restrict which switches can join the fabric. A new switch is added, but it fails to establish an E-port connection. What is the most likely cause?

A.Incompatible SFP modules between the switches
B.Incorrect zoning configuration on the existing switch
C.The new switch has a higher priority than the principal switch
D.The new switch's WWN is not included in the fabric binding configuration
AnswerD

Fabric binding rejects unauthorized switches.

Why this answer

Option D is correct: Fabric binding uses the switch WWN to allow or deny switches. If the new switch's WWN is not in the allowed list, the E-port will not come up. Option A is wrong: Incompatible SFPs would cause link issues regardless of fabric binding.

Option B is wrong: Zoning does not affect E-port formation. Option C is wrong: Switch priority affects principal switch selection, not E-port formation.

654
MCQmedium

In a spine-leaf architecture, what is the primary advantage of using a full mesh between spines and leaves?

A.It provides uniform low-latency paths between any two leaves
B.It reduces the total number of ports required
C.It removes the requirement for Spanning Tree Protocol
D.It eliminates the need for VLANs in the data center
AnswerA

Each leaf is one hop from any spine, ensuring low latency.

Why this answer

A full mesh where every leaf connects to every spine provides any-to-any connectivity, low latency (all paths are single hop), and high bandwidth with ECMP. It simplifies routing and provides predictable performance. It does not reduce the number of ports (it increases ports), and it does not eliminate the need for VLANs or STP in the underlay (though often STP is not needed due to routing).

655
MCQhard

A data center deployment uses NPV mode on a Cisco MDS switch to connect to a core Fibre Channel switch. After configuration, the NPV switch does not register with the core. What is the most likely cause?

A.Fibre Channel ports are in trunk mode.
B.The core switch has NPV mode enabled.
C.NPIV is not enabled on the core switch.
D.The NPV switch has an incorrect domain ID.
AnswerC

Core must have NPIV enabled for NPV.

Why this answer

NPV (N_Port Virtualization) mode requires NPIV (N_Port ID Virtualization) to be enabled on the core Fibre Channel switch. NPIV allows a single physical N_Port to register multiple FCIDs (Fibre Channel IDs) for multiple virtual initiators behind the NPV switch. Without NPIV on the core, the NPV switch cannot complete the FLOGI (Fabric Login) process and will not register with the fabric.

Exam trap

Cisco often tests the distinction between NPV and NPIV, trapping candidates who confuse the two or assume that enabling NPV on both sides is required.

How to eliminate wrong answers

Option A is wrong because trunk mode on Fibre Channel ports (E_Port or TE_Port) is used for ISL (Inter-Switch Link) connections between core switches, not for NPV uplinks, which use NP_Ports. Option B is wrong because enabling NPV mode on the core switch would break the NPV architecture; NPV is only enabled on the edge switch (the NPV switch), while the core must operate in standard Fibre Channel switch mode (with NPIV enabled). Option D is wrong because domain IDs are assigned by the principal switch in the fabric and are not configured manually on NPV switches; NPV switches do not participate in domain ID distribution as they are not full switches in the fabric.

656
MCQeasy

A DevOps team is implementing CI/CD for network configuration changes on Nexus switches. Which tool is most suitable for version control of network configuration files?

A.Git
B.Jenkins
C.Ansible
D.Docker
AnswerA

Git provides version control for configuration files.

Why this answer

Git is a distributed version control system widely used for managing infrastructure as code, including network configurations. Ansible is for automation, Jenkins for CI/CD pipelines, and Docker for containers.

657
Multi-Selecteasy

Which two statements are true about Cisco TrustSec? (Choose two.)

Select 2 answers
A.It requires a Cisco ISE policy server
B.It requires 802.1X authentication
C.It provides encryption at Layer 2
D.It uses VLANs for segmentation
E.It uses SGTs for access control
AnswersA, E

ISE is the policy server that defines and distributes SGT-based policies.

Why this answer

Cisco TrustSec relies on a Cisco ISE policy server to define and enforce security policies based on Security Group Tags (SGTs). ISE acts as the centralized policy decision point, dynamically assigning SGTs to authenticated endpoints and distributing the SGT-to-IP bindings to network devices via SXP or inline tagging.

Exam trap

Cisco often tests the misconception that TrustSec requires 802.1X or provides mandatory encryption, when in fact 802.1X is just one of several authentication methods and encryption (MACsec) is an optional enhancement.

658
MCQeasy

Which FCoE component is responsible for encapsulating Fibre Channel frames into Ethernet frames?

A.FCoE module on the switch or adapter
B.FCoE Forwarder (FCF)
C.Virtual Fibre Channel interface (VFC)
D.VN interface
AnswerA

The FCoE module performs encapsulation/decapsulation.

Why this answer

The FCoE module on the switch or adapter is the component that performs the encapsulation of native Fibre Channel frames into Ethernet frames. This module handles the conversion by adding an Ethernet header, including the EtherType 0x8906 for FCoE, and managing the mapping of Fibre Channel constructs (e.g., VSANs) to VLANs. Without this module, Fibre Channel traffic cannot traverse an Ethernet network.

Exam trap

Cisco often tests the distinction between the component that performs encapsulation (FCoE module) and the logical interfaces or forwarding entities (VFC, VN, FCF) that rely on that encapsulation, leading candidates to confuse the control-plane role of the FCF or the logical nature of VFC/VN interfaces with the actual encapsulation function.

How to eliminate wrong answers

Option B (FCoE Forwarder or FCF) is wrong because the FCF is a control-plane device that provides Fibre Channel forwarding services (e.g., fabric login, name server) and connects FCoE VLANs to Fibre Channel SANs, but it does not perform the actual encapsulation of frames; that is done by the FCoE module. Option C (Virtual Fibre Channel interface or VFC) is wrong because a VFC is a logical interface that binds to an Ethernet interface and represents a Fibre Channel port in software, but it does not encapsulate frames; it relies on the underlying FCoE module for encapsulation. Option D (VN interface) is wrong because a VN interface is a virtual N_port (node port) that appears to the Fibre Channel stack as a standard N_port, but it is a logical construct that uses the FCoE module for encapsulation; it does not perform the encapsulation itself.

659
Multi-Selecteasy

Which TWO methods are supported for authenticating to the APIC REST API?

Select 2 answers
A.SAML authentication
B.Certificate-based authentication
C.Local AAA user (username/password)
D.RADIUS/TACACS+ authentication
E.LDAP authentication
AnswersB, C

X.509 certificates can be used for API authentication.

Why this answer

The APIC REST API supports certificate-based authentication (option B) and local AAA user authentication with a username and password (option C). Certificate-based authentication uses X.509 certificates for secure, non-interactive API access, while local AAA authentication relies on credentials stored directly on the APIC. Both methods are explicitly documented as valid for REST API calls.

Exam trap

Cisco often tests the distinction between authentication methods supported for the REST API versus those supported for management access (SSH, web GUI), leading candidates to incorrectly select RADIUS/TACACS+ or LDAP as valid REST API options.

660
MCQmedium

Which component in a UCS domain is responsible for aggregating and forwarding all management traffic between the chassis and the fabric interconnects?

A.CIMC
B.Blade BMC
C.IOM (FEX)
D.System controller (CMC)
AnswerD

The CMC manages the chassis and communicates with the FIs over the management network.

Why this answer

The system controller (also known as the chassis management controller) in the UCS chassis handles management traffic for the blades, including communication with UCS Manager via the FIs.

661
Drag & Dropmedium

Arrange the steps to configure a vPC domain on a pair of Cisco Nexus switches.


Why this order

vPC requires feature vPC, then domain creation, keepalive link, peer-link, and member ports.

662
MCQhard

A company is deploying a multi-tenant environment with several virtualized hosts using NPIV. Each virtual machine requires its own WWPN. During testing, some VMs cannot log into the SAN. The MDS switch logs show 'FLOGI rejected: no available resources'. What is the most likely cause?

A.The maximum FC frame size is set incorrectly on the switch
B.The VSAN maximum number of devices has been reached
C.The zone set is full and cannot accept more members
D.The NPIV limit or the number of allowed logins has been exceeded on the upstream switch
AnswerD

By default, NPIV max logins may be hit with many VMs.

Why this answer

The error 'FLOGI rejected: no available resources' on an MDS switch in an NPIV environment indicates that the switch has exhausted its allocated resources for handling fabric logins (FLOGIs) from N_Port ID Virtualization (NPIV) initiators. NPIV allows multiple virtual WWPNs to share a single physical FC port, but each virtual login consumes a login resource on the upstream switch. When the NPIV limit or the maximum number of allowed logins per interface or per VSAN is exceeded, the switch rejects new FLOGIs, preventing VMs from logging into the SAN.

Exam trap

Cisco often tests the distinction between resource exhaustion (NPIV login limits) and configuration errors (zoning or VSAN device limits) by using the specific error message 'FLOGI rejected: no available resources', which candidates mistakenly attribute to zoning or VSAN device limits instead of NPIV login resource depletion.

How to eliminate wrong answers

Option A is wrong because the maximum FC frame size (e.g., 2112 bytes vs. 1024 bytes) affects data transmission efficiency and fragmentation, not the ability to perform a fabric login (FLOGI), which is a control-plane operation. Option B is wrong because the VSAN maximum number of devices (configurable via 'fabric-limit device-login-limit') would cause a different error, such as 'device not allowed' or 'login denied', not a resource exhaustion error for FLOGI. Option C is wrong because a full zone set prevents new zone members from being added or activated, but it does not block an existing zone member's FLOGI; the error 'FLOGI rejected: no available resources' is a login resource issue, not a zoning configuration issue.

663
MCQmedium

A storage array supports both synchronous and asynchronous replication. The application requires zero data loss in case of a site failure. Which replication type should be chosen?

A.Synchronous replication
B.Asynchronous replication
C.Thin provisioning
D.Snapshot-based replication
AnswerA

Synchronous replication guarantees zero data loss as data must be written to both sites.

Why this answer

Synchronous replication writes data to the primary and secondary storage before acknowledging the write, ensuring zero data loss (RPO=0). Asynchronous replication may have some lag.

664
MCQhard

In a UCS environment, which method provides management plane isolation for the fabric interconnects?

A.Enabling CoPP on the fabric interconnect
B.Configuring the management IP on a dedicated management port
C.Using RBAC roles in UCS Manager
D.Using a separate VRF for management traffic
AnswerB

The management port is physically separate from data ports.

Why this answer

UCS fabric interconnects have a dedicated management interface that can be placed in a separate management VLAN for isolation.

665
MCQmedium

An administrator wants to prevent a rogue DHCP server from assigning IP addresses on a Nexus switch. Which feature should be enabled?

A.Dynamic ARP Inspection
B.DHCP Snooping
C.IP Source Guard
D.Port Security
AnswerB

DHCP snooping blocks rogue DHCP servers.

Why this answer

DHCP snooping filters DHCP server messages on untrusted ports.

666
MCQhard

An organization wants to adopt Infrastructure as Code (IaC) principles for their data center network. Which practice best aligns with IaC for network configuration?

A.Using spreadsheets to track changes
B.Manually configuring devices via CLI
C.Using a web GUI for each device
D.Storing configuration files in Git and applying them with automation tools
AnswerD

This is a core IaC practice.

Why this answer

IaC involves managing and provisioning network infrastructure through machine-readable definition files, rather than manual processes. Storing configurations in version control (like Git) and using automated tools is key.

667
MCQmedium

A network engineer is troubleshooting an OSPF adjacency issue between two Nexus switches. The neighbors are stuck in the EXSTART state. What is the most likely cause?

A.Hold timer mismatch
B.Incorrect area ID
C.MTU mismatch
D.Duplicate router ID
AnswerC

MTU mismatch leads to DBD packet rejection, keeping the neighbor in EXSTART.

Why this answer

An MTU mismatch prevents the exchange of Database Description packets, causing neighbors to remain in EXSTART. Other options cause different adjacency states.

668
Multi-Selectmedium

Which TWO of the following are characteristics of the NETCONF protocol? (Choose two.)

Select 2 answers
A.Operates over SSH or TLS.
B.Supports JSON encoding as well as XML.
C.Uses XML for data representation.
D.Uses a single RPC for all operations.
E.Uses RESTful HTTP methods.
AnswersA, C

Correct: NETCONF typically uses SSH (RFC 6242) or TLS.

Why this answer

NETCONF uses XML for data encoding and provides operations like get, edit-config, etc., based on YANG models.

669
Multi-Selecthard

Which THREE components are part of a HyperFlex HX Data Platform (HXDP) cluster? (Choose three.)

Select 3 answers
A.Fabric Interconnect
B.Witness VM
C.IOM module
D.Storage node
E.Controller VM (CVM)
AnswersB, D, E

Witness provides quorum.

Why this answer

An HXDP cluster includes controller VMs, storage nodes, and a witness VM that provides quorum.

670
MCQeasy

Which Cisco Data Center Network Manager component is used for centralized fabric management and automation of Nexus switches?

A.DCNM
B.Cisco ISE
C.Prime Infrastructure
D.APIC
AnswerA

Correct: DCNM manages Nexus switches.

Why this answer

DCNM (Data Center Network Manager) provides centralized management for Nexus fabrics, including provisioning, monitoring, and troubleshooting.

671
MCQeasy

A small business has a Cisco MDS 9148S switch with a single fabric. Two hosts are connected to ports fc1/1 and fc1/2, and a storage array is connected to ports fc1/3 and fc1/4. The administrator wants to ensure that each host can only see its own assigned LUNs on the array. They have configured a zone for each host containing the host pWWN and the target pWWN for the respective LUNs. However, Host A is able to see Host B's LUNs. What is the most likely cause?

A.The zone is not active
B.The zones are not in the same VSAN
C.The target ports are using soft zoning
D.The zoning configuration is using a zone alias that includes both hosts
AnswerD

A zone alias containing both hosts would place them in the same zone, allowing cross-access.

Why this answer

The most likely cause is that the zoning configuration uses a zone alias that includes both hosts, causing unintended access. If zones were not active, no access would occur. Soft zoning is not a concept in MDS (hard zoning is used), and VSAN misconfiguration would isolate at a higher level.

672
MCQmedium

A service profile is configured to boot from local disk, but the blade server has no local storage. What will happen when the blade is associated with this service profile?

A.The service profile will automatically change the boot policy to SAN.
B.The association will fail with an error message.
C.The blade will boot from SAN automatically as a fallback.
D.The blade will fail to boot and the operating system will not load.
AnswerD

Without a boot device, the blade will not boot.

Why this answer

UCS Manager does not validate hardware capabilities at association time. The blade will boot and fail to find a boot device, resulting in a boot failure. The service profile can still be associated.

673
MCQeasy

In a spine-leaf data center architecture, what is the primary purpose of using equal-cost multipath (ECMP) routing?

A.To enable VXLAN encapsulation between VTEPs
B.To ensure loop-free Layer 2 topology
C.To provide load balancing across multiple paths between leaf and spine switches
D.To reduce the number of VLANs required in the fabric
AnswerC

ECMP distributes traffic across multiple equal-cost paths, increasing throughput and redundancy.

Why this answer

ECMP allows load balancing across multiple equal-cost paths, improving bandwidth utilization and redundancy.

674
Multi-Selecthard

Which TWO statements about Cisco TrustSec in a data center environment are true? (Choose two.)

Select 2 answers
A.TrustSec requires MACsec encryption on all links to function.
B.Cisco ISE can dynamically assign SGTs to endpoints during authentication.
C.TrustSec uses Security Group Tags (SGTs) to enforce access control policies.
D.SGTs are assigned based on the source IP address of the traffic.
E.TrustSec policies are enforced at Layer 3 only.
AnswersB, C

ISE assigns SGTs as part of policy after authentication.

Why this answer

Cisco ISE can dynamically assign Security Group Tags (SGTs) to endpoints during authentication via 802.1X or MAB, enabling role-based access control. This is a core TrustSec feature where the SGT is propagated to the network infrastructure to enforce policies.

Exam trap

Cisco often tests the misconception that TrustSec requires MACsec or IP-based tagging, when in fact SGTs are identity-based and MACsec is optional; candidates may also incorrectly assume TrustSec is Layer 3 only, ignoring its Layer 2 enforcement capabilities.

675
MCQmedium

A data center engineer is using Cisco Intersight to manage a hybrid infrastructure that includes UCS servers and HyperFlex clusters. The engineer needs to deploy a new server profile to a UCS domain that is claimed in Intersight. The profile includes a firmware policy that specifies version 4.1(3c) for the motherboard and 5.0(3a) for the storage controller. The target server is a C-Series rack mount server currently running firmware version 4.0(2a) on the motherboard. After deploying the profile, the server goes into a 'Pending' state and does not become 'Selectable'. The engineer checks the UCS Manager and sees that the server is in 'Discovery Failed' state. The engineer has verified that network connectivity is fine and the CIMC is accessible. What should the engineer do to resolve this?

A.Ensure that the firmware policy in Intersight is consistent with the current firmware on the server.
B.Remove the server from Intersight inventory and re-claim it.
C.Reset the server's CIMC to factory defaults and re-discover it.
D.Update the firmware manually on the server using UCS Manager before deploying the profile.
AnswerD

Manually updating the firmware to a version compatible with the UCS domain will allow the server to be discovered, after which the profile can be applied.

Why this answer

Option D is correct because when a firmware policy in Intersight specifies a version that is not compatible with the current firmware on the server, the server may enter a 'Discovery Failed' state. In this scenario, the motherboard firmware must be updated to a version that supports the storage controller firmware 5.0(3a) before the profile can be applied. Manually updating the firmware via UCS Manager ensures the server meets the prerequisite firmware baseline, allowing Intersight to complete the deployment.

Exam trap

Cisco often tests the concept that firmware policies have dependency chains, and candidates mistakenly think that a simple re-claim or reset will fix a 'Discovery Failed' state, when in fact the root cause is an incompatible firmware version that must be manually updated first.

How to eliminate wrong answers

Option A is wrong because ensuring consistency between the firmware policy and the current firmware would defeat the purpose of the policy, which is to enforce a target version; the issue is not consistency but compatibility. Option B is wrong because removing and re-claiming the server would not resolve the underlying firmware incompatibility; it would only reset the inventory state without addressing the firmware version mismatch. Option C is wrong because resetting the CIMC to factory defaults would erase configuration but not change the firmware version; the server would still fail discovery due to the incompatible firmware.
