CCNA Automation Questions

61 questions · Automation · All types, answers revealed

1
MCQ · easy

Which tool provides a programmatic HTTP-based interface to execute CLI commands on Cisco Nexus switches and returns structured JSON data?

A. Ansible
B. pyATS
C. Netmiko
D. NX-API
Answer: D

NX-API is the HTTP/HTTPS interface that accepts CLI commands and returns JSON/XML.

Why this answer

NX-API (Option D) is the correct answer because it provides a programmatic HTTP/HTTPS-based interface that allows you to send CLI commands to Cisco Nexus switches and receive structured JSON (or XML) responses. This enables automation and integration without requiring an SSH session, directly fulfilling the question's requirement for an HTTP-based interface with structured JSON output.

Exam trap

Cisco often tests the distinction between tools that provide a direct HTTP-based API (like NX-API) versus automation or scripting libraries (like Ansible, pyATS, or Netmiko) that use other protocols (SSH) or are higher-level frameworks, leading candidates to confuse the interface layer with the tool that consumes it.

How to eliminate wrong answers

Option A is wrong because Ansible is an automation framework that uses playbooks to manage devices, but it does not itself provide an HTTP-based interface for executing CLI commands on Nexus switches; it typically relies on NX-API or SSH via modules like nxos_command. Option B is wrong because pyATS (Python Test Automation System) is a testing framework for network devices, not a tool that exposes an HTTP-based CLI execution interface; it uses other transports like SSH or NX-API to interact with devices. Option C is wrong because Netmiko is a Python library for simplifying SSH connections to network devices, not an HTTP-based interface; it uses SSH, not HTTP, and returns unstructured text, not structured JSON.

2
MCQ · hard

A network engineer is implementing automated configuration management using Cisco NSO (Network Services Orchestrator). The team wants to ensure that any configuration changes made directly on the devices (out-of-band) are detected and reconciled. Which NSO feature should be used?

A. Configuration Database (CDB) snapshots
B. Fast-map synchronization
C. Service model templates
D. Rollback and recovery mechanism
Answer: B

Fast-map syncs device configurations with NSO and detects drift.

Why this answer

Fast-map synchronization is the correct NSO feature because it is specifically designed to detect and reconcile configuration changes made directly on managed devices (out-of-band changes). It compares the device's running configuration against NSO's CDB and generates the necessary NETCONF or CLI operations to bring the device back into sync with NSO's desired state, ensuring consistency without manual intervention.

Exam trap

Cisco often tests the distinction between features that manage NSO's internal state (CDB snapshots, rollback) versus features that synchronize with external devices (fast-map), leading candidates to confuse backup mechanisms with reconciliation tools.

How to eliminate wrong answers

Option A is wrong because CDB snapshots are used for backup and restore of NSO's own configuration database, not for detecting or reconciling out-of-band device changes. Option C is wrong because service model templates define service-level configurations and are used for deploying services, not for detecting or reconciling direct device modifications. Option D is wrong because the rollback and recovery mechanism reverts NSO's own transaction history to a previous state, but it does not detect or reconcile out-of-band changes made directly on devices.

3
MCQ · hard

An engineer is designing an automation solution for a large data center with multiple Cisco UCS Manager domains. Which approach best ensures idempotent configuration operations?

A. Writing imperative Python scripts that execute CLI commands
B. Using a declarative automation tool like Ansible with idempotent modules
C. Directly calling UCS Manager XML API using POST requests
D. Using SNMP to set configuration parameters
Answer: B

Declarative tools ensure the desired state is achieved regardless of current state.

Why this answer

Option B is correct because Ansible's declarative modules for Cisco UCS Manager (e.g., `ucs_*` modules) are designed to be idempotent: they compare the current state of the configuration against the desired state defined in the playbook and only apply changes when necessary. This ensures that running the same playbook multiple times yields the same result without unintended side effects, which is critical for large-scale automation across multiple UCS domains.

Exam trap

Cisco often tests the misconception that any API or script-based approach (like XML API or Python CLI) is automatically idempotent, when in fact only declarative tools with built-in state reconciliation (like Ansible) guarantee idempotency without additional custom logic.

How to eliminate wrong answers

Option A is wrong because imperative Python scripts that execute CLI commands are not inherently idempotent; they blindly send commands each time they run, potentially causing errors or duplicate configurations unless the script explicitly checks the current state. Option C is wrong because directly calling the UCS Manager XML API using POST requests is a procedural method that requires custom logic to check existing state before applying changes; without such checks, repeated POST requests can create duplicate objects or overwrite configurations. Option D is wrong because SNMP is a monitoring protocol (RFC 1157) designed for reading MIB variables and sending traps, not for idempotent configuration operations; it lacks the state comparison and transactional guarantees needed for reliable configuration management.

4
Multi-Select · medium

Which THREE statements about Cisco Network Services Orchestrator (NSO) are true?

Select 3 answers
A. It can manage both NX-OS and ACI
B. It uses NETCONF to communicate with devices
C. It can only be used for layer 3 services
D. It requires a separate database for device states
E. It uses YANG models for device configuration
Answers: A, B, E

NSO has NEDs for both NX-OS and ACI.

Why this answer

Cisco NSO is a multi-domain orchestration platform that can manage both NX-OS and ACI environments, making option A correct. It uses NETCONF as the primary southbound protocol to communicate with devices, and it leverages YANG models to define and enforce device configurations, which validates options B and E.

Exam trap

The trap here is that candidates often assume NSO requires an external database for state management, but it actually uses its own integrated CDB, and they may also mistakenly think NSO is limited to Layer 3 services when it is a multi-layer orchestrator.

5
MCQ · easy

Refer to the exhibit. An Ansible playbook targeting an NX-OS switch fails with this error. What is the most likely cause?

A. The password is incorrect
B. The username is incorrect
C. SSH is not enabled on the switch
D. The Ansible version is incompatible with the switch
Answer: A

'authentication failed' indicates wrong password or username, and password is the most common issue.

Why this answer

The error message indicates an authentication failure during the SSH connection from Ansible to the NX-OS switch. Since Ansible uses SSH to execute tasks, a 'Permission denied' error most commonly points to incorrect credentials. The playbook likely specifies the wrong password for the given username, causing the SSH session to be rejected.

Exam trap

Cisco often tests the distinction between SSH connectivity errors (e.g., 'Connection refused') and authentication errors (e.g., 'Permission denied'), leading candidates to mistakenly blame SSH configuration when the real issue is incorrect credentials.

How to eliminate wrong answers

Option B is wrong because if the username were incorrect, the error would typically be 'Authentication failed' or 'User not found', but the error message shown does not distinguish between username and password; however, the most common cause in Ansible playbooks is a password mismatch, not a username typo. Option C is wrong because if SSH were not enabled, the error would be 'Connection refused' or 'No route to host', not 'Permission denied'. Option D is wrong because Ansible version incompatibility with NX-OS would manifest as module execution failures or unsupported features, not an SSH authentication error.

6
MCQ · easy

A network engineer wants to automate the deployment of a new VLAN across all Cisco Nexus switches in a data center using Python scripts. Which tool is most appropriate for this task?

A. Cisco NX-API with Python requests
B. SSH CLI commands via Paramiko
C. Ansible playbook
D. SNMP SET commands
Answer: A

NX-API provides RESTful API for direct configuration via Python.

Why this answer

Cisco NX-API provides a RESTful API interface on Nexus switches, allowing direct HTTP/HTTPS calls to configure VLANs programmatically. Using Python's requests library, you can send structured JSON payloads to the API endpoint, making it the most direct and efficient method for script-driven automation without requiring intermediate tools or protocols.

Exam trap

Cisco often tests the distinction between direct programmatic APIs (NX-API) and higher-level automation tools (Ansible) or legacy methods (SNMP, SSH), expecting candidates to recognize that the question's emphasis on 'Python scripts' points to a library-based API call rather than a separate automation framework.

How to eliminate wrong answers

Option B is wrong because SSH CLI commands via Paramiko emulate a terminal session, which is slower, less reliable for large-scale automation, and requires parsing CLI output, whereas NX-API offers structured data exchange. Option C is wrong because Ansible is a configuration management tool that abstracts the underlying API or CLI, but the question specifically asks for a Python script-based tool; Ansible playbooks are written in YAML, not Python scripts, and while Ansible can use NX-API modules, the question's context demands a direct Python scripting approach. Option D is wrong because SNMP SET commands are designed for monitoring and simple configuration changes, not for complex tasks like VLAN deployment, and they lack the transactional reliability and structured data handling of NX-API.

7
MCQ · hard

A financial services company operates a multi-site data center with Cisco ACI. The automation team uses Ansible Tower to manage configurations. They have a playbook that configures EPGs using the 'aci_epg' module. The playbook runs successfully for most sites but fails on one site with the error 'Object 'uni/tn-Tenant1/ap-AP1/epg-EPG1' doesn't exist'. The engineer checks the ACI fabric and confirms that the tenant, application profile, and EPG exist on that site. The playbook uses the same credentials and variables across all sites. What is the most likely cause of the failure?

A. The Ansible Tower job runs with a different user that lacks permissions on that site
B. The ACI APIC version is incompatible with the Ansible module
C. The EPG name in the playbook has a typo that only affects this site
D. The fabric name in the Ansible inventory is incorrect for that site
Answer: D

Leads to connection to wrong APIC where EPG doesn't exist.

Why this answer

The error 'Object doesn't exist' despite the EPG being present on the ACI fabric indicates that Ansible is targeting the wrong fabric or APIC. Since the playbook uses the same credentials and variables across all sites, the most likely cause is an incorrect fabric name in the Ansible inventory for that specific site, causing the module to query a different APIC cluster where the object does not exist.

Exam trap

Cisco often tests the concept that Ansible inventory variables (like fabric hostname or APIC IP) must match the target site, and candidates mistakenly focus on credentials or module syntax instead of verifying the inventory configuration for each site.

How to eliminate wrong answers

Option A is wrong because the playbook uses the same credentials across all sites, and if a different user lacked permissions, the error would typically be an authentication or authorization failure, not an 'object doesn't exist' error. Option B is wrong because an APIC version incompatibility would likely cause module-level errors (e.g., missing parameters or API changes), not a specific object-not-found error for an existing EPG. Option C is wrong because a typo in the EPG name would cause the same error across all sites, not just one, and the engineer confirmed the EPG exists with the correct name on the failing site.

8
MCQ · medium

A Python script using NX-API returns HTTP 401. What is the most likely cause?

A. Wrong NX-API version in URL
B. Firewall blocking port 443
C. NX-API not enabled on the switch
D. Invalid credentials
Answer: C

If NX-API is not enabled, the HTTP endpoint may return 401 (or 404) – but typically 401 due to lack of authentication context. In practice, enabling NX-API is required for authentication to work.

Why this answer

HTTP 401 indicates unauthorized access, which in the context of NX-API means the request lacks valid authentication credentials. However, if NX-API is not enabled on the switch, the API endpoint itself is not active, and the switch will reject the request with a 401 error because no authentication mechanism is available to process the credentials. Enabling NX-API via the 'feature nxapi' command is a prerequisite for any NX-API communication.

Exam trap

Cisco often tests the distinction between 'service not enabled' and 'authentication failure' by using HTTP 401 as a red herring, leading candidates to assume invalid credentials when the actual issue is that the feature is not activated.

How to eliminate wrong answers

Option A is wrong because an incorrect NX-API version in the URL would typically result in a 404 Not Found or a different HTTP error, not a 401 Unauthorized, as the request would reach a non-existent endpoint. Option B is wrong because a firewall blocking port 443 would cause a connection timeout or a TCP reset, not an HTTP 401 response, which requires the TCP handshake to complete and the HTTP server to respond. Option D is wrong because invalid credentials would indeed produce a 401 error, but the question asks for the 'most likely' cause; in practice, NX-API being disabled is a more common initial misconfiguration than entering wrong credentials, and the 401 in that case is a generic response from the switch's HTTP server when the API feature is off.

9
MCQ · medium

A data center team is troubleshooting an automation script that uses REST API to configure a Cisco Nexus 9000 switch. The script fails with a '401 Unauthorized' error. What is the most likely cause?

A. API rate limiting has been exceeded
B. Network connectivity issue between the script and the switch
C. The user account does not have admin privileges
D. Invalid or expired authentication token
Answer: D

401 Unauthorized indicates authentication failure.

Why this answer

A 401 Unauthorized error in REST API communication indicates that the request lacks valid authentication credentials. For Cisco Nexus 9000 switches, REST API access typically requires a token-based authentication (e.g., using HTTP Basic Auth to obtain a session token or cookie). If the token is invalid or expired, the API server rejects the request with a 401 status code, as the script cannot prove its identity.

Exam trap

Cisco often tests the distinction between 401 Unauthorized (authentication failure) and 403 Forbidden (authorization failure), and candidates mistakenly choose 'insufficient privileges' (Option C) because they confuse authentication with authorization.

How to eliminate wrong answers

Option A is wrong because API rate limiting (e.g., exceeding requests per second) typically returns a 429 Too Many Requests error, not 401 Unauthorized. Option B is wrong because a network connectivity issue would result in a timeout or connection refused error (e.g., HTTP 0 or socket error), not a 401 HTTP status code. Option C is wrong because insufficient privileges (e.g., non-admin role) would cause a 403 Forbidden error after successful authentication, not a 401 Unauthorized error.

10
MCQ · medium

Refer to the exhibit. An engineer is trying to automate configuration using NX-API on a Nexus 9000 switch. They have enabled 'feature nxapi' but when they attempt to send a POST request to the NX-API endpoint, they receive '400 Bad Request' with 'Invalid message format'. What is the most likely missing configuration?

A. The switch does not have the 'nxapi' feature enabled.
B. The NX-API HTTP/HTTPS server is not configured with a port (e.g., 'nxapi http port 80').
C. The engineer is using the wrong URL path; should be /ins instead of /api.
D. The authentication method is set to 'none' but should be 'basic'.
Answer: B

Enabling the feature alone does not start the server; a port must be configured.

Why this answer

The '400 Bad Request' with 'Invalid message format' error indicates the NX-API server is not listening on the expected port. Even with 'feature nxapi' enabled, the HTTP or HTTPS server must be explicitly configured with a port (e.g., 'nxapi http port 80') to accept REST API requests. Without this, the switch does not expose the NX-API endpoint, causing the client to receive a malformed response.

Exam trap

Cisco often tests the distinction between enabling a feature and configuring its operational parameters—candidates assume 'feature nxapi' alone is sufficient, but the HTTP/HTTPS server port must be explicitly set for REST API access.

How to eliminate wrong answers

Option A is wrong because 'feature nxapi' is already enabled per the scenario, so the feature is active. Option C is wrong because the correct NX-API REST endpoint path is '/api' (e.g., 'http://switch/api/...'), not '/ins'; '/ins' is used for the XML/JSON-RPC interface, not the REST API. Option D is wrong because NX-API authentication defaults to 'basic' or uses the device's AAA; setting it to 'none' would not cause a '400 Bad Request'—it would either allow unauthenticated access or fail with a different error.

11
MCQ · easy

What is the primary purpose of NX-API on Cisco Nexus switches in a data center automation context?

A. To replace SNMP for monitoring and alerting.
B. To enable direct configuration from a web browser without CLI.
C. To create a web-based GUI for manual switch configuration.
D. To provide a RESTful API that allows programmatic access to CLI commands and structured data output.
Answer: D

NX-API translates CLI commands into JSON/REST calls, returning structured data for automation.

Why this answer

NX-API provides a RESTful API interface on Cisco Nexus switches, enabling programmatic access to CLI commands and returning structured data in formats like JSON or XML. This is essential for data center automation because it allows external tools (e.g., Ansible, Python scripts) to configure and retrieve state from the switch without requiring interactive CLI sessions, directly supporting infrastructure-as-code workflows.

Exam trap

Cisco often tests the distinction between a programmatic API (NX-API) and a web-based GUI, leading candidates to confuse NX-API with the Device Manager web interface, which is a separate feature for manual browser-based management.

How to eliminate wrong answers

Option A is wrong because NX-API is not designed to replace SNMP for monitoring and alerting; SNMP remains the standard for trap-based alerts and performance monitoring, while NX-API focuses on configuration and operational data retrieval via REST. Option B is wrong because NX-API does not enable direct configuration from a web browser without CLI; it is an API endpoint consumed by programs, not a browser-based GUI. Option C is wrong because NX-API is not a web-based GUI for manual switch configuration; Cisco Nexus switches offer a separate web GUI (e.g., Device Manager), but NX-API is strictly a programmatic interface.

12
MCQ · hard

A network team is planning to automate configuration management of a brownfield Nexus 9000 fabric using YANG data models and NETCONF. Which consideration is critical when implementing this solution?

A. The operational state must be modeled against the device-specific YANG model to avoid configuration drift.
B. NETCONF replaces CLI entirely; no fallback necessary.
C. Using NETCONF for configuration ensures zero touch provisioning.
D. All NX-OS versions support the same YANG models; no compatibility check needed.
Answer: A

In brownfield, understanding the current state via YANG is needed to plan incremental changes and avoid drift.

Why this answer

In a brownfield Nexus 9000 fabric, the operational state (e.g., interface status, routing table) must be modeled against the device-specific YANG model to detect and correct configuration drift. NETCONF uses YANG models to define both configuration and operational data, but only the device-specific native model accurately reflects the actual running state. Without this alignment, automated remediation may push incorrect configurations, leading to network instability.

Exam trap

Cisco often tests the misconception that NETCONF is a complete CLI replacement, but the trap here is that operational state modeling against device-specific YANG is critical for drift detection in brownfield environments, not just configuration push.

How to eliminate wrong answers

Option B is wrong because NETCONF does not replace the CLI entirely; CLI remains a fallback for troubleshooting, emergency access, and operations not covered by YANG models. Option C is wrong because NETCONF is a configuration protocol that can be used for initial provisioning, but zero-touch provisioning (ZTP) typically relies on DHCP, TFTP, and scripts, not NETCONF alone. Option D is wrong because NX-OS versions support different YANG models (e.g., OpenConfig vs. Cisco native), and compatibility must be verified; assuming uniform support can cause schema mismatches and failed operations.

13
MCQ · medium

A DevOps team uses Ansible to automate the configuration of Cisco Nexus switches. After running a playbook, some switches have the correct configuration but others do not. The playbook uses the 'nxos_config' module. Which action should be taken to ensure consistent configuration?

A. Set 'ignore_errors' to true in the playbook
B. Use the 'backup' option to save the running config before changes
C. Use 'serial' directive to run the playbook on one switch at a time
D. Enable check mode to verify changes before applying
Answer: B

Backup provides a restore point for rollback.

Why this answer

The 'nxos_config' module's 'backup' option saves the running configuration to a file before applying changes. This ensures that if a switch fails to apply the configuration correctly, the original configuration is preserved for rollback, enabling consistent recovery across all switches. Without this, some switches may have partial or incorrect configurations that cannot be easily reverted.

Exam trap

The trap here is that candidates confuse 'backup' with a simple logging feature, when in fact it is a critical rollback mechanism that directly addresses configuration drift and failed deployments in network automation.

How to eliminate wrong answers

Option A is wrong because 'ignore_errors: true' would cause Ansible to continue executing tasks even if the 'nxos_config' module fails on a switch, masking configuration errors and leading to inconsistent states without any indication of failure. Option C is wrong because the 'serial' directive controls the number of hosts processed in parallel but does not address configuration consistency or rollback; it only affects execution order and can actually slow down deployment without solving the core issue. Option D is wrong because check mode (--check) only simulates changes without applying them, so it cannot ensure consistent configuration across switches; it is useful for validation but does not provide a mechanism to recover from failed applications.

14
Matching · medium

Match each Cisco data center high availability feature to its description.

Concepts
Matches

First-hop redundancy for default gateway

Multi-chassis link aggregation with loop prevention

Transparent interconnection of lots of links (TRILL-based)

Non-Stop Forwarding during supervisor switchover

Stateful Switchover for control plane redundancy

Why these pairings

These features ensure network resilience in data centers.

15
MCQ · easy

Refer to the exhibit. What is the intended effect of this Ansible playbook task?

A. It deletes VLAN 10 from all switches.
B. It saves the running configuration to startup.
C. It reboots the Nexus switches after applying the configuration.
D. It ensures VLAN 10 exists with the name 'Automation_VLAN' on the target switches.
Answer: D

The nxos_config module pushes the provided lines, ensuring they are present.

Why this answer

The Ansible playbook task uses the `cisco.nxos.nxos_vlans` module with the `state: merged` directive, which ensures that the specified VLAN configuration (VLAN 10 with name 'Automation_VLAN') is present on the target Nexus switches. If VLAN 10 does not exist, it will be created; if it exists with a different name, it will be updated. The `merged` operation does not delete or reboot; it only applies the configuration to align the device's state with the playbook's desired state.

Exam trap

Cisco often tests the distinction between `merged`, `replaced`, `overridden`, and `deleted` states in Ansible modules, and the trap here is that candidates mistakenly associate any configuration task with a reboot or save operation, or assume `merged` implies deletion of existing configuration.

How to eliminate wrong answers

Option A is wrong because the `state: merged` operation adds or updates configuration, not deletes; deleting VLANs would require `state: absent` or a separate task. Option B is wrong because saving the running configuration to startup is not part of the `nxos_vlans` module; it would require a separate task using `cisco.nxos.nxos_config` with `save_when: always` or the `nxos_command` module to issue `copy running-config startup-config`. Option C is wrong because rebooting switches is not an action of the `nxos_vlans` module; a reboot would require a task using `nxos_reboot` or `nxos_command` with a reload command, and the `merged` state does not trigger any reboot.

16
MCQ · hard

Refer to the exhibit. A Python script is processing the response from NX-API. It attempts to extract the interface state using `response['ins_api']['outputs']['output']['body']['ROW_interface']['state']` but receives a KeyError. What is the most likely reason?

A. The 'output' key is a list, not a dictionary.
B. The JSON structure has an extra level 'TABLE_interface' before 'ROW_interface'.
C. The 'ins_api' key is nested inside another object.
D. The 'body' key is missing because the command failed.
Answer: B

Some NX-API outputs wrap rows in a table key; the script missed that level.

Why this answer

The NX-API response for interface commands includes a 'TABLE_interface' key that wraps the 'ROW_interface' key. The script attempts to access 'ROW_interface' directly under 'body', but the correct path is `response['ins_api']['outputs']['output']['body']['TABLE_interface']['ROW_interface']['state']`. Option B correctly identifies this missing intermediate level.

Exam trap

The trap here is that candidates assume the JSON path directly mirrors the CLI output structure, forgetting that NX-API wraps tabular data in an intermediate 'TABLE_' key that must be included in the dictionary traversal.

How to eliminate wrong answers

Option A is wrong because the 'output' key is a dictionary, not a list; if it were a list, the error would be a TypeError, not a KeyError. Option C is wrong because the 'ins_api' key is at the top level of the JSON response, not nested inside another object. Option D is wrong because if the command had failed, the 'body' key would still exist but contain an error message or be empty; a missing 'body' would cause a different error, not a KeyError on 'ROW_interface'.

17
MCQ · hard

In an ACI fabric, an automation engineer needs to deploy tenant policies in an idempotent manner. Which approach is most aligned with best practices?

A. Use the REST API with POST method for each creation
B. Use Ansible with state: present in the cisco.aci collections
C. Write CLI scripts using expect or pexpect
D. Use Python SDK with a check-and-create loop
Answer: B

Ansible modules are idempotent and widely used in ACI automation.

Why this answer

Option B is correct because Ansible's `state: present` in the `cisco.aci` collection inherently provides idempotency: it checks the current state of the ACI object and only applies changes if the desired state differs, ensuring no duplicate or conflicting configurations. This aligns with best practices for automation, as it avoids manual error handling and guarantees consistent policy deployment without side effects.

Exam trap

The trap here is that candidates often assume any API-based approach (like REST POST or Python SDK) is inherently idempotent, but Cisco tests the understanding that true idempotency requires a declarative or state-checking mechanism, which Ansible's `state: present` provides out-of-the-box.

How to eliminate wrong answers

Option A is wrong because the REST API POST method is not idempotent by default; repeated POST requests create duplicate objects or cause errors unless the client implements explicit pre-checks, which violates the principle of idempotent deployment. Option C is wrong because CLI scripts using expect or pexpect are inherently non-idempotent; they rely on screen scraping and sequential commands, which can fail unpredictably due to timing issues or state changes, and they lack built-in state reconciliation. Option D is wrong because while a Python SDK with a check-and-create loop can achieve idempotency, it requires custom error handling and is less maintainable than using a declarative tool like Ansible, which abstracts the idempotency logic and is a recognized best practice in ACI automation.

18
MCQ · hard

An engineer is writing a Python script to automate ACI fabric discovery using the APIC SDK. The script needs to wait until the fabric formation is complete before proceeding. Which approach is most reliable?

A. Implement asynchronous callbacks using the SDK
B. Periodically poll the fabric membership state via REST API
C. Use the configExportP object to monitor discovery
D. Use time.sleep() for a fixed duration
Answer: B

Polling is reliable and adaptive to actual state changes.

Why this answer

Option B is correct because the most reliable method to wait for ACI fabric formation to complete is to periodically poll the fabric membership state via the REST API. The APIC SDK provides access to the fabric membership endpoint (e.g., /api/node/class/fabricNode.json), which returns the current state of each node. By polling this endpoint until all expected nodes report an 'active' or 'in-pod' status, the script can accurately determine when the fabric is fully formed, avoiding race conditions or incomplete discovery.

Exam trap

Cisco often tests the misconception that a fixed delay (time.sleep) or a configuration export object can reliably synchronize with asynchronous fabric discovery, when in fact only direct polling of the fabric membership state provides deterministic confirmation.

How to eliminate wrong answers

Option A is wrong because asynchronous callbacks in the APIC SDK are not designed for monitoring fabric discovery completion; they are typically used for event-driven notifications on specific object changes, not for polling the overall fabric formation state, and they may miss transient states or require complex setup. Option C is wrong because the configExportP object is used for exporting configuration snapshots, not for monitoring fabric discovery; it has no mechanism to indicate fabric formation status. Option D is wrong because using time.sleep() for a fixed duration is unreliable; fabric discovery time varies based on network conditions, hardware, and scale, so a fixed sleep may either waste time or proceed before discovery is complete, leading to script failures.

19
MCQmedium

An organization is migrating from traditional SNMP monitoring to model-driven telemetry on their Nexus 9000 switches. They have configured a telemetry destination using gRPC and have defined sensor paths for interface statistics. After several hours, the collector (a Linux server running Telegraf) reports no data received. The engineer verifies that the switch can reach the collector via ICMP. On the switch, 'show telemetry data collector details' indicates the destination is 'connected', but the 'last data sent' timestamp is several hours old. Which action should the engineer take next?

A.Change the transport protocol from gRPC to HTTP
B.Reboot the switch to reset the telemetry process
C.Verify that the sensor paths are correct and that the data is being generated
D.Increase the telemetry sampling interval to reduce load
AnswerC

Most likely cause: sensor path not matching actual data.

Why this answer

The 'show telemetry data collector details' output shows the destination is 'connected' and the switch can reach the collector, ruling out network or connectivity issues. The stale 'last data sent' timestamp indicates the telemetry process is running but no data is being published, which typically means the configured sensor paths are not producing data—either because the paths are incorrect, the MIB objects are not supported, or the interfaces are not generating the expected statistics. Option C is correct because verifying the sensor paths and ensuring data generation addresses the root cause without unnecessary changes or reboots.

Exam trap

Cisco often tests the misconception that a 'connected' telemetry destination implies data is flowing, when in fact the connection state only reflects the gRPC session, not the subscription health—candidates may waste time on transport or connectivity fixes instead of verifying the sensor paths.

How to eliminate wrong answers

Option A is wrong because changing the transport protocol from gRPC to HTTP would not fix the issue; the problem is that no data is being sent, not that the transport is failing (the collector is reachable and the destination shows 'connected'). Option B is wrong because rebooting the switch is an extreme, unnecessary step that would disrupt operations and does not address the likely misconfiguration of sensor paths; the telemetry process is already running (destination 'connected'). Option D is wrong because increasing the sampling interval would reduce the frequency of data collection, but if no data is being generated at all, changing the interval will not cause data to appear—it would only delay the problem further.

20
MCQmedium

An Ansible playbook that deploys VLANs on NX-OS fails on a particular switch with 'privilege escalation required'. What should be checked first?

A.The 'host_key_checking' setting
B.The 'ansible_become_password' or 'enable' password in the playbook
C.The 'ansible_user' variable
D.The inventory file syntax
AnswerB

This is required for privilege escalation on NX-OS.

Why this answer

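Privilege escalation typically requires an enable password, so the 'ansible_become_password' or 'enable' password (Option B) is the correct parameter to check. The 'ansible_user' variable (Option C) is the SSH user.

The 'host_key_checking' setting (Option A) is for host key checking. The inventory file syntax (Option D) concerns the inventory.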

21
Drag & Dropmedium

Arrange the steps to configure a port-channel (LAG) on a Cisco Nexus switch.

Why this order

Port-channel creation involves interface creation, mode setting, member addition, and verification.

22
Multi-Selecthard

Which THREE statements about Cisco UCS Manager automation using XML API are correct? (Choose three.)

Select 3 answers
A.Operations can be made idempotent by using the 'dn' (distinguished name) to specify the exact object.
B.The XML API is based on a management information model (MIT) similar to ACI.
C.The API uses XML for both request and response payloads.
D.The API uses SNMP for configuration changes.
E.The UCS Manager XML API uses RESTful JSON format.
AnswersA, B, C

Idempotency is achieved by targeting specific objects.

Why this answer

Option A is correct because the Cisco UCS Manager XML API allows operations to be idempotent by using the 'dn' (distinguished name) attribute to target a specific managed object. When you include the 'dn' in an XML request, the operation applies only to that exact object, so repeating the same request produces the same result without side effects. This is a key design principle of the management information model (MIT) that ensures predictable and safe automation.

Exam trap

Cisco often tests the distinction between XML-based APIs (like UCS Manager) and RESTful JSON APIs (like Cisco DNA Center or ACI REST API), so the trap here is assuming that UCS Manager uses JSON or SNMP for configuration, when it strictly uses XML over HTTP/HTTPS.

23
Multi-Selecthard

Which THREE components are required to successfully use NETCONF for configuration automation on a Nexus 9000 switch?

Select 3 answers
A.The NX-API must be enabled as a fallback
B.SSH connectivity must be established to the switch
C.The NETCONF agent must be enabled via 'feature netconf' configuration
D.YANG models must be installed or supported for the target configurations
E.The switch must be running the NX-OS Essentials license
AnswersB, C, D

NETCONF uses SSH as its transport protocol (RFC 6242).

Why this answer

B is correct because NETCONF operates over SSH as its transport protocol (RFC 6242), so SSH connectivity to the switch is mandatory for establishing the NETCONF session. Without SSH, the NETCONF client cannot connect to the NETCONF server running on the Nexus 9000.

Exam trap

Cisco often tests the misconception that NX-API is a prerequisite or fallback for NETCONF, but in reality they are independent automation interfaces with different transport and data encoding methods.

24
MCQhard

A Python script uses NX-API's XML output to extract interface status. Which method is most robust and recommended for parsing the XML?

A.Split the string by tags
B.Use regular expressions to find patterns
C.Use BeautifulSoup
D.Use xml.etree.ElementTree
AnswerD

ElementTree is built-in and efficient for XML parsing.

Why this answer

xml.etree.ElementTree is the recommended method because it is part of Python's standard library, provides robust tree-based parsing that handles XML namespaces and nested structures correctly, and is specifically designed for programmatic XML manipulation. For NX-API XML output, which follows a consistent schema, ElementTree allows reliable extraction of interface status using XPath or tag traversal without fragility.

Exam trap

Cisco often tests the distinction between built-in vs. third-party libraries and between string manipulation vs. proper parsing, leading candidates to choose BeautifulSoup (which is overkill and non-standard for XML) or regex (which seems flexible but is technically incorrect for XML).

How to eliminate wrong answers

Option A is wrong because splitting by tags is brittle and fails if the XML contains whitespace, attributes, or nested elements; it cannot handle the structured hierarchy of NX-API responses. Option B is wrong because regular expressions are not designed for parsing XML's nested tree structure and will break on attribute order changes, CDATA sections, or escaped characters, leading to incorrect or incomplete data extraction. Option C is wrong because BeautifulSoup is a third-party library primarily for HTML parsing and requires additional installation, whereas the exam expects a built-in, lightweight solution for XML parsing in automation scripts.
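Tree-based parsing of an NX-API XML reply with `xml.etree.ElementTree`, as an added example (not code from this page or from Cisco). The XML below is a constructed, trimmed sample in the `ins_api` / `TABLE_interface` / `ROW_interface` layout; the exact fields returned depend on the command and NX-OS release.

```python
import xml.etree.ElementTree as ET

# Constructed sample reply to "show interface" (trimmed to a few fields).
# Note the escaped ampersand, which string splitting or a regex would mishandle.
SAMPLE_XML = """<?xml version="1.0"?>
<ins_api>
  <type>cli_show</type>
  <version>1.0</version>
  <sid>eoc</sid>
  <outputs>
    <output>
      <body>
        <TABLE_interface>
          <ROW_interface>
            <interface>Ethernet1/1</interface>
            <state>up</state>
            <admin_state>up</admin_state>
            <desc>uplink &amp; core</desc>
          </ROW_interface>
          <ROW_interface>
            <interface>Ethernet1/2</interface>
            <state>down</state>
            <admin_state>down</admin_state>
          </ROW_interface>
        </TABLE_interface>
      </body>
      <input>show interface</input>
      <msg>Success</msg>
      <code>200</code>
    </output>
  </outputs>
</ins_api>
"""


class NxapiError(Exception):
    """Raised when the reply is malformed or the command did not succeed."""


def _text(element, tag):
    """Return the stripped text of a child element, or '' if it is absent."""
    return (element.findtext(tag) or "").strip()


def interface_status(xml_text):
    """Return {interface: {'state', 'admin_state', 'desc'}} from an NX-API reply."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise NxapiError(f"response is not well-formed XML: {exc}") from exc

    outputs = root.findall("./outputs/output")
    if not outputs:
        raise NxapiError("no <output> element in response")

    result = {}
    for output in outputs:
        # Each command carries its own status; check it before trusting the body.
        code = _text(output, "code")
        if code != "200":
            raise NxapiError(
                f"command failed: code={code!r} msg={_text(output, 'msg')!r}")
        for row in output.iterfind(".//ROW_interface"):
            name = _text(row, "interface")
            if name:
                result[name] = {
                    "state": _text(row, "state"),
                    "admin_state": _text(row, "admin_state"),
                    "desc": _text(row, "desc"),  # entity already decoded
                }
    return result


if __name__ == "__main__":
    for name, fields in interface_status(SAMPLE_XML).items():
        print(name, fields)
```

The Python documentation notes that `xml.etree.ElementTree` is not hardened against maliciously constructed XML, so this fits replies from switches on a trusted management network.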

25
MCQhard

Refer to the exhibit. A Python script using the Cisco ACI Cobra SDK fails with 'AuthenticationError'. Which of the following is the most likely cause?

A.The APIC URL is incorrect
B.The user does not have API access
C.The username or password is incorrect
D.The script is missing required imports
AnswerC

AuthenticationError directly indicates failed login due to credentials.

Why this answer

The 'AuthenticationError' in the Cisco ACI Cobra SDK indicates that the APIC rejected the login credentials. This error is raised specifically when the username or password provided in the script's login method (e.g., 'Login('apic_url', 'username', 'password')') does not match a valid APIC local or AAA-authenticated user. The SDK performs an HTTP POST to the APIC's '/api/aaaLogin.json' endpoint, and a non-200 response with an authentication failure triggers this exception.

Exam trap

Cisco often tests the distinction between authentication failures (wrong credentials) and authorization failures (no API access), so candidates mistakenly choose 'user does not have API access' when the error message clearly points to the login phase.

How to eliminate wrong answers

Option A is wrong because an incorrect APIC URL would typically result in a connection timeout or HTTP 404 error, not an 'AuthenticationError' — the SDK would fail to reach the APIC before authentication is attempted. Option B is wrong because if the user lacks API access, the APIC would still authenticate the user (returning a token) but then deny subsequent API operations with a 403 Forbidden error; the 'AuthenticationError' occurs at login, not during API calls. Option D is wrong because missing imports would cause a Python ImportError or NameError at script startup, not an 'AuthenticationError' at runtime — the SDK would not even execute the login call.

26
MCQmedium

A Python script using the pyATS framework to parse 'show interface' output on a Nexus 9000 switch fails with a parsing error, even though the CLI command runs successfully. What is the most likely missing component?

A.The script does not include the correct authentication method.
B.The Genie parser for the specific NX-OS version is not installed or imported.
C.The script uses the wrong device type (e.g., iosxe instead of nxos).
D.The switch is not configured with NETCONF.
AnswerB

pyATS uses Genie parsers that are version-specific; missing parser leads to parse error.

Why this answer

The pyATS framework relies on Genie parsers to convert raw CLI output into structured data. If the Genie parser for the specific NX-OS version is missing or not imported, the script cannot parse the 'show interface' output, resulting in a parsing error even though the CLI command itself runs successfully. This is the most likely missing component because pyATS/Genie parsers are version-specific and must be installed for the exact platform and OS version.

Exam trap

Cisco often tests the distinction between command execution success and parsing success, trapping candidates who assume a working CLI command guarantees pyATS/Genie parsing will work without the correct version-specific parser installed.

How to eliminate wrong answers

Option A is wrong because authentication methods (e.g., SSH credentials, API tokens) are used for device connection, not for parsing CLI output; a parsing error occurs after successful connection and command execution. Option C is wrong because using the wrong device type (e.g., iosxe instead of nxos) would cause a different error—either a connection failure or a mismatch in command syntax—not a parsing error on a command that runs successfully. Option D is wrong because NETCONF is not required for pyATS/Genie parsing; pyATS can parse CLI output over SSH or Telnet without any NETCONF configuration.

27
MCQeasy

A network engineer wants to automate the deployment of VLANs across 50 Nexus switches in a data center. Which approach provides the most consistent and repeatable results with minimal manual effort?

A.Python script using netmiko
B.Manual CLI on each switch
C.Bash script with SSH
D.Ansible playbook with nxos_vlan module
AnswerD

Declarative and idempotent, ensures consistent configuration.

Why this answer

Ansible playbook with the nxos_vlan module is the correct choice because it provides idempotent, declarative automation that ensures consistent VLAN configuration across all 50 Nexus switches with minimal manual effort. Ansible handles SSH connectivity and state management natively, eliminating the need for custom scripting and reducing the risk of human error.

Exam trap

Cisco often tests the distinction between ad-hoc scripting (like netmiko or Bash) and declarative automation tools (like Ansible) that provide idempotency and state management, leading candidates to choose a technically functional but less robust scripting approach.

How to eliminate wrong answers

Option A is wrong because a Python script using netmiko, while programmatic, requires custom error handling, idempotency logic, and manual loop management for 50 switches, making it less consistent and more effort than Ansible's built-in modules. Option B is wrong because manual CLI on each switch is error-prone, time-consuming, and does not scale to 50 switches, offering no repeatability or automation. Option C is wrong because a Bash script with SSH relies on fragile expect-like constructs or raw SSH commands, lacks idempotency, and requires extensive custom logic to handle device differences and failures, leading to inconsistent results.

28
MCQhard

Refer to the exhibit. An automation script queries the Cisco Nexus 9000 using the NX-API JSON format and receives the above output. The script is designed to validate that interface Eth1/1 is in access mode with VLAN 100. However, the script reports a failure. What is the most likely reason?

A.The script uses strict type checking, and the values are returned as strings instead of integers.
B.The JSON output is malformed and cannot be parsed.
C.The interface is administratively down.
D.The JSON output is missing the 'switchportMode' field.
AnswerA

JSON returns numbers as strings in this context; a type mismatch causes failure.

Why this answer

The NX-API returns all values as strings in JSON output, including numeric fields like VLAN IDs. If the script uses strict type checking (e.g., `===` in JavaScript, or comparing a string with an integer in Python), comparing the string '100' to the integer 100 will fail, even though the interface is correctly configured in access mode with VLAN 100. This is a common pitfall when parsing NX-API responses without explicit type conversion.

Exam trap

Cisco often tests the nuance that NX-API returns all values as strings, tricking candidates who assume numeric fields are returned as integers and overlook the need for type conversion in validation logic.

How to eliminate wrong answers

Option B is wrong because the JSON output shown is well-formed (valid key-value pairs, proper brackets), so parsing would succeed. Option C is wrong because the output includes 'adminState: up', indicating the interface is administratively up, not down. Option D is wrong because the output clearly contains the 'switchportMode' field with value 'access', so the field is not missing.
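The type mismatch described in this question, next to a validator that converts each value before comparing, as an added example (not the script or exhibit from the question, which this page does not show). The record is constructed; `switchportMode` and `adminState` are named in the explanation above, while `accessVlan` is a hypothetical key standing in for the VLAN field.

```python
import json

# Constructed NX-API-style record: every value arrives as a string.
SAMPLE_JSON = ('{"interface": "Eth1/1", "adminState": "up", '
               '"switchportMode": "access", "accessVlan": "100"}')

# What the script wants to verify. The int here is what triggers the mismatch.
EXPECTED = {"adminState": "up", "switchportMode": "access", "accessVlan": 100}


def naive_check(record, expected=EXPECTED):
    """The failing pattern: compare raw values, so '100' != 100."""
    return all(record.get(key) == want for key, want in expected.items())


def coerce(value, like):
    """Convert a device-supplied value to the type of the expected value.

    Raises ValueError if an integer is expected and the text is not one.
    """
    text = str(value).strip()
    if isinstance(like, int) and not isinstance(like, bool):
        return int(text)
    return text


def validate(record, expected=EXPECTED):
    """Return a list of human-readable mismatches; an empty list means pass."""
    failures = []
    for key, want in expected.items():
        if key not in record:
            failures.append(f"{key}: missing from response")
            continue
        try:
            got = coerce(record[key], want)
        except ValueError:
            failures.append(
                f"{key}: {record[key]!r} is not a valid {type(want).__name__}")
            continue
        if got != want:
            failures.append(f"{key}: expected {want!r}, got {got!r}")
    return failures


if __name__ == "__main__":
    record = json.loads(SAMPLE_JSON)
    print("naive check passes:", naive_check(record))   # False
    print("validated mismatches:", validate(record))    # []
```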

29
Multi-Selectmedium

Which TWO statements about Cisco NX-API are correct? (Choose two.)

Select 2 answers
A.NX-API uses SSH for transport.
B.NX-API only supports GET requests.
C.NX-API uses HTTP/HTTPS as the transport protocol.
D.NX-API is only available on Nexus 3000 series switches.
E.NX-API can output data in XML and JSON formats.
AnswersC, E

NX-API is a RESTful API over HTTP/HTTPS.

Why this answer

Cisco NX-API is a programmatic interface that uses HTTP/HTTPS as the transport protocol, allowing RESTful API calls to configure and monitor Nexus switches. It supports both XML and JSON output formats, enabling flexible data parsing in automation scripts. This makes options C and E correct.

Exam trap

Cisco often tests the misconception that NX-API uses SSH (like NETCONF) or is limited to specific hardware, when in fact it uses HTTP/HTTPS and is widely supported across Nexus platforms.

30
MCQeasy

Which protocol is recommended for streaming model-driven telemetry from NX-OS to a collector?

A.FTP
B.SNMP
C.HTTP
D.gRPC
AnswerD

gRPC with protobuf is the recommended transport for MDT.

Why this answer

gRPC (Google Remote Procedure Call) is the recommended protocol for streaming model-driven telemetry from NX-OS to a collector because it provides efficient, bidirectional streaming over HTTP/2, supports structured data encoding (e.g., Protobuf or JSON), and is natively supported in NX-OS for high-frequency, push-based telemetry. Unlike polling-based protocols, gRPC enables the device to continuously stream operational data to the collector with low latency and minimal overhead.

Exam trap

Cisco often tests the misconception that HTTP or SNMP can handle streaming telemetry, but the trap is that SNMP is pull-based and HTTP lacks the persistent, bidirectional streaming capabilities of gRPC, which is the only option that natively supports the push-based, subscription-driven model required for NX-OS telemetry.

How to eliminate wrong answers

Option A (FTP) is wrong because FTP is a file transfer protocol designed for bulk file uploads/downloads, not for real-time streaming of telemetry data, and it lacks the bidirectional streaming and structured data capabilities required for model-driven telemetry. Option B (SNMP) is wrong because SNMP is a traditional polling-based protocol that uses a pull model (manager requests data from agents), which is inefficient for high-frequency telemetry and does not support the push-based, subscription-driven streaming model that NX-OS telemetry requires. Option C (HTTP) is wrong because while HTTP can be used for telemetry (e.g., via RESTCONF), it is not optimized for streaming; gRPC, which uses HTTP/2 as a transport, provides persistent connections, multiplexing, and server push, making it the superior choice for streaming telemetry in NX-OS.

31
MCQeasy

A NETCONF session to an NX-OS switch fails with 'Connection refused'. What is the most likely cause?

A.All of the above
B.Wrong SSH port (default 830)
C.The switch is unreachable
D.NETCONF is not enabled on the switch
AnswerD

Without 'feature netconf', the NETCONF server does not start.

Why this answer

NETCONF uses SSH port 830 by default, but the 'Connection refused' error specifically indicates that the TCP connection was actively rejected by the switch, not that it timed out or was unreachable. This occurs when the NETCONF subsystem is not available because the 'netconf' feature has not been enabled on the NX-OS device, which is required to start the NETCONF server process.

Exam trap

Cisco often tests the distinction between 'Connection refused' (service not running) and 'Connection timed out' (host unreachable or firewall blocking), leading candidates to incorrectly select 'wrong port' or 'unreachable' when the real issue is that the NETCONF feature is not enabled.

How to eliminate wrong answers

Option A is wrong because 'All of the above' cannot be correct since only one option is the most likely cause. Option B is wrong because while the default NETCONF SSH port is 830, a wrong port would result in a timeout or 'Connection timed out', not an active 'Connection refused' — the switch would not reject the connection on a different port unless that port is closed. Option C is wrong because if the switch were unreachable, the error would be 'No route to host' or 'Connection timed out', not 'Connection refused', which requires the switch to be reachable and actively rejecting the connection.
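A small TCP probe that separates the failure modes discussed in this question before any NETCONF library is involved, as an added example (not code from this page). The function name, return codes and hint texts are this example's own; port 830 is the default the question cites.

```python
import errno
import socket

HINTS = {
    "open": "a listener accepted the TCP connection on this port",
    "refused": "host is reachable but nothing is listening on this port; "
               "check that NETCONF is enabled ('feature netconf')",
    "timeout": "no reply at all; check reachability and any ACL or firewall "
               "between client and switch",
    "unreachable": "no route to the host or network",
    "dns": "the hostname could not be resolved",
    "error": "unexpected socket error",
}


def diagnose(host, port=830, timeout=3.0, connect=socket.create_connection):
    """Attempt one TCP connection and classify the outcome.

    Returns (code, hint) where code is a key of HINTS. `connect` is
    injectable so the classification can be exercised without a network.
    """
    try:
        sock = connect((host, port), timeout)
    except ConnectionRefusedError:
        # The peer answered the SYN with a reset: reachable, no listener.
        code = "refused"
    except socket.timeout:
        # Nothing came back within the timeout: dropped or never delivered.
        code = "timeout"
    except socket.gaierror:
        code = "dns"
    except OSError as exc:
        if exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
            code = "unreachable"
        else:
            code = "error"
    else:
        sock.close()
        code = "open"
    return code, HINTS[code]


if __name__ == "__main__":
    # 192.0.2.10 is a documentation address (RFC 5737), used as a placeholder.
    print(diagnose("192.0.2.10", 830, timeout=1.0))
```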

32
MCQmedium

A team is using Cisco DCNM for fabric management. They need to integrate with an external CI/CD pipeline. Which API should they use to trigger a network configuration change?

A.SNMP SET
B.DCNM REST API
C.NX-API on each switch
D.CLI via SSH
AnswerB

Centralized northbound API, ideal for CI/CD.

Why this answer

The DCNM REST API is the correct choice because it provides a programmatic, northbound interface specifically designed for integrating Cisco DCNM with external CI/CD pipelines. This API allows you to trigger network configuration changes at the fabric level, abstracting the complexity of individual switches and ensuring consistency across the entire fabric, which is essential for automated, version-controlled deployments.

Exam trap

Cisco often tests the distinction between device-level APIs (like NX-API) and fabric-level management APIs (like DCNM REST API), leading candidates to choose NX-API because they assume it is the most direct way to configure switches, but they miss that the question specifically requires integration with a CI/CD pipeline for fabric management, which demands a centralized, orchestrated approach.

How to eliminate wrong answers

Option A is wrong because SNMP SET is a legacy, device-level protocol that is not designed for fabric-wide orchestration or CI/CD integration; it is slow, lacks transactional guarantees, and does not support the declarative model needed for automated pipelines. Option C is wrong because NX-API on each switch operates at the individual device level, requiring the pipeline to manage each switch separately, which defeats the purpose of fabric-level management and introduces risk of configuration drift. Option D is wrong because CLI via SSH is a manual, non-scalable method that cannot be reliably integrated into an automated CI/CD pipeline; it lacks idempotency, audit trails, and the ability to roll back changes atomically.

33
MCQeasy

An engineer needs to automate configuration backups on NX-OS switches using Python. Which Python library is specifically designed for this purpose?

A.requests
B.paramiko
C.cli
D.nxapi
AnswerD

nxapi is the official Python library for NX-OS NX-API.

Why this answer

The `nxapi` library is specifically designed for automating configuration backups and other management tasks on Cisco NX-OS switches. It provides a Pythonic interface to the NX-API, which uses HTTP/HTTPS-based REST or XML/JSON-RPC calls to execute CLI commands and retrieve structured output, making it the correct choice for this purpose.

Exam trap

Cisco often tests the distinction between generic libraries (like `requests` or `paramiko`) and platform-specific libraries (like `nxapi`), trapping candidates who overlook that `nxapi` provides built-in NX-OS command formatting and authentication, whereas `requests` would require manual construction of NX-API payloads.

How to eliminate wrong answers

Option A is wrong because the `requests` library is a generic HTTP client library for Python; it can be used to send HTTP requests to NX-API but lacks the NX-OS-specific abstractions, authentication handling, and command formatting that `nxapi` provides. Option B is wrong because `paramiko` is an SSHv2 implementation for Python; while it can be used to automate CLI commands over SSH, it is not purpose-built for NX-OS and requires manual handling of SSH sessions, command parsing, and error handling. Option C is wrong because `cli` is not a standard Python library; it is a module within Cisco's NX-OS Python environment (e.g., `from cli import cli`) that runs CLI commands locally on the switch, but it is not a library for external automation of configuration backups.

34
MCQmedium

When using Cisco NSO (Network Services Orchestrator) to automate service creation across a data center network, what is a key consideration regarding device compatibility?

A.NSO requires NETCONF for all devices.
B.Each device must have a corresponding NED that matches its OS version.
C.Device YANG models must be hand-coded by the team.
D.NSO only supports Cisco devices.
AnswerB

NSO requires a compatible NED for each device model and OS version to translate service models.

Why this answer

B is correct because Cisco NSO uses Network Element Drivers (NEDs) to translate service models into device-specific CLI, SNMP, or NETCONF commands. Each NED is tied to a specific device OS version (e.g., IOS-XE 16.12, NX-OS 9.3), so mismatched NEDs cause configuration failures or incomplete deployments. Without a compatible NED, NSO cannot communicate with or configure the device.

Exam trap

The trap here is that candidates assume NSO relies exclusively on NETCONF or YANG for all devices, overlooking the critical role of OS-version-specific NEDs in enabling multi-protocol, multi-vendor automation.

How to eliminate wrong answers

Option A is wrong because NSO does not require NETCONF for all devices; it supports multiple southbound protocols including CLI, SNMP, and RESTCONF, with NEDs abstracting the protocol details. Option C is wrong because YANG models are not hand-coded by the team for each device; NSO uses pre-built NEDs that contain YANG models, and custom YANG models are only needed for service design, not device compatibility. Option D is wrong because NSO is vendor-agnostic and supports multi-vendor environments through NEDs for devices from Cisco, Juniper, Arista, and others.

35
MCQmedium

For consistent multi-data-center automation, which tool is best suited to orchestrate both NX-OS and ACI across sites?

A.Cisco NSO
B.Puppet
C.Ansible
D.Chef
AnswerA

NSO is built for service orchestration across multiple domains including NX-OS and ACI.

Why this answer

Cisco NSO (Network Services Orchestrator) is the correct tool because it provides multi-domain, multi-vendor orchestration with native support for both NX-OS and ACI through its Network Element Drivers (NEDs). NSO uses a model-driven approach with YANG data models and NETCONF/RESTCONF protocols to manage configuration consistency across distributed data centers, enabling service-level abstraction and closed-loop automation that other tools lack.

Exam trap

Cisco often tests the distinction between configuration management tools (Puppet, Chef, Ansible) and true orchestration platforms (NSO), trapping candidates who assume any automation tool can handle multi-site consistency without understanding NSO's model-driven, stateful orchestration and NED architecture.

How to eliminate wrong answers

Option B (Puppet) is wrong because it is a configuration management tool that relies on a master-agent model with its own DSL, lacking native support for ACI's APIC REST API or NX-OS's NX-API without extensive custom modules, and it does not provide multi-site orchestration capabilities. Option C (Ansible) is wrong because while it can automate NX-OS and ACI via modules, it is a task-based automation tool without a centralized state database or service orchestration layer, making it unsuitable for consistent multi-data-center orchestration across sites. Option D (Chef) is wrong because it is a configuration management tool using Ruby-based recipes and cookbooks, which requires significant custom development to interface with ACI's REST API and NX-OS, and it lacks the built-in multi-site service orchestration and network abstraction that NSO provides.

36
Multi-Selectmedium

A data center team is implementing configuration automation for a fleet of Nexus 9000 switches. They need a solution that supports idempotent configuration, works well with version control, and does not require an agent on the switches. Which two tools should they consider?

Select 2 answers
A.Puppet
B.Chef
C.Ansible
D.Python with Paramiko
E.Cisco NSO
AnswersC, E

Ansible is agentless, uses SSH/NX-API, and its playbooks are idempotent and version-controllable.

Why this answer

Ansible and Cisco NSO are both agentless and support idempotent configurations with version control. Puppet and Chef require agents, and Python with Paramiko does not inherently support idempotency.

37
MCQhard

An engineer receives an error 'XML namespace mismatch' when using NETCONF to configure a Nexus switch. The YANG model used is from the Cisco NX-OS openconfig model. What is the most likely cause?

A.The namespace in the XML payload does not match the YANG model
B.The switch is running in VM mode
C.The YANG model is not supported on this switch version
D.The NETCONF session is not authenticated
AnswerA

Directly causes the namespace mismatch error.

Why this answer

The 'XML namespace mismatch' error occurs when the namespace URI declared in the XML payload does not match the namespace defined in the YANG module. NETCONF uses the namespace to identify the correct YANG model for parsing the configuration data. If the namespace in the XML does not exactly match the one in the Cisco NX-OS openconfig YANG model, the switch rejects the operation with this specific error.

Exam trap

Cisco often tests the distinction between namespace mismatch errors and other NETCONF failures (like unsupported model or authentication), so candidates mistakenly choose 'unsupported model' when the error message explicitly points to a namespace issue.

How to eliminate wrong answers

Option B is wrong because VM mode (virtual machine mode) does not affect XML namespace validation; it is a licensing or operational mode that does not change NETCONF protocol behavior. Option C is wrong because if the YANG model were unsupported, the error would typically be 'data model not supported' or 'capability not advertised', not a namespace mismatch. Option D is wrong because an unauthenticated NETCONF session would fail at the session establishment phase (e.g., 'authentication failed' or 'session rejected'), not during payload processing with a namespace-specific error.

38
Matchingmedium

Match each Cisco ACI component to its role.

Central controller for policy management

Leaf-to-leaf connectivity and fabric backplane

Top-of-rack switch connecting servers to fabric

Endpoint group for policy application

Bridge domain for Layer 2 forwarding context

Why these pairings

ACI architecture is built on these components for policy-driven automation.

39
Drag & Dropmedium

Arrange the steps to recover a lost admin password on a Cisco Nexus switch.

Why this order

Password recovery involves boot interruption, register change, boot, password reset, and save.

40
Multi-Selecteasy

Which TWO methods are supported for authenticating to the APIC REST API?

Select 2 answers
A.SAML authentication
B.Certificate-based authentication
C.Local AAA user (username/password)
D.RADIUS/TACACS+ authentication
E.LDAP authentication
AnswersB, C

X.509 certificates can be used for API authentication.

Why this answer

The APIC REST API supports certificate-based authentication (option B) and local AAA user authentication with a username and password (option C). Certificate-based authentication uses X.509 certificates for secure, non-interactive API access, while local AAA authentication relies on credentials stored directly on the APIC. Both methods are explicitly documented as valid for REST API calls.

Exam trap

Cisco often tests the distinction between authentication methods supported for the REST API versus those supported for management access (SSH, web GUI), leading candidates to incorrectly select RADIUS/TACACS+ or LDAP as valid REST API options.

41
Multi-Selecthard

Which TWO are best practices when automating ACI fabric configuration using Ansible?

Select 2 answers
A.Set validate_certs: no to avoid certificate errors
B.Use the cisco.aci collection
C.Store credentials in plain text in playbooks
D.Use state: query for idempotent checks
E.Use delegate_to: localhost for all tasks
AnswersB, D

The official collection provides idempotent modules for ACI.

Why this answer

The cisco.aci collection is the official Ansible collection for automating Cisco ACI fabric configuration. It provides modules that abstract the ACI REST API, ensuring idempotent and reliable configuration management. Using this collection is a best practice because it is maintained by Cisco and follows Ansible's recommended approach for interacting with ACI.

Exam trap

Cisco often tests the misconception that disabling certificate validation (validate_certs: no) is acceptable for lab environments, but the exam expects adherence to security best practices regardless of environment.

42
MCQmedium

A network engineer is automating a repetitive configuration task on a Nexus 9000 switch using Python scripts with NX-API. The script sends a CLI command via POST request but receives HTTP 400 status with error 'Invalid request payload'. What is the most likely cause?

A.The JSON payload does not include the required 'ins_api' wrapper with version and type fields.
B.The switch is running an unsupported NX-OS version.
C.The script is using HTTP instead of HTTPS.
D.The CLI command syntax is incorrect with too many spaces.
AnswerA

The NX-API requires a specific JSON format with an 'ins_api' envelope containing attributes like version, type, chunk, sid, and input.

Why this answer

The NX-API expects a specific JSON structure. Option A correctly identifies that the payload must include the 'ins_api' wrapper with the version, type, chunk, sid, and input parameters.

43
MCQeasy

A large financial institution has recently migrated its data center network to a new Cisco ACI fabric. The operations team is tasked with automating the provisioning of new application tenants, including EPGs, contracts, and bridge domains, using the APIC REST API. They have developed a comprehensive set of Python scripts that successfully performed these actions in their lab environment. However, when deploying the scripts to production, they receive an 'SSL: CERTIFICATE_VERIFY_FAILED' error from the requests library. The production APIC cluster uses a self-signed certificate for HTTPS, and the corporate security policy strictly prohibits the use of HTTP or disabling certificate verification. Additionally, the policy does not allow replacing the self-signed certificate with a CA-signed one without a lengthy approval process that could delay the automation project. The team needs an immediate solution that maintains security best practices. What should the team do?

A.Use HTTP instead of HTTPS for the API calls.
B.Add the self-signed certificate to the Python trust store by using the cert file in the verify parameter.
C.Disable SSL certificate verification in the Python requests by setting verify=False.
D.Request an exception to the security policy to allow a CA-signed certificate.
AnswerB

This enables verification against the specific certificate, maintaining security without policy changes.

Why this answer

Option B is correct because adding the self-signed certificate to the Python trust store allows verification to succeed while maintaining security. Option C disables verification, violating security. Option D requires a policy change that is not immediate. Option A uses HTTP, which is insecure.

44
MCQmedium

A large enterprise data center uses Cisco UCS Manager to manage hundreds of blade servers. The automation team has been using Python SDK scripts to provision service profiles. Recently, after a UCS Manager firmware upgrade, several scripts that previously worked are now failing with 'AttributeError: 'ServiceProfile' object has no attribute 'set_vnic_order''. The team confirms that the UCS Manager version changed from 4.0 to 4.2. Which course of action should the engineer take to resolve the issue?

A.Use the UCS Manager XML API directly without the SDK
B.Downgrade UCS Manager back to version 4.0 to restore compatibility
C.Replace Python scripts with Ansible modules that use the UCS API
D.Update the Python SDK to the version that supports UCS Manager 4.2 and modify scripts accordingly
AnswerD

Permanent fix; SDK update restores API compatibility.

Why this answer

The Python SDK for UCS Manager is version-specific; upgrading UCS Manager from 4.0 to 4.2 introduces API changes that can deprecate or remove methods like `set_vnic_order`. Updating the SDK to a version compatible with UCS Manager 4.2 ensures the Python scripts use the correct API calls, and modifying the scripts to align with any new method signatures or attributes resolves the AttributeError.

Exam trap

Cisco often tests the misconception that direct API usage (Option A) or alternative tools (Option C) bypass version compatibility issues, when in fact all API layers require version alignment.

How to eliminate wrong answers

Option A is wrong because using the UCS Manager XML API directly without the SDK would require rewriting all scripts from scratch, which is more labor-intensive and error-prone than updating the SDK; the XML API also undergoes version changes, so it would not inherently avoid compatibility issues. Option B is wrong because downgrading UCS Manager is a backward step that loses new features, security patches, and bug fixes, and it is not a sustainable solution for an enterprise environment. Option C is wrong because replacing Python scripts with Ansible modules is unnecessary and introduces a new toolchain; Ansible modules also rely on the UCS API and would require similar version compatibility updates.

45
MCQhard

An organization is deploying Ansible for network automation across multiple Nexus 9000 leaf switches. They need to ensure that configuration tasks are idempotent and only apply changes when necessary. Which best practice should be followed when using the cisco.nxos.nxos_config module?

A.Write idempotent playbooks by checking 'show running-config' before each task.
B.Use the 'replace' option with a provided configuration file to enforce desired state.
C.Set 'always_run' parameter to 'yes' to force execution.
D.Use the 'backup' option to always restore previous configuration.
AnswerB

The 'replace' option in the nxos_config module compares the running config with the provided config and applies only necessary changes, ensuring idempotency.

Why this answer

Option B is correct because setting the 'replace' option in the nxos_config module ensures the switch configuration matches the intended state, making the operation idempotent. Options A and D are generally not recommended for idempotency, and C is not a standard practice.

46
Multi-Selecteasy

Which TWO statements are true regarding the differences between REST API (NX-API) and NETCONF for automating Nexus switches?

Select 2 answers
A.NETCONF can only be used for configuration, not for operational state
B.NX-API uses HTTP/HTTPS as the transport protocol
C.NETCONF primarily uses JSON for data encoding
D.NETCONF provides a standardized data model (YANG) for configuration
E.Both use SSH as their default transport
AnswersB, D

NX-API is a REST-based interface over HTTP/HTTPS.

Why this answer

NX-API (REST API) uses HTTP or HTTPS as its transport protocol, allowing RESTful operations (GET, POST, PUT, DELETE) over standard web ports. This is in contrast to NETCONF, which uses SSH as its transport (RFC 6241). Therefore, option B is correct.

Exam trap

Cisco often tests the misconception that NETCONF only handles configuration (ignoring its <get> operation for operational state) and that NX-API uses SSH, when in fact NX-API uses HTTP/HTTPS and NETCONF uses SSH.

47
Multi-Selectmedium

Which TWO are benefits of using the Cisco NX-API for network automation compared to traditional SSH-based scripting?

Select 2 answers
A.Enables batching multiple CLI commands in a single HTTP request
B.Returns structured data (JSON/XML) that is version-independent
C.Supports direct configuration of IPSec and SSL VPNs
D.Eliminates the need for any authentication
E.Allows for real-time streaming of syslog messages
AnswersA, B

The NX-API supports the 'chunk' parameter to batch commands, reducing round-trips.

Why this answer

Option A is correct because the Cisco NX-API allows batching multiple CLI commands into a single HTTP request, which reduces the number of round trips and improves automation efficiency. This is a key advantage over traditional SSH-based scripting, where each command typically requires a separate connection or session.

Exam trap

Cisco often tests the distinction between NX-API's structured output and SSH's text-based output, and the trap here is that candidates may confuse NX-API's command batching with real-time streaming features like telemetry or syslog, which are separate technologies.

48
MCQmedium

Refer to the exhibit. An NX-API request returns this JSON error. What is the most likely cause?

A.The API version in the request is mismatched
B.Invalid credentials
C.The command is not allowed via NX-API
D.The switch is in maintenance mode
AnswerC

Some commands are restricted in NX-API. The error 'Invalid command' suggests a disallowed command.

Why this answer

The JSON error indicates that the NX-API request was rejected because the command is not permitted through the NX-API interface. NX-API enforces a strict allowlist of commands; any command not explicitly allowed (e.g., certain show commands or configuration commands that could destabilize the switch) will return this error. This is a security and stability feature of the NX-API RESTful interface.

Exam trap

Cisco often tests the misconception that any CLI command can be executed via NX-API, but in reality, NX-API has a restricted command set, and candidates may incorrectly attribute the error to credentials or API version mismatches.

How to eliminate wrong answers

Option A is wrong because an API version mismatch would typically return a different error, such as 'API version not supported' or a 400 Bad Request, not a generic JSON error about command permission. Option B is wrong because invalid credentials would result in an HTTP 401 Unauthorized response or an authentication failure message, not a command-level error. Option D is wrong because maintenance mode affects the switch's operational state and would generate a different error (e.g., 'switch is in maintenance mode'), not a command-specific rejection.

49
MCQeasy

What is a key advantage of using structured data (e.g., JSON or XML) from Cisco NX-API responses compared to traditional CLI scraping (e.g., using regular expressions)?

A.It automatically commits changes to running-config.
B.It provides machine-readable output that is less prone to parsing errors due to display changes.
C.It requires no software libraries to parse.
D.It eliminates the need for any authentication.
AnswerB

Structured data is consistent across versions, while CLI output can change with cosmetic updates.

Why this answer

Option B is correct because structured data is predictable and parsable, reducing errors compared to relying on raw text output.

50
Multi-Selecthard

A data center engineer is implementing model-driven telemetry using Cisco NX-OS. Which three components are required in the telemetry configuration? (Choose three.)

Select 3 answers
A.An HTTPS certificate for authentication
B.An SNMP community string
C.A sensor path to specify the data to stream
D.A subscription to a YANG data model
E.A destination profile with collector IP and port
AnswersC, D, E

Specifies which data to collect.

Why this answer

Option C is correct because a sensor path defines the specific YANG data model paths or operational data that the device will stream to the collector. In model-driven telemetry on Cisco NX-OS, the sensor path is the fundamental component that tells the device exactly which data to monitor and stream, such as 'Cisco-NX-OS-device:System/clock-items' or interface statistics paths.

Exam trap

The trap here is that candidates confuse model-driven telemetry with SNMP or traditional monitoring, mistakenly thinking SNMP community strings or HTTPS certificates are core components, when in fact the three required components are the sensor path, subscription, and destination profile.

51
MCQmedium

A company wants to automate backup of running-configurations for 200 Nexus switches. Which solution provides the best combination of reliability and version history?

A.Manual backup via CLI
B.Custom Python script using TFTP
C.Ansible playbook with the nxos_config backup option
D.A cron job that SCPs config to a server
AnswerC

Idempotent, stores backups with timestamps, supports diffs.

Why this answer

An Ansible playbook with the nxos_config backup option is the best solution because it provides idempotent, version-controlled backups of running-configurations across 200 Nexus switches. The nxos_config module automatically creates a timestamped backup file on the Ansible control node, ensuring both reliability through automated, consistent execution and a built-in version history via the backup files. This approach scales efficiently without requiring manual intervention or fragile scripting.

Exam trap

Cisco often tests the misconception that any automated backup method is sufficient, but the trap here is that only Ansible's nxos_config backup option combines reliability, scalability, and built-in version history without requiring custom scripting or insecure protocols like TFTP.

How to eliminate wrong answers

Option A is wrong because manual backup via CLI is not scalable for 200 switches, lacks version history, and is prone to human error. Option B is wrong because a custom Python script using TFTP is unreliable due to TFTP's lack of authentication and encryption, and it does not inherently provide version history or idempotency. Option D is wrong because a cron job that SCPs config to a server offers no built-in version history or rollback capability, and it requires custom scripting to manage backups reliably across many devices.

52
MCQeasy

A data center has 100 Nexus switches in a fabric managed by Cisco Nexus Dashboard Orchestrator (NDO). The network team needs to automate the creation of a new network template that includes multiple VLANs and VRF configurations. They want to ensure that the template is applied consistently across all leaf switches without manual intervention. The engineer writes a Python script using the NDO REST API to create the template and deploy it. However, the deployment fails with an error 'Template validation failed: overlapping IP subnets'. Upon reviewing the template, the engineer notices that two VLANs have overlapping subnet definitions. Which action should the engineer take to resolve this issue efficiently?

A.Use the NDO GUI to edit the template and then re-run the script
B.Manually correct the overlapping subnets in the template and re-run the deployment script
C.Create separate templates for each VLAN to avoid overlaps
D.Modify the Python script to ignore validation errors and force the deployment
AnswerB

Directly fixes the root cause; then automation can proceed.

Why this answer

Option B is correct because the root cause of the deployment failure is overlapping IP subnets in the template definition. Manually correcting the overlapping subnets in the template and re-running the deployment script directly resolves the validation error without introducing unnecessary complexity or risk. This approach ensures the template is valid before deployment, maintaining consistency across all leaf switches.

Exam trap

Cisco often tests the candidate's ability to distinguish between fixing the root cause (overlapping subnets) versus workarounds that bypass validation or increase complexity, testing whether you understand that automation must still adhere to network design rules.

How to eliminate wrong answers

Option A is wrong because using the NDO GUI to edit the template is not efficient; it introduces manual steps that defeat the automation goal and does not leverage the script for consistent deployment. Option C is wrong because creating separate templates for each VLAN does not address the overlapping subnet issue; it adds administrative overhead and may still result in overlaps if not carefully managed. Option D is wrong because modifying the Python script to ignore validation errors would force deployment of an invalid configuration, potentially causing IP conflicts and network outages across the fabric.

53
Multi-Selecteasy

An engineer needs to collect streaming telemetry from a Nexus 9000 switch. Which two protocols can be used to transmit telemetry data to a collector? (Choose two.)

Select 2 answers
A.NETCONF
B.gNMI
C.HTTP
D.SNMP traps
E.gRPC
AnswersB, E

gNMI is designed for telemetry and management.

Why this answer

gNMI (gRPC Network Management Interface) and gRPC are both correct because they are the primary protocols used for streaming telemetry on Nexus 9000 switches. gNMI defines a standard model-driven telemetry subscription mechanism over gRPC, while gRPC provides the underlying high-performance transport for streaming telemetry data to collectors.

Exam trap

Cisco often tests the distinction between configuration protocols (NETCONF) and streaming telemetry protocols (gNMI/gRPC), and candidates mistakenly choose NETCONF because it supports YANG-push notifications, but the question specifically asks for 'streaming telemetry' which requires the persistent, high-frequency channel provided by gRPC/gNMI.

54
MCQhard

A Nexus switch configured with 'feature nxapi' and 'nxapi https port 443' fails to respond to REST API calls from a monitoring system. The engineer can ping the management IP. Which troubleshooting step should be taken first?

A.Check if the monitoring system is using the correct HTTP method
B.Review the switch's ACL for the management VRF
C.Verify that the NX-API process is running with 'show nxapi'
D.Confirm that the SSL certificate is trusted
AnswerC

Quick check of API status.

Why this answer

Option C is correct because the first step when NX-API is configured but not responding is to verify that the NX-API process is actually running. The 'feature nxapi' command enables the feature, but the NX-API service may not have started due to a configuration error, resource issue, or process crash. The 'show nxapi' command displays the operational status of the NX-API service, including whether it is listening on the configured port (443 in this case).

Since the engineer can ping the management IP, basic network connectivity exists, so the issue is likely at the application layer.

Exam trap

Cisco often tests the distinction between enabling a feature with a command and the actual process running; candidates assume that 'feature nxapi' guarantees the service is operational, but the trap is that the process may not start automatically, and 'show nxapi' is the correct verification step.

How to eliminate wrong answers

Option A is wrong because the HTTP method (GET, POST, etc.) is a client-side concern; if the NX-API service is not running, no HTTP method will work, so checking the method is premature. Option B is wrong because ACLs for the management VRF would block pings as well, but the engineer can ping the management IP, indicating that Layer 3 connectivity is intact and no ACL is blocking traffic at that level. Option D is wrong because SSL certificate trust is only relevant after the HTTPS connection is established; if the NX-API process is not running, the server never presents a certificate, so trust is not the issue.

55
Multi-Selectmedium

A network automation engineer is writing an Ansible playbook to configure Nexus switches. Which three modules are available to manage NX-OS configuration? (Choose three.)

Select 3 answers
A.eos_config
B.nxos_config
C.nxos_interface
D.nxos_vlan
E.ios_config
AnswersB, C, D

Manages NX-OS configuration.

Why this answer

The `nxos_config` module is the primary Ansible module for managing NX-OS device configurations, allowing you to apply, replace, or merge configuration snippets directly onto Nexus switches. It is part of the `cisco.nxos` collection and is specifically designed for NX-OS, unlike `ios_config` which targets Cisco IOS/IOS-XE devices.

Exam trap

Cisco often tests the distinction between platform-specific Ansible modules (e.g., `nxos_*` vs `ios_*` vs `eos_*`), and the trap here is that candidates may confuse `ios_config` as being compatible with NX-OS due to a superficial similarity in CLI syntax, ignoring the underlying platform-specific module requirements.

56
MCQhard

An Ansible playbook using the cisco.nxos.nxos_config module fails with the error: 'Unsupported parameters for (cisco.nxos.nxos_config) module: connection type setting'. What is the most likely cause?

A.The SSH key authentication is misconfigured.
B.The playbook includes an invalid parameter 'connection: network_cli' inside the task block.
C.The module is not installed correctly.
D.The playbook is targeting a device running an unsupported NX-OS version.
AnswerB

The 'connection' parameter is a play-level attribute, not a task parameter for nxos_config.

Why this answer

The error 'Unsupported parameters for (cisco.nxos.nxos_config) module: connection type setting' occurs because the `connection: network_cli` parameter is being passed inside the task block of the playbook. The `cisco.nxos.nxos_config` module does not accept a `connection` parameter at the task level; connection settings must be defined at the play or inventory level. This is a common syntax error when using Ansible network modules.

Exam trap

Cisco often tests the distinction between play-level and task-level parameters, specifically that `connection` is not a valid parameter for network modules at the task level, leading candidates to incorrectly attribute the error to module installation or device compatibility.

How to eliminate wrong answers

Option A is wrong because SSH key authentication misconfiguration would typically cause an authentication or permission denied error, not an 'unsupported parameters' error related to connection type. Option C is wrong because if the module were not installed correctly, the error would be 'module not found' or 'could not locate module', not an unsupported parameters error. Option D is wrong because an unsupported NX-OS version would result in a module execution failure or a device-specific error, not a parameter validation error from the Ansible controller.

57
MCQhard

Refer to the exhibit. An engineer is using an Ansible playbook to configure a Nexus switch. The playbook task uses the nxos_config module to set an MTU value on an interface. What is the most likely issue?

A.Add the 'provider' parameter with connection details.
B.Correct the spelling of the MTU parameter to 'mtu_size'.
C.Use the nxos_mtu module instead of nxos_config to configure MTU.
D.Verify that the switch supports MTU configuration via Ansible.
AnswerC

The nxos_config module does not support MTU; the nxos_mtu module is designed for this purpose.

Why this answer

The nxos_config module is designed for general NX-OS configuration commands but does not support the 'mtu' parameter directly. The correct approach is to use the dedicated nxos_mtu module for setting MTU. Option B is incorrect because the parameter is correctly spelled; the module simply does not support it. Option D is incorrect because the switch does support MTU configuration via the appropriate module. Option A is incorrect because the provider parameter is not needed in modern Ansible versions.

58
MCQmedium

Refer to the exhibit. An automation script is used to configure a new VLAN 40 on Eth1/2 trunk. The script sends the following NX-API command: 'switchport trunk allowed vlan add 40'. After execution, the engineer runs 'show running-config interface eth1/2' and sees that the trunk allowed VLAN list shows '10,20,30,40'. However, the automation script logs indicate success for adding VLAN 40, but the running config does not show the change. What is the most likely issue?

A.The command syntax is incorrect; 'add' is not a valid keyword.
B.The engineer is viewing a different switch or the configuration was reverted by another process.
C.The script actually removed the existing VLANs and replaced them with only VLAN 40.
D.The NX-API command was sent to the wrong interface.
AnswerB

The running config shows the change, so the issue is likely that the engineer is looking at the wrong device or the config was changed after.

Why this answer

Option B is correct because the running config shows VLANs 10,20,30,40, indicating that VLAN 40 was successfully added. The script logs confirm success, so the command syntax and interface target are correct. The discrepancy between the logs and the running config is most likely due to the engineer viewing a different switch (e.g., a management console pointing to a different device) or the configuration being reverted by another process (e.g., a configuration rollback or a competing automation script).

Exam trap

Cisco often tests the candidate's ability to distinguish between a command that fails silently versus a command that succeeds but the result is not visible due to environmental factors (e.g., wrong device, configuration rollback), rather than a syntax or interface error.

How to eliminate wrong answers

Option A is wrong because 'switchport trunk allowed vlan add 40' is valid NX-OS syntax; the 'add' keyword is used to append VLANs to the existing allowed list. Option C is wrong because if the script had replaced the list with only VLAN 40, the running config would show '40' alone, not '10,20,30,40'. Option D is wrong because the running config shows the change on Eth1/2, confirming the command was sent to the correct interface.

59
MCQmedium

Refer to the exhibit. An engineer configured NX-API on a Nexus 9000 switch. The REST API client receives 'SSL_ERROR_BAD_CERT_DOMAIN'. What is the most likely cause?

A.HTTP is enabled which conflicts with HTTPS
B.The key file is missing
C.The certificate file is corrupted
D.The certificate does not match the switch's hostname
AnswerD

SSL_ERROR_BAD_CERT_DOMAIN specifically indicates domain mismatch.

Why this answer

The SSL_ERROR_BAD_CERT_DOMAIN error indicates that the certificate presented by the Nexus 9000 switch does not match the hostname used in the REST API client's request. When NX-API uses HTTPS, the client validates the server's certificate against the requested domain; a mismatch triggers this error. This is a common TLS/SSL certificate validation issue, not a problem with HTTP conflicts, missing keys, or corrupted files.

Exam trap

Cisco often tests the distinction between certificate validation errors (domain mismatch, expiry, untrusted CA) and other TLS/SSL failures (missing key, corrupted file), expecting candidates to recognize that 'SSL_ERROR_BAD_CERT_DOMAIN' specifically points to a hostname mismatch rather than a general certificate problem.

How to eliminate wrong answers

Option A is wrong because enabling HTTP alongside HTTPS does not cause SSL certificate domain validation errors; the error is specific to TLS handshake and certificate trust, not protocol conflicts. Option B is wrong because a missing key file would prevent the switch from establishing any HTTPS connection (e.g., 'no key' or 'unable to load private key' errors), not a domain mismatch error. Option C is wrong because a corrupted certificate file would typically cause a 'bad certificate' or 'certificate verify failed' error during the TLS handshake, not a domain mismatch error which is a hostname validation failure.

60
MCQhard

A large enterprise runs a multi-site Cisco ACI fabric with APICs in a cluster. The automation team uses Python scripts with the Cobra SDK to create and manage tenant policies. Recently, after upgrading the APIC firmware from version 4.2(3) to 5.2(1), a script that previously worked now fails with an 'Unauthorized' error when calling the APIC REST API. The script uses a service account with a locally stored password. The automation engineer verifies that the account credentials are correct and that the account is not locked. The script was not modified during the upgrade. Which action should the engineer take to resolve the issue?

A.Change the authentication method in the script from password-based to certificate-based authentication.
B.Upgrade the Python requests library to version 2.25.0 or later that supports TLS 1.3.
C.Regenerate the API key for the service account and update the script with the new key.
D.Disable TLS 1.3 on the APIC by setting the 'ssl-protocols' parameter to TLSv1.2 only.
AnswerB

Upgrading the library ensures TLS 1.3 compatibility, preserving security.

Why this answer

Option B is correct because APIC firmware 5.2(1) enforces TLS 1.3 by default, and older Python requests libraries (pre-2.25.0) do not support TLS 1.3, causing the handshake to fail with an 'Unauthorized' error despite valid credentials. Upgrading the requests library to version 2.25.0 or later adds TLS 1.3 support, allowing the script to authenticate successfully.

Exam trap

The trap here is that candidates assume the 'Unauthorized' error is due to invalid credentials or authentication method, when in fact it is caused by a TLS protocol version mismatch between the client library and the upgraded APIC.

How to eliminate wrong answers

Option A is wrong because changing from password-based to certificate-based authentication is unnecessary; the credentials are valid and the issue is a TLS version mismatch, not an authentication method problem. Option C is wrong because the service account uses a password, not an API key, and regenerating a non-existent key would not resolve the TLS 1.3 handshake failure. Option D is wrong because disabling TLS 1.3 on the APIC is a workaround that reduces security and is not the recommended fix; the proper solution is to update the client library to support the newer protocol.

61
MCQeasy

A data center automation script uses Python's requests library to call the NX-API for a Nexus 9000 switch. The script works but returns HTTP 400. Which is a likely cause?

A.The request payload is malformed
B.The switch has no management IP
C.The script uses HTTP instead of HTTPS
D.The API is not enabled
AnswerA

400 Bad Request is client error.

Why this answer

HTTP 400 indicates a bad request, which in the context of NX-API typically means the JSON or XML payload sent to the switch does not conform to the expected schema. Common issues include missing required fields (e.g., 'ins_api' version, 'type', 'chunk', 'sid', 'input', 'outputformat'), incorrect JSON syntax, or invalid values for parameters like 'version' or 'type'. The requests library successfully delivered the HTTP request, but the NX-API rejected it due to malformed content.

Exam trap

Cisco often tests the distinction between HTTP status codes (400 vs. 404 vs. connection errors) to see if candidates understand that a 400 specifically points to payload issues, not network or configuration problems.

How to eliminate wrong answers

Option B is wrong because if the switch had no management IP, the script would fail with a connection error (e.g., 'No route to host' or timeout), not an HTTP 400 response. Option C is wrong because using HTTP instead of HTTPS would result in a different error, such as a redirect (301/302) or a connection refused if HTTPS is enforced, but the NX-API can accept HTTP requests if configured; HTTP 400 is unrelated to protocol choice. Option D is wrong because if the API were not enabled, the switch would return an HTTP 404 (Not Found) or a connection reset, not a 400 Bad Request.
