Sample questions
Cisco DevNet Associate 200-901 practice questions
A company uses a CI/CD pipeline to deploy network configurations. The pipeline includes a stage that runs automated tests against a simulated network environment. Which testing strategy does this represent?
Trap 1: Regression testing
Regression testing ensures that new changes do not adversely affect existing functionality, but the scenario is about testing in a simulated environment before deployment.
Trap 2: Unit testing
Unit testing tests individual functions or modules, not integrated configurations in a simulated environment.
Trap 3: Smoke testing
Smoke testing is a preliminary test to check basic functionality, not a full test against a simulated environment.
- A
Regression testing
Why wrong: Regression testing ensures that new changes do not adversely affect existing functionality, but the scenario is about testing in a simulated environment before deployment.
- B
Unit testing
Why wrong: Unit testing tests individual functions or modules, not integrated configurations in a simulated environment.
- C
Integration testing
Integration testing validates the interaction between components in a simulated or staging environment.
- D
Smoke testing
Why wrong: Smoke testing is a preliminary test to check basic functionality, not a full test against a simulated environment.
Which TWO statements about REST API design best practices are correct?
Trap 1: API versioning should be implemented using query parameters only
Versioning via query parameters is uncommon; path or header versioning is preferred.
Trap 2: HTTP PUT method should be used for partial updates to a resource
PUT is for full replacement; PATCH is for partial updates.
Trap 3: Responses should return only HTTP status codes without a body
Responses typically include a body with details or representation of the resource.
- A
API versioning should be implemented using query parameters only
Why wrong: Versioning via query parameters is uncommon; path or header versioning is preferred.
- B
HTTP PUT method should be used for partial updates to a resource
Why wrong: PUT is for full replacement; PATCH is for partial updates.
- C
Resources should be represented using nouns in the URI
Using nouns for resources (e.g., /devices) is a REST best practice.
- D
Responses should return only HTTP status codes without a body
Why wrong: Responses typically include a body with details or representation of the resource.
- E
HTTP verbs should describe the action performed on the resource
Verbs like GET, POST, PUT, DELETE define the action.
A network engineer is using the Cisco Meraki API to retrieve a list of SSIDs for a specific network. The API returns an HTTP 200 status but an empty array for the SSIDs. Which of the following is the most likely cause?
Trap 1: The network ID is incorrect.
Wrong network ID returns 404, not empty array.
Trap 2: The API key is invalid.
Invalid API key results in 401/403, not empty array.
Trap 3: The request body is malformed.
Malformed request returns 400, not empty array.
- A
The network exists but has no SSIDs configured.
Empty array indicates no SSIDs, which is valid.
- B
The network ID is incorrect.
Why wrong: Wrong network ID returns 404, not empty array.
- C
The API key is invalid.
Why wrong: Invalid API key results in 401/403, not empty array.
- D
The request body is malformed.
Why wrong: Malformed request returns 400, not empty array.
When designing a REST API client for a Cisco DNA Center deployment, which authentication method should be used to obtain a token for subsequent API calls?
Trap 1: OAuth 2.0 client credentials grant.
DNA Center does not use OAuth 2.0.
Trap 2: API key in the request header.
DNA Center does not use API keys.
Trap 3: Client certificate in the request.
Certificates are not the standard authentication.
- A
OAuth 2.0 client credentials grant.
Why wrong: DNA Center does not use OAuth 2.0.
- B
API key in the request header.
Why wrong: DNA Center does not use API keys.
- C
HTTP Basic authentication to obtain a token.
Correct method: POST with basic auth to get token.
- D
Client certificate in the request.
Why wrong: Certificates are not the standard authentication.
A Python script uses the Cisco Meraki API to create a new network and then immediately attempts to configure an SSID on that network. The SSID creation fails with a 400 error indicating 'network is not ready'. What is the most likely cause?
Trap 1: The API rate limit has been exceeded.
Rate limiting returns 429, not 400.
Trap 2: The API key does not have write access to networks.
Insufficient permissions return 403.
Trap 3: The SSID name contains invalid characters.
Invalid format returns a different 400 error.
- A
The network is not fully provisioned yet; a delay is needed.
Asynchronous provisioning requires waiting.
- B
The API rate limit has been exceeded.
Why wrong: Rate limiting returns 429, not 400.
- C
The API key does not have write access to networks.
Why wrong: Insufficient permissions return 403.
- D
The SSID name contains invalid characters.
Why wrong: Invalid format returns a different 400 error.
A DevOps team manages a multi-site Cisco Meraki network with 50 MX appliances and 200 MR access points. They use a Python script that calls the Meraki API to collect device utilization data every hour and stores it in a CSV file. Recently, the script started failing intermittently with HTTP 429 status codes. The team suspects rate limiting but notices that the failures occur even when only one script instance runs. The script uses a single API key and makes requests to the /devices/{serial}/uplink endpoint for each MX and the /devices/{serial}/wireless/status endpoint for each MR. The script is scheduled via cron and runs sequentially. The team wants to resolve the rate limiting while minimizing changes to the script. Which course of action should the team take?
Trap 1: Distribute the API requests across multiple API keys.
The issue is rate limiting per key, but adding delays is simpler.
Trap 2: Switch to a webhook-based approach to receive data instead of…
Requires significant re-architecture and is not minimal.
Trap 3: Use the bulk API request feature to collect data in fewer calls.
Meraki does not have a bulk endpoint for these data.
- A
Introduce a delay between API calls to stay within the rate limit.
Adding a small delay reduces request rate and avoids 429 errors.
- B
Distribute the API requests across multiple API keys.
Why wrong: The issue is rate limiting per key, but adding delays is simpler.
- C
Switch to a webhook-based approach to receive data instead of polling.
Why wrong: Requires significant re-architecture and is not minimal.
- D
Use the bulk API request feature to collect data in fewer calls.
Why wrong: Meraki does not have a bulk endpoint for these data.
Refer to the exhibit. A network engineer applies this JSON-based QoS policy to a Cisco device using NETCONF/YANG. Which statement best describes the expected behavior for traffic from 10.0.0.0/24 with DSCP EF?
Exhibit
Refer to the exhibit.
{
"policy": {
"name": "QoS-Policy",
"match": {
"dscp": "EF",
"source_ip": "10.0.0.0/24"
},
"action": {
"set_dscp": "AF41",
"police": {
"cir": "100000000",
"bc": "10000000",
"conform_action": "transmit",
"exceed_action": "drop"
}
}
}
}Trap 1: Traffic with DSCP EF from any source is re-marked to AF41 and…
The policy only matches source 10.0.0.0/24.
Trap 2: The policy is invalid because DSCP values cannot be changed in a…
DSCP re-marking is a common QoS action.
Trap 3: Traffic from 10.0.0.0/24 is re-marked to DSCP EF, then policed at…
The policy matches DSCP EF, not sets it.
- A
Traffic with DSCP EF from any source is re-marked to AF41 and dropped if exceeding 100 Mbps.
Why wrong: The policy only matches source 10.0.0.0/24.
- B
The policy is invalid because DSCP values cannot be changed in a QoS policy.
Why wrong: DSCP re-marking is a common QoS action.
- C
Traffic from 10.0.0.0/24 with DSCP EF is re-marked to AF41 and limited to 100 Mbps; excess is dropped.
The policy matches both conditions, then re-marks and polices.
- D
Traffic from 10.0.0.0/24 is re-marked to DSCP EF, then policed at 100 Mbps.
Why wrong: The policy matches DSCP EF, not sets it.
Which TWO of the following are characteristics of Model-Driven Programmability with YANG models?
Trap 1: YANG models are only used with the Python library ncclient.
ncclient is one tool, not exclusive.
Trap 2: The controller directly pushes configurations to network devices…
YANG models enable validation before pushing.
Trap 3: NETCONF requires JSON encoding for configuration data.
NETCONF uses XML, not JSON.
- A
YANG models define a hierarchical data tree.
YANG models represent data as a tree structure.
- B
YANG models are only used with the Python library ncclient.
Why wrong: ncclient is one tool, not exclusive.
- C
NETCONF and RESTCONF use YANG models to manipulate device configurations.
Both protocols rely on YANG for data modeling.
- D
The controller directly pushes configurations to network devices without validation.
Why wrong: YANG models enable validation before pushing.
- E
NETCONF requires JSON encoding for configuration data.
Why wrong: NETCONF uses XML, not JSON.
Refer to the exhibit. A developer sends a PUT request to the RESTCONF endpoint with the above JSON payload. The device already has interface GigabitEthernet1/0/1 configured with IP address 10.10.10.1/24. What is the expected outcome?
Exhibit
Refer to the exhibit.
{
"Cisco-IOS-XE-native:interface": {
"GigabitEthernet": [
{
"name": "1/0/1",
"description": "Link to Core",
"ip": {
"address": {
"primary": {
"address": "10.10.10.1",
"mask": "255.255.255.0"
}
}
}
}
]
}
}Trap 1: The request fails because the interface already exists.
PUT is idempotent; it can replace existing resources.
Trap 2: The request creates a new interface with the same configuration.
PUT targets a specific resource; it does not create a new one if the URI identifies an existing resource.
Trap 3: The request fails because the JSON is malformed.
The JSON is valid.
- A
The request fails because the interface already exists.
Why wrong: PUT is idempotent; it can replace existing resources.
- B
The request creates a new interface with the same configuration.
Why wrong: PUT targets a specific resource; it does not create a new one if the URI identifies an existing resource.
- C
The request fails because the JSON is malformed.
Why wrong: The JSON is valid.
- D
The request succeeds and the interface configuration remains unchanged.
PUT replaces the resource with the given data; since it matches, no change occurs but the operation succeeds.
A network engineer is troubleshooting slow connectivity between two sites connected via a WAN link. The engineer suspects packet loss due to collisions. Which interface counter should be examined to confirm this?
Trap 1: Runts
Runts are frames smaller than 64 bytes, not collision-specific.
Trap 2: Output errors
Output errors are a general category, not specific to collisions.
Trap 3: Giants
Giants are frames larger than maximum size, not collision-specific.
- A
Runts
Why wrong: Runts are frames smaller than 64 bytes, not collision-specific.
- B
CRC errors
CRC errors indicate frame checksum failures often caused by collisions.
- C
Output errors
Why wrong: Output errors are a general category, not specific to collisions.
- D
Giants
Why wrong: Giants are frames larger than maximum size, not collision-specific.
A Python script used for network automation requires storing an API secret. Which approach is the most secure and recommended best practice?
Trap 1: Hardcode the secret in the Python script
Hardcoding exposes secrets in version control and is insecure.
Trap 2: Store the secret in a plain text file in the repository
Plain text files in repos are insecure and can be accidentally committed.
Trap 3: Encrypt the secret and store it in the script
Encryption keys still need to be stored somewhere, and decryption at runtime adds complexity without clear benefit over env vars.
- A
Hardcode the secret in the Python script
Why wrong: Hardcoding exposes secrets in version control and is insecure.
- B
Store the secret in a plain text file in the repository
Why wrong: Plain text files in repos are insecure and can be accidentally committed.
- C
Encrypt the secret and store it in the script
Why wrong: Encryption keys still need to be stored somewhere, and decryption at runtime adds complexity without clear benefit over env vars.
- D
Use environment variables
Environment variables keep secrets out of code and are configurable per deployment.
A company has a three-tier data center architecture with access, aggregation, and core layers. The network team is migrating to a leaf-spine architecture to support increasing east-west traffic. The current network uses STP for loop prevention, and the team wants to eliminate STP in the new design. They plan to use VXLAN overlays with BGP EVPN for control plane. During a pilot deployment, the team notices that some legacy servers that rely on traditional VLANs are not reachable across the new fabric. The servers are connected to access switches that are part of the leaf layer. The access switches are configured as VXLAN tunnel endpoints (VTEPs) but the legacy servers are still using traditional VLANs. The team needs to ensure connectivity between the legacy VLAN-based servers and the new VXLAN-based network. What is the best approach to integrate these legacy servers without changing their configuration?
Trap 1: Create a separate VRF for legacy VLANs and redistribute into BGP…
This adds complexity and does not solve L2 connectivity.
Trap 2: Configure the same VLAN on all leaf switches and use VXLAN to…
Stretching VLANs is not recommended for large fabrics.
Trap 3: Reconfigure the legacy servers to use VXLAN encapsulation
Server configuration change is to be avoided.
- A
Create a separate VRF for legacy VLANs and redistribute into BGP EVPN
Why wrong: This adds complexity and does not solve L2 connectivity.
- B
Implement a Layer 2 gateway (L2GW) on the leaf switches to bridge VLANs to VXLAN using IRB
IRB provides seamless bridging between VLAN and VXLAN.
- C
Configure the same VLAN on all leaf switches and use VXLAN to stretch the VLAN across the fabric
Why wrong: Stretching VLANs is not recommended for large fabrics.
- D
Reconfigure the legacy servers to use VXLAN encapsulation
Why wrong: Server configuration change is to be avoided.
Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to troubleshoot a network connectivity issue using the OSI model from bottom to top.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to deploy a Python script to a Cisco device via RESTCONF into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
Drag and drop the steps to set up a Python virtual environment for a DevNet project into the correct order.
Drag steps to the numbered slots on the right, or tap a step then tap a slot.
An engineer configures a trunk port as shown. A device connected to this port sends an untagged frame. Which VLAN will the switch associate the frame with?
Exhibit
Refer to the exhibit. ``` interface GigabitEthernet0/1 switchport mode trunk switchport trunk native vlan 99 switchport trunk allowed vlan 10,20,30 ```
Trap 1: VLAN 1
Native VLAN is configured as 99.
Trap 2: The frame is dropped
Untagged frames are accepted on trunk.
Trap 3: VLAN 10
Only tagged frames use allowed VLANs.
- A
VLAN 1
Why wrong: Native VLAN is configured as 99.
- B
The frame is dropped
Why wrong: Untagged frames are accepted on trunk.
- C
VLAN 10
Why wrong: Only tagged frames use allowed VLANs.
- D
VLAN 99
Untagged frames are placed in native VLAN.
Based on the routing table, what type of OSPF route is the default route (0.0.0.0/0)?
Exhibit
Refer to the exhibit.
```
R1# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route
Gateway of last resort is 10.0.0.1 to network 0.0.0.0
O*E2 0.0.0.0/0 [110/1] via 10.0.0.1, 00:00:34, GigabitEthernet0/0
O 10.0.0.0/8 [110/2] via 10.0.0.1, 00:00:34, GigabitEthernet0/0
O 172.16.0.0/16 [110/3] via 192.168.1.1, 00:00:34, GigabitEthernet0/1
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
```Trap 1: OSPF inter-area route
Inter-area routes show as O IA.
Trap 2: OSPF NSSA external type 1 route
NSSA routes display as N1 or N2.
Trap 3: OSPF intra-area route
Intra-area routes show as O without asterisk.
- A
OSPF inter-area route
Why wrong: Inter-area routes show as O IA.
- B
OSPF NSSA external type 1 route
Why wrong: NSSA routes display as N1 or N2.
- C
OSPF intra-area route
Why wrong: Intra-area routes show as O without asterisk.
- D
OSPF external type 2 route
O*E2 indicates external type 2 default.
An engineer notices that a switch port configured as an access port in VLAN 10 is not forwarding traffic. The switch shows the port is up/up. What is the most likely cause?
Trap 1: Spanning Tree Protocol blocking the port
STP blocking would show in show spanning-tree.
Trap 2: Speed/duplex mismatch
Would cause errors or down state.
Trap 3: VLAN 10 does not exist in the VLAN database
VLAN 10 would be created automatically if not present.
- A
Spanning Tree Protocol blocking the port
Why wrong: STP blocking would show in show spanning-tree.
- B
The connected device is sending 802.1Q tagged frames
Access ports drop tagged frames.
- C
Speed/duplex mismatch
Why wrong: Would cause errors or down state.
- D
VLAN 10 does not exist in the VLAN database
Why wrong: VLAN 10 would be created automatically if not present.
Which TWO statements are true about VXLAN? (Choose two.)
Trap 1: VXLAN requires MPLS in the underlay
VXLAN can run over any IP network.
Trap 2: VXLAN uses IP-in-IP encapsulation
VXLAN uses MAC-in-UDP.
Trap 3: VXLAN operates at Layer 2 only
VXLAN is an overlay over Layer 3.
- A
VXLAN requires MPLS in the underlay
Why wrong: VXLAN can run over any IP network.
- B
VXLAN encapsulates Ethernet frames in UDP packets
VXLAN uses UDP encapsulation.
- C
VXLAN uses IP-in-IP encapsulation
Why wrong: VXLAN uses MAC-in-UDP.
- D
VXLAN operates at Layer 2 only
Why wrong: VXLAN is an overlay over Layer 3.
- E
VXLAN supports up to 16 million logical networks
24-bit VNI provides 16 million segments.
Which THREE factors influence the convergence time of OSPF in a large enterprise network? (Choose three.)
Trap 1: Bidirectional Forwarding Detection (BFD) implementation
BFD is not part of OSPF itself.
Trap 2: DUAL algorithm processing time
DUAL is used by EIGRP, not OSPF.
- A
CPU processing power for SPF calculations
SPF computation time affects convergence.
- B
Hello and dead interval timers
Shorter timers speed failure detection.
- C
Bidirectional Forwarding Detection (BFD) implementation
Why wrong: BFD is not part of OSPF itself.
- D
DUAL algorithm processing time
Why wrong: DUAL is used by EIGRP, not OSPF.
- E
LSA propagation delay across the network
Flooding LSAs takes time.
A developer is using the Cisco Webex API to create a room and add members. The API requires an access token with the appropriate scopes. The developer receives a 401 Unauthorized error when trying to create a room. What is the most likely cause?
Trap 1: The access token has the 'spark:memberships_write' scope but not…
Incorrect: While lacking room write scope is an issue, the correct answer is C.
Trap 2: The access token is not being sent in the Authorization header
Incorrect: This would also cause 401, but the question implies the token is present.
Trap 3: The access token has expired
Incorrect: Expired tokens typically return 401, but the scope issue is more specific.
- A
The access token only has the 'spark:rooms_read' scope
Correct: The write scope is required for creating rooms.
- B
The access token has the 'spark:memberships_write' scope but not 'spark:rooms_write'
Why wrong: Incorrect: While lacking room write scope is an issue, the correct answer is C.
- C
The access token is not being sent in the Authorization header
Why wrong: Incorrect: This would also cause 401, but the question implies the token is present.
- D
The access token has expired
Why wrong: Incorrect: Expired tokens typically return 401, but the scope issue is more specific.
Which TWO statements about REST API design best practices are true? (Choose two.)
Trap 1: Avoid API versioning to keep the API simple
Incorrect: Versioning is important for evolution.
Trap 2: Include the HTTP method in the URI path, e.g., /getDevices
Incorrect: The HTTP method should be used via the verb, not the path.
Trap 3: Always use file-based transfer for large payloads
Incorrect: REST can handle large payloads via streaming or chunking.
- A
Avoid API versioning to keep the API simple
Why wrong: Incorrect: Versioning is important for evolution.
- B
Include the HTTP method in the URI path, e.g., /getDevices
Why wrong: Incorrect: The HTTP method should be used via the verb, not the path.
- C
Always use file-based transfer for large payloads
Why wrong: Incorrect: REST can handle large payloads via streaming or chunking.
- D
Use nouns for resource endpoints, e.g., /devices instead of /getDevices
Correct: Nouns represent resources.
- E
Use HTTP methods appropriately: GET for retrieval, POST for creation, etc.
Correct: This aligns with REST principles.
A development team is implementing a microservices architecture. They need to ensure that services can discover each other dynamically without hardcoding IP addresses. Which technology should they use?
Trap 1: A centralized load balancer
Incorrect: Load balancers do not provide dynamic service discovery.
Trap 2: An API gateway
Incorrect: API gateways can use registries but are not the discovery mechanism themselves.
Trap 3: DNS-based service discovery
Incorrect: DNS is not dynamic enough for microservices.
- A
A centralized load balancer
Why wrong: Incorrect: Load balancers do not provide dynamic service discovery.
- B
A service registry like Consul
Correct: Service registries enable dynamic discovery and health checks.
- C
An API gateway
Why wrong: Incorrect: API gateways can use registries but are not the discovery mechanism themselves.
- D
DNS-based service discovery
Why wrong: Incorrect: DNS is not dynamic enough for microservices.
Question Discussion
Share a tip, memory trick, or ask about the reasoning behind this question. Do not post real exam questions, leaked content, braindumps, or copyrighted exam material. Comments are moderated and may be removed without notice.
Sign in to join the discussion.