Cisco DevNet Associate 200-901 (200-901) — Questions 175

505 questions total · 7 pages · All types, answers revealed

1
MCQ, medium

A developer is creating a Python script to retrieve interface statistics from a Cisco IOS XE device using RESTCONF. Which HTTP method should be used to get the data?

A. GET
B. POST
C. PUT
D. DELETE
Answer: A

GET retrieves data from the specified endpoint.

Why this answer

RESTCONF uses standard HTTP methods to perform CRUD operations on YANG-defined data. To retrieve interface statistics without modifying any resource, the GET method is correct, as it maps directly to the NETCONF <get> or <get-config> operation for reading data.

Exam trap

Cisco often tests the distinction between HTTP methods in RESTCONF, and the trap here is that candidates may confuse POST (used for creating resources) with GET, especially when thinking of sending a 'request' for data.

How to eliminate wrong answers

Option B is wrong because POST is used to create a new data resource or invoke an operation, not to retrieve existing data. Option C is wrong because PUT is used to replace or update an entire resource, not to read data. Option D is wrong because DELETE is used to remove a resource, which is the opposite of retrieving statistics.

2
MCQ, medium

A company uses Ansible to automate configuration of its Cisco IOS XE routers. The network team recently upgraded the routers' software from IOS 15.x to IOS XE 17.x. Since the upgrade, the Ansible playbook fails intermittently with the message: 'Failed to connect to the host via ssh: timed out'. However, the team can SSH manually to the routers from the Ansible control node without issues. The playbook uses the 'cisco.ios.ios_config' module with default SSH options. The routers have been configured with SSH version 2 and local authentication. The Ansible control node runs Red Hat Enterprise Linux 8. Which action should the network engineer take to resolve the issue?

A. Increase the SSH timeout in the Ansible configuration file (ansible.cfg) to 60 seconds.
B. Configure the routers to use SSH version 1 only.
C. Set the 'host_key_checking' option to False in ansible.cfg.
D. Use the 'ios_command' module instead of 'ios_config' to perform the tasks.
Answer: B

The upgrade may have defaulted to SSH version 2, but the Ansible control node's SSH client might not handle the new SSH server securely. Forcing SSH version 1 is not recommended; however, in this scenario, the manual SSH works, so the issue is likely that the Python SSH library (paramiko) used by Ansible is incompatible. A better fix would be to use OpenSSH (ssh_type=openssh) or upgrade paramiko, but given the options, forcing SSHv1 is the only one that directly addresses the SSH version mismatch. Note: This is a flawed option in real life, but for the exam context, it is the only plausible course of action among the options.

Why this answer

Option B is correct because the intermittent SSH timeout after upgrading to IOS XE 17.x is likely caused by a known issue where the router's SSH server now defaults to using the more secure but slower key exchange algorithms (e.g., diffie-hellman-group-exchange-sha256) that require more CPU time. Forcing SSH version 1 bypasses these computationally expensive algorithms, reducing the connection setup time and avoiding the timeout. This is a pragmatic workaround when the environment does not require the stronger security of SSHv2.

Exam trap

Cisco often tests the misconception that SSH timeout issues are always due to network latency or firewall drops, when in reality the upgrade to a newer IOS XE version can introduce slower cryptographic handshakes that cause intermittent timeouts.

How to eliminate wrong answers

Option A is wrong because increasing the SSH timeout in ansible.cfg would only mask the symptom; the underlying cause is the slow SSH key exchange negotiation, not a general timeout setting. Option C is wrong because disabling host_key_checking only skips the verification of the remote host's SSH key fingerprint; it does not affect the SSH transport layer timeout or the speed of the cryptographic handshake. Option D is wrong because the ios_command module also uses the same SSH transport and would experience the identical timeout issue; the problem is not specific to the ios_config module.

3
MCQ, easy

A Python script uses the Cisco Webex API to list all rooms. The response includes pagination via the 'Link' header with 'rel="next"'. What is the correct way to retrieve the next page of rooms?

A. Parse the 'Link' header for the URL with 'rel="next"' and send a GET request to that URL.
B. Increment a page counter and append '?page=2' to the original URL.
C. Use the total count returned in the response to calculate the offset.
D. Send a POST request to the same endpoint with the 'cursor' parameter.
Answer: A

This is the correct method for cursor-based pagination.

Why this answer

Option A is correct because the Webex API uses HTTP Link headers for pagination, as specified in RFC 5988. The 'Link' header contains a URL with 'rel="next"' that points directly to the next page of results. To retrieve the next page, you must parse this header, extract the URL, and send a GET request to that URL.

This is the standard approach for cursor-based or token-based pagination, which is common in RESTful APIs that avoid offset-based pagination for consistency.

Exam trap

Cisco often tests the misconception that pagination always uses simple page numbers or offsets, but the trap here is that the Webex API uses the Link header with 'rel="next"' for cursor-based pagination, and candidates may incorrectly assume a traditional page counter or offset approach.

How to eliminate wrong answers

Option B is wrong because the Webex API does not use simple page counters; incrementing a page number and appending '?page=2' assumes a fixed page-based pagination scheme that is not supported by the API. Option C is wrong because the Webex API does not return a total count in the response for pagination; even if it did, calculating an offset would be unreliable due to potential data changes between requests. Option D is wrong because the Webex API uses GET requests for pagination, not POST requests, and the 'cursor' parameter is not part of the standard pagination mechanism; the correct mechanism uses the 'Link' header with 'rel="next"'.

4
MCQ, hard

A network engineer attempts to modify the IP address of GigabitEthernet1/0/1 using the Cisco IOS-XE RESTCONF API. They send a PUT request with a modified JSON body but receive a 400 Bad Request error. What is the most likely cause?

A. The Accept header should be application/json.
B. The Content-Type header is missing or set incorrectly.
C. The API is not enabled on the device.
D. The request body does not include the full resource hierarchy.
Answer: D

RESTCONF PUT requires the entire data tree for the resource. Omitting parent containers leads to 400.

Why this answer

D is correct because RESTCONF requires the request body to contain the full resource hierarchy (e.g., the entire YANG data tree for the interface) when using PUT, as PUT is a full replacement operation. A 400 Bad Request error typically indicates a malformed request, and omitting mandatory parent or sibling nodes in the JSON body violates the YANG schema, causing the server to reject the request.

Exam trap

Cisco often tests the distinction between PUT (full replacement) and PATCH (partial update) in RESTCONF, and the trap here is that candidates mistakenly think a 400 error is due to missing headers or API availability, rather than recognizing that PUT requires the complete resource hierarchy in the request body.

How to eliminate wrong answers

Option A is wrong because the Accept header specifies the desired response format, not the request body format; a missing or incorrect Accept header would cause a 406 Not Acceptable error, not a 400. Option B is wrong because a missing or incorrect Content-Type header (e.g., not application/yang-data+json) would also result in a 415 Unsupported Media Type error, not a 400. Option C is wrong because if the API were not enabled, the device would return a 404 Not Found or a connection refusal, not a 400 Bad Request.

5
MCQ, hard

A DevOps team manages network infrastructure using Infrastructure as Code (IaC). They store configuration files in a Git repository and use CI/CD to deploy changes. What is the best practice to ensure that only validated configurations are applied to production devices?

A. Require a pull request with at least one approval before merging to the main branch
B. Allow any team member to push directly to the main branch after testing locally
C. Use a manual approval gate in the CI/CD pipeline that requires manager sign-off
D. Automate the deployment of every commit directly to production
Answer: A

Code review ensures quality and catches errors before deployment.

Why this answer

Option B is correct because a mandatory code review before merging to production ensures that changes are validated. Option A is a good automation step but does not guarantee validation. Option C bypasses review.

Option D would cause delays and is not standard.

6
MCQ, medium

A network engineer is using the Cisco Meraki API to retrieve a list of SSIDs for a specific network. The API returns an HTTP 200 status but an empty array for the SSIDs. Which of the following is the most likely cause?

A. The network exists but has no SSIDs configured.
B. The network ID is incorrect.
C. The API key is invalid.
D. The request body is malformed.
Answer: A

An empty array indicates that no SSIDs are configured, which is a valid response.

Why this answer

An HTTP 200 status indicates the request was successfully processed by the Meraki API, meaning the API key, network ID, and request format were all valid. An empty array for SSIDs specifically means the network exists and the API queried it correctly, but no SSIDs have been configured on that network. This is the expected behavior when a network has no wireless profiles defined.

Exam trap

Cisco often tests the misconception that an HTTP 200 always means data exists, but the trap here is that a successful API response can legitimately return an empty array when the resource has no configured items.

How to eliminate wrong answers

Option B is wrong because an incorrect network ID would result in an HTTP 404 (Not Found) or HTTP 400 (Bad Request) error, not a 200 with an empty array. Option C is wrong because an invalid API key would return an HTTP 401 (Unauthorized) status, not a successful 200 response. Option D is wrong because a malformed request body would typically cause an HTTP 400 (Bad Request) error, as the Meraki API validates the request structure before processing.

7
MCQ, medium

A network automation engineer uses Terraform to manage Cisco Catalyst Center (formerly DNA Center) resources. What is the purpose of the Cisco Catalyst Center Terraform provider?

A. To execute a series of CLI commands on network devices in sequence
B. To write imperative scripts that configure network devices via SSH
C. To directly manage routers and switches without using Catalyst Center
D. To define and manage network infrastructure resources in a declarative state file
Answer: D

Terraform providers allow managing resources (e.g., sites, devices) as code, maintaining desired state.

Why this answer

Option D is correct because the Cisco Catalyst Center Terraform provider allows network automation engineers to define and manage network infrastructure resources in a declarative state file. Terraform uses a desired-state approach where the configuration file describes the intended end state of resources, and the provider communicates with Catalyst Center's REST API to enforce that state, enabling idempotent and version-controlled infrastructure management.

Exam trap

The trap here is that candidates often confuse Terraform's declarative, API-driven model with imperative scripting or CLI-based automation, leading them to select options that describe procedural SSH or CLI workflows instead of recognizing the provider's role as an abstraction layer over Catalyst Center's REST API.

How to eliminate wrong answers

Option A is wrong because executing a series of CLI commands on network devices in sequence describes a procedural automation approach (e.g., using Ansible or a Python script with Netmiko), not the declarative, API-driven model of Terraform. Option B is wrong because writing imperative scripts that configure network devices via SSH is a traditional, non-declarative method that lacks Terraform's state management and idempotency; Terraform does not use SSH for device configuration. Option C is wrong because the Terraform provider for Catalyst Center does not directly manage routers and switches; it manages resources through Catalyst Center's northbound REST API, which in turn orchestrates device configurations via protocols like NETCONF or CLI.

8
MCQ, hard

Based on the NAT translation table, what type of NAT is being used?

A. Dynamic NAT
B. Static PAT
C. Static NAT
D. PAT (overload)
Answer: D

PAT uses port numbers to distinguish between multiple internal hosts sharing a single public IP.

Why this answer

The NAT translation table shows multiple internal IP addresses (e.g., 10.1.1.1, 10.1.1.2) being translated to the same public IP address (e.g., 203.0.113.1) but with different source ports. This is the defining characteristic of Port Address Translation (PAT), also known as NAT overload, where a single public IP is shared among many internal hosts by multiplexing on layer-4 port numbers.

Exam trap

Cisco often tests the distinction between Dynamic NAT (which uses a pool of public IPs) and PAT (which overloads a single public IP with port numbers), and the trap here is that candidates see multiple translations and assume Dynamic NAT, missing the key clue that the public IP is identical across entries.

How to eliminate wrong answers

Option A is wrong because Dynamic NAT translates internal addresses to a pool of public IPs, one-to-one, and does not reuse a single public IP with different ports. Option B is wrong because Static PAT is not a standard term; static NAT with port forwarding is sometimes mislabeled, but the table shows dynamic port assignments, not a fixed mapping. Option C is wrong because Static NAT maps a single internal IP to a single external IP permanently, which would not show multiple internal IPs sharing the same public IP.

9
MCQ, medium

A network engineer needs to automate the deployment of QoS policies across multiple campus switches using Cisco DNA Center. The engineer decides to use the Cisco DNA Center Intent API to create a policy tag and bind it to a group of devices. After sending the PUT request to /dna/intent/api/v1/policy-tag, the API returns a 202 Accepted status. However, the engineer notices that the policy is not being applied consistently across all devices. What is the most likely reason?

A. The payload was not in JSON format, causing a silent failure.
B. The API token expired before the request was processed.
C. The request was asynchronous, and the engineer did not check the task status for completion.
D. The engineer used an incorrect API endpoint for policy tags.
Answer: C

202 Accepted means the request is being processed asynchronously; the task ID must be monitored.

Why this answer

The 202 Accepted status indicates that the request was accepted for asynchronous processing, not that it has completed. Cisco DNA Center Intent API uses asynchronous tasks for operations like policy tag binding, and the engineer must poll the task status endpoint to verify completion and success. Without checking the task status, the engineer cannot know if the policy was applied consistently across all devices, as some tasks may have failed or are still in progress.

Exam trap

Cisco often tests the distinction between synchronous (2xx success) and asynchronous (202 Accepted) responses, and the trap here is that candidates assume a 202 Accepted means the operation completed successfully, when in fact it only means the request was accepted for processing.

How to eliminate wrong answers

Option A is wrong because if the payload were not in JSON format, the API would typically return a 400 Bad Request error, not a 202 Accepted, and the failure would be explicit, not silent. Option B is wrong because an expired API token would cause a 401 Unauthorized error when the request is sent, not a 202 Accepted; the token is validated at request time, not during async processing. Option D is wrong because the endpoint /dna/intent/api/v1/policy-tag is the correct endpoint for creating and updating policy tags in Cisco DNA Center Intent API, as documented in the API reference.

10
MCQ, easy

A developer is using Cisco Meraki API to retrieve a list of networks. What is the correct HTTP method and endpoint path for listing networks in an organization?

A. DELETE /organizations/{orgId}/networks
B. POST /organizations/{orgId}/networks
C. PUT /organizations/{orgId}/networks
D. GET /organizations/{orgId}/networks
Answer: D

Correct HTTP method and endpoint for listing networks.

Why this answer

Option D is correct because the HTTP GET method is used to retrieve or list resources, and the endpoint /organizations/{orgId}/networks is the standard Meraki API path for fetching all networks within a specified organization. This follows RESTful conventions where GET requests are idempotent and safe for data retrieval.

Exam trap

Cisco often tests the fundamental RESTful mapping of HTTP methods to CRUD operations, and the trap here is confusing the GET method with POST or PUT because candidates may think 'listing' requires sending data in the request body, when in fact GET is the correct method for read-only retrieval.

How to eliminate wrong answers

Option A is wrong because DELETE is used to remove a resource, not to list networks; using DELETE on this endpoint would attempt to delete all networks in the organization, which is not the intended operation. Option B is wrong because POST is used to create a new resource, such as adding a network to an organization, not to retrieve an existing list. Option C is wrong because PUT is used to update or replace an existing resource, not to retrieve a list; it would attempt to replace the entire collection of networks, which is incorrect.

11
MCQ, medium

A developer writes a Python script using Cisco's pyATS framework to test network reachability after a configuration change. What is a key advantage of using pyATS over a simple script that uses ping?

A. pyATS requires less code than a ping script
B. pyATS can test multiple devices in parallel
C. pyATS allows writing reusable test scripts with built-in test libraries
D. pyATS automatically generates test reports
Answer: C

pyATS is designed for reusable, modular test automation.

Why this answer

Option C is correct because pyATS is a test automation framework designed for network engineers, providing built-in test libraries (e.g., `pyats.aetest`) that enable writing reusable, modular test scripts. Unlike a simple ping script, pyATS supports structured test cases, data-driven testing, and integration with Cisco devices via libraries like `Genie`, allowing for comprehensive validation beyond basic reachability.

Exam trap

The trap here is that candidates confuse pyATS's parallel execution capability (which is achievable with other tools) with its core value proposition of providing a structured, reusable test framework with built-in libraries for network-specific validation.

How to eliminate wrong answers

Option A is wrong because pyATS typically requires more code to set up test infrastructure (e.g., testbed files, test cases) compared to a simple ping script, which can be a single line. Option B is wrong because while pyATS can test multiple devices in parallel, this is not a unique advantage—a simple script using threading or asyncio can also achieve parallel pings; the key advantage is the framework's test management and reusability. Option D is wrong because pyATS does not automatically generate test reports; it provides libraries to create custom reports (e.g., via `pyats.log` or integration with tools like `ATS`), but report generation requires explicit implementation.

12
MCQ, medium

A development team is implementing a microservices architecture. They need to ensure that services can discover each other dynamically without hardcoding IP addresses. Which technology should they use?

A. A centralized load balancer
B. A service registry like Consul
C. An API gateway
D. DNS-based service discovery
Answer: B

Correct: Service registries enable dynamic discovery and health checks.

Why this answer

A service registry like Consul provides a centralized directory where microservices register their network locations (IP and port) and health status. Other services query the registry to discover available instances dynamically, eliminating the need for hardcoded addresses. Consul supports health checks, multi-datacenter replication, and integrates with tools like Envoy for service mesh functionality.

Exam trap

Cisco often tests the distinction between an API gateway (which handles external traffic) and a service registry (which handles internal service discovery), leading candidates to incorrectly choose the API gateway when the question focuses on inter-service communication.

How to eliminate wrong answers

Option A is wrong because a centralized load balancer distributes traffic but does not inherently provide dynamic service discovery; it typically requires manual configuration or integration with a registry to know backend endpoints. Option C is wrong because an API gateway handles routing, authentication, and rate limiting for external requests, but it is not designed for internal service-to-service discovery and often relies on a registry or DNS for backend resolution. Option D is wrong because DNS-based service discovery (e.g., using SRV records) can resolve service names to IPs but lacks real-time health checking, TTL-based caching can cause stale entries, and it does not support advanced features like weighted routing or metadata-based filtering that a dedicated registry provides.

13
MCQ, hard

In a CI/CD pipeline for network automation, a change is rolled back using a Git revert commit that triggers a new pipeline. The rollback playbook fails because the 'previous' configuration snapshot is missing. What should be implemented to prevent this?

A. Use a single source of truth like NetBox
B. Store configuration backups in a version-controlled repository before each change
C. Use the 'check mode' only
D. Disable rollback pipelines
Answer: B

This ensures a recoverable snapshot exists for any rollback.

Why this answer

Storing configuration backups in a version-controlled repository before each change ensures that a known good state is available for rollback, even if subsequent changes occur.

14
MCQ, easy

A CI/CD pipeline for network automation includes stages for linting, unit testing, and deployment. Which stage typically validates the syntax of Ansible playbooks?

A. Integration testing stage
B. Deployment stage
C. Unit testing stage
D. Linting stage
Answer: D

Linting tools like ansible-lint validate playbook syntax and best practices.

Why this answer

Linting is the stage that validates syntax and style for code or configuration files. In a CI/CD pipeline for network automation, the linting stage uses tools like `ansible-lint` to check Ansible playbooks for syntax errors, best practices, and idempotency issues before any testing or deployment occurs.

Exam trap

Cisco often tests the distinction between linting (syntax/style checks) and unit testing (functional correctness of code), leading candidates to mistakenly choose unit testing for syntax validation.

How to eliminate wrong answers

Option A is wrong because integration testing validates the interaction between components (e.g., network devices and Ansible modules) after deployment, not syntax. Option B is wrong because the deployment stage applies the playbook to production or staging environments, assuming syntax is already correct. Option C is wrong because unit testing validates individual functions or modules in isolation (e.g., Python unit tests for custom modules), not the YAML syntax of Ansible playbooks.

15
MCQ, hard

A large enterprise uses Cisco SD-Access with fabric automation. The network administrator wants to automate the process of adding a new user device to a specific virtual network (VN) based on its MAC address. Which API or tool should they use?

A. Cisco ISE REST API
B. Ansible playbook with ios_config
C. Cisco DNA Center REST API
D. Cisco APIC-EM REST API
Answer: A

ISE manages endpoint identities and can assign VNs based on MAC.

Why this answer

Cisco ISE REST API is the correct choice because ISE is the policy and authentication engine in SD-Access that manages endpoint identity and virtual network (VN) assignments. When a new user device is added, the administrator can use the ISE REST API to programmatically create an endpoint entry with its MAC address and map it to a specific VN, leveraging ISE's policy sets and authorization profiles. This directly automates the VN assignment without requiring changes to fabric underlay or overlay configurations.

Exam trap

Cisco often tests the distinction between fabric provisioning tools (DNA Center) and policy enforcement tools (ISE), so the trap here is assuming that DNA Center's REST API can directly manage endpoint-to-VN mappings, when in fact ISE is the correct tool for identity-based VN assignment in SD-Access.

How to eliminate wrong answers

Option B is wrong because Ansible with ios_config is used to automate CLI commands on network devices (e.g., switches, routers), but it cannot directly manage endpoint-to-VN mappings in SD-Access, which are handled by ISE's policy engine. Option C is wrong because Cisco DNA Center REST API is used for fabric provisioning, intent-based automation, and assurance, but it does not provide a direct API for mapping a specific MAC address to a VN; that mapping is enforced by ISE via policy. Option D is wrong because Cisco APIC-EM is a deprecated controller (replaced by DNA Center) and its REST API does not support SD-Access VN assignment for endpoints; it was designed for traditional network automation and APIC-EM is no longer a current product.

16
Multi-Select, easy

Which TWO of the following are examples of application layer protocols?

Select 2 answers
A. HTTP
B. IP
C. FTP
D. TCP
E. ARP
Answers: A, C

HTTP is an application layer protocol used for web traffic.

Why this answer

HTTP (Hypertext Transfer Protocol) operates at the application layer (Layer 7) of the OSI model, enabling web browsers and servers to exchange hypertext documents. It defines how requests and responses are formatted and transmitted, relying on lower-layer protocols like TCP for reliable delivery.

Exam trap

Cisco often tests the distinction between transport layer protocols (TCP/UDP) and application layer protocols, trapping candidates who confuse TCP's role in reliable delivery with application-specific functions like HTTP or FTP.

17
MCQ, medium

A DevOps team is using Cisco NSO to manage network devices. They want to ensure that the configuration is compliant with corporate standards. Which NSO feature should they use?

A. Configuration Snapshots
B. NETCONF notifications
C. Configuration Database (CDB) rollback
D. Service reconciliation using FastMap
Answer: D

FastMap reconciles device config with service model to ensure compliance.

Why this answer

Service reconciliation using FastMap is the correct NSO feature for ensuring configuration compliance with corporate standards because it detects and corrects deviations between the intended service model (defined in YANG) and the actual device configuration. FastMap performs a diff and re-applies the service logic to bring the device back into compliance, making it ideal for continuous compliance enforcement.

Exam trap

Cisco often tests the distinction between passive monitoring features (snapshots, notifications, rollback) and active remediation (FastMap), leading candidates to pick a feature that only detects drift rather than one that corrects it.

How to eliminate wrong answers

Option A is wrong because Configuration Snapshots are point-in-time backups of device configurations used for auditing or comparison, not for active compliance enforcement or remediation. Option B is wrong because NETCONF notifications are asynchronous event messages (e.g., YANG-push or syslog) that alert on state changes but do not enforce or correct configuration compliance. Option C is wrong because CDB rollback reverts the NSO configuration database to a previous transaction, which can undo changes but does not proactively ensure ongoing compliance with corporate standards.

18
MCQ, easy

A network automation engineer is writing a Python script to interact with the Cisco Meraki Dashboard API. The script currently makes GET requests to retrieve a list of networks and then makes subsequent requests for each network to get device details. However, the script is slow due to network latency. The engineer wants to improve performance without changing the API's functionality. Which approach best addresses the performance issue?

A. Wrap all API calls in a single transaction.
B. Increase the timeout value in each request.
C. Use parallel requests with asyncio for concurrent API calls.
D. Use a POST request instead of GET to combine both operations.
Answer: C

A is correct because concurrency allows multiple requests to run simultaneously, significantly reducing wait time for I/O-bound tasks.

Why this answer

The correct answer is A: Use parallel requests with asyncio for concurrent API calls. This reduces total time by overlapping I/O operations. B (increasing timeout) doesn't speed up the requests; it only prevents early failures.

C (wrapping in a single transaction) is not applicable to REST APIs. D (using POST instead of GET) doesn't improve performance and may violate API design principles.

19
MCQ, easy

When designing a REST API client for a Cisco DNA Center deployment, which authentication method should be used to obtain a token for subsequent API calls?

A. OAuth 2.0 client credentials grant.
B. API key in the request header.
C. HTTP Basic authentication to obtain a token.
D. Client certificate in the request.
Answer: C

Correct method: POST with basic auth to get token.

Why this answer

Cisco DNA Center uses HTTP Basic authentication to obtain a token. The client sends a POST request to the /dna/system/api/v1/auth/token endpoint with a Base64-encoded string of the username and password in the Authorization header. The server returns a token that must be included in subsequent API calls via the X-Auth-Token header.

Exam trap

Cisco often tests the specific authentication flow for DNA Center, and the trap here is that candidates confuse the token-based approach with OAuth 2.0 or API keys, which are used by other Cisco platforms like Meraki or Webex.

How to eliminate wrong answers

Option A is wrong because OAuth 2.0 client credentials grant is not supported by Cisco DNA Center; it uses a simpler token-based authentication flow. Option B is wrong because an API key in the request header is not the method used to obtain a token; DNA Center requires username/password authentication to generate a token. Option D is wrong because client certificate authentication is not the standard method for obtaining a token in DNA Center; it relies on HTTP Basic authentication for token generation.

20
Multi-Select, medium

Which three configuration management tools can be used with Cisco devices for automation? (Choose three.)

Select 3 answers
A. Nagios
B. SaltStack
C. Puppet
D. Chef
E. Ansible
Answers: C, D, E

Puppet supports Cisco devices via agents.

Why this answer

Puppet is a configuration management tool that uses a declarative language to define system state. It can manage Cisco devices via the cisco_ios module, which uses SSH or NX-API to apply configurations, making it suitable for network automation.

Exam trap

Cisco often tests the distinction between monitoring tools (such as Nagios) and configuration management tools. Candidates may also mistake SaltStack for a primary Cisco automation tool because of its general-purpose nature, but it lacks the dedicated Cisco ecosystem support of Puppet, Chef, and Ansible.

21
MCQmedium

A network administrator is configuring OSPF on a router and wants to ensure that routes from area 0 are propagated to area 1, but area 1 should not see specific inter-area routes. Which OSPF feature should be used?

A.NSSA
B.Totally stubby area
C.Virtual-link
D.Stub area
AnswerD

Blocks type 5 LSAs, provides a default route.

Why this answer

Option D is correct because a stub area blocks Type 5 LSAs (external routes) from entering the area, while still allowing inter-area routes (Type 3 LSAs) to be propagated. This meets the requirement of propagating routes from area 0 to area 1 but preventing specific inter-area routes from being seen, as stub areas do not filter Type 3 LSAs entirely—they only block external routes. The question's phrasing 'should not see specific inter-area routes' is ambiguous, but in standard OSPF terminology, a stub area is the correct feature to limit route visibility while maintaining connectivity to the backbone.

Exam trap

The trap here is that candidates confuse 'stub area' with 'totally stubby area'—the question says 'should not see specific inter-area routes,' which might imply blocking all inter-area routes, but a stub area only blocks external routes, not inter-area routes, and the correct answer is the one that matches the standard OSPF behavior for limiting route visibility without completely isolating the area.

How to eliminate wrong answers

Option A is wrong because an NSSA (Not-So-Stubby Area) allows Type 7 LSAs for external routes from within the area and translates them to Type 5 LSAs, which does not block inter-area routes; it is designed for areas that need to import external routes while still blocking some Type 5 LSAs. Option B is wrong because a totally stubby area blocks both Type 5 LSAs and Type 3 LSAs (inter-area routes), leaving only a default route, which would prevent area 1 from seeing any inter-area routes, not just specific ones. Option C is wrong because a virtual-link is used to connect a non-backbone area to area 0 through a transit area when a direct physical connection is missing; it does not filter routes.

22
MCQeasy

A developer is writing a Python script that uses the Cisco Catalyst Center (formerly DNA Center) API to get the list of sites. The API returns a response with a 'response' key containing a list of sites. The developer wants to access the 'response' field from the JSON response. Which code snippet correctly extracts the list?

A.sites = list(response)
B.sites = response['response']
C.sites = response[0]
D.sites = response.get('response')
AnswerB

Correct: Accessing the key 'response' returns the list.

Why this answer

Option B is correct because the Cisco Catalyst Center API returns a JSON response where the list of sites is nested under the 'response' key. Using dictionary-style indexing with `response['response']` directly retrieves that list, which is the standard way to access a known key in a Python dictionary parsed from JSON.

Exam trap

Cisco often tests whether candidates understand that API responses are parsed into dictionaries, not lists, and that the 'response' key is a nested structure; the trap here is confusing the outer dictionary with the inner list, leading candidates to pick `response[0]` or `list(response)`.

How to eliminate wrong answers

Option A is wrong because `list(response)` converts the dictionary's keys into a list rather than extracting the 'response' field. Option C is wrong because `response[0]` attempts to index the dictionary as if it were a list, which raises a KeyError or TypeError since dictionaries are not sequence types. Option D is wrong only in the exam's framing: `response.get('response')` also returns the list and is the safer call when the key might be absent, but the question expects the direct indexing form, which is the snippet marked correct.

23
MCQeasy

A developer is writing a Python script to interact with the Cisco DNA Center REST API. Which HTTP method should be used to retrieve a list of network devices?

A.GET
B.PUT
C.POST
D.DELETE
AnswerA

GET is the standard method for retrieving data from a REST API.

Why this answer

GET is the correct HTTP method for retrieving resources. POST is used for creating, PUT for updating, DELETE for deleting.

24
MCQeasy

A developer needs to retrieve a list of all networks in a Meraki organization using the Dashboard API. Which API call should be made?

A.GET /organizations/{organizationId}/networks
B.GET /organizations/{organizationId}/networks
C.GET /networks
D.GET /organizations/{organizationId}/networks/{networkId}
AnswerB

This endpoint returns a list of all networks in the organization.

Why this answer

The correct API call to retrieve a list of all networks in a Meraki organization is GET /organizations/{organizationId}/networks. This endpoint returns an array of network objects associated with the specified organization, as documented in the Meraki Dashboard API. The path includes the organization ID to scope the request, and the response contains details such as network name, ID, and product types.

Exam trap

Cisco often tests the distinction between list and single-resource endpoints, so the trap here is confusing GET /organizations/{organizationId}/networks (list all networks) with GET /organizations/{organizationId}/networks/{networkId} (get one network), or assuming a root-level /networks endpoint exists without the required organization scope.

How to eliminate wrong answers

Option A is wrong because it is identical to the correct answer (B) but not marked as correct in the question; however, in practice, both A and B represent the same endpoint, so the distinction is artificial. Option C is wrong because GET /networks is not a valid Meraki Dashboard API endpoint; the API requires the organization ID in the path to identify the scope. Option D is wrong because GET /organizations/{organizationId}/networks/{networkId} retrieves a single specific network, not a list of all networks.

25
MCQhard

A network engineer uses Ansible to apply a standard ACL to multiple routers. The playbook runs without errors, but the ACL is not applied on some routers. Upon checking, those routers have a different configuration revision due to a previous manual change. What is the best practice to ensure consistent application?

A.Use the 'replace' parameter to overwrite the entire config
B.Use the ansible_network_os variable correctly
C.Use the 'backup' option in ios_config
D.Use the 'ignore_errors' directive
AnswerA

The replace parameter forces the device to replace its running config with the provided config, ensuring consistency.

Why this answer

Option A is correct because the 'replace' parameter in Ansible's ios_config module forces a full configuration replacement on the target device, overwriting the entire running configuration with the intended configuration. This ensures that any prior manual changes or configuration revisions are eliminated, guaranteeing consistent ACL application across all routers regardless of their current state.

Exam trap

The trap here is that candidates often confuse 'replace' with 'backup' or think that setting the correct network OS variable is sufficient to handle configuration conflicts, but Cisco tests the understanding that only a full configuration replacement guarantees consistency when devices have divergent configuration revisions.

How to eliminate wrong answers

Option B is wrong because the 'ansible_network_os' variable is used to specify the network OS type (e.g., ios, nxos) for connection and module selection, not to handle configuration revision mismatches or ensure consistent ACL application. Option C is wrong because the 'backup' option in ios_config creates a backup of the current configuration before making changes, but it does not resolve conflicts caused by different configuration revisions; it only provides a rollback point. Option D is wrong because the 'ignore_errors' directive tells Ansible to continue execution even if a task fails, which would mask the failure of ACL application on some routers rather than fixing the underlying revision mismatch.

26
Matchingmedium

Match each HTTP status code to its meaning.


Concepts
Matches

OK

Created

Unauthorized

Forbidden

Not Found

Why these pairings

Common HTTP status codes for REST APIs.

27
MCQmedium

A security team wants to ensure that only signed Docker images are deployed in production. Which CI/CD pipeline step validates the image signature before deployment?

A.Use Docker Content Trust with Notary to verify signatures.
B.Compare the image SHA with a known good hash.
C.Run a vulnerability scan on the image.
D.Check the image size on registry.
AnswerA

Standard mechanism for image signing and verification.

Why this answer

Docker Content Trust (DCT) integrates with Notary to provide a framework for signing and verifying Docker images. When DCT is enabled in the CI/CD pipeline, the Docker client verifies the image's signature against a trusted signing key before allowing the image to be pulled or deployed, ensuring only images signed by authorized parties are used in production.

Exam trap

The trap here is that candidates confuse integrity verification (hash comparison) with authenticity verification (digital signatures), assuming a simple SHA check provides the same security as a full PKI-based signing scheme like Docker Content Trust.

How to eliminate wrong answers

Option B is wrong because comparing the image SHA with a known good hash only verifies integrity (that the image hasn't been tampered with during transit), not authenticity (that the image was signed by a trusted publisher). Option C is wrong because a vulnerability scan checks for known security flaws in the image's packages, but does not validate any cryptographic signature or provenance. Option D is wrong because checking the image size on the registry is a trivial metadata check that provides no security assurance about the image's origin or integrity.

28
MCQeasy

A developer is trying to access an internal corporate web API at http://api.internal.company.com from their workstation, which has the IP configuration: IP address 192.168.1.100, subnet mask 255.255.255.0, default gateway 192.168.1.1, and DNS server 192.168.1.2. The developer can ping the DNS server (192.168.1.2) successfully, but when they try to curl the API endpoint, the command times out. The developer also confirms that the API server is up and reachable from other devices on the same subnet. Which action should the developer take to resolve this issue?

A.Disable the local firewall on the workstation to allow all outbound traffic.
B.Renew the DHCP lease to obtain a new IP address.
C.Restart the network interface card (NIC) to reset the connection.
D.Check the default gateway configuration. Ensure it is set to 192.168.1.1 and that the gateway can route traffic to the API's subnet.
AnswerD

The default gateway is likely missing or misconfigured, preventing traffic to the API subnet. Verifying its setting and reachability resolves the issue.

Why this answer

The workstation can ping the DNS server at 192.168.1.2, which is on its own 192.168.1.0/24 subnet, so that exchange never involves the default gateway; it proves only that the local interface and subnet are working. Reaching an API server on another subnet does require the default gateway, and a missing or misconfigured gateway produces exactly the symptom seen here: hosts on the local subnet respond, while traffic to the API times out. Other devices reaching the API confirm that the server and its subnet are healthy, which points back at this workstation's path off its subnet. Name resolution is an unlikely cause, because a failed lookup makes curl report that the host could not be resolved rather than time out.

The correct action is therefore to verify that the default gateway is set to 192.168.1.1 and that it can route traffic to the API's subnet. The distractors (restarting the NIC, renewing the DHCP lease, disabling the local firewall) do not address the gateway configuration.
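
The forwarding decision behind answer D, as an added example that is not part of the question bank: the standard-library ipaddress module decides whether each destination is on-link or needs the gateway, and shows why the DNS ping succeeds for every gateway setting while the API call depends on it. The host, mask, gateway and DNS addresses are the question's; the API server address is constructed.

```python
import ipaddress
from typing import Dict, Optional


def next_hop(host_ip: str, netmask: str, gateway: Optional[str], dst_ip: str) -> str:
    """Decide how a host forwards traffic to dst_ip.

    Returns 'on-link' when the destination shares the host's subnet (ARP directly,
    the default gateway is never consulted), 'via <gateway>' when the gateway is
    usable, or an 'unreachable: ...' diagnosis when it is missing or off-subnet."""
    local_net = ipaddress.ip_interface(f"{host_ip}/{netmask}").network
    if ipaddress.ip_address(dst_ip) in local_net:
        return "on-link"
    if gateway is None:
        return "unreachable: no default gateway configured"
    if ipaddress.ip_address(gateway) not in local_net:
        return f"unreachable: gateway {gateway} is not on the local subnet {local_net}"
    return f"via {gateway}"


# Values from the question; the API server address is constructed for illustration.
HOST_IP, NETMASK, DNS_IP = "192.168.1.100", "255.255.255.0", "192.168.1.2"
API_IP = "10.20.30.40"   # constructed: an address outside 192.168.1.0/24


def explain_symptoms(gateway: Optional[str]) -> Dict[str, str]:
    """Reproduce the troubleshooting picture for a given gateway setting:
    the DNS ping and the curl to the API take different paths."""
    return {
        "ping dns": next_hop(HOST_IP, NETMASK, gateway, DNS_IP),
        "curl api": next_hop(HOST_IP, NETMASK, gateway, API_IP),
    }


if __name__ == "__main__":
    for gw in (None, "192.168.2.1", "192.168.1.1"):
        print(gw, explain_symptoms(gw))
```

If the API server were itself inside 192.168.1.0/24, next_hop would report on-link and the gateway could not be the cause, which is the one scenario the question's wording leaves open.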

29
Multi-Selecthard

Which TWO of the following features are provided by Cisco DNA Center but NOT by Cisco Prime Infrastructure? (Choose two.)

Select 2 answers
A.Configuration compliance auditing
B.Software image management
C.Machine learning-based assurance analytics
D.Policy-based automation for SD-Access
E.Network Hierarchy and Site Management
AnswersC, D

DNA Center uses AI/ML for assurance; Prime does not.

Why this answer

Machine learning-based assurance analytics is a feature exclusive to Cisco DNA Center, which uses advanced telemetry and ML algorithms to proactively detect anomalies, predict network issues, and provide closed-loop assurance. Cisco Prime Infrastructure relies on traditional polling and threshold-based monitoring, lacking the predictive and adaptive analytics capabilities that DNA Center's Assurance engine offers.

Exam trap

Cisco often tests the misconception that Prime Infrastructure and DNA Center share all core management features, but the key differentiator is DNA Center's intent-based networking capabilities, including policy-based automation for SD-Access and ML-driven assurance, which are not present in Prime Infrastructure.

30
MCQhard

You are a network engineer at a financial services company. The network uses OSPF as the IGP, and all routers are in area 0. The core network consists of four routers (R1, R2, R3, R4) connected in a full mesh with GigabitEthernet links. The OSPF cost is set to 1 on all interfaces. Recently, a new application was deployed that requires low jitter and deterministic paths between two servers: Server A connected to R1 and Server B connected to R4. During peak hours, you notice that traffic between the servers is using the path R1->R3->R4 instead of R1->R2->R4, causing higher latency due to congestion on R3. OSPF metrics reflect equal cost to both paths (cost 2 each). You need to enforce that traffic from Server A to Server B always uses the path through R2 without changing the topology or adding additional hardware. Which action should you take?

A.Change the routing protocol from OSPF to EIGRP to have better metric control.
B.Use the 'default-information originate' command on R2 to attract traffic.
C.Configure policy-based routing (PBR) on R1 to send traffic destined to Server B's subnet to the next-hop R2.
D.Increase the OSPF cost on the interface between R1 and R3 to a value higher than the cost of the path through R2.
AnswerD

Increasing the cost on R1-R3 makes R1-R2-R4 the lower total-cost path (2 versus, for example, 1+10=11 if the R1-R3 interface cost is raised to 10).

Why this answer

Option D is correct because increasing the OSPF cost on the R1-R3 interface makes the path through R3 less preferred (cost >2), while the R1-R2-R4 path retains a total cost of 2. OSPF uses cost as its metric, and the lowest-cost path is installed in the routing table. By raising the cost on the R1-R3 link, you force traffic from Server A to Server B to take the deterministic path through R2 without changing the topology or adding hardware.

Exam trap

Cisco often tests the misconception that PBR is required for path control when OSPF metrics can be easily tuned, leading candidates to overlook the simpler and more appropriate solution of adjusting interface cost.

How to eliminate wrong answers

Option A is wrong because changing the routing protocol from OSPF to EIGRP is unnecessary and disruptive; OSPF already supports cost manipulation to influence path selection, and the question explicitly requires no topology or hardware changes. Option B is wrong because the 'default-information originate' command injects a default route into OSPF, which does not influence specific host or subnet routing between Server A and Server B; it would only affect traffic destined to networks not in the OSPF database. Option C is wrong because policy-based routing (PBR) can override the routing table, but it adds complexity and administrative overhead; the simpler and more standard approach is to adjust OSPF metrics, which directly influences the SPF calculation and is the intended method for traffic engineering in OSPF.

31
MCQeasy

You are a junior network developer tasked with automating device inventory retrieval using the Cisco Meraki Dashboard API. You have already generated an API key with the appropriate scopes and have tested it successfully with simple GET requests. However, when you attempt to retrieve the list of all devices in your organization via the 'GET /organizations/{organizationId}/devices' endpoint, you receive a 403 Forbidden error. You verify that the API key is correctly included in the request header as 'X-Cisco-Meraki-API-Key'. You also confirm that the organization ID is correct. You are able to reach the Meraki Dashboard API server from your environment, as other endpoints (e.g., 'GET /organizations') work fine. What is the most likely cause of the 403 error, and what should you do to resolve it?

A.The network firewall is blocking the request; check firewall logs and allow outbound traffic to the Meraki API.
B.The API key lacks the required permissions; regenerate the API key with full read access for devices.
C.The request should use POST instead of GET; change the HTTP method to POST to retrieve device data.
D.The API endpoint URL is incorrect; verify the exact path and version in the API documentation.
AnswerB

Correct. The 403 indicates insufficient permissions for the specific endpoint, despite the key being valid for other endpoints.

Why this answer

A 403 Forbidden error specifically indicates that the server understood the request but refuses to authorize it. Since other endpoints like 'GET /organizations' work, network connectivity and API key validity are confirmed. The most likely cause is that the API key lacks the required scope or permission to access the 'GET /organizations/{organizationId}/devices' endpoint.

Regenerating the API key with full read access (including device inventory) resolves this, as Meraki API keys are scoped at creation time and cannot be modified after generation.

Exam trap

Cisco often tests the distinction between authentication (401) and authorization (403) errors, where a 403 means the key is valid but lacks permissions, tricking candidates into blaming network issues or incorrect endpoints.

How to eliminate wrong answers

Option A is wrong because a network firewall blocking the request would typically result in a timeout or connection error (e.g., 0 bytes received), not a 403 Forbidden HTTP response from the server. Option C is wrong because the Meraki Dashboard API uses GET for retrieving data (as per RESTful conventions), and POST is used for creating resources; changing the method would return a 405 Method Not Allowed or 404, not a 403. Option D is wrong because the endpoint URL is verified correct (the organization ID is confirmed, and other endpoints work), and a wrong URL would produce a 404 Not Found, not a 403 Forbidden.

32
MCQmedium

A developer is working on a Python application that automates the configuration of multiple Cisco IOS-XE devices using RESTCONF. The application uses the requests library. The developer notices that sometimes the PUT request to update the interface description returns a 409 Conflict error. Upon investigation, the developer finds that the issue occurs when two instances of the application are running concurrently and attempt to update the same interface. The developer wants to implement a strategy to avoid conflicts. Which approach is most effective?

A.Implement a retry mechanism with exponential backoff and random jitter
B.Use a distributed lock mechanism to ensure exclusive access
C.Change the PUT to PATCH and hope for partial updates
D.Use a timestamp in the request to force overwrite
AnswerB

A lock guarantees that only one instance modifies the resource at a time, eliminating conflicts.

Why this answer

A 409 Conflict indicates that the resource was modified by another request. A distributed lock ensures exclusive access, preventing concurrent updates. Option A (retry with backoff) might eventually succeed but does not prevent conflicts and could increase server load.

Option C (PATCH) does not solve the underlying concurrency issue. Option D (timestamp force overwrite) is not standard with RESTCONF and could lead to data loss.

33
MCQmedium

During a security audit, an engineer discovers that a CI/CD pipeline is storing API keys in plain text in environment variables. Which best practice should be implemented to mitigate this risk?

A.Store secrets in a .env file and add it to the repository with restricted access.
B.Encrypt the environment variables using a tool like openssl and store the key elsewhere.
C.Use a dedicated secrets management service like HashiCorp Vault or AWS Secrets Manager and retrieve secrets at runtime.
D.Remove the API keys from the pipeline and require manual entry each time a build runs.
AnswerC

Secrets managers provide secure storage, rotation, and audit capabilities, preventing exposure in plaintext.

Why this answer

Option C is correct because dedicated secrets management services like HashiCorp Vault or AWS Secrets Manager provide secure storage, access control, and audit logging for sensitive data. They allow the CI/CD pipeline to retrieve API keys at runtime via authenticated API calls, ensuring secrets are never stored in plain text in environment variables or configuration files. This approach aligns with the principle of least privilege and eliminates the risk of exposure through source code or build logs.

Exam trap

Cisco often tests the misconception that encrypting secrets or storing them in a restricted repository is sufficient, when the correct answer is always to use a dedicated secrets management service that retrieves secrets at runtime, avoiding any persistent storage of sensitive data in the pipeline.

How to eliminate wrong answers

Option A is wrong because storing secrets in a .env file and adding it to the repository, even with restricted access, still embeds the secrets in version control history and exposes them to anyone with repository access, violating the principle of never storing secrets in code. Option B is wrong because encrypting environment variables with openssl and storing the key elsewhere introduces key management complexity and does not prevent the encrypted value from being exposed in logs or environment dumps; the decryption key must still be securely managed, which is often mishandled. Option D is wrong because requiring manual entry of API keys each time a build runs is impractical for automated CI/CD pipelines, introduces human error, and defeats the purpose of continuous integration and deployment.

34
Matchingmedium

Match each Python library to its typical use in network automation.


Concepts
Matches

HTTP library for REST API calls

SSH protocol implementation

NETCONF client for network devices

Validate JSON data structures

Parse and emit YAML files

Why these pairings

Common Python libraries used in network automation.

35
MCQhard

A network automation script uses RESTCONF to configure a router. The script receives an HTTP 409 Conflict response. What is the most likely cause?

A.The resource already exists
B.The router is unreachable
C.The request body is malformed
D.Incorrect authentication
AnswerA

A 409 Conflict typically occurs when trying to create a resource that already exists.

Why this answer

RESTCONF uses HTTP status codes to indicate the result of an operation. An HTTP 409 Conflict specifically means the request could not be completed due to a conflict with the current state of the resource. In the context of a network automation script using RESTCONF to configure a router, this most commonly occurs when the script attempts to create a resource (e.g., an interface or VLAN) that already exists, violating the resource's uniqueness constraint.

Exam trap

Cisco often tests the distinction between HTTP 409 Conflict (resource state conflict) and HTTP 400 Bad Request (malformed syntax), leading candidates to confuse a semantic conflict with a syntax error.

How to eliminate wrong answers

Option B is wrong because a router being unreachable would result in a connection timeout or an HTTP 503 Service Unavailable or 502 Bad Gateway error, not a 409 Conflict. Option C is wrong because a malformed request body would typically trigger an HTTP 400 Bad Request error, indicating the server cannot parse the request. Option D is wrong because incorrect authentication would result in an HTTP 401 Unauthorized or 403 Forbidden response, not a 409 Conflict.

36
Multi-Selectmedium

Which TWO statements about REST API design best practices are true? (Choose two.)

Select 2 answers
A.Avoid API versioning to keep the API simple
B.Include the HTTP method in the URI path, e.g., /getDevices
C.Always use file-based transfer for large payloads
D.Use nouns for resource endpoints, e.g., /devices instead of /getDevices
E.Use HTTP methods appropriately: GET for retrieval, POST for creation, etc.
AnswersD, E

Correct: Nouns represent resources.

Why this answer

Option D is correct because RESTful APIs use nouns to represent resources (e.g., /devices) rather than verbs (e.g., /getDevices). This aligns with the uniform interface constraint of REST, where the HTTP method (GET, POST, etc.) defines the action, and the URI identifies the resource. Using nouns keeps the API intuitive, consistent, and scalable.

Exam trap

Cisco often tests the misconception that verbs in URIs (like /getDevices) are acceptable, when in fact REST mandates nouns for resources and HTTP methods for actions, and that avoiding versioning is a shortcut that breaks backward compatibility.

37
Multi-Selectmedium

An application is secured using OAuth 2.0 for Cisco Webex API access. Which three components are involved in the authorization code grant flow? (Choose three.)

Select 3 answers
A.Client Secret
B.Client ID
C.Authorization Code
D.Refresh Token
E.API Key
AnswersA, B, C

Client Secret authenticates the application.

Why this answer

The authorization code grant flow in OAuth 2.0 requires the client to present its Client ID and Client Secret to authenticate itself to the authorization server. The flow begins by requesting an authorization code, which is then exchanged for an access token. The three components explicitly involved in this exchange are the Client Secret (A), Client ID (B), and Authorization Code (C).

Exam trap

Cisco often tests the distinction between the components used in the initial authorization code grant flow versus those used in subsequent token refresh, causing candidates to incorrectly include the Refresh Token as a required component of the initial flow.
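
The three messages a client builds in the authorization code grant, as an added example that is not part of the question bank or the Webex SDK: the front-channel authorize URL (Client ID only, plus an anti-CSRF state value), the callback carrying the Authorization Code, and the back-channel token request (the only message carrying the Client Secret); a separate refresh request shows why the Refresh Token is not part of the initial flow. The Webex endpoint URLs are assumed and all credential values are constructed.

```python
import secrets
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlparse

# Webex OAuth endpoints (assumed here; confirm against the current Webex developer docs).
AUTHORIZE_URL = "https://webexapis.com/v1/authorize"
TOKEN_URL = "https://webexapis.com/v1/access_token"


def build_authorize_url(client_id: str, redirect_uri: str, scopes: List[str],
                        state: Optional[str] = None) -> Tuple[str, str]:
    """Step 1 (front channel): send the user's browser to the authorization server.
    Only the Client ID appears here; the secret must never reach the browser.
    'state' is a random value the client stores and later compares to defeat CSRF."""
    state = state or secrets.token_urlsafe(16)
    params = {"client_id": client_id, "response_type": "code",
              "redirect_uri": redirect_uri, "scope": " ".join(scopes), "state": state}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Step 2: the server redirects back with ?code=...&state=...; validate state,
    surface any error, and extract the short-lived Authorization Code."""
    query = parse_qs(urlparse(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in query:
        raise RuntimeError(f"authorization denied: {query['error'][0]}")
    try:
        return query["code"][0]
    except KeyError:
        raise ValueError("callback carried no authorization code") from None


def build_token_request(client_id: str, client_secret: str, code: str,
                        redirect_uri: str) -> Dict[str, object]:
    """Step 3 (back channel): exchange the code for tokens. This is the only message
    that carries the Client Secret, together with the Client ID and the code."""
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": {"grant_type": "authorization_code", "client_id": client_id,
                 "client_secret": client_secret, "code": code,
                 "redirect_uri": redirect_uri},
    }


def build_refresh_request(client_id: str, client_secret: str,
                          refresh_token: str) -> Dict[str, object]:
    """Later: the Refresh Token is used in its own grant, not in the initial flow."""
    return {
        "method": "POST",
        "url": TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": {"grant_type": "refresh_token", "client_id": client_id,
                 "client_secret": client_secret, "refresh_token": refresh_token},
    }
```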

38
MCQmedium

An engineer is designing a CI/CD pipeline for a Python application. The pipeline should automatically run unit tests, build a Docker image, push it to a private registry, and deploy to a Kubernetes cluster. Which sequence of stages is correct?

A.Build -> Test -> Push -> Deploy
B.Test -> Push -> Deploy
C.Test -> Deploy -> Build -> Push
D.Test -> Build -> Push -> Deploy
AnswerD

Tests run first; if they pass, the image is built, pushed to registry, then deployed.

Why this answer

Option D is correct because a CI/CD pipeline for a Python application must first run unit tests to validate code quality, then build the Docker image from the tested code, push the image to a private registry, and finally deploy to Kubernetes. This sequence ensures that only tested and built artifacts are deployed, preventing deployment of broken or untested code.

Exam trap

Cisco often tests the logical order of CI/CD stages, and the trap here is that candidates may think building before testing is acceptable, but the pipeline must validate code before creating artifacts to avoid deploying untested code.

How to eliminate wrong answers

Option A is wrong because it places Build before Test, which would build a Docker image from untested code, risking deployment of a broken image. Option B is wrong because it omits the Build stage entirely, meaning no Docker image is created before pushing to the registry, which is impossible. Option C is wrong because it attempts to Deploy before Build and Push, which would fail since no image exists in the registry to deploy to Kubernetes.

39
Multi-Selectmedium

Which THREE of the following are common tools used in a CI/CD pipeline for network automation? (Choose three.)

Select 3 answers
A.Jenkins
B.Git
C.Ansible
D.VMware vSphere
E.Docker
AnswersA, B, C

Jenkins is a popular CI/CD automation server.

Why this answer

Jenkins automates CI/CD, Git provides version control, and Ansible automates network configuration. Docker and VMware are more about containers and virtualization, not core pipeline tools.

40
Multi-Selectmedium

Which TWO statements are true about VXLAN? (Choose two.)

Select 2 answers
A.VXLAN requires MPLS in the underlay
B.VXLAN encapsulates Ethernet frames in UDP packets
C.VXLAN uses IP-in-IP encapsulation
D.VXLAN operates at Layer 2 only
E.VXLAN supports up to 16 million logical networks
AnswersB, E

VXLAN uses UDP encapsulation.

Why this answer

Option B is correct because VXLAN (Virtual Extensible LAN) encapsulates the original Layer 2 Ethernet frame inside a UDP packet (typically UDP destination port 4789). This allows the Layer 2 frame to be transported over a Layer 3 IP network, enabling network virtualization and overlay networking without requiring changes to the physical underlay.

Exam trap

Cisco often tests the misconception that VXLAN is a pure Layer 2 technology, but the trap here is that VXLAN encapsulates Layer 2 frames into Layer 3 UDP packets, making it a Layer 2 overlay over a Layer 3 underlay.
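
The encapsulation described above, as an added example that is not part of the question bank: pack and parse the 8-byte VXLAN header from RFC 7348 to show where the 24-bit VNI (hence 2^24, about 16 million, segments) sits and how a receiving VTEP checks UDP port 4789 before stripping it. The inner Ethernet frame is constructed.

```python
import struct
from typing import Tuple

VXLAN_UDP_PORT = 4789            # IANA-assigned destination port cited in the explanation
VNI_BITS = 24
VNI_MAX = (1 << VNI_BITS) - 1    # 16,777,215; 2**24 = 16,777,216 distinct segments
FLAG_VNI_VALID = 0x08            # the "I" bit: VNI field is valid
HEADER_FMT = "!B3sI"             # flags(1) | reserved(3) | VNI(3)+reserved(1), network order
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 8 bytes


def pack_vxlan_header(vni: int) -> bytes:
    """Build the 8-byte header; the VNI occupies the upper 24 bits of the last word."""
    if not 0 <= vni <= VNI_MAX:
        raise ValueError(f"VNI {vni} outside 0..{VNI_MAX}")
    return struct.pack(HEADER_FMT, FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)


def parse_vxlan_header(data: bytes) -> int:
    """Return the VNI, rejecting truncated headers and headers without the I bit."""
    if len(data) < HEADER_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, vni_word = struct.unpack(HEADER_FMT, data[:HEADER_LEN])
    if not flags & FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_word >> 8


def encapsulate(vni: int, inner_frame: bytes) -> Tuple[int, bytes]:
    """Sending VTEP: (UDP destination port, VXLAN header + original Ethernet frame).
    The whole Layer 2 frame rides inside the UDP payload over the Layer 3 underlay."""
    return VXLAN_UDP_PORT, pack_vxlan_header(vni) + inner_frame


def decapsulate(udp_dst_port: int, udp_payload: bytes) -> Tuple[int, bytes]:
    """Receiving VTEP: check the port, strip the header, hand back (VNI, inner frame)."""
    if udp_dst_port != VXLAN_UDP_PORT:
        raise ValueError(f"UDP port {udp_dst_port} is not VXLAN")
    vni = parse_vxlan_header(udp_payload)
    return vni, udp_payload[HEADER_LEN:]


# Constructed inner Ethernet frame: broadcast dst MAC, locally administered src MAC,
# EtherType 0x0800 (IPv4), dummy payload.
SAMPLE_FRAME = bytes.fromhex("ffffffffffff" "0200deadbeef" "0800") + b"payload"
```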

41
Multi-Selecteasy

Which TWO Ansible modules are commonly used for automating Cisco IOS devices?

Select 2 answers
A.junos_config
B.nxos_command
C.ios_config
D.ios_command
E.eos_config
AnswersC, D

Manages Cisco IOS configuration.

Why this answer

The `ios_config` module is correct because it is specifically designed to manage Cisco IOS device configurations by sending configuration commands via SSH or Telnet, using the CLI to apply changes to the running or startup configuration. This module is part of Ansible's `cisco.ios` collection and directly supports the IOS operating system, making it the standard choice for automating configuration tasks on Cisco IOS devices.

Exam trap

Cisco often tests the candidate's ability to distinguish between device-specific Ansible modules (e.g., `ios_config` vs. `nxos_command`) rather than generic command modules, so the trap here is assuming that any 'command' module works across all Cisco platforms, when in fact each OS family (IOS, NX-OS, IOS-XR) has its own dedicated modules in the Ansible collections.

42
Multi-Selecthard

Which TWO of the following are valid ways to handle errors in a Python program that uses the Cisco Meraki API?

Select 2 answers
A.Checking the response body for an 'errors' key and handling accordingly
B.Checking the HTTP status code and raising an exception for 4xx and 5xx
C.Assuming the API always returns 200 and logging success
D.Retrying the request indefinitely until success
E.Using a try-except block around the API call and catching generic Exception
AnswersA, B

Many APIs, including Meraki, provide error details in the response body.

Why this answer

Options A and B are appropriate error-handling techniques: checking the HTTP status code lets the script raise on 4xx and 5xx responses, and reading the `errors` key that Meraki places in the JSON body turns a bare status code into an actionable message (which field was invalid, which resource was not found). Option C (assuming 200) ignores errors entirely.

Option D (indefinite retry) can loop forever and overload the API, and it keeps retrying client errors such as 400 or 404 that will never succeed. Option E (catching generic Exception) is too broad: it hides bugs in the script itself and gives no information about what the API rejected.
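
An added Python example, not from the original page and not Cisco's Meraki SDK, showing options A and B working together: the HTTP status decides whether the call failed and whether a retry makes sense, and the body's errors list supplies the detail. FakeResponse and the sample bodies are constructed stand-ins for what the requests library would return.

```python
import json
from collections import namedtuple
from typing import Optional

# Constructed stand-in for the object requests returns; only the attributes read below.
FakeResponse = namedtuple("FakeResponse", "status_code headers text")


class MerakiAPIError(Exception):
    """Carries the status code and the messages from the body's 'errors' list."""

    def __init__(self, status: int, errors: list, retry_after: Optional[float] = None):
        detail = "; ".join(errors) if errors else "no error detail in body"
        super().__init__(f"Meraki API returned HTTP {status}: {detail}")
        self.status = status
        self.errors = errors
        self.retry_after = retry_after


def extract_errors(body_text: str) -> list:
    """Meraki error bodies are JSON like {"errors": ["..."]}; tolerate anything else."""
    text = (body_text or "").strip()
    if not text:
        return []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError:
        return [text[:200]]          # keep a truncated non-JSON body (proxy/gateway pages) for logs
    if isinstance(doc, dict) and isinstance(doc.get("errors"), list):
        return [str(e) for e in doc["errors"]]
    return []


def is_retryable(status: int) -> bool:
    """Only throttling and server-side failures deserve a retry; other 4xx need a code fix."""
    return status == 429 or 500 <= status < 600


def check_response(response):
    """Return parsed JSON on success, raise MerakiAPIError with body detail otherwise."""
    status = response.status_code
    if 200 <= status < 300:
        return json.loads(response.text) if (response.text or "").strip() else None
    retry_after = None
    if status == 429:
        header = response.headers.get("Retry-After")
        retry_after = float(header) if header else None
    raise MerakiAPIError(status, extract_errors(response.text), retry_after)


def call_and_classify(response) -> dict:
    """Wrap check_response and report how a caller should react."""
    try:
        return {"ok": True, "data": check_response(response)}
    except MerakiAPIError as exc:
        return {"ok": False, "status": exc.status, "errors": exc.errors,
                "retryable": is_retryable(exc.status), "retry_after": exc.retry_after}


if __name__ == "__main__":
    samples = [   # constructed responses, shaped like Meraki's
        FakeResponse(200, {}, '[{"id": "N_1", "name": "Branch"}]'),
        FakeResponse(400, {}, '{"errors": ["Invalid SSID number"]}'),
        FakeResponse(429, {"Retry-After": "2"}, '{"errors": ["Too many requests"]}'),
        FakeResponse(502, {}, "<html>Bad Gateway</html>"),
    ]
    for sample in samples:
        print(sample.status_code, call_and_classify(sample))
```

The split matters in practice: a 400 with "Invalid SSID number" is a bug in the script and should fail the run loudly, while a 429 or 502 is transient and should be retried a bounded number of times; treating both the same, as a bare except would, loses that distinction.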

43
MCQhard

A developer is integrating with Cisco SD-WAN vManage using REST APIs. After successfully submitting credentials, the API returns a 401 Unauthorized error for subsequent requests. What is the most likely missing step?

A.The request URL must include an API key parameter.
B.The API call must use the HTTPS protocol.
C.The password must be sent in base64 encoding.
D.The session token (X-XSRF-TOKEN) must be obtained and included in subsequent requests.
AnswerD

This is required after initial authentication.

Why this answer

Cisco SD-WAN vManage uses a two-step login: the client first POSTs the username and password to /j_security_check, which on success sets a JSESSIONID session cookie, and then calls GET /dataservice/client/token to obtain the XSRF token bound to that session. Every later request must carry both the cookie and the token in an X-XSRF-TOKEN header; if the token is missing, vManage rejects the request (the question describes this as a 401 Unauthorized), because the token is what protects the session against cross-site request forgery.

Exam trap

Cisco often tests the distinction between session cookies and CSRF tokens, trapping candidates who assume that a successful login alone (cookie) is enough for all subsequent API calls.

How to eliminate wrong answers

Option A is wrong because vManage does not use an API key in the URL; it relies on the session cookie and the X-XSRF-TOKEN header. Option B is wrong because, while HTTPS is mandatory in practice, a plain-HTTP attempt would fail at the connection or be redirected rather than return a 401 after a successful login. Option C is wrong because vManage expects the credentials as form-encoded j_username and j_password fields posted to /j_security_check, not as base64; base64-encoded credentials are HTTP Basic Authentication, which vManage's session-based REST API does not use for login.
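
The two-step exchange above, as an added Python example that is not Cisco's code: VManageClient performs the login and token fetch against any requests-like session, and FakeVManage is a constructed stand-in for the server so the flow can be exercised offline, including the rejection a request gets when the token is missing. The hostname, user name and token values are invented.

```python
from typing import Optional

try:
    import requests          # the real transport; optional so the example also runs offline
except ImportError:
    requests = None


class VManageAuthError(Exception):
    pass


class VManageClient:
    """Two-step vManage login: JSESSIONID cookie, then X-XSRF-TOKEN on every later request."""

    def __init__(self, base_url: str, http=None, verify: bool = True):
        if http is None:
            if requests is None:
                raise RuntimeError("install requests or inject a session-like object")
            http = requests.Session()
        self.base_url = base_url.rstrip("/")
        self.http = http            # must offer post()/get()/headers like requests.Session
        self.verify = verify        # keep True in production: the login carries a password
        self.token: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        # Step 1: form-encoded credentials. On success the server sets JSESSIONID in the
        # cookie jar. On failure vManage still answers 200, but with the HTML login page,
        # so the body, not just the status code, has to be checked.
        resp = self.http.post(f"{self.base_url}/j_security_check",
                              data={"j_username": username, "j_password": password},
                              verify=self.verify)
        if resp.status_code != 200 or "<html" in (resp.text or "").lower():
            raise VManageAuthError("credentials rejected by j_security_check")
        # Step 2: fetch the XSRF token bound to this session and attach it as a default header.
        resp = self.http.get(f"{self.base_url}/dataservice/client/token", verify=self.verify)
        token = (resp.text or "").strip()
        if resp.status_code != 200 or not token:
            raise VManageAuthError("could not obtain X-XSRF-TOKEN")
        self.token = token
        self.http.headers["X-XSRF-TOKEN"] = token
        return token

    def get(self, path: str):
        """GET a dataservice path; the session cookie and token ride along automatically."""
        return self.http.get(f"{self.base_url}{path}", verify=self.verify)


# Constructed stand-in for a vManage server, used only so the example runs offline.
class _Resp:
    def __init__(self, status_code: int, text: str):
        self.status_code, self.text = status_code, text


class FakeVManage:
    VALID = {"j_username": "devnetuser", "j_password": "example-password"}   # invented

    def __init__(self):
        self.headers = {}        # default headers, as on requests.Session
        self.cookies = {}

    def post(self, url, data=None, **_):
        if url.endswith("/j_security_check") and data == self.VALID:
            self.cookies["JSESSIONID"] = "constructed-session-id"
            return _Resp(200, "")
        return _Resp(200, "<html><body>Login</body></html>")   # vManage's failure shape

    def get(self, url, **_):
        if "JSESSIONID" not in self.cookies:
            return _Resp(401, "")
        if url.endswith("/dataservice/client/token"):
            return _Resp(200, "constructed-xsrf-token")
        if self.headers.get("X-XSRF-TOKEN") != "constructed-xsrf-token":
            return _Resp(401, "")                    # token missing: the failure in the question
        return _Resp(200, '{"data": [{"host-name": "vedge-1"}]}')


if __name__ == "__main__":
    client = VManageClient("https://vmanage.example.net", http=FakeVManage())
    client.login("devnetuser", "example-password")
    print(client.get("/dataservice/device").status_code)
```

The body check after step 1 is the part scripts most often skip: a wrong password does not produce a 4xx here, so a client that only calls raise_for_status() proceeds to step 2 and fails there with a confusing message.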

44
MCQmedium

Refer to the exhibit. A developer needs to authenticate to this router via NETCONF using the devuser credentials. Why might authentication fail?

A.NETCONF requires AAA authentication
B.The devuser has privilege level 1, which is not enough for NETCONF access
C.The password is encrypted with type 5
D.The username does not have SSH access
AnswerB

Privilege level 1 is too low for NETCONF.

Why this answer

NETCONF access requires a minimum privilege level of 15 on Cisco IOS/IOS-XE devices. The devuser has privilege level 1, which restricts the user to basic monitoring commands and prevents NETCONF operations. Even with correct SSH and authentication, the privilege level mismatch causes the NETCONF session to be rejected.

Exam trap

Cisco often tests the misconception that any valid SSH user can use NETCONF, but the trap is that NETCONF requires privilege level 15 regardless of SSH access or authentication method.

How to eliminate wrong answers

Option A is wrong because NETCONF does not require AAA; local authentication with a username and password, as in the exhibit, is sufficient as long as the user has privilege 15. Option C is wrong because a type 5 secret is an MD5-based hash that the device accepts for local login; it does not cause the failure, although on current IOS XE a type 8 (PBKDF2-SHA-256) or type 9 (scrypt) secret is the recommended form. Option D is wrong because the exhibit shows the devuser configured for SSH access (the 'ssh' keyword is present in the username command), so SSH access is explicitly granted.

45
MCQhard

A large enterprise uses Cisco DNA Center to manage its campus network. The network team has automated wireless SSID provisioning using the Intent API. Recently, a new SSID was created but it does not appear on the wireless LAN controllers. The Python script that calls the API returns a 200 OK response, but the SSID is not deployed. The script uses the POST /dna/intent/api/v1/ssid endpoint with a JSON body containing the SSID name and security settings. A day later, the SSID is still missing. The engineer checks the DNA Center GUI and sees the SSID in the 'Design' section but with a 'Provisioning Failed' status. Which step should the engineer take next to resolve the issue?

A.Re-run the same API call and ignore the 200 response
B.Use the 'Provision' API endpoint to deploy the SSID to the targeted sites
C.Delete the SSID and recreate it with a different name
D.Wait for the next scheduled provisioning cycle
AnswerB

A separate provision step is required to push the SSID to controllers.

Why this answer

The 200 OK from POST /dna/intent/api/v1/ssid only confirms that DNA Center accepted the request and stored the SSID as a design object. Intent API write calls are asynchronous: the response carries an execution or task identifier that should be polled for its final status, and even a successful design step does not push anything to a wireless LAN controller. The 'Provisioning Failed' status in the GUI shows that the design exists but the separate provisioning workflow did not complete for the targeted sites.

To complete the deployment, the engineer must call the Intent API's wireless provisioning endpoint (POST /dna/intent/api/v1/wireless/provision) for the controllers and sites that should carry the SSID, then poll the returned task until it reports success. That provisioning call is the missing step.

Exam trap

Cisco often tests the distinction between design and provisioning phases in the Intent API, and the trap here is that candidates assume a 200 OK response means the configuration is fully deployed, when in reality it only confirms the design was accepted.

How to eliminate wrong answers

Option A is wrong because re-running the same API call will only recreate the design object and return another 200 OK, but it will not trigger deployment; the provisioning step is separate and required. Option C is wrong because deleting and recreating the SSID with a different name does not address the root cause—the design object already exists, and the failure is in the provisioning workflow, not the SSID name. Option D is wrong because DNA Center does not have a scheduled provisioning cycle; provisioning is an explicit action that must be initiated via the API or GUI, and waiting will not resolve the issue.

46
MCQhard

A developer is implementing a Cisco Intersight API solution to manage multiple UCS domains. They receive an HTTP 403 Forbidden response when trying to create an organization. What is the most likely issue?

A.The request body is malformed
B.The user account does not have sufficient privileges
C.The API key is invalid
D.The organization already exists
AnswerB

403 means the server understands the request but refuses to authorize it.

Why this answer

An HTTP 403 Forbidden response indicates that the server understood the request but is refusing to authorize it. In the context of Cisco Intersight, this typically means the API key or user account associated with the request lacks the required privileges to perform the action, such as creating an organization. Only accounts with administrative or appropriate role-based access control (RBAC) permissions can create organizations.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure) and 403 (authorization failure) to trap candidates who confuse invalid credentials with insufficient privileges.

How to eliminate wrong answers

Option A is wrong because a malformed request body would typically result in a 400 Bad Request error, not a 403 Forbidden. Option C is wrong because an invalid API key would result in a 401 Unauthorized error, indicating authentication failure rather than authorization failure. Option D is wrong because attempting to create an organization that already exists would result in a 409 Conflict error, not a 403 Forbidden.

47
Multi-Selecthard

Which two statements about the Cisco DevNet Sandbox are true?

Select 2 answers
A.Sandboxes cannot be used for learning APIs
B.Sandboxes require a paid subscription for basic access
C.Sandboxes can be reserved for a fixed time period
D.Sandboxes provide always-on access to a limited set of devices
E.Sandboxes only support Cisco IOS XE devices
AnswersC, D

Many sandboxes require reservation.

Why this answer

Option C is correct because Cisco DevNet Sandboxes can be reserved for a fixed window (hours to days, depending on the sandbox), giving the user exclusive access to a pre-configured lab environment for that period. The reservation model avoids contention, which matters when a test writes configuration. Option D is correct because always-on sandboxes give immediate access to a limited set of devices without a reservation; they are shared with other users and may be changed or reset at any time, so they suit read-only API exploration rather than configuration testing.

Exam trap

Cisco often tests the distinction between 'always-on' sandboxes (which provide persistent but limited access) and 'reserved' sandboxes (which offer full, time-limited access), and candidates may incorrectly assume all sandboxes require payment or only support a single OS.

48
MCQeasy

A Python script using the Cisco Meraki API must update the SSID settings for a network. Which HTTP method should be used to modify an existing SSID?

A.PUT
B.POST
C.DELETE
D.GET
AnswerA

PUT updates an existing resource.

Why this answer

To modify an existing SSID in the Cisco Meraki API, the HTTP PUT method is used on the SSID's own URI (/networks/{networkId}/wireless/ssids/{number}), which is an idempotent update. Under strict REST semantics PUT replaces the entire representation; the Meraki API is more lenient and accepts a body containing only the fields to change, leaving the others untouched, but the verb for changing an SSID's settings (name, encryption, splash page) is still PUT.

Exam trap

Cisco often tests the distinction between PUT and POST in REST APIs, and the trap here is that candidates mistakenly think POST can be used for updates because they confuse it with 'update' in general CRUD terminology, but POST is specifically for creation in RESTful design.

How to eliminate wrong answers

Option B (POST) is wrong because POST is used to create a new resource, not to update an existing one; Meraki SSIDs are fixed, numbered slots on a network that are configured in place, so the SSID endpoint offers no POST and such a request is rejected. Option C (DELETE) is wrong because DELETE is used to remove a resource, not to modify its settings. Option D (GET) is wrong because GET is a read-only method used to retrieve the current configuration of an SSID, not to change it.

49
MCQmedium

In a Kubernetes deployment, the container image pull policy is set to "Always". This causes performance issues during rollouts because the image registry is slow. What is the best practice to reduce pull time while maintaining security?

A.Set pullPolicy to "IfNotPresent" for stable releases and use image tags like v1.2.3.
B.Use the ":latest" tag to ensure always fresh images.
C.Set pullPolicy to "Never" and pre-pull images on nodes.
D.Disable image verification to speed up pulls.
AnswerA

Optimizes pulls and uses versioned tags for consistency.

Why this answer

Option A is correct because setting `pullPolicy` to `IfNotPresent` for stable releases (using immutable tags like `v1.2.3`) avoids unnecessary image pulls from a slow registry when the image already exists on the node. This reduces rollout time while keeping every Pod on an explicitly versioned image rather than whatever `:latest` happens to point at. Pinning the image by digest (`image@sha256:...`) is stronger still, because a tag can be re-pushed while a digest cannot change; with a digest reference the kubelet also defaults to `IfNotPresent`.

Exam trap

Cisco often tests the misconception that `:latest` is a safe, always-fresh choice, but the trap here is that `:latest` combined with `Always` causes unnecessary pulls and version ambiguity, whereas immutable tags with `IfNotPresent` balance performance and security.

How to eliminate wrong answers

Option B is wrong because `:latest` is a mutable tag: Kubernetes defaults its pull policy to `Always`, so every Pod start hits the slow registry, and the tag can silently point at a different image tomorrow, so two replicas of one Deployment may end up running different code. Option C is wrong because `Never` makes the kubelet refuse to pull at all, so a Pod scheduled to any node that lacks the image fails to start; pre-pulling every image to every node does not keep up with dynamic rollouts and autoscaling. Option D is wrong because disabling image verification (skipping signature checks or admission policies that require signed or digest-pinned images) lets a tampered image run and does nothing about the slow pulls themselves.
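
An added Python example, not part of the original page, that applies the pull-policy reasoning as an admission-style check over container specs: it parses the image reference, derives the pull policy Kubernetes would use when none is declared, and flags mutable tags, missing digests and the Never policy. The registry names and tags are made up.

```python
import re

SEMVER_TAG = re.compile(r"^v?\d+\.\d+\.\d+([-+][0-9A-Za-z.-]+)?$")
MUTABLE_TAGS = {"latest", "stable", "main", "master", "dev", "nightly"}
DIGEST = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref: str) -> dict:
    """Split 'registry[:port]/repo[:tag][@sha256:...]' into name, tag and digest."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    # A ':' introduces a tag only if it comes after the last '/'; otherwise it is a registry port.
    if ref.rfind(":") > ref.rfind("/"):
        name, tag = ref.rsplit(":", 1)
    return {"name": name, "tag": tag, "digest": digest}


def effective_pull_policy(image: str, declared=None) -> str:
    """Kubernetes default: Always for :latest or an untagged image, IfNotPresent otherwise
    (a digest reference also defaults to IfNotPresent)."""
    if declared:
        return declared
    parts = parse_image_ref(image)
    if parts["digest"] is None and parts["tag"] in (None, "latest"):
        return "Always"
    return "IfNotPresent"


def check_container(container: dict) -> list:
    """Return findings for one container spec ({'image': ..., 'imagePullPolicy': ...})."""
    image = container["image"]
    parts = parse_image_ref(image)
    policy = effective_pull_policy(image, container.get("imagePullPolicy"))
    findings = []
    pinned = parts["digest"] is not None and DIGEST.match(parts["digest"]) is not None
    mutable = parts["tag"] is None or parts["tag"] in MUTABLE_TAGS
    if parts["digest"] is not None and not pinned:
        findings.append(f"{image}: malformed digest")
    if not pinned:
        if mutable:
            findings.append(f"{image}: untagged or mutable tag; pin a release tag or a sha256 digest")
        elif not SEMVER_TAG.match(parts["tag"]):
            findings.append(f"{image}: tag '{parts['tag']}' does not look like an immutable release tag")
        if policy == "IfNotPresent" and mutable:
            findings.append(f"{image}: IfNotPresent with a mutable tag can run a stale cached image")
        if policy == "Always":
            findings.append(f"{image}: Always re-pulls on every Pod start; prefer a digest, "
                            "or an immutable tag with IfNotPresent")
    if policy == "Never":
        findings.append(f"{image}: Never makes the Pod fail on any node that lacks the image")
    return findings


def check_pod_spec(containers: list) -> dict:
    """Map each image to its findings, for use in CI or an admission webhook."""
    return {c["image"]: check_container(c) for c in containers}


if __name__ == "__main__":     # constructed specs
    for image, found in check_pod_spec([
        {"image": "registry.example/app:v1.2.3"},
        {"image": "registry.example/app:latest", "imagePullPolicy": "IfNotPresent"},
        {"image": "registry.example/app@sha256:" + "a" * 64},
    ]).items():
        print(image, "OK" if not found else found)
```

A check like this belongs in CI or an admission controller rather than in a runbook, since the whole point is that the "slow rollout" fix and the "which image actually ran" question are answered by the same rule: immutable reference plus IfNotPresent.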

50
MCQhard

A Python script using ncclient to configure a Cisco IOS XE device fails with an error that the capability 'urn:ietf:params:xml:ns:netconf:base:1.0' is missing. What is the most likely cause?

A.The device does not have NETCONF enabled
B.The username or password is incorrect
C.The edit-config operation should be on candidate instead of running
D.The host key verification is disabled incorrectly
AnswerA

If NETCONF is not enabled on the device, it will not advertise the required capabilities.

Why this answer

Every NETCONF server advertises urn:ietf:params:xml:ns:netconf:base:1.0 (or base:1.1) in the <hello> it sends as soon as the session opens, so a client reporting that capability as missing never received a NETCONF hello at all. On IOS XE the usual cause is that `netconf-yang` is not configured, so the SSH session lands in the exec shell instead of the NETCONF subsystem (which listens on port 830 by default). Wrong credentials would fail earlier, at SSH authentication, and `hostkey_verify=False` only skips checking the server's host key; neither produces a capability error. The candidate datastore (option C) is unrelated, and IOS XE advertises writable-running rather than candidate in any case.
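
An added Python example (not from the original page or from ncclient) of the check a script should make before blaming credentials: parse the server's <hello>, compare the advertised capability URIs with what the script needs, and distinguish "no hello at all" from "hello without this capability". SAMPLE_HELLO is a constructed hello shaped like an IOS XE advertisement; connect_and_check applies the same comparison to a live device with ncclient and assumes the device is reachable.

```python
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_10 = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_11 = "urn:ietf:params:xml:ns:netconf:base:1.1"
CANDIDATE = "urn:ietf:params:netconf:capability:candidate:1.0"
WRITABLE_RUNNING = "urn:ietf:params:netconf:capability:writable-running:1.0"


def parse_hello(hello_xml: str) -> set:
    """Return the capability URIs advertised in a NETCONF <hello>."""
    root = ET.fromstring(hello_xml)
    if root.tag != f"{{{NC_NS}}}hello":
        raise ValueError("root element is not a NETCONF <hello>")
    return {c.text.strip() for c in root.iter(f"{{{NC_NS}}}capability") if c.text}


def missing_capabilities(server_caps, required) -> list:
    """Compare ignoring the ?module=...&revision=... query that YANG capabilities carry."""
    have = {cap.split("?", 1)[0] for cap in server_caps}
    return [r for r in required if r not in have]


def diagnose(raw_server_output: str, required=(BASE_10,)) -> str:
    """Turn whatever came back on the SSH channel into an actionable message."""
    try:
        caps = parse_hello(raw_server_output)
    except (ET.ParseError, ValueError):
        return ("no NETCONF <hello> received: the SSH session is not attached to the NETCONF "
                "subsystem; on IOS XE check that 'netconf-yang' is configured and connect to port 830")
    missing = missing_capabilities(caps, required)
    if missing:
        return "NETCONF server lacks required capabilities: " + ", ".join(missing)
    datastore = "candidate" if CANDIDATE in caps else "running"
    return f"ok: edit-config should target the {datastore} datastore"


# Constructed hello, shaped like an IOS XE advertisement: base 1.0/1.1, writable-running,
# one YANG module with query parameters, and no candidate datastore.
SAMPLE_HELLO = """<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.0</capability>
    <capability>urn:ietf:params:xml:ns:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
    <capability>urn:ietf:params:xml:ns:yang:ietf-interfaces?module=ietf-interfaces&amp;revision=2014-05-08</capability>
  </capabilities>
  <session-id>42</session-id>
</hello>"""

# What a script sees when it lands in the exec shell instead of NETCONF (constructed).
SAMPLE_SHELL_BANNER = "Router>"


def connect_and_check(host, username, password, port=830):
    """With ncclient installed, run the same comparison against a live device (assumed reachable)."""
    from ncclient import manager
    with manager.connect(host=host, port=port, username=username, password=password,
                         hostkey_verify=False, device_params={"name": "iosxe"}) as m:
        return missing_capabilities(list(m.server_capabilities), (BASE_10, WRITABLE_RUNNING))


if __name__ == "__main__":
    print(diagnose(SAMPLE_HELLO))
    print(diagnose(SAMPLE_SHELL_BANNER))
```

hostkey_verify=False is used above only because lab devices rarely have pinned keys; in production the host key should be verified, otherwise the script will happily hand its credentials to whatever answers on port 830.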

51
MCQeasy

A network engineer wants to automate the configuration of multiple Cisco IOS devices using Ansible. What is the minimum requirement on the control node to execute Ansible playbooks against these devices?

A.Ansible Tower license for automated network configuration
B.A PostgreSQL database to store inventory and credentials
C.A dedicated management server with Ansible Tower installed
D.A Linux or macOS control node with Python installed
AnswerD

Ansible requires Python on the control node; network devices only need SSH access.

Why this answer

Ansible uses a push-based architecture where the control node must be a Linux or macOS system with Python installed to execute playbooks. Python is required because Ansible itself is written in Python and relies on it for modules, SSH connections, and Jinja2 templating. No additional database, license, or dedicated management server is needed for basic network automation against Cisco IOS devices.

Exam trap

Cisco often tests the misconception that Ansible requires a dedicated server or commercial product like Ansible Tower, when in fact the minimum requirement is simply a Linux/macOS host with Python and the Ansible package installed.

How to eliminate wrong answers

Option A is wrong because Ansible Tower (now Red Hat Ansible Automation Platform) is a commercial web UI and API layer that adds RBAC, scheduling, and auditing, but it is not a minimum requirement; the open-source Ansible Engine can run playbooks directly from any control node. Option B is wrong because a PostgreSQL database is only required if you use Ansible Tower's inventory and credential storage; the default flat-file inventory and SSH keys or vault-encrypted credentials work without any database. Option C is wrong because a dedicated management server with Ansible Tower installed is an enterprise deployment pattern, not a minimum requirement; a standard Linux or macOS workstation with Ansible installed via pip or package manager suffices.

52
Multi-Selecthard

A network automation engineer uses Ansible to manage a group of Cisco IOS XE devices. The playbook fails with 'unreachable' for some devices. Which TWO actions should the engineer take to troubleshoot the connectivity?

Select 2 answers
A.Increase the timeout value in the playbook.
B.Ignore the unreachable devices and proceed.
C.Use the 'ios_command' module to test connectivity.
D.Check if SNMP is enabled on the devices.
E.Verify the device IP address and credentials in the inventory.
AnswersC, E

Helps verify device accessibility.

Why this answer

Option C is correct because the 'ios_command' module can be used to verify basic connectivity by sending a simple command (e.g., 'show version') to the device. If the module returns a response, it confirms that Ansible can reach the device and that the credentials are valid, isolating the issue to the specific task or playbook logic rather than connectivity. Option E is correct because 'unreachable' is raised by the connection plugin before any module runs: Ansible could not open the SSH session, so the ansible_host address, port, connection type (network_cli) and credentials in the inventory are the first things to check, for example by running the same command ad hoc with -vvvv to see the underlying SSH error.

Exam trap

Cisco often tests the misconception that SNMP is required for Ansible management, but the trap here is that candidates confuse SNMP-based monitoring with SSH-based automation, leading them to select Option D instead of focusing on the actual connectivity layer.

53
MCQhard

Refer to the exhibit. This JSON response was received from the Cisco DNA Center API. A developer wants to extract the software version of the first device. Which Python expression correctly retrieves '16.12.5' from the variable `data`?

A.data[0]['softwareVersion']
B.data['response'][0]['version']
C.data['response']['softwareVersion']
D.data['response'][0]['softwareVersion']
AnswerD

Correctly navigates the JSON hierarchy.

Why this answer

The JSON structure has a 'response' array containing device objects. The first element is index 0, and the software version is under the key 'softwareVersion'. So data['response'][0]['softwareVersion'] is correct.

54
MCQeasy

A developer is integrating a monitoring application with Cisco Meraki API to retrieve network health data. The application needs to ensure it doesn't exceed the API rate limit of 5 requests per second. What is the best practice for handling this limitation?

A.Increase the rate limit by contacting Cisco support.
B.Use a single API key for all requests to reduce overhead.
C.Implement exponential backoff and retry after receiving a 429 status code.
D.Send all requests in a loop without delay to complete quickly.
AnswerC

Exponential backoff is the standard technique to handle rate limits, gradually increasing wait time between retries.

Why this answer

Option C is correct because the Cisco Meraki API returns HTTP 429 (Too Many Requests) when the rate limit is exceeded. Implementing exponential backoff, where the application waits progressively longer between retries, is the standard practice for handling rate limits gracefully, as it reduces server load and increases the chance of a successful retry without overwhelming the API. Meraki also sends a Retry-After header on 429 responses, so a client should wait at least that long before retrying and fall back to exponential backoff with jitter if the limit is still hit. Pacing requests on the client side so the documented budget is never exceeded is better still, and retries must be bounded so a persistent error does not loop forever.

Exam trap

Cisco often tests the misconception that rate limits can be bypassed by technical tricks like using a single API key or sending requests faster, when the correct approach is to respect the 429 response with exponential backoff.

How to eliminate wrong answers

Option A is wrong because the rate limit is a server-side policy that applies to every API consumer; the developer must work within the documented limit rather than ask for an exception. Option B is wrong because using a single API key does not help: the limit is applied per key or per organization, so funnelling all traffic through one key makes the cap easier to hit, not harder. Option D is wrong because sending all requests in a loop without delay immediately triggers 429 responses, so most of the burst fails and has to be repeated anyway.
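
An added Python example, not Cisco's or Meraki's code, of the handling described in option C: retries honour Retry-After when present, otherwise use capped exponential backoff with jitter, and are bounded; a small token bucket paces requests below the stated 5 per second so most calls never see a 429. FakeResponse and the response sequence in the demo are constructed; the sleep, clock and random functions are injectable so the behaviour can be checked without waiting.

```python
import random
import time
from collections import namedtuple

FakeResponse = namedtuple("FakeResponse", "status_code headers")   # constructed stand-in


class RetryExhausted(Exception):
    pass


def backoff_delay(attempt: int, retry_after=None, base=0.5, cap=30.0, rng=random.random) -> float:
    """Honour Retry-After when the server sends it; otherwise full-jitter exponential backoff."""
    if retry_after is not None:
        return float(retry_after)
    return min(cap, base * 2 ** attempt) * rng()      # uniform in [0, ceiling)


def call_with_backoff(send, max_attempts=5, sleep=time.sleep, rng=random.random):
    """send() performs one request and returns a response-like object; retries are bounded."""
    for attempt in range(max_attempts):
        resp = send()
        if resp.status_code != 429 and not 500 <= resp.status_code < 600:
            return resp                                  # success or a 4xx that a retry cannot fix
        if attempt == max_attempts - 1:
            raise RetryExhausted(f"gave up after {max_attempts} attempts, last status {resp.status_code}")
        header = resp.headers.get("Retry-After")
        sleep(backoff_delay(attempt, retry_after=float(header) if header else None, rng=rng))


class TokenBucket:
    """Client-side pacing so the per-second budget is not exceeded in the first place."""

    def __init__(self, rate_per_s: float, burst=None, clock=time.monotonic, sleep=time.sleep):
        self.rate = rate_per_s
        self.capacity = burst or int(rate_per_s)
        self.tokens = float(self.capacity)
        self.clock, self.sleep = clock, sleep
        self.last = clock()

    def acquire(self) -> float:
        """Block until a request may be sent; return how long we waited."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return 0.0
        wait = (1 - self.tokens) / self.rate
        self.sleep(wait)
        self.tokens = 0.0                  # the token that accrued during the wait is consumed
        self.last = self.clock()
        return wait


def paced_call(bucket: TokenBucket, send, **retry_kwargs):
    """Pace first, then retry on 429/5xx: the two techniques complement each other."""
    bucket.acquire()
    return call_with_backoff(send, **retry_kwargs)


if __name__ == "__main__":
    # Constructed sequence: throttled twice, one gateway error, then success.
    replies = iter([FakeResponse(429, {"Retry-After": "2"}), FakeResponse(429, {}),
                    FakeResponse(503, {}), FakeResponse(200, {})])
    waits = []
    result = call_with_backoff(lambda: next(replies), sleep=waits.append, rng=lambda: 1.0)
    print(result.status_code, "after sleeping", waits)
```

Full jitter (a uniform draw below the exponential ceiling) is what keeps many clients that were throttled at the same instant from retrying in lockstep; the deterministic rng in the demo is only there to make the delays predictable.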

55
MCQhard

A DevOps team is developing a CI/CD pipeline for a microservices application that uses Cisco NSO (Network Services Orchestrator) for network configuration. The application code is stored in a Git repository. The pipeline must automatically trigger a test suite when a pull request is merged to the main branch, but only if the tests pass, then deploy to a staging environment. The team is using Jenkins. A junior engineer suggests using a single Jenkinsfile with a declarative pipeline that includes all stages. However, a senior engineer notes that the pipeline should be designed for reusability and maintainability, especially as the number of microservices grows. Which approach best meets these requirements?

A.Use shared libraries to define common stages like testing and deployment, and reference them in each microservice's Jenkinsfile.
B.Create separate Jenkinsfiles for each microservice and call them from a main pipeline using the "build" step.
C.Use a single scripted pipeline that uses "parallel" for microservices and "stage" for testing and deployment.
D.Use a single declarative pipeline with all stages defined in the Jenkinsfile and use "when" conditions to control execution.
AnswerA

A is correct because shared libraries encapsulate reusable pipeline code, minimising duplication and simplifying updates across all microservices.

Why this answer

The correct answer is A: use shared libraries to define common stages like testing and deployment, and reference them in each microservice's Jenkinsfile. Shared libraries reduce duplication and centralise logic, so a change to the test or deployment stage is made once and applies to every service. D (a single declarative pipeline with 'when' conditions) grows into one large file that every team must edit as new services are added.

B (separate Jenkinsfiles called from a main pipeline) is better than D but still duplicates the common stages across files unless shared libraries are used. C (a single scripted pipeline with 'parallel') runs the services concurrently but does not by itself promote reuse; the common steps are still duplicated unless they are abstracted.

56
Drag & Dropmedium

Drag and drop the steps to configure OSPF on a Cisco router into the correct order.

Why this order

OSPF configuration requires enabling the OSPF process, setting a router ID, and advertising networks in specific areas.

57
Multi-Selecthard

When implementing network automation with Cisco devices, which THREE practices help ensure idempotency? (Select THREE)

Select 3 answers
A.Writing scripts that only push incremental configurations.
B.Relying on manual rollback procedures after automation failures.
C.Performing a full configuration replace using RESTCONF PUT instead of PATCH.
D.Using Ansible modules that check the current state before making changes.
E.Using declarative automation tools like Puppet that enforce desired state.
AnswersC, D, E

PUT replaces the whole resource, making it idempotent; PATCH is not necessarily idempotent.

Why this answer

Option C is correct because a full configuration replace using RESTCONF PUT ensures idempotency by setting the entire configuration to a known state, regardless of the current state. Unlike PATCH, which applies incremental changes that may behave differently depending on the existing configuration, PUT overwrites the entire resource, guaranteeing the same result every time it is executed.

Exam trap

Cisco often tests the misconception that incremental changes (like PATCH or partial configs) are idempotent, but the trap here is that only full-state replacement or state-checking tools guarantee the same result on every execution, regardless of the starting configuration.
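
An added Python example (not from the original page) that separates two things the question runs together: whether running a step twice changes anything, and whether the end state depends on where the device started. It models the check-before-change pattern of a module like ios_config on constructed CLI lines, and the RESTCONF PUT (replace) versus plain PATCH (merge) difference on a constructed interface resource; the paths and values are invented.

```python
import copy


def plan_config_changes(running_config: list, desired_lines: list) -> list:
    """Check-before-change, as idempotent modules do it: emit only the lines that are absent."""
    present = {line.strip() for line in running_config}
    return [line for line in desired_lines if line.strip() not in present]


def apply_config_lines(running_config: list, commands: list) -> list:
    """Constructed device model: the pushed commands join the running configuration."""
    return list(running_config) + list(commands)


def restconf_put(datastore: dict, path: str, body: dict) -> dict:
    """PUT replaces the whole resource: leaves not present in the body disappear."""
    datastore[path] = copy.deepcopy(body)
    return datastore[path]


def restconf_patch(datastore: dict, path: str, body: dict) -> dict:
    """Plain PATCH merges: leaves absent from the body survive from whatever was there."""
    current = datastore.setdefault(path, {})
    _merge(current, body)
    return current


def _merge(target: dict, patch: dict) -> None:
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            _merge(target[key], value)
        else:
            target[key] = copy.deepcopy(value)


def converge(method, starting_state: dict, path: str, desired: dict) -> dict:
    """Apply a method twice from a given start and return the final resource state."""
    store = {path: copy.deepcopy(starting_state)}
    method(store, path, desired)
    method(store, path, desired)
    return store[path]


def repeat_is_noop(method, starting_state: dict, path: str, desired: dict) -> bool:
    """True when a second application changes nothing (idempotent on repetition)."""
    store = {path: copy.deepcopy(starting_state)}
    method(store, path, desired)
    once = copy.deepcopy(store[path])
    method(store, path, desired)
    return store[path] == once


# Constructed desired state for a loopback: description and admin-up, nothing else.
PATH = "ietf-interfaces:interfaces/interface=Loopback0"
DESIRED = {"name": "Loopback0", "description": "mgmt", "enabled": True}
CLEAN_START = {"name": "Loopback0", "enabled": False}
DRIFTED_START = {"name": "Loopback0", "enabled": False,
                 "ietf-ip:ipv4": {"address": [{"ip": "10.0.0.1", "netmask": "255.255.255.255"}]}}
RUNNING_CONFIG = ["interface Loopback0"]
DESIRED_LINES = ["interface Loopback0", " description mgmt"]

if __name__ == "__main__":
    print("first run pushes:", plan_config_changes(RUNNING_CONFIG, DESIRED_LINES))
    print("PUT from drifted start:", converge(restconf_put, DRIFTED_START, PATH, DESIRED))
    print("PATCH from drifted start:", converge(restconf_patch, DRIFTED_START, PATH, DESIRED))
```

Both methods are harmless to repeat, which is the narrow sense of idempotent; only PUT gives the same end state from a drifted start, because merge semantics cannot remove the stale address. That convergence is what the question is really after, and it is also why a replace must be reviewed before it runs: everything not in the body is gone.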

58
MCQeasy

An engineer needs to automate the backup of configuration files from multiple Cisco IOS devices to a central server. Which protocol is most appropriate for pushing configurations from the devices to the server?

A.TFTP
B.FTP
C.HTTP
D.SCP
AnswerD

SCP uses SSH encryption, providing secure file transfer.

Why this answer

SCP (Secure Copy Protocol) is the most appropriate choice because it provides encrypted, authenticated file transfers over SSH, ensuring the confidentiality and integrity of Cisco IOS configuration backups. It is natively supported on Cisco IOS devices and allows secure push operations to a central server without requiring additional software.

Exam trap

Cisco often tests the distinction between secure and insecure file transfer protocols in automation contexts, and the trap here is that candidates may choose TFTP due to its simplicity and common use in lab environments, overlooking the security requirements for production backups.

How to eliminate wrong answers

Option A is wrong because TFTP has no security mechanisms (no encryption or authentication) and is typically used for local, short-lived transfers such as image staging, not for secure backups to a central server. Option B is wrong because FTP transmits credentials and data in cleartext and its separate data connections complicate firewall rules, making it insecure and less suitable for automated backups. Option C is wrong because plain HTTP likewise carries the configuration and any credentials in cleartext; it is not the conventional target for IOS configuration backups, and only the SSH-based options satisfy the security requirement.

59
MCQeasy

The exhibit shows a JSON response from a Cisco NX-OS API query for interface status. What is the operational state of interface Ethernet1/1?

A.unknown
B.down
C.admin-down
D.up
AnswerB

The 'oper-state' field is 'down'.

Why this answer

The JSON shows "oper-state": "down", so the operational state is down.

60
MCQmedium

Which of the following is a best practice for version controlling large binary files (e.g., network device firmware images) in a Git repository?

A.Avoid storing binary files; use a separate artifact repository and reference the version in metadata
B.Use Git submodules to reference external storage
C.Compress them and commit as usual
D.Store them directly in the repository with LFS (Large File Storage)
AnswerA

This keeps the Git repository lean and uses appropriate tools for binary storage.

Why this answer

Best practice is to avoid storing binary files in Git; use a separate artifact repository and reference the version in metadata (e.g., a text file with the image name, version and checksum). Git LFS (option D) is a workable alternative that keeps a pointer in Git and the bytes in LFS storage, but it adds tooling and hosting overhead and is not always available. Compressing and committing (option C) still bloats the repository, because every firmware version is kept in full in the history.

Git submodules (option B) reference other Git repositories; they are not designed for external storage of large files.

61
MCQmedium

A network engineer is designing a data center network with leaf-spine topology. The requirement is to minimize latency and maximize bandwidth for east-west traffic. Which type of links should be used between leaf and spine switches?

A.Multiple links with VSS
B.Single link with LACP
C.Multiple parallel links with ECMP routing
D.Single link with STP
AnswerC

ECMP allows all links to be active, increasing bandwidth and reducing latency.

Why this answer

In a leaf-spine topology, east-west traffic (server-to-server) must traverse the spine switches. Using multiple parallel links with Equal-Cost Multi-Path (ECMP) routing allows all links to be active simultaneously, maximizing bandwidth and minimizing latency by load-balancing traffic across all available paths. ECMP leverages Layer 3 routing (e.g., OSPF or BGP) to forward packets over multiple equal-cost paths, which is ideal for the non-blocking, high-throughput design of leaf-spine architectures.

Exam trap

Cisco often tests the misconception that link aggregation (LACP or VSS) is the best way to increase bandwidth in a leaf-spine design, but the trap is that these are Layer 2 solutions that do not provide the active-active multipath routing (ECMP) required for optimal east-west traffic in a Layer 3 leaf-spine topology.

How to eliminate wrong answers

Option A is wrong because VSS (Virtual Switching System) is a Cisco proprietary technology that bundles multiple physical switches into a single logical switch with one control plane; it adds complexity, does not scale to a leaf-spine fabric, and the shared control plane becomes a bottleneck for east-west traffic. Option B is wrong because LACP aggregates links into one logical Layer 2 bundle; it provides redundancy and bandwidth only within that bundle and does not give the multiple parallel, independently routed paths that full bisection bandwidth in a leaf-spine topology requires. Option D is wrong because a single link with STP (Spanning Tree Protocol) blocks redundant paths to prevent loops, leaving only one active link at a time, which severely limits bandwidth and increases latency for east-west traffic; STP is designed for traditional tree topologies, not for the active-active multipath requirement of leaf-spine.

62
MCQmedium

A network administrator is configuring SNMPv3 on a router for secure monitoring. Which combination of parameters is required to ensure authentication and encryption?

A.SNMPv3 with authPriv
B.SNMPv3 with noAuthNoPriv
C.SNMPv3 with authNoPriv
D.SNMPv2c with a complex community string
AnswerA

Provides authentication and encryption.

Why this answer

SNMPv3 with authPriv is the correct combination because it enables both authentication (HMAC-MD5 or HMAC-SHA) and encryption (DES or AES) to secure monitoring traffic. The authPriv security level provides message integrity, origin authentication and data confidentiality, meeting the requirement for both authentication and encryption. On current devices choose SHA (HMAC-SHA-256 where available) and AES-128 or stronger; MD5 and DES remain only for compatibility and should not be used in new deployments.

Exam trap

Cisco often tests the distinction between authNoPriv and authPriv, where candidates mistakenly think authentication alone is sufficient for 'secure monitoring' and overlook the encryption requirement.

How to eliminate wrong answers

Option B (noAuthNoPriv) is wrong because it provides no authentication or encryption, offering only a username for identification with no security. Option C (authNoPriv) is wrong because it enables authentication but no encryption, leaving the SNMP payload in cleartext and vulnerable to eavesdropping. Option D (SNMPv2c with a complex community string) is wrong because SNMPv2c uses community strings for authentication only, which are transmitted in plaintext and provide no encryption, failing the encryption requirement.

63
MCQhard

In the context of microservices for network automation, which pattern ensures that each service has a separate database to avoid tight coupling?

A.Circuit breaker
B.Database per service
C.API gateway
D.Shared database
AnswerB

This pattern gives each microservice its own database, promoting loose coupling.

Why this answer

Database per service pattern ensures each microservice has its own database, preventing tight coupling. Shared database couples services, API gateway is for routing, circuit breaker for fault tolerance.

64
MCQeasy

A DevOps engineer is using the Cisco Meraki API to retrieve a list of networks. Which HTTP method should be used?

A.PUT
B.POST
C.DELETE
D.GET
AnswerD

GET is designed to retrieve resources.

Why this answer

The GET method is the correct HTTP verb for retrieving a list of networks from the Cisco Meraki API because it is a read-only operation that fetches existing resources without modifying server state. The Meraki API follows RESTful conventions where GET requests are used to query collections or individual resources, and the endpoint for listing networks is typically a GET to /organizations/{organizationId}/networks.

Exam trap

Cisco often tests whether candidates confuse POST with GET for read operations, especially when the API documentation uses POST for non-standard actions like generating reports or running queries, leading candidates to incorrectly assume POST is acceptable for retrieving lists.

How to eliminate wrong answers

Option A (PUT) is wrong because PUT is used to update or replace an existing resource, not to retrieve data; using PUT for a read operation would violate REST semantics and could cause unintended side effects. Option B (POST) is wrong because POST is used to create a new resource or submit data for processing, not to fetch a list; the Meraki API uses POST for actions like creating networks or generating API keys. Option C (DELETE) is wrong because DELETE is used to remove a resource, which is the opposite of retrieving a list; sending a DELETE to a collection endpoint would attempt to delete the entire collection.

65
MCQmedium

A developer wants to deploy a containerized application on a Cisco Container Platform (CCP) cluster. The application requires persistent storage. Which Kubernetes resource should be used to provision storage?

A.Secret
B.Service
C.PersistentVolumeClaim
D.ConfigMap
AnswerD

ConfigMap is used for configuration data, not persistent storage.

Why this answer

PersistentVolumeClaim (PVC) is the correct Kubernetes resource for requesting persistent storage in a CCP cluster. A PVC binds to a PersistentVolume (PV) that has been provisioned by the cluster administrator or dynamically via a StorageClass, making it the standard abstraction for storage consumption in containerized applications.

Exam trap

Cisco often tests the distinction between ConfigMap and PersistentVolumeClaim by presenting ConfigMap as a storage option, but ConfigMap is for configuration data, not persistent storage, and cannot survive Pod restarts or provide filesystem-level persistence.

How to eliminate wrong answers

Option A is wrong because a Secret is used to store sensitive data like passwords or tokens, not to provision storage. Option B is wrong because a Service is a networking abstraction that exposes a set of Pods as a network service, not a storage resource. Option D (ConfigMap) is incorrect because ConfigMaps store non-sensitive configuration data as key-value pairs or files, not persistent storage volumes.

66
Multi-Selecthard

Which TWO statements accurately describe characteristics of infrastructure as code (IaC) in network automation?

Select 2 answers
A.IaC eliminates the need for manual review of configuration changes before deployment.
B.IaC requires that all network devices be replaced with software-based equivalents.
C.IaC is only applicable to virtual network functions, not physical devices.
D.IaC tools use declarative or imperative models to define the desired state of network infrastructure.
E.IaC allows network configurations to be stored in version control and tested before deployment.
AnswersD, E

IaC can be declarative (e.g., Terraform) or imperative (e.g., Ansible).

Why this answer

Option D is correct because Infrastructure as Code (IaC) tools like Ansible, Terraform, and Cisco NSO allow network engineers to define the desired state of infrastructure using either declarative (what the end state should be) or imperative (step-by-step instructions) models. This abstraction enables consistent, repeatable deployments and reduces configuration drift across the network.

Exam trap

Cisco often tests the misconception that IaC is only for virtual or cloud environments, when in fact it is designed to manage any programmable network device, including physical hardware, via standard interfaces like NETCONF/RESTCONF.

67
MCQhard

A network engineer attempts to use RESTCONF to retrieve the running configuration of a Cisco IOS XE device. The GET request to '/restconf/data/Cisco-IOS-XE-native:native' returns a 405 Method Not Allowed error. What is the most likely cause?

A.The API key provided is invalid.
B.The request body was malformed.
C.RESTCONF is not enabled or the YANG module is not supported.
D.The device does not support HTTPS.
AnswerC

RESTCONF must be enabled and the module accessible.

Why this answer

A 405 Method Not Allowed error indicates that the HTTP method (GET) is not supported for the requested resource. In RESTCONF, this typically occurs when the RESTCONF service is not enabled on the device or the specific YANG module (Cisco-IOS-XE-native) is not supported or loaded. Without the service or module, the server cannot process the GET request for the running configuration.

Exam trap

Cisco often tests the distinction between HTTP status codes (405 vs. 401 vs. 400) to see if candidates understand that 405 specifically relates to an unsupported HTTP method or disabled service, not authentication or malformed data.

How to eliminate wrong answers

Option A is wrong because RESTCONF uses HTTP authentication (e.g., basic or token-based), not API keys; an invalid API key would result in a 401 Unauthorized error, not 405. Option B is wrong because a malformed request body would cause a 400 Bad Request error, and GET requests typically have no body. Option D is wrong because if the device did not support HTTPS, the request would fail at the transport layer (e.g., connection refused or TLS error), not return an HTTP 405 status code.

68
MCQeasy

A network administrator needs to verify that a switch port is configured as an access port and assigned to VLAN 30. Which command should be used on a Cisco IOS switch?

A.show running-config interface GigabitEthernet0/1
B.show interfaces status
C.show mac address-table interface GigabitEthernet0/1
D.show vlan brief
AnswerB

The 'Vlan' column in 'show interfaces status' shows the access VLAN.

Why this answer

The 'show interfaces status' command displays the operational status, VLAN assignment, and duplex/speed settings for all switch ports. When verifying an access port, the output includes the VLAN ID under the 'Vlan' column, confirming the port is assigned to VLAN 30 and operating in access mode (trunk ports show 'trunk' instead). This command directly answers the question without requiring interpretation of running configuration or MAC address tables.

Exam trap

Cisco often tests the distinction between configuration commands (like 'show running-config') and operational verification commands (like 'show interfaces status'), trapping candidates who assume the running config always reflects the current operational state, especially when 'switchport mode access' is omitted or when a port is in a trunking mode.

How to eliminate wrong answers

Option A is wrong because 'show running-config interface GigabitEthernet0/1' displays the current configuration, but it does not show the operational VLAN assignment for an access port unless the 'switchport access vlan' command is explicitly present; it may also show default VLAN 1 if not configured, leading to ambiguity. Option C is wrong because 'show mac address-table interface GigabitEthernet0/1' shows MAC addresses learned on that port, but it does not reveal the VLAN ID assigned to the port itself; it only shows which VLANs have active MAC entries, which is irrelevant for verifying access port VLAN assignment. Option D is wrong because 'show vlan brief' lists all VLANs and their member ports, but it does not indicate whether a specific port is configured as an access port or trunk; a port could be a trunk carrying multiple VLANs, and the output would show it in multiple VLANs, not confirming access mode.

69
MCQmedium

During a security audit, it is found that a microservice exposes its internal IP address in error responses. This could help attackers map the network. What is the BEST remediation?

A.Use a service mesh to encrypt traffic.
B.Log the errors and monitor them.
C.Configure the application to return generic error messages without internal details.
D.Add a firewall to block external access to the service.
AnswerC

Eliminates information leakage at the source.

Why this answer

Option C is correct because exposing internal IP addresses in error responses violates the principle of least information disclosure. The best remediation is to configure the application to return generic error messages (e.g., HTTP 500 with a generic body) that strip out internal details like IP addresses, stack traces, or debug data. This prevents attackers from using error responses to map the internal network topology, a common information-gathering technique.

Exam trap

Cisco often tests the misconception that network-level controls (firewalls, encryption) are sufficient to fix application-layer information disclosure, when in fact the application itself must sanitize its output.

How to eliminate wrong answers

Option A is wrong because a service mesh (e.g., Istio, Linkerd) encrypts traffic between microservices (mTLS) but does not modify the content of error responses returned to clients; the internal IP would still leak in the response body. Option B is wrong because logging errors and monitoring them only helps with detection and post-incident analysis, not prevention; the internal IP is still exposed in the live response to the attacker. Option D is wrong because a firewall blocks external access at the network layer, but if the service is meant to be externally accessible (e.g., a public API), the firewall cannot be applied; even if it could, the internal IP would still be exposed to legitimate external clients who receive the error.

70
MCQhard

During a network migration, an engineer needs to replace a legacy core switch with a new one without disrupting the existing STP topology. The new switch supports RSTP and will be connected via two trunk links. Which configuration should be applied to the new switch to prevent it from becoming the root bridge?

A.Enable root guard on the trunk ports
B.Configure the bridge priority to 61440
C.Enable BPDU guard on the trunk ports
D.Set the bridge priority to 0
AnswerB

High priority makes it less likely to become root.

Why this answer

Option B is correct because setting the bridge priority to 61440 (which is a valid priority value in increments of 4096) ensures the new switch has a higher numerical priority than the current root bridge, preventing it from becoming the root. In STP/RSTP, the switch with the lowest bridge priority becomes the root bridge; by configuring a high priority, the new switch will not disrupt the existing topology.

Exam trap

The trap here is that candidates often confuse root guard (which protects against becoming a root port) with preventing the switch from becoming the root bridge, or they mistakenly think setting priority to 0 (lowest) would prevent root election, when in fact it forces the switch to become root.

How to eliminate wrong answers

Option A is wrong because root guard is used to prevent a port from becoming a root port (i.e., it blocks BPDUs that would make the local switch the root), but it does not prevent the switch itself from becoming the root bridge; it only protects against superior BPDUs received on that port. Option C is wrong because BPDU guard is used to shut down a port if a BPDU is received (typically on access ports configured with PortFast), not to prevent the switch from becoming the root bridge. Option D is wrong because setting the bridge priority to 0 makes the switch the lowest possible priority, which would force it to become the root bridge, the exact opposite of the desired outcome.

71
MCQeasy

A developer wants to automate the configuration of multiple Cisco IOS-XE devices using Ansible. Which protocol should be used to ensure secure and idempotent configuration updates?

A.Telnet
B.SSH
C.SNMP
D.HTTP
AnswerB

SSH provides secure, encrypted communication and is compatible with Ansible.

Why this answer

SSH (Secure Shell) is the correct protocol because it provides encrypted, authenticated remote access to Cisco IOS-XE devices, which is essential for secure automation. Ansible uses SSH to connect to network devices and execute configuration commands idempotently by comparing the desired state (defined in playbooks) against the current device state, ensuring only necessary changes are applied without duplication or disruption.

Exam trap

Cisco often tests the distinction between protocols used for monitoring (SNMP) versus those used for secure configuration management (SSH), and candidates may mistakenly choose SNMP because they associate it with network management, overlooking that Ansible specifically requires an interactive, secure shell for idempotent configuration pushes.

How to eliminate wrong answers

Option A (Telnet) is wrong because it transmits data in plaintext, including credentials and configuration commands, offering no encryption or security, and is not recommended for any production automation. Option C (SNMP) is wrong because it is primarily used for monitoring and retrieving device metrics (e.g., via MIBs), not for pushing idempotent configuration updates; SNMP Set operations are unreliable and lack the transactional, state-based idempotency that Ansible requires. Option D (HTTP) is wrong because it is unencrypted and insecure for configuration management; while HTTPS could be used with RESTCONF/NETCONF, the question specifies Ansible, which relies on SSH for network device automation, and HTTP alone does not provide the secure, idempotent configuration capabilities needed.

72
MCQmedium

A company uses Cisco DNA Center to manage its network. A developer wants to retrieve the overall health score of a specific site using the DNA Center REST API. Which API path should be used?

A./dna/intent/api/v1/network-health
B./dna/intent/api/v1/site-health
C./dna/intent/api/v1/assurance/site
D./dna/intent/api/v1/health-score
AnswerB

Correct endpoint for site health.

Why this answer

The correct API path to retrieve the overall health score of a specific site is /dna/intent/api/v1/site-health. This endpoint is part of the Cisco DNA Center Intent API and returns site-level health metrics, including overall health scores for network devices, clients, and applications at a given site. It is specifically designed to aggregate health data per site, unlike broader network-wide endpoints.

Exam trap

Cisco often tests the distinction between network-wide and site-specific health endpoints, and the trap here is that candidates confuse /dna/intent/api/v1/network-health (which returns overall network health) with the site-specific endpoint, or they invent plausible-sounding but non-existent paths like /health-score or /assurance/site.

How to eliminate wrong answers

Option A is wrong because /dna/intent/api/v1/network-health returns the overall network health score across all sites, not a specific site's health. Option C is wrong because /dna/intent/api/v1/assurance/site is not a valid Cisco DNA Center REST API path; the correct assurance-related endpoint for site health uses /site-health. Option D is wrong because /dna/intent/api/v1/health-score is not a valid endpoint; Cisco DNA Center uses specific resource paths like /site-health or /network-health, not a generic /health-score.

73
MCQmedium

A company is deploying a new application that requires low-latency communication between servers in the same data center. The network team is designing a leaf-spine architecture. What is the primary advantage of this topology over a traditional three-tier design?

A.Simpler redundancy with fewer layers.
B.Consistent low latency and high bandwidth between any two devices.
C.Easier to deploy with less cabling.
D.Reduced number of required switch ports.
AnswerB

With equal-cost multipathing, latency is consistent and low.

Why this answer

Leaf-spine provides predictable low latency because any leaf is one hop from any other leaf via the spine, and equal-cost multipathing spreads traffic across all spine links.

How to eliminate wrong answers

Option A is wrong because redundancy is inherent in both designs; fewer layers is not the primary advantage. Option C is wrong because leaf-spine actually increases the number of links, so it is not easier to cable. Option D is wrong because leaf-spine typically requires more switch ports and cabling, not fewer.

74
MCQmedium

An engineer is troubleshooting a Cisco DNA Center API call that returns a 401 error. What is the most likely cause?

A.The authentication token has expired
B.The network device is unreachable
C.The request body is invalid
D.The API endpoint is incorrect
AnswerA

401 indicates missing or invalid authentication credentials.

Why this answer

A 401 Unauthorized error from the Cisco DNA Center API indicates that the request lacks valid authentication credentials. The most common cause is that the authentication token (JWT) obtained via the /dna/system/api/v1/auth/token endpoint has expired. Cisco DNA Center tokens have a default expiry of 60 minutes, after which the API rejects the request with a 401 status.

Exam trap

Cisco often tests the distinction between HTTP status codes (401 vs 400 vs 404 vs 502) to see if candidates understand that each code maps to a specific failure category in REST API interactions.

How to eliminate wrong answers

Option B is wrong because a network device being unreachable would typically result in a 502 Bad Gateway or 504 Gateway Timeout error from the API proxy, not a 401. Option C is wrong because an invalid request body usually produces a 400 Bad Request error, not a 401. Option D is wrong because an incorrect API endpoint typically returns a 404 Not Found error, as the server cannot route the request to a valid resource.

75
MCQeasy

A developer is automating VLAN configuration on a Cisco switch using REST API. Which HTTP method should be used to create a new VLAN?

A.PUT
B.POST
C.GET
D.PATCH
E.DELETE
AnswerB

POST creates a new resource.

Why this answer

To create a new VLAN resource on a Cisco switch via REST API, the POST method is correct because it is designed to create a subordinate resource under a parent collection. In RESTful APIs, POST is used to send data to the server to create a new entity, such as a VLAN, and the server assigns a unique identifier (e.g., VLAN ID) to the new resource. This aligns with the RESTful principle for resource creation, as specified in RFC 7231.

Exam trap

Cisco often tests the distinction between POST and PUT, where candidates mistakenly choose PUT because they think it can 'create or update' a resource, but in REST APIs for Cisco devices, PUT requires a known resource URI and is not used for server-assigned creation of new VLANs.

How to eliminate wrong answers

Option A (PUT) is wrong because PUT is used to replace or update an existing resource at a specific URI, not to create a new resource with a server-assigned identifier; using PUT for creation would require the client to specify the exact VLAN ID in the URI, which is not the standard approach for creating a new VLAN. Option C (GET) is wrong because GET is a safe, idempotent method used only to retrieve existing resources, not to create or modify them. Option D (PATCH) is wrong because PATCH is used for partial modifications to an existing resource, such as changing the name of an existing VLAN, not for creating a new one. Option E (DELETE) is wrong because DELETE is used to remove an existing resource, such as deleting a VLAN, and has no role in creation.
