Cisco DevNet Associate 200-901 (200-901) — Questions 751825

992 questions total · 14pages · All types, answers revealed

Page 10

Page 11 of 14

Page 12
751
Multi-Selecteasy

Which TWO are benefits of using VLANs in a network? (Choose two.)

Select 2 answers
A.Reducing the size of broadcast domains
B.Simplifying Layer 3 routing
C.Improving network security by isolating traffic
D.Reducing the number of collision domains
E.Guaranteeing faster routing performance
AnswersA, C

VLANs segment the network into smaller broadcast domains.

Why this answer

VLANs segment a Layer 2 network into isolated broadcast domains. By default, all ports on a switch belong to a single broadcast domain; VLANs restrict broadcast frames (e.g., ARP requests) to only those ports within the same VLAN, reducing unnecessary traffic and improving network performance.

Exam trap

Cisco often tests the misconception that VLANs reduce collision domains, but collision domains are a Layer 1 concept eliminated by switches, not by VLANs; the correct benefit is reducing broadcast domains.

752
Multi-Selecthard

A developer is writing a CI/CD pipeline using Jenkins Declarative Pipeline. They want to ensure that sensitive credentials (e.g., API keys) are never exposed in console logs. Which two security practices should be implemented? (Choose two.)

Select 2 answers
A.Store the API key in a Jenkins 'Secret text' credential and use the withCredentials step in the pipeline.
B.Hardcode the API key in the Jenkinsfile and use the sh step to echo it.
C.Pass the API key as a command-line argument to the build script.
D.Print the API key to the console for debugging.
E.Set the API key as an environment variable using the environment directive, referencing a Jenkins credential.
AnswersA, E

withCredentials masks the secret in logs.

Why this answer

Option A is correct because Jenkins' `withCredentials` step securely binds a 'Secret text' credential to a variable, masking the value in console logs and preventing exposure. This is the standard practice for handling sensitive data in Declarative Pipeline, as it integrates with Jenkins' credential store and automatically redacts the secret from output.

Exam trap

Cisco often tests the distinction between using the `environment` directive with `credentials()` (which is secure) versus setting environment variables manually (which is not), and the trap here is that candidates may think any environment variable is safe, but only those sourced from Jenkins credentials are masked.

753
MCQeasy

What is the purpose of the 'Authorization' header in a REST API request?

A.To enable caching of the response
B.To authenticate the client
C.To specify the desired response format
D.To specify the format of the request body
AnswerB

Authorization header carries authentication credentials.

Why this answer

The Authorization header carries credentials (e.g., Bearer token, Basic auth) to authenticate the client. Content-Type specifies body format. Accept specifies response format.

754
MCQmedium

An engineer needs to authenticate to the Cisco DNA Center API to obtain a token. What is the correct authentication method and endpoint?

A.POST /dna/system/api/v1/token with Bearer auth
B.GET /dna/intent/api/v1/auth/token with Basic auth header
C.POST /dna/system/api/v1/auth/token with API key in header
D.POST /dna/system/api/v1/auth/token with Basic auth header
AnswerD

This is the correct authentication endpoint and method.

Why this answer

Cisco DNA Center uses Basic authentication (with username:password) to POST to /dna/system/api/v1/auth/token to obtain a token.

755
Multi-Selecthard

A developer is using a REST API and receives HTTP status codes. Which two codes indicate a client-side error that the developer should fix? (Choose two.)

Select 2 answers
A.401 Unauthorized
B.500 Internal Server Error
C.400 Bad Request
D.200 OK
E.404 Not Found
AnswersA, C

401 indicates missing or invalid authentication.

Why this answer

A 401 Unauthorized status code indicates that the request lacks valid authentication credentials for the target resource. This is a client-side error because the developer must provide correct credentials (e.g., API key, OAuth token) or fix the authentication header in the request. A 400 Bad Request status code means the server cannot process the request due to malformed syntax, invalid request message framing, or deceptive request routing — all issues the developer must correct on the client side.

Exam trap

Cisco often tests the distinction between client-side (4xx) and server-side (5xx) errors, and the trap here is that 404 Not Found is also a client-side error, but the question asks for two specific codes (401 and 400) that directly indicate the developer must fix the request, not just that the resource is missing.

756
MCQmedium

A developer is deploying a Python web application on Cisco UCS servers using a CI/CD pipeline that runs on Jenkins. The application uses a PostgreSQL database. The security team mandates that all database credentials must be rotated every 30 days. Currently, credentials are stored as plaintext in a configuration file in the application repository. Which approach should the developer take to meet the rotation requirement without storing secrets in the repository?

A.Integrate with HashiCorp Vault to dynamically generate credentials for each deployment
B.Set the credentials as environment variables in the Jenkins pipeline and generate a new set every month manually
C.Store the credentials in Jenkins credentials store and reference them in the pipeline
D.Store the credentials in a Kubernetes ConfigMap and update it every 30 days
AnswerA

Vault can generate short-lived credentials and rotate them automatically, meeting the rotation requirement.

Why this answer

Integrating with HashiCorp Vault allows the CI/CD pipeline to dynamically generate short-lived database credentials for each deployment, eliminating the need to store secrets in the repository. Vault can be configured to automatically rotate credentials every 30 days (or less) and inject them into the application at runtime via sidecar containers or API calls, meeting the security mandate without manual intervention.

Exam trap

Cisco often tests the distinction between static secret storage (e.g., Jenkins credentials store or ConfigMaps) and dynamic secret generation (e.g., Vault), where the key requirement is automatic rotation without manual intervention.

How to eliminate wrong answers

Option B is wrong because manually generating and setting environment variables every 30 days is not automated, error-prone, and still exposes credentials in the Jenkins pipeline configuration, which may be stored in the Jenkins home directory or logs. Option C is wrong because storing credentials in the Jenkins credentials store avoids plaintext in the repo but does not provide automatic rotation; the credentials would still need to be manually updated every 30 days, and they remain static within the pipeline. Option D is wrong because storing credentials in a Kubernetes ConfigMap is insecure (ConfigMaps are not designed for secrets) and does not support automatic rotation; updating it every 30 days would require manual intervention or additional scripting, and the credentials would still be stored in plaintext within the cluster.

757
MCQmedium

A developer wants to perform a rolling update of a Kubernetes Deployment. Which command will update the image and initiate the rollout?

A.kubectl update deployment myapp --image=myapp:v2
B.kubectl set image deployment/myapp myapp=myapp:v2
C.kubectl edit deployment myapp --image=myapp:v2
D.kubectl apply -f deployment.yaml --image=myapp:v2
AnswerB

This updates the image for the container named 'myapp' in the deployment.

Why this answer

kubectl set image deployment updates the container image and triggers a rolling update if the deployment strategy is RollingUpdate (default).

758
MCQmedium

A developer uses RESTCONF to configure a network device. What is the correct content-type header to send in the request?

A.application/json
B.application/xml
C.application/yang-data+json
D.text/plain
AnswerC

This is the standard media type for RESTCONF with JSON.

Why this answer

RESTCONF uses application/yang-data+json for JSON encoding of YANG data.

759
MCQhard

A network engineer configures an HTTP/2 server. Which feature of HTTP/2 reduces overhead by compressing headers using HPACK?

A.Server push
B.Binary framing layer
C.HPACK
D.Multiplexed streams
AnswerC

HPACK is specifically designed for HTTP/2 header compression.

Why this answer

HPACK is the header compression mechanism specified for HTTP/2 (RFC 7541). It reduces overhead by encoding HTTP headers into a compact binary format using static and dynamic tables, eliminating redundant header data across requests. This directly addresses the question's focus on reducing overhead through header compression.

Exam trap

Cisco often tests the distinction between features that improve performance (multiplexing, server push) versus the specific mechanism for header compression (HPACK), leading candidates to confuse multiplexing or binary framing with compression.

How to eliminate wrong answers

Option A is wrong because server push is a feature that allows the server to send resources proactively before the client requests them, but it does not involve header compression. Option B is wrong because the binary framing layer is the foundation of HTTP/2 that encodes frames into binary format for efficient parsing, but it is not responsible for header compression; HPACK operates within this layer. Option D is wrong because multiplexed streams enable multiple concurrent requests and responses over a single TCP connection, reducing head-of-line blocking, but they do not compress headers.

760
MCQhard

A developer is building a real-time video streaming application that must minimize delay, even if some packets are lost. Which transport protocol is most appropriate, and why?

A.TCP, because it provides flow control to avoid congestion.
B.UDP, because it guarantees packet delivery.
C.TCP, because it ensures all packets arrive in order.
D.UDP, because it has lower overhead and no retransmission delay.
AnswerD

UDP minimizes delay, which is crucial for real-time streaming.

Why this answer

UDP is suitable for real-time streaming because it is connectionless and does not retransmit lost packets, reducing latency. TCP's retransmission and ordering would cause delays.

761
MCQmedium

An application uses OAuth 2.0 client credentials grant to authenticate with a Cisco API. Which of the following best describes this flow?

A.The application uses a username and password in the request body.
B.The application sends its client ID and secret to obtain a token directly.
C.The user provides their credentials via a consent screen.
D.A device code is displayed for the user to enter on a separate device.
AnswerB

Client credentials grant uses the application's own credentials.

Why this answer

Client credentials grant is used for server-to-server authentication without user involvement.

762
MCQmedium

A developer is using the Meraki Dashboard API to retrieve a list of clients for a given network. The initial GET request returns a 429 HTTP status. What should the developer do to handle this response appropriately?

A.Convert the request to a POST method to bypass the rate limit
B.Check the Retry-After header and wait that many seconds before retrying
C.Ignore the 429 and send the request again with a different API key
D.Send a DELETE request to clear the rate limit counter
AnswerB

Correct. The Retry-After header tells the client how long to wait.

Why this answer

The Meraki API rate limits at 5 requests per second. A 429 response includes a Retry-After header indicating the number of seconds to wait before retrying.

763
MCQmedium

A team uses Ansible Tower for network automation. They need to restrict a user to only view job results without making any changes. Which Tower role should be assigned?

A.Execute
B.Read
C.Auditor
D.Admin
AnswerB

The Read role provides view-only permissions for jobs, inventories, and other resources.

Why this answer

The Read role in Ansible Tower grants read-only access to all resources, including job results, without allowing any modifications. This is the correct choice because the requirement is to restrict the user to viewing job results only, and Read provides exactly that level of access without any write or execute permissions.

Exam trap

Cisco often tests the distinction between Read and Auditor roles, where candidates may mistakenly choose Auditor thinking it is more restrictive, but Auditor actually provides broader read access to all objects including credentials, while Read is the correct role for limiting to job results only.

How to eliminate wrong answers

Option A is wrong because the Execute role allows a user to run jobs and launch playbooks, which would enable changes to the network, not just view results. Option C is wrong because the Auditor role provides read-only access to all objects, including sensitive data like credentials and inventory, but it is designed for auditing purposes and is more permissive than necessary for simply viewing job results; however, the Read role is more appropriate for restricting to job results only. Option D is wrong because the Admin role grants full administrative privileges, including the ability to modify configurations, manage users, and execute jobs, which would allow changes and violate the restriction.

764
MCQmedium

A DevOps engineer runs a container using 'docker run -d -p 8080:80 nginx'. The host firewall blocks incoming traffic on port 8080 from external networks but allows from the local host. Which command would allow the engineer to test the container's web server from the same machine?

A.curl 10.0.0.1:8080
B.docker exec -it <container> bash
C.docker logs <container>
D.curl localhost:8080
AnswerD

Correct. Localhost traffic is allowed, so this will work.

Why this answer

Since the host firewall allows local traffic, using curl localhost:8080 will reach the container via the mapped port.

765
MCQmedium

In the context of SDN, which API is used between the SDN controller and the network devices to configure forwarding behavior?

A.Northbound API
B.Eastbound API
C.Southbound API
D.REST API
AnswerC

Correct. Southbound APIs communicate with network devices.

Why this answer

Southbound APIs like OpenFlow, NETCONF, or gRPC communicate from controller to devices.

766
Matchingmedium

Match each Cisco platform to its primary use case.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Intent-based networking management

Cloud-managed network administration

Collaboration and messaging integration

Unified infrastructure management

Application performance monitoring

Why these pairings

These are key Cisco platforms relevant to the exam.

767
MCQmedium

A developer is using the Meraki Dashboard API to retrieve a list of devices in an organization. The API response is paginated. Which HTTP header does Meraki use to indicate the next page of results?

A.Link
B.X-Cisco-Meraki-API-Key
C.Retry-After
D.X-Next-Page
AnswerA

Correct. Meraki uses the Link header with rel="next" to indicate the next page URL.

Why this answer

Meraki uses the Link header with rel="next" for pagination, or alternatively the startingAfter/endingBefore parameters.

768
MCQmedium

A company has a DHCP server that assigns IP addresses from a scope of 192.168.10.0/24. A new device receives IP 192.168.10.100/24 but cannot access the internet. The default gateway is 192.168.10.1. What is the most likely issue?

A.DNS server is unreachable.
B.The DHCP scope is exhausted.
C.The device has a duplicate IP address.
D.The default gateway is not reachable from the device.
E.The device's subnet mask is incorrect.
AnswerD

This is the most direct cause: if the gateway is down or not on the same VLAN, traffic cannot exit.

Why this answer

The device received a valid IP address (192.168.10.100/24) and subnet mask from the DHCP server, but it cannot access the internet. Since the default gateway is 192.168.10.1, the most likely cause is that the device cannot reach the gateway, which is required to route traffic outside the local subnet. Without connectivity to the default gateway, the device cannot forward packets to external networks, even though its IP configuration is otherwise correct.

Exam trap

Cisco often tests the concept that a valid IP address and subnet mask do not guarantee internet access; the default gateway must be reachable, and candidates may mistakenly blame DNS or DHCP exhaustion when the real issue is Layer 3 connectivity to the gateway.

How to eliminate wrong answers

Option A is wrong because the question does not mention any DNS-related symptoms (e.g., name resolution failures), and a DNS server being unreachable would prevent domain name resolution but not necessarily all internet access (IP-based access could still work). Option B is wrong because the device successfully received IP 192.168.10.100, which is within the /24 scope, indicating the DHCP scope is not exhausted. Option C is wrong because a duplicate IP address would typically cause an address conflict error or connectivity issues for both devices, but the question does not describe such symptoms, and the device received a valid lease.

Option E is wrong because the device was assigned a /24 subnet mask (255.255.255.0) via DHCP, which is correct for the 192.168.10.0/24 network, so the mask is not the issue.

769
MCQhard

An engineer sees that a DNS query for 'www.example.com' returns a CNAME record. What does this mean?

A.The domain has multiple IP addresses
B.The domain uses IPv6
C.The IP address is directly provided
D.The domain is an alias for another domain
AnswerD

The CNAME points to the canonical name.

Why this answer

A CNAME (Canonical Name) record maps an alias domain name to another canonical domain name. When a DNS query for 'www.example.com' returns a CNAME record, it means 'www.example.com' is an alias for another domain (e.g., 'example.com'), and the resolver must perform a second query to obtain the actual A or AAAA record. This is defined in RFC 1035 and is used to simplify domain management.

Exam trap

Cisco often tests the misconception that a CNAME record directly provides an IP address, when in fact it only provides an alias that requires further resolution.

How to eliminate wrong answers

Option A is wrong because multiple IP addresses for a domain are indicated by multiple A or AAAA records, not by a CNAME record. Option B is wrong because IPv6 support is indicated by AAAA records, not CNAME records. Option C is wrong because a CNAME record does not directly provide an IP address; it redirects the query to another domain name, which then must be resolved to an IP address via an A or AAAA record.

770
MCQeasy

Which YANG model type is defined by industry standards and supported by multiple vendors, offering interoperability?

A.MIB-based models
B.IETF YANG models
C.Cisco native YANG models
D.OpenConfig YANG models
AnswerD

Correct. OpenConfig models are designed for multi-vendor interoperability.

Why this answer

OpenConfig models are vendor-neutral, community-driven YANG models that promote interoperability across different network devices.

771
Multi-Selectmedium

An engineer is using the Cisco Meraki Dashboard API to retrieve a list of all network clients for a specific network. Which TWO of the following are required to successfully make this API call?

Select 2 answers
A.Network ID in the URL path
B.Bearer token in the Authorization header
C.Organization ID in the URL path
D.API key as a query parameter
E.X-Cisco-Meraki-API-Key header with the API key
AnswersA, E

The network ID is required in the URL to identify the network.

Why this answer

Option A is correct because the Meraki Dashboard API endpoint for listing network clients (GET /networks/{networkId}/clients) requires the network ID as a path parameter to identify the specific network from which to retrieve client data. Without the network ID in the URL, the API cannot determine which network's clients to return, making it a mandatory component of the request.

Exam trap

Cisco often tests the distinction between authentication methods (API key header vs. Bearer token) and the correct placement of identifiers (network ID vs. organization ID) to see if candidates understand the specific Meraki API authentication and resource hierarchy.

772
MCQhard

A developer is designing a data model for network device configurations using YANG. They need to represent a list of interfaces where each interface has a name (string) and speed (enumeration). Which YANG statement correctly defines this structure?

A.leaf interface-list { type string; }
B.leaf-list interface { type string; }
C.list interface { key name; leaf name { type string; } leaf speed { type enumeration; } }
D.list interface { leaf name { type string; } leaf speed { type enumeration; } }
AnswerC

This defines a list with a key, and two leaves for name and speed.

Why this answer

Option C is correct because YANG requires a `list` statement to define a collection of entries with multiple leafs, and a `key` statement to uniquely identify each list entry. The `list interface` with `key name` allows multiple interfaces, each having both a `name` (string) and `speed` (enumeration), matching the requirement exactly.

Exam trap

Cisco often tests the requirement of the `key` statement in a YANG `list`; candidates may forget that a list without a key is syntactically invalid, leading them to choose option D.

How to eliminate wrong answers

Option A is wrong because `leaf` defines a single scalar value, not a list of interfaces with multiple properties. Option B is wrong because `leaf-list` defines an ordered list of simple values (e.g., strings), not entries with multiple leafs like name and speed. Option D is wrong because it omits the mandatory `key` statement, which is required by YANG for any `list` to uniquely identify each entry; without a key, the list is invalid.

773
MCQhard

An organization uses Cisco ISE for network access control. A user reports inability to access the network. The switch port shows the authenticator state as 'connecting'. What does this indicate?

A.The client is in the process of 802.1X authentication
B.The client has successfully authenticated
C.The port is in a held state due to multiple failures
D.Authentication has failed
AnswerA

'Connecting' means authentication is ongoing.

Why this answer

In Cisco ISE and 802.1X, the authenticator state 'connecting' indicates that the switch (authenticator) has detected a new client on the port and has initiated the 802.1X authentication process. This state means the port is actively sending EAP-Request/Identity frames and waiting for the client to respond, so the client is in the process of authentication, not yet authenticated or failed.

Exam trap

Cisco often tests the distinction between the 'connecting' state (meaning the process is ongoing) and the 'authenticated' or 'failed' states, so candidates mistakenly think 'connecting' implies a problem or failure rather than normal progress.

How to eliminate wrong answers

Option B is wrong because 'connecting' is a transitional state; successful authentication would show the port in the 'authenticated' state, not 'connecting'. Option C is wrong because a held state due to multiple failures is represented by the 'held' or 'auth_fail' state, not 'connecting'. Option D is wrong because authentication failure results in the port moving to a 'failed' or 'unauthorized' state, not remaining in 'connecting'.

774
MCQmedium

A developer is writing a Postman test to verify that a Meraki API response returns HTTP status 200 and contains a list of networks. Which code snippet correctly implements this test?

A.pm.response.to.have.status(200);
B.pm.test("Status 200", function() { pm.response.to.have.status(200); });
C.pm.test("Check networks", function() { pm.expect(pm.response.json()).to.have.property('networks'); pm.response.to.have.status(200); });
D.pm.test("Success", function() { pm.expect(pm.response.code).to.equal(200); });
AnswerC

Correctly checks both status and body.

Why this answer

pm.test with pm.response.to.have.status and pm.expect checks the status and response body.

775
MCQeasy

A network engineer needs to automate the configuration of VLANs across 50 switches. Which approach best follows Cisco’s recommended practices for programmability?

A.Write an Ansible playbook using the ios_vlan module to configure VLANs on all switches.
B.Use a REST API on each switch to push the VLAN configuration individually.
C.Use a Python script that manually SSHes into each switch and applies CLI commands.
D.Configure all VLANs via SNMP MIBs.
AnswerA

Ansible with idempotent modules is a best practice for network automation.

Why this answer

Option A is correct because Ansible's ios_vlan module is purpose-built for automating VLAN configuration on Cisco IOS devices, aligning with Cisco's recommended practices for programmability by using a declarative, agentless automation tool that abstracts the underlying CLI and ensures idempotent configuration across multiple switches.

Exam trap

Cisco often tests the misconception that REST APIs are universally available on all network devices, but in reality, many legacy switches lack REST API support, making Ansible (which uses SSH/CLI abstraction) the more practical and recommended choice for multi-vendor or mixed-platform environments.

How to eliminate wrong answers

Option B is wrong because most Cisco switches do not expose a native REST API for VLAN configuration; REST APIs are typically available on newer platforms like IOS-XE via NETCONF/RESTCONF, but using them individually on each switch is inefficient and not a scalable approach for 50 switches. Option C is wrong because manually SSHing into each switch with a Python script is a legacy, non-programmable approach that lacks idempotency, error handling, and scalability, and does not follow Cisco's recommended practices for network automation. Option D is wrong because SNMP MIBs for VLAN configuration (like BRIDGE-MIB or Q-BRIDGE-MIB) are outdated, cumbersome, and not recommended for modern automation; they require complex OID manipulation and lack the declarative, idempotent capabilities of tools like Ansible.

776
MCQmedium

In DNA Center, which API endpoint is used to retrieve a list of current network issues?

A.GET /dna/intent/api/v1/topology
B.POST /dna/system/api/v1/auth/token
C.GET /dna/intent/api/v1/issues
D.GET /dna/intent/api/v1/network-device
AnswerC

Correct. This endpoint returns a list of network issues.

Why this answer

DNA Center's issues API is at /dna/intent/api/v1/issues.

777
MCQhard

A Python script uses the requests library to authenticate to Cisco DNA Center. The script receives a 401 Unauthorized error even though the credentials are correct. Which of the following is a likely cause?

A.The request is using HTTP instead of HTTPS
B.The Content-Type header is not set to application/json
C.The API endpoint is incorrect
D.The token has expired
AnswerD

Cisco DNA Center uses token-based authentication; an expired token returns 401.

Why this answer

In Cisco DNA Center, API authentication uses a token-based mechanism. The script first obtains a token via POST to /dna/system/api/v1/auth/token, then uses that token in subsequent requests. A 401 error with correct credentials typically means the token has expired (default lifetime is 1 hour) or was not included in the Authorization header.

Option D is correct because the token, not the credentials, is being validated for each API call.

Exam trap

Cisco often tests the distinction between credential-based authentication (which returns 401 if credentials are wrong) and token-based authentication (which returns 401 if the token is expired or missing), leading candidates to incorrectly focus on the credentials themselves rather than the token lifecycle.

How to eliminate wrong answers

Option A is wrong because using HTTP instead of HTTPS would cause a connection error or redirect, not a 401 Unauthorized; Cisco DNA Center enforces HTTPS and would reject plain HTTP at the transport layer. Option B is wrong because the Content-Type header is only required for POST/PUT requests with a body, not for token-based authentication where the token is sent in the Authorization header; a missing Content-Type would cause a 400 Bad Request, not 401. Option C is wrong because an incorrect API endpoint would result in a 404 Not Found or 405 Method Not Allowed, not a 401 Unauthorized; the 401 specifically indicates authentication failure, not routing.

778
MCQmedium

Refer to the exhibit. Which Cisco DNA Center Intent API request produced this response?

A.GET /dna/intent/api/v1/network-device/{id}
B.GET /dna/intent/api/v1/network-device
C.POST /dna/intent/api/v1/network-device
D.PUT /dna/intent/api/v1/network-device/{id}
AnswerA

This would return a single object, not an array.

Why this answer

The response shows detailed information for a single network device, including its management IP address, platform ID, and serial number. The GET /dna/intent/api/v1/network-device/{id} request retrieves details for a specific device identified by its unique ID, which matches the granular, single-device data in the exhibit. This is the correct Intent API endpoint for fetching a device by ID.

Exam trap

Cisco often tests the distinction between a collection endpoint (GET without ID) and a specific resource endpoint (GET with ID), where candidates mistakenly choose the list endpoint when the response clearly shows a single device's details.

How to eliminate wrong answers

Option B is wrong because GET /dna/intent/api/v1/network-device (without an ID) returns a list of all network devices, not the detailed single-device response shown. Option C is wrong because POST /dna/intent/api/v1/network-device is used to add or provision a new device, not to retrieve existing device details. Option D is wrong because PUT /dna/intent/api/v1/network-device/{id} is used to update or modify an existing device's configuration, not to fetch its information.

779
MCQeasy

A network engineer needs to automate the configuration of VLANs on a set of Cisco switches using Ansible. Which API should be targeted to ensure idempotent configuration updates?

A.NETCONF/YANG
B.REST API of Cisco DNA Center
C.SNMP
D.CLI with SSH
AnswerA

NETCONF/YANG supports idempotent operations through data model validation and transaction support.

Why this answer

NETCONF/YANG is the correct choice because NETCONF provides a transactional, lock-based mechanism that ensures idempotent configuration updates—applying the desired state exactly once without side effects from repeated runs. YANG models define the VLAN configuration structure, allowing Ansible to compare the current device state against the desired state and only push changes when necessary, which is the essence of idempotency.

Exam trap

Cisco often tests the misconception that CLI with SSH is sufficient for automation, but the trap here is that CLI commands are not idempotent by default—candidates overlook the need for a structured, transactional protocol like NETCONF to guarantee repeatable, safe configuration updates.

How to eliminate wrong answers

Option B is wrong because the REST API of Cisco DNA Center is a controller-based intent API that abstracts device-level configuration; it is not designed for direct, idempotent per-device VLAN updates and introduces dependency on the DNA Center controller. Option C is wrong because SNMP is a polling-based monitoring protocol that lacks transactional semantics and write operations for VLAN configuration are not idempotent—repeated SETs can cause duplicate entries or errors. Option D is wrong because CLI with SSH is imperative and stateful; running the same VLAN configuration commands multiple times can result in duplicate VLANs or errors, and there is no built-in mechanism to compare current vs. desired state without custom scripting.

780
MCQhard

A Cisco Catalyst Center API uses OAuth 2.0 with the client credentials grant for server-to-server communication. Which token endpoint parameter should the client include to identify itself?

A.scope=admin
B.grant_type=client_credentials
C.response_type=token
D.grant_type=authorization_code
AnswerB

Client credentials grant uses this grant type.

Why this answer

In client credentials, the client sends client_id and client_secret (often as Basic auth or form parameters) to authenticate.

781
MCQmedium

In Postman, you want to run a collection of API requests automatically and test responses. Which feature should you use?

A.Postman Workspaces
B.Postman Monitors
C.Postman Interceptor
D.Collection Runner
AnswerD

This runs collections with tests.

Why this answer

The Collection Runner runs all requests in a collection sequentially and allows tests to be evaluated.

782
MCQeasy

A developer is using Cisco DNA Center API to add a new device to the inventory. Which HTTP method should be used for this operation?

A.PATCH
B.GET
C.DELETE
D.POST
AnswerD

POST is the standard HTTP method to create a new resource in REST APIs.

Why this answer

The POST HTTP method is used to create a new resource on the server. When adding a new device to the Cisco DNA Center inventory, you are creating a new device entry, which aligns with the POST method as defined by RESTful API conventions. Cisco DNA Center's device onboarding API endpoint (e.g., /dna/intent/api/v1/network-device) specifically requires a POST request to add a device.

Exam trap

Cisco often tests the distinction between POST and PUT, where candidates mistakenly choose PUT for creation, but PUT is typically used for full replacement of an existing resource, while POST is the correct method for creating a new resource in Cisco DNA Center's API design.

How to eliminate wrong answers

Option A is wrong because PATCH is used for partial updates to an existing resource, not for creating a new device. Option B is wrong because GET is used to retrieve existing data, not to create new resources. Option C is wrong because DELETE is used to remove an existing resource, not to add one.

783
MCQhard

A developer is writing a Python script that uses the Cisco Meraki API to retrieve a list of networks for an organization. The API returns a JSON array. The developer wants to filter networks where the 'tags' field contains 'production'. Which code snippet correctly filters the results?

A.filtered = [net for net in networks if 'production' in net['tags']]
B.filtered = [net for net in networks if 'production' in str(net['tags'])]
C.filtered = [net for net in networks if 'production' in net['tags'].split(',')]
D.filtered = [net for net in networks if any('production' in t for t in net['tags'])]
AnswerA

Correct: 'tags' is a list, and 'in' works for list membership.

Why this answer

Option A is correct because the Meraki API returns the 'tags' field as a list of strings (e.g., ['production', 'critical']). The Python `in` operator directly checks membership in a list, so `'production' in net['tags']` efficiently filters networks where the exact string 'production' appears as an element in the list.

Exam trap

Cisco often tests the distinction between list membership (`in` on a list) and substring matching (`in` on a string), leading candidates to overcomplicate the filter with `split()` or `any()` when the API already returns a list.

How to eliminate wrong answers

Option B is wrong because converting the list to a string with `str()` produces a string like "['production', 'critical']", and then checking `'production' in` that string would match substrings (e.g., 'production' would also match 'production-backup'), leading to false positives. Option C is wrong because `net['tags'].split(',')` assumes 'tags' is a comma-separated string, but the Meraki API returns a list, not a string; calling `.split()` on a list raises an AttributeError. Option D is wrong because `any('production' in t for t in net['tags'])` checks if the substring 'production' exists within any tag string (e.g., 'production-backup' would match), which is overly broad and not an exact match; the simple `in` on the list already performs exact membership.

784
MCQmedium

A network administrator is configuring a new subnet for a branch office that requires 50 usable host addresses. The corporate network uses the 192.168.10.0/24 block. Which subnet mask should be used to meet the requirement with minimal waste?

A.255.255.255.128 (/25)
B.255.255.255.0 (/24)
C.255.255.255.192 (/26)
D.255.255.255.224 (/27)
AnswerC

/26 provides 62 usable hosts, sufficient for 50 hosts with minimal waste.

Why this answer

Option C is correct because a /26 subnet mask (255.255.255.192) provides 2^(32-26) = 64 total addresses, of which 62 are usable (subtracting network and broadcast addresses). This meets the requirement of 50 usable hosts with minimal waste, as the next smaller mask (/27) only offers 30 usable addresses, which is insufficient.

Exam trap

The trap here is that candidates often forget to subtract the two reserved addresses (network and broadcast) from the total host count, leading them to incorrectly select a /27 mask (which has 32 total addresses but only 30 usable) thinking it is sufficient for 50 hosts.

How to eliminate wrong answers

Option A is wrong because a /25 mask (255.255.255.128) provides 126 usable addresses, which far exceeds the requirement of 50 and wastes 76 addresses, contradicting the 'minimal waste' condition. Option B is wrong because a /24 mask (255.255.255.0) provides 254 usable addresses, which is the original subnet size and wastes 204 addresses, failing the minimal waste requirement. Option D is wrong because a /27 mask (255.255.255.224) provides only 30 usable addresses (2^5 - 2 = 30), which is insufficient for the required 50 hosts.

785
MCQeasy

In Cisco DNA Center's intent API, which endpoint would you use to retrieve the list of all network devices?

A.GET /dna/intent/api/v1/topology
B.GET /dna/intent/api/v1/network-device
C.GET /dna/intent/api/v1/site
D.GET /dna/intent/api/v1/issues
AnswerB

Returns a list of network devices.

Why this answer

The correct endpoint is GET /dna/intent/api/v1/network-device. Other options are incorrect or refer to other areas like topology or site hierarchy.

786
MCQhard

A DevOps team manages a multi-site Cisco Meraki network with 50 MX appliances and 200 MR access points. They use a Python script that calls the Meraki API to collect device utilization data every hour and stores it in a CSV file. Recently, the script started failing intermittently with HTTP 429 status codes. The team suspects rate limiting but notices that the failures occur even when only one script instance runs. The script uses a single API key and makes requests to the /devices/{serial}/uplink endpoint for each MX and the /devices/{serial}/wireless/status endpoint for each MR. The script is scheduled via cron and runs sequentially. The team wants to resolve the rate limiting while minimizing changes to the script. Which course of action should the team take?

A.Introduce a delay between API calls to stay within the rate limit.
B.Distribute the API requests across multiple API keys.
C.Switch to a webhook-based approach to receive data instead of polling.
D.Use the bulk API request feature to collect data in fewer calls.
AnswerA

Adding a small delay reduces request rate and avoids 429 errors.

Why this answer

The intermittent HTTP 429 errors indicate the script is exceeding the Meraki API rate limit, which applies per API key. Since the script runs sequentially with a single key, introducing a delay between API calls (e.g., using time.sleep()) is the simplest fix that stays within the rate limit without requiring architectural changes. This directly addresses the root cause while minimizing modifications to the existing script.

Exam trap

Cisco often tests the misconception that rate limiting can be solved by distributing requests across multiple keys, but the trap here is that the rate limit applies per key and the script's sequential nature means a single key is sufficient if delays are added.

How to eliminate wrong answers

Option B is wrong because distributing requests across multiple API keys does not change the per-key rate limit; the script still makes the same number of calls in the same time window, so 429 errors would persist. Option C is wrong because switching to webhooks requires significant infrastructure changes (e.g., setting up a listener, handling payloads) and does not address the immediate rate-limiting issue with the existing polling script. Option D is wrong because the Meraki API does not support a 'bulk' endpoint for the specific /devices/{serial}/uplink and /devices/{serial}/wireless/status endpoints; these are per-device calls, so batching is not possible.

787
MCQmedium

A network engineer is developing a Python script to automate the collection of interface statistics from multiple Cisco Catalyst switches using NETCONF. The engineer uses the 'ncclient' library to connect to each switch. The script works for most switches, but for one switch, the connection consistently fails with an authentication error. The engineer has verified that the username and password are correct and that the switch has NETCONF enabled. The engineer suspects the issue might be related to SSH host key checking. The engineer wants to modify the script to bypass host key checking for this specific switch. Which approach should the engineer use?

A.Set the 'hostkey_verify' parameter to False in the connect method
B.Disable SSH key-based authentication by setting 'look_for_keys=False'
C.Use the 'allow_agent' parameter set to False
D.Set the 'known_hosts' parameter to an empty file in the connect method
AnswerA

Correct: This disables host key verification.

Why this answer

Option A is correct because the 'ncclient' library's connect method accepts a 'hostkey_verify' parameter. Setting it to False disables SSH host key checking, which bypasses the verification of the switch's host key against the known_hosts file. This resolves authentication errors caused by host key mismatches, such as when the switch's host key has changed or is not present in the known_hosts file.

Exam trap

Cisco often tests the distinction between SSH host key verification and SSH key-based authentication, leading candidates to confuse parameters like 'look_for_keys' (which controls key-based login) with 'hostkey_verify' (which controls host key trust).

How to eliminate wrong answers

Option B is wrong because 'look_for_keys=False' disables SSH key-based authentication (public/private key pairs), but the engineer is using username/password authentication, and the error is about host key verification, not key-based authentication. Option C is wrong because 'allow_agent=False' prevents the use of an SSH agent for key-based authentication, which is unrelated to host key checking. Option D is wrong because the 'known_hosts' parameter is not a valid parameter in the ncclient connect method; the correct way to bypass host key checking is via 'hostkey_verify=False', not by pointing to an empty file.

788
MCQmedium

Which Cisco platform provides an API to retrieve a list of issues affecting the network?

A.Cisco IOS XE
B.Cisco Meraki
C.Cisco Webex
D.Cisco DNA Center
AnswerD

Correct. DNA Center provides GET /dna/intent/api/v1/issues.

Why this answer

Cisco DNA Center includes issues API under the 'run your network' category.

789
Multi-Selecthard

Which THREE are valid Kubernetes Service types? (Select three.)

Select 3 answers
A.NodePort
B.Deployment
C.ClusterIP
D.LoadBalancer
E.Ingress
AnswersA, C, D

Exposes service on each Node's IP at a static port.

Why this answer

A is correct because NodePort is a standard Kubernetes Service type that exposes a service on a static port (30000-32767) on each node's IP address, allowing external traffic to reach the service by targeting <NodeIP>:<NodePort>. It builds on top of ClusterIP and is commonly used for development or direct access scenarios.

Exam trap

Cisco often tests the distinction between Kubernetes resource types (e.g., Deployment, Ingress) and actual Service types, so candidates mistakenly select Ingress or Deployment because they associate them with external access, but only NodePort, ClusterIP, and LoadBalancer are valid Service types.

790
MCQmedium

Refer to the exhibit. An application is deployed on a server at 192.168.1.10, listening on TCP port 8080. The ACL is applied inbound on the server's network interface. Which clients will be able to access the application?

A.Clients from any network, because the permit statement overrides the deny
B.Only clients from the 192.168.1.0/24 network
C.No clients, because the deny statement blocks all TCP traffic to port 8080
D.Only clients sending UDP traffic to port 53
AnswerC

The first rule denies all TCP traffic to port 8080, making the subsequent permit ineffective for TCP.

Why this answer

Option C is correct because the ACL is applied inbound on the server's network interface, meaning it filters traffic before it reaches the server. The second ACE explicitly denies all TCP traffic to port 8080, which is the port the application listens on. Since ACLs are processed sequentially and the deny statement matches the application's traffic, no TCP clients can access the application, regardless of their source IP.

Exam trap

The trap here is that candidates often assume a permit statement for a source network automatically allows all traffic from that network, ignoring that a later deny statement for a specific port can block that traffic due to the sequential processing of ACLs.

How to eliminate wrong answers

Option A is wrong because ACLs are processed top-down; the permit statement only permits traffic from 192.168.1.0/24, but the subsequent deny statement blocks all TCP traffic to port 8080, overriding the permit for that specific port. Option B is wrong because even though clients from 192.168.1.0/24 are permitted by the first ACE, the second ACE explicitly denies all TCP traffic to port 8080, which includes traffic from that subnet. Option D is wrong because the ACL only filters TCP traffic to port 8080; UDP traffic to port 53 is not relevant to accessing the application on TCP port 8080, and the ACL does not permit or deny it for that purpose.

791
MCQmedium

A developer runs 'docker run -d -p 8080:80 --name web nginx:alpine'. The container fails to start. Which command is the most appropriate to investigate the issue?

A.docker inspect web
B.docker exec -it web bash
C.docker logs -f web
AnswerC

docker logs -f web streams the logs, revealing any errors during startup.

Why this answer

Option C is correct because `docker logs -f web` streams the container's stdout and stderr output, which typically contains the error message explaining why the container failed to start (e.g., port conflict, missing configuration, or process crash). Since the container is not running, `docker logs` is the primary diagnostic tool to retrieve its exit logs without requiring the container to be active.

Exam trap

Cisco often tests the distinction between `docker inspect` (metadata) and `docker logs` (runtime output), and the trap here is that candidates assume `docker inspect` shows error messages, but it only shows configuration and state, not application logs.

How to eliminate wrong answers

Option A is wrong because `docker inspect web` returns low-level JSON metadata about the container (e.g., mount points, network settings, state), but it does not show the application's runtime logs or the specific error that caused the failure to start. Option B is wrong because `docker exec -it web bash` attempts to run a command inside a running container, but the container has failed and is not running, so this command will fail with an error like 'Container is not running' and cannot provide diagnostic information.

792
MCQmedium

Which Git command is used to create a new branch and switch to it in one step?

A.git branch <branch>
B.git branch -d <branch>
C.git checkout <branch>
D.git checkout -b <branch>
AnswerD

This creates and switches to the new branch in one command.

Why this answer

The 'git checkout -b <branch>' command creates a new branch and switches to it immediately.

793
MCQhard

Refer to the exhibit. A security audit reveals that the authentication mechanism is vulnerable. Which attack is most likely possible?

A.Cross-site scripting (XSS) via the token.
B.Token forgery if the secret key is weak.
C.Man-in-the-middle attack due to missing HTTPS.
D.SQL injection through the login endpoint.
AnswerB

The weak secret 'my-secret' can be easily guessed, allowing attacker to forge valid tokens.

Why this answer

The exhibit shows a JSON Web Token (JWT) being used for authentication. If the secret key used to sign the JWT is weak or easily guessable, an attacker can forge a valid token by brute-forcing the secret and then crafting a token with arbitrary claims (e.g., elevated privileges). This is a classic token forgery attack, not a cross-site scripting or injection attack, because the vulnerability lies in the signing mechanism, not in input handling or transport security.

Exam trap

Cisco often tests the distinction between attacks that target the authentication mechanism itself (like token forgery) versus attacks that exploit input handling (XSS, SQLi) or transport security (MITM), leading candidates to pick a wrong option because they focus on a general security flaw (e.g., missing HTTPS) rather than the specific vulnerability implied by the token's weak secret.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) exploits the injection of malicious scripts into web pages, not the forging of authentication tokens; the token itself is not rendered as HTML or executed in a browser context. Option C is wrong because while missing HTTPS is a security concern, the question specifically asks about an attack made possible by the authentication mechanism's vulnerability, and a man-in-the-middle attack would exploit the lack of encryption, not the token's signing secret. Option D is wrong because SQL injection targets database queries through unsanitized input, whereas the token-based authentication shown does not involve direct SQL queries at the login endpoint; the vulnerability is in the token's cryptographic integrity, not in query construction.

794
Multi-Selecthard

Which TWO of the following are valid security considerations when deploying an application to a Kubernetes cluster managed by Cisco Intersight? (Choose two.)

Select 2 answers
A.Store secrets in ConfigMaps for easy retrieval.
B.Define Network Policies to isolate pods and control traffic flow.
C.Disable RBAC to simplify management and reduce overhead.
D.Use default service accounts for all pods to avoid misconfiguration.
E.Implement Pod Security Policies to restrict privileged containers.
AnswersB, E

Network policies enforce micro-segmentation and limit lateral movement.

Why this answer

Option B is correct because Network Policies in Kubernetes act as a firewall at the pod level, using label selectors and namespace selectors to control ingress and egress traffic. In a Cisco Intersight-managed cluster, defining these policies is a critical security consideration to enforce micro-segmentation and prevent lateral movement of threats. Option E is correct because Pod Security Policies (PSPs) are a cluster-level resource that control security-sensitive aspects of pod specification, such as preventing privileged containers, which is a key security best practice in Kubernetes.

Exam trap

Cisco often tests the misconception that ConfigMaps are suitable for secrets (they are not) and that disabling RBAC simplifies management (it actually creates a massive security hole), while candidates may overlook that Network Policies require a compatible CNI plugin to be effective.

795
MCQhard

A company has a microservices application deployed on Kubernetes. There are three services: frontend, backend, and database. The frontend is exposed via an Ingress. The API gateway is used for authentication. Recently, after updating the backend service, users are experiencing 401 Unauthorized errors when accessing endpoints that previously worked. The authentication mechanism uses JWT tokens issued by an external identity provider. The JWT tokens are validated by the API gateway. The backend service itself does not validate tokens; it relies on the gateway to forward user identity via headers. The development team checked the logs and found that the backend is receiving requests with the correct JWT from the gateway but still returning 401. What is the most likely cause?

A.The Ingress controller is stripping the Authorization header before forwarding to the backend.
B.The API gateway's JWT signing key has changed and the backend is using the old key.
C.The new backend version uses a different HTTP method for the affected endpoints.
D.The backend service code now attempts to validate the JWT itself and fails.
AnswerD

Likely the update added token validation code that is not properly configured.

Why this answer

The scenario states that the backend service relies on the gateway to forward user identity via headers and does not validate JWT tokens itself. If the new backend version now attempts to validate the JWT, it would likely fail because the backend lacks the necessary signing key or validation logic, causing 401 errors even though the gateway correctly forwards the token. This matches option D, as the change in backend behavior introduces a new validation step that was not present before.

Exam trap

Cisco often tests the misconception that JWT validation must happen at the backend, but here the trap is that the backend was never supposed to validate tokens, and a code change introducing such validation causes the 401 errors, not a problem with the gateway or Ingress.

How to eliminate wrong answers

Option A is wrong because the Ingress controller is not involved in JWT validation; the issue occurs after the gateway forwards the request, and the backend receives the correct JWT, so stripping the Authorization header would prevent the token from reaching the backend, contradicting the log evidence. Option B is wrong because the backend does not validate JWT tokens; it relies on the gateway, so a key change would affect the gateway's validation, not the backend's response, and the logs show the gateway is forwarding the correct JWT. Option C is wrong because HTTP method changes would cause 405 Method Not Allowed errors, not 401 Unauthorized, and the problem is specifically about authentication failure.

796
Multi-Selecthard

Which THREE of the following are characteristics of HTTP/2 compared to HTTP/1.1?

Select 3 answers
A.Header compression using HPACK
B.Binary framing layer
C.Plaintext headers for debugging
D.Requires multiple TCP connections for parallel requests
E.Multiplexed streams over a single TCP connection
AnswersA, B, E

HPACK reduces header overhead.

Why this answer

HPACK compression reduces header overhead by encoding header fields, which is a key improvement over HTTP/1.1's uncompressed headers. This minimizes latency and bandwidth usage, especially for repeated headers like cookies and user-agent.

Exam trap

Cisco often tests the misconception that HTTP/2 is purely a performance upgrade without structural changes, leading candidates to incorrectly select plaintext headers or assume multiple TCP connections are still required.

797
MCQeasy

An engineer wants to verify that a switch port is configured as an access port in VLAN 10. Which command provides this information?

A.show running-config interface
B.show interfaces status
C.show ip interface brief
D.show vlan brief
AnswerA

This displays the running configuration of the interface, including switchport settings.

Why this answer

The `show running-config interface` command displays the current operational configuration of a specific interface, including whether it is configured as an access port and which VLAN it is assigned to. For a switch port in VLAN 10, the output will show `switchport mode access` and `switchport access vlan 10`, directly confirming the desired configuration.

Exam trap

Cisco often tests the distinction between commands that show operational status (like `show interfaces status`) versus those that show configuration (like `show running-config interface`), leading candidates to pick a command that only shows interface state rather than the actual VLAN assignment and port mode.

How to eliminate wrong answers

Option B is wrong because `show interfaces status` shows the administrative and operational status of interfaces (e.g., up/down, speed, duplex) but does not display the VLAN assignment or port mode configuration. Option C is wrong because `show ip interface brief` lists IP addresses and interface status for Layer 3 interfaces, not Layer 2 switch port VLAN details. Option D is wrong because `show vlan brief` lists all VLANs and their member ports, but it does not show the port mode (access vs. trunk) or confirm that a specific port is configured as an access port in VLAN 10.

798
MCQeasy

A Python script uses the 'requests' library to make a POST request to create a new resource. Which HTTP status code indicates successful creation?

A.204 No Content
B.200 OK
C.301 Moved Permanently
D.201 Created
AnswerD

201 Created is the standard response for a successful POST request that creates a resource.

Why this answer

According to the REST API conventions, a successful POST request returns status code 201 Created.

799
MCQhard

Refer to the exhibit. A developer receives this response when attempting to send a PATCH request to modify a YANG data node via RESTCONF. What is the most likely cause?

A.The resource does not exist
B.The authentication token is expired
C.The YANG model is not supported
D.The JSON payload is malformed
AnswerD

The error-tag 'malformed-message' indicates JSON syntax error.

Why this answer

A PATCH request to modify a YANG data node via RESTCONF returns a 400 Bad Request status when the JSON payload is malformed. RESTCONF (RFC 8040) requires the request body to conform to the YANG module's data model; if the JSON syntax is invalid or the data does not match the schema (e.g., missing required fields, incorrect data types), the server rejects the request with a 400 error. The 400 status code specifically indicates a client-side error in the request payload, not an authentication or resource existence issue.

Exam trap

Cisco often tests the distinction between HTTP status codes for RESTCONF errors, and the trap here is that candidates confuse a 400 Bad Request (payload issue) with a 404 Not Found (resource missing) or a 401 Unauthorized (auth issue), especially when the question describes a 'modify' operation that might imply the resource exists.

How to eliminate wrong answers

Option A is wrong because a 400 Bad Request does not indicate a missing resource; a nonexistent resource would return a 404 Not Found. Option B is wrong because an expired authentication token would result in a 401 Unauthorized or 403 Forbidden, not a 400. Option C is wrong because an unsupported YANG model would cause a 501 Not Implemented or a 404 if the model is not available, not a 400 Bad Request.

800
MCQeasy

A developer wants to use Cisco Webex Teams API to send a message to a specific room. Which of the following request JSON body fields is required?

A."toPersonId"
B."toPersonEmail"
C."roomId"
D."text"
AnswerC

Required to specify the target room.

Why this answer

The Cisco Webex Teams API requires the 'roomId' field in the request body to identify the specific room where the message will be sent. Without this field, the API cannot determine the destination, and the request will fail with a 400 Bad Request error. The 'roomId' is a mandatory parameter for sending messages to a room, as documented in the Webex API reference.

Exam trap

Cisco often tests the distinction between room messages and direct messages, and the trap here is that candidates may assume 'text' is required because it is the most obvious content field, but the API allows messages without text (e.g., only a file), making 'roomId' the only truly required field for room-targeted messages.

How to eliminate wrong answers

Option A is wrong because 'toPersonId' is used to send a direct message to a specific person, not to a room, and is not required when targeting a room. Option B is wrong because 'toPersonEmail' is also for direct messages to a person by email address, and is mutually exclusive with 'roomId' for room messages. Option D is wrong because 'text' is optional; the message can be sent with other content types like markdown or file attachments, and the API does not require a 'text' field.

801
MCQhard

A large enterprise is migrating to a DevOps model and needs to automate the provisioning of network devices. The team has chosen Ansible for configuration management and is using a Git repository for version control. The network includes Cisco IOS routers, Catalyst switches running IOS-XE, and ASA firewalls. The team has written Ansible playbooks for each device type. The goal is to have a CI/CD pipeline that automatically deploys configuration changes to the production network after the changes are merged into the main branch. However, during a recent deployment, a misconfiguration was pushed to a core router, causing a 10-minute outage. The root cause was that the playbook that was executed was not the correct one for that device model. The team wants to implement a mechanism to prevent similar incidents. Which approach should the team adopt?

A.Implement a CI/CD pipeline that runs playbooks against a staging environment with similar devices, and only deploy to production after successful validation
B.Require all changes to be approved by a change advisory board before merging
C.Require two-person peer review for all playbook changes
D.Use a pre-commit hook that checks the playbook syntax and device compatibility
AnswerA

Correct: Automated testing in staging catches misconfigurations.

Why this answer

Option A is correct because a staging environment with similar devices allows the team to validate playbooks against representative hardware before production deployment. This catches model-specific incompatibilities (e.g., a playbook written for IOS-XE being applied to a classic IOS router) without risking production outages. The CI/CD pipeline can run the same playbooks in staging, verify the resulting device state, and only promote changes to production after successful validation.

Exam trap

Cisco often tests the distinction between static validation (syntax checks, peer review) and dynamic validation (staging environment testing), and the trap here is assuming that code review or pre-commit hooks alone can prevent runtime device-model mismatches.

How to eliminate wrong answers

Option B is wrong because requiring a change advisory board (CAB) approval before merging introduces manual delays and does not automatically prevent the execution of an incorrect playbook for a specific device model; it only gates the merge, not the deployment. Option C is wrong because two-person peer review of playbook changes can catch syntax errors but cannot guarantee that the playbook is compatible with every target device model in production, especially when device types vary. Option D is wrong because a pre-commit hook that checks playbook syntax and device compatibility can only validate static code against predefined rules; it cannot test the actual behavior of the playbook on real hardware or detect runtime issues like model-specific command differences.

802
Multi-Selecthard

Which THREE statements about RESTful APIs are true?

Select 3 answers
A.They require WebSockets for communication.
B.They use HTTP methods to perform CRUD operations.
C.They use SOAP as the message format.
D.They use stateless communication.
E.They expose resources via URLs.
AnswersB, D, E

GET, POST, PUT, DELETE map to read, create, update, delete.

Why this answer

Option B is correct because RESTful APIs use standard HTTP methods (GET, POST, PUT, PATCH, DELETE) to map directly to CRUD (Create, Read, Update, Delete) operations. For example, POST creates a resource, GET retrieves it, PUT/PATCH updates it, and DELETE removes it, aligning with the REST architectural constraint of uniform interface.

Exam trap

Cisco often tests the misconception that REST requires WebSockets for real-time communication or that REST is tied to SOAP, when in fact REST is protocol-agnostic but typically uses HTTP, and SOAP is a distinct, heavier-weight alternative.

803
MCQmedium

A DevOps engineer is designing a REST API for a custom network automation tool. Which principle is essential for a RESTful design?

A.Maintain session state on the server between requests.
B.Use HTTP methods to perform CRUD operations on resources.
C.Use a single URI for all operations with different method names.
D.Return XML responses by default for compatibility.
AnswerB

This is a core REST principle, mapping operations to HTTP methods like GET, POST, PUT, DELETE.

Why this answer

RESTful APIs are designed around resources, and HTTP methods (GET, POST, PUT, DELETE, PATCH) directly map to CRUD operations (Create, Read, Update, Delete). This stateless, resource-oriented approach is a core principle of REST as defined by Roy Fielding's dissertation, enabling uniform interfaces and predictable interactions.

Exam trap

Cisco often tests the misconception that REST APIs can maintain server-side session state (like traditional web apps) or that a single URI with different method names is acceptable, confusing REST with RPC-style designs.

How to eliminate wrong answers

Option A is wrong because REST requires statelessness; each request from a client must contain all necessary information, and session state should be stored on the client, not the server. Option C is wrong because RESTful design uses distinct URIs for each resource, not a single URI with different method names; using a single URI for all operations violates the principle of resource identification and leads to RPC-style APIs. Option D is wrong because REST APIs should support content negotiation (e.g., via the Accept header) and typically return JSON by default for modern web services; forcing XML responses by default reduces flexibility and violates the principle of using standard media types.

804
Matchingmedium

Match each network automation tool to its primary purpose.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Configuration management and automation

API testing and development

Network test automation framework

SSH-based network device interaction

Python automation framework for networking

Why these pairings

Tools commonly used in Cisco DevNet environments.

805
MCQhard

A network engineer wants to programmatically enable an interface using the YANG model shown. Which XPath expression correctly targets the 'shutdown' leaf for GigabitEthernet0/1?

A.//shut
B./interfaces/GigabitEthernet[name='0/1']/shutdown
C./Cisco-IOS-XE-interface:interfaces/GigabitEthernet[0/1]/shutdown
D./native/interface/GigabitEthernet0/1/shutdown
AnswerB

Correctly uses list instance selection.

Why this answer

Option B is correct because it uses the correct XPath syntax to target the 'shutdown' leaf under a specific GigabitEthernet interface instance. The path starts from the root, navigates to the 'interfaces' container, selects the 'GigabitEthernet' list entry where the 'name' key equals '0/1', and then accesses the 'shutdown' leaf. This matches the YANG model structure where list entries are filtered using a predicate with the key leaf.

Exam trap

Cisco often tests the distinction between using a key-based predicate (e.g., [name='0/1']) versus a positional index (e.g., [0/1]) or a concatenated name (e.g., GigabitEthernet0/1), which are invalid in YANG XPath expressions.

How to eliminate wrong answers

Option A is wrong because '//shut' is an abbreviated XPath that searches for any element named 'shut' anywhere in the document, but the YANG model defines the leaf as 'shutdown', not 'shut', and the path is not scoped to the correct interface. Option C is wrong because it uses '[0/1]' as a positional predicate on a list, but YANG lists are keyed by the 'name' leaf, not by index; the correct predicate is '[name='0/1']'. Option D is wrong because it uses a non-standard root path '/native/interface' which does not match the YANG model's top-level container 'interfaces' and incorrectly concatenates the interface name without a predicate.

806
MCQeasy

In a Python script using the 'requests' library to interact with Cisco DNA Center API, which function call is used to send a POST request with JSON data?

A.requests.post(url, json=data)
B.requests.patch(url, json=data)
C.requests.get(url, json=data)
D.requests.put(url, json=data)
AnswerA

post() sends POST with JSON.

Why this answer

Option A is correct because the `requests.post()` function is specifically designed to send HTTP POST requests, and passing the `json=data` parameter automatically serializes the Python dictionary to JSON and sets the `Content-Type` header to `application/json`. This is the standard way to create a resource via Cisco DNA Center's REST API endpoints that expect JSON payloads.

Exam trap

Cisco often tests the distinction between POST and PUT by having candidates confuse resource creation (POST) with resource replacement (PUT), especially when both methods accept a JSON body.

How to eliminate wrong answers

Option B is wrong because `requests.patch()` sends an HTTP PATCH request, which is used for partial updates to an existing resource, not for creating a new resource via POST. Option C is wrong because `requests.get()` sends an HTTP GET request, which is used to retrieve data, not to send a JSON payload to create a resource. Option D is wrong because `requests.put()` sends an HTTP PUT request, which is used to replace an entire resource, not to create a new one; POST is the correct HTTP method for resource creation in RESTful APIs.

807
MCQhard

A developer needs to retrieve the hostname of a Cisco IOS XE device using RESTCONF. Which URI path is correct?

A./restconf/data/Cisco-IOS-XE-native:hostname
B./api/v1/device/hostname
C./restconf/data/Cisco-IOS-XE-native:native/hostname
D./restconf/data/hostname
AnswerC

Correct. This path accesses the hostname leaf.

Why this answer

RESTCONF uses the YANG module namespace. The native hostname is at /restconf/data/Cisco-IOS-XE-native:native/hostname.

808
MCQhard

A microservices application deployed on Kubernetes uses Istio service mesh. After a recent update, some services cannot communicate with each other. Which diagnostic step is most likely to identify the issue?

A.Verify that Istio sidecar injection is enabled for the affected pods.
B.Review the Istio destination rules for the services.
C.All of the above.
D.Check the logs of the pods that are failing.
AnswerC

Each step is valid; a comprehensive approach is needed to isolate Istio-related issues.

Why this answer

Option C is correct because both verifying sidecar injection and reviewing destination rules are essential diagnostic steps when services in an Istio service mesh cannot communicate after an update. Sidecar injection ensures that the Envoy proxy is present to enforce traffic policies, while destination rules define how traffic is routed and can cause connectivity failures if misconfigured. Checking pod logs alone may reveal symptoms but not the root cause, which is often a policy or proxy configuration issue.

Exam trap

The trap here is that candidates often pick a single option (A or B) thinking one diagnostic step is sufficient, but Cisco tests the understanding that multiple layers (proxy presence and policy configuration) must be verified in a service mesh environment.

How to eliminate wrong answers

Option A is wrong because while verifying sidecar injection is a valid step, it alone may not identify issues caused by misconfigured destination rules or traffic policies. Option B is wrong because reviewing destination rules is important but insufficient if sidecar injection is missing, as the Envoy proxy is required to enforce those rules. Option D is wrong because checking pod logs may show application-level errors but will not directly reveal Istio-specific configuration problems like missing sidecars or incorrect routing rules.

809
MCQmedium

A developer is building a script to retrieve a list of network devices from Cisco DNA Center. The API response includes a 'nextToken' field in the body to indicate more results. What pagination method is being used?

A.Cursor-based pagination
B.Page-based pagination
C.Offset/Limit pagination
D.Link header pagination
AnswerA

A token like 'nextToken' indicates cursor-based pagination.

Why this answer

Cursor-based pagination uses a token (e.g., nextToken) to point to the next set of results, unlike offset/limit which uses page numbers.

810
MCQmedium

Refer to the exhibit. A Python script parses this JSON response to check if NetFlow is enabled on the network. Which code snippet correctly checks the NetFlow status?

A.if response['netflow'].get('enabled', False):
B.if response['netflow']['enabled'] == 'true':
C.if response.netflow.enabled:
D.if response['netflow']['enabled']:
AnswerA

Safely checks for the 'enabled' key with a default of False.

Why this answer

Option A is correct because it uses the `.get()` method with a default value of `False` to safely access the `enabled` key within the `netflow` dictionary. This handles cases where the key might be missing or the value is `False`, avoiding a `KeyError` and correctly evaluating the boolean condition. In JSON, the `enabled` field is typically a boolean, so checking truthiness directly is the proper approach.

Exam trap

Cisco often tests the difference between JSON boolean values and their string representations, trapping candidates who treat `true`/`false` as strings instead of Python booleans, and also tests safe dictionary access methods versus direct key access that can raise exceptions.

How to eliminate wrong answers

Option B is wrong because it compares the value to the string `'true'`, but JSON booleans are lowercase `true` (which Python parses as `True`, not a string). This comparison will always be `False` even when NetFlow is enabled. Option C is wrong because it uses dot notation (`response.netflow.enabled`), which is not valid for a Python dictionary; dictionaries require bracket or `.get()` access.

Option D is wrong because it directly accesses `response['netflow']['enabled']` without a fallback; if the `enabled` key is missing or the `netflow` key is absent, this will raise a `KeyError` and crash the script.

811
MCQeasy

A network administrator is troubleshooting a connectivity issue. A PC with IP address 192.168.1.10/24 cannot ping a server at 192.168.1.20/24. Both are on the same VLAN and connected to the same switch. What is the most likely cause of the issue?

A.The ARP cache on the PC needs to be cleared.
B.The subnet mask on the PC is incorrect.
C.The switch port is in the wrong VLAN.
D.The server has a firewall blocking ICMP echo requests.
E.The default gateway is misconfigured on the PC.
AnswerD

A firewall can block ping, which is a common troubleshooting scenario.

Why this answer

Since both devices are on the same subnet (192.168.1.0/24) and same VLAN, Layer 2 connectivity should work without a default gateway. The PC can ARP for the server's IP and send frames directly. If the server has a firewall blocking ICMP echo requests (ping), the PC's ARP request succeeds, but the server drops the ICMP packets, causing a ping failure while other services might still work.

Exam trap

Cisco often tests the misconception that same-subnet communication requires a default gateway, or that ARP cache issues are the primary cause of ping failures, when in reality a host firewall blocking ICMP is a frequent real-world problem that candidates overlook.

How to eliminate wrong answers

Option A is wrong because clearing the ARP cache would only help if the PC had a stale or incorrect ARP entry; here, the PC would simply re-ARP and get the correct MAC, so it wouldn't resolve the issue if the server is blocking ICMP. Option B is wrong because both devices use /24, so the subnet mask is correct for same-subnet communication. Option C is wrong because both devices are on the same VLAN and connected to the same switch; if the switch port were in the wrong VLAN, they would be in different broadcast domains and ARP would fail entirely.

Option E is wrong because a default gateway is only needed for traffic destined outside the local subnet; for same-subnet communication, the PC sends frames directly to the server's MAC address, so a misconfigured gateway has no effect.

812
MCQmedium

An engineer uses the Cisco Webex Teams API to send a message to a room. The API returns HTTP 403 Forbidden. What is the most likely cause?

A.The message payload is too large.
B.The bot token has expired.
C.The room ID is incorrect.
D.The token does not have permission to post to that room.
AnswerD

A 403 error indicates the token is valid but lacks authorization for the action.

Why this answer

HTTP 403 Forbidden indicates the server understood the request but refuses to authorize it. In the context of the Cisco Webex Teams API, this status code most commonly means the access token provided does not have the required scopes or permissions to post messages to the specified room. The token may be valid and not expired, but it lacks the authorization (e.g., the `spark:rooms_write` scope) needed for the action.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure, e.g., expired or invalid token) and HTTP 403 (authorization failure, e.g., valid token but insufficient permissions), so candidates must not confuse the two.

How to eliminate wrong answers

Option A is wrong because a payload that is too large would typically result in HTTP 413 Payload Too Large, not 403 Forbidden. Option B is wrong because an expired token would return HTTP 401 Unauthorized, not 403 Forbidden. Option C is wrong because an incorrect room ID would return HTTP 404 Not Found, as the API cannot locate the resource; a 403 indicates the resource exists but the token lacks permission.

813
MCQeasy

In Docker, which command is used to build an image from a Dockerfile and tag it as 'myapp:v1'?

A.docker run -t myapp:v1 .
B.docker build -t myapp:v1 .
C.docker create myapp:v1 .
D.docker commit myapp:v1 .
AnswerB

Correct. The -t flag assigns the tag 'myapp:v1'.

Why this answer

The `docker build -t myapp:v1 .` command builds a Docker image from the Dockerfile in the current directory and tags it with the name `myapp` and version tag `v1`. The `-t` flag assigns the tag, and the dot (`.`) specifies the build context (the current directory). This is the standard Docker command for building and tagging images.

Exam trap

Cisco often tests the distinction between `docker build` (for creating images from a Dockerfile) and `docker run` (for starting containers), and the trap here is that candidates confuse the `-t` flag in `docker run` (which allocates a TTY) with the `-t` flag in `docker build` (which tags the image).

How to eliminate wrong answers

Option A is wrong because `docker run` is used to create and start a container from an existing image, not to build an image from a Dockerfile; the `-t` flag in `docker run` allocates a pseudo-TTY, not a tag. Option C is wrong because `docker create` creates a new container from an image but does not build an image or accept a tag in that syntax; it also requires an image name, not a build context. Option D is wrong because `docker commit` creates a new image from a container's changes, not from a Dockerfile, and the syntax `docker commit myapp:v1 .` is invalid (it expects a container ID or name, not a tag and build context).

814
Multi-Selecthard

Which THREE of the following are benefits of using event-driven architecture in a distributed system? (Choose three.)

Select 3 answers
A.Loose coupling between services
B.Real-time data processing
C.Scalability through independent processing
D.Eliminates the need for message brokers
E.Simpler debugging due to synchronous communication
AnswersA, B, C

Services communicate via events without direct dependencies.

Why this answer

Event-driven architecture promotes loose coupling, scalability, and real-time responsiveness.

815
MCQeasy

Refer to the exhibit. A developer is trying to access the REST API on a Cisco IOS XE device but receives a 401 Unauthorized error. What is the most likely cause?

A.The device does not support REST API
B.Authentication requires local credentials, but none were provided
C.HTTPS is not configured
D.HTTP server is not enabled
AnswerB

With 'ip http authentication local', the device requires valid local username/password, which if missing results in 401.

Why this answer

A 401 Unauthorized error specifically indicates that authentication is required but was either missing or invalid. For Cisco IOS XE REST API access, the device requires local credentials (username and password) to be provided in the request, typically via HTTP Basic Authentication. Without these credentials, the server rejects the request with a 401 status.

Exam trap

Cisco often tests the distinction between a 401 Unauthorized error (authentication failure) and a 403 Forbidden error (authorization failure), or between connectivity issues (e.g., HTTP server not enabled) and authentication issues, leading candidates to confuse missing credentials with missing server configuration.

How to eliminate wrong answers

Option A is wrong because Cisco IOS XE devices support REST API via the 'restconf' or 'native REST API' feature, which is available on many platforms. Option C is wrong because HTTPS is not required for REST API access; HTTP can be used, though HTTPS is recommended for security. Option D is wrong because the HTTP server (or HTTPS server) must be enabled for the REST API to function, but a missing HTTP server would result in a connection failure (e.g., timeout or 404), not a 401 Unauthorized error.

816
Multi-Selectmedium

Which TWO HTTP status codes indicate client errors?

Select 2 answers
A.500 Internal Server Error
B.404 Not Found
C.400 Bad Request
D.200 OK
E.201 Created
AnswersB, C

The server cannot find the requested resource.

Why this answer

400 Bad Request and 404 Not Found are both client error statuses (4xx).

817
MCQhard

Based on the routing table, what type of OSPF route is the default route (0.0.0.0/0)?

A.OSPF inter-area route
B.OSPF NSSA external type 1 route
C.OSPF intra-area route
D.OSPF external type 2 route
AnswerD

O*E2 indicates external type 2 default.

Why this answer

The default route (0.0.0.0/0) in OSPF is typically redistributed from another routing protocol or statically configured and then advertised into OSPF. When a default route is injected via the 'default-information originate' command, it is advertised as an OSPF external type 2 (E2) route by default, meaning the metric does not change as it traverses OSPF areas. This matches option D.

Exam trap

Cisco often tests the misconception that a default route in OSPF is always an intra-area or inter-area route, when in fact it is an external route injected via redistribution or the 'default-information originate' command, and candidates confuse the route type with the LSA type.

How to eliminate wrong answers

Option A is wrong because an OSPF inter-area route (O IA) is a route learned from another area via an Area Border Router (ABR), but a default route is not learned as an inter-area route unless it is specifically originated as a type 3 LSA summary, which is not the default behavior. Option B is wrong because an OSPF NSSA external type 1 route (N1) is used in Not-So-Stubby Areas (NSSA) for redistributed routes, but the default route in a standard OSPF configuration is not an NSSA route unless the area is configured as NSSA and the default route is explicitly generated as type 1. Option C is wrong because an OSPF intra-area route (O) is a route within the same area learned via type 1 or type 2 LSAs, but the default route is not an intra-area route as it is not part of the area's internal topology.

818
MCQeasy

An engineer is troubleshooting a network issue and needs to verify the MAC address of the next-hop router on a directly connected segment. Which layer of the OSI model does the engineer need to examine to find this information?

A.Data Link layer (Layer 2)
B.Transport layer (Layer 4)
C.Physical layer (Layer 1)
D.Network layer (Layer 3)
AnswerA

MAC addresses are used at Layer 2 for local network communication.

Why this answer

The MAC address of the next-hop router is found in the Data Link layer (Layer 2) header of a frame. When a device sends an IP packet to a next-hop router on the same segment, it encapsulates the packet in a frame with the destination MAC address of that router's interface. To verify this address, you examine Layer 2 information, such as by using the `show arp` command on Cisco devices to view the MAC-to-IP mapping.

Exam trap

Cisco often tests the misconception that MAC addresses belong to the Network layer because they are used in routing decisions, but the trap is that MAC addresses are strictly a Data Link layer construct used for local segment delivery, not for end-to-end path determination.

How to eliminate wrong answers

Option B is wrong because the Transport layer (Layer 4) handles end-to-end communication, segmentation, and port numbers (e.g., TCP/UDP), not MAC addresses. Option C is wrong because the Physical layer (Layer 1) deals with raw bit transmission, electrical signals, and media specifications, not addressing or frame headers. Option D is wrong because the Network layer (Layer 3) uses logical IP addresses for routing and packet forwarding, but the MAC address is a Layer 2 identifier used for delivery on the local segment.

819
MCQmedium

A company has a web application running on Cisco DNA Center. The application uses OAuth 2.0 for authentication with an external identity provider (IdP). Recently, users have reported that they are being logged out unexpectedly after a few minutes of inactivity, even though the IdP token has a 1-hour expiration. The application developer wants to maintain usability while keeping security controls. What is the most likely cause and solution?

A.The application session timeout is shorter than the token lifetime; align the application session timeout to the token expiration or implement silent token refresh
B.The application is not properly validating the token expiry and needs to refresh tokens proactively
C.The IdP is configured to log out users automatically after 5 minutes; reconfigure IdP session settings
D.The OAuth 2.0 access token is set to expire in 5 minutes; increase it to 1 hour
AnswerA

Short application session timeout causes early logout; aligning or using silent refresh solves it.

Why this answer

The most likely cause is that the application's session timeout is set to a shorter duration than the OAuth 2.0 token's 1-hour expiration. When the application session expires, the user is logged out even though the IdP token is still valid. The solution is to align the application session timeout with the token expiration or implement silent token refresh using a refresh token, which allows the application to obtain a new access token without user interaction, maintaining usability while preserving security.

Exam trap

Cisco often tests the distinction between token expiration and session timeout, where candidates mistakenly focus on token refresh or IdP configuration instead of recognizing that the application's session management is the root cause.

How to eliminate wrong answers

Option B is wrong because the issue is not about token validation or proactive refresh; the token is valid for 1 hour, but the application session expires earlier, causing logout. Option C is wrong because the IdP is not configured to log out users after 5 minutes; the IdP token has a 1-hour expiration, so the problem lies in the application session management. Option D is wrong because the access token expiration is already set to 1 hour, not 5 minutes; increasing it further would not fix the mismatch between the application session timeout and token lifetime.

820
MCQeasy

A developer wants to use Cisco Modeling Labs (CML) API to control a lab session. Which base URL structure is correct for the CML REST API?

A.https://cml-server/labapi/v1
B.https://cml-server/api/v0
C.https://cml-server/api/v2
D.https://cml-server/rest/v1
AnswerB

Correct base URL for CML API.

Why this answer

The correct base URL for the Cisco Modeling Labs (CML) REST API is `https://cml-server/api/v0`. This is the documented and stable endpoint for interacting with CML lab sessions, including starting, stopping, and managing topologies. The `/api/v0` path is specific to CML and reflects its API versioning scheme, which differs from other Cisco platforms like DNA Center or Meraki.

Exam trap

Cisco often tests the specific API versioning and base URL patterns for each platform (CML vs. DNA Center vs. Meraki), and the trap here is confusing the `/api/v0` of CML with the more common `/api/v2` of DNA Center or `/rest/v1` of Meraki.

How to eliminate wrong answers

Option A is wrong because `/labapi/v1` is not a valid base URL for CML; it resembles the legacy API path used in Cisco VIRL (the predecessor to CML), not the current CML REST API. Option C is wrong because `/api/v2` is the base URL for Cisco DNA Center's REST API, not CML. Option D is wrong because `/rest/v1` is the base URL for Cisco Meraki's REST API, which uses a different versioning and resource structure.

821
MCQmedium

An administrator is automating the deployment of a new switch using Cisco DNA Center. Which API category should they use to provision the device with a configuration template?

A.Change your network
B.Platform
C.Know your network
D.Run your network
AnswerA

Template deployment and plug and play are part of this category.

Why this answer

Template deployment falls under the 'change your network' API category in Cisco DNA Center.

822
Multi-Selectmedium

When designing a REST API for managing network devices, which two principles should be followed to ensure statelessness?

Select 2 answers
A.All state information is stored on the client.
B.The server maintains session data and identifies clients via cookies.
C.API endpoints include version numbers to support backward compatibility.
D.Each request from client to server must contain all information needed to understand and complete the request.
E.Responses are idempotent for all POST requests.
AnswersA, D

This is a key principle of statelessness: the client holds session state.

Why this answer

Option A is correct because statelessness in REST requires that all session state be stored on the client, not the server. Each request must be self-contained, meaning the server does not retain any client context between requests. This aligns with the REST architectural constraint defined by Roy Fielding, where the server treats each request independently.

Exam trap

Cisco often tests the distinction between statelessness and other REST principles like idempotency or versioning; the trap here is that candidates confuse 'statelessness' with 'idempotency' or 'backward compatibility', leading them to select options that are valid REST practices but do not address the statelessness constraint.

823
MCQmedium

A Webex API request returns a 401 Unauthorized error. The developer has already obtained an access token. What is the most likely cause?

A.Invalid access token or expired token
B.Resource not found
C.Rate limit exceeded
D.Server internal error
AnswerA

401 indicates authentication failure.

Why this answer

A 401 error typically indicates an invalid or expired token, or missing Authorization header.

824
MCQhard

Refer to the exhibit. Both switches are configured with EtherChannel. Which statement is true about VLAN traffic across the trunk?

A.VLAN 150 traffic is allowed across the trunk.
B.VLAN 50 traffic is blocked across the trunk.
C.VLAN 200 traffic is allowed across the trunk.
D.VLAN 100 traffic is allowed across the trunk.
AnswerD

VLAN 100 is allowed on both switches (1-100 on A, 100-199 on B).

Why this answer

The correct answer is D because the exhibit shows that VLAN 100 is configured on both switches and is included in the allowed VLAN list on the trunk. EtherChannel does not affect VLAN filtering; the trunk's allowed VLAN list determines which VLANs can traverse the link. Since VLAN 100 is explicitly permitted, its traffic is allowed across the trunk.

Exam trap

Cisco often tests the misconception that EtherChannel overrides or bypasses VLAN trunk filtering, but in reality, the allowed VLAN list on the port-channel interface still controls which VLANs are permitted across the aggregated link.

How to eliminate wrong answers

Option A is wrong because VLAN 150 is not shown in the allowed VLAN list on either switch, so it is implicitly denied on the trunk. Option B is wrong because VLAN 50 is listed in the allowed VLAN list on both switches, so its traffic is permitted, not blocked. Option C is wrong because VLAN 200 is not present in the allowed VLAN list on either switch, meaning it is not allowed across the trunk.

825
MCQmedium

A developer is using the Webex API to create a webhook that triggers when a new message is posted in a room. What information is typically included in the webhook payload sent by Webex to the callback URL?

A.The full message content and all room members
B.The OAuth token for the bot
C.The resource type, event type, and relevant IDs (e.g., message ID, room ID)
D.The complete list of webhooks configured on the account
AnswerC

Webhooks notify about events with IDs to retrieve details via API.

Why this answer

Webhook payloads contain event details such as resource, event type, and relevant data like message ID and room ID. The full message content is not included; the application must fetch it via API.

Page 10

Page 11 of 14

Page 12
Cisco DevNet Associate 200-901 200-901 Questions 751–825 | Page 11/14 | Courseiva