Cisco DevNet Associate 200-901 (200-901) — Questions 826–900

992 questions total · 14 pages · All types, answers revealed

Page 12 of 14

826
MCQ · hard

Which DNS record type is used to verify domain ownership for email security protocols like SPF and DKIM?

A. CNAME
B. TXT
C. MX
D. NS
Answer: B

Correct. TXT records store arbitrary text, used for SPF and DKIM.

Why this answer

SPF and DKIM records are stored as TXT records in DNS. SPF records specify which mail servers are authorized to send email for a domain, while DKIM records contain a public key used to verify email signatures. Both are implemented via TXT records, not other record types.

Exam trap

Cisco often tests the misconception that SPF or DKIM use a dedicated record type like SPF or DKIM, when in fact both rely on TXT records, and candidates may incorrectly choose MX or CNAME due to their association with email or aliasing.

How to eliminate wrong answers

Option A is wrong because CNAME records create an alias for a domain name and cannot contain the arbitrary text data required for SPF or DKIM policies. Option C is wrong because MX records specify mail exchange servers for routing email, not for storing authentication or verification data. Option D is wrong because NS records delegate a domain to authoritative name servers and have no role in email security protocol verification.

827
MCQ · medium

Refer to the exhibit. A Python script uses the Cisco IOS-XE RESTCONF API to retrieve the device configuration. The returned JSON is shown. What must be done to enable the GigabitEthernet0/1 interface using the API?

A. Send a PATCH request to the interface resource with the JSON payload {"enabled": true}.
B. Send a DELETE request to the interface resource.
C. Send a GET request to the interface resource and parse the response.
D. Send a PUT request to the interface resource with the entire JSON payload.
Answer: A

PATCH partially updates the resource; changing enabled to true will enable the interface.

Why this answer

Option A is correct because RESTCONF uses PATCH for partial updates. To enable an interface, you only need to send the specific field that changes ({"enabled": true}) to the interface resource URI, which modifies the configuration without replacing the entire resource.

Exam trap

Cisco often tests the distinction between PUT (full replace) and PATCH (partial update) in RESTCONF, where candidates mistakenly choose PUT thinking it can be used for single-field changes, but that would require sending the entire resource payload.

How to eliminate wrong answers

Option B is wrong because a DELETE request would remove the entire interface resource, not enable it. Option C is wrong because a GET request only retrieves data; it does not modify the configuration. Option D is wrong because a PUT request replaces the entire resource with the provided JSON payload, which would require sending the full interface configuration, not just the enabled field, and could overwrite other settings.

828
Multi-Select · hard

Which THREE of the following are characteristics of RESTCONF compared to NETCONF? (Select three.)

Select 3 answers
A. Uses HTTP as the transport protocol
B. Supports JSON encoding for YANG data
C. Employs XML Remote Procedure Calls (RPCs)
D. Uses SSH for secure transport
E. Uses YANG data models
Answers: A, B, E

RESTCONF is HTTP-based.

Why this answer

RESTCONF uses HTTP and supports JSON encoding, while NETCONF uses SSH and XML RPCs. Both use YANG data models.

829
MCQ · medium

A docker-compose.yml defines a web service with environment variables. Which key in the service definition should be used to set environment variables?

A. args
B. volumes
C. environment
D. env_file
Answer: C

The 'environment' key allows setting environment variables directly.

Why this answer

Option C is correct because the `environment` key in a Docker Compose service definition is the standard way to set environment variables directly within the YAML file. This key accepts a list of key-value pairs (e.g., `- KEY=VALUE`) or a mapping, and the variables are injected into the container at runtime, overriding any default values in the Docker image.

Exam trap

Cisco often tests the distinction between build-time (`args`) and runtime (`environment`) configuration, so the trap here is confusing `args` (used in `docker build`) with `environment` (used in `docker run` or `docker-compose up`), especially since both can pass key-value pairs but serve entirely different lifecycle stages.

How to eliminate wrong answers

Option A is wrong because `args` is used to pass build-time arguments to the Dockerfile during image building (via the `build` context), not to set runtime environment variables in a running container. Option B is wrong because `volumes` mounts host directories or named volumes into the container for persistent data storage, not for environment configuration. Option D is wrong because `env_file` is a separate key that loads environment variables from an external file, but the question specifically asks for a key that defines variables directly within the service definition, not from an external source.

830
Multi-Select · easy

A developer needs to create a Python script that makes a GET request to a REST API to retrieve a list of network devices. The API uses query parameters to filter by device type and status. Which TWO code snippets correctly include query parameters using the requests library? (Choose two.)

Select 2 answers
A. requests.get('https://api.example.com/devices', params={'type': 'router', 'status': 'active'})
B. requests.get('https://api.example.com/devices', data={'type': 'router', 'status': 'active'})
C. requests.get('https://api.example.com/devices?type=router&status=active')
D. requests.get('https://api.example.com/devices', json={'type': 'router', 'status': 'active'})
E. requests.get('https://api.example.com/devices', headers={'type': 'router', 'status': 'active'})
Answers: A, C

Correct use of params.

Why this answer

The params parameter accepts a dict; also can pass dict directly.

831
MCQ · hard

A security policy requires that all container images in a registry are scanned for vulnerabilities before deployment. Which approach best integrates this into a CI/CD pipeline without slowing down the pipeline?

A. Build the image, push it, then scan it, and if vulnerabilities are found, rebuild and repush.
B. Run the vulnerability scan on the image after pushing to the registry and block deployment if critical vulnerabilities are found.
C. Build the image, scan it locally, and if it passes, push it to the registry; run scans in parallel with the build if possible.
D. Scan the source code dependencies before building the image, and skip image scanning.
Answer: C

Local scanning before push catches vulnerabilities early and does not delay the pipeline if done in parallel.

Why this answer

Option C is correct because it shifts the vulnerability scan left in the pipeline: the image is built and scanned locally before being pushed to the registry. If the scan passes, the image is pushed; if it fails, the pipeline stops early, avoiding the overhead of pushing a vulnerable image and then rebuilding. This approach minimizes pipeline latency by running scans in parallel with the build where possible, ensuring security without blocking the deployment flow.

Exam trap

Cisco often tests the concept of 'shifting left' security — candidates mistakenly think scanning after pushing (Option B) is acceptable because it blocks deployment, but the trap is that the policy requires scanning before deployment, not before push, and Option B still allows vulnerable images to reside in the registry.

How to eliminate wrong answers

Option A is wrong because it pushes the image first, then scans it, and if vulnerabilities are found, rebuilds and repushes — this wastes time and registry storage by pushing a vulnerable image that must be replaced, and it introduces a slow feedback loop. Option B is wrong because it scans after pushing to the registry and only blocks deployment for critical vulnerabilities, which still allows non-critical vulnerabilities to be deployed and does not prevent the vulnerable image from being stored in the registry, violating the policy that all images must be scanned before deployment. Option D is wrong because scanning only source code dependencies misses vulnerabilities introduced by the base image, runtime libraries, or configuration files in the container image, leaving the image itself unscanned and failing the security policy requirement.

832
MCQ · easy

A developer needs to send a diagnostic request to a network device to verify if it supports a specific MIB object. Which protocol and operation should be used?

A. ICMP ping
B. HTTP GET
C. SNMP SET
D. NETCONF get-config
E. SNMP GET
Answer: E

GET retrieves the value of a MIB object.

Why this answer

SNMP GET is the correct operation to retrieve the value of a specific MIB object from a network device. It sends a diagnostic request to verify if the device supports that object by checking whether a valid response is returned. This is the standard SNMP operation for reading a single managed object's value.

Exam trap

Cisco often tests the distinction between SNMP GET (read) and SNMP SET (write), and candidates may confuse them or think SET can verify support, but SET only modifies values and requires the object to already exist.

How to eliminate wrong answers

Option A is wrong because ICMP ping is used for basic reachability testing and does not interact with MIB objects or SNMP. Option B is wrong because HTTP GET is used for web-based APIs or RESTCONF, not for querying SNMP MIB objects. Option C is wrong because SNMP SET is used to modify the value of a MIB object, not to read or verify its existence.

Option D is wrong because NETCONF get-config retrieves device configuration data, not MIB objects, and uses YANG data models instead of SNMP.

833
MCQ · hard

During a security audit of a microservices application deployed on Cisco Container Platform, the auditor discovers that some containers are running with privileged access. The development team argues that certain containers need to modify kernel parameters. Which security best practice should be recommended to minimize risk while allowing necessary kernel adjustments?

A. Set the container security context to add only the necessary Linux capabilities, e.g., CAP_SYS_ADMIN
B. Set the container to privileged: false and add the SYS_ADMIN capability only for containers that need it
C. Run the container as root user but remove the CAP_SYS_ADMIN capability
D. Drop all Linux capabilities and run the container as a non-root user
Answer: A

This grants only the required capabilities, reducing the attack surface compared to privileged mode.

Why this answer

Option A is correct because it follows the principle of least privilege by granting only the specific Linux capability (CAP_SYS_ADMIN) needed to modify kernel parameters, rather than full privileged access. In Kubernetes (used by Cisco Container Platform), a security context with `capabilities.add: ['SYS_ADMIN']` allows the container to perform privileged operations like sysctl modifications without exposing the host or other containers to the broader risks of privileged mode.

Exam trap

Cisco often tests the distinction between privileged mode and individual capabilities, where candidates mistakenly think setting `privileged: false` is required alongside capability addition, or that running as root is necessary for kernel modifications.

How to eliminate wrong answers

Option B is wrong because setting `privileged: false` is redundant when adding SYS_ADMIN capability; the security context already defaults to non-privileged, and the phrasing implies a separate privileged flag is needed, which is not the case. Option C is wrong because running as root user with CAP_SYS_ADMIN removed would prevent the container from modifying kernel parameters, directly contradicting the requirement. Option D is wrong because dropping all capabilities and running as non-root would completely block any kernel parameter changes, failing to meet the development team's need.

834
MCQ · easy

A developer is writing a Python script to interact with a Cisco device using RESTCONF. The script sends a PUT request to modify an interface configuration. Which HTTP response code indicates that the resource was successfully created?

A. 404 Not Found
B. 201 Created
C. 200 OK
D. 204 No Content
Answer: B

201 Created indicates the resource was successfully created.

Why this answer

In RESTCONF, a successful PUT request that creates a new resource returns HTTP 201 Created. This aligns with RFC 8040, where PUT can be used for both creation and replacement; the 201 response specifically indicates the resource did not exist before and was created by the request.

Exam trap

Cisco often tests the subtle difference between 200 OK (successful operation with response body) and 201 Created (successful creation of a new resource), leading candidates to mistakenly choose 200 OK when the question explicitly asks about resource creation.

How to eliminate wrong answers

Option A is wrong because 404 Not Found indicates the requested resource does not exist at the URI, not a successful creation. Option C is wrong because 200 OK is typically returned for successful GET, PUT, or POST operations that return a representation of the resource, but it does not specifically signal that a new resource was created. Option D is wrong because 204 No Content is used when the server successfully processes a request but returns no response body, often for DELETE operations or PUT updates that do not return content, not for resource creation.

835
MCQ · hard

Based on the exhibit, what is the most likely reason for the connection timeout?

A. The URL is incorrect; the correct endpoint is /api/system/v1/auth/token
B. The username and password are invalid, causing the server to drop the connection
C. The verify=False parameter causes SSL handshake failure and timeout
D. The network is not able to reach the sandbox server due to firewall or DNS issues
Answer: D

Connection timeout indicates network unreachability.

Why this answer

The connection timeout indicates that the client cannot establish a TCP connection to the server at all. This is most likely caused by a network-level issue such as a firewall blocking the port or DNS resolution failure, which prevents the HTTP request from reaching the sandbox server. Options A, B, and C would produce different HTTP error responses (e.g., 404, 401, or SSL certificate errors), not a timeout.

Exam trap

Cisco often tests the distinction between network-level failures (timeout) and application-level errors (HTTP status codes), trapping candidates who confuse a timeout with authentication or SSL issues.

How to eliminate wrong answers

Option A is wrong because an incorrect URL would result in an HTTP 404 Not Found error, not a connection timeout. Option B is wrong because invalid credentials would return an HTTP 401 Unauthorized response after the TCP connection is established, not a timeout. Option C is wrong because the verify=False parameter disables SSL certificate verification; it does not cause an SSL handshake failure—rather, it allows the handshake to proceed even with an invalid certificate, so a timeout would not occur from this parameter alone.

836
MCQ · easy

Refer to the exhibit. An Ansible playbook is intended to set the description on GigabitEthernet0/1. However, the playbook fails because the device does not have that interface. What is the most likely reason?

A. The module requires gather_facts to be yes
B. The hosts group is incorrect
C. The lines attribute is misconfigured
D. The specified interface does not exist on the device
Answer: D

If the interface is not present, the module cannot apply configuration under it.

Why this answer

Option D is correct because the playbook explicitly targets GigabitEthernet0/1 using the `interface` attribute under `lines`, and the error indicates the device does not have that interface. Ansible's ios_config module will fail if the specified interface does not exist on the device, as it cannot apply configuration to a non-existent logical or physical interface.

Exam trap

Cisco often tests the distinction between a syntactically correct playbook and a playbook that fails due to device-specific constraints, such as a non-existent interface, to see if candidates confuse configuration syntax errors with device state issues.

How to eliminate wrong answers

Option A is wrong because `gather_facts` is not required for the ios_config module to work; it is optional and only collects device facts, not a prerequisite for configuring interfaces. Option B is wrong because the hosts group being incorrect would cause a connection failure or no matching hosts, not a specific error about a missing interface on a reachable device. Option C is wrong because the `lines` attribute is correctly structured with the `interface GigabitEthernet0/1` line and the `description` line; the misconfiguration is not in the syntax of `lines` but in the target interface name.

837
MCQ · medium

During a CI/CD pipeline, a security scan reveals that a Docker image contains a vulnerability in a base layer. Which action BEST addresses the issue?

A. Disable the security scanner to avoid false positives.
B. Rebuild the image using an updated base image from a trusted registry.
C. Implement run-time security monitoring to detect exploitation.
D. Add an exception to the vulnerability report.
Answer: B

Fixes the vulnerability by updating the base image.

Why this answer

Option B is correct because the vulnerability exists in the base layer of the Docker image, which is immutable once built. The only way to eliminate the vulnerability is to rebuild the image using an updated base image from a trusted registry (e.g., Docker Hub official images or a private registry with patched images). This ensures the vulnerable packages are replaced with patched versions at the OS or application level, directly addressing the root cause.

Exam trap

Cisco often tests the distinction between detection/monitoring (options C and D) and actual remediation (option B), trapping candidates who think run-time monitoring or ignoring the report is sufficient to address a build-time vulnerability.

How to eliminate wrong answers

Option A is wrong because disabling the security scanner does not fix the vulnerability; it only hides the issue, violating security best practices and potentially leading to exploitation in production. Option C is wrong because run-time security monitoring (e.g., Falco or AppArmor) can detect exploitation attempts but does not remove the vulnerability from the image; the vulnerable base layer remains and can still be exploited if the monitoring fails or is bypassed. Option D is wrong because adding an exception to the vulnerability report ignores the risk; it does not remediate the vulnerability and may violate compliance requirements (e.g., PCI DSS) that mandate patching known vulnerabilities.

838
Multi-Select · easy

Which TWO statements are correct about Ansible inventory files? (Select exactly 2.)

Select 2 answers
A. Inventory files can be written in YAML format
B. Inventory files cannot contain variables for individual hosts
C. Inventory files must be in INI format only
D. Inventory files can define groups of devices
E. An inventory file can include a [vars] section to define group variables
Answers: A, D

Why this answer

Ansible inventory files define the hosts and groups that Ansible manages. They can be written in YAML format, which is a human-readable data serialization language that Ansible supports alongside the traditional INI format. This flexibility allows users to choose the format that best suits their automation needs, with YAML being particularly useful for complex inventories due to its support for structured data.

Exam trap

Cisco often tests the misconception that Ansible inventory files are limited to INI format, but the exam expects you to know that YAML is also a valid format, and that `[vars]` is not a standard section in Ansible inventories (group variables are handled differently).

839
MCQ · medium

A developer is exploring YANG models on yangcatalog.org. They want to find a standard model for interface configuration that is vendor-neutral. Which model should they look for?

A. Cisco-NX-OS-device
B. oc-interfaces
C. ietf-interfaces
D. Cisco-IOS-XE-native
Answer: B

OpenConfig models are vendor-neutral.

Why this answer

OpenConfig models are vendor-neutral. oc-interfaces is the OpenConfig model for interfaces.

840
MCQ · hard

A NETCONF manager sends a get-config request to a Cisco device and receives the above reply. The automation script expected the interface to be enabled. Which of the following is the best course of action to remediate the issue?

A. Send an rpc to reboot the device
B. Use CLI to enable the interface manually
C. Send an edit-config request with <enabled>true</enabled> for the interface
D. Send a get request again
Answer: C

This changes the configuration to enable the interface.

Why this answer

Option C is correct because NETCONF uses the edit-config operation to modify device configuration programmatically. Since the automation script detected that the interface is disabled (enabled state is false), sending an edit-config request with <enabled>true</enabled> for that interface directly remediates the issue by setting the operational state to enabled, aligning with the expected state without manual intervention.

Exam trap

Cisco often tests the distinction between read-only operations (get, get-config) and write operations (edit-config), and the trap here is that candidates may think re-querying the device (Option D) or using CLI (Option B) is acceptable, when the correct approach is to use the appropriate NETCONF operation to modify the configuration programmatically.

How to eliminate wrong answers

Option A is wrong because rebooting the device via an rpc is an extreme, unnecessary action that does not specifically enable the interface and would cause service disruption. Option B is wrong because using CLI to enable the interface manually defeats the purpose of automation and NETCONF's programmatic management, and it is not a scalable or scripted solution. Option D is wrong because sending a get request again would only retrieve the current configuration again, not change the disabled state of the interface.

841
MCQ · medium

A network engineer is developing a Python application that uses the Cisco Meraki Dashboard API. The API responses are in JSON format. Which Python module is most commonly used to parse JSON responses?

A. csv
B. yaml
C. json
D. xml
Answer: C

The json module provides methods for parsing JSON strings and converting Python objects to JSON.

Why this answer

The `json` module is the standard Python library for parsing JSON data, which is the format used by the Cisco Meraki Dashboard API responses. It provides `json.loads()` to convert a JSON string into a Python dictionary and `json.load()` to read from a file, making it the correct and most commonly used choice for handling API responses in JSON format.

Exam trap

Cisco often tests the candidate's familiarity with the specific Python module name for JSON parsing, and the trap here is that candidates may confuse the `json` module with other data interchange formats like YAML or XML, which are also used in networking but not for Meraki API responses.

How to eliminate wrong answers

Option A is wrong because the `csv` module is designed for parsing Comma-Separated Values, not JSON, and would fail to handle nested objects or arrays typical in API responses. Option B is wrong because the `yaml` module is used for YAML format, which is a different serialization standard (YAML 1.2) and not the native format of Meraki API responses. Option D is wrong because the `xml` module handles XML data, which uses a different syntax (tags and attributes) compared to JSON's key-value pairs and is not the default response format for the Meraki Dashboard API.

842
MCQ · easy

A team is using Python scripts with netmiko to back up configurations from a large number of network devices. What is the primary advantage of using netmiko over direct paramiko for this task?

A. Netmiko supports only Cisco devices
B. Netmiko uses REST API instead of SSH
C. Netmiko is faster than paramiko
D. Netmiko simplifies the handling of device-specific prompts and command output
Answer: D

Netmiko abstracts away the complexities of different device interactions.

Why this answer

Netmiko is built on top of Paramiko but adds a higher-level abstraction layer that automatically handles device-specific prompt detection, command output parsing, and SSH session management. This simplifies the backup process across heterogeneous devices by eliminating the need to manually write code for each device's unique prompt patterns and command responses.

Exam trap

Cisco often tests the misconception that Netmiko is a faster alternative to Paramiko, when in reality the advantage is about abstraction and ease of use, not raw performance.

How to eliminate wrong answers

Option A is wrong because Netmiko supports a wide range of vendors (Cisco, Juniper, Arista, HP, etc.), not just Cisco devices. Option B is wrong because Netmiko uses SSH (via Paramiko) for network device access, not REST API; REST API is a separate paradigm used with tools like requests or ncclient. Option C is wrong because Netmiko is not inherently faster than Paramiko; it adds overhead for prompt handling and session management, and performance depends on network latency and device responsiveness, not the library itself.

843
Multi-Select · easy

Which TWO of the following are HTTP methods used for creating or updating resources in REST APIs? (Select TWO)

Select 3 answers
A. DELETE
B. PUT
C. POST
D. GET
E. PATCH
Answers: B, C, E

PUT is used to replace a resource entirely.

Why this answer

POST is used to create, PUT to fully replace, and PATCH to partially update. GET retrieves, DELETE removes.

844
MCQ · hard

A developer is designing a microservices architecture where services need to discover each other using DNS. The team wants to map a service name 'payment-service.example.com' to its IPv6 address. Which DNS record type should be used?

A. PTR record
B. AAAA record
C. A record
D. CNAME record
Answer: B

AAAA record maps a hostname to an IPv6 address.

Why this answer

The AAAA record (Quad-A) is the correct DNS record type for mapping a hostname to an IPv6 address, as defined in RFC 3596. Since the requirement is specifically to resolve 'payment-service.example.com' to an IPv6 address, the AAAA record is the appropriate choice.

Exam trap

Cisco often tests the distinction between A and AAAA records, and the trap here is that candidates may confuse the AAAA record with the A record or incorrectly think a CNAME can resolve to an IP address directly.

How to eliminate wrong answers

Option A is wrong because a PTR record is used for reverse DNS lookups (mapping an IP address to a hostname), not for forward resolution of a hostname to an IPv6 address. Option C is wrong because an A record maps a hostname to an IPv4 address, not an IPv6 address. Option D is wrong because a CNAME record creates an alias from one hostname to another canonical hostname, and does not directly provide an IP address mapping.

845
MCQ · medium

A DevOps team is building a CI/CD pipeline that configures Cisco NX-OS switches. They want to use model-driven telemetry to stream operational data. Which protocol should they use for on-change telemetry?

A. SSH
B. gRPC
C. HTTP
D. SNMP
Answer: B

gRPC is used for model-driven telemetry.

Why this answer

gRPC (Google Remote Procedure Call) is the correct protocol for on-change telemetry on Cisco NX-OS because it supports a publish-subscribe model where the switch pushes data only when a monitored value changes, reducing bandwidth and CPU overhead. This is defined in the Cisco MDT (Model-Driven Telemetry) framework, which uses gRPC with Protobuf encoding for efficient streaming of YANG-modeled operational data.

Exam trap

Cisco often tests the distinction between push-based (gRPC) and pull-based (SNMP, HTTP) protocols, trapping candidates who confuse SNMP traps (which are event-driven but not model-driven) with true on-change telemetry.

How to eliminate wrong answers

Option A (SSH) is wrong because SSH is a secure shell protocol used for CLI access and command execution, not for streaming telemetry; it lacks the push-based, subscription-driven mechanism required for on-change telemetry. Option C (HTTP) is wrong because HTTP is a request-response protocol that requires polling, which is inefficient for real-time on-change updates and does not natively support the bidirectional streaming or Protobuf encoding used in Cisco MDT. Option D (SNMP) is wrong because SNMP is a pull-based protocol that relies on polling or traps, but traps are event-driven and not designed for the structured, model-driven, on-change streaming of YANG-modeled data that gRPC provides.

846
Multi-Select · easy

Which TWO of the following are true about REST API design principles?

Select 2 answers
A. PATCH is used for full replacement of a resource
B. GET requests should not change state
C. POST requests should be idempotent
D. DELETE responses must always contain a body
E. PUT can be used for both creation and update of resources
Answers: B, E

GET is intended to retrieve data without side effects.

Why this answer

B is correct because REST APIs are designed to be stateless, and GET requests are defined as safe methods in RFC 7231. A safe method does not alter server state; it only retrieves data. Therefore, a GET request should never trigger side effects like creating or modifying resources.

Exam trap

Cisco often tests the distinction between idempotency and safety, and the trap here is confusing PATCH with PUT or assuming POST must be idempotent like PUT.

847
Multi-Select · medium

A DevOps engineer is configuring a CI/CD pipeline that uses Cisco DNA Center API to deploy network configurations. Which two best practices should be followed? (Choose two.)

Select 2 answers
A. Use a single API call for all changes
B. Disable SSL verification for faster execution
C. Store API credentials in environment variables
D. Implement retry logic for API calls
E. Use hardcoded API keys in scripts
Answers: C, D

Keeps secrets out of code and version control.

Why this answer

Storing API credentials in environment variables (Option C) is a security best practice because it prevents hardcoding secrets in source code, which could be exposed in version control. This approach aligns with the principle of least privilege and is recommended for CI/CD pipelines interacting with Cisco DNA Center API, as it allows credentials to be managed externally and rotated without code changes.

Exam trap

Cisco often tests the misconception that disabling SSL verification speeds up execution, but in reality, the overhead is negligible, and the security risk makes it unacceptable in any production pipeline.

848
MCQ · hard

A developer is integrating a Webex Teams bot with an external system using the Webex API. The bot receives an HTTP POST callback from Webex every time a message is posted in a monitored space. The developer notices that sometimes the callback includes a 'data' object with 'actorId', but other times the 'actorId' is missing. The bot needs to log the identity of the person who posted the message. What should the developer do to reliably obtain the sender's identity?

A. Request additional OAuth scopes to include the actorId in the callback payload.
B. Filter callbacks by the verb 'posted' to ensure the actorId is included.
C. Use the 'createdBy' field from the message details API as a fallback when 'actorId' is missing.
D. Check the 'resource' field in the callback to determine if it is a 'messages' event; only messages events include actorId.
Answer: D

The resource field indicates the object type; actorId is always present for messages events.

Why this answer

Option D is correct because the Webex API callback payload includes the 'actorId' only for certain event types. Specifically, when the 'resource' field is 'messages' and the 'event' field is 'created', the 'actorId' is guaranteed to be present, representing the user who posted the message. Filtering by the 'resource' field ensures the bot processes only message creation events, reliably obtaining the sender's identity.

Exam trap

Cisco often tests the distinction between webhook callback payload fields (like 'resource' and 'event') versus API response fields, leading candidates to confuse the callback structure with the API data model.

How to eliminate wrong answers

Option A is wrong because OAuth scopes control access to API endpoints, not the structure of webhook callback payloads; the 'actorId' is included based on the event type, not scopes. Option B is wrong because the 'verb' field does not exist in Webex webhook callbacks; the relevant field is 'event', and filtering by 'event' as 'created' alone does not guarantee 'actorId' is present—it depends on the 'resource' type. Option C is wrong because the 'createdBy' field is not a standard field in the Webex Messages API; the correct field to retrieve the sender is 'personId' or 'personEmail' via a GET request to the messages endpoint, and using a non-existent field as a fallback would fail.

849
MCQ · medium

When using the Cisco Meraki Dashboard API with pagination, the Link header in the response contains <https://api.meraki.com/api/v1/organizations?perPage=10&startingAfter=123>; rel="next". What does this indicate?

A. The API uses offset-based pagination and the next offset is 123.
B. The request should be retried after 123 seconds.
C. The response is limited to 10 items, and 123 items remain.
D. The API uses cursor-based pagination; the next page can be retrieved using the provided URL.
Answer: D

Link header with next indicates next page URL.

Why this answer

The Link header with rel="next" provides the URL for the next page of results; cursor-based pagination is used via startingAfter.

850
MCQ · easy

Which of the following best describes the purpose of a unit test in software development?

A. To check the performance of the application under load
B. To test individual functions or methods in isolation
C. To verify that different modules work together correctly
D. To test the entire system from end to end
Answer: B

Unit tests focus on the smallest testable parts of an application.

Why this answer

Unit tests focus on verifying the correctness of the smallest testable parts of an application, such as individual functions or methods, in complete isolation from dependencies (e.g., using mocks or stubs). This ensures that each unit of code behaves as expected under controlled conditions, which is a foundational practice in test-driven development (TDD) and continuous integration pipelines. In the context of the 200-901 exam, understanding unit testing is critical for validating code quality in Cisco platforms like Cisco DNA Center or Meraki API integrations.

Exam trap

Cisco often tests the distinction between unit, integration, and end-to-end testing by presenting scenarios where a candidate confuses 'testing in isolation' with 'testing with real dependencies,' leading them to incorrectly select integration or E2E testing options.

How to eliminate wrong answers

Option A is wrong because it describes a performance or load test, which measures system behavior under stress (e.g., using tools like JMeter or Locust), not the isolated verification of individual code units. Option C is wrong because it describes integration testing, which validates interactions between modules (e.g., API contracts or database connections), not isolated function-level checks. Option D is wrong because it describes end-to-end (E2E) testing, which exercises the entire system stack (e.g., UI to database) to simulate real user workflows, not the granular, isolated testing of a single function or method.

851
MCQ · medium

A developer is using Git to manage automation code. What is the primary advantage of using 'rebase' instead of 'merge' to integrate changes from a feature branch into the main branch?

A. Rebase automatically resolves all conflicts
B. Rebase is faster than merge
C. Rebase preserves the exact commit timestamps
D. Rebase results in a linear project history
Answer: D

Rebase replays commits on top of the base branch, resulting in a linear history.

Why this answer

Option D is correct because `git rebase` rewrites the commit history of the feature branch to appear as if it was branched from the latest commit on the main branch, resulting in a linear, clean project history. This avoids the merge commits that `git merge` creates, making the commit log easier to follow and debug. The primary advantage is not speed or conflict resolution, but a streamlined, non-branching history.

Exam trap

Cisco often tests the misconception that rebase is faster or automatically resolves conflicts, when in fact its true advantage is creating a linear history, which is critical for audit trails and debugging in automation workflows.

How to eliminate wrong answers

Option A is wrong because rebase does not automatically resolve conflicts; it replays each commit one by one, and if a conflict occurs, the developer must resolve it manually for each commit. Option B is wrong because rebase is not inherently faster than merge; in fact, rebase can be slower due to rewriting commits and requiring conflict resolution per commit, whereas merge creates a single merge commit. Option C is wrong because rebase does not preserve exact commit timestamps; it creates new commits with new timestamps (the time of the rebase operation), while merge retains the original commit timestamps.

852
MCQ · hard

A team is building a CI/CD pipeline for network automation. They want to use Cisco Modeling Labs (CML) to validate configuration changes before production. What is the best approach to integrate CML into the pipeline?

A. Use the pyATS framework to connect to CML and run tests
B. Create a permanent topology in CML for each branch
C. Use Ansible to provision CML nodes directly
D. Use CML's REST API to start a simulation, apply changes, run tests, then tear down
Answer: D

Dynamically starting and stopping simulations ensures clean, isolated testing.

Why this answer

D is correct because CML provides a REST API that allows programmatic lifecycle management of simulations. Integrating this API into a CI/CD pipeline enables the pipeline to dynamically create an isolated test environment, apply configuration changes, run validation tests, and then tear down the simulation to free resources. This approach ensures repeatability, isolation, and efficient resource usage, which are critical for automated network validation.

Exam trap

Cisco often tests the distinction between tools that manage device configuration (Ansible, pyATS) versus tools that manage the simulation environment itself (CML API), leading candidates to pick a tool they know well instead of the correct integration method.

How to eliminate wrong answers

Option A is wrong because pyATS is a test automation framework that can connect to network devices to run tests, but it does not manage CML simulation lifecycles; it would require the simulation to already be running and accessible. Option B is wrong because creating a permanent topology for each branch wastes CML resources and defeats the purpose of ephemeral, on-demand test environments that CI/CD pipelines require. Option C is wrong because Ansible can provision and configure network devices, but it cannot directly control CML simulations; it would need to interact with CML's API or use a module that wraps the API, making the direct statement inaccurate.

853
MCQ · easy

When designing a REST API endpoint to update a network device's configuration, which HTTP method should be used?

A. POST
B. DELETE
C. PUT
D. PATCH
Answer: C

PUT replaces or updates the entire resource at the specified URI.

Why this answer

PUT is the correct HTTP method for updating a network device's configuration because it is idempotent and replaces the entire resource at the specified URI. In RESTful design, PUT is used to update or create a resource when the client sends a full representation of the resource, which aligns with replacing the entire device configuration.

Exam trap

Cisco often tests the distinction between PUT and PATCH, where candidates mistakenly choose PATCH because they think 'update' always implies partial changes, but the question's context of 'updating a network device's configuration' typically means replacing the entire configuration, making PUT the correct choice.

How to eliminate wrong answers

Option A is wrong because POST is used to create a new resource or submit data to be processed, not to update an existing resource; it is non-idempotent and would typically create a new configuration entry rather than replace the current one. Option B is wrong because DELETE is used to remove a resource entirely, which would delete the device's configuration, not update it. Option D is wrong because PATCH is used for partial updates to a resource, applying a set of changes rather than replacing the entire configuration; while it could update a configuration, the question specifies updating a network device's configuration (implying a full replacement), making PUT the more appropriate and standard choice.

854
Multi-Select · medium

A developer is deploying a containerized application with Docker Compose. The application requires environment variables for database credentials that should not be hardcoded in the docker-compose.yml file. Which two methods securely provide these credentials? (Choose two.)

Select 2 answers
A. Use a public registry to store the credentials.
B. Hardcode the credentials in the docker-compose.yml under environment.
C. Use an .env file and add it to .gitignore, then reference it with env_file in the service.
D. Define the variables in the environment block of docker-compose.yml, with values from shell variables using ${VAR} syntax.
E. Store the credentials in the Docker image during build.
Answers: C, D

.env file with env_file keeps secrets out of version control.

Why this answer

Option C is correct because using an `.env` file allows you to externalize sensitive environment variables (like database credentials) from the `docker-compose.yml` file. By adding the `.env` file to `.gitignore`, you prevent it from being committed to version control, thus keeping credentials secure. The `env_file` directive in the service definition loads these variables at runtime without exposing them in the compose file.

Exam trap

Cisco often tests the distinction between compile-time (build) and runtime injection of secrets, and the trap here is that candidates may think storing credentials in the Docker image (Option E) is acceptable, not realizing that image layers are persistent and can be inspected by anyone with access to the image.

855
MCQ · easy

Which HTTP method should be used to replace an entire existing resource in a RESTful API?

A. POST
B. PUT
C. PATCH
D. DELETE
Answer: B

PUT replaces the entire resource at the target URL.

Why this answer

PUT is the correct HTTP method for replacing an entire existing resource in a RESTful API because it is defined as idempotent in RFC 7231, meaning the client sends a full representation of the resource to replace the current state at the target URI. Unlike POST, PUT is intended for full updates where the client specifies the URI and the server replaces the resource entirely with the provided payload.

Exam trap

Cisco often tests the distinction between PUT and PATCH, trapping candidates who confuse 'update' with 'replace' and incorrectly choose PATCH for full resource replacement.

How to eliminate wrong answers

Option A is wrong because POST is used to create a new subordinate resource or trigger a non-idempotent action, not to replace an existing resource. Option C is wrong because PATCH applies a partial modification to a resource using a diff or set of changes, not a full replacement. Option D is wrong because DELETE removes the resource entirely, which is the opposite of replacing it.

856
Multi-Select · medium

Which THREE of the following are direct benefits of using version control in software development?

Select 3 answers
A. Traceability of changes
B. Automated testing integration
C. Eliminates syntax errors
D. History and rollback capabilities
E. Collaboration among team members
Answers: A, D, E

Version control tracks who made what change and when, providing an audit trail.

Why this answer

Option A is correct because version control systems (VCS) like Git track every commit with a unique SHA-1 hash, author, timestamp, and commit message. This creates a complete audit trail, allowing developers to trace exactly when, why, and by whom a specific change was introduced, which is critical for debugging and compliance.

Exam trap

Cisco often tests the distinction between direct features of a technology and indirect benefits enabled by external tools; here, the trap is confusing CI/CD integration (Option B) with a core VCS capability, or assuming VCS can fix code quality issues like syntax errors (Option C).

857
MCQ · medium

A developer is using the Meraki Dashboard API to programmatically change the SSID name of a wireless network. The developer successfully authenticates with an API key and sends a PUT request to /networks/{networkId}/wireless/ssids/{number} with a JSON body containing the updated name. The API returns a 200 OK response, but the SSID name does not change in the Meraki Dashboard. The developer double-checks the networkId and SSID number, and they are correct. The developer also confirms that the API key has full write access to the network. What additional step is most likely required?

A. After the PUT request, send a POST request to /networks/{networkId}/wireless/ssids/{number}/provision to apply the change.
B. Use a PATCH request instead of PUT to update the SSID.
C. Log out of the Meraki Dashboard and re-login to see the change.
D. Regenerate the API key and try again with the new key.
Answer: A

Some Meraki SSID changes require a separate provision API call to take effect.

Why this answer

The Meraki Dashboard API requires an explicit provisioning step to apply configuration changes to SSIDs. After a successful PUT request to update the SSID name, the developer must send a POST request to /networks/{networkId}/wireless/ssids/{number}/provision to push the change to the access points. The 200 OK response only confirms the API accepted the update, but the change is not applied until the provisioning endpoint is called.

Exam trap

Cisco often tests the misconception that a 200 OK response from a PUT request means the change is fully applied, when in fact the Meraki API requires an additional provisioning step to push the configuration to devices.

How to eliminate wrong answers

Option B is wrong because the Meraki Dashboard API supports PUT for full resource updates, and PATCH is not required; the issue is not the HTTP method but the missing provisioning step. Option C is wrong because logging out and back into the Meraki Dashboard does not trigger the provisioning of SSID changes; the API change must be explicitly applied via the provision endpoint. Option D is wrong because the API key has full write access and the authentication is successful; regenerating the key does not address the missing provisioning call.

858
MCQ · medium

Which Docker command is used to view the logs of a running container in real-time?

A. docker exec -it <container> tail -f /var/log/app.log
B. docker logs -f <container>
C. docker attach <container>
D. docker logs <container>
Answer: B

The -f flag follows log output in real-time.

Why this answer

docker logs -f follows the log output, similar to tail -f.

859
Multi-Select · hard

A network engineer is analyzing traffic and needs to identify which applications use UDP. Which three applications commonly use UDP as their transport protocol? (Choose three.)

Select 3 answers
A. DHCP
B. SSH
C. SMTP
D. DNS
E. NTP
Answers: A, D, E

DHCP uses UDP for client-server communication.

Why this answer

DHCP (Dynamic Host Configuration Protocol) uses UDP as its transport protocol because it relies on connectionless, best-effort delivery for broadcasting IP configuration requests and offers. DHCP clients send discovery messages to UDP port 67 (server) and servers respond to UDP port 68 (client), avoiding the overhead of TCP's connection establishment, which is unnecessary for transient broadcast-based transactions.

Exam trap

Cisco often tests the distinction between control plane protocols (like DHCP, DNS, NTP) that use UDP for efficiency versus management or data transfer protocols (like SSH, SMTP) that require TCP's reliability, leading candidates to mistakenly associate all 'important' traffic with TCP.

860
MCQ · medium

A user reports that they can ping the IP address of the default gateway but cannot ping a server on a different subnet. The administrator checks the ARP table on the user's PC and sees an incomplete entry for the server's IP. What is the most likely cause?

A. There is an IP address conflict on the network.
B. Spanning Tree Protocol is blocking the port on the switch.
C. The PC is not configured with a default gateway.
D. A firewall is blocking ICMP packets between subnets.
Answer: C

Without a default gateway, the PC tries to ARP for the server directly.

Why this answer

The user can ping the default gateway, confirming that the PC has local connectivity and a correctly configured IP address and subnet mask. However, the incomplete ARP entry for the server's IP indicates that the PC cannot resolve the server's MAC address, which is required to send frames to a different subnet. Without a default gateway configured, the PC will not send ARP requests for remote hosts to the router; instead, it will attempt to ARP for the server directly, which fails because the server is on a different broadcast domain.

Exam trap

Cisco often tests the distinction between Layer 2 (ARP) and Layer 3 (routing) failures, and the trap here is that candidates assume a firewall or STP is blocking traffic, when the real issue is the PC's lack of a default gateway preventing it from even attempting to reach the remote subnet via ARP for the router.

How to eliminate wrong answers

Option A is wrong because an IP address conflict would typically cause intermittent connectivity or duplicate IP warnings, not a specific incomplete ARP entry for a remote server while local connectivity works. Option B is wrong because Spanning Tree Protocol (STP) blocking a switch port would prevent all traffic through that port, including pings to the default gateway, which the user can still reach. Option D is wrong because a firewall blocking ICMP between subnets would cause ping failures but would not result in an incomplete ARP entry on the PC; ARP operates at Layer 2 and is not affected by Layer 3 firewalls.

861
MCQ · medium

An Ansible playbook using the ios_config module fails with the error 'unable to open connection'. The network device is reachable via SSH from the Ansible control node. What is the most likely cause?

A. The device has an invalid username and password
B. The Ansible user does not have privilege level 15 on the device
C. The SSH key exchange algorithm is not supported by the device
D. The ios_config module requires NETCONF instead of SSH
Answer: C

Unsupported key exchange algorithm causes SSH connection failure.

Why this answer

The error 'unable to open connection' indicates that Ansible cannot establish an SSH session with the device, even though the device is reachable. Since the device is reachable via SSH from the control node, the most likely cause is a mismatch in SSH key exchange algorithms, where the device only supports older algorithms (e.g., diffie-hellman-group1-sha1) that are not enabled by default in modern SSH clients. This is a common issue when connecting to legacy Cisco IOS devices that lack updated SSH configurations.

Exam trap

Cisco often tests the distinction between SSH transport errors (key exchange, ciphers) and authentication/authorization errors, leading candidates to incorrectly blame credentials or privilege levels when the actual issue is a cryptographic algorithm mismatch.

How to eliminate wrong answers

Option A is wrong because invalid username/password would typically produce an 'Authentication failed' or 'Permission denied' error, not 'unable to open connection', which occurs before authentication. Option B is wrong because privilege level 15 is required for executing configuration commands, not for establishing the SSH connection itself; a lower privilege level would cause a different error like 'privilege level is not sufficient'. Option D is wrong because the ios_config module uses SSH (via CLI) by default, not NETCONF; NETCONF is used by the ios_netconf module, and the error message is specific to SSH connection failure.

862
MCQ · medium

A developer is writing a web application and wants to prevent SQL injection attacks. Which coding practice should be followed when constructing SQL queries?

A. Use parameterized queries with prepared statements
B. Use stored procedures exclusively
C. Encode user input with base64 before inserting into SQL
D. Concatenate user input directly into SQL statements
Answer: A

Parameterized queries safely separate SQL logic from data.

Why this answer

Using parameterized queries ensures that user input is treated as data, not executable code, preventing SQL injection.

863
Multi-Select · medium

Which TWO Kubernetes resources are used to provide configuration data to pods? (Choose TWO.)

Select 2 answers
A. Secret
B. PersistentVolumeClaim
C. ConfigMap
D. Deployment
E. Service
Answers: A, C

Secret stores sensitive data like passwords or API keys.

Why this answer

ConfigMap for non-sensitive data and Secret for sensitive data are both used to inject configuration into pods.

864
MCQ · medium

A university campus network uses Cisco switches with 802.1X for wired authentication. Recently, users in a dormitory report intermittent connectivity: they can connect initially but are disconnected after a few minutes. The network team checks the switch logs and sees messages like 'Authentication failure for MAC address xxxx.xxxx.xxxx on port GigabitEthernet1/0/5' but the users claim they are using valid credentials. The same users can connect from other ports without issues. The port configuration for Gi1/0/5 is: switchport mode access, authentication port-control auto, dot1x pae authenticator, authentication periodic, authentication timer reauthenticate 3600. The team suspects a misconfiguration. What is the most likely cause of the intermittent disconnections?

A. The port is a trunk port but configured as access, causing VLAN mismatch
B. The port is configured in multi-auth host mode, causing conflicts
C. The 'authentication periodic' command forces reauthentication every 3600 seconds, and the client fails to reauthenticate
D. The switch is using MAC authentication bypass (MAB) as a fallback, which fails for some devices
Answer: C

Periodic reauthentication can cause disconnections if client fails.

Why this answer

The 'authentication periodic' command enables periodic reauthentication, and the 'authentication timer reauthenticate 3600' sets the interval to 3600 seconds (1 hour). However, the logs show authentication failures occurring much sooner than 3600 seconds, indicating that the client is failing reauthentication attempts triggered by other events (e.g., a new supplicant attempt or a reauthentication due to a port state change). The intermittent disconnections are caused by the client failing to reauthenticate when the switch initiates a new authentication exchange, likely due to a mismatch in EAP method or credential caching issues.

Exam trap

Cisco often tests the subtle behavior of 'authentication periodic' and 'authentication timer reauthenticate' — candidates mistakenly think the timer is the only trigger for reauthentication, but the switch can also reauthenticate due to link state changes or new supplicant attempts, and a failure during any reauthentication causes immediate disconnection.

How to eliminate wrong answers

Option A is wrong because the port is configured as 'switchport mode access', which is correct for an end-user device; a trunk port would not be used for a dormitory user, and VLAN mismatch would cause persistent connectivity failure, not intermittent disconnections. Option B is wrong because 'multi-auth host mode' allows multiple devices on a single port, but the logs show a single MAC address failing authentication, and the port configuration does not include 'authentication host-mode multi-auth', so this is not the issue. Option D is wrong because MAC authentication bypass (MAB) is a fallback method used when 802.1X fails, but the logs explicitly show 'Authentication failure' for 802.1X, not MAB; MAB would appear as a separate log entry and would not cause intermittent disconnections if the client initially authenticates successfully.

865
MCQ · medium

A network automation script uses the requests library to retrieve device information from a REST API. The API requires authentication via a bearer token. Which code example correctly sets the Authorization header?

A. headers = {'Authorization': 'Token ' + token}
   response = requests.get(url, headers=headers)
B. response = requests.get(url, headers={'Authorization': token})
C. headers = {'Authorization': 'Bearer ' + token}
   response = requests.get(url, headers=headers)
D. response = requests.get(url, auth=('Bearer', token))
Answer: C

Correct usage of Bearer token authentication.

Why this answer

Option C is correct because it constructs the Authorization header using the 'Bearer' scheme, which is the standard method for passing OAuth 2.0 bearer tokens in HTTP requests. The requests library requires the header to be explicitly set as a dictionary, and the token must be prefixed with 'Bearer ' to comply with RFC 6750.

Exam trap

Cisco often tests the distinction between the 'Bearer' scheme and other authentication methods, and the trap here is that candidates confuse the auth parameter (which only supports Basic/Digest) with the need to manually set the Authorization header for bearer tokens.

How to eliminate wrong answers

Option A is wrong because it uses 'Token ' as the scheme prefix instead of 'Bearer ', which is the correct scheme for bearer tokens per OAuth 2.0 (RFC 6750). Option B is wrong because it passes only the token value without any scheme prefix, which will cause the API to reject the request as malformed. Option D is wrong because the requests library's auth parameter expects a tuple of (username, password) for Basic authentication, not a bearer token scheme.

866
MCQ · hard

A developer is writing a Python script that processes a large CSV file. The script uses 'with open(file, 'r') as f' to read the file. Why is this approach preferred over calling f = open(file) and then f.close()?

A. It automatically closes the file when the block exits, even if an exception is raised.
B. It allows the file to be opened in both read and write mode simultaneously.
C. It reduces memory usage by loading the file in chunks.
D. It increases the speed of file operations.
Answer: A

The context manager guarantees cleanup, which is the main advantage.

Why this answer

Option A is correct because the 'with' statement in Python implements a context manager that automatically calls the file object's __exit__ method when the block exits, ensuring the file is closed even if an exception occurs. This prevents resource leaks and is the recommended pattern for file I/O in Python, as explicitly calling f.close() may be skipped if an exception is raised before the close call.

Exam trap

Cisco often tests the distinction between a language feature (context managers) and unrelated performance or mode characteristics, so candidates may incorrectly associate 'with' with speed or chunking rather than its core purpose of guaranteed cleanup.

How to eliminate wrong answers

Option B is wrong because the 'with open(file, 'r')' opens the file in read-only mode, not both read and write simultaneously; to open in both modes you would use 'r+' or 'w+'. Option C is wrong because the 'with' statement does not inherently load the file in chunks; memory usage depends on how the file is read (e.g., using f.read() vs iterating line by line), not on the context manager itself. Option D is wrong because the 'with' statement does not increase the speed of file operations; it provides deterministic cleanup but does not affect I/O performance.

867
MCQ · medium

Which OAuth 2.0 grant type is most appropriate for a server-to-server integration where no user interaction is required?

A. Implicit Grant
B. Client Credentials Grant
C. Authorization Code Grant
D. Password Grant
Answer: B

Used for machine-to-machine communication.

Why this answer

Client credentials grant is used for server-to-server authentication without user consent.

868
MCQ · hard

A developer is writing a Kubernetes Deployment YAML and wants to set a CPU limit of 500 millicores. Which of the following is the correct YAML snippet?

A. spec: containers: - resources: limit: cpu: "500m"
B. spec: containers: - resources: requests: cpu: "500m"
C. spec: containers: - resources: limits: cpu: "500m"
D. spec: containers: - resources: limits: cpu: 500m
Answer: D

Correct syntax: limits under resources, CPU as a string with 'm' suffix without quotes (YAML interprets as string).

Why this answer

Option D is correct because Kubernetes resource limits are specified under the `resources.limits` key, and CPU limits are expressed in millicores using the `m` suffix. The YAML must use correct indentation: `limits:` is a child of `resources:`, and `cpu: 500m` is a valid value (500 millicores = 0.5 CPU cores).

Exam trap

Cisco often tests the distinction between `limits` and `requests`, and the correct YAML indentation hierarchy, tricking candidates who confuse the two or misplace the `limits` key under `resources`.

How to eliminate wrong answers

Option A is wrong because it uses `limit:` (singular) instead of the correct plural `limits:`, and the indentation is incorrect—`limit` should be a child of `resources`, not a sibling. Option B is wrong because it sets a `requests` value, not a `limits` value; requests are for guaranteed minimum resources, not hard limits. Option C is wrong because `limits:` is incorrectly indented at the same level as `resources:`, making it a sibling rather than a child, which is invalid YAML structure.

869
MCQ · hard

Refer to the exhibit. A developer receives this response from Cisco DNA Center API. What is the most likely cause and solution?

A. The token is expired; generate a new one using /dna/system/api/v1/auth/token.
B. The API path is incorrect; verify the endpoint URL.
C. The request body is malformed; check JSON syntax.
D. The user does not have permission; request admin to grant access.
Answer: A

Correct diagnosis and solution.

Why this answer

The HTTP 401 Unauthorized response indicates that the request lacks valid authentication credentials. In Cisco DNA Center API, tokens are short-lived (default 1 hour) and must be refreshed via POST /dna/system/api/v1/auth/token. The error is not about the endpoint, body syntax, or RBAC permissions — it specifically means the token used is expired or invalid.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure) and 403 (authorization failure) — candidates confuse these two status codes, especially when the question involves API tokens.

How to eliminate wrong answers

Option B is wrong because a 401 error is an authentication issue, not a routing or endpoint issue; an incorrect API path would return a 404 Not Found. Option C is wrong because a malformed JSON body would return a 400 Bad Request, not 401. Option D is wrong because insufficient permissions (RBAC) would return a 403 Forbidden, not 401 Unauthorized.

870
MCQ · hard

A large enterprise operates a multi-vendor network with Cisco routers and switches, as well as Juniper devices. The network team uses Ansible for automation, with a centralized control node running RHEL. They have been using the 'ios_config' module for Cisco devices and 'junos_config' for Juniper devices. Recently, they added a new Cisco Catalyst 9300 switch to the network. They wrote a playbook to configure VLAN 100 on the switch, but the task fails with the error: 'module_stderr: Could not find platform module for Cisco IOS XE'. The playbook uses the 'cisco.ios.ios_config' module. The control node has the 'cisco.ios' collection installed (version 2.0.0). The target switch runs IOS XE 16.12.3. The control node can SSH to the switch successfully. Which action will most likely resolve the issue?

A. Upgrade the 'cisco.ios' Ansible collection to the latest version.
B. Configure the switch to allow SSH connections from the control node IP.
C. Use the 'raw' module instead of 'ios_config' to send CLI commands directly.
D. Install Python 3.8 on the control node and update the ansible.cfg to use it.
Answer: A

Older collection versions may lack support for newer IOS XE versions.

Why this answer

The error 'Could not find platform module for Cisco IOS XE' indicates that the installed 'cisco.ios' collection (version 2.0.0) does not include a module or plugin that supports the IOS XE platform for the target switch. Upgrading the collection to the latest version ensures compatibility with IOS XE 16.12.3, as newer releases add support for newer platforms and OS versions.

Exam trap

Cisco often tests the misconception that SSH connectivity or Python version is the root cause, when the real issue is a missing or outdated collection that lacks platform support for the specific OS version.

How to eliminate wrong answers

Option B is wrong because the control node can already SSH to the switch successfully, so SSH connectivity is not the issue. Option C is wrong because using the 'raw' module bypasses the structured module logic and would not resolve the missing platform module error; it also loses idempotency and error handling. Option D is wrong because Python 3.8 is not required for the 'cisco.ios' collection (which works with Python 3.6+), and the error is about a missing platform module, not a Python version incompatibility.

871
MCQ · easy

A developer wants to send a message to a specific Webex Teams room using the REST API. Which HTTP method and endpoint should be used?

A. POST /rooms/{roomId}/messages
B. POST /messages
C. PUT /messages
D. GET /rooms/{roomId}/messages
Answer: B

POST to /messages with roomId in body sends a message.

Why this answer

The correct endpoint to send a message to a specific Webex Teams room is POST /messages, because the Webex REST API uses a single messages resource for creating new messages. The room ID is included in the request body as a JSON parameter, not in the URL path. This design follows RESTful conventions where POST is used to create a resource, and the /messages endpoint accepts the roomId field to target the desired space.

Exam trap

Cisco often tests the misconception that resources must be nested in the URL path (e.g., /rooms/{roomId}/messages) when the API actually uses a flat endpoint with the identifier in the request body, leading candidates to choose Option A.

How to eliminate wrong answers

Option A is wrong because POST /rooms/{roomId}/messages is not a valid Webex REST API endpoint; the API does not nest messages under rooms in the URL path. Option C is wrong because PUT /messages is not supported; the Webex API uses PUT only for updating existing resources, and messages cannot be updated after creation. Option D is wrong because GET /rooms/{roomId}/messages retrieves existing messages from a room, but the developer wants to send (create) a new message, which requires a POST request.

872
MCQ · easy

A developer creates a Dockerfile with the following content: FROM python:3.9-slim, COPY app.py /app/, RUN pip install flask, EXPOSE 5000, CMD ["python", "/app/app.py"]. When building the image with 'docker build -t myapp .', what is the purpose of the EXPOSE instruction?

A. It automatically publishes port 5000 to a random host port.
B. It informs Docker that the container listens on port 5000, but the port must be published at runtime.
C. It installs the Flask framework on port 5000.
D. It maps host port 5000 to container port 5000.
Answer: B

EXPOSE documents the port, but publishing requires -p.

Why this answer

EXPOSE documents that the container listens on port 5000 at runtime. It does not publish the port; that requires the -p flag when running the container.

873
MCQ · easy

A developer wants to create a Docker image that runs a Python application. Which instruction should be placed at the end of the Dockerfile to specify the command that runs when the container starts?

A. RUN
B. ENTRYPOINT
C. COPY
D. CMD
Answer: D

CMD specifies the command to run when the container starts.

Why this answer

CMD specifies the default command to run when the container starts, and it can be overridden by providing a command at runtime. ENTRYPOINT is similar but not easily overridden. RUN executes during build. COPY copies files during build.

874
MCQ · medium

In a CI/CD pipeline using Jenkins, which stage is typically executed immediately after the build stage to ensure code quality before deployment?

A. Unit test
B. Deploy to production
C. Integration test
D. Artifact publication
Answer: A

Unit tests validate code functionality immediately after build.

Why this answer

In a Jenkins CI/CD pipeline, the build stage compiles the code and produces artifacts. Immediately after the build, unit tests are executed to validate individual components in isolation, catching defects early before proceeding to integration or deployment stages. This aligns with the principle of 'shift-left' testing, where quality gates are applied as early as possible.

Exam trap

Cisco often tests the distinction between unit tests and integration tests in a CI/CD pipeline, where candidates mistakenly think integration tests come immediately after build because they involve 'testing code' broadly, but the correct order is unit tests first to validate individual modules before combining them.

How to eliminate wrong answers

Option B is wrong because deploying to production occurs much later in the pipeline, after all testing stages (unit, integration, acceptance) have passed, and typically requires manual approval gates. Option C is wrong because integration tests are executed after unit tests, as they require multiple components or services to be available and often depend on the build artifacts being published. Option D is wrong because artifact publication (e.g., storing the build output in a repository like Nexus or Artifactory) usually happens after unit tests pass, ensuring only verified artifacts are stored for later stages.

875
MCQ · hard

A script using the Meraki Python library fails with an error 'Rate limit exceeded'. The developer needs to handle this. Which approach is correct?

A. Increase the sleep interval between requests and implement exponential backoff.
B. Reduce the number of API calls by caching responses.
C. Use a different API endpoint to avoid the limit.
D. Request a higher rate limit from Meraki support.
Answer: A

Standard rate limiting handling.

Why this answer

Option A is correct because the Meraki API enforces rate limits per organization and per API key. When a 'Rate limit exceeded' error occurs, the proper response is to implement exponential backoff with increased sleep intervals between requests. This approach respects the API's retry-after headers and prevents further throttling, aligning with REST API best practices for handling 429 status codes.

Exam trap

Cisco often tests the distinction between proactive optimization (caching) and reactive error handling (backoff), and candidates may incorrectly choose caching as a way to avoid rate limits entirely, missing that the question specifically asks how to handle the error after it occurs.

How to eliminate wrong answers

Option B is wrong because caching responses reduces the number of API calls but does not handle the immediate rate limit error; it is a proactive optimization, not a reactive solution to a 429 response. Option C is wrong because using a different API endpoint does not bypass the overall rate limit, which is applied at the account or API key level, not per endpoint. Option D is wrong because while requesting a higher rate limit from Meraki support might be a long-term solution, it is not the correct immediate programmatic handling of a rate limit error; the developer must implement backoff in the script.

876
Multi-Select · medium

A network automation engineer is using Cisco DNA Center APIs. Which TWO of the following are valid API categories? (Choose two.)

Select 2 answers
A. Monitor your network
B. Know your network
C. Secure your network
D. Change your network
E. Automate your network
Answers: B, D

Correct. This includes device list, topology, and site APIs.

Why this answer

The valid categories are 'Know your network' and 'Change your network'. 'Monitor your network' and 'Secure your network' are not official categories.

877
MCQ · medium

A company uses Ansible to automate network configuration. They have an Ansible control node that must reach all network devices. Which transport protocol does Ansible use by default to connect to Cisco IOS devices?

A. HTTP
B. Telnet
C. SSH
D. SNMP
Answer: C

Ansible uses SSH by default for network devices.

Why this answer

Ansible uses SSH as its default transport protocol to connect to Cisco IOS devices because SSH provides encrypted, secure remote access and is the standard for network device management in modern environments. Ansible's native architecture relies on SSH for agentless communication, executing modules and playbooks over this secure channel without requiring additional software on the target devices.

Exam trap

Cisco often tests the misconception that Ansible uses Telnet or SNMP for legacy device compatibility, but the trap here is that Ansible defaults to SSH for secure, agentless automation, and candidates may confuse Ansible's connection methods with other tools like NETCONF or RESTCONF.

How to eliminate wrong answers

Option A is wrong because HTTP is not used by Ansible for device connections; it is an unencrypted protocol typically used for web-based management interfaces, not for Ansible's agentless automation. Option B is wrong because Telnet is an unencrypted, legacy protocol that Ansible does not use by default due to security concerns and lack of support for modern automation features. Option D is wrong because SNMP is a monitoring and management protocol used for reading and writing device configuration data via MIBs, but it is not a transport protocol for executing Ansible modules or playbooks.

878
MCQ · medium

A network team is implementing automation to provision new switchports across a campus network. They decide to use a controller-based approach with Cisco DNA Center. What is the primary advantage of using DNA Center for this task?

A. It automatically rolls back any configuration that deviates from the standard.
B. It replaces all existing CLI commands with a graphical interface.
C. It allows intent-based automation where the desired state is defined and the controller pushes the necessary configuration.
D. It eliminates the need for any human intervention in network management.
Answer: C

Intent-based automation abstracts low-level configuration from the user.

Why this answer

Option C is correct because Cisco DNA Center uses an intent-based networking model where the administrator defines the desired state (e.g., 'provision a switchport for access VLAN 10') and the controller automatically translates that intent into the necessary device configurations (CLI or NETCONF/YANG). This abstraction reduces manual errors and enforces consistency across the campus network without requiring per-device CLI scripting.

Exam trap

Cisco often tests the distinction between intent-based automation (defining the desired state) versus traditional script-based automation (pushing explicit commands), and the trap here is confusing 'intent-based' with 'fully autonomous' or 'error-correcting' systems.

How to eliminate wrong answers

Option A is wrong because DNA Center does not automatically roll back configurations that deviate from a standard; it can detect drift and alert the operator, but rollback typically requires a manual or policy-driven action. Option B is wrong because DNA Center does not replace all CLI commands with a graphical interface; it provides a GUI for high-level intent but still relies on underlying CLI, NETCONF, or RESTCONF for device-level configuration. Option D is wrong because DNA Center does not eliminate the need for human intervention; it automates many tasks but still requires human oversight for policy definition, troubleshooting, and exception handling.

879
MCQ · hard

A team uses GitHub Actions for CI/CD. Their workflow includes a job that builds a Docker image and pushes it to a private registry. The job needs to authenticate to the registry using secrets stored in GitHub. Which approach is most secure for passing credentials?

A. Use GitHub Secrets and reference them with ${{ secrets.REGISTRY_PASSWORD }}.
B. Embed the password directly in the workflow YAML file.
C. Store the password in a plain text file in the repository and read it during the build.
D. Use environment variables set in the runner's local .env file.
Answer: A

Secrets are encrypted and not exposed in logs.

Why this answer

GitHub Secrets allow storing sensitive data encrypted. In the workflow, secrets are accessed via ${{ secrets.REGISTRY_PASSWORD }}. This avoids hardcoding credentials.

880
MCQ · hard

An organization wants to automate the deployment of wireless configurations across multiple Meraki networks using the Meraki Dashboard API. What authentication method should the developer use in the API requests?

A. Provide username and password in the Authorization header with Basic auth
B. Use OAuth2 client credentials grant and pass a bearer token
C. Include an API key in the X-Cisco-Meraki-API-Key header
D. Generate a JSON Web Token (JWT) signed with a shared secret
Answer: C

Meraki API uses a static API key in the request header for authentication.

Why this answer

The Meraki Dashboard API uses a simple API key for authentication, not OAuth2 or JWT. The key must be included in the `X-Cisco-Meraki-API-Key` header of every request. This is the only supported method for authenticating with the Meraki API, as documented by Cisco Meraki.

Exam trap

Cisco often tests the misconception that all REST APIs use OAuth2 or Basic Auth, but the Meraki API specifically uses a custom header-based API key, which candidates may overlook in favor of more common authentication methods.

How to eliminate wrong answers

Option A is wrong because the Meraki Dashboard API does not support HTTP Basic authentication with username and password; it requires an API key. Option B is wrong because the Meraki API does not use OAuth2; it uses a static API key for all requests. Option D is wrong because the Meraki API does not accept JSON Web Tokens (JWTs); it relies solely on the API key in the custom header.

881
MCQ · easy

Which of the following is a non-overlapping channel in the 2.4 GHz Wi-Fi band?

A. Channel 3
B. Channel 6
C. Channel 12
D. Channel 9
Answer: B

Channel 6 is non-overlapping.

Why this answer

Channels 1, 6, and 11 are non-overlapping in the 2.4 GHz band.

882
MCQ · easy

A network automation script uses the Python ncclient library to modify a device configuration. Which NETCONF operation should be used to apply configuration changes?

A. <close-session>
B. <get-config>
C. <get>
D. <edit-config>
Answer: D

edit-config modifies configuration.

Why this answer

The <edit-config> operation is used to modify configuration in NETCONF.

883
MCQ · hard

A security team is developing an application that collects network alerts from Cisco Firepower Management Center (FMC) API. The API requires OAuth2 authorization code grant flow. After obtaining an authorization code, what must the application do to get an access token?

A. Resend the authorization request with the code included in the redirect URI.
B. Decode the authorization code using base64 to extract the access token.
C. Use the authorization code directly in subsequent API requests as a bearer token.
D. Exchange the authorization code for an access token by calling the token endpoint with the code and client credentials.
Answer: D

This is the correct step in the authorization code grant flow.

Why this answer

In the OAuth2 authorization code grant flow, the authorization code is an intermediate credential that must be exchanged for an access token. The application must call the token endpoint, presenting the authorization code along with its client credentials (client ID and client secret) to receive the access token. This exchange is required by RFC 6749 and is a fundamental security measure to ensure the client is authorized to obtain the token.

Exam trap

Cisco often tests the misconception that the authorization code itself can be used as a bearer token or decoded to reveal the access token, when in fact it must be exchanged at the token endpoint with client credentials.

How to eliminate wrong answers

Option A is wrong because resending the authorization request with the code in the redirect URI is not part of the OAuth2 flow; the authorization code is obtained from the authorization endpoint's redirect, not reused in a new request. Option B is wrong because the authorization code is not a base64-encoded access token; it is a short-lived, one-time-use code that must be exchanged via the token endpoint, not decoded. Option C is wrong because the authorization code cannot be used directly as a bearer token; bearer tokens are access tokens, and using the code in API requests would be rejected by the resource server as it is not a valid token.

884
Multi-Select · hard

Which THREE of the following are characteristics of IPv6? (Select exactly three.)

Select 3 answers
A. IPv6 does not have a built-in NAT requirement.
B. IPv6 uses a 128-bit address space.
C. IPv6 addresses are 32 bits in length.
D. IPv6 supports stateless address autoconfiguration (SLAAC).
E. IPv6 uses ARP to resolve MAC addresses.
Answers: A, B, D

IPv6 was designed with enough address space to avoid NAT.

Why this answer

IPv6 was designed without a built-in requirement for Network Address Translation (NAT) because its vast 128-bit address space allows every device to have a globally unique public IP address. Unlike IPv4, which relies on NAT to conserve limited address space, IPv6 restores end-to-end connectivity by default, eliminating the need for address translation at the network edge.

Exam trap

Cisco often tests the misconception that IPv6 still uses ARP or that its address length is 32 bits, hoping candidates confuse IPv6 with IPv4 fundamentals.

885
Multi-Select · medium

A network administrator is using Cisco DNA Center APIs to automate network changes. Which two API categories are used to perform configuration deployments? (Choose two.)

Select 2 answers
A. Platform
B. Change your network
C. Know your network
D. Run your network
E. Event notifications
Answers: A, B

Platform APIs include task management to track deployment status.

Why this answer

DNAC API categories: 'Change your network' includes template deployment and PnP; 'Platform' includes task management for monitoring deployment status.

886
MCQ · easy

A developer runs 'docker-compose up -d' for a multi-service application. What does the '-d' flag do?

A. It enables debugging output
B. It pulls the latest images before starting
C. It deletes the containers after they stop
D. It runs containers in detached mode (background)
Answer: D

Detached mode runs containers in the background.

Why this answer

The `-d` flag in `docker-compose up -d` stands for 'detached mode', which instructs Docker Compose to run the containers in the background, freeing the terminal for other commands. This is analogous to the `-d` flag in `docker run -d` and is essential for long-running services that should not block the command-line session.

Exam trap

Cisco often tests the `-d` flag to see if candidates confuse it with debugging (`-d` in some tools like `curl`) or assume it stands for 'delete', when in Docker it specifically means 'detached mode'.

How to eliminate wrong answers

Option A is wrong because debugging output is enabled by the `--debug` flag (or `DOCKER_COMPOSE_DEBUG` environment variable), not `-d`. Option B is wrong because pulling the latest images is done with the `--pull always` or `--pull missing` flag, or by running `docker-compose pull` separately; `-d` does not trigger a pull. Option C is wrong because deleting containers after they stop is achieved with the `--rm` flag (for `docker run`) or by using `docker-compose down`; `-d` does not affect container lifecycle on exit.

887
MCQ · hard

A network automation engineer is tasked with creating a Python script to automatically back up the running configuration of all IOS XE devices in a data center using the Cisco IOS XE REST API. The engineer has credentials for each device and knows the IP addresses. The script uses the requests library and sends a GET request to https://<device-ip>/restconf/data/Cisco-IOS-XE-native:native?content=config. The script runs successfully for some devices but fails with a 401 Unauthorized error for others. The engineer confirms the credentials are correct and the devices are reachable. The working devices are running IOS XE 16.9, while the failing ones are running IOS XE 16.6. The engineer checks the API documentation and finds that RESTCONF is enabled on all devices. However, the engineer notices that the failing devices require a different authentication method. What should the engineer do to fix the authentication for the IOS XE 16.6 devices?

A. Switch from HTTPS to HTTP for the failing devices.
B. Use the NETCONF protocol instead of RESTCONF for all devices.
C. Change the URL to use the Cisco IOS XE CLI-based API instead of RESTCONF.
D. Modify the script to use HTTP Basic Authentication and disable CSRF check on the device.
Answer: D

Older IOS XE versions require basic authentication; disabling CSRF check may be necessary.

Why this answer

Option D is correct because IOS XE 16.6 requires HTTP Basic Authentication with the 'Authorization' header, and the RESTCONF API on these older versions also requires disabling the CSRF (Cross-Site Request Forgery) check. The engineer must modify the script to include the 'requests.auth.HTTPBasicAuth' and set the 'X-CSRF-Token' header to 'false' or disable CSRF on the device. This resolves the 401 error while still using RESTCONF.

Exam trap

Cisco often tests the version-specific RESTCONF authentication differences, where candidates assume all IOS XE versions use the same authentication method (e.g., token-based), but older versions require Basic Auth and CSRF bypass.

How to eliminate wrong answers

Option A is wrong because switching from HTTPS to HTTP would not fix authentication; it would introduce a security risk and the 401 error is due to missing or incorrect authentication headers, not the protocol. Option B is wrong because NETCONF is a different protocol (SSH-based) and does not use RESTCONF URLs or HTTP authentication; the engineer is specifically tasked with using the REST API, and NETCONF would require a completely different script and library (e.g., ncclient). Option C is wrong because the Cisco IOS XE CLI-based API (e.g., 'on-box' Python or guest shell) is not accessed via RESTCONF URLs; the engineer is already using RESTCONF, and changing to a CLI-based API would not address the authentication issue.

888
Multi-Select · medium

A developer is using the Meraki Dashboard API to list all organizations. Which TWO of the following are true regarding pagination in the Meraki API? (Choose TWO.)

Select 2 answers
A. Page size is fixed at 1000 items per page.
B. Pagination is optional and disabled by default.
C. Pagination requires the use of OAuth tokens.
D. The Link header contains URLs for the next and previous pages.
E. The startingAfter and endingBefore parameters control the page cursor.
Answers: D, E

Meraki uses the Link header for pagination.

Why this answer

Meraki API pagination uses Link header or startingAfter/endingBefore query parameters.

889
MCQ · medium

A network administrator configures a switch port to belong to VLAN 10. Which OSI layer is primarily involved in VLAN tagging?

A. Layer 1 (Physical)
B. Layer 3 (Network)
C. Layer 2 (Data Link)
D. Layer 4 (Transport)
Answer: C

VLAN tagging is a Layer 2 function using IEEE 802.1Q.

Why this answer

VLANs operate at Layer 2 (Data Link) by adding tags to Ethernet frames.

890
MCQ · medium

When using RESTCONF to configure a network device, which URL path prefix and content-type header should be used?

A. /restconf/operations/ and Content-Type: application/xml
B. /restconf/data/ and Content-Type: application/yang-data+json
C. /restconf/data/ and Content-Type: application/json
D. /restconf/ and Content-Type: text/plain
Answer: B

This is the standard for RESTCONF.

Why this answer

RESTCONF uses /restconf/data/ and content-type application/yang-data+json.

891
Multi-Select · medium

A network administrator is configuring a DNS server. Which TWO DNS record types are used for IPv6 address resolution?

Select 2 answers
A. MX record
B. CNAME record
C. PTR record
D. AAAA record
E. A record
Answers: C, D

PTR records are used for reverse DNS lookup, which also works with IPv6.

Why this answer

The AAAA record (option D) maps a hostname to a 128-bit IPv6 address, analogous to the A record for IPv4. The PTR record (option C) performs reverse DNS lookup, mapping an IPv6 address to a hostname, which is essential for IPv6 address resolution in scenarios like logging or mail server verification.

Exam trap

Cisco often tests the distinction between A records (IPv4) and AAAA records (IPv6), and the trap here is that candidates may confuse PTR records as only relevant for IPv4, forgetting that PTR records are equally critical for IPv6 reverse resolution.

892
Matching · medium

Match each Git command to its function.

Concepts
Matches

Copy a repository to local machine

Save changes to local repository

Upload local changes to remote repository

Fetch and merge changes from remote

List, create, or delete branches

Why these pairings

Common Git commands used in software development.

893
MCQ · hard

An application needs to retrieve all network clients from a specific Meraki network. The API response may be paginated. Which query parameters can be used to implement cursor-based pagination with the Meraki Dashboard API?

A. offset and limit
B. startingAfter and endingBefore
C. page and perPage
D. nextToken and previousToken
Answer: B

Correct. These are the cursor parameters for pagination.

Why this answer

Meraki supports cursor-based pagination using startingAfter and endingBefore parameters.

894
MCQ · hard

In a CI/CD pipeline, a code quality check fails due to a security vulnerability in a third-party library. What is the best practice to address this?

A. Suppress the warning and proceed
B. Update the library to a patched version
C. Add a firewall rule to block the vulnerability
D. Remove the dependency and rewrite the code
Answer: B

Updating to the latest patched version resolves the vulnerability and maintains compatibility.

Why this answer

Updating the library to a patched version directly resolves the security vulnerability at its source, aligning with the principle of supply chain security in CI/CD pipelines. This practice ensures that the codebase uses a version of the dependency that has been officially fixed by the maintainer, preventing exploitation without altering the application's functionality or introducing unnecessary risk.

Exam trap

Cisco often tests the misconception that security vulnerabilities can be mitigated with network controls (like firewalls) or by ignoring the issue, rather than addressing the root cause through dependency updates.

How to eliminate wrong answers

Option A is wrong because suppressing the warning ignores the vulnerability, leaving the application exposed to potential exploitation; it violates the security-first principle of DevSecOps. Option C is wrong because a firewall rule only attempts to block network-level access to the vulnerability, which does not fix the underlying insecure code in the library and can be bypassed; it is a network control, not a code fix. Option D is wrong because removing the dependency and rewriting the code is an extreme, time-consuming measure that is unnecessary when a patched version is available; it ignores the standard practice of dependency management and version updates.

895
MCQ · hard

Using the Cisco DNA Center API, an engineer wants to create a new site with building and floor information. Which HTTP method and endpoint should be used?

A. PUT /dna/intent/api/v1/site
B. GET /dna/intent/api/v1/site
C. POST /dna/intent/api/v1/site
D. POST /dna/intent/api/v1/site/create
Answer: C

Correct endpoint and method to create a site.

Why this answer

The POST HTTP method is used to create a new resource on the server, and the Cisco DNA Center API endpoint `/dna/intent/api/v1/site` is designed to accept a POST request with a JSON payload containing site, building, and floor details. This follows RESTful conventions where POST is the standard method for resource creation, and the API documentation specifies this exact endpoint for adding a new site hierarchy.

Exam trap

The trap here is that candidates often confuse POST with PUT or assume a 'create' suffix is needed in the endpoint, but Cisco tests the exact RESTful convention where POST on the base resource URI is the correct method for creation.

How to eliminate wrong answers

Option A is wrong because the PUT method is typically used for updating an existing resource or creating a resource at a specific URI, but the Cisco DNA Center API for site creation explicitly requires POST, not PUT. Option B is wrong because the GET method is used for retrieving information, not creating resources; it would return existing site data, not create a new site. Option D is wrong because the endpoint `/dna/intent/api/v1/site/create` does not exist in the Cisco DNA Center API; the correct endpoint is `/dna/intent/api/v1/site` without the `/create` suffix, and the creation action is implied by the POST method.

896
MCQ · medium

A Python script uses the ncclient library to connect to a Cisco NX-OS device over NETCONF. After establishing the session, the script executes an editing operation with candidate datastore. Which additional step is required to make the changes take effect immediately on the running configuration?

A. Execute a discard-changes operation on the candidate datastore
B. Execute a validate operation on the candidate datastore
C. No additional step is needed; candidate changes are automatically applied to running
D. Execute a commit operation on the candidate datastore
Answer: D

Commit copies candidate to running, making changes active.

Why this answer

Option D is correct because when using NETCONF with the candidate datastore on Cisco NX-OS, changes are staged in the candidate configuration and do not affect the running configuration until a commit operation is explicitly sent. The commit operation copies the candidate configuration to the running datastore, making the changes take effect immediately. Without this step, the candidate changes remain unapplied.

Exam trap

Cisco often tests the distinction between the candidate and running datastores, trapping candidates who assume that editing the candidate automatically updates the running configuration, which is only true for the 'candidate' datastore on some platforms like Juniper but not for NX-OS NETCONF.

How to eliminate wrong answers

Option A is wrong because discard-changes is used to revert the candidate datastore to the running configuration, discarding any uncommitted edits; it does not apply changes. Option B is wrong because validate checks the syntactic and semantic correctness of the candidate configuration but does not apply it to the running datastore. Option C is wrong because the candidate datastore is a separate, working copy; changes are not automatically applied to running — a commit is required per RFC 6241.

897
Multi-Select easy

A developer is writing a Python script to back up Cisco router configurations via SSH. Which two libraries are appropriate for this task? (Choose two.)

Select 2 answers
A. requests
B. netmiko
C. urllib
D. paramiko
E. flask
Answers: B, D

Netmiko simplifies SSH connections to network devices.

Why this answer

Netmiko is a Python library built on top of Paramiko that simplifies SSH connections to network devices, including Cisco routers. It provides high-level methods for sending commands and retrieving output, making it ideal for automating configuration backups via SSH.

Exam trap

Cisco often tests the distinction between HTTP-focused libraries (requests, urllib) and SSH-focused libraries (paramiko, netmiko), trapping candidates who mistakenly think 'requests' can handle any network protocol or that Flask's 'networking' capabilities extend to SSH.

898
MCQ medium

An administrator is configuring a Cisco Meraki Dashboard API integration. After receiving a 429 HTTP response, what header should be examined to determine when the request can be retried?

A. X-RateLimit-Reset
B. Retry-After
C. X-Cisco-Meraki-API-Key
D. Location
Answer: B

Correct. Meraki includes a Retry-After header in the 429 response.

Why this answer

Meraki's rate limit returns a 429 status with a Retry-After header indicating the number of seconds to wait before retrying.

899
MCQ easy

A developer wants to use Postman to test a REST API that requires a Bearer token. Where should the token be placed in the request?

A. In the Authorization header
B. As a query parameter
C. In a custom header like X-Auth-Token
D. In the request body
Answer: A

Bearer tokens are sent in the Authorization header.

Why this answer

The Bearer token is placed in the Authorization header using the format 'Bearer <token>'. The request body is used for data, not authentication.

900
Multi-Select medium

Which TWO statements about the MVC pattern are correct? (Choose two.)

Select 2 answers
A. Model is dependent on the View.
B. Controller handles user input and updates the Model.
C. View displays data from the Model.
D. Model represents the user interface.
E. View directly modifies the Model.
Answers: B, C

Controller processes input.

Why this answer

MVC separates Model (data), View (UI), Controller (logic). Controller updates Model, View reflects Model.
