Cisco DevNet Associate 200-901 (200-901) — Questions 901–975

992 questions total · 14 pages · All types, answers revealed

901
MCQ · easy

In a Docker Compose file, which key is used to define the dependency order between services?

A. links
B. volumes
C. networks
D. depends_on
Answer: D

Correct. depends_on defines service dependencies.

Why this answer

The depends_on key in Docker Compose allows specifying that one service depends on another, controlling startup order.

902
MCQ · easy

Which of the following is a private IPv4 address range as defined by RFC 1918?

A. 192.168.0.0/16
B. 172.32.0.0/12
C. 172.15.0.0/12
D. 11.0.0.0/8
Answer: A

Correct. 192.168.0.0/16 is private.

Why this answer

RFC 1918 defines private IPv4 address ranges that are not routable on the public Internet. The 192.168.0.0/16 range (192.168.0.0 – 192.168.255.255) is explicitly listed in RFC 1918 as a Class C private block, making option A correct.

Exam trap

Cisco often tests the exact prefix length of the 172.16.0.0/12 range, and the trap here is that candidates confuse 172.16.0.0/12 with 172.32.0.0/12, mistakenly thinking any 172.x.x.x address is private.

How to eliminate wrong answers

Option B is wrong because 172.32.0.0/12 falls outside the RFC 1918 private range for Class B, which is 172.16.0.0/12 (172.16.0.0 – 172.31.255.255); 172.32.0.0 is a public address range. Option C is wrong because 172.15.0.0/12 is not a private range at all; it is part of the public Class B space and does not overlap with the 172.16.0.0/12 private block. Option D is wrong because 11.0.0.0/8 is a public Class A range (assigned to the US Department of Defense) and is not listed in RFC 1918; the private Class A range is 10.0.0.0/8.

903
MCQ · hard

A developer is implementing secure coding practices to prevent SQL injection. Which approach is most effective when building a SQL query with user input?

A. Validating user input to allow only alphanumeric characters
B. Using parameterized queries with prepared statements
C. Storing user input in a database before using it in a query
D. Escaping all user input with a function like mysqli_real_escape_string
Answer: B

Parameterized queries ensure input is treated as data, not executable code.

Why this answer

Parameterized queries separate SQL code from data, preventing injection. Input validation helps but is not sufficient alone. Stored procedures can help, but parameterized queries are standard. Escaping is error-prone.

904
MCQ · easy

Which YANG model is an OpenConfig model commonly used for interface configuration?

A. openconfig-interfaces
B. Cisco-IOS-XE-interfaces
C. ietf-interfaces
D. openconfig-routing-policy
Answer: A

Correct. OpenConfig's interface model is oc-interfaces (openconfig-interfaces).

Why this answer

OpenConfig models include oc-interfaces for interface configuration.

905
MCQ · medium

Which YANG model is an OpenConfig model used for interface configuration?

A. oc-yang-interfaces
B. ietf-interfaces
C. Cisco-IOS-XE-interfaces
D. openconfig-interfaces
Answer: D

This is the OpenConfig model for interfaces.

Why this answer

OpenConfig is a vendor-neutral, community-driven data model standard for network configuration and state. The 'openconfig-interfaces' YANG model is the OpenConfig model specifically designed for interface configuration, providing a consistent, model-driven approach across different network operating systems. Option D is correct because it directly names the OpenConfig model for interfaces.

Exam trap

Cisco often tests the distinction between vendor-neutral OpenConfig models, IETF standard models, and Cisco proprietary native models, expecting candidates to recognize that 'openconfig-interfaces' is the correct OpenConfig model name, not a generic or IETF-prefixed alternative.

How to eliminate wrong answers

Option A is wrong because 'oc-yang-interfaces' is not a recognized YANG model name; OpenConfig models use the prefix 'openconfig-', not 'oc-yang-'. Option B is wrong because 'ietf-interfaces' is the IETF standard YANG model for interface management (RFC 7223), not an OpenConfig model. Option C is wrong because 'Cisco-IOS-XE-interfaces' is a Cisco proprietary native YANG model specific to IOS XE platforms, not an OpenConfig model.

906
MCQ · medium

A developer needs to retrieve a list of network devices from Cisco DNA Center. Which API endpoint should be used?

A. GET /dna/intent/api/v1/network-device
B. GET /dna/intent/api/v1/topology
C. POST /dna/intent/api/v1/network-device
D. GET /dna/intent/api/v1/site
Answer: A

This endpoint retrieves network devices.

Why this answer

The intent API endpoint /dna/intent/api/v1/network-device retrieves network devices.

907
MCQ · medium

Which HTTP method is idempotent and used to update a resource by sending the full representation?

A. PUT
B. DELETE
C. POST
D. GET
Answer: A

Correct. PUT is idempotent and updates the entire resource.

Why this answer

PUT is idempotent because making the same request multiple times results in the same server state. It requires the client to send a full representation of the resource, replacing any existing resource at that URI. This aligns with RFC 7231, which defines PUT as a method that creates or replaces the target resource with the enclosed representation.

Exam trap

Cisco often tests the confusion between PUT and PATCH, where candidates mistakenly think PUT can be used for partial updates, but the question specifically asks for 'full representation,' making PUT the only correct choice.

How to eliminate wrong answers

Option B (DELETE) is wrong because while DELETE is idempotent, it is used to remove a resource, not update it by sending a full representation. Option C (POST) is wrong because POST is not idempotent; it is designed to submit data for processing (e.g., creating a subordinate resource) and repeated requests may create multiple resources. Option D (GET) is wrong because GET is idempotent and safe, but it is used to retrieve a resource, not update it.

908
MCQ · medium

An administrator needs to retrieve the hostname of an IOS XE device using RESTCONF. Which URL and data path should they use?

A. GET /restconf/data/Cisco-IOS-XE-native:native/hostname
B. GET /api/v1/device/hostname
C. POST /restconf/data/Cisco-IOS-XE-native:native/hostname
D. GET /restconf/data/ietf-interfaces:interfaces
Answer: A

This is the correct RESTCONF path for the hostname.

Why this answer

RESTCONF on IOS XE uses the native YANG model; the hostname is under /Cisco-IOS-XE-native:native/hostname.

909
Multi-Select · medium

A developer is troubleshooting a Cisco RESTCONF API call that returns a 409 Conflict error. Which two scenarios could cause this? (Choose two.)

Select 2 answers
A. Authentication token is missing.
B. The resource's current state conflicts with the requested change (e.g., trying to delete a resource that is in use).
C. The resource already exists and the request attempts to create a duplicate.
D. The resource does not exist.
E. The request contains invalid data types.
Answers: B, C

State conflicts, like deleting a resource that is referenced, cause 409.

Why this answer

Option B is correct because a 409 Conflict error in RESTCONF indicates that the request cannot be completed due to a conflict with the current state of the resource. For example, attempting to delete a resource that is referenced by other resources (e.g., a VLAN interface that is still active) violates the resource's state constraints, triggering this HTTP status code.

Exam trap

Cisco often tests the distinction between 409 Conflict and 400 Bad Request, where candidates mistakenly think invalid data types cause a conflict rather than a client-side syntax error.

910
MCQ · easy

Which tool is used to explore and validate YANG models?

A. Postman
B. cURL
C. YANGman
D. pyang
Answer: D

pyang is the standard tool for YANG model exploration.

Why this answer

pyang is a Python-based tool for validating and converting YANG models.

911
MCQ · hard

A network engineer is using Cisco IOS XE RESTCONF to retrieve the hostname of a device. The device has already enabled netconf-yang and restconf. Which URL path should be used?

A. /restconf/data/hostname
B. /restconf/data/Cisco-IOS-XE-native:native/hostname
C. /restconf/operations/hostname
D. /restconf/config/Cisco-IOS-XE-native:native/hostname
Answer: B

This is the correct RESTCONF path for hostname using the native YANG model.

Why this answer

The hostname is under Cisco-IOS-XE-native:native/hostname in the YANG model. RESTCONF uses the module name and path.

912
MCQ · easy

Which data structure in Python would be most appropriate for storing a collection of unique items and performing fast membership tests?

A. Tuple
B. Set
C. List
D. Dictionary
Answer: B

Sets are designed for unique elements and fast membership testing.

Why this answer

A set is the correct choice because it is implemented as a hash table in Python, which provides O(1) average-time complexity for membership tests using the `in` operator. Sets automatically enforce uniqueness, meaning duplicate items are not allowed, making them ideal for storing a collection of distinct elements. This directly matches the requirement for fast membership testing and uniqueness.

Exam trap

Cisco often tests the misconception that a dictionary is the best choice for fast membership tests because it also uses hashing, but the trap is that the question specifically asks for a collection of unique items, not key-value pairs, making a set the more precise and appropriate data structure.

How to eliminate wrong answers

Option A is wrong because a tuple is an immutable ordered sequence that allows duplicates and requires O(n) linear search for membership tests, making it unsuitable for fast lookups. Option C is wrong because a list is an ordered mutable sequence that also allows duplicates and requires O(n) linear search for membership tests, failing both the uniqueness and speed requirements. Option D is wrong because while a dictionary provides O(1) membership tests on its keys, it stores key-value pairs rather than just unique items, making it overkill and semantically incorrect for a simple collection of unique items.

913
MCQ · medium

When using the NX-API on Cisco NX-OS, which HTTP method is used to send CLI commands in JSON format?

A. POST
B. PUT
C. GET
D. PATCH
Answer: A

Correct. CLI commands are sent via POST to /ins.

Why this answer

NX-API uses POST requests to the /ins endpoint with a JSON body containing the CLI commands and the type (cli_show or cli_conf).

914
MCQ · hard

A Kubernetes Deployment has replicas: 3. The team updates the container image to a new version. The rollout gets stuck because the new pod fails readiness probes. Which kubectl command will display the rollout status and help diagnose the issue?

A. kubectl get pods -l app=my-deployment
B. kubectl logs deployment/my-deployment
C. kubectl describe deployment my-deployment
D. kubectl rollout status deployment/my-deployment
Answer: D

Shows rollout progress and can indicate failure.

Why this answer

kubectl rollout status deployment/my-deployment shows the progress. If stuck, it indicates failure. kubectl describe pod can show probe details.

915
Multi-Select · medium

Which two authentication methods are commonly used with Cisco REST APIs? (Choose two.)

Select 2 answers
A. API key in header
B. Basic authentication with username/password
C. Session cookie
D. SAML assertion
E. OAuth 2.0 token
Answers: A, E

Used by Meraki and others.

Why this answer

API key and OAuth 2.0 are common; Basic auth is less common; session cookie and SAML are not typical for REST APIs.

916
MCQ · easy

A technician needs to verify the IP address of a remote server using DNS. Which command should be used on a Cisco IOS device?

A. traceroute server.example.com
B. show hosts server.example.com
C. ping server.example.com
D. nslookup server.example.com
Answer: D

Performs DNS lookup and returns IP address.

Why this answer

The `nslookup` command is used to query DNS servers to resolve a hostname to an IP address. On a Cisco IOS device, `nslookup` sends a DNS query for the specified hostname and returns the corresponding IP address, making it the correct tool for verifying a remote server's IP via DNS.

Exam trap

Cisco often tests the distinction between commands that incidentally perform DNS resolution (like `ping` or `traceroute`) and commands specifically designed for DNS queries (`nslookup`), leading candidates to choose `ping` because it shows the resolved IP in its output.

How to eliminate wrong answers

Option A is wrong because `traceroute` is used to trace the network path to a destination, not to perform DNS resolution; it may trigger a DNS lookup for display but does not directly verify the IP address. Option B is wrong because `show hosts` displays the static hostname-to-address mappings configured locally on the device, not dynamic DNS query results. Option C is wrong because `ping` sends ICMP echo requests to test reachability and may perform a DNS lookup as a side effect, but its primary purpose is not to verify the IP address via DNS.

917
Multi-Select · easy

Which THREE of the following are common security vulnerabilities listed in the OWASP Top 10? (Choose three.)

Select 3 answers
A. Cross-Site Scripting (XSS)
B. Broken Access Control
C. Multi-Factor Authentication
D. SQL Injection
E. DNS Cache Poisoning
Answers: A, B, D

Included in OWASP Top 10 as an injection issue.

Why this answer

Cross-Site Scripting (XSS) is a common security vulnerability in the OWASP Top 10 because it allows attackers to inject malicious scripts into web pages viewed by other users, typically through input fields that are not properly sanitized. This can lead to session hijacking, defacement, or redirection to malicious sites, exploiting the trust a user has in a legitimate application.

Exam trap

Cisco often tests whether candidates can distinguish between actual vulnerabilities (like XSS, Broken Access Control, SQL Injection) and security controls or network-layer attacks, leading them to mistakenly select Multi-Factor Authentication or DNS Cache Poisoning as OWASP Top 10 items.

918
MCQ · medium

An engineer configures a trunk port as shown. A device connected to this port sends an untagged frame. Which VLAN will the switch associate the frame with?

A. VLAN 1
B. The frame is dropped
C. VLAN 10
D. VLAN 99
Answer: D

Untagged frames are placed in native VLAN.

Why this answer

The switchport trunk native vlan 99 command configures VLAN 99 as the native VLAN for the trunk port. When an untagged frame arrives on a trunk port, the switch associates it with the native VLAN. Therefore, the frame is placed into VLAN 99.

Exam trap

Cisco often tests the misconception that untagged frames on a trunk are dropped or that the native VLAN is always VLAN 1, leading candidates to overlook the explicit native VLAN configuration.

How to eliminate wrong answers

Option A is wrong because VLAN 1 is the default native VLAN only if no native VLAN is explicitly configured; here VLAN 99 is set as the native VLAN. Option B is wrong because untagged frames on a trunk port are not dropped; they are assigned to the native VLAN. Option C is wrong because VLAN 10 is not the native VLAN; the native VLAN is explicitly set to VLAN 99.

919
MCQ · medium

Which NX-OS API method allows sending CLI commands in JSON format without enabling any additional features?

A. NX-API method 'cli' with JSON encoding
B. RESTCONF with YANG data
C. SNMP with MIB objects
D. NETCONF with XML data
Answer: A

NX-API allows CLI commands via JSON-RPC.

Why this answer

NX-API on NX-OS supports both JSON-RPC (with method 'cli' or 'cli_ascii') and JSON encoding for CLI commands. The method 'cli' or 'cli_ascii' in JSON-RPC format is used.

920
Multi-Select · easy

Which two statements are true about Cisco DevNet Sandboxes?

Select 2 answers
A. DevNet Sandboxes are only available with a paid subscription.
B. DevNet Sandboxes include reserved labs for fixed time periods and always-on labs.
C. DevNet Sandboxes only support Cisco Catalyst switches.
D. DevNet Sandboxes provide API access to simulate integrations.
E. DevNet Sandboxes do not support third-party devices.
Answers: B, D

Correct; both types exist.

Why this answer

Option B is correct because DevNet Sandboxes offer two primary reservation models: reserved labs, which provide exclusive access to a sandbox for a fixed time period (e.g., 4 hours), and always-on labs, which are perpetually available but shared among users. This flexibility allows developers to choose between dedicated, time-limited environments for intensive testing and persistent, always-available environments for ongoing development and learning.

Exam trap

The trap here is that candidates may assume all sandboxes require payment or only support Cisco hardware, overlooking the free tier and the inclusion of third-party components like Linux VMs or partner APIs for realistic integration testing.

921
MCQ · hard

A developer is using Git for version control of a Python library. A colleague accidentally committed a large sensitive file. Which Git command sequence should be used to remove the file from history without losing subsequent changes?

A. git filter-branch or git filter-repo
B. git rm --cached && git commit
C. git rebase -i && git commit --amend
D. git revert HEAD
Answer: A

These tools rewrite history, removing the file from all commits.

Why this answer

The correct answer is A because `git filter-branch` and `git filter-repo` are designed to rewrite Git history, allowing you to permanently remove a large sensitive file from all commits. This is necessary when a file has been committed and pushed, as simple removal with `git rm` only affects the latest commit and leaves the file accessible in prior history. Using these commands ensures the file is purged from the entire repository history without losing subsequent changes, as they replay the commit graph while filtering out the specified file.

Exam trap

Cisco often tests the distinction between removing a file from the working tree versus removing it from the entire commit history, leading candidates to mistakenly choose `git rm` or `git revert` which only affect the latest state, not the historical record.

How to eliminate wrong answers

Option B is wrong because `git rm --cached` only removes the file from the index (staging area) and the working directory, but the file remains in all previous commits, so it is still accessible in the repository history. Option C is wrong because `git rebase -i` and `git commit --amend` can modify recent commits but cannot efficiently remove a file from deep history without manually editing each commit, and they do not handle large-scale history rewriting for a file that was committed long ago. Option D is wrong because `git revert HEAD` creates a new commit that undoes the changes of the last commit, but it does not remove the sensitive file from earlier commits; the file remains in the commit history and can still be retrieved.

922
MCQ · hard

An IoT device streams telemetry data to a collector using gNMI. Which mode allows the collector to initiate the subscription?

A. gRPC streaming
B. Dial-in mode
C. Dial-out mode
D. NETCONF telemetry
Answer: B

Dial-in is collector-initiated.

Why this answer

In dial-in mode, the collector (client) initiates the gNMI subscription to the device (server).

923
MCQ · easy

Based on the exhibit, what is the frequency of the telemetry subscription?

A. Every 500 seconds
B. Every 500 milliseconds
C. When the management connection is re-established
D. On-change only
Answer: B

The periodic policy value is in milliseconds; 500 ms is the correct interpretation.

Why this answer

The exhibit shows a telemetry subscription with a 'period' of 500, which in Cisco model-driven telemetry (MDT) is expressed in milliseconds. Therefore, the frequency is every 500 milliseconds, making option B correct.

Exam trap

Cisco often tests the unit of the 'period' value, and the trap here is that candidates assume the value is in seconds (like many other network timers) instead of milliseconds, leading them to choose 'Every 500 seconds'.

How to eliminate wrong answers

Option A is wrong because 500 seconds would be an unusually long interval for telemetry updates and the period value in Cisco MDT is always in milliseconds, not seconds. Option C is wrong because a re-establishment-based subscription is a different type (e.g., 'periodic' vs 'on-change' vs 'connection-based'), and the exhibit explicitly shows a periodic subscription with a numeric period value. Option D is wrong because 'on-change' subscriptions do not use a numeric period; they trigger only when the monitored data changes, whereas the exhibit shows a fixed period of 500.

924
Multi-Select · easy

Which TWO are valid methods to secure a REST API? (Choose two.)

Select 2 answers
A. Use HTTPS to encrypt data in transit.
B. Use HTTP with basic authentication.
C. Embed API keys in the URL query string.
D. Implement rate limiting to prevent abuse.
E. Implement OAuth 2.0 for token-based access control.
Answers: A, E

HTTPS encrypts the communication, preventing eavesdropping and tampering.

Why this answer

HTTPS (HTTP over TLS) encrypts the entire HTTP conversation, including headers and payload, using Transport Layer Security (TLS). This prevents eavesdropping, man-in-the-middle attacks, and tampering of data in transit. For a REST API, HTTPS is a fundamental security requirement to protect sensitive data and credentials from being exposed on the network.

Exam trap

Cisco often tests the distinction between mechanisms that provide confidentiality/integrity (HTTPS, OAuth 2.0) versus those that only provide availability or weak authentication (rate limiting, HTTP Basic), leading candidates to mistakenly select rate limiting as a security method.

925
Multi-Select · medium

Which THREE of the following are valid event triggers in Cisco EEM?

Select 3 answers
A. snmp oid
B. timer
C. interface (line protocol change)
D. http request
E. syslog pattern
Answers: B, C, E

Correct. EEM can trigger based on a timer (absolute, countdown, etc.).

Why this answer

EEM supports syslog pattern, CLI match, timer, and interface events.

926
MCQ · medium

In a CI/CD pipeline using Jenkins, which plugin is commonly used to integrate with Cisco Container Platform for deploying containers?

A. Docker Pipeline Plugin
B. Cisco Container Platform Plugin
C. Kubernetes CLI Plugin
D. SSH Plugin
Answer: B

The Cisco Container Platform Plugin is designed for CCP integration.

Why this answer

The Cisco Container Platform Plugin is the correct choice because it provides native integration between Jenkins and Cisco Container Platform (CCP), enabling automated deployment of containers directly to CCP clusters. This plugin handles authentication, cluster discovery, and deployment orchestration specific to CCP, which is built on Kubernetes but includes Cisco-specific extensions for policy and networking.

Exam trap

Cisco often tests the distinction between a generic Kubernetes plugin and a platform-specific plugin, so the trap here is that candidates assume any Kubernetes-related plugin (like Kubernetes CLI Plugin) works with Cisco Container Platform, ignoring the need for Cisco-specific API integration and authentication.

How to eliminate wrong answers

Option A (Docker Pipeline Plugin) is wrong because it only provides Docker commands (like build, push, run) within a pipeline, but it does not integrate with Cisco Container Platform or manage deployments to CCP clusters. Option C (Kubernetes CLI Plugin) is wrong because it wraps kubectl commands for generic Kubernetes clusters, but it lacks the Cisco-specific API calls and authentication mechanisms required for CCP. Option D (SSH Plugin) is wrong because it only enables remote command execution over SSH, which is far too low-level and insecure for orchestrating container deployments to a platform like CCP.

927
Multi-Select · hard

Which THREE security measures should be implemented in a CI/CD pipeline to protect against supply chain attacks? (Choose three.)

Select 3 answers
A. Enable verbose logging for all build steps to detect anomalies.
B. Pin dependency versions to specific hashes.
C. Sign all build artifacts with a GPG key.
D. Verify checksums of downloaded dependencies.
E. Use a private registry for container images with vulnerability scanning.
Answers: B, D, E

Version pinning prevents accidental introduction of malicious updates.

Why this answer

Option B is correct because pinning dependency versions to specific hashes (e.g., using `integrity` attributes in npm’s package-lock.json or `sha256` checksums in pip’s requirements.txt) ensures that only the exact, verified content is downloaded. This prevents an attacker from substituting a malicious version of a dependency, even if the version tag remains the same, by validating the cryptographic hash of the artifact against a known good value.

Exam trap

Cisco often tests the distinction between artifact signing (which protects authenticity after build) and dependency integrity verification (which protects against supply chain attacks during the build), causing candidates to mistakenly select signing as a supply chain defense.

928
MCQ · hard

A developer is creating a YANG data model for a new interface feature. The model must allow the user to choose from a predefined set of values for the 'duplex' leaf. Which YANG statement should be used to restrict the values to 'full', 'half', and 'auto'?

A. choice duplex-options { case full; case half; case auto; }
B. type string;
C. type leafref { path '/other:duplex-list'; }
D. type enumeration { enum full; enum half; enum auto; }
Answer: D

Enumeration restricts to listed values.

Why this answer

Option D is correct because the 'type enumeration' statement in YANG defines a leaf that can only take one of the explicitly listed enum values. By specifying 'enum full;', 'enum half;', and 'enum auto;', the developer restricts the 'duplex' leaf to exactly those three predefined strings, which matches the requirement.

Exam trap

Cisco often tests the distinction between YANG's 'choice' statement (which selects among different schema branches) and the 'enumeration' type (which restricts a single leaf's value), leading candidates to mistakenly choose 'choice' when they need a value restriction.

How to eliminate wrong answers

Option A is wrong because 'choice' and 'case' in YANG are used to model a selection among different schema nodes (e.g., different leafs or containers), not to restrict the value of a single leaf to a set of strings. Option B is wrong because 'type string;' would allow any arbitrary string value, providing no restriction to 'full', 'half', or 'auto'. Option C is wrong because 'type leafref' references the value of another leaf in the data tree; it does not define an inline set of allowed values, and the path '/other:duplex-list' would require a separate list node that may not exist or may not contain the desired restriction.

929
MCQ · hard

You are automating the deployment of a new software image on a fleet of Cisco Nexus switches using Ansible. The switches are in a production environment and must have minimal downtime. You have a maintenance window of 30 minutes per switch. Your playbook performs the following steps: 1) Copy the image to the switch via SCP, 2) Set the boot variable to the new image, 3) Save the configuration, 4) Reload the switch. During a dry run on a test switch, you notice that the reload step takes 8 minutes, but the copy step takes 15 minutes due to slow link speed. For the production rollout, you need to reduce the overall time per switch. Which approach should you take?

A. Skip the save configuration step to save time
B. Use a local file server with HTTP for image transfer to improve speed
C. Use a compressed image to reduce copy time
D. Reload all switches simultaneously in the same maintenance window
Answer: B

HTTP is generally faster than SCP for file transfer.

Why this answer

Option B is correct because the bottleneck is the SCP copy time (15 minutes), which exceeds the 30-minute maintenance window when combined with the reload (8 minutes). Using HTTP for image transfer leverages a more efficient protocol with better throughput and lower overhead than SCP, which uses SSH encryption and can be slower on low-bandwidth links. This directly reduces the copy time, bringing the total per-switch time under the maintenance window limit.

Exam trap

The trap here is that candidates focus on reducing the reload time or configuration steps, when the real bottleneck is the image transfer protocol; Cisco often tests the understanding that protocol choice (SCP vs. HTTP) directly impacts transfer speed in bandwidth-constrained environments.

How to eliminate wrong answers

Option A is wrong because skipping the 'save configuration' step would risk losing the running configuration after reload, potentially causing misconfiguration or downtime, and it does not address the primary bottleneck (copy time). Option C is wrong because while a compressed image reduces file size, the copy time is dominated by link speed and protocol overhead; decompression on the switch adds CPU load and time, and the net gain may be minimal or negative. Option D is wrong because reloading all switches simultaneously would cause a complete network outage, violating the requirement for minimal downtime and exceeding the per-switch maintenance window constraint.

930
MCQ · hard

In a CI/CD pipeline for a network automation project, which stage is responsible for validating the syntax of YAML configuration files?

A. Deploy
B. Lint
C. Test
D. Build
Answer: B

Linting checks for syntax errors and coding standards in configuration files.

Why this answer

The Lint stage in a CI/CD pipeline is specifically designed to perform static analysis on code and configuration files, including YAML syntax validation. For network automation projects, tools like yamllint or ansible-lint check for indentation errors, missing colons, or invalid data types before the configuration is applied to network devices. This ensures that only syntactically correct YAML files proceed to later stages, preventing deployment failures.

Exam trap

Cisco often tests the distinction between static analysis (Lint) and dynamic verification (Test), so candidates may confuse syntax validation with functional testing and incorrectly select Test.

How to eliminate wrong answers

Option A is wrong because the Deploy stage applies validated configurations to production or staging environments and does not validate syntax; deploying invalid YAML would cause errors. Option C is wrong because the Test stage typically runs functional or integration tests (e.g., using pytest or pyATS) to verify network behavior, not static syntax checks. Option D is wrong because the Build stage compiles or packages code (e.g., converting Python to bytecode or creating Docker images) and does not validate YAML syntax.

931
Multi-Select · easy

A developer is building a RESTful API with Python Flask. Which TWO are recommended security best practices for exposing the API over HTTPS?

Select 2 answers
A. Use HTTP Basic Authentication for simplicity.
B. Validate and sanitize all user input.
C. Enable CORS for all origins.
D. Store passwords in plaintext in the database.
E. Implement rate limiting to prevent abuse.
Answers: B, E

This prevents injection attacks like SQLi and XSS.

Why this answer

Option B is correct because validating and sanitizing all user input is a fundamental security practice that prevents injection attacks (e.g., SQL injection, cross-site scripting) against the Flask API. Even over HTTPS, encrypted transport does not protect against malicious payloads; input validation must be applied server-side, often using libraries like marshmallow or Flask-WTF to enforce data types and strip dangerous characters.

Exam trap

Cisco often tests the misconception that HTTPS alone makes an API secure, but the trap here is that encryption only protects data in transit, not the application logic—so candidates must remember that input validation and rate limiting are still required server-side defenses.

932
MCQmedium

A network engineer notices that after a link failure, traffic to a server on a different VLAN is intermittent. The network uses Rapid PVST+. The switch connecting the server is a root bridge for that VLAN. What is the most likely cause of the intermittent connectivity?

A.The server port is not configured as an edge port, causing STP convergence delay.
B.The server is sending BPDUs with a higher priority.
C.The root bridge is flapping due to a configuration mismatch.
D.OSPF hold-down timers are preventing route updates.
AnswerA

Non-edge ports go through STP states, causing delays.

Why this answer

When a link fails in a Rapid PVST+ network, the switch that is the root bridge for the VLAN must reconverge. If the server port is not configured as an edge port (using the 'spanning-tree portfast' command), the switch will transition the port through the listening and learning states (even with Rapid PVST+, non-edge ports still undergo a brief convergence delay). This delay causes intermittent connectivity until the port reaches the forwarding state.

Exam trap

Cisco often tests the misconception that Rapid PVST+ eliminates all convergence delays, but the trap here is that non-edge ports still require a brief transition delay, and candidates may forget that PortFast (edge port configuration) is necessary to avoid this delay for host-facing ports.

How to eliminate wrong answers

Option B is wrong because BPDUs are sent by switches, not servers; a server sending BPDUs with a higher priority would not affect STP convergence, and servers typically do not participate in STP. Option C is wrong because a root bridge flapping due to a configuration mismatch would cause repeated topology changes, but the scenario describes a single link failure followed by intermittent connectivity, not continuous flapping. Option D is wrong because OSPF is a Layer 3 routing protocol and does not affect Layer 2 STP convergence; the issue is within the same VLAN, and OSPF hold-down timers are irrelevant to Rapid PVST+ behavior.

933
Multi-Selecthard

A DevOps team is securing a CI/CD pipeline that deploys containerized applications to Kubernetes. Which THREE practices enhance security?

Select 3 answers
A.Implementing network policies to restrict pod communication.
B.Allowing containers to run with privileges.
C.Scanning container images for vulnerabilities before deployment.
D.Running containers as root.
E.Using Kubernetes Secrets for sensitive environment variables.
AnswersA, C, E

Limits lateral movement in the cluster.

Why this answer

Network policies in Kubernetes act as a firewall for pods, restricting ingress and egress traffic based on labels, namespaces, or IP blocks. This implements a zero-trust model by default, preventing lateral movement if a container is compromised. Option A is correct because it directly reduces the attack surface within the cluster.

Exam trap

Cisco often tests the misconception that 'containers are inherently isolated'—candidates may think privileges or root access are safe because containers are 'lightweight VMs,' but in reality, they share the host kernel, making privilege escalation a critical risk.

934
MCQeasy

Which of the following is a best practice for securing API keys in a CI/CD pipeline?

A.Share via email
B.Hardcode in Dockerfile
C.Store them in source code
D.Use environment variables in build configuration
AnswerA

Email is not secure for sharing API keys.

Why this answer

Option A is correct because sharing API keys via email is not a best practice; the correct best practice is to use environment variables in the build configuration (Option D). Environment variables keep secrets out of source code, Dockerfiles, and insecure communication channels like email, ensuring they are injected at runtime and not exposed in logs or artifacts.

Exam trap

Cisco often tests the misconception that environment variables in build configuration are a fully secure method, but the trap is that they can still be exposed in logs or pipeline artifacts, whereas a dedicated secrets manager is the true best practice.

How to eliminate wrong answers

Option B is wrong because hardcoding API keys in a Dockerfile embeds secrets in the image layers, making them accessible to anyone who can pull the image and inspect its history. Option C is wrong because storing API keys in source code commits them to version control, exposing them to all repository users and potentially to public repositories. Option D is wrong because while environment variables in build configuration are a step up, they can still leak in build logs or be exposed if the CI/CD system is compromised; the question asks for the best practice, which is to use a dedicated secrets manager or vault (e.g., HashiCorp Vault, AWS Secrets Manager) rather than plain environment variables.

935
MCQmedium

In a Docker bridge network, two containers can communicate with each other using which identifier by default?

A.Their IP addresses only
B.Their image names
C.Their container names
D.Their MAC addresses
AnswerC

Docker DNS resolves container names to IPs on the same bridge network.

Why this answer

On the default bridge network, containers can communicate using IP addresses. For name resolution, Docker provides a DNS service using container names. Container names are used as hostnames.

936
MCQmedium

A Webex bot needs to receive real-time notifications when a new message is posted in a Webex space. Which Webex API feature should the bot implement?

A.Long polling
B.Polling the messages API every second
C.Webhooks
D.Server-Sent Events
AnswerC

Webhooks provide real-time event notifications.

Why this answer

Webhooks allow the bot to receive HTTP callbacks for events like message creation.

937
MCQmedium

A network administrator is configuring a new subnet for a branch office that requires at least 50 usable host addresses. Which subnet mask would meet this requirement while minimizing address waste?

A.255.255.255.0 (/24)
B.255.255.255.128 (/25)
C.255.255.255.224 (/27)
D.255.255.255.192 (/26)
AnswerD

Correct. /26 gives 62 usable hosts, fitting 50 with minimal waste.

Why this answer

A /26 subnet provides 62 usable hosts (2^6 - 2 = 62), which is the smallest subnet meeting the requirement of 50 hosts.

938
MCQmedium

A network engineer needs to automate the deployment of a new VLAN on multiple Cisco switches using RESTCONF. Which URL structure should be used to create a VLAN with ID 100?

A.PUT /restconf/data/Cisco-IOS-XE-vlan:vlans/vlan=100
B.POST /restconf/operations/Cisco-IOS-XE-vlan:create-vlan
C.POST /restconf/data/Cisco-IOS-XE-vlan:vlans/vlan=100
D.PUT /restconf/config/vlan/100
AnswerA

PUT creates or replaces the VLAN resource at the specified URI.

Why this answer

Option A is correct because RESTCONF uses the HTTP PUT method to create or replace a specific data resource, and the URL path follows the YANG module structure. Here, 'Cisco-IOS-XE-vlan:vlans/vlan=100' targets the VLAN list entry with ID 100, creating it if it does not exist. This aligns with RESTCONF's resource-oriented design, where PUT on a specific data node performs a create or replace operation.

Exam trap

Cisco often tests the distinction between PUT and POST in RESTCONF, where candidates mistakenly use POST to create a specific resource instance (like a VLAN by ID) instead of PUT, or confuse the '/operations' RPC path with data resource manipulation.

How to eliminate wrong answers

Option B is wrong because it uses POST to a '/operations' URI, which is associated with NETCONF-style RPCs, not RESTCONF data resource creation; RESTCONF does not use '/operations' for creating data resources. Option C is wrong because POST on a data resource URL is used to create a child resource (e.g., a new entry in a list) when the parent container is targeted, not to create a specific instance by ID; using POST on '/vlan=100' would attempt to create a child of that specific VLAN, which is incorrect. Option D is wrong because it uses a non-standard '/config' path and omits the YANG module namespace; RESTCONF requires the module name prefix (e.g., 'Cisco-IOS-XE-vlan:') to identify the data model, and the path should be under '/restconf/data'.

939
Multi-Selecthard

A company is adopting DevSecOps practices. Which THREE practices should be implemented to secure application deployment?

Select 3 answers
A.Secrets management using environment variables stored in .env files committed to git
B.Dependency scanning with tools like Snyk or Dependabot
C.HTTPS enforcement and CORS configuration
D.Secure coding practices (input validation, parameterized queries)
E.Disabling all security tools to reduce deployment time
AnswersB, C, D

Identifies vulnerable third-party libraries.

Why this answer

Secure coding, secrets management, and dependency scanning are core DevSecOps practices that address security throughout the deployment lifecycle.

940
MCQeasy

A Python script used for network automation requires storing an API secret. Which approach is the most secure and recommended best practice?

A.Hardcode the secret in the Python script
B.Store the secret in a plain text file in the repository
C.Encrypt the secret and store it in the script
D.Use environment variables
AnswerD

Environment variables keep secrets out of code and are configurable per deployment.

Why this answer

Option D is correct because storing secrets in environment variables decouples sensitive data from the source code, preventing accidental exposure in version control systems like Git. This approach follows the principle of least privilege and is recommended by security best practices such as the Twelve-Factor App methodology. Environment variables are managed outside the script, reducing the risk of credential leakage during code sharing or deployment.

Exam trap

Cisco often tests the misconception that encryption within the script is sufficient, but the trap is that the decryption key must still be stored somewhere, creating a key management problem that environment variables solve by keeping secrets out of the code entirely.

How to eliminate wrong answers

Option A is wrong because hardcoding the secret in the Python script exposes it to anyone with access to the source code, including version control history, and violates the principle of separating configuration from code. Option B is wrong because storing the secret in a plain text file in the repository makes it readable by anyone who can access the repo, and it can be inadvertently committed and shared, leading to credential exposure. Option C is wrong because encrypting the secret and storing it in the script still requires managing the decryption key within the script or repository, which creates a circular security problem and does not eliminate the risk of exposure through code access.

941
Multi-Selectmedium

A developer is designing a REST API for managing network devices. Which three best practices should be followed for the API design? (Choose three.)

Select 3 answers
A.Use POST for all state-changing operations to ensure idempotency.
B.Use nouns for resource names (e.g., /devices) rather than verbs.
C.Include versioning in the URL path (e.g., /v1/devices).
D.Always send the entire resource representation in all responses to reduce client requests.
E.Use proper HTTP status codes to describe results.
AnswersB, C, E

D is correct because RESTful APIs use nouns to represent resources, while verbs are typically avoided in endpoint paths.

Why this answer

Option B is correct because REST APIs should use nouns to represent resources (e.g., /devices) rather than verbs, which aligns with the uniform interface constraint of REST. Using verbs like /getDevices or /deleteDevice violates REST principles and mixes action semantics with resource identification, making the API less intuitive and harder to maintain.

Exam trap

Cisco often tests the misconception that POST should be used for all state-changing operations because it is simple, but the trap is that POST is not idempotent, and idempotency is a key REST constraint that must be satisfied by using PUT or DELETE for appropriate operations.

942
MCQeasy

A Python script uses a dictionary to store device configuration parameters. Which key, if any, will raise a KeyError if it does not exist in the dictionary?

A.config.setdefault('timeout', 30)
B.config['timeout']
C.config.get('timeout')
D.config.pop('timeout', None)
AnswerB

Direct key access raises KeyError if the key does not exist.

Why this answer

Option B is correct because using square bracket notation (config['timeout']) on a dictionary will raise a KeyError if the specified key does not exist. This is a fundamental behavior of Python dictionaries: direct key access without a fallback mechanism throws an exception when the key is missing.

Exam trap

Cisco often tests the distinction between direct dictionary access (which raises KeyError) and safe access methods like .get(), .setdefault(), and .pop() with defaults, trapping candidates who assume all dictionary access methods behave identically.

How to eliminate wrong answers

Option A is wrong because dict.setdefault('timeout', 30) does not raise a KeyError; if the key 'timeout' does not exist, it inserts the key with the default value 30 and returns that value. Option C is wrong because dict.get('timeout') returns None (or a user-specified default) if the key is missing, never raising a KeyError. Option D is wrong because dict.pop('timeout', None) removes the key if it exists and returns its value; if the key does not exist, it returns the default value None without raising an error.

943
MCQeasy

Which data serialization format is most commonly used for configuration files in Cisco automation tools like Ansible?

A.CSV
B.YAML
C.HTML
D.XML
AnswerB

YAML is the default format for Ansible playbooks and is human-readable, making it ideal for configuration files.

Why this answer

YAML is the most commonly used data serialization format for configuration files in Cisco automation tools like Ansible because it is human-readable, supports complex data structures (lists, dictionaries), and is natively parsed by Ansible playbooks. Cisco's automation solutions, including those for network devices, rely on YAML for defining tasks, variables, and inventory files due to its minimal syntax and compatibility with Jinja2 templating.

Exam trap

Cisco often tests YAML vs. XML to catch candidates who assume XML is the default for all network automation, but YAML is the standard for Ansible due to its simplicity and native support in the toolchain.

How to eliminate wrong answers

Option A is wrong because CSV is a flat, row-oriented format that lacks support for nested structures and is not used for Ansible playbooks or configuration files; it is typically used for tabular data exports. Option C is wrong because HTML is a markup language for web content, not a data serialization format, and has no role in Ansible configuration files. Option D is wrong because XML, while structured and used in older Cisco systems (e.g., NETCONF), is verbose and less human-readable than YAML, making it less preferred for Ansible's declarative playbooks.

944
MCQmedium

A DevOps engineer is implementing Infrastructure as Code (IaC) for network devices. Which of the following practices is most critical to ensure that the environment state matches the desired configuration defined in code?

A.Using Jinja2 templates to generate device configurations.
B.Ensuring that the automation tool is idempotent.
C.Using version control for all configuration files.
D.Implementing rollback procedures for failed deployments.
AnswerB

Idempotency guarantees consistent state.

Why this answer

Idempotency ensures that applying the same configuration multiple times always results in the same desired state, regardless of the current state of the device. This is the most critical practice for IaC because it prevents configuration drift and guarantees that the environment state matches the code-defined configuration. Without idempotency, repeated runs of the automation tool could introduce unintended changes or fail to correct deviations.

Exam trap

Cisco often tests the concept that idempotency is the core principle of IaC for state convergence, tempting candidates to choose version control or rollback procedures because they are familiar best practices, but they do not directly ensure the environment state matches the code.

How to eliminate wrong answers

Option A is wrong because Jinja2 templates are a tool for generating configuration files from variables, but they do not ensure that the applied configuration matches the desired state; they only help with parameterization and reuse. Option C is wrong because version control tracks changes to configuration files over time but does not enforce that the live environment state matches the code; it is a best practice for auditability, not for state convergence. Option D is wrong because rollback procedures handle failed deployments by reverting to a previous state, but they do not guarantee that the environment state matches the desired configuration defined in code; they are a recovery mechanism, not a preventive or corrective one.

945
Matchingmedium

Match each HTTP method to its typical use case in REST APIs.

Concepts
Matches

Retrieve a resource

Create a new resource

Update an existing resource

Remove a resource

Partially modify a resource

Why these pairings

These are standard RESTful HTTP methods.

946
Multi-Selecthard

A network automation engineer is evaluating options for model-driven programmability on Cisco devices. Which THREE are valid YANG model sources or tools? (Choose three.)

Select 3 answers
A.pyang
B.NETCONF
C.Cisco native YANG models
D.yangcatalog.org
E.oc-interfaces
AnswersA, C, D

pyang is a YANG data modeling tool.

Why this answer

pyang is a YANG tool, yangcatalog.org is a repository, and Cisco native models are valid sources. OpenConfig is a standard, but oc-interfaces is a model, not a source/tool.

947
Multi-Selectmedium

Which two of the following are valid ways to authenticate to the Cisco DNA Center API?

Select 2 answers
A.Use SNMP v3
B.Use SAML assertion
C.Provide API token in HTTP header
D.Use SSH key
E.Use OAuth 2.0 client credentials
AnswersC, E

Tokens are obtained via login and passed in headers.

Why this answer

Option C is correct because the Cisco DNA Center API uses token-based authentication. After obtaining a token via a POST request to the /dna/system/api/v1/auth/token endpoint with valid credentials, the token must be included in the HTTP header as 'X-Auth-Token: <token>' for all subsequent API requests. This is the standard method for authenticating REST API calls to Cisco DNA Center.

Exam trap

Cisco often tests the distinction between device-level authentication (SNMP, SSH) and API-level authentication (tokens, OAuth 2.0), leading candidates to mistakenly select protocols used for network device management instead of REST API authentication methods.

948
MCQmedium

When using the Meraki Dashboard API, what is the correct method to authenticate requests?

A.Include an API key in the Authorization header as a Bearer token
B.Use a session token obtained from a login endpoint
C.Use Basic authentication with username and password
D.Include an API key in the X-Cisco-Meraki-API-Key header
AnswerD

This is the correct Meraki authentication method.

Why this answer

The Meraki Dashboard API uses a unique API key for authentication, which must be included in the `X-Cisco-Meraki-API-Key` header. This key is generated per user in the Meraki Dashboard and identifies the request without requiring a session or password. Option D correctly specifies this custom header, which is the only supported method for authenticating requests to the Meraki API.

Exam trap

Cisco often tests the misconception that all REST APIs use standard Bearer tokens or OAuth, but the Meraki API deliberately uses a custom header to emphasize vendor-specific authentication patterns that candidates must memorize.

How to eliminate wrong answers

Option A is wrong because the Meraki API does not use Bearer tokens in the Authorization header; it uses a custom header (`X-Cisco-Meraki-API-Key`) instead of the standard `Authorization: Bearer` format. Option B is wrong because the Meraki API does not have a login endpoint or session tokens; authentication is stateless and key-based. Option C is wrong because Basic authentication with username and password is not supported; the API key is a static, pre-generated token that does not involve credentials in the request.

949
MCQeasy

Which Python data type is mutable and unordered?

A.List
B.Tuple
C.Dictionary
D.Set
AnswerC

Dicts are mutable and unordered (or insertion-ordered in 3.7+, but still considered unordered in context).

Why this answer

Option C (Dictionary) is correct because dictionaries in Python are mutable (you can add, remove, or change key-value pairs) and unordered (prior to Python 3.7, insertion order was not guaranteed; even with order preservation in CPython 3.7+, the data structure is conceptually unordered and accessed by key, not index). This matches the question's requirement for a mutable and unordered data type.

Exam trap

Cisco often tests the distinction between mutable vs. immutable and ordered vs. unordered, and the trap here is that candidates confuse the ordered nature of lists (mutable, ordered) with the unordered nature of dictionaries, or mistakenly think tuples are mutable because they can contain mutable objects.

How to eliminate wrong answers

Option A is wrong because a list is mutable but ordered (elements maintain insertion order and are accessed by index). Option B is wrong because a tuple is immutable (cannot be changed after creation) and ordered. Option D is wrong because, although a set is also mutable and unordered, the exam expects dictionary as the canonical answer for this pairing among the provided options.

950
MCQhard

In the MVC (Model-View-Controller) pattern, which component is responsible for handling user input and updating the model?

A.Controller
B.Model
C.Router
D.View
AnswerA

Controller handles input and updates Model.

Why this answer

In the MVC pattern, the Controller is the component that receives user input (e.g., HTTP requests, button clicks) and translates it into commands that update the Model. It acts as the intermediary between the View and the Model, ensuring that user actions trigger appropriate changes in the application's data layer.

Exam trap

Cisco often tests the misconception that the Router is part of the MVC pattern, but in reality, the Router is a separate component used for URL dispatch, not for handling user input or updating the Model.

How to eliminate wrong answers

Option B is wrong because the Model is responsible for managing the application's data, business logic, and rules, not for handling user input directly. Option C is wrong because the Router is a component used in web frameworks (e.g., Express.js, Django) to map URLs to controllers, but it is not part of the core MVC pattern and does not handle user input or update the Model. Option D is wrong because the View is responsible for presenting data to the user and rendering the UI, not for processing user input or modifying the Model.

951
MCQmedium

A developer wants to create a Webex webhook that triggers when a new message is posted in any room the bot is in. Which resource event should they subscribe to?

A.resource: 'messages', event: 'updated'
B.resource: 'rooms', event: 'created'
C.resource: 'messages', event: 'created'
D.resource: 'memberships', event: 'created'
AnswerC

Correct. This triggers when a message is created.

Why this answer

To trigger on new messages, subscribe to 'messages' resource with 'created' event.

952
Multi-Selectmedium

Which three capabilities are offered by the Cisco DNA Center REST API?

Select 3 answers
A.Intent-based API for business intent deployment
B.Real-time packet capture
C.Device discovery and inventory
D.Direct command-line execution on managed devices
E.Site and building management
AnswersA, C, E

DNA Center provides intent APIs.

Why this answer

Cisco DNA Center's REST API offers an intent-based API that allows you to express business intent (e.g., 'deploy QoS for voice traffic') rather than configuring individual device commands. This abstraction layer translates high-level policies into device-specific configurations, enabling network automation and assurance. It is a core capability of the Cisco Platform Abstraction Layer (PAL).

Exam trap

Cisco often tests the distinction between 'intent-based' (policy-driven) and 'direct device management' (CLI/SNMP) capabilities, so the trap here is assuming that DNA Center's API provides low-level device access like packet capture or CLI execution, when in fact it focuses on high-level automation and assurance.

953
MCQhard

In the context of SDN, which API allows a network controller to communicate with the forwarding plane of network devices?

A.Eastbound API
B.Northbound API
C.REST API
D.Southbound API
AnswerD

Southbound API controls data plane devices.

Why this answer

Southbound APIs (e.g., OpenFlow, NETCONF, gRPC) enable communication from the controller to the network devices.

954
MCQmedium

Which EEM applet action is used to execute a CLI command when an event triggers?

A.action 1.0 event "..."
B.action 1.0 set 1.0 "..."
C.action 1.0 cli command "..."
D.action 1.0 syslog msg "..."
AnswerC

Correct. This executes a CLI command.

Why this answer

EEM uses 'action' with a sequence number and 'cli' keyword to execute commands.

955
MCQmedium

Which NETCONF operation is used to retrieve the entire configuration datastore from a network device?

A.<edit-config>
B.<get>
C.<get-config>
D.<commit>
AnswerC

<get-config> specifically retrieves the configuration datastore.

Why this answer

<get-config> retrieves configuration datastore. <get> retrieves state and config data. <edit-config> modifies configuration. <commit> confirms a candidate configuration.

956
MCQhard

Refer to the exhibit. A developer is building a Docker image for a Node.js application. The Dockerfile contains:

```
FROM node:14
WORKDIR /usr/src/app
COPY package*.json ./
RUN npm install
COPY . .
CMD ["node", "app.js"]
```

When building, the error shown occurs. What is the most likely cause?

A.The Dockerfile should use the root user for running npm install.
B.The npm install command should be run with the --unsafe-perm flag.
C.The base image node:14 is outdated and contains a bug.
D.The application is running as a non-root user (e.g., node) that lacks write permission to the working directory.
AnswerD

The node image often uses the node user; if the WORKDIR is owned by root, the node user cannot write to it. The fix is to ensure proper ownership.

Why this answer

The error occurs because the official Node.js Docker image (node:14) runs as a non-root user named 'node' by default. The WORKDIR /usr/src/app is owned by root, so the 'node' user lacks write permission to that directory. When npm install tries to create node_modules or write package-lock.json, it fails with a permission error.

Option D correctly identifies this user-permission mismatch.

Exam trap

Cisco often tests the misconception that npm install always requires root privileges, when in fact the official Node.js image deliberately runs as a non-root user and the fix is to adjust directory ownership, not to escalate privileges.

How to eliminate wrong answers

Option A is wrong because running as root is a security anti-pattern; the official image intentionally uses a non-root user to follow least-privilege principles. Option B is wrong because the --unsafe-perm flag is only relevant when running npm scripts as root (it prevents dropping privileges), not for fixing permission issues with a non-root user. Option C is wrong because the node:14 image is not inherently buggy regarding permissions; the issue is a deliberate design choice to run as a non-root user, not an outdated bug.

957
Multi-Selecteasy

Which two authentication methods are commonly used with Cisco APIs? (Choose two.)

Select 2 answers
A.SNMPv3
B.Basic Authentication over HTTPS
C.SSH Key
D.RADIUS
E.API Token (Bearer Token)
AnswersB, E

Many Cisco APIs support Basic Auth for initial token acquisition.

Why this answer

Basic Authentication over HTTPS is commonly used with Cisco APIs because it sends a base64-encoded username:password pair in the Authorization header, which is a simple and widely supported method for authenticating REST API requests. Cisco's REST APIs, such as those on DNA Center and Meraki, often accept Basic Auth as a fallback or for legacy integration, though it is less secure than token-based methods.

Exam trap

Cisco often tests the distinction between authentication methods used for API access versus those used for device management or network protocols, so the trap here is confusing SNMPv3 or SSH keys (which are for device CLI/management) with HTTP-based API authentication methods.

958
MCQhard

A developer is using the Cisco Webex API to create a room and add members. The API requires an access token with the appropriate scopes. The developer receives a 401 Unauthorized error when trying to create a room. What is the most likely cause?

A.The access token only has the 'spark:rooms_read' scope
B.The access token has the 'spark:memberships_write' scope but not 'spark:rooms_write'
C.The access token is not being sent in the Authorization header
D.The access token has expired
AnswerA

Correct: The write scope is required for creating rooms.

Why this answer

The 401 Unauthorized error indicates that the request lacks valid authentication credentials. Since the developer is using an access token but still getting a 401, the most likely cause is that the token does not have the required scopes to perform the operation. The 'spark:rooms_read' scope only allows reading room details, not creating them, so the API rejects the request with a 401 because the token is valid but insufficiently scoped.

Exam trap

Cisco often tests the distinction between 401 Unauthorized (authentication failure) and 403 Forbidden (authorization failure), and the trap here is that candidates assume a 401 always means a missing or expired token, when in fact an invalid scope can also trigger a 401 in Webex APIs.

How to eliminate wrong answers

Option B is wrong because having 'spark:memberships_write' without 'spark:rooms_write' would still cause a 403 Forbidden (insufficient permissions), not a 401 Unauthorized — the token is valid but lacks the specific scope. Option C is wrong because if the token were not sent in the Authorization header, the API would return a 401 Unauthorized, but this is less likely than a scope issue given the developer is explicitly using an access token; however, the question asks for the 'most likely' cause, and scope misconfiguration is a common pitfall. Option D is wrong because an expired token would also return a 401, but the developer is actively generating and using the token, making expiration less probable than a scope mismatch.

959
MCQhard

A developer is working with the Cisco SD-WAN vManage API to monitor overlay tunnels. They need to retrieve a list of all devices with their site IDs and IP addresses. Which API endpoint is most appropriate?

A.GET /dataservice/device/monitor
B.GET /dataservice/device/device
C.GET /dataservice/device/overlay
D.GET /dataservice/device
AnswerD

Returns list of devices with site ID and system IP.

Why this answer

The GET /dataservice/device endpoint returns a list of all devices managed by the Cisco SD-WAN vManage, including their site IDs and IP addresses. This is the correct endpoint for retrieving device inventory details, as it provides the necessary fields like 'deviceId', 'system-ip', and 'site-id' in the response.

Exam trap

Cisco often tests the distinction between device inventory endpoints and monitoring/overlay-specific endpoints, leading candidates to choose 'monitor' or 'overlay' when they only need basic device information.

How to eliminate wrong answers

Option A is wrong because GET /dataservice/device/monitor is used for retrieving real-time monitoring data (e.g., CPU, memory) for a specific device, not a list of all devices with site IDs and IP addresses. Option B is wrong because GET /dataservice/device/device is not a valid vManage API endpoint; the correct path for device details is /dataservice/device. Option C is wrong because GET /dataservice/device/overlay returns overlay tunnel statistics (e.g., OMP routes, TLOC information) rather than a flat list of devices with site IDs and IP addresses.

960
MCQhard

An engineer is exploring YANG models for network interfaces. They need a vendor-neutral model that can be used across multiple device types. Which YANG model should they use?

A.ietf-interfaces
B.OpenConfig interfaces
C.Cisco-NX-OS-device
D.Cisco-IOS-XE-native
AnswerB

OpenConfig provides vendor-neutral YANG models.

Why this answer

OpenConfig models are vendor-neutral, while Cisco native models are vendor-specific.

961
MCQhard

A network engineer is designing a subnetting scheme for a company that requires 5 subnets from the 192.168.1.0/24 network. What subnet mask should be used, and how many usable hosts per subnet will be available?

A.255.255.255.192 with 62 usable hosts per subnet
B.255.255.255.224 with 30 usable hosts per subnet
C.255.255.255.240 with 14 usable hosts per subnet
D.255.255.255.248 with 6 usable hosts per subnet
AnswerB

255.255.255.224 (/27) provides 8 subnets (2^3=8) with 30 usable hosts each (2^5-2=30).

Why this answer

To create 5 subnets, at least 3 bits are needed (2^3=8 subnets). /27 (255.255.255.224) gives 8 subnets with 30 usable hosts each (2^5-2=30).

962
MCQmedium

A developer is using the Meraki API to retrieve a list of networks for an organization. Which HTTP method and endpoint should be used?

A.GET /organizations/{organizationId}/networks
B.POST /organizations/{organizationId}/networks
C.GET /networks
D.PUT /organizations/{organizationId}/networks
AnswerA

Correct endpoint and method to list networks.

Why this answer

The Meraki API uses RESTful conventions where retrieving a list of resources is done with a GET request. The endpoint GET /organizations/{organizationId}/networks returns all networks belonging to a specific organization, as documented in the Meraki API reference. This matches the standard pattern for listing child resources under a parent resource.

Exam trap

Cisco often tests the distinction between HTTP methods (GET vs POST vs PUT) and the necessity of proper resource scoping (including the organization ID), so the trap here is assuming a flat /networks endpoint exists or that POST can be used for retrieval.

How to eliminate wrong answers

Option B is wrong because POST is used to create a new resource, not to retrieve a list; using POST for retrieval violates REST principles and the Meraki API specification. Option C is wrong because /networks is not a valid top-level endpoint; the Meraki API requires the organization ID to scope the request, as networks are always associated with an organization. Option D is wrong because PUT is used to update an existing resource, not to retrieve a list; it would either fail or be interpreted incorrectly by the API.

963
Multi-Selectmedium

A DevOps engineer is managing a Git repository and wants to discard local changes to a file and revert it to the last committed state. Which TWO commands can accomplish this? (Choose two.)

Select 2 answers
A.git reset --hard HEAD
B.git checkout -- <file>
C.git stash drop
D.git revert <file>
E.git restore <file>
AnswersB, E

This reverts the file to its state in the index (last staged version) or HEAD if not staged.

Why this answer

Both `git checkout -- <file>` and `git restore <file>` discard unstaged local changes to a file, reverting it to the content of the last commit (HEAD). `git checkout -- <file>` is the traditional command, while `git restore <file>` is the newer, more intuitive alternative introduced in Git 2.23. Both operate on the working tree without affecting the staging area or commit history.

Exam trap

Cisco often tests the distinction between commands that affect the entire repository (like `git reset --hard`) versus those that target a single file (like `git checkout -- <file>` or `git restore <file>`), leading candidates to incorrectly choose `git reset --hard HEAD` when only a single file needs reversion.

964
MCQhard

A developer needs to send a message to a specific room in Webex using the API. What is the correct endpoint and required body parameter for the room destination?

A.POST /v1/messages with roomId parameter
B.POST /v1/messages with toPersonEmail parameter
C.POST /v1/memberships with roomId
D.POST /v1/rooms with message text
AnswerA

roomId specifies the target room for the message.

Why this answer

To send a message to a Webex room, use POST /v1/messages with the roomId parameter to specify the target room.

965
MCQmedium

A developer needs to create a Python function that accepts any number of keyword arguments and prints them. Which function definition correctly uses **kwargs?

A.def print_args(*args): print(args)
B.def print_args(kwargs): print(kwargs)
C.def print_args(**kwargs): print(kwargs)
D.def print_args(*kwargs): print(kwargs)
AnswerC

**kwargs collects keyword arguments into a dict.

Why this answer

Option C is correct because the **kwargs syntax in a Python function definition collects any number of keyword arguments into a dictionary. The function then prints that dictionary, which matches the requirement to accept and print any number of keyword arguments.

Exam trap

Cisco often tests the distinction between *args (positional arguments) and **kwargs (keyword arguments), and the trap here is that candidates confuse the single asterisk (*) for collecting keyword arguments instead of the double asterisk (**).

How to eliminate wrong answers

Option A is wrong because *args collects positional arguments into a tuple, not keyword arguments. Option B is wrong because it defines a single parameter named 'kwargs' that expects a single positional argument, not any number of keyword arguments. Option D is wrong because *kwargs uses the single-asterisk syntax, which collects positional arguments into a tuple, not keyword arguments into a dictionary.

966
MCQhard

In a network automation workflow, a developer needs to ensure idempotency. What does idempotency mean in this context?

A.The script uses a single API call
B.Running the script once produces the same result as running it multiple times
C.The script can recover from failures
D.The script can run on multiple devices simultaneously
AnswerB

This is the definition of idempotency.

Why this answer

Idempotency in network automation means that executing an operation multiple times results in the same network state as executing it once. For example, using a REST API PUT request to set a VLAN configuration will leave the device in the same state whether the request is sent once or repeatedly, because PUT is inherently idempotent. This prevents unintended side effects like duplicate VLANs or interface misconfigurations when a script is retried due to network failures or timeouts.

Exam trap

Cisco often tests idempotency by pairing it with failure recovery or concurrency, hoping candidates confuse idempotency with fault tolerance or parallel execution.

How to eliminate wrong answers

Option A is wrong because a single API call does not guarantee idempotency; for instance, a POST request that creates a resource is not idempotent and can create duplicates. Option C is wrong because failure recovery (e.g., retry logic or rollback) is a separate reliability concern, not a definition of idempotency; idempotency ensures safe retries but does not itself handle recovery. Option D is wrong because running a script on multiple devices simultaneously relates to parallelism or concurrency, not idempotency; idempotency applies per-operation regardless of the number of targets.

967
MCQhard

An IPv6-enabled host is trying to discover the MAC address of another host on the same link. The host knows the destination IPv6 address but does not have a corresponding entry in the neighbor cache. Which protocol and message type does the host use?

A.Neighbor Advertisement (ICMPv6 type 136)
B.Router Solicitation (ICMPv6 type 133)
C.Neighbor Solicitation (ICMPv6 type 135)
D.Address Resolution Protocol (ARP)
AnswerC

NS is used for address resolution.

Why this answer

When an IPv6 host needs to resolve a known destination IPv6 address to its MAC address on the same link, it sends a Neighbor Solicitation (NS) message, which is ICMPv6 type 135. This message is multicast to the solicited-node multicast address of the target, and the host with that IPv6 address responds with a Neighbor Advertisement (ICMPv6 type 136) containing its MAC address. This process replaces ARP in IPv4 and is defined in RFC 4861.

Exam trap

Cisco often tests the distinction between the solicitation (type 135) and advertisement (type 136) messages, and the trap here is that candidates may confuse Neighbor Solicitation with Router Solicitation or mistakenly think ARP is used in IPv6.

How to eliminate wrong answers

Option A is wrong because Neighbor Advertisement (ICMPv6 type 136) is the response message, not the initial query used to discover a MAC address. Option B is wrong because Router Solicitation (ICMPv6 type 133) is used by hosts to discover routers on the link, not to resolve a neighbor's MAC address. Option D is wrong because Address Resolution Protocol (ARP) is an IPv4-only protocol; IPv6 uses Neighbor Discovery Protocol (NDP) with ICMPv6 messages instead of ARP.

968
MCQeasy

A Python script uses the Cisco Meraki API to list networks in an organization. The API returns HTTP 403 Forbidden. What is the most likely cause?

A.The request was sent over HTTP instead of HTTPS.
B.The network ID specified is incorrect.
C.The API key is invalid or missing.
D.The organization ID was omitted from the request.
AnswerC

The Meraki API returns 403 when the API key is invalid or not provided.

Why this answer

HTTP 403 Forbidden indicates the server understood the request but refuses to authorize it. In the context of the Meraki API, this almost always means the API key (X-Cisco-Meraki-API-Key header) is invalid, expired, or missing from the request. Without a valid API key, the server cannot authenticate the client and returns 403.

Exam trap

Cisco often tests the distinction between 401 Unauthorized (missing or invalid authentication credentials) and 403 Forbidden (authenticated but not authorized); the trap here is that candidates may confuse 403 with a missing parameter (like organization ID) or a wrong resource ID, but 403 specifically indicates the request was understood but authorization failed.

How to eliminate wrong answers

Option A is wrong because using HTTP instead of HTTPS would typically result in a redirect (301/302) or a connection error, not a 403 Forbidden; the Meraki API enforces HTTPS at the transport layer, not as an authorization check. Option B is wrong because an incorrect network ID would cause a 404 Not Found (resource not found) or a 400 Bad Request, not a 403 Forbidden; the 403 is an authorization failure, not a resource identification issue. Option D is wrong because omitting the organization ID would result in a 400 Bad Request (missing required parameter) or a 404 if the endpoint expects it in the path, not a 403; the 403 specifically points to authentication/authorization failure, not a missing parameter.

969
MCQmedium

A REST API returns a 500 Internal Server Error when a client sends a malformed JSON payload. What is the most appropriate HTTP response code to indicate a client-side error?

A.400 Bad Request
B.401 Unauthorized
C.403 Forbidden
D.422 Unprocessable Entity
AnswerA

400 indicates the server cannot process the request due to malformed syntax, which fits a malformed JSON payload.

Why this answer

A 400 Bad Request is the correct response because the client sent a malformed JSON payload, which is a client-side error. HTTP 400 indicates that the server cannot process the request due to something perceived as a client error (e.g., malformed syntax). This aligns with RFC 7231, which defines 400 as appropriate for requests with invalid syntax or structure.

Exam trap

Cisco often tests the distinction between 400 (syntax errors) and 422 (semantic errors), leading candidates to mistakenly choose 422 when the question explicitly states 'malformed JSON payload' (a syntax issue), not a validation failure.

How to eliminate wrong answers

Option B (401 Unauthorized) is wrong because it indicates missing or invalid authentication credentials, not a malformed payload. Option C (403 Forbidden) is wrong because it means the server understood the request but refuses to authorize it, typically due to insufficient permissions, not a syntax error. Option D (422 Unprocessable Entity) is wrong because it is defined in RFC 4918 for WebDAV and indicates the server understands the content type and syntax but cannot process the instructions (e.g., semantic validation failures), not a malformed JSON structure.

970
MCQhard

In a microservices architecture, which of the following is a primary advantage over a monolithic architecture?

A.Easier end-to-end testing
B.Lower operational overhead
C.Simpler inter-service communication
D.Independent deployability and scaling of services
AnswerD

Each service can be deployed and scaled independently, improving agility.

Why this answer

Microservices allow independent deployment and scaling of services, which is a key advantage.

971
Multi-Selectmedium

Which three of the following are common data formats used with REST APIs on Cisco platforms?

Select 3 answers
A.CSV
B.JSON
C.XML
D.HTML
E.YAML
AnswersB, C, E

JSON is widely used for REST APIs.

Why this answer

JSON (JavaScript Object Notation) is a lightweight, text-based data interchange format that is natively supported by most programming languages and REST APIs. Cisco platforms, such as Cisco DNA Center and Cisco Meraki, use JSON as the primary data format for API requests and responses because it is easy to parse and has a compact structure. JSON's key-value pair syntax aligns well with RESTful principles, making it the most common choice for modern Cisco REST APIs.

Exam trap

Cisco often tests that candidates recognize JSON, XML, and YAML as common data formats for REST APIs, but the trap here is that YAML is less common for REST API payloads and more associated with configuration management tools like Ansible, leading some to incorrectly exclude it while including CSV or HTML.

972
MCQeasy

An engineer needs to modify the running configuration of a Cisco IOS-XE device using a protocol that is stateless and uses HTTP methods. Which protocol should be used?

A.NETCONF
B.SNMP
C.RESTCONF
D.CLI
AnswerC

RESTCONF is stateless, uses HTTP, and aligns with RESTful principles.

Why this answer

RESTCONF is the correct choice because it is a stateless protocol that uses standard HTTP methods (GET, POST, PUT, PATCH, DELETE) to manipulate YANG-defined data stores on a Cisco IOS-XE device. Unlike NETCONF, which is stateful and session-oriented, RESTCONF operates over HTTP without maintaining session state, making it ideal for lightweight, RESTful automation.

Exam trap

Cisco often tests the distinction between NETCONF and RESTCONF, where candidates mistakenly choose NETCONF because it is more familiar for network automation, but the question specifically requires a stateless protocol using HTTP methods, which only RESTCONF satisfies.

How to eliminate wrong answers

Option A is wrong because NETCONF is a stateful protocol that relies on SSH or TLS and uses RPC-based operations, not stateless HTTP methods. Option B is wrong because SNMP uses UDP and a manager-agent model with GET/SET/TRAP operations, not HTTP methods, and is not designed for modifying running configurations via RESTful APIs. Option D is wrong because CLI (Command-Line Interface) is a human-interactive interface that does not use HTTP methods and is not a protocol for programmatic, stateless configuration management.

973
Multi-Selecteasy

Which TWO are valid methods to secure a Docker container?

Select 2 answers
A.Use read-only filesystem
B.Expose all ports
C.Set resource limits
D.Run containers as root
E.Disable network isolation
AnswersA, C

Read-only filesystem prevents container from modifying files.

Why this answer

Option A is correct because mounting the container's filesystem as read-only prevents any process inside the container from writing to the filesystem, which blocks malware persistence, log tampering, and unauthorized configuration changes. This is enforced by the Linux kernel's mount namespace and can be set with the `--read-only` flag in `docker run`. It is a key principle of immutable infrastructure for containers.

Exam trap

Cisco often tests the misconception that 'running as root inside a container is safe because the container is isolated,' but the trap here is that root inside a container is the same UID 0 on the host if the container is not run with a user namespace remapping or `--user` flag, making it a direct privilege escalation vector.

974
MCQhard

An engineer is troubleshooting packet loss between two hosts on different subnets. The traceroute shows that packets reach the first hop router but then stop. The router's ARP table shows an incomplete entry for the next-hop IP address. What is the most likely cause?

A.The MTU is misconfigured on the outgoing interface.
B.The routing protocol has not converged yet.
C.The next-hop device is powered off or has a Layer 1 issue.
D.An ACL is blocking traffic on the outgoing interface.
AnswerC

If the next-hop device is offline, the router cannot complete ARP.

Why this answer

An incomplete ARP entry for the next-hop IP address indicates that the router sent an ARP request but received no reply. This typically means the next-hop device is unreachable at Layer 2, often because it is powered off, has a failed interface, or there is a cabling issue. Since traceroute shows packets reaching the first hop but not beyond, the Layer 2 failure at the next hop is the most direct cause.

Exam trap

Cisco often tests the distinction between Layer 2 failures (incomplete ARP) and Layer 3 failures (routing or ACL issues), tempting candidates to blame routing convergence or ACLs when the real problem is a missing ARP reply due to a physical or data-link problem.

How to eliminate wrong answers

Option A is wrong because an MTU misconfiguration would cause fragmentation issues or ICMP 'fragmentation needed' messages, not an incomplete ARP entry; ARP operates independently of MTU. Option B is wrong because routing protocol convergence affects the routing table, not the ARP table; an incomplete ARP entry is a Layer 2 issue, not a routing protocol state. Option D is wrong because an ACL blocking traffic would drop packets after a successful ARP resolution, resulting in a complete ARP entry but no forwarded packets; an incomplete ARP entry specifically indicates the ARP request itself failed.

975
MCQmedium

When using Cisco Intersight API to manage UCS servers, a script must invoke an API that triggers a firmware upgrade. Which HTTP method and endpoint pattern should be used?

A.PUT to /api/v1/version
B.DELETE to /api/v1/firmware
C.GET to /api/v1/status
D.POST to /api/v1/upgrade
AnswerD

This is consistent with Intersight API patterns for action endpoints.

Why this answer

Option D is correct because triggering a firmware upgrade in Cisco Intersight requires creating a new operation, which aligns with the POST HTTP method. The endpoint /api/v1/upgrade is a typical RESTful pattern for initiating an upgrade action, as POST is used to submit data to a resource to create or trigger a process. In Intersight's API, firmware upgrades are managed via POST requests to specific endpoints like /api/v1/upgrade, not through retrieval, modification, or deletion of existing resources.

Exam trap

Cisco often tests the misconception that firmware upgrades are performed via PUT (update) or GET (status check), but the correct method is POST because it initiates a new action rather than modifying an existing resource.

How to eliminate wrong answers

Option A is wrong because PUT is used to update an existing resource, not to trigger a new operation, and /api/v1/version is a read-only endpoint for retrieving version information, not for initiating upgrades. Option B is wrong because DELETE is used to remove a resource, and /api/v1/firmware would typically represent a firmware resource or collection, not an action endpoint; deleting firmware does not trigger an upgrade. Option C is wrong because GET is used to retrieve data, and /api/v1/status is for checking system status or health, not for performing state-changing operations like firmware upgrades.
