Cisco DevNet Associate 200-901 (200-901) — Questions 76–150

505 questions total · 7 pages · All types, answers revealed

Page 2 of 7
76
MCQ · hard

Refer to the exhibit. A router has the routing table shown. A packet arrives at GigabitEthernet0/0 with destination IP 8.8.8.8. What will the router do?

A. Look up the destination in the ARP cache and then forward.
B. Send an ICMP unreachable message back to the source.
C. Forward the packet out GigabitEthernet0/1 to the default gateway.
D. Drop the packet because there is no route to 8.8.8.8.
E. Forward the packet out GigabitEthernet0/0 via 10.0.0.1.
Answer: E

The default route is used, and the next hop is 10.0.0.1 out Gi0/0.

Why this answer

The router has a default route via 10.0.0.1. The destination 8.8.8.8 does not match any specific route, so it will use the default route. The packet will be forwarded out GigabitEthernet0/0 to 10.0.0.1.

77
MCQ · medium

A developer is writing a Python script to interact with a Cisco device using NETCONF. Which library is most appropriate?

A. netmiko
B. requests
C. paramiko
D. ncclient
Answer: D

ncclient is a Python library that provides an API for NETCONF operations on network devices.

Why this answer

Option D is correct because ncclient is the standard Python library for NETCONF operations. Option B (requests) is for HTTP, not NETCONF. Option C (paramiko) is for SSH, not NETCONF.

Option A (netmiko) is for SSH and Telnet to network devices, but it does not natively support NETCONF. Therefore, ncclient is the correct choice.

78
MCQ · hard

A company uses Cisco NSO to manage multiple network devices. They want to ensure that before deploying a configuration change, all devices are in sync with NSO's CDB. Which approach is the best practice?

A. Configure NSO to automatically sync devices when changes are detected
B. Run 'devices sync-from' on all devices before each deployment
C. Schedule a periodic sync every hour
D. Use the 'check-sync' action and only deploy if all devices are in sync
Answer: A

NSO can automatically sync devices via 'sync-from' triggered by device changes or periodic checks.

Why this answer

Option A is correct because NSO's automatic sync capability (via the 'devices sync' or 'sync-from' action triggered by device changes) ensures that the Configuration Database (CDB) remains the authoritative source of truth without manual intervention. This best practice eliminates the risk of deploying a change to devices that are out of sync, which could cause configuration drift or operational failures. NSO's NETCONF-based synchronization allows it to detect and reconcile differences between CDB and device running configurations automatically.

Exam trap

Cisco often tests the misconception that 'check-sync' is sufficient for safe deployments, but the trap is that it only verifies state without automatically resolving drift, which still requires a separate sync action to ensure CDB accuracy before deployment.

How to eliminate wrong answers

Option B is wrong because running 'devices sync-from' on all devices before each deployment is inefficient and disruptive, as it forces a full configuration pull from every device even if only a subset is out of sync, and it does not leverage NSO's ability to detect changes incrementally. Option C is wrong because scheduling a periodic sync every hour introduces a window of vulnerability where devices could become out of sync between sync intervals, and it does not guarantee that devices are in sync at the exact moment of deployment. Option D is wrong because using the 'check-sync' action only reports the sync status without automatically correcting out-of-sync devices; if a device is out of sync, the deployment would be blocked or proceed with stale data, requiring manual intervention to sync first, which defeats the purpose of an automated best practice.

79
Multi-Select · medium

Which THREE of the following are typically included in a Cisco DevNet sandbox environment? (Choose three.)

Select 3 answers
A. Ability to run production application traffic
B. Access to production customer data for realistic testing
C. Pre-configured Cisco devices (routers, switches, or firewalls)
D. A sample network topology with an IP plan
E. REST API endpoints for programmatic interaction
Answers: C, D, E

Sandboxes typically include virtual or physical Cisco devices for testing.

Why this answer

Option C is correct because Cisco DevNet sandboxes provide pre-configured Cisco devices (routers, switches, firewalls) to allow developers to test automation scripts and network configurations without needing physical hardware. These sandboxes are isolated environments that mirror production-like setups, enabling safe experimentation with device APIs and CLI commands.

Exam trap

Cisco often tests the distinction between sandbox environments and production systems, and the trap here is that candidates mistakenly assume sandboxes include real customer data or can handle production traffic, when in fact they are strictly for development and testing with simulated resources.

80
Multi-Select · medium

Which TWO of the following are valid reasons to use a trunk link between two switches? (Select exactly two.)

Select 2 answers
A. To connect a switch to a router using a single link for one VLAN.
B. To increase bandwidth between switches by combining multiple links.
C. To reduce latency by using 802.1Q encapsulation.
D. To interconnect switches in a multi-VLAN environment.
E. To allow traffic from multiple VLANs to traverse a single link.
Answers: D, E

Trunks are standard for switch-to-switch connections carrying multiple VLANs.

Why this answer

Option D is correct because trunk links are specifically designed to interconnect switches in a multi-VLAN environment, allowing the switches to exchange frames tagged with VLAN information using the 802.1Q protocol. Without a trunk, each VLAN would require a separate physical link between switches, which is inefficient and does not scale.

Exam trap

Cisco often tests the distinction between trunking (VLAN tagging) and link aggregation (EtherChannel), so candidates mistakenly select 'increase bandwidth' as a trunk benefit when it is actually a feature of EtherChannel.

81
MCQ · hard

An engineer needs to troubleshoot a RESTCONF request that returns a 409 Conflict error when trying to modify a YANG data node. What is the most likely cause?

A. The data node is read-only
B. Authentication failure
C. The resource was modified by another client during the operation
D. The YANG model version mismatch
Answer: C

409 Conflict indicates a conflict with the current state.

Why this answer

A 409 Conflict error in RESTCONF specifically indicates a resource state conflict, typically caused by a YANG data store version mismatch detected via the 'if-match' header or ETag validation. When another client modifies the same resource between the time a client retrieves it and attempts to update it, the server rejects the request to prevent lost updates, enforcing optimistic locking as defined in RFC 8040.

Exam trap

Cisco often tests the distinction between HTTP status codes in RESTCONF, and the trap here is that candidates confuse a 409 Conflict with a generic 'modification failure' and incorrectly attribute it to permissions (401) or model issues (400/404), rather than recognizing it as a concurrency control mechanism.

How to eliminate wrong answers

Option A is wrong because a read-only data node would return a 405 Method Not Allowed or a 403 Forbidden, not a 409 Conflict, as RESTCONF explicitly rejects write operations on read-only nodes. Option B is wrong because authentication failure results in a 401 Unauthorized error, not a 409 Conflict, which is a resource state issue unrelated to credentials. Option D is wrong because a YANG model version mismatch would typically cause a 400 Bad Request or a 404 Not Found if the data node is unrecognized, not a 409 Conflict, which is specific to concurrent modification conflicts.

82
MCQ · hard

A Python script using the ncclient library connects to a Cisco IOS-XE device to retrieve the running configuration. The script raises an exception: 'TimeoutError: Session timed out'. Which is the most likely cause?

A. The device does not support NETCONF
B. The SSH port (830) is blocked by a firewall
C. The device's running configuration is too large
D. The XML payload is malformed
Answer: B

If port 830 is blocked, the connection cannot be established, leading to a timeout.

Why this answer

The ncclient library uses NETCONF over SSH, which by default connects to TCP port 830. A 'TimeoutError: Session timed out' indicates that the TCP connection to the device could not be established within the timeout period. The most likely cause is that a firewall is blocking port 830, preventing the SSH session from being initiated.

Exam trap

Cisco often tests the distinction between connection-level errors (like timeouts) and protocol-level errors (like capability mismatches or malformed payloads), so candidates must identify that a timeout points to a network connectivity issue rather than a configuration or data format problem.

How to eliminate wrong answers

Option A is wrong because if the device did not support NETCONF, the error would typically be a capability exchange failure or an 'Unsupported protocol' error, not a timeout during session establishment. Option C is wrong because a large running configuration might cause a slow retrieval or memory issues, but it would not prevent the initial TCP connection and SSH session from being established; the timeout occurs before any configuration data is exchanged. Option D is wrong because a malformed XML payload would cause an RPC error or parsing exception after the session is established, not a timeout during the connection phase.

83
MCQ · easy

A network technician runs the command 'ping 8.8.8.8' from a workstation and receives 'Reply from 192.168.1.1: Destination host unreachable.' What does this indicate?

A. There is a routing issue beyond the local network.
B. DNS resolution is failing.
C. The default gateway is misconfigured.
D. The workstation has no internet connectivity.
E. The remote server is down.
Answer: A

The gateway cannot reach the destination, indicating a routing problem.

Why this answer

The 'Reply from 192.168.1.1: Destination host unreachable' message indicates that the local router (192.168.1.1) received the ICMP echo request for 8.8.8.8 but could not find a route to that destination in its routing table. This means the router has a valid path back to the workstation (so the default gateway is reachable), but it lacks a route to the remote network, pointing to a routing issue beyond the local subnet.

Exam trap

Cisco often tests the distinction between 'Destination host unreachable' (routing issue at a router) and 'Request timed out' (no response received), leading candidates to incorrectly assume the default gateway is misconfigured or that there is no connectivity at all.

How to eliminate wrong answers

Option B is wrong because DNS resolution is not involved in a ping to an IP address; the command uses a raw IP address, so no DNS query occurs. Option C is wrong because if the default gateway were misconfigured, the workstation would not receive any reply (or would get 'Request timed out'), as the ICMP echo request would never leave the local network. Option D is wrong because the workstation does have internet connectivity to its local router (192.168.1.1), as evidenced by the reply; the issue is beyond the local network.

Option E is wrong because the remote server (8.8.8.8) is not necessarily down; the router cannot even attempt to reach it due to missing routing information.

84
MCQ · easy

A script is using the Cisco Meraki API to fetch a list of organizations. The script needs to authenticate with an API key. Where should the API key be included in the request?

A. In the HTTP Authorization header using Bearer scheme.
B. In the request body as a JSON field.
C. In the request URL as a query parameter.
D. In the request header as 'X-Cisco-Meraki-API-Key'.
Answer: D

Meraki API uses the custom header 'X-Cisco-Meraki-API-Key' for API key authentication.

Why this answer

The Cisco Meraki API requires the API key to be sent in a custom HTTP header named 'X-Cisco-Meraki-API-Key'. This is a vendor-specific authentication mechanism, not a standard Bearer token. Including the key in this header ensures the request is authenticated without exposing the key in the URL or body.

Exam trap

Cisco often tests the fact that many APIs use standard Bearer tokens, but the Meraki API specifically uses a custom header, so candidates mistakenly choose the Authorization header option without reading the vendor-specific documentation.

How to eliminate wrong answers

Option A is wrong because the Meraki API does not use the standard HTTP Authorization header with the Bearer scheme; it uses a custom header. Option B is wrong because API keys should never be sent in the request body as a JSON field, as this would require parsing the body for authentication and violates RESTful stateless design. Option C is wrong because including the API key as a query parameter in the URL exposes it in logs, browser history, and network traffic, which is a security risk and not supported by the Meraki API.

85
MCQ · medium

Refer to the exhibit. A security audit requires that the container cannot run as root. Which part of the pod spec ensures this?

A. The configMap volume
B. The image tag "latest"
C. allowPrivilegeEscalation: false
D. runAsUser: 1000
Answer: D

Sets the container to run as a non-root user.

Why this answer

Option D is correct because setting `runAsUser: 1000` in the pod's security context explicitly instructs the container runtime to launch the container's main process with a user ID of 1000, which is a non-root user. This directly satisfies the security audit requirement that the container cannot run as root (UID 0). The `runAsUser` field overrides the default behavior where containers run as root unless a non-root user is specified in the container image or security context.

Exam trap

Cisco often tests the distinction between security context fields: candidates confuse `allowPrivilegeEscalation` (which prevents gaining additional privileges after startup) with `runAsUser` (which sets the initial user), leading them to incorrectly select option C when the requirement is to avoid running as root entirely.

How to eliminate wrong answers

Option A is wrong because a ConfigMap volume is used to inject configuration data (key-value pairs) into a container's filesystem or environment variables; it has no effect on the user identity under which the container process runs. Option B is wrong because the image tag 'latest' simply refers to the most recent version of a container image and does not influence the runtime user ID; it is a common anti-pattern for reproducibility but irrelevant to root vs. non-root execution. Option C is wrong because `allowPrivilegeEscalation: false` controls whether a process can gain more privileges than its parent (e.g., via setuid binaries), but it does not prevent the container from starting as root; a container can still run as root with privilege escalation disabled, which would violate the audit requirement.

86
MCQ · easy

A DevOps team manages a hybrid cloud environment with on-premises Cisco Nexus switches and AWS VPCs using Terraform. They have a configuration management tool that pushes VLAN and interface configurations to the Nexus switches. Recently, they noticed that after a Terraform run that updates the AWS VPC subnets, some on-premises switches lose connectivity to the cloud. The team suspects a mismatch between the VLAN configurations on the Nexus switches and the AWS VPC subnets. They have a centralized source of truth stored in a Git repository containing YAML files for network definitions. Which action should the team take first to resolve the issue and prevent future occurrences?

A. Restore the Nexus switch configurations from the most recent backup.
B. Modify the Terraform scripts to automatically update Nexus switches when AWS VPC subnets change.
C. Compare the Git repository's YAML definitions with the actual switch configurations and AWS VPC subnets, then correct any discrepancies.
D. Manually reconfigure the VLANs on the Nexus switches to match the AWS VPC subnets.
Answer: C

The source of truth should be verified first.

Why this answer

Option C is correct because the team's centralized source of truth in Git (YAML files) should be the authoritative reference for network definitions. By comparing these definitions against both the actual Nexus switch configurations and AWS VPC subnets, the team can identify and correct any drift or mismatch. This aligns with Infrastructure as Code (IaC) best practices, ensuring that all environments are synchronized from a single, version-controlled source before making any changes.

Exam trap

The trap here is that candidates may assume the immediate fix is to restore or manually reconfigure the switches (options A or D), rather than first validating the source of truth (Git) to identify the root cause of the mismatch, which is a core DevOps principle of treating infrastructure as code.

How to eliminate wrong answers

Option A is wrong because restoring from a backup does not address the root cause of the mismatch; it may reintroduce outdated configurations that do not match the current AWS VPC subnets, and it ignores the centralized Git repository as the source of truth. Option B is wrong because modifying Terraform scripts to automatically update Nexus switches would bypass the configuration management tool and the Git-based source of truth, potentially causing further inconsistencies and breaking the separation of concerns between cloud provisioning and on-premises network management. Option D is wrong because manually reconfiguring VLANs on the Nexus switches is error-prone, not scalable, and does not leverage the Git repository as the single source of truth, making it impossible to prevent future occurrences through automation and version control.

87
Multi-Select · easy

A developer is using Cisco Webex Teams REST API. Which two authentication methods are supported for bot accounts? (Choose two.)

Select 2 answers
A. OAuth2 with client credentials
B. Bearer Token
C. JWT
D. Basic Auth
E. API Key
Answers: A, B

OAuth2 client credentials grant is supported for server-to-server.

Why this answer

Option A is correct because OAuth2 with client credentials is the standard authentication flow for server-to-server communication, allowing a bot to authenticate without user interaction. Option B is correct because a Bearer Token, typically obtained via OAuth2, is used in the Authorization header of API requests to authenticate bot accounts in Cisco Webex Teams.

Exam trap

Cisco often tests the distinction between authentication methods supported for bots versus user accounts, and the trap here is that candidates may confuse JWT (used for guest access) or API Key (common in other APIs) with the OAuth2 token-based methods actually required for bot accounts.

88
MCQ · hard

A Python script using the Cisco ACI Toolkit (aciToolkit) fails with 'LoginError: unable to login to APIC'. The APIC is reachable via HTTPS. What is the most likely cause?

A. The APIC has reached its maximum session limit.
B. The script uses HTTP instead of HTTPS.
C. The script uses an incorrect APIC domain (e.g., 'apic' instead of the FQDN).
D. The APIC is running an unsupported firmware version.
Answer: C

The aciToolkit's login() requires the correct APIC domain; an incorrect domain prevents proper authentication.

Why this answer

The Cisco ACI Toolkit (aciToolkit) requires the APIC domain to be specified as a fully qualified domain name (FQDN) or IP address that matches the APIC's certificate. Using a short name like 'apic' instead of the FQDN (e.g., 'apic.example.com') causes a TLS certificate hostname mismatch, leading to a login failure even though the APIC is reachable. The 'LoginError: unable to login to APIC' error typically indicates an authentication or connectivity issue, and in this scenario, the certificate validation fails because the toolkit verifies the server's hostname against the certificate's Subject Alternative Name (SAN).

Exam trap

Cisco often tests the nuance that a reachable APIC via HTTPS does not guarantee successful login if the hostname in the script does not match the APIC's TLS certificate, leading candidates to overlook certificate validation as the root cause.

How to eliminate wrong answers

Option A is wrong because the APIC session limit would produce a different error (e.g., 'maximum sessions reached' or 'login denied'), not a generic 'unable to login' message, and the APIC is reachable via HTTPS. Option B is wrong because the error message explicitly states the APIC is reachable via HTTPS, and if the script used HTTP, it would likely fail with a connection timeout or HTTP error, not a login error. Option D is wrong because an unsupported firmware version would typically cause API incompatibility errors (e.g., 'unsupported version' or 'method not found'), not a login failure, and the APIC is reachable.

89
Multi-Select · medium

Which TWO of the following are commonly used HTTP methods for a RESTful API to retrieve and update a resource? (Select TWO)

Select 2 answers
A. GET
B. POST
C. PUT
D. DELETE
E. HEAD
Answers: A, C

GET retrieves the current state of a resource.

Why this answer

GET retrieves a resource and PUT updates it. POST creates a resource, DELETE removes one, and HEAD returns only the response headers.

90
MCQ · hard

In a microservices architecture, a REST API must support idempotent updates. Which HTTP method and design practice should be used?

A. PUT with the full resource representation
B. POST with a unique transaction ID
C. DELETE with a resource version
D. PATCH with a conditional header
Answer: A

PUT is idempotent by definition; replacing the entire resource ensures the same result regardless of request count.

Why this answer

Option A is correct because PUT is inherently idempotent: making the same request multiple times results in the same resource state. Option B (POST) is not idempotent unless combined with a unique transaction ID, but this is not standard and can lead to complexity. Option D (PATCH) may be idempotent if using a conditional header like If-Match, but the method itself is not guaranteed idempotent.

Option C (DELETE) is idempotent but not for updates. Therefore, PUT with the full resource representation is the best practice for idempotent updates.

91
MCQ · easy

A developer uses Cisco Intersight API to manage UCS servers. Which authentication method is required for Intersight API calls?

A. API key with HMAC signature
B. OAuth2 token from Webex
C. Session cookie
D. Basic authentication with username/password
Answer: A

Intersight API calls require an API key with an HMAC signature.

Why this answer

Cisco Intersight API requires API key authentication with HMAC (Hash-Based Message Authentication Code) signing for all REST API calls. The developer generates an API key pair (private and public) in the Intersight GUI, then uses the private key to create an HMAC-SHA256 signature over the request headers and payload. This signature is included in the Authorization header, ensuring request integrity and non-repudiation without transmitting the secret key over the network.

Exam trap

Cisco often tests the distinction between web UI authentication (session cookies) and API authentication (HMAC keys), and candidates mistakenly choose session cookies because they are familiar from the Intersight web interface, forgetting that API calls require a different, stateless mechanism.

How to eliminate wrong answers

Option B is wrong because OAuth2 tokens from Webex are used for Cisco Webex API authentication, not for Intersight; Intersight does not support OAuth2 token exchange from Webex. Option C is wrong because session cookies are used for browser-based web UI sessions, not for programmatic API calls; Intersight API calls are stateless and require per-request authentication via HMAC signatures. Option D is wrong because basic authentication with username/password is not supported for Intersight API calls; it would expose credentials in plaintext and violates Intersight's security model, which mandates key-based HMAC signing.

92
Multi-Select · easy

Which TWO of the following are commonly used protocols for network automation?

Select 2 answers
A. RESTCONF
B. NETCONF
C. HTTP
D. SNMP
E. SSH
Answers: A, B

RESTCONF is a RESTful protocol for network automation using YANG models.

Why this answer

NETCONF and RESTCONF are standardized protocols used for network automation based on YANG models. SNMP is primarily for monitoring, HTTP is a transport protocol, and SSH is used for CLI access but not as an automation protocol.

93
MCQ · easy

A YANG module defines a leaf named 'bandwidth' of type 'uint32'. What does this represent in the context of a network device?

A. A set of unique bandwidth values
B. A single integer value representing bandwidth in kilobits per second
C. A grouping of related bandwidth parameters
D. An ordered list of bandwidth values
Answer: B

A leaf holds one value; uint32 is appropriate for bandwidth.

Why this answer

In YANG, a 'leaf' node defines a single, scalar value of a specific data type. When the leaf is named 'bandwidth' with type 'uint32', it represents a single integer value, typically interpreted as kilobits per second (kbps) in the context of network device configuration (e.g., interface bandwidth). This aligns with the standard YANG data modeling approach where a leaf cannot hold multiple values or complex structures.

Exam trap

Cisco often tests the distinction between a 'leaf' (single value) and a 'leaf-list' (multiple values), so the trap here is that candidates may confuse a leaf with a list or container, especially when the leaf name 'bandwidth' might imply multiple possible values.

How to eliminate wrong answers

Option A is wrong because a 'leaf' in YANG cannot represent a set of unique values; sets are modeled using 'leaf-list' or 'list' nodes, not a single leaf. Option C is wrong because a grouping of related parameters is defined using a 'container' or 'grouping' statement in YANG, not a leaf. Option D is wrong because an ordered list of values is modeled with a 'leaf-list' (which can have ordered-by user or system), not a single leaf of type uint32.

94
MCQ · medium

A network engineer is automating the deployment of VLANs across multiple switches using Ansible. The playbook fails with an error indicating that the VLAN ID already exists on one of the switches. Which approach should the engineer use to ensure the playbook completes without errors?

A. Modify the playbook to skip switches where the VLAN already exists.
B. Remove the VLAN from all switches before creating it again.
C. Use an idempotent Ansible module that checks for existing VLANs before creating them.
D. Add ignore_errors: yes to the VLAN creation task.
Answer: C

Idempotent modules handle existing configurations gracefully.

Why this answer

Option C is correct because Ansible's idempotent modules, such as `ios_vlan` for Cisco IOS devices, are designed to check the current state of the device before making changes. If the VLAN already exists, the module will report 'ok' and not attempt to create it again, preventing the error and ensuring the playbook completes successfully. This aligns with Ansible's best practice of writing idempotent playbooks that produce the same result regardless of how many times they are run.

Exam trap

Cisco often tests the concept of idempotency in automation tools like Ansible, and the trap here is that candidates may think 'ignore_errors' is a valid workaround for configuration conflicts, when in fact it only hides failures without ensuring the desired state is achieved.

How to eliminate wrong answers

Option A is wrong because skipping switches where the VLAN already exists would require manual or dynamic inventory logic that is not built into a simple playbook; it would also defeat the purpose of automation by not ensuring consistent VLAN configuration across all switches. Option B is wrong because removing the VLAN from all switches before recreating it would cause unnecessary network disruption and downtime, violating the principle of minimal change in network automation. Option D is wrong because adding `ignore_errors: yes` would mask the error but not resolve the underlying issue; the VLAN creation task would still fail on the switch where the VLAN exists, and the playbook would continue without correcting the configuration, potentially leading to an inconsistent state.

95
MCQ · medium

During an automation script run, a network device returns HTTP 429. What does this indicate?

A. Internal server error
B. Rate limiting
C. Authentication failure
D. Resource not found
Answer: B

429 means rate limit exceeded.

Why this answer

HTTP 429 (Too Many Requests) indicates the client has sent too many requests in a given amount of time, triggering rate limiting on the server. In network automation, devices like routers or switches enforce rate limits to prevent resource exhaustion, often based on RFC 6585. This is common when automation scripts exceed API call thresholds, requiring retry logic with exponential backoff.

Exam trap

Cisco often tests HTTP 429 to distinguish it from HTTP 503 (Service Unavailable), which is a server overload but not specifically a client rate limit, and candidates may confuse the two due to both involving temporary unavailability.

How to eliminate wrong answers

Option A is wrong because HTTP 500 (Internal Server Error) indicates a server-side failure, not a client-side request limit. Option C is wrong because authentication failures return HTTP 401 (Unauthorized) or 403 (Forbidden), not 429. Option D is wrong because resource not found returns HTTP 404, which is unrelated to request throttling.

96
Multi-Select · medium

Which TWO statements about Dockerfile best practices are correct? (Choose two.)

Select 2 answers
A. Use the ADD instruction instead of COPY to copy local files into the image.
B. Combine multiple RUN commands into a single RUN statement to reduce image layers.
C. Use a .dockerignore file to exclude unnecessary files from the build context.
D. Use the EXPOSE instruction to secure the container by limiting exposed ports.
E. Prefer official base images from trusted registries.
Answers: C, E

.dockerignore reduces build context size and improves security by excluding sensitive files.

Why this answer

Option C is correct because a .dockerignore file prevents unnecessary files (e.g., node_modules, .git, logs) from being sent to the Docker daemon as part of the build context. This reduces build time, minimizes the risk of including sensitive data, and ensures a cleaner, more efficient image build.

Exam trap

Cisco often tests the misconception that EXPOSE actually secures or opens ports, when in reality it is only documentation and has no effect on container network security.

97
MCQ · hard

An application sends a packet with destination IP 10.0.0.10. The sending host's routing table has a default gateway of 10.0.0.1. The host's ARP cache is empty. What is the next step after the host determines the packet should go to the default gateway?

A. Sends an ARP request for 10.0.0.1
B. Sends the packet to the DNS server
C. Sends the packet directly to 10.0.0.10
D. Sends an ARP request for 10.0.0.10
Answer: A

The host needs the MAC of the gateway to encapsulate the packet.

Why this answer

When the host determines that the destination IP (10.0.0.10) is not on the same subnet and must be sent to the default gateway (10.0.0.1), it needs the gateway's MAC address to encapsulate the packet in a Layer 2 frame. Since the ARP cache is empty, the host must send an ARP request for the IP address of the default gateway (10.0.0.1) to obtain its MAC address before the packet can be forwarded.

Exam trap

Cisco often tests the misconception that ARP is always used for the final destination IP, but the trap here is that when routing through a gateway, ARP is only performed for the next-hop router's IP, not the remote destination.

How to eliminate wrong answers

Option B is wrong because DNS resolution is used to resolve hostnames to IP addresses, not to determine the next-hop MAC address; the destination IP is already known. Option C is wrong because the host cannot send the packet directly to 10.0.0.10 if it is on a different subnet; the packet must be sent to the default gateway for routing. Option D is wrong because the host does not need the MAC address of the final destination (10.0.0.10) when routing through a gateway; it only needs the MAC address of the next-hop router (10.0.0.1).

98
MCQeasy

Which Cisco product provides end-to-end application visibility and performance monitoring across hybrid cloud environments?

A.Cisco Intersight
B.Cisco DNA Center
C.Cisco AppDynamics
D.Cisco SecureX
AnswerA

Intersight is for infrastructure management, not application monitoring.

Why this answer

Cisco Intersight is the correct answer because it provides unified infrastructure management with end-to-end application visibility and performance monitoring across hybrid cloud environments. It integrates telemetry from compute, storage, and network resources, enabling real-time insights into application behavior regardless of whether workloads run on-premises or in public clouds.

Exam trap

Cisco often tests the distinction between application performance monitoring (AppDynamics) and unified infrastructure management with application visibility (Intersight), leading candidates to confuse a specialized APM tool with a broader hybrid cloud management platform.

How to eliminate wrong answers

Option B is wrong because Cisco DNA Center focuses on intent-based networking for campus and branch networks, not on application performance monitoring across hybrid clouds. Option C is wrong because Cisco AppDynamics is an application performance monitoring (APM) tool that provides deep application-level visibility, but it does not offer end-to-end infrastructure visibility across hybrid cloud environments as a unified management platform. Option D is wrong because Cisco SecureX is a cloud-native security platform that integrates security products and automates threat response, not application performance monitoring.

99
Multi-Selectmedium

Which THREE of the following are common steps in a CI/CD pipeline for a Python application that manages Cisco devices?

Select 3 answers
A.Build a Docker container
B.Manually review code before merge
C.Perform static code analysis (linting)
D.Run unit tests on each commit
E.Deploy to production on every commit
AnswersA, C, D

Containerization is common for packaging the application.

Why this answer

Options A, C, and D are typical CI/CD steps. Option E (deploy to production on every commit) is risky and not a common CI/CD practice; deployment to production is usually triggered only after all earlier stages pass. Option B (manual review) is important but is not typically automated within the pipeline; it is a gate before merging.

100
MCQmedium

A network administrator uses the Cisco IOS XE CLI to configure a router. They want to use a Python script to automate this configuration via the guest shell. Which library should they use to interact with the CLI from within the guest shell?

A.cli
B.requests
C.ncclient
D.paramiko
AnswerA

The cli library allows Python to execute IOS XE commands.

Why this answer

The `cli` library is a built-in Python module available within the Cisco Guest Shell that allows scripts to execute IOS XE CLI commands directly on the host device. This library provides functions like `cli.execute()` and `cli.configure()` to send commands and retrieve output, making it the correct choice for automating configuration via the Guest Shell without external dependencies.

Exam trap

Cisco often tests the distinction between on-box automation (using the `cli` library) and off-box automation (using libraries like paramiko, ncclient, or requests), and the trap here is that candidates may assume any SSH library (paramiko) works for local Guest Shell interaction, not realizing the `cli` library is purpose-built for direct host communication.

How to eliminate wrong answers

Option B (requests) is wrong because it is an HTTP client library used for REST API calls, not for interacting with the native IOS XE CLI within the Guest Shell. Option C (ncclient) is wrong because it is a Python library for NETCONF, which uses XML-based YANG models over SSH, not the direct CLI interface. Option D (paramiko) is wrong because it is an SSH implementation for remote connections, but within the Guest Shell, the script runs locally on the device and does not need to SSH back into itself; the `cli` library provides direct, privileged access without additional authentication.

101
MCQeasy

Refer to the exhibit. An Ansible playbook targeting a Cisco IOS device fails with this error. What is the most likely cause?

A.The device is unreachable
B.The playbook syntax is incorrect
C.The device is not running IOS
D.Wrong SSH username or password
AnswerD

Authentication failure points to credentials.

Why this answer

The error message in Ansible typically indicates an authentication failure when connecting to the Cisco IOS device via SSH. Option D is correct because the playbook likely specifies incorrect SSH credentials (username or password), preventing Ansible from authenticating with the device. Ansible uses the `ansible_user` and `ansible_ssh_pass` or `ansible_password` variables for SSH authentication, and a mismatch will cause an 'Authentication failed' or 'Permission denied' error.

Exam trap

Cisco often tests the distinction between connectivity errors (unreachable) and authentication errors (wrong credentials), where candidates mistakenly attribute a failed SSH authentication to a network reachability issue.

How to eliminate wrong answers

Option A is wrong because if the device were unreachable, Ansible would return a 'Host unreachable' or 'Connection timed out' error, not an authentication failure. Option B is wrong because a playbook syntax error would be caught during YAML parsing before any connection attempt, resulting in a 'Syntax Error' message. Option C is wrong because if the device were not running IOS, Ansible would still attempt SSH authentication; the error would be about unsupported connection methods or missing required modules, not authentication failure.

102
Multi-Selecteasy

Which THREE of the following are layers in the OSI model? (Select exactly three.)

Select 3 answers
A.Internet
B.Network Access
C.Transport
D.Presentation
E.Data Link
AnswersC, D, E

Layer 4 of the OSI model.

Why this answer

The Transport layer (Layer 4) of the OSI model is correct because it provides end-to-end communication, error recovery, and flow control between hosts. Protocols such as TCP and UDP operate at this layer, ensuring reliable or connectionless data delivery as required by applications.

Exam trap

Cisco often tests the distinction between the OSI and TCP/IP models, and the trap here is that candidates confuse the TCP/IP layers (Internet, Network Access) with OSI layers, leading them to select those incorrect options instead of the correct OSI layers like Data Link.

103
MCQhard

A developer is writing a Python script using the Cisco Webex Teams API to send a message to a specific room. The script works for some rooms but fails for others with a 404 error. What is the most likely reason?

A.The API rate limit has been exceeded for those rooms.
B.The access token is invalid for those rooms.
C.The bot does not have permission to send messages in those rooms.
D.The bot is not a member of those rooms.
AnswerD

Non-membership results in 404 when trying to send to a room.

Why this answer

The 404 error indicates that the resource (the room) was not found by the API. In the Cisco Webex Teams API, a bot can only interact with rooms it has been added to as a member. If the bot is not a member of a room, the API cannot locate the room from the bot's perspective, resulting in a 404 error.

This is the most common cause of intermittent 404 errors when the script works for some rooms but not others.

Exam trap

Cisco often tests the distinction between HTTP status codes (404 vs 403 vs 401) and their specific meanings in the context of API authorization and resource existence, leading candidates to confuse permission issues (403) with membership/visibility issues (404).

How to eliminate wrong answers

Option A is wrong because exceeding the API rate limit would return a 429 (Too Many Requests) error, not a 404. Option B is wrong because an invalid access token would cause a 401 (Unauthorized) error for all API calls, not just for specific rooms. Option C is wrong because permission issues (e.g., not having the 'send messages' scope) would typically result in a 403 (Forbidden) error, not a 404; the bot must be a member of the room to even be considered for permission checks.

104
MCQeasy

An application exposes a REST API. To ensure that only authorized clients can access the API, the developer implements token-based authentication. Which HTTP header is typically used to transmit the bearer token?

A.Cookie
B.X-API-Key
C.Authorization: Basic
D.Authorization: Bearer
AnswerD

This is the standard header for bearer tokens.

Why this answer

The Authorization header with the Bearer scheme (RFC 6750) is the standard method for transmitting bearer tokens in HTTP requests. When a client authenticates and receives a token, it includes the token in the Authorization header as 'Bearer <token>', allowing the server to validate the token and authorize the request without requiring session state.

Exam trap

Cisco often tests the distinction between Authorization: Basic and Authorization: Bearer, where candidates confuse the two because both use the Authorization header, but Basic transmits credentials while Bearer transmits a token.

How to eliminate wrong answers

Option A is wrong because the Cookie header is used for session-based authentication (e.g., JSESSIONID) and is not the standard for bearer token transmission; cookies are vulnerable to CSRF and require additional security measures. Option B is wrong because X-API-Key is a custom header typically used for API key authentication, not for bearer tokens; it lacks the standardized Bearer scheme defined in RFC 6750. Option C is wrong because Authorization: Basic uses Base64-encoded credentials (username:password) for HTTP Basic Authentication, not a token; it transmits credentials directly rather than a bearer token.

105
Multi-Selecteasy

Which TWO of the following are common methods for authenticating to Cisco REST APIs? (Choose two.)

Select 2 answers
A.API Key
B.Certificate-based Authentication
C.NTLM Authentication
D.OAuth 2.0
E.Basic Authentication
AnswersA, D

API keys are a common authentication method for Cisco APIs such as Meraki and DNA Center.

Why this answer

API Key authentication (Option A) is a common method for Cisco REST APIs, such as those on Cisco DNA Center and Meraki, where a pre-generated key is included in the HTTP header (e.g., 'X-Cisco-Meraki-API-Key') to identify the client. OAuth 2.0 (Option D) is widely used in Cisco platforms like Webex Teams and Cisco DNA Center for delegated access, issuing a bearer token after an authorization flow. Both methods are officially supported and documented for Cisco REST API authentication.

Exam trap

Cisco often tests the distinction between 'common' and 'possible' authentication methods, leading candidates to select Basic Authentication (Option E) because it is widely known, even though Cisco REST APIs explicitly recommend against it in favor of API keys or OAuth 2.0.

106
MCQmedium

A developer is building a chatbot that retrieves interface status from a Cisco Catalyst 9000 switch using RESTCONF. Which authentication method is most appropriate for programmatic access?

A.HTTP Basic Authentication over HTTPS.
B.API key passed in the HTTP header.
C.OAuth 2.0 with client credentials grant.
D.Client certificate authentication.
AnswerA

RESTCONF on Cisco devices supports basic auth over HTTPS.

Why this answer

RESTCONF on Cisco Catalyst 9000 switches supports HTTP Basic Authentication over HTTPS as a straightforward, standards-based method for programmatic access. Basic authentication sends the username and password in the HTTP Authorization header, and when combined with HTTPS, the credentials are encrypted in transit, providing adequate security for device management without requiring additional infrastructure like an OAuth provider or certificate authority.

Exam trap

Cisco often tests the misconception that RESTCONF requires OAuth or API keys because it is a RESTful API, but in reality, IOS XE devices rely on traditional AAA and HTTP Basic Auth over HTTPS for programmatic access.

How to eliminate wrong answers

Option B is wrong because RESTCONF does not natively support API key authentication; API keys are typically used with REST APIs that have a dedicated key management system, not with NETCONF/RESTCONF on Cisco IOS XE. Option C is wrong because OAuth 2.0 with client credentials grant is not a standard authentication mechanism for RESTCONF on Catalyst 9000 switches; these devices use local or AAA-based authentication, not token-based OAuth flows. Option D is wrong because, while client certificate authentication is supported for HTTPS, it is not the most appropriate choice for simple programmatic access: it requires a PKI infrastructure and certificate management, adding complexity that is unnecessary for basic interface status retrieval.

107
MCQeasy

A developer is working with a REST API that uses HTTP Basic Authentication. The developer needs to send a request with the username 'admin' and password 'secret'. Which HTTP header should be set?

A.Authorization: Basic admin:secret
B.Authorization: YWRtaW46c2VjcmV0
C.Authorization: Basic YWRtaW46c2VjcmV0
D.Authorization: Bearer YWRtaW46c2VjcmV0
AnswerC

Correct: This is the standard format for Basic Auth.

Why this answer

HTTP Basic Authentication requires the credentials to be formatted as 'username:password', then Base64-encoded, and sent in the Authorization header with the 'Basic' scheme. Option C correctly includes the 'Basic' scheme followed by the Base64-encoded string 'YWRtaW46c2VjcmV0' (which decodes to 'admin:secret').

Exam trap

Cisco often tests whether candidates know that the credentials must be Base64-encoded and prefixed with the 'Basic' scheme, not sent in plaintext or with the wrong scheme like 'Bearer'.

How to eliminate wrong answers

Option A is wrong because it sends the credentials in plaintext 'admin:secret' without Base64 encoding and omits the required 'Basic' scheme prefix. Option B is wrong because it sends the Base64-encoded string 'YWRtaW46c2VjcmV0' but lacks the 'Basic' scheme identifier, making the header invalid per RFC 7617. Option D is wrong because it uses the 'Bearer' scheme, which is used for OAuth 2.0 token authentication, not HTTP Basic Authentication.

108
Multi-Selecteasy

Which TWO conditions are valid triggers for a webhook notification in Cisco Meraki?

Select 2 answers
A.Client data usage exceeds configured threshold
B.A client joins a wireless network
C.Firmware upgrade completes
D.Network administrator logs in
E.A new SSID is added
AnswersA, B

Meraki webhooks support 'Data usage alert' events.

Why this answer

Option B (A client joins a wireless network) is a valid trigger ('Client join' event). Option A (Client data usage exceeds configured threshold) is a valid trigger ('Data usage alert'). Option E (A new SSID is added) is not a standard webhook trigger.

Option C (Firmware upgrade completes) is not a standard trigger. Option D (Network administrator logs in) is not a standard trigger.

109
MCQmedium

Refer to the exhibit. A Python script using RESTCONF sends a GET request to retrieve the interface configuration. The response is shown. What is the VLAN assigned to GigabitEthernet1/0/1?

A.10
B.1
C.100
D.20
AnswerA

The JSON clearly shows 'vlan': 10.

Why this answer

The correct answer is A (VLAN 10) because the RESTCONF GET response shows the native VLAN for GigabitEthernet1/0/1 is set to 10. In Cisco IOS-XE, the native VLAN is the VLAN assigned to an interface when it is in access mode, and the response explicitly includes the 'native-vlan' field with a value of 10 under the 'Cisco-IOS-XE-native:interface' hierarchy.

Exam trap

Cisco often tests whether candidates can distinguish between the 'native-vlan' field (which represents the access VLAN for an access port) and the default VLAN 1, leading many to incorrectly select VLAN 1 when the response clearly shows a different value.

How to eliminate wrong answers

Option B (VLAN 1) is wrong because VLAN 1 is the default VLAN on Cisco switches, but the RESTCONF response explicitly shows the native VLAN is 10, not 1. Option C (VLAN 100) is wrong because VLAN 100 is not referenced anywhere in the response; it might be a distractor for a trunk port scenario, but this interface is configured as an access port. Option D (VLAN 20) is wrong because VLAN 20 is not present in the response; the only VLAN value shown is 10 under the native-vlan field.

110
MCQmedium

In a Cisco DNA Center environment, an application needs to retrieve the network device list using REST API. Which authentication method is required?

A.OAuth 2.0 client credentials grant with client ID and secret
B.Obtain an API token by POSTing credentials to /dna/system/api/v1/auth/token, then use the token in subsequent requests
C.Basic authentication with username and password in the header
D.API key passed in a query parameter
AnswerB

DNA Center uses a token-based authentication; the token is passed in the X-Auth-Token header.

Why this answer

Cisco DNA Center uses token-based authentication. The correct flow is to first send a POST request to the /dna/system/api/v1/auth/token endpoint with a valid username and password (typically using Basic Authentication over HTTPS). The response contains a JSON Web Token (JWT) that must be included in the Authorization header of all subsequent API requests as 'Bearer <token>'.

This token has a configurable expiry (default 60 minutes) and must be refreshed before it expires.

Exam trap

Cisco often tests the distinction between the authentication method used to obtain a token (Basic Auth) versus the method used to authorize subsequent API calls (Bearer token), leading candidates to mistakenly select Basic Authentication for all requests.

How to eliminate wrong answers

Option A is wrong because OAuth 2.0 client credentials grant is not the authentication method used by Cisco DNA Center; DNA Center uses a custom token-based system, not the OAuth 2.0 framework. Option C is wrong because Basic authentication with username and password in the header is only used for the initial token acquisition step, not for subsequent API calls; sending credentials with every request is insecure and not supported by the API. Option D is wrong because API keys passed in query parameters are not used by Cisco DNA Center; the token must be sent in the Authorization header as a Bearer token, not as a query parameter.

111
MCQeasy

An engineer notices that a switch port configured as an access port in VLAN 10 is not forwarding traffic. The switch shows the port is up/up. What is the most likely cause?

A.Spanning Tree Protocol blocking the port
B.The connected device is sending 802.1Q tagged frames
C.Speed/duplex mismatch
D.VLAN 10 does not exist in the VLAN database
AnswerB

Access ports drop tagged frames.

Why this answer

An access port expects to receive and send only untagged frames, as it belongs to a single VLAN (VLAN 10). If the connected device sends 802.1Q tagged frames, the switch will drop them because the access port does not process VLAN tags. This explains why the port is up/up but not forwarding traffic.

Exam trap

Cisco often tests the misconception that an access port can handle tagged frames, leading candidates to overlook the strict untagged-only behavior of access ports.

How to eliminate wrong answers

Option A is wrong because Spanning Tree Protocol (STP) blocking would place the port in a blocking state, not up/up; STP blocking is typically seen on trunk ports or redundant links, not on an access port in a single VLAN. Option C is wrong because a speed/duplex mismatch would cause layer 1 errors (e.g., CRC errors, collisions) and often result in the port being up/down or flapping, not up/up with no traffic forwarding. Option D is wrong because if VLAN 10 did not exist in the VLAN database, the port would be operationally down (inactive) or placed in a suspended state, not up/up.

112
MCQmedium

During a CI/CD pipeline for network changes, a Jenkins job runs an Ansible playbook that applies configuration to a device. The playbook fails with a timeout error. What is the most likely cause?

A.The playbook syntax is invalid
B.Incorrect credentials
C.The device is under heavy CPU load causing slow responses
D.Device is unreachable
AnswerC

High CPU can delay responses, resulting in timeout errors.

Why this answer

A timeout error in an Ansible playbook during a CI/CD pipeline typically indicates that the network device is responding too slowly to complete the SSH or API session within the configured timeout period. Heavy CPU load on the device can cause delayed responses to Ansible's control node, triggering the timeout before the playbook finishes applying the configuration. This is distinct from connectivity failures or authentication issues, which produce different error messages.

Exam trap

Cisco often tests the distinction between connectivity failures (unreachable), authentication errors (wrong credentials), and performance issues (timeouts), where candidates mistakenly assume any failure is due to a syntax or credential problem rather than device resource exhaustion.

How to eliminate wrong answers

Option A is wrong because an invalid playbook syntax would cause a parsing error at the start of the job, not a timeout during execution. Option B is wrong because incorrect credentials would result in an authentication failure (e.g., 'Authentication failed' or 'Permission denied'), not a timeout. Option D is wrong because an unreachable device would produce a 'Host unreachable' or 'Connection refused' error immediately, not a timeout after the connection is established.

113
Multi-Selecthard

Which TWO of the following Git commands modify the commit history? (Select TWO)

Select 2 answers
A.git diff
B.git log
C.git commit --amend
D.git rebase -i
E.git status
AnswersC, D

This command modifies the last commit.

Why this answer

`git commit --amend` modifies the most recent commit by replacing it with a new commit that incorporates staged changes or an updated commit message, effectively rewriting the commit history. `git rebase -i` (interactive rebase) allows you to reorder, squash, edit, or drop commits, which also rewrites the commit history by creating new commit objects.

Exam trap

Cisco often tests the distinction between read-only inspection commands (like `git diff`, `git log`, `git status`) and commands that actually rewrite commit history, leading candidates to mistakenly select non-modifying commands.

114
Multi-Selecthard

Which THREE of the following are constraints of the REST architectural style (as defined by Roy Fielding)?

Select 3 answers
A.Client-server architecture
B.Layered system
C.Session management on the server
D.Code-on-demand
E.Statelessness
AnswersA, B, E

Client-server is a fundamental REST constraint separating concerns between user interface and data storage.

Why this answer

Options A, B, and E are correct because the REST architectural style includes client-server, stateless, cacheable, uniform interface, layered system, and optionally code-on-demand. Code-on-demand (D) is optional, and session management on the server (C) is explicitly prohibited by statelessness. Therefore, the correct constraints are client-server, layered system, and statelessness.

115
Multi-Selecteasy

Which TWO Cisco platforms provide comprehensive REST APIs for network configuration and monitoring?

Select 2 answers
A.Cisco ASA
B.Cisco IOS XE
C.Cisco ISE
D.Cisco Prime Infrastructure
E.Cisco DNA Center
AnswersB, E

Cisco IOS XE supports RESTCONF and NETCONF APIs for device configuration and monitoring.

Why this answer

Cisco DNA Center and Cisco IOS XE both have robust REST APIs. Cisco DNA Center provides a northbound intent API, and Cisco IOS XE supports RESTCONF and NETCONF for programmatic configuration. The other platforms have limited or no REST API for full configuration management.

116
MCQeasy

Which Docker command is used to build an image from a Dockerfile?

A.docker run
B.docker commit
C.docker build
D.docker create
AnswerC

docker build is the correct command to build an image.

Why this answer

The `docker build` command reads the instructions in a Dockerfile and assembles a Docker image layer by layer. Each instruction in the Dockerfile (e.g., FROM, RUN, COPY) creates a new layer that is cached and reused, making subsequent builds faster. This is the standard and only command designed specifically for building images from a Dockerfile.

Exam trap

Cisco often tests the distinction between commands that create containers (`docker run`, `docker create`) and the command that builds images (`docker build`), hoping candidates confuse the purpose of `docker run` with image creation.

How to eliminate wrong answers

Option A is wrong because `docker run` creates and starts a container from an existing image; it does not build a new image. Option B is wrong because `docker commit` creates a new image from a container's current state (filesystem changes), but it is not the intended way to build from a Dockerfile; it bypasses the reproducible, layered build process defined in the Dockerfile. Option D is wrong because `docker create` only creates a container from an image without starting it, and it does not perform any image building.

117
MCQeasy

A company has two Cisco Catalyst switches, SW1 and SW2, connected via a trunk link using port GigabitEthernet0/1 on both switches. SW1 is the root bridge for all VLANs spanning tree. VLAN 10 users on SW1 report they can access the internet and resources in VLAN 10 on SW2, but cannot reach a critical server in VLAN 20 connected to SW2. The server in VLAN 20 has a static IP address and can communicate with other VLAN 20 devices on SW2. SW2's configuration for the trunk port includes 'switchport trunk allowed vlan 10,20'. SW1's trunk port configuration is 'switchport trunk allowed vlan 10'. The network administrator has verified that both switches have VLANs 10 and 20 created and that the default gateways are correct. What is the most likely cause of the issue?

A.SW1's trunk port is not configured to allow VLAN 20.
B.SW1 is the root bridge for VLAN 20, causing traffic to be blocked.
C.The trunk link between SW1 and SW2 is down.
D.The server in VLAN 20 has an incorrect IP address configuration.
AnswerA

The trunk allowed VLAN list on SW1 only includes VLAN 10, so VLAN 20 traffic is blocked.

Why this answer

SW1's trunk port is configured with 'switchport trunk allowed vlan 10', which explicitly permits only VLAN 10 traffic. Since VLAN 20 is not in the allowed list, frames from VLAN 20 (including traffic to the server) are dropped at the trunk egress on SW1. This prevents SW1 hosts in VLAN 10 from reaching the VLAN 20 server on SW2, even though the trunk is up and both VLANs exist on both switches.

Exam trap

Cisco often tests the distinction between VLAN existence on a switch and VLAN permission on a trunk port—candidates assume that if a VLAN is created on both switches, traffic will flow, but the trunk allowed list is the gatekeeper.

How to eliminate wrong answers

Option B is wrong because SW1 being the root bridge for all VLANs (including VLAN 20) does not block traffic; the root bridge is the reference point for spanning tree and does not itself cause traffic blocking—blocking occurs on non-root ports. Option C is wrong because if the trunk link were down, VLAN 10 users on SW1 would also be unable to access VLAN 10 resources on SW2, which they can. Option D is wrong because the server in VLAN 20 can communicate with other VLAN 20 devices on SW2, proving its IP configuration is correct for its local subnet.

118
MCQhard

A DevOps team is automating network configuration using Ansible. They want to push a new VLAN configuration to a switch but ensure that only one switch is updated at a time to avoid network disruption. Which Ansible strategy or feature should they use?

A.Use 'strategy: free' to manage execution order.
B.Set 'forks: 1' in the playbook.
C.Use 'throttle: 1' on each task.
D.Set 'serial: 1' in the playbook.
AnswerD

'serial: 1' ensures only one host is updated at a time, preventing disruption.

Why this answer

Option D is correct because setting `serial: 1` in an Ansible playbook forces the play to execute against only one host at a time, even if the play targets multiple switches. This ensures that VLAN configuration is pushed to exactly one switch before moving to the next, preventing network disruption from simultaneous changes.

Exam trap

The trap here is that candidates confuse `forks` (which controls task-level parallelism) with `serial` (which controls host-level batching), or mistakenly think `throttle` or `strategy: free` can achieve the same serialization effect.

How to eliminate wrong answers

Option A is wrong because `strategy: free` allows each host to run tasks independently without waiting for others, which could cause multiple switches to be updated concurrently, defeating the purpose of serialized updates. Option B is wrong because `forks: 1` limits the number of parallel task executions but still allows multiple hosts to be processed in parallel if the play targets multiple hosts; `forks` controls task-level parallelism, not host-level serialization. Option C is wrong because `throttle: 1` limits the number of concurrent task runs across all hosts but does not guarantee that only one switch is updated at a time; it can still allow multiple hosts to start the task before the throttle limit is reached, and it applies per task, not per play.

119
MCQmedium

A developer calls Cisco DNA Center API to get device details and receives the JSON response shown. The device 'Switch-A' is listed but the status is 'unreachable'. Which Cisco DNA Center API endpoint was most likely used?

A./dna/intent/api/v1/network-device/{id}
B./dna/intent/api/v1/site/{siteId}/device
C./dna/intent/api/v1/device-health
D./dna/intent/api/v1/network-device
AnswerA

This endpoint retrieves a single device by ID, matching the response structure.

Why this answer

Option A is correct because the endpoint /dna/intent/api/v1/network-device/{id} retrieves detailed information for a specific network device, including its management IP address, reachability status, and other attributes. The JSON response showing 'Switch-A' with status 'unreachable' indicates a single-device query, which matches the path parameter {id} used to target a particular device. This endpoint returns a device-level status field (e.g., 'reachabilityStatus') that directly reflects the 'unreachable' value seen in the response.

Exam trap

Cisco often tests the distinction between list endpoints (e.g., /network-device) and detail endpoints (e.g., /network-device/{id}), where candidates mistakenly choose the list endpoint because they see a device name in the response, but the presence of a specific status like 'unreachable' for a single device indicates the ID-specific endpoint was used.

How to eliminate wrong answers

Option B is wrong because /dna/intent/api/v1/site/{siteId}/device returns a list of devices associated with a specific site, not a single device's detailed status; it would not include the 'unreachable' status for an individual device in the same granular way. Option C is wrong because /dna/intent/api/v1/device-health returns aggregated health scores (e.g., overall health, network, wireless) for devices, not the raw reachability status like 'unreachable' for a single device. Option D is wrong because /dna/intent/api/v1/network-device (without an ID) returns a list of all network devices, each with summary information, but the question's response shows details for a single device (Switch-A) with its status, which requires the ID-specific endpoint.

120
Multi-Selecteasy

Which TWO functions are performed by the data plane in a network device? (Choose two.)

Select 2 answers
A.Building the routing table using OSPF
B.Forwarding packets based on destination MAC address
C.Applying ACLs to permit or deny traffic
D.Maintaining ARP cache entries
E.Establishing OSPF neighbor adjacencies
AnswersB, C

Data plane performs forwarding.

Why this answer

The data plane is responsible for forwarding packets based on information in the forwarding table, such as destination MAC address for Layer 2 switching. Applying ACLs is also a data plane function because ACL rules are evaluated in hardware or software during packet forwarding to permit or deny traffic.

Exam trap

Cisco often tests the distinction between control plane and data plane by listing functions that sound like forwarding (e.g., maintaining ARP cache) but are actually control plane operations, leading candidates to confuse maintenance with usage.

121
MCQhard

A company runs a microservices application on a Kubernetes cluster with 10 worker nodes. The application consists of 3 services: frontend, backend, and database. The database service is stateful and uses persistent volumes. Recently, the operations team noticed that the backend service is experiencing intermittent failures with 'Connection refused' errors when trying to connect to the database. The database service is exposed via a ClusterIP service named 'database-service'. The backend service uses environment variable DB_HOST=database-service to connect. The pod logs show that the connection is attempted to an IP address that does not correspond to any database pod. Further investigation reveals that the database pod has been restarted multiple times due to OOMKilled errors. The backend service is configured with a liveness probe that checks the health endpoint every 10 seconds, and a readiness probe that checks the same endpoint every 5 seconds. The database pod has resource limits set to 512Mi memory and 500m CPU. The node running the database pod has 4Gi memory and 2 CPU cores. What is the most likely cause of the intermittent connection failures?

A.The backend service is using a hardcoded IP address instead of the service DNS name.
B.The backend service's readiness probe is failing, so it is not receiving traffic, but the backend still tries to connect.
C.The database pod is being killed due to memory limits, causing frequent restarts and temporary unavailability; the backend's connection attempts fail during the restart window.
D.The DNS entry for database-service is cached and pointing to the old pod IP after the database pod restarts.
AnswerC

The OOMKilled errors indicate the database pod exceeds memory limits. When it restarts, there is a brief period of unavailability, causing 'Connection refused' errors.

Why this answer

The intermittent 'Connection refused' errors are caused by the database pod being repeatedly killed for exceeding its 512Mi memory limit, which shows up as OOMKilled terminations and a rising restart count. DNS resolves database-service to the Service's stable ClusterIP, and kube-proxy forwards only to endpoints whose pods are ready; while the single database pod is restarting, the Service has no ready endpoint, so the connection is rejected and the client sees 'Connection refused'. That is also why the logged IP does not match a database pod: it is the ClusterIP, not a pod IP. The frequent restarts produce the observed pattern of short, recurring outages.

Exam trap

Cisco often tests the distinction between pod-level failures (like OOMKilled causing restarts) and service-level issues (like DNS caching or readiness probes), leading candidates to incorrectly attribute the problem to DNS or probe misconfiguration instead of the resource constraint causing the database pod to be temporarily unavailable.

How to eliminate wrong answers

Option A is wrong because the backend uses DB_HOST=database-service, a DNS name that resolves to the Service's ClusterIP; an IP that 'does not correspond to any database pod' is exactly what a ClusterIP looks like, so it is not evidence of a hardcoded address. Option B is wrong because the backend's readiness probe checks the backend's own health endpoint; failing it removes the backend from its own Service's endpoints but has no effect on the backend's outbound connections to the database. Option D is wrong because the DNS record for a ClusterIP Service points at the Service's virtual IP, which does not change when a pod restarts; pod IP changes are tracked by the Endpoints object, not by DNS, so there is no stale record to explain the failures.
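The check a practitioner would run for this scenario, as an added example (not code from the page or from any Kubernetes tooling): it reads the JSON that `kubectl get pod -o json` and `kubectl get endpoints -o json` produce, flags containers whose last termination was OOMKilled, and confirms that the Service currently has no ready endpoint, which is the combination that surfaces as 'Connection refused'. The two JSON documents below are constructed, trimmed excerpts, not real captures; the pod and container names are assumed.

```python
import json

# Constructed excerpts (not real captures) of `kubectl get pod database-0 -o json`
# and `kubectl get endpoints database-service -o json` for the scenario above.
POD_JSON = json.dumps({
    "metadata": {"name": "database-0", "namespace": "app"},
    "spec": {"containers": [{
        "name": "postgres",
        "resources": {"limits": {"memory": "512Mi", "cpu": "500m"}}}]},
    "status": {"phase": "Running", "containerStatuses": [{
        "name": "postgres", "ready": False, "restartCount": 7,
        "state": {"waiting": {"reason": "CrashLoopBackOff"}},
        "lastState": {"terminated": {"reason": "OOMKilled", "exitCode": 137}}}]},
})
ENDPOINTS_JSON = json.dumps({
    "metadata": {"name": "database-service"},
    # The pod IP is present but only under notReadyAddresses: no ready backend.
    "subsets": [{"notReadyAddresses": [{"ip": "10.244.3.17"}],
                 "ports": [{"port": 5432}]}],
})


def find_oom_restarts(pod_json):
    """Return [(container, restartCount, memory limit)] for containers whose
    last termination was OOMKilled (or exit code 137, the kernel's SIGKILL)."""
    pod = json.loads(pod_json)
    limits = {c["name"]: c.get("resources", {}).get("limits", {}).get("memory")
              for c in pod["spec"]["containers"]}
    hits = []
    for cs in pod.get("status", {}).get("containerStatuses", []):
        term = cs.get("lastState", {}).get("terminated") or {}
        if term.get("reason") == "OOMKilled" or term.get("exitCode") == 137:
            hits.append((cs["name"], cs.get("restartCount", 0), limits.get(cs["name"])))
    return hits


def ready_endpoint_ips(endpoints_json):
    """IPs kube-proxy will actually forward to; notReadyAddresses are excluded."""
    ep = json.loads(endpoints_json)
    return [a["ip"] for s in ep.get("subsets") or [] for a in s.get("addresses") or []]


def diagnose(pod_json, endpoints_json):
    oom = find_oom_restarts(pod_json)
    ready = ready_endpoint_ips(endpoints_json)
    if oom and not ready:
        name, restarts, limit = oom[0]
        return (f"OOMKilled: {name} restarted {restarts}x under limit {limit}; "
                "no ready endpoints, so the ClusterIP rejects connections")
    if not ready:
        return "no ready endpoints but no OOM evidence: check readiness probe and pod logs"
    return "endpoints ready: look at DNS, client config or network policy instead"


if __name__ == "__main__":
    print(diagnose(POD_JSON, ENDPOINTS_JSON))
```

Exit code 137 is checked alongside the reason string because some runtimes report the OOM kill only as the signal; in a live cluster the same two objects also tell you whether a readiness probe, rather than a crash, is what emptied the endpoint list.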

122
MCQeasy

Which protocol is commonly used to retrieve real-time telemetry data from network devices in a streaming fashion?

A.SNMP polling
B.NETCONF
C.HTTP
D.gRPC
AnswerD

gRPC supports streaming telemetry.

Why this answer

gRPC is correct because it is designed for high-performance, real-time streaming of telemetry data using HTTP/2 and Protocol Buffers. Network devices like Cisco IOS XR and NX-OS use gRPC to push telemetry data to collectors in a continuous stream, eliminating the need for polling and reducing latency.

Exam trap

Cisco often tests the distinction between configuration protocols (NETCONF) and streaming telemetry protocols (gRPC). The trap is the word 'subscription': NETCONF does support push subscriptions (YANG-Push, RFC 8639/8641, periodic or on-change), but the exam's model is that model-driven telemetry streams over gRPC (gNMI subscriptions, or dial-out from the device to a collector), so when both appear, gRPC is the streaming answer.

How to eliminate wrong answers

Option A is wrong because SNMP polling is a request-response model: the collector asks, the device answers, and the polling interval sets both the load and the latency. Option B is wrong because NETCONF is first and foremost a configuration and operational-data protocol over SSH; its YANG-Push subscriptions exist, but it is not what Cisco platforms use for high-volume streaming telemetry. Option C is wrong because HTTP on its own is a generic request-response transport with none of gRPC's bidirectional streaming over HTTP/2 or its compact Protocol Buffers encoding, and streaming telemetry is not built on it.

123
MCQmedium

A network engineer is automating the deployment of a new VLAN across multiple Cisco switches using Ansible. The engineer has written a playbook that uses the ios_vlan module to create VLAN 100 with name 'Users'. The playbook runs successfully on the first switch but fails on the second switch with the error message: 'VLAN name is already in use'. The engineer checks the second switch and confirms that VLAN 100 does not exist, but a different VLAN with the name 'Users' exists. The engineer wants to ensure that the playbook creates VLAN 100 with the exact name 'Users' only if it does not already exist, and without conflicting with existing VLANs. Which approach should the engineer take?

A.Use the ios_vlan module with parameters vlan_id=100 and name='Users' and set state=present. The module will create the VLAN if it does not exist or update the name if it exists with a different name.
B.First use the ios_command module to run 'show vlan name Users' and then conditionally create VLAN 100 if no output is returned.
C.Use the ios_config module to directly apply the configuration 'vlan 100\n name Users' and then use the 'parents' directive to ensure idempotency.
D.Use the ios_vlan module with vlan_id=100 and state=present, but omit the name parameter.
AnswerA

The ios_vlan module idempotently creates or updates VLAN; it will rename the existing VLAN if needed.

Why this answer

Option A is correct because `ios_vlan` (today superseded by the `cisco.ios.ios_vlans` resource module) with `state=present` is idempotent on the VLAN ID: if VLAN 100 is absent it is created with the name 'Users'; if VLAN 100 exists under another name, the name is updated; if it already matches, nothing is pushed. IOS requires VLAN names to be unique, so when a different VLAN ID already owns 'Users' the task fails with the observed error instead of silently creating a misnamed VLAN. That is the desired behaviour: the name conflict is an inventory problem the engineer must resolve deliberately (rename or remove the other VLAN, or correct the intended name), not something the playbook should paper over.

Exam trap

Cisco often tests the misconception that dropping the `name` parameter or falling back to raw `ios_config` lines sidesteps a name conflict. Neither does: the switch enforces name uniqueness no matter how the command is delivered. The module's idempotency is keyed on the VLAN ID, so it can create or rename VLAN 100 but cannot take a name another VLAN already holds; the correct answer is still the declarative module, with the conflict handled as a separate, explicit step.

How to eliminate wrong answers

Option B is wrong because running `show vlan name Users` through `ios_command` and branching on the output is imperative, non-idempotent logic that reimplements what the module already does; it also does not resolve the conflict, since the name really is in use by another VLAN and the subsequent create would still fail. Option C is wrong because `ios_config` pushes the raw lines `vlan 100` and ` name Users`; the `parents` directive only scopes the idempotency match and does not check name uniqueness, so the switch returns the same 'VLAN name is already in use' error. Option D is wrong because omitting `name` leaves VLAN 100 with the default name (VLAN0100), which does not meet the requirement for the exact name 'Users' and leaves the conflicting VLAN in place.

124
Multi-Selecthard

Which THREE are benefits of using YANG as a data modeling language for network automation? (Select exactly 3.)

Select 3 answers
A.Enables validation of data constraints before applying changes
B.Allows direct execution of CLI commands on any device
C.Provides a standard way to define configuration and state data
D.Supports multiple serialization formats like JSON and XML
E.Promotes interoperability between different vendor devices
AnswersA, C, E

Why this answer

Option A is correct because YANG (RFC 6020/7950) allows you to define data constraints such as ranges, mandatory elements, and type restrictions directly in the model. When you attempt to apply configuration via NETCONF or RESTCONF, the server validates the data against these constraints before committing, preventing invalid changes from being applied.

Exam trap

Cisco often tests the distinction between the data modeling language (YANG) and the transport protocols (NETCONF/RESTCONF) or serialization formats (JSON/XML), so the trap here is confusing the benefits of the model itself with the features of the protocols that use it.

125
MCQmedium

Refer to the exhibit. A developer sent a POST request to https://apic-ip/api/mo/uni/tn-testtenant.json with a JSON body missing the name attribute. What should the correct JSON body include?

A.{"fvTenant": {"name": "testtenant"}}
B.{"attributes": {"name": "testtenant"}}
C.{"fvTenant": {"attributes": {"name": "TestTenant"}}}
D.{"fvTenant": {"attributes": {"name": "testtenant"}}}
AnswerD

Correctly nests the 'name' property under 'attributes' inside 'fvTenant'.

Why this answer

Option D is correct because the APIC REST API expects a body that mirrors the managed-object (MO) model: the top-level key is the MO class (fvTenant), which contains an 'attributes' object carrying the properties, here 'name'. When posting to /api/mo/<dn>.json the DN in the URL (uni/tn-testtenant) already names the object, so the name attribute must match it exactly; ACI names are case-sensitive, and there is no lowercase convention beyond what the URL itself dictates.

Exam trap

Cisco often tests the requirement to nest attributes inside the managed object class, and the trap here is that candidates either omit the 'attributes' wrapper entirely (Option A) or place 'attributes' at the top level (Option B), both of which are common mistakes when transitioning from simpler REST APIs to the APIC's structured object model.

How to eliminate wrong answers

Option A is wrong because it omits the required 'attributes' wrapper; the APIC expects the 'name' attribute to be nested inside an 'attributes' object within the managed object. Option B is wrong because it uses 'attributes' as the top-level key instead of the managed object class 'fvTenant', which violates the APIC REST API's object model hierarchy. Option C is wrong because 'TestTenant' does not match the 'testtenant' in the URL's DN; ACI object names are case-sensitive, so the attribute conflicts with the DN the request is addressed to and the APIC rejects it.
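A pre-flight check for the structure this question tests, as an added example (not code from the page or from Cisco): it derives the expected MO class and name from the /api/mo/<dn>.json URL and then verifies a candidate body has the class as its top-level key, the 'attributes' wrapper, and a name that matches the DN case-sensitively. The prefix-to-class table covers only a few common ACI objects and is an assumption of this example; the URL and the four bodies are the question's own.

```python
# Assumption: DN prefix -> managed-object class for the common ACI tenant objects.
DN_PREFIX_CLASS = {"tn": "fvTenant", "ap": "fvAp", "epg": "fvAEPg", "BD": "fvBD"}


def expected_from_url(url):
    """'/api/mo/uni/tn-testtenant.json' -> ('fvTenant', 'testtenant')."""
    last = url.rstrip("/").rsplit("/", 1)[-1]
    rn, _, fmt = last.rpartition(".")
    if fmt not in ("json", "xml") or "-" not in rn:
        raise ValueError(f"not a /api/mo/<dn>.json style URL: {url}")
    prefix, _, name = rn.partition("-")   # names may themselves contain '-'
    if prefix not in DN_PREFIX_CLASS:
        raise ValueError(f"unknown DN prefix {prefix!r}")
    return DN_PREFIX_CLASS[prefix], name


def validate_mo_body(url, body):
    """Return 'ok' or the first structural problem with an APIC MO JSON body."""
    cls, name = expected_from_url(url)
    if not isinstance(body, dict) or list(body) != [cls]:
        return f"top-level key must be the MO class {cls!r}"
    attrs = body[cls].get("attributes") if isinstance(body[cls], dict) else None
    if not isinstance(attrs, dict):
        return f"{cls} must wrap its properties in an 'attributes' object"
    if attrs.get("name") != name:
        return (f"attributes.name {attrs.get('name')!r} must equal the DN name "
                f"{name!r} (case-sensitive)")
    return "ok"


URL = "https://apic-ip/api/mo/uni/tn-testtenant.json"
OPTIONS = {
    "A": {"fvTenant": {"name": "testtenant"}},
    "B": {"attributes": {"name": "testtenant"}},
    "C": {"fvTenant": {"attributes": {"name": "TestTenant"}}},
    "D": {"fvTenant": {"attributes": {"name": "testtenant"}}},
}


def check_options():
    """Run the validator over the four answer choices."""
    return {k: validate_mo_body(URL, v) for k, v in OPTIONS.items()}


if __name__ == "__main__":
    for option, verdict in check_options().items():
        print(option, verdict)
```

Running this rejects A, B and C for the three distinct reasons the explanation gives and accepts only D.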

126
MCQmedium

A NETCONF RPC reply indicates a validation failure. Based on the exhibit, what is the most probable reason for the failure?

A.The MTU value provided is outside the allowed range.
B.The XML syntax in the edit operation was malformed.
C.The XML namespace 'Cisco-IOS-XE-native' is not supported.
D.The NETCONF session timed out before the operation completed.
AnswerA

An error pointing at the mtu element signals a value problem.

Why this answer

The NETCONF RPC reply indicates a validation failure, which occurs when the data being configured does not satisfy the YANG model's constraints. The reply identifies the offending node (an error-path ending in mtu, or a bad-element of 'mtu' in error-info) and carries an error-tag such as invalid-value, the signature of a constraint violation: the value lies outside the range the Cisco-IOS-XE-native model allows for the interface MTU, so the device rejects the edit before touching the running configuration.

Exam trap

Cisco often tests the distinction between validation errors (data model constraints) and other error types like syntax errors or namespace issues, leading candidates to confuse a validation failure with a malformed XML or unsupported namespace.

How to eliminate wrong answers

Option B is wrong because malformed XML is caught by the parser, producing an rpc-error with error-tag malformed-message (or a dropped session), not a validation error tied to a specific element. Option C is wrong because an unsupported namespace yields error-tag unknown-namespace for the whole edit, not a value error on one leaf. Option D is wrong because a session timeout produces no rpc-reply at all (the transport closes), so there would be no validation failure to read.
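Telling these error classes apart in a script rather than by eye, as an added example (not code from the page or from ncclient): the parser pulls every rpc-error out of a reply and classifies it by its RFC 6241 error-tag, so automation can distinguish a validation rejection (retry with a corrected value) from a namespace or syntax problem (fix the request) or a lock conflict (wait). The rpc-reply below is constructed for the MTU scenario, not a device capture; the exact error-message wording is an assumption.

```python
import xml.etree.ElementTree as ET

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
NS = {"nc": NC}

# Constructed rpc-reply (not a real device capture) for the MTU scenario above.
RPC_REPLY = f"""<rpc-reply xmlns="{NC}" message-id="101">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-path xmlns:ios="http://cisco.com/ns/yang/Cisco-IOS-XE-native">
      /ios:native/ios:interface/ios:GigabitEthernet[ios:name='1']/ios:mtu
    </error-path>
    <error-message xml:lang="en">"99999" is not in the range [1500..9216]</error-message>
    <error-info><bad-element>mtu</bad-element></error-info>
  </rpc-error>
</rpc-reply>"""
OK_REPLY = f'<rpc-reply xmlns="{NC}" message-id="102"><ok/></rpc-reply>'

# RFC 6241 error-tag values grouped by what the operator should fix.
ERROR_CLASS = {
    "malformed-message": "syntax",
    "unknown-namespace": "namespace",
    "unknown-element": "schema", "missing-element": "schema",
    "unknown-attribute": "schema", "missing-attribute": "schema", "bad-attribute": "schema",
    "invalid-value": "validation", "bad-element": "validation", "too-big": "validation",
    "access-denied": "authorization",
    "lock-denied": "concurrency", "in-use": "concurrency",
    "data-exists": "state", "data-missing": "state",
    "operation-not-supported": "operation", "operation-failed": "operation",
}


def parse_rpc_errors(reply_xml):
    """Return one dict per <rpc-error>; an empty list means the reply carried no error."""
    root = ET.fromstring(reply_xml)
    if root.tag != f"{{{NC}}}rpc-reply":
        raise ValueError(f"not an rpc-reply: {root.tag}")
    errors = []
    for err in root.findall("nc:rpc-error", NS):
        def field(tag):
            el = err.find(f"nc:{tag}", NS)
            return " ".join(el.text.split()) if el is not None and el.text else None
        bad = err.find("nc:error-info/nc:bad-element", NS)
        tag = field("error-tag")
        errors.append({
            "type": field("error-type"), "tag": tag, "severity": field("error-severity"),
            "path": field("error-path"), "message": field("error-message"),
            "bad_element": bad.text.strip() if bad is not None and bad.text else None,
            "class": ERROR_CLASS.get(tag, "other"),
        })
    return errors


def classify(reply_xml):
    """'ok' for a successful reply, else the class of the first error (e.g. 'validation')."""
    errors = parse_rpc_errors(reply_xml)
    return errors[0]["class"] if errors else "ok"


if __name__ == "__main__":
    for e in parse_rpc_errors(RPC_REPLY):
        print(e["class"], e["tag"], e["bad_element"], e["message"])
```

With ncclient the same XML is available as the `xml` attribute of the `RPCError` it raises, so the classifier slots straight into an `except RPCError` handler.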

127
MCQhard

An automation script uses the Cisco IOS XE REST API to modify the running configuration. The script sends a PUT request to /restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet=1/0/1/ip/address. The response returns 405 Method Not Allowed. What is the most likely reason?

A.The request body is missing.
B.PUT is not allowed on this resource; use PATCH instead.
C.The interface does not exist.
D.The script is not authenticated.
E.The IP address format is incorrect.
AnswerB

RESTCONF often uses PATCH for partial updates; PUT might not be implemented.

Why this answer

The 405 Method Not Allowed response means the server recognizes the HTTP method but does not permit it on that resource. In RESTCONF (RFC 8040), PUT creates or fully replaces the target resource, so the client must send the complete data for that node, while PATCH merges only the leaves supplied; a server may refuse PUT on a particular node while accepting PATCH, and for a partial change to an interface's address PATCH is the appropriate method in any case. Note, as a separate point, that the list key in the question's path should be percent-encoded (GigabitEthernet=1%2F0%2F1, RFC 8040 section 3.5.3); a raw '/' in the key is a different defect and would not produce a 405.

Exam trap

Cisco often tests the distinction between PUT and PATCH in RESTCONF: candidates assume PUT is the generic 'update' verb, but PUT creates or replaces the whole target resource and a server need not allow it on every node, whereas PATCH merges only the leaves you send and is the method for a partial change.

How to eliminate wrong answers

Option A is wrong because a missing request body would typically result in a 400 Bad Request, not 405 Method Not Allowed. Option C is wrong because a non-existent interface would return a 404 Not Found, not a 405. Option D is wrong because authentication failures return 401 Unauthorized, not 405.

Option E is wrong because an incorrect IP address format would cause a 400 Bad Request due to schema validation failure, not a 405.
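Building the request correctly, as an added example (not code from the page or from Cisco): the helper percent-encodes the interface name as RFC 8040 requires, sets the yang-data+json media types, and produces a PATCH by default, using PUT only when the caller explicitly wants a full replacement. The host, interface and address values are constructed, and the body shape (the primary address under ip/address in Cisco-IOS-XE-native) is an assumption to confirm against the device's own YANG module.

```python
from urllib.parse import quote

RESTCONF_HEADERS = {
    "Content-Type": "application/yang-data+json",
    "Accept": "application/yang-data+json",
}


def restconf_key(value):
    """Percent-encode a list key value (RFC 8040 section 3.5.3). Interface names
    such as 1/0/1 contain '/', which would otherwise be read as path separators."""
    return quote(str(value), safe="")


def interface_ip_url(host, ifname):
    return (f"https://{host}/restconf/data/Cisco-IOS-XE-native:native/interface/"
            f"GigabitEthernet={restconf_key(ifname)}/ip/address")


def ip_address_body(address, mask):
    # The target node is ip/address, so the body is keyed on the module-qualified
    # node name. Assumption: primary-address shape of Cisco-IOS-XE-native.
    return {"Cisco-IOS-XE-native:address": {"primary": {"address": address, "mask": mask}}}


def build_request(host, ifname, address, mask, replace=False):
    """Return (method, url, headers, body). PATCH merges just these leaves;
    PUT replaces the whole target resource and is what drew the 405 above."""
    method = "PUT" if replace else "PATCH"
    return (method, interface_ip_url(host, ifname),
            dict(RESTCONF_HEADERS), ip_address_body(address, mask))


if __name__ == "__main__":
    print(build_request("10.0.0.1", "1/0/1", "192.0.2.1", "255.255.255.0"))
```

Hand the tuple to whatever HTTP client you use (requests, urllib) with TLS verification left on; a 400 from the device at that point means the body, not the URL or method, needs attention.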

128
Multi-Selectmedium

Which TWO methods are commonly used to discover network devices in an automation environment? (Select exactly 2.)

Select 2 answers
A.Manually entering device details into a spreadsheet
B.Using SNMP to bulk-configure devices
C.Monitoring DHCP logs to lease IP addresses to new devices
D.Using LLDP or CDP to retrieve directly connected neighbor information
E.Using a centralized controller like Cisco DNA Center to query device inventory
AnswersD, E

Why this answer

Option D is correct because LLDP (IEEE 802.1AB) and CDP (Cisco Discovery Protocol) are Layer 2 protocols that allow network devices to advertise their identity, capabilities, and directly connected neighbors. In automation environments, these protocols enable dynamic discovery of the network topology without manual intervention, making them essential for automated inventory and mapping.

Exam trap

Cisco often tests the distinction between discovery protocols (LLDP/CDP) and management protocols (SNMP). SNMP does appear in discovery workflows (a controller polls sysName and neighbor tables once it has an address to try), but option B is wrong for a different reason: it describes bulk configuration, which is not discovery and is not a job SNMP is used for in modern automation.

129
MCQeasy

A network engineer is writing a Python script to interact with Cisco DNA Center. After successfully authenticating and receiving a token, what header must be included in subsequent API requests?

A.In a custom header
B.In the URL query string
C.In the request body
D.In the Authorization header as Bearer
AnswerD

The standard way is to include 'Authorization: Bearer <token>' in the header.

Why this answer

Option D is the key here because the Bearer scheme in the Authorization header (RFC 6750) is the standard way a REST client presents a token it has already obtained. Know the platform detail as well: Cisco DNA Center issues the token in response to a Basic-auth POST to /dna/system/api/v1/auth/token (the JSON body carries a 'Token' field), it is not an OAuth 2.0 flow, and the product documentation sends that token on subsequent calls in a custom X-Auth-Token header. Either way the security properties are the same: the token travels in a request header over TLS, is tied to the authenticated session, and expires (DNA Center tokens last about an hour), so a client must be prepared to re-authenticate on a 401.

Exam trap

Cisco often tests the distinction between authentication (obtaining the token) and authorization (presenting it). The trap is choosing the query string or the request body because API keys and session cookies sometimes travel that way; the rule is that a token belongs in a request header. Which header is a platform detail (Authorization: Bearer in the generic case, X-Auth-Token on DNA Center itself), so read the product's API reference rather than assuming one or the other.

How to eliminate wrong answers

Option A is marked wrong in this key because a generic custom header is not the standard scheme; be aware, though, that DNA Center's own API does use a custom header (X-Auth-Token), so in a live script you follow the documentation for the product you are calling, and the server returns 401 Unauthorized if the token is missing or in the wrong header. Option B is wrong because passing the token in the URL query string exposes it in proxy logs, web-server access logs and browser history, and DNA Center does not accept it there. Option C is wrong because the body carries the request payload (for example, the JSON for a site or device being created); a GET has no body at all, and placing credentials in the body departs from standard HTTP authentication.
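The token flow in this question and the network-device lookup from the earlier 'Switch-A' question, as an added example (not code from the page or from Cisco): the client authenticates once with Basic auth, keeps the token, sends it in the X-Auth-Token header that DNA Center documents, and re-authenticates a single time if a request comes back 401. The HTTP transport is injectable so the logic is testable offline; `mock_dnac`, its credentials and its token are constructed stand-ins for the controller, the base URL is hypothetical, and the device response is a trimmed version of the real envelope.

```python
import base64
import json
from urllib import error, request

TOKEN_PATH = "/dna/system/api/v1/auth/token"
DEVICE_PATH = "/dna/intent/api/v1/network-device/"


def urllib_transport(method, url, headers):
    """Real transport: returns (status, parsed JSON body). Keep TLS verification on."""
    req = request.Request(url, method=method, headers=headers)
    try:
        with request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


class DnacClient:
    """Minimal DNA Center client: Basic-auth once for a token, then send the
    token in the X-Auth-Token header; re-authenticate once on a 401."""

    def __init__(self, base_url, user, password, transport=urllib_transport):
        self.base, self.user, self.password = base_url.rstrip("/"), user, password
        self.transport = transport
        self.token = None

    def login(self):
        cred = base64.b64encode(f"{self.user}:{self.password}".encode()).decode()
        status, body = self.transport("POST", self.base + TOKEN_PATH,
                                      {"Authorization": "Basic " + cred})
        if status != 200 or "Token" not in body:
            raise PermissionError(f"token request failed: {status} {body}")
        self.token = body["Token"]
        return self.token

    def get(self, path):
        if self.token is None:
            self.login()
        for attempt in (1, 2):
            # The token rides in a header, never in the query string (which ends up in logs).
            status, body = self.transport("GET", self.base + path, {"X-Auth-Token": self.token})
            if status == 401 and attempt == 1:
                self.login()      # token expired (about an hour on DNA Center): refresh once
                continue
            return status, body

    def get_device(self, device_id):
        return self.get(DEVICE_PATH + device_id)


# Constructed in-memory stand-in for the controller so the example runs offline.
MOCK_USER, MOCK_PASSWORD, MOCK_TOKEN = "devnetuser", "devnetpass", "constructed-token"


def mock_dnac(method, url, headers):
    path = "/" + url.split("://", 1)[-1].split("/", 1)[1]
    expected = "Basic " + base64.b64encode(f"{MOCK_USER}:{MOCK_PASSWORD}".encode()).decode()
    if method == "POST" and path == TOKEN_PATH:
        if headers.get("Authorization") == expected:
            return 200, {"Token": MOCK_TOKEN}
        return 401, {"error": "invalid credentials"}
    if headers.get("X-Auth-Token") != MOCK_TOKEN:
        return 401, {"error": "missing or invalid X-Auth-Token"}
    if method == "GET" and path.startswith(DEVICE_PATH):
        return 200, {"response": {"hostname": "Switch-A", "reachabilityStatus": "Unreachable"}}
    return 404, {"error": "not found"}


def demo():
    client = DnacClient("https://dnac.example.net", MOCK_USER, MOCK_PASSWORD,
                        transport=mock_dnac)
    status, body = client.get_device("abc")
    return status, body["response"]["reachabilityStatus"], client.token


if __name__ == "__main__":
    print(demo())
```

Swap `transport=mock_dnac` for the default `urllib_transport` (or a requests-based equivalent) to talk to a real controller; the credential handling and header placement do not change.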

130
MCQhard

During a code review, a developer notices that a function has multiple nested if-else statements. Which refactoring technique would improve maintainability?

A.Introduce parameter object
B.Decompose conditional
C.Replace conditional with polymorphism
D.Extract method
AnswerC

Polymorphism allows each subclass to implement its own behavior, eliminating the need for complex conditionals.

Why this answer

Option C is correct because replacing conditionals with polymorphism moves each branch's behaviour into a subtype, so the caller dispatches on the object instead of walking a nested if-else tree; adding a case means adding a class, not another branch. Option D (Extract method) can flatten the nesting but leaves the conditional logic in place. Option A (Introduce parameter object) shortens parameter lists and does nothing for conditionals.

Option B (Decompose conditional) is a valid first step (pull each condition and branch into a named method) but keeps the branching structure, so polymorphism is the more comprehensive answer for deeply nested conditionals that switch on a type or category.
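The refactoring applied to a small piece of network-automation code, as an added example (not code from the page): the 'before' function decides how to fetch a device's configuration with nested conditionals on platform and API availability; the 'after' version gives each platform its own class and a registry, and a check function confirms both versions agree on every input, which is the safety net you want while refactoring. Platforms, ports and paths are illustrative values chosen for this example.

```python
from abc import ABC, abstractmethod


def fetch_plan_before(platform, api_enabled):
    """Nested conditionals: every new platform or transport widens this."""
    if platform == "ios-xe":
        if api_enabled:
            return ("restconf", 443, "/restconf/data/Cisco-IOS-XE-native:native")
        else:
            return ("ssh", 22, "show running-config")
    elif platform == "nx-os":
        if api_enabled:
            return ("nxapi", 443, "/ins")
        else:
            return ("ssh", 22, "show running-config")
    elif platform == "meraki":
        return ("dashboard", 443, "/api/v1/organizations")
    else:
        raise ValueError(f"unsupported platform: {platform}")


class Platform(ABC):
    """Each subclass owns the behaviour that used to live in one branch."""
    cli_command = "show running-config"

    @abstractmethod
    def api_plan(self):
        ...

    def plan(self, api_enabled):
        return self.api_plan() if api_enabled else ("ssh", 22, self.cli_command)


class IosXe(Platform):
    def api_plan(self):
        return ("restconf", 443, "/restconf/data/Cisco-IOS-XE-native:native")


class NxOs(Platform):
    def api_plan(self):
        return ("nxapi", 443, "/ins")


class Meraki(Platform):
    def api_plan(self):
        return ("dashboard", 443, "/api/v1/organizations")

    def plan(self, api_enabled):  # cloud-managed: there is no CLI fallback
        return self.api_plan()


PLATFORMS = {"ios-xe": IosXe(), "nx-os": NxOs(), "meraki": Meraki()}


def fetch_plan_after(platform, api_enabled):
    try:
        return PLATFORMS[platform].plan(api_enabled)
    except KeyError:
        raise ValueError(f"unsupported platform: {platform}") from None


def behaviour_preserved():
    """Refactoring safety net: both versions agree on every input."""
    for p in PLATFORMS:
        for api in (True, False):
            if fetch_plan_before(p, api) != fetch_plan_after(p, api):
                return False
    return True


if __name__ == "__main__":
    print(behaviour_preserved(), fetch_plan_after("nx-os", False))
```

The unknown-platform path is kept as an explicit ValueError in both versions; a silent default would be the kind of behaviour change a refactoring must not introduce.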

131
MCQmedium

A network administrator is tasked with automating the deployment of a new VLAN configuration across a fabric of Cisco ACI switches. Which automation tool is best suited for interacting with the APIC REST API?

A.Bash scripting with curl
B.Chef
C.Puppet
D.Ansible
AnswerD

Ansible has built-in ACI modules that simplify interactions with the APIC.

Why this answer

Ansible is the best-suited tool because the cisco.aci collection ships purpose-built modules (aci_tenant, aci_vlan_pool, aci_encap_pool_range and so on) that are idempotent, manage APIC login and token reuse, and expose ACI objects declaratively, plus aci_rest as a raw fallback for anything the typed modules do not cover (aci_rest is only as idempotent as the payload you send). Generic scripting gives you none of that structure.

Exam trap

Cisco often tests the misconception that any scripting tool (like Bash with curl) is sufficient for automation, but the key is choosing a tool with native, purpose-built modules for the specific API, not just the ability to make HTTP requests.

How to eliminate wrong answers

Option A is wrong because Bash scripting with curl is a low-level, manual approach that requires writing custom code for every API call, lacks idempotency, and does not provide the structured, reusable automation framework needed for consistent ACI deployments. Option B is wrong because Chef is a configuration management tool designed for node-based infrastructure (e.g., servers) and does not have native modules or resources for interacting with the Cisco APIC REST API; it would require extensive custom scripting. Option C is wrong because Puppet, like Chef, is primarily a configuration management tool for server nodes and lacks built-in support for the ACI APIC REST API, making it inefficient for automating network fabric configurations.

132
Multi-Selecthard

Which TWO statements about REST API design best practices are correct?

Select 2 answers
A.API versioning should be implemented using query parameters only
B.HTTP PUT method should be used for partial updates to a resource
C.Resources should be represented using nouns in the URI
D.Responses should return only HTTP status codes without a body
E.HTTP verbs should describe the action performed on the resource
AnswersC, E

Using nouns for resources (e.g., /devices) is a REST best practice.

Why this answer

Option C is correct because REST API best practices dictate that URIs should represent resources (nouns), not actions. For example, '/users' or '/orders' clearly identifies the resource being manipulated, while verbs like '/getUsers' or '/createOrder' are discouraged as they conflate the resource with the operation.

Exam trap

Cisco often tests the distinction between PUT (full replacement) and PATCH (partial update), and the trap here is that candidates mistakenly think PUT can be used for partial updates because they overlook the idempotent, full-replacement semantics defined in RFC 7231.

133
MCQeasy

What is the default transport protocol for NETCONF sessions?

A.HTTP
B.SSH
C.TLS
D.SNMP
AnswerB

SSH is the mandatory transport for NETCONF.

Why this answer

NETCONF (Network Configuration Protocol) uses SSH as its default transport protocol, as specified in RFC 6242. SSH provides the required secure, authenticated, and encrypted channel for NETCONF sessions, ensuring confidentiality and integrity of configuration data exchanged between the client and server.

Exam trap

Cisco often tests the distinction between 'default' and 'optional' transports, so the trap here is that candidates may confuse TLS (which is supported but not default) with the mandatory SSH transport, or assume HTTP is used because NETCONF is XML-based and HTTP is commonly associated with XML APIs.

How to eliminate wrong answers

Option A is wrong because HTTP is not a standard NETCONF transport; the HTTP-based member of the family is RESTCONF (RFC 8040), a separate protocol, and plain HTTP lacks the authenticated, encrypted channel NETCONF requires. Option C is wrong because TLS is an optional transport for NETCONF (RFC 7589), not the default; SSH (RFC 6242) is the mandatory-to-implement transport, and TLS is used only where explicitly deployed. Option D is wrong because SNMP is a separate management and monitoring protocol, not a transport for NETCONF; it runs over UDP (or TCP) and carries its own PDUs, not NETCONF messages.

134
Multi-Selectmedium

Which THREE of the following are key characteristics of a RESTful API? (Choose three.)

Select 3 answers
A.Resource-based URLs
B.Stateless communication
C.Uses SOAP protocol
D.Relies on session cookies for state
E.Uses standard HTTP methods (GET, POST, PUT, DELETE)
AnswersA, B, E

Resources are identified by URIs.

Why this answer

RESTful APIs use resource-based URLs (e.g., /users/123) to uniquely identify resources, which aligns with the uniform interface constraint of REST. This design makes the API intuitive and self-descriptive, allowing clients to interact with resources directly via the URL structure.

Exam trap

Cisco often tests the distinction between REST and SOAP, and the trap here is that candidates may confuse REST's statelessness with the need for session cookies (stateful behavior) or incorrectly associate REST with SOAP due to both being web service technologies.

135
MCQhard

A Python script uses the Cisco Meraki API to create a new network and then immediately attempts to configure an SSID on that network. The SSID creation fails with a 400 error indicating 'network is not ready'. What is the most likely cause?

A.The network is not fully provisioned yet; a delay is needed.
B.The API rate limit has been exceeded.
C.The API key does not have write access to networks.
D.The SSID name contains invalid characters.
AnswerA

Asynchronous provisioning requires waiting.

Why this answer

The Meraki Dashboard API returns a 400 with 'network is not ready' because creating a network is not instantaneous on the cloud side: the network object is returned immediately, but the settings an SSID depends on are still being provisioned. An SSID request sent in the same instant lands before provisioning completes, so the right handling is a short delay followed by a retry (polling the network until it is ready, with a bounded number of attempts) rather than assuming that a 201 on creation means the resource is fully usable.

Exam trap

Cisco often tests the misconception that API calls are synchronous and that a successful creation response means the resource is immediately usable, ignoring the asynchronous provisioning that occurs in cloud-managed platforms like Meraki.

How to eliminate wrong answers

Option B is wrong because exceeding the API rate limit would return a 429 (Too Many Requests) error, not a 400 with 'network is not ready'. Option C is wrong because an API key lacking write access would result in a 403 (Forbidden) error, not a 400. Option D is wrong because invalid characters in an SSID name would cause a 400 error with a validation-specific message (e.g., 'Invalid SSID name'), not a generic 'network is not ready'.

136
MCQhard

During a migration from legacy to SD-Access, a network team wants to use Cisco DNA Center to automate policy deployment. They have defined a macro-level intent but need to ensure that the fabric devices are correctly configured. Which API call should they use to validate the fabric configuration?

A.PUT /dna/intent/api/v1/business/sda/fabric-device
B.POST /dna/intent/api/v1/business/sda/fabric-site
C.GET /dna/intent/api/v1/business/sda/fabric-site
D.GET /dna/intent/api/v1/business/sda/network-profile
AnswerC

Retrieves the fabric site configuration for validation.

Why this answer

The GET /dna/intent/api/v1/business/sda/fabric-site API call retrieves the current configuration of fabric sites, allowing the team to validate that fabric devices are correctly provisioned and associated with the intended site. This aligns with the intent-based API model where GET operations are used for validation and monitoring of deployed policies.

Exam trap

Cisco often tests the distinction between CRUD operations in intent APIs, and the trap here is that candidates confuse a POST (create) or PUT (update) with a GET (read/validate) when the question specifically asks for validation.

How to eliminate wrong answers

Option A is wrong because PUT /dna/intent/api/v1/business/sda/fabric-device is used to update or add a fabric device, not to validate existing configuration. Option B is wrong because POST /dna/intent/api/v1/business/sda/fabric-site creates a new fabric site, which is a deployment action rather than a validation step. Option D is wrong because GET /dna/intent/api/v1/business/sda/network-profile retrieves network profile definitions, not the actual fabric device configuration or site status.

137
MCQeasy

A Python script using the Cisco Meraki SDK fails with 'APIError: 429 Too Many Requests'. What action should the developer take?

A.Increase the timeout value
B.Change the HTTP method to POST
C.Use a different API key
D.Add a retry mechanism with exponential backoff
AnswerD

Standard best practice to handle rate limiting.

Why this answer

The HTTP 429 status code means the client has exceeded the API's rate limit; the Meraki Dashboard API enforces a per-organization budget and returns a Retry-After header with the 429. The correct handling is to retry with exponential backoff and jitter, honoring Retry-After when present. The official Meraki Python SDK can do this itself when constructed with wait_on_rate_limit=True and a maximum_retries value, which is why this is the expected answer rather than any change to the request itself.

Exam trap

Cisco often tests the distinction between handling rate limiting (429) versus handling request timeouts (408/504), so candidates mistakenly choose to increase the timeout value instead of implementing retry logic with backoff.

How to eliminate wrong answers

Option A is wrong because increasing the timeout value only extends how long the script waits for a single request to complete; it does not address the rate limit being exceeded. Option B is wrong because changing the HTTP method to POST does not affect rate limiting; the 429 error is about request frequency, not the method used. Option C is wrong because using a different API key does not resolve the rate limit issue; the new key would also be subject to the same rate limits, and the problem is the request rate, not authentication.
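The retry logic itself, as an added example (not code from the page or from the Meraki SDK): the function calls an injected `send()` that returns (status, headers, body), retries only on 429, waits for the server's Retry-After when it is present and otherwise backs off exponentially with jitter up to a cap, and gives up after a bounded number of attempts. The scripted responses in `demo` are constructed stand-ins for Dashboard API replies; sleep and random are injectable so the behaviour can be verified without waiting.

```python
import random
import time


class RateLimited(Exception):
    """Raised when the call is still rate limited after the last attempt."""


def call_with_backoff(send, max_attempts=5, base_delay=1.0, cap=30.0,
                      sleep=time.sleep, rand=random.random):
    """Call send() -> (status, headers, body); retry on 429 with exponential
    backoff plus jitter, preferring the server's Retry-After when present.
    Returns (status, body, attempts_used)."""
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        status, headers, body = send()
        if status != 429:
            return status, body, attempt
        if attempt == max_attempts:
            raise RateLimited(f"still rate limited after {attempt} attempts")
        retry_after = headers.get("Retry-After")
        if retry_after is not None:
            wait = float(retry_after)             # server knows its own budget
        else:
            wait = min(cap, delay) * (0.5 + rand())   # jitter in [0.5x, 1.5x)
        sleep(wait)
        delay *= 2


def make_flaky_sender(responses):
    """Constructed stand-in for a Meraki call: yields the scripted responses in order."""
    it = iter(responses)
    return lambda: next(it)


def demo():
    scripted = [
        (429, {"Retry-After": "2"}, {"errors": ["rate limit exceeded"]}),
        (429, {}, {"errors": ["rate limit exceeded"]}),
        (200, {}, [{"id": "N_1", "name": "Branch-1"}]),
    ]
    waits = []
    status, body, attempts = call_with_backoff(
        make_flaky_sender(scripted), sleep=waits.append, rand=lambda: 0.25)
    return status, attempts, waits


if __name__ == "__main__":
    print(demo())
```

In production `send` wraps the real HTTP call with the API key in the header Meraki documents; the bounded attempt count matters because unbounded retries against a shared rate limit turn one noisy script into an outage for every other client of the same organization.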

138
Multi-Selectmedium

Which TWO statements about VLAN trunking are true?

Select 2 answers
A.Trunk links can only carry one VLAN at a time.
B.Trunk links use access ports.
C.Trunk links carry traffic for multiple VLANs.
D.Trunk links require 802.1Q encapsulation.
E.Trunk links are used to connect a switch to a single host.
AnswersC, D

Trunk links allow multiple VLANs by tagging frames.

Why this answer

Trunk links carry traffic for multiple VLANs simultaneously by tagging each frame with a VLAN identifier. This allows a single physical link to transport traffic from different VLANs between switches or between a switch and a router. Option C is correct because the primary purpose of a trunk is to multiplex VLAN traffic over one link.

Exam trap

Cisco often tests the misconception that trunk links are used to connect ordinary end hosts (PCs, printers); in the exam's model, trunks connect network infrastructure (switch to switch, switch to router or firewall) to carry multiple VLANs, while an end host sits on an access port. The practical exception is a hypervisor or container host that needs several VLANs on one NIC; it is trunked precisely because it behaves like infrastructure, not like a single-VLAN host.

139
MCQ · hard

A DevOps team is deploying a containerized application across multiple hosts. They need to ensure that traffic between containers on the same host is isolated from other tenants. Which network implementation best meets this requirement?

A. Linux bridge with ebtables rules
B. NAT with port forwarding
C. VXLAN overlays with a distributed virtual switch
D. 802.1Q VLANs on the host switch
Answer: C

VXLAN provides scalable network isolation across hosts.

Why this answer

VXLAN overlays with a distributed virtual switch provide Layer 2 isolation across multiple hosts by encapsulating Ethernet frames in UDP packets (RFC 7348). This creates independent virtual networks (VXLAN segments) that can span hosts, ensuring traffic between containers on the same host is isolated from other tenants without relying on physical network topology.

Exam trap

Cisco often tests the misconception that VLANs (802.1Q) are sufficient for multi-host container isolation, but the trap is that VLANs are limited to a single broadcast domain and cannot scale across hosts without complex trunking, whereas VXLAN overlays are designed for multi-tenant, multi-host environments.

How to eliminate wrong answers

Option A is wrong because Linux bridge with ebtables rules operates at Layer 2 but does not provide multi-host isolation natively; it requires complex manual rules and lacks the scalability and tenant separation of overlay networks. Option B is wrong because NAT with port forwarding is a Layer 3/4 mechanism for translating IP addresses and ports, not for isolating container traffic at Layer 2; it breaks direct container-to-container communication and introduces single points of failure. Option D is wrong because 802.1Q VLANs on the host switch are limited to a single physical switch or require trunking across switches, and they cannot provide isolated Layer 2 segments across multiple hosts without extensive VLAN management and are limited to 4094 VLANs.

140
Multi-Select · medium

Which TWO tools are commonly used for automated network compliance checking against a desired state? (Select two)

Select 2 answers
A. SolarWinds
B. Ansible
C. Microsoft Visio
D. pyATS (with Genie)
E. Chef
Answers: B, D

Ansible can compare current config to a desired state and report differences.

Why this answer

B is correct because Ansible is an automation tool that uses playbooks (YAML-based) to define a desired network state and can enforce compliance by comparing the current device configuration against the defined state using modules like `ios_config` or `nxos_config`. It is widely used for network compliance checking due to its agentless architecture and idempotent behavior.

Exam trap

Cisco often tests the distinction between monitoring tools (like SolarWinds) and automation/compliance tools (like Ansible and pyATS), trapping candidates who confuse network monitoring with automated state enforcement.

141
MCQ · hard

Refer to the exhibit. A developer sends a PUT request to the RESTCONF endpoint with the above JSON payload. The device already has interface GigabitEthernet1/0/1 configured with IP address 10.10.10.1/24. What is the expected outcome?

A. The request fails because the interface already exists.
B. The request creates a new interface with the same configuration.
C. The request fails because the JSON is malformed.
D. The request succeeds and the interface configuration remains unchanged.
Answer: D

PUT replaces the resource with the given data; since it matches, no change occurs but the operation succeeds.

Why this answer

D is correct because the PUT request to the RESTCONF endpoint with the provided JSON payload is an idempotent operation. Since the interface GigabitEthernet1/0/1 already exists with the exact same configuration (IP address 10.10.10.1/24), the PUT request effectively replaces the resource with the same data, resulting in no change. RESTCONF uses the HTTP PUT method to create or replace a resource, and if the resource already exists and the payload matches, the operation succeeds without modification.

Exam trap

Cisco often tests the misconception that PUT will fail or create a duplicate resource when the target already exists, but the correct behavior is that PUT replaces the resource idempotently, and if the data is identical, the configuration remains unchanged.

How to eliminate wrong answers

Option A is wrong because RESTCONF PUT is idempotent and does not fail when the resource already exists; it replaces the resource with the provided data, and if the data is identical, the configuration remains unchanged. Option B is wrong because PUT does not create a new interface when the resource already exists; it replaces the existing resource, and since the payload matches the current configuration, no new interface is created. Option C is wrong because the JSON payload is syntactically valid and correctly structured for a RESTCONF PUT request to modify an interface; there is no malformation.

142
MCQ · medium

A network administrator is asked to reduce the size of the routing table on a core router. The router currently has many /24 routes learned via BGP. Which technique will most effectively reduce the number of routes without losing reachability to all subnets?

A. Implement route summarization on the BGP neighbor.
B. Replace BGP with static routes.
C. Remove all BGP learned routes and use only OSPF.
D. Configure a default route to the upstream provider.
Answer: A

Summarization reduces the number of prefixes advertised and installed.

Why this answer

Route summarization (aggregation) combines multiple specific routes into a single larger prefix, so fewer prefixes are advertised and installed while every subnet stays reachable. Option B is wrong because static routes are not dynamic and do not reduce the BGP table. Option D is wrong because a default route only covers traffic not already in the table, and you lose granularity.

Option C is wrong because removing BGP altogether loses the routes.

143
MCQ · hard

An application running on Kubernetes is experiencing intermittent 503 errors. The logs show 'upstream timed out'. The application is behind a Cisco Application Policy Infrastructure Controller (APIC) load balancer. What is the most likely cause?

A. The service port is misconfigured
B. The Readiness probe is not defined
C. The Liveness probe timeout is too low
D. The pod is not ready
Answer: B

Without Readiness probe, the service may send traffic to unready pods causing timeouts.

Why this answer

The 'upstream timed out' error in a Kubernetes environment behind a Cisco APIC load balancer indicates that the load balancer is attempting to forward traffic to a pod that is not ready to accept connections. Without a Readiness probe, Kubernetes assumes the pod is ready as soon as it starts, but the application may still be initializing or unable to handle requests. The APIC load balancer then sends traffic to an unready pod, causing timeouts and 503 errors.

Exam trap

Cisco often tests the distinction between Readiness and Liveness probes, where candidates mistakenly associate 'upstream timed out' with Liveness probe failures, but the correct focus is on traffic routing via Readiness probes.

How to eliminate wrong answers

Option A is wrong because a misconfigured service port would typically cause persistent connectivity failures (e.g., connection refused or no route to host), not intermittent 503 errors with 'upstream timed out' logs. Option C is wrong because the Liveness probe determines when to restart a container, not when to include it in the load balancer pool; a low Liveness probe timeout would cause pod restarts, not upstream timeouts. Option D is wrong because 'the pod is not ready' is a symptom, not the root cause; the underlying issue is the absence of a Readiness probe that would prevent the pod from receiving traffic until it is truly ready.

144
Multi-Select · easy

Which TWO are valid capabilities advertised during a NETCONF session?

Select 2 answers
A. urn:ietf:params:netconf:capability:url:1.0
B. urn:ietf:params:netconf:capability:writable-running:2.0
C. urn:ietf:params:netconf:capability:validate:2.0
D. urn:ietf:params:netconf:base:1.0
E. urn:ietf:params:netconf:capability:interleave:1.0
Answers: A, D

This is the URL capability for NETCONF.

Why this answer

Option A is correct because the URL capability (urn:ietf:params:netconf:capability:url:1.0) is a standard NETCONF capability that allows a client to specify a URL as the source or target of operations like <copy-config> or <edit-config>. Option D is correct because urn:ietf:params:netconf:base:1.0 is the mandatory base capability that every NETCONF session must advertise, as defined in RFC 6241, indicating support for the core NETCONF protocol operations.

Exam trap

Cisco often tests the exact version numbers of NETCONF capabilities, and the trap here is that candidates assume all capabilities use version 2.0 (confusing them with YANG module revisions or other protocols), but in reality, the standard NETCONF capabilities defined in RFC 6241 are all version 1.0.

145
MCQ · hard

Refer to the exhibit. A Meraki network has a group policy 'Block Social Media' that references a content filtering rule. The policy is applied to VLAN 1. Users in that VLAN cannot access instagram.com but can access facebook.com. What is the most likely reason?

A. The content filtering rule blocks only a specific set of URLs, but not all social media sites.
B. The group policy is not applied to the VLAN.
C. The blocked URL patterns list does not include all social media sites.
D. The content filtering is not enabled on the MX appliance.
Answer: C

The blocked list likely contains patterns for instagram but not facebook, so users can access facebook.

Why this answer

Option C is correct because the group policy 'Block Social Media' references a content filtering rule that likely uses a predefined or custom URL category list. If the rule blocks only specific URL patterns (e.g., 'instagram.com') but does not include all social media sites (e.g., 'facebook.com'), then users can still access unblocked sites. Meraki content filtering operates on URL category matching or explicit URL pattern lists; if the list is incomplete, the policy will not block all intended sites.

Exam trap

Cisco often tests the distinction between a policy being applied (which is true here) and the rule's scope being incomplete, tempting candidates to blame the policy application or appliance configuration rather than the rule's content.

How to eliminate wrong answers

Option A is wrong because it describes the symptom (blocking only a specific set of URLs) rather than the root cause; the question asks for the most likely reason, which is that the blocked URL patterns list does not include all social media sites, not merely that the rule blocks a specific set. Option B is wrong because the scenario explicitly states the policy is applied to VLAN 1, and users cannot access instagram.com, proving the policy is active; if it were not applied, no blocking would occur. Option D is wrong because content filtering must be enabled for any blocking to occur; since instagram.com is blocked, content filtering is clearly enabled on the MX appliance.

146
MCQ · hard

A developer is troubleshooting an API call to Cisco SD-WAN vManage. The request fails with HTTP 400 status and the response body: '{"error": "Bad Request", "details": "Invalid JSON: unexpected token at position 42"}'. Which tool or technique should the developer use to quickly identify the syntax error?

A. Use a JSON validator to check the request body.
B. Increase the timeout value for the HTTP request.
C. Check the API key validity in the header.
D. Review the API documentation for required fields.
Answer: A

A JSON validator can identify syntax errors such as unexpected tokens.

Why this answer

The HTTP 400 status code indicates a client-side error, and the response body explicitly states 'Invalid JSON: unexpected token at position 42'. This means the request body contains malformed JSON. A JSON validator (e.g., jsonlint.com, jq, or a library like `json.loads()` in Python) will parse the JSON and pinpoint the exact syntax error (e.g., a missing comma, extra brace, or unescaped quote) at the specified position, allowing the developer to fix the request body quickly.

Exam trap

Cisco often tests the ability to map specific HTTP status codes and error messages to the correct troubleshooting tool, and the trap here is that candidates may confuse a JSON syntax error (400) with an authentication error (401/403) or a missing-field error (422), leading them to choose options like checking the API key or reviewing documentation instead of using a JSON validator.

How to eliminate wrong answers

Option B is wrong because increasing the timeout value addresses network latency or server delays, not a syntax error in the request body that causes an immediate 400 response. Option C is wrong because checking the API key validity would be relevant for a 401 Unauthorized or 403 Forbidden error, not a 400 Bad Request with a JSON parsing error. Option D is wrong because reviewing API documentation for required fields would help if the error were about missing or invalid fields (e.g., 422 Unprocessable Entity), but the error message explicitly points to a JSON syntax error, not a schema validation issue.

147
MCQ · hard

A large enterprise uses Cisco Meraki for their wireless and switching infrastructure. The network team has developed a Python script that uses the Meraki API to automatically update SSID configurations across all networks. The script has been running successfully for months, performing daily updates to SSID settings such as names, passwords, and VLAN assignments. Recently, the script started failing with the following error message: '{"errors":["This operation is not allowed for this network"]}'. The team has verified the following: the API key is still valid and has access to the full organization, the network IDs used in the script are correct and the networks are active, and no changes have been made to the script code. The script uses the PUT endpoint '/networks/{networkId}/wireless/ssids/{number}' to update SSIDs. What is the most likely cause of the failure?

A. The Meraki API rate limit has been exceeded, and the request is being rejected.
B. The network(s) have been moved to a different organization in the Meraki dashboard.
C. The API key has been downgraded to read-only access due to a security compliance audit.
D. The SSID number used in the request does not exist on the target network.
Answer: B

When a network is moved to another organization, the original API key loses access, causing this error.

Why this answer

Option B is correct. The error 'This operation is not allowed for this network' typically occurs when the API key does not have permission on the network, often because the network has been moved to a different organization. Option A would result in a 429 Too Many Requests error.

Option C would produce a 403 Forbidden error with a different message. Option D would yield a 404 Not Found error.

148
MCQ · easy

When designing a RESTful API for a network automation tool, which status code indicates that a resource has been created successfully?

A. 204 No Content
B. 200 OK
C. 201 Created
D. 202 Accepted
Answer: A

204 No Content is used for DELETE operations, not creation.

Why this answer

201 Created is the correct status code for a successful creation. 200 OK means request succeeded but not specifically creation; 202 Accepted indicates accepted for processing; 204 No Content indicates successful deletion.

149
MCQ · medium

Refer to the exhibit. During a rolling update, a developer notices that the new pods are not passing the readiness probe and the update stalls. What is the most likely reason?

A. The rolling update strategy is configured incorrectly with maxUnavailable and maxSurge.
B. The readiness probe path /health is not implemented in the new image.
C. The image tag is incorrect.
D. The selector does not match the new pods' labels.
Answer: B

If the endpoint is missing, the probe fails and pods remain not ready.

Why this answer

The rolling update stalls because the new pods fail the readiness probe. The readiness probe is configured to check the /health endpoint, and if that endpoint is not implemented in the new image, the probe never returns a success status. Kubernetes will not route traffic to pods that fail the readiness probe, and the rolling update will not proceed to replace old pods until the new ones are ready.

Exam trap

Cisco often tests the distinction between readiness and liveness probes, and the trap here is that candidates may confuse a readiness probe failure with a liveness probe failure or assume the issue is with the rolling update strategy configuration rather than the application endpoint not being implemented.

How to eliminate wrong answers

Option A is wrong because maxUnavailable and maxSurge control the speed and number of pods updated, but they do not cause a stall due to probe failure; they would only affect how many pods are updated at once. Option C is wrong because an incorrect image tag would cause an ImagePullBackOff or ErrImagePull, not a readiness probe failure; the pod would never reach the running state. Option D is wrong because if the selector did not match the new pods' labels, the new pods would not be part of the ReplicaSet or Service, and the update would not even create them under the same selector; the issue is specifically with the readiness check, not label matching.

150
Multi-Select · hard

Which THREE of the following are best practices for writing Ansible playbooks for network automation? (Select exactly 3.)

Select 3 answers
A. Run all tasks without checking for errors
B. Include a validation task after configuration changes
C. Use variables for device-specific parameters
D. Hardcode device IPs in the playbook
E. Use the 'changed_when' condition to ensure idempotency
Answers: B, C, E

A validation task ensures the change took effect.

Why this answer

Option B is correct because after applying configuration changes via modules like `ios_config` or `junos_config`, a validation task (e.g., using `wait_for` or `assert` to verify operational state) ensures the device is reachable and the changes took effect before proceeding. This prevents cascading failures in multi-device playbooks and aligns with network automation best practices for reliability.

Exam trap

Cisco often tests the misconception that ignoring errors (Option A) speeds up automation, but the trap is that network devices require strict error handling to avoid partial configs or unreachable states, making error-checking a mandatory best practice.
