Cisco DevNet Associate 200-901 (200-901) — Questions 151225

505 questions total · 7pages · All types, answers revealed

Page 2

Page 3 of 7

Page 4
151
MCQhard

An application running in a Kubernetes pod needs to access an external database securely. The database credentials are rotated every 24 hours. Which approach ensures that the pod always uses the current credentials without manual intervention?

A.Embed a token in the application code that refreshes automatically.
B.Use a Secrets Store CSI driver to mount secrets from an external vault as a volume.
C.Store credentials in a Kubernetes Secret and mount as volume; restart pod daily.
D.Use a sidecar container that watches a vault and updates the application config.
AnswerB

Dynamically updates secrets without pod restart.

Why this answer

Option D is correct because a Secrets Store CSI driver can dynamically mount secrets from an external vault, and the application can read the updated secret from the volume without restarting the pod. Option A is incorrect because restarting daily is disruptive. Option B is valid but the CSI driver is more integrated and standard.

Option C is not a specific solution.

152
Multi-Selecteasy

Which TWO of the following are best practices for securely managing API tokens in a CI/CD pipeline?

Select 2 answers
A.Store tokens as plain text in the source code repository for easy access.
B.Hardcode tokens into the Docker image during build.
C.Use environment variables injected by the CI/CD system (e.g., Jenkins secrets).
D.Encrypt tokens with a static key stored in the repository.
E.Use a secrets management service like HashiCorp Vault to retrieve tokens at runtime.
AnswersC, E

CI/CD systems can securely inject tokens as environment variables without storing them in code.

Why this answer

Options B and D are correct because using a secrets management service (e.g., HashiCorp Vault) and injecting tokens via CI/CD environment variables are secure methods. Storing tokens in source code (A) or Docker images (C) is insecure, and encrypting with a static key in the repository (E) is also vulnerable.

153
MCQeasy

A network engineer runs an Ansible playbook to backup a Cisco router configuration. The playbook fails with the error: 'ssh: connect to host 192.168.1.1 port 22: Connection timed out'. What is the most likely cause?

A.The router's IP address is unreachable from the control node.
B.The playbook uses the incorrect gather_facts setting.
C.The SSH key is not authorized on the router.
D.The router does not have SSH enabled.
AnswerA

A connection timeout typically means the host is not reachable, often due to network issues or incorrect IP.

Why this answer

The error 'Connection timed out' indicates that the control node sent a TCP SYN to 192.168.1.1 on port 22 but never received a SYN-ACK response. This occurs when the destination IP is unreachable due to routing issues, a firewall dropping packets, or the host being offline. Since Ansible uses SSH to connect to network devices, a timeout at the transport layer points directly to network reachability problems, not authentication or service configuration.

Exam trap

Cisco often tests the distinction between 'Connection timed out' (network unreachable) and 'Connection refused' (service not listening) to trap candidates who confuse SSH service availability with network connectivity.

How to eliminate wrong answers

Option B is wrong because the gather_facts setting controls whether Ansible collects system information before running tasks; it does not affect TCP connectivity or SSH transport. Option C is wrong because an unauthorized SSH key would produce a 'Permission denied' error, not a connection timeout. Option D is wrong because if SSH were not enabled on the router, the control node would receive a 'Connection refused' (RST) response, not a timeout.

154
MCQhard

A microservice application uses JWT for authentication. The JWT is signed with RS256. Which practice ensures that the public key used for verification is securely distributed to all services?

A.Include the public key in the JWT header.
B.Embed the public key in each service's source code.
C.Use a public key infrastructure (PKI) and distribute via HTTPS.
D.Store the public key in a Kubernetes ConfigMap and mount it into pods.
AnswerD

Standard method for distributing configuration in Kubernetes.

Why this answer

Option D is correct because Kubernetes ConfigMaps allow you to decouple configuration artifacts like public keys from container images, enabling secure, centralized distribution. Mounting the ConfigMap into pods ensures that all microservice instances can access the same public key without embedding it in source code or relying on external PKI for every verification. This approach aligns with cloud-native best practices for managing secrets and configuration in a microservice architecture.

Exam trap

Cisco often tests the misconception that PKI is always required for secure key distribution, but in a microservice environment with a static public key, a simpler configuration management approach (like Kubernetes ConfigMaps) is more practical and aligns with DevOps principles.

How to eliminate wrong answers

Option A is wrong because including the public key in the JWT header (e.g., in the 'jwk' header parameter) would allow an attacker to replace the key and forge tokens, defeating the purpose of signature verification. Option B is wrong because embedding the public key in each service's source code creates a maintenance nightmare, requires redeployment to update the key, and violates the principle of separating configuration from code. Option C is wrong because while PKI and HTTPS distribution are secure, they introduce unnecessary complexity for a static public key; in a microservice environment, the key is typically long-lived and can be distributed more simply via a shared configuration mechanism like ConfigMaps, without the overhead of certificate authorities and revocation checks.

155
MCQmedium

A developer has created a Webex Teams bot that listens for messages in a specific room and responds with information from an external database. The bot uses the Webex API's 'messages.create' method to post replies. During testing, the bot sometimes fails to respond, but no errors are logged. The developer checks the Webex Developer Portal and sees that the bot's rate limit is set to 10 requests per second. The bot's average load is 5 requests per second, but occasionally spikes to 15 requests per second for a few seconds. The developer wants to ensure the bot functions reliably without exceeding rate limits. Which approach should the developer implement?

A.Implement a request queue that limits outgoing requests to 10 per second and uses exponential backoff on failure.
B.Request a higher rate limit from the Webex API support team.
C.Catch HTTP 429 (Too Many Requests) errors and immediately retry the request.
D.Reduce the bot's overall request rate to 5 per second to stay well within the limit.
AnswerA

This ensures steady request rate and handles errors gracefully.

Why this answer

Option A is correct because implementing a request queue that limits outgoing requests to 10 per second and uses exponential backoff on failure ensures the bot respects the Webex API rate limit of 10 requests per second. The queue smooths out spikes (e.g., 15 req/s) by buffering excess requests, while exponential backoff handles any HTTP 429 responses gracefully by retrying after increasing delays, preventing further rate limit violations. This approach directly addresses the bot's intermittent failure without relying on external support or sacrificing functionality.

Exam trap

Cisco often tests the misconception that simply catching HTTP 429 errors and retrying immediately is sufficient, when in fact exponential backoff is required to avoid compounding the rate limit violation.

How to eliminate wrong answers

Option B is wrong because requesting a higher rate limit from the Webex API support team is not a standard practice for Webex Teams bots; rate limits are fixed per application and cannot be arbitrarily increased, and the developer should first optimize their bot's behavior rather than seeking a limit change. Option C is wrong because catching HTTP 429 errors and immediately retrying the request would likely trigger another 429 response, as the rate limit is still exceeded; proper handling requires a delay (e.g., via exponential backoff) before retrying. Option D is wrong because reducing the bot's overall request rate to 5 per second is an overreaction that unnecessarily limits the bot's throughput and does not address the occasional spikes to 15 req/s, which could still cause failures if not managed with queuing or backoff.

156
MCQeasy

A developer needs to securely store API keys for use in a CI/CD pipeline. Which best practice should be followed?

A.Share the keys via email to the team.
B.Hardcode the keys in the source code.
C.Use built-in pipeline secrets or environment variables.
D.Store the keys in a JSON file committed to the repository.
AnswerC

Pipeline secrets are encrypted and not exposed in logs, providing secure storage.

Why this answer

Option C is correct because CI/CD platforms (e.g., Jenkins, GitLab CI, GitHub Actions) provide built-in mechanisms to store secrets as encrypted environment variables or pipeline secrets. These values are masked in logs and never exposed in source code, ensuring API keys remain confidential throughout the pipeline execution.

Exam trap

Cisco often tests the misconception that storing secrets in a separate configuration file (like a JSON or .env file) is acceptable as long as it is not committed, but the trap is that any file-based storage in the repository—even if ignored—risks accidental exposure, whereas pipeline secrets are designed specifically for secure injection without file persistence.

How to eliminate wrong answers

Option A is wrong because sharing keys via email exposes them in transit and at rest in mail servers, violating security best practices and potentially leading to unauthorized access. Option B is wrong because hardcoding keys in source code embeds them in version control history, making them accessible to anyone with repository access and violating the principle of not storing secrets in code. Option D is wrong because committing a JSON file with keys to the repository stores secrets in plaintext in version control, which can be easily read by anyone with access to the repository history.

157
MCQeasy

Which HTTP method is considered both safe and idempotent?

A.POST
B.PUT
C.PATCH
D.GET
E.DELETE
AnswerD

Correct: GET is safe and idempotent.

Why this answer

GET is both safe and idempotent according to HTTP semantics (RFC 7231). Safe means it must not cause side effects on the server, and idempotent means multiple identical requests produce the same result as a single request. GET is designed solely for retrieval of a resource, so it satisfies both properties.

Exam trap

Cisco often tests the distinction between 'safe' and 'idempotent' as separate properties, trapping candidates who assume that idempotent methods like PUT or DELETE are also safe, or that PATCH is idempotent because it modifies a resource.

How to eliminate wrong answers

Option A is wrong because POST is neither safe nor idempotent; it creates or modifies resources and repeated submissions can create multiple resources or different side effects. Option B is wrong because PUT is idempotent but not safe; it modifies or replaces a resource at a specific URI, which is a side effect. Option C is wrong because PATCH is neither safe nor idempotent; it applies partial modifications, and repeated requests can have different outcomes depending on the current state of the resource.

Option E is wrong because DELETE is idempotent but not safe; it removes a resource, which is a side effect.

158
Multi-Selecteasy

Which TWO of the following are characteristics of the YANG data modeling language that make it suitable for network automation? (Select two)

Select 2 answers
A.YANG defines data types and constraints
B.YANG is human-readable only
C.YANG is a markup language like XML
D.YANG supports both configuration and operational state data
E.YANG can be used with NETCONF and RESTCONF
AnswersA, E

YANG provides a type system and constraints to ensure data validity.

Why this answer

Option A is correct because YANG is a data modeling language that defines the structure, syntax, and semantics of configuration and state data, including explicit data types (e.g., string, uint32) and constraints (e.g., range, pattern, mandatory). This strict typing and validation ensure that network devices receive well-formed data, reducing errors in automation workflows.

Exam trap

Cisco often tests the distinction between a data modeling language (YANG) and a serialization format (XML/JSON), so candidates mistakenly select 'YANG is a markup language like XML' because they associate YANG with XML-based NETCONF messages.

159
MCQeasy

A developer is building a dashboard that displays the health status of network devices managed by Cisco ACI. The developer uses the ACI REST API to query the APIC (Application Policy Infrastructure Controller). The developer sends a GET request to https://apic-ip/api/class/fabricHealthInst.json returns a JSON object with health scores. The dashboard works for a small set of devices, but when scaled to 500 devices, the API responses become slower and sometimes time out. The developer needs to optimize the data retrieval to keep the dashboard responsive. Which approach should the developer use?

A.Break the request into multiple smaller requests, each fetching a subset of devices.
B.Add a query parameter to sort the results by health score to reduce processing time.
C.Switch from JavaScript to Python for the backend to handle larger responses more efficiently.
D.Use the ACI event subscription mechanism to receive health updates only when changes occur.
AnswerD

Subscriptions push updates, reducing the need for frequent polling.

Why this answer

Option A is correct because using bulk APIs or subscribing to events reduces the number of API calls and overhead. Option B is incorrect because sorting doesn't reduce data volume. Option C is incorrect because moving to Python doesn't inherently improve performance.

Option D is incorrect because splitting into many calls increases overhead.

160
MCQhard

Refer to the exhibit. What is the most effective action to eliminate both vulnerabilities in the container image?

A.Rebuild the image using the same base image but update the OS packages.
B.Add a .dockerignore file to exclude vulnerable libraries.
C.Only run the container with read-only root filesystem.
D.Switch the base image to a distroless base image that does not include openssl and curl.
AnswerD

Removes these libraries entirely, as they are not needed by the application.

Why this answer

Option D is correct because switching to a distroless base image removes unnecessary packages like openssl and curl entirely, eliminating the vulnerabilities they introduce. Distroless images contain only the application and its runtime dependencies, reducing the attack surface by excluding OS package managers and shell utilities that are common sources of CVEs. This approach directly addresses both vulnerabilities by ensuring the vulnerable components are not present in the image at all.

Exam trap

Cisco often tests the misconception that updating packages (Option A) is sufficient, when the real goal is to eliminate the vulnerable components entirely, not just patch them.

How to eliminate wrong answers

Option A is wrong because rebuilding with the same base image and updating OS packages only patches known vulnerabilities but does not remove the packages themselves; future vulnerabilities in those packages would still require updates, and the attack surface remains. Option B is wrong because a .dockerignore file controls which files are sent to the Docker build context, not which packages are installed in the image; it cannot exclude pre-installed libraries like openssl or curl from the base image. Option C is wrong because running the container with a read-only root filesystem prevents writes at runtime but does not remove the vulnerable binaries from the image; an attacker could still exploit the vulnerable openssl or curl processes if they are executed.

161
MCQeasy

In the Ansible playbook snippet, what connection method is typically used for the ios_config module to communicate with the devices?

A.local
B.network_cli
C.netconf
D.httpapi
AnswerB

The ios_config module requires the network_cli connection to send CLI commands over SSH.

Why this answer

The ios_config module is designed for Cisco IOS devices and requires a persistent network connection to send configuration commands. The network_cli connection method establishes an SSH session that remains open for the duration of the playbook task, allowing the module to send multiple CLI commands and handle prompts. This is the recommended connection method for ios_config because it supports privilege escalation and command responses needed for configuration changes.

Exam trap

Cisco often tests the distinction between connection methods by making candidates think 'local' is correct because it runs on the control node, but the trap is that ios_config requires a persistent SSH session to the device, which only network_cli provides.

How to eliminate wrong answers

Option A is wrong because 'local' connection runs the module on the control node without opening a persistent SSH session to the device, which prevents ios_config from properly handling interactive prompts and privilege escalation. Option C is wrong because 'netconf' uses XML-based NETCONF protocol over SSH, which is not supported by the ios_config module (it is used with the ios_netconf module instead). Option D is wrong because 'httpapi' uses RESTCONF or other HTTP-based APIs, which are not applicable to the CLI-based ios_config module.

162
MCQhard

A network engineer is configuring EtherChannel between two switches. The switches are connected via four links. The engineer wants to load balance traffic based on source and destination IP addresses. Which configuration command should be used on Cisco IOS?

A.port-channel load-balance src-ip
B.port-channel load-balance dst-ip
C.port-channel load-balance src-dst-mac
D.port-channel load-balance src-dst-ip
AnswerD

Uses both source and destination IP.

Why this answer

The command 'port-channel load-balance src-dst-ip' sets the load-balancing method to use both source and destination IP addresses. Option A is wrong because it sets only source IP. Option C is wrong because it sets only destination IP.

Option D is wrong because it sets src-dst-mac, not IP.

163
MCQmedium

A company uses a blue/green deployment strategy for their web application. The current live version is blue, and a new version green is ready. The load balancer currently routes all traffic to blue. What is the correct next step to switch traffic to green with minimal downtime?

A.Scale down blue pods and scale up green
B.Perform a rolling update from blue to green
C.Delete the blue deployment and create green
D.Update the load balancer to route all traffic to green
AnswerD

This switches traffic instantly with minimal downtime.

Why this answer

In a blue/green deployment, the entire new version (green) is deployed alongside the current live version (blue). The correct next step to switch traffic with minimal downtime is to update the load balancer to route all traffic to green. This instant switch avoids the incremental risk of rolling updates and ensures a clean cutover that can be quickly reverted if issues arise.

Exam trap

Cisco often tests the distinction between deployment strategies, and the trap here is confusing a rolling update (which gradually replaces pods) with a blue/green deployment (which switches traffic at the load balancer level), leading candidates to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because scaling down blue and scaling up green is a manual, non-atomic process that does not leverage the load balancer's routing capability, potentially causing partial traffic loss or mixed-version serving. Option B is wrong because a rolling update gradually replaces blue pods with green pods, which contradicts the blue/green strategy's goal of maintaining two fully separate environments for instant rollback. Option C is wrong because deleting the blue deployment before creating green would cause downtime, as there is no live environment to serve traffic during the deletion and creation process.

164
Multi-Selectmedium

Which THREE are valid ways to expose ConfigMap data to a pod in Kubernetes?

Select 3 answers
A.As a Kubernetes Secret
B.As environment variables
C.As a container image label
D.As a volume mounted file
E.As a command-line argument
AnswersB, D, E

You can use envFrom or valueFrom to expose as env vars.

Why this answer

Option B is correct because Kubernetes allows ConfigMap data to be exposed as environment variables inside a pod using the `env` or `envFrom` field in the pod spec. This is a common method for injecting configuration into containers without modifying the container image.

Exam trap

Cisco often tests the distinction between ConfigMaps and Secrets, and the trap here is that candidates may confuse the purpose of Secrets (sensitive data) with ConfigMaps (non-sensitive data), or incorrectly assume that container image labels can be dynamically injected from runtime objects.

165
MCQeasy

A developer wants to ensure that a Docker container running a web application can only accept incoming traffic on port 443. Which Docker run option should be used?

A.docker run --port 443 myapp
B.docker run --net host myapp
C.docker run -p 443:443 myapp
D.docker run --expose 443 myapp
AnswerC

-p 443:443 publishes container port 443 to host port 443, allowing external access only on that port.

Why this answer

Option C is correct because the `-p 443:443` flag publishes container port 443 to the host port 443, mapping incoming traffic on the host's port 443 to the container's port 443. This ensures the web application inside the container only accepts incoming traffic on port 443, as the host firewall and Docker's port mapping restrict access to that specific port.

Exam trap

Cisco often tests the distinction between `--expose` (documentation only) and `-p` (actual port publishing), and the trap here is that candidates confuse `--expose` with making a port externally accessible, when in fact it only informs Docker that the container uses that port internally.

How to eliminate wrong answers

Option A is wrong because `--port` is not a valid Docker run flag; the correct flag is `-p` or `--publish`. Option B is wrong because `--net host` makes the container share the host's network stack, exposing all host ports to the container and bypassing Docker's port isolation, which would allow traffic on any port, not just 443. Option D is wrong because `--expose 443` only documents that the container listens on port 443 but does not actually publish the port to the host, so no external traffic can reach the container on that port.

166
Multi-Selectmedium

Which THREE of the following are valid JSON data types? (Choose three.)

Select 3 answers
A.String
B.Number
C.Function
D.Array
E.Date
AnswersA, B, D

Strings are enclosed in double quotes.

Why this answer

JSON (JavaScript Object Notation) is a lightweight data-interchange format that supports only a fixed set of data types as defined by RFC 7159. String is a valid JSON type because it must be enclosed in double quotes and can contain Unicode characters. Number is valid as it includes integers and floating-point values without quotes, following the numeric grammar in the JSON specification.

Exam trap

Cisco often tests the misconception that JSON supports JavaScript-specific types like Function or Date, but JSON is a language-independent format with only six defined types per RFC 7159.

167
MCQmedium

A DevOps team is using Cisco AppDynamics to monitor a microservices application. They notice that a specific service's response time spikes under load. Which AppDynamics feature should be used to drill down into the transaction trace?

A.Health Rules
B.Transaction Snapshots
C.Business Transactions
D.Service Endpoints
AnswerC

Business Transactions are high-level groupings, not individual traces.

Why this answer

Business Transactions in AppDynamics represent the logical business operations (e.g., checkout, login) that span across multiple tiers. When a response time spike occurs, selecting the specific Business Transaction allows you to drill into its Transaction Snapshots, which capture the full distributed trace including call chains, method timings, and database queries. This is the correct entry point for root-cause analysis of performance degradation.

Exam trap

Cisco often tests the distinction between the logical grouping (Business Transactions) and the raw trace data (Transaction Snapshots), trapping candidates who confuse the container with the content.

How to eliminate wrong answers

Option A is wrong because Health Rules are used to define thresholds and trigger alerts or actions (e.g., email, remediation) when metrics deviate, not to drill into transaction traces. Option B is wrong because Transaction Snapshots are the detailed trace data itself, not the feature used to initiate the drill-down; you must first select a Business Transaction to access its snapshots. Option D is wrong because Service Endpoints represent the specific HTTP or API endpoints (e.g., /api/orders) and are a subset of a Business Transaction; they provide endpoint-level metrics but not the full transaction trace across services.

168
MCQmedium

A DevOps team is deploying a microservices application on Cisco UCS using Docker containers. They need to ensure that secrets such as database credentials are securely managed without hardcoding them in the application code or container images. Which approach should they use?

A.Embed secrets directly in the container image using COPY instructions.
B.Pass secrets as build arguments in the Docker build command.
C.Use a secure secret store like HashiCorp Vault and retrieve secrets at runtime via API.
D.Store secrets as environment variables in the Docker Compose file.
AnswerC

A secret store provides dynamic, audited, and encrypted access to secrets without embedding them in code or images.

Why this answer

Option C is correct because it follows the principle of secret management by decoupling sensitive data from application code and container images. HashiCorp Vault provides a centralized, encrypted secret store with dynamic secrets, access policies, and audit logging, allowing the microservices to authenticate and retrieve credentials at runtime via its REST API, eliminating the need to hardcode secrets.

Exam trap

Cisco often tests the misconception that environment variables in Docker Compose or build arguments are secure enough for secrets, but the trap here is that these methods leave secrets exposed in plaintext within the image layers, logs, or runtime environment, whereas a dedicated secret store like Vault provides encryption, rotation, and access control.

How to eliminate wrong answers

Option A is wrong because embedding secrets directly in a container image using COPY instructions bakes them into the image layers, making them accessible to anyone with image pull access and violating security best practices. Option B is wrong because build arguments in the Docker build command are visible in the image history via `docker history` and can be exposed through build logs or cached layers, so they are not secure for secrets. Option D is wrong because storing secrets as environment variables in a Docker Compose file leaves them in plaintext within the file and the container's environment, which can be leaked through logs, debugging, or process inspection, and does not provide encryption or access control.

169
MCQmedium

A company uses a /24 subnet for its office LAN. The network must accommodate 30 hosts per VLAN. Which subnet mask would be most efficient for each VLAN while minimizing wasted IP addresses?

A.255.255.255.224
B.255.255.255.240
C.255.255.255.0
D.255.255.255.128
E.255.255.255.192
AnswerA

This is /27, provides 30 usable hosts, exactly meeting the requirement.

Why this answer

A /27 subnet mask (255.255.255.224) provides 32 total addresses per subnet, with 30 usable host addresses (2^5 - 2 = 30). This exactly meets the requirement of 30 hosts per VLAN without wasting IP addresses, as any larger subnet would leave unused addresses.

Exam trap

Cisco often tests the misconception that the subnet mask must match the exact number of hosts without accounting for the network and broadcast addresses, leading candidates to choose a mask that provides exactly 30 total addresses (like /27) but forget that 2 addresses are reserved.

How to eliminate wrong answers

Option B (255.255.255.240) is wrong because it provides only 14 usable hosts per subnet (2^4 - 2 = 14), which is insufficient for 30 hosts. Option C (255.255.255.0) is wrong because it provides 254 usable hosts, which is far more than needed and wastes IP addresses. Option D (255.255.255.128) is wrong because it provides 126 usable hosts, also wasteful for 30 hosts.

Option E (255.255.255.192) is wrong because it provides 62 usable hosts, which is more than required and inefficient.

170
MCQeasy

A network engineer is configuring a new switch and needs to ensure that frames from VLAN 10 and VLAN 20 are isolated on the same trunk link to another switch. Which IEEE standard should be configured on the trunk interfaces?

A.802.3
B.802.11
C.802.1Q
D.802.1X
AnswerC

802.1Q is the IEEE standard for VLAN tagging on trunk links.

Why this answer

C is correct because 802.1Q is the IEEE standard that defines VLAN tagging, allowing multiple VLANs (such as VLAN 10 and VLAN 20) to be carried over a single trunk link while maintaining isolation between them. By inserting a 4-byte VLAN tag into the Ethernet frame, 802.1Q enables the receiving switch to identify which VLAN a frame belongs to, ensuring traffic from different VLANs remains separate.

Exam trap

Cisco often tests the distinction between 802.1Q (VLAN tagging) and 802.1X (authentication), so the trap here is confusing a trunking protocol with a security protocol, leading candidates to pick 802.1X when the question is about VLAN isolation on a trunk.

How to eliminate wrong answers

Option A is wrong because 802.3 is the IEEE standard for Ethernet (CSMA/CD) and defines physical layer and MAC sublayer specifications, not VLAN tagging or trunking. Option B is wrong because 802.11 is the IEEE standard for wireless LAN (Wi-Fi) and is unrelated to wired switch trunk links or VLAN isolation. Option D is wrong because 802.1X is the IEEE standard for port-based network access control (authentication), not for VLAN tagging or trunking.

171
MCQhard

Refer to the exhibit. Based on the YANG model snippet, what is the data type of the 'mask' leaf?

A.inet:ipv4-address
B.inet:ipv4-prefix-length
C.uint8
D.string
AnswerB

The exhibit shows the type as inet:ipv4-prefix-length.

Why this answer

The 'mask' leaf is defined with the type 'inet:ipv4-prefix-length', which represents a decimal integer from 0 to 32 indicating the number of leading 1 bits in the subnet mask (e.g., 24 for /24). This is the correct data type for a prefix length in YANG models, not an IPv4 address or a generic string.

Exam trap

Cisco often tests the distinction between 'inet:ipv4-address' (a full address) and 'inet:ipv4-prefix-length' (the /N notation), tricking candidates who confuse the subnet mask value with its prefix length representation.

How to eliminate wrong answers

Option A is wrong because 'inet:ipv4-address' is a dotted-decimal IPv4 address (e.g., 192.168.1.1), not a prefix length. Option C is wrong because 'uint8' is a generic 8-bit unsigned integer (0-255) but lacks the semantic constraint of 0-32 that 'inet:ipv4-prefix-length' enforces. Option D is wrong because 'string' would allow arbitrary text, which is not appropriate for a numeric prefix length that must be validated as an integer between 0 and 32.

172
Multi-Selecteasy

A network administrator is deploying a new application that requires high availability and load balancing across multiple servers. The servers are connected to a pair of switches that use StackWise virtual technology. The application team requests that the servers be configured with NIC teaming in active-active mode. Which two requirements must be met for this configuration to work correctly? (Choose two.)

Select 2 answers
A.The two switches must be part of a single stack or virtual switch fabric.
B.Spanning-tree PortFast must be enabled on the switch ports connected to the servers.
C.Both NIC team members must be configured in the same VLAN.
D.The NIC team must use LACP for load balancing.
E.Both NIC team members should connect to the same switch module for consistency.
AnswersA, C

This allows the NIC team to see the two switches as one logical switch and use both links simultaneously.

Why this answer

Option A is correct because StackWise virtual technology logically combines two physical switches into a single control plane, allowing NIC teaming in active-active mode to treat the pair as one logical switch. This ensures that both NIC team members can forward traffic simultaneously without loops, as the stack provides a unified Layer 2 topology and prevents MAC flapping between the two switches.

Exam trap

Cisco often tests the misconception that NIC teaming requires LACP or that PortFast is necessary for active-active operation, but the real key is that the switches must be part of a single logical fabric to avoid loops and MAC flapping.

173
MCQhard

A network administrator is deploying a custom container application on a Cisco Catalyst 9300 switch running IOS XE 16.12. The application is packaged as a .tar file and installed using 'app-hosting install app myapp flash:myapp.tar'. The administrator configures the app-hosting context as follows: app-hosting app myapp app-default-gateway 192.168.1.1 app-vnic gateway0 guest-interface 0 guest-ipaddress 192.168.1.10 netmask 255.255.255.0 app-resource profile custom cpu 1000 memory 2048 storage 5000 The administrator also creates a virtual port group 'vg0' and assigns it to the management interface. The application fails to start with the error: 'Application failed to start: guest interface not ready'. The administrator verifies that the .tar file is valid, the resources are sufficient, and the gateway is reachable. What is the most likely cause of the failure?

A.The application requires a DHCP server, but the configuration uses a static IP address.
B.The guest-interface is not bound to the virtual port group.
C.The .tar file is corrupt despite appearing valid.
D.The CPU allocation of 1000 units is insufficient for the application.
AnswerB

The virtual port group must be explicitly bound to the app-vnic interface; otherwise, the interface remains 'not ready'.

Why this answer

The error 'guest interface not ready' indicates that the guest-interface (interface 0) is not properly bound to the virtual port group. After creating the virtual port group, the administrator must associate it with the app-vnic using the 'bind' command. Without this binding, the guest interface cannot obtain or use the IP configuration.

174
Multi-Selecteasy

Which THREE are valid methods for managing Kubernetes application configuration?

Select 3 answers
A.Helm values.
B.Secrets.
C.Operator custom resources.
D.Environment variables in the Dockerfile.
E.ConfigMaps.
AnswersA, B, E

Used in Helm charts for template configuration.

Why this answer

Helm values (A) are correct because Helm is a package manager for Kubernetes that uses values.yaml files to inject configuration into templates at deployment time, enabling dynamic, environment-specific application configuration without modifying the underlying chart. This is a standard method for managing Kubernetes application configuration in production workflows.

Exam trap

Cisco often tests the distinction between build-time configuration (Dockerfile ENV) and runtime configuration (ConfigMaps, Secrets, Helm values), trapping candidates who think environment variables in the Dockerfile are a valid runtime management method for Kubernetes.

175
MCQmedium

A company uses a centralized automation server that runs Ansible playbooks. What is the best security practice for storing SSH credentials?

A.Store credentials in a public repository
B.Use Ansible Vault
C.Hardcode credentials in playbooks
D.Use plain text inventory files
AnswerB

Ansible Vault encrypts secrets.

Why this answer

Ansible Vault is the recommended security practice for encrypting sensitive data like SSH credentials. It allows you to store encrypted variables and files within your playbooks or inventory, protecting secrets at rest while enabling decryption at runtime via a password or key file. This avoids exposing credentials in plain text, which is critical for centralized automation servers that may be accessed by multiple users or integrated into CI/CD pipelines.

Exam trap

Cisco often tests the misconception that 'inventory files are safe if stored locally' or that 'hardcoding is acceptable for small teams,' but the exam expects candidates to recognize that any plain text storage of credentials violates security best practices, and Ansible Vault is the standard built-in solution for encryption.

How to eliminate wrong answers

Option A is wrong because storing credentials in a public repository exposes them to unauthorized access, violating the principle of least privilege and potentially leading to security breaches. Option C is wrong because hardcoding credentials in playbooks embeds secrets in plain text within version control, making them visible to anyone with repository access and preventing easy rotation. Option D is wrong because using plain text inventory files stores SSH credentials unencrypted, which is insecure and defeats the purpose of a centralized automation server that should enforce encryption at rest.

176
Multi-Selecteasy

A software developer is using the Cisco Webex REST API and wants to filter messages by date range. Which two query parameters should be included? (Choose two.)

Select 2 answers
A.since
B.before
C.after
D.end
E.start
AnswersB, C

Used to specify the end date.

Why this answer

The Cisco Webex REST API uses the 'before' and 'after' query parameters to filter messages by date range. 'before' returns messages sent before a specified date/time, and 'after' returns messages sent after a specified date/time, allowing precise range-based filtering.

Exam trap

Cisco often tests the specific parameter names used in the Webex API (before/after) versus generic terms like start/end or since/until, catching candidates who assume common naming conventions from other platforms.

177
MCQhard

A developer is troubleshooting a CI/CD pipeline that automatically deploys configuration changes to network devices. The pipeline includes a stage that runs Python unit tests. Which of the following would be a valid test to include in that stage to validate the configuration before deployment?

A.Test that the configuration can be applied to the device by sending it via NETCONF
B.Test that the configuration file is valid JSON
C.Test that the configuration changes do not break connectivity by pinging the device after deployment
D.Test that the configuration adheres to company naming conventions using a regular expression
AnswerB

A unit test can verify syntax without needing network access.

Why this answer

Validating that the configuration is valid JSON is a simple unit test that can catch syntax errors early. The other options either require network access (which unit tests should avoid) or are not unit-level.

178
MCQeasy

An engineer needs to identify which hosts are reachable in a 10.0.0.0/24 network using an automated script that does not require any credentials on the target devices. Which protocol is best suited for this task?

A.ICMP
B.CDP
C.SNMP
D.ARP
AnswerA

ICMP echo requests are unauthenticated and can be used to check reachability.

Why this answer

ICMP (Internet Control Message Protocol) is the correct choice because it provides the Echo Request and Echo Reply messages (commonly used by the 'ping' command) that can determine host reachability without requiring any authentication or credentials on the target devices. This makes ICMP ideal for an automated script that needs to probe a 10.0.0.0/24 network for live hosts, as it operates at the network layer and only requires IP connectivity.

Exam trap

Cisco often tests the distinction between protocols that require credentials (SNMP) and those that do not (ICMP), and the trap here is that candidates may choose ARP thinking it can discover hosts without credentials, but ARP only works on the local subnet and does not confirm IP-level reachability across a routed network.

How to eliminate wrong answers

Option B (CDP) is wrong because Cisco Discovery Protocol is a proprietary Layer 2 protocol used to discover directly connected Cisco devices and their capabilities; it requires the target devices to be Cisco devices with CDP enabled and does not test reachability via IP, nor does it work across routers or subnets. Option C (SNMP) is wrong because Simple Network Management Protocol requires credentials (community strings or SNMPv3 authentication) to query managed devices, and the question explicitly states no credentials are allowed. Option D (ARP) is wrong because Address Resolution Protocol resolves IP addresses to MAC addresses on a local broadcast domain; it can only detect hosts on the same subnet and requires an ARP request to be sent, but it does not confirm end-to-end reachability beyond Layer 2 and is not suitable for a /24 network that may span multiple Layer 2 segments.

179
MCQeasy

An organization uses Cisco Intersight to manage UCS servers. They want to automate the firmware upgrade process. Which Intersight API should be used to trigger a firmware upgrade on a server?

A.POST /api/v1/ntp/Policies
B.POST /api/v1/equipment/Fex
C.POST /api/v1/fabric/EthNetworkPolicies
D.POST /api/v1/compute/Physical
AnswerD

Physical server resource supports firmware actions.

Why this answer

Option D is correct because the `/api/v1/compute/Physical` endpoint in Cisco Intersight is used to manage physical compute resources, including triggering firmware upgrades on UCS servers. By sending a POST request to this endpoint with the appropriate action payload (e.g., `"Action": "UpgradeFirmware"`), you can initiate a firmware upgrade on a specific server. This aligns with Intersight's RESTful API design for lifecycle management of UCS infrastructure.

Exam trap

The trap here is that candidates may confuse general management endpoints (like NTP policies or network policies) with the specific compute resource endpoint, assuming any POST to a policy-related API can trigger an action, when in fact only the compute resource endpoint supports firmware upgrade actions.

How to eliminate wrong answers

Option A is wrong because `POST /api/v1/ntp/Policies` is used to create or manage NTP (Network Time Protocol) policies, which control time synchronization settings, not firmware upgrades. Option B is wrong because `POST /api/v1/equipment/Fex` targets Fabric Extender (FEX) equipment, which handles port expansion and does not support firmware upgrade actions for servers. Option C is wrong because `POST /api/v1/fabric/EthNetworkPolicies` is for managing Ethernet network policies (e.g., VLAN, QoS) for fabric interconnects, not for triggering server firmware updates.

180
Multi-Selectmedium

A network automation solution uses YANG data models to describe network configurations. Which THREE statements about YANG are true? (Select THREE)

Select 3 answers
A.YANG can be used in conjunction with NETCONF and RESTCONF.
B.YANG models are always written in XML syntax.
C.YANG is used to define both configuration and state data.
D.YANG is a data modeling language used to define the structure of data.
E.YANG is a replacement for SNMP.
AnswersA, C, D

Both protocols use YANG models.

Why this answer

YANG is a data modeling language that defines the structure and constraints of configuration and state data, and it is designed to be used with NETCONF (RFC 6241) and RESTCONF (RFC 8040) as the transport protocols. This makes option A correct because YANG models are encoded in XML or JSON and exchanged via these protocols.

Exam trap

Cisco often tests the misconception that YANG is tied to a specific encoding (like XML) or that it replaces SNMP entirely, when in fact YANG is encoding-agnostic and complements SNMP by providing structured, transactional configuration management.

181
MCQeasy

A network engineer needs to allow HTTPS traffic from the internet to an internal web server. Which type of firewall rule should be applied on the perimeter firewall?

A.Routing protocol configuration
B.Outbound ACL on the inside interface
C.Inbound ACL on the outside interface
D.Static NAT configuration
AnswerC

An inbound ACL on the outside interface permits incoming HTTPS traffic to the web server.

Why this answer

An inbound ACL on the outside interface allows traffic from internet to internal. Option A is wrong because outbound ACL controls traffic leaving the network. Option C is wrong because NAT handles translation, not filtering.

Option D is wrong because routing is not access control.

182
MCQhard

A company has a three-tier data center architecture with access, aggregation, and core layers. The network team is migrating to a leaf-spine architecture to support increasing east-west traffic. The current network uses STP for loop prevention, and the team wants to eliminate STP in the new design. They plan to use VXLAN overlays with BGP EVPN for control plane. During a pilot deployment, the team notices that some legacy servers that rely on traditional VLANs are not reachable across the new fabric. The servers are connected to access switches that are part of the leaf layer. The access switches are configured as VXLAN tunnel endpoints (VTEPs) but the legacy servers are still using traditional VLANs. The team needs to ensure connectivity between the legacy VLAN-based servers and the new VXLAN-based network. What is the best approach to integrate these legacy servers without changing their configuration?

A.Create a separate VRF for legacy VLANs and redistribute into BGP EVPN
B.Implement a Layer 2 gateway (L2GW) on the leaf switches to bridge VLANs to VXLAN using IRB
C.Configure the same VLAN on all leaf switches and use VXLAN to stretch the VLAN across the fabric
D.Reconfigure the legacy servers to use VXLAN encapsulation
AnswerB

IRB provides seamless bridging between VLAN and VXLAN.

Why this answer

Option B is correct because an Integrated Routing and Bridging (IRB) interface on the leaf switch acts as a Layer 2 gateway (L2GW), bridging the legacy VLAN to a VXLAN segment. This allows the legacy server, which still uses traditional VLAN tagging, to communicate with the VXLAN-based fabric without any configuration changes on the server. The IRB interface performs the VLAN-to-VXLAN mapping and handles ARP suppression, enabling seamless integration.

Exam trap

The trap here is that candidates often confuse Layer 2 stretching (Option C) with a Layer 2 gateway, not realizing that stretching VLANs across the fabric would reintroduce STP dependencies and does not provide the necessary gateway function for legacy VLAN-based devices.

How to eliminate wrong answers

Option A is wrong because creating a separate VRF for legacy VLANs and redistributing into BGP EVPN does not solve the Layer 2 connectivity issue; VRFs are for Layer 3 isolation, not for bridging VLANs to VXLAN. Option C is wrong because configuring the same VLAN on all leaf switches and using VXLAN to stretch the VLAN across the fabric would require the legacy servers to be in the same broadcast domain, which defeats the purpose of eliminating STP and does not address the need for a gateway between VLAN and VXLAN. Option D is wrong because reconfiguring the legacy servers to use VXLAN encapsulation would require changing their configuration, which the team explicitly wants to avoid.

183
MCQhard

A DevOps engineer is automating network device configuration using Ansible. The playbook must retrieve the MAC address table from a Cisco switch. Which protocol should the engineer use to fetch this data?

A.SSH with CLI scraping
B.HTTPS with Web UI
C.REST API
D.NETCONF
E.SNMP
AnswerE

SNMP is a standard protocol for retrieving MIB data like MAC tables.

Why this answer

The MAC address table is accessible via SNMP (MIB). REST API is not native on older switches; NETCONF can be used but is more complex for this task. CLI scraping is not recommended.

Ansible can use SNMP to gather information.

184
Multi-Selecteasy

An engineer is automating the configuration of SNMP on Cisco routers using Ansible. Which two modules are commonly used for this purpose? (Select TWO)

Select 2 answers
A.cisco.ios.ios_interface
B.cisco.ios.ios_config
C.cisco.ios.ios_snmp_server
D.cisco.ios.ios_command
E.cisco.ios.ios_banner
AnswersB, C

This module can push arbitrary CLI commands including SNMP-related ones.

Why this answer

The cisco.ios.ios_config module is correct because it allows you to push raw CLI configuration lines to Cisco IOS devices, including SNMP-related commands like 'snmp-server community' or 'snmp-server host'. The cisco.ios.ios_snmp_server module is correct because it is a dedicated Ansible module that provides structured, idempotent management of SNMP server settings (e.g., communities, hosts, traps) without requiring raw CLI lines.

Exam trap

Cisco often tests the distinction between general-purpose modules like ios_config and purpose-built modules like ios_snmp_server, expecting candidates to recognize that both can configure SNMP but the dedicated module is more appropriate for structured automation.

185
Multi-Selectmedium

Which THREE are characteristics of OSPF? (Choose three.)

Select 3 answers
A.It is a distance-vector routing protocol
B.It uses cost as the metric
C.It uses hop count as the metric
D.It is a link-state routing protocol
E.It supports Variable-Length Subnet Mask (VLSM)
AnswersB, D, E

Cost is derived from bandwidth.

Why this answer

OSPF uses cost as its metric, which is derived from the bandwidth of the interface (calculated as 10^8 / bandwidth in bps by default). This allows OSPF to select the most efficient path based on link speed rather than a simple hop count, making it suitable for larger, more complex networks.

Exam trap

Cisco often tests the distinction between OSPF (link-state, cost metric) and RIP (distance-vector, hop count metric), so the trap here is confusing OSPF's cost with RIP's hop count or assuming OSPF is distance-vector due to its routing behavior.

186
MCQhard

Refer to the exhibit. A Python script uses the YANG model to configure the interface. After applying this JSON payload via a PATCH request, what is the expected operational state of the interface?

A.Error because PATCH is not allowed on interfaces
B.No change, remains as previously configured
C.Administratively down
D.Administratively up and protocol up
AnswerC

enabled: false sets admin down.

Why this answer

The PATCH request applies the provided JSON payload, which sets the interface's 'enabled' leaf to 'false' (or equivalent YANG leaf for administrative state). In YANG models for interfaces (e.g., RFC 8343 or Cisco native models), setting 'enabled' to false places the interface in an administratively down state. The PATCH operation is valid for modifying interface configuration, and the payload explicitly changes the administrative state to down, overriding any previous configuration.

Exam trap

Cisco often tests the distinction between administrative state (controlled by the 'enabled' leaf) and operational state (which includes protocol status), and the trap here is that candidates may assume PATCH cannot modify administrative state or that the interface remains up if only a partial payload is sent.

How to eliminate wrong answers

Option A is wrong because PATCH is a standard HTTP method allowed on interfaces in RESTCONF/NETCONF for partial updates; there is no restriction against using PATCH on interface resources. Option B is wrong because the JSON payload explicitly sets the 'enabled' leaf to false, which changes the administrative state; the interface does not remain as previously configured. Option D is wrong because the payload sets 'enabled' to false, which results in an administratively down state, not up; protocol state is irrelevant when the interface is administratively down.

187
MCQhard

Refer to the exhibit. A developer receives this response when making a POST request to the Cisco DNA Center API to create a new device. What is the most likely issue?

A.The request body is missing the required field 'ipAddress'.
B.The API endpoint is incorrect.
C.The device IP address is already in use.
D.The API token has expired.
AnswerA

The error message clearly indicates the missing parameter 'ipAddress'.

Why this answer

The error response includes a field 'missingParameters' with the value 'ipAddress', which explicitly indicates that the request body did not include the required 'ipAddress' field. Cisco DNA Center's API for device creation requires this field to identify the device on the network. Without it, the API cannot proceed with adding the device, resulting in a 400 Bad Request.

Exam trap

Cisco often tests the ability to read API error responses carefully, where candidates might overlook the 'missingParameters' field and incorrectly assume a token or endpoint issue instead of a missing required field.

How to eliminate wrong answers

Option B is wrong because the API endpoint is likely correct; a wrong endpoint would typically return a 404 Not Found or a different error message, not a 'missingParameters' error. Option C is wrong because if the IP address were already in use, the API would return a conflict error (e.g., 409 Conflict) with a message like 'Device already exists', not a missing field error. Option D is wrong because an expired token would result in a 401 Unauthorized or 403 Forbidden response, not a 400 Bad Request with parameter validation details.

188
MCQeasy

Refer to the exhibit. A developer is parsing the output of 'show ip route' using Python. Which regular expression would extract the prefix '10.0.1.0/24'?

A.r'^S\s+(\d+\/\d+)'
B.r'^S.*(\d+\.\d+\.\d+\.\d+)'
C.r'S\s+(\S+)'
D.r'^S\s+(\d+\.\d+\.\d+\.\d+/\d+)'
AnswerD

Correctly anchors at line start and captures prefix.

Why this answer

The pattern r'^S\s+(\d+\.\d+\.\d+\.\d+/\d+)' matches a line starting with 'S' followed by whitespace and then the prefix. Option B lacks the start anchor; Option C is too specific; Option D uses greedy matching and may capture extra.

189
Matchingmedium

Match each YAML structure to its description.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Scalar mapping

List item

Comment line

Nested mapping

Block scalar (literal)

Why these pairings

YAML syntax basics.

190
MCQeasy

Refer to the exhibit. A PC is connected to interface GigabitEthernet0/1 on a Cisco switch. The PC is in VLAN 10. What is the purpose of the 'spanning-tree portfast' command on this interface?

A.It disables STP on the interface.
B.It prevents the interface from entering blocking state.
C.It allows the interface to transition directly to forwarding state.
D.It enables BPDU guard on the interface.
E.It enables Rapid Spanning Tree on the interface.
AnswerC

PortFast eliminates the learning/listening delays.

Why this answer

PortFast brings the interface to forwarding state immediately, bypassing STP listening and learning states. This speeds up access port convergence.

191
MCQmedium

You are deploying a new data center network using Cisco Nexus switches. The design uses Virtual Port Channel (vPC) to provide redundancy and increased bandwidth to servers with dual-homed NICs. The two vPC peer switches are NX1 and NX2, and they are connected via a peer-link. The servers are configured with active/standby NIC teaming. After the deployment, you notice that some ARP requests from servers are not being responded to, leading to connectivity issues. Analysis shows that when a server sends an ARP request for its default gateway (which is a virtual IP on the vPC), only one of the peer switches responds, but the response does not reach the server intermittently. The vPC is correctly configured, and the peer-gateway feature is enabled. What is the most likely cause?

A.The virtual gateway IP is misconfigured with HSRP, causing split-brain.
B.STP is blocking the vPC peer-link, preventing ARP responses.
C.The server's MAC address is not pinned to the correct vPC member port.
D.The server's NIC teaming is sending ARP requests to the standby switch, which forwards them over the peer-link, and the peer-gateway feature does not respond to ARP requests received over the peer-link.
AnswerD

Peer-gateway only responds to ARP on vPC member ports, not on peer-link.

Why this answer

If peer-gateway is enabled, each vPC peer can respond to ARP for the virtual gateway IP. However, if the ARP request is sent via the peer-link (because the server's NIC is active on one switch but the request may be flooded), the response might be blocked by the peer-link's native VLAN mismatch or STP issues. Option A is correct: The peer-gateway feature works only for packets received on a vPC member port, not on the peer-link.

So if the server's NIC teaming sends traffic to the standby switch first, that switch may receive the ARP request on a vPC member port and respond, but if the request goes over the peer-link, the peer switch may not respond or the response may be dropped. Option B is wrong because vPC does not use STP on member ports. Option C is wrong because HSRP is not used with vPC peer-gateway.

Option D is wrong because the issue is not about MAC pinning.

192
MCQhard

A team uses Git for source control. They want to ensure that all code committed to the main branch passes unit tests and linting. Which Git workflow practice best ensures this?

A.Using pre-commit hooks and CI pipeline to block failing commits
B.Trunk-based development with feature toggles
C.Feature branching with manual merge
D.GitFlow with hotfix branches
AnswerA

Pre-commit hooks run tests locally before commit, and CI blocks merges that fail tests.

Why this answer

Using pre-commit hooks and a CI pipeline that blocks commits if tests fail is the most reliable way. Option A (feature branching with manual merge) does not enforce tests. Option B (GitFlow with hotfix branches) is about branching models, not enforcement.

Option C (trunk-based development with feature toggles) allows incomplete code but does not guarantee passing tests on merge.

193
MCQhard

In a CI/CD pipeline for network changes, which practice best ensures that a configuration push does not disrupt production traffic?

A.Disable rollback
B.Canary deployment
C.Push all changes at once
D.Skip validation
AnswerB

Canary deployment limits blast radius.

Why this answer

Canary deployment is the correct practice because it gradually introduces the configuration change to a small subset of devices or traffic before full rollout. This allows monitoring for adverse effects and automatic rollback if issues arise, minimizing the risk of production disruption. In a CI/CD pipeline for network changes, this approach aligns with incremental validation and risk mitigation.

Exam trap

Cisco often tests the misconception that 'push all changes at once' is efficient and safe, but the trap here is that it ignores the principle of incremental risk reduction, which is fundamental to CI/CD best practices for network automation.

How to eliminate wrong answers

Option A is wrong because disabling rollback removes the safety net to revert a failed configuration push, increasing the risk of prolonged disruption. Option C is wrong because pushing all changes at once maximizes the blast radius and makes it difficult to isolate the cause of any failure. Option D is wrong because skipping validation bypasses critical checks (e.g., syntax, reachability, or policy compliance), which can directly cause misconfigurations that disrupt traffic.

194
Matchingmedium

Match each CI/CD concept to its definition.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Automatically build and test code changes

Automatically deploy to staging after CI

Automatically deploy to production after CI

Compile source code into artifacts

Sequence of automated steps for delivery

Why these pairings

Core CI/CD concepts in DevOps.

195
Multi-Selecthard

Which THREE of the following are common design patterns for microservices? (Choose three.)

Select 3 answers
A.Chain of Responsibility
B.Circuit Breaker
C.Singleton
D.Service Registry
E.API Gateway
AnswersB, D, E

Correct: Circuit Breaker is used for fault tolerance.

Why this answer

The Circuit Breaker pattern (B) is a common microservices design pattern that prevents cascading failures by monitoring for failures and opening a circuit to stop requests to a failing service, allowing it to recover. It is widely implemented in frameworks like Netflix Hystrix or Resilience4j, where states (closed, open, half-open) control request flow and timeout thresholds.

Exam trap

Cisco often tests the distinction between general software design patterns (like Singleton or Chain of Responsibility) and patterns specifically designed for microservices architecture, such as Circuit Breaker, Service Registry, and API Gateway.

196
MCQeasy

A developer needs to ensure that microservice A can securely communicate with microservice B over HTTPS within a Kubernetes cluster. What is the simplest approach?

A.Use a Kubernetes Ingress resource with TLS termination for microservice B.
B.Expose microservice B via a LoadBalancer Service and use HTTPS from microservice A.
C.Connect directly using the pod IP of microservice B over HTTP.
D.Create a Kubernetes Service of type ClusterIP for microservice B and configure microservice A to use HTTPS with the service DNS name.
AnswerD

ClusterIP services are internal and can be used with TLS termination within the cluster for secure communication.

Why this answer

Option D is correct because using a ClusterIP Service for microservice B provides a stable DNS name within the cluster, allowing microservice A to communicate over HTTPS without exposing the service externally. This approach leverages Kubernetes' internal service discovery and can be paired with a service mesh or mutual TLS (mTLS) for secure communication, meeting the requirement for simplicity and security.

Exam trap

The trap here is that candidates often assume external-facing components like Ingress or LoadBalancer are required for HTTPS, but Kubernetes internal services can use HTTPS with ClusterIP and proper certificate management, which is simpler and more secure for east-west traffic.

How to eliminate wrong answers

Option A is wrong because an Ingress resource with TLS termination is designed for external traffic entering the cluster, not for internal service-to-service communication within the same cluster, and it adds unnecessary complexity. Option B is wrong because exposing microservice B via a LoadBalancer Service makes it publicly accessible, which is overkill and insecure for internal communication, and it introduces external dependencies. Option C is wrong because connecting directly using the pod IP over HTTP bypasses service abstraction, making the communication insecure (no HTTPS) and brittle, as pod IPs can change on restarts.

197
MCQhard

A Python script sends the above REST API request to a Cisco Catalyst 9000 switch running IOS XE. The response is a 400 Bad Request. Which field is most likely missing from the JSON payload?

A.vlanId
B.description
C.interface
D.name
AnswerC

For VLAN creation, a mandatory 'interface' field (e.g., port membership) or 'vlanType' is required.

Why this answer

The REST API request is targeting the creation of a network interface on a Cisco Catalyst 9000 switch running IOS XE. The 400 Bad Request indicates a missing required field in the JSON payload. According to the Cisco IOS XE REST API documentation for the `/api/v1/interface` endpoint, the `interface` field (which specifies the interface name, e.g., 'GigabitEthernet1/0/1') is mandatory when creating a new interface.

Without it, the API cannot determine which interface to configure, resulting in a 400 error.

Exam trap

Cisco often tests the distinction between the `interface` field (the actual interface identifier) and the `name` field (which is not used in this API), leading candidates to incorrectly choose `name` as the missing field.

How to eliminate wrong answers

Option A is wrong because `vlanId` is only required when configuring a VLAN interface (e.g., a subinterface or SVI), not for a physical interface creation. Option B is wrong because `description` is an optional field used for administrative labeling and is not required for the API to process the request. Option D is wrong because `name` is not a standard field in the IOS XE REST API interface payload; the correct field is `interface` which holds the interface identifier.

198
MCQmedium

Refer to the exhibit. A network engineer runs a script that queries the Cisco DNA Center site health API. The response shows Branch1 with a healthScore of 10. What is the most likely action to improve Branch1's health?

A.Investigate the network devices and connectivity at Branch1.
B.Increase the number of clients at Branch1.
C.Check the API authentication token.
D.Use a different API version.
AnswerA

Low health score indicates problems at the site.

Why this answer

A healthScore of 10 on a scale of 0–100 indicates severe degradation, typically caused by network device failures, link flaps, or connectivity loss. Investigating the network devices and connectivity at Branch1 is the correct first step to identify and resolve the root cause, such as a down switch or a routing issue.

Exam trap

Cisco often tests the misconception that API response issues (like authentication or version) are the cause of low health scores, when in fact the API is correctly reporting a real network fault that must be investigated on the infrastructure side.

How to eliminate wrong answers

Option B is wrong because increasing the number of clients would likely worsen the health score by adding more load to an already failing network, and client count is not a direct lever for improving device or site health. Option C is wrong because the script successfully queried the API and received a valid response (healthScore of 10), so the authentication token is valid and not the issue. Option D is wrong because the API version is irrelevant to the health score value; using a different version would not change the underlying network condition that caused the low score.

199
Multi-Selecteasy

Which TWO of the following are essential steps in a typical Git workflow when collaborating on a feature branch? (Choose two.)

Select 2 answers
A.Rebase onto master
B.Merge the branch into master
C.Delete the remote repository
D.Stash changes before switching branches
E.Create a branch
AnswersB, E

Merging integrates the feature back into the main branch.

Why this answer

Creating a branch isolates work, and merging integrates it back. While rebasing is common, the question asks for essential steps; merge is more fundamental than rebase.

200
MCQmedium

A developer is designing an API that needs to support rate limiting per API key. The application is deployed on multiple instances. Which approach ensures consistent rate limiting across all instances?

A.Use a local in-memory counter
B.Use a file-based lock
C.Use environment variables
D.Use a distributed cache like Redis
AnswerD

Redis provides a shared counter accessible from all instances.

Why this answer

Option D is correct because a distributed cache like Redis provides a shared, atomic counter that all application instances can read and increment, ensuring consistent rate limiting across a multi-instance deployment. Redis supports atomic operations like INCR and EXPIRE, which are essential for implementing sliding window or token bucket algorithms without race conditions.

Exam trap

Cisco often tests the misconception that local counters or environment variables can be used for distributed state, when in fact they lack the shared, atomic, and persistent storage required for multi-instance rate limiting.

How to eliminate wrong answers

Option A is wrong because a local in-memory counter is per-instance and cannot synchronize across multiple instances, leading to inconsistent rate limits. Option B is wrong because a file-based lock introduces severe performance bottlenecks and is not designed for high-throughput distributed systems; it also fails to provide atomic counters. Option C is wrong because environment variables are static configuration values and cannot be dynamically updated or shared across instances to track real-time request counts.

201
MCQmedium

A network administrator automates the provisioning of Meraki MX security appliances using the Meraki Dashboard API. The Python script reads a CSV file with site details and creates VLANs, firewall rules, and VPN settings. Recently, the script started throwing an HTTP 429 error. The script is single-threaded and makes fewer than 10 requests per second. Which of the following is the most likely cause of the 429 error?

A.The API key has been revoked.
B.The rate limit for the API key is 5 requests per second.
C.The Meraki cloud is under maintenance.
D.The organization has a lower rate limit than the API key's default.
AnswerD

Rate limits are applied at multiple levels; organization-level limit may be lower.

Why this answer

The HTTP 429 (Too Many Requests) error indicates the client has exceeded the rate limit imposed by the Meraki Dashboard API. Even though the script makes fewer than 10 requests per second, the organization-level rate limit can be lower than the default API key limit. Option D is correct because the organization's rate limit overrides the default, and the script's request rate may still exceed that lower threshold.

Exam trap

The trap here is that candidates assume the default API key rate limit is the only constraint, overlooking that the organization-level rate limit can be lower and is the actual cause of the 429 error.

How to eliminate wrong answers

Option A is wrong because an API key revocation would return a 401 Unauthorized error, not a 429. Option B is wrong because the script makes fewer than 10 requests per second, so a 5 requests per second limit would not be exceeded; the error would only occur if the script actually surpassed that rate. Option C is wrong because Meraki cloud maintenance typically returns a 503 Service Unavailable error, not a 429 rate-limit error.

202
MCQeasy

Refer to the exhibit. The Docker image built from this Dockerfile is larger than expected. Which optimization should be recommended?

A.Use a smaller base image like python:3.9-alpine.
B.Combine RUN and COPY layers to reduce layers.
C.Remove the EXPOSE instruction.
D.Use a multi-stage build.
AnswerD

Multi-stage builds allow copying only necessary artifacts, significantly reducing the final image size.

Why this answer

Multi-stage builds allow you to use multiple FROM statements in your Dockerfile. You can compile or install dependencies in an intermediate stage using a full-featured base image, then copy only the necessary artifacts (e.g., compiled code, libraries) into a final, minimal runtime image. This dramatically reduces the final image size by discarding build tools, temporary files, and unnecessary layers from the earlier stages.

Exam trap

Cisco often tests the misconception that reducing the number of layers (Option B) or using a smaller base image (Option A) is the primary way to shrink image size, when in fact multi-stage builds are the correct, targeted solution for removing build-time artifacts that inflate the final image.

How to eliminate wrong answers

Option A is wrong because while using a smaller base image like python:3.9-alpine can reduce image size, it is not always the best optimization when the image is larger than expected due to leftover build artifacts or unnecessary dependencies; the question specifically asks for an optimization to address an unexpectedly large image, and multi-stage builds are the standard solution for removing build-time cruft. Option B is wrong because combining RUN and COPY layers does not inherently reduce the final image size; Docker layers are cached and combining them can actually break caching and increase rebuild time, and the size issue is typically caused by including unnecessary files, not by the number of layers. Option C is wrong because the EXPOSE instruction is purely documentation; it does not add any data to the image or affect its size, so removing it has zero impact on image size.

203
MCQhard

An organization uses a private Docker registry with TLS. A developer attempts to pull an image and receives the error: "x509: certificate signed by unknown authority". What is the most likely cause and solution?

A.Add the CA certificate to the client's trust store
B.Use the registry's IP address instead of hostname
C.Disable TLS verification on the client
D.Use HTTP instead of HTTPS
AnswerA

This establishes trust in the registry's certificate.

Why this answer

The error 'x509: certificate signed by unknown authority' occurs because the Docker client does not recognize the certificate authority (CA) that signed the registry's TLS certificate. The correct solution is to add the CA certificate to the client's trust store, typically by placing it in /etc/docker/certs.d/<registry_hostname>:<port>/ca.crt on Linux or the equivalent Docker certs directory on other platforms. This allows the Docker daemon to validate the registry's certificate during the TLS handshake.

Exam trap

The trap here is that candidates may confuse a certificate trust issue with a hostname mismatch or think disabling TLS is an acceptable workaround, but Cisco specifically tests the understanding that the correct enterprise-grade fix is to trust the CA, not to weaken security.

How to eliminate wrong answers

Option B is wrong because using the registry's IP address instead of hostname does not resolve a certificate trust issue; it may cause a hostname mismatch error if the certificate is issued to a specific hostname, but the root cause is the untrusted CA, not the address format. Option C is wrong because disabling TLS verification (e.g., setting 'insecure-registries' in Docker daemon config) bypasses security entirely and is not a best practice; it exposes the connection to man-in-the-middle attacks and is not the intended fix for a missing CA certificate. Option D is wrong because using HTTP instead of HTTPS would eliminate TLS entirely, but the registry is configured with TLS and likely rejects plain HTTP connections; this also compromises security and does not address the trust issue.

204
MCQeasy

A team uses GitHub for version control and wants Jenkins to automatically run tests when changes are pushed to the main branch. Which trigger should be configured in the Jenkins job?

A.Cron job on the Jenkins server
B.Poll SCM every minute
C.Manual build trigger
D.GitHub webhook
AnswerD

A webhook sends an HTTP POST to Jenkins when changes are pushed, triggering the job immediately.

Why this answer

A webhook allows GitHub to notify Jenkins instantly on push events, enabling immediate triggering of the pipeline.

205
MCQeasy

A DevOps engineer wants to automate the configuration of network devices using Ansible. Which file format is commonly used for Ansible playbooks?

A.INI
B.YAML
C.XML
D.JSON
AnswerB

Ansible playbooks are written in YAML, which is human-readable and easy to parse.

Why this answer

Ansible playbooks are written in YAML (YAML Ain't Markup Language) because YAML is human-readable, supports complex data structures like lists and dictionaries, and is designed for configuration files. YAML's indentation-based syntax aligns with Ansible's declarative automation model, making it the default and recommended format for defining tasks, variables, and handlers in playbooks.

Exam trap

Cisco often tests the distinction between Ansible inventory files (which can use INI or YAML) and playbook files (which exclusively use YAML), causing candidates to incorrectly associate INI with playbooks.

How to eliminate wrong answers

Option A is wrong because INI files are used for Ansible inventory definitions (e.g., listing hosts and groups), not for playbooks; playbooks require a structured format that supports sequences and mappings, which INI lacks. Option C is wrong because XML is verbose, less human-readable, and not natively supported by Ansible for playbooks; Ansible uses YAML for its simplicity and readability. Option D is wrong because JSON, while valid for some Ansible configurations (e.g., dynamic inventory scripts), is not the standard format for playbooks; YAML is preferred for its cleaner syntax and reduced boilerplate.

206
MCQhard

A team is designing a CI/CD pipeline that uses the Cisco ACI REST API to deploy tenant policies. Which best practice should be followed for secure credential management?

A.Store credentials in plain text in the pipeline configuration
B.Use a secrets management service and reference it in the pipeline
C.Hardcode credentials in the source code
D.Use a shared user account with no MFA
AnswerB

Secrets management services like HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault provide secure storage.

Why this answer

Storing credentials in a secrets management service and referencing them in the pipeline is a security best practice. Hardcoding or storing in plain text is insecure.

207
MCQeasy

A developer is deploying a microservice to a Kubernetes cluster. The application needs to read a database password securely without hardcoding it in the image. Which Kubernetes resource should be used?

A.ConfigMap
B.ServiceAccount
C.PersistentVolume
D.Secret
AnswerD

Secret is designed for sensitive data like passwords.

Why this answer

Option D (Secret) is correct because Kubernetes Secrets are specifically designed to store sensitive data such as database passwords, API keys, and certificates. They can be mounted as files or injected as environment variables into pods, ensuring the password is never hardcoded in the container image. Secrets are base64-encoded and can be encrypted at rest using etcd encryption or external KMS providers, providing a secure mechanism for managing credentials.

Exam trap

Cisco often tests the distinction between ConfigMaps and Secrets, trapping candidates who assume that base64 encoding provides security or that ConfigMaps can safely store passwords because they are 'just configuration.'

How to eliminate wrong answers

Option A is wrong because ConfigMaps are intended for non-sensitive configuration data (e.g., plain text settings) and do not provide encryption or access control for secrets; storing a password in a ConfigMap would expose it in plaintext. Option B is wrong because a ServiceAccount is an identity for pods to authenticate to the Kubernetes API server, not a resource for storing secret data like passwords. Option C is wrong because a PersistentVolume is used for persistent storage of application data (e.g., files, databases) and has no mechanism for securely storing or injecting credentials into a pod.

208
MCQmedium

A developer is designing a Python script that uses the NSO (Network Services Orchestrator) northbound API. Which data format is natively supported by NSO's RESTCONF API?

A.YAML only
B.JSON only
C.XML only
D.JSON and XML
AnswerD

RESTCONF supports both JSON and XML encoding.

Why this answer

RESTCONF supports both JSON and XML as data formats. JSON-only or XML-only is incorrect; YAML is not natively supported by NSO's RESTCONF.

209
MCQhard

A network administrator is troubleshooting BGP path selection for a route received from two different ISPs. The routes have the same local preference and AS-path length, but one route has a shorter MED value. Which route will be preferred?

A.The route with the most specific prefix length
B.The route from the ISP with the higher bandwidth
C.The route with the lower MED
D.The route with the higher local preference
AnswerC

Lower MED is preferred.

Why this answer

In BGP path selection, when routes have the same local preference and AS-path length, the next tiebreaker is the Multi-Exit Discriminator (MED) value. A lower MED value is preferred because it indicates a more desirable entry point into the neighboring AS. Therefore, the route with the shorter MED will be selected.

Exam trap

Cisco often tests the order of BGP path selection steps, and the trap here is that candidates may confuse MED with local preference or AS-path length, or incorrectly think that prefix length or bandwidth plays a role in BGP best-path selection.

How to eliminate wrong answers

Option A is wrong because prefix length (most specific route) is not a BGP path selection attribute; it is used in the routing table for longest-prefix match, not for BGP best-path decision. Option B is wrong because bandwidth is not a standard BGP attribute and is not considered in the BGP path selection algorithm; BGP relies on configured metrics like MED, not physical link speed. Option D is wrong because the question states both routes have the same local preference, so this attribute cannot differentiate them; higher local preference would only matter if they were different.

210
MCQeasy

A company is designing a new branch network. They want to segment traffic into separate broadcast domains to improve security and reduce broadcast traffic. Which technology should be used to achieve this?

A.Spanning Tree Protocol
B.Subnetting
C.EtherChannel
D.VLANs
AnswerD

VLANs create separate broadcast domains.

Why this answer

VLANs create separate Layer 2 broadcast domains, isolating traffic between groups. Subnetting (Option A) is a Layer 3 concept but does not create broadcast domains; it works with VLANs. STP (Option B) prevents loops.

EtherChannel (Option D) bundles links.

211
MCQmedium

A team is using Git for version control. A developer accidentally committed a sensitive file. Which Git command should be used to remove the file from the repository history while keeping it locally?

A.git rebase -i
B.git reset --soft
C.git rm --cached
D.git filter-branch
AnswerD

This rewrites history to remove the file from all commits, effectively erasing it from the repository.

Why this answer

Option C is correct because git filter-branch rewrites history to remove the file from all commits. Option A (git rm --cached) only removes the file from the index, not from past commits. Option B (git reset --soft) resets the current branch pointer but does not remove the file from history.

Option D (git rebase -i) allows interactive rebase but does not directly remove files from history without additional steps. Therefore, git filter-branch is the appropriate command for this task.

212
MCQeasy

Refer to the exhibit. An engineer applied this configuration to a Cisco switch port connected to an application server. The server runs a critical business application that should not be disrupted. However, after applying the configuration, the port goes into errdisable state. What is the most likely cause?

A.The VLAN 10 does not exist on the switch.
B.The spanning-tree portfast command is incompatible with access ports.
C.The switchport mode access command is incorrect for a server connection.
D.The server is generating BPDU frames, triggering BPDU guard.
AnswerD

BPDU guard errdisables a port if it receives a BPDU, which can happen if the server runs STP or is connected to another switch.

Why this answer

The correct answer is D because BPDU guard is enabled on the switch port (implicitly or explicitly via spanning-tree bpduguard enable). When the application server sends BPDU frames—perhaps because it is running a software bridge, virtualization host, or has a misconfigured NIC—the switch detects these frames on a port configured with portfast and immediately errdisables the port to prevent a potential bridging loop. This matches the symptom of the port going into errdisable state after applying the configuration.

Exam trap

Cisco often tests the misconception that BPDU guard is only for trunk ports or that PortFast is incompatible with access ports, but the trap here is that candidates overlook how a server can generate BPDU frames (e.g., from a virtual switch or bridging software) and that BPDU guard on an access port will errdisable it.

How to eliminate wrong answers

Option A is wrong because a non-existent VLAN would cause the port to remain in a down or inactive state, not errdisable; the switch would still allow the port to be administratively up but traffic would not pass. Option B is wrong because spanning-tree portfast is specifically designed for access ports (and edge ports) to bypass the listening/learning states; it is fully compatible and commonly used on server-facing access ports. Option C is wrong because switchport mode access is correct for a server connection that belongs to a single VLAN; it is not inherently incorrect and would not cause errdisable by itself.

213
MCQmedium

A developer is using Git for source control. They have made changes to a file and want to temporarily save the changes without committing, then work on a different branch. Which Git command should they use?

A.git checkout other-branch
B.git commit -m 'temp'
C.git reset --hard
D.git stash
AnswerD

Correct: Stashing saves changes for later use.

Why this answer

Option D is correct because `git stash` temporarily saves uncommitted changes (both staged and unstaged) to a stack, reverting the working directory to the last commit. This allows the developer to switch branches without losing work, then later reapply the changes with `git stash pop` or `git stash apply`.

Exam trap

Cisco often tests the distinction between temporarily saving work (`git stash`) versus permanently committing or discarding changes, and the trap here is that candidates may think `git checkout` can switch branches regardless of dirty state, ignoring the conflict risk.

How to eliminate wrong answers

Option A is wrong because `git checkout other-branch` will fail if there are uncommitted changes that conflict with the target branch, or it may carry the changes to the other branch unintentionally. Option B is wrong because `git commit -m 'temp'` creates a permanent commit in the commit history, which is not a temporary save and would require later cleanup (e.g., rebase or reset). Option C is wrong because `git reset --hard` discards all uncommitted changes permanently, which is destructive and does not save the work for later use.

214
Multi-Selectmedium

A company is implementing an API gateway for its microservices. Which TWO security features should be enabled at the gateway to protect backend services?

Select 2 answers
A.In-depth packet inspection.
B.Database connection pooling.
C.JWT validation.
D.CORS configuration.
E.Rate limiting.
AnswersC, E

Authenticates API requests.

Why this answer

JWT validation at the API gateway ensures that only requests with valid, unexpired, and properly signed JSON Web Tokens are forwarded to backend microservices. This offloads authentication and token verification from individual services, enforcing a consistent security boundary and preventing unauthorized access.

Exam trap

Cisco often tests the distinction between security features that protect the API layer (JWT validation, rate limiting) versus network-level or backend-specific features (DPI, connection pooling), leading candidates to confuse operational optimizations with security controls.

215
Multi-Selectmedium

Which TWO of the following are characteristics of Model-Driven Programmability with YANG models?

Select 2 answers
A.YANG models define a hierarchical data tree.
B.YANG models are only used with the Python library ncclient.
C.NETCONF and RESTCONF use YANG models to manipulate device configurations.
D.The controller directly pushes configurations to network devices without validation.
E.NETCONF requires JSON encoding for configuration data.
AnswersA, C

YANG models represent data as a tree structure.

Why this answer

Option A is correct because YANG models define a hierarchical data tree structure that organizes configuration and state data in a parent-child relationship, mirroring the structure of the device's operational and configuration data. This hierarchical representation allows for precise, path-based access to individual data nodes, which is fundamental to model-driven programmability.

Exam trap

Cisco often tests the misconception that YANG models are tied to a single protocol or encoding format, leading candidates to incorrectly associate YANG exclusively with NETCONF or JSON.

216
MCQmedium

An engineer is tasked with automating the backup of running configurations from 50 routers. Which approach is most scalable?

A.SSH manually to each router and copy config
B.Schedule a cron job on each router to SCP config
C.Use SNMP to capture config
D.Use an Ansible playbook with ios_config backup
AnswerD

Automates and scales.

Why this answer

An Ansible playbook with the ios_config module's backup option is the most scalable approach because it uses a push-based automation model that can manage all 50 routers from a single control node, leveraging SSH for secure transport and idempotent configuration management without requiring any agent on the routers.

Exam trap

Cisco often tests the misconception that SNMP can be used for configuration backup, but SNMP is designed for read-only monitoring of OIDs, not for retrieving or storing entire configuration files, which requires a file transfer or CLI-based method.

How to eliminate wrong answers

Option A is wrong because manually SSHing to each router is not scalable for 50 devices, introduces human error, and defeats the purpose of automation. Option B is wrong because scheduling a cron job on each router to SCP the config requires individual configuration on every device, does not centralize management, and still relies on per-router setup, which is not scalable. Option C is wrong because SNMP is designed for monitoring and retrieving MIB data, not for capturing full running configurations; it lacks the ability to reliably back up the entire configuration file and is not a standard method for configuration backup.

217
Multi-Selectmedium

A developer is deploying a containerized application using Docker Compose. Which TWO statements about Docker Compose are correct?

Select 2 answers
A.Docker Compose can only be used with swarm mode.
B.Services in a compose file can be scaled using the docker-compose scale command.
C.The docker-compose up command builds, (re)creates, starts, and attaches to containers for a service.
D.Docker Compose is used to define and run multi-container Docker applications.
E.Docker Compose files are written in JSON format only.
AnswersC, D

This is the behavior of docker-compose up.

Why this answer

Option C is correct because `docker-compose up` is the primary command that builds images if needed, (re)creates containers, starts them, and attaches to their output. This behavior is documented in the Docker Compose CLI reference and is fundamental to how Compose orchestrates multi-service deployments.

Exam trap

Cisco often tests the misconception that Docker Compose is only for swarm mode or that it requires JSON files, when in fact it works standalone and uses YAML as its native format.

218
MCQhard

A network engineer is using the Cisco DNA Center API to get site health. The API endpoint returns a large dataset with pagination. The response includes the header 'X-Page-Total-Count'. To retrieve all pages efficiently, what should the engineer implement?

A.A single request with a high limit parameter to fetch all data at once.
B.A loop that increments the page parameter until the response is empty, using the total count header.
C.A recursive function that follows 'next' links in the response body.
D.Polling the endpoint at regular intervals to gather data over time.
AnswerB

This efficiently retrieves all pages by iterating through page numbers.

Why this answer

Option B is correct because the Cisco DNA Center API uses pagination with a page parameter and returns a 'X-Page-Total-Count' header indicating the total number of pages. By implementing a loop that increments the page parameter until all pages are retrieved, the engineer can efficiently fetch all data without overwhelming the API or missing records, using the total count to know when to stop.

Exam trap

Cisco often tests the distinction between REST API pagination patterns (offset/limit vs. page-based with total count) and the trap here is that candidates assume all APIs use 'next' links (like in HAL or JSON:API), but Cisco DNA Center uses explicit page parameters and headers.

How to eliminate wrong answers

Option A is wrong because setting a high limit parameter may exceed the API's maximum allowed limit, causing the request to fail or return truncated data; Cisco DNA Center APIs enforce a maximum page size (e.g., 500 or 1000 records) to prevent server overload. Option C is wrong because the Cisco DNA Center pagination response does not include 'next' links in the response body; it relies on explicit page and total count headers, making recursive following of links inapplicable. Option D is wrong because polling at regular intervals is designed for monitoring changes over time, not for retrieving a complete static dataset; it introduces unnecessary latency and potential data duplication.

219
MCQeasy

A junior developer is writing a Python script to gather interface statistics from a Cisco IOS-XE device using NETCONF. They use the 'ncclient' library and successfully connect. They want to retrieve the operational status of all interfaces. Which YANG model and XPATH expression should they use to get the operational data?

A.Model: ietf-interfaces, XPATH: /interfaces-state/interface
B.Model: cisco-native, XPATH: /native/interface
C.Model: ietf-interfaces, XPATH: /interfaces/interface
D.Model: ietf-interfaces, XPATH: /interfaces-state
AnswerA

Interfaces-state contains operational data per IETF standard.

Why this answer

Option A is correct because the 'ietf-interfaces' YANG model defines the '/interfaces-state' container specifically for operational state data (e.g., status, counters), as per RFC 7223. The XPATH '/interfaces-state/interface' retrieves the list of all interfaces with their operational status, which is exactly what the developer needs. The 'ncclient' library can filter using this XPATH to get read-only operational data from a NETCONF-enabled Cisco IOS-XE device.

Exam trap

Cisco often tests the distinction between configuration and operational data in YANG models, and the trap here is that candidates confuse '/interfaces/interface' (configuration) with '/interfaces-state/interface' (operational state), or they pick a too-broad XPATH like '/interfaces-state' instead of the specific list node.

How to eliminate wrong answers

Option B is wrong because 'cisco-native' is a proprietary Cisco model for configuration data, not operational state, and '/native/interface' would return configured interfaces, not their operational status. Option C is wrong because '/interfaces/interface' under 'ietf-interfaces' targets the configuration container, which holds intended settings, not operational state (status, counters). Option D is wrong because '/interfaces-state' is the correct container, but the XPATH is too broad—it returns the entire container rather than the list of interfaces; the developer needs '/interfaces-state/interface' to get each interface's operational data.

220
Multi-Selecthard

Which THREE practices help ensure idempotent network automation? (Select three)

Select 3 answers
A.Using the 'state' parameter in Ansible modules to define desired state
B.Using a transactional approach (e.g., configure candidate and commit)
C.Running commands multiple times to ensure they are applied
D.Checking the current state before applying changes
E.Always appending new configuration commands to the running config
AnswersA, B, D

This ensures the module only takes action if the current state does not match the desired state.

Why this answer

Option A is correct because using the 'state' parameter in Ansible modules (e.g., 'state: present' or 'state: absent') explicitly declares the desired end state of a resource. This allows the module to compare the current state against the desired state and only make changes if necessary, ensuring that running the playbook multiple times produces the same result without unintended side effects.

Exam trap

Cisco often tests the misconception that simply running a command multiple times or appending configuration ensures idempotency, when in fact true idempotency requires state checking and declarative desired-state definitions.

221
MCQeasy

Refer to the exhibit. An engineer uses NETCONF to configure an interface. After applying this configuration, the interface is administratively up. However, the interface does not pass traffic. What is the most likely cause?

A.The interface type is misspelled
B.The 'enabled' field should be a string instead of a boolean
C.The IP address configuration uses 'netmask' instead of 'prefix-length'
D.The interface name is invalid
AnswerC

The ietf-ip model requires prefix-length, not netmask.

Why this answer

NETCONF uses YANG models that define IP address configuration with the leaf 'prefix-length' (an integer), not 'netmask'. The 'netmask' field is not a valid leaf in the standard ietf-interfaces or ietf-ip YANG model for IPv4 addresses, so the NETCONF server will either reject the configuration or apply it incorrectly, leaving the interface without a proper IP address and unable to pass traffic.

Exam trap

Cisco often tests the distinction between CLI-style 'netmask' and YANG-model 'prefix-length' in NETCONF/RESTCONF questions, trapping candidates who assume the old CLI syntax works in model-driven APIs.

How to eliminate wrong answers

Option A is wrong because the interface type (e.g., 'iana-if-type:ethernetCsmacd') is a valid YANG identity and a misspelling would cause a validation error, but the question states the configuration was applied and the interface is administratively up, so the type is correct. Option B is wrong because the 'enabled' field in the ietf-interfaces YANG model is defined as a boolean (leaf type 'boolean'), so using a string would cause a schema violation and the configuration would not be accepted; the interface being up indicates the boolean was correctly used. Option D is wrong because the interface name (e.g., 'GigabitEthernet0/0/0') is a standard Cisco interface name and is valid; if it were invalid, the NETCONF server would reject the edit, but the interface is administratively up, confirming the name is correct.

222
Multi-Selecthard

Which TWO are components of a REST API request? (Choose two.)

Select 2 answers
A.URI
B.Status code
C.Payload
D.HTTP method
E.Query string
AnswersA, D

Identifies the resource.

Why this answer

A REST API request includes an HTTP method (verb) like GET or POST (B) and a URI (Uniform Resource Identifier) that identifies the resource (D). Payload (A) is only for some methods like POST. Query string (C) is part of the URI.

Status code (E) is in the response, not request.

223
MCQeasy

A company uses Cisco Meraki APs and an internal web application hosted on AWS. The application store customer payment data. The security team discovers that sensitive application logs are being transmitted in plaintext over the network to the SIEM. The DevOps team wants to improve security without changing the application code because it is proprietary and cannot be modified. Which solution should be recommended?

A.Modify the application to send logs via syslog over TLS
B.Enable HTTPS on the SIEM receiver to ensure logs are encrypted during transmission
C.Enable TLS on the web application to encrypt data in transit
D.Set up a site-to-site VPN between the Meraki network and AWS to encrypt all traffic, including logs
AnswerD

VPN encrypts all traffic between networks without modifying applications.

Why this answer

Option D is correct because a site-to-site VPN between the Meraki network and AWS encrypts all traffic traversing the link, including the sensitive application logs sent to the SIEM, without requiring any changes to the proprietary application code. This solution operates at the network layer, ensuring that even if the application transmits logs in plaintext, the entire payload is encrypted by the VPN tunnel. Meraki Auto VPN and AWS VPN Gateway can establish an IPsec tunnel, providing confidentiality for all data in transit between the on-premises network and the AWS VPC.

Exam trap

Cisco often tests the distinction between application-layer encryption (e.g., TLS/HTTPS) and network-layer encryption (e.g., VPN), leading candidates to mistakenly choose options that encrypt the wrong traffic or require code changes, when the correct answer is a network-level solution that secures all traffic without modifying the application.

How to eliminate wrong answers

Option A is wrong because modifying the application to send logs via syslog over TLS requires changing the application code, which the DevOps team explicitly cannot do due to the proprietary nature of the application. Option B is wrong because enabling HTTPS on the SIEM receiver only secures the SIEM's web interface; it does not encrypt the log transmission from the application to the SIEM, as the logs are still sent in plaintext over the network. Option C is wrong because enabling TLS on the web application encrypts data between clients and the web server, but the sensitive logs are generated and transmitted by the application server to the SIEM, not during web client interactions; this does not address the log transmission issue.

224
MCQeasy

An administrator is using the Cisco Intersight API to manage server profiles. The API returns the following error: '{"error": "Forbidden", "message": "Insufficient privileges"}'. What is the most likely cause?

A.The server profile ID is incorrect.
B.The request body is malformed.
C.The OAuth2 token has insufficient scopes.
D.The API key has expired.
AnswerC

A 403 Forbidden with 'Insufficient privileges' explicitly indicates lack of required scopes.

Why this answer

The error 'Forbidden' with message 'Insufficient privileges' directly indicates that the authenticated user or API client does not have the required permissions to perform the requested operation. In Cisco Intersight, access control is managed via OAuth2 scopes assigned to API keys; if the token lacks the specific scope (e.g., 'server-profile-write') needed for the API call, the server returns this 403 Forbidden error. Option C correctly identifies that the OAuth2 token has insufficient scopes.

Exam trap

The trap here is that candidates confuse 403 Forbidden with 401 Unauthorized, assuming any privilege error means the API key is expired or invalid, when in fact the token is valid but lacks the required OAuth2 scopes.

How to eliminate wrong answers

Option A is wrong because an incorrect server profile ID would typically result in a 404 Not Found error, not a 403 Forbidden. Option B is wrong because a malformed request body would produce a 400 Bad Request error with details about parsing failures, not a privilege-related error. Option D is wrong because an expired API key would cause a 401 Unauthorized error, not a 403 Forbidden; the token is valid but lacks the necessary authorization scopes.

225
MCQeasy

An automation engineer is using the Cisco DNA Center REST API to retrieve a list of network devices. The API call returns HTTP status code 200. What does this indicate?

A.The request succeeded but no content is returned.
B.The request was created successfully.
C.The request was successful and data is returned.
D.The request failed due to a client error.
AnswerC

Standard success response with body.

Why this answer

HTTP status code 200 indicates a successful GET request where the server has processed the request and is returning the requested data in the response body. In the context of the Cisco DNA Center REST API, a 200 response to a GET /network-device call means the list of network devices was successfully retrieved and is included in the response payload.

Exam trap

Cisco often tests the distinction between 200 OK and 204 No Content, expecting candidates to know that 200 always includes a response body while 204 explicitly does not, even though both are successful.

How to eliminate wrong answers

Option A is wrong because HTTP 200 does not mean 'no content' — that is indicated by status code 204 (No Content), which is used for successful requests that intentionally return no body. Option B is wrong because a 201 (Created) status code indicates successful creation of a resource, not a retrieval; 200 is used for successful GET, PUT, or DELETE operations that return data. Option D is wrong because client errors are represented by 4xx status codes (e.g., 400 Bad Request, 401 Unauthorized), not 2xx success codes.

Page 2

Page 3 of 7

Page 4

All pages