Cisco DevNet Associate 200-901 (200-901) — Questions 226–300

505 questions total · 7 pages · All types, answers revealed

Page 4 of 7
226 · MCQ · easy

A developer needs to retrieve the list of devices from a Meraki network using the Meraki Dashboard API. Which HTTP method and endpoint should be used?

A. POST /networks/{networkId}/devices
B. GET /devices
C. GET /organizations/{organizationId}/networks
D. GET /networks/{networkId}/devices

Answer: D

Correct endpoint.

Why this answer

Option D is correct because the Meraki Dashboard API uses RESTful conventions: to retrieve a list of devices within a specific network, you send a GET request to the endpoint `/networks/{networkId}/devices`. This follows the standard pattern of using GET for read operations and scoping the resource under the network identifier.

Exam trap

Cisco often tests the distinction between GET and POST for read vs. create operations, and the trap here is that candidates may confuse the endpoint for listing networks (`/organizations/{organizationId}/networks`) with the endpoint for listing devices, or assume a top-level `/devices` path exists without understanding the hierarchical resource model.

How to eliminate wrong answers

Option A is wrong because POST is used to create resources, not retrieve them; sending a POST to `/networks/{networkId}/devices` would attempt to add a new device, not list existing ones. Option B is wrong because `/devices` is not a valid top-level endpoint in the Meraki API; device resources are always nested under a network or organization context. Option C is wrong because `/organizations/{organizationId}/networks` returns a list of networks, not devices; it retrieves the networks within an organization, which is a different resource entirely.

227 · MCQ · easy

A developer is designing a REST API that will be used by multiple client applications. The API must support versioning to ensure backward compatibility. Which approach should the developer use to implement API versioning?

A. Embed the version in the URI, e.g., /v1/resource
B. Use different HTTP methods for different versions
C. Pass the version as a query parameter, e.g., ?version=1
D. Use a custom HTTP header to specify the version

Answer: A

Correct: URI versioning is straightforward and widely adopted.

Why this answer

Embedding the version in the URI (e.g., /v1/resource) is the most common and straightforward approach for REST API versioning. It makes the version explicit in the URL, allowing clients to directly target a specific version without requiring special header handling or query parameter parsing. This method is widely adopted in industry APIs (e.g., GitHub, Twilio) and ensures backward compatibility by keeping older endpoints accessible under their original URI path.

Exam trap

Cisco often tests the misconception that query parameters or custom headers are more 'RESTful' or flexible, but the exam expects URI-based versioning as the simplest and most compatible approach for backward compatibility.

How to eliminate wrong answers

Option B is wrong because HTTP methods (GET, POST, PUT, DELETE) define the action on a resource, not the version; using different methods for different versions violates REST principles and confuses clients. Option C is wrong because passing the version as a query parameter (e.g., ?version=1) can be cached incorrectly by proxies and CDNs, and it clutters the URL without providing a clean, hierarchical resource structure. Option D is wrong because using a custom HTTP header (e.g., Accept-Version) requires clients to implement additional header logic, reduces discoverability, and is not as transparent or testable as URI-based versioning.

228 · MCQ · medium

You are a network automation engineer using the Cisco DNA Center REST API to retrieve health scores for all sites in your network. You call the 'GET /dna/intent/api/v1/site-health' endpoint with parameters to filter by time range. The response returns only the first 20 sites out of a total of 150 sites. You notice that the response includes a 'totalRecords' field showing 150, but only 20 objects are in the 'response' array. You recall that the API documentation mentions pagination support. To avoid manually looping through all pages, you want to implement a robust solution that efficiently retrieves all site health data. Which approach should you take?

A. Change the endpoint to 'GET /dna/intent/api/v1/network-device', which returns all devices without pagination.
B. Export the site health data using the 'POST /dna/intent/api/v1/site-health/export' endpoint.
C. Increase the 'pageSize' parameter to 150 to retrieve all records in a single request.
D. Use the 'nextPageUri' field provided in the response to iterate through all pages until no more pages are available.

Answer: D

Correct. Following the pagination links (nextPageUri) is the standard and reliable method to retrieve all records.

Why this answer

Option D is correct because the Cisco DNA Center REST API implements pagination using a 'nextPageUri' field in the response, which provides the direct URL to the next page of results. By following this field iteratively until it is null or absent, you can efficiently retrieve all 150 site health records without manually constructing pagination parameters or looping through page numbers, ensuring a robust and maintainable solution.

Exam trap

Cisco often tests the misconception that you can simply increase the 'pageSize' parameter to retrieve all records at once, but the trap is that API endpoints enforce a maximum page size, and the correct pattern is to use the provided 'nextPageUri' field to iterate through pages.

How to eliminate wrong answers

Option A is wrong because the 'GET /dna/intent/api/v1/network-device' endpoint returns network device data, not site health data, and it also uses pagination; it does not return all devices without pagination. Option B is wrong because the 'POST /dna/intent/api/v1/site-health/export' endpoint is designed for exporting data to a file (e.g., CSV), not for programmatic retrieval of all records in a single API response, and it may not support the same filtering or real-time access. Option C is wrong because the 'pageSize' parameter typically has a maximum limit (often 500 or less, but in many Cisco APIs the default max is 20 or 50), and setting it to 150 may exceed the allowed maximum, causing the request to fail or be truncated; even if accepted, it is not a guaranteed or recommended practice for large datasets.

229 · MCQ · medium

A network automation engineer is writing a Python script to configure multiple devices. Which library is most appropriate for SSH-based interactions?

A. requests
B. socket
C. Netmiko
D. paramiko

Answer: C

Netmiko is the standard library for network device SSH automation.

Why this answer

Netmiko is a Python library built on top of Paramiko that simplifies SSH connections to network devices. It provides high-level methods for sending commands, handling prompts, and managing device interactions, making it the most appropriate choice for automating configuration tasks across multiple devices.

Exam trap

Cisco often tests the distinction between Paramiko (a general SSH library) and Netmiko (a network-device-specific library built on Paramiko), leading candidates to choose Paramiko because they recognize it as an SSH library without considering the higher-level abstractions Netmiko provides for network automation.

How to eliminate wrong answers

Option A is wrong because the requests library is designed for HTTP/HTTPS API calls, not for SSH-based interactions. Option B is wrong because the socket library provides low-level network communication primitives and lacks the SSH protocol handling needed for device configuration. Option D is wrong because while Paramiko is a valid SSH library, it requires manual handling of authentication, channel management, and command output parsing, making it less suitable than Netmiko for multi-device automation scenarios.

230 · MCQ · medium

An Ansible playbook fails with the error: "mapping values are not allowed here". The relevant YAML snippet is:

    ---
    - name: Configure interface
      ios_config:
        lines:
          - ip address 10.0.0.1 255.255.255.0
         parents: interface GigabitEthernet0/1

What is the most likely cause of this error?

A. The indentation of `parents:` is incorrect relative to `lines:`
B. The `ios_config` module requires a provider statement
C. The `lines:` item should be a list of strings
D. The `parents:` value must be enclosed in quotes

Answer: A

In YAML, keys under the same mapping must have the same indentation; `parents:` seems misaligned.

Why this answer

The error "mapping values are not allowed here" in YAML typically indicates an indentation issue. The `parents:` line should be at the same indentation level as `lines:`.

231 · MCQ · easy

A system administrator wants to use the Cisco Intersight API to collect hardware inventory from a set of UCS servers managed by Intersight. The administrator needs to retrieve the serial numbers, memory, and CPU information. The administrator has an API key with the appropriate permissions. The administrator uses a Python script with the requests library to send a GET request to https://intersight.com/api/v1/compute/PhysicalSummaries. The request returns HTTP 200 with a list of objects. However, each object only contains the 'Moid' and 'Name' fields; the serial number and hardware details are missing. What should the administrator do to get the full inventory details?

A. Change the endpoint to /api/v1/compute/PhysicalSummary?details=true.
B. Add the '?expand=*' query parameter to the request to include all fields.
C. Use the 'Moid' from each summary object to send individual GET requests to /api/v1/compute/PhysicalSummaries/{Moid} for full details.
D. Generate a new API key with broader permissions.

Answer: C

This retrieves the full object with all fields, including serial number and hardware details.

Why this answer

Option C is correct because the `/api/v1/compute/PhysicalSummaries` endpoint returns a list of summary objects containing only the 'Moid' and 'Name' fields by design. To retrieve the full hardware inventory details (serial numbers, memory, CPU), the administrator must use the 'Moid' from each summary object to send individual GET requests to the specific resource endpoint `/api/v1/compute/PhysicalSummaries/{Moid}`. This is a common RESTful API pattern where list endpoints provide lightweight summaries, and full details require fetching each resource individually.

Exam trap

Cisco often tests the misconception that adding a query parameter like `?expand=*` or `?details=true` will magically include all fields in a list response, when in reality the correct approach is to fetch individual resources by their unique identifier (Moid).

How to eliminate wrong answers

Option A is wrong because the endpoint `/api/v1/compute/PhysicalSummary?details=true` does not exist; the Intersight API does not support a `details` query parameter on this endpoint, and the correct endpoint for full details is the individual resource endpoint using the Moid. Option B is wrong because the `?expand=*` query parameter is not a valid parameter in the Intersight REST API; Intersight uses a different mechanism (e.g., `$select` or `$expand` in OData-style queries), but `expand=*` is not supported and would be ignored or cause an error. Option D is wrong because the API key permissions are not the issue: the administrator already has the appropriate permissions (as stated), and the missing fields are due to the endpoint design, not authorization.

232 · MCQ · medium

Based on the exhibit, which interface is in a state that prevents it from sending or receiving IP traffic?

A. GigabitEthernet0/2
B. GigabitEthernet0/0
C. GigabitEthernet0/1
D. None of the interfaces are down

Answer: C

It is administratively down, so no traffic can pass.

Why this answer

Interface GigabitEthernet0/1 is in the 'administratively down' state, as indicated by the 'down' status in the 'Status' column and the 'down' in the 'Protocol' column. This means the interface has been manually disabled with the 'shutdown' command, preventing it from sending or receiving any IP traffic. In contrast, interfaces that are 'up/up' can forward traffic, while 'up/down' indicates a Layer 1 issue but still allows Layer 2 control plane traffic.

Exam trap

Cisco often tests the distinction between 'administratively down' (Status: down) and 'up/down' (Status: up, Protocol: down), where candidates mistakenly assume any 'down' protocol means no IP traffic is possible, but only the administratively down state explicitly prevents all traffic due to manual shutdown.

How to eliminate wrong answers

Option A is wrong because GigabitEthernet0/2 shows 'up' in both Status and Protocol columns, meaning it is fully operational and can send/receive IP traffic. Option B is wrong because GigabitEthernet0/0 shows 'up' in Status and 'down' in Protocol, indicating a Layer 1 connectivity issue (e.g., no cable or faulty transceiver) but the interface is not administratively disabled; it still attempts to send/receive Layer 2 frames, though IP traffic may fail due to the protocol being down. Option D is wrong because GigabitEthernet0/1 is indeed in a state that prevents IP traffic (administratively down), so not all interfaces are operational.

233 · Multi-Select · medium

Which TWO of the following are characteristics of a declarative automation model? (Select exactly 2.)

Select 2 answers
A. It requires procedural scripts
B. You specify the desired end state
C. Idempotency is not a concern
D. The tool handles ordering and dependencies
E. You specify the exact steps to achieve the state

Answers: B, D

Declarative defines what, not how.

Why this answer

In a declarative automation model, you specify the desired end state of the system, not the steps to achieve it. This is a core characteristic because the automation tool (e.g., Ansible, Terraform, Puppet) interprets the desired state and determines the necessary actions to reach it, making option B correct.

Exam trap

Cisco often tests the distinction between declarative and imperative models by presenting options that sound plausible but reverse the roles, such as confusing 'specify the end state' with 'specify the exact steps', or assuming idempotency is irrelevant in declarative models.

234 · Multi-Select · medium

Which TWO of the following are benefits of using NETCONF over SNMP for network automation? (Select exactly 2.)

Select 2 answers
A. Structured data models (YANG)
B. Lower CPU usage on devices
C. Binary data encoding
D. Transactional configuration changes
E. Simple polling mechanism

Answers: A, D

YANG provides standardized data models.

Why this answer

Option A is correct because NETCONF uses YANG (RFC 6020/7950) to define structured, hierarchical data models, enabling consistent and predictable configuration and state data retrieval. This contrasts with SNMP's flat MIB structure, which is less flexible for complex automation tasks. Option D is correct because NETCONF supports candidate configurations and confirmed commits (RFC 6241, Section 8.4), allowing transactional changes that can be validated and rolled back atomically, whereas SNMP lacks built-in transaction support.

Exam trap

Cisco often tests the misconception that NETCONF is 'lighter' than SNMP, but the trap here is that NETCONF's XML and SSH overhead actually increase CPU usage, while SNMP's binary encoding and UDP make it more efficient for simple monitoring tasks.

235 · MCQ · medium

An engineer needs to transfer a router configuration file to a server in the same network using a simple protocol that does not require authentication. Which protocol is best?

A. SCP
B. TFTP
C. FTP
D. HTTP

Answer: B

TFTP has no authentication and is simple to implement.

Why this answer

TFTP (Trivial File Transfer Protocol) is the best choice because it is a lightweight, connectionless protocol that operates over UDP (port 69) and does not require any authentication or user credentials. It is commonly used for transferring router configuration files and IOS images in local network environments where simplicity and speed are prioritized over security.

Exam trap

Cisco often tests the distinction between TFTP and SCP, where candidates mistakenly choose SCP because it is secure, overlooking the explicit requirement for a protocol that does not require authentication.

How to eliminate wrong answers

Option A (SCP) is wrong because it relies on SSH for authentication and encryption, requiring credentials and adding overhead that is unnecessary for a simple, unauthenticated transfer. Option C (FTP) is wrong because it typically requires username/password authentication and uses TCP, making it more complex and less suitable for a no-authentication requirement. Option D (HTTP) is wrong because while it can be used without authentication, it is designed for web content transfer and often involves more overhead (TCP-based) and is not the standard protocol for router configuration file transfers in a local network.

236 · MCQ · hard

When using NETCONF to edit the configuration of a Cisco IOS XE device, an engineer receives an <rpc-error> with error-tag 'in-use' and error-app-tag 'data-exists'. What does this error indicate?

A. The NETCONF session was closed due to a timeout.
B. The RPC message was malformed.
C. The configuration being added already exists on the device.
D. The device does not have the required user permissions.

Answer: C

data-exists indicates duplicate data.

Why this answer

The error-tag 'in-use' combined with the error-app-tag 'data-exists' in NETCONF indicates that the configuration operation (e.g., <edit-config> with operation 'create') attempted to add a configuration element that already exists in the running datastore. NETCONF uses these standardized error tags per RFC 6241 to signal that the requested operation cannot be completed because the target data node is already present, preventing duplicate configuration entries.

Exam trap

Cisco often tests the distinction between NETCONF <edit-config> operations (create vs. merge vs. replace) and their corresponding error tags, leading candidates to confuse 'in-use' with permission or syntax errors.

How to eliminate wrong answers

Option A is wrong because a session timeout would generate an <rpc-error> with error-tag 'session-timeout' or 'transport-error', not 'in-use'. Option B is wrong because a malformed RPC message would produce error-tag 'malformed-message' or 'operation-failed', not 'in-use'. Option D is wrong because insufficient permissions would result in error-tag 'access-denied' or 'authorization-error', not 'in-use'.

237 · MCQ · hard

A developer is building a chat application that requires low-latency communication, and occasional packet loss is acceptable. Which transport protocol should the developer choose?

A. UDP
B. RTP
C. QUIC
D. TCP

Answer: A

UDP is connectionless and low-latency; packet loss is acceptable in this scenario.

Why this answer

UDP is the correct choice because it provides low-latency, connectionless communication without retransmission or congestion control, making it ideal for real-time chat applications where occasional packet loss is acceptable. Unlike TCP, UDP does not require a handshake or acknowledgment, minimizing delay and overhead.

Exam trap

Cisco often tests the distinction between transport protocols and application-layer protocols, so candidates may confuse RTP (which is not a transport protocol) with UDP, or assume QUIC is a transport protocol when it is actually an application-layer protocol built on UDP.

How to eliminate wrong answers

Option B (RTP) is wrong because RTP is an application-layer protocol that typically runs over UDP to deliver real-time media, but it is not a transport protocol itself; the question asks for a transport protocol. Option C (QUIC) is wrong because QUIC, while offering lower latency than TCP, is built on top of UDP and includes reliability and congestion control features that are unnecessary when packet loss is acceptable, and it is not a pure transport protocol in the OSI model. Option D (TCP) is wrong because TCP's reliability mechanisms (retransmission, flow control, congestion avoidance) introduce latency and overhead that conflict with the requirement for low-latency communication, and its connection-oriented nature is unsuitable when occasional packet loss is acceptable.

238 · MCQ · easy

A team is deploying a new microservice on Cisco Container Platform. The microservice needs to access a database hosted on a separate VM. The security policy requires that only the microservice can communicate with the database, and all traffic must be encrypted. The team is using Kubernetes network policies and mutual TLS. During testing, the microservice cannot reach the database. The database team reports that the database is reachable from other services. What is the most likely cause?

A. A Kubernetes NetworkPolicy is blocking egress from the microservice pod to the database IP
B. The database server is not listening on the expected port
C. The mutual TLS certificates are expired or not trusted
D. The Istio sidecar proxy is misconfigured and rejecting traffic due to a missing ServiceEntry

Answer: A

Network policies can restrict traffic; a default deny or misconfigured policy could block the connection.

Why this answer

The most likely cause is that a Kubernetes NetworkPolicy is blocking egress from the microservice pod to the database IP. Since the database is reachable from other services, the issue is specific to the microservice pod's network access. A NetworkPolicy that does not explicitly allow egress traffic to the database IP will default to denying that traffic, preventing the microservice from reaching the database even though the database itself is operational.

Exam trap

Cisco often tests the default-deny behavior of Kubernetes NetworkPolicy, where candidates mistakenly assume that no policy means all traffic is allowed, but the trap is that once a policy selects a pod, all unallowed traffic is implicitly denied, including egress to external IPs.

How to eliminate wrong answers

Option B is wrong because the database is reachable from other services, indicating it is listening on the expected port. Option C is wrong because mutual TLS certificate issues would typically cause authentication failures or connection resets, not a complete inability to reach the database (the microservice would still establish a TCP connection). Option D is wrong because Istio sidecar proxy misconfiguration or a missing ServiceEntry would affect service mesh routing, but the question states the team is using Kubernetes network policies and mutual TLS, not explicitly Istio; moreover, a missing ServiceEntry would cause traffic to be rejected at the proxy level, but the core issue is network-level egress blocking, which is more directly addressed by NetworkPolicy.

239 · MCQ · medium

A Python script uses the `requests` library to fetch device details from Cisco DNA Center. The API returns a JSON response with nested objects. To extract the management IP address from the response stored in variable `data`, which code snippet is correct? The JSON structure is:

    {
      "response": [
        {
          "managementIpAddress": "192.168.1.1",
          "hostname": "router1"
        }
      ]
    }

A. data.managementIpAddress
B. data['response']['managementIpAddress']
C. data.get('response')[0].get('managementIpAddress')
D. data['response'][0]['managementIpAddress']

Answer: D

Correctly indexes into the list and retrieves the management IP.

Why this answer

The response contains a list under the key 'response'; the first element of that list is a dictionary, so the correct access is data['response'][0]['managementIpAddress']. Option B fails because it tries to index the list with a string key, and Option A fails because Python dictionaries do not expose keys as attributes. Option C also works at runtime, but the question asks for the direct, idiomatic form, which is Option D.

240 · MCQ · medium

A university IT department manages a Cisco Meraki network with 200 MR access points and 50 MS switches. They use the Meraki dashboard API to automate network provisioning. A new student dormitory was added, and the team needs to create a new network and claim devices. They have a Python script that uses the Meraki API to create the network and then claim devices by serial numbers. The script successfully creates the network but fails when claiming devices with a 400 error: 'Device serial number is not valid or already claimed'. The serial numbers are correct and unused. The API key has full organization access. The script uses the endpoint 'POST /networks/{networkId}/devices/claim' with the correct body. What is the most likely cause of the failure?

A. The API key does not have permission to claim devices.
B. The serial numbers contain a typo.
C. The devices have not been added to the organization's inventory first.
D. The devices are not Meraki MR or MS models.

Answer: C

Devices must be claimed into the organization before being assigned to a network.

Why this answer

Option C is correct because in the Meraki API workflow, devices must first be added to the organization's inventory via the 'POST /organizations/{organizationId}/inventory/devices' endpoint before they can be claimed into a specific network. The 400 error 'Device serial number is not valid or already claimed' occurs when the serial numbers are not present in the organization's inventory, even if they are correct and unused. The script successfully creates the network but fails at the claim step because the devices have not been inventoried at the organization level.

Exam trap

Cisco often tests the distinction between organization-level inventory and network-level claiming, trapping candidates who assume that claiming a device automatically adds it to the organization's inventory or that a valid serial number is sufficient without prior inventory registration.

How to eliminate wrong answers

Option A is wrong because the API key has full organization access, which includes permission to claim devices; a permission issue would typically result in a 403 Forbidden error, not a 400 error. Option B is wrong because the question explicitly states that the serial numbers are correct and unused, so a typo is not the cause. Option D is wrong because the devices are MR and MS models, which are supported by the Meraki dashboard API for claiming; the error message does not indicate an unsupported model.

241 · MCQ · hard

A network automation team uses Ansible to manage Cisco ACI fabrics. They have a playbook that creates application profiles using the 'aci_ap' module. Recently, they started using a new Python script that directly uses the Cisco ACI REST API to perform the same tasks. The script often fails with a 403 Forbidden error, although the Ansible playbook works fine. The authentication method is the same: basic authentication over HTTPS. The API user has the same privileges. Which of the following is the most likely cause?

A. The script is not including the APIC cookie in subsequent requests
B. The script is not setting the proper Content-Type header for POST requests
C. The script is using HTTP instead of HTTPS
D. The API user's password was changed between runs

Answer: A

ACI requires a session cookie; missing it results in 403.

Why this answer

The Cisco ACI REST API requires the token returned from the login to be sent as a cookie in subsequent requests. The script likely overlooks this step, while Ansible handles it automatically. Option A is correct.

Option C (HTTP instead of HTTPS) would cause a different error. Option D (password change) would affect both the script and the Ansible playbook. Option B (Content-Type) might cause a 400, not a 403.

242 · MCQ · easy

When using the Cisco Meraki Dashboard API to create an HTTP webhook for network alerts, which authentication method is required in the request header?

A. Authorization: Bearer <token>
B. Include the API key as a query parameter.
C. Authorization: Basic <base64>
D. X-Cisco-Meraki-API-Key: <your_api_key>

Answer: D

Meraki requires this custom header.

Why this answer

The Cisco Meraki Dashboard API requires authentication via a custom HTTP header named `X-Cisco-Meraki-API-Key`, where the value is your API key. This is the only supported method for authenticating requests to the Meraki API, as documented in the official API reference. Option D correctly specifies this header, making it the required authentication method for creating an HTTP webhook for network alerts.

Exam trap

Cisco often tests the distinction between standard authentication methods (Bearer tokens, Basic Auth) and vendor-specific custom headers, so the trap here is that candidates may assume a common standard like OAuth 2.0 or Basic Auth applies, when the Meraki API explicitly requires its own proprietary header.

How to eliminate wrong answers

Option A is wrong because the Meraki API does not use OAuth 2.0 Bearer tokens; it uses a custom API key header instead. Option B is wrong because passing the API key as a query parameter is insecure and not supported by the Meraki API; the key must be sent in a header. Option C is wrong because HTTP Basic Authentication (Base64-encoded credentials) is not used by the Meraki API; it relies solely on the `X-Cisco-Meraki-API-Key` header.

243 · MCQ · easy

Which design principle suggests that a module should be responsible for a single part of the functionality?

A. Separation of Concerns
B. YAGNI (You Aren't Gonna Need It)
C. DRY (Don't Repeat Yourself)
D. KISS (Keep It Simple, Stupid)

Answer: A

This principle dictates that each module should handle a distinct aspect of the application's functionality.

Why this answer

Option A is correct because Separation of Concerns (SoC) advocates dividing a program into distinct sections that each address a separate concern. Option C (DRY) stands for Don't Repeat Yourself, which focuses on reducing repetition. Option D (KISS) stands for Keep It Simple, Stupid, emphasizing simplicity.

Option B (YAGNI) stands for You Aren't Gonna Need It, advising against adding unnecessary features. Therefore, SoC is the principle that matches the description.

244 · MCQ · medium

Refer to the exhibit. A switch has the VLAN configuration shown. If a device is connected to interface Gi0/3 and another to Gi0/5, can they communicate if the switch is not configured with any inter-VLAN routing?

A. Yes, if the default gateway is configured on each device.
B. No, because VLAN 20 is not active on those ports.
C. No, because they are in different VLANs and no routing is configured.
D. Yes, if the devices have IP addresses in the same subnet.
E. Yes, because all ports are on the same switch.

Answer: C

VLANs isolate traffic; inter-VLAN requires layer 3 routing.

Why this answer

Option C is correct because devices in different VLANs (VLAN 10 and VLAN 20) are on separate Layer 2 broadcast domains. Without inter-VLAN routing (either a Layer 3 switch with IP routing enabled or an external router), traffic cannot cross VLAN boundaries, even if the devices share the same physical switch. The switch forwards frames only within the same VLAN unless routing is explicitly configured.

Exam trap

The trap here is that candidates assume all ports on the same switch can communicate by default, overlooking that VLANs create isolated Layer 2 domains that require routing to interconnect.

How to eliminate wrong answers

Option A is wrong because configuring a default gateway on each device only enables them to send traffic to a router; it does not enable the switch to route between VLANs. Option B is wrong because the exhibit shows VLAN 20 is active on Gi0/5 (access VLAN 20), so the port is correctly assigned; the issue is not inactivity but the VLAN mismatch. Option D is wrong because the devices are in different VLANs and thus belong to different subnets by design; even if they had IP addresses in the same subnet, the switch would still isolate them at Layer 2 because VLANs enforce separate broadcast domains.

Option E is wrong because being on the same switch does not imply Layer 3 connectivity; the switch forwards frames only within the same VLAN unless routing is configured.

245 · Multi-Select · medium

A network engineer needs to create a new subnet that can support at least 50 usable host addresses for a development environment. Which TWO subnet masks would meet this requirement? (Choose two.)

Select 2 answers
A.255.255.255.224 (/27)
B.255.255.255.128 (/25)
C.255.255.255.192 (/26)
D.255.255.255.248 (/29)
E.255.255.255.240 (/28)
AnswersB, C

Correct. /25 provides 2^(32-25)-2 = 126 usable host addresses, which is more than 50.

Why this answer

Subnet masks /25 and /26 provide 126 and 62 usable host addresses respectively, both exceeding the requirement of 50. /27 provides only 30 usable addresses, /28 provides 14, and /29 provides 6, all insufficient.
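The sizing rule above, as an added example that is not part of the original question set: a short script using the standard-library ipaddress module that converts each candidate mask to a prefix length, counts usable hosts, and reports which masks meet a requirement. The candidate masks and the 50-host requirement are the question's; the helper names are this example's own.

```python
"""Added example (not from the exam page): pick subnet masks that satisfy a
minimum usable-host requirement, using the standard-library ipaddress module.
The candidate masks and the 50-host requirement are the question's values; the
helper names are this example's own."""
import ipaddress

def usable_hosts(prefixlen: int) -> int:
    """Usable IPv4 host addresses for a prefix length (network and broadcast
    excluded). /31 and /32 have no classic usable range and report 0."""
    if not 0 <= prefixlen <= 32:
        raise ValueError("IPv4 prefix length must be 0..32")
    if prefixlen >= 31:
        return 0
    return 2 ** (32 - prefixlen) - 2

def mask_to_prefixlen(mask: str) -> int:
    """'255.255.255.192' -> 26; ipaddress rejects non-contiguous masks."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen

def masks_meeting(required: int, masks) -> list:
    """Masks (as given) whose usable host count is >= required, tightest first."""
    fitting = [(usable_hosts(mask_to_prefixlen(m)), m) for m in masks]
    return [m for hosts, m in sorted(fitting) if hosts >= required]

def smallest_prefix_for(required: int) -> int:
    """Longest prefix (smallest block) that still yields >= required usable hosts."""
    for p in range(30, -1, -1):
        if usable_hosts(p) >= required:
            return p
    raise ValueError("no IPv4 prefix satisfies the requirement")

CANDIDATES = ["255.255.255.224", "255.255.255.128", "255.255.255.192",
              "255.255.255.248", "255.255.255.240"]

if __name__ == "__main__":
    for m in CANDIDATES:
        p = mask_to_prefixlen(m)
        print(f"{m} (/{p}): {usable_hosts(p)} usable hosts")
    print("fit 50 hosts:", masks_meeting(50, CANDIDATES))
    print("tightest prefix for 50 hosts: /%d" % smallest_prefix_for(50))
```

smallest_prefix_for generalises the question: it walks from /30 down and stops at the first block that fits, so it also answers "what is the tightest mask for N hosts" for any N.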

246
MCQhard

A developer is using a Dockerfile to build an image. The image must be based on a minimal Linux distribution to reduce attack surface. Which base image should be used?

A.alpine:latest
B.ubuntu:latest
C.debian:latest
D.centos:latest
AnswerA

Alpine is a minimal distribution (~5 MB) ideal for security.

Why this answer

Alpine Linux is a minimal distribution built for small size and a reduced package set. Its base image is around 5 MB, so it ships far fewer binaries and libraries than full distributions such as Ubuntu, Debian, or CentOS, which reduces the attack surface and the number of packages that need vulnerability tracking. Two practical caveats: Alpine uses musl libc and BusyBox, so binaries built against glibc may need rebuilding, and in a real Dockerfile the `latest` tag should be replaced by a pinned version or digest so that builds are reproducible and what was scanned is what gets deployed.

Exam trap

Cisco often tests the concept that 'minimal' means fewer packages and smaller size, not just a different package manager, and the trap here is that candidates may choose a familiar distribution like Ubuntu or CentOS without considering the attack surface implications of a bloated base image.

How to eliminate wrong answers

Option B (ubuntu:latest) is wrong because Ubuntu includes a large set of pre-installed packages and libraries, resulting in a much larger image size (hundreds of MB) and a broader attack surface. Option C (debian:latest) is wrong because Debian, while stable, also ships with many default utilities and libraries that increase the image footprint and potential vulnerabilities. Option D (centos:latest) is wrong because CentOS, based on RHEL, includes a full userland and package manager, leading to a larger image and unnecessary components that expand the attack surface.

247
MCQmedium

You manage a network that uses a mix of Cisco IOS and IOS-XE devices. The company wants to implement network automation using RESTCONF and YANG. You have configured RESTCONF on a branch router running IOS-XE 16.12. You can successfully retrieve the interface configuration using a GET request from a Python script. However, when you try to modify the description of an interface using a PATCH request, you receive a 405 Method Not Allowed error. The script uses basic authentication over HTTPS. The URL is correct, and the YANG data payload is valid. What is the most likely reason for the failure?

A.The RESTCONF service on the router is not enabled for write operations.
B.The YANG payload must be in XML format instead of JSON.
C.Basic authentication is not supported for PATCH requests.
D.The PATCH request must target the entire configuration data store, not a specific interface.
AnswerA

A 405 means the method is not permitted on that resource; the RESTCONF agent on the router has to allow write operations, not only reads.

Why this answer

RESTCONF returns 405 Method Not Allowed when the HTTP method is refused for the target resource. Because GET succeeds with the same URL, credentials and transport, the request is reaching the agent and is being authenticated; what is missing is permission to change configuration. Option A is correct because, when the RESTCONF service is exposed read-only, GET is served and the edit methods (PATCH, PUT, POST, DELETE) are rejected with 405, which matches the symptom exactly. The fix is to enable write support for the RESTCONF agent and the account the script uses, then retry the PATCH.

Option B is wrong because RESTCONF accepts JSON (application/yang-data+json) as well as XML; a wrong encoding would produce a 400 or 415, not a 405. Option C is wrong because basic authentication over HTTPS applies to every method, and a credential problem would return 401. Option D is wrong because PATCH is a merge on the addressed resource, so targeting a single interface is exactly how a description is changed; there is no requirement to send the whole datastore.
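The GET-then-PATCH flow from the question, as an added example that is not part of the original page: it builds the RESTCONF URL for one interface in the IETF interfaces model, a merge payload that touches only the description, the headers the agent expects, and a small table that turns the status codes discussed above into a first check. Host, credentials and the interface name are placeholders read from environment variables; the status table is this example's own.

```python
"""Added example (not from the exam page): read and then PATCH an interface
description over RESTCONF with the requests library. Host, credentials and the
interface name are placeholders supplied via environment variables; the
response-interpretation table is this example's own."""
import base64
import json
import os

# RESTCONF media type for JSON-encoded YANG data (RFC 8040).
YANG_JSON = "application/yang-data+json"

def interface_url(host: str, ifname: str) -> str:
    """URL of one interface in ietf-interfaces. The list key follows '=', so a
    '/' inside a name such as GigabitEthernet1/0/1 must be encoded as %2F."""
    key = ifname.replace("/", "%2F")
    return f"https://{host}/restconf/data/ietf-interfaces:interfaces/interface={key}"

def description_patch(ifname: str, description: str) -> dict:
    """PATCH body: merges only the description into the existing interface and
    leaves every other leaf alone (merge semantics, unlike PUT)."""
    return {"ietf-interfaces:interface": {"name": ifname, "description": description}}

def restconf_headers(username: str, password: str) -> dict:
    """Basic auth is just base64(user:pass); HTTPS is what protects it in transit."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Accept": YANG_JSON, "Content-Type": YANG_JSON,
            "Authorization": f"Basic {token}"}

def explain_status(status: int, method: str) -> str:
    """Map the codes seen when a RESTCONF edit fails to the first thing to check."""
    table = {
        200: "ok", 204: "ok (no content returned)",
        400: "bad request: malformed payload or missing/invalid headers",
        401: "unauthorized: credentials rejected",
        403: "forbidden: account lacks privilege for this operation",
        404: "not found: check the URL path and list key encoding",
        405: f"{method} not allowed here: RESTCONF is serving reads but not writes "
             "(check that write operations are enabled for the agent/account)",
        409: "conflict: resource state changed or lock held by another session",
    }
    return table.get(status, f"unexpected HTTP {status}")

def set_description(session, host, ifname, description):
    """Perform the PATCH; returns (status_code, explanation). `session` is a
    requests.Session so the caller controls TLS verification and timeouts."""
    resp = session.patch(interface_url(host, ifname),
                         data=json.dumps(description_patch(ifname, description)),
                         timeout=10)
    return resp.status_code, explain_status(resp.status_code, "PATCH")

if __name__ == "__main__":
    import requests  # only needed for the live call
    host = os.environ["RC_HOST"]                       # assumed environment variables
    user, pw = os.environ["RC_USER"], os.environ["RC_PASS"]
    s = requests.Session()
    s.headers.update(restconf_headers(user, pw))
    s.verify = os.environ.get("RC_CA_BUNDLE", True)     # keep TLS verification on
    print(s.get(interface_url(host, "GigabitEthernet1"), timeout=10).status_code)
    print(set_description(s, host, "GigabitEthernet1", "uplink to core"))
```

Keep `verify` enabled and point it at the device's CA bundle rather than disabling certificate checks; a script that talks to routers with basic auth over an unverified TLS session hands its credentials to anyone on the path.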

248
Multi-Selectmedium

Which THREE of the following are key principles of Infrastructure as Code (IaC) as applied to network automation?

Select 3 answers
A.Manual configuration is preferred for critical devices.
B.Configuration should be idempotent.
C.Configuration should be validated through automated testing.
D.Temporary scripts should be used for one-time changes.
E.All configuration code should be stored in version control.
AnswersB, C, E

Idempotency ensures consistent state.

Why this answer

IaC principles include idempotency (repeatable results), version control (track changes), and continuous testing (validate configurations). Option A (manual configuration) is opposite. Option D (temporary scripts) is not a principle.

249
Multi-Selectmedium

A network engineer is troubleshooting an issue where hosts in VLAN 100 cannot reach a server at 10.1.1.100. The switch interfaces are configured as access ports in VLAN 100, and the default gateway is 10.1.1.1. The engineer checks the switch and finds that the ARP table does not contain the server's MAC address. Which two actions should the engineer take to resolve the issue? (Choose two.)

Select 2 answers
A.Ping the server's IP address from the switch management interface.
B.Ping the default gateway from a host in VLAN 100.
C.Check the ARP table on the default gateway router.
D.Check the MAC address table on the switch for the server's MAC.
E.Verify that the switch port connected to the server is in VLAN 100.
AnswersC, E

The gateway at 10.1.1.1 sits in the server's subnet and resolves the server's MAC itself; its ARP table shows whether the server answers ARP at all, and the switch port's VLAN membership decides whether VLAN 100 ever sees that traffic.

Why this answer

Option E is correct because if the switch port connected to the server is not in VLAN 100, the server sits in a different broadcast domain and never receives ARP requests from the VLAN 100 hosts, so nothing in VLAN 100 can learn its MAC address. Option C is correct because the default gateway (10.1.1.1) is in the server's subnet and resolves 10.1.1.100 directly: an entry on the gateway proves the server is up and answering ARP, which narrows the fault to the path between the hosts and the server, while a missing entry indicates the server is not reachable at Layer 2 from that VLAN at all.

Exam trap

Cisco often tests the distinction between the MAC address table (Layer 2 forwarding) and the ARP table (Layer 3 resolution), leading candidates to incorrectly choose checking the MAC address table when the real issue is VLAN membership affecting ARP propagation.

250
MCQmedium

Refer to the exhibit. An automation script expects the interface IP address to be configured via DHCP. Based on the output, what is the current configuration source for the IP address?

A.DHCP
B.BOOTP
C.Manual configuration (NVRAM)
D.PPP negotiation
AnswerC

The show output confirms non-volatile memory.

Why this answer

The output shows 'IP address is 192.168.1.1, subnet mask is 255.255.255.0' with no DHCP or BOOTP flags, and the configuration is stored in NVRAM (startup-config). This indicates the IP was manually configured (typed by an administrator) and saved, not obtained via DHCP. Option C is correct because the source is manual configuration from NVRAM.

Exam trap

Cisco often tests the distinction between 'how an IP is assigned' (DHCP vs. manual) and 'where the config is stored' (running-config vs. NVRAM), leading candidates to mistakenly think any saved config implies DHCP when it actually indicates manual configuration.

How to eliminate wrong answers

Option A is wrong because DHCP would show 'IP address negotiated via DHCP' or a DHCP-assigned address with a lease, and the output lacks any DHCP client identifier or lease information. Option B is wrong because BOOTP is a legacy protocol that assigns IP addresses statically from a BOOTP server, and the output shows no BOOTP server interaction or 'bootp' flag. Option D is wrong because PPP negotiation applies to serial interfaces using PPP encapsulation, not to Ethernet interfaces, and the output shows no PPP-related parameters like IPCP negotiation.

251
MCQhard

In a Python application that uses the ncclient library to manage Cisco devices via NETCONF, the developer encounters an error: 'ncclient.transport.errors.SessionCloseError: session closed on error'. Which of the following is the most likely cause?

A.The NETCONF session timed out due to inactivity
B.The device does not support base NETCONF 1.0
C.The device's SSH key has changed
D.The device does not support the candidate datastore
AnswerA

Idle session timeouts are a common cause of SessionCloseError.

Why this answer

SessionCloseError is raised when the transport reports that the NETCONF session was closed by the other side; the common trigger is the device tearing down a session that sat idle past its timeout, so option A is the most likely cause. Option C (a changed SSH host key) fails earlier, at connect time, as a host-key verification error rather than a closed session. Option D (no candidate datastore) produces an RPC error, or a missing `:candidate` capability, when the operation is attempted, not a session close. Option B (no base NETCONF 1.0 support) would fail during the hello and capability exchange, before any session is usable.
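How a script should react to the idle-timeout case, as an added example that is not part of the original page: a wrapper that runs one NETCONF operation and, if the session is closed underneath it, reconnects once and retries, while letting RPC, authentication and host-key errors propagate unchanged. The wrapper is generic and is exercised here with an in-memory stand-in for a device that drops idle sessions; the ncclient usage in the comment assumes a reachable device and credentials in environment variables.

```python
"""Added example (not from the exam page): retry a NETCONF operation once after
the server closes an idle session. The reconnect wrapper is generic and is
exercised here with an in-memory stand-in; the ncclient usage under __main__
assumes a reachable device and credentials in environment variables."""

class SessionClosed(Exception):
    """Stand-in for ncclient.transport.errors.SessionCloseError."""

def run_with_reconnect(connect, operation, closed_exc=SessionClosed, attempts=2):
    """Open a session with connect(), run operation(session); if the session is
    closed underneath us, reconnect and retry, up to `attempts` tries total.
    Only the session-closed error is retried: RPC errors, auth or host-key
    failures propagate immediately, since repeating them will not help."""
    last = None
    for _ in range(attempts):
        session = connect()
        try:
            return operation(session)
        except closed_exc as exc:
            last = exc
            continue
        finally:
            try:
                session.close_session()
            except closed_exc:
                pass  # already gone; nothing to close
    raise last

class FakeSession:
    """Constructed for the demo: behaves like a device that drops the session
    after `idle_limit` seconds without a request."""
    clock = 0.0  # simulated wall clock shared by all fake sessions

    def __init__(self, idle_limit):
        self.idle_limit, self.last_used, self.open = idle_limit, FakeSession.clock, True

    def get_config(self, source="running"):
        if not self.open or FakeSession.clock - self.last_used > self.idle_limit:
            self.open = False
            raise SessionClosed("session closed on error")
        self.last_used = FakeSession.clock
        return f"<data source='{source}'/>"

    def close_session(self):
        if not self.open:
            raise SessionClosed("already closed")
        self.open = False

def demo_idle_then_recover(idle_limit=30, pause=60):
    """Connect, sit idle past the timeout, then call: the first attempt raises
    SessionClosed, the wrapper reconnects and the retry succeeds.
    Returns (connections_made, result)."""
    connections = []

    def connect():
        connections.append(1)
        return FakeSession(idle_limit)

    def op(session):
        if len(connections) == 1:
            FakeSession.clock += pause  # idle longer than the device allows
        return session.get_config()

    result = run_with_reconnect(connect, op)
    return len(connections), result

if __name__ == "__main__":
    print(demo_idle_then_recover())  # (2, "<data source='running'/>")
    # Real use, assuming ncclient is installed and NC_HOST/NC_USER/NC_PASS are set:
    # import os
    # from ncclient import manager
    # from ncclient.transport.errors import SessionCloseError
    # connect = lambda: manager.connect(host=os.environ["NC_HOST"], port=830,
    #     username=os.environ["NC_USER"], password=os.environ["NC_PASS"],
    #     hostkey_verify=True)  # keep host-key checking on; a changed key should fail loudly
    # print(run_with_reconnect(connect, lambda m: m.get_config("running").data_xml,
    #                          closed_exc=SessionCloseError))
```

The design point is the narrow except: retrying on every exception would silently repeat a failed edit-config or mask a host-key mismatch, which is the one error a security-minded script must never paper over.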

252
Multi-Selecthard

A company is implementing a secure CI/CD pipeline. Which THREE practices are essential for securing the pipeline?

Select 3 answers
A.Sign and verify all build artifacts.
B.Allow all container images to be pulled from any public registry.
C.Store secrets (API keys, passwords) in version control.
D.Implement role-based access control (RBAC) on the CI/CD system.
E.Use static application security testing (SAST) tools in the build stage.
AnswersA, D, E

Signing ensures artifacts are not tampered with.

Why this answer

Signing and verifying build artifacts ensures integrity and authenticity, preventing tampered artifacts from being deployed. This is a core supply chain security practice, often implemented using tools like GPG or Sigstore (Cosign) to generate and validate cryptographic signatures. Without verification, an attacker could inject malicious code into the pipeline by replacing a signed artifact with a compromised one.

Exam trap

Cisco often tests the misconception that 'allowing any public registry' is acceptable for speed or convenience, but the correct practice is to restrict registries to trusted, scanned sources to prevent supply chain attacks.
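The registry restriction described in the exam trap, as an added example that is not part of the original page: a pipeline gate that parses every image reference a build will pull and refuses any that comes from a registry outside an allowlist or is not pinned to a digest (a mutable tag can be repointed at a different image after it was scanned or signed). The allowlist and the sample references are constructed for the demo.

```python
"""Added example (not from the exam page): a pipeline gate that refuses
container image references that come from an untrusted registry or are not
pinned to a digest, the control behind rejecting option B. The allowlist and
the sample references are constructed for the demo."""
import re

TRUSTED_REGISTRIES = {"registry.internal.example", "ghcr.io/acme"}  # assumed allowlist

# name[:tag][@sha256:<64 hex>]; the name may carry a registry host with a port.
_REF = re.compile(
    r"^(?P<name>[a-zA-Z0-9._-]+(?::\d+)?(?:/[a-zA-Z0-9._-]+)*)"
    r"(?::(?P<tag>[\w][\w.-]{0,127}))?"
    r"(?:@(?P<digest>sha256:[0-9a-f]{64}))?$")

def parse_ref(ref: str) -> dict:
    m = _REF.match(ref)
    if not m:
        raise ValueError(f"not a valid image reference: {ref!r}")
    name = m.group("name")
    first = name.split("/", 1)[0]
    # Docker's rule: the first component is a registry only if it looks like a host.
    if "." in first or ":" in first or first == "localhost":
        registry = first
    else:
        registry = "docker.io"  # unqualified names default to Docker Hub
    return {"registry": registry, "name": name,
            "tag": m.group("tag"), "digest": m.group("digest")}

def registry_trusted(name: str, registry: str) -> bool:
    """Trusted if the registry host, or host plus a namespace prefix such as
    'ghcr.io/acme', is on the allowlist."""
    if registry in TRUSTED_REGISTRIES:
        return True
    return any(name == r or name.startswith(r + "/") for r in TRUSTED_REGISTRIES)

def check_image(ref: str) -> list:
    """Policy violations for one reference; an empty list means it is allowed."""
    p = parse_ref(ref)
    problems = []
    if not registry_trusted(p["name"], p["registry"]):
        problems.append(f"untrusted registry {p['registry']}")
    if p["digest"] is None:
        problems.append("not pinned to a digest (tags are mutable)")
    elif p["tag"] == "latest":
        problems.append("'latest' tag alongside a digest is misleading; drop the tag")
    return problems

def gate(refs) -> dict:
    """Evaluate every reference a build will pull; fail the pipeline if any
    entry is non-empty."""
    return {r: check_image(r) for r in refs}

SAMPLE_REFS = [  # constructed examples
    "registry.internal.example/app/api@sha256:" + "a" * 64,
    "ghcr.io/acme/base:3.19@sha256:" + "b" * 64,
    "alpine:latest",
    "docker.io/library/python:3.12",
    "ghcr.io/someone-else/tool@sha256:" + "c" * 64,
]

if __name__ == "__main__":
    for ref, problems in gate(SAMPLE_REFS).items():
        print(("ALLOW " if not problems else "DENY  ") + ref, problems)
```

Pair this gate with the signature verification from option A: the digest check guarantees you run the bytes that were scanned, and the signature check guarantees those bytes came from your own build.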

253
MCQmedium

During a network outage, a technician notices that hosts in VLAN 10 cannot reach the default gateway at 192.168.10.1, but hosts in VLAN 20 can. The switch interfaces are up, and the router is configured with subinterfaces. What is the most likely cause?

A.The trunk link is administratively down.
B.The switchport trunk native VLAN is mismatched.
C.The router subinterface for VLAN 10 is down or misconfigured.
D.The router does not have an IP address configured.
AnswerC

A down or misconfigured subinterface prevents routing for that VLAN.

Why this answer

The router subinterface for VLAN 10 is down or misconfigured. Since hosts in VLAN 10 cannot reach the default gateway but hosts in VLAN 20 can, the issue is isolated to VLAN 10. The router uses subinterfaces to route between VLANs via a trunk link; if the subinterface for VLAN 10 is down (e.g., no 'no shutdown' command) or misconfigured (e.g., wrong VLAN ID or encapsulation), it will not process traffic for that VLAN, while other subinterfaces remain functional.

Exam trap

Cisco often tests the misconception that a trunk link issue or native VLAN mismatch would affect all VLANs equally, when in fact a subinterface-specific problem (like being administratively down or misconfigured) can isolate a single VLAN.

How to eliminate wrong answers

Option A is wrong because if the trunk link were administratively down, all VLANs (including VLAN 20) would be affected, not just VLAN 10. Option B is wrong because a native VLAN mismatch on a trunk would cause issues for untagged traffic (typically VLAN 1) or potential spanning-tree problems, but it would not selectively break only VLAN 10 while VLAN 20 works. Option D is wrong because the router does have IP addresses configured (as implied by the default gateway 192.168.10.1 for VLAN 10 and presumably another for VLAN 20), and the problem is specific to VLAN 10, not a global lack of IP configuration.

254
MCQhard

Refer to the exhibit. A service engineer runs a 'check-sync' action on the NSO service 'vpn1'. The result shows 'out-of-sync' for device 'pe1'. What does this indicate?

A.The device pe1 is unreachable via NETCONF.
B.The service model in NSO does not have a configuration for pe1.
C.The device pe1 has a hardware failure.
D.The configuration on pe1 differs from the service model defined in NSO.
AnswerD

Check-sync compares device config with service model.

Why this answer

The 'check-sync' action in NSO compares the actual device configuration (retrieved via NETCONF or CLI) against the configuration that NSO's service model expects. An 'out-of-sync' result for device 'pe1' means the running configuration on pe1 does not match the configuration defined by the NSO service model for that device. This is a standard NSO feature to detect configuration drift.

Exam trap

The trap here is confusing 'out-of-sync' with connectivity or hardware issues; Cisco tests whether you understand that NSO's check-sync is a configuration comparison mechanism, not a reachability or health check.

How to eliminate wrong answers

Option A is wrong because 'out-of-sync' does not indicate reachability; if pe1 were unreachable via NETCONF, the check-sync action would fail with a connection error, not return 'out-of-sync'. Option B is wrong because if the service model had no configuration for pe1, NSO would not attempt a check-sync on that device, or the result would indicate 'no configuration' rather than 'out-of-sync'. Option C is wrong because hardware failures are not detected by NSO's configuration synchronization mechanism; NSO operates at the configuration management layer, not the hardware monitoring layer.

255
MCQhard

A network engineer is designing a REST API using Python Flask to allow provisioning of VPN tunnels. The API must support multiple clients and must be secure. Which approach is most appropriate for authenticating and authorizing API requests?

A.Use OAuth 2.0 with client credentials grant
B.Use HTTP Basic Authentication with a dictionary of usernames and passwords
C.Embed a shared secret in each client's source code
D.Issue API tokens to each client and validate them on each request
AnswerD

Per-client API tokens, validated on every request and carrying scopes, are a standard way to authenticate and authorize API clients.

Why this answer

Issuing each client its own token, validating it on every request over HTTPS and attaching scopes to it gives per-client identity, revocation and fine-grained authorization, which is why option D is the best fit among the choices. Option B is wrong because an in-code dictionary of usernames and passwords is neither manageable nor safe: credentials live in source, there is no per-client revocation and no notion of scope. Option C is wrong because a secret embedded in client source code is shared by every client, cannot be rotated for one client without rebuilding all of them, and is trivially extracted from the binary. Option A, OAuth 2.0 with the client credentials grant, is a sound machine-to-machine choice and ultimately also yields a bearer token, but it presumes an authorization server the question does not describe; given the options, directly issued API tokens are the most appropriate.
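The token scheme from option D, as an added example that is not part of the original page: tokens are random, only their SHA-256 hash is stored server-side (a leaked database does not yield usable tokens), lookup uses a constant-time comparison, and each token carries the scopes a request is checked against, producing 401 for a missing or unknown token and 403 for a valid token without the right scope. The client names, scopes and the Flask wiring in the trailing comment are this example's assumptions.

```python
"""Added example (not from the exam page): bearer-token authentication with
per-client scopes for a provisioning API. Tokens are issued once, only their
SHA-256 hash is kept server-side, and the lookup uses a constant-time compare.
The client names, scopes and the optional Flask wiring under __main__ are this
example's assumptions."""
import hashlib
import hmac
import secrets

def issue_token() -> str:
    """Random 256-bit token, URL-safe; hand this to the client exactly once."""
    return secrets.token_urlsafe(32)

def token_hash(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

class TokenStore:
    """Maps token hashes to client records {'client': ..., 'scopes': {...}}."""

    def __init__(self):
        self._records = {}

    def register(self, client: str, scopes) -> str:
        token = issue_token()
        self._records[token_hash(token)] = {"client": client, "scopes": set(scopes)}
        return token  # the store never retains the raw token

    def lookup(self, presented: str):
        """Hash first so every comparison has the same length, then compare in
        constant time against each stored hash so timing reveals nothing."""
        h = token_hash(presented)
        for stored, record in self._records.items():
            if hmac.compare_digest(stored, h):
                return record
        return None

    def revoke(self, token: str) -> bool:
        return self._records.pop(token_hash(token), None) is not None

def authorize(store: TokenStore, authorization_header, required_scope: str):
    """Return (status, client): 401 when no valid token is presented, 403 when
    the token is valid but lacks the scope, 200 otherwise."""
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return 401, None
    record = store.lookup(authorization_header[len("Bearer "):].strip())
    if record is None:
        return 401, None
    if required_scope not in record["scopes"]:
        return 403, record["client"]
    return 200, record["client"]

if __name__ == "__main__":
    store = TokenStore()
    ro = store.register("monitoring", {"vpn:read"})
    rw = store.register("provisioner", {"vpn:read", "vpn:write"})
    print(authorize(store, f"Bearer {ro}", "vpn:write"))  # (403, 'monitoring')
    print(authorize(store, f"Bearer {rw}", "vpn:write"))  # (200, 'provisioner')
    print(authorize(store, "Basic abc", "vpn:read"))       # (401, None)
    # Flask wiring, assuming Flask is installed (hypothetical route):
    # from flask import Flask, request, abort, jsonify
    # app = Flask(__name__)
    # @app.post("/tunnels")
    # def create_tunnel():
    #     status, client = authorize(store, request.headers.get("Authorization"), "vpn:write")
    #     if status != 200:
    #         abort(status)
    #     return jsonify({"created_by": client}), 201
```

Serve this only over HTTPS: a bearer token is a password-equivalent in transit, and the store design above only protects it at rest.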

256
MCQhard

A developer is using Cisco NSO to create a service. They are evaluating whether to use Python or Java for plan callbacks. Which consideration is most important?

A.Java is preferred due to better integration with NSO's internal data model
B.Python is the only supported language for custom service code in NSO
C.Both are equally supported, but Python has more extensive libraries for networking
D.Python is preferred due to faster execution
AnswerC

Python's rich ecosystem and readability make it a common choice.

Why this answer

Option C is correct because Cisco NSO supports both Python and Java for service callbacks, and the choice between them usually hinges on the team's familiarity and the specific requirements of the service. Python is favored in many networking contexts because of its extensive ecosystem of libraries (for NETCONF, RESTCONF, SNMP and data handling), which accelerates development. Java is equally supported and may be chosen for components that need to integrate with existing Java tooling or with NSO's Java API.

Exam trap

Cisco often tests the misconception that Python is the only or primary language for NSO customizations, when in fact both Python and Java are fully supported, and the choice depends on factors like library availability and developer expertise, not exclusivity or raw performance.

How to eliminate wrong answers

Option A is wrong because Java does not have inherently better integration with NSO's internal data model; both Python and Java interact with NSO's CDB and service models through well-defined APIs (the Python ncs module and the Java Maapi/NAVU APIs). Option B is wrong because Python is not the only supported language for custom service code; NSO supports both Python and Java for service callbacks and action implementations. Option D is wrong because Python is generally slower in execution than Java (interpreted versus JIT-compiled), so faster execution is not a valid reason to prefer Python.

257
Multi-Selectmedium

A developer receives HTTP 409 Conflict when updating a network configuration via Cisco NX-OS API. Which two scenarios could cause this error?

Select 2 answers
A.The resource was recently modified by another client.
B.The update conflicts with a lock held by another transaction.
C.The request body contains malformed JSON.
D.The request includes unsupported parameters.
E.The API key used is invalid.
AnswersA, B

A concurrent modification leads to a version conflict, resulting in 409.

Why this answer

HTTP 409 Conflict indicates a request conflicts with the current state of the resource. In the context of Cisco NX-OS API, this error occurs when the resource was recently modified by another client (option A) or when the update conflicts with a lock held by another transaction (option B). Both scenarios involve a state mismatch that the server cannot resolve without client intervention, often requiring the client to re-fetch the resource and retry.

Exam trap

Cisco often tests the distinction between client-side errors (400, 401) and server-side state conflicts (409), so the trap here is confusing a malformed request or authentication failure with a resource state conflict.

258
MCQeasy

Based on the exhibit, which interface is in a down/down state (both Status and Protocol are down)?

A.None
B.GigabitEthernet0/2
C.GigabitEthernet0/0
D.GigabitEthernet0/1
AnswerD

Gig0/1 shows Status down and Protocol down.

Why this answer

Option D is correct because the exhibit lists GigabitEthernet0/1 with both Status and Protocol as 'down'. In 'show ip interface brief' output, the Status column is the physical (Layer 1) state of the interface and the Protocol column is the line-protocol (Layer 2) state. A plain 'down/down' means the physical layer has not come up, typically a disconnected cable, a dead link partner or a transceiver problem; an interface disabled with the 'shutdown' command would instead show 'administratively down/down'.

Exam trap

Cisco often tests the ability to read the 'show interfaces' output correctly, where candidates may confuse the 'Status' and 'Protocol' columns or misinterpret an 'up/up' state as a problem, leading them to select a wrong interface like GigabitEthernet0/0 or GigabitEthernet0/2.

How to eliminate wrong answers

Option A is wrong because the exhibit clearly shows at least one interface (GigabitEthernet0/1) with both Status and Protocol down, so 'None' is incorrect. Option B is wrong because GigabitEthernet0/2 shows Status as 'up' and Protocol as 'up', indicating a fully operational interface. Option C is wrong because GigabitEthernet0/0 shows Status as 'up' and Protocol as 'up', meaning it is also fully functional.
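Reading that output programmatically, as an added example that is not part of the original page: a parser for 'show ip interface brief' lines that separates 'down/down' from 'administratively down' and also exposes the Method column (NVRAM, manual, DHCP) that an automation script checks before acting on an interface. The sample output is constructed for the demo, not the exhibit from the question.

```python
"""Added example (not from the exam page): parse 'show ip interface brief' output
and report interfaces by Status/Protocol state, the check an automation script
makes before acting on an interface. The sample output below is constructed for
the demo, not the exhibit from the question."""
import re

SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     192.168.1.1     YES NVRAM  up                    up
GigabitEthernet0/1     unassigned      YES unset  down                  down
GigabitEthernet0/2     10.0.0.1        YES manual up                    up
GigabitEthernet0/3     unassigned      YES unset  administratively down down
Vlan1                  unassigned      YES unset  up                    up
"""

# Status may be two words ('administratively down'); Protocol is always last.
_ROW = re.compile(
    r"^(?P<iface>\S+)\s+(?P<ip>\S+)\s+(?P<ok>\S+)\s+(?P<method>\S+)\s+"
    r"(?P<status>up|down|administratively down)\s+(?P<protocol>up|down)\s*$")

def parse_ip_int_brief(text: str) -> list:
    """One dict per interface row; the header and blank lines do not match."""
    rows = []
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            rows.append(m.groupdict())
    return rows

def down_down(rows) -> list:
    """Physical layer down and line protocol down, but NOT shut by an admin:
    a cable, transceiver or peer problem rather than a 'shutdown' command."""
    return [r["iface"] for r in rows if r["status"] == "down" and r["protocol"] == "down"]

def admin_down(rows) -> list:
    return [r["iface"] for r in rows if r["status"] == "administratively down"]

def address_source(rows, iface: str):
    """Method column: 'NVRAM' or 'manual' mean a configured address, 'DHCP'
    appears when the interface learned its address from a DHCP server."""
    for r in rows:
        if r["iface"] == iface:
            return r["method"]
    return None

if __name__ == "__main__":
    rows = parse_ip_int_brief(SAMPLE_OUTPUT)
    print("down/down:", down_down(rows))
    print("administratively down:", admin_down(rows))
    print("Gi0/0 address source:", address_source(rows, "GigabitEthernet0/0"))
```

Anchoring the regex on the fixed Status/Protocol vocabulary is what keeps the header line out of the results without special-casing it.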

259
Multi-Selecthard

A network automation script using NX-API on a Nexus switch fails intermittently with HTTP 500 errors. Which two troubleshooting steps are most effective in diagnosing the issue? (Choose two.)

Select 2 answers
A.Check the length of the JSON payload sent to the API.
B.Ensure the switch is running NX-OS version 9.3(1) or later.
C.Enable NX-API debugging on the switch to capture detailed logs.
D.Verify that the NX-API sandbox feature is enabled and running.
E.Use HTTP instead of HTTPS for the API requests.
AnswersC, D

Debug logs help identify the exact failure point.

Why this answer

Option C is correct because turning on NX-API debug logging on the switch captures each request and the backend's handling of it, including the reason behind a generic 500, such as a command the handler could not parse, an internal error in the command processor, or resource exhaustion. Option D is correct because confirming that the NX-API feature is enabled and the service (including its sandbox page) is responding separates a failing or restarting backend from a failing request; an intermittently unavailable service returns 500s regardless of payload. Option A chases a client-side guess, option B is not a prerequisite (NX-API predates NX-OS 9.3 by several releases), and option E removes transport encryption without diagnosing anything.

Exam trap

Cisco often tests the misconception that HTTP 500 errors are always client-side issues (like payload size) or can be fixed by changing protocols, when in fact they require server-side debugging to diagnose internal failures.

260
Multi-Selectmedium

Which TWO of the following are recommended practices for securing a CI/CD pipeline in a DevOps environment? (Choose two.)

Select 2 answers
A.Store secrets and credentials in a secure vault and inject them at runtime
B.Grant all developers write access to the production environment to enable faster fixes
C.Deploy code to production first, then run security tests to check for issues
D.Scan container images for known vulnerabilities as part of the build pipeline
E.Use the same API token for all pipeline stages to simplify authentication
AnswersA, D

Keeps secrets out of source code and build logs.

Why this answer

Option A is correct because storing secrets (API keys, database passwords) in a secure vault such as HashiCorp Vault or AWS Secrets Manager and injecting them at runtime keeps credentials out of source code, configuration files, version control, build logs and artifacts. It also lets secrets be rotated and revoked centrally and audited per use, which is a fundamental security practice for CI/CD pipelines.

Exam trap

Cisco often tests the misconception that security testing can be deferred to post-production (Option C) or that shared credentials simplify management (Option E), but the correct answers emphasize proactive security (scanning early) and credential isolation (vault injection).

261
MCQeasy

A developer is deploying a containerized application to a Kubernetes cluster. To ensure that the application can securely access a third-party API, what is the best practice for storing the API key?

A.Store it as a Kubernetes Secret and mount it as an environment variable.
B.Hardcode the API key in the Docker image.
C.Use a service account token.
D.Store it in a ConfigMap and reference it from the pod.
AnswerA

Correct approach for sensitive data.

Why this answer

Option A is correct because Kubernetes Secrets are the object type intended for sensitive data; they can be exposed to the pod as environment variables or as files through a volume mount (a volume mount is generally preferred, since environment variables leak more easily through logs, crash dumps and child processes, but in either case the key lives in a Secret rather than in the image or a ConfigMap). Option B is insecure because a key baked into the image is recoverable by anyone who can pull the image. Option C is incorrect because a service account token authenticates the pod to the Kubernetes API, not to a third-party API. Option D is incorrect because ConfigMaps are for non-sensitive configuration and are not handled as secret data.

262
MCQmedium

A developer is writing an application that needs to send a large amount of data reliably over a network. Which transport layer protocol should the developer use?

A.TCP
B.ICMP
C.HTTP
D.UDP
AnswerA

TCP ensures reliable data transfer through acknowledgments and retransmissions.

Why this answer

TCP (Transmission Control Protocol) is the correct choice because it provides reliable, connection-oriented data delivery with acknowledgments, retransmission, and sequencing. This ensures that large amounts of data are transmitted without loss or corruption, which is critical for applications requiring data integrity.

Exam trap

Cisco often tests the distinction between transport-layer protocols (TCP vs. UDP) and higher-layer protocols (HTTP), so the trap here is that candidates might choose HTTP because it is commonly used for data transfer, forgetting that it is not a transport-layer protocol.

How to eliminate wrong answers

Option B (ICMP) is wrong because ICMP is a network-layer protocol used for error reporting and diagnostics (e.g., ping), not for reliable data transport. Option C (HTTP) is wrong because HTTP is an application-layer protocol that relies on TCP for reliable transport; it is not a transport-layer protocol itself. Option D (UDP) is wrong because UDP is connectionless and does not guarantee delivery, ordering, or retransmission, making it unsuitable for reliable large-data transfers.

263
MCQmedium

A developer is using Python requests library to interact with a Cisco IOS XE device's REST API. The call returns a 400 Bad Request status. The payload is correctly formatted JSON. What is the most likely cause?

A.The authentication credentials are missing or incorrect in the request header
B.The device's API service is not enabled
C.The requested URL path is incorrect
D.The JSON payload contains a syntax error
AnswerA

400 Bad Request commonly indicates missing or invalid authentication headers.

Why this answer

A 400 Bad Request status from a Cisco IOS XE REST API indicates a client-side error, typically related to malformed syntax or missing required elements. Since the JSON payload is confirmed as correctly formatted, the most likely cause is missing or incorrect authentication credentials in the request header, as the API requires valid credentials (e.g., Basic Auth with username:password encoded in Base64) to process the request. Without proper authentication, the server rejects the request with a 400 status before even evaluating the payload.

Exam trap

Cisco often tests the distinction between 400 Bad Request (client-side syntax/header issues) and 401 Unauthorized (invalid credentials), tricking candidates into assuming authentication errors always return 401, when in fact missing or malformed authentication headers can trigger a 400.

How to eliminate wrong answers

Option B is wrong because if the API service is not enabled, the device would typically return a 404 Not Found or a connection refusal, not a 400 Bad Request. Option C is wrong because an incorrect URL path would result in a 404 Not Found status, not a 400 Bad Request, as the server would not find the resource. Option D is wrong because the question explicitly states the JSON payload is correctly formatted, so a syntax error cannot be the cause.

264
MCQhard

A developer wants to automate the provisioning of a UCS server using Cisco Intersight. Which authentication method is recommended for programmatic access?

A.Basic authentication with username and password
B.API Key with HMAC signing
C.Session token from Intersight UI
D.OAuth2 with client credentials
AnswerB

Intersight recommends API keys with per-request signatures for automated access.

Why this answer

Cisco Intersight recommends API key authentication for programmatic access because it is a non-interactive method built for automation scripts and tools. The API key consists of a key ID and a secret that never leaves the client; each request carries a signature computed over the request details (method, path, date and a digest of the body), so the server can verify integrity and origin without a password or the secret itself crossing the network.

Exam trap

Cisco often tests the distinction between interactive (session-based) and non-interactive (API key) authentication, leading candidates to mistakenly choose session tokens or basic auth because they are familiar from other Cisco platforms like UCS Manager or APIC.

How to eliminate wrong answers

Option A is wrong because basic authentication transmits the username and password in plaintext (Base64-encoded) with each request, which is insecure and not recommended for programmatic access to Intersight. Option C is wrong because a session token obtained from the Intersight UI is tied to a user session and requires interactive login, making it unsuitable for automated, headless provisioning workflows. Option D is wrong because OAuth2 with client credentials is not the standard or recommended method for Intersight; Intersight uses API key-based HMAC signing as its primary programmatic authentication mechanism.
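The signing pattern behind that answer, as an added example that is not part of the original page: the client computes a MAC over the request target, a timestamp and a body digest and sends only the key ID and the signature; the server looks up the secret by key ID, recomputes the MAC, compares in constant time, and rejects tampered bodies and stale requests. This is a generic keyId + HMAC-SHA256 scheme written for illustration; it is not Intersight's exact signature format, and the keys, clock values and paths are constructed for the demo.

```python
"""Added example (not from the exam page): the request-signing pattern behind
API-key authentication, signed by the client and verified by the server. This
is a generic keyId + HMAC-SHA256 scheme written for illustration; it is not
Intersight's exact signature format. Keys, clock and requests are constructed."""
import base64
import hashlib
import hmac
import json
import time

MAX_SKEW = 300  # seconds; replayed or very old requests are rejected

def body_digest(body: bytes) -> str:
    return "SHA-256=" + base64.b64encode(hashlib.sha256(body).digest()).decode()

def signing_string(method, path, date, digest) -> bytes:
    """Canonical form covering what a tamperer could change: verb, path, time, body."""
    return f"(request-target): {method.lower()} {path}\ndate: {date}\ndigest: {digest}".encode()

def sign_request(key_id, secret: bytes, method, path, body: bytes, now=None) -> dict:
    """Headers to attach to the request; the secret itself is never transmitted."""
    date = str(int(now if now is not None else time.time()))
    digest = body_digest(body)
    mac = hmac.new(secret, signing_string(method, path, date, digest), hashlib.sha256).digest()
    return {"Date": date, "Digest": digest,
            "Authorization": f'Signature keyId="{key_id}",algorithm="hmac-sha256",'
                             f'headers="(request-target) date digest",'
                             f'signature="{base64.b64encode(mac).decode()}"'}

def _parse_auth(header: str) -> dict:
    scheme, _, params = header.partition(" ")
    if scheme != "Signature":
        raise ValueError("unsupported auth scheme")
    out = {}
    for part in params.split(","):
        k, _, v = part.partition("=")
        out[k.strip()] = v.strip().strip('"')
    return out

def verify_request(keys: dict, method, path, body: bytes, headers: dict, now=None) -> tuple:
    """Server side: look up the key, check body integrity and freshness, then
    recompute the MAC and compare in constant time. Returns (ok, reason)."""
    try:
        p = _parse_auth(headers["Authorization"])
        secret = keys[p["keyId"]]
    except (KeyError, ValueError):
        return False, "unknown key or malformed header"
    if body_digest(body) != headers.get("Digest"):
        return False, "body digest mismatch"
    try:
        age = abs((now if now is not None else time.time()) - int(headers["Date"]))
    except (KeyError, ValueError):
        return False, "missing or bad Date"
    if age > MAX_SKEW:
        return False, "request too old"
    expected = hmac.new(secret, signing_string(method, path, headers["Date"], headers["Digest"]),
                        hashlib.sha256).digest()
    try:
        given = base64.b64decode(p["signature"])
    except Exception:
        return False, "bad signature encoding"
    return (True, "ok") if hmac.compare_digest(expected, given) else (False, "signature mismatch")

KEYS = {"key-123": b"constructed-secret-for-demo"}  # server-side key store (constructed)

def demo() -> tuple:
    """Good request, tampered body, and a replay an hour later (hypothetical path)."""
    path, body = "/api/v1/servers", json.dumps({"Name": "ucs-profile-1"}).encode()
    hdrs = sign_request("key-123", KEYS["key-123"], "POST", path, body, now=1_700_000_000)
    ok = verify_request(KEYS, "POST", path, body, hdrs, now=1_700_000_010)
    tampered = verify_request(KEYS, "POST", path, body.replace(b"1", b"2"), hdrs, now=1_700_000_010)
    replayed = verify_request(KEYS, "POST", path, body, hdrs, now=1_700_000_000 + 3600)
    return ok, tampered, replayed

if __name__ == "__main__":
    print(demo())  # ((True, 'ok'), (False, 'body digest mismatch'), (False, 'request too old'))
```

Contrast with basic auth: here an observer of a request sees a key ID and a signature that is only valid for that path, body and minute, not a reusable credential.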

265
MCQmedium

A network team uses an Ansible playbook to automate the configuration of multiple Cisco IOS XE devices. The playbook includes the 'ios_config' module. Which of the following best describes the purpose of the 'provider' parameter in the ios_config module?

A.It defines the connection details for the device.
B.It identifies the name of the playbook being used.
C.It specifies the configuration lines to be applied.
D.It sets the timeout for the module execution.
AnswerA

Provider includes transport credentials.

Why this answer

The 'provider' parameter in the ios_config module is a dictionary that encapsulates the connection details required to reach the network device, such as host, username, password, port, timeout and authorize/auth_pass for enable mode. This is how the module establishes a session with the Cisco IOS XE device before applying configuration changes; without it the module would not know how to reach or authenticate to the target. Note that in current cisco.ios collection releases the provider dictionary is deprecated: the same details are supplied through the network_cli connection plugin and inventory variables (ansible_connection, ansible_network_os, ansible_user, ansible_password), ideally with the password coming from Ansible Vault rather than plaintext inventory.

Exam trap

Cisco often tests the distinction between the 'provider' parameter (connection details) and the 'lines' parameter (configuration commands), leading candidates to mistakenly think 'provider' specifies the configuration content.

How to eliminate wrong answers

Option B is wrong because the playbook name is defined in the playbook file itself (e.g., the name field under a play), not in the ios_config module's provider parameter. Option C is wrong because the configuration lines to be applied are specified using the 'lines' or 'parents' parameters within the ios_config module, not the provider. Option D is wrong because timeout settings are configured via a separate 'timeout' parameter in the provider dictionary or directly in the module, not as the primary purpose of the provider parameter.

266
MCQeasy

An engineer needs to automate the deployment of a new VLAN across multiple switches. Which tool is best suited for this task?

A.NetFlow
B.Syslog
C.Ansible
D.SNMP
AnswerC

Ansible is designed for configuration management and automation.

Why this answer

Ansible is the correct tool because it is an agentless automation platform that uses SSH to push configuration changes, such as VLAN deployment, to network devices. It allows engineers to define the desired state of VLANs in YAML playbooks and apply them consistently across multiple switches without manual intervention.

Exam trap

Cisco often tests the distinction between monitoring protocols (NetFlow, Syslog, SNMP) and automation tools (Ansible, Puppet, Chef), leading candidates to mistakenly choose SNMP because they recall it can write configurations, but they overlook its lack of idempotency and scalability for multi-switch VLAN deployment.

How to eliminate wrong answers

Option A is wrong because NetFlow is a network protocol used for traffic monitoring and analysis, not for configuration deployment. Option B is wrong because Syslog is a standard for message logging and does not provide any mechanism to push configuration changes to devices. Option D is wrong because SNMP is primarily used for monitoring and reading device statistics via MIBs, and while it can write some configuration values (SNMP SET), it is not designed for reliable, idempotent, or scalable VLAN deployment across multiple switches.

267
MCQhard

A Kubernetes cluster is configured with a NetworkPolicy that allows ingress traffic only from pods with label 'app: frontend'. A new backend service needs to communicate with the database pod. What must be done to allow this?

A.Delete the existing NetworkPolicy
B.Add label 'app: backend' to the database pod
C.Modify the NetworkPolicy to include an additional rule allowing from pods with label 'app: backend'
D.Create a new NetworkPolicy for the database
AnswerA

Deleting the policy removes every ingress restriction on the database pod, which lets the backend in but is the least secure option.

Why this answer

Option A is the keyed answer because the existing NetworkPolicy selects the database pod and allows ingress only from pods labelled 'app: frontend'; the backend pods carry a different label, so their traffic is dropped. Deleting the policy means no policy selects the database pod any longer, and a pod selected by no NetworkPolicy accepts all ingress, so the backend can reach the database.

In Kubernetes, a pod becomes isolated as soon as any NetworkPolicy selects it, after which only traffic matched by the rules of some selecting policy is admitted; removing the only policy returns the pod to the non-isolated default. Be aware that this opens the database to every pod in the cluster, which is why a production change would extend the allow rule instead.

Exam trap

The trap here is that candidates assume you must always modify or add policies to allow new traffic, but Cisco tests whether you understand that deleting a restrictive NetworkPolicy is a valid (though less secure) method to permit all traffic, especially when the question does not specify a security requirement.

How to eliminate wrong answers

Option B is wrong because adding 'app: backend' to the database pod changes the destination's labels; the policy's ingress rule filters on the source pod's labels, so the backend is still not matched (and rewriting the 'app' key could even stop the policy selecting the database pod at all). Option C would also work, and it is what a practitioner would do: a second 'from' entry for 'app: backend' admits the backend while keeping every other pod blocked. The question is keyed to A as the single required action, so C is not the expected choice, but it is the more secure change. Option D, a second NetworkPolicy that selects the database pod and allows ingress from 'app: backend', would likewise admit the backend, because policies selecting the same pod are additive (their allow rules are unioned, so a second policy cannot be overridden by the first); like C, it is a more targeted fix than deletion but is not the keyed answer.
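The additive semantics that decide this question, as an added example that is not part of the original page: a small evaluator for NetworkPolicy ingress (matchLabels selectors only, single namespace) that reports, for backend-to-database traffic, what happens under the original policy, after deleting it (option A), after extending its rule (option C) and after adding a second policy (option D), plus the side effect of A that any pod can then reach the database. The pods and policies are constructed to mirror the question.

```python
"""Added example (not from the exam page): a small evaluator for Kubernetes
NetworkPolicy ingress semantics (label selectors only, same namespace) that
shows why policies are additive: once any policy selects a pod, ingress is
denied unless some policy's rule allows the source. The pods and policies are
constructed to mirror the question."""

def matches(selector: dict, labels: dict) -> bool:
    """matchLabels semantics: every key/value in the selector must be present."""
    return all(labels.get(k) == v for k, v in selector.items())

def ingress_allowed(policies, src_labels: dict, dst_labels: dict) -> bool:
    """True if traffic from a pod with src_labels may reach a pod with dst_labels."""
    selecting = [p for p in policies if matches(p["podSelector"], dst_labels)]
    if not selecting:
        return True  # no policy selects the destination: not isolated, open by default
    for p in selecting:
        for rule in p.get("ingress", []):
            for peer in rule.get("from", []):
                if matches(peer["podSelector"], src_labels):
                    return True  # allow-lists of every selecting policy are unioned
    return False

DB = {"app": "database"}
FRONTEND, BACKEND = {"app": "frontend"}, {"app": "backend"}

ORIGINAL = {"name": "db-allow-frontend", "podSelector": DB,
            "ingress": [{"from": [{"podSelector": FRONTEND}]}]}

MODIFIED = {**ORIGINAL, "ingress": [{"from": [{"podSelector": FRONTEND},
                                               {"podSelector": BACKEND}]}]}  # option C

EXTRA = {"name": "db-allow-backend", "podSelector": DB,
         "ingress": [{"from": [{"podSelector": BACKEND}]}]}                  # option D

def scenarios() -> dict:
    """Outcome of each approach for backend -> database, plus the side effects."""
    return {
        "original_backend_blocked": not ingress_allowed([ORIGINAL], BACKEND, DB),
        "A_delete_policy": ingress_allowed([], BACKEND, DB),
        "C_modify_policy": ingress_allowed([MODIFIED], BACKEND, DB),
        "D_second_policy": ingress_allowed([ORIGINAL, EXTRA], BACKEND, DB),
        "frontend_still_ok_with_C": ingress_allowed([MODIFIED], FRONTEND, DB),
        "stranger_blocked_with_C": not ingress_allowed([MODIFIED], {"app": "attacker"}, DB),
        "stranger_blocked_with_D": not ingress_allowed([ORIGINAL, EXTRA], {"app": "attacker"}, DB),
        "A_opens_db_to_anyone": ingress_allowed([], {"app": "attacker"}, DB),
    }

if __name__ == "__main__":
    for name, result in scenarios().items():
        print(f"{name}: {result}")
```

Every entry in the scenarios dict comes out True: A, C and D all let the backend through, but only C and D keep a pod with any other label out, which is the security argument for extending rather than deleting.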

268
MCQeasy

Which tool is specifically designed for model-driven programmability using YANG data models?

A.NETCONF
B.SNMP
C.CLI
D.Ansible
AnswerA

NETCONF is a protocol designed for model-driven management with YANG.

Why this answer

NETCONF is the correct answer because it is a network management protocol specifically designed to operate with YANG data models, using XML or JSON encoding to transport configuration and state data. YANG defines the structure of the data, and NETCONF provides the operations (get, edit-config, etc.) to manipulate that data in a model-driven, programmatic way. This makes NETCONF the standard tool for model-driven programmability in modern network automation.

Exam trap

Cisco often tests the distinction between a protocol that natively uses YANG (NETCONF) versus tools that can work with YANG but are not designed specifically for it (like Ansible), so the trap here is assuming any automation tool that supports YANG qualifies as 'specifically designed' for model-driven programmability.

How to eliminate wrong answers

Option B (SNMP) is wrong because SNMP uses MIBs (Management Information Bases) defined by SMI (Structure of Management Information), not YANG data models, and it is primarily used for monitoring rather than model-driven configuration. Option C (CLI) is wrong because CLI is a human-oriented, command-line interface that is not model-driven and does not use YANG; it relies on proprietary, device-specific commands. Option D (Ansible) is wrong because Ansible is an automation tool that can use YANG models indirectly via modules (e.g., ios_config), but it is not specifically designed for model-driven programmability using YANG; it is a general-purpose configuration management tool.

269
MCQhard

A network engineer is troubleshooting a Kubernetes deployment where pods are failing to start with the error 'CrashLoopBackOff'. The pod log shows 'bind: address already in use'. The deployment runs multiple replicas of a container that listens on port 8080. What is the most likely cause?

A.The container is attempting to bind to a privileged port without the necessary capabilities.
B.The deployment has hostPort: 8080 specified, causing port conflict when multiple replicas are scheduled on the same node.
C.The service is using NodePort and the node port is already in use.
D.Multiple containers in the same pod are trying to bind to the same port.
AnswerB

hostPort reserves the port on the host node, so only one pod per node can use it. With multiple replicas, subsequent pods fail with address in use.

Why this answer

The 'bind: address already in use' error indicates that the container's process cannot bind to port 8080 because it is already occupied. When `hostPort: 8080` is specified in the pod spec, Kubernetes instructs the container runtime to map the container port to the same port on the node's network namespace. If multiple replicas of the deployment are scheduled on the same node, each pod attempts to bind to port 8080 on the host, causing a conflict and the CrashLoopBackOff state.

This is a common misconfiguration when using hostPort without ensuring that replicas are spread across different nodes.

Exam trap

Cisco often tests the distinction between hostPort (which binds to the node's IP) and containerPort (which is informational), leading candidates to overlook that hostPort causes direct port conflicts on the same node.

How to eliminate wrong answers

Option A is wrong because port 8080 is not a privileged port (privileged ports are below 1024), and the error message 'address already in use' is unrelated to capabilities. Option C is wrong because a NodePort service allocates a port on every node's IP (typically in the range 30000-32767), and the error occurs at the pod level, not at the service level; a NodePort conflict would manifest differently, such as service creation failure. Option D is wrong because multiple containers in the same pod share the same network namespace and cannot bind to the same container port without explicit port mapping, but the error is about the host port conflict, not inter-container conflict within a single pod.

270
MCQeasy

A network automation script uses RESTCONF to retrieve operational data from a Cisco device. What data format is typically supported by RESTCONF?

A.YAML
B.Plain text
C.XML or JSON
D.CSV
AnswerC

RESTCONF uses XML and JSON as data formats.

Why this answer

RESTCONF (RFC 8040) is a REST-like protocol that uses HTTP methods to access structured data defined by YANG models. It natively supports both XML and JSON as data serialization formats, allowing clients to choose the format via the Accept header or URL suffix (e.g., .xml or .json). This makes XML and JSON the correct answer because they are the only formats explicitly defined in the RESTCONF specification for encoding configuration and operational data.

Exam trap

Cisco often tests the misconception that RESTCONF supports YAML because of its popularity in automation tools like Ansible, but RESTCONF strictly uses XML and JSON per RFC 8040, and YAML is not a valid encoding in the standard.

How to eliminate wrong answers

Option A is wrong because YAML is not a supported data format in RESTCONF; RESTCONF uses XML and JSON as defined in RFC 8040, and YAML is not part of the standard. Option B is wrong because plain text lacks the structured, hierarchical representation required by YANG data models, and RESTCONF requires a structured format like XML or JSON for data serialization. Option D is wrong because CSV is a flat, row-based format that cannot represent the nested, tree-like data structures of YANG models, and it is not supported by RESTCONF.

271
Matchingmedium

Match each JSON data type to its example.


Concepts
Matches

"hello"

42

true

[1, 2, 3]

{"key": "value"}

Why these pairings

JSON supports these basic data types.

272
MCQmedium

A company has multiple subnets. A device in subnet 192.168.1.0/24 needs to communicate with a device in subnet 192.168.2.0/24. What is required for this communication?

A.A DNS server
B.A VLAN
C.A bridge
D.A router or Layer 3 switch
AnswerD

A router or Layer 3 switch can forward packets between different subnets.

Why this answer

Devices in different subnets (192.168.1.0/24 and 192.168.2.0/24) are on separate Layer 3 networks. To forward packets between these subnets, a router or Layer 3 switch is required to perform IP routing, using the destination IP address to determine the next hop. Without a Layer 3 device, the frames cannot leave the local broadcast domain.

Exam trap

Cisco often tests the misconception that a VLAN alone enables communication between subnets, but VLANs only isolate traffic at Layer 2; a Layer 3 device is always needed to route between different subnets.

How to eliminate wrong answers

Option A is wrong because a DNS server resolves hostnames to IP addresses but does not forward packets between subnets; routing is a Layer 3 function, not a naming service. Option B is wrong because a VLAN segments a single switch into multiple broadcast domains at Layer 2, but it does not route between subnets; inter-VLAN communication still requires a Layer 3 device. Option C is wrong because a bridge operates at Layer 2 to connect two network segments within the same subnet, forwarding frames based on MAC addresses; it cannot route between different IP subnets.

273
MCQhard

A network automation engineer is developing a Python script that uses the NETCONF protocol to retrieve the running configuration from a Cisco IOS XE device. They use the ncclient library. The script works on the test device but fails on a production device with an error: "ncclient.transport.errors.AuthenticationError: Authentication exception". The engineer verifies that the SSH credentials (username and password) are correct and that the production device is reachable via SSH on port 830. What is the most likely issue?

A.The production device uses a different port for NETCONF than the test device.
B.The production device has a firewall rule blocking NETCONF capabilities.
C.The production device does not have NETCONF enabled; it only supports SSH.
D.The production device requires SSH key-based authentication, but the script uses password.
AnswerD

Many production devices require keys for NETCONF authentication; password may fail at the NETCONF layer.

Why this answer

The error 'AuthenticationError' from ncclient indicates that the NETCONF session over SSH failed during authentication. Since the engineer verified the password is correct and the device is reachable on port 830, the most likely cause is that the production device is configured to require SSH key-based authentication (e.g., using 'ip ssh server algorithm authentication publickey' or similar), while the script is attempting password-based authentication. ncclient defaults to password authentication unless explicitly configured with a key filename.

Exam trap

Cisco often tests the distinction between SSH transport authentication failures and NETCONF protocol-level failures, leading candidates to incorrectly attribute the error to NETCONF not being enabled or a firewall issue rather than the SSH authentication method mismatch.

How to eliminate wrong answers

Option A is wrong because the engineer verified the device is reachable via SSH on port 830, and the error is an authentication exception, not a connection timeout or port mismatch. Option B is wrong because a firewall rule blocking NETCONF capabilities would typically cause a connection timeout or 'Connection refused' error, not an authentication exception. Option C is wrong because if the device only supported SSH and not NETCONF, the ncclient library would fail with a 'CapabilityException' or similar error during the hello exchange, not an authentication error.

274
MCQmedium

A developer is designing a Python script to parse the output of 'show ip interface brief' from a Cisco IOS device. The output is stored in a string variable. The developer wants to extract only the interfaces that are up/up. The current code uses regular expressions but often fails because the interface names contain special characters (e.g., GigabitEthernet1/0/1). Which approach should the developer use to reliably parse the output?

A.Use the 're' module with a more complex pattern that escapes special characters
B.Use split on whitespace and check column values
C.Use a structured data format like JSON or YAML if available from the device
D.Use a CSV parser with a custom delimiter
AnswerC

Structured output is consistent, machine-readable, and immune to formatting changes.

Why this answer

The most reliable approach is to use structured output if the device supports JSON or YAML output (e.g., 'show ip interface brief | json' on IOS-XE). This avoids regex pitfalls. Option B (split on whitespace) may break if interface names contain spaces (they do not, and slashes are fine for splitting), but it still depends on column positions.

Option D (CSV parser) is not appropriate for this output. Option A (complex regex) is possible but less maintainable and error-prone.
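The following parser is an added example, not code from the original question bank. It shows the whitespace-column fallback for devices that cannot emit structured output, and it handles the one edge case that breaks naive column splitting: the two-word 'administratively down' Status value. The sample output, the column names and the function names are constructed for this example.

```python
from typing import Dict, List

# Constructed sample output (not captured from a real device); the second data line
# carries the two-word "administratively down" status that shifts columns for a
# parser that assumes one token per column.
SAMPLE_OUTPUT = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet1/0/1   10.0.0.1        YES manual up                    up
GigabitEthernet1/0/2   unassigned      YES unset  administratively down down
Vlan1                  192.168.1.1     YES NVRAM  up                    up
Loopback0              1.1.1.1         YES manual up                    down
"""

COLUMNS = ("interface", "ip_address", "ok", "method", "status", "protocol")


def parse_ip_int_brief(text: str) -> List[Dict[str, str]]:
    """Parse 'show ip interface brief' text into one dict per interface.

    Fields are split on whitespace and read from both ends: the first four columns
    are single tokens (interface names with '/' or '.' are taken verbatim), Protocol
    is always the last token, and whatever lies between is the Status column, which
    may be the two words "administratively down".
    """
    records: List[Dict[str, str]] = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] == "Interface":
            continue  # header, blank or truncated line
        interface, ip_address, ok, method = fields[:4]
        protocol = fields[-1]
        status = " ".join(fields[4:-1])
        records.append(dict(zip(COLUMNS, (interface, ip_address, ok, method, status, protocol))))
    return records


def up_up_interfaces(text: str) -> List[str]:
    """Names of interfaces whose Status and Protocol are both 'up'."""
    return [r["interface"] for r in parse_ip_int_brief(text)
            if r["status"] == "up" and r["protocol"] == "up"]


if __name__ == "__main__":
    for record in parse_ip_int_brief(SAMPLE_OUTPUT):
        print(record)
    print("up/up:", up_up_interfaces(SAMPLE_OUTPUT))
```

When the platform does offer '| json', the same `status == "up" and protocol == "up"` filter applies to the parsed objects and the text parser above is no longer needed; keep it only as a fallback for platforms without structured output.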

275
MCQmedium

A developer writes a Python script using ncclient to retrieve the running configuration from a Cisco IOS XE device. The script fails with an XML parsing error. What is the most likely cause?

A.The script is not filtering the output correctly and receives multiple root elements
B.The device does not support NETCONF
C.The ncclient library version is too old
D.The username and password are incorrect
AnswerA

If multiple root elements are returned (e.g., unfiltered), the XML parser will throw an error.

Why this answer

The most likely cause is that the script does not filter the NETCONF reply to a specific subtree, so the device returns multiple top-level XML elements (e.g., both <native> and <config>). An XML parser expects a single root element, and receiving multiple roots triggers a parsing error. ncclient's `get_config` with no filter can return the entire configuration as separate elements, violating XML well-formedness.

Exam trap

Cisco often tests the subtle requirement that NETCONF replies must be well-formed XML with a single root element, and candidates mistakenly think the error is due to connectivity or authentication rather than the missing filter.

How to eliminate wrong answers

Option B is wrong because if the device did not support NETCONF, the script would fail with a connection or capability exchange error, not an XML parsing error. Option C is wrong because an outdated ncclient library might cause missing features or deprecation warnings, but it would not directly produce an XML parsing error from a valid reply. Option D is wrong because incorrect credentials would result in an authentication failure (e.g., 'AuthenticationException' or connection refused), not an XML parsing error.

276
Multi-Selecthard

Which THREE of the following are valid methods to handle API rate limiting in a Python automation script? (Select exactly 3.)

Select 3 answers
A.Parse the Retry-After header from the response
B.Use a token bucket algorithm to control request rate
C.Sleep for a fixed amount of time between requests
D.Ignore the limit and send requests faster
E.Implement retry logic with exponential backoff
AnswersA, B, E

Respects server-specified wait time.

Why this answer

Option A is correct because the Retry-After header is a standard HTTP mechanism (defined in RFC 7231) that explicitly tells the client how long to wait before making the next request. Parsing this header allows your Python script to respect the server's rate limit dynamically, rather than using a fixed or arbitrary delay. This is a common pattern when interacting with REST APIs that enforce rate limiting.

Exam trap

Cisco often tests the distinction between a fixed sleep (which is naive and not adaptive) versus dynamic methods like parsing Retry-After or using exponential backoff, and candidates mistakenly think a static delay is sufficient for rate limiting.

277
Multi-Selecthard

Which THREE are best practices for securing a CI/CD pipeline?

Select 3 answers
A.Use dynamic application security testing (DAST) tools
B.Allow manual approval for production deployments
C.Store credentials in the source code repository
D.Run all pipeline steps as the same user
E.Use static application security testing (SAST) tools
AnswersA, B, E

DAST tests running applications for security issues.

Why this answer

Dynamic application security testing (DAST) tools analyze a running application by simulating external attacks, which helps identify runtime vulnerabilities such as SQL injection or cross-site scripting. Integrating DAST into a CI/CD pipeline ensures that security checks are automated and performed before deployment, catching issues that static analysis might miss. This aligns with the DevSecOps principle of shifting security left without slowing down delivery.

Exam trap

Cisco often tests the distinction between DAST and SAST, where candidates may incorrectly think only one is needed, but the exam expects both as complementary practices for comprehensive security coverage.

278
MCQhard

A Python script using the Cisco Meraki API v1 is failing with a 429 status code. What is the recommended course of action?

A.Change the API endpoint to a different region
B.Check the API token
C.Increase the rate limit on the dashboard
D.Implement retry logic with exponential backoff and respect Retry-After header
AnswerD

This is the standard approach for handling rate limiting.

Why this answer

A 429 status code indicates rate limiting, meaning the client has exceeded the allowed number of requests per time window. The correct response is to implement retry logic with exponential backoff and respect the Retry-After header, which tells the client how long to wait before retrying. This is a standard best practice for REST APIs, including Cisco Meraki's API v1, to handle rate limits gracefully without overwhelming the server.

Exam trap

Cisco often tests the distinction between HTTP status codes, so the trap here is that candidates confuse a 429 (rate limit) with authentication errors (401/403) or assume they can modify server-side limits, leading them to pick options like B or C.

How to eliminate wrong answers

Option A is wrong because changing the API endpoint to a different region does not affect rate limits; rate limits are per API key or per organization, not per regional endpoint. Option B is wrong because a 429 status code is not related to authentication; an invalid API token would result in a 401 Unauthorized or 403 Forbidden error, not a 429. Option C is wrong because the rate limit is enforced by the Meraki cloud and cannot be increased by the client; the dashboard does not provide a mechanism for clients to modify their rate limit.
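The following block is an added example that covers the three correct techniques from question 276 (parsing Retry-After, a token bucket, exponential backoff) as they would be combined to handle the 429 in question 278. It is not code from the question bank or from Cisco Meraki. There is no network access: the server, the clock, the request budget (5 requests per second) and the returned device serial are all constructed stand-ins, and every function and class name is an assumption for this example.

```python
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Response:
    """Minimal stand-in for an HTTP response (constructed; not a requests object)."""
    status: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[dict] = None


class TokenBucket:
    """Client-side limiter: refills `rate` tokens per second, holds at most `capacity`."""

    def __init__(self, rate: float, capacity: int,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> None:
        self.rate, self.capacity = rate, capacity
        self.tokens = float(capacity)
        self.clock, self.sleep = clock, sleep
        self.last = clock()

    def acquire(self) -> float:
        """Block until one token is available; return the seconds slept."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        waited = 0.0
        if self.tokens < 1.0:
            waited = (1.0 - self.tokens) / self.rate
            self.sleep(waited)          # after this long exactly one token has refilled
            self.last = self.clock()
            self.tokens = 1.0
        self.tokens -= 1.0
        return waited


def backoff_delay(resp: Response, attempt: int, base: float = 1.0, cap: float = 30.0,
                  rng: Callable[[], float] = random.random) -> float:
    """Delay before retrying a 429: honour Retry-After (delay-seconds form) when the
    server sends it, otherwise capped exponential backoff with full jitter."""
    header = {k.lower(): v for k, v in resp.headers.items()}.get("retry-after")
    if header is not None:
        try:
            return max(0.0, float(header))
        except ValueError:
            pass  # the HTTP-date form of Retry-After is not handled here; fall back to backoff
    return rng() * min(cap, base * (2 ** attempt))


def call_with_retries(send: Callable[[], Response], bucket: TokenBucket,
                      max_attempts: int = 5,
                      sleep: Callable[[float], None] = time.sleep,
                      rng: Callable[[], float] = random.random) -> Response:
    """Send through the bucket; on 429 wait as instructed and retry, up to max_attempts."""
    last: Optional[Response] = None
    for attempt in range(max_attempts):
        bucket.acquire()
        resp = send()
        if resp.status != 429:
            return resp
        last = resp
        sleep(backoff_delay(resp, attempt, rng=rng))
    raise RuntimeError(f"gave up after {max_attempts} attempts; last status {last.status}")


class FakeClock:
    """Simulated time so the example runs instantly and deterministically."""
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def sleep(self, seconds: float) -> None:
        self.t += seconds


class FakeRateLimitedServer:
    """Constructed stand-in for the API: returns 429 (with an optional Retry-After)
    for the first `fail` calls, then 200 with a made-up device list."""
    def __init__(self, fail: int, retry_after: Optional[str]) -> None:
        self.fail, self.retry_after, self.calls = fail, retry_after, 0

    def handle(self) -> Response:
        self.calls += 1
        if self.calls <= self.fail:
            headers = {"Retry-After": self.retry_after} if self.retry_after else {}
            return Response(429, headers)
        return Response(200, {"Content-Type": "application/json"},
                        {"devices": [{"serial": "EXAMPLE-SERIAL-0001"}]})  # constructed value


def demo(fail: int = 2, retry_after: Optional[str] = "2") -> dict:
    """Run one logical request through the limiter against the fake server."""
    clock = FakeClock()
    bucket = TokenBucket(rate=5.0, capacity=1, clock=clock.now, sleep=clock.sleep)  # assumed budget
    server = FakeRateLimitedServer(fail, retry_after)
    resp = call_with_retries(server.handle, bucket, sleep=clock.sleep, rng=lambda: 1.0)
    return {"status": resp.status, "calls": server.calls, "slept": clock.t}


if __name__ == "__main__":
    print(demo())                    # Retry-After honoured: waits 2 s, then 2 s
    print(demo(retry_after=None))    # no header: backoff of 1 s, then 2 s
```

The injected `clock`, `sleep` and `rng` callables are what make the behaviour testable without real waiting; in a production script the defaults (`time.monotonic`, `time.sleep`, `random.random`) are used, and the jitter keeps many clients that were throttled at the same moment from retrying in lockstep.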

279
MCQmedium

A team uses Chef to manage network device configurations. Which component of Chef is responsible for storing configuration policy and distributing it to nodes?

A.Knife
B.Chef Server
C.Chef Client
D.Supermarket
AnswerB

The central server stores and distributes policy.

Why this answer

The Chef Server is the central hub that stores configuration policies (cookbooks, roles, environments, data bags) and distributes them to nodes via a REST API. When a Chef Client runs on a node, it authenticates with the Chef Server and downloads the relevant policy to converge the node to the desired state. This makes the Chef Server the authoritative source of configuration policy in a Chef architecture.

Exam trap

Cisco often tests the distinction between the Chef Server (policy storage/distribution) and the Chef Client (policy execution), tempting candidates to confuse the agent with the central repository.

How to eliminate wrong answers

Option A is wrong because Knife is a command-line tool used by administrators to interact with the Chef Server (e.g., upload cookbooks, bootstrap nodes), but it does not store or distribute policy itself. Option C is wrong because the Chef Client is an agent that runs on nodes to apply configuration locally; it pulls policy from the Chef Server but does not store or distribute it. Option D is wrong because Supermarket is a public community repository for sharing cookbooks, not a component that stores or distributes policy within an organization's own infrastructure.

280
MCQmedium

Refer to the exhibit. Which statement correctly describes this subscription configuration?

A.It subscribes to YANG-push notifications for interface state data.
B.It pushes interface operational status changes to a receiver using UDP.
C.It uses XML encoding for the telemetry data.
D.The receiver is configured to listen on port 2000 using TCP.
AnswerA

Correct description.

Why this answer

Option A is correct because the subscription configuration uses YANG-push notifications to stream interface state data. The presence of a subscription ID, a YANG-push filter (e.g., 'ietf-interfaces:interfaces-state'), and a destination group (e.g., '10.1.1.1:2000') indicates that the device is configured to push telemetry data for interface operational state changes to a receiver using the YANG-push model, which is a standard mechanism for streaming data from network devices.

Exam trap

Cisco often tests the distinction between subscription configuration details (e.g., destination IP/port) and the actual transport protocol or encoding used, leading candidates to incorrectly assume that a port number implies a specific protocol (like UDP) or that YANG-push always uses XML encoding.

How to eliminate wrong answers

Option B is wrong because YANG-push notifications typically use TCP (e.g., gRPC or NETCONF) or UDP with DTLS for secure transport, but the subscription configuration does not specify UDP; the destination port 2000 is commonly used for gRPC or custom telemetry receivers, not necessarily UDP. Option C is wrong because YANG-push telemetry data is typically encoded in JSON or CBOR, not XML, unless explicitly configured for NETCONF-based subscriptions; the exhibit shows no XML encoding specification. Option D is wrong because the receiver is not configured to listen on port 2000 using TCP; the subscription defines the destination IP and port (10.1.1.1:2000) for the telemetry data to be sent to, but the receiver's listening protocol (TCP or UDP) is not specified in the subscription configuration.

281
MCQhard

Refer to the exhibit. A network engineer applies this JSON-based QoS policy to a Cisco device using NETCONF/YANG. Which statement best describes the expected behavior for traffic from 10.0.0.0/24 with DSCP EF?

A.Traffic with DSCP EF from any source is re-marked to AF41 and dropped if exceeding 100 Mbps.
B.The policy is invalid because DSCP values cannot be changed in a QoS policy.
C.Traffic from 10.0.0.0/24 with DSCP EF is re-marked to AF41 and limited to 100 Mbps; excess is dropped.
D.Traffic from 10.0.0.0/24 is re-marked to DSCP EF, then policed at 100 Mbps.
AnswerC

The policy matches both conditions, then re-marks and polices.

Why this answer

Option C is correct because the JSON-based QoS policy uses a class map matching traffic from source 10.0.0.0/24 with DSCP EF, then applies a police action that re-marks exceeding traffic to AF41 and drops it when the rate exceeds 100 Mbps. This is a standard two-rate policer behavior in Cisco IOS QoS, where conforming traffic is transmitted unchanged and exceeding traffic is re-marked and dropped.

Exam trap

Cisco often tests the distinction between matching criteria (source IP and DSCP) versus the action applied (re-marking and policing), leading candidates to confuse which traffic is matched and what happens to conforming versus exceeding packets.

How to eliminate wrong answers

Option A is wrong because the policy matches traffic from 10.0.0.0/24 with DSCP EF, not any source; the match condition is specific to that source subnet. Option B is wrong because DSCP values can be changed in a QoS policy using the 'set dscp' action within a police or service-policy; this is a common practice for re-marking. Option D is wrong because the policy does not re-mark traffic to DSCP EF; it matches traffic already marked as DSCP EF and then polices it, re-marking exceeding traffic to AF41.

282
MCQhard

You are a DevNet engineer responsible for automating configuration management across a Cisco SD-WAN fabric. You have been using the vManage REST API to retrieve device inventory and template lists. You generate an API token with read/write scope and successfully execute GET requests to /dataservice/device and /dataservice/template/device to list devices and templates. Now you want to attach a specific template to a device using POST /dataservice/template/device/config/attach. Your Python script uses the correct URL and includes the token in the Authorization header. The request body contains the device UUID and template UUID retrieved earlier. However, the API returns an HTTP 403 Forbidden error. You have verified that the device UUID and template UUID are correct and that the template exists. The vManage server logs indicate no high resource usage. What is the most likely cause of the 403 error?

A.The vManage version does not support the attach API.
B.The template is already attached to the device.
C.The device is not part of any template group.
D.The API token has been issued only with read scope for the attach operation.
AnswerB

If the template is already attached, the API would return a 409 Conflict or 400 Bad Request, not 403.

Why this answer

An HTTP 403 Forbidden error indicates the server understood the request but refuses to authorize it. Since the token worked for GET requests but not for the POST attach operation, the most likely cause is insufficient privileges. The token may have been generated with read-only scope for the attach operation, or the token's scope explicitly denied write access to this API.

The other options are less likely: device group membership does not affect authorization; template already attached would yield a 400 or 409; version incompatibility would give a 404 or 501.

283
MCQhard

Refer to the exhibit. A switch is configured with the shown trunk port. After connecting the uplink, the switch logs show repeated 'errdisable' state transitions on this port. The core switch is configured with the same allowed VLAN list. Which configuration change is most likely to resolve the issue?

A.Change the switchport mode to dynamic desirable.
B.Add VLAN 1 to the allowed VLAN list.
C.Remove the spanning-tree portfast trunk command from the interface.
D.Add the spanning-tree bpduguard enable command to the interface.
AnswerC

Portfast trunk is designed for host-facing trunks (e.g., to servers) and can cause STP issues when connecting to another switch.

Why this answer

The 'errdisable' state transitions on a trunk port are typically caused by a spanning-tree BPDU guard violation when PortFast is enabled. The 'spanning-tree portfast trunk' command enables PortFast on the trunk, which bypasses the normal listening/learning states and can cause the port to be placed into errdisable state if a BPDU is received from the core switch. Removing this command allows the trunk port to participate in standard spanning-tree convergence, preventing the repeated errdisable transitions.

Exam trap

Cisco often tests the misconception that 'spanning-tree portfast trunk' is safe for trunk ports; the trap is that PortFast combined with BPDU guard (enabled globally even if not configured on the interface) causes errdisable when BPDUs are received, so the fix is to remove PortFast from the trunk.

How to eliminate wrong answers

Option A is wrong because changing the switchport mode to 'dynamic desirable' does not address the errdisable issue; it only affects DTP negotiation and could cause trunking misalignment. Option B is wrong because VLAN 1 is already the native VLAN and is implicitly allowed on trunk ports; adding it to the allowed VLAN list is redundant and does not resolve errdisable transitions. Option D is wrong because adding 'spanning-tree bpduguard enable' would actually worsen the problem by explicitly enabling BPDU guard, which is the mechanism causing the errdisable state when a BPDU is received on a PortFast-enabled port.

284
MCQeasy

Which data format is most commonly used in REST API requests and responses in modern network automation?

A.YAML
B.XML
C.CSV
D.JSON
AnswerD

JSON is the standard for REST APIs.

Why this answer

JSON (JavaScript Object Notation) is the most commonly used data format in REST API requests and responses for modern network automation because it is lightweight, language-agnostic, and natively supported by most programming languages and network devices. REST APIs typically use JSON over HTTP due to its ease of parsing, compact structure, and alignment with web development practices, making it the de facto standard for exchanging structured data in automation workflows like those with Cisco NSO, Ansible, or Python scripts.

Exam trap

The trap here is that candidates may confuse YAML's prevalence in configuration management (e.g., Ansible) with REST API data interchange, or assume XML's historical role in SOAP extends to modern REST, leading them to overlook JSON's dominance in actual API payloads.

How to eliminate wrong answers

Option A is wrong because YAML, while popular in configuration files (e.g., Ansible playbooks), is not the primary format for REST API payloads; it lacks native HTTP content-type support and is less commonly used in request/response bodies. Option B is wrong because XML, though historically used in SOAP APIs and some legacy REST implementations, is verbose, requires more parsing overhead, and has been largely superseded by JSON in modern REST APIs due to simplicity and performance. Option C is wrong because CSV is a tabular data format unsuitable for hierarchical or nested structures common in REST API responses, and it lacks standard schema support for complex objects like device configurations or network states.

285
MCQmedium

A network automation engineer is using Ansible to manage Cisco IOS devices. The playbook includes a task that executes a 'show version' command and registers the output. The engineer then wants to parse the output to extract the IOS version. Which approach should be used?

A.Use the 'cisco.ios.ios_command' module and parse the output with regex
B.Use the 'cisco.ios.ios_command' module and the 'parse' option
C.Use the 'cisco.ios.ios_config' module to retrieve the version
D.Use the 'cisco.ios.ios_facts' module to get structured facts
AnswerD

Correct: 'ios_facts' returns structured data including the IOS version.

Why this answer

The 'cisco.ios.ios_facts' module retrieves structured data from Cisco IOS devices, including the IOS version as a key-value pair in the Ansible facts dictionary. This eliminates the need for manual parsing, as the module uses the device's CLI or NETCONF to gather structured output, making it the most efficient and reliable approach for extracting specific device attributes.

Exam trap

Cisco often tests the misconception that raw CLI output must be parsed manually, but the correct approach is to use dedicated facts modules that return structured data, avoiding fragile regex or template-based parsing.

How to eliminate wrong answers

Option A is wrong because while 'cisco.ios.ios_command' can execute 'show version' and register raw output, parsing it with regex is error-prone, fragile, and unnecessary when structured facts are available. Option B is wrong because the 'parse' option in 'cisco.ios.ios_command' is used for converting unstructured output to structured data using a 'parser' or 'textfsm' template, but it still requires a template and is not the direct method for obtaining the IOS version as a fact. Option C is wrong because 'cisco.ios.ios_config' is designed for pushing configuration changes, not for retrieving operational data like the IOS version; it does not support 'show' commands or fact gathering.

286
Drag & Dropmedium

Drag and drop the steps to set up a Python virtual environment for a DevNet project into the correct order.


Why this order

Virtual environments isolate dependencies; creation, activation, package installation, and deactivation are standard steps.

287
MCQeasy

An automation engineer wants to programmatically retrieve the interface configuration of a Cisco Nexus switch using NX-API. Which API call method is most appropriate?

A.POST
B.DELETE
C.PUT
D.GET
AnswerD

GET is used to retrieve resource representations.

Why this answer

The NX-API on Cisco Nexus switches uses HTTP methods that map to CRUD operations. To retrieve (read) interface configuration without modifying any state, the GET method is the correct and most appropriate choice, as it corresponds to the 'show' commands in the CLI. POST, PUT, and DELETE are intended for creating, updating, or deleting resources, not for read-only queries.

Exam trap

The trap here is that candidates may confuse POST with GET because NX-API examples often use POST for sending CLI commands in the request body, but the question specifically asks for retrieving configuration, which requires the read-only GET method.

How to eliminate wrong answers

Option A is wrong because POST is used to create a new resource or invoke an action (e.g., applying a configuration), not to retrieve existing data. Option B is wrong because DELETE is used to remove a resource (e.g., deleting an interface configuration), which is destructive and inappropriate for a read operation. Option C is wrong because PUT is used to update or replace an existing resource (e.g., modifying interface parameters), not to retrieve configuration.

288
MCQeasy

A developer is creating an application that uses the Cisco Webex Teams API to send messages. What authentication method is typically used?

A.Session cookies
B.Basic Auth
C.OAuth 2.0
D.API Key
AnswerC

OAuth 2.0 is the standard for Webex API.

Why this answer

The Cisco Webex Teams API uses OAuth 2.0 as its primary authentication method for applications that need to act on behalf of a user. OAuth 2.0 provides delegated access via access tokens, allowing the application to send messages without exposing user credentials. This is the standard for modern REST APIs that require secure, scoped access.

Exam trap

The trap here is that candidates confuse API Keys with OAuth 2.0 tokens, assuming a simple key is sufficient, but Webex Teams requires the OAuth 2.0 flow for user-specific actions like sending messages, not just a static key.

How to eliminate wrong answers

Option A is wrong because session cookies are used for stateful web applications, not for REST API authentication in Webex Teams, which is stateless and token-based. Option B is wrong because Basic Auth transmits credentials in what is effectively plaintext (only Base64-encoded, not encrypted) and is not supported by the Webex Teams API due to security concerns. Option D is wrong because API Keys are typically used for server-to-server or service account access, but the Webex Teams API requires OAuth 2.0 tokens for user-delegated actions like sending messages.

289
MCQeasy

Which IPv6 address type is equivalent to a private IPv4 address?

A.Multicast
B.Global unicast
C.Link-local
D.Unique local
AnswerD

Unique local addresses are private and not globally routable.

Why this answer

Unique local addresses (ULA) in IPv6, defined in RFC 4193, are the equivalent of private IPv4 addresses (RFC 1918) because they are intended for local communication within a site or organization and are not routable on the global internet. They use the prefix fc00::/7, with the L bit set to 1 (fd00::/8) for locally assigned addresses, ensuring uniqueness within a site without requiring global registration.

Exam trap

Cisco often tests the distinction between link-local and unique local addresses, trapping candidates who confuse link-local (fe80::/10) with private IPv4 because both are non-routable, but link-local is strictly single-link and not site-wide like private IPv4.

How to eliminate wrong answers

Option A is wrong because multicast addresses (ff00::/8) are used for one-to-many communication to a group of interfaces, not for private, site-local addressing like private IPv4. Option B is wrong because global unicast addresses (2000::/3) are globally routable and unique on the internet, analogous to public IPv4 addresses, not private ones. Option C is wrong because link-local addresses (fe80::/10) are automatically configured and only valid on a single network link, never routed, making them more similar to APIPA (169.254.x.x) in IPv4 rather than private addresses like 10.0.0.0/8.

290
MCQmedium

An automation tool uses RESTCONF to configure a Cisco device. The device returns a 404 error for a PUT request. What does this indicate?

A.The server is overloaded
B.The request body is malformed
C.Authentication failed
D.The resource does not exist
AnswerD

404 is specifically for not found.

Why this answer

A 404 (Not Found) response to a RESTCONF PUT request indicates that the target resource (e.g., a specific YANG data node or URI) does not exist on the device. RESTCONF uses HTTP methods to manipulate resources identified by URIs; a PUT request is intended to create or replace a resource at that URI, but if the resource path is invalid or the data model node is not present, the server returns 404. This is consistent with RFC 8040, which defines the RESTCONF protocol.

Exam trap

Cisco often tests the distinction between HTTP status codes in RESTCONF/NETCONF contexts, and the trap here is that candidates confuse 404 (resource not found) with 400 (bad request) or 401 (authentication failure), especially when the PUT request seems syntactically correct but targets a non-existent resource.

How to eliminate wrong answers

Option A is wrong because a 404 error is not related to server overload; server overload typically results in 503 (Service Unavailable) or 429 (Too Many Requests). Option B is wrong because a malformed request body (e.g., invalid JSON or XML) would produce a 400 (Bad Request) error, not 404. Option C is wrong because authentication failure results in 401 (Unauthorized) or 403 (Forbidden), not 404.

291
MCQeasy

A network administrator needs to assign IP addresses to 50 hosts in a subnet. Which subnet mask provides the minimum required number of usable addresses while minimizing waste?

A.255.255.255.192 (/26)
B.255.255.255.224 (/27)
C.255.255.255.240 (/28)
D.255.255.255.128 (/25)
AnswerA

62 usable, sufficient and minimal waste.

Why this answer

A /26 subnet mask (255.255.255.192) provides 64 total addresses per subnet, of which 62 are usable (2^6 - 2 = 62). This is the smallest power-of-two block that can accommodate 50 hosts, minimizing waste while meeting the requirement.

Exam trap

Cisco often tests the distinction between 'total addresses' and 'usable addresses' — candidates mistakenly count the total 64 addresses as usable, forgetting to subtract the network and broadcast addresses, or they choose a mask that provides exactly 50 total addresses (which is impossible since host bits must be a power of 2).

How to eliminate wrong answers

Option B (255.255.255.224, /27) is wrong because it provides only 30 usable addresses (2^5 - 2 = 30), which is insufficient for 50 hosts. Option C (255.255.255.240, /28) is wrong because it provides only 14 usable addresses (2^4 - 2 = 14), far below the requirement. Option D (255.255.255.128, /25) is wrong because while it provides 126 usable addresses (2^7 - 2 = 126), it wastes 76 addresses, failing the 'minimizing waste' criterion.

292
MCQeasy

A network developer wants to quickly prototype an application that interacts with a Cisco Catalyst 9000 switch using REST APIs. What is the most appropriate resource to use?

A.Cisco DevNet Sandbox
B.Cisco DNA Center
C.Cisco Unified Communications Manager
D.Cisco Prime Infrastructure
AnswerA

Cisco DevNet Sandbox provides free, always-on labs with pre-configured devices for development and testing.

Why this answer

Cisco DevNet Sandbox provides free, cloud-hosted lab environments with pre-configured Cisco Catalyst 9000 switches that expose REST APIs (e.g., RESTCONF over HTTPS). This allows a developer to quickly prototype and test applications without needing physical hardware or complex setup, making it the most appropriate resource for rapid prototyping.

Exam trap

Cisco often tests the distinction between a development sandbox (DevNet) and production management platforms (DNA Center, Prime Infrastructure), expecting candidates to recognize that rapid prototyping requires a lightweight, accessible environment rather than a full-scale orchestration tool.

How to eliminate wrong answers

Option B (Cisco DNA Center) is wrong because it is a centralized network management platform that abstracts device-level APIs and is overkill for prototyping a single switch interaction; it requires additional infrastructure and licensing. Option C (Cisco Unified Communications Manager) is wrong because it is a voice and video communications platform, not a resource for interacting with Catalyst 9000 switch REST APIs. Option D (Cisco Prime Infrastructure) is wrong because it is a legacy network management tool that does not provide direct REST API access to Catalyst 9000 switches and is not designed for rapid prototyping.

293
MCQeasy

A DevOps team wants to version control their network configurations. Which tool should they use?

A.Puppet
B.Jenkins
C.Git
D.Docker
AnswerC

Git is the standard for version control.

Why this answer

Git is a distributed version control system that tracks changes in source code and configuration files, making it the ideal tool for version controlling network configurations. Unlike configuration management tools, Git provides commit history, branching, and rollback capabilities specifically designed for version control.

Exam trap

Cisco often tests the distinction between version control tools (Git) and configuration management tools (Puppet, Ansible) or CI/CD tools (Jenkins), leading candidates to confuse the purpose of each tool in the DevOps pipeline.

How to eliminate wrong answers

Option A is wrong because Puppet is a configuration management tool that enforces desired state on systems, not a version control system for tracking changes to configuration files. Option B is wrong because Jenkins is a continuous integration/continuous delivery (CI/CD) automation server, not a version control tool. Option D is wrong because Docker is a containerization platform for packaging applications and their dependencies, not a version control system.

294
MCQmedium

Refer to the exhibit. What will be the result of running this Ansible playbook against the 'switches' group?

A.VLAN 10 will be deleted
B.VLAN 10 will be modified to have the name 'voice'
C.The playbook will only show the running configuration of VLAN 10
D.VLAN 10 will be created if it does not already exist
AnswerD

The 'state: present' parameter ensures the VLAN is present; Ansible will create it if missing.

Why this answer

Option D is correct because the task uses the 'state: present' parameter to ensure VLAN 10 exists. Option A (deletion) would require 'state: absent'. Option B (modification) would apply only if the VLAN already existed with a different name; the task is idempotent and changes only what differs from the desired state.

Option C is incorrect because the playbook does not display the running configuration. Therefore, the primary outcome is creating VLAN 10 if it does not exist.

295
MCQmedium

A Python script using the requests library to query the Cisco Meraki API returns a 403 Forbidden error. The API key is correctly set in the header. What is the most likely cause?

A.The request URL is incorrect
B.The API endpoint is rate-limiting the request
C.The API key does not have permission for the requested resource
D.The Content-Type header is missing
AnswerC

403 Forbidden means the server understood the request but refuses to authorize it; the API key likely lacks the required scope.

Why this answer

A 403 Forbidden error typically indicates the API key is invalid or lacks permissions. The API key is set correctly, so the issue is likely that the API key does not have the required scope for the endpoint.

296
MCQmedium

A network automation engineer is writing an Ansible playbook to configure interface descriptions on Cisco IOS-XE devices. The playbook uses the ios_config module. Which attribute should be used to ensure idempotency and only apply changes when the interface does not already have the desired description?

A.lines
B.src
C.parents
D.before
AnswerA

lines defines the configuration lines to be added or modified; the module checks current state to avoid duplicate changes.

Why this answer

Option A is correct because the `lines` attribute in the `ios_config` module specifies the exact configuration lines to be applied. Ansible's `ios_config` module inherently checks the current device configuration against the desired state defined in `lines`; if the interface already has the matching description, the module skips the task, ensuring idempotency. This prevents unnecessary configuration changes and maintains network stability.

Exam trap

Cisco often tests the misconception that `src` or `parents` alone provide idempotency, but the trap here is that `lines` is the attribute that directly enables the module to compare and skip unchanged configuration lines, while `parents` only sets the configuration context and does not perform the idempotency check itself.

How to eliminate wrong answers

Option B is wrong because `src` specifies a file or template containing configuration commands, but it does not inherently check the current state of the interface description; it reapplies the entire file content each run, breaking idempotency unless combined with other logic. Option C is wrong because `parents` is used to navigate to a specific configuration context (e.g., interface configuration mode) but does not itself enforce idempotency for the description line; it only sets the parent path for the `lines` or `src` content. Option D is wrong because `before` inserts configuration lines before a matched line in the running config, which is used for ordering or insertion, not for checking existing descriptions to avoid redundant changes.

297
MCQhard

An engineer is troubleshooting a NETCONF session that fails to establish with a Cisco IOS XE device. The SSH connection succeeds, but NETCONF capabilities are not exchanged. What is the most likely cause?

A.The device requires authentication via SSH keys but password was used.
B.The firewall is blocking port 830.
C.The device is running an older IOS version that does not support NETCONF.
D.The device's NETCONF server is not enabled.
AnswerD

If netconf-yang feature is not enabled, SSH connects but no NETCONF capabilities.

Why this answer

Option D is correct because NETCONF uses a client-server model in which the server (the Cisco IOS XE device) must have the NETCONF server explicitly enabled. If the SSH transport succeeds but capabilities are not exchanged, the NETCONF subsystem is not active on the device. NETCONF is enabled with the `netconf-yang` command in global configuration mode, which starts the NETCONF server and allows the capability exchange to take place.

Exam trap

Cisco often tests the distinction between SSH transport success and NETCONF protocol success, trapping candidates who assume a successful SSH connection implies NETCONF is fully operational.

How to eliminate wrong answers

Option A is wrong because the SSH connection succeeded, meaning authentication was accepted regardless of method (password or SSH keys); NETCONF capability exchange occurs after the SSH transport is established, so authentication is not the issue. Option B is wrong because NETCONF-over-SSH typically uses port 830, and the SSH connection on that port succeeded; if a firewall were blocking port 830, the SSH connection itself would fail, not just the capability exchange. Option C is wrong because even older IOS XE versions (e.g., 16.x) support NETCONF; the issue is not version compatibility but whether the NETCONF server is administratively enabled.

298
Drag & Dropmedium

Drag and drop the steps to use Git to commit and push code changes to a remote repository into the correct order.

Why this order

Typical workflow: stage, commit, pull to sync, resolve conflicts, then push.

299
MCQmedium

An engineer is writing a Python script using the Cisco DevNet sandbox to configure OSPF on a CSR1000v via RESTCONF. What authentication method is typically used for RESTCONF requests?

A.No authentication
B.OAuth2
C.API token only
D.Basic authentication over HTTPS
AnswerD

Basic auth over HTTPS is widely used for RESTCONF on Cisco devices.

Why this answer

RESTCONF typically uses Basic authentication over HTTPS (RFC 7235) because it is a lightweight, stateless mechanism that sends a base64-encoded username:password pair in the Authorization header. In the Cisco DevNet sandbox CSR1000v environment, this is the standard method for authenticating RESTCONF requests, as the sandbox provides a username and password for access.

Exam trap

Cisco often tests the distinction between RESTCONF and NETCONF authentication, where candidates might mistakenly think RESTCONF uses SSH keys or no authentication, but RESTCONF always requires HTTPS-based authentication, typically Basic.

How to eliminate wrong answers

Option A is wrong because RESTCONF requires authentication; no authentication would leave the device open to unauthorized configuration changes. Option B is wrong because OAuth2 is not typically used for RESTCONF on Cisco IOS-XE devices; it is more common in cloud-based APIs like Webex or Meraki. Option C is wrong because API token only is not a standard RESTCONF authentication method; while some Cisco platforms (e.g., DNA Center) use tokens, the CSR1000v sandbox relies on Basic authentication over HTTPS.

300
MCQmedium

A developer needs to retrieve interface configuration from a Cisco IOS XE device using NETCONF. Which operation should be used?

A.<get> with filter
B.<delete-config>
C.<edit-config>
D.<get-config> with filter
AnswerD

Correct operation for configuration retrieval.

Why this answer

To retrieve interface configuration from a Cisco IOS XE device using NETCONF, the <get-config> operation with a filter is the correct choice. <get-config> retrieves the running configuration datastore, and the filter (typically an XML subtree filter) narrows the response to only the interface subtree, avoiding unnecessary data. This is the standard NETCONF operation for reading configuration data, as defined in RFC 6241.

Exam trap

Cisco often tests the distinction between <get> and <get-config>, where candidates mistakenly choose <get> because it sounds like 'get configuration,' but <get> returns both config and state data, which is not the correct operation for retrieving only configuration.

How to eliminate wrong answers

Option A is wrong because <get> retrieves both configuration and state data from the device, which is not limited to configuration and may include operational status, making it less precise for retrieving only interface configuration. Option B is wrong because <delete-config> is used to delete a configuration datastore (e.g., the candidate datastore), not to retrieve configuration; it would remove the interface configuration entirely. Option C is wrong because <edit-config> is used to modify or create configuration, not to retrieve it; it would attempt to change the interface configuration rather than read it.
