Cisco DevNet Associate 200-901 (200-901) — Questions 301 to 375

505 questions total · 7 pages · All types, answers revealed

Page 5 of 7
301 · MCQ · medium

A network automation script uses the Cisco DNAC Python SDK (dnacentersdk) to retrieve devices. Which method correctly lists all devices?

A. dnac.get_devices()
B. dnac.devices.get_device_list()
C. dnac.sites.get_site_devices()
D. dnac.devices.list_devices()
Answer: B

Correct method.

Why this answer

Option B is correct because dnacentersdk groups API calls by resource: the inventory calls hang off `dnac.devices`, and `get_device_list()` wraps the Intent API endpoint `/dna/intent/api/v1/network-device`. The call returns a response object whose `response` attribute holds the list of device dictionaries (hostname, management IP, serial number, platform and so on). For large inventories pass the endpoint's `offset` and `limit` parameters and loop until a short page comes back, rather than assuming a single call returns every device.

Exam trap

Cisco often tests the exact method naming conventions in the SDK, and the trap here is that candidates confuse the generic Python list concept (e.g., `list_devices()`) with the SDK's actual method name (`get_device_list()`), or they assume a top-level method exists without the resource hierarchy.

How to eliminate wrong answers

Option A is wrong because `dnac.get_devices()` is not a valid method in the dnacentersdk; the SDK requires resource-specific access (e.g., `dnac.devices`), and calling a top-level method like this would raise an AttributeError. Option C is wrong because `dnac.sites.get_site_devices()` retrieves devices associated with a specific site, not all devices in the network, and is intended for site-scoped queries. Option D is wrong because `dnac.devices.list_devices()` does not exist in the SDK; the correct method name is `get_device_list()`, and using `list_devices()` would result in a method-not-found error.

302 · MCQ · easy

A network administrator is managing a small office with 10 Cisco 9200 switches. They want to automate the deployment of a standard base configuration (VLANs, STP, management access) to all switches. They have a Linux server with Ansible installed. The administrator writes a playbook that uses the 'ios_config' module to apply configuration blocks. However, when they run the playbook against the first switch, it fails with an authentication error. The administrator can SSH to the switch manually using the same credentials. What is the most likely cause of the failure?

A. The Ansible playbook is missing the 'ansible_connection: network_cli' and 'ansible_network_os: ios' variables.
B. The switch's SSH server does not support the key exchange algorithm used by Ansible.
C. The playbook is using the wrong username because the variable is not defined.
D. The switch is running an incompatible IOS version that does not support the commands in the playbook.
Answer: A

Network devices require these variables to handle the SSH session correctly.

Why this answer

Ansible's default connection plugin (`ssh`) treats the target as a general-purpose host: it opens SSH, then tries to copy a Python module to the device and execute it there. A Cisco switch has no Python interpreter and presents a CLI prompt instead, so the attempt fails early and is reported as an authentication or connection error even though the credentials are fine. Setting `ansible_connection: network_cli` and `ansible_network_os: cisco.ios.ios` (the collection-era spelling of `ios`) tells Ansible to drive the device's CLI over SSH from the control node and to parse IOS prompts; credentials then come from `ansible_user` and `ansible_password`, and privileged mode from `ansible_become: yes` with `ansible_become_method: enable`. A quick check that the variables are in place is `ansible -m cisco.ios.ios_facts -i inventory <switch>`.

303 · MCQ · easy

Refer to the exhibit. A developer builds this Docker image and runs it. The container starts but cannot be accessed on port 5000 from the host. What is the most likely cause?

A. The requirements.txt is missing Flask.
B. The Python application is not listening on 0.0.0.0.
C. The container is using a different port inside.
D. The EXPOSE instruction does not publish the port; the container was run without -p.
Answer: D

EXPOSE is documentation; without -p, no port is published to the host.

Why this answer

The EXPOSE instruction in a Dockerfile is documentation only; it does not actually publish the container's port to the host. For the container to be accessible on port 5000 from the host, the container must be run with the `-p` (or `--publish`) flag (e.g., `docker run -p 5000:5000 ...`). Without this, the container's port 5000 is only reachable from within the Docker network, not from the host.

Exam trap

Cisco often tests the misconception that EXPOSE publishes the port, when in fact it only documents the port and requires `-p` or `-P` for actual host access.

How to eliminate wrong answers

Option A is wrong because a missing Flask dependency would make the container exit at startup (`ModuleNotFoundError`), whereas the question says the container is running. Option B describes a real and common second cause: a Flask app that binds 127.0.0.1 (its default) is unreachable from outside the container even when `-p` is used, so in practice both conditions must hold: the process binds 0.0.0.0 inside the container and the port is published with `-p`. The question attributes the failure to the missing `-p`; when troubleshooting, check both with `docker port <container>` (shows what is published) and `docker logs <container>` (shows the address Flask bound). Option C is wrong because a mismatched internal port would be a mapping problem that `-p host:container` resolves; the question's exhibit defines the port, and the root issue is that EXPOSE by itself publishes nothing.

304 · MCQ · hard

A developer is building a Webex Teams bot that monitors network alerts from Cisco DNA Assurance. The bot must authenticate to the Webex API. Which authentication method should be used?

A. Basic authentication with username/password
B. Session ID cookie
C. OAuth2 client credentials grant with bot token
D. API key in query string
Answer: C

Correct method for Webex bots.

Why this answer

A Webex bot authenticates with a bot access token, a long-lived bearer token generated when the bot is created in the Webex developer portal. It is sent as `Authorization: Bearer <token>` on every request and needs no user interaction, which is what makes it suitable for a server-side process that posts alert messages and receives webhook events. Among the options only C describes this kind of token-based, machine-to-machine authentication; note that in practice the bot token is issued once at creation rather than fetched at runtime through a client credentials exchange, while user-facing Webex integrations use the OAuth2 authorization code grant. Basic authentication, session cookies and API keys in the query string are not accepted by the Webex API.

Exam trap

Cisco often tests the distinction between user-delegated authentication (an integration using the OAuth2 authorization code grant) and bot authentication (a bearer bot token), leading candidates to pick Basic auth or API keys out of familiarity with older APIs.

How to eliminate wrong answers

Option A is wrong because Webex API does not support Basic authentication with username/password for bots; bots are not user accounts and require token-based auth. Option B is wrong because session ID cookies are used for browser-based user sessions, not for bot or API authentication, and Webex API does not issue session cookies for bots. Option D is wrong because Webex API does not accept API keys in query strings; it uses Bearer tokens in the Authorization header, and query string keys are insecure and not part of the OAuth2 flow.

305 · MCQ · medium

A DevOps team uses Ansible to configure Cisco Nexus switches for a new data center. They have a playbook that uses the nxos_vlan module to create VLANs and nxos_interface module to assign access VLANs. The playbook runs successfully on the first Nexus switch but fails on the second with error: 'module_stderr: ntclib: error: unable to connect to switch'. Both switches are reachable via ping and SSH from the Ansible control node. The inventory file has the same SSH credentials for both switches. What is the most likely cause of the connection failure on the second switch?

A. The second switch does not have NX-API enabled.
B. The Ansible control node has an incompatible version of the nxos collection.
C. The second switch has a different VLAN database that conflicts with the playbook.
D. The second switch's SSH key fingerprint has changed and is not accepted.
Answer: A

The error indicates NX-API connection failure; enabling NX-API resolves.

Why this answer

The error says the module could not open its management connection even though the switch answers SSH, which points at the transport the playbook is using. The cisco.nxos modules talk to the switch through whichever connection plugin the inventory sets: `ansible_connection: network_cli` drives the CLI over SSH, while `ansible_connection: httpapi` (with `ansible_network_os: cisco.nxos.nxos` and `ansible_httpapi_use_ssl: true`) uses NX-API over HTTP/HTTPS. If the playbook uses httpapi, the switch must have `feature nxapi` enabled; a switch that was never configured for NX-API rejects the connection while SSH keeps working, which matches a playbook that succeeds on one switch and fails on the next with identical credentials. Check with `show feature | include nxapi` on the second switch and confirm `ansible_connection` in the inventory. (The nxos_vlan and nxos_interface modules named here are deprecated in favour of the nxos_vlans and nxos_interfaces resource modules, which use the same connection plugins.)

Exam trap

Cisco often tests the misconception that the nxos modules always use SSH; in fact the transport is whatever connection plugin is configured, and with httpapi the target must have NX-API enabled, so candidates overlook that requirement when SSH itself works.

How to eliminate wrong answers

Option B is wrong because an incompatible nxos collection version would typically produce module-specific errors (unknown parameters, missing attributes), not a generic 'unable to connect'; the failure here is at the transport layer before any module logic runs. Option C is wrong because VLAN database conflicts show up as task-level failures during execution, not as a connection error. Option D is wrong because a changed SSH host key produces an SSH-specific message ('Host key verification failed') from the network_cli transport, whereas this message comes from the module's API connection attempt, and the scenario states SSH still works.

306 · MCQ · hard

An engineer is using the Cisco Intersight API to manage UCS servers. The API response returns a paginated list. What is the proper way to retrieve all items?

A. Loop through pages using the 'next' link in the response
B. Increase the page size limit to maximum
C. Send multiple requests with different offsets manually
D. Use a single request with a filter to get all
Answer: A

Following pagination links is the recommended pattern.

Why this answer

Intersight list endpoints return results one page at a time, and the total can exceed any single page. The robust pattern is to let the server drive the loop: request a page, consume the results, request the next page as the server indicates, and stop only when the server signals there is nothing more (a null or absent next link, or a page shorter than the page size). Intersight's list endpoints accept OData-style query parameters (`$top` for page size, `$skip` for offset, `$count=true` for the total); whichever form the continuation takes, advance it from what each response actually returned rather than from assumptions about page size or total count.

Exam trap

Cisco often tests the distinction between a client that hard-codes page numbers or offsets and one that follows the server's own continuation signal, trapping candidates who assume they can manually increment a page number or offset and know when to stop.

How to eliminate wrong answers

Option B is wrong because the server caps the page size (Intersight limits `$top`; a value above the cap is clamped or rejected), so a single 'maximum' page still misses items once the inventory grows past it. Option C is wrong because hand-assembled offsets hard-code assumptions about page size and ordering; if objects are created or deleted between requests, or the cap changes, you get duplicates or gaps, whereas advancing from the server's response does not. Option D is wrong because filters narrow the result set but do not remove pagination: a `$filter` that still matches more than one page of objects is paginated like any other list.
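The following is an added example, not code from the original page or from Cisco's SDKs. It implements both continuation styles described above against constructed fake servers (the URLs, the item shapes and the `items`, `Results` and `next` field names are assumptions for the demonstration) so it runs offline, and adds the loop guard a practitioner wants when a server keeps handing back the same link:

```python
from typing import Any, Callable, Dict, Iterator, List, Optional
from urllib.parse import parse_qs, urlparse

Page = Dict[str, Any]                 # one decoded JSON page
Fetcher = Callable[[str], Page]       # GET a URL and return decoded JSON (hypothetical transport)


def iter_pages(fetch: Fetcher, first_url: str, max_pages: int = 10_000) -> Iterator[Page]:
    """Follow server-supplied 'next' links until the server stops providing one.

    Guards against a server (or a captured proxy reply) that returns the same
    link forever by remembering visited URLs and capping the page count.
    """
    seen = set()
    url: Optional[str] = first_url
    while url is not None:
        if url in seen or len(seen) >= max_pages:
            raise RuntimeError(f"pagination loop or runaway at {url!r}")
        seen.add(url)
        page = fetch(url)
        yield page
        url = page.get("next")        # None or absent means this was the last page


def fetch_all_by_next(fetch: Fetcher, first_url: str) -> List[dict]:
    items: List[dict] = []
    for page in iter_pages(fetch, first_url):
        items.extend(page.get("items", []))
    return items


def fetch_all_by_skip(fetch: Fetcher, base_url: str, top: int = 100) -> List[dict]:
    """Offset-style paging with $top/$skip (the OData-style parameters Intersight
    list endpoints accept). Advance $skip by what the server actually returned and
    stop on a short page; never hard-code the total or assume the cap."""
    items: List[dict] = []
    skip = 0
    while True:
        page = fetch(f"{base_url}?$top={top}&$skip={skip}")
        batch = page.get("Results", [])
        items.extend(batch)
        if len(batch) < top:
            return items
        skip += len(batch)


# --- constructed fake servers so the example runs offline; item shapes are illustrative ---
_ITEMS = [{"Moid": f"id-{i}"} for i in range(7)]
_BASE = "https://example.invalid/api/v1/items"


def fake_next_link_server(url: str) -> Page:
    """Three pages chained by 'next'; the last page carries no 'next'."""
    pages = {
        _BASE: {"items": _ITEMS[0:3], "next": _BASE + "?page=2"},
        _BASE + "?page=2": {"items": _ITEMS[3:6], "next": _BASE + "?page=3"},
        _BASE + "?page=3": {"items": _ITEMS[6:7]},
    }
    return pages[url]


def fake_skip_server(url: str) -> Page:
    """Serves slices of _ITEMS according to $top and $skip."""
    q = parse_qs(urlparse(url).query)
    top, skip = int(q["$top"][0]), int(q["$skip"][0])
    return {"Results": _ITEMS[skip:skip + top]}


def detects_loop() -> bool:
    """True if iter_pages refuses a server that keeps returning the same 'next' link."""
    def looping(url: str) -> Page:
        return {"items": [], "next": url}
    try:
        fetch_all_by_next(looping, _BASE)
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(len(fetch_all_by_next(fake_next_link_server, _BASE)), "items via next links")
    print(len(fetch_all_by_skip(fake_skip_server, _BASE, top=3)), "items via $skip")
    print("loop guard works:", detects_loop())
```

Swap `fake_next_link_server` for a function that does `requests.get(url, headers=...).json()` and the loops are unchanged; the stop condition always comes from the response, never from a count the client assumed.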

307 · MCQ · easy

An automation script needs to update the hostname of a Cisco IOS-XE device via RESTCONF. Which HTTP method is appropriate?

A. PUT
B. PATCH
C. GET
D. POST
Answer: A

PUT is used to replace the target resource with the request payload.

Why this answer

PUT is the method whose contract is 'replace the target resource with the payload'. Targeting the hostname leaf directly, `PUT /restconf/data/Cisco-IOS-XE-native:native/hostname` with the body `{"Cisco-IOS-XE-native:hostname": "NEW-NAME"}` and `Content-Type: application/yang-data+json`, replaces just that leaf; the device answers 204 No Content (or 201 Created if the leaf did not exist). The scope of PUT is what matters in practice: a PUT against the parent container `native` with only a hostname in the body would replace the entire container and delete every other setting in it, so always target the narrowest resource you actually mean to replace.

Exam trap

Cisco often tests the distinction between PUT and PATCH. The real trap is not availability (RESTCONF does support PATCH: the plain patch of RFC 8040 section 4.6 merges data into the target, and RFC 8072 adds YANG Patch for ordered edits) but scope: PUT replaces the whole target resource, while PATCH merges only the leaves supplied, so a PUT aimed at a container is destructive in a way PATCH is not.

How to eliminate wrong answers

Option B (PATCH) is not unavailable; it is RESTCONF's partial-update method and would also set the hostname by merging it into the target. The question asks for the method that replaces the target resource with the request payload, which is PUT, so PUT is the expected answer. Option C (GET) is wrong because it only retrieves the current hostname. Option D (POST) is wrong because in RESTCONF POST creates a new child data resource or invokes an RPC or action; it is not used to replace an existing leaf.

308 · MCQ · hard

A Cisco DevNet engineer is configuring model-driven telemetry on a Cisco IOS-XE device. The telemetry subscription includes the following path: 'Cisco-IOS-XE-native:native/interface/GigabitEthernet[Name='1/0/1']/ip/address'. Which part of this path identifies a specific list instance?

A. Cisco-IOS-XE-native
B. [Name='1/0/1']
C. GigabitEthernet
D. ip/address
Answer: B

This specifies the key value to identify the particular interface instance.

Why this answer

Option B is correct because the XPath expression `[Name='1/0/1']` is a predicate that selects a specific list instance from the `GigabitEthernet` YANG list. In YANG model-driven telemetry, list keys identify individual entries, and the predicate syntax `[key='value']` pins the subscription to exactly one instance within the list. (In the published Cisco-IOS-XE-native model the key leaf of the GigabitEthernet list is spelled `name`; the capitalization in the question's path is the question's own. Telemetry and NETCONF paths must spell the key exactly as the model does.)

Exam trap

Cisco often tests whether candidates confuse the YANG module name or the list node name with the list instance identifier, leading them to pick the module or the list name instead of the key predicate.

How to eliminate wrong answers

Option A is wrong because `Cisco-IOS-XE-native` is the YANG module name, not a list instance identifier. Option C is wrong because `GigabitEthernet` is the YANG list node name, which represents the entire list of interfaces, not a specific instance. Option D is wrong because `ip/address` is a leaf path within the interface instance, not a list instance identifier.

309 · MCQ · hard

A DevOps team is implementing a CI/CD pipeline for network services using Cisco NSO (Network Services Orchestrator). They have a Python script that uses the NSO RESTCONF API to create a new VPN service instance. The script passes all integration tests in the staging environment, but when deployed to production, the 'POST' request to /api/run/vpn-service returns a 500 Internal Server Error. The team checks the NSO logs and finds the error 'Error: No such device: device-xr-1'. The production NSO instance manages multiple devices, and device-xr-1 is one of them. The team confirms device-xr-1 is reachable and managed by NSO in the production environment. What is the most likely cause of this error?

A. The production NSO instance uses a different authentication method for device-xr-1.
B. The device configuration in NSO is out of sync; a sync-from is needed before service creation.
C. The YANG service model expects a device name that does not match the device's name in NSO's device list.
D. The production NSO instance has insufficient memory to handle the request.
Answer: C

The service template likely uses a device reference that conflicts with the actual device name.

Why this answer

The message 'No such device: device-xr-1' is NSO rejecting a reference to a name that is not in its device list (`/devices/device{name}`). In a service model the `device` leaf is typically a leafref to `/ncs:devices/ncs:device/ncs:name`, so the value carried in the service payload (or embedded in a service template) must match an entry in the production device list exactly; a device with a similar but not identical name (different case, prefix or suffix) still fails validation, and the commit is rejected before any southbound connection is attempted. Because the same payload passed in staging, the likeliest explanation is that the device is registered under a different name in production while the script or template still carries the staging name; the team confirmed the device is managed, not that the exact string matches. Compare the name in the request against `show devices list` (or `GET /devices/device`) on the production instance.

Exam trap

Cisco often tests the distinction between device reachability/authentication errors and device name mismatches in NSO service models, where candidates mistakenly assume a connectivity or sync issue when the actual problem is a YANG model reference mismatch.

How to eliminate wrong answers

Option A is wrong because authentication methods (e.g., SSH keys, passwords) are configured per device in NSO's device list and would cause a connection failure (e.g., 'Authentication failed'), not a 'No such device' error. Option B is wrong because a sync-from operation addresses configuration drift between NSO and the actual device state, but the error here is about the device name not being found in NSO's device list, not about out-of-sync configuration. Option D is wrong because insufficient memory would typically manifest as a timeout or out-of-memory exception in NSO logs, not a specific 'No such device' error referencing a device name.

310 · Drag &amp; Drop · medium

Drag and drop the steps to deploy a Python script to a Cisco device via RESTCONF into the correct order.


Why this order

RESTCONF operations require authentication, correct URL, headers, and payload; verify with response.
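As an added example covering question 307 (PUT versus PATCH) and question 310 (assembling the RESTCONF call: authentication, URL, headers, payload, response check), not code from the original page, the block below builds the request a Python script would send and then simulates the server's PUT/PATCH datastore semantics on a constructed, heavily abridged `native` tree. The host and credentials are placeholders, and module prefixes are stripped inside the simulation for simplicity.

```python
import copy
import json
from typing import Any, Dict, Optional, Tuple

YANG_JSON = "application/yang-data+json"


def build_restconf_request(host: str, path: str, method: str,
                           body: Optional[Dict[str, Any]] = None,
                           username: str = "admin", password: str = "CHANGE-ME") -> Dict[str, Any]:
    """Assemble what a RESTCONF call needs: URL, basic auth, YANG-JSON headers, payload.
    The credentials are placeholders; read real ones from the environment or a vault.
    The returned dict maps directly onto requests.request(**req)."""
    method = method.upper()
    if method not in {"GET", "PUT", "PATCH", "POST", "DELETE"}:
        raise ValueError(f"unsupported method {method}")
    if method == "GET" and body is not None:
        raise ValueError("GET takes no body")
    return {
        "method": method,
        "url": f"https://{host}/restconf/data/{path.strip('/')}",
        "headers": {"Accept": YANG_JSON, "Content-Type": YANG_JSON},
        "auth": (username, password),
        "data": None if body is None else json.dumps(body),
        "verify": True,   # keep TLS verification on; point this at a CA bundle for self-signed devices
    }


def _strip(name: str) -> str:
    """Drop the 'module:' prefix so the simulation can use plain dict keys."""
    return name.split(":")[-1]


def _merge(dst: Dict[str, Any], src: Dict[str, Any]) -> None:
    for k, v in src.items():
        if isinstance(v, dict) and isinstance(dst.get(k), dict):
            _merge(dst[k], v)
        else:
            dst[k] = v


def apply_operation(store: Dict[str, Any], path: str, method: str,
                    body: Dict[str, Any]) -> Tuple[Dict[str, Any], int]:
    """Simulate datastore semantics (RFC 8040): PUT replaces the target resource with
    the payload, PATCH merges the payload into it. Returns (new_store, http_status)."""
    store = copy.deepcopy(store)
    segs = [_strip(s) for s in path.strip("/").split("/")]
    parent = store
    for s in segs[:-1]:
        if not isinstance(parent.get(s), dict):
            return store, 404          # parent resource must exist
        parent = parent[s]
    target = segs[-1]
    if [_strip(k) for k in body] != [target]:
        return store, 400              # payload must be the target resource itself
    value = body[next(iter(body))]
    existed = target in parent
    if method.upper() == "PUT":
        parent[target] = copy.deepcopy(value)
        return store, 204 if existed else 201
    if method.upper() == "PATCH":
        if isinstance(value, dict) and isinstance(parent.get(target), dict):
            _merge(parent[target], value)
        else:
            parent[target] = copy.deepcopy(value)
        return store, 204
    return store, 405


def ok(status: int) -> bool:
    """Final step: verify the reply. RESTCONF edits answer 201 (created) or 204 (no content)."""
    return status in (200, 201, 204)


# Constructed datastore shaped like Cisco-IOS-XE-native:native (heavily abridged)
RUNNING = {"native": {"hostname": "R1",
                      "interface": {"GigabitEthernet": [{"name": "1", "description": "uplink"}]}}}


def demo() -> Dict[str, Any]:
    """PUT on the leaf is safe; PUT on the container wipes siblings; PATCH on the container does not."""
    new_name = {"Cisco-IOS-XE-native:hostname": "R1-NEW"}
    container_body = {"Cisco-IOS-XE-native:native": {"hostname": "R1-NEW"}}
    put_leaf, s1 = apply_operation(RUNNING, "Cisco-IOS-XE-native:native/hostname", "PUT", new_name)
    put_container, s2 = apply_operation(RUNNING, "Cisco-IOS-XE-native:native", "PUT", container_body)
    patch_container, s3 = apply_operation(RUNNING, "Cisco-IOS-XE-native:native", "PATCH", container_body)
    return {
        "put_leaf_keeps_interfaces": "interface" in put_leaf["native"],
        "put_container_keeps_interfaces": "interface" in put_container["native"],
        "patch_container_keeps_interfaces": "interface" in patch_container["native"],
        "statuses": (s1, s2, s3),
    }


if __name__ == "__main__":
    print(json.dumps(build_restconf_request("10.0.0.1", "Cisco-IOS-XE-native:native/hostname", "PUT",
                                            {"Cisco-IOS-XE-native:hostname": "R1-NEW"}), indent=2))
    print(demo())
```

Against a real device the dict from `build_restconf_request` is passed to `requests.request(**req)` and the status code goes through `ok()`; the simulation is there to make the PUT-scope hazard visible without touching a router.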

311 · Multi-Select · medium

Which THREE are common best practices for implementing CI/CD in network automation?

Select 3 answers
A. Perform manual testing after every deployment
B. Use version control for all automation scripts and playbooks
C. Treat infrastructure configurations as code
D. Implement automated unit and integration tests
E. Store credentials and secrets in code repositories
Answers: B, C, D

Version control is essential for tracking changes and collaboration.

Why this answer

Option B is correct because version control (e.g., Git) is a fundamental CI/CD practice: it tracks changes, enables rollbacks, and supports collaboration on automation scripts and playbooks. Without it you lose auditability and the ability to reproduce a known network state. Option C is correct because treating configuration as code (versioned, reviewed, diffed, rolled back) is what makes network changes repeatable and auditable. Option D is correct because automated unit and integration tests (syntax and schema checks, runs against a lab or virtual topology) are the gate that lets a pipeline deploy without a human re-checking every change. Option E is the opposite of a best practice: credentials belong in a secrets manager or the CI system's protected variables, never in the repository, whose history keeps them recoverable long after they are deleted.

Exam trap

Cisco often tests the distinction between 'automation' and 'CI/CD best practices'—candidates may confuse manual testing (Option A) as a safety net, but the exam expects you to recognize that CI/CD relies on automated testing, not manual steps.

312 · MCQ · hard

A network automation script using Ansible with the cisco.ios.ios_config module fails with "Unsupported parameters for (cisco.ios.ios_config) module: src." What is the most likely issue?

A. The Ansible version is too old
B. The inventory file has incorrect credentials
C. The network device is unreachable
D. The module does not support 'src' parameter; it should use 'lines'
Answer: D

The ios_config module uses 'lines' for configuration commands.

Why this answer

The message means the installed `cisco.ios.ios_config` module's argument spec does not include `src`, so Ansible refuses the task during parameter validation, before any connection is made. In the documented cisco.ios collection `src` does exist (a path to a file containing configuration or a template, mutually exclusive with `lines`), so this error signals a mismatch between what the playbook assumes and the module actually installed; confirm with `ansible-doc cisco.ios.ios_config` and `ansible-galaxy collection list cisco.ios`. The portable fix, and the answer the question expects, is to supply the configuration inline with `lines` (a list of commands), using `parents` for commands that belong inside a configuration section.

Exam trap

Cisco often tests the exact parameter names of the cisco.ios modules against the generic ones in ansible.netcommon (for example `cli_config`, which takes the configuration text in `config`), trapping candidates who assume the same parameter works across every configuration module.

How to eliminate wrong answers

Option A is wrong in the exam's framing because the error is a parameter-validation failure, not a missing module: the module was found and loaded. (In practice an outdated collection is a plausible reason for a documented parameter to be rejected, which is why checking the installed version is a sensible first step.) Option B is wrong because incorrect credentials would produce an authentication or connection error, not a parameter validation error. Option C is wrong because an unreachable device would produce a timeout or connection refused; parameter validation happens before any connection attempt.

313 · MCQ · hard

Refer to the exhibit. A developer executes this Python script against a Cisco device. Assuming valid credentials and network connectivity, what is printed to the console?

A. An exception due to invalid credentials
B. The startup configuration of the device in XML format
C. The running configuration of the device in XML format
D. A JSON representation of the device interfaces
Answer: C

The script calls m.get_config(source='running') which returns the running config as XML, then prints it prettified.

Why this answer

Option C is correct because the script retrieves the running configuration (source='running') over NETCONF and prints it as pretty-printed XML. Option B is wrong because the source is 'running', not 'startup'. Option A is wrong because no exception is raised when credentials and connectivity are valid, as the question stipulates.

Option D is wrong because NETCONF payloads are XML, not JSON; a JSON representation of the interfaces would come from RESTCONF with `Accept: application/yang-data+json`. Therefore the output is the running configuration in XML.

314 · MCQ · easy

A developer is creating a Helm chart for a stateless web application. Where should the application's configuration settings (like log level and feature flags) be stored?

A. Directly in the Docker image.
B. In values.yaml file of the Helm chart.
C. Hardcoded in the application code.
D. In a Kubernetes Secret.
Answer: B

Standard approach for Helm charts.

Why this answer

In a Helm chart, the `values.yaml` file is the standard location for configuration settings like log level and feature flags. This file allows developers to externalize configuration from the application code and Docker image, enabling environment-specific overrides without rebuilding the image. Helm uses `values.yaml` to inject these settings into Kubernetes manifests via template directives, making the chart reusable across different deployments.

Exam trap

Cisco often tests the distinction between configuration data (stored in ConfigMaps or `values.yaml`) and secret data (stored in Secrets), leading candidates to incorrectly choose Secrets for all configuration settings.

How to eliminate wrong answers

Option A is wrong because storing configuration in the Docker image violates the principle of immutable infrastructure; any change to log level or feature flags would require rebuilding and redeploying the image, which is inefficient and defeats the purpose of configuration externalization. Option C is wrong because hardcoding configuration in the application code tightly couples the application to specific settings, preventing runtime changes without code modification and recompilation, which is contrary to cloud-native best practices. Option D is wrong because Kubernetes Secrets are specifically designed for sensitive data (e.g., passwords, API keys), not for non-sensitive configuration like log level or feature flags; using Secrets for such data adds unnecessary complexity and security overhead without benefit.

315 · MCQ · medium

A network engineer runs the Ansible playbook shown in the exhibit, but it fails. The error indicates the module 'cisco.ios.ios_vlan' does not exist. What is the most likely cause?

A. The collection 'cisco.ios' is not installed
B. The module name is misspelled; it should be 'ios_vlans'
C. The 'state: present' is invalid for this module
D. The playbook lacks 'become: yes'
Answer: B

The correct module for configuring VLANs on Cisco IOS is 'ios_vlans' (with an 's').

Why this answer

The VLAN module in the cisco.ios collection is `ios_vlans` (plural), a resource module alongside `ios_interfaces` and `ios_l2_interfaces`; there is no `cisco.ios.ios_vlan`. Resource modules take a `config` list of VLAN entries and a `state` such as `merged`, `replaced`, `overridden` or `deleted` (plus the read-only `gathered`, `rendered` and `parsed`), so the `state: present` in option C would also be rejected by `ios_vlans`, but that error would only appear after the module had been found. Confirm module names with `ansible-doc -l cisco.ios`.

316 · MCQ · easy

What does a TTL of 128 indicate about the destination host?

A. It is a network switch
B. It is a Cisco router
C. It is a Windows host
D. It is a Linux host
Answer: C

Windows uses a default TTL of 128.

Why this answer

The sender's operating system sets the initial TTL; every router (or Layer 3 switch) on the path decrements it by one. Common defaults are 64 for Linux, macOS and most Unix systems, 128 for Windows, and 255 for Cisco IOS and many network appliances. A value of exactly 128 can only come from a Windows host on the local segment (zero hops); a value a little below 128, such as 116, points to a Windows host twelve hops away. This is a fingerprinting heuristic, not proof: the initial TTL is tunable per host (`net.ipv4.ip_default_ttl` on Linux, a registry setting on Windows), so treat it as one signal among several.

Exam trap

Cisco often tests the common misconception that TTL values are set by routers or switches, rather than by the originating host's operating system, leading candidates to incorrectly associate a TTL of 128 with a specific network device instead of a Windows host.

How to eliminate wrong answers

Option A is wrong because a Layer 2 switch never touches the IP header; a Layer 3 switch that routes the packet decrements the TTL like a router but does not set it. Option B is wrong because Cisco IOS originates packets with a TTL of 255, not 128. Option D is wrong because Linux defaults to 64.

317 · Multi-Select · medium

Which TWO of the following are best practices when using REST APIs in Cisco networking environments?

Select 2 answers
A. Send credentials as plain text in every request.
B. Poll the API every second to get real-time updates.
C. Always handle HTTP error codes like 4xx and 5xx.
D. Embed API keys directly in the URL query parameters.
E. Implement caching to reduce redundant API calls.
Answers: C, E

Error handling is critical for robustness.

Why this answer

Option C is correct because handling HTTP error codes like 4xx (client errors) and 5xx (server errors) is essential for robust REST API integration. In Cisco environments, APIs such as those for DNA Center or Meraki return these codes to indicate issues like authentication failure (401), rate limiting (429) or server overload (503). Proper error handling lets the application retry with backoff where a retry can help, log, or alert, preventing silent failures in network automation. Option E is correct because caching responses that change slowly (device inventories, site hierarchies) avoids redundant calls, keeps the client under the API's rate limit and reduces load on the controller; use conditional requests (ETag with If-None-Match) where the API offers them, or a short time-to-live otherwise. Options A and D are wrong because credentials sent in plaintext or placed in URLs end up in proxy logs, browser history and server access logs; tokens belong in the Authorization header over TLS.

Exam trap

Cisco often tests the misconception that polling frequently (e.g., every second) is acceptable for real-time data, but the trap is that this violates API rate-limiting best practices and ignores the recommended use of webhooks or longer intervals.
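An added example (not from the original page) showing the two practices in working code: a GET helper with bounded exponential backoff that honours `Retry-After` on 429/503 and never retries a 401, and a small client that caches GET bodies and revalidates them with `If-None-Match`. The transport is a constructed scripted fake so it runs offline; the `Response` class, `ScriptedServer` and the `example.invalid` URLs are assumptions for the demonstration.

```python
import time
from typing import Callable, Dict, List, Optional


class Response:
    """Minimal stand-in for requests.Response, constructed for this example."""
    def __init__(self, status: int, body: str = "", headers: Optional[Dict[str, str]] = None):
        self.status, self.body, self.headers = status, body, dict(headers or {})


class ApiError(Exception):
    def __init__(self, status: int, url: str):
        super().__init__(f"HTTP {status} for {url}")
        self.status = status


Sender = Callable[[str, Dict[str, str]], Response]   # GET(url, headers) -> Response
RETRYABLE = {429, 500, 502, 503, 504}               # transient; everything else fails fast


def get_with_retry(send: Sender, url: str, headers: Optional[Dict[str, str]] = None,
                   max_attempts: int = 5, base_delay: float = 0.5,
                   sleep: Callable[[float], None] = time.sleep) -> Response:
    """GET with bounded exponential backoff. Honours Retry-After on 429/503 and
    never retries other 4xx (a 401 will not fix itself by waiting)."""
    headers = dict(headers or {})
    delay = base_delay
    for attempt in range(1, max_attempts + 1):
        resp = send(url, headers)
        if resp.status < 400:
            return resp
        if resp.status not in RETRYABLE or attempt == max_attempts:
            raise ApiError(resp.status, url)
        wait = float(resp.headers.get("Retry-After", delay))
        sleep(wait)
        delay = min(delay * 2, 30.0)
    raise ApiError(resp.status, url)   # not reached; keeps type checkers happy


def status_of(send: Sender, url: str, **kw) -> int:
    """Status of the final reply, whether it was returned or raised."""
    try:
        return get_with_retry(send, url, **kw).status
    except ApiError as exc:
        return exc.status


class CachingClient:
    """Serves repeated GETs from a short-lived cache so they do not burn rate-limit
    budget, and revalidates with If-None-Match (ETag) once the entry expires."""
    def __init__(self, send: Sender, ttl: float = 60.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep):
        self._send, self._ttl, self._clock, self._sleep = send, ttl, clock, sleep
        self._cache: Dict[str, tuple] = {}   # url -> (expires_at, etag, body)
        self.network_calls = 0

    def _counted_send(self, url: str, headers: Dict[str, str]) -> Response:
        self.network_calls += 1
        return self._send(url, headers)

    def get(self, url: str) -> str:
        now = self._clock()
        cached = self._cache.get(url)
        if cached and now < cached[0]:
            return cached[2]                                  # fresh: no network call
        headers = {"Accept": "application/json"}
        if cached and cached[1]:
            headers["If-None-Match"] = cached[1]              # stale: ask the server to revalidate
        resp = get_with_retry(self._counted_send, url, headers, sleep=self._sleep)
        if resp.status == 304 and cached:
            etag, body = cached[1], cached[2]                 # unchanged: reuse the cached body
        else:
            etag, body = resp.headers.get("ETag"), resp.body
        self._cache[url] = (now + self._ttl, etag, body)
        return body


class ScriptedServer:
    """Constructed fake: replies with the scripted responses in order (repeating the last)."""
    def __init__(self, responses: List[Response]):
        self.responses, self.calls, self.seen_headers = list(responses), 0, []

    def __call__(self, url: str, headers: Dict[str, str]) -> Response:
        self.calls += 1
        self.seen_headers.append(dict(headers))
        return self.responses[min(self.calls - 1, len(self.responses) - 1)]


if __name__ == "__main__":
    flaky = ScriptedServer([Response(429, headers={"Retry-After": "0"}), Response(503),
                            Response(200, '{"ok": 1}')])
    waits: List[float] = []
    body = get_with_retry(flaky, "https://example.invalid/devices", sleep=waits.append).body
    print(body, "after", flaky.calls, "calls; waited", waits)
```

For a real controller, `send` becomes a thin wrapper around `requests.get(url, headers=headers, timeout=...)` that maps `status_code`, `text` and `headers` onto `Response`; the retry and cache logic does not change.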

318 · Drag &amp; Drop · medium

Drag and drop the steps to troubleshoot a network connectivity issue using the OSI model from bottom to top.


Why this order

Troubleshooting follows the OSI model from physical up to application to systematically isolate the problem.

319 · MCQ · medium

A developer is building a REST API for a Cisco DNA Center application. The API must allow external partners to retrieve network device inventory. Which security mechanism should be implemented to ensure that only authorized partners can access the API while maintaining the ability to revoke access for a specific partner without affecting others?

A.  Use unique API keys per partner
B. Whitelist partner IP addresses in the API gateway firewall
C. Require HTTP basic authentication with a shared username and password
D. Implement OAuth 2.0 with client credentials grant
Answer: A

API keys are simple to manage and can be revoked individually without impacting other partners.

Why this answer

Option A is correct because a unique key per partner is a simple credential that can be issued, rotated and revoked individually: revoking partner X's key leaves every other partner unaffected. Treat the keys as secrets: send them in a header (`Authorization` or `X-API-Key`), never in the URL, store only a hash server-side, and log a key identifier rather than the key itself. Option D is a legitimate alternative (one client ID and secret per partner also revokes individually, and adds scopes and short-lived access tokens) but needs more infrastructure, so for this question API keys are the simpler sufficient answer. Option C is wrong because a shared username and password cannot be revoked for one partner without changing it for all.

Option B is wrong because IP allow-listing does not reliably identify a partner (shared NAT, cloud egress ranges) and does not scale across partner networks.
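An added example, not from the original page or from Cisco DNA Center, of a per-partner API key store that meets the revocation requirement: keys are shown once, stored only as a keyed hash, compared in constant time, and revoked individually. The key format (`pk_<id>.<secret>`), the pepper handling and the record fields are assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

KEY_PREFIX = "pk_"   # assumption: a recognisable prefix so leaked keys are caught by secret scanners


@dataclass
class KeyRecord:
    partner: str
    key_hash: str          # HMAC-SHA256 of the secret half; the plaintext key is never stored
    created_at: float
    revoked: bool = False


class ApiKeyStore:
    """Keys per partner, stored hashed, verified in constant time, revocable one at a time.
    'pepper' is a server-side secret (assumed to come from a vault or environment
    variable), so a leaked table on its own cannot be replayed against the API."""

    def __init__(self, pepper: bytes):
        self._pepper = pepper
        self._records: Dict[str, KeyRecord] = {}   # key_id -> record

    def _digest(self, secret_part: str) -> str:
        return hmac.new(self._pepper, secret_part.encode(), hashlib.sha256).hexdigest()

    def issue(self, partner: str) -> str:
        """Return the full key exactly once; only its hash is kept."""
        key_id = secrets.token_hex(8)
        secret_part = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(partner, self._digest(secret_part), time.time())
        return f"{KEY_PREFIX}{key_id}.{secret_part}"

    @staticmethod
    def parse(presented: str) -> Optional[tuple]:
        """Split a presented key into (key_id, secret_part); None if malformed."""
        if not presented.startswith(KEY_PREFIX) or "." not in presented:
            return None
        key_id, _, secret_part = presented[len(KEY_PREFIX):].partition(".")
        return (key_id, secret_part) if key_id and secret_part else None

    def authenticate(self, presented: str) -> Optional[str]:
        """Partner name for a valid, unrevoked key; None otherwise."""
        parsed = self.parse(presented)
        if parsed is None:
            return None
        key_id, secret_part = parsed
        rec = self._records.get(key_id)
        # Compare against a dummy digest for unknown ids so timing does not reveal which ids exist.
        expected = rec.key_hash if rec else self._digest("")
        if not hmac.compare_digest(expected, self._digest(secret_part)):
            return None
        if rec is None or rec.revoked:
            return None
        return rec.partner

    def revoke(self, presented_or_id: str) -> bool:
        """Revoke one key (by key id or by the full key) without touching other partners."""
        parsed = self.parse(presented_or_id)
        key_id = parsed[0] if parsed else presented_or_id
        rec = self._records.get(key_id)
        if rec is None:
            return False
        rec.revoked = True
        return True

    def revoke_partner(self, partner: str) -> int:
        """Revoke every active key a partner holds; returns how many were revoked."""
        count = 0
        for rec in self._records.values():
            if rec.partner == partner and not rec.revoked:
                rec.revoked, count = True, count + 1
        return count


if __name__ == "__main__":
    store = ApiKeyStore(pepper=secrets.token_bytes(32))
    key_a, key_b = store.issue("partner-a"), store.issue("partner-b")
    print(store.authenticate(key_a), store.authenticate(key_b))
    store.revoke(key_a)
    print(store.authenticate(key_a), store.authenticate(key_b))   # partner-a revoked, partner-b intact
```

In an API gateway the `authenticate` call sits in the request filter, reading the key from a header; the key id (not the secret) is what goes into access logs and revocation tickets.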

320 · Multi-Select · hard

A developer needs to authenticate to the Cisco SD-WAN vManage API. Which two steps are required to obtain a session token?

Select 2 answers
A. POST j_username and j_password to the /j_security_check endpoint.
B. GET the /dataservice/client/token endpoint.
C. Provide an API key in the HTTP header.
D. POST credentials to the /authenticate endpoint.
E. Use OAuth2 client credentials grant.
Answers: A, B

First step for JSESSIONID.

Why this answer

Option A is correct because the Cisco SD-WAN vManage API uses form-based authentication: the credentials (j_username and j_password) are submitted in a POST to the /j_security_check endpoint, and on success the server sets a JSESSIONID cookie that identifies the session on subsequent API calls (a `requests.Session` keeps it automatically). Option B is correct because, with that cookie in place, a GET to /dataservice/client/token returns an XSRF token that must be sent as the `X-XSRF-TOKEN` header on subsequent requests to prevent cross-site request forgery; without it, state-changing calls are rejected.

Exam trap

Cisco often tests the distinction between the initial credential submission endpoint (/j_security_check) and the token retrieval endpoint (/dataservice/client/token), leading candidates to mistakenly think a single POST to /authenticate is sufficient or that OAuth2 is used.

321 · MCQ · medium

A Cisco SD-WAN vManage API call to retrieve device inventory returns a 401 error. Which step is most likely missing?

A. The authentication token is expired or invalid
B. The request body is missing required fields
C. The device is unreachable
D. The API endpoint is incorrect
Answer: A

401 indicates authentication failure.

Why this answer

A 401 Unauthorized from vManage means the request was not accepted as an authenticated session. vManage does not use JWTs or an Authorization header: authentication is a form POST of j_username/j_password to /j_security_check, which sets a JSESSIONID cookie, followed by a GET of /dataservice/client/token, which returns an XSRF token that must be sent as the `X-XSRF-TOKEN` header on later requests. If the session cookie is missing or has expired (sessions time out after a period of inactivity), or the XSRF token is absent from a request that requires it, the API returns 401 and the client must log in again. Note that a failed login itself does not return 401: /j_security_check answers 200 with the HTML login page, which a script has to detect.

The other options produce different symptoms (400 for a malformed body, 404 for a wrong path, and an unreachable device is reported in the inventory data rather than as an HTTP error), so an expired or invalid session is the most likely cause.

Exam trap

Cisco often tests the distinction between HTTP status codes (401 vs 400, 404, 502) to see if candidates understand that authentication failures produce a specific code, not generic errors.

How to eliminate wrong answers

Option B is wrong because a missing required field in the request body yields a 400 Bad Request, not a 401. Option C is wrong because vManage serves the device inventory from its own database; an unreachable device appears as `reachability: unreachable` in the returned data, not as an authentication error. Option D is wrong because a wrong endpoint returns 404 Not Found.
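An added example (not from the original page) of the login sequence described in questions 320 and 321, written against a constructed fake vManage session so it runs offline; the class layout, the fake credentials and the `vmanage.example.invalid` host are assumptions. It also handles the two things scripts usually get wrong: a rejected login comes back as HTTP 200 with an HTML page, and a 401 later means the session or XSRF token is gone and the login must be repeated.

```python
from typing import Dict, Optional


class LoginError(Exception):
    pass


class VmanageAuth:
    """Two-step vManage session login. 'session' is any object with .post(url, data=...)
    and .get(url) that keeps cookies between calls, like requests.Session."""

    def __init__(self, base_url: str, session):
        self._base = base_url.rstrip("/")
        self._session = session
        self._xsrf: Optional[str] = None

    def login(self, username: str, password: str) -> str:
        # Step 1: form POST; success sets a JSESSIONID cookie in the session's cookie jar.
        r = self._session.post(f"{self._base}/j_security_check",
                               data={"j_username": username, "j_password": password})
        # vManage quirk: bad credentials come back as HTTP 200 carrying the HTML login page.
        if r.status_code != 200 or "<html" in r.text.lower():
            raise LoginError("credentials rejected (login page returned instead of an empty body)")
        # Step 2: fetch the XSRF token; it must accompany every later request.
        t = self._session.get(f"{self._base}/dataservice/client/token")
        token = t.text.strip()
        if t.status_code != 200 or not token or "<html" in token.lower():
            raise LoginError("no XSRF token returned; the session cookie is probably missing")
        self._xsrf = token
        return token

    def headers(self) -> Dict[str, str]:
        if self._xsrf is None:
            raise LoginError("call login() first")
        return {"X-XSRF-TOKEN": self._xsrf, "Content-Type": "application/json"}

    @staticmethod
    def needs_reauth(status_code: int) -> bool:
        """401 on an API call means the session or XSRF token is missing, expired or invalid."""
        return status_code == 401


# --- constructed fake vManage so the flow runs offline ---
class _Resp:
    def __init__(self, status_code: int, text: str):
        self.status_code, self.text = status_code, text


class FakeVmanageSession:
    """Mimics the cookie behaviour: a good login stores JSESSIONID, and the token
    endpoint only answers with a token when that cookie is present."""
    GOOD = ("admin", "correct-horse")   # constructed test credentials

    def __init__(self):
        self.cookies: Dict[str, str] = {}
        self.calls = []

    def post(self, url: str, data=None, **kw) -> _Resp:
        self.calls.append(("POST", url))
        if url.endswith("/j_security_check") and (data["j_username"], data["j_password"]) == self.GOOD:
            self.cookies["JSESSIONID"] = "fake-session-id"
            return _Resp(200, "")
        return _Resp(200, "<html><body>login page</body></html>")   # the quirk

    def get(self, url: str, **kw) -> _Resp:
        self.calls.append(("GET", url))
        if "JSESSIONID" not in self.cookies:
            return _Resp(401, "")
        if url.endswith("/dataservice/client/token"):
            return _Resp(200, "0123456789ABCDEF")
        return _Resp(200, "{}")


def login_ok(username: str, password: str) -> bool:
    """True if the two-step login succeeds against the fake."""
    try:
        VmanageAuth("https://vmanage.example.invalid", FakeVmanageSession()).login(username, password)
        return True
    except LoginError:
        return False


if __name__ == "__main__":
    auth = VmanageAuth("https://vmanage.example.invalid", FakeVmanageSession())
    print(auth.login("admin", "correct-horse"), auth.headers())
    print("wrong password accepted?", login_ok("admin", "wrong"))
```

With a real controller, pass `requests.Session()` as the session (and set `verify` appropriately for its certificate); when any later call returns 401, call `login()` again and retry the request with fresh `headers()`.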

322 · MCQ · easy

A developer uses the Cisco DNA Center API to retrieve device inventory. The JSON response is shown. Which Python code snippet correctly extracts the serial number?

A. data['response'][0]['serialNumber']
B. data['serialNumber']
C. data['response']['serialNumber']
D. data[0]['serialNumber']
Answer: A

Correctly accesses first element.

Why this answer

Option A is correct because the JSON response from the Cisco DNA Center device inventory API returns a list of devices under the 'response' key, and each device is a dictionary. The serial number for the first device is accessed by indexing into the list with [0] and then retrieving the 'serialNumber' key from that dictionary.

Exam trap

The trap here is that candidates mistakenly treat the JSON response as a flat dictionary or forget that the 'response' value is a list, leading them to omit the list index and incorrectly access 'serialNumber' directly from 'response'.

How to eliminate wrong answers

Option B is wrong because it assumes 'serialNumber' is a top-level key in the JSON response, but the actual structure nests it inside 'response' and then inside a list. Option C is wrong because it omits the list index, treating 'response' as a direct dictionary containing 'serialNumber', but 'response' is actually a list of device dictionaries. Option D is wrong because it attempts to index the top-level JSON object with [0], but the top-level is a dictionary, not a list, so this would raise a KeyError or TypeError.
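An added example, not from the original page, that extracts serials from a constructed response shaped like the DNA Center inventory reply; it handles an empty `response` list and devices without a serial instead of indexing `[0]` blindly.

```python
import json
from typing import Dict, List, Optional

# Constructed sample shaped like GET /dna/intent/api/v1/network-device (fields abridged, values invented)
SAMPLE_RESPONSE = json.dumps({
    "response": [
        {"hostname": "sw-core-1", "managementIpAddress": "10.10.20.1",
         "platformId": "C9300-24P", "serialNumber": "FCW2111A1AA"},
        {"hostname": "sw-access-1", "managementIpAddress": "10.10.20.2",
         "platformId": "C9200-48P", "serialNumber": "JAE2222B2BB"},
        {"hostname": None, "managementIpAddress": "10.10.20.3", "platformId": "C9200-48P"},
    ],
    "version": "1.0",
})


def devices_from(payload: str) -> List[dict]:
    """Unwrap the 'response' list, failing loudly if the shape is not what we expect."""
    data = json.loads(payload)
    devices = data.get("response")
    if not isinstance(devices, list):
        raise ValueError("unexpected shape: 'response' should be a list of device objects")
    return devices


def first_serial(payload: str) -> Optional[str]:
    """The exam's one-liner, returning None instead of an IndexError on an empty inventory."""
    devices = devices_from(payload)
    return devices[0].get("serialNumber") if devices else None


def serials_by_device(payload: str) -> Dict[str, str]:
    """Map each device (hostname, else management IP) to its serial; skip entries without one."""
    out: Dict[str, str] = {}
    for d in devices_from(payload):
        label = d.get("hostname") or d.get("managementIpAddress") or "unknown"
        if d.get("serialNumber"):
            out[label] = d["serialNumber"]
    return out


if __name__ == "__main__":
    print(first_serial(SAMPLE_RESPONSE))
    print(serials_by_device(SAMPLE_RESPONSE))
```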

323 · MCQ · hard

Refer to the exhibit. A DevOps engineer is using NETCONF to retrieve the OSPF configuration. The <get> response is missing the network statements. What is the most likely cause?

A.The filter used in the NETCONF request did not include the correct path for network commands.
B.The YANG model for OSPF does not include the network statement.
C.The device does not support NETCONF for OSPF.
D.The NETCONF username does not have sufficient privileges.
AnswerA

If the filter subtree does not include the network list, the response will not contain those statements.

Why this answer

The most likely cause is that the NETCONF <get> request used an incorrect or incomplete XML filter that did not specify the correct XPath for the OSPF network statements. NETCONF relies on YANG-defined data paths; if the filter omits the subtree for network commands, the device will not return those configuration elements, even though they exist in the running configuration.

Exam trap

Cisco often tests the nuance that NETCONF filters are not automatically recursive; candidates mistakenly assume that requesting a parent container returns all child elements, but the filter must explicitly include the desired subtree path.

How to eliminate wrong answers

Option B is wrong because YANG models for OSPF (e.g., RFC 7277 or vendor-specific models) do include network statements as part of the OSPF area configuration; the model itself is not the issue. Option C is wrong because the device successfully returned other OSPF configuration (e.g., router-id, area), proving NETCONF support for OSPF is functional. Option D is wrong because insufficient privileges would typically result in an access-denied error or an empty <rpc-reply>, not a partial response missing only the network statements.

324
MCQmedium

An engineer retrieves the list of devices in a Meraki network via the Dashboard API. The API returns HTTP 200 OK with an empty array. What is the most likely reason?

A.The organization has no networks.
B.The network ID provided is incorrect.
C.The API key has expired.
D.The network exists but has no devices.
AnswerD

A 200 with empty array means the network is valid but contains no devices.

Why this answer

An HTTP 200 OK with an empty array indicates the API request was successfully processed and the target resource (the network) exists, but there are no devices associated with it. This is the expected response when the network is valid but has no devices provisioned.

Exam trap

The trap here is that candidates may confuse a successful empty response (200 OK with empty array) with an error condition, leading them to incorrectly assume the network ID is wrong or the API key is invalid, when in fact the request was valid and the network simply has no devices.

How to eliminate wrong answers

Option A is wrong because if the organization had no networks, the API would return a 404 Not Found or an error message, not a 200 OK with an empty array. Option B is wrong because an incorrect network ID would result in a 404 Not Found or a 400 Bad Request, not a successful 200 OK response. Option C is wrong because an expired API key would cause a 401 Unauthorized or 403 Forbidden error, not a 200 OK.

325
Multi-Selecteasy

Which THREE of the following are common stages in a continuous integration pipeline? (Select THREE)

Select 3 answers
A.Monitor
B.Deploy
C.Build
D.Test
E.Lint
AnswersC, D, E

Build compiles code and creates artifacts.

Why this answer

Build, Test, and Lint are typical CI stages. Deploy is usually part of continuous delivery/deployment, and Monitor is after deployment.

326
MCQmedium

A DevOps team uses GitLab CI to deploy a containerized application to a Kubernetes cluster. The deployment pipeline fails at the 'deploy' stage with an error: 'unable to connect to server'. What is the most likely cause?

A.The Git repository is private and cannot be accessed.
B.The kubeconfig file for the cluster is missing or invalid.
C.The Docker image was not built successfully.
D.The Kubernetes cluster has insufficient resources to schedule the pod.
AnswerB

Without a valid kubeconfig, kubectl cannot connect to the cluster.

Why this answer

The error 'unable to connect to server' indicates that the GitLab CI runner cannot establish a TCP connection to the Kubernetes API server. This is most commonly caused by a missing or invalid kubeconfig file, which contains the cluster endpoint, credentials, and context required by kubectl to authenticate and communicate with the cluster. Without a valid kubeconfig, the deployment stage cannot proceed.

Exam trap

Cisco often tests the distinction between pipeline-stage-specific errors; the trap here is confusing a Kubernetes connectivity error (missing kubeconfig) with a resource scheduling issue (insufficient resources) or a build failure, which occur at different stages and produce distinct error messages.

How to eliminate wrong answers

Option A is wrong because a private Git repository would cause a 'repository not found' or authentication error during the clone step, not during the deploy stage when connecting to Kubernetes. Option C is wrong because a failed Docker image build would result in an 'image not found' or build failure earlier in the pipeline, not a connection error to the Kubernetes server. Option D is wrong because insufficient cluster resources would produce a pod scheduling failure (e.g., '0/1 nodes are available'), not an 'unable to connect to server' error, which is a network/authentication issue.

327
MCQmedium

A large enterprise uses Cisco DNA Center to manage their campus network. They have deployed fabric technology for SD-Access. The network team wants to use the DNA Center REST API to automate the addition of new wireless users to a specific virtual network (VN) based on their location (building). They have identified the API endpoint for creating a user device in the fabric. However, when they send a POST request with the appropriate JSON body, they receive a 400 Bad Request error. The JSON payload includes the mandatory fields for hostname, MAC address, and VN name. What is the most likely cause of the error?

A.The API call requires an authentication token that is missing or expired.
B.The virtual network name provided does not exist in the fabric.
C.The MAC address format is incorrect (e.g., lowercase vs uppercase).
D.The user making the API call does not have sufficient privileges.
AnswerB

If the VN doesn't exist, the API returns a 400 error.

Why this answer

The 400 Bad Request error indicates that the server cannot process the request due to a client-side issue, such as invalid data in the payload. Since the mandatory fields (hostname, MAC address, VN name) are provided, the most likely cause is that the virtual network (VN) name does not match any existing VN in the fabric. DNA Center validates the VN name against its fabric configuration; if the VN is not defined, the API rejects the request with a 400 error.

Exam trap

Cisco often tests the distinction between HTTP status codes (400 vs 401 vs 403) to see if candidates understand that 400 errors are client-side payload issues, not authentication or authorization problems.

How to eliminate wrong answers

Option A is wrong because a missing or expired authentication token would result in a 401 Unauthorized error, not a 400 Bad Request. Option C is wrong because DNA Center accepts MAC addresses in various formats (e.g., lowercase, uppercase, with or without colons) and normalizes them internally; an incorrect format would not cause a 400 error. Option D is wrong because insufficient privileges would result in a 403 Forbidden error, not a 400 Bad Request.

329
Drag & Dropmedium

Drag and drop the steps to configure a new VLAN on a Cisco switch into the correct order.


Why this order

VLAN creation requires global config mode; ports are assigned after the VLAN exists.

330
Multi-Selecthard

Which THREE of the following are valid methods to automatically assign IP addresses to network hosts?

Select 3 answers
A.Static assignment
B.SLAAC
C.DHCP
D.BOOTP
E.DNS
AnswersB, C, D

Stateless Address Autoconfiguration is used in IPv6 for automatic addressing.

Why this answer

SLAAC (Stateless Address Autoconfiguration) is a valid method for automatically assigning IPv6 addresses to network hosts. It uses ICMPv6 Router Advertisement (RA) messages to provide a prefix, and the host generates its own interface identifier (often based on EUI-64 or privacy extensions) to form a complete IPv6 address without a central server.

Exam trap

Cisco often tests the distinction between automatic address assignment methods (SLAAC, DHCP, BOOTP) and services that operate at higher layers (DNS) or manual configuration (static), leading candidates to incorrectly include static or DNS as automatic assignment methods.

331
MCQmedium

A network administrator wants to use Ansible to automate the configuration of a Cisco IOS-XE device. Which module is designed for this purpose?

A.cisco.ios.ios_config
B.cisco.nxos.nxos_config
C.ansible.netcommon.network_config
D.cisco.asa.asa_config
AnswerA

Specifically designed for Cisco IOS/IOS-XE devices.

Why this answer

The cisco.ios.ios_config module is specifically designed for managing Cisco IOS and IOS-XE device configurations via Ansible. It supports idempotent configuration updates using CLI commands, allowing the administrator to push, merge, or replace configuration snippets on the target device. This module is part of the Cisco IOS collection and directly interacts with the device's CLI to apply configuration changes.

Exam trap

Cisco often tests the candidate's ability to match the correct module to the specific device OS, so the trap here is that candidates may choose the generic ansible.netcommon.network_config module, thinking it works universally, without realizing that dedicated OS-specific modules provide better reliability and feature support.

How to eliminate wrong answers

Option B is wrong because cisco.nxos.nxos_config is designed for Cisco NX-OS devices (e.g., Nexus switches), not IOS-XE. Option C is wrong because ansible.netcommon.network_config is a platform-agnostic module that requires a specific network_cli or netconf connection plugin and does not provide the IOS-XE-specific CLI handling or idempotent behavior of the dedicated ios_config module. Option D is wrong because cisco.asa.asa_config is intended for Cisco ASA firewalls, which run a different operating system (ASA OS) and use a distinct command syntax compared to IOS-XE.

332
MCQmedium

An automation engineer runs a Python script using the Cisco NXOS NX-API to retrieve the interface configuration. The JSON response shows the 'switchport access vlan' as '10'. However, VLAN 10 does not exist in the VLAN database. What is the expected behavior of the switch regarding this interface?

A.The interface will work but traffic will be dropped
B.The switch will automatically create the VLAN
C.The interface will be error-disabled
D.The interface will be operationally down
AnswerD

Without the VLAN, the interface cannot function and is placed in down state.

Why this answer

When a switchport is configured with an access VLAN that does not exist in the VLAN database, the interface remains administratively up but is placed in an operationally down state. This occurs because the switch cannot forward traffic for a non-existent VLAN, and the interface will not transition to a forwarding state until the VLAN is created. The NX-API response reflects the configured VLAN ID, but the operational status is determined by the VLAN's existence.

Exam trap

Cisco often tests the distinction between configuration and operational state, trapping candidates who assume a configured VLAN ID automatically makes the interface active even if the VLAN does not exist.

How to eliminate wrong answers

Option A is wrong because the interface will not work at all; traffic is not simply dropped—the interface is operationally down, preventing any frame forwarding. Option B is wrong because Cisco NX-OS does not automatically create VLANs when they are assigned to an interface; VLANs must be explicitly created in the VLAN database. Option C is wrong because error-disabled is a specific state triggered by events like port security violations or STP BPDU guard, not by a missing VLAN assignment.

333
Multi-Selectmedium

Which TWO of the following are common causes of VLAN connectivity issues?

Select 2 answers
A.VLAN not created on all switches
B.Mismatched subnet masks on access ports
C.Incorrect default gateway
D.Mismatched VLAN IDs on trunk ports
E.STP blocking port
AnswersA, D

If a VLAN is missing on a switch, ports assigned to that VLAN will be down.

Why this answer

Option A is correct because VLANs must exist in the VLAN database of every switch that needs to forward traffic for that VLAN. If a VLAN is not created on a switch, interfaces assigned to that VLAN will be in an inactive or error-disabled state, and the switch will not forward frames for that VLAN across trunk links. This is a common misconfiguration when adding a new VLAN to a network without propagating it to all switches.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 issues, so candidates mistakenly select subnet mask or default gateway problems as VLAN connectivity issues when those are actually routing or host configuration problems.

334
MCQhard

An engineer uses Ansible to push a configuration change to 100 switches. The playbook fails on 5 switches. What is the most efficient way to apply the change only to those 5?

A.Use Ansible's --limit with the retry file
B.Use --skip-tags on successful hosts
C.Re-run the playbook on all switches
D.Manually configure the 5 switches
AnswerA

This targets only the failed hosts.

Why this answer

Ansible generates a retry file by default when a playbook fails on some hosts. Using `--limit @<retry-file>` re-runs the playbook only against the failed hosts, avoiding unnecessary execution on the 95 successful switches. This is the most efficient method because it targets only the problematic devices without manual intervention or full re-runs.

Exam trap

Cisco often tests the distinction between host-level filtering (`--limit`) and task-level filtering (`--tags`/`--skip-tags`), leading candidates to confuse `--skip-tags` as a way to skip hosts instead of tasks.

How to eliminate wrong answers

Option B is wrong because `--skip-tags` is used to skip tasks with specific tags, not to filter hosts; it would still run on all hosts. Option C is wrong because re-running the playbook on all 100 switches wastes time and resources on the 95 already-configured switches, which is inefficient. Option D is wrong because manually configuring 5 switches defeats the purpose of automation and is error-prone and time-consuming.

335
MCQhard

A financial services company deploys a multi-tier application on Cisco UCS with separate VMs for web, app, and database tiers. The security team runs a vulnerability scan and finds that the web server is vulnerable to SQL injection. The development team cannot fix the code immediately because of a pending third-party library update. The company needs to deploy a security control to mitigate the vulnerability as soon as possible without changing the application. Which of the following is the best immediate mitigation?

A.Deploy a Web Application Firewall (WAF) in front of the web server to filter malicious SQL patterns
B.Implement network segmentation to isolate the web server from the database server
C.Apply input validation on the web server by configuring the web server itself to sanitize inputs
D.Apply the latest security patches to the web server operating system
AnswerA

A WAF can provide virtual patching without code changes, blocking SQL injection attempts.

Why this answer

A Web Application Firewall (WAF) operates at Layer 7 and can inspect HTTP/HTTPS traffic for malicious payloads, such as SQL injection patterns, without requiring any changes to the application code. By deploying a WAF in front of the web server, the company can immediately filter out malicious SQL patterns (e.g., ' OR 1=1 --) using signature-based or behavioral rules, providing a virtual patch until the code fix is available. This aligns with the requirement to mitigate the vulnerability without modifying the application itself.

Exam trap

Cisco often tests the distinction between network-layer controls (like segmentation) and application-layer controls (like WAF), trapping candidates who think isolating the database server stops SQL injection, when in fact the malicious SQL commands are generated by the web server itself after the attack has already succeeded.

How to eliminate wrong answers

Option B is wrong because network segmentation isolates the web server from the database server at the network layer, but it does not prevent SQL injection attacks that originate from the web server itself; the web server still sends malicious queries to the database. Option C is wrong because applying input validation on the web server requires modifying the web server configuration or code, which contradicts the constraint of not changing the application. Option D is wrong because patching the web server operating system addresses OS-level vulnerabilities, not application-layer SQL injection flaws in the web application code.

336
Multi-Selecteasy

Which TWO HTTP methods are considered safe according to HTTP/1.1 specification?

Select 2 answers
A.PUT
B.GET
C.DELETE
D.HEAD
E.POST
AnswersB, D

GET is a safe method; it only retrieves resources and does not change server state.

Why this answer

Options B and D are correct because GET and HEAD are defined as safe methods that do not modify resources. POST, PUT, and DELETE are not safe as they can change server state. Therefore, only GET and HEAD qualify.

337
MCQmedium

Refer to the exhibit. A developer is writing an Ansible playbook to configure this interface on a Cisco IOS XE device. Which Ansible module should be used to set the IP address?

A.ios_ip_interface
B.ios_command
C.ios_facts
D.ios_config
AnswerD

ios_config allows sending configuration commands like 'ip address'.

Why this answer

The ios_config module sends arbitrary configuration commands, which is appropriate for setting the ip address. ios_command runs show commands, ios_ip_interface does not exist, ios_facts gathers facts.

338
MCQhard

A network engineer is configuring a Cisco switch to support LLDP-MED for VoIP phones. Which command is required to enable LLDP globally on the switch?

A.lldp transmit
B.cdp run
C.lldp run
D.lldp enable
E.lldp med
AnswerC

This enables LLDP globally on Cisco IOS switches.

Why this answer

The command 'lldp run' is required to enable LLDP globally on a Cisco switch. LLDP is disabled by default on most Cisco switches, and 'lldp run' activates the protocol at the global configuration level, allowing LLDP-MED (which extends LLDP for VoIP and other endpoint devices) to function. Without this global enablement, LLDP frames are not transmitted or received, even if per-interface commands like 'lldp transmit' or 'lldp receive' are configured.

Exam trap

Cisco often tests the distinction between global and interface-level LLDP commands, and the trap here is that candidates confuse 'lldp run' (global enable) with 'lldp enable' (a nonexistent command) or assume that 'lldp transmit' alone is sufficient to start LLDP.

How to eliminate wrong answers

Option A is wrong because 'lldp transmit' is an interface-level command that enables LLDP transmission on a specific interface, but it does not enable LLDP globally; the global 'lldp run' must be issued first. Option B is wrong because 'cdp run' enables Cisco Discovery Protocol (CDP), not LLDP; CDP is Cisco-proprietary and does not support LLDP-MED, which is an IEEE 802.1AB standard. Option D is wrong because 'lldp enable' is not a valid Cisco IOS command; the correct global command is 'lldp run', and the interface-level command is 'lldp transmit' or 'lldp receive'.

Option E is wrong because 'lldp med' is a subcommand used under LLDP configuration to enable LLDP-MED TLV support, but it does not enable LLDP itself; LLDP must already be running globally via 'lldp run'.

339
MCQmedium

A developer is designing a REST API for managing network devices. The API should support idempotent operations for updating device configuration. Which HTTP method should be used for the update operation?

A.DELETE
B.PUT
C.PATCH
D.POST
AnswerB

PUT replaces the resource and is idempotent, making it suitable for updates.

Why this answer

PUT is idempotent; making the same PUT request multiple times has the same effect as one request. PATCH is not necessarily idempotent. POST is not idempotent.

DELETE is idempotent but not for updates.

340
MCQeasy

Which tool is designed for infrastructure as code, uses a declarative language, and can automate configuration management across multiple devices?

A.Ansible
B.Git
C.Python
D.Postman
AnswerA

Ansible is an automation tool that uses declarative playbooks for configuration management.

Why this answer

Ansible is the correct answer because it is an infrastructure-as-code tool that uses a declarative YAML-based language (playbooks) to define desired system states. It automates configuration management across multiple devices agentlessly, using SSH or WinRM to push configurations, making it ideal for multi-device environments.

Exam trap

The trap here is that candidates may confuse Git (a version control tool) with infrastructure-as-code because Git is often used to store IaC files, but it does not perform automation or configuration management itself.

How to eliminate wrong answers

Option B (Git) is wrong because Git is a distributed version control system for tracking source code changes, not an infrastructure-as-code tool for automating configuration management. Option C (Python) is wrong because Python is a general-purpose programming language that requires imperative scripting to manage configurations, lacking the declarative language model and built-in multi-device automation of Ansible. Option D (Postman) is wrong because Postman is an API testing and development tool, not designed for infrastructure-as-code or configuration management across devices.

341
MCQmedium

A network engineer is troubleshooting slow connectivity between two sites connected via a WAN link. The engineer suspects packet loss due to collisions. Which interface counter should be examined to confirm this?

A.Runts
B.CRC errors
C.Output errors
D.Giants
AnswerB

CRC errors indicate frame checksum failures often caused by collisions.

Why this answer

CRC (Cyclic Redundancy Check) errors indicate that frames received on an interface have failed the integrity check, which is often caused by physical-layer issues such as collisions, faulty cabling, or signal degradation. In the context of a WAN link, collisions are not typical (since full-duplex is standard), but if the link is misconfigured as half-duplex, collisions can occur and will manifest as CRC errors. Thus, examining the CRC errors counter is the correct way to confirm packet loss due to collisions.

Exam trap

Cisco often tests the misconception that collisions are directly indicated by 'runts' or 'output errors', but the correct indicator for collision-induced corruption is the CRC errors counter, especially when the link is suspected of operating in half-duplex mode.

How to eliminate wrong answers

Option A is wrong because runts are frames smaller than the minimum 64-byte size (for Ethernet) and are typically caused by collisions or underruns, but they are not the direct counter for confirming collisions; CRC errors are more definitive. Option C is wrong because output errors encompass a variety of issues such as buffer failures, underruns, and late collisions, but they are not specific to collisions themselves and can be misleading. Option D is wrong because giants are frames larger than the maximum 1518-byte size (for standard Ethernet) and are usually caused by misconfigured NICs or software issues, not collisions.

342
MCQmedium

A developer is using the Cisco Webex Teams API to create a room and add members. The API returns a 400 error. What is the most likely cause?

A.Invalid access token
B.Missing required fields
C.Network connectivity issue
D.Room name already exists
AnswerB

400 errors are commonly due to missing or invalid fields.

Why this answer

A 400 Bad Request error from the Cisco Webex Teams API indicates that the server cannot process the request due to a client-side error, most commonly missing required fields in the request body. When creating a room, the API requires a 'title' field; omitting it or sending an empty value triggers a 400 response. This is distinct from authentication or network issues, which produce different HTTP status codes.

Exam trap

Cisco often tests the distinction between HTTP 4xx status codes, leading candidates to confuse authentication errors (401) with client-side request errors (400) when the actual issue is missing or malformed data.

How to eliminate wrong answers

Option A is wrong because an invalid access token would result in a 401 Unauthorized error, not a 400 Bad Request. Option C is wrong because a network connectivity issue would typically cause a timeout or connection refused error, not an HTTP 400 response from the server. Option D is wrong because the Webex Teams API allows duplicate room names; a 400 error would not occur for a name that already exists.

343
MCQmedium

An engineer needs to automate the deployment of VLAN configurations on a fleet of Cisco Catalyst 9000 switches running IOS-XE. The team uses Ansible Tower for automation. Which Ansible module should be used to push VLAN configuration idempotently?

A.ios_vlan
B.ios_command
C.ios_config
D.ios_interface
AnswerA

ios_vlan is specifically designed for VLAN management, ensuring idempotent operations.

Why this answer

The ios_vlan module is purpose-built for idempotent VLAN management on Cisco IOS-XE devices. It ensures that a VLAN with the specified VLAN ID, name, and state (active/suspend) is present or absent without affecting other VLANs, making it the correct choice for automating VLAN deployment idempotently.

Exam trap

Cisco often tests the distinction between generic configuration modules (ios_config) and resource-specific modules (ios_vlan), trapping candidates who assume any module that can push VLAN commands is sufficient for idempotent VLAN management.

How to eliminate wrong answers

Option B (ios_command) is wrong because it sends raw CLI commands and does not enforce idempotency; it blindly executes commands without checking current state, which can cause errors or duplicate configurations. Option C (ios_config) is wrong because it manages arbitrary configuration lines as a whole, not VLAN-specific resources; it can be used to push VLAN commands but lacks the idempotent, declarative VLAN handling that ios_vlan provides (e.g., it does not parse existing VLAN state to avoid re-adding). Option D (ios_interface) is wrong because it manages interface properties (e.g., switchport mode, access VLAN) but does not create, delete, or modify VLAN definitions themselves.

344
Multi-Selectmedium

When using the Cisco DNA Center API, which three steps are typically involved in making a successful API call? (Choose three.)

Select 3 answers
A.Send requests to the correct API endpoint.
B.Obtain an authentication token using Basic Auth credentials.
C.Use the token in the request body.
D.Use SNMP to retrieve device data.
E.Include the token in the Authorization header as Bearer.
AnswersA, B, E

Correct endpoints are necessary to access desired resources.

Why this answer

To use the DNA Center API, you first obtain an authentication token via Basic Auth, then include that token as a Bearer token in the Authorization header of subsequent requests, and send requests to the correct endpoint. Tokens are not sent in the request body, and SNMP is not used for API calls.

345
Multi-Selecthard

A network developer is using Cisco NSO to manage multi-vendor devices. Which three are valid approaches to handle device-specific differences? (Choose three.)

Select 3 answers
A.Write custom Python code in the service model
B.Use YANG data models to abstract device specifics
C.Use SNMP MIBs for all configurations
D.Configure each device manually through CLI
E.Use NEDs (Network Element Drivers) for each vendor
AnswersA, B, E

Python callbacks can implement vendor-specific logic.

Why this answer

Option A is correct because Cisco NSO allows developers to write custom Python code within the service model to handle device-specific logic, such as translating abstract service parameters into vendor-specific CLI or NETCONF commands. This approach provides flexibility to accommodate non-standard configurations that cannot be expressed purely through YANG models or NEDs.

Exam trap

Cisco often tests the misconception that SNMP MIBs are a primary tool for configuration management in NSO, when in fact NSO uses NEDs and YANG models for configuration abstraction, and SNMP is typically limited to read-only monitoring.

346
MCQhard

A network engineer is automating the deployment of new branch offices using Cisco DNA Center REST API. The script creates a new site under a parent site using the POST /dna/intent/api/v1/site API endpoint. The script runs successfully but when checking the DNA Center UI, the new site appears under the incorrect parent site. The script uses the following JSON payload: { "parentId": "0a1b2c3d-4e5f-6789-0ab1-2c3d4e5f6789", "name": "Branch-Office-42", "type": "area", "latitude": 34.0522, "longitude": -118.2437 } The parentId is obtained from a GET request to /dna/intent/api/v1/site that returns a list of all sites. The engineer verified that the parentId matches the UUID of a site named 'HQ', which the engineer believes is an area. However, 'HQ' is actually a building site. The engineer is not aware that the site type is different because the GET response does not display the type field prominently. What is the most likely cause of the new site being placed under the wrong parent?

A.The type field is set to 'area' but the parent site is of type 'building'
B.The script is using the wrong API endpoint for creating sites
C.The API is ignoring the parentId because the request is missing the 'siteId' header
D.The script is not including the 'address' field which is required for site creation
AnswerA

The site hierarchy does not allow an area directly under a building. The API may fall back to a different parent, causing the site to appear under the incorrect parent.

Why this answer

Option A is correct because the parent site 'HQ' is of type 'building', but the request is trying to create an 'area' under it. In Cisco DNA Center, the site hierarchy requires that an area cannot be directly under a building; areas can only be under Global or another area. The API may silently place the new area under the root or another compatible parent, resulting in the wrong parent.

Option B is incorrect because the endpoint is correct. Option C is incorrect because there is no 'siteId' header requirement for site creation. Option D is incorrect because the 'address' field is not required for creating an area.

347
MCQmedium

When making API calls to Cisco DNA Center, a developer receives a 401 Unauthorized error. The token was obtained using the token API endpoint. What is the most likely reason?

A.The request body contains invalid JSON
B.The token has expired
C.The API base URL is incorrect
D.The HTTP header for Accept is missing
AnswerB

Tokens have an expiration time; expired tokens cause 401.

Why this answer

A 401 Unauthorized error when using a token obtained from the token API endpoint most commonly indicates that the token has expired. Cisco DNA Center tokens have a configurable Time-To-Live (TTL), typically defaulting to 1 hour, after which the token becomes invalid and must be refreshed via the /dna/system/api/v1/auth/token endpoint.

Exam trap

Cisco often tests the distinction between authentication errors (401) and other HTTP errors (400, 404, 406) to see if candidates understand that a valid but expired token still returns 401, not a different status code.

How to eliminate wrong answers

Option A is wrong because invalid JSON in the request body would typically result in a 400 Bad Request error, not a 401 Unauthorized. Option C is wrong because an incorrect API base URL would cause a connection failure (e.g., DNS resolution error or 404 Not Found), not a 401 status code. Option D is wrong because a missing Accept header might lead to a 406 Not Acceptable or a default response format, but it does not trigger authentication failure.

348
MCQmedium

A developer is implementing error handling in a script that makes multiple API calls to Cisco ACI. Which approach is best practice for handling transient network failures?

A.Retry with fixed delay
B.Ignore errors and continue
C.Always retry immediately
D.Retry with exponential backoff
AnswerD

Exponential backoff gradually increases wait time, reducing server load and improving success chances.

Why this answer

Retrying with exponential backoff is best practice to handle transient failures without overwhelming the server. Ignoring errors can cause data inconsistency; immediate retry may cause congestion; logging and terminating defeats automation goals.
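The following is an added example, not code from the question bank or from Cisco: a retry wrapper that applies exponential backoff with full jitter to a stand-in for an APIC REST call, retrying only on transient failures (timeouts, HTTP 429/5xx) and failing fast on errors such as 401 or 400 that a retry cannot fix. The `flaky_aci_call` helper and its status sequence are constructed for the demonstration; `sleep` and `jitter` are injectable so the logic can be exercised offline.

```python
import random
import time

# Throttling and server-side errors may clear if the request is repeated.
RETRYABLE_STATUS = {429, 500, 502, 503, 504}
# 4xx such as 400/401/403/404 are NOT retried: repeating them cannot succeed.


class TransientError(Exception):
    """A failure that may clear on retry (timeout, reset, HTTP 429/5xx)."""


class PermanentError(Exception):
    """A failure retrying cannot fix (bad request, bad credentials, not found)."""


def check_status(status_code):
    """Map an HTTP status code to success, TransientError or PermanentError."""
    if 200 <= status_code < 300:
        return status_code
    if status_code in RETRYABLE_STATUS:
        raise TransientError(f"HTTP {status_code}")
    raise PermanentError(f"HTTP {status_code}")


def backoff_schedule(max_attempts, base=0.5, cap=30.0):
    """Un-jittered waits between attempts: base * 2**n, capped at `cap`.
    Compare with a fixed delay (same value every time) or immediate retry (0)."""
    return [min(cap, base * (2 ** n)) for n in range(max_attempts - 1)]


def call_with_backoff(func, max_attempts=5, base=0.5, cap=30.0,
                      sleep=time.sleep, jitter=random.uniform):
    """Call func() until it succeeds or max_attempts is exhausted.

    On TransientError wait jitter(0, min(cap, base * 2**attempt)) and retry;
    full jitter keeps many clients from retrying in lockstep after an outage.
    PermanentError (and any other exception) propagates immediately.
    Returns (result, attempts_used, delays_slept)."""
    delays = []
    for attempt in range(max_attempts):
        try:
            return func(), attempt + 1, delays
        except TransientError:
            if attempt + 1 == max_attempts:
                raise  # budget exhausted: let the caller decide what to do
            delay = jitter(0, min(cap, base * (2 ** attempt)))
            delays.append(delay)
            sleep(delay)


def flaky_aci_call(responses):
    """Constructed stand-in for an APIC REST call (no network involved): each
    call consumes the next HTTP status from `responses` and checks it."""
    queue = list(responses)

    def call():
        return check_status(queue.pop(0))

    return call


if __name__ == "__main__":
    # 503 then 429 then success: two waits of 0.5 s and 1.0 s (jitter disabled).
    result, attempts, delays = call_with_backoff(
        flaky_aci_call([503, 429, 200]),
        sleep=lambda s: None, jitter=lambda lo, hi: hi)
    print(result, attempts, delays)  # 200 3 [0.5, 1.0]
```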

349
Multi-Selectmedium

Which TWO are benefits of using model-driven programmability (e.g., NETCONF/RESTCONF) over traditional CLI scripting for network automation?

Select 2 answers
A.Reduces network latency because it uses a lighter protocol.
B.Requires no additional learning beyond CLI commands.
C.Easier to debug because it uses the same syntax as CLI.
D.Data is structured and machine-readable (e.g., XML/JSON).
E.Allows network devices to be managed using any programming language with HTTP libraries.
AnswersD, E

Model-driven APIs return structured data.

Why this answer

Option D is correct because model-driven programmability with NETCONF/RESTCONF uses structured data formats like XML or JSON, which are machine-readable. This eliminates the need for screen-scraping or parsing CLI output, making automation scripts more reliable and easier to maintain. Structured data also enables consistent validation and integration with other systems.

Exam trap

Cisco often tests the misconception that model-driven programmability is just a 'new way to type CLI commands,' but the key benefit is the use of structured, machine-readable data (XML/JSON) and protocol-level operations that decouple automation from device-specific CLI syntax.

350
MCQeasy

A team is implementing a CI/CD pipeline using Jenkins. The pipeline must build a Docker image and push it to a private registry. Which Jenkins plugin is specifically designed to handle Docker builds and pushes?

A.Credentials Plugin
B.Pipeline Plugin
C.Docker Pipeline Plugin
D.Git Plugin
AnswerC

This plugin provides Docker build and push steps.

Why this answer

The Docker Pipeline Plugin is the correct choice because it provides Jenkins Pipeline steps specifically for building and pushing Docker images, such as `docker.build()` and `docker.withRegistry()`. This plugin integrates Docker operations directly into Declarative or Scripted Pipelines, enabling seamless CI/CD workflows without requiring shell commands.

Exam trap

The trap here is that candidates may confuse the general-purpose Pipeline Plugin with the Docker-specific Docker Pipeline Plugin, assuming that Pipeline alone can handle Docker builds, when in fact it requires the dedicated plugin for native Docker steps.

How to eliminate wrong answers

Option A is wrong because the Credentials Plugin manages authentication credentials (e.g., usernames, passwords, SSH keys) but does not provide any Docker-specific build or push functionality. Option B is wrong because the Pipeline Plugin is the core plugin that enables defining Jenkins pipelines as code, but it lacks built-in Docker steps; it requires additional plugins like the Docker Pipeline Plugin to handle Docker operations. Option D is wrong because the Git Plugin integrates Git SCM operations (e.g., checkout, fetch) into Jenkins jobs, but it has no capability to build or push Docker images.

351
MCQhard

A DevOps team uses a CI/CD pipeline to deploy network configurations. They want to ensure that only authorized network engineers can trigger changes to production devices. Which integration is most appropriate?

A.Encrypt the Ansible vault password
B.Implement Role-Based Access Control (RBAC) on the CI/CD tool
C.Use a separate staging environment
D.Use a pre-commit hook in Git to validate YAML syntax
AnswerB

RBAC enforces authorization for pipeline executions.

Why this answer

Option B is correct because Role-Based Access Control (RBAC) on the CI/CD tool directly restricts which users or groups can trigger pipeline jobs that modify production network devices. This ensures that only authorized network engineers have the permissions to execute changes, aligning with the principle of least privilege in deployment pipelines.

Exam trap

The trap here is that candidates confuse technical controls (like encryption or syntax validation) with authorization controls, assuming that protecting secrets or validating code is equivalent to restricting who can trigger a deployment.

How to eliminate wrong answers

Option A is wrong because encrypting the Ansible vault password protects secrets (e.g., credentials) but does not control who can trigger the pipeline or authorize changes to production devices. Option C is wrong because a separate staging environment validates configurations before production but does not enforce authorization on who can trigger the production deployment. Option D is wrong because a pre-commit hook in Git validates YAML syntax locally, which prevents malformed files but does not provide any access control over who can initiate the CI/CD pipeline or deploy to production.

352
Multi-Selectmedium

An application authenticates to Cisco Webex API using OAuth2 client credentials grant. Which three pieces of information must the application include in the token request?

Select 3 answers
A.Authorization Code
B.Client ID
C.Redirect URI
D.Client Secret
E.Grant Type
AnswersB, D, E

The client ID identifies the application to the authorization server.

Why this answer

In the OAuth2 client credentials grant flow, the application authenticates directly as itself (not on behalf of a user) to obtain an access token. The token request must include the client ID (B) to identify the application, the client secret (D) to prove its identity, and the grant type (E) set to 'client_credentials' to indicate the flow being used. These three fields are mandatory per RFC 6749 Section 4.4.2.

Exam trap

Cisco often tests the distinction between OAuth2 grant types, and the trap here is that candidates confuse the client credentials grant with the authorization code grant, incorrectly assuming an authorization code or redirect URI is always required for any OAuth2 token request.

353
Multi-Selecteasy

Which TWO of the following are functions of the transport layer in the OSI model? (Choose two.)

Select 2 answers
A.Segmentation and reassembly of data.
B.Providing reliable data transfer with acknowledgements.
C.Adding a trailer for error detection.
D.Encrypting data for secure transmission.
E.Determining the best path to a destination.
AnswersA, B

Transport layer segments data and reassembles it at the destination.

Why this answer

Segmentation and reassembly of data is a core function of the transport layer. The transport layer (e.g., TCP) takes data from the session layer, breaks it into smaller segments (segmentation), assigns sequence numbers, and then reassembles these segments in the correct order at the destination. This allows large data streams to be transmitted efficiently over the network layer, which has a maximum transmission unit (MTU) size.

Exam trap

Cisco often tests the distinction between transport layer functions (segmentation, reliability) and data link layer functions (error detection via trailer), so candidates mistakenly assign trailer-based error detection to the transport layer instead of the data link layer.

354
MCQeasy

A Python script uses the Cisco Meraki API to fetch the list of organizations. The script fails with a 401 HTTP status. What is the most likely cause?

A.The API key is invalid or missing.
B.The API request exceeded the rate limit.
C.The API key does not have permission to list organizations.
D.The API endpoint URL is incorrect.
AnswerA

401 Unauthorized means authentication failure.

Why this answer

A 401 HTTP status indicates 'Unauthorized', which in the context of the Meraki API means the request lacks valid authentication credentials. The most common cause is an invalid or missing API key, as the Meraki API requires a valid API key in the `X-Cisco-Meraki-API-Key` header for all requests.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure) and 403 (authorization failure), and candidates frequently confuse these status codes, especially when the API key is valid but lacks permissions for a specific resource.

How to eliminate wrong answers

Option B is wrong because a rate limit exceeded would return a 429 HTTP status (Too Many Requests), not 401. Option C is wrong because permission issues (e.g., insufficient scope) typically result in a 403 Forbidden status, not 401 Unauthorized. Option D is wrong because an incorrect endpoint URL would return a 404 Not Found or a different error, not a 401; the 401 specifically points to authentication failure, not routing issues.

355
MCQmedium

A company uses a CI/CD pipeline to deploy network configurations. The pipeline includes a stage that runs automated tests against a simulated network environment. Which testing strategy does this represent?

A.Regression testing
B.Unit testing
C.Integration testing
D.Smoke testing
AnswerC

Integration testing validates the interaction between components in a simulated or staging environment.

Why this answer

Option C is correct because running automated tests against a simulated network environment validates how multiple network components (e.g., routers, switches, firewalls) interact as a whole. This is integration testing, which focuses on detecting interface and communication failures between integrated units, not on individual components or end-to-end system behavior. In a CI/CD pipeline for network configurations, this stage ensures that the combined changes work together before deployment to production.

Exam trap

Cisco often tests the distinction between integration testing and unit testing by describing a scenario that involves multiple components interacting, leading candidates to mistakenly choose unit testing because they focus on the word 'automated tests' rather than the environment (simulated network) that implies multi-device interaction.

How to eliminate wrong answers

Option A is wrong because regression testing re-runs previously passed tests to ensure new changes haven't broken existing functionality; it does not specifically target interactions in a simulated environment. Option B is wrong because unit testing validates individual functions or modules in isolation (e.g., a single Ansible playbook or a single CLI command), not the interaction of multiple network devices. Option D is wrong because smoke testing is a shallow, quick check of critical functionality (e.g., 'does the router respond to ping?') to decide whether to proceed with deeper testing, not a comprehensive test of integrated components.

356
MCQeasy

An organization uses Ansible for configuration management and wants to secure the automation secrets (e.g., SSH keys, API tokens). The secrets are currently stored in plaintext in inventory files. The security team requires that secrets be encrypted at rest and decrypted only at runtime by authorized users. Which solution should be implemented?

A.Store secrets in an encrypted SSH key file and use it for authentication
B.Set strict file permissions (0600) on the inventory files to limit access
C.Use environment variables to pass secrets at runtime
D.Use Ansible Vault to encrypt sensitive variables in the inventory files
AnswerD

Ansible Vault encrypts data and only decrypts it when the vault password is provided, securing secrets at rest.

Why this answer

Ansible Vault is the built-in tool for encrypting sensitive data such as passwords, API tokens, and SSH keys at rest. It encrypts variables or entire files using AES-256, and decryption occurs only at runtime when the correct vault password is provided, meeting the requirement that secrets are decrypted only by authorized users.

Exam trap

Cisco often tests the distinction between access control (file permissions) and encryption at rest, leading candidates to mistakenly choose strict permissions as sufficient for securing secrets, when encryption is required to protect data from unauthorized access even if the file system is compromised.

How to eliminate wrong answers

Option A is wrong because storing secrets in an encrypted SSH key file does not address encryption of the inventory files themselves; SSH keys are used for authentication, not for encrypting variables in inventory. Option B is wrong because setting file permissions to 0600 only restricts file system access but does not encrypt the data; secrets remain in plaintext and could be read by any process with sufficient privileges or during backup. Option C is wrong because environment variables are not encrypted at rest; they are stored in plaintext in process memory and can be exposed via /proc filesystem or logging, and they do not provide encryption for the inventory files.

357
MCQeasy

A developer is designing a REST API for a network automation tool. Which HTTP method should be used to retrieve the current configuration of a network device?

A.DELETE
B.GET
C.PUT
D.POST
AnswerB

GET is the correct method for retrieving resource representations; it is safe and idempotent.

Why this answer

Option B is correct because GET is the standard HTTP method for retrieving resources without side effects. Option D (POST) is used for creating resources, not retrieval. Option C (PUT) is used for updating resources.

Option A (DELETE) is used for removing resources. Therefore, only GET is appropriate for safe retrieval.

358
MCQhard

A network automation engineer is using a Python script with the requests library to configure VLAN 100 on a Cisco Catalyst 9300 switch via the REST API. The script sends a PUT request to https://switch-ip/restconf/data/Cisco-IOS-XE-native:native/vlan. The response returns a 201 Created, but subsequent checks show VLAN 100 is not present in the running configuration. The switch's management interface is in VLAN 99 with IP 10.10.99.10/24, and the engineer's workstation is on a different subnet (10.10.88.0/24). The switch has the following relevant configuration: ip default-gateway 10.10.99.1, and a route for 10.10.88.0/24 via 10.10.99.1. The engineer also verified that the REST API credentials are correct and that the switch's HTTP server is enabled. Which action should the engineer take to resolve the issue?

A.Resend the PUT request with the VLAN configuration nested under 'Cisco-IOS-XE-native:native/vlan' in YANG format.
B.Reboot the switch to force the candidate configuration to become active.
C.Send a commit operation to the RESTCONF API using the 'cisco-ia:commit' RPC to apply the candidate datastore changes.
D.Check the MTU on the switch's management interface to ensure it can accept the configuration payload.
AnswerC

On Cisco IOS-XE devices, configuration changes via RESTCONF are staged in the candidate datastore and must be explicitly committed. This is the likely missing step.

Why this answer

The 201 Created response indicates the REST API request was accepted, but the VLAN is not appearing in the running config. This suggests the configuration was written to the candidate datastore but not committed. Cisco's RESTCONF requires a commit operation after editing the candidate datastore.

To commit changes, a PATCH or POST request to the 'ietf-restconf:operations' with 'cisco-ia:commit' is needed. Alternatively, the switch might be using 'immediate' mode, but the default is 'candidate'. Checking the 'default-operation' setting would help, but the most direct correct action is to commit the changes.

Distractors: checking MTU, resending the request with different data, or restarting the switch.

359
MCQhard

You are a network automation engineer at a large enterprise. The network consists of 200 Cisco Catalyst switches distributed across five data centers. Each switch runs IOS-XE and supports NETCONF. Your team uses a centralized Ansible control node to manage configurations. Recently, the security team mandated that all management access must use SSH keys instead of passwords. You updated the Ansible inventory to use SSH keys and tested on a few switches successfully. However, when you run the playbook against all switches, about 30 switches fail with the error: 'Authentication failed.' You verify that the SSH public key is correctly deployed on those switches via the console. What is the most likely cause of the failure?

A.The public key on the switches is not in the correct format
B.The Ansible become method is misconfigured
C.The private key file on the Ansible control node has permissions 644, which SSH rejects
D.The switches are not reachable over the network
AnswerC

SSH requires private key permissions to be 600 or more restrictive.

Why this answer

SSH strictly requires private key files to have permissions no more permissive than 600 (owner read/write) or 640 (owner read/write, group read) on Unix-like systems. A permission of 644 allows group and others to read the key, which SSH interprets as insecure and refuses to use, causing 'Authentication failed' even though the public key is correctly deployed on the switches.

Exam trap

Cisco often tests the subtle distinction between SSH key format issues and file permission issues, where candidates assume the problem is key format when the real issue is the private key file's restrictive permissions required by OpenSSH.

How to eliminate wrong answers

Option A is wrong because if the public key format were incorrect, the switches would reject the key during authentication, but the engineer verified the key is correctly deployed via console, and the same key works on other switches. Option B is wrong because the become method controls privilege escalation (e.g., to enable mode) on the target device, not SSH authentication; the error 'Authentication failed' occurs at the SSH transport layer, before any become operation. Option D is wrong because unreachable switches would produce a 'Host unreachable' or 'Connection timed out' error, not 'Authentication failed'; the error message specifically indicates the SSH handshake failed due to credentials.

360
Multi-Selecthard

Which TWO of the following are true about NETCONF capabilities as defined in RFC 6241?

Select 2 answers
A.The <edit-config> operation supports 'merge', 'replace', 'create', 'delete', and 'remove' operations.
B.The <edit-config> operation replaces the entire configuration by default.
C.The <candidate> configuration datastore is optional and requires the :candidate capability.
D.The :rollback-on-error capability is mandatory.
E.The <running> configuration datastore is optional.
AnswersA, C

Correct – these are the standard operations defined in RFC 6241.

Why this answer

Option A is correct because RFC 6241 defines the <edit-config> operation with the 'merge', 'replace', 'create', 'delete', and 'remove' operations. These allow granular modification of configuration data, with 'merge' being the default behavior if no operation attribute is specified.

Exam trap

Cisco often tests the distinction between mandatory and optional capabilities, and the default operation of <edit-config>, to catch candidates who confuse 'merge' with 'replace' or assume all datastores are optional.

361
MCQeasy

In Python, which keyword is used to define a function that does not return any value?

A.pass
B.yield
C.return
D.def
AnswerD

def is the keyword to define any function in Python.

Why this answer

The 'def' keyword is used to define any function, regardless of whether it returns a value. Option C (return) is used inside a function to return a value. Option B (yield) is for generators.

Option A (pass) is a placeholder statement.

362
MCQmedium

A junior network developer is tasked with writing a Python script that uses the Cisco NX-API to retrieve the current VLAN configuration from a Nexus switch. The script should output the VLAN IDs in JSON format. The developer wrote the following code:

    import requests
    import json

    url = "https://192.168.1.1/api/aaaLogin.json"
    payload = {"aaaUser": {"attributes": {"name": "admin", "pwd": "cisco123"}}}
    r = requests.post(url, json=payload, verify=False)
    token = r.json()["imdata"][0]["aaaLogin"]["attributes"]["token"]

After authentication, the developer attempts to get VLANs using a GET request to "https://192.168.1.1/api/mo/sys/vlan.json" but receives a 401 error. Which of the following should the developer do to fix the issue?

A.Set the 'Authorization' header to 'Bearer ' + token
B.Use a PUT request instead of GET
C.Include the token in the cookie header
D.Use POST to retrieve VLANs
AnswerC

NX-API uses cookie-based authentication; the token must be sent as a cookie.

Why this answer

Cisco NX-API requires the token obtained from the login to be sent as a cookie in subsequent requests. Option C correctly identifies this. Option B (using PUT) is not relevant to authentication.

Option A (set Authorization header) is used for RESTCONF, not NX-API. Option D (use POST) is incorrect for retrieving data.

363
MCQhard

An organization implements zero-touch provisioning (ZTP) for new Cisco routers using DHCP and TFTP. The provision script is not being executed even though the device obtains an IP address. The DHCP server logs show the option 67 (bootfile-name) and option 150 (tftp-server) are set. What is the most probable reason?

A.The DHCP server is not authoritative
B.The script file name in option 67 does not match the actual file on the TFTP server
C.The TFTP server IP is unreachable from the router
D.The router does not support ZTP
AnswerB

A mismatch in filename prevents the device from loading the script.

Why this answer

Option B is correct because the most common reason for a ZTP script not executing after a device obtains an IP address is a mismatch between the bootfile name specified in DHCP option 67 and the actual filename on the TFTP server. Even if the DHCP server logs show option 67 and 150 are set, the router will attempt to download the file specified in option 67; if that file does not exist or is named differently on the TFTP server, the download fails and the script is not executed.

Exam trap

Cisco often tests the distinction between DHCP options being configured correctly on the server versus the actual file availability on the TFTP server, leading candidates to incorrectly blame network connectivity (option C) or DHCP server authority (option A) when the real issue is a simple filename mismatch.

How to eliminate wrong answers

Option A is wrong because the DHCP server being 'not authoritative' affects lease assignment and renewal behavior (e.g., sending DHCPNAK for unknown clients), but does not prevent the router from obtaining an IP address or downloading the bootfile; the router already has an IP address, so this is not the issue. Option C is wrong because if the TFTP server IP were unreachable, the router would not be able to download any file, but the question states the device obtains an IP address and the DHCP logs show option 150 is set; the issue is specifically that the script is not executed, which points to a file mismatch rather than connectivity. Option D is wrong because Cisco routers that support ZTP (e.g., IOS-XE devices) are designed to use DHCP options 67 and 150 for automated provisioning; if the router did not support ZTP, it would not even attempt to download the script, but the question implies the router is capable and the failure is in execution.

364
MCQeasy

An automation script using Ansible tries to configure IP address 192.168.1.2 on GigabitEthernet0/1. After running, the interface remains administratively down. What is the first thing to check?

A.The VLAN configuration
B.The IP address is a duplicate
C.The interface is faulty
D.The 'no shutdown' command was not included in the configuration
AnswerD

Without 'no shutdown', the interface remains administratively down.

Why this answer

The 'no shutdown' command is required to administratively enable an interface on Cisco IOS devices. Without it, the interface remains in an administratively down state regardless of IP configuration. Ansible automation scripts must include this command in the task or playbook to bring the interface up.

Exam trap

Cisco often tests the distinction between interface configuration (IP address, VLAN) and interface state (shutdown/no shutdown), trapping candidates who assume that assigning an IP address automatically enables the interface.

How to eliminate wrong answers

Option A is wrong because VLAN configuration affects Layer 2 connectivity and trunking, not the administrative state of a routed interface; an interface can be administratively down even with correct VLAN settings. Option B is wrong because a duplicate IP address would cause a conflict or error message, but it would not prevent the interface from being administratively enabled; the 'no shutdown' command is still required. Option C is wrong because a faulty interface would typically show as 'down/down' or have CRC errors, not 'administratively down'; the administrative state is a software-controlled flag, not a hardware fault.

365
MCQmedium

A developer needs to run a temporary container that executes a command and then exits. Which Docker command should be used?

A.docker exec
B.docker run -d
C.docker start
D.docker run --rm
AnswerD

This runs a container and removes it after it exits.

Why this answer

The `docker run --rm` command creates a container, runs the specified command, and automatically removes the container filesystem after it exits. This is the correct approach for a temporary, disposable container that should not persist after execution. The `--rm` flag ensures cleanup without manual intervention.

Exam trap

Cisco often tests the distinction between `docker run` (creates and starts a new container) and `docker exec` (attaches to an existing running container), leading candidates to mistakenly choose `docker exec` for running a one-time command.

How to eliminate wrong answers

Option A is wrong because `docker exec` runs a command in an already running container, not a new temporary container. Option B is wrong because `docker run -d` runs a container in detached mode in the background, intended for long-running services, not a one-off command that exits. Option C is wrong because `docker start` restarts an existing stopped container, not a new temporary container.

366
MCQeasy

Refer to the exhibit. Which key-value pair indicates whether this Meraki MR is currently connected to the cloud?

A."serial": "Q2XX-XXXX-XXXX"
B."lanIp": "192.168.1.100"
C."status": "online"
D."model": "MR42"
AnswerC

Correct indicator.

Why this answer

The 'status' key with the value 'online' directly indicates that the Meraki MR access point is currently connected to the Meraki cloud. In the Meraki dashboard API response, the 'status' field reflects the device's cloud connectivity state, where 'online' means the device has an active connection to the Meraki cloud controller.

Exam trap

Cisco often tests the distinction between network-layer connectivity (like having an IP address) and application-layer connectivity to the cloud, leading candidates to mistakenly choose 'lanIp' as the indicator of cloud connection.

How to eliminate wrong answers

Option A is wrong because 'serial' is a unique hardware identifier for the device and does not indicate cloud connectivity status. Option B is wrong because 'lanIp' shows the local IP address assigned to the device on the LAN, which can be present even if the device is offline or disconnected from the cloud. Option D is wrong because 'model' specifies the hardware model (e.g., MR42) and has no bearing on the device's current cloud connection state.

367
MCQhard

A large enterprise uses Cisco DNA Center to manage over 500 network devices across multiple sites. The network operations team wants to automate the validation of device compliance with a baseline configuration. They have a Python script that uses the Cisco DNA Center REST API to retrieve the device configuration and compare it against a golden configuration stored in a local file. Recently, the script started failing with a 401 HTTP response code when trying to authenticate. The team confirmed the username and password are correct and that the DNA Center server is reachable. The script uses the /api/system/v1/auth/token endpoint to obtain a token. Which of the following is the most likely cause of the 401 error?

A.The API endpoint requires a different HTTP method (e.g., POST vs GET).
B.The script is using an incorrect API version path (e.g., /v2 instead of /v1).
C.CORS (Cross-Origin Resource Sharing) is blocking the request.
D.The authentication token has expired and the script is not refreshing it.
AnswerD

Tokens expire; re-authentication is needed. 401 indicates invalid authentication.

Why this answer

The 401 HTTP response code indicates an authentication failure. Since the username and password are confirmed correct and the server is reachable, the most likely cause is that the script obtained a token earlier but is now using an expired token without refreshing it. Cisco DNA Center tokens have a configurable timeout (default 1 hour), and the script must re-authenticate or refresh the token before it expires.

Exam trap

Cisco often tests the distinction between authentication (401) and authorization (403) errors, and the trap here is that candidates might blame the endpoint version or HTTP method when the real issue is token lifecycle management.

How to eliminate wrong answers

Option A is wrong because the /api/system/v1/auth/token endpoint requires a POST method with Basic Authentication, not a GET; if the script used GET, it would get a 405 Method Not Allowed, not a 401. Option B is wrong because the script is using /v1 which is the correct version for token generation; using /v2 would return a 404 Not Found, not a 401. Option C is wrong because CORS is a browser-enforced security mechanism that blocks cross-origin HTTP requests from JavaScript in a web page, not from a Python script running on a server or CLI; a Python script is not subject to CORS restrictions.
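Questions 347 and 367 both come down to token lifecycle management. The following is an added example, not code from the question bank or from Cisco: a small session wrapper that obtains a DNA Center token with HTTP Basic at /dna/system/api/v1/auth/token, refreshes it proactively before the 1-hour TTL, and re-authenticates once if a request still comes back 401 (for instance because an administrator shortened the TTL on the server). The `X-Auth-Token` header and the `Token` response field are the ones DNA Center uses; the `FakeDnac` transport, clock, credentials and hostname are constructed so the logic runs offline.

```python
import base64
import time

TOKEN_PATH = "/dna/system/api/v1/auth/token"
DEFAULT_TTL = 3600  # DNA Center default token lifetime: 1 hour


class DnacSession:
    """Keeps a DNA Center token fresh for a long-running script.

    transport(method, path, headers, body) -> (status, body_dict) is injected
    so the logic can be tested offline; a real deployment would wrap requests.
    clock() is injected for the same reason."""

    def __init__(self, username, password, transport, ttl=DEFAULT_TTL,
                 refresh_margin=60, clock=time.time):
        creds = f"{username}:{password}".encode()
        self._basic = "Basic " + base64.b64encode(creds).decode()
        self._transport = transport
        self._ttl = ttl
        self._margin = refresh_margin
        self._clock = clock
        self._token = None
        self._obtained_at = None
        self.auth_calls = 0  # how often we hit the token endpoint

    def _authenticate(self):
        # POST with HTTP Basic; the token is returned in the "Token" field.
        status, body = self._transport(
            "POST", TOKEN_PATH, {"Authorization": self._basic}, None)
        if status != 200:
            raise PermissionError(f"token request failed: HTTP {status}")
        self._token = body["Token"]
        self._obtained_at = self._clock()
        self.auth_calls += 1

    def token_is_stale(self):
        """True when there is no token or it is within the margin of its TTL."""
        if self._token is None:
            return True
        return self._clock() - self._obtained_at >= self._ttl - self._margin

    def get(self, path):
        """GET an intent API path, refreshing proactively, then once reactively
        if the server still answers 401 (server-side TTL shorter than assumed)."""
        if self.token_is_stale():
            self._authenticate()
        status, body = self._transport(
            "GET", path, {"X-Auth-Token": self._token}, None)
        if status == 401:
            self._authenticate()
            status, body = self._transport(
                "GET", path, {"X-Auth-Token": self._token}, None)
        if status != 200:
            raise RuntimeError(f"GET {path} failed: HTTP {status}")
        return body


class FakeDnac:
    """Constructed stand-in for a DNA Center: issues numbered tokens and
    rejects any token older than server_ttl seconds (simulated expiry)."""

    def __init__(self, clock, server_ttl=DEFAULT_TTL):
        self.clock, self.server_ttl, self.issued, self.counter = clock, server_ttl, {}, 0

    def __call__(self, method, path, headers, body):
        if method == "POST" and path == TOKEN_PATH:
            if not headers.get("Authorization", "").startswith("Basic "):
                return 401, {}
            self.counter += 1
            token = f"tok-{self.counter}"
            self.issued[token] = self.clock()
            return 200, {"Token": token}
        token = headers.get("X-Auth-Token")
        if token not in self.issued or self.clock() - self.issued[token] >= self.server_ttl:
            return 401, {"response": {"detail": "Invalid token"}}
        return 200, {"response": [{"hostname": "sw1", "path": path}]}


def run_scenario(server_ttl, steps):
    """Advance a fake clock by each step (seconds), GET once per step, and
    return how many token requests the session had to make (offline scenario)."""
    now = [0.0]

    def clock():
        return now[0]

    session = DnacSession("admin", "C1sco12345", FakeDnac(clock, server_ttl), clock=clock)
    for step in steps:
        now[0] += step
        session.get("/dna/intent/api/v1/network-device")
    return session.auth_calls


if __name__ == "__main__":
    print(run_scenario(3600, (0, 1800, 1800)))  # 2: proactive refresh at 3600 s
    print(run_scenario(600, (0, 700)))          # 2: reactive re-auth after a 401
```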

368
Drag & Dropmedium

Drag and drop the steps to configure a Cisco IOS device for NETCONF access into the correct order.


Why this order

NETCONF requires enabling the service, SSH configuration, user creation, and verification.

369
MCQeasy

You are troubleshooting connectivity for a remote branch office. The branch router (BR) connects to the head office router (HQ) via a point-to-point T1 link. The HQ router is also connected to the internet via a separate interface. Users at the branch can access the internet but cannot reach servers at the head office (subnet 10.10.10.0/24). You run 'show ip route' on BR and see a default route pointing to HQ's IP address, but no specific route for 10.10.10.0/24. The HQ router has a connected route for that subnet. On HQ, you see that the interface towards BR is up/up, and you can ping the BR's interface IP. What is the most likely cause of the issue?

A. The HQ router does not have a route for the branch's local subnet.
B. An ACL on the HQ router is blocking traffic from the branch subnet.
C. The default route on BR is not pointing to the correct next-hop.
D. The T1 link is experiencing errors causing packet loss.
Answer: A

Without a return route, traffic from branch to HQ can leave but replies are dropped.

Why this answer

The branch router (BR) has a default route pointing to the HQ router, which allows outbound traffic to the internet. However, for traffic from the branch to reach the HQ subnet (10.10.10.0/24), the HQ router must have a return route to the branch's local subnet. Without this specific route, the HQ router will drop packets destined for the branch because it does not know how to reach that network, even though the T1 link is up and the BR can ping the HQ interface.

This is a classic asymmetric routing issue where the forward path works but the return path fails.

Exam trap

Cisco often tests the concept that a default route on the branch router is sufficient for outbound traffic, but candidates forget that the head office router also needs a route back to the branch's subnet for return traffic to succeed.

How to eliminate wrong answers

Option B is wrong because an ACL blocking traffic from the branch subnet would typically prevent the initial outbound traffic from the branch, but users at the branch can already access the internet, indicating no such ACL is blocking general traffic; additionally, the ping from HQ to BR succeeds, suggesting no ACL is blocking ICMP. Option C is wrong because the default route on BR is correctly pointing to HQ's IP address, as evidenced by the branch's ability to reach the internet through HQ. Option D is wrong because the T1 link is up/up and the ping from HQ to BR is successful, which rules out significant link errors or packet loss that would affect connectivity.

370
Matching (medium)

Match each Cisco DevNet Associate exam topic to its description.


Covers version control, testing, and CI/CD pipelines

Focuses on REST APIs, authentication, and API consumption

Includes configuration management, infrastructure as code, and network automation

Covers OSI model, TCP/IP, routing, switching, and network topologies

Involves containerization, cloud deployment, and security best practices

Why these pairings

These are the main domains of the Cisco DevNet Associate 200-901 exam.

371
Multi-Select (hard)

Which TWO statements correctly describe differences between model-driven telemetry and traditional SNMP polling?

Select 2 answers
A. SNMP supports push-based notifications using informs
B. Model-driven telemetry reduces device CPU usage compared to frequent SNMP polling
C. Model-driven telemetry can only be used with NETCONF
D. Model-driven telemetry uses a push model, while SNMP polling is a pull model
E. SNMP uses YANG models for data definition
Answers: B, D

Telemetry is more efficient as devices send data at intervals rather than being polled.

Why this answer

Option B is correct because model-driven telemetry uses a push model that sends data only when there is a change or at a configured interval, which significantly reduces the device CPU overhead compared to frequent SNMP polling, where the device must process and respond to each individual GET request from the NMS. This efficiency gain is a primary advantage of telemetry over traditional polling. Option D is correct for the same reason stated from the transport side: with telemetry the device pushes data to a subscribed collector, whereas with SNMP polling the NMS must pull each value by issuing a request.

Exam trap

Cisco often tests the misconception that SNMP is purely pull-based and cannot push, but the trap here is that SNMP informs and traps are push mechanisms, so candidates must focus on the 'frequent polling' CPU reduction as the key differentiator, not the push/pull model alone.

372
MCQ (hard)

An application uses OAuth 2.0 for authorization. The developer receives an access token but needs to know the user's identity. Which OAuth flow should be used to also obtain an ID token that contains user claims?

A. Authorization Code Grant without PKCE
B. Authorization Code Grant with OpenID Connect
C. Resource Owner Password Grant
D. Client Credentials Grant
Answer: B

OpenID Connect adds an ID token with user claims.

Why this answer

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that adds an ID token (a JWT) containing user claims such as name, email, and sub. The Authorization Code Grant with OIDC is the correct flow because it allows the client to request both an access token and an ID token, enabling the application to verify the user's identity while obtaining authorization.

Exam trap

Cisco often tests the misconception that any OAuth 2.0 flow can provide user identity, but only OpenID Connect (specifically the Authorization Code Grant with OIDC) adds the ID token for authentication; candidates may incorrectly choose the Client Credentials Grant, which is purely for machine-to-machine authorization and never includes user claims.

How to eliminate wrong answers

Option A is wrong because the Authorization Code Grant without PKCE (or without OIDC) only returns an access token, not an ID token with user claims; it is designed for authorization, not authentication. Option C is wrong because the Resource Owner Password Grant directly exchanges user credentials for an access token, but it does not include an ID token and is deprecated due to security risks (RFC 6749 Section 4.3). Option D is wrong because the Client Credentials Grant is used for server-to-server communication without a user context, so it never returns an ID token or user claims.
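What the application does with the ID token it receives, as an added example that is not part of the question bank: the token is a JWT whose claims (`iss`, `aud`, `sub`, `name`, `email`, `exp`) are only evidence of identity after the signature and each claim have been checked. `mint_id_token` is a constructed issuer so the example runs offline; it signs with HS256 and a shared secret, whereas production OIDC providers normally sign ID tokens with RS256 and publish the keys via JWKS.

```python
import base64
import hashlib
import hmac
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_id_token(claims: dict, key: bytes) -> str:
    """Constructed issuer side. HS256 keeps the example self-contained; production
    OIDC providers normally sign ID tokens with RS256 and publish the keys via JWKS."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"

def verify_id_token(token: str, key: bytes, issuer: str, client_id: str, now: float) -> dict:
    """Relying-party side: the ID token proves identity only once every check passes."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")          # pin the algorithm; do not let the token choose it
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")           # checked before any claim is trusted
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != client_id:
        raise ValueError("wrong audience")          # a token minted for another client is not ours
    if now >= float(claims.get("exp", 0)):
        raise ValueError("expired")
    if not claims.get("sub"):
        raise ValueError("missing sub")             # sub is the stable user identifier
    return claims

# Constructed sample: what the OIDC provider returns next to the access token
SAMPLE_KEY = b"constructed-shared-secret"
SAMPLE_CLAIMS = {"iss": "https://idp.example", "aud": "app-client-id", "sub": "user-1234",
                 "name": "Jane Doe", "email": "jane@example.com", "iat": 1_700_000_000, "exp": 1_700_003_600}

def demo() -> str:
    token = mint_id_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    return verify_id_token(token, SAMPLE_KEY, "https://idp.example", "app-client-id", now=1_700_000_100)["email"]
```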

373
MCQ (medium)

An application developer is designing a microservice that communicates over HTTP. The service must guarantee that the request is processed exactly once. Which HTTP method should be used to ensure idempotency?

A. PUT
B. PATCH
C. GET
D. DELETE
E. POST
Answer: A

PUT is idempotent; repeating the request yields the same result.

Why this answer

Idempotent methods like PUT, DELETE, GET, and HEAD can be retried safely: repeating the same request leaves the resource in the same state as sending it once. POST is not idempotent. The requirement 'exactly once' implies idempotency.

PUT is the best choice for creating/updating resources.

374
Drag & Drop (medium)

Drag and drop the steps to configure a static route on a Cisco IOS router into the correct order.


Why this order

Static routes require global config mode and must specify the destination network, subnet mask, and next-hop address or exit interface.

375
MCQ (medium)

Based on the exhibit, what is the purpose of the 'vpn' field in the route object?

A. It is an optional field that sets the VPN label
B. It defines the transport VPN for traffic from this VPN
C. It specifies the VPN that the route belongs to
D. It specifies the VPN ID of the next hop
Answer: D

The next hop is reachable via the specified VPN.

Why this answer

In Cisco NSO (Network Services Orchestrator) and similar routing contexts, the 'vpn' field in a route object specifies the VPN ID of the next hop, not the route's own VPN. This is critical for inter-VPN routing, where a route in one VPN must point to a next hop that resides in a specific VPN to ensure proper forwarding across VPN boundaries. The correct answer is D because the field identifies the VPN context of the next-hop address, enabling the route to be resolved correctly in multi-VPN environments.

Exam trap

Cisco often tests the distinction between a route's own VPN context and the VPN of its next hop, and the trap here is that candidates mistakenly think the 'vpn' field identifies the route's own VPN (Option C) rather than the next hop's VPN, because they overlook the fact that the route's VPN is already defined by the containing VRF or service model.

How to eliminate wrong answers

Option A is wrong because the 'vpn' field is not optional for setting a VPN label; VPN labels are typically assigned via MPLS label operations or separate label-switching configurations, not via a route object's 'vpn' field. Option B is wrong because it does not define the transport VPN for traffic from this VPN; transport VPNs are defined by separate VRF or MPLS transport constructs, not by a per-route field. Option C is wrong because it does not specify the VPN that the route belongs to; the route's own VPN is usually implied by the VRF or routing context in which the route is defined, not by a field pointing to a next-hop VPN.
