Cisco DevNet Associate 200-901 (200-901) — Questions 376–450

505 questions total · 7 pages · All types, answers revealed

Page 6 of 7
376
Multi-Select · easy

Which TWO are benefits of using VLANs in a network? (Choose two.)

Select 2 answers
A. Reducing the size of broadcast domains
B. Simplifying Layer 3 routing
C. Improving network security by isolating traffic
D. Reducing the number of collision domains
E. Guaranteeing faster routing performance
Answers: A, C

VLANs segment the network into smaller broadcast domains.

Why this answer

VLANs reduce the size of broadcast domains (A) and improve security by isolating traffic (C). They do not reduce the number of collision domains (D) – collision domains are reduced by switches, not VLANs. VLANs do not simplify Layer 3 routing (B) – they often require routing between VLANs. They do not guarantee faster routing performance (E).

377
Multi-Select · hard

A developer is using a REST API and receives HTTP status codes. Which two codes indicate a client-side error that the developer should fix? (Choose two.)

Select 2 answers
A. 401 Unauthorized
B. 500 Internal Server Error
C. 400 Bad Request
D. 200 OK
E. 404 Not Found
Answers: A, C

401 indicates missing or invalid authentication.

Why this answer

A 401 Unauthorized status code indicates that the request lacks valid authentication credentials for the target resource. This is a client-side error because the developer must provide correct credentials (e.g., API key, OAuth token) or fix the authentication header in the request. A 400 Bad Request status code means the server cannot process the request due to malformed syntax, invalid request message framing, or deceptive request routing — all issues the developer must correct on the client side.

Exam trap

Cisco often tests the distinction between client-side (4xx) and server-side (5xx) errors, and the trap here is that 404 Not Found is also a client-side error, but the question asks for two specific codes (401 and 400) that directly indicate the developer must fix the request, not just that the resource is missing.

378
MCQ · medium

A developer is deploying a Python web application on Cisco UCS servers using a CI/CD pipeline that runs on Jenkins. The application uses a PostgreSQL database. The security team mandates that all database credentials must be rotated every 30 days. Currently, credentials are stored as plaintext in a configuration file in the application repository. Which approach should the developer take to meet the rotation requirement without storing secrets in the repository?

A. Integrate with HashiCorp Vault to dynamically generate credentials for each deployment
B. Set the credentials as environment variables in the Jenkins pipeline and generate a new set every month manually
C. Store the credentials in the Jenkins credentials store and reference them in the pipeline
D. Store the credentials in a Kubernetes ConfigMap and update it every 30 days
Answer: A

Vault can generate short-lived credentials and rotate them automatically, meeting the rotation requirement.

Why this answer

Integrating with HashiCorp Vault allows the CI/CD pipeline to dynamically generate short-lived database credentials for each deployment, eliminating the need to store secrets in the repository. Vault can be configured to automatically rotate credentials every 30 days (or less) and inject them into the application at runtime via sidecar containers or API calls, meeting the security mandate without manual intervention.

Exam trap

Cisco often tests the distinction between static secret storage (e.g., Jenkins credentials store or ConfigMaps) and dynamic secret generation (e.g., Vault), where the key requirement is automatic rotation without manual intervention.

How to eliminate wrong answers

Option B is wrong because manually generating and setting environment variables every 30 days is not automated, error-prone, and still exposes credentials in the Jenkins pipeline configuration, which may be stored in the Jenkins home directory or logs. Option C is wrong because storing credentials in the Jenkins credentials store avoids plaintext in the repo but does not provide automatic rotation; the credentials would still need to be manually updated every 30 days, and they remain static within the pipeline. Option D is wrong because storing credentials in a Kubernetes ConfigMap is insecure (ConfigMaps are not designed for secrets) and does not support automatic rotation; updating it every 30 days would require manual intervention or additional scripting, and the credentials would still be stored in plaintext within the cluster.

379
MCQ · medium

A team uses Ansible Tower for network automation. They need to restrict a user to only view job results without making any changes. Which Tower role should be assigned?

A. Execute
B. Read
C. Auditor
D. Admin
Answer: B

The Read role provides view-only permissions for jobs, inventories, and other resources.

Why this answer

The Read role in Ansible Tower grants read-only access to all resources, including job results, without allowing any modifications. This is the correct choice because the requirement is to restrict the user to viewing job results only, and Read provides exactly that level of access without any write or execute permissions.

Exam trap

Cisco often tests the distinction between Read and Auditor roles, where candidates may mistakenly choose Auditor thinking it is more restrictive, but Auditor actually provides broader read access to all objects including credentials, while Read is the correct role for limiting to job results only.

How to eliminate wrong answers

Option A is wrong because the Execute role allows a user to run jobs and launch playbooks, which would enable changes to the network, not just viewing results. Option C is wrong because the Auditor role provides read-only access to all objects, including sensitive data such as credentials and inventory; it is designed for auditing and is more permissive than necessary for simply viewing job results, so the Read role is the more appropriate choice. Option D is wrong because the Admin role grants full administrative privileges, including the ability to modify configurations, manage users, and execute jobs, which would allow changes and violate the restriction.

380
Matching · medium

Match each Cisco platform to its primary use case.

Matches

Intent-based networking management

Cloud-managed network administration

Collaboration and messaging integration

Unified infrastructure management

Application performance monitoring

Why these pairings

These are key Cisco platforms relevant to the exam.

381
MCQ · medium

A company has a DHCP server that assigns IP addresses from a scope of 192.168.10.0/24. A new device receives IP 192.168.10.100/24 but cannot access the internet. The default gateway is 192.168.10.1. What is the most likely issue?

A. DNS server is unreachable.
B. The DHCP scope is exhausted.
C. The device has a duplicate IP address.
D. The default gateway is not reachable from the device.
E. The device's subnet mask is incorrect.
Answer: D

This is the most direct cause: if the gateway is down or not on the same VLAN, traffic cannot exit.

Why this answer

The device received a valid IP address (192.168.10.100/24) and subnet mask from the DHCP server, but it cannot access the internet. Since the default gateway is 192.168.10.1, the most likely cause is that the device cannot reach the gateway, which is required to route traffic outside the local subnet. Without connectivity to the default gateway, the device cannot forward packets to external networks, even though its IP configuration is otherwise correct.

Exam trap

Cisco often tests the concept that a valid IP address and subnet mask do not guarantee internet access; the default gateway must be reachable, and candidates may mistakenly blame DNS or DHCP exhaustion when the real issue is Layer 3 connectivity to the gateway.

How to eliminate wrong answers

Option A is wrong because the question does not mention any DNS-related symptoms (e.g., name resolution failures), and a DNS server being unreachable would prevent domain name resolution but not necessarily all internet access (IP-based access could still work). Option B is wrong because the device successfully received IP 192.168.10.100, which is within the /24 scope, indicating the DHCP scope is not exhausted. Option C is wrong because a duplicate IP address would typically cause an address conflict error or connectivity issues for both devices, but the question does not describe such symptoms, and the device received a valid lease.

Option E is wrong because the device was assigned a /24 subnet mask (255.255.255.0) via DHCP, which is correct for the 192.168.10.0/24 network, so the mask is not the issue.

382
MCQ · hard

A developer is designing a data model for network device configurations using YANG. They need to represent a list of interfaces where each interface has a name (string) and speed (enumeration). Which YANG statement correctly defines this structure?

A. leaf interface-list { type string; }
B. leaf-list interface { type string; }
C. list interface { key name; leaf name { type string; } leaf speed { type enumeration; } }
D. list interface { leaf name { type string; } leaf speed { type enumeration; } }
Answer: C

This defines a list with a key, and two leaves for name and speed.

Why this answer

Option C is correct because YANG requires a `list` statement to define a collection of entries with multiple leafs, and a `key` statement to uniquely identify each list entry. The `list interface` with `key name` allows multiple interfaces, each having both a `name` (string) and `speed` (enumeration), matching the requirement exactly.

Exam trap

Cisco often tests the requirement of the `key` statement in a YANG `list`; candidates may forget that a list without a key is syntactically invalid, leading them to choose option D.

How to eliminate wrong answers

Option A is wrong because `leaf` defines a single scalar value, not a list of interfaces with multiple properties. Option B is wrong because `leaf-list` defines an ordered list of simple values (e.g., strings), not entries with multiple leafs like name and speed. Option D is wrong because it omits the mandatory `key` statement, which is required by YANG for any `list` to uniquely identify each entry; without a key, the list is invalid.

383
MCQ · hard

An organization uses Cisco ISE for network access control. A user reports inability to access the network. The switch port shows the authenticator state as 'connecting'. What does this indicate?

A. The client is in the process of 802.1X authentication
B. The client has successfully authenticated
C. The port is in a held state due to multiple failures
D. Authentication has failed
Answer: A

'Connecting' means authentication is ongoing.

Why this answer

In Cisco ISE and 802.1X, the authenticator state 'connecting' indicates that the switch (authenticator) has detected a new client on the port and has initiated the 802.1X authentication process. This state means the port is actively sending EAP-Request/Identity frames and waiting for the client to respond, so the client is in the process of authentication, not yet authenticated or failed.

Exam trap

Cisco often tests the distinction between the 'connecting' state (meaning the process is ongoing) and the 'authenticated' or 'failed' states; candidates may mistakenly think 'connecting' implies a problem or failure rather than normal progress.

How to eliminate wrong answers

Option B is wrong because 'connecting' is a transitional state; successful authentication would show the port in the 'authenticated' state, not 'connecting'. Option C is wrong because a held state due to multiple failures is represented by the 'held' or 'auth_fail' state, not 'connecting'. Option D is wrong because authentication failure results in the port moving to a 'failed' or 'unauthorized' state, not remaining in 'connecting'.

384
MCQ · easy

A network engineer needs to automate the configuration of VLANs across 50 switches. Which approach best follows Cisco’s recommended practices for programmability?

A. Write an Ansible playbook using the ios_vlan module to configure VLANs on all switches.
B. Use a REST API on each switch to push the VLAN configuration individually.
C. Use a Python script that manually SSHes into each switch and applies CLI commands.
D. Configure all VLANs via SNMP MIBs.
Answer: A

Ansible with idempotent modules is a best practice for network automation.

Why this answer

Option A is correct because Ansible's ios_vlan module is purpose-built for automating VLAN configuration on Cisco IOS devices, aligning with Cisco's recommended practices for programmability by using a declarative, agentless automation tool that abstracts the underlying CLI and ensures idempotent configuration across multiple switches.

Exam trap

Cisco often tests the misconception that REST APIs are universally available on all network devices, but in reality, many legacy switches lack REST API support, making Ansible (which uses SSH/CLI abstraction) the more practical and recommended choice for multi-vendor or mixed-platform environments.

How to eliminate wrong answers

Option B is wrong because most Cisco switches do not expose a native REST API for VLAN configuration; REST APIs are typically available on newer platforms like IOS-XE via NETCONF/RESTCONF, but using them individually on each switch is inefficient and not a scalable approach for 50 switches. Option C is wrong because manually SSHing into each switch with a Python script is a legacy, non-programmable approach that lacks idempotency, error handling, and scalability, and does not follow Cisco's recommended practices for network automation. Option D is wrong because SNMP MIBs for VLAN configuration (like BRIDGE-MIB or Q-BRIDGE-MIB) are outdated, cumbersome, and not recommended for modern automation; they require complex OID manipulation and lack the declarative, idempotent capabilities of tools like Ansible.

385
MCQ · hard

A Python script uses the requests library to authenticate to Cisco DNA Center. The script receives a 401 Unauthorized error even though the credentials are correct. Which of the following is a likely cause?

A. The request is using HTTP instead of HTTPS
B. The Content-Type header is not set to application/json
C. The API endpoint is incorrect
D. The token has expired
Answer: D

Cisco DNA Center uses token-based authentication; an expired token returns 401.

Why this answer

If the script reuses a cached token, that token may have expired, which returns a 401. Option C (wrong endpoint) gives a 404. Option B (missing Content-Type) causes a 400. Option A (HTTP instead of HTTPS) may cause a redirect or a connection error, but not a 401 when the credentials are correct.

386
MCQ · medium

Refer to the exhibit. Which Cisco DNA Center Intent API request produced this response?

A. GET /dna/intent/api/v1/network-device/{id}
B. GET /dna/intent/api/v1/network-device
C. POST /dna/intent/api/v1/network-device
D. PUT /dna/intent/api/v1/network-device/{id}
Answer: A

This would return a single object, not an array.

Why this answer

The response is an array (list) of network devices, indicating a GET request to the collection endpoint. A GET request to the specific device endpoint would return a single object, not an array. POST and PUT do not return such arrays.

387
MCQ · easy

A network engineer needs to automate the configuration of VLANs on a set of Cisco switches using Ansible. Which API should be targeted to ensure idempotent configuration updates?

A. NETCONF/YANG
B. REST API of Cisco DNA Center
C. SNMP
D. CLI with SSH
Answer: A

NETCONF/YANG supports idempotent operations through data model validation and transaction support.

Why this answer

NETCONF/YANG is the correct choice because NETCONF provides a transactional, lock-based mechanism that ensures idempotent configuration updates—applying the desired state exactly once without side effects from repeated runs. YANG models define the VLAN configuration structure, allowing Ansible to compare the current device state against the desired state and only push changes when necessary, which is the essence of idempotency.

Exam trap

Cisco often tests the misconception that CLI with SSH is sufficient for automation, but the trap here is that CLI commands are not idempotent by default—candidates overlook the need for a structured, transactional protocol like NETCONF to guarantee repeatable, safe configuration updates.

How to eliminate wrong answers

Option B is wrong because the REST API of Cisco DNA Center is a controller-based intent API that abstracts device-level configuration; it is not designed for direct, idempotent per-device VLAN updates and introduces a dependency on the DNA Center controller. Option C is wrong because SNMP is a polling-based monitoring protocol that lacks transactional semantics, and its write operations for VLAN configuration are not idempotent (repeated SETs can cause duplicate entries or errors). Option D is wrong because CLI with SSH is imperative and stateful; running the same VLAN configuration commands multiple times can result in duplicate VLANs or errors, and there is no built-in mechanism to compare current vs. desired state without custom scripting.

388
MCQ · easy

A developer is using Cisco DNA Center API to add a new device to the inventory. Which HTTP method should be used for this operation?

A. PATCH
B. GET
C. DELETE
D. POST
Answer: D

POST is the standard HTTP method to create a new resource in REST APIs.

Why this answer

The POST HTTP method is used to create a new resource on the server. When adding a new device to the Cisco DNA Center inventory, you are creating a new device entry, which aligns with the POST method as defined by RESTful API conventions. Cisco DNA Center's device onboarding API endpoint (e.g., /dna/intent/api/v1/network-device) specifically requires a POST request to add a device.

Exam trap

Cisco often tests the distinction between POST and PUT, where candidates mistakenly choose PUT for creation, but PUT is typically used for full replacement of an existing resource, while POST is the correct method for creating a new resource in Cisco DNA Center's API design.

How to eliminate wrong answers

Option A is wrong because PATCH is used for partial updates to an existing resource, not for creating a new device. Option B is wrong because GET is used to retrieve existing data, not to create new resources. Option C is wrong because DELETE is used to remove an existing resource, not to add one.

389
MCQ · hard

A developer is writing a Python script that uses the Cisco Meraki API to retrieve a list of networks for an organization. The API returns a JSON array. The developer wants to filter networks where the 'tags' field contains 'production'. Which code snippet correctly filters the results?

A. filtered = [net for net in networks if 'production' in net['tags']]
B. filtered = [net for net in networks if 'production' in str(net['tags'])]
C. filtered = [net for net in networks if 'production' in net['tags'].split(',')]
D. filtered = [net for net in networks if any('production' in t for t in net['tags'])]
Answer: A

Correct: 'tags' is a list, and 'in' works for list membership.

Why this answer

Option A is correct because the Meraki API returns the 'tags' field as a list of strings (e.g., ['production', 'critical']). The Python `in` operator directly checks membership in a list, so `'production' in net['tags']` efficiently filters networks where the exact string 'production' appears as an element in the list.

Exam trap

Cisco often tests the distinction between list membership (`in` on a list) and substring matching (`in` on a string), leading candidates to overcomplicate the filter with `split()` or `any()` when the API already returns a list.

How to eliminate wrong answers

Option B is wrong because converting the list to a string with `str()` produces a string like "['production', 'critical']", and then checking `'production' in` that string would match substrings (e.g., 'production' would also match 'production-backup'), leading to false positives. Option C is wrong because `net['tags'].split(',')` assumes 'tags' is a comma-separated string, but the Meraki API returns a list, not a string; calling `.split()` on a list raises an AttributeError. Option D is wrong because `any('production' in t for t in net['tags'])` checks if the substring 'production' exists within any tag string (e.g., 'production-backup' would match), which is overly broad and not an exact match; the simple `in` on the list already performs exact membership.
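As an added example (not code from the page or from Cisco's Meraki SDK), the four snippets from the options run against a constructed sample of the networks array, with 'tags' as the list of strings the API returns; a 'production-backup' tag is included to show the over-matching of options B and D and the AttributeError of option C.

```python
# Constructed sample of the JSON array returned by the Meraki networks
# endpoint. Only the fields the question uses are included; the ids,
# names and tags are made up for this example.
NETWORKS = [
    {"id": "N_1", "name": "hq-lan", "tags": ["production", "critical"]},
    {"id": "N_2", "name": "branch-7", "tags": ["production-backup"]},
    {"id": "N_3", "name": "lab", "tags": ["staging"]},
    {"id": "N_4", "name": "untagged", "tags": []},
]


def filter_exact(networks, tag="production"):
    """Option A: exact list membership. Only a tag equal to 'production' matches."""
    return [net["name"] for net in networks if tag in net["tags"]]


def filter_via_str(networks, tag="production"):
    """Option B: substring search on str(list). 'production-backup' also matches."""
    return [net["name"] for net in networks if tag in str(net["tags"])]


def filter_via_split(networks, tag="production"):
    """Option C: assumes 'tags' is a comma-separated string. The list has no
    .split(), so the exception class name is returned to make the failure visible."""
    try:
        return [net["name"] for net in networks if tag in net["tags"].split(",")]
    except AttributeError as exc:
        return type(exc).__name__


def filter_via_any(networks, tag="production"):
    """Option D: substring search inside each tag; over-matches like option B."""
    return [net["name"] for net in networks if any(tag in t for t in net["tags"])]


if __name__ == "__main__":
    for fn in (filter_exact, filter_via_str, filter_via_split, filter_via_any):
        print(f"{fn.__name__:17} -> {fn(NETWORKS)}")
```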

390
MCQ · hard

A DevOps team manages a multi-site Cisco Meraki network with 50 MX appliances and 200 MR access points. They use a Python script that calls the Meraki API to collect device utilization data every hour and stores it in a CSV file. Recently, the script started failing intermittently with HTTP 429 status codes. The team suspects rate limiting but notices that the failures occur even when only one script instance runs. The script uses a single API key and makes requests to the /devices/{serial}/uplink endpoint for each MX and the /devices/{serial}/wireless/status endpoint for each MR. The script is scheduled via cron and runs sequentially. The team wants to resolve the rate limiting while minimizing changes to the script. Which course of action should the team take?

A. Introduce a delay between API calls to stay within the rate limit.
B. Distribute the API requests across multiple API keys.
C. Switch to a webhook-based approach to receive data instead of polling.
D. Use the bulk API request feature to collect data in fewer calls.
Answer: A

Adding a small delay reduces request rate and avoids 429 errors.

Why this answer

The intermittent HTTP 429 errors indicate the script is exceeding the Meraki API rate limit, which applies per API key. Since the script runs sequentially with a single key, introducing a delay between API calls (e.g., using time.sleep()) is the simplest fix that stays within the rate limit without requiring architectural changes. This directly addresses the root cause while minimizing modifications to the existing script.

Exam trap

Cisco often tests the misconception that rate limiting can be solved by distributing requests across multiple keys, but the trap here is that the rate limit applies per key and the script's sequential nature means a single key is sufficient if delays are added.

How to eliminate wrong answers

Option B is wrong because distributing requests across multiple API keys does not change the per-key rate limit; the script still makes the same number of calls in the same time window, so 429 errors would persist. Option C is wrong because switching to webhooks requires significant infrastructure changes (e.g., setting up a listener, handling payloads) and does not address the immediate rate-limiting issue with the existing polling script. Option D is wrong because the Meraki API does not support a 'bulk' endpoint for the specific /devices/{serial}/uplink and /devices/{serial}/wireless/status endpoints; these are per-device calls, so batching is not possible.
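An added example, not the team's script: a sequential collector that pauses between calls (option A) and backs off on a 429 using the Retry-After header, driven by a constructed fake session that enforces a per-second limit and a virtual clock so the run completes instantly. The limit value, serials and response bodies are made up; a real run would pass a `requests.Session` and `time.sleep`.

```python
import time


class FakeResponse:
    """Minimal stand-in for requests.Response (constructed for this example)."""

    def __init__(self, status_code, headers=None, payload=None):
        self.status_code = status_code
        self.headers = headers or {}
        self._payload = payload

    def json(self):
        return self._payload


class FakeMerakiSession:
    """Simulates a per-key limit of `limit` requests per one-second window and
    answers 429 with Retry-After once it is exceeded. Not the real dashboard."""

    def __init__(self, limit_per_second, clock):
        self.limit = limit_per_second
        self.clock = clock
        self.window_start = clock()
        self.count = 0
        self.calls = 0  # every HTTP call, including the ones answered with 429

    def get(self, url):
        self.calls += 1
        now = self.clock()
        if now - self.window_start >= 1.0:
            self.window_start, self.count = now, 0
        self.count += 1
        if self.count > self.limit:
            return FakeResponse(429, {"Retry-After": "1"})
        return FakeResponse(200, payload={"url": url, "status": "active"})


class FakeClock:
    """Virtual clock: sleep() advances time instead of blocking."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


def collect(session, urls, min_interval, max_retries=3, sleep=time.sleep):
    """Fetch every URL in order, pausing `min_interval` seconds between calls
    (option A). On 429, wait for Retry-After (default 1 s) and retry."""
    results = {}
    for url in urls:
        for _attempt in range(max_retries + 1):
            resp = session.get(url)
            if resp.status_code == 429:
                sleep(float(resp.headers.get("Retry-After", 1)))
                continue
            if resp.status_code != 200:
                raise RuntimeError(f"{url}: HTTP {resp.status_code}")
            results[url] = resp.json()
            break
        else:
            raise RuntimeError(f"{url}: still rate limited after {max_retries} retries")
        sleep(min_interval)
    return results


def run_simulation(device_count, limit_per_second, min_interval):
    """Return (devices collected, HTTP calls made) for a given pacing delay."""
    clock = FakeClock()
    session = FakeMerakiSession(limit_per_second, clock.now)
    urls = [f"/devices/SERIAL-{i:03d}/uplink" for i in range(device_count)]
    data = collect(session, urls, min_interval, sleep=clock.sleep)
    return len(data), session.calls


if __name__ == "__main__":
    # 50 MX appliances against a constructed limit of 5 calls per second.
    print("no delay   :", run_simulation(50, 5, 0.0))   # extra calls wasted on 429s
    print("0.25 s gap :", run_simulation(50, 5, 0.25))  # exactly one call per device
```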

391
MCQ · medium

A network engineer is developing a Python script to automate the collection of interface statistics from multiple Cisco Catalyst switches using NETCONF. The engineer uses the 'ncclient' library to connect to each switch. The script works for most switches, but for one switch, the connection consistently fails with an authentication error. The engineer has verified that the username and password are correct and that the switch has NETCONF enabled. The engineer suspects the issue might be related to SSH host key checking. The engineer wants to modify the script to bypass host key checking for this specific switch. Which approach should the engineer use?

A. Set the 'hostkey_verify' parameter to False in the connect method
B. Disable SSH key-based authentication by setting 'look_for_keys=False'
C. Use the 'allow_agent' parameter set to False
D. Set the 'known_hosts' parameter to an empty file in the connect method
Answer: A

Correct: This disables host key verification.

Why this answer

Option A is correct because the 'ncclient' library's connect method accepts a 'hostkey_verify' parameter. Setting it to False disables SSH host key checking, which bypasses the verification of the switch's host key against the known_hosts file. This resolves authentication errors caused by host key mismatches, such as when the switch's host key has changed or is not present in the known_hosts file.

Exam trap

Cisco often tests the distinction between SSH host key verification and SSH key-based authentication, leading candidates to confuse parameters like 'look_for_keys' (which controls key-based login) with 'hostkey_verify' (which controls host key trust).

How to eliminate wrong answers

Option B is wrong because 'look_for_keys=False' disables SSH key-based authentication (public/private key pairs), but the engineer is using username/password authentication, and the error is about host key verification, not key-based authentication. Option C is wrong because 'allow_agent=False' prevents the use of an SSH agent for key-based authentication, which is unrelated to host key checking. Option D is wrong because the 'known_hosts' parameter is not a valid parameter in the ncclient connect method; the correct way to bypass host key checking is via 'hostkey_verify=False', not by pointing to an empty file.

392
MCQ · medium

Refer to the exhibit. An application is deployed on a server at 192.168.1.10, listening on TCP port 8080. The ACL is applied inbound on the server's network interface. Which clients will be able to access the application?

A. Clients from any network, because the permit statement overrides the deny
B. Only clients from the 192.168.1.0/24 network
C. No clients, because the deny statement blocks all TCP traffic to port 8080
D. Only clients sending UDP traffic to port 53
Answer: C

The first rule denies all TCP traffic to port 8080, making the subsequent permit ineffective for TCP.

Why this answer

The ACL processes rules in order. The first rule denies all TCP traffic to port 8080 from any source, so even traffic from 192.168.1.0/24 is blocked. The second permit rule is never reached for TCP 8080. Therefore, no clients can access the application on port 8080.

393
MCQ · hard

Refer to the exhibit. A security audit reveals that the authentication mechanism is vulnerable. Which attack is most likely possible?

A. Cross-site scripting (XSS) via the token.
B. Token forgery if the secret key is weak.
C. Man-in-the-middle attack due to missing HTTPS.
D. SQL injection through the login endpoint.
Answer: B

The weak secret 'my-secret' can be easily guessed, allowing an attacker to forge valid tokens.

Why this answer

The exhibit shows a JSON Web Token (JWT) being used for authentication. If the secret key used to sign the JWT is weak or easily guessable, an attacker can forge a valid token by brute-forcing the secret and then crafting a token with arbitrary claims (e.g., elevated privileges). This is a classic token forgery attack, not a cross-site scripting or injection attack, because the vulnerability lies in the signing mechanism, not in input handling or transport security.

Exam trap

Cisco often tests the distinction between attacks that target the authentication mechanism itself (like token forgery) versus attacks that exploit input handling (XSS, SQLi) or transport security (MITM), leading candidates to pick a wrong option because they focus on a general security flaw (e.g., missing HTTPS) rather than the specific vulnerability implied by the token's weak secret.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) exploits the injection of malicious scripts into web pages, not the forging of authentication tokens; the token itself is not rendered as HTML or executed in a browser context. Option C is wrong because while missing HTTPS is a security concern, the question specifically asks about an attack made possible by the authentication mechanism's vulnerability, and a man-in-the-middle attack would exploit the lack of encryption, not the token's signing secret. Option D is wrong because SQL injection targets database queries through unsanitized input, whereas the token-based authentication shown does not involve direct SQL queries at the login endpoint; the vulnerability is in the token's cryptographic integrity, not in query construction.
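An added example rather than the exhibit's code: a minimal HS256 verifier in Python that pins the algorithm and compares the MAC in constant time, plus the startup check a defender would add to reject a signing secret shorter than the 32 bytes RFC 7518 requires for HS256. The 'my-secret' value from the explanation is the weak input; the strong key and the claims are constructed.

```python
import base64
import hashlib
import hmac
import json

# RFC 7518 section 3.2: an HS256 key MUST be at least as long as the hash
# output, i.e. 256 bits (32 bytes). Anything shorter is flagged as weak here.
MIN_HS256_SECRET_BYTES = 32


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a compact HS256 JWT; used here only to construct sample tokens."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the claims if the signature checks out, else raise ValueError.
    The algorithm is pinned to HS256 so a header claiming 'none' or an
    asymmetric alg is rejected, and the MAC is compared in constant time."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


def is_valid(token: str, secret: bytes) -> bool:
    """Boolean wrapper; base64 and JSON errors are subclasses of ValueError."""
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False


def secret_is_strong(secret: bytes) -> bool:
    """Startup policy check: refuse to boot the service on a short secret."""
    return len(secret) >= MIN_HS256_SECRET_BYTES


def tamper(token: str, new_claims: dict) -> str:
    """Swap the payload but keep the original signature, to show that a
    modified claim set is rejected when the verifier holds the real secret."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_b64url_encode(json.dumps(new_claims).encode())}.{sig_b64}"


if __name__ == "__main__":
    weak, strong = b"my-secret", bytes(range(32))  # constructed keys
    print("weak secret passes policy?  ", secret_is_strong(weak))
    tok = sign_hs256({"sub": "alice", "role": "user"}, strong)
    print("genuine token valid?        ", is_valid(tok, strong))
    print("tampered token valid?       ", is_valid(tamper(tok, {"sub": "alice", "role": "admin"}), strong))
```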

394
Drag & Drop · medium

Drag and drop the steps to configure a Cisco switch for remote management (SSH) into the correct order.


Why this order

SSH requires a hostname, RSA keys, local authentication, and VTY line configuration.

395
Multi-Select · hard

Which TWO of the following are valid security considerations when deploying an application to a Kubernetes cluster managed by Cisco Intersight? (Choose two.)

Select 2 answers
A. Store secrets in ConfigMaps for easy retrieval.
B. Define Network Policies to isolate pods and control traffic flow.
C. Disable RBAC to simplify management and reduce overhead.
D. Use default service accounts for all pods to avoid misconfiguration.
E. Implement Pod Security Policies to restrict privileged containers.
Answers: B, E

Network policies enforce micro-segmentation and limit lateral movement.

Why this answer

Option B is correct because Network Policies in Kubernetes act as a firewall at the pod level, using label selectors and namespace selectors to control ingress and egress traffic. In a Cisco Intersight-managed cluster, defining these policies is a critical security consideration to enforce micro-segmentation and prevent lateral movement of threats. Option E is correct because Pod Security Policies (PSPs) are a cluster-level resource that control security-sensitive aspects of pod specification, such as preventing privileged containers, which is a key security best practice in Kubernetes.

Exam trap

Cisco often tests the misconception that ConfigMaps are suitable for secrets (they are not) and that disabling RBAC simplifies management (it actually creates a massive security hole), while candidates may overlook that Network Policies require a compatible CNI plugin to be effective.

396
MCQ · hard

A company has a microservices application deployed on Kubernetes. There are three services: frontend, backend, and database. The frontend is exposed via an Ingress. The API gateway is used for authentication. Recently, after updating the backend service, users are experiencing 401 Unauthorized errors when accessing endpoints that previously worked. The authentication mechanism uses JWT tokens issued by an external identity provider. The JWT tokens are validated by the API gateway. The backend service itself does not validate tokens; it relies on the gateway to forward user identity via headers. The development team checked the logs and found that the backend is receiving requests with the correct JWT from the gateway but still returning 401. What is the most likely cause?

A. The Ingress controller is stripping the Authorization header before forwarding to the backend.
B. The API gateway's JWT signing key has changed and the backend is using the old key.
C. The new backend version uses a different HTTP method for the affected endpoints.
D. The backend service code now attempts to validate the JWT itself and fails.
Answer: D

Likely the update added token validation code that is not properly configured.

Why this answer

The scenario states that the backend service relies on the gateway to forward user identity via headers and does not validate JWT tokens itself. If the new backend version now attempts to validate the JWT, it would likely fail because the backend lacks the necessary signing key or validation logic, causing 401 errors even though the gateway correctly forwards the token. This matches option D, as the change in backend behavior introduces a new validation step that was not present before.

Exam trap

Cisco often tests the misconception that JWT validation must happen at the backend, but here the trap is that the backend was never supposed to validate tokens, and a code change introducing such validation causes the 401 errors, not a problem with the gateway or Ingress.

How to eliminate wrong answers

Option A is wrong because the Ingress controller is not involved in JWT validation; the issue occurs after the gateway forwards the request, and the backend receives the correct JWT, so stripping the Authorization header would prevent the token from reaching the backend, contradicting the log evidence. Option B is wrong because the backend does not validate JWT tokens; it relies on the gateway, so a key change would affect the gateway's validation, not the backend's response, and the logs show the gateway is forwarding the correct JWT. Option C is wrong because HTTP method changes would cause 405 Method Not Allowed errors, not 401 Unauthorized, and the problem is specifically about authentication failure.

397
MCQ easy

An engineer wants to verify that a switch port is configured as an access port in VLAN 10. Which command provides this information?

A.show running-config interface
B.show interfaces status
C.show ip interface brief
D.show vlan brief
Answer: A

This displays the running configuration of the interface, including switchport settings.

Why this answer

The `show running-config interface` command displays the current operational configuration of a specific interface, including whether it is configured as an access port and which VLAN it is assigned to. For a switch port in VLAN 10, the output will show `switchport mode access` and `switchport access vlan 10`, directly confirming the desired configuration.

Exam trap

Cisco often tests the distinction between commands that show operational status (like `show interfaces status`) versus those that show configuration (like `show running-config interface`), leading candidates to pick a command that only shows interface state rather than the actual VLAN assignment and port mode.

How to eliminate wrong answers

Option B is wrong because `show interfaces status` shows the administrative and operational status of interfaces (e.g., up/down, speed, duplex) but does not display the VLAN assignment or port mode configuration. Option C is wrong because `show ip interface brief` lists IP addresses and interface status for Layer 3 interfaces, not Layer 2 switch port VLAN details. Option D is wrong because `show vlan brief` lists all VLANs and their member ports, but it does not show the port mode (access vs. trunk) or confirm that a specific port is configured as an access port in VLAN 10.

398
MCQ hard

Refer to the exhibit. A developer receives this response when attempting to send a PATCH request to modify a YANG data node via RESTCONF. What is the most likely cause?

A.The resource does not exist
B.The authentication token is expired
C.The YANG model is not supported
D.The JSON payload is malformed
Answer: D

The error-tag 'malformed-message' indicates JSON syntax error.

Why this answer

A PATCH request to modify a YANG data node via RESTCONF returns a 400 Bad Request status when the JSON payload is malformed. RESTCONF (RFC 8040) requires the request body to conform to the YANG module's data model; if the JSON syntax is invalid or the data does not match the schema (e.g., missing required fields, incorrect data types), the server rejects the request with a 400 error. The 400 status code specifically indicates a client-side error in the request payload, not an authentication or resource existence issue.

Exam trap

Cisco often tests the distinction between HTTP status codes for RESTCONF errors, and the trap here is that candidates confuse a 400 Bad Request (payload issue) with a 404 Not Found (resource missing) or a 401 Unauthorized (auth issue), especially when the question describes a 'modify' operation that might imply the resource exists.

How to eliminate wrong answers

Option A is wrong because a 400 Bad Request does not indicate a missing resource; a nonexistent resource would return a 404 Not Found. Option B is wrong because an expired authentication token would result in a 401 Unauthorized or 403 Forbidden, not a 400. Option C is wrong because an unsupported YANG model would cause a 501 Not Implemented or a 404 if the model is not available, not a 400 Bad Request.

399
MCQ easy

A developer wants to use Cisco Webex Teams API to send a message to a specific room. Which of the following request JSON body fields is required?

A."toPersonId"
B."toPersonEmail"
C."roomId"
D."text"
Answer: C

Required to specify the target room.

Why this answer

The Cisco Webex Teams API requires the 'roomId' field in the request body to identify the specific room where the message will be sent. Without this field, the API cannot determine the destination, and the request will fail with a 400 Bad Request error. The 'roomId' is a mandatory parameter for sending messages to a room, as documented in the Webex API reference.

Exam trap

Cisco often tests the distinction between room messages and direct messages, and the trap here is that candidates may assume 'text' is required because it is the most obvious content field, but the API allows messages without text (e.g., only a file), making 'roomId' the only truly required field for room-targeted messages.

How to eliminate wrong answers

Option A is wrong because 'toPersonId' is used to send a direct message to a specific person, not to a room, and is not required when targeting a room. Option B is wrong because 'toPersonEmail' is also for direct messages to a person by email address, and is mutually exclusive with 'roomId' for room messages. Option D is wrong because 'text' is optional; the message can be sent with other content types like markdown or file attachments, and the API does not require a 'text' field.

400
MCQ hard

A large enterprise is migrating to a DevOps model and needs to automate the provisioning of network devices. The team has chosen Ansible for configuration management and is using a Git repository for version control. The network includes Cisco IOS routers, Catalyst switches running IOS-XE, and ASA firewalls. The team has written Ansible playbooks for each device type. The goal is to have a CI/CD pipeline that automatically deploys configuration changes to the production network after the changes are merged into the main branch. However, during a recent deployment, a misconfiguration was pushed to a core router, causing a 10-minute outage. The root cause was that the playbook that was executed was not the correct one for that device model. The team wants to implement a mechanism to prevent similar incidents. Which approach should the team adopt?

A.Implement a CI/CD pipeline that runs playbooks against a staging environment with similar devices, and only deploy to production after successful validation
B.Require all changes to be approved by a change advisory board before merging
C.Require two-person peer review for all playbook changes
D.Use a pre-commit hook that checks the playbook syntax and device compatibility
Answer: A

Correct: Automated testing in staging catches misconfigurations.

Why this answer

Option A is correct because a staging environment with similar devices allows the team to validate playbooks against representative hardware before production deployment. This catches model-specific incompatibilities (e.g., a playbook written for IOS-XE being applied to a classic IOS router) without risking production outages. The CI/CD pipeline can run the same playbooks in staging, verify the resulting device state, and only promote changes to production after successful validation.

Exam trap

Cisco often tests the distinction between static validation (syntax checks, peer review) and dynamic validation (staging environment testing), and the trap here is assuming that code review or pre-commit hooks alone can prevent runtime device-model mismatches.

How to eliminate wrong answers

Option B is wrong because requiring a change advisory board (CAB) approval before merging introduces manual delays and does not automatically prevent the execution of an incorrect playbook for a specific device model; it only gates the merge, not the deployment. Option C is wrong because two-person peer review of playbook changes can catch syntax errors but cannot guarantee that the playbook is compatible with every target device model in production, especially when device types vary. Option D is wrong because a pre-commit hook that checks playbook syntax and device compatibility can only validate static code against predefined rules; it cannot test the actual behavior of the playbook on real hardware or detect runtime issues like model-specific command differences.

401
MCQ medium

A DevOps engineer is designing a REST API for a custom network automation tool. Which principle is essential for a RESTful design?

A.Maintain session state on the server between requests.
B.Use HTTP methods to perform CRUD operations on resources.
C.Use a single URI for all operations with different method names.
D.Return XML responses by default for compatibility.
Answer: B

This is a core REST principle, mapping operations to HTTP methods like GET, POST, PUT, DELETE.

Why this answer

RESTful APIs are designed around resources, and HTTP methods (GET, POST, PUT, DELETE, PATCH) directly map to CRUD operations (Create, Read, Update, Delete). This stateless, resource-oriented approach is a core principle of REST as defined by Roy Fielding's dissertation, enabling uniform interfaces and predictable interactions.

Exam trap

Cisco often tests the misconception that REST APIs can maintain server-side session state (like traditional web apps) or that a single URI with different method names is acceptable, confusing REST with RPC-style designs.

How to eliminate wrong answers

Option A is wrong because REST requires statelessness; each request from a client must contain all necessary information, and session state should be stored on the client, not the server. Option C is wrong because RESTful design uses distinct URIs for each resource, not a single URI with different method names; using a single URI for all operations violates the principle of resource identification and leads to RPC-style APIs. Option D is wrong because REST APIs should support content negotiation (e.g., via the Accept header) and typically return JSON by default for modern web services; forcing XML responses by default reduces flexibility and violates the principle of using standard media types.

402
Matching medium

Match each network automation tool to its primary purpose.


Concepts
Matches

Configuration management and automation

API testing and development

Network test automation framework

SSH-based network device interaction

Python automation framework for networking

Why these pairings

Tools commonly used in Cisco DevNet environments.

403
MCQ hard

A network engineer wants to programmatically enable an interface using the YANG model shown. Which XPath expression correctly targets the 'shutdown' leaf for GigabitEthernet0/1?

A.//shut
B./interfaces/GigabitEthernet[name='0/1']/shutdown
C./Cisco-IOS-XE-interface:interfaces/GigabitEthernet[0/1]/shutdown
D./native/interface/GigabitEthernet0/1/shutdown
Answer: B

Correctly uses list instance selection.

Why this answer

Option B is correct because it uses the correct XPath syntax to target the 'shutdown' leaf under a specific GigabitEthernet interface instance. The path starts from the root, navigates to the 'interfaces' container, selects the 'GigabitEthernet' list entry where the 'name' key equals '0/1', and then accesses the 'shutdown' leaf. This matches the YANG model structure where list entries are filtered using a predicate with the key leaf.

Exam trap

Cisco often tests the distinction between using a key-based predicate (e.g., [name='0/1']) versus a positional index (e.g., [0/1]) or a concatenated name (e.g., GigabitEthernet0/1), which are invalid in YANG XPath expressions.

How to eliminate wrong answers

Option A is wrong because `//shut` is an abbreviated XPath that searches for any element named `shut` anywhere in the document, but the YANG model defines the leaf as `shutdown`, not `shut`, and the path is not scoped to the correct interface. Option C is wrong because it uses `[0/1]` as a positional predicate on a list, but YANG lists are keyed by the `name` leaf, not by index; the correct predicate is `[name='0/1']`. Option D is wrong because it uses a non-standard root path `/native/interface` which does not match the YANG model's top-level container `interfaces` and incorrectly concatenates the interface name without a predicate.

404
MCQ easy

In a Python script using the 'requests' library to interact with Cisco DNA Center API, which function call is used to send a POST request with JSON data?

A.requests.post(url, json=data)
B.requests.patch(url, json=data)
C.requests.get(url, json=data)
D.requests.put(url, json=data)
Answer: A

post() sends POST with JSON.

Why this answer

Option A is correct because the `requests.post()` function is specifically designed to send HTTP POST requests, and passing the `json=data` parameter automatically serializes the Python dictionary to JSON and sets the `Content-Type` header to `application/json`. This is the standard way to create a resource via Cisco DNA Center's REST API endpoints that expect JSON payloads.

Exam trap

Cisco often tests the distinction between POST and PUT by having candidates confuse resource creation (POST) with resource replacement (PUT), especially when both methods accept a JSON body.

How to eliminate wrong answers

Option B is wrong because `requests.patch()` sends an HTTP PATCH request, which is used for partial updates to an existing resource, not for creating a new resource via POST. Option C is wrong because `requests.get()` sends an HTTP GET request, which is used to retrieve data, not to send a JSON payload to create a resource. Option D is wrong because `requests.put()` sends an HTTP PUT request, which is used to replace an entire resource, not to create a new one; POST is the correct HTTP method for resource creation in RESTful APIs.

405
MCQ hard

A microservices application deployed on Kubernetes uses Istio service mesh. After a recent update, some services cannot communicate with each other. Which diagnostic step is most likely to identify the issue?

A.Verify that Istio sidecar injection is enabled for the affected pods.
B.Review the Istio destination rules for the services.
C.All of the above.
D.Check the logs of the pods that are failing.
Answer: C

Each step is valid; a comprehensive approach is needed to isolate Istio-related issues.

Why this answer

Option C is correct because both verifying sidecar injection and reviewing destination rules are essential diagnostic steps when services in an Istio service mesh cannot communicate after an update. Sidecar injection ensures that the Envoy proxy is present to enforce traffic policies, while destination rules define how traffic is routed and can cause connectivity failures if misconfigured. Checking pod logs alone may reveal symptoms but not the root cause, which is often a policy or proxy configuration issue.

Exam trap

The trap here is that candidates often pick a single option (A or B) thinking one diagnostic step is sufficient, but Cisco tests the understanding that multiple layers (proxy presence and policy configuration) must be verified in a service mesh environment.

How to eliminate wrong answers

Option A is wrong because while verifying sidecar injection is a valid step, it alone may not identify issues caused by misconfigured destination rules or traffic policies. Option B is wrong because reviewing destination rules is important but insufficient if sidecar injection is missing, as the Envoy proxy is required to enforce those rules. Option D is wrong because checking pod logs may show application-level errors but will not directly reveal Istio-specific configuration problems like missing sidecars or incorrect routing rules.

406
MCQ medium

Refer to the exhibit. A Python script parses this JSON response to check if NetFlow is enabled on the network. Which code snippet correctly checks the NetFlow status?

A.if response['netflow'].get('enabled', False):
B.if response['netflow']['enabled'] == 'true':
C.if response.netflow.enabled:
D.if response['netflow']['enabled']:
Answer: A

Safely checks for the 'enabled' key with a default of False.

Why this answer

Option A is correct because it uses the `.get()` method with a default value of `False` to safely access the `enabled` key within the `netflow` dictionary. This handles cases where the key might be missing or the value is `False`, avoiding a `KeyError` and correctly evaluating the boolean condition. In JSON, the `enabled` field is typically a boolean, so checking truthiness directly is the proper approach.

Exam trap

Cisco often tests the difference between JSON boolean values and their string representations, trapping candidates who treat `true`/`false` as strings instead of Python booleans, and also tests safe dictionary access methods versus direct key access that can raise exceptions.

How to eliminate wrong answers

Option B is wrong because it compares the value to the string `'true'`, but JSON booleans are lowercase `true` (which Python parses as `True`, not a string). This comparison will always be `False` even when NetFlow is enabled. Option C is wrong because it uses dot notation (`response.netflow.enabled`), which is not valid for a Python dictionary; dictionaries require bracket or `.get()` access.

Option D is wrong because it directly accesses `response['netflow']['enabled']` without a fallback; if the `enabled` key is missing or the `netflow` key is absent, this will raise a `KeyError` and crash the script.

407
MCQ easy

A network administrator is troubleshooting a connectivity issue. A PC with IP address 192.168.1.10/24 cannot ping a server at 192.168.1.20/24. Both are on the same VLAN and connected to the same switch. What is the most likely cause of the issue?

A.The ARP cache on the PC needs to be cleared.
B.The subnet mask on the PC is incorrect.
C.The switch port is in the wrong VLAN.
D.The server has a firewall blocking ICMP echo requests.
E.The default gateway is misconfigured on the PC.
Answer: D

A firewall can block ping, which is a common troubleshooting scenario.

Why this answer

Since both devices are on the same subnet, a host firewall on either device blocking ICMP is a common cause. An incorrect subnet mask would place them on different subnets, but both use /24, so the masks are correct. A stale ARP cache is possible but is not the most likely cause. A default gateway is not needed for communication within the same subnet.

408
MCQ medium

An engineer uses the Cisco Webex Teams API to send a message to a room. The API returns HTTP 403 Forbidden. What is the most likely cause?

A.The message payload is too large.
B.The bot token has expired.
C.The room ID is incorrect.
D.The token does not have permission to post to that room.
Answer: D

A 403 error indicates the token is valid but lacks authorization for the action.

Why this answer

HTTP 403 Forbidden indicates the server understood the request but refuses to authorize it. In the context of the Cisco Webex Teams API, this status code most commonly means the access token provided does not have the required scopes or permissions to post messages to the specified room. The token may be valid and not expired, but it lacks the authorization (e.g., the `spark:rooms_write` scope) needed for the action.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure, e.g., expired or invalid token) and HTTP 403 (authorization failure, e.g., valid token but insufficient permissions), so candidates must not confuse the two.

How to eliminate wrong answers

Option A is wrong because a payload that is too large would typically result in HTTP 413 Payload Too Large, not 403 Forbidden. Option B is wrong because an expired token would return HTTP 401 Unauthorized, not 403 Forbidden. Option C is wrong because an incorrect room ID would return HTTP 404 Not Found, as the API cannot locate the resource; a 403 indicates the resource exists but the token lacks permission.

409
MCQ easy

Refer to the exhibit. A developer is trying to access the REST API on a Cisco IOS XE device but receives a 401 Unauthorized error. What is the most likely cause?

A.The device does not support REST API
B.Authentication requires local credentials, but none were provided
C.HTTPS is not configured
D.HTTP server is not enabled
Answer: B

With 'ip http authentication local', the device requires valid local username/password, which if missing results in 401.

Why this answer

Option B is correct because authentication is set to 'local', meaning the device uses local usernames and passwords. A 401 error indicates missing or invalid credentials. Option D is incorrect because the HTTP server is enabled. Option C is incorrect because HTTPS is also enabled. Option A is incorrect because the device supports the REST API. Therefore, the issue is that the request did not include valid credentials.

410
MCQ hard

Based on the routing table, what type of OSPF route is the default route (0.0.0.0/0)?

A.OSPF inter-area route
B.OSPF NSSA external type 1 route
C.OSPF intra-area route
D.OSPF external type 2 route
Answer: D

O*E2 indicates external type 2 default.

Why this answer

The default route (0.0.0.0/0) in OSPF is typically redistributed from another routing protocol or statically configured and then advertised into OSPF. When a default route is injected via the 'default-information originate' command, it is advertised as an OSPF external type 2 (E2) route by default, meaning the metric does not change as it traverses OSPF areas. This matches option D.

Exam trap

Cisco often tests the misconception that a default route in OSPF is always an intra-area or inter-area route, when in fact it is an external route injected via redistribution or the 'default-information originate' command, and candidates confuse the route type with the LSA type.

How to eliminate wrong answers

Option A is wrong because an OSPF inter-area route (O IA) is a route learned from another area via an Area Border Router (ABR), but a default route is not learned as an inter-area route unless it is specifically originated as a type 3 LSA summary, which is not the default behavior. Option B is wrong because an OSPF NSSA external type 1 route (N1) is used in Not-So-Stubby Areas (NSSA) for redistributed routes, but the default route in a standard OSPF configuration is not an NSSA route unless the area is configured as NSSA and the default route is explicitly generated as type 1. Option C is wrong because an OSPF intra-area route (O) is a route within the same area learned via type 1 or type 2 LSAs, but the default route is not an intra-area route as it is not part of the area's internal topology.

411
MCQ medium

A company has a web application running on Cisco DNA Center. The application uses OAuth 2.0 for authentication with an external identity provider (IdP). Recently, users have reported that they are being logged out unexpectedly after a few minutes of inactivity, even though the IdP token has a 1-hour expiration. The application developer wants to maintain usability while keeping security controls. What is the most likely cause and solution?

A.The application session timeout is shorter than the token lifetime; align the application session timeout to the token expiration or implement silent token refresh
B.The application is not properly validating the token expiry and needs to refresh tokens proactively
C.The IdP is configured to log out users automatically after 5 minutes; reconfigure IdP session settings
D.The OAuth 2.0 access token is set to expire in 5 minutes; increase it to 1 hour
Answer: A

Short application session timeout causes early logout; aligning or using silent refresh solves it.

Why this answer

The most likely cause is that the application's session timeout is set to a shorter duration than the OAuth 2.0 token's 1-hour expiration. When the application session expires, the user is logged out even though the IdP token is still valid. The solution is to align the application session timeout with the token expiration or implement silent token refresh using a refresh token, which allows the application to obtain a new access token without user interaction, maintaining usability while preserving security.

Exam trap

Cisco often tests the distinction between token expiration and session timeout, where candidates mistakenly focus on token refresh or IdP configuration instead of recognizing that the application's session management is the root cause.

How to eliminate wrong answers

Option B is wrong because the issue is not about token validation or proactive refresh; the token is valid for 1 hour, but the application session expires earlier, causing logout. Option C is wrong because the IdP is not configured to log out users after 5 minutes; the IdP token has a 1-hour expiration, so the problem lies in the application session management. Option D is wrong because the access token expiration is already set to 1 hour, not 5 minutes; increasing it further would not fix the mismatch between the application session timeout and token lifetime.

412
MCQ easy

A developer wants to use Cisco Modeling Labs (CML) API to control a lab session. Which base URL structure is correct for the CML REST API?

A.https://cml-server/labapi/v1
B.https://cml-server/api/v0
C.https://cml-server/api/v2
D.https://cml-server/rest/v1
Answer: B

Correct base URL for CML API.

Why this answer

The correct base URL for the Cisco Modeling Labs (CML) REST API is `https://cml-server/api/v0`. This is the documented and stable endpoint for interacting with CML lab sessions, including starting, stopping, and managing topologies. The `/api/v0` path is specific to CML and reflects its API versioning scheme, which differs from other Cisco platforms like DNA Center or Meraki.

Exam trap

Cisco often tests the specific API versioning and base URL patterns for each platform (CML vs. DNA Center vs. Meraki), and the trap here is confusing the `/api/v0` of CML with the more common `/api/v2` of DNA Center or `/rest/v1` of Meraki.

How to eliminate wrong answers

Option A is wrong because `/labapi/v1` is not a valid base URL for CML; it resembles the legacy API path used in Cisco VIRL (the predecessor to CML), not the current CML REST API. Option C is wrong because `/api/v2` is the base URL for Cisco DNA Center's REST API, not CML. Option D is wrong because `/rest/v1` is the base URL for Cisco Meraki's REST API, which uses a different versioning and resource structure.

413
Multi-Select medium

When designing a REST API for managing network devices, which two principles should be followed to ensure statelessness?

Select 2 answers
A.All state information is stored on the client.
B.The server maintains session data and identifies clients via cookies.
C.API endpoints include version numbers to support backward compatibility.
D.Each request from client to server must contain all information needed to understand and complete the request.
E.Responses are idempotent for all POST requests.
Answers: A, D

This is a key principle of statelessness: the client holds session state.

Why this answer

Option A is correct because statelessness in REST requires that all session state be stored on the client, not the server. Each request must be self-contained, meaning the server does not retain any client context between requests. This aligns with the REST architectural constraint defined by Roy Fielding, where the server treats each request independently.

Exam trap

Cisco often tests the distinction between statelessness and other REST principles like idempotency or versioning; the trap here is that candidates confuse 'statelessness' with 'idempotency' or 'backward compatibility', leading them to select options that are valid REST practices but do not address the statelessness constraint.

414
MCQ hard

Refer to the exhibit. Both switches are configured with EtherChannel. Which statement is true about VLAN traffic across the trunk?

A.VLAN 150 traffic is allowed across the trunk.
B.VLAN 50 traffic is blocked across the trunk.
C.VLAN 200 traffic is allowed across the trunk.
D.VLAN 100 traffic is allowed across the trunk.
Answer: D

VLAN 100 is allowed on both switches (1-100 on A, 100-199 on B).

Why this answer

The correct answer is D because the exhibit shows that VLAN 100 is configured on both switches and is included in the allowed VLAN list on the trunk. EtherChannel does not affect VLAN filtering; the trunk's allowed VLAN list determines which VLANs can traverse the link. Since VLAN 100 is explicitly permitted, its traffic is allowed across the trunk.

Exam trap

Cisco often tests the misconception that EtherChannel overrides or bypasses VLAN trunk filtering, but in reality, the allowed VLAN list on the port-channel interface still controls which VLANs are permitted across the aggregated link.

How to eliminate wrong answers

Option A is wrong because VLAN 150 is not shown in the allowed VLAN list on either switch, so it is implicitly denied on the trunk. Option B is wrong because VLAN 50 is listed in the allowed VLAN list on both switches, so its traffic is permitted, not blocked. Option C is wrong because VLAN 200 is not present in the allowed VLAN list on either switch, meaning it is not allowed across the trunk.

415
MCQ medium

Refer to the exhibit. A Python script uses the Cisco IOS-XE RESTCONF API to retrieve the device configuration. The returned JSON is shown. What must be done to enable the GigabitEthernet0/1 interface using the API?

A.Send a PATCH request to the interface resource with the JSON payload {"enabled": true}.
B.Send a DELETE request to the interface resource.
C.Send a GET request to the interface resource and parse the response.
D.Send a PUT request to the interface resource with the entire JSON payload.
Answer: A

PATCH partially updates the resource; changing enabled to true will enable the interface.

Why this answer

Option A is correct because RESTCONF uses PATCH for partial updates. To enable an interface, you only need to send the specific field that changes ({"enabled": true}) to the interface resource URI, which modifies the configuration without replacing the entire resource.

Exam trap

Cisco often tests the distinction between PUT (full replace) and PATCH (partial update) in RESTCONF, where candidates mistakenly choose PUT thinking it can be used for single-field changes, but that would require sending the entire resource payload.

How to eliminate wrong answers

Option B is wrong because a DELETE request would remove the entire interface resource, not enable it. Option C is wrong because a GET request only retrieves data; it does not modify the configuration. Option D is wrong because a PUT request replaces the entire resource with the provided JSON payload, which would require sending the full interface configuration, not just the enabled field, and could overwrite other settings.

416
MCQ hard

A security policy requires that all container images in a registry are scanned for vulnerabilities before deployment. Which approach best integrates this into a CI/CD pipeline without slowing down the pipeline?

A. Build the image, push it, then scan it, and if vulnerabilities are found, rebuild and repush.
B. Run the vulnerability scan on the image after pushing to the registry and block deployment if critical vulnerabilities are found.
C. Build the image, scan it locally, and if it passes, push it to the registry; run scans in parallel with the build if possible.
D. Scan the source code dependencies before building the image, and skip image scanning.
Answer: C

Local scanning before push catches vulnerabilities early and does not delay the pipeline if done in parallel.

Why this answer

Option C is correct because it shifts the vulnerability scan left in the pipeline: the image is built and scanned locally before being pushed to the registry. If the scan passes, the image is pushed; if it fails, the pipeline stops early, avoiding the overhead of pushing a vulnerable image and then rebuilding. This approach minimizes pipeline latency by running scans in parallel with the build where possible, ensuring security without blocking the deployment flow.

Exam trap

Cisco often tests the concept of 'shifting left' security — candidates mistakenly think scanning after pushing (Option B) is acceptable because it blocks deployment, but the trap is that the policy requires scanning before deployment, not before push, and Option B still allows vulnerable images to reside in the registry.

How to eliminate wrong answers

Option A is wrong because it pushes the image first, then scans it, and if vulnerabilities are found, rebuilds and repushes — this wastes time and registry storage by pushing a vulnerable image that must be replaced, and it introduces a slow feedback loop. Option B is wrong because it scans after pushing to the registry and only blocks deployment for critical vulnerabilities, which still allows non-critical vulnerabilities to be deployed and does not prevent the vulnerable image from being stored in the registry, violating the policy that all images must be scanned before deployment. Option D is wrong because scanning only source code dependencies misses vulnerabilities introduced by the base image, runtime libraries, or configuration files in the container image, leaving the image itself unscanned and failing the security policy requirement.

417
MCQ (easy)

A developer needs to send a diagnostic request to a network device to verify if it supports a specific MIB object. Which protocol and operation should be used?

A. ICMP ping
B. HTTP GET
C. SNMP SET
D. NETCONF get-config
E. SNMP GET
Answer: E

GET retrieves the value of a MIB object.

Why this answer

SNMP GET is the correct operation to retrieve the value of a specific MIB object from a network device. It sends a diagnostic request to verify if the device supports that object by checking whether a valid response is returned. This is the standard SNMP operation for reading a single managed object's value.

Exam trap

Cisco often tests the distinction between SNMP GET (read) and SNMP SET (write), and candidates may confuse them or think SET can verify support, but SET only modifies values and requires the object to already exist.

How to eliminate wrong answers

Option A is wrong because ICMP ping is used for basic reachability testing and does not interact with MIB objects or SNMP. Option B is wrong because HTTP GET is used for web-based APIs or RESTCONF, not for querying SNMP MIB objects. Option C is wrong because SNMP SET is used to modify the value of a MIB object, not to read or verify its existence. Option D is wrong because NETCONF get-config retrieves device configuration data, not MIB objects, and uses YANG data models instead of SNMP.

418
MCQ (hard)

During a security audit of a microservices application deployed on Cisco Container Platform, the auditor discovers that some containers are running with privileged access. The development team argues that certain containers need to modify kernel parameters. Which security best practice should be recommended to minimize risk while allowing necessary kernel adjustments?

A. Set the container security context to add only the necessary Linux capabilities, e.g., CAP_SYS_ADMIN
B. Set the container to privileged: false and add the SYS_ADMIN capability only for containers that need it
C. Run the container as root user but remove the CAP_SYS_ADMIN capability
D. Drop all Linux capabilities and run the container as a non-root user
Answer: A

This grants only the required capabilities, reducing the attack surface compared to privileged mode.

Why this answer

Option A is correct because it follows the principle of least privilege by granting only the specific Linux capability (CAP_SYS_ADMIN) needed to modify kernel parameters, rather than full privileged access. In Kubernetes (used by Cisco Container Platform), a security context with `capabilities.add: ['SYS_ADMIN']` allows the container to perform privileged operations like sysctl modifications without exposing the host or other containers to the broader risks of privileged mode.

Exam trap

Cisco often tests the distinction between privileged mode and individual capabilities, where candidates mistakenly think setting `privileged: false` is required alongside capability addition, or that running as root is necessary for kernel modifications.

How to eliminate wrong answers

Option B is wrong because setting `privileged: false` is redundant when adding SYS_ADMIN capability; the security context already defaults to non-privileged, and the phrasing implies a separate privileged flag is needed, which is not the case. Option C is wrong because running as root user with CAP_SYS_ADMIN removed would prevent the container from modifying kernel parameters, directly contradicting the requirement. Option D is wrong because dropping all capabilities and running as non-root would completely block any kernel parameter changes, failing to meet the development team's need.

419
MCQ (easy)

A developer is writing a Python script to interact with a Cisco device using RESTCONF. The script sends a PUT request to modify an interface configuration. Which HTTP response code indicates that the resource was successfully created?

A. 404 Not Found
B. 201 Created
C. 200 OK
D. 204 No Content
Answer: B

201 Created indicates the resource was successfully created.

Why this answer

A PUT request can create a resource if it does not exist; the 201 Created response is appropriate for successful creation. Option C (200 OK) is typically for successful retrieval, not creation. Option D (204 No Content) is used when no content is returned. Option A (404 Not Found) indicates the resource does not exist.

420
MCQ (hard)

Based on the exhibit, what is the most likely reason for the connection timeout?

A. The URL is incorrect; the correct endpoint is /api/system/v1/auth/token
B. The username and password are invalid, causing the server to drop the connection
C. The verify=False parameter causes SSL handshake failure and timeout
D. The network is not able to reach the sandbox server due to firewall or DNS issues
Answer: D

Connection timeout indicates network unreachability.

Why this answer

The connection timeout indicates that the client cannot establish a TCP connection to the server at all. This is most likely caused by a network-level issue such as a firewall blocking the port or DNS resolution failure, which prevents the HTTP request from reaching the sandbox server. Options A, B, and C would produce different HTTP error responses (e.g., 404, 401, or SSL certificate errors), not a timeout.

Exam trap

Cisco often tests the distinction between network-level failures (timeout) and application-level errors (HTTP status codes), trapping candidates who confuse a timeout with authentication or SSL issues.

How to eliminate wrong answers

Option A is wrong because an incorrect URL would result in an HTTP 404 Not Found error, not a connection timeout. Option B is wrong because invalid credentials would return an HTTP 401 Unauthorized response after the TCP connection is established, not a timeout. Option C is wrong because the verify=False parameter disables SSL certificate verification; it does not cause an SSL handshake failure—rather, it allows the handshake to proceed even with an invalid certificate, so a timeout would not occur from this parameter alone.

421
MCQ (easy)

Refer to the exhibit. An Ansible playbook is intended to set the description on GigabitEthernet0/1. However, the playbook fails because the device does not have that interface. What is the most likely reason?

A. The module requires gather_facts to be yes
B. The hosts group is incorrect
C. The lines attribute is misconfigured
D. The specified interface does not exist on the device
Answer: D

If the interface is not present, the module cannot apply configuration under it.

Why this answer

Option D is correct because the playbook explicitly targets GigabitEthernet0/1 using the `interface` attribute under `lines`, and the error indicates the device does not have that interface. Ansible's ios_config module will fail if the specified interface does not exist on the device, as it cannot apply configuration to a non-existent logical or physical interface.

Exam trap

Cisco often tests the distinction between a syntactically correct playbook and a playbook that fails due to device-specific constraints, such as a non-existent interface, to see if candidates confuse configuration syntax errors with device state issues.

How to eliminate wrong answers

Option A is wrong because `gather_facts` is not required for the ios_config module to work; it is optional and only collects device facts, not a prerequisite for configuring interfaces. Option B is wrong because the hosts group being incorrect would cause a connection failure or no matching hosts, not a specific error about a missing interface on a reachable device. Option C is wrong because the `lines` attribute is correctly structured with the `interface GigabitEthernet0/1` line and the `description` line; the misconfiguration is not in the syntax of `lines` but in the target interface name.

422
MCQ (medium)

During a CI/CD pipeline, a security scan reveals that a Docker image contains a vulnerability in a base layer. Which action BEST addresses the issue?

A. Disable the security scanner to avoid false positives.
B. Rebuild the image using an updated base image from a trusted registry.
C. Implement run-time security monitoring to detect exploitation.
D. Add an exception to the vulnerability report.
Answer: B

Fixes the vulnerability by updating the base image.

Why this answer

Option B is correct because the vulnerability exists in the base layer of the Docker image, which is immutable once built. The only way to eliminate the vulnerability is to rebuild the image using an updated base image from a trusted registry (e.g., Docker Hub official images or a private registry with patched images). This ensures the vulnerable packages are replaced with patched versions at the OS or application level, directly addressing the root cause.

Exam trap

Cisco often tests the distinction between detection/monitoring (options C and D) and actual remediation (option B), trapping candidates who think run-time monitoring or ignoring the report is sufficient to address a build-time vulnerability.

How to eliminate wrong answers

Option A is wrong because disabling the security scanner does not fix the vulnerability; it only hides the issue, violating security best practices and potentially leading to exploitation in production. Option C is wrong because run-time security monitoring (e.g., Falco or AppArmor) can detect exploitation attempts but does not remove the vulnerability from the image; the vulnerable base layer remains and can still be exploited if the monitoring fails or is bypassed. Option D is wrong because adding an exception to the vulnerability report ignores the risk; it does not remediate the vulnerability and may violate compliance requirements (e.g., PCI DSS) that mandate patching known vulnerabilities.

423
Multi-Select (easy)

Which TWO statements are correct about Ansible inventory files? (Select exactly 2.)

Select 2 answers
A. Inventory files can be written in YAML format
B. Inventory files cannot contain variables for individual hosts
C. Inventory files must be in INI format only
D. Inventory files can define groups of devices
E. An inventory file can include a [vars] section to define group variables
Answers: A, D

Why this answer

Ansible inventory files define the hosts and groups that Ansible manages. They can be written in YAML format, which is a human-readable data serialization language that Ansible supports alongside the traditional INI format. This flexibility allows users to choose the format that best suits their automation needs, with YAML being particularly useful for complex inventories due to its support for structured data.

Exam trap

Cisco often tests the misconception that Ansible inventory files are limited to INI format, but the exam expects you to know that YAML is also a valid format, and that `[vars]` is not a standard section in Ansible inventories (group variables are handled differently).

424
MCQ (hard)

A NETCONF manager sends a get-config request to a Cisco device and receives the above reply. The automation script expected the interface to be enabled. Which of the following is the best course of action to remediate the issue?

A. Send an rpc to reboot the device
B. Use CLI to enable the interface manually
C. Send an edit-config request with <enabled>true</enabled> for the interface
D. Send a get request again
Answer: C

This changes the configuration to enable the interface.

Why this answer

Option C is correct because NETCONF uses the edit-config operation to modify device configuration programmatically. Since the automation script detected that the interface is disabled (enabled state is false), sending an edit-config request with <enabled>true</enabled> for that interface directly remediates the issue by setting the operational state to enabled, aligning with the expected state without manual intervention.

Exam trap

Cisco often tests the distinction between read-only operations (get, get-config) and write operations (edit-config), and the trap here is that candidates may think re-querying the device (Option D) or using CLI (Option B) is acceptable, when the correct approach is to use the appropriate NETCONF operation to modify the configuration programmatically.

How to eliminate wrong answers

Option A is wrong because rebooting the device via an rpc is an extreme, unnecessary action that does not specifically enable the interface and would cause service disruption. Option B is wrong because using CLI to enable the interface manually defeats the purpose of automation and NETCONF's programmatic management, and it is not a scalable or scripted solution. Option D is wrong because sending a get request again would only retrieve the current configuration again, not change the disabled state of the interface.

425
MCQ (medium)

A network engineer is developing a Python application that uses the Cisco Meraki Dashboard API. The API responses are in JSON format. Which Python module is most commonly used to parse JSON responses?

A. csv
B. yaml
C. json
D. xml
Answer: C

The json module provides methods for parsing JSON strings and converting Python objects to JSON.

Why this answer

The json module is the standard Python module for parsing JSON data. csv, xml, and yaml are used for other data formats.

426
MCQ (easy)

A team is using Python scripts with netmiko to back up configurations from a large number of network devices. What is the primary advantage of using netmiko over direct paramiko for this task?

A. Netmiko supports only Cisco devices
B. Netmiko uses REST API instead of SSH
C. Netmiko is faster than paramiko
D. Netmiko simplifies the handling of device-specific prompts and command output
Answer: D

Netmiko abstracts away the complexities of different device interactions.

Why this answer

Netmiko is built on top of Paramiko but adds a higher-level abstraction layer that automatically handles device-specific prompt detection, command output parsing, and SSH session management. This simplifies the backup process across heterogeneous devices by eliminating the need to manually write code for each device's unique prompt patterns and command responses.

Exam trap

Cisco often tests the misconception that Netmiko is a faster alternative to Paramiko, when in reality the advantage is about abstraction and ease of use, not raw performance.

How to eliminate wrong answers

Option A is wrong because Netmiko supports a wide range of vendors (Cisco, Juniper, Arista, HP, etc.), not just Cisco devices. Option B is wrong because Netmiko uses SSH (via Paramiko) for network device access, not REST API; REST API is a separate paradigm used with tools like requests or ncclient. Option C is wrong because Netmiko is not inherently faster than Paramiko; it adds overhead for prompt handling and session management, and performance depends on network latency and device responsiveness, not the library itself.

427
MCQ (medium)

A DevOps team is building a CI/CD pipeline that configures Cisco NX-OS switches. They want to use model-driven telemetry to stream operational data. Which protocol should they use for on-change telemetry?

A. SSH
B. gRPC
C. HTTP
D. SNMP
Answer: B

gRPC is used for model-driven telemetry.

Why this answer

gRPC (Google Remote Procedure Call) is the correct protocol for on-change telemetry on Cisco NX-OS because it supports a publish-subscribe model where the switch pushes data only when a monitored value changes, reducing bandwidth and CPU overhead. This is defined in the Cisco MDT (Model-Driven Telemetry) framework, which uses gRPC with Protobuf encoding for efficient streaming of YANG-modeled operational data.

Exam trap

Cisco often tests the distinction between push-based (gRPC) and pull-based (SNMP, HTTP) protocols, trapping candidates who confuse SNMP traps (which are event-driven but not model-driven) with true on-change telemetry.

How to eliminate wrong answers

Option A (SSH) is wrong because SSH is a secure shell protocol used for CLI access and command execution, not for streaming telemetry; it lacks the push-based, subscription-driven mechanism required for on-change telemetry. Option C (HTTP) is wrong because HTTP is a request-response protocol that requires polling, which is inefficient for real-time on-change updates and does not natively support the bidirectional streaming or Protobuf encoding used in Cisco MDT. Option D (SNMP) is wrong because SNMP is a pull-based protocol that relies on polling or traps, but traps are event-driven and not designed for the structured, model-driven, on-change streaming of YANG-modeled data that gRPC provides.

428
Multi-Select (easy)

Which TWO of the following are true about REST API design principles?

Select 2 answers
A. PATCH is used for full replacement of a resource
B. GET requests should not change state
C. POST requests should be idempotent
D. DELETE responses must always contain a body
E. PUT can be used for both creation and update of resources
Answers: B, E

GET is intended to retrieve data without side effects.

Why this answer

Options B and E are correct. C is false because POST is not idempotent. D is false because DELETE often returns 204, not necessarily 200. A is false because PATCH is for partial updates, not full replacement.

429
Multi-Select (medium)

A DevOps engineer is configuring a CI/CD pipeline that uses Cisco DNA Center API to deploy network configurations. Which two best practices should be followed? (Choose two.)

Select 2 answers
A. Use a single API call for all changes
B. Disable SSL verification for faster execution
C. Store API credentials in environment variables
D. Implement retry logic for API calls
E. Use hardcoded API keys in scripts
Answers: C, D

Keeps secrets out of code and version control.

Why this answer

Storing API credentials in environment variables (Option C) is a security best practice because it prevents hardcoding secrets in source code, which could be exposed in version control. This approach aligns with the principle of least privilege and is recommended for CI/CD pipelines interacting with Cisco DNA Center API, as it allows credentials to be managed externally and rotated without code changes.

Exam trap

Cisco often tests the misconception that disabling SSL verification speeds up execution, but in reality, the overhead is negligible, and the security risk makes it unacceptable in any production pipeline.

430
MCQ (hard)

A developer is integrating a Webex Teams bot with an external system using the Webex API. The bot receives an HTTP POST callback from Webex every time a message is posted in a monitored space. The developer notices that sometimes the callback includes a 'data' object with 'actorId', but other times the 'actorId' is missing. The bot needs to log the identity of the person who posted the message. What should the developer do to reliably obtain the sender's identity?

A. Request additional OAuth scopes to include the actorId in the callback payload.
B. Filter callbacks by the verb 'posted' to ensure the actorId is included.
C. Use the 'createdBy' field from the message details API as a fallback when 'actorId' is missing.
D. Check the 'resource' field in the callback to determine if it is a 'messages' event; only messages events include actorId.
Answer: D

The resource field indicates the object type; actorId is always present for messages events.

Why this answer

Option D is correct because the Webex API callback payload includes the 'actorId' only for certain event types. Specifically, when the 'resource' field is 'messages' and the 'event' field is 'created', the 'actorId' is guaranteed to be present, representing the user who posted the message. Filtering by the 'resource' field ensures the bot processes only message creation events, reliably obtaining the sender's identity.

Exam trap

Cisco often tests the distinction between webhook callback payload fields (like 'resource' and 'event') versus API response fields, leading candidates to confuse the callback structure with the API data model.

How to eliminate wrong answers

Option A is wrong because OAuth scopes control access to API endpoints, not the structure of webhook callback payloads; the 'actorId' is included based on the event type, not scopes. Option B is wrong because the 'verb' field does not exist in Webex webhook callbacks; the relevant field is 'event', and filtering by 'event' as 'created' alone does not guarantee 'actorId' is present—it depends on the 'resource' type. Option C is wrong because the 'createdBy' field is not a standard field in the Webex Messages API; the correct field to retrieve the sender is 'personId' or 'personEmail' via a GET request to the messages endpoint, and using a non-existent field as a fallback would fail.

431
MCQ (easy)

Which of the following best describes the purpose of a unit test in software development?

A. To check the performance of the application under load
B. To test individual functions or methods in isolation
C. To verify that different modules work together correctly
D. To test the entire system from end to end
Answer: B

Unit tests focus on the smallest testable parts of an application.

Why this answer

Unit tests verify the behavior of individual functions or methods in isolation. Option C describes integration tests. Option D describes end-to-end tests. Option A describes performance tests.

432
MCQ (medium)

A developer is using Git to manage automation code. What is the primary advantage of using 'rebase' instead of 'merge' to integrate changes from a feature branch into the main branch?

A. Rebase automatically resolves all conflicts
B. Rebase is faster than merge
C. Rebase preserves the exact commit timestamps
D. Rebase results in a linear project history
Answer: D

Rebase replays commits on top of the base branch, resulting in a linear history.

Why this answer

Option D is correct because `git rebase` rewrites the commit history of the feature branch to appear as if it was branched from the latest commit on the main branch, resulting in a linear, clean project history. This avoids the merge commits that `git merge` creates, making the commit log easier to follow and debug. The primary advantage is not speed or conflict resolution, but a streamlined, non-branching history.

Exam trap

Cisco often tests the misconception that rebase is faster or automatically resolves conflicts, when in fact its true advantage is creating a linear history, which is critical for audit trails and debugging in automation workflows.

How to eliminate wrong answers

Option A is wrong because rebase does not automatically resolve conflicts; it replays each commit one by one, and if a conflict occurs, the developer must resolve it manually for each commit. Option B is wrong because rebase is not inherently faster than merge; in fact, rebase can be slower due to rewriting commits and requiring conflict resolution per commit, whereas merge creates a single merge commit. Option C is wrong because rebase does not preserve exact commit timestamps; it creates new commits with new timestamps (the time of the rebase operation), while merge retains the original commit timestamps.

433
MCQ (hard)

A team is building a CI/CD pipeline for network automation. They want to use Cisco Modeling Labs (CML) to validate configuration changes before production. What is the best approach to integrate CML into the pipeline?

A. Use the pyATS framework to connect to CML and run tests
B. Create a permanent topology in CML for each branch
C. Use Ansible to provision CML nodes directly
D. Use CML's REST API to start a simulation, apply changes, run tests, then tear down
Answer: D

Dynamically starting and stopping simulations ensures clean, isolated testing.

Why this answer

D is correct because CML provides a REST API that allows programmatic lifecycle management of simulations. Integrating this API into a CI/CD pipeline enables the pipeline to dynamically create an isolated test environment, apply configuration changes, run validation tests, and then tear down the simulation to free resources. This approach ensures repeatability, isolation, and efficient resource usage, which are critical for automated network validation.

Exam trap

Cisco often tests the distinction between tools that manage device configuration (Ansible, pyATS) versus tools that manage the simulation environment itself (CML API), leading candidates to pick a tool they know well instead of the correct integration method.

How to eliminate wrong answers

Option A is wrong because pyATS is a test automation framework that can connect to network devices to run tests, but it does not manage CML simulation lifecycles; it would require the simulation to already be running and accessible. Option B is wrong because creating a permanent topology for each branch wastes CML resources and defeats the purpose of ephemeral, on-demand test environments that CI/CD pipelines require. Option C is wrong because Ansible can provision and configure network devices, but it cannot directly control CML simulations; it would need to interact with CML's API or use a module that wraps the API, making the direct statement inaccurate.

434
MCQ (easy)

When designing a REST API endpoint to update a network device's configuration, which HTTP method should be used?

A. POST
B. DELETE
C. PUT
D. PATCH
Answer: C

PUT replaces or updates the entire resource at the specified URI.

Why this answer

PUT is idempotent and used to update a resource entirely. POST is for creation, GET for retrieval, DELETE for deletion.

435
Multi-Select (medium)

Which THREE of the following are direct benefits of using version control in software development?

Select 3 answers
A. Traceability of changes
B. Automated testing integration
C. Eliminates syntax errors
D. History and rollback capabilities
E. Collaboration among team members
Answers: A, D, E

Version control tracks who made what change and when, providing an audit trail.

Why this answer

Options A, D, and E are correct because version control enables collaboration by allowing multiple developers to work concurrently, provides a history for rollback, and offers traceability for changes. Automated testing (B) is not a direct benefit of version control, and eliminating syntax errors (C) is unrelated to version control.

436
MCQ (medium)

A developer is using the Meraki Dashboard API to programmatically change the SSID name of a wireless network. The developer successfully authenticates with an API key and sends a PUT request to /networks/{networkId}/wireless/ssids/{number} with a JSON body containing the updated name. The API returns a 200 OK response, but the SSID name does not change in the Meraki Dashboard. The developer double-checks the networkId and SSID number, and they are correct. The developer also confirms that the API key has full write access to the network. What additional step is most likely required?

A. After the PUT request, send a POST request to /networks/{networkId}/wireless/ssids/{number}/provision to apply the change.
B. Use a PATCH request instead of PUT to update the SSID.
C. Log out of the Meraki Dashboard and re-login to see the change.
D. Regenerate the API key and try again with the new key.
Answer: A

Some Meraki SSID changes require a separate provision API call to take effect.

Why this answer

The Meraki Dashboard API requires an explicit provisioning step to apply configuration changes to SSIDs. After a successful PUT request to update the SSID name, the developer must send a POST request to /networks/{networkId}/wireless/ssids/{number}/provision to push the change to the access points. The 200 OK response only confirms the API accepted the update, but the change is not applied until the provisioning endpoint is called.

Exam trap

Cisco often tests the misconception that a 200 OK response from a PUT request means the change is fully applied, when in fact the Meraki API requires an additional provisioning step to push the configuration to devices.

How to eliminate wrong answers

Option B is wrong because the Meraki Dashboard API supports PUT for full resource updates, and PATCH is not required; the issue is not the HTTP method but the missing provisioning step. Option C is wrong because logging out and back into the Meraki Dashboard does not trigger the provisioning of SSID changes; the API change must be explicitly applied via the provision endpoint. Option D is wrong because the API key has full write access and the authentication is successful; regenerating the key does not address the missing provisioning call.

437
MCQ (medium)

A user reports that they can ping the IP address of the default gateway but cannot ping a server on a different subnet. The administrator checks the ARP table on the user's PC and sees an incomplete entry for the server's IP. What is the most likely cause?

A. There is an IP address conflict on the network.
B. Spanning Tree Protocol is blocking the port on the switch.
C. The PC is not configured with a default gateway.
D. A firewall is blocking ICMP packets between subnets.
Answer: C

Without a default gateway, the PC tries to ARP for the server directly.

Why this answer

The user can ping the default gateway, confirming that the PC has local connectivity and a correctly configured IP address and subnet mask. However, the incomplete ARP entry for the server's IP indicates that the PC cannot resolve the server's MAC address, which is required to send frames to a different subnet. Without a default gateway configured, the PC will not send ARP requests for remote hosts to the router; instead, it will attempt to ARP for the server directly, which fails because the server is on a different broadcast domain.

Exam trap

Cisco often tests the distinction between Layer 2 (ARP) and Layer 3 (routing) failures, and the trap here is that candidates assume a firewall or STP is blocking traffic, when the real issue is the PC's lack of a default gateway preventing it from even attempting to reach the remote subnet via ARP for the router.

How to eliminate wrong answers

Option A is wrong because an IP address conflict would typically cause intermittent connectivity or duplicate IP warnings, not a specific incomplete ARP entry for a remote server while local connectivity works. Option B is wrong because Spanning Tree Protocol (STP) blocking a switch port would prevent all traffic through that port, including pings to the default gateway, which the user can still reach. Option D is wrong because a firewall blocking ICMP between subnets would cause ping failures but would not result in an incomplete ARP entry on the PC; ARP operates at Layer 2 and is not affected by Layer 3 firewalls.

438
MCQmedium

An Ansible playbook using the ios_config module fails with the error 'unable to open connection'. The network device is reachable via SSH from the Ansible control node. What is the most likely cause?

A.The device has an invalid username and password
B.The Ansible user does not have privilege level 15 on the device
C.The SSH key exchange algorithm is not supported by the device
D.The ios_config module requires NETCONF instead of SSH
AnswerC

Unsupported key exchange algorithm causes SSH connection failure.

Why this answer

The error 'unable to open connection' indicates that Ansible cannot establish an SSH session with the device, even though the device is reachable. Since the device is reachable via SSH from the control node, the most likely cause is a mismatch in SSH key exchange algorithms, where the device only supports older algorithms (e.g., diffie-hellman-group1-sha1) that are not enabled by default in modern SSH clients. This is a common issue when connecting to legacy Cisco IOS devices that lack updated SSH configurations.

Exam trap

Cisco often tests the distinction between SSH transport errors (key exchange, ciphers) and authentication/authorization errors, leading candidates to incorrectly blame credentials or privilege levels when the actual issue is a cryptographic algorithm mismatch.

How to eliminate wrong answers

Option A is wrong because invalid username/password would typically produce an 'Authentication failed' or 'Permission denied' error, not 'unable to open connection', which occurs before authentication. Option B is wrong because privilege level 15 is required for executing configuration commands, not for establishing the SSH connection itself; a lower privilege level would cause a different error like 'privilege level is not sufficient'. Option D is wrong because the ios_config module uses SSH (via CLI) by default, not NETCONF; NETCONF is used by the ios_netconf module, and the error message is specific to SSH connection failure.

439
MCQmedium

A university campus network uses Cisco switches with 802.1X for wired authentication. Recently, users in a dormitory report intermittent connectivity: they can connect initially but are disconnected after a few minutes. The network team checks the switch logs and sees messages like 'Authentication failure for MAC address xxxx.xxxx.xxxx on port GigabitEthernet1/0/5' but the users claim they are using valid credentials. The same users can connect from other ports without issues. The port configuration for Gi1/0/5 is: switchport mode access, authentication port-control auto, dot1x pae authenticator, authentication periodic, authentication timer reauthenticate 3600. The team suspects a misconfiguration. What is the most likely cause of the intermittent disconnections?

A.The port is a trunk port but configured as access, causing VLAN mismatch
B.The port is configured in multi-auth host mode, causing conflicts
C.The 'authentication periodic' command forces reauthentication every 3600 seconds, and the client fails to reauthenticate
D.The switch is using MAC authentication bypass (MAB) as a fallback, which fails for some devices
AnswerC

Periodic reauthentication can cause disconnections if client fails.

Why this answer

The 'authentication periodic' command enables periodic reauthentication, and the 'authentication timer reauthenticate 3600' sets the interval to 3600 seconds (1 hour). However, the logs show authentication failures occurring much sooner than 3600 seconds, indicating that the client is failing reauthentication attempts triggered by other events (e.g., a new supplicant attempt or a reauthentication due to a port state change). The intermittent disconnections are caused by the client failing to reauthenticate when the switch initiates a new authentication exchange, likely due to a mismatch in EAP method or credential caching issues.

Exam trap

Cisco often tests the subtle behavior of 'authentication periodic' and 'authentication timer reauthenticate' — candidates mistakenly think the timer is the only trigger for reauthentication, but the switch can also reauthenticate due to link state changes or new supplicant attempts, and a failure during any reauthentication causes immediate disconnection.

How to eliminate wrong answers

Option A is wrong because the port is configured as 'switchport mode access', which is correct for an end-user device; a trunk port would not be used for a dormitory user, and VLAN mismatch would cause persistent connectivity failure, not intermittent disconnections. Option B is wrong because 'multi-auth host mode' allows multiple devices on a single port, but the logs show a single MAC address failing authentication, and the port configuration does not include 'authentication host-mode multi-auth', so this is not the issue. Option D is wrong because MAC authentication bypass (MAB) is a fallback method used when 802.1X fails, but the logs explicitly show 'Authentication failure' for 802.1X, not MAB; MAB would appear as a separate log entry and would not cause intermittent disconnections if the client initially authenticates successfully.

440
MCQhard

A developer is writing a Kubernetes Deployment YAML and wants to set a CPU limit of 500 millicores. Which of the following is the correct YAML snippet?

A.spec: containers: - resources: limit: cpu: "500m"
B.spec: containers: - resources: requests: cpu: "500m"
C.spec: containers: - resources: limits: cpu: "500m"
D.spec: containers: - resources: limits: cpu: 500m
AnswerD

Correct syntax: `limits` nested under `resources`, with the CPU value written as 500m; YAML reads an unquoted 500m as a string, so no quotes are needed.

Why this answer

Option D is correct because Kubernetes resource limits are specified under the `resources.limits` key, and CPU limits are expressed in millicores using the `m` suffix. The YAML must use correct indentation: `limits:` is a child of `resources:`, and `cpu: 500m` is a valid value (500 millicores = 0.5 CPU cores).

Exam trap

Cisco often tests the distinction between `limits` and `requests`, and the correct YAML indentation hierarchy, tricking candidates who confuse the two or misplace the `limits` key under `resources`.

How to eliminate wrong answers

Option A is wrong because it uses `limit:` (singular) instead of the correct plural `limits:`, and the indentation is incorrect—`limit` should be a child of `resources`, not a sibling. Option B is wrong because it sets a `requests` value, not a `limits` value; requests are for guaranteed minimum resources, not hard limits. Option C is wrong because `limits:` is incorrectly indented at the same level as `resources:`, making it a sibling rather than a child, which is invalid YAML structure.
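To make the structure concrete, here is an added example (not from the original question bank) that shows the correct Deployment as the Python structure a YAML loader produces, a parser for Kubernetes CPU quantities that turns 500m into 0.5 cores, and a checker that flags the three mistakes the options illustrate: a misspelled `limit` key, `limits` placed as a sibling of `resources` instead of a child, and `requests` larger than `limits`. A loader yields the string "500m" whether or not it is quoted, since 500m is not a valid YAML number. The Deployment name, image and request value are constructed for the example.

```python
"""Kubernetes CPU quantities and the resources.limits / resources.requests layout."""
import re
from decimal import Decimal
from typing import Any, Dict, List


def parse_cpu(quantity: Any) -> Decimal:
    """Convert a CPU quantity to cores: '500m' -> 0.5, '2' -> 2, 0.25 -> 0.25."""
    text = str(quantity).strip()
    match = re.fullmatch(r"(\d+(?:\.\d+)?)(m?)", text)
    if not match:
        raise ValueError(f"invalid CPU quantity {quantity!r}")
    value, suffix = Decimal(match.group(1)), match.group(2)
    return value / Decimal(1000) if suffix == "m" else value   # 'm' = millicores


def check_container_resources(container: Dict[str, Any]) -> List[str]:
    """Return a list of problems with a container's resource specification."""
    problems: List[str] = []
    # Options A and C from the question: limits/requests outside 'resources'.
    for stray in ("limits", "requests", "limit"):
        if stray in container:
            problems.append(f"'{stray}' is a sibling of 'resources'; it must be nested under it")
    resources = container.get("resources")
    if not isinstance(resources, dict):
        problems.append("missing 'resources' block")
        return problems
    for key in resources:
        if key not in ("limits", "requests"):   # catches the singular 'limit'
            problems.append(f"unknown key '{key}' under resources (expected 'limits' or 'requests')")
    parsed: Dict[str, Decimal] = {}
    for section in ("limits", "requests"):
        entry = resources.get(section)
        if not isinstance(entry, dict) or "cpu" not in entry:
            continue
        try:
            parsed[section] = parse_cpu(entry["cpu"])
        except ValueError as exc:
            problems.append(f"{section}.cpu: {exc}")
    if "limits" in parsed and "requests" in parsed and parsed["requests"] > parsed["limits"]:
        problems.append("requests.cpu must not exceed limits.cpu")
    return problems


# The Deployment from the question, as loaded from YAML (constructed names/values).
DEPLOYMENT: Dict[str, Any] = {
    "apiVersion": "apps/v1",
    "kind": "Deployment",
    "metadata": {"name": "example-app"},
    "spec": {
        "replicas": 1,
        "selector": {"matchLabels": {"app": "example-app"}},
        "template": {
            "metadata": {"labels": {"app": "example-app"}},
            "spec": {"containers": [{
                "name": "app",
                "image": "example/app:1.0",
                # resources -> limits -> cpu, exactly as option D lays it out
                "resources": {"limits": {"cpu": "500m"}, "requests": {"cpu": "250m"}},
            }]},
        },
    },
}


def deployment_problems(deployment: Dict[str, Any]) -> Dict[str, List[str]]:
    """Check every container in a Deployment; an empty list means it is well formed."""
    containers = deployment["spec"]["template"]["spec"]["containers"]
    return {c["name"]: check_container_resources(c) for c in containers}


if __name__ == "__main__":
    print(parse_cpu("500m"))            # 0.5 cores
    print(deployment_problems(DEPLOYMENT))
```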

441
MCQhard

Refer to the exhibit. A developer receives this response from Cisco DNA Center API. What is the most likely cause and solution?

A.The token is expired; generate a new one using /dna/system/api/v1/auth/token.
B.The API path is incorrect; verify the endpoint URL.
C.The request body is malformed; check JSON syntax.
D.The user does not have permission; request admin to grant access.
AnswerA

Correct diagnosis and solution.

Why this answer

The HTTP 401 Unauthorized response indicates that the request lacks valid authentication credentials. In Cisco DNA Center API, tokens are short-lived (default 1 hour) and must be refreshed via POST /dna/system/api/v1/auth/token. The error is not about the endpoint, body syntax, or RBAC permissions — it specifically means the token used is expired or invalid.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure) and 403 (authorization failure) — candidates confuse these two status codes, especially when the question involves API tokens.

How to eliminate wrong answers

Option B is wrong because a 401 error is an authentication issue, not a routing or endpoint issue; an incorrect API path would return a 404 Not Found. Option C is wrong because a malformed JSON body would return a 400 Bad Request, not 401. Option D is wrong because insufficient permissions (RBAC) would return a 403 Forbidden, not 401 Unauthorized.

442
MCQhard

A large enterprise operates a multi-vendor network with Cisco routers and switches, as well as Juniper devices. The network team uses Ansible for automation, with a centralized control node running RHEL. They have been using the 'ios_config' module for Cisco devices and 'junos_config' for Juniper devices. Recently, they added a new Cisco Catalyst 9300 switch to the network. They wrote a playbook to configure VLAN 100 on the switch, but the task fails with the error: 'module_stderr: Could not find platform module for Cisco IOS XE'. The playbook uses the 'cisco.ios.ios_config' module. The control node has the 'cisco.ios' collection installed (version 2.0.0). The target switch runs IOS XE 16.12.3. The control node can SSH to the switch successfully. Which action will most likely resolve the issue?

A.Upgrade the 'cisco.ios' Ansible collection to the latest version.
B.Configure the switch to allow SSH connections from the control node IP.
C.Use the 'raw' module instead of 'ios_config' to send CLI commands directly.
D.Install Python 3.8 on the control node and update the ansible.cfg to use it.
AnswerA

Older collection versions may lack support for newer IOS XE versions.

Why this answer

The error 'Could not find platform module for Cisco IOS XE' indicates that the installed 'cisco.ios' collection (version 2.0.0) does not include a module or plugin that supports the IOS XE platform for the target switch. Upgrading the collection to the latest version ensures compatibility with IOS XE 16.12.3, as newer releases add support for newer platforms and OS versions.

Exam trap

Cisco often tests the misconception that SSH connectivity or Python version is the root cause, when the real issue is a missing or outdated collection that lacks platform support for the specific OS version.

How to eliminate wrong answers

Option B is wrong because the control node can already SSH to the switch successfully, so SSH connectivity is not the issue. Option C is wrong because using the 'raw' module bypasses the structured module logic and would not resolve the missing platform module error; it also loses idempotency and error handling. Option D is wrong because Python 3.8 is not required for the 'cisco.ios' collection (which works with Python 3.6+), and the error is about a missing platform module, not a Python version incompatibility.

443
MCQeasy

A developer wants to send a message to a specific Webex Teams room using the REST API. Which HTTP method and endpoint should be used?

A.POST /rooms/{roomId}/messages
B.POST /messages
C.PUT /messages
D.GET /rooms/{roomId}/messages
AnswerB

POST to /messages with roomId in body sends a message.

Why this answer

The correct endpoint to send a message to a specific Webex Teams room is POST /messages, because the Webex REST API uses a single messages resource for creating new messages. The room ID is included in the request body as a JSON parameter, not in the URL path. This design follows RESTful conventions where POST is used to create a resource, and the /messages endpoint accepts the roomId field to target the desired space.

Exam trap

Cisco often tests the misconception that resources must be nested in the URL path (e.g., /rooms/{roomId}/messages) when the API actually uses a flat endpoint with the identifier in the request body, leading candidates to choose Option A.

How to eliminate wrong answers

Option A is wrong because POST /rooms/{roomId}/messages is not a valid Webex REST API endpoint; the API does not nest messages under rooms in the URL path. Option C is wrong because PUT /messages is not supported; the Webex API uses PUT only for updating existing resources, and messages cannot be updated after creation. Option D is wrong because GET /rooms/{roomId}/messages retrieves existing messages from a room, but the developer wants to send (create) a new message, which requires a POST request.

444
MCQhard

A script using the Meraki Python library fails with an error 'Rate limit exceeded'. The developer needs to handle this. Which approach is correct?

A.Increase the sleep interval between requests and implement exponential backoff.
B.Reduce the number of API calls by caching responses.
C.Use a different API endpoint to avoid the limit.
D.Request a higher rate limit from Meraki support.
AnswerA

Standard rate limiting handling.

Why this answer

Option A is correct because the Meraki API enforces rate limits per organization and per API key. When a 'Rate limit exceeded' error occurs, the proper response is to implement exponential backoff with increased sleep intervals between requests. This approach respects the API's retry-after headers and prevents further throttling, aligning with REST API best practices for handling 429 status codes.

Exam trap

Cisco often tests the distinction between proactive optimization (caching) and reactive error handling (backoff), and candidates may incorrectly choose caching as a way to avoid rate limits entirely, missing that the question specifically asks how to handle the error after it occurs.

How to eliminate wrong answers

Option B is wrong because caching responses reduces the number of API calls but does not handle the immediate rate limit error; it is a proactive optimization, not a reactive solution to a 429 response. Option C is wrong because using a different API endpoint does not bypass the overall rate limit, which is applied at the account or API key level, not per endpoint. Option D is wrong because while requesting a higher rate limit from Meraki support might be a long-term solution, it is not the correct immediate programmatic handling of a rate limit error; the developer must implement backoff in the script.
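The two reactive behaviours from questions 441 and 444, refreshing an expired token on a 401 and backing off on a 429, as one added example that is not part of the original question bank or of any Cisco SDK. A small fake transport stands in for a `requests` session so the logic runs offline; the header names are the ones the page discusses (`X-Auth-Token` for DNA Center, `X-Cisco-Meraki-API-Key` for Meraki), while the API key, token values and the `/example/resource` path are constructed placeholders. The backoff honours a `Retry-After` header when the server sends one and otherwise uses exponential delay with jitter, and the token is refreshed at most once per request so a genuinely bad credential still surfaces as a 401.

```python
"""Handling 401 (expired token) and 429 (rate limit) responses in an API client."""
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Response:
    """Minimal stand-in for requests.Response (constructed for this example)."""
    status_code: int
    headers: Dict[str, str] = field(default_factory=dict)
    body: Optional[dict] = None


# transport(method, path, headers) -> Response; a real client would wrap requests.Session.request
Transport = Callable[[str, str, Dict[str, str]], Response]


def backoff_delay(attempt: int, base: float = 1.0, cap: float = 30.0,
                  jitter: Callable[[], float] = lambda: random.uniform(0.0, 1.0)) -> float:
    """Exponential backoff: min(cap, base * 2**attempt) plus jitter to avoid thundering herds."""
    return min(cap, base * (2 ** attempt)) + jitter()


class ResilientClient:
    def __init__(self, transport: Transport, auth_header: str, credential: Optional[str] = None,
                 refresh_credential: Optional[Callable[[], str]] = None, max_attempts: int = 5,
                 sleep: Callable[[float], None] = time.sleep,
                 jitter: Callable[[], float] = lambda: random.uniform(0.0, 1.0)):
        self.transport = transport
        self.auth_header = auth_header          # 'X-Auth-Token' or 'X-Cisco-Meraki-API-Key'
        self.credential = credential
        self.refresh_credential = refresh_credential
        self.max_attempts = max_attempts
        self.sleep = sleep
        self.jitter = jitter
        self.delays: List[float] = []           # every sleep taken, for inspection

    def request(self, method: str, path: str) -> Response:
        refreshed = False
        for attempt in range(self.max_attempts):
            if self.credential is None and self.refresh_credential:
                self.credential = self.refresh_credential()
            resp = self.transport(method, path, {self.auth_header: self.credential or ""})
            if resp.status_code == 401 and self.refresh_credential and not refreshed:
                # Expired token: obtain a fresh one exactly once, then retry the same call.
                self.credential = self.refresh_credential()
                refreshed = True
                continue
            if resp.status_code == 429:
                # Rate limited: wait as long as the server asks, else back off exponentially.
                retry_after = resp.headers.get("Retry-After")
                delay = float(retry_after) if retry_after else backoff_delay(attempt, jitter=self.jitter)
                self.delays.append(delay)
                self.sleep(delay)
                continue
            return resp                          # success, or an error the caller must handle
        raise RuntimeError(f"{method} {path}: gave up after {self.max_attempts} attempts")


def demo_rate_limit() -> Tuple[int, List[float]]:
    """Meraki-style key header; the scripted server throttles twice, then answers."""
    script = [Response(429, {"Retry-After": "5"}), Response(429), Response(200, body={"ok": True})]

    def transport(method: str, path: str, headers: Dict[str, str]) -> Response:
        assert headers["X-Cisco-Meraki-API-Key"] == "EXAMPLE-KEY"   # constructed key
        return script.pop(0)

    client = ResilientClient(transport, "X-Cisco-Meraki-API-Key", "EXAMPLE-KEY",
                             sleep=lambda s: None, jitter=lambda: 0.0)
    resp = client.request("GET", "/example/resource")
    return resp.status_code, client.delays       # (200, [5.0, 2.0])


def demo_token_refresh() -> Tuple[int, int]:
    """DNA Center-style token header; the stale token gets a 401, the refreshed one a 200."""
    calls = {"refresh": 0}

    def transport(method: str, path: str, headers: Dict[str, str]) -> Response:
        return Response(200, body={}) if headers["X-Auth-Token"] == "fresh-token" else Response(401)

    def refresh() -> str:
        # Real code would POST /dna/system/api/v1/auth/token with HTTP Basic
        # credentials (the endpoint named in question 441) and return the token.
        calls["refresh"] += 1
        return "fresh-token"

    client = ResilientClient(transport, "X-Auth-Token", "expired-token",
                             refresh_credential=refresh, sleep=lambda s: None)
    resp = client.request("GET", "/example/resource")
    return resp.status_code, calls["refresh"]    # (200, 1)


if __name__ == "__main__":
    print(demo_rate_limit())
    print(demo_token_refresh())
```

The `sleep` and `jitter` hooks exist so the behaviour can be tested without real delays; in production leave them at their defaults. Caching (option B) is still worth doing, but as the explanation says it reduces how often the limit is hit rather than handling the 429 once it arrives.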

445
MCQmedium

A company uses Ansible to automate network configuration. They have an Ansible control node that must reach all network devices. Which transport protocol does Ansible use by default to connect to Cisco IOS devices?

A.HTTP
B.Telnet
C.SSH
D.SNMP
AnswerC

Ansible uses SSH by default for network devices.

Why this answer

Ansible uses SSH as its default transport protocol to connect to Cisco IOS devices because SSH provides encrypted, secure remote access and is the standard for network device management in modern environments. Ansible's native architecture relies on SSH for agentless communication, executing modules and playbooks over this secure channel without requiring additional software on the target devices.

Exam trap

Cisco often tests the misconception that Ansible uses Telnet or SNMP for legacy device compatibility, but the trap here is that Ansible defaults to SSH for secure, agentless automation, and candidates may confuse Ansible's connection methods with other tools like NETCONF or RESTCONF.

How to eliminate wrong answers

Option A is wrong because HTTP is not used by Ansible for device connections; it is an unencrypted protocol typically used for web-based management interfaces, not for Ansible's agentless automation. Option B is wrong because Telnet is an unencrypted, legacy protocol that Ansible does not use by default due to security concerns and lack of support for modern automation features. Option D is wrong because SNMP is a monitoring and management protocol used for reading and writing device configuration data via MIBs, but it is not a transport protocol for executing Ansible modules or playbooks.

446
MCQmedium

A network team is implementing automation to provision new switchports across a campus network. They decide to use a controller-based approach with Cisco DNA Center. What is the primary advantage of using DNA Center for this task?

A.It automatically rolls back any configuration that deviates from the standard.
B.It replaces all existing CLI commands with a graphical interface.
C.It allows intent-based automation where the desired state is defined and the controller pushes the necessary configuration.
D.It eliminates the need for any human intervention in network management.
AnswerC

Intent-based automation abstracts low-level configuration from the user.

Why this answer

Option C is correct because Cisco DNA Center uses an intent-based networking model where the administrator defines the desired state (e.g., 'provision a switchport for access VLAN 10') and the controller automatically translates that intent into the necessary device configurations (CLI or NETCONF/YANG). This abstraction reduces manual errors and enforces consistency across the campus network without requiring per-device CLI scripting.

Exam trap

Cisco often tests the distinction between intent-based automation (defining the desired state) versus traditional script-based automation (pushing explicit commands), and the trap here is confusing 'intent-based' with 'fully autonomous' or 'error-correcting' systems.

How to eliminate wrong answers

Option A is wrong because DNA Center does not automatically roll back configurations that deviate from a standard; it can detect drift and alert the operator, but rollback typically requires a manual or policy-driven action. Option B is wrong because DNA Center does not replace all CLI commands with a graphical interface; it provides a GUI for high-level intent but still relies on underlying CLI, NETCONF, or RESTCONF for device-level configuration. Option D is wrong because DNA Center does not eliminate the need for human intervention; it automates many tasks but still requires human oversight for policy definition, troubleshooting, and exception handling.

447
MCQhard

An organization wants to automate the deployment of wireless configurations across multiple Meraki networks using the Meraki Dashboard API. What authentication method should the developer use in the API requests?

A.Provide username and password in the Authorization header with Basic auth
B.Use OAuth2 client credentials grant and pass a bearer token
C.Include an API key in the X-Cisco-Meraki-API-Key header
D.Generate a JSON Web Token (JWT) signed with a shared secret
AnswerC

Meraki API uses a static API key in the request header for authentication.

Why this answer

The Meraki Dashboard API uses a simple API key for authentication, not OAuth2 or JWT. The key must be included in the `X-Cisco-Meraki-API-Key` header of every request. This is the only supported method for authenticating with the Meraki API, as documented by Cisco Meraki.

Exam trap

Cisco often tests the misconception that all REST APIs use OAuth2 or Basic Auth, but the Meraki API specifically uses a custom header-based API key, which candidates may overlook in favor of more common authentication methods.

How to eliminate wrong answers

Option A is wrong because the Meraki Dashboard API does not support HTTP Basic authentication with username and password; it requires an API key. Option B is wrong because the Meraki API does not use OAuth2; it uses a static API key for all requests. Option D is wrong because the Meraki API does not accept JSON Web Tokens (JWTs); it relies solely on the API key in the custom header.

448
MCQhard

A security team is developing an application that collects network alerts from Cisco Firepower Management Center (FMC) API. The API requires OAuth2 authorization code grant flow. After obtaining an authorization code, what must the application do to get an access token?

A.Resend the authorization request with the code included in the redirect URI.
B.Decode the authorization code using base64 to extract the access token.
C.Use the authorization code directly in subsequent API requests as a bearer token.
D.Exchange the authorization code for an access token by calling the token endpoint with the code and client credentials.
AnswerD

This is the correct step in the authorization code grant flow.

Why this answer

In the OAuth2 authorization code grant flow, the authorization code is an intermediate credential that must be exchanged for an access token. The application must call the token endpoint, presenting the authorization code along with its client credentials (client ID and client secret) to receive the access token. This exchange is required by RFC 6749 and is a fundamental security measure to ensure the client is authorized to obtain the token.

Exam trap

Cisco often tests the misconception that the authorization code itself can be used as a bearer token or decoded to reveal the access token, when in fact it must be exchanged at the token endpoint with client credentials.

How to eliminate wrong answers

Option A is wrong because resending the authorization request with the code in the redirect URI is not part of the OAuth2 flow; the authorization code is obtained from the authorization endpoint's redirect, not reused in a new request. Option B is wrong because the authorization code is not a base64-encoded access token; it is a short-lived, one-time-use code that must be exchanged via the token endpoint, not decoded. Option C is wrong because the authorization code cannot be used directly as a bearer token; bearer tokens are access tokens, and using the code in API requests would be rejected by the resource server as it is not a valid token.
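The exchange described above, as an added example that is not part of the original question bank and not FMC's own implementation: a toy authorization server and resource server simulate the authorization code grant offline, so the flow can be seen end to end. The client id, secret, redirect URI and resource name are constructed. The simulation shows why options B and C fail (the code is rejected as a bearer token) and why the token endpoint insists on client credentials, a matching redirect URI and single-use codes before issuing an access token.

```python
"""OAuth2 authorization code grant (RFC 6749 section 4.1), simulated end to end."""
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class IssuedCode:
    client_id: str
    redirect_uri: str
    expires_at: float
    used: bool = False


class AuthorizationServer:
    def __init__(self, clients: Dict[str, str]):
        self.clients = clients                        # client_id -> client_secret
        self.codes: Dict[str, IssuedCode] = {}
        self.access_tokens: Dict[str, str] = {}       # access token -> client_id

    def authorize(self, client_id: str, redirect_uri: str) -> str:
        """Authorization endpoint: after user consent, redirect back with a short-lived code."""
        code = secrets.token_urlsafe(16)
        self.codes[code] = IssuedCode(client_id, redirect_uri, time.time() + 600)
        return code

    def token(self, form: Dict[str, str], client_id: str, client_secret: str) -> Dict[str, object]:
        """Token endpoint: exchange code plus client credentials for an access token."""
        expected = self.clients.get(client_id)
        if expected is None or not hmac.compare_digest(expected, client_secret):
            return {"error": "invalid_client"}
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        issued = self.codes.get(form.get("code", ""))
        if (issued is None or issued.used or issued.client_id != client_id
                or issued.redirect_uri != form.get("redirect_uri")
                or time.time() > issued.expires_at):
            return {"error": "invalid_grant"}
        issued.used = True                            # codes are single-use
        token = secrets.token_urlsafe(32)
        self.access_tokens[token] = client_id
        return {"access_token": token, "token_type": "Bearer", "expires_in": 3600}


class ResourceServer:
    """Stands in for the FMC alerts API; accepts only access tokens, never codes."""
    def __init__(self, auth: AuthorizationServer):
        self.auth = auth

    def get_alerts(self, authorization: Optional[str]) -> int:
        """Return an HTTP-style status: 200 for a valid bearer access token, else 401."""
        if not authorization or not authorization.startswith("Bearer "):
            return 401
        return 200 if authorization[len("Bearer "):] in self.auth.access_tokens else 401


def run_flow() -> Dict[str, object]:
    auth = AuthorizationServer({"alerts-app": "example-secret"})     # constructed client
    api = ResourceServer(auth)
    redirect = "https://app.example/callback"
    code = auth.authorize("alerts-app", redirect)

    # Option C: using the code itself as a bearer token is rejected by the resource server.
    code_as_bearer = api.get_alerts(f"Bearer {code}")

    # Option D: exchange the code at the token endpoint with the client credentials.
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect}
    grant = auth.token(form, "alerts-app", "example-secret")
    after_exchange = api.get_alerts(f"Bearer {grant['access_token']}")

    # The code is one-time use; presenting it again yields invalid_grant.
    replay = auth.token(form, "alerts-app", "example-secret")
    # Wrong client secret is rejected before the code is even looked at.
    wrong_secret = auth.token(form, "alerts-app", "wrong")
    return {"code_as_bearer": code_as_bearer, "after_exchange": after_exchange,
            "replay": replay.get("error"), "wrong_secret": wrong_secret.get("error")}


if __name__ == "__main__":
    print(run_flow())
```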

449
Multi-Selecthard

Which THREE of the following are characteristics of IPv6? (Select exactly three.)

Select 3 answers
A.IPv6 does not have a built-in NAT requirement.
B.IPv6 uses a 128-bit address space.
C.IPv6 addresses are 32 bits in length.
D.IPv6 supports stateless address autoconfiguration (SLAAC).
E.IPv6 uses ARP to resolve MAC addresses.
AnswersA, B, D

IPv6 was designed with enough address space to avoid NAT.

Why this answer

IPv6 has a 128-bit address space, uses SLAAC for autoconfiguration, and does not require NAT as part of its design (though NPTv6 exists). Options A, B, and D are therefore correct. Option C is wrong because IPv6 addresses are 128 bits long, not 32.

Option E is wrong because IPv6 uses NDP instead of ARP.

450
MCQhard

A network automation engineer is tasked with creating a Python script to automatically back up the running configuration of all IOS XE devices in a data center using the Cisco IOS XE REST API. The engineer has credentials for each device and knows the IP addresses. The script uses the requests library and sends a GET request to https://<device-ip>/restconf/data/Cisco-IOS-XE-native:native?content=config. The script runs successfully for some devices but fails with a 401 Unauthorized error for others. The engineer confirms the credentials are correct and the devices are reachable. The working devices are running IOS XE 16.9, while the failing ones are running IOS XE 16.6. The engineer checks the API documentation and finds that RESTCONF is enabled on all devices. However, the engineer notices that the failing devices require a different authentication method. What should the engineer do to fix the authentication for the IOS XE 16.6 devices?

A.Switch from HTTPS to HTTP for the failing devices.
B.Use the NETCONF protocol instead of RESTCONF for all devices.
C.Change the URL to use the Cisco IOS XE CLI-based API instead of RESTCONF.
D.Modify the script to use HTTP Basic Authentication and disable CSRF check on the device.
AnswerD

Older IOS XE versions require basic authentication; disabling CSRF check may be necessary.

Why this answer

Option D is correct because IOS XE 16.6 requires HTTP Basic Authentication with the 'Authorization' header, and the RESTCONF API on these older versions also requires disabling the CSRF (Cross-Site Request Forgery) check. The engineer must modify the script to include the 'requests.auth.HTTPBasicAuth' and set the 'X-CSRF-Token' header to 'false' or disable CSRF on the device. This resolves the 401 error while still using RESTCONF.

Exam trap

Cisco often tests the version-specific RESTCONF authentication differences, where candidates assume all IOS XE versions use the same authentication method (e.g., token-based), but older versions require Basic Auth and CSRF bypass.

How to eliminate wrong answers

Option A is wrong because switching from HTTPS to HTTP would not fix authentication; it would introduce a security risk and the 401 error is due to missing or incorrect authentication headers, not the protocol. Option B is wrong because NETCONF is a different protocol (SSH-based) and does not use RESTCONF URLs or HTTP authentication; the engineer is specifically tasked with using the REST API, and NETCONF would require a completely different script and library (e.g., ncclient). Option C is wrong because the Cisco IOS XE CLI-based API (e.g., 'on-box' Python or guest shell) is not accessed via RESTCONF URLs; the engineer is already using RESTCONF, and changing to a CLI-based API would not address the authentication issue.
