Cisco DevNet Associate 200-901 (200-901) — Questions 451505

505 questions total · 7pages · All types, answers revealed

Page 6

Page 7 of 7

451
Matchingmedium

Match each Git command to its function.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Copy a repository to local machine

Save changes to local repository

Upload local changes to remote repository

Fetch and merge changes from remote

List, create, or delete branches

Why these pairings

Common Git commands used in software development.

452
MCQhard

In a CI/CD pipeline, a code quality check fails due to a security vulnerability in a third-party library. What is the best practice to address this?

A.Suppress the warning and proceed
B.Update the library to a patched version
C.Add a firewall rule to block the vulnerability
D.Remove the dependency and rewrite the code
AnswerB

Updating to the latest patched version resolves the vulnerability and maintains compatibility.

Why this answer

Updating the library to a patched version directly resolves the security vulnerability at its source, aligning with the principle of supply chain security in CI/CD pipelines. This practice ensures that the codebase uses a version of the dependency that has been officially fixed by the maintainer, preventing exploitation without altering the application's functionality or introducing unnecessary risk.

Exam trap

Cisco often tests the misconception that security vulnerabilities can be mitigated with network controls (like firewalls) or by ignoring the issue, rather than addressing the root cause through dependency updates.

How to eliminate wrong answers

Option A is wrong because suppressing the warning ignores the vulnerability, leaving the application exposed to potential exploitation; it violates the security-first principle of DevSecOps. Option C is wrong because a firewall rule only attempts to block network-level access to the vulnerability, which does not fix the underlying insecure code in the library and can be bypassed; it is a network control, not a code fix. Option D is wrong because removing the dependency and rewriting the code is an extreme, time-consuming measure that is unnecessary when a patched version is available; it ignores the standard practice of dependency management and version updates.

453
MCQhard

Using the Cisco DNA Center API, an engineer wants to create a new site with building and floor information. Which HTTP method and endpoint should be used?

A.PUT /dna/intent/api/v1/site
B.GET /dna/intent/api/v1/site
C.POST /dna/intent/api/v1/site
D.POST /dna/intent/api/v1/site/create
AnswerC

Correct endpoint and method to create a site.

Why this answer

The POST HTTP method is used to create a new resource on the server, and the Cisco DNA Center API endpoint `/dna/intent/api/v1/site` is designed to accept a POST request with a JSON payload containing site, building, and floor details. This follows RESTful conventions where POST is the standard method for resource creation, and the API documentation specifies this exact endpoint for adding a new site hierarchy.

Exam trap

The trap here is that candidates often confuse POST with PUT or assume a 'create' suffix is needed in the endpoint, but Cisco tests the exact RESTful convention where POST on the base resource URI is the correct method for creation.

How to eliminate wrong answers

Option A is wrong because the PUT method is typically used for updating an existing resource or creating a resource at a specific URI, but the Cisco DNA Center API for site creation explicitly requires POST, not PUT. Option B is wrong because the GET method is used for retrieving information, not creating resources; it would return existing site data, not create a new site. Option D is wrong because the endpoint `/dna/intent/api/v1/site/create` does not exist in the Cisco DNA Center API; the correct endpoint is `/dna/intent/api/v1/site` without the `/create` suffix, and the creation action is implied by the POST method.

454
MCQmedium

A Python script uses the ncclient library to connect to a Cisco NX-OS device over NETCONF. After establishing the session, the script executes an editing operation with candidate datastore. Which additional step is required to make the changes take effect immediately on the running configuration?

A.Execute a discard-changes operation on the candidate datastore
B.Execute a validate operation on the candidate datastore
C.No additional step is needed; candidate changes are automatically applied to running
D.Execute a commit operation on the candidate datastore
AnswerD

Commit copies candidate to running, making changes active.

Why this answer

Option D is correct because when using NETCONF with the candidate datastore on Cisco NX-OS, changes are staged in the candidate configuration and do not affect the running configuration until a commit operation is explicitly sent. The commit operation copies the candidate configuration to the running datastore, making the changes take effect immediately. Without this step, the candidate changes remain unapplied.

Exam trap

Cisco often tests the distinction between the candidate and running datastores, trapping candidates who assume that editing the candidate automatically updates the running configuration, which is only true for the 'candidate' datastore on some platforms like Juniper but not for NX-OS NETCONF.

How to eliminate wrong answers

Option A is wrong because discard-changes is used to revert the candidate datastore to the running configuration, discarding any uncommitted edits; it does not apply changes. Option B is wrong because validate checks the syntactic and semantic correctness of the candidate configuration but does not apply it to the running datastore. Option C is wrong because the candidate datastore is a separate, working copy; changes are not automatically applied to running — a commit is required per RFC 6241.

455
Multi-Selecteasy

A developer is writing a Python script to back up Cisco router configurations via SSH. Which two libraries are appropriate for this task? (Choose two.)

Select 2 answers
A.requests
B.netmiko
C.urllib
D.paramiko
E.flask
AnswersB, D

Netmiko simplifies SSH connections to network devices.

Why this answer

Netmiko is a Python library built on top of Paramiko that simplifies SSH connections to network devices, including Cisco routers. It provides high-level methods for sending commands and retrieving output, making it ideal for automating configuration backups via SSH.

Exam trap

Cisco often tests the distinction between HTTP-focused libraries (requests, urllib) and SSH-focused libraries (paramiko, netmiko), trapping candidates who mistakenly think 'requests' can handle any network protocol or that Flask's 'networking' capabilities extend to SSH.

456
Multi-Selectmedium

A developer is troubleshooting a Cisco RESTCONF API call that returns a 409 Conflict error. Which two scenarios could cause this? (Choose two.)

Select 2 answers
A.Authentication token is missing.
B.The resource's current state conflicts with the requested change (e.g., trying to delete a resource that is in use).
C.The resource already exists and the request attempts to create a duplicate.
D.The resource does not exist.
E.The request contains invalid data types.
AnswersB, C

State conflicts, like deleting a resource that is referenced, cause 409.

Why this answer

Option B is correct because a 409 Conflict error in RESTCONF indicates that the request cannot be completed due to a conflict with the current state of the resource. For example, attempting to delete a resource that is referenced by other resources (e.g., a VLAN interface that is still active) violates the resource's state constraints, triggering this HTTP status code.

Exam trap

Cisco often tests the distinction between 409 Conflict and 400 Bad Request, where candidates mistakenly think invalid data types cause a conflict rather than a client-side syntax error.

457
MCQeasy

A technician needs to verify the IP address of a remote server using DNS. Which command should be used on a Cisco IOS device?

A.traceroute server.example.com
B.show hosts server.example.com
C.ping server.example.com
D.nslookup server.example.com
AnswerD

Performs DNS lookup and returns IP address.

Why this answer

The `nslookup` command is used to query DNS servers to resolve a hostname to an IP address. On a Cisco IOS device, `nslookup` sends a DNS query for the specified hostname and returns the corresponding IP address, making it the correct tool for verifying a remote server's IP via DNS.

Exam trap

Cisco often tests the distinction between commands that incidentally perform DNS resolution (like `ping` or `traceroute`) and commands specifically designed for DNS queries (`nslookup`), leading candidates to choose `ping` because it shows the resolved IP in its output.

How to eliminate wrong answers

Option A is wrong because `traceroute` is used to trace the network path to a destination, not to perform DNS resolution; it may trigger a DNS lookup for display but does not directly verify the IP address. Option B is wrong because `show hosts` displays the static hostname-to-address mappings configured locally on the device, not dynamic DNS query results. Option C is wrong because `ping` sends ICMP echo requests to test reachability and may perform a DNS lookup as a side effect, but its primary purpose is not to verify the IP address via DNS.

458
Multi-Selecteasy

Which THREE of the following are common security vulnerabilities listed in the OWASP Top 10? (Choose three.)

Select 3 answers
A.Cross-Site Scripting (XSS)
B.Broken Access Control
C.Multi-Factor Authentication
D.SQL Injection
E.DNS Cache Poisoning
AnswersA, B, D

Included in OWASP Top 10 as an injection issue.

Why this answer

Cross-Site Scripting (XSS) is a common security vulnerability in the OWASP Top 10 because it allows attackers to inject malicious scripts into web pages viewed by other users, typically through input fields that are not properly sanitized. This can lead to session hijacking, defacement, or redirection to malicious sites, exploiting the trust a user has in a legitimate application.

Exam trap

Cisco often tests whether candidates can distinguish between actual vulnerabilities (like XSS, Broken Access Control, SQL Injection) and security controls or network-layer attacks, leading them to mistakenly select Multi-Factor Authentication or DNS Cache Poisoning as OWASP Top 10 items.

459
MCQmedium

An engineer configures a trunk port as shown. A device connected to this port sends an untagged frame. Which VLAN will the switch associate the frame with?

A.VLAN 1
B.The frame is dropped
C.VLAN 10
D.VLAN 99
AnswerD

Untagged frames are placed in native VLAN.

Why this answer

The switchport trunk native vlan 99 command configures VLAN 99 as the native VLAN for the trunk port. When an untagged frame arrives on a trunk port, the switch associates it with the native VLAN. Therefore, the frame is placed into VLAN 99.

Exam trap

Cisco often tests the misconception that untagged frames on a trunk are dropped or that the native VLAN is always VLAN 1, leading candidates to overlook the explicit native VLAN configuration.

How to eliminate wrong answers

Option A is wrong because VLAN 1 is the default native VLAN only if no native VLAN is explicitly configured; here VLAN 99 is set as the native VLAN. Option B is wrong because untagged frames on a trunk port are not dropped; they are assigned to the native VLAN. Option C is wrong because VLAN 10 is not the native VLAN; the native VLAN is explicitly set to VLAN 99.

460
Multi-Selecteasy

Which two statements are true about Cisco DevNet Sandboxes?

Select 2 answers
A.DevNet Sandboxes are only available with a paid subscription.
B.DevNet Sandboxes include reserved labs for fixed time periods and always-on labs.
C.DevNet Sandboxes only support Cisco Catalyst switches.
D.DevNet Sandboxes provide API access to simulate integrations.
E.DevNet Sandboxes do not support third-party devices.
AnswersB, D

Correct; both types exist.

Why this answer

Option B is correct because DevNet Sandboxes offer two primary reservation models: reserved labs, which provide exclusive access to a sandbox for a fixed time period (e.g., 4 hours), and always-on labs, which are perpetually available but shared among users. This flexibility allows developers to choose between dedicated, time-limited environments for intensive testing and persistent, always-available environments for ongoing development and learning.

Exam trap

The trap here is that candidates may assume all sandboxes require payment or only support Cisco hardware, overlooking the free tier and the inclusion of third-party components like Linux VMs or partner APIs for realistic integration testing.

461
MCQhard

A developer is using Git for version control of a Python library. A colleague accidentally committed a large sensitive file. Which Git command sequence should be used to remove the file from history without losing subsequent changes?

A.git filter-branch or git filter-repo
B.git rm --cached && git commit
C.git rebase -i && git commit --amend
D.git revert HEAD
AnswerA

These tools rewrite history, removing the file from all commits.

Why this answer

git filter-branch (or git filter-repo) rewrites history to remove the file across all commits. git reset affects recent commits but loses changes after it. git rebase -i can edit specific commits but becomes complex for large files. git rm only removes from current commit.

462
MCQeasy

Based on the exhibit, what is the frequency of the telemetry subscription?

A.Every 500 seconds
B.Every 500 milliseconds
C.When the management connection is re-established
D.On-change only
AnswerB

The periodic policy value is in milliseconds; 500 ms is the correct interpretation.

Why this answer

The exhibit shows a telemetry subscription with a 'period' of 500, which in Cisco model-driven telemetry (MDT) is expressed in milliseconds. Therefore, the frequency is every 500 milliseconds, making option B correct.

Exam trap

Cisco often tests the unit of the 'period' value, and the trap here is that candidates assume the value is in seconds (like many other network timers) instead of milliseconds, leading them to choose 'Every 500 seconds'.

How to eliminate wrong answers

Option A is wrong because 500 seconds would be an unusually long interval for telemetry updates and the period value in Cisco MDT is always in milliseconds, not seconds. Option C is wrong because a re-establishment-based subscription is a different type (e.g., 'periodic' vs 'on-change' vs 'connection-based'), and the exhibit explicitly shows a periodic subscription with a numeric period value. Option D is wrong because 'on-change' subscriptions do not use a numeric period; they trigger only when the monitored data changes, whereas the exhibit shows a fixed period of 500.

463
Multi-Selecteasy

Which TWO are valid methods to secure a REST API? (Choose two.)

Select 2 answers
A.Use HTTPS to encrypt data in transit.
B.Use HTTP with basic authentication.
C.Embed API keys in the URL query string.
D.Implement rate limiting to prevent abuse.
E.Implement OAuth 2.0 for token-based access control.
AnswersA, E

HTTPS encrypts the communication, preventing eavesdropping and tampering.

Why this answer

HTTPS (HTTP over TLS) encrypts the entire HTTP conversation, including headers and payload, using Transport Layer Security (TLS). This prevents eavesdropping, man-in-the-middle attacks, and tampering of data in transit. For a REST API, HTTPS is a fundamental security requirement to protect sensitive data and credentials from being exposed on the network.

Exam trap

Cisco often tests the distinction between mechanisms that provide confidentiality/integrity (HTTPS, OAuth 2.0) versus those that only provide availability or weak authentication (rate limiting, HTTP Basic), leading candidates to mistakenly select rate limiting as a security method.

464
MCQmedium

In a CI/CD pipeline using Jenkins, which plugin is commonly used to integrate with Cisco Container Platform for deploying containers?

A.Docker Pipeline Plugin
B.Cisco Container Platform Plugin
C.Kubernetes CLI Plugin
D.SSH Plugin
AnswerB

The Cisco Container Platform Plugin is designed for CCP integration.

Why this answer

The Cisco Container Platform Plugin is the correct choice because it provides native integration between Jenkins and Cisco Container Platform (CCP), enabling automated deployment of containers directly to CCP clusters. This plugin handles authentication, cluster discovery, and deployment orchestration specific to CCP, which is built on Kubernetes but includes Cisco-specific extensions for policy and networking.

Exam trap

Cisco often tests the distinction between a generic Kubernetes plugin and a platform-specific plugin, so the trap here is that candidates assume any Kubernetes-related plugin (like Kubernetes CLI Plugin) works with Cisco Container Platform, ignoring the need for Cisco-specific API integration and authentication.

How to eliminate wrong answers

Option A (Docker Pipeline Plugin) is wrong because it only provides Docker commands (like build, push, run) within a pipeline, but it does not integrate with Cisco Container Platform or manage deployments to CCP clusters. Option C (Kubernetes CLI Plugin) is wrong because it wraps kubectl commands for generic Kubernetes clusters, but it lacks the Cisco-specific API calls and authentication mechanisms required for CCP. Option D (SSH Plugin) is wrong because it only enables remote command execution over SSH, which is far too low-level and insecure for orchestrating container deployments to a platform like CCP.

465
Multi-Selecthard

Which THREE security measures should be implemented in a CI/CD pipeline to protect against supply chain attacks? (Choose three.)

Select 3 answers
A.Enable verbose logging for all build steps to detect anomalies.
B.Pin dependency versions to specific hashes.
C.Sign all build artifacts with a GPG key.
D.Verify checksums of downloaded dependencies.
E.Use a private registry for container images with vulnerability scanning.
AnswersB, D, E

Version pinning prevents accidental introduction of malicious updates.

Why this answer

Option B is correct because pinning dependency versions to specific hashes (e.g., using `integrity` attributes in npm’s package-lock.json or `sha256` checksums in pip’s requirements.txt) ensures that only the exact, verified content is downloaded. This prevents an attacker from substituting a malicious version of a dependency, even if the version tag remains the same, by validating the cryptographic hash of the artifact against a known good value.

Exam trap

Cisco often tests the distinction between artifact signing (which protects authenticity after build) and dependency integrity verification (which protects against supply chain attacks during the build), causing candidates to mistakenly select signing as a supply chain defense.

466
MCQhard

A developer is creating a YANG data model for a new interface feature. The model must allow the user to choose from a predefined set of values for the 'duplex' leaf. Which YANG statement should be used to restrict the values to 'full', 'half', and 'auto'?

A.choice duplex-options { case full; case half; case auto; }
B.type string;
C.type leafref { path '/other:duplex-list'; }
D.type enumeration { enum full; enum half; enum auto; }
AnswerD

Enumeration restricts to listed values.

Why this answer

Option D is correct because the 'type enumeration' statement in YANG defines a leaf that can only take one of the explicitly listed enum values. By specifying 'enum full;', 'enum half;', and 'enum auto;', the developer restricts the 'duplex' leaf to exactly those three predefined strings, which matches the requirement.

Exam trap

Cisco often tests the distinction between YANG's 'choice' statement (which selects among different schema branches) and the 'enumeration' type (which restricts a single leaf's value), leading candidates to mistakenly choose 'choice' when they need a value restriction.

How to eliminate wrong answers

Option A is wrong because 'choice' and 'case' in YANG are used to model a selection among different schema nodes (e.g., different leafs or containers), not to restrict the value of a single leaf to a set of strings. Option B is wrong because 'type string;' would allow any arbitrary string value, providing no restriction to 'full', 'half', or 'auto'. Option C is wrong because 'type leafref' references the value of another leaf in the data tree; it does not define an inline set of allowed values, and the path '/other:duplex-list' would require a separate list node that may not exist or may not contain the desired restriction.

467
MCQhard

You are automating the deployment of a new software image on a fleet of Cisco Nexus switches using Ansible. The switches are in a production environment and must have minimal downtime. You have a maintenance window of 30 minutes per switch. Your playbook performs the following steps: 1) Copy the image to the switch via SCP, 2) Set the boot variable to the new image, 3) Save the configuration, 4) Reload the switch. During a dry run on a test switch, you notice that the reload step takes 8 minutes, but the copy step takes 15 minutes due to slow link speed. For the production rollout, you need to reduce the overall time per switch. Which approach should you take?

A.Skip the save configuration step to save time
B.Use a local file server with HTTP for image transfer to improve speed
C.Use a compressed image to reduce copy time
D.Reload all switches simultaneously in the same maintenance window
AnswerB

HTTP is generally faster than SCP for file transfer.

Why this answer

Option B is correct because the bottleneck is the SCP copy time (15 minutes), which exceeds the 30-minute maintenance window when combined with the reload (8 minutes). Using HTTP for image transfer leverages a more efficient protocol with better throughput and lower overhead than SCP, which uses SSH encryption and can be slower on low-bandwidth links. This directly reduces the copy time, bringing the total per-switch time under the maintenance window limit.

Exam trap

The trap here is that candidates focus on reducing the reload time or configuration steps, when the real bottleneck is the image transfer protocol; Cisco often tests the understanding that protocol choice (SCP vs. HTTP) directly impacts transfer speed in bandwidth-constrained environments.

How to eliminate wrong answers

Option A is wrong because skipping the 'save configuration' step would risk losing the running configuration after reload, potentially causing misconfiguration or downtime, and it does not address the primary bottleneck (copy time). Option C is wrong because while a compressed image reduces file size, the copy time is dominated by link speed and protocol overhead; decompression on the switch adds CPU load and time, and the net gain may be minimal or negative. Option D is wrong because reloading all switches simultaneously would cause a complete network outage, violating the requirement for minimal downtime and exceeding the per-switch maintenance window constraint.

468
MCQhard

In a CI/CD pipeline for a network automation project, which stage is responsible for validating the syntax of YAML configuration files?

A.Deploy
B.Lint
C.Test
D.Build
AnswerB

Linting checks for syntax errors and coding standards in configuration files.

Why this answer

Lint stage validates syntax and style. Build compiles code, test runs unit tests, deploy pushes to production. Syntax checking is a static analysis step typically done in linting.

469
Multi-Selecteasy

A developer is building a RESTful API with Python Flask. Which TWO are recommended security best practices for exposing the API over HTTPS?

Select 2 answers
A.Use HTTP Basic Authentication for simplicity.
B.Validate and sanitize all user input.
C.Enable CORS for all origins.
D.Store passwords in plaintext in the database.
E.Implement rate limiting to prevent abuse.
AnswersB, E

This prevents injection attacks like SQLi and XSS.

Why this answer

Option B is correct because validating and sanitizing all user input is a fundamental security practice that prevents injection attacks (e.g., SQL injection, cross-site scripting) against the Flask API. Even over HTTPS, encrypted transport does not protect against malicious payloads; input validation must be applied server-side, often using libraries like marshmallow or Flask-WTF to enforce data types and strip dangerous characters.

Exam trap

Cisco often tests the misconception that HTTPS alone makes an API secure, but the trap here is that encryption only protects data in transit, not the application logic—so candidates must remember that input validation and rate limiting are still required server-side defenses.

470
MCQmedium

A network engineer notices that after a link failure, traffic to a server on a different VLAN is intermittent. The network uses Rapid PVST+. The switch connecting the server is a root bridge for that VLAN. What is the most likely cause of the intermittent connectivity?

A.The server port is not configured as an edge port, causing STP convergence delay.
B.The server is sending BPDUs with a higher priority.
C.The root bridge is flapping due to a configuration mismatch.
D.OSPF hold-down timers are preventing route updates.
AnswerA

Non-edge ports go through STP states, causing delays.

Why this answer

When a link fails in a Rapid PVST+ network, the switch that is the root bridge for the VLAN must reconverge. If the server port is not configured as an edge port (using the 'spanning-tree portfast' command), the switch will transition the port through the listening and learning states (even with Rapid PVST+, non-edge ports still undergo a brief convergence delay). This delay causes intermittent connectivity until the port reaches the forwarding state.

Exam trap

Cisco often tests the misconception that Rapid PVST+ eliminates all convergence delays, but the trap here is that non-edge ports still require a brief transition delay, and candidates may forget that PortFast (edge port configuration) is necessary to avoid this delay for host-facing ports.

How to eliminate wrong answers

Option B is wrong because BPDUs are sent by switches, not servers; a server sending BPDUs with a higher priority would not affect STP convergence, and servers typically do not participate in STP. Option C is wrong because a root bridge flapping due to a configuration mismatch would cause repeated topology changes, but the scenario describes a single link failure followed by intermittent connectivity, not continuous flapping. Option D is wrong because OSPF is a Layer 3 routing protocol and does not affect Layer 2 STP convergence; the issue is within the same VLAN, and OSPF hold-down timers are irrelevant to Rapid PVST+ behavior.

471
Multi-Selecthard

A DevOps team is securing a CI/CD pipeline that deploys containerized applications to Kubernetes. Which THREE practices enhance security?

Select 3 answers
A.Implementing network policies to restrict pod communication.
B.Allowing containers to run with privileges.
C.Scanning container images for vulnerabilities before deployment.
D.Running containers as root.
E.Using Kubernetes Secrets for sensitive environment variables.
AnswersA, C, E

Limits lateral movement in the cluster.

Why this answer

Network policies in Kubernetes act as a firewall for pods, restricting ingress and egress traffic based on labels, namespaces, or IP blocks. This implements a zero-trust model by default, preventing lateral movement if a container is compromised. Option A is correct because it directly reduces the attack surface within the cluster.

Exam trap

Cisco often tests the misconception that 'containers are inherently isolated'—candidates may think privileges or root access are safe because containers are 'lightweight VMs,' but in reality, they share the host kernel, making privilege escalation a critical risk.

472
MCQeasy

Which of the following is a best practice for securing API keys in a CI/CD pipeline?

A.Share via email
B.Hardcode in Dockerfile
C.Store them in source code
D.Use environment variables in build configuration
AnswerA

Email is not secure for sharing API keys.

Why this answer

Option A is correct because sharing API keys via email is not a best practice; the correct best practice is to use environment variables in the build configuration (Option D). Environment variables keep secrets out of source code, Dockerfiles, and insecure communication channels like email, ensuring they are injected at runtime and not exposed in logs or artifacts.

Exam trap

Cisco often tests the misconception that environment variables in build configuration are a fully secure method, but the trap is that they can still be exposed in logs or pipeline artifacts, whereas a dedicated secrets manager is the true best practice.

How to eliminate wrong answers

Option B is wrong because hardcoding API keys in a Dockerfile embeds secrets in the image layers, making them accessible to anyone who can pull the image and inspect its history. Option C is wrong because storing API keys in source code commits them to version control, exposing them to all repository users and potentially to public repositories. Option D is wrong because while environment variables in build configuration are a step up, they can still leak in build logs or be exposed if the CI/CD system is compromised; the question asks for the best practice, which is to use a dedicated secrets manager or vault (e.g., HashiCorp Vault, AWS Secrets Manager) rather than plain environment variables.

473
MCQmedium

A network engineer needs to automate the deployment of a new VLAN on multiple Cisco switches using RESTCONF. Which URL structure should be used to create a VLAN with ID 100?

A.PUT /restconf/data/Cisco-IOS-XE-vlan:vlans/vlan=100
B.POST /restconf/operations/Cisco-IOS-XE-vlan:create-vlan
C.POST /restconf/data/Cisco-IOS-XE-vlan:vlans/vlan=100
D.PUT /restconf/config/vlan/100
AnswerA

PUT creates or replaces the VLAN resource at the specified URI.

Why this answer

Option A is correct because RESTCONF uses the HTTP PUT method to create or replace a specific data resource, and the URL path follows the YANG module structure. Here, 'Cisco-IOS-XE-vlan:vlans/vlan=100' targets the VLAN list entry with ID 100, creating it if it does not exist. This aligns with RESTCONF's resource-oriented design, where PUT on a specific data node performs a create or replace operation.

Exam trap

Cisco often tests the distinction between PUT and POST in RESTCONF, where candidates mistakenly use POST to create a specific resource instance (like a VLAN by ID) instead of PUT, or confuse the '/operations' RPC path with data resource manipulation.

How to eliminate wrong answers

Option B is wrong because it uses POST to a '/operations' URI, which is associated with NETCONF-style RPCs, not RESTCONF data resource creation; RESTCONF does not use '/operations' for creating data resources. Option C is wrong because POST on a data resource URL is used to create a child resource (e.g., a new entry in a list) when the parent container is targeted, not to create a specific instance by ID; using POST on '/vlan=100' would attempt to create a child of that specific VLAN, which is incorrect. Option D is wrong because it uses a non-standard '/config' path and omits the YANG module namespace; RESTCONF requires the module name prefix (e.g., 'Cisco-IOS-XE-vlan:') to identify the data model, and the path should be under '/restconf/data'.

474
MCQeasy

A Python script used for network automation requires storing an API secret. Which approach is the most secure and recommended best practice?

A.Hardcode the secret in the Python script
B.Store the secret in a plain text file in the repository
C.Encrypt the secret and store it in the script
D.Use environment variables
AnswerD

Environment variables keep secrets out of code and are configurable per deployment.

Why this answer

Option D is correct because storing secrets in environment variables decouples sensitive data from the source code, preventing accidental exposure in version control systems like Git. This approach follows the principle of least privilege and is recommended by security best practices such as the Twelve-Factor App methodology. Environment variables are managed outside the script, reducing the risk of credential leakage during code sharing or deployment.

Exam trap

Cisco often tests the misconception that encryption within the script is sufficient, but the trap is that the decryption key must still be stored somewhere, creating a key management problem that environment variables solve by keeping secrets out of the code entirely.

How to eliminate wrong answers

Option A is wrong because hardcoding the secret in the Python script exposes it to anyone with access to the source code, including version control history, and violates the principle of separating configuration from code. Option B is wrong because storing the secret in a plain text file in the repository makes it readable by anyone who can access the repo, and it can be inadvertently committed and shared, leading to credential exposure. Option C is wrong because encrypting the secret and storing it in the script still requires managing the decryption key within the script or repository, which creates a circular security problem and does not eliminate the risk of exposure through code access.

475
Multi-Selectmedium

A developer is designing a REST API for managing network devices. Which three best practices should be followed for the API design? (Choose three.)

Select 3 answers
A.Use POST for all state-changing operations to ensure idempotency.
B.Use nouns for resource names (e.g., /devices) rather than verbs.
C.Include versioning in the URL path (e.g., /v1/devices).
D.Always send the entire resource representation in all responses to reduce client requests.
E.Use proper HTTP status codes to describe results.
AnswersB, C, E

D is correct because RESTful APIs use nouns to represent resources, while verbs are typically avoided in endpoint paths.

Why this answer

A, B, and D are correct. A: Using proper HTTP status codes is a REST best practice for clear success/failure indication. B: Including versioning in the URL path ensures backward compatibility.

D: Using nouns for resources (e.g., /devices) aligns with RESTful principles. C is incorrect because POST is not idempotent; PUT/DELETE are preferred for idempotent operations. E is incorrect because transmitting full representations unnecessarily increases bandwidth; partial responses or specific fields should be used.

476
MCQeasy

Which data serialization format is most commonly used for configuration files in Cisco automation tools like Ansible?

A.CSV
B.YAML
C.HTML
D.XML
AnswerB

YAML is the default format for Ansible playbooks and is human-readable, making it ideal for configuration files.

Why this answer

Option B is correct because YAML is the standard configuration format for Ansible playbooks and many Cisco automation tools. Option A (XML) is used in some contexts like NETCONF but not in Ansible. Option C (CSV) is for tabular data, not configuration.

Option D (HTML) is for web pages. Therefore, YAML is the most appropriate choice.

477
MCQmedium

A DevOps engineer is implementing Infrastructure as Code (IaC) for network devices. Which of the following practices is most critical to ensure that the environment state matches the desired configuration defined in code?

A.Using Jinja2 templates to generate device configurations.
B.Ensuring that the automation tool is idempotent.
C.Using version control for all configuration files.
D.Implementing rollback procedures for failed deployments.
AnswerB

Idempotency guarantees consistent state.

Why this answer

Idempotency ensures that applying the same configuration multiple times always results in the same desired state, regardless of the current state of the device. This is the most critical practice for IaC because it prevents configuration drift and guarantees that the environment state matches the code-defined configuration. Without idempotency, repeated runs of the automation tool could introduce unintended changes or fail to correct deviations.

Exam trap

Cisco often tests the concept that idempotency is the core principle of IaC for state convergence, tempting candidates to choose version control or rollback procedures because they are familiar best practices, but they do not directly ensure the environment state matches the code.

How to eliminate wrong answers

Option A is wrong because Jinja2 templates are a tool for generating configuration files from variables, but they do not ensure that the applied configuration matches the desired state; they only help with parameterization and reuse. Option C is wrong because version control tracks changes to configuration files over time but does not enforce that the live environment state matches the code; it is a best practice for auditability, not for state convergence. Option D is wrong because rollback procedures handle failed deployments by reverting to a previous state, but they do not guarantee that the environment state matches the desired configuration defined in code; they are a recovery mechanism, not a preventive or corrective one.

478
Matchingmedium

Match each HTTP method to its typical use case in REST APIs.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Retrieve a resource

Create a new resource

Update an existing resource

Remove a resource

Partially modify a resource

Why these pairings

These are standard RESTful HTTP methods.

479
Multi-Selectmedium

Which two of the following are valid ways to authenticate to the Cisco DNA Center API?

Select 2 answers
A.Use SNMP v3
B.Use SAML assertion
C.Provide API token in HTTP header
D.Use SSH key
E.Use OAuth 2.0 client credentials
AnswersC, E

Tokens are obtained via login and passed in headers.

Why this answer

Option C is correct because the Cisco DNA Center API uses token-based authentication. After obtaining a token via a POST request to the /dna/system/api/v1/auth/token endpoint with valid credentials, the token must be included in the HTTP header as 'X-Auth-Token: <token>' for all subsequent API requests. This is the standard method for authenticating REST API calls to Cisco DNA Center.

Exam trap

Cisco often tests the distinction between device-level authentication (SNMP, SSH) and API-level authentication (tokens, OAuth 2.0), leading candidates to mistakenly select protocols used for network device management instead of REST API authentication methods.

480
Multi-Selectmedium

Which three capabilities are offered by the Cisco DNA Center REST API?

Select 3 answers
A.Intent-based API for business intent deployment
B.Real-time packet capture
C.Device discovery and inventory
D.Direct command-line execution on managed devices
E.Site and building management
AnswersA, C, E

DNA Center provides intent APIs.

Why this answer

Cisco DNA Center's REST API offers an intent-based API that allows you to express business intent (e.g., 'deploy QoS for voice traffic') rather than configuring individual device commands. This abstraction layer translates high-level policies into device-specific configurations, enabling network automation and assurance. It is a core capability of the Cisco Platform Abstraction Layer (PAL).

Exam trap

Cisco often tests the distinction between 'intent-based' (policy-driven) and 'direct device management' (CLI/SNMP) capabilities, so the trap here is assuming that DNA Center's API provides low-level device access like packet capture or CLI execution, when in fact it focuses on high-level automation and assurance.

481
MCQhard

Refer to the exhibit. A developer is building a Docker image for a Node.js application. The Dockerfile contains: ``` FROM node:14 WORKDIR /usr/src/app COPY package*.json ./ RUN npm install COPY . . CMD ["node", "app.js"] ``` When building, the error shown occurs. What is the most likely cause?

A.The Dockerfile should use the root user for running npm install.
B.The npm install command should be run with the --unsafe-perm flag.
C.The base image node:14 is outdated and contains a bug.
D.The application is running as a non-root user (e.g., node) that lacks write permission to the working directory.
AnswerD

The node image often uses the node user; if the WORKDIR is owned by root, the node user cannot write to it. The fix is to ensure proper ownership.

Why this answer

The error occurs because the official Node.js Docker image (node:14) runs as a non-root user named 'node' by default. The WORKDIR /usr/src/app is owned by root, so the 'node' user lacks write permission to that directory. When npm install tries to create node_modules or write package-lock.json, it fails with a permission error.

Option D correctly identifies this user-permission mismatch.

Exam trap

Cisco often tests the misconception that npm install always requires root privileges, when in fact the official Node.js image deliberately runs as a non-root user and the fix is to adjust directory ownership, not to escalate privileges.

How to eliminate wrong answers

Option A is wrong because running as root is a security anti-pattern; the official image intentionally uses a non-root user to follow least-privilege principles. Option B is wrong because the --unsafe-perm flag is only relevant when running npm scripts as root (it prevents dropping privileges), not for fixing permission issues with a non-root user. Option C is wrong because the node:14 image is not inherently buggy regarding permissions; the issue is a deliberate design choice to run as a non-root user, not an outdated bug.

482
Multi-Selecteasy

Which two authentication methods are commonly used with Cisco APIs? (Choose two.)

Select 2 answers
A.SNMPv3
B.Basic Authentication over HTTPS
C.SSH Key
D.RADIUS
E.API Token (Bearer Token)
AnswersB, E

Many Cisco APIs support Basic Auth for initial token acquisition.

Why this answer

Basic Authentication over HTTPS is commonly used with Cisco APIs because it sends a base64-encoded username:password pair in the Authorization header, which is a simple and widely supported method for authenticating REST API requests. Cisco's REST APIs, such as those on DNA Center and Meraki, often accept Basic Auth as a fallback or for legacy integration, though it is less secure than token-based methods.

Exam trap

Cisco often tests the distinction between authentication methods used for API access versus those used for device management or network protocols, so the trap here is confusing SNMPv3 or SSH keys (which are for device CLI/management) with HTTP-based API authentication methods.

483
MCQhard

A developer is using the Cisco Webex API to create a room and add members. The API requires an access token with the appropriate scopes. The developer receives a 401 Unauthorized error when trying to create a room. What is the most likely cause?

A.The access token only has the 'spark:rooms_read' scope
B.The access token has the 'spark:memberships_write' scope but not 'spark:rooms_write'
C.The access token is not being sent in the Authorization header
D.The access token has expired
AnswerA

Correct: The write scope is required for creating rooms.

Why this answer

The 401 Unauthorized error indicates that the request lacks valid authentication credentials. Since the developer is using an access token but still getting a 401, the most likely cause is that the token does not have the required scopes to perform the operation. The 'spark:rooms_read' scope only allows reading room details, not creating them, so the API rejects the request with a 401 because the token is valid but insufficiently scoped.

Exam trap

Cisco often tests the distinction between 401 Unauthorized (authentication failure) and 403 Forbidden (authorization failure), and the trap here is that candidates assume a 401 always means a missing or expired token, when in fact an invalid scope can also trigger a 401 in Webex APIs.

How to eliminate wrong answers

Option B is wrong because having 'spark:memberships_write' without 'spark:rooms_write' would still cause a 403 Forbidden (insufficient permissions), not a 401 Unauthorized — the token is valid but lacks the specific scope. Option C is wrong because if the token were not sent in the Authorization header, the API would return a 401 Unauthorized, but this is less likely than a scope issue given the developer is explicitly using an access token; however, the question asks for the 'most likely' cause, and scope misconfiguration is a common pitfall. Option D is wrong because an expired token would also return a 401, but the developer is actively generating and using the token, making expiration less probable than a scope mismatch.

484
MCQhard

A developer is working with the Cisco SD-WAN vManage API to monitor overlay tunnels. They need to retrieve a list of all devices with their site IDs and IP addresses. Which API endpoint is most appropriate?

A.GET /dataservice/device/monitor
B.GET /dataservice/device/device
C.GET /dataservice/device/overlay
D.GET /dataservice/device
AnswerD

Returns list of devices with site ID and system IP.

Why this answer

The GET /dataservice/device endpoint returns a list of all devices managed by the Cisco SD-WAN vManage, including their site IDs and IP addresses. This is the correct endpoint for retrieving device inventory details, as it provides the necessary fields like 'deviceId', 'system-ip', and 'site-id' in the response.

Exam trap

Cisco often tests the distinction between device inventory endpoints and monitoring/overlay-specific endpoints, leading candidates to choose 'monitor' or 'overlay' when they only need basic device information.

How to eliminate wrong answers

Option A is wrong because GET /dataservice/device/monitor is used for retrieving real-time monitoring data (e.g., CPU, memory) for a specific device, not a list of all devices with site IDs and IP addresses. Option B is wrong because GET /dataservice/device/device is not a valid vManage API endpoint; the correct path for device details is /dataservice/device. Option C is wrong because GET /dataservice/device/overlay returns overlay tunnel statistics (e.g., OMP routes, TLOC information) rather than a flat list of devices with site IDs and IP addresses.

485
MCQmedium

A developer is using the Meraki API to retrieve a list of networks for an organization. Which HTTP method and endpoint should be used?

A.GET /organizations/{organizationId}/networks
B.POST /organizations/{organizationId}/networks
C.GET /networks
D.PUT /organizations/{organizationId}/networks
AnswerA

Correct endpoint and method to list networks.

Why this answer

The Meraki API uses RESTful conventions where retrieving a list of resources is done with a GET request. The endpoint GET /organizations/{organizationId}/networks returns all networks belonging to a specific organization, as documented in the Meraki API reference. This matches the standard pattern for listing child resources under a parent resource.

Exam trap

Cisco often tests the distinction between HTTP methods (GET vs POST vs PUT) and the necessity of proper resource scoping (including the organization ID), so the trap here is assuming a flat /networks endpoint exists or that POST can be used for retrieval.

How to eliminate wrong answers

Option B is wrong because POST is used to create a new resource, not to retrieve a list; using POST for retrieval violates REST principles and the Meraki API specification. Option C is wrong because /networks is not a valid top-level endpoint; the Meraki API requires the organization ID to scope the request, as networks are always associated with an organization. Option D is wrong because PUT is used to update an existing resource, not to retrieve a list; it would either fail or be interpreted incorrectly by the API.

486
Drag & Dropmedium

Drag and drop the steps to set up a basic DHCP server on a Cisco router into the correct order.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order

Why this order

DHCP configuration on Cisco routers involves creating a pool, defining the network, and setting options like default gateway.

487
MCQhard

In a network automation workflow, a developer needs to ensure idempotency. What does idempotency mean in this context?

A.The script uses a single API call
B.Running the script once produces the same result as running it multiple times
C.The script can recover from failures
D.The script can run on multiple devices simultaneously
AnswerB

This is the definition of idempotency.

Why this answer

Idempotency in network automation means that executing an operation multiple times results in the same network state as executing it once. For example, using a REST API PUT request to set a VLAN configuration will leave the device in the same state whether the request is sent once or repeatedly, because PUT is inherently idempotent. This prevents unintended side effects like duplicate VLANs or interface misconfigurations when a script is retried due to network failures or timeouts.

Exam trap

Cisco often tests idempotency by pairing it with failure recovery or concurrency, hoping candidates confuse idempotency with fault tolerance or parallel execution.

How to eliminate wrong answers

Option A is wrong because a single API call does not guarantee idempotency; for instance, a POST request that creates a resource is not idempotent and can create duplicates. Option C is wrong because failure recovery (e.g., retry logic or rollback) is a separate reliability concern, not a definition of idempotency; idempotency ensures safe retries but does not itself handle recovery. Option D is wrong because running a script on multiple devices simultaneously relates to parallelism or concurrency, not idempotency; idempotency applies per-operation regardless of the number of targets.

488
MCQhard

An IPv6-enabled host is trying to discover the MAC address of another host on the same link. The host knows the destination IPv6 address but does not have a corresponding entry in the neighbor cache. Which protocol and message type does the host use?

A.Neighbor Advertisement (ICMPv6 type 136)
B.Router Solicitation (ICMPv6 type 133)
C.Neighbor Solicitation (ICMPv6 type 135)
D.Address Resolution Protocol (ARP)
AnswerC

NS is used for address resolution.

Why this answer

Neighbor Solicitation (NS) is used in IPv6 for address resolution, similar to ARP in IPv4. It is an ICMPv6 message of type 135. Option A is wrong because Neighbor Advertisement (NA) is the reply.

Option B is wrong because Router Solicitation (RS) is for discovering routers. Option D is wrong because ARP is not used in IPv6.

489
MCQeasy

A Python script uses the Cisco Meraki API to list networks in an organization. The API returns HTTP 403 Forbidden. What is the most likely cause?

A.The request was sent over HTTP instead of HTTPS.
B.The network ID specified is incorrect.
C.The API key is invalid or missing.
D.The organization ID was omitted from the request.
AnswerC

The Meraki API returns 403 when the API key is invalid or not provided.

Why this answer

HTTP 403 Forbidden indicates the server understood the request but refuses to authorize it. In the context of the Meraki API, this almost always means the API key (X-Cisco-Meraki-API-Key header) is invalid, expired, or missing from the request. Without a valid API key, the server cannot authenticate the client and returns 403.

Exam trap

Cisco often tests the distinction between 401 Unauthorized (missing or invalid authentication credentials) and 403 Forbidden (authenticated but not authorized); the trap here is that candidates may confuse 403 with a missing parameter (like organization ID) or a wrong resource ID, but 403 specifically indicates the request was understood but authorization failed.

How to eliminate wrong answers

Option A is wrong because using HTTP instead of HTTPS would typically result in a redirect (301/302) or a connection error, not a 403 Forbidden; the Meraki API enforces HTTPS at the transport layer, not as an authorization check. Option B is wrong because an incorrect network ID would cause a 404 Not Found (resource not found) or a 400 Bad Request, not a 403 Forbidden; the 403 is an authorization failure, not a resource identification issue. Option D is wrong because omitting the organization ID would result in a 400 Bad Request (missing required parameter) or a 404 if the endpoint expects it in the path, not a 403; the 403 specifically points to authentication/authorization failure, not a missing parameter.

490
MCQmedium

A REST API returns a 500 Internal Server Error when a client sends a malformed JSON payload. What is the most appropriate HTTP response code to indicate a client-side error?

A.400 Bad Request
B.401 Unauthorized
C.403 Forbidden
D.422 Unprocessable Entity
AnswerA

400 indicates the server cannot process the request due to malformed syntax, which fits a malformed JSON payload.

Why this answer

Option A is correct because 400 Bad Request is used when the server cannot process the request due to client error (e.g., malformed syntax). Option B (401) is for authentication failures. Option C (403) is for authorization failures.

Option D (422) is for unprocessable entities when the syntax is correct but semantics fail. Therefore, 400 is the best choice for a malformed JSON payload.

491
Multi-Selectmedium

Which three of the following are common data formats used with REST APIs on Cisco platforms?

Select 3 answers
A.CSV
B.JSON
C.XML
D.HTML
E.YAML
AnswersB, C, E

JSON is widely used for REST APIs.

Why this answer

JSON (JavaScript Object Notation) is a lightweight, text-based data interchange format that is natively supported by most programming languages and REST APIs. Cisco platforms, such as Cisco DNA Center and Cisco Meraki, use JSON as the primary data format for API requests and responses because it is easy to parse and has a compact structure. JSON's key-value pair syntax aligns well with RESTful principles, making it the most common choice for modern Cisco REST APIs.

Exam trap

Cisco often tests that candidates recognize JSON, XML, and YAML as common data formats for REST APIs, but the trap here is that YAML is less common for REST API payloads and more associated with configuration management tools like Ansible, leading some to incorrectly exclude it while including CSV or HTML.

492
MCQeasy

An engineer needs to modify the running configuration of a Cisco IOS-XE device using a protocol that is stateless and uses HTTP methods. Which protocol should be used?

A.NETCONF
B.SNMP
C.RESTCONF
D.CLI
AnswerC

RESTCONF is stateless, uses HTTP, and aligns with RESTful principles.

Why this answer

RESTCONF is the correct choice because it is a stateless protocol that uses standard HTTP methods (GET, POST, PUT, PATCH, DELETE) to manipulate YANG-defined data stores on a Cisco IOS-XE device. Unlike NETCONF, which is stateful and session-oriented, RESTCONF operates over HTTP without maintaining session state, making it ideal for lightweight, RESTful automation.

Exam trap

Cisco often tests the distinction between NETCONF and RESTCONF, where candidates mistakenly choose NETCONF because it is more familiar for network automation, but the question specifically requires a stateless protocol using HTTP methods, which only RESTCONF satisfies.

How to eliminate wrong answers

Option A is wrong because NETCONF is a stateful protocol that relies on SSH or TLS and uses RPC-based operations, not stateless HTTP methods. Option B is wrong because SNMP uses UDP and a manager-agent model with GET/SET/TRAP operations, not HTTP methods, and is not designed for modifying running configurations via RESTful APIs. Option D is wrong because CLI (Command-Line Interface) is a human-interactive interface that does not use HTTP methods and is not a protocol for programmatic, stateless configuration management.

493
Multi-Selecteasy

Which TWO are valid methods to secure a Docker container?

Select 2 answers
A.Use read-only filesystem
B.Expose all ports
C.Set resource limits
D.Run containers as root
E.Disable network isolation
AnswersA, C

Read-only filesystem prevents container from modifying files.

Why this answer

Option A is correct because mounting the container's filesystem as read-only prevents any process inside the container from writing to the filesystem, which blocks malware persistence, log tampering, and unauthorized configuration changes. This is enforced by the Linux kernel's mount namespace and can be set with the `--read-only` flag in `docker run`. It is a key principle of immutable infrastructure for containers.

Exam trap

Cisco often tests the misconception that 'running as root inside a container is safe because the container is isolated,' but the trap here is that root inside a container is the same UID 0 on the host if the container is not run with a user namespace remapping or `--user` flag, making it a direct privilege escalation vector.

494
MCQhard

An engineer is troubleshooting packet loss between two hosts on different subnets. The traceroute shows that packets reach the first hop router but then stop. The router's ARP table shows an incomplete entry for the next-hop IP address. What is the most likely cause?

A.The MTU is misconfigured on the outgoing interface.
B.The routing protocol has not converged yet.
C.The next-hop device is powered off or has a Layer 1 issue.
D.An ACL is blocking traffic on the outgoing interface.
AnswerC

If the next-hop device is offline, the router cannot complete ARP.

Why this answer

An incomplete ARP entry means the router sent an ARP request but received no reply, indicating the next-hop device is unreachable at Layer 2. Option A is wrong because ACL would drop packets differently. Option B is wrong because MTU issues cause fragmentation or drops, not ARP failure.

Option C is wrong because routing protocol convergence would not cause ARP failure specifically.

495
MCQmedium

When using Cisco Intersight API to manage UCS servers, a script must invoke an API that triggers a firmware upgrade. Which HTTP method and endpoint pattern should be used?

A.PUT to /api/v1/version
B.DELETE to /api/v1/firmware
C.GET to /api/v1/status
D.POST to /api/v1/upgrade
AnswerD

This is consistent with Intersight API patterns for action endpoints.

Why this answer

Option D is correct because triggering a firmware upgrade in Cisco Intersight requires creating a new operation, which aligns with the POST HTTP method. The endpoint /api/v1/upgrade is a typical RESTful pattern for initiating an upgrade action, as POST is used to submit data to a resource to create or trigger a process. In Intersight's API, firmware upgrades are managed via POST requests to specific endpoints like /api/v1/upgrade, not through retrieval, modification, or deletion of existing resources.

Exam trap

Cisco often tests the misconception that firmware upgrades are performed via PUT (update) or GET (status check), but the correct method is POST because it initiates a new action rather than modifying an existing resource.

How to eliminate wrong answers

Option A is wrong because PUT is used to update an existing resource, not to trigger a new operation, and /api/v1/version is a read-only endpoint for retrieving version information, not for initiating upgrades. Option B is wrong because DELETE is used to remove a resource, and /api/v1/firmware would typically represent a firmware resource or collection, not an action endpoint; deleting firmware does not trigger an upgrade. Option C is wrong because GET is used to retrieve data, and /api/v1/status is for checking system status or health, not for performing state-changing operations like firmware upgrades.

496
MCQeasy

A company wants to implement a zero-trust model for API access between microservices. What is the most effective way to authenticate service-to-service communication?

A.Rely on network segmentation with firewalls.
B.Use a shared secret that all services know.
C.Issue short-lived TLS certificates for each service.
D.Use long-lived API keys.
AnswerC

Provides strong identity verification with mTLS.

Why this answer

Option C is correct because mutual TLS (mTLS) with short-lived certificates validates identity and limits exposure. Options A and D are incorrect because shared secrets and long-lived API keys are less secure. Option B is incorrect because network segmentation is not authentication.

497
MCQmedium

A network automation team uses a CI/CD pipeline. Which practice best ensures that configuration changes are validated before deployment to production?

A.Automated unit tests that verify syntax of configuration files
B.Peer review of code only
C.Manual testing by the network engineer after deployment
D.Deploying to a staging environment that mirrors production
AnswerD

A staging environment allows safe validation of changes under realistic conditions before production deployment.

Why this answer

Deploying to a staging environment that mirrors production allows comprehensive testing without risk. This is a key DevOps best practice.

498
MCQmedium

Refer to the exhibit. A developer from subnet 10.10.10.0/24 cannot reach the RESTCONF API on the IOS-XE device. What is the most likely cause?

A.HTTPS is not enabled on the device.
B.The HTTP server is not enabled.
C.Authentication is not configured as local.
D.The 10.10.10.0/24 subnet is not permitted by the access-class.
AnswerD

Access-list 23 permits only 192.168.1.0/24, blocking all other subnets.

Why this answer

The access-class configured under the RESTCONF API restricts incoming connections to specific subnets. Since the developer is on subnet 10.10.10.0/24, which is not listed in the permit statement, all HTTPS requests from that subnet are dropped before reaching the API. This is the most direct cause of the connectivity failure.

Exam trap

Cisco often tests the distinction between HTTP/HTTPS server enablement and access-class filtering, trapping candidates who assume RESTCONF requires the HTTP server or that authentication is the root cause when a subnet is blocked.

How to eliminate wrong answers

Option A is wrong because HTTPS is enabled by default on IOS-XE devices that support RESTCONF, and the exhibit does not indicate it is disabled. Option B is wrong because RESTCONF uses HTTPS (port 443), not the HTTP server (port 80), so the HTTP server being disabled does not affect RESTCONF access. Option C is wrong because authentication can be configured via local, RADIUS, or TACACS+; the error is not about authentication method but about network-layer access control.

499
MCQeasy

A network engineer is troubleshooting a connectivity issue between two hosts in different VLANs on the same switch. The hosts are in VLAN 10 and VLAN 20, respectively. The switch has an SVI for each VLAN and IP routing is enabled. Which command should be used to verify that the switch is forwarding traffic between the VLANs?

A.show interfaces trunk
B.show vlan
C.show ip route
D.show mac address-table
AnswerC

Displays the routing table, confirming inter-VLAN routing.

Why this answer

Option C is correct because 'show ip route' displays the switch's routing table, which contains the directly connected subnets for VLAN 10 and VLAN 20 (via their SVIs) and any learned routes. Since IP routing is enabled, the switch uses this table to make forwarding decisions between VLANs. Verifying that both VLAN subnets appear in the routing table confirms that the switch can route traffic between them.

Exam trap

Cisco often tests the misconception that 'show vlan' or 'show interfaces trunk' can verify inter-VLAN routing, when in fact those commands only confirm Layer 2 connectivity and VLAN membership, not the Layer 3 routing table.

How to eliminate wrong answers

Option A is wrong because 'show interfaces trunk' only displays trunk link status and allowed VLANs on trunk ports, not the routing table or inter-VLAN forwarding capability. Option B is wrong because 'show vlan' lists VLAN membership and ports assigned to each VLAN, but does not show Layer 3 routing information or whether the switch is actually routing between VLANs. Option D is wrong because 'show mac address-table' shows Layer 2 MAC address forwarding entries, which are irrelevant for verifying Layer 3 inter-VLAN routing.

500
Multi-Selecthard

Which THREE factors influence the convergence time of OSPF in a large enterprise network? (Choose three.)

Select 3 answers
A.CPU processing power for SPF calculations
B.Hello and dead interval timers
C.Bidirectional Forwarding Detection (BFD) implementation
D.DUAL algorithm processing time
E.LSA propagation delay across the network
AnswersA, B, E

SPF computation time affects convergence.

Why this answer

CPU processing power for SPF calculations directly affects convergence time because OSPF must run the Dijkstra algorithm to compute the shortest path tree after a topology change. In large networks with many routers and LSAs, a slower CPU increases the time to complete SPF, delaying route convergence.

Exam trap

Cisco often tests the distinction between failure detection mechanisms (like BFD or Hello timers) and actual convergence processes (SPF calculation and LSA propagation), so candidates may mistakenly think BFD directly reduces convergence time rather than just detection time.

501
MCQhard

A CI/CD pipeline for network automation includes a stage that runs Ansible playbooks against a staging environment. The pipeline is triggered by Git commits. After a commit, the pipeline fails because the Ansible inventory file is missing. What is the most likely reason?

A.The inventory file is listed in .gitignore
B.The pipeline script has a typo in the inventory path
C.The Ansible version in the pipeline is incompatible
D.The staging environment is not reachable
AnswerA

If the inventory file is ignored by Git, it won't be in the repository, so the pipeline cannot find it.

Why this answer

Files that are not tracked by Git will not be available in the CI environment. The inventory file must be committed; ignoring it with .gitignore excludes it.

502
MCQmedium

Refer to the exhibit. Based on the output, which interface is experiencing a Layer 2 issue?

A.Loopback0
B.GigabitEthernet1
C.Serial0/0/0
D.GigabitEthernet2
AnswerC

Protocol is down while Status is up, indicating a Layer 2 issue.

Why this answer

The output shows that Serial0/0/0 is in the 'down/down' state, which indicates a Layer 1 or Layer 2 issue. Since the serial interface is administratively up (not 'administratively down'), the 'down/down' status points to a Layer 2 problem, such as a missing keepalive, encapsulation mismatch, or loss of carrier detect (CD) signal, rather than a Layer 3 addressing or routing issue.

Exam trap

Cisco often tests the distinction between 'up/down' (Layer 1 issue) and 'down/down' (Layer 2 issue), and candidates mistakenly assume any 'down' status is a Layer 1 problem without checking the line protocol state.

How to eliminate wrong answers

Option A is wrong because Loopback0 is a virtual interface that is always up/up unless administratively shut down; it does not experience Layer 2 issues as it has no physical or data-link layer. Option B is wrong because GigabitEthernet1 is shown as up/up, indicating both Layer 1 and Layer 2 are functioning correctly. Option D is wrong because GigabitEthernet2 is also up/up, confirming no Layer 2 problem exists on that interface.

503
Multi-Selecteasy

Which TWO are common authentication methods used when interacting with Cisco APIs?

Select 2 answers
A.Client certificate exchange
B.HTTP Basic Authentication
C.API key in HTTP header
D.LDAP bind credentials
E.SNMPv3 authentication
AnswersB, C

Used with RESTCONF over HTTPS.

Why this answer

HTTP Basic Authentication (option B) is a common method for authenticating to Cisco APIs, where the client sends a base64-encoded username:password string in the Authorization header. API keys in HTTP headers (option C) are also widely used, especially with REST APIs like Cisco DNA Center or Meraki, where the key is passed in a custom header (e.g., 'X-Cisco-Meraki-API-Key'). Both are simple, stateless mechanisms supported by many Cisco platforms.

Exam trap

Cisco often tests the distinction between authentication methods used for API access versus those used for network device management (like SNMPv3 or LDAP), leading candidates to confuse management-plane authentication with API-level authentication.

504
Multi-Selecthard

Which THREE are valid reasons to use Cisco DNA Center's Assurance APIs in an enterprise network?

Select 3 answers
A.Automatically enforce QoS policies on switches.
B.Proactively detect client connectivity issues.
C.Collect NetFlow data from all network devices.
D.Identify application performance bottlenecks.
E.Analyze historical network trends for capacity planning.
AnswersB, D, E

Assurance provides client health scores and alerts.

Why this answer

Option B is correct because Cisco DNA Center's Assurance APIs provide proactive monitoring and analytics that can detect client connectivity issues before they impact users, leveraging telemetry data from network devices to identify problems like authentication failures, DHCP timeouts, or signal degradation.

Exam trap

Cisco often tests the distinction between Assurance (monitoring/analytics) and Automation (configuration/policy enforcement) APIs, leading candidates to mistakenly associate QoS enforcement or NetFlow collection with Assurance when those belong to separate functional domains.

505
MCQhard

An organization uses Cisco DNA Center and wants to use its Intent API to retrieve the health score of all wireless clients. Which API endpoint and method should be used?

A.PUT /dna/intent/api/v1/client-health
B.GET /api/v1/health
C.GET /dna/intent/api/v1/client-health
D.POST /dna/intent/api/v1/client-detail
AnswerC

This endpoint returns client health information.

Why this answer

Option C is correct because the Intent API for retrieving client health scores uses the GET HTTP method on the `/dna/intent/api/v1/client-health` endpoint. This endpoint returns the aggregated health data for all wireless clients, aligning with the read-only nature of the operation and the Intent API's resource-oriented design.

Exam trap

Cisco often tests the distinction between Intent API endpoints and the correct HTTP verb for read operations, trapping candidates who confuse the client-health endpoint with the client-detail endpoint or who incorrectly assume that POST or PUT can be used for data retrieval.

How to eliminate wrong answers

Option A is wrong because it uses the PUT method, which is intended for updating or replacing resources, not for retrieving data; the client-health endpoint is read-only and does not support PUT. Option B is wrong because `/api/v1/health` is a generic health-check endpoint for the Cisco DNA Center platform itself, not for querying client health scores. Option D is wrong because it uses the POST method on `/dna/intent/api/v1/client-detail`, which is designed to retrieve detailed information about a specific client (typically by MAC address) rather than the aggregated health score of all wireless clients, and POST is not the correct verb for a read-only query.

Page 6

Page 7 of 7

All pages