Cisco DevNet Associate 200-901 (200-901) — Questions 526-600

992 questions total · 14 pages · All types, answers revealed

Page 8 of 14

526
MCQ · easy

Which tool is specifically designed for model-driven programmability using YANG data models?

A. NETCONF
B. SNMP
C. CLI
D. Ansible
Answer: A

NETCONF is a protocol designed for model-driven management with YANG.

Why this answer

NETCONF is the correct answer because it is a network management protocol specifically designed to operate with YANG data models, using XML or JSON encoding to transport configuration and state data. YANG defines the structure of the data, and NETCONF provides the operations (get, edit-config, etc.) to manipulate that data in a model-driven, programmatic way. This makes NETCONF the standard tool for model-driven programmability in modern network automation.

Exam trap

Cisco often tests the distinction between a protocol that natively uses YANG (NETCONF) versus tools that can work with YANG but are not designed specifically for it (like Ansible), so the trap here is assuming any automation tool that supports YANG qualifies as 'specifically designed' for model-driven programmability.

How to eliminate wrong answers

Option B (SNMP) is wrong because SNMP uses MIBs (Management Information Bases) defined by SMI (Structure of Management Information), not YANG data models, and it is primarily used for monitoring rather than model-driven configuration. Option C (CLI) is wrong because CLI is a human-oriented, command-line interface that is not model-driven and does not use YANG; it relies on proprietary, device-specific commands. Option D (Ansible) is wrong because Ansible is an automation tool that can use YANG models indirectly via modules (e.g., ios_config), but it is not specifically designed for model-driven programmability using YANG; it is a general-purpose configuration management tool.

527
MCQ · hard

A network engineer is troubleshooting a Kubernetes deployment where pods are failing to start with the error 'CrashLoopBackOff'. The pod log shows 'bind: address already in use'. The deployment runs multiple replicas of a container that listens on port 8080. What is the most likely cause?

A. The container is attempting to bind to a privileged port without the necessary capabilities.
B. The deployment has hostPort: 8080 specified, causing port conflict when multiple replicas are scheduled on the same node.
C. The service is using NodePort and the node port is already in use.
D. Multiple containers in the same pod are trying to bind to the same port.
Answer: B

hostPort reserves the port on the host node, so only one pod per node can use it. With multiple replicas, subsequent pods fail with address in use.

Why this answer

The 'bind: address already in use' error indicates that the container's process cannot bind to port 8080 because it is already occupied. When `hostPort: 8080` is specified in the pod spec, Kubernetes instructs the container runtime to map the container port to the same port on the node's network namespace. If multiple replicas of the deployment are scheduled on the same node, each pod attempts to bind to port 8080 on the host, causing a conflict and the CrashLoopBackOff state.

This is a common misconfiguration when using hostPort without ensuring that replicas are spread across different nodes.

Exam trap

Cisco often tests the distinction between hostPort (which binds to the node's IP) and containerPort (which is informational), leading candidates to overlook that hostPort causes direct port conflicts on the same node.

How to eliminate wrong answers

Option A is wrong because port 8080 is not a privileged port (privileged ports are below 1024), and the error message 'address already in use' is unrelated to capabilities. Option C is wrong because a NodePort service allocates a port on every node's IP (typically in the range 30000-32767), and the error occurs at the pod level, not at the service level; a NodePort conflict would manifest differently, such as service creation failure. Option D is wrong because multiple containers in the same pod share the same network namespace and cannot bind to the same container port without explicit port mapping, but the error is about the host port conflict, not inter-container conflict within a single pod.

528
MCQ · medium

A Python script reads a JSON configuration file named 'config.json' and needs to extract the value of a nested key 'api_key' under 'authentication'. The file structure is: {"authentication": {"api_key": "abc123", "method": "token"}, "timeout": 30}. Which code snippet correctly opens the file and retrieves the api_key value?

A. f = open('config.json'); data = json.load(f); key = data['authentication']['api_key']; f.close()
B. with open('config.json') as f: data = json.loads(f) key = data['authentication']['api_key']
C. with open('config.json', 'r') as f: data = json.load(f) key = data['authentication.api_key']
D. with open('config.json') as f: data = json.load(f) key = data['authentication']['api_key']
Answer: D

json.load() reads file and parses JSON; correct nested access.

Why this answer

Using the json module and context manager is the standard approach; the nested key is accessed via dictionary indexing.

529
MCQ · medium

A developer needs to retrieve the current user's details from Webex API. Which endpoint should they call?

A. GET /v1/people/me
B. GET /v1/rooms?me=true
C. POST /v1/people
D. GET /v1/people?email=current@user.com
Answer: A

This endpoint returns the current user's information.

Why this answer

GET /v1/people/me returns details of the authenticated user.

530
Multi-Select · medium

Which TWO of the following are valid methods for authenticating to a Cisco REST API? (Select two.)

Select 2 answers
A. API key in a custom header
B. IP address whitelisting
C. Username and password in the request body
D. Session ID in a cookie
E. OAuth 2.0 access token in Authorization header
Answers: A, E

Many Cisco APIs use API keys (e.g., Meraki).

Why this answer

API key and OAuth 2.0 token are common authentication methods. Basic auth (username:password) is also valid but less common for Cisco APIs. The question likely expects API key and OAuth 2.0.

531
MCQ · easy

A network automation script uses RESTCONF to retrieve operational data from a Cisco device. What data format is typically supported by RESTCONF?

A. YAML
B. Plain text
C. XML or JSON
D. CSV
Answer: C

RESTCONF uses XML and JSON as data formats.

Why this answer

RESTCONF (RFC 8040) is a REST-like protocol that uses HTTP methods to access structured data defined by YANG models. It natively supports both XML and JSON as data serialization formats, allowing clients to choose the format via the Accept header or URL suffix (e.g., .xml or .json). This makes XML and JSON the correct answer because they are the only formats explicitly defined in the RESTCONF specification for encoding configuration and operational data.

Exam trap

Cisco often tests the misconception that RESTCONF supports YAML because of its popularity in automation tools like Ansible, but RESTCONF strictly uses XML and JSON per RFC 8040, and YAML is not a valid encoding in the standard.

How to eliminate wrong answers

Option A is wrong because YAML is not a supported data format in RESTCONF; RESTCONF uses XML and JSON as defined in RFC 8040, and YAML is not part of the standard. Option B is wrong because plain text lacks the structured, hierarchical representation required by YANG data models, and RESTCONF requires a structured format like XML or JSON for data serialization. Option D is wrong because CSV is a flat, row-based format that cannot represent the nested, tree-like data structures of YANG models, and it is not supported by RESTCONF.

532
Matching · medium

Match each JSON data type to its example.

Concepts
Matches

"hello"

42

true

[1, 2, 3]

{"key": "value"}

Why these pairings

JSON supports these basic data types.

533
MCQ · easy

Which Meraki API response header provides information for paginating through a large result set?

A. Content-Range
B. Link
C. X-RateLimit-Remaining
D. Retry-After
Answer: B

Correct. The Link header contains URLs for next and previous pages.

Why this answer

Meraki uses the Link header (LinkHeader) with 'next' and 'prev' URLs, or alternatively the startingAfter/endingBefore parameters. The Link header is standard for pagination.

534
MCQ · medium

A company has multiple subnets. A device in subnet 192.168.1.0/24 needs to communicate with a device in subnet 192.168.2.0/24. What is required for this communication?

A. A DNS server
B. A VLAN
C. A bridge
D. A router or Layer 3 switch
Answer: D

A router or Layer 3 switch can forward packets between different subnets.

Why this answer

Devices in different subnets (192.168.1.0/24 and 192.168.2.0/24) are on separate Layer 3 networks. To forward packets between these subnets, a router or Layer 3 switch is required to perform IP routing, using the destination IP address to determine the next hop. Without a Layer 3 device, the frames cannot leave the local broadcast domain.

Exam trap

Cisco often tests the misconception that a VLAN alone enables communication between subnets, but VLANs only isolate traffic at Layer 2; a Layer 3 device is always needed to route between different subnets.

How to eliminate wrong answers

Option A is wrong because a DNS server resolves hostnames to IP addresses but does not forward packets between subnets; routing is a Layer 3 function, not a naming service. Option B is wrong because a VLAN segments a single switch into multiple broadcast domains at Layer 2, but it does not route between subnets; inter-VLAN communication still requires a Layer 3 device. Option C is wrong because a bridge operates at Layer 2 to connect two network segments within the same subnet, forwarding frames based on MAC addresses; it cannot route between different IP subnets.

535
MCQ · hard

An engineer is using EEM on an IOS XE device. They want to trigger an applet when a specific syslog message appears. Which event trigger type should they use?

A. event syslog pattern
B. event interface
C. event cli match
D. event timer
Answer: A

This matches a syslog message pattern.

Why this answer

EEM supports syslog pattern matching as an event trigger.

536
MCQ · hard

A network automation engineer is developing a Python script that uses the NETCONF protocol to retrieve the running configuration from a Cisco IOS XE device. They use the ncclient library. The script works on the test device but fails on a production device with an error: "ncclient.transport.errors.AuthenticationError: Authentication exception". The engineer verifies that the SSH credentials (username and password) are correct and that the production device is reachable via SSH on port 830. What is the most likely issue?

A. The production device uses a different port for NETCONF than the test device.
B. The production device has a firewall rule blocking NETCONF capabilities.
C. The production device does not have NETCONF enabled; it only supports SSH.
D. The production device requires SSH key-based authentication, but the script uses password.
Answer: D

Many production devices require keys for NETCONF authentication; password may fail at the NETCONF layer.

Why this answer

The error 'AuthenticationException' from ncclient indicates that the NETCONF session over SSH failed during authentication. Since the engineer verified the password is correct and the device is reachable on port 830, the most likely cause is that the production device is configured to require SSH key-based authentication (e.g., using 'ip ssh server algorithm authentication publickey' or similar), while the script is attempting password-based authentication. ncclient defaults to password authentication unless explicitly configured with a key filename.

Exam trap

Cisco often tests the distinction between SSH transport authentication failures and NETCONF protocol-level failures, leading candidates to incorrectly attribute the error to NETCONF not being enabled or a firewall issue rather than the SSH authentication method mismatch.

How to eliminate wrong answers

Option A is wrong because the engineer verified the device is reachable via SSH on port 830, and the error is an authentication exception, not a connection timeout or port mismatch. Option B is wrong because a firewall rule blocking NETCONF capabilities would typically cause a connection timeout or 'Connection refused' error, not an authentication exception. Option C is wrong because if the device only supported SSH and not NETCONF, the ncclient library would fail with a 'CapabilityException' or similar error during the hello exchange, not an authentication error.

537
MCQ · medium

A developer is designing a Python script to parse the output of 'show ip interface brief' from a Cisco IOS device. The output is stored in a string variable. The developer wants to extract only the interfaces that are up/up. The current code uses regular expressions but often fails because the interface names contain special characters (e.g., GigabitEthernet1/0/1). Which approach should the developer use to reliably parse the output?

A. Use the 're' module with a more complex pattern that escapes special characters
B. Use split on whitespace and check column values
C. Use a structured data format like JSON or YAML if available from the device
D. Use a CSV parser with a custom delimiter
Answer: C

Structured output is consistent, machine-readable, and immune to formatting changes.

Why this answer

Option C is correct because Cisco IOS devices can output structured data formats like JSON or YAML when commands are prefixed with 'pipe' modifiers (e.g., `show ip interface brief | json`). Parsing structured data eliminates the need for fragile regex patterns that fail on interface names containing special characters like slashes or hyphens. This approach is more reliable and maintainable, aligning with modern network automation practices.

Exam trap

The trap here is that candidates assume regex or string splitting is always sufficient for parsing CLI output, overlooking that Cisco devices can natively output structured data formats like JSON, which is the recommended method for reliable parsing in network automation.

How to eliminate wrong answers

Option A is wrong because escaping special characters in regex patterns does not address the fundamental issue of variable-length interface names with nested delimiters (e.g., GigabitEthernet1/0/1), and complex patterns become brittle and hard to maintain. Option B is wrong because splitting on whitespace fails when interface names contain spaces or when the output format varies (e.g., extra spaces, line breaks), leading to misalignment of columns. Option D is wrong because a CSV parser expects a consistent delimiter and header row, but 'show ip interface brief' output is not CSV-formatted and may include irregular spacing or multiline entries.

538
MCQ · medium

When using RESTCONF to configure a network device, what Content-Type header should be set in the HTTP request to indicate YANG data in JSON format?

A. application/yang
B. application/yang-data+json
C. application/xml
D. application/json
Answer: B

Correct media type for RESTCONF with JSON.

Why this answer

RESTCONF uses application/yang-data+json for JSON encoding of YANG data.

539
MCQ · medium

A developer is writing a Dockerfile for a Node.js application. The application uses environment variables for configuration. Which Dockerfile instruction should be used to set a default value for the NODE_ENV variable?

A. RUN export NODE_ENV=production
B. ARG NODE_ENV=production
C. ENV NODE_ENV=production
D. CMD NODE_ENV=production
Answer: C

Correct. ENV sets environment variables that persist in the container.

Why this answer

Option C is correct because the ENV instruction sets environment variables that persist in the container at runtime, making it the appropriate way to define a default value for NODE_ENV that can be overridden later with `docker run -e`. Unlike shell-level exports or build-time-only ARGs, ENV ensures the variable is available to the Node.js process when the container starts.

Exam trap

Cisco often tests the distinction between build-time (ARG) and runtime (ENV) instructions, and the trap here is that candidates confuse ARG with ENV because both can set default values, but only ENV persists into the running container.

How to eliminate wrong answers

Option A is wrong because `RUN export` sets the variable only during the build step and does not persist into the final container image or runtime environment. Option B is wrong because ARG defines build-time variables that are not available to the running container unless explicitly passed via `--build-arg`, and they are not inherited by the runtime environment. Option D is wrong because CMD is used to provide default command arguments or an executable, not to set environment variables; it would be interpreted as a command string, not a key-value pair.

540
MCQ · medium

When using the Cisco DNA Center intent API to retrieve issues, the response includes a Link header with rel="next" and a URL. What type of pagination is this?

A. Offset/limit pagination
B. Cursor-based pagination via Link header
C. Page-based pagination
D. No pagination
Answer: B

Link header with rel="next" is cursor-based.

Why this answer

The Link header with rel="next" indicates cursor-based or link-based pagination.

541
MCQ · medium

A developer writes a Python script using ncclient to retrieve the running configuration from a Cisco IOS XE device. The script fails with an XML parsing error. What is the most likely cause?

A. The script is not filtering the output correctly and receives multiple root elements
B. The device does not support NETCONF
C. The ncclient library version is too old
D. The username and password are incorrect
Answer: A

If multiple root elements are returned (e.g., unfiltered), the XML parser will throw an error.

Why this answer

The most likely cause is that the script does not filter the NETCONF reply to a specific subtree, so the device returns multiple top-level XML elements (e.g., both <native> and <config>). An XML parser expects a single root element, and receiving multiple roots triggers a parsing error. ncclient's `get_config` with no filter can return the entire configuration as separate elements, violating XML well-formedness.

Exam trap

Cisco often tests the subtle requirement that NETCONF replies must be well-formed XML with a single root element, and candidates mistakenly think the error is due to connectivity or authentication rather than the missing filter.

How to eliminate wrong answers

Option B is wrong because if the device did not support NETCONF, the script would fail with a connection or capability exchange error, not an XML parsing error. Option C is wrong because an outdated ncclient library might cause missing features or deprecation warnings, but it would not directly produce an XML parsing error from a valid reply. Option D is wrong because incorrect credentials would result in an authentication failure (e.g., 'AuthenticationException' or connection refused), not an XML parsing error.

542
Multi-Select · hard

Which THREE of the following are valid methods to handle API rate limiting in a Python automation script? (Select exactly 3.)

Select 3 answers
A. Parse the Retry-After header from the response
B. Use a token bucket algorithm to control request rate
C. Sleep for a fixed amount of time between requests
D. Ignore the limit and send requests faster
E. Implement retry logic with exponential backoff
Answers: A, B, E

Respects server-specified wait time.

Why this answer

Option A is correct because the Retry-After header is a standard HTTP mechanism (defined in RFC 7231) that explicitly tells the client how long to wait before making the next request. Parsing this header allows your Python script to respect the server's rate limit dynamically, rather than using a fixed or arbitrary delay. This is a common pattern when interacting with REST APIs that enforce rate limiting.

Exam trap

Cisco often tests the distinction between a fixed sleep (which is naive and not adaptive) versus dynamic methods like parsing Retry-After or using exponential backoff, and candidates mistakenly think a static delay is sufficient for rate limiting.

543
Multi-Select · hard

Which THREE are best practices for securing a CI/CD pipeline?

Select 3 answers
A. Use dynamic application security testing (DAST) tools
B. Allow manual approval for production deployments
C. Store credentials in the source code repository
D. Run all pipeline steps as the same user
E. Use static application security testing (SAST) tools
Answers: A, B, E

DAST tests running applications for security issues.

Why this answer

Dynamic application security testing (DAST) tools analyze a running application by simulating external attacks, which helps identify runtime vulnerabilities such as SQL injection or cross-site scripting. Integrating DAST into a CI/CD pipeline ensures that security checks are automated and performed before deployment, catching issues that static analysis might miss. This aligns with the DevSecOps principle of shifting security left without slowing down delivery.

Exam trap

Cisco often tests the distinction between DAST and SAST, where candidates may incorrectly think only one is needed, but the exam expects both as complementary practices for comprehensive security coverage.

544
MCQ · medium

A developer needs to store a database password securely in a Kubernetes cluster. Which resource should be used?

A. Secret
B. PersistentVolume
C. ConfigMap
D. ServiceAccount
Answer: A

Secret is the appropriate resource for storing sensitive data like passwords.

Why this answer

Secrets are designed to store sensitive information such as passwords; the values are base64-encoded, but the resource type is intended for secret data. ConfigMaps are for non-sensitive data.

545
MCQ · hard

A Python script using the Cisco Meraki API v1 is failing with a 429 status code. What is the recommended course of action?

A. Change the API endpoint to a different region
B. Check the API token
C. Increase the rate limit on the dashboard
D. Implement retry logic with exponential backoff and respect Retry-After header
Answer: D

This is the standard approach for handling rate limiting.

Why this answer

A 429 status code indicates rate limiting, meaning the client has exceeded the allowed number of requests per time window. The correct response is to implement retry logic with exponential backoff and respect the Retry-After header, which tells the client how long to wait before retrying. This is a standard best practice for REST APIs, including Cisco Meraki's API v1, to handle rate limits gracefully without overwhelming the server.

Exam trap

Cisco often tests the distinction between HTTP status codes, so the trap here is that candidates confuse a 429 (rate limit) with authentication errors (401/403) or assume they can modify server-side limits, leading them to pick options like B or C.

How to eliminate wrong answers

Option A is wrong because changing the API endpoint to a different region does not affect rate limits; rate limits are per API key or per organization, not per regional endpoint. Option B is wrong because a 429 status code is not related to authentication; an invalid API token would result in a 401 Unauthorized or 403 Forbidden error, not a 429. Option C is wrong because the rate limit is enforced by the Meraki cloud and cannot be increased by the client; the dashboard does not provide a mechanism for clients to modify their rate limit.

546
MCQ · medium

A team uses Chef to manage network device configurations. Which component of Chef is responsible for storing configuration policy and distributing it to nodes?

A. Knife
B. Chef Server
C. Chef Client
D. Supermarket
Answer: B

The central server stores and distributes policy.

Why this answer

The Chef Server is the central hub that stores configuration policies (cookbooks, roles, environments, data bags) and distributes them to nodes via a REST API. When a Chef Client runs on a node, it authenticates with the Chef Server and downloads the relevant policy to converge the node to the desired state. This makes the Chef Server the authoritative source of configuration policy in a Chef architecture.

Exam trap

Cisco often tests the distinction between the Chef Server (policy storage/distribution) and the Chef Client (policy execution), tempting candidates to confuse the agent with the central repository.

How to eliminate wrong answers

Option A is wrong because Knife is a command-line tool used by administrators to interact with the Chef Server (e.g., upload cookbooks, bootstrap nodes), but it does not store or distribute policy itself. Option C is wrong because the Chef Client is an agent that runs on nodes to apply configuration locally; it pulls policy from the Chef Server but does not store or distribute it. Option D is wrong because Supermarket is a public community repository for sharing cookbooks, not a component that stores or distributes policy within an organization's own infrastructure.

547
Multi-Select · hard

A network automation script uses Git for version control. The developer wants to revert the last two commits on the current branch but keep the changes in the working directory for further modification. Which TWO Git commands can achieve this? (Choose two.)

Select 2 answers
A. git checkout HEAD~2
B. git reset --hard HEAD~2
C. git reset --soft HEAD~2
D. git remove HEAD~2
E. git revert HEAD~2..HEAD
Answers: C, E

Moves HEAD back two commits, keeps changes staged.

Why this answer

git reset --soft and git revert can be used; soft reset moves HEAD back but keeps changes staged; revert creates new commits undoing changes.

548
MCQ · medium

Refer to the exhibit. Which statement correctly describes this subscription configuration?

A. It subscribes to YANG-push notifications for interface state data.
B. It pushes interface operational status changes to a receiver using UDP.
C. It uses XML encoding for the telemetry data.
D. The receiver is configured to listen on port 2000 using TCP.
Answer: A

Correct description.

Why this answer

Option A is correct because the subscription configuration uses YANG-push notifications to stream interface state data. The presence of a subscription ID, a YANG-push filter (e.g., 'ietf-interfaces:interfaces-state'), and a destination group (e.g., '10.1.1.1:2000') indicates that the device is configured to push telemetry data for interface operational state changes to a receiver using the YANG-push model, which is a standard mechanism for streaming data from network devices.

Exam trap

Cisco often tests the distinction between subscription configuration details (e.g., destination IP/port) and the actual transport protocol or encoding used, leading candidates to incorrectly assume that a port number implies a specific protocol (like UDP) or that YANG-push always uses XML encoding.

How to eliminate wrong answers

Option B is wrong because YANG-push notifications typically use TCP (e.g., gRPC or NETCONF) or UDP with DTLS for secure transport, but the subscription configuration does not specify UDP; the destination port 2000 is commonly used for gRPC or custom telemetry receivers, not necessarily UDP. Option C is wrong because YANG-push telemetry data is typically encoded in JSON or CBOR, not XML, unless explicitly configured for NETCONF-based subscriptions; the exhibit shows no XML encoding specification. Option D is wrong because the receiver is not configured to listen on port 2000 using TCP; the subscription defines the destination IP and port (10.1.1.1:2000) for the telemetry data to be sent to, but the receiver's listening protocol (TCP or UDP) is not specified in the subscription configuration.

549
MCQ · medium

A Kubernetes pod contains two containers that need to share a local filesystem. Which volume type should be used to enable this?

A. hostPath
B. emptyDir
C. configMap
D. persistentVolumeClaim
Answer: B

emptyDir provides a shared volume for containers within the same pod.

Why this answer

An emptyDir volume is created empty when a pod is assigned to a node and exists as long as the pod runs; it can be mounted by multiple containers within the same pod.

550
MCQ · hard

Refer to the exhibit. A network engineer applies this JSON-based QoS policy to a Cisco device using NETCONF/YANG. Which statement best describes the expected behavior for traffic from 10.0.0.0/24 with DSCP EF?

A. Traffic with DSCP EF from any source is re-marked to AF41 and dropped if exceeding 100 Mbps.
B. The policy is invalid because DSCP values cannot be changed in a QoS policy.
C. Traffic from 10.0.0.0/24 with DSCP EF is re-marked to AF41 and limited to 100 Mbps; excess is dropped.
D. Traffic from 10.0.0.0/24 is re-marked to DSCP EF, then policed at 100 Mbps.
Answer: C

The policy matches both conditions, then re-marks and polices.

Why this answer

Option C is correct because the JSON-based QoS policy uses a class map matching traffic from source 10.0.0.0/24 with DSCP EF, then applies a police action that re-marks exceeding traffic to AF41 and drops it when the rate exceeds 100 Mbps. This is a standard two-rate policer behavior in Cisco IOS QoS, where conforming traffic is transmitted unchanged and exceeding traffic is re-marked and dropped.

Exam trap

Cisco often tests the distinction between matching criteria (source IP and DSCP) versus the action applied (re-marking and policing), leading candidates to confuse which traffic is matched and what happens to conforming versus exceeding packets.

How to eliminate wrong answers

Option A is wrong because the policy matches traffic from 10.0.0.0/24 with DSCP EF, not any source; the match condition is specific to that source subnet. Option B is wrong because DSCP values can be changed in a QoS policy using the 'set dscp' action within a police or service-policy; this is a common practice for re-marking. Option D is wrong because the policy does not re-mark traffic to DSCP EF; it matches traffic already marked as DSCP EF and then polices it, re-marking exceeding traffic to AF41.

551
MCQ · easy

At which layer of the OSI model do MAC addresses operate?

A. Layer 2 – Data Link
B. Layer 1 – Physical
C. Layer 4 – Transport
D. Layer 3 – Network
Answer: A

Correct. MAC addresses are Layer 2 identifiers.

Why this answer

MAC addresses operate at Layer 2 (Data Link) of the OSI model because they are used for local network addressing and frame delivery between directly connected devices. The Data Link layer encapsulates packets into frames and uses MAC addresses to identify source and destination interfaces on the same network segment, as defined by IEEE 802 standards.

Exam trap

Cisco often tests the confusion between Layer 2 MAC addresses and Layer 3 IP addresses, where candidates mistakenly associate MAC addresses with routing or network-layer functions instead of local data-link delivery.

How to eliminate wrong answers

Option B is wrong because Layer 1 (Physical) deals with raw bit transmission over physical media, such as voltages, cables, and connectors, not addressing. Option C is wrong because Layer 4 (Transport) uses port numbers (e.g., TCP/UDP) to identify applications and manage end-to-end communication, not MAC addresses. Option D is wrong because Layer 3 (Network) uses logical IP addresses (e.g., IPv4 or IPv6) for routing between networks, while MAC addresses are used for local delivery within a broadcast domain.

552
MCQ · hard

You are a DevNet engineer responsible for automating configuration management across a Cisco SD-WAN fabric. You have been using the vManage REST API to retrieve device inventory and template lists. You generate an API token with read/write scope and successfully execute GET requests to /dataservice/device and /dataservice/template/device to list devices and templates. Now you want to attach a specific template to a device using POST /dataservice/template/device/config/attach. Your Python script uses the correct URL and includes the token in the Authorization header. The request body contains the device UUID and template UUID retrieved earlier. However, the API returns an HTTP 403 Forbidden error. You have verified that the device UUID and template UUID are correct and that the template exists. The vManage server logs indicate no high resource usage. What is the most likely cause of the 403 error?

A.The vManage version does not support the attach API.
B.The template is already attached to the device.
C.The device is not part of any template group.
D.The API token has been issued only with read scope for the attach operation.
AnswerB

If the template is already attached, the API would return a 409 Conflict or 400 Bad Request, not 403.

Why this answer

The HTTP 403 Forbidden error indicates that the server understood the request but refuses to authorize it. In the context of Cisco SD-WAN vManage API, attempting to attach a template that is already attached to the device results in a 403 error because the API enforces idempotency and prevents duplicate attachments. This is a specific security and state-management behavior, not a generic permission issue.

Exam trap

Cisco often tests the misconception that a 403 Forbidden always means an authorization or scope issue, when in fact it can be a state-based rejection like attempting to attach an already-attached template.

How to eliminate wrong answers

Option A is wrong because if the vManage version did not support the attach API, the server would typically return a 404 Not Found or a 501 Not Implemented, not a 403 Forbidden. Option C is wrong because the device not being part of any template group does not cause a 403; it would either succeed (if the template is standalone) or return a different error like 400 Bad Request. Option D is wrong because the token was explicitly generated with read/write scope, and the 403 is not a scope issue; a scope mismatch would result in a 401 Unauthorized or a 403 with a specific scope-related error message, not a generic 403 for an idempotent attach attempt.

553
MCQmedium

An application uses the Meraki Dashboard API to fetch the list of networks for an organization. The API response includes a Link header with rel='next' pointing to the next page. Which pagination method is the API using?

A.Cursor-based pagination using startingAfter/endingBefore parameters
B.Offset-based pagination using page and perPage parameters
C.LinkHeader-based pagination
D.Token-based pagination using a nextPageToken parameter
AnswerC

Correct. Meraki uses LinkHeader-based pagination where the next page URL is provided in the Link header.

Why this answer

Meraki supports LinkHeader-based pagination. The Link header with rel='next' indicates the next page URL.

554
MCQmedium

A CI/CD pipeline uses GitLab CI. The pipeline must build a Docker image and then run security scans on the image before pushing. Which GitLab CI keyword allows defining a sequence of jobs that must run in order?

A.before_script
B.stages
C.only
D.image
AnswerB

Correct. stages define the sequential pipeline order.

Why this answer

The 'stages' keyword defines the order of jobs. Jobs are grouped by stage, and stages run sequentially.

555
MCQeasy

A developer creates a Dockerfile for a Python web application. Which instruction should be used to copy the application source code into the container image?

A.CMD
B.COPY
C.RUN
D.EXPOSE
AnswerB

COPY is the correct instruction to copy files into the image.

Why this answer

The COPY instruction copies files or directories from the build context into the container filesystem. RUN executes commands, EXPOSE documents ports, and CMD sets the default command.

556
MCQhard

Refer to the exhibit. A switch is configured with the shown trunk port. After connecting the uplink, the switch logs show repeated 'errdisable' state transitions on this port. The core switch is configured with the same allowed VLAN list. Which configuration change is most likely to resolve the issue?

A.Change the switchport mode to dynamic desirable.
B.Add VLAN 1 to the allowed VLAN list.
C.Remove the spanning-tree portfast trunk command from the interface.
D.Add the spanning-tree bpduguard enable command to the interface.
AnswerC

Portfast trunk is designed for host-facing trunks (e.g., to servers) and can cause STP issues when connecting to another switch.

Why this answer

The 'errdisable' state transitions on a trunk port are typically caused by a spanning-tree BPDU guard violation when PortFast is enabled. The 'spanning-tree portfast trunk' command enables PortFast on the trunk, which bypasses the normal listening/learning states and can cause the port to be placed into errdisable state if a BPDU is received from the core switch. Removing this command allows the trunk port to participate in standard spanning-tree convergence, preventing the repeated errdisable transitions.

Exam trap

Cisco often tests the misconception that 'spanning-tree portfast trunk' is safe for trunk ports, but the trap is that PortFast combined with BPDU guard (even if not explicitly configured, but enabled globally) causes errdisable when BPDUs are received, so the fix is to remove PortFast from the trunk.

How to eliminate wrong answers

Option A is wrong because changing the switchport mode to 'dynamic desirable' does not address the errdisable issue; it only affects DTP negotiation and could cause trunking misalignment. Option B is wrong because VLAN 1 is already the native VLAN and is implicitly allowed on trunk ports; adding it to the allowed VLAN list is redundant and does not resolve errdisable transitions. Option D is wrong because adding 'spanning-tree bpduguard enable' would actually worsen the problem by explicitly enabling BPDU guard, which is the mechanism causing the errdisable state when a BPDU is received on a PortFast-enabled port.

557
Multi-Selecthard

A developer is building an automation script to retrieve network device details from Cisco DNA Center. The script needs to authenticate and then call the device list API. Which THREE steps are required in the correct sequence?

Select 2 answers
A.Send a GET request to /dna/intent/api/v1/network-device
B.Enable cookie-based authentication in the HTTP client
C.Use the token in the Authorization header as Bearer token for subsequent requests
D.Send a POST request to /dna/system/api/v1/auth/token with Basic Auth
E.Include the token as a query parameter in the device list request
AnswersC, D

The token is used in the Authorization header for all subsequent API calls.

Why this answer

Option C is correct because after obtaining a token via a POST request to the authentication endpoint, the token must be included in the Authorization header as a Bearer token for subsequent API calls. Cisco DNA Center uses token-based authentication (JWT), and the token is passed in the HTTP header as 'Authorization: Bearer <token>' to authorize requests to the device list API.

Exam trap

Cisco often tests the distinction between token-based authentication (Bearer token in header) and cookie-based or query-parameter authentication, and candidates may incorrectly assume cookies or query parameters are valid for Cisco DNA Center APIs.

558
MCQeasy

What does the Git command 'git log --oneline' display?

A.A list of files changed in the last commit
B.The branches and their latest commits
C.The differences between the working directory and the last commit
D.A summary of each commit on one line
AnswerD

Correct: oneline format.

Why this answer

The --oneline flag condenses each commit to a single line showing the commit hash and message.

559
Multi-Selectmedium

A Kubernetes cluster has a deployment named 'frontend' that needs to be updated to a new image version. The update should be performed with zero downtime. Which three kubectl commands or approaches can achieve this? (Choose three.)

Select 3 answers
A.kubectl set image deployment/frontend frontend=myimage:v2
B.kubectl delete deployment frontend and then create a new deployment.
C.kubectl edit deployment frontend and change the image.
D.kubectl rollout undo deployment/frontend
E.kubectl apply -f updated-frontend.yaml with the new image.
AnswersA, C, E

Directly updates the image, triggers rolling update.

Why this answer

Rolling updates can be done by editing the deployment, applying a new YAML, or using set image. kubectl edit deployment updates the live config. kubectl apply -f update.yaml applies a new manifest. kubectl set image updates the image directly. kubectl delete and create would cause downtime.

560
MCQhard

A network administrator is configuring a wireless network and wants to minimize interference. In the 2.4 GHz band, which set of channels is non-overlapping?

A.1, 5, 9, 13
B.1, 3, 5, 7, 9, 11
C.1, 6, 11
D.2, 7, 12
AnswerC

Correct. These are the standard non-overlapping channels.

Why this answer

Channels 1, 6, and 11 are the only non-overlapping channels in the 2.4 GHz band.

561
MCQeasy

Which data format is most commonly used in REST API requests and responses in modern network automation?

A.YAML
B.XML
C.CSV
D.JSON
AnswerD

JSON is the standard for REST APIs.

Why this answer

JSON (JavaScript Object Notation) is the most commonly used data format in REST API requests and responses for modern network automation because it is lightweight, language-agnostic, and natively supported by most programming languages and network devices. REST APIs typically use JSON over HTTP due to its ease of parsing, compact structure, and alignment with web development practices, making it the de facto standard for exchanging structured data in automation workflows like those with Cisco NSO, Ansible, or Python scripts.

Exam trap

The trap here is that candidates may confuse YAML's prevalence in configuration management (e.g., Ansible) with REST API data interchange, or assume XML's historical role in SOAP extends to modern REST, leading them to overlook JSON's dominance in actual API payloads.

How to eliminate wrong answers

Option A is wrong because YAML, while popular in configuration files (e.g., Ansible playbooks), is not the primary format for REST API payloads; it lacks native HTTP content-type support and is less commonly used in request/response bodies. Option B is wrong because XML, though historically used in SOAP APIs and some legacy REST implementations, is verbose, requires more parsing overhead, and has been largely superseded by JSON in modern REST APIs due to simplicity and performance. Option C is wrong because CSV is a tabular data format unsuitable for hierarchical or nested structures common in REST API responses, and it lacks standard schema support for complex objects like device configurations or network states.

562
MCQmedium

In a Docker Compose file, a service 'web' depends on 'db'. The 'db' service uses a volume to persist data. Which compose key ensures that the database starts before the web service?

A.volumes
B.depends_on
C.links
D.networks
AnswerB

depends_on ensures startup order.

Why this answer

depends_on creates a startup order: Docker Compose starts 'db' before 'web'. It does not wait for 'db' to be ready; that requires healthchecks.

563
Multi-Selecthard

An engineer is configuring a new IPv4 subnet with the address 172.16.5.0/25. Which three statements are true about this subnet? (Choose three.)

Select 3 answers
A.The subnet mask is 255.255.255.192.
B.There are 126 usable host addresses.
C.The broadcast address is 172.16.5.127.
D.The subnet mask is 255.255.255.128.
E.The network address is 172.16.5.128.
AnswersB, C, D

2^(32-25) - 2 = 126.

Why this answer

Option B is correct because a /25 prefix length corresponds to a subnet mask of 255.255.255.128, which provides 2^(32-25) - 2 = 128 - 2 = 126 usable host addresses. The network address is 172.16.5.0, and the broadcast address is 172.16.5.127, leaving addresses 172.16.5.1 through 172.16.5.126 for hosts.

Exam trap

Cisco often tests the confusion between the network address and the first usable host address, or the tendency to misapply the subnet mask by using 255.255.255.192 (/26) instead of 255.255.255.128 (/25) when the prefix length is given.

564
Multi-Selecthard

An engineer is troubleshooting a network issue where a client cannot reach a server. The client uses HTTPS. Which TWO factors are essential for a successful TLS handshake?

Select 2 answers
A.The server must have a valid digital certificate
B.The handshake uses UDP for faster negotiation
C.The client must present a certificate to the server
D.The client must have a public key to encrypt the session
E.The server's private key is used to decrypt the pre-master secret
AnswersA, E

The certificate proves the server's identity.

Why this answer

Option A is correct because the server must present a valid digital certificate during the TLS handshake to prove its identity to the client. This certificate contains the server's public key and is signed by a trusted Certificate Authority (CA), enabling the client to verify the server's authenticity before proceeding with encrypted communication.

Exam trap

Cisco often tests the misconception that the client must always present a certificate or that the handshake uses UDP, when in reality client certificates are optional and TLS relies on TCP.

565
MCQmedium

A network automation engineer is using Ansible to manage Cisco IOS devices. The playbook includes a task that executes a 'show version' command and registers the output. The engineer then wants to parse the output to extract the IOS version. Which approach should be used?

A.Use the 'cisco.ios.ios_command' module and parse the output with regex
B.Use the 'cisco.ios.ios_command' module and the 'parse' option
C.Use the 'cisco.ios.ios_config' module to retrieve the version
D.Use the 'cisco.ios.ios_facts' module to get structured facts
AnswerD

Correct: 'ios_facts' returns structured data including the IOS version.

Why this answer

The 'cisco.ios.ios_facts' module retrieves structured data from Cisco IOS devices, including the IOS version as a key-value pair in the Ansible facts dictionary. This eliminates the need for manual parsing, as the module uses the device's CLI or NETCONF to gather structured output, making it the most efficient and reliable approach for extracting specific device attributes.

Exam trap

Cisco often tests the misconception that raw CLI output must be parsed manually, but the correct approach is to use dedicated facts modules that return structured data, avoiding fragile regex or template-based parsing.

How to eliminate wrong answers

Option A is wrong because while 'cisco.ios.ios_command' can execute 'show version' and register raw output, parsing it with regex is error-prone, fragile, and unnecessary when structured facts are available. Option B is wrong because the 'parse' option in 'cisco.ios.ios_command' is used for converting unstructured output to structured data using a 'parser' or 'textfsm' template, but it still requires a template and is not the direct method for obtaining the IOS version as a fact. Option C is wrong because 'cisco.ios.ios_config' is designed for pushing configuration changes, not for retrieving operational data like the IOS version; it does not support 'show' commands or fact gathering.

566
Drag & Dropmedium

Drag and drop the steps to set up a Python virtual environment for a DevNet project into the correct order.

Why this order

Virtual environments isolate dependencies; creation, activation, package installation, and deactivation are standard steps.

567
Multi-Selectmedium

Which TWO of the following are benefits of using UDP over TCP for real-time applications?

Select 2 answers
A.Lower latency due to no connection setup
B.Guaranteed delivery of all packets
C.Reduced overhead from smaller header size
D.In-order packet delivery
E.Congestion control to avoid network overload
AnswersA, C

UDP is connectionless, reducing latency.

Why this answer

Option A is correct because UDP does not require a three-way handshake (SYN, SYN-ACK, ACK) before data transmission, eliminating the connection setup latency inherent in TCP. This makes UDP ideal for real-time applications like VoIP or video streaming where low delay is critical.

Exam trap

Cisco often tests the misconception that 'reliable' means 'better' for all applications, but candidates must recognize that real-time apps prioritize low latency over reliability, making UDP's lack of guarantees a feature, not a flaw.

568
MCQeasy

An automation engineer wants to programmatically retrieve the interface configuration of a Cisco Nexus switch using NX-API. Which API call method is most appropriate?

A.POST
B.DELETE
C.PUT
D.GET
AnswerD

GET is used to retrieve resource representations.

Why this answer

The NX-API on Cisco Nexus switches uses HTTP methods that map to CRUD operations. To retrieve (read) interface configuration without modifying any state, the GET method is the correct and most appropriate choice, as it corresponds to the 'show' commands in the CLI. POST, PUT, and DELETE are intended for creating, updating, or deleting resources, not for read-only queries.

Exam trap

The trap here is that candidates may confuse POST with GET because NX-API examples often use POST for sending CLI commands in the request body, but the question specifically asks for retrieving configuration, which requires the read-only GET method.

How to eliminate wrong answers

Option A is wrong because POST is used to create a new resource or invoke an action (e.g., applying a configuration), not to retrieve existing data. Option B is wrong because DELETE is used to remove a resource (e.g., deleting an interface configuration), which is destructive and inappropriate for a read operation. Option C is wrong because PUT is used to update or replace an existing resource (e.g., modifying interface parameters), not to retrieve configuration.

569
MCQmedium

A developer needs to view the logs of a running Docker container with ID 'abc123'. Which command should be used?

A.docker inspect abc123
B.docker exec -it abc123 logs
C.docker logs -f abc123
D.docker attach abc123
AnswerC

logs -f streams logs from the container.

Why this answer

docker logs -f follows the log output. docker exec runs a command inside a container, docker attach attaches to a running container's I/O, and docker inspect shows detailed info.

570
MCQhard

A developer needs to register a Webex webhook that triggers when a new message is posted in any room the bot is a member of. Which resource and event should be specified?

A.resource: 'rooms', event: 'created'
B.resource: 'messages', event: 'updated'
C.resource: 'messages', event: 'created'
D.resource: 'memberships', event: 'created'
AnswerC

Correct. This triggers when a new message is created.

Why this answer

To listen for new messages in any room the bot is in, use the 'messages' resource and 'created' event.

571
MCQhard

A network engineer is tasked with segmenting a large broadcast domain into smaller ones using VLANs. In the OSI model, at which layer does a VLAN operate?

A.Layer 2 - Data Link
B.Layer 4 - Transport
C.Layer 1 - Physical
D.Layer 3 - Network
AnswerA

VLANs work by adding tags to Ethernet frames at Layer 2.

Why this answer

VLANs operate at Layer 2 (Data Link) by tagging frames with VLAN IDs to separate broadcast domains.

572
MCQmedium

An application uses UDP. Which characteristic is true about this application's communication?

A.It guarantees packet delivery
B.It retransmits lost packets
C.It is connectionless
D.It performs a three-way handshake
AnswerC

UDP sends datagrams without establishing a connection.

Why this answer

UDP is a connectionless transport protocol, meaning it does not establish a dedicated end-to-end connection before sending data. This characteristic allows for low-latency, best-effort delivery without the overhead of connection setup, which is ideal for applications like DNS queries or streaming media where speed is prioritized over reliability.

Exam trap

Cisco often tests the misconception that all transport protocols provide reliability, leading candidates to associate UDP with features like guaranteed delivery or retransmission, when in fact those are exclusive to TCP.

How to eliminate wrong answers

Option A is wrong because UDP does not guarantee packet delivery; it is a best-effort protocol that provides no acknowledgment or retransmission mechanisms. Option B is wrong because UDP does not retransmit lost packets; retransmission is a feature of TCP, which uses sequence numbers and acknowledgments to ensure reliable delivery. Option D is wrong because a three-way handshake is a connection-establishment process used by TCP (SYN, SYN-ACK, ACK), not by UDP, which sends datagrams without prior setup.

573
Multi-Selectmedium

A developer is building a web application and wants to implement security best practices. Which TWO actions should be taken? (Choose two.)

Select 2 answers
A.Use parameterized queries for SQL
B.Use CSRF tokens in forms
C.Store passwords in plaintext
D.Disable HTTPS to improve performance
E.Apply output encoding to prevent XSS
AnswersB, E

Correct. CSRF tokens prevent cross-site request forgery.

Why this answer

B is correct because CSRF tokens are a standard defense against Cross-Site Request Forgery attacks. By embedding a unique, unpredictable token in each form and validating it on the server, the application ensures that requests originate from the legitimate user session, not from a malicious third-party site. This is a fundamental security best practice for web applications handling state-changing requests.

Exam trap

Cisco often tests the distinction between multiple valid security practices and forces you to select the two that are explicitly listed as correct in the answer options; the trap here is that parameterized queries (option A) are a real best practice, but the question's correct pair is B and E, so candidates who pick A instead of one of those will be wrong.

574
MCQeasy

A developer is creating an application that uses the Cisco Webex Teams API to send messages. What authentication method is typically used?

A.Session cookies
B.Basic Auth
C.OAuth 2.0
D.API Key
AnswerC

OAuth 2.0 is the standard for Webex API.

Why this answer

The Cisco Webex Teams API uses OAuth 2.0 as its primary authentication method for applications that need to act on behalf of a user. OAuth 2.0 provides delegated access via access tokens, allowing the application to send messages without exposing user credentials. This is the standard for modern REST APIs that require secure, scoped access.

Exam trap

The trap here is that candidates confuse API Keys with OAuth 2.0 tokens, assuming a simple key is sufficient, but Webex Teams requires the OAuth 2.0 flow for user-specific actions like sending messages, not just a static key.

How to eliminate wrong answers

Option A is wrong because session cookies are used for stateful web applications, not for REST API authentication in Webex Teams, which is stateless and token-based. Option B is wrong because Basic Auth transmits credentials that are only Base64-encoded, which is effectively plaintext, and is not supported by the Webex Teams API due to security concerns. Option D is wrong because API Keys are typically used for server-to-server or service account access, but the Webex Teams API requires OAuth 2.0 tokens for user-delegated actions like sending messages.

575
MCQhard

When using OAuth 2.0 client credentials flow with a Cisco API, what is the typical purpose of the access token?

A.To identify the user's role
B.To authenticate the user
C.To authorize the client application to access resources
D.To encrypt the request payload
AnswerC

The token represents the client's authorization.

Why this answer

Client credentials flow is for server-to-server; the access token authorizes the client application to access resources on its own behalf, not on behalf of a user.

576
MCQmedium

A network engineer is configuring a wireless network for a new office. To maximize performance and minimize interference, the engineer decides to use the 5 GHz band. Which of the following is a key advantage of 5 GHz over 2.4 GHz?

A.Less interference and more channels
B.Better range through walls
C.Larger coverage area
D.Higher compatibility with older devices
AnswerA

5 GHz has more non-overlapping channels and less common interference.

Why this answer

5 GHz offers more non-overlapping channels and less interference from common devices like microwaves and Bluetooth.

577
MCQeasy

Which IPv6 address type is equivalent to a private IPv4 address?

A.Multicast
B.Global unicast
C.Link-local
D.Unique local
AnswerD

Unique local addresses are private and not globally routable.

Why this answer

Unique local addresses (ULA) in IPv6, defined in RFC 4193, are the equivalent of private IPv4 addresses (RFC 1918) because they are intended for local communication within a site or organization and are not routable on the global internet. They use the prefix fc00::/7, with the L bit set to 1 (fd00::/8) for locally assigned addresses, ensuring uniqueness within a site without requiring global registration.

Exam trap

Cisco often tests the distinction between link-local and unique local addresses, trapping candidates who confuse link-local (fe80::/10) with private IPv4 because both are non-routable, but link-local is strictly single-link and not site-wide like private IPv4.

How to eliminate wrong answers

Option A is wrong because multicast addresses (ff00::/8) are used for one-to-many communication to a group of interfaces, not for private, site-local addressing like private IPv4. Option B is wrong because global unicast addresses (2000::/3) are globally routable and unique on the internet, analogous to public IPv4 addresses, not private ones. Option C is wrong because link-local addresses (fe80::/10) are automatically configured and only valid on a single network link, never routed, making them more similar to APIPA (169.254.x.x) in IPv4 rather than private addresses like 10.0.0.0/8.

578
MCQmedium

An automation tool uses RESTCONF to configure a Cisco device. The device returns a 404 error for a PUT request. What does this indicate?

A.The server is overloaded
B.The request body is malformed
C.Authentication failed
D.The resource does not exist
AnswerD

404 is specifically for not found.

Why this answer

A 404 (Not Found) response to a RESTCONF PUT request indicates that the target resource (e.g., a specific YANG data node or URI) does not exist on the device. RESTCONF uses HTTP methods to manipulate resources identified by URIs; a PUT request is intended to create or replace a resource at that URI, but if the resource path is invalid or the data model node is not present, the server returns 404. This is consistent with RFC 8040, which defines the RESTCONF protocol.

Exam trap

Cisco often tests the distinction between HTTP status codes in RESTCONF/NETCONF contexts, and the trap here is that candidates confuse 404 (resource not found) with 400 (bad request) or 401 (authentication failure), especially when the PUT request seems syntactically correct but targets a non-existent resource.

How to eliminate wrong answers

Option A is wrong because a 404 error is not related to server overload; server overload typically results in 503 (Service Unavailable) or 429 (Too Many Requests). Option B is wrong because a malformed request body (e.g., invalid JSON or XML) would produce a 400 (Bad Request) error, not 404. Option C is wrong because authentication failure results in 401 (Unauthorized) or 403 (Forbidden), not 404.

579
Multi-Selectmedium

A developer is designing a REST API that requires pagination. Which two pagination methods are commonly used? (Choose two.)

Select 2 answers
A.B-tree pagination
B.Offset/limit pagination
C.Link header pagination
D.Cursor-based pagination
E.Hash-based pagination
AnswersB, D

Uses offset and limit parameters.

Why this answer

Offset/limit (page number/size) and cursor-based (use a token or cursor to navigate) are common. Link headers (RFC 5988) are also used but are not a pagination method themselves; they convey links. B-tree and hash-based are not typical.

580
Multi-Selectmedium

A developer is designing a system that requires high reliability and ordered data delivery. The developer chooses TCP. Which THREE features are provided by TCP?

Select 3 answers
A.Flow control using window size
B.Multicast support
C.Simple header with minimal overhead
D.Connection-oriented communication using a three-way handshake
E.Sequencing and retransmission of lost packets
AnswersA, D, E

TCP uses sliding window for flow control.

Why this answer

TCP provides a three-way handshake, sequence numbering for ordering, and flow control.

581
MCQhard

In a Jenkins declarative pipeline, a stage named 'Deploy to Production' should only run after manual approval. Which directive should be used to achieve this?

A.input
B.post
C.parallel
D.when
AnswerA

The 'input' directive pauses the pipeline and waits for user input or approval.

Why this answer

The `input` directive in a Jenkins declarative pipeline is specifically designed to pause a stage and wait for human approval before proceeding. When placed inside a stage block, it presents a message and optional parameters (like a 'Proceed' or 'Abort' button) to a user, effectively implementing a manual gate. This is the correct way to enforce manual approval before a 'Deploy to Production' stage runs.

Exam trap

Cisco often tests the distinction between `when` (which only evaluates a condition to skip a stage) and `input` (which actively pauses for human interaction), leading candidates to mistakenly choose `when` because they think 'conditional approval' is the same as 'manual approval'.

How to eliminate wrong answers

Option B is wrong because `post` defines actions to run after a stage or pipeline completes (e.g., always, success, failure), not to pause for manual approval. Option C is wrong because `parallel` is used to run multiple stages or branches concurrently, not to introduce a manual approval step. Option D is wrong because `when` controls conditional execution based on expressions or built-in conditions (like branch name), but it cannot pause the pipeline for human input; it only decides whether to skip or run the stage automatically.

582
Multi-Selectmedium

Which THREE of the following are valid event triggers for an EEM applet on Cisco IOS XE? (Choose THREE.)

Select 3 answers
A.timer
B.cli match
C.snmp trap
D.http request
E.syslog pattern
AnswersA, B, E

EEM supports timer-based events.

Why this answer

Option A is correct because EEM applets support timer-based event triggers, such as absolute time, countdown, or watchdog timers, allowing automation of actions at specified intervals or after a delay. This is a core EEM feature defined in Cisco IOS XE for scheduling tasks without external input.

Exam trap

Cisco often tests the exact EEM event trigger keywords, and candidates mistakenly assume 'snmp trap' is valid because SNMP traps are common network events, but the correct trigger is 'event snmp notification' or 'event snmp oid', not 'trap'.

583
MCQeasy

A network administrator needs to assign IP addresses to 50 hosts in a subnet. Which subnet mask provides the minimum required number of usable addresses while minimizing waste?

A.255.255.255.192 (/26)
B.255.255.255.224 (/27)
C.255.255.255.240 (/28)
D.255.255.255.128 (/25)
AnswerA

62 usable, sufficient and minimal waste.

Why this answer

A /26 subnet mask (255.255.255.192) provides 64 total addresses per subnet, of which 62 are usable (2^6 - 2 = 62). This is the smallest power-of-two block that can accommodate 50 hosts, minimizing waste while meeting the requirement.

Exam trap

Cisco often tests the distinction between 'total addresses' and 'usable addresses' — candidates mistakenly count the total 64 addresses as usable, forgetting to subtract the network and broadcast addresses, or they choose a mask that provides exactly 50 total addresses (which is impossible since host bits must be a power of 2).

How to eliminate wrong answers

Option B (255.255.255.224, /27) is wrong because it provides only 30 usable addresses (2^5 - 2 = 30), which is insufficient for 50 hosts. Option C (255.255.255.240, /28) is wrong because it provides only 14 usable addresses (2^4 - 2 = 14), far below the requirement. Option D (255.255.255.128, /25) is wrong because while it provides 126 usable addresses (2^7 - 2 = 126), it wastes 76 addresses, failing the 'minimizing waste' criterion.

584
Multi-Select · hard

Which three components are required to set up a Webex webhook for message creation events? (Choose three.)

Select 3 answers
A. Resource type (e.g., "messages")
B. Room ID to filter messages
C. API access token as a query parameter
D. Target URL to receive notifications
E. Event type (e.g., "created")
Answers: A, D, E

Resource specifies what to monitor.

Why this answer

A is correct because every Webex webhook must specify a resource type to define which API resource triggers the webhook. For message creation events, the resource type must be "messages" to indicate that the webhook listens for changes to message resources. Without this, the webhook cannot know which data model to monitor.

Exam trap

Cisco often tests the distinction between required fields (resource, event, target URL) and optional filters (like roomId), leading candidates to incorrectly select optional parameters as mandatory components.

585
MCQ · easy

A network developer wants to quickly prototype an application that interacts with a Cisco Catalyst 9000 switch using REST APIs. What is the most appropriate resource to use?

A. Cisco DevNet Sandbox
B. Cisco DNA Center
C. Cisco Unified Communications Manager
D. Cisco Prime Infrastructure
Answer: A

Cisco DevNet Sandbox provides free, always-on labs with pre-configured devices for development and testing.

Why this answer

Cisco DevNet Sandbox provides free, cloud-hosted lab environments with pre-configured Cisco Catalyst 9000 switches that expose REST APIs (e.g., RESTCONF over HTTPS). This allows a developer to quickly prototype and test applications without needing physical hardware or complex setup, making it the most appropriate resource for rapid prototyping.

Exam trap

Cisco often tests the distinction between a development sandbox (DevNet) and production management platforms (DNA Center, Prime Infrastructure), expecting candidates to recognize that rapid prototyping requires a lightweight, accessible environment rather than a full-scale orchestration tool.

How to eliminate wrong answers

Option B (Cisco DNA Center) is wrong because it is a centralized network management platform that abstracts device-level APIs and is overkill for prototyping a single switch interaction; it requires additional infrastructure and licensing. Option C (Cisco Unified Communications Manager) is wrong because it is a voice and video communications platform, not a resource for interacting with Catalyst 9000 switch REST APIs. Option D (Cisco Prime Infrastructure) is wrong because it is a legacy network management tool that does not provide direct REST API access to Catalyst 9000 switches and is not designed for rapid prototyping.

586
Multi-Select · hard

Which THREE statements about NETCONF are correct?

Select 3 answers
A. NETCONF uses HTTP as the transport protocol.
B. NETCONF uses SSH as the transport protocol.
C. The <edit-config> operation is used to modify configuration data.
D. The <get-config> operation retrieves both configuration and state data.
E. NETCONF operations are XML RPCs.
Answers: B, C, E

RFC 6241 specifies SSH as the mandatory transport.

Why this answer

NETCONF uses SSH as its transport protocol, as specified in RFC 6242. This provides a secure, encrypted channel for network device management, which is a fundamental requirement for production environments.

Exam trap

Cisco often tests the distinction between NETCONF and RESTCONF transport protocols, and the specific datastore retrieval operations, leading candidates to confuse <get-config> with <get> or to assume HTTP is used for NETCONF.

587
MCQ · easy

A DevOps team wants to version control their network configurations. Which tool should they use?

A. Puppet
B. Jenkins
C. Git
D. Docker
Answer: C

Git is the standard for version control.

Why this answer

Git is a distributed version control system that tracks changes in source code and configuration files, making it the ideal tool for version controlling network configurations. Unlike configuration management tools, Git provides commit history, branching, and rollback capabilities specifically designed for version control.

Exam trap

Cisco often tests the distinction between version control tools (Git) and configuration management tools (Puppet, Ansible) or CI/CD tools (Jenkins), leading candidates to confuse the purpose of each tool in the DevOps pipeline.

How to eliminate wrong answers

Option A is wrong because Puppet is a configuration management tool that enforces desired state on systems, not a version control system for tracking changes to configuration files. Option B is wrong because Jenkins is a continuous integration/continuous delivery (CI/CD) automation server, not a version control tool. Option D is wrong because Docker is a containerization platform for packaging applications and their dependencies, not a version control system.

588
MCQ · medium

Refer to the exhibit. What will be the result of running this Ansible playbook against the 'switches' group?

A. VLAN 10 will be deleted
B. VLAN 10 will be modified to have the name 'voice'
C. The playbook will only show the running configuration of VLAN 10
D. VLAN 10 will be created if it does not already exist
Answer: D

The 'state: present' parameter ensures the VLAN is present; Ansible will create it if missing.

Why this answer

The playbook uses the `cisco.ios.ios_vlans` module with `state: merged`. This module ensures that the VLAN configuration specified in the playbook is present on the device. If VLAN 10 does not exist, it will be created with the given parameters (vlan_id 10 and name 'voice').

The `merged` state does not delete or modify existing VLANs unless their attributes differ; it only adds or updates to match the desired state.

Exam trap

Cisco often tests the misconception that `state: merged` only modifies existing objects, but in reality, it also creates objects that do not exist, leading candidates to incorrectly choose 'modify' or 'show only' options.

How to eliminate wrong answers

Option A is wrong because `state: merged` does not delete VLANs; it only ensures the specified VLAN configuration is present, and deletion would require `state: absent`. Option B is wrong because while the playbook sets the name to 'voice', `merged` will only modify the name if VLAN 10 already exists with a different name; however, the question asks for the result of running the playbook, and the primary behavior is creation if missing, not modification. Option C is wrong because the playbook does not use any `show running-config` command or a `debug` or `register` task to display the running configuration; it directly applies configuration changes.

589
Multi-Select · medium

A developer needs to retrieve a list of network devices from Cisco DNA Center with pagination. Which TWO URL components are typically used for offset/limit pagination?

Select 2 answers
A. Link header
B. Query parameter 'page'
C. Query parameter 'limit'
D. Query parameter 'offset'
E. Path parameter 'page'
Answers: C, D

Specifies the maximum number of items.

Why this answer

In Cisco DNA Center's REST API, pagination is typically implemented using the 'offset' and 'limit' query parameters. 'offset' specifies the starting index for the results, and 'limit' specifies the maximum number of items to return per page. This is a common pattern in many RESTful APIs for offset/limit pagination.

Exam trap

Cisco often tests the distinction between offset/limit pagination (using 'offset' and 'limit' query parameters) and page-based pagination (using 'page' and 'size' or 'per_page' parameters), leading candidates to mistakenly select 'page' as a correct option.

590
MCQ · hard

A network engineer wants to stream telemetry data from a Cisco router using gRPC. Which gRPC service model is typically used for the router to push data to a collector?

A. RESTCONF events
B. NETCONF subscription
C. Dial-in model
D. Dial-out model
Answer: D

Dial-out is used for device-initiated push of telemetry data.

Why this answer

Dial-out streaming (also called telemetry push) is where the device initiates the connection and sends data to the collector. Dial-in is where the collector pulls data from the device.

591
MCQ · medium

An engineer is troubleshooting a VoIP call quality issue. The call uses UDP and experiences packet loss. Which characteristic of UDP most likely contributes to the problem?

A. Ordered delivery guarantee
B. Connection-oriented setup
C. No retransmission of lost packets
D. Flow control mechanism
Answer: C

Correct. UDP does not retransmit, causing gaps in audio.

Why this answer

UDP is a connectionless transport protocol that does not provide retransmission of lost packets. In VoIP, packet loss directly degrades call quality because lost audio data is never resent, leading to gaps or distortion in the conversation.

Exam trap

Cisco often tests the misconception that UDP's lack of reliability is always a flaw, but the trap here is that candidates may incorrectly attribute the problem to UDP's lack of ordered delivery or flow control, when the core issue is the absence of retransmission for lost packets.

How to eliminate wrong answers

Option A is wrong because UDP does not guarantee ordered delivery; it is a best-effort protocol that may deliver packets out of order, and VoIP codecs typically handle sequencing at the application layer. Option B is wrong because UDP is connectionless and does not use a connection-oriented setup like TCP's three-way handshake; this lack of setup reduces latency but contributes to packet loss. Option D is wrong because UDP has no built-in flow control mechanism; flow control is a TCP feature that manages data transmission rates to prevent congestion, and its absence in UDP means the sender can overwhelm the network.

592
Multi-Select · easy

Which TWO of the following HTTP methods are considered safe (idempotent and not modifying server state)? (Select two.)

Select 2 answers
A. PUT
B. DELETE
C. POST
D. GET
E. HEAD
Answers: D, E

GET is safe and idempotent.

Why this answer

GET and HEAD are safe; they do not change server state and are idempotent.

593
MCQ · medium

A Python script using the requests library to query the Cisco Meraki API returns a 403 Forbidden error. The API key is correctly set in the header. What is the most likely cause?

A. The request URL is incorrect
B. The API endpoint is rate-limiting the request
C. The API key does not have permission for the requested resource
D. The Content-Type header is missing
Answer: C

403 Forbidden means the server understood the request but refuses to authorize it; the API key likely lacks the required scope.

Why this answer

A 403 Forbidden error indicates that the server understood the request but refuses to authorize it. Since the API key is correctly set in the header, the most likely cause is that the API key lacks the necessary permissions (e.g., read-only key trying to modify resources, or key scoped to a different organization) for the specific resource being accessed. In Cisco Meraki, API keys are tied to specific organizations and roles, and a 403 is the standard response when the key does not have the required access rights.

Exam trap

The trap here is that candidates often confuse 403 Forbidden with authentication failures (401 Unauthorized) or assume the API key is invalid, but Cisco tests the distinction that a valid key can still be denied access due to insufficient permissions.

How to eliminate wrong answers

Option A is wrong because an incorrect request URL would typically result in a 404 Not Found or a 400 Bad Request, not a 403 Forbidden. Option B is wrong because rate-limiting in Meraki returns a 429 Too Many Requests status code, not 403. Option D is wrong because the Content-Type header is not required for all requests (e.g., GET requests) and its absence would not cause a 403; it might cause a 400 or 415 if the endpoint requires a specific content type, but not a permission error.

594
MCQ · medium

A network automation engineer is writing an Ansible playbook to configure interface descriptions on Cisco IOS-XE devices. The playbook uses the ios_config module. Which attribute should be used to ensure idempotency and only apply changes when the interface does not already have the desired description?

A. lines
B. src
C. parents
D. before
Answer: A

lines defines the configuration lines to be added or modified; the module checks current state to avoid duplicate changes.

Why this answer

Option A is correct because the `lines` attribute in the `ios_config` module specifies the exact configuration lines to be applied. Ansible's `ios_config` module inherently checks the current device configuration against the desired state defined in `lines`; if the interface already has the matching description, the module skips the task, ensuring idempotency. This prevents unnecessary configuration changes and maintains network stability.

Exam trap

Cisco often tests the misconception that `src` or `parents` alone provide idempotency, but the trap here is that `lines` is the attribute that directly enables the module to compare and skip unchanged configuration lines, while `parents` only sets the configuration context and does not perform the idempotency check itself.

How to eliminate wrong answers

Option B is wrong because `src` specifies a file or template containing configuration commands, but it does not inherently check the current state of the interface description; it reapplies the entire file content each run, breaking idempotency unless combined with other logic. Option C is wrong because `parents` is used to navigate to a specific configuration context (e.g., interface configuration mode) but does not itself enforce idempotency for the description line; it only sets the parent path for the `lines` or `src` content. Option D is wrong because `before` inserts configuration lines before a matched line in the running config, which is used for ordering or insertion, not for checking existing descriptions to avoid redundant changes.

595
MCQ · hard

A developer is working with Meraki API to list all clients on a network. The response is paginated. Which parameter allows the developer to specify the starting point for the next page?

A. nextToken
B. startingAfter
C. page
D. offset
Answer: B

This parameter sets the cursor for the next page.

Why this answer

Meraki uses startingAfter and endingBefore parameters for cursor-based pagination.

596
MCQ · hard

An engineer is troubleshooting a NETCONF session that fails to establish with a Cisco IOS XE device. The SSH connection succeeds, but NETCONF capabilities are not exchanged. What is the most likely cause?

A. The device requires authentication via SSH keys but password was used.
B. The firewall is blocking port 830.
C. The device is running an older IOS version that does not support NETCONF.
D. The device's NETCONF server is not enabled.
Answer: D

If netconf-yang feature is not enabled, SSH connects but no NETCONF capabilities.

Why this answer

Option D is correct because NETCONF uses a client-server model where the server (the Cisco IOS XE device) must have the NETCONF server explicitly enabled. If the SSH transport succeeds but capabilities are not exchanged, it indicates the NETCONF subsystem is not active on the device. The `netconf-yang` feature must be enabled via `netconf-yang` in global configuration mode to start the NETCONF server and allow capability exchange.

Exam trap

Cisco often tests the distinction between SSH transport success and NETCONF protocol success, trapping candidates who assume a successful SSH connection implies NETCONF is fully operational.

How to eliminate wrong answers

Option A is wrong because the SSH connection succeeded, meaning authentication was accepted regardless of method (password or SSH keys); NETCONF capability exchange occurs after SSH transport is established, so authentication is not the issue. Option B is wrong because the SSH connection succeeded, which typically uses port 830 for NETCONF-over-SSH; if a firewall were blocking port 830, the SSH connection itself would fail, not just the capability exchange. Option C is wrong because even older IOS XE versions (e.g., 16.x) support NETCONF; the issue is not version compatibility but whether the NETCONF server is administratively enabled.

597
MCQ · medium

An engineer is writing a Python script using the Cisco DevNet sandbox to configure OSPF on a CSR1000v via RESTCONF. What authentication method is typically used for RESTCONF requests?

A. No authentication
B. OAuth2
C. API token only
D. Basic authentication over HTTPS
Answer: D

Basic auth over HTTPS is widely used for RESTCONF on Cisco devices.

Why this answer

RESTCONF typically uses Basic authentication over HTTPS (RFC 7235) because it is a lightweight, stateless mechanism that sends a base64-encoded username:password pair in the Authorization header. In the Cisco DevNet sandbox CSR1000v environment, this is the standard method for authenticating RESTCONF requests, as the sandbox provides a username and password for access.

Exam trap

Cisco often tests the distinction between RESTCONF and NETCONF authentication, where candidates might mistakenly think RESTCONF uses SSH keys or no authentication, but RESTCONF always requires HTTPS-based authentication, typically Basic.

How to eliminate wrong answers

Option A is wrong because RESTCONF requires authentication; no authentication would leave the device open to unauthorized configuration changes. Option B is wrong because OAuth2 is not typically used for RESTCONF on Cisco IOS-XE devices; it is more common in cloud-based APIs like Webex or Meraki. Option C is wrong because API token only is not a standard RESTCONF authentication method; while some Cisco platforms (e.g., DNA Center) use tokens, the CSR1000v sandbox relies on Basic authentication over HTTPS.

598
MCQ · easy

What is the default rate limit for the Meraki Dashboard API?

A. 20 calls per second
B. 1 call per second
C. 10 calls per second
D. 5 calls per second
Answer: D

This is the documented rate limit.

Why this answer

Meraki Dashboard API enforces a rate limit of 5 calls per second.

599
MCQ · medium

A developer needs to retrieve interface configuration from a Cisco IOS XE device using NETCONF. Which operation should be used?

A. <get> with filter
B. <delete-config>
C. <edit-config>
D. <get-config> with filter
Answer: D

Correct operation for configuration retrieval.

Why this answer

To retrieve interface configuration from a Cisco IOS XE device using NETCONF, the <get-config> operation with a filter is the correct choice. <get-config> retrieves the running configuration datastore, and the filter (typically an XML subtree filter) narrows the response to only the interface subtree, avoiding unnecessary data. This is the standard NETCONF operation for reading configuration data, as defined in RFC 6241.

Exam trap

Cisco often tests the distinction between <get> and <get-config>, where candidates mistakenly choose <get> because it sounds like 'get configuration,' but <get> returns both config and state data, which is not the correct operation for retrieving only configuration.

How to eliminate wrong answers

Option A is wrong because <get> retrieves both configuration and state data from the device, which is not limited to configuration and may include operational status, making it less precise for retrieving only interface configuration. Option B is wrong because <delete-config> is used to delete a configuration datastore (e.g., the candidate datastore), not to retrieve configuration; it would remove the interface configuration entirely. Option C is wrong because <edit-config> is used to modify or create configuration, not to retrieve it; it would attempt to change the interface configuration rather than read it.

600
MCQ · medium

A network automation script uses the Cisco DNAC Python SDK (dnacentersdk) to retrieve devices. Which method correctly lists all devices?

A. dnac.get_devices()
B. dnac.devices.get_device_list()
C. dnac.sites.get_site_devices()
D. dnac.devices.list_devices()
Answer: B

Correct method.

Why this answer

Option B is correct because the Cisco DNAC Python SDK (dnacentersdk) uses a hierarchical method structure where the `devices` resource is accessed via `dnac.devices`, and the `get_device_list()` method is the exact SDK call to retrieve all devices from the Cisco DNA Center. This matches the official SDK documentation and the REST API endpoint `/dna/intent/api/v1/network-device`.

Exam trap

Cisco often tests the exact method naming conventions in the SDK, and the trap here is that candidates confuse the generic Python list concept (e.g., `list_devices()`) with the SDK's actual method name (`get_device_list()`), or they assume a top-level method exists without the resource hierarchy.

How to eliminate wrong answers

Option A is wrong because `dnac.get_devices()` is not a valid method in the dnacentersdk; the SDK requires resource-specific access (e.g., `dnac.devices`), and calling a top-level method like this would raise an AttributeError. Option C is wrong because `dnac.sites.get_site_devices()` retrieves devices associated with a specific site, not all devices in the network, and is intended for site-scoped queries. Option D is wrong because `dnac.devices.list_devices()` does not exist in the SDK; the correct method name is `get_device_list()`, and using `list_devices()` would result in a method-not-found error.
