Cisco DevNet Associate 200-901 (200-901) — Questions 601–675

992 questions total · 14 pages · All types, answers revealed

601
MCQ · easy

A network administrator is managing a small office with 10 Cisco 9200 switches. They want to automate the deployment of a standard base configuration (VLANs, STP, management access) to all switches. They have a Linux server with Ansible installed. The administrator writes a playbook that uses the 'ios_config' module to apply configuration blocks. However, when they run the playbook against the first switch, it fails with an authentication error. The administrator can SSH to the switch manually using the same credentials. What is the most likely cause of the failure?

A. The Ansible playbook is missing the 'ansible_connection: network_cli' and 'ansible_network_os: ios' variables.
B. The switch's SSH server does not support the key exchange algorithm used by Ansible.
C. The playbook is using the wrong username because the variable is not defined.
D. The switch is running an incompatible IOS version that does not support the commands in the playbook.
Answer: A

Network devices require these variables to handle the SSH session correctly.

Why this answer

The most likely cause is that the playbook is missing the required connection and platform variables. When using Ansible's `ios_config` module, you must explicitly set `ansible_connection: network_cli` and `ansible_network_os: ios` in the host variables or playbook. Without these, Ansible defaults to the `smart` connection plugin, which attempts an SSH connection using the `paramiko` library but does not properly negotiate the network CLI session, leading to authentication failures even though manual SSH works.

Exam trap

Cisco often tests the distinction between SSH connectivity and Ansible connection method configuration, trapping candidates who assume that successful manual SSH implies the playbook will work without setting `ansible_connection` and `ansible_network_os`.

How to eliminate wrong answers

Option B is wrong because if the SSH server did not support the key exchange algorithm, manual SSH would also fail, but the administrator can SSH successfully. Option C is wrong because the playbook failing with an authentication error while manual SSH works suggests the credentials are correct; the issue is not a missing username variable but the connection method. Option D is wrong because an incompatible IOS version would cause command execution errors, not authentication failures; the playbook hasn't reached the point of applying commands.

602
MCQ · easy

Refer to the exhibit. A developer builds this Docker image and runs it. The container starts but cannot be accessed on port 5000 from the host. What is the most likely cause?

A. The requirements.txt is missing Flask.
B. The Python application is not listening on 0.0.0.0.
C. The container is using a different port inside.
D. The EXPOSE instruction does not publish the port; the container was run without -p.
Answer: D

EXPOSE is documentation; without -p, no port is published to the host.

Why this answer

The EXPOSE instruction in a Dockerfile is documentation only; it does not actually publish the container's port to the host. For the container to be accessible on port 5000 from the host, the container must be run with the `-p` (or `--publish`) flag (e.g., `docker run -p 5000:5000 ...`). Without this, the container's port 5000 is only reachable from within the Docker network, not from the host.

Exam trap

Cisco often tests the misconception that EXPOSE publishes the port, when in fact it only documents the port and requires `-p` or `-P` for actual host access.

How to eliminate wrong answers

Option A is wrong because a missing Flask in requirements.txt would cause the application to fail to start or crash, not prevent host access to a running container on port 5000. Option B is wrong because even if the Python app is not listening on 0.0.0.0 (e.g., it listens on 127.0.0.1), the container would still be unreachable from the host, but the question states the container starts and cannot be accessed on port 5000; the most likely cause is the missing `-p` flag, not a binding issue, as the default Flask binding is 127.0.0.1 and would still require port publishing. Option C is wrong because if the container were using a different port inside, the EXPOSE instruction would typically match that port, and the symptom would be a mismatch, but the question implies the container is running and the port is defined; the core issue is that EXPOSE alone does not publish the port.

603
MCQ · medium

A developer needs to ensure that environment variables containing database credentials are not hardcoded in the application code. Which approach is most secure for managing secrets in a CI/CD pipeline?

A. Encrypt the .env file and commit it.
B. Store the credentials in a .env file committed to the repository.
C. Use a secrets management tool like Vault to inject secrets during deployment.
Answer: C

Vault securely manages secrets and injects them only at runtime.

Why this answer

Option C is correct because secrets management tools like HashiCorp Vault provide a centralized, encrypted store for sensitive data such as database credentials, and they inject secrets into the CI/CD pipeline at deployment time via secure APIs (e.g., Vault's HTTP API with TLS). This approach avoids storing secrets in version control, eliminates hardcoding, and supports dynamic secrets, rotation, and audit logging, which aligns with security best practices for CI/CD.

Exam trap

Cisco often tests the misconception that encrypting and committing secrets is secure, but the trap is that any encryption key stored alongside or in the pipeline can be compromised, and the encrypted file remains in version control history forever.

How to eliminate wrong answers

Option A is wrong because encrypting the .env file and committing it still stores the encrypted file in the repository, which exposes it to anyone with repository access; the encryption key must be managed separately, and if compromised, all secrets are exposed. Option B is wrong because committing a .env file with credentials to the repository directly exposes secrets in version control history, violating the principle of never storing secrets in code repositories, and any developer with access can read them.

604
Multi-Select · medium

Which TWO of the following are valid query parameter-based pagination methods used in REST APIs? (Select two.)

Select 2 answers
A. Timestamp-based (e.g., since)
B. Link header with rel="next"
C. Cursor-based (e.g., startingAfter)
D. Offset and limit
E. Page and per_page
Answers: C, D

Used by Meraki and others.

Why this answer

Offset/limit and cursor-based (e.g., startingAfter) are common. Page/per_page is similar to offset/limit. Link header is another method but not a query parameter.

605
Multi-Select · medium

A developer is using the Meraki Dashboard API and needs to handle paginated responses. Which TWO ways does Meraki indicate pagination? (Choose two.)

Select 2 answers
A. Offset and limit query parameters
B. Link header with rel="next"
C. Multiple pages returned in a single response
D. Total count in response body
E. Cursor-based pagination with startingAfter parameter
Answers: B, E

Meraki includes a Link header.

Why this answer

Meraki uses Link header for pagination (rel="next") and also supports query parameters like perPage and startingAfter (cursor-based). Offset is not used by Meraki.

606
MCQ · hard

A developer is building a Webex Teams bot that monitors network alerts from Cisco DNA Assurance. The bot must authenticate to the Webex API. Which authentication method should be used?

A. Basic authentication with username/password
B. Session ID cookie
C. OAuth2 client credentials grant with bot token
D. API key in query string
Answer: C

Correct method for Webex bots.

Why this answer

Webex Teams bots require OAuth2 client credentials grant to obtain a bot token, which is a long-lived, scoped token that authenticates the bot without user interaction. This method is designed for server-to-server communication, matching the bot's need to post messages and listen for events via the Webex API. Basic authentication, session cookies, and API keys are not supported or appropriate for bot authentication in Webex.

Exam trap

Cisco often tests the distinction between user-based authentication (OAuth2 authorization code grant) and bot/application authentication (client credentials grant), leading candidates to mistakenly choose Basic auth or API keys due to familiarity with older APIs.

How to eliminate wrong answers

Option A is wrong because Webex API does not support Basic authentication with username/password for bots; bots are not user accounts and require token-based auth. Option B is wrong because session ID cookies are used for browser-based user sessions, not for bot or API authentication, and Webex API does not issue session cookies for bots. Option D is wrong because Webex API does not accept API keys in query strings; it uses Bearer tokens in the Authorization header, and query string keys are insecure and not part of the OAuth2 flow.

607
MCQ · medium

A DevOps team uses Ansible to configure Cisco Nexus switches for a new data center. They have a playbook that uses the nxos_vlan module to create VLANs and nxos_interface module to assign access VLANs. The playbook runs successfully on the first Nexus switch but fails on the second with error: 'module_stderr: ntclib: error: unable to connect to switch'. Both switches are reachable via ping and SSH from the Ansible control node. The inventory file has the same SSH credentials for both switches. What is the most likely cause of the connection failure on the second switch?

A. The second switch does not have NX-API enabled.
B. The Ansible control node has an incompatible version of the nxos collection.
C. The second switch has a different VLAN database that conflicts with the playbook.
D. The second switch's SSH key fingerprint has changed and is not accepted.
Answer: A

The error indicates NX-API connection failure; enabling NX-API resolves.

Why this answer

The error 'module_stderr: ntclib: error: unable to connect to switch' indicates that the Ansible nxos modules are attempting to use NX-API (REST-like HTTP/HTTPS API) to communicate with the switch, not SSH. Even though SSH is reachable, the second switch likely has NX-API disabled or not configured, causing the connection failure. The nxos_vlan and nxos_interface modules in Ansible rely on NX-API by default when the connection type is set to 'network_cli' or 'httpapi', and without NX-API enabled, the modules cannot execute.

Exam trap

Cisco often tests the misconception that Ansible nxos modules use SSH for all operations, when in fact they default to NX-API for task execution, so candidates may overlook the need for NX-API to be enabled on the target switch.

How to eliminate wrong answers

Option B is wrong because an incompatible nxos collection version would typically cause module-specific errors (e.g., missing parameters or attributes), not a generic 'unable to connect' error; the connection failure is at the transport layer, not the module logic. Option C is wrong because VLAN database conflicts would result in task-level failures (e.g., 'VLAN already exists') during module execution, not a connection error before the module runs. Option D is wrong because SSH key fingerprint changes would cause an SSH authentication failure (e.g., 'Host key verification failed') in the SSH transport, not an NX-API connection error; the error message specifically references 'ntclib', which is the NX-API client library.

608
MCQ · medium

When using RESTCONF on Cisco IOS XE, which URL retrieves the hostname configuration?

A. GET /restconf/data/ietf-interfaces:interfaces
B. GET /restconf/data/openconfig-interfaces:interfaces
C. GET /restconf/data/Cisco-IOS-XE-native:native/interface
D. GET /restconf/data/Cisco-IOS-XE-native:native/hostname
Answer: D

This retrieves the hostname from the native model.

Why this answer

The native YANG model Cisco-IOS-XE-native contains the hostname under /native/hostname.

609
MCQ · hard

An engineer is using the Cisco Intersight API to manage UCS servers. The API response returns a paginated list. What is the proper way to retrieve all items?

A. Loop through pages using the 'next' link in the response
B. Increase the page size limit to maximum
C. Send multiple requests with different offsets manually
D. Use a single request with a filter to get all
Answer: A

Following pagination links is the recommended pattern.

Why this answer

The Cisco Intersight API uses cursor-based pagination, where each page response includes a 'next' link pointing to the next page of results. To retrieve all items, you must follow that link in a loop until the 'next' field is null or absent, ensuring you get every page without assuming a fixed offset or page size.

Exam trap

Cisco often tests the distinction between offset-based pagination (common in REST APIs) and cursor-based pagination (used by Intersight), trapping candidates who assume they can manually increment a page number or offset.

How to eliminate wrong answers

Option B is wrong because increasing the page size limit to maximum may exceed API-imposed constraints (e.g., 1000 items per page) and does not guarantee all items are retrieved if the total exceeds that limit. Option C is wrong because Intersight uses cursor-based pagination, not offset-based; manually incrementing offsets will cause duplicate or missed items since the API does not support offset parameters. Option D is wrong because a single request with a filter cannot bypass pagination; the API enforces pagination on all list endpoints, and filters only narrow the result set, not the number of pages.

610
MCQ · easy

An automation script needs to update the hostname of a Cisco IOS-XE device via RESTCONF. Which HTTP method is appropriate?

A. PUT
B. PATCH
C. GET
D. POST
Answer: A

PUT is used to replace the target resource with the request payload.

Why this answer

To update the hostname of a Cisco IOS-XE device via RESTCONF, the PUT HTTP method is appropriate because it performs a full replacement of the target resource. RESTCONF uses the YANG data model, and the hostname is a leaf node under the Cisco-IOS-XE-native YANG module. A PUT request with the complete updated hostname data replaces the existing configuration, aligning with RESTCONF's semantics for resource replacement.

Exam trap

Cisco often tests the distinction between PUT and PATCH, and the trap here is that candidates familiar with RESTful APIs might assume PATCH is available for partial updates, but RESTCONF explicitly omits PATCH, requiring PUT for all replacements.

How to eliminate wrong answers

Option B (PATCH) is wrong because RESTCONF does not support the PATCH method; it uses PUT for full replacement and POST for operations or data resource creation. Option C (GET) is wrong because it is used to retrieve the current hostname, not to update it. Option D (POST) is wrong because in RESTCONF, POST is used to create a new data resource or invoke an RPC operation, not to replace an existing leaf like the hostname.

611
MCQ · hard

A Cisco DevNet engineer is configuring model-driven telemetry on a Cisco IOS-XE device. The telemetry subscription includes the following path: 'Cisco-IOS-XE-native:native/interface/GigabitEthernet[Name='1/0/1']/ip/address'. Which part of this path identifies a specific list instance?

A. Cisco-IOS-XE-native
B. [Name='1/0/1']
C. GigabitEthernet
D. ip/address
Answer: B

This specifies the key value to identify the particular interface instance.

Why this answer

Option B is correct because the XPath expression `[Name='1/0/1']` is a predicate filter that selects a specific list instance from the `GigabitEthernet` YANG list. In YANG model-driven telemetry, list keys are used to identify individual entries, and the predicate syntax `[key='value']` pinpoints exactly one instance within the list.

Exam trap

Cisco often tests whether candidates confuse the YANG module name or the list node name with the list instance identifier, leading them to pick the module or the list name instead of the key predicate.

How to eliminate wrong answers

Option A is wrong because `Cisco-IOS-XE-native` is the YANG module name, not a list instance identifier. Option C is wrong because `GigabitEthernet` is the YANG list node name, which represents the entire list of interfaces, not a specific instance. Option D is wrong because `ip/address` is a leaf path within the interface instance, not a list instance identifier.

612
MCQ · hard

A DevOps team is implementing a CI/CD pipeline for network services using Cisco NSO (Network Services Orchestrator). They have a Python script that uses the NSO RESTCONF API to create a new VPN service instance. The script passes all integration tests in the staging environment, but when deployed to production, the 'POST' request to /api/run/vpn-service returns a 500 Internal Server Error. The team checks the NSO logs and finds the error 'Error: No such device: device-xr-1'. The production NSO instance manages multiple devices, and device-xr-1 is one of them. The team confirms device-xr-1 is reachable and managed by NSO in the production environment. What is the most likely cause of this error?

A. The production NSO instance uses a different authentication method for device-xr-1.
B. The device configuration in NSO is out of sync; a sync-from is needed before service creation.
C. The YANG service model expects a device name that does not match the device's name in NSO's device list.
D. The production NSO instance has insufficient memory to handle the request.
Answer: C

The service template likely uses a device reference that conflicts with the actual device name.

Why this answer

The error 'No such device: device-xr-1' indicates that the YANG service model references a device name that does not match the actual device name configured in NSO's device list. Even though device-xr-1 is reachable and managed by NSO, the service model's 'device' leaf expects a specific name (e.g., 'xr-1' or 'device-xr-1-prod'), and the mismatch causes NSO to fail when trying to map the service to the device. This is a common issue when service YANG models are developed with hardcoded or environment-specific device names that differ between staging and production.

Exam trap

Cisco often tests the distinction between device reachability/authentication errors and device name mismatches in NSO service models, where candidates mistakenly assume a connectivity or sync issue when the actual problem is a YANG model reference mismatch.

How to eliminate wrong answers

Option A is wrong because authentication methods (e.g., SSH keys, passwords) are configured per device in NSO's device list and would cause a connection failure (e.g., 'Authentication failed'), not a 'No such device' error. Option B is wrong because a sync-from operation addresses configuration drift between NSO and the actual device state, but the error here is about the device name not being found in NSO's device list, not about out-of-sync configuration. Option D is wrong because insufficient memory would typically manifest as a timeout or out-of-memory exception in NSO logs, not a specific 'No such device' error referencing a device name.

613
Drag & Drop · medium

Drag and drop the steps to deploy a Python script to a Cisco device via RESTCONF into the correct order.


Why this order

RESTCONF operations require authentication, correct URL, headers, and payload; verify with response.

614
Multi-Select · medium

Which THREE are common best practices for implementing CI/CD in network automation?

Select 3 answers
A. Perform manual testing after every deployment
B. Use version control for all automation scripts and playbooks
C. Treat infrastructure configurations as code
D. Implement automated unit and integration tests
E. Store credentials and secrets in code repositories
Answers: B, C, D

Version control is essential for tracking changes and collaboration.

Why this answer

Option B is correct because version control (e.g., Git) is a fundamental CI/CD best practice: it tracks changes, enables rollbacks, and supports collaboration on automation scripts and playbooks. Without version control, you lose auditability and the ability to reliably reproduce network states, which violates the principle of infrastructure as code.

Exam trap

Cisco often tests the distinction between 'automation' and 'CI/CD best practices'—candidates may confuse manual testing (Option A) as a safety net, but the exam expects you to recognize that CI/CD relies on automated testing, not manual steps.

615
MCQ · easy

Which API is used to execute CLI commands on Cisco IOS XE devices using on-device programmability?

A. RESTCONF
B. DNA Center API
C. Meraki Dashboard API
D. Webex API
Answer: A

RESTCONF can be used to retrieve data and execute operations on IOS XE.

Why this answer

RESTCONF is a RESTful API that uses HTTP methods to access structured data defined in YANG models, and on Cisco IOS XE devices, it can be used to execute CLI commands via the 'cli' YANG data model. This allows programmatic execution of CLI commands without requiring an interactive SSH session, making it the correct choice for on-device programmability.

Exam trap

Cisco often tests the distinction between on-device programmability (RESTCONF/NETCONF) and controller-based APIs (DNA Center), so the trap here is assuming that a centralized management API can directly execute CLI commands on a device, when in fact it only sends configuration intents to the controller.

How to eliminate wrong answers

Option B is wrong because the DNA Center API is a northbound interface for managing the Cisco DNA Center controller, not for directly executing CLI commands on individual IOS XE devices. Option C is wrong because the Meraki Dashboard API is used to manage Meraki cloud-managed devices, which do not run IOS XE and do not support CLI command execution via this API. Option D is wrong because the Webex API is designed for collaboration services (messaging, meetings, etc.) and has no capability to interact with IOS XE device CLI.

616
MCQ · easy

A network engineer needs to retrieve a list of all network devices from Cisco DNA Center. Which API endpoint should they use?

A. POST /dna/system/api/v1/auth/token
B. GET /dna/intent/api/v1/issues
C. GET /dna/intent/api/v1/network-device
D. GET /dna/intent/api/v1/topology/l2/{vlanID}
Answer: C

This endpoint returns a list of network devices.

Why this answer

The correct endpoint to retrieve the device list in Cisco DNA Center is GET /dna/intent/api/v1/network-device.

617
MCQ · medium

A Meraki API request is receiving HTTP 429 responses. According to the Meraki rate limit, what should the developer do?

A. Switch to the DNA Center API.
B. Use a different API key.
C. Reduce the number of concurrent requests and wait for the Retry-After header value.
D. Immediately retry the request without delay.
Answer: C

Correct. The Retry-After header specifies how long to wait.

Why this answer

Meraki returns 429 with a Retry-After header indicating the number of seconds to wait.

618
MCQ · hard

A network automation script using Ansible with the cisco.ios.ios_config module fails with "Unsupported parameters for (cisco.ios.ios_config) module: src." What is the most likely issue?

A. The Ansible version is too old
B. The inventory file has incorrect credentials
C. The network device is unreachable
D. The module does not support 'src' parameter; it should use 'lines'
Answer: D

The ios_config module uses 'lines' for configuration commands.

Why this answer

The error message 'Unsupported parameters for (cisco.ios.ios_config) module: src' indicates that the 'src' parameter is not a valid parameter for the cisco.ios.ios_config module. In Ansible, the correct parameter to specify configuration lines directly is 'lines', not 'src'. The 'src' parameter is used by other modules like ios_config (from the older ansible.netcommon collection) or for file-based configuration, but the cisco.ios.ios_config module expects configuration content via 'lines' or 'parents'.

Exam trap

Cisco often tests the specific parameter names of modules in the cisco.ios collection versus the older ansible.netcommon collection, trapping candidates who assume 'src' works universally across all configuration modules.

How to eliminate wrong answers

Option A is wrong because an outdated Ansible version might cause missing modules or features, but the error specifically points to an unsupported parameter, not a missing module; the module exists but the parameter is invalid. Option B is wrong because incorrect credentials in the inventory file would result in authentication or connection failures (e.g., 'invalid username/password' or 'unable to connect'), not a parameter validation error. Option C is wrong because an unreachable network device would produce a timeout or connection refused error, not a module parameter error; the error occurs before any connection attempt during parameter validation.

619
MCQ · hard

Refer to the exhibit. A developer executes this Python script against a Cisco device. Assuming valid credentials and network connectivity, what is printed to the console?

A. An exception due to invalid credentials
B. The startup configuration of the device in XML format
C. The running configuration of the device in XML format
D. A JSON representation of the device interfaces
Answer: C

The script calls m.get_config(source='running') which returns the running config as XML, then prints it prettified.

Why this answer

The script uses the `ncclient` library to connect to a Cisco device via NETCONF, which defaults to retrieving the running configuration. The `get_config(source='running')` method fetches the running configuration in XML format, so the output printed to the console is the running configuration in XML. Option C is correct because the code explicitly requests the running configuration.

Exam trap

Cisco often tests the distinction between `running` and `startup` configurations in NETCONF, and candidates may confuse `get_config` with `get` (which retrieves state data) or assume the output format is JSON due to common RESTCONF usage.

How to eliminate wrong answers

Option A is wrong because the script assumes valid credentials and network connectivity, so no authentication exception would occur. Option B is wrong because the script uses `get_config(source='running')`, not `source='startup'`, so it retrieves the running configuration, not the startup configuration. Option D is wrong because NETCONF returns configuration data in XML, not JSON, and the script does not request interface-specific data or convert to JSON.

620
MCQ · easy

A developer is creating a Helm chart for a stateless web application. Where should the application's configuration settings (like log level and feature flags) be stored?

A. Directly in the Docker image.
B. In values.yaml file of the Helm chart.
C. Hardcoded in the application code.
D. In a Kubernetes Secret.
Answer: B

Standard approach for Helm charts.

Why this answer

In a Helm chart, the `values.yaml` file is the standard location for configuration settings like log level and feature flags. This file allows developers to externalize configuration from the application code and Docker image, enabling environment-specific overrides without rebuilding the image. Helm uses `values.yaml` to inject these settings into Kubernetes manifests via template directives, making the chart reusable across different deployments.

Exam trap

Cisco often tests the distinction between configuration data (stored in ConfigMaps or `values.yaml`) and secret data (stored in Secrets), leading candidates to incorrectly choose Secrets for all configuration settings.

How to eliminate wrong answers

Option A is wrong because storing configuration in the Docker image violates the principle of immutable infrastructure; any change to log level or feature flags would require rebuilding and redeploying the image, which is inefficient and defeats the purpose of configuration externalization. Option C is wrong because hardcoding configuration in the application code tightly couples the application to specific settings, preventing runtime changes without code modification and recompilation, which is contrary to cloud-native best practices. Option D is wrong because Kubernetes Secrets are specifically designed for sensitive data (e.g., passwords, API keys), not for non-sensitive configuration like log level or feature flags; using Secrets for such data adds unnecessary complexity and security overhead without benefit.

621
MCQ · medium

A network engineer runs the Ansible playbook shown in the exhibit, but it fails. The error indicates the module 'cisco.ios.ios_vlan' does not exist. What is the most likely cause?

A. The collection 'cisco.ios' is not installed
B. The module name is misspelled; it should be 'ios_vlans'
C. The 'state: present' is invalid for this module
D. The playbook lacks 'become: yes'
Answer: B

The correct module for configuring VLANs on Cisco IOS is 'ios_vlans' (with an 's').

Why this answer

The error indicates that the module 'cisco.ios.ios_vlan' does not exist. In the cisco.ios collection, the correct module name for managing VLANs is 'ios_vlans' (plural), not 'ios_vlan'. This is a common naming mistake because many other Ansible modules use singular names, but the ios_vlan module was deprecated and replaced by ios_vlans in newer versions of the collection.

Exam trap

Cisco often tests the exact module naming convention in the cisco.ios collection, where the trap is that candidates assume the module name is singular ('ios_vlan') because it seems intuitive, but the correct name is plural ('ios_vlans') due to the collection's resource-oriented design.

How to eliminate wrong answers

Option A is wrong because if the collection 'cisco.ios' were not installed, the error would typically state that the collection is missing or that the module could not be found in any installed collection, not specifically that the module does not exist. Option C is wrong because 'state: present' is a valid parameter for the ios_vlans module and is used to ensure a VLAN exists. Option D is wrong because 'become: yes' is used for privilege escalation (e.g., to enter enable mode) and is not related to module existence errors; the error is about the module name itself, not permissions.

622
MCQ · easy

A developer wants to send a message to a Webex room using the API. Which HTTP method and endpoint should they use?

A. POST /v1/rooms
B. PUT /v1/messages
C. GET /v1/messages
D. POST /v1/messages
Answer: D

This endpoint creates a new message.

Why this answer

To send a message, use POST to /v1/messages with roomId or toPersonEmail.

623
MCQ · medium

A developer is implementing a Python function that makes an HTTP GET request to an API and returns the response time. Which code snippet correctly measures the elapsed time?

A. response = requests.get(url); return response.headers['Date']
B. response = requests.get(url); return response.elapsed.total_seconds()
C. start = time.time(); response = requests.get(url); return time.time() - start
D. import time; start = time.time(); response = requests.get(url); return time.time() - start
Answer: D

This correctly captures the start time, makes the request, and returns the difference.

Why this answer

Using time.time() before and after the request and subtracting gives the elapsed time in seconds.

624
MCQ · easy

What does a TTL of 128 indicate about the destination host?

A. It is a network switch
B. It is a Cisco router
C. It is a Windows host
D. It is a Linux host
Answer: C

Windows uses a default TTL of 128.

Why this answer

The Time-to-Live (TTL) value in an IP packet is decremented by each router that forwards the packet. When a host receives a packet, the remaining TTL value can indicate the operating system of the source that sent it. Windows operating systems typically set the initial TTL to 128, so a TTL of 128 in a received packet strongly suggests the destination host (the sender of that packet) is a Windows host.

Exam trap

Cisco often tests the common misconception that TTL values are set by routers or switches, rather than by the originating host's operating system, leading candidates to incorrectly associate a TTL of 128 with a specific network device instead of a Windows host.

How to eliminate wrong answers

Option A is wrong because network switches operate at Layer 2 and do not decrement or set TTL values in IP headers; TTL is a Layer 3 concept. Option B is wrong because Cisco routers, like most routers, set the initial TTL to 255 (or sometimes 64), not 128. Option D is wrong because Linux hosts typically set the initial TTL to 64, not 128.

625
MCQeasy

A developer writes a Python script to read a configuration file. Which code snippet correctly opens the file 'config.json' for reading and ensures the file is closed after use?

A.with open('config.json', 'r') as f:\n data = f.read()
B.open('config.json', 'r') as f:\n data = f.read()
C.with open('config.json', 'r') as f, data = f.read()
D.file = open('config.json', 'r')\ndata = file.read()\nfile.close()
AnswerA

Using with ensures proper acquisition and release of resources.

Why this answer

Option A is correct because it uses the `with` statement, which is a context manager that automatically calls `f.close()` when the block exits, ensuring the file is properly closed even if an exception occurs. The `'r'` mode opens the file for reading, and `f.read()` reads the entire contents into the `data` variable.

Exam trap

Cisco often tests the candidate's understanding of Python's context manager (`with` statement) versus manual file handling, expecting candidates to recognize that only the `with` statement guarantees automatic resource cleanup, while explicit `close()` calls are error-prone in the face of exceptions.

How to eliminate wrong answers

Option B is wrong because it uses `open('config.json', 'r') as f:` without the `with` statement, which is a syntax error in Python; the `as` clause is only valid inside a `with` statement. Option C is wrong because it uses a comma to separate the `with` statement and the assignment, which is invalid syntax; the correct syntax requires a colon and an indented block. Option D is wrong because while it does open the file and explicitly close it, it lacks the automatic cleanup provided by the `with` statement; if an exception occurs between `open()` and `file.close()`, the file may not be closed, leading to resource leaks.

626
MCQhard

A CI/CD pipeline using GitHub Actions needs to build a Docker image and push it to Docker Hub. Which event trigger should be used to run the workflow only when code is pushed to the main branch?

A.on: workflow_dispatch
B.on: push: branches: [ main ]
C.on: release: types: [ published ]
D.on: pull_request: branches: [ main ]
AnswerB

Correct syntax to trigger on push to main branch.

Why this answer

The 'push' event with a branch filter triggers on pushes to main. 'pull_request' triggers on PRs, 'release' triggers on releases, and 'workflow_dispatch' is a manual trigger.

627
Multi-Selectmedium

Which TWO of the following are best practices when using REST APIs in Cisco networking environments?

Select 2 answers
A.Send credentials as plain text in every request.
B.Poll the API every second to get real-time updates.
C.Always handle HTTP error codes like 4xx and 5xx.
D.Embed API keys directly in the URL query parameters.
E.Implement caching to reduce redundant API calls.
AnswersC, E

Error handling is critical for robustness.

Why this answer

Option C is correct because handling HTTP error codes like 4xx (client errors) and 5xx (server errors) is essential for robust REST API integration. In Cisco environments, APIs such as those for DNA Center or Meraki return these codes to indicate issues like authentication failure (401), rate limiting (429), or server overload (503). Proper error handling allows the application to retry, log, or alert appropriately, preventing silent failures and ensuring reliable network automation.

Exam trap

Cisco often tests the misconception that polling frequently (e.g., every second) is acceptable for real-time data, but the trap is that this violates API rate-limiting best practices and ignores the recommended use of webhooks or longer intervals.

628
Drag & Dropmedium

Drag and drop the steps to troubleshoot a network connectivity issue using the OSI model from bottom to top.

Why this order

Troubleshooting follows the OSI model from physical up to application to systematically isolate the problem.

629
MCQmedium

Which Python list comprehension correctly creates a list of squares for even numbers from 0 to 10?

A.[x**2 for x in range(11) if x % 2 == 0]
B.[x*2 for x in range(11) if x % 2 == 0]
C.[x**2 for x in range(10) if x % 2]
D.[x**2 for x in range(10) if x % 2 == 0]
AnswerA

Correct: filters even numbers and squares them.

Why this answer

Option A is correct because it uses list comprehension syntax with `x**2` to square each number, iterates over `range(11)` to include numbers 0 through 10, and applies the condition `if x % 2 == 0` to filter only even numbers. This produces the list `[0, 4, 16, 36, 64, 100]` as required.

Exam trap

Cisco often tests the subtle difference between `range(10)` and `range(11)` to see if candidates remember that `range(n)` generates numbers from 0 to n-1, and also tests the distinction between `x % 2` (odd filter) and `x % 2 == 0` (even filter).

How to eliminate wrong answers

Option B is wrong because it uses `x*2` (multiplication by 2) instead of `x**2` (squaring), so it creates a list of doubled even numbers, not squares. Option C is wrong because it uses `if x % 2` which evaluates to True for odd numbers (since odd numbers have remainder 1), thus filtering for odd numbers instead of even numbers, and also uses `range(10)` which excludes 10. Option D is wrong because it uses `range(10)` which generates numbers 0 through 9, missing the number 10, so the list will not include the square of 10 (100).

630
MCQmedium

A developer is building a REST API for a Cisco DNA Center application. The API must allow external partners to retrieve network device inventory. Which security mechanism should be implemented to ensure that only authorized partners can access the API while maintaining the ability to revoke access for a specific partner without affecting others?

A.Use unique API keys per partner
B.Whitelist partner IP addresses in the API gateway firewall
C.Require HTTP basic authentication with a shared username and password
D.Implement OAuth 2.0 with client credentials grant
AnswerA

API keys are simple to manage and can be revoked individually without impacting other partners.

Why this answer

Option A is correct because unique API keys per partner provide a simple, scalable mechanism to authenticate and authorize individual partners. Each key can be independently revoked without affecting other partners' access, directly meeting the requirement for granular access control. API keys are a common choice for server-to-server integrations where a lightweight, token-based authentication is sufficient.

Exam trap

Cisco often tests the distinction between authentication (verifying identity) and authorization (granting permissions), and the trap here is that candidates may over-engineer the solution by choosing OAuth 2.0 when a simpler API key mechanism fully satisfies the requirement for per-partner revocation without unnecessary complexity.

How to eliminate wrong answers

Option B is wrong because whitelisting IP addresses does not authenticate the partner's identity; IP addresses can be spoofed or shared across multiple partners, and revoking access requires changing the firewall rules, which could affect other partners if they share the same IP range. Option C is wrong because HTTP basic authentication with a shared username and password provides no per-partner granularity; revoking access for one partner would require changing the shared credential, breaking access for all partners. Option D is wrong because OAuth 2.0 with client credentials grant, while more robust, introduces unnecessary complexity for a simple API key use case. It still requires managing client IDs and secrets per partner, which is functionally equivalent to API keys but with heavier protocol overhead. Both API keys and OAuth client credentials can revoke access for a specific partner without affecting others, but API keys are the simpler, more direct solution for this scenario.

631
MCQmedium

A developer needs to share a Docker image built from a Dockerfile with team members. Which command correctly builds the image and tags it as 'myapp:v1'?

A.docker build --tag myapp:v1 .
B.docker build -t myapp:v1 .
C.docker build . --name myapp:v1
AnswerB

The -t flag specifies the tag name:tag.

Why this answer

docker build -t myapp:v1 . builds the Docker image from the current directory and tags it as myapp:v1.

632
MCQmedium

A developer wants to send a message to a Webex room using the API. The message should contain a simple text body. Which endpoint and parameter are required?

A.GET /v1/messages with query parameter 'roomId'
B.POST /v1/memberships with body parameter 'message'
C.POST /v1/rooms with body parameter 'text'
D.POST /v1/messages with body parameter 'roomId' and 'text'
AnswerD

Correct. This sends a text message to the specified room.

Why this answer

To send a message, a POST request is made to /v1/messages with a JSON body containing roomId and text (or markdown). roomId identifies the target room.

633
Multi-Selecthard

A developer needs to authenticate to the Cisco SD-WAN vManage API. Which two steps are required to obtain a session token?

Select 2 answers
A.POST j_username and j_password to the /j_security_check endpoint.
B.GET the /dataservice/client/token endpoint.
C.Provide an API key in the HTTP header.
D.POST credentials to the /authenticate endpoint.
E.Use OAuth2 client credentials grant.
AnswersA, B

First step for JSESSIONID.

Why this answer

Option A is correct because the Cisco SD-WAN vManage API uses a form-based authentication mechanism where credentials (j_username and j_password) are submitted via a POST request to the /j_security_check endpoint. This endpoint validates the credentials and, upon success, returns a JSESSIONID cookie that serves as the session token for subsequent API calls. Option B is correct because after obtaining the JSESSIONID, a GET request to /dataservice/client/token is required to retrieve an XSRF token, which must be included in the header of all subsequent requests to prevent cross-site request forgery attacks.

Exam trap

Cisco often tests the distinction between the initial credential submission endpoint (/j_security_check) and the token retrieval endpoint (/dataservice/client/token), leading candidates to mistakenly think a single POST to /authenticate is sufficient or that OAuth2 is used.

634
MCQhard

A developer wants to ensure that a containerized application restarts automatically if it exits with a non-zero code. The application is run using Docker. Which flag should be used?

A.--restart on-failure
B.--restart always
C.--restart unless-stopped
D.--restart no
AnswerA

Correct. Restarts only on non-zero exit codes.

Why this answer

The --restart flag with 'on-failure' restarts the container only if it exits with a non-zero code, which indicates an error.

635
MCQhard

A developer needs to retrieve a list of Webex teams that the authenticated user belongs to. Which HTTP request is correct?

A.GET https://api.ciscospark.com/v1/teams
B.POST https://api.ciscospark.com/v1/teams
C.PUT https://api.ciscospark.com/v1/teams
D.GET https://api.webex.com/v1/teams
AnswerA

This is the correct endpoint.

Why this answer

The Webex Teams API uses GET /v1/teams to list teams.

636
MCQmedium

A Cisco SD-WAN vManage API call to retrieve device inventory returns a 401 error. Which step is most likely missing?

A.The authentication token is expired or invalid
B.The request body is missing required fields
C.The device is unreachable
D.The API endpoint is incorrect
AnswerA

401 indicates authentication failure.

Why this answer

A 401 Unauthorized error in Cisco SD-WAN vManage API indicates that the request lacks valid authentication credentials. The vManage API uses token-based authentication (typically a JSON Web Token, JWT) obtained via a POST to /j_security_check or /authenticate. If the token is expired, malformed, or not included in the Authorization header, the API returns 401.

This is the most likely cause because the other options would produce different HTTP status codes (e.g., 400 for missing fields, 502 for unreachable device, 404 for incorrect endpoint).

Exam trap

Cisco often tests the distinction between HTTP status codes (401 vs 400, 404, 502) to see if candidates understand that authentication failures produce a specific code, not generic errors.

How to eliminate wrong answers

Option B is wrong because a missing required field in the request body would result in a 400 Bad Request error, not a 401. Option C is wrong because an unreachable device is a backend issue that would cause a 502 Bad Gateway or timeout, not a 401 authentication error. Option D is wrong because an incorrect API endpoint would return a 404 Not Found error, not a 401.

637
MCQeasy

A developer uses the Cisco DNA Center API to retrieve device inventory. The JSON response is shown. Which Python code snippet correctly extracts the serial number?

A.data['response'][0]['serialNumber']
B.data['serialNumber']
C.data['response']['serialNumber']
D.data[0]['serialNumber']
AnswerA

Correctly accesses first element.

Why this answer

Option A is correct because the JSON response from the Cisco DNA Center device inventory API returns a list of devices under the 'response' key, and each device is a dictionary. The serial number for the first device is accessed by indexing into the list with [0] and then retrieving the 'serialNumber' key from that dictionary.

Exam trap

The trap here is that candidates mistakenly treat the JSON response as a flat dictionary or forget that the 'response' value is a list, leading them to omit the list index and incorrectly access 'serialNumber' directly from 'response'.

How to eliminate wrong answers

Option B is wrong because it assumes 'serialNumber' is a top-level key in the JSON response, but the actual structure nests it inside 'response' and then inside a list. Option C is wrong because it omits the list index, treating 'response' as a direct dictionary containing 'serialNumber', but 'response' is actually a list of device dictionaries. Option D is wrong because it attempts to index the top-level JSON object with [0], but the top-level is a dictionary, not a list, so this would raise a KeyError or TypeError.

638
MCQmedium

A developer is building a REST API client in Python using the requests library. They need to send a JSON payload with authentication. Which code snippet correctly sends a POST request with a JSON body and a Bearer token?

A.requests.post(url, data=payload, auth=token)
B.requests.post(url, json=payload, headers={'Authorization': f'Bearer {token}'})
C.requests.post(url, data=json.dumps(payload), headers={'Authorization': token})
D.requests.post(url, params=payload, auth=('Bearer', token))
AnswerB

Correct: json= automatically sets content-type and serializes.

Why this answer

The correct way is to use json parameter for JSON body and headers for authorization.

639
MCQhard

A Kubernetes Deployment is configured with rolling update strategy. A new version of the image is pushed, and the deployment is updated. During the rollout, the new pods are failing health checks. Which command can be used to pause the rollout and prevent further updates?

A.kubectl rollout undo deployment/myapp
B.kubectl rollout pause deployment/myapp
C.kubectl delete deployment/myapp
D.kubectl rollout status deployment/myapp
AnswerB

Pauses the rollout, preventing further pod updates.

Why this answer

kubectl rollout pause suspends the rollout. kubectl rollout undo rolls back to the previous revision. kubectl rollout status shows the rollout status, and kubectl delete does not pause the rollout.

640
MCQmedium

A developer wants to send a message to a specific room in Webex using the API. The developer already has the room ID. Which API call is correct?

A.POST /v1/messages with body { 'roomId': 'Y2lzY29zcGFyazovL3VzL1JPT00v...', 'text': 'Hello' }
B.PUT /v1/messages with body { 'roomId': '...', 'text': 'Hello' }
C.POST /v1/rooms with body { 'title': 'New Room' }
D.GET /v1/messages with query parameter roomId='...'
AnswerA

Correct. This sends a message to the specified room.

Why this answer

To send a message to a room, POST /v1/messages is used with roomId and text in the body.

641
MCQmedium

Which wireless standard operates in both 2.4 GHz and 5 GHz bands and is commonly known as Wi-Fi 6?

A.802.11n
B.802.11ac
C.802.11ax
D.802.11g
AnswerC

802.11ax is Wi-Fi 6, dual-band.

Why this answer

802.11ax (Wi-Fi 6) supports both 2.4 GHz and 5 GHz bands, offering improved efficiency.

642
MCQmedium

In an SDN architecture, which layer is responsible for making decisions about where traffic should be forwarded?

A.Data plane
B.Application plane
C.Management plane
D.Control plane
AnswerD

The control plane decides how traffic should be routed.

Why this answer

In SDN architecture, the control plane is responsible for making forwarding decisions by maintaining the network topology and computing paths for traffic flows. It communicates these decisions to the data plane via southbound protocols like OpenFlow or NETCONF, ensuring that packets are forwarded according to the desired policies.

Exam trap

Cisco often tests the distinction between the control plane and management plane, where candidates mistakenly think that configuration (management plane) is the same as making forwarding decisions, but the control plane is the one that dynamically determines traffic paths.

How to eliminate wrong answers

Option A is wrong because the data plane (or forwarding plane) is responsible only for the actual forwarding of packets based on flow tables or forwarding information bases (FIBs), not for making routing decisions. Option B is wrong because the application plane contains network applications (e.g., load balancers, firewalls) that express high-level policies, but it does not directly make per-packet forwarding decisions; it relies on the control plane to translate those policies into forwarding rules. Option C is wrong because the management plane handles administrative tasks such as configuration, monitoring, and fault management (e.g., via CLI, SNMP, or REST APIs), but it does not dynamically decide traffic paths in real time.

643
Multi-Selectmedium

A developer wants to use Cisco DNA Center to change the network configuration. Which TWO API categories provide capabilities to modify the network? (Choose two.)

Select 2 answers
A.Platform
B.Run your network
C.Know your network
D.Monitor your network
E.Change your network
AnswersB, E

Command runner can execute commands that change configuration.

Why this answer

Change your network and Run your network (command runner) can modify the network. Know your network is read-only.

644
MCQhard

Refer to the exhibit. A DevOps engineer is using NETCONF to retrieve the OSPF configuration. The <get> response is missing the network statements. What is the most likely cause?

A.The filter used in the NETCONF request did not include the correct path for network commands.
B.The YANG model for OSPF does not include the network statement.
C.The device does not support NETCONF for OSPF.
D.The NETCONF username does not have sufficient privileges.
AnswerA

If the filter subtree does not include the network list, the response will not contain those statements.

Why this answer

The most likely cause is that the NETCONF <get> request used an incorrect or incomplete XML filter that did not specify the correct XPath for the OSPF network statements. NETCONF relies on YANG-defined data paths; if the filter omits the subtree for network commands, the device will not return those configuration elements, even though they exist in the running configuration.

Exam trap

Cisco often tests the nuance that NETCONF filters are not automatically recursive; candidates mistakenly assume that requesting a parent container returns all child elements, but the filter must explicitly include the desired subtree path.

How to eliminate wrong answers

Option B is wrong because YANG models for OSPF (e.g., RFC 7277 or vendor-specific models) do include network statements as part of the OSPF area configuration; the model itself is not the issue. Option C is wrong because the device successfully returned other OSPF configuration (e.g., router-id, area), proving NETCONF support for OSPF is functional. Option D is wrong because insufficient privileges would typically result in an access-denied error or an empty <rpc-reply>, not a partial response missing only the network statements.

645
MCQmedium

An engineer retrieves the list of devices in a Meraki network via the Dashboard API. The API returns HTTP 200 OK with an empty array. What is the most likely reason?

A.The organization has no networks.
B.The network ID provided is incorrect.
C.The API key has expired.
D.The network exists but has no devices.
AnswerD

A 200 with empty array means the network is valid but contains no devices.

Why this answer

An HTTP 200 OK with an empty array indicates the API request was successfully processed and the target resource (the network) exists, but there are no devices associated with it. This is the expected response when the network is valid but has no devices provisioned.

Exam trap

The trap here is that candidates may confuse a successful empty response (200 OK with empty array) with an error condition, leading them to incorrectly assume the network ID is wrong or the API key is invalid, when in fact the request was valid and the network simply has no devices.

How to eliminate wrong answers

Option A is wrong because if the organization had no networks, the API would return a 404 Not Found or an error message, not a 200 OK with an empty array. Option B is wrong because an incorrect network ID would result in a 404 Not Found or a 400 Bad Request, not a successful 200 OK response. Option C is wrong because an expired API key would cause a 401 Unauthorized or 403 Forbidden error, not a 200 OK.

646
MCQmedium

A Kubernetes Deployment is updated with a new image tag, but the rollout fails. Which kubectl command should be used to view the rollout status and troubleshoot?

A.kubectl rollout status deployment/myapp
B.kubectl get events
C.kubectl describe deployment
D.kubectl logs deployment
AnswerA

This command shows the status of the rollout, including any failures.

Why this answer

kubectl rollout status shows the progress of a rollout, and kubectl rollout history shows revisions.

647
MCQeasy

A developer wants to process a list of server hostnames and create a new list containing only hostnames that start with 'web'. Which Python list comprehension correctly accomplishes this?

A.[hostname.startswith('web') for hostname in servers]
B.[hostname for hostname in servers if 'web' in hostname]
C.[hostname for hostname in servers if hostname.startswith('web')]
D.[hostname if hostname.startswith('web') for hostname in servers]
AnswerC

Correct syntax for list comprehension with condition.

Why this answer

The list comprehension filters items based on the condition and produces a new list.

648
MCQhard

An automation engineer is writing a Python script to interact with a REST API that requires authentication. The API returns a 403 Forbidden status. Which scenario best explains this response?

A.The request was malformed and the server cannot process it.
B.The requested resource does not exist on the server.
C.The server is temporarily unavailable due to maintenance.
D.The authentication token is missing or invalid, and the request is not allowed.
AnswerD

403 Forbidden indicates that the server recognized the credentials but they do not have the required permissions.

Why this answer

A 403 Forbidden status code indicates that the server understood the request but refuses to authorize it. In the context of a REST API requiring authentication, this typically means the authentication token is missing, expired, or invalid, and the server is explicitly denying access. This aligns with RFC 7231, which defines 403 as a response when the server 'refuses to fulfill the request' due to insufficient authorization credentials.

Exam trap

Cisco often tests the distinction between 401 (Unauthorized) and 403 (Forbidden), where candidates mistakenly think any authentication failure results in 401, but 403 specifically applies when the server knows the identity but denies access due to insufficient permissions or a rejected token.

How to eliminate wrong answers

Option A is wrong because a malformed request (e.g., bad syntax or invalid JSON) would result in a 400 Bad Request, not 403. Option B is wrong because a non-existent resource returns a 404 Not Found, indicating the server cannot map the URI to a resource. Option C is wrong because temporary unavailability due to maintenance is represented by a 503 Service Unavailable, not 403.

649
Multi-Selecteasy

Which THREE of the following are common stages in a continuous integration pipeline? (Select THREE)

Select 3 answers
A.Monitor
B.Deploy
C.Build
D.Test
E.Lint
AnswersC, D, E

Build compiles code and creates artifacts.

Why this answer

The build stage (C) is a core step in a continuous integration pipeline where source code is compiled, dependencies are resolved, and executable artifacts are produced. Without a successful build, subsequent stages like testing and deployment cannot proceed, making it a foundational stage in CI/CD workflows.

Exam trap

Cisco often tests the distinction between CI and CD stages, so candidates mistakenly include 'Deploy' or 'Monitor' as CI stages when they belong to later delivery or runtime phases.

650
MCQmedium

A DevOps team uses GitLab CI to deploy a containerized application to a Kubernetes cluster. The deployment pipeline fails at the 'deploy' stage with an error: 'unable to connect to server'. What is the most likely cause?

A.The Git repository is private and cannot be accessed.
B.The kubeconfig file for the cluster is missing or invalid.
C.The Docker image was not built successfully.
D.The Kubernetes cluster has insufficient resources to schedule the pod.
AnswerB

Without a valid kubeconfig, kubectl cannot connect to the cluster.

Why this answer

The error 'unable to connect to server' indicates that the GitLab CI runner cannot establish a TCP connection to the Kubernetes API server. This is most commonly caused by a missing or invalid kubeconfig file, which contains the cluster endpoint, credentials, and context required by kubectl to authenticate and communicate with the cluster. Without a valid kubeconfig, the deployment stage cannot proceed.

Exam trap

Cisco often tests the distinction between pipeline-stage-specific errors; the trap here is confusing a Kubernetes connectivity error (missing kubeconfig) with a resource scheduling issue (insufficient resources) or a build failure, which occur at different stages and produce distinct error messages.

How to eliminate wrong answers

Option A is wrong because a private Git repository would cause a 'repository not found' or authentication error during the clone step, not during the deploy stage when connecting to Kubernetes. Option C is wrong because a failed Docker image build would result in an 'image not found' or build failure earlier in the pipeline, not a connection error to the Kubernetes server. Option D is wrong because insufficient cluster resources would produce a pod scheduling failure (e.g., '0/1 nodes are available'), not an 'unable to connect to server' error, which is a network/authentication issue.

651
Multi-Selecthard

A developer is building a chatbot that needs to send a direct message to a user on Webex. Which TWO fields are required in the POST /v1/messages request? (Choose TWO.)

Select 3 answers
A.roomId
B.toPersonId
C.markdown
D.toPersonEmail
E.files
AnswersB, C, D

Identifies the recipient by person ID.

Why this answer

To send a direct message, you must specify either toPersonEmail or toPersonId, and the message text or markdown.

652
MCQmedium

An engineer is troubleshooting a connectivity issue between two devices on different VLANs. The switch connecting the devices is configured with 802.1Q trunking. At which OSI layer do VLANs operate?

A.Layer 2
B.Layer 4
C.Layer 1
D.Layer 3
AnswerA

VLANs are a Layer 2 concept used to separate traffic on a switch.

Why this answer

VLANs operate at Layer 2 (Data Link) because they segment broadcast domains based on MAC addresses and logical grouping, but they do not involve IP routing (Layer 3).

653
MCQmedium

A developer wants to create a new room in Cisco Webex using the API. Which HTTP request is appropriate?

A.GET /v1/rooms
B.PUT /v1/rooms
C.POST /v1/rooms
D.DELETE /v1/rooms
AnswerC

Correct. POST is used to create a new room.

Why this answer

To create a new room, you must send a POST request to /v1/rooms with the room details in the body.

654
MCQmedium

A large enterprise uses Cisco DNA Center to manage their campus network. They have deployed fabric technology for SD-Access. The network team wants to use the DNA Center REST API to automate the addition of new wireless users to a specific virtual network (VN) based on their location (building). They have identified the API endpoint for creating a user device in the fabric. However, when they send a POST request with the appropriate JSON body, they receive a 400 Bad Request error. The JSON payload includes the mandatory fields for hostname, MAC address, and VN name. What is the most likely cause of the error?

A.The API call requires an authentication token that is missing or expired.
B.The virtual network name provided does not exist in the fabric.
C.The MAC address format is incorrect (e.g., lowercase vs uppercase).
D.The user making the API call does not have sufficient privileges.
AnswerB

If the VN doesn't exist, the API returns a 400 error.

Why this answer

The 400 Bad Request error indicates that the server cannot process the request due to a client-side issue, such as invalid data in the payload. Since the mandatory fields (hostname, MAC address, VN name) are provided, the most likely cause is that the virtual network (VN) name does not match any existing VN in the fabric. DNA Center validates the VN name against its fabric configuration; if the VN is not defined, the API rejects the request with a 400 error.

Exam trap

Cisco often tests the distinction between HTTP status codes (400 vs 401 vs 403) to see if candidates understand that 400 errors are client-side payload issues, not authentication or authorization problems.

How to eliminate wrong answers

Option A is wrong because a missing or expired authentication token would result in a 401 Unauthorized error, not a 400 Bad Request. Option C is wrong because DNA Center accepts MAC addresses in various formats (e.g., lowercase, uppercase, with or without colons) and normalizes them internally; an incorrect format would not cause a 400 error. Option D is wrong because insufficient privileges would result in a 403 Forbidden error, not a 400 Bad Request.

655
MCQeasy

Which Cisco platform provides a cloud-managed networking solution with a RESTful API that uses an API key in the X-Cisco-Meraki-API-Key header?

A.Cisco Webex
B.Cisco DNA Center
C.Cisco IOS XE
D.Cisco Meraki
AnswerD

Meraki API uses API key header.

Why this answer

The Meraki Dashboard API uses an API key in the X-Cisco-Meraki-API-Key header.

656
MCQ · medium

A network automation engineer is using the Cisco DNA Center intent API to retrieve a list of network devices. Which API endpoint should be used?

A. GET /dna/intent/api/v1/site
B. GET /dna/intent/api/v1/topology
C. GET /dna/intent/api/v1/network-device
D. GET /dna/intent/api/v1/issue
Answer: C

Correct endpoint for listing network devices.

Why this answer

The correct endpoint is GET /dna/intent/api/v1/network-device because the Cisco DNA Center intent API uses this path to retrieve a list of all network devices managed by the controller. The 'network-device' resource is specifically designed for device inventory operations, returning details such as hostname, IP address, platform ID, and software version. This aligns with the intent API's purpose of abstracting underlying complexities into business-relevant resources.

Exam trap

Cisco often tests the distinction between 'network-device' (inventory) and 'topology' (relationships) — candidates mistakenly pick topology because they think 'list of devices' implies a map view, but the intent API separates raw device data from topological connections.

How to eliminate wrong answers

Option A is wrong because GET /dna/intent/api/v1/site retrieves site hierarchy information (buildings, floors, areas), not network device lists. Option B is wrong because GET /dna/intent/api/v1/topology returns the physical or logical topology map of the network, not a flat device inventory. Option D is wrong because GET /dna/intent/api/v1/issue fetches health or assurance issues (e.g., syslog, SNMP traps), not device inventory data.

657
Multi-Select · hard

A developer is designing a Cisco Catalyst Center integration that uses the intent API. Which THREE of the following are available via the intent API? (Select three.)

Select 3 answers
A. Site hierarchy
B. Network device configuration files
C. Issues and health scores
D. List of network devices
E. Real-time interface statistics
Answers: A, C, D

GET /dna/intent/api/v1/site.

Why this answer

The intent API provides access to network devices, site hierarchy, and issues. Command runner is also available but as a separate endpoint.

658
MCQ · medium

Based on the routing table, what is the administrative distance of the route to 192.168.1.0/24?

A. 10
B. 0
C. 120
D. 1
Answer: C

120 is the administrative distance, indicating a RIP route.

Why this answer

The administrative distance (AD) for a route learned via EIGRP (internal) is 90, but for EIGRP external routes it is 170. However, the route to 192.168.1.0/24 in the routing table shows an AD of 120, which is the default AD for RIP (Routing Information Protocol). Since the question states the AD is 120, the correct answer is C.

Exam trap

Cisco often tests the default administrative distance values for common routing protocols (RIP=120, OSPF=110, EIGRP=90/170, static=1, connected=0), and the trap here is that candidates confuse the AD of RIP with that of OSPF or EIGRP, or mistakenly think a route with AD 120 is from a protocol like BGP (which uses 20 for eBGP).

How to eliminate wrong answers

Option A is wrong because an AD of 10 is the default for static routes, not for a dynamically learned route like RIP. Option B is wrong because an AD of 0 is reserved for directly connected routes, which are not learned via a routing protocol. Option D is wrong because an AD of 1 is the default for static routes with a next-hop IP (or for OSPF, which uses 110, not 1).

659
MCQ · hard

A developer is working with the Webex API to receive real-time notifications when a message is posted. Which resource should they create?

A. A webhook with resource 'messages' and event 'created'
B. A bot that polls the /v1/messages endpoint every second
C. A membership to the room to receive notifications
D. A webhook with resource 'rooms' and event 'created'
Answer: A

This will trigger when a message is created.

Why this answer

Webex webhooks allow you to subscribe to events like message.created.

660
Multi-Select · hard

Which THREE of the following are valid methods to automatically assign IP addresses to network hosts?

Select 3 answers
A. Static assignment
B. SLAAC
C. DHCP
D. BOOTP
E. DNS
Answers: B, C, D

Stateless Address Autoconfiguration is used in IPv6 for automatic addressing.

Why this answer

SLAAC (Stateless Address Autoconfiguration) is a valid method for automatically assigning IPv6 addresses to network hosts. It uses ICMPv6 Router Advertisement (RA) messages to provide a prefix, and the host generates its own interface identifier (often based on EUI-64 or privacy extensions) to form a complete IPv6 address without a central server.

Exam trap

Cisco often tests the distinction between automatic address assignment methods (SLAAC, DHCP, BOOTP) and services that operate at higher layers (DNS) or manual configuration (static), leading candidates to incorrectly include static or DNS as automatic assignment methods.

661
MCQ · medium

An administrator wants to receive real-time notifications when a new message is posted to a Webex room. Which Webex API resource should be used to configure this?

A. People API
B. Messages API
C. Webhooks API
D. Rooms API
Answer: C

Webhooks API allows registering for events such as message.created.

Why this answer

Webhooks allow you to register for events like message.created. The webhook resource is used for this purpose.

662
MCQ · medium

Which of the following is a private IPv4 address range as defined by RFC 1918?

A. 192.167.0.0/16
B. 172.16.0.0/12
C. 11.0.0.0/8
D. 172.32.0.0/12
Answer: B

Correct. This is a private range.

Why this answer

Option B is correct because RFC 1918 defines the private IPv4 address range 172.16.0.0/12, which includes addresses from 172.16.0.0 to 172.31.255.255. These addresses are reserved for use within private networks and are not routable on the public internet.

Exam trap

Cisco often tests the exact boundaries of the 172.16.0.0/12 range, and the trap here is that candidates mistakenly think any address starting with 172 is private, but only 172.16.0.0 through 172.31.255.255 are reserved.

How to eliminate wrong answers

Option A is wrong because 192.167.0.0/16 is not a private range; the correct private range is 192.168.0.0/16, not 192.167.0.0/16. Option C is wrong because 11.0.0.0/8 is a public IP range (originally assigned to the US Department of Defense) and is not reserved by RFC 1918. Option D is wrong because 172.32.0.0/12 falls outside the RFC 1918 private block; the private range is 172.16.0.0/12, which covers 172.16.0.0 through 172.31.255.255, and 172.32.0.0 is in the public space.

663
MCQ · medium

A network administrator wants to use Ansible to automate the configuration of a Cisco IOS-XE device. Which module is designed for this purpose?

A. cisco.ios.ios_config
B. cisco.nxos.nxos_config
C. ansible.netcommon.network_config
D. cisco.asa.asa_config
Answer: A

Specifically designed for Cisco IOS/IOS-XE devices.

Why this answer

The cisco.ios.ios_config module is specifically designed for managing Cisco IOS and IOS-XE device configurations via Ansible. It supports idempotent configuration updates using CLI commands, allowing the administrator to push, merge, or replace configuration snippets on the target device. This module is part of the Cisco IOS collection and directly interacts with the device's CLI to apply configuration changes.

Exam trap

Cisco often tests the candidate's ability to match the correct module to the specific device OS, so the trap here is that candidates may choose the generic ansible.netcommon.network_config module, thinking it works universally, without realizing that dedicated OS-specific modules provide better reliability and feature support.

How to eliminate wrong answers

Option B is wrong because cisco.nxos.nxos_config is designed for Cisco NX-OS devices (e.g., Nexus switches), not IOS-XE. Option C is wrong because ansible.netcommon.network_config is a platform-agnostic module that requires a specific network_cli or netconf connection plugin and does not provide the IOS-XE-specific CLI handling or idempotent behavior of the dedicated ios_config module. Option D is wrong because cisco.asa.asa_config is intended for Cisco ASA firewalls, which run a different operating system (ASA OS) and use a distinct command syntax compared to IOS-XE.

664
MCQ · easy

In DNA Center, which API category is used to deploy templates to devices?

A. Platform
B. Know your network
C. Change your network
D. Run your network
Answer: C

Correct. This includes template deployment and PnP.

Why this answer

The 'Change your network' API category in Cisco DNA Center is specifically designed for network configuration and provisioning tasks, including deploying templates to devices. This category encompasses APIs that push configuration changes, such as applying CLI templates via the Template Programmer (formerly Template Editor) or provisioning new network settings, directly aligning with the action of deploying templates to network devices.

Exam trap

The trap here is that candidates confuse 'Run your network' (which involves monitoring and operational state) with 'Change your network' (which involves active configuration changes), leading them to select D because they associate 'running' with executing templates, but Cisco specifically separates read-only operations from write operations in its API categorization.

How to eliminate wrong answers

Option A is wrong because the 'Platform' API category provides foundational services like authentication, RBAC, and event notifications, not template deployment. Option B is wrong because 'Know your network' focuses on read-only APIs for inventory, topology, and assurance data, not on making configuration changes. Option D is wrong because 'Run your network' deals with operational tasks like device health monitoring and troubleshooting, not the active deployment of configuration templates.

665
MCQ · medium

An automation engineer runs a Python script using the Cisco NX-OS NX-API to retrieve the interface configuration. The JSON response shows the 'switchport access vlan' as '10'. However, VLAN 10 does not exist in the VLAN database. What is the expected behavior of the switch regarding this interface?

A. The interface will work but traffic will be dropped
B. The switch will automatically create the VLAN
C. The interface will be error-disabled
D. The interface will be operationally down
Answer: D

Without the VLAN, the interface cannot function and is placed in down state.

Why this answer

When a switchport is configured with an access VLAN that does not exist in the VLAN database, the interface remains administratively up but is placed in an operationally down state. This occurs because the switch cannot forward traffic for a non-existent VLAN, and the interface will not transition to a forwarding state until the VLAN is created. The NX-API response reflects the configured VLAN ID, but the operational status is determined by the VLAN's existence.

Exam trap

Cisco often tests the distinction between configuration and operational state, trapping candidates who assume a configured VLAN ID automatically makes the interface active even if the VLAN does not exist.

How to eliminate wrong answers

Option A is wrong because the interface will not work at all; traffic is not simply dropped—the interface is operationally down, preventing any frame forwarding. Option B is wrong because Cisco NX-OS does not automatically create VLANs when they are assigned to an interface; VLANs must be explicitly created in the VLAN database. Option C is wrong because error-disabled is a specific state triggered by events like port security violations or STP BPDU guard, not by a missing VLAN assignment.

666
Multi-Select · medium

Which TWO of the following are common causes of VLAN connectivity issues?

Select 2 answers
A. VLAN not created on all switches
B. Mismatched subnet masks on access ports
C. Incorrect default gateway
D. Mismatched VLAN IDs on trunk ports
E. STP blocking port
Answers: A, D

If a VLAN is missing on a switch, ports assigned to that VLAN will be down.

Why this answer

Option A is correct because VLANs must exist in the VLAN database of every switch that needs to forward traffic for that VLAN. If a VLAN is not created on a switch, interfaces assigned to that VLAN will be in an inactive or error-disabled state, and the switch will not forward frames for that VLAN across trunk links. This is a common misconfiguration when adding a new VLAN to a network without propagating it to all switches.

Exam trap

Cisco often tests the distinction between Layer 2 and Layer 3 issues, so candidates mistakenly select subnet mask or default gateway problems as VLAN connectivity issues when those are actually routing or host configuration problems.

667
MCQ · medium

A developer is writing a Dockerfile for a Node.js application. They want to set a build-time variable for the application version that can be changed without modifying the Dockerfile. Which instruction should be used?

A. RUN
B. ARG
C. ENV
D. CMD
Answer: B

ARG defines build-time variables that can be overridden.

Why this answer

ARG allows passing build-time variables. ENV sets environment variables that persist in the container. CMD and RUN are not for variable definition.

668
Multi-Select · medium

Which TWO of the following are valid branching strategies in Git? (Choose two.)

Select 2 answers
A. Rebase-only
B. Merge avoidance
C. Feature branching
D. Direct commit to main
E. GitFlow
Answers: C, E

Each feature is developed in its own branch.

Why this answer

Feature branching (C) is a valid Git branching strategy where each new feature is developed in its own branch, allowing isolated work without disrupting the main codebase. GitFlow (E) is another valid strategy that defines a strict branching model with master, develop, feature, release, and hotfix branches, commonly used for projects with scheduled releases.

Exam trap

Cisco often tests the distinction between Git operations (like rebase or merge) and actual branching strategies, so candidates mistakenly select 'Rebase-only' or 'Merge avoidance' as strategies when they are merely workflow tactics.

669
MCQ · hard

An engineer uses Ansible to push a configuration change to 100 switches. The playbook fails on 5 switches. What is the most efficient way to apply the change only to those 5?

A. Use Ansible's --limit with the retry file
B. Use --skip-tags on successful hosts
C. Re-run the playbook on all switches
D. Manually configure the 5 switches
Answer: A

This targets only the failed hosts.

Why this answer

Ansible generates a retry file by default when a playbook fails on some hosts. Using `--limit @<retry-file>` re-runs the playbook only against the failed hosts, avoiding unnecessary execution on the 95 successful switches. This is the most efficient method because it targets only the problematic devices without manual intervention or full re-runs.

Exam trap

Cisco often tests the distinction between host-level filtering (`--limit`) and task-level filtering (`--tags`/`--skip-tags`), leading candidates to confuse `--skip-tags` as a way to skip hosts instead of tasks.

How to eliminate wrong answers

Option B is wrong because `--skip-tags` is used to skip tasks with specific tags, not to filter hosts; it would still run on all hosts. Option C is wrong because re-running the playbook on all 100 switches wastes time and resources on the 95 already-configured switches, which is inefficient. Option D is wrong because manually configuring 5 switches defeats the purpose of automation and is error-prone and time-consuming.

670
Multi-Select · medium

Which three HTTP methods are used for CRUD operations in REST APIs? (Choose three.)

Select 3 answers
A. DELETE
B. GET
C. PATCH
D. POST
E. PUT
Answers: B, D, E

Read operation.

Why this answer

GET (read), POST (create), and PUT (update/replace) are CRUD operations. DELETE (delete) is also CRUD, but the question asks for three, and PATCH is a partial update that is not always considered core CRUD.

671
MCQ · hard

An engineer is developing an EEM applet on a Cisco IOS XE device to run a CLI command when a specific syslog message appears. Which event trigger should be used?

A. event interface
B. event timer
C. event cli match
D. event syslog pattern
Answer: D

Correct. This triggers on syslog message pattern match.

Why this answer

The syslog pattern event trigger allows matching a specific syslog message pattern.

672
MCQ · hard

A developer notices that after a new deployment, the application is not receiving traffic. The Service selector does not match the pod labels. Which kubectl command can be used to inspect the Service's selector?

A. kubectl describe service my-service
B. kubectl exec service/my-service -- cat /etc/hosts
C. kubectl get service my-service -o yaml
D. kubectl logs service/my-service
Answer: A

kubectl describe provides detailed information including selector.

Why this answer

The `kubectl describe service my-service` command displays detailed information about the Service, including its selector field, which defines the label key-value pairs used to match pods. This allows the developer to directly compare the selector against the pod labels to identify the mismatch. It is the most straightforward way to inspect the selector without needing to parse raw YAML or execute commands inside the service.

Exam trap

Cisco often tests the distinction between commands that operate on resources (like Services) versus those that operate on pods or containers, leading candidates to mistakenly choose `kubectl exec` or `kubectl logs` for a Service.

How to eliminate wrong answers

Option B is wrong because `kubectl exec` runs a command inside a container, but a Service is not a pod or container; it is an abstract resource, so `kubectl exec service/my-service` is invalid and will fail. Option C is wrong because while `kubectl get service my-service -o yaml` does show the selector in the output, it is not the most direct or recommended command for inspecting the selector alone; `kubectl describe` provides a more human-readable summary. Option D is wrong because `kubectl logs` retrieves logs from a pod or container, not from a Service, and a Service does not generate logs; this command would result in an error.

673
MCQ · hard

A financial services company deploys a multi-tier application on Cisco UCS with separate VMs for web, app, and database tiers. The security team runs a vulnerability scan and finds that the web server is vulnerable to SQL injection. The development team cannot fix the code immediately because of a pending third-party library update. The company needs to deploy a security control to mitigate the vulnerability as soon as possible without changing the application. Which of the following is the best immediate mitigation?

A. Deploy a Web Application Firewall (WAF) in front of the web server to filter malicious SQL patterns
B. Implement network segmentation to isolate the web server from the database server
C. Apply input validation on the web server by configuring the web server itself to sanitize inputs
D. Apply the latest security patches to the web server operating system
Answer: A

A WAF can provide virtual patching without code changes, blocking SQL injection attempts.

Why this answer

A Web Application Firewall (WAF) operates at Layer 7 and can inspect HTTP/HTTPS traffic for malicious payloads, such as SQL injection patterns, without requiring any changes to the application code. By deploying a WAF in front of the web server, the company can immediately filter out malicious SQL patterns (e.g., ' OR 1=1 --) using signature-based or behavioral rules, providing a virtual patch until the code fix is available. This aligns with the requirement to mitigate the vulnerability without modifying the application itself.

Exam trap

Cisco often tests the distinction between network-layer controls (like segmentation) and application-layer controls (like WAF), trapping candidates who think isolating the database server stops SQL injection, when in fact the malicious SQL commands are generated by the web server itself after the attack has already succeeded.

How to eliminate wrong answers

Option B is wrong because network segmentation isolates the web server from the database server at the network layer, but it does not prevent SQL injection attacks that originate from the web server itself; the web server still sends malicious queries to the database. Option C is wrong because applying input validation on the web server requires modifying the web server configuration or code, which contradicts the constraint of not changing the application. Option D is wrong because patching the web server operating system addresses OS-level vulnerabilities, not application-layer SQL injection flaws in the web application code.

674
MCQ · hard

In a RESTCONF API call to retrieve a specific interface configuration on a Cisco device, an engineer sends a GET request to /restconf/data/interfaces/interface=GigabitEthernet0/1. Which media type should be specified in the Accept header to receive YANG-defined JSON?

A. text/plain
B. application/xml
C. application/yang-data+json
D. application/json
Answer: C

This is the correct media type for YANG JSON.

Why this answer

RESTCONF uses application/yang-data+json for JSON encoding of YANG data.

675
Multi-Select · easy

Which TWO HTTP methods are considered safe according to HTTP/1.1 specification?

Select 2 answers
A. PUT
B. GET
C. DELETE
D. HEAD
E. POST
Answers: B, D

GET is a safe method; it only retrieves resources and does not change server state.

Why this answer

According to RFC 7231, safe methods are those that do not modify the state of the resource on the server. GET and HEAD are both defined as safe because they are intended for retrieval only and must not have side effects. This means a client can make these requests without risk of altering server data.

Exam trap

Cisco often tests the misconception that idempotent methods (like PUT and DELETE) are also safe, but idempotence only guarantees repeated requests have the same effect, not that they are read-only.
