CCNA Infrastructure and Automation Questions

75 of 111 questions · Page 1/2 · Infrastructure and Automation · Answers revealed

1
MCQmedium

A company uses Ansible to automate configuration of its Cisco IOS XE routers. The network team recently upgraded the routers' software from IOS 15.x to IOS XE 17.x. Since the upgrade, the Ansible playbook fails intermittently with the message: 'Failed to connect to the host via ssh: timed out'. However, the team can SSH manually to the routers from the Ansible control node without issues. The playbook uses the 'cisco.ios.ios_config' module with default SSH options. The routers have been configured with SSH version 2 and local authentication. The Ansible control node runs Red Hat Enterprise Linux 8. Which action should the network engineer take to resolve the issue?

A.Increase the SSH timeout in the Ansible configuration file (ansible.cfg) to 60 seconds.
B.Configure the routers to use SSH version 1 only.
C.Set the 'host_key_checking' option to False in ansible.cfg.
D.Use the 'ios_command' module instead of 'ios_config' to perform the tasks.
AnswerA

The answer key originally published with this question marked option B; that key is wrong, and the explanation here corrects it. Enabling SSH version 1 is never an acceptable fix: SSHv1 is cryptographically broken and deprecated, and turning it on weakens every management session to the router, not only Ansible's. The symptom (interactive SSH succeeds, Ansible times out only sometimes) points at the Ansible side of the connection. The cisco.ios modules connect through the network_cli connection plugin, which by default drives the paramiko library and abandons the attempt once ansible_connect_timeout (30 seconds by default) expires. Raising that timeout, option A, is the only listed change that addresses an intermittent timeout without reducing security. The longer-term fixes a practitioner would apply, switching the plugin to libssh (ansible_network_cli_ssh_type: libssh) or updating paramiko, are not among the options.

Why this answer

Option A is correct because an intermittent 'timed out' against a router that answers interactive SSH promptly is a client-side timing problem: key exchange and authentication must finish within the connect timeout, and that occasionally fails when the control node or router is busy or when paramiko negotiates slowly with the newer IOS XE SSH server. A longer timeout lets the session finish negotiating and changes nothing about the security of the transport. The setting lives in ansible.cfg under [persistent_connection] as connect_timeout, or per host as ansible_connect_timeout.

Exam trap

The trap is the protocol downgrade: a timeout is a timing or connectivity symptom, and the right response is to adjust the client's timeout or transport library, never to weaken the SSH version, ciphers, or host-key checking on the device.

How to eliminate wrong answers

Option B is wrong because SSH version 1 is insecure (its CRC-based integrity check is known to be exploitable), is deprecated on Cisco IOS and IOS XE, and a downgrade would not make the SSHv2 negotiation that Ansible actually performs any faster. Option C is wrong because host_key_checking only controls whether the control node verifies the router's host-key fingerprint; disabling it removes man-in-the-middle protection and has no effect on connection timing. Option D is wrong because ios_command uses the same network_cli SSH transport as ios_config and would time out in exactly the same way.

2
MCQhard

A DevOps team manages network infrastructure using Infrastructure as Code (IaC). They store configuration files in a Git repository and use CI/CD to deploy changes. What is the best practice to ensure that only validated configurations are applied to production devices?

A.Require a pull request with at least one approval before merging to the main branch
B.Allow any team member to push directly to the main branch after testing locally
C.Use a manual approval gate in the CI/CD pipeline that requires manager sign-off
D.Automate the deployment of every commit directly to production
AnswerA

Mandatory review before merge catches errors and enforces validation before anything is deployed.

Why this answer

Option A is correct because requiring a pull request with at least one approval forces every change to be reviewed (and, with branch protection, to pass the pipeline's lint and test stages) before it reaches the branch that drives production deployment. Option B removes that gate: local testing is unverifiable and unreviewed. Option C adds a manual manager sign-off, which slows delivery without providing technical validation and is not a substitute for peer review and automated checks. Option D deploys unvalidated commits directly, so any error goes straight to production.

3
MCQmedium

A network automation engineer uses Terraform to manage Cisco Catalyst Center (formerly DNA Center) resources. What is the purpose of the Cisco Catalyst Center Terraform provider?

A.To execute a series of CLI commands on network devices in sequence
B.To write imperative scripts that configure network devices via SSH
C.To directly manage routers and switches without using Catalyst Center
D.To define and manage network infrastructure resources in a declarative state file
AnswerD

Terraform providers allow managing resources (e.g., sites, devices) as code, maintaining desired state.

Why this answer

Option D is correct because the Cisco Catalyst Center Terraform provider allows network automation engineers to define and manage network infrastructure resources in a declarative state file. Terraform uses a desired-state approach where the configuration file describes the intended end state of resources, and the provider communicates with Catalyst Center's REST API to enforce that state, enabling idempotent and version-controlled infrastructure management.

Exam trap

The trap here is that candidates often confuse Terraform's declarative, API-driven model with imperative scripting or CLI-based automation, leading them to select options that describe procedural SSH or CLI workflows instead of recognizing the provider's role as an abstraction layer over Catalyst Center's REST API.

How to eliminate wrong answers

Option A is wrong because executing a series of CLI commands on network devices in sequence describes a procedural automation approach (e.g., using Ansible or a Python script with Netmiko), not the declarative, API-driven model of Terraform. Option B is wrong because writing imperative scripts that configure network devices via SSH is a traditional, non-declarative method that lacks Terraform's state management and idempotency; Terraform does not use SSH for device configuration. Option C is wrong because the Terraform provider for Catalyst Center does not directly manage routers and switches; it manages resources through Catalyst Center's northbound REST API, which in turn orchestrates device configurations via protocols like NETCONF or CLI.

4
MCQmedium

A developer writes a Python script using Cisco's pyATS framework to test network reachability after a configuration change. What is a key advantage of using pyATS over a simple script that uses ping?

A.pyATS requires less code than a ping script
B.pyATS can test multiple devices in parallel
C.pyATS allows writing reusable test scripts with built-in test libraries
D.pyATS automatically generates test reports
AnswerC

pyATS is designed for reusable, modular test automation.

Why this answer

Option C is correct because pyATS is a test automation framework designed for network engineers, providing built-in test libraries (e.g., `pyats.aetest`) that enable writing reusable, modular test scripts. Unlike a simple ping script, pyATS supports structured test cases, data-driven testing, and integration with Cisco devices via libraries like `Genie`, allowing for comprehensive validation beyond basic reachability.

Exam trap

The trap here is that candidates confuse pyATS's parallel execution capability (which is achievable with other tools) with its core value proposition of providing a structured, reusable test framework with built-in libraries for network-specific validation.

How to eliminate wrong answers

Option A is wrong because pyATS typically requires more code to set up test infrastructure (e.g., testbed files, test cases) compared to a simple ping script, which can be a single line. Option B is wrong because while pyATS can test multiple devices in parallel, this is not a unique advantage; a simple script using threading or asyncio can also achieve parallel pings, and the key advantage is the framework's test management and reusability. Option D is wrong because reporting is not the distinguishing advantage: the easypy job runner does produce result summaries and log archives for the jobs it runs, but a standalone aetest script still has to log and report explicitly, and a report alone does not make a reachability check reusable or structured.

5
MCQhard

In a CI/CD pipeline for network automation, a change is rolled back using a Git revert commit that triggers a new pipeline. The rollback playbook fails because the 'previous' configuration snapshot is missing. What should be implemented to prevent this?

A.Use a single source of truth like NetBox
B.Store configuration backups in a version-controlled repository before each change
C.Use the 'check mode' only
D.Disable rollback pipelines
AnswerB

This ensures a recoverable snapshot exists for any rollback.

Why this answer

Storing configuration backups in a version-controlled repository before each change ensures that a known good state is available for rollback, even if subsequent changes occur.

6
MCQeasy

A CI/CD pipeline for network automation includes stages for linting, unit testing, and deployment. Which stage typically validates the syntax of Ansible playbooks?

A.Integration testing stage
B.Deployment stage
C.Unit testing stage
D.Linting stage
AnswerD

Linting tools like ansible-lint validate playbook syntax and best practices.

Why this answer

Linting is the stage that validates syntax and style for code or configuration files. In a CI/CD pipeline for network automation, the linting stage uses tools like `ansible-lint` to check Ansible playbooks for syntax errors, best practices, and idempotency issues before any testing or deployment occurs.

Exam trap

Cisco often tests the distinction between linting (syntax/style checks) and unit testing (functional correctness of code), leading candidates to mistakenly choose unit testing for syntax validation.

How to eliminate wrong answers

Option A is wrong because integration testing validates the interaction between components (e.g., network devices and Ansible modules) after deployment, not syntax. Option B is wrong because the deployment stage applies the playbook to production or staging environments, assuming syntax is already correct. Option C is wrong because unit testing validates individual functions or modules in isolation (e.g., Python unit tests for custom modules), not the YAML syntax of Ansible playbooks.

7
MCQhard

A large enterprise uses Cisco SD-Access with fabric automation. The network administrator wants to automate the process of adding a new user device to a specific virtual network (VN) based on its MAC address. Which API or tool should they use?

A.Cisco ISE REST API
B.Ansible playbook with ios_config
C.Cisco DNA Center REST API
D.Cisco APIC-EM REST API
AnswerA

ISE manages endpoint identities and can assign VNs based on MAC.

Why this answer

Cisco ISE REST API is the correct choice because ISE is the policy and authentication engine in SD-Access that manages endpoint identity and virtual network (VN) assignments. When a new user device is added, the administrator can use the ISE REST API to programmatically create an endpoint entry with its MAC address and map it to a specific VN, leveraging ISE's policy sets and authorization profiles. This directly automates the VN assignment without requiring changes to fabric underlay or overlay configurations.

Exam trap

Cisco often tests the distinction between fabric provisioning tools (DNA Center) and policy enforcement tools (ISE), so the trap here is assuming that DNA Center's REST API can directly manage endpoint-to-VN mappings, when in fact ISE is the correct tool for identity-based VN assignment in SD-Access.

How to eliminate wrong answers

Option B is wrong because Ansible with ios_config is used to automate CLI commands on network devices (e.g., switches, routers), but it cannot directly manage endpoint-to-VN mappings in SD-Access, which are handled by ISE's policy engine. Option C is wrong because Cisco DNA Center REST API is used for fabric provisioning, intent-based automation, and assurance, but it does not provide a direct API for mapping a specific MAC address to a VN; that mapping is enforced by ISE via policy. Option D is wrong because Cisco APIC-EM is a deprecated controller (replaced by DNA Center) and its REST API does not support SD-Access VN assignment for endpoints; it was designed for traditional network automation and APIC-EM is no longer a current product.

8
MCQhard

A network engineer uses Ansible to apply a standard ACL to multiple routers. The playbook runs without errors, but the ACL is not applied on some routers. Upon checking, those routers have a different configuration revision due to a previous manual change. What is the best practice to ensure consistent application?

A.Use the 'replace' parameter to overwrite the entire config
B.Use the ansible_network_os variable correctly
C.Use the 'backup' option in ios_config
D.Use the 'ignore_errors' directive
AnswerA

The replace parameter pushes the intended configuration as a whole, so the device converges on it regardless of prior manual changes.

Why this answer

Option A is correct because the 'replace' parameter in Ansible's ios_config module forces a full configuration replacement on the target device, overwriting the entire running configuration with the intended configuration. This ensures that any prior manual changes or configuration revisions are eliminated, guaranteeing consistent ACL application across all routers regardless of their current state. Use it with care: replace: config requires a complete, known-good configuration in src, and anything missing from that file (including the management ACL, AAA, or VTY settings) is removed from the device, so run with backup: yes and test in check mode first.

Exam trap

The trap here is that candidates often confuse 'replace' with 'backup' or think that setting the correct network OS variable is sufficient to handle configuration conflicts, but Cisco tests the understanding that only a full configuration replacement guarantees consistency when devices have divergent configuration revisions.

How to eliminate wrong answers

Option B is wrong because the 'ansible_network_os' variable is used to specify the network OS type (e.g., ios, nxos) for connection and module selection, not to handle configuration revision mismatches or ensure consistent ACL application. Option C is wrong because the 'backup' option in ios_config creates a backup of the current configuration before making changes, but it does not resolve conflicts caused by different configuration revisions; it only provides a rollback point. Option D is wrong because the 'ignore_errors' directive tells Ansible to continue execution even if a task fails, which would mask the failure of ACL application on some routers rather than fixing the underlying revision mismatch.

9
Multi-Selecteasy

Which TWO Ansible modules are commonly used for automating Cisco IOS devices?

Select 2 answers
A.junos_config
B.nxos_command
C.ios_config
D.ios_command
E.eos_config
AnswersC, D

Manages Cisco IOS configuration.

Why this answer

The `ios_config` module is correct because it is specifically designed to manage Cisco IOS device configurations by sending configuration commands over SSH through the network_cli connection plugin, comparing them against the running configuration and applying only the lines that differ. The `ios_command` module is correct because it runs exec and show commands and returns their output, which is how playbooks verify state before and after a change. Both belong to Ansible's `cisco.ios` collection and directly support the IOS operating system, making them the standard pair for automating Cisco IOS devices.

Exam trap

Cisco often tests the candidate's ability to distinguish between device-specific Ansible modules (e.g., `ios_config` vs. `nxos_command`) rather than generic command modules, so the trap here is assuming that any 'command' module works across all Cisco platforms, when in fact each OS family (IOS, NX-OS, IOS-XR) has its own dedicated modules in the Ansible collections.

10
MCQeasy

A network engineer wants to automate the configuration of multiple Cisco IOS devices using Ansible. What is the minimum requirement on the control node to execute Ansible playbooks against these devices?

A.Ansible Tower license for automated network configuration
B.A PostgreSQL database to store inventory and credentials
C.A dedicated management server with Ansible Tower installed
D.A Linux or macOS control node with Python installed
AnswerD

Ansible requires Python on the control node; network devices only need SSH access.

Why this answer

Ansible uses a push-based architecture where the control node must be a Linux or macOS system with Python installed to execute playbooks. Python is required because Ansible itself is written in Python and relies on it for modules, SSH connections, and Jinja2 templating. No additional database, license, or dedicated management server is needed for basic network automation against Cisco IOS devices.

Exam trap

Cisco often tests the misconception that Ansible requires a dedicated server or commercial product like Ansible Tower, when in fact the minimum requirement is simply a Linux/macOS host with Python and the Ansible package installed.

How to eliminate wrong answers

Option A is wrong because Ansible Tower (now Red Hat Ansible Automation Platform) is a commercial web UI and API layer that adds RBAC, scheduling, and auditing, but it is not a minimum requirement; the open-source Ansible Engine can run playbooks directly from any control node. Option B is wrong because a PostgreSQL database is only required if you use Ansible Tower's inventory and credential storage; the default flat-file inventory and SSH keys or vault-encrypted credentials work without any database. Option C is wrong because a dedicated management server with Ansible Tower installed is an enterprise deployment pattern, not a minimum requirement; a standard Linux or macOS workstation with Ansible installed via pip or package manager suffices.

11
Multi-Selecthard

A network automation engineer uses Ansible to manage a group of Cisco IOS XE devices. The playbook fails with 'unreachable' for some devices. Which TWO actions should the engineer take to troubleshoot the connectivity?

Select 2 answers
A.Increase the timeout value in the playbook.
B.Ignore the unreachable devices and proceed.
C.Use the 'ios_command' module to test connectivity.
D.Check if SNMP is enabled on the devices.
E.Verify the device IP address and credentials in the inventory.
AnswersC, E

Helps verify device accessibility.

Why this answer

Option E is correct because 'unreachable' is reported by the connection plugin before any module runs, so the inventory entry (IP address or hostname, ansible_port, ansible_user and password or key, and ansible_network_os) is the first thing to verify. Option C is correct because the 'ios_command' module can be used to confirm basic connectivity by sending a simple command (e.g., 'show version') to the device. If the module returns a response, Ansible can reach the device and the credentials are valid, which isolates the problem to the specific task or playbook logic rather than connectivity. Options A and B are wrong because a longer timeout does not fix a wrong address or credential, and skipping unreachable devices leaves them unmanaged; Option D is wrong because Ansible's network modules use SSH, not SNMP.

Exam trap

Cisco often tests the misconception that SNMP is required for Ansible management, but the trap here is that candidates confuse SNMP-based monitoring with SSH-based automation, leading them to select Option D instead of focusing on the actual connectivity layer.

12
Drag & Dropmedium

Drag and drop the steps to configure OSPF on a Cisco router into the correct order.


Why this order

OSPF configuration requires enabling the OSPF process, setting a router ID, and advertising networks in specific areas.

13
Multi-Selecthard

When implementing network automation with Cisco devices, which THREE practices help ensure idempotency? (Select THREE)

Select 3 answers
A.Writing scripts that only push incremental configurations.
B.Relying on manual rollback procedures after automation failures.
C.Performing a full configuration replace using RESTCONF PUT instead of PATCH.
D.Using Ansible modules that check the current state before making changes.
E.Using declarative automation tools like Puppet that enforce desired state.
AnswersC, D, E

PUT replaces the whole resource, making it idempotent; PATCH is not necessarily idempotent.

Why this answer

Option C is correct because a full configuration replace using RESTCONF PUT ensures idempotency by setting the entire resource to a known state, regardless of the current state. PATCH applies incremental changes whose effect can depend on what is already configured, whereas PUT overwrites the whole resource and produces the same result every time it is executed. Option D is correct because modules such as ios_config read the running configuration and push only the lines that differ, so a second run reports no change. Option E is correct because declarative tools converge the device on a desired state rather than replaying steps. Options A and B are wrong because incremental pushes without a state check can duplicate or conflict with existing lines, and a manual rollback is recovery, not idempotency.

Exam trap

Cisco often tests the misconception that incremental changes (like PATCH or partial configs) are idempotent, but the trap here is that only full-state replacement or state-checking tools guarantee the same result on every execution, regardless of the starting configuration.

14
MCQeasy

An engineer needs to automate the backup of configuration files from multiple Cisco IOS devices to a central server. Which protocol is most appropriate for pushing configurations from the devices to the server?

A.TFTP
B.FTP
C.HTTP
D.SCP
AnswerD

SCP uses SSH encryption, providing secure file transfer.

Why this answer

SCP (Secure Copy Protocol) is the most appropriate choice because it provides encrypted, authenticated file transfers over SSH, protecting the confidentiality and integrity of Cisco IOS configuration backups, which routinely contain credentials and SNMP community strings. It is natively supported on Cisco IOS devices (copy running-config scp:, or an archive path of scp://) and allows secure push operations to a central server without requiring additional software; the device acts as the SCP client, so give it a dedicated, least-privileged account on the backup server.

Exam trap

Cisco often tests the distinction between secure and insecure file transfer protocols in automation contexts, and the trap here is that candidates may choose TFTP due to its simplicity and common use in lab environments, overlooking the security requirements for production backups.

How to eliminate wrong answers

Option A is wrong because TFTP has no authentication and no encryption, so the configuration (including any credentials it contains) crosses the network in cleartext and could be altered in transit; it belongs to lab and bootstrap use, not production backups. Option B is wrong because FTP sends the username, password, and file contents in cleartext. Option C is wrong because plain HTTP is likewise unencrypted and offers no transport-level authentication; RESTCONF over HTTPS can retrieve a configuration, but among the options only SCP gives an encrypted, authenticated push from the device's own copy and archive commands.

15
Multi-Selecthard

Which TWO statements accurately describe characteristics of infrastructure as code (IaC) in network automation?

Select 2 answers
A.IaC eliminates the need for manual review of configuration changes before deployment.
B.IaC requires that all network devices be replaced with software-based equivalents.
C.IaC is only applicable to virtual network functions, not physical devices.
D.IaC tools use declarative or imperative models to define the desired state of network infrastructure.
E.IaC allows network configurations to be stored in version control and tested before deployment.
AnswersD, E

IaC can be declarative (e.g., Terraform) or imperative (e.g., Ansible).

Why this answer

Option D is correct because Infrastructure as Code (IaC) tools like Ansible, Terraform, and Cisco NSO allow network engineers to define the desired state of infrastructure using either declarative (what the end state should be) or imperative (step-by-step instructions) models. This abstraction enables consistent, repeatable deployments and reduces configuration drift across the network. Option E is correct because storing configurations in version control gives every change a reviewable history and a rollback point, and a pipeline can lint and test them before deployment. Options A to C are wrong: IaC strengthens review rather than removing it, it does not require replacing hardware, and it applies to physical devices through NETCONF, RESTCONF, or the CLI just as much as to virtual ones.

Exam trap

Cisco often tests the misconception that IaC is only for virtual or cloud environments, when in fact it is designed to manage any programmable network device, including physical hardware, via standard interfaces like NETCONF/RESTCONF.

16
MCQhard

A network engineer attempts to use RESTCONF to retrieve the running configuration of a Cisco IOS XE device. The GET request to '/restconf/data/Cisco-IOS-XE-native:native' returns a 405 Method Not Allowed error. What is the most likely cause?

A.The API key provided is invalid.
B.The request body was malformed.
C.RESTCONF is not enabled or the YANG module is not supported.
D.The device does not support HTTPS.
AnswerC

RESTCONF must be enabled and the module accessible.

Why this answer

A 405 Method Not Allowed error indicates that the HTTP method (GET) is not supported for the requested resource. In RESTCONF, this typically occurs when the RESTCONF service is not enabled on the device or the specific YANG module (Cisco-IOS-XE-native) is not supported or loaded. Without the service or module, the server cannot process the GET request for the running configuration. The practical checks are that restconf and ip http secure-server are present in the running configuration and that the module appears in the device's YANG library at /restconf/data/ietf-yang-library:modules-state.

Exam trap

Cisco often tests the distinction between HTTP status codes (405 vs. 401 vs. 400) to see if candidates understand that 405 specifically relates to an unsupported HTTP method or disabled service, not authentication or malformed data.

How to eliminate wrong answers

Option A is wrong because RESTCONF uses HTTP authentication (e.g., basic or token-based), not API keys; an invalid API key would result in a 401 Unauthorized error, not 405. Option B is wrong because a malformed request body would cause a 400 Bad Request error, and GET requests typically have no body. Option D is wrong because if the device did not support HTTPS, the request would fail at the transport layer (e.g., connection refused or TLS error), not return an HTTP 405 status code.

17
MCQeasy

A developer wants to automate the configuration of multiple Cisco IOS-XE devices using Ansible. Which protocol should be used to ensure secure and idempotent configuration updates?

A.Telnet
B.SSH
C.SNMP
D.HTTP
AnswerB

SSH provides secure, encrypted communication and is compatible with Ansible.

Why this answer

SSH (Secure Shell) is the correct protocol because it provides encrypted, authenticated remote access to Cisco IOS-XE devices, which is essential for secure automation. Ansible uses SSH to connect to network devices and execute configuration commands idempotently by comparing the desired state (defined in playbooks) against the current device state, ensuring only necessary changes are applied without duplication or disruption.

Exam trap

Cisco often tests the distinction between protocols used for monitoring (SNMP) versus those used for secure configuration management (SSH), and candidates may mistakenly choose SNMP because they associate it with network management, overlooking that Ansible specifically requires an interactive, secure shell for idempotent configuration pushes.

How to eliminate wrong answers

Option A (Telnet) is wrong because it carries credentials and configuration commands in cleartext and provides no server authentication; it should not be used for any production automation. Option C (SNMP) is wrong because it is a monitoring and polling protocol: SNMP SET can only change the objects a MIB exposes, v1/v2c community strings travel in cleartext, and it offers nothing like the compare-then-apply behaviour Ansible's configuration modules provide. Option D (HTTP) is wrong because it is unencrypted; RESTCONF runs over HTTPS (Ansible's ansible.netcommon collection has restconf modules for it), but the IOS XE workflow in the question uses the cisco.ios modules over the network_cli SSH plugin, and NETCONF, the other model-driven option, is also carried over SSH (port 830), not HTTP.

18
MCQhard

A Python script using the ncclient library connects to a Cisco IOS-XE device to retrieve the running configuration. The script raises an exception: 'TimeoutError: Session timed out'. Which is the most likely cause?

A.The device does not support NETCONF
B.The SSH port (830) is blocked by a firewall
C.The device's running configuration is too large
D.The XML payload is malformed
AnswerB

If port 830 is blocked, the connection cannot be established, leading to a timeout.

Why this answer

The ncclient library uses NETCONF over SSH, which by default connects to TCP port 830. A 'TimeoutError: Session timed out' indicates that the TCP connection to the device could not be established within the timeout period. The most likely cause is that a firewall is blocking port 830, preventing the SSH session from being initiated. Reachability on port 22 proves nothing about 830: NETCONF needs netconf-yang enabled on the device and port 830 permitted along the whole path, and ncclient's manager.connect() accepts an explicit port and timeout if the device was deliberately configured differently.

Exam trap

Cisco often tests the distinction between connection-level errors (like timeouts) and protocol-level errors (like capability mismatches or malformed payloads), so candidates must identify that a timeout points to a network connectivity issue rather than a configuration or data format problem.

How to eliminate wrong answers

Option A is wrong because if the device did not support NETCONF, the error would typically be a capability exchange failure or an 'Unsupported protocol' error, not a timeout during session establishment. Option C is wrong because a large running configuration might cause a slow retrieval or memory issues, but it would not prevent the initial TCP connection and SSH session from being established; the timeout occurs before any configuration data is exchanged. Option D is wrong because a malformed XML payload would cause an RPC error or parsing exception after the session is established, not a timeout during the connection phase.
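
The following is an added example, not code from the original page, illustrating the transport-level triage that questions 1, 11 and 18 all turn on: before blaming paramiko, the playbook, or the XML payload, establish whether the TCP port is open, actively refused, or silently dropped. The targets are constructed: a local listener stands in for a reachable device, and a closed loopback port stands in for a device whose service is disabled.

```python
"""Pre-flight reachability check before opening an Ansible or NETCONF session.

Added example (not from the original page). A plain TCP connect separates the
three outcomes that a 'timed out' or 'unreachable' report can hide:
  open    - the handshake completed; any remaining failure is in SSH/NETCONF
  refused - an RST came back; nothing listens there (service off, or REJECT)
  timeout - no reply at all (firewall DROP, wrong address, or host down)
The listener and the closed port below are constructed test inputs.
"""
import socket
import threading
from dataclasses import dataclass

SSH_PORT = 22        # transport used by the network_cli plugin (cisco.ios)
NETCONF_PORT = 830   # NETCONF-over-SSH default used by ncclient


@dataclass(frozen=True)
class PortCheck:
    host: str
    port: int
    state: str    # "open", "refused", "timeout" or "error"
    detail: str


def check_port(host: str, port: int, timeout: float = 3.0) -> PortCheck:
    """Attempt a TCP connect and classify the result; no SSH handshake is done."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return PortCheck(host, port, "open", "TCP handshake completed")
    except socket.timeout:
        return PortCheck(host, port, "timeout",
                         "no SYN/ACK within %.1fs (filtered, wrong address, or host down)" % timeout)
    except ConnectionRefusedError:
        return PortCheck(host, port, "refused",
                         "RST received (service disabled or firewall REJECT)")
    except OSError as exc:  # unroutable network, name resolution failure, etc.
        return PortCheck(host, port, "error", str(exc))


def triage(host, ports=(SSH_PORT, NETCONF_PORT), timeout=3.0):
    """Return {port: state} so the caller can decide which transport to use."""
    return {p: check_port(host, p, timeout).state for p in ports}


def start_fake_listener(host="127.0.0.1"):
    """Constructed stand-in for a device whose SSH/NETCONF service is up.
    Returns (port, server_socket); the OS picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, 0))
    srv.listen(5)

    def accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:     # listener closed
                return
            conn.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], srv


def find_closed_port(host="127.0.0.1"):
    """Pick a loopback port nothing is listening on (constructed test input)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    open_port, srv = start_fake_listener()
    closed_port = find_closed_port()
    for p in (open_port, closed_port):
        r = check_port("127.0.0.1", p, timeout=1.0)
        print(f"{r.host}:{r.port} -> {r.state} ({r.detail})")
    srv.close()
```

Run it against the real management address with the real ports before a playbook or ncclient script: "refused" on 830 with "open" on 22 means netconf-yang is not enabled, while "timeout" on both means the path, not the device, is the problem.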

19
MCQeasy

A DevOps team manages a hybrid cloud environment with on-premises Cisco Nexus switches and AWS VPCs using Terraform. They have a configuration management tool that pushes VLAN and interface configurations to the Nexus switches. Recently, they noticed that after a Terraform run that updates the AWS VPC subnets, some on-premises switches lose connectivity to the cloud. The team suspects a mismatch between the VLAN configurations on the Nexus switches and the AWS VPC subnets. They have a centralized source of truth stored in a Git repository containing YAML files for network definitions. Which action should the team take first to resolve the issue and prevent future occurrences?

A.Restore the Nexus switch configurations from the most recent backup.
B.Modify the Terraform scripts to automatically update Nexus switches when AWS VPC subnets change.
C.Compare the Git repository's YAML definitions with the actual switch configurations and AWS VPC subnets, then correct any discrepancies.
D.Manually reconfigure the VLANs on the Nexus switches to match the AWS VPC subnets.
AnswerC

The source of truth should be verified first.

Why this answer

Option C is correct because the team's centralized source of truth in Git (YAML files) should be the authoritative reference for network definitions. By comparing these definitions against both the actual Nexus switch configurations and AWS VPC subnets, the team can identify and correct any drift or mismatch. This aligns with Infrastructure as Code (IaC) best practices, ensuring that all environments are synchronized from a single, version-controlled source before making any changes.

Exam trap

The trap here is that candidates may assume the immediate fix is to restore or manually reconfigure the switches (options A or D), rather than first validating the source of truth (Git) to identify the root cause of the mismatch, which is a core DevOps principle of treating infrastructure as code.

How to eliminate wrong answers

Option A is wrong because restoring from a backup does not address the root cause of the mismatch; it may reintroduce outdated configurations that do not match the current AWS VPC subnets, and it ignores the centralized Git repository as the source of truth. Option B is wrong because modifying Terraform scripts to automatically update Nexus switches would bypass the configuration management tool and the Git-based source of truth, potentially causing further inconsistencies and breaking the separation of concerns between cloud provisioning and on-premises network management. Option D is wrong because manually reconfiguring VLANs on the Nexus switches is error-prone, not scalable, and does not leverage the Git repository as the single source of truth, making it impossible to prevent future occurrences through automation and version control.
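
The following is an added example, not code from the original page, that ties together questions 8, 13 and 19: it reads a desired VLAN table from a source of truth, parses the device's actual state, reports drift, and computes the commands needed so that a second run produces nothing (idempotency). The desired dict, the show vlan output and the device simulation are all constructed; a real run would load the YAML from Git and push the plan with ios_config.

```python
"""Drift detection and idempotent reconciliation against a source of truth.

Added example (not from the original page). The desired state would normally
come from the YAML files in the Git repository; it is a constructed dict here
to stay dependency-free. MERGE mode behaves like RESTCONF PATCH or a line
merge in ios_config and leaves unmanaged VLANs alone; REPLACE mode behaves
like RESTCONF PUT or a full config replace and removes them, which is what
makes a divergent device converge and also what makes REPLACE dangerous when
the source of truth is incomplete.
"""
import re

# Constructed source of truth (what the repository's YAML would decode to).
DESIRED = {10: "USERS", 20: "VOICE", 30: "CLOUD_UPLINK"}

# Constructed device output: VLAN 20 is misnamed and VLAN 99 was added by hand.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2
10   USERS                            active    Gi1/0/3
20   VOIP                             active    Gi1/0/4
99   TEMP_DEBUG                       active
1002 fddi-default                     act/unsup
"""

RESERVED = {1, 1002, 1003, 1004, 1005}   # never touched by automation
_LINE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)", re.M)


def parse_show_vlan(text):
    """Return {vlan_id: name} for the non-reserved VLANs in a show vlan brief."""
    return {int(v): name for v, name, _status in _LINE.findall(text)
            if int(v) not in RESERVED}


def drift_report(desired, actual):
    """Summarise how the device differs from the source of truth."""
    return {
        "missing": sorted(set(desired) - set(actual)),
        "renamed": sorted(v for v in desired if v in actual and actual[v] != desired[v]),
        "unmanaged": sorted(set(actual) - set(desired)),
    }


def plan(desired, actual, mode="merge"):
    """Compute the minimal IOS command groups needed to reach `desired`.

    mode="merge":   create or rename only the VLANs listed in `desired`.
    mode="replace": additionally remove VLANs that `desired` does not list.
    Returns [] when the device already matches, which is the idempotency check.
    """
    cmds = []
    for vid, name in sorted(desired.items()):
        if actual.get(vid) != name:
            cmds.append([f"vlan {vid}", f" name {name}"])
    if mode == "replace":
        for vid in sorted(set(actual) - set(desired)):
            cmds.append([f"no vlan {vid}"])
    return cmds


def apply(plan_cmds, actual):
    """Simulate the device applying the command groups; returns the new state."""
    state = dict(actual)
    for group in plan_cmds:
        head = group[0].split()
        if head[0] == "no":
            state.pop(int(head[2]), None)
        else:
            state[int(head[1])] = group[1].split(None, 1)[1]
    return state


if __name__ == "__main__":
    actual = parse_show_vlan(SHOW_VLAN_BRIEF)
    print("drift:", drift_report(DESIRED, actual))
    for mode in ("merge", "replace"):
        first = plan(DESIRED, actual, mode)
        second = plan(DESIRED, apply(first, actual), mode)
        print(f"{mode}: {first} -> second run: {second}")
```

The drift report is the step question 19 asks for first: it shows what differs before anyone decides between a merge (safe, leaves VLAN 99 behind) and a replace (converges fully, but only if the source of truth really lists everything the device must keep).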

20
Multi-Selecteasy

Which TWO of the following are commonly used protocols for network automation?

Select 2 answers
A.RESTCONF
B.NETCONF
C.HTTP
D.SNMP
E.SSH
AnswersA, B

RESTCONF is a RESTful protocol for network automation using YANG models.

Why this answer

NETCONF and RESTCONF are the standardized, model-driven automation protocols: both read and write data structured by YANG models, NETCONF over SSH and RESTCONF over HTTPS. SNMP is primarily a monitoring protocol, HTTP is only the transport that RESTCONF rides on, and SSH on its own gives CLI access (and carries NETCONF) but is not itself an automation protocol.

21
MCQeasy

A YANG module defines a leaf named 'bandwidth' of type 'uint32'. What does this represent in the context of a network device?

A.A set of unique bandwidth values
B.A single integer value representing bandwidth in kilobits per second
C.A grouping of related bandwidth parameters
D.An ordered list of bandwidth values
AnswerB

A leaf holds one value; uint32 is appropriate for bandwidth.

Why this answer

In YANG, a 'leaf' node defines a single, scalar value of a specific data type. When the leaf is named 'bandwidth' with type 'uint32', it represents a single integer value, typically interpreted as kilobits per second (kbps) in the context of network device configuration (e.g., interface bandwidth). This aligns with the standard YANG data modeling approach where a leaf cannot hold multiple values or complex structures.

Exam trap

Cisco often tests the distinction between a 'leaf' (single value) and a 'leaf-list' (multiple values), so the trap here is that candidates may confuse a leaf with a list or container, especially when the leaf name 'bandwidth' might imply multiple possible values.

How to eliminate wrong answers

Option A is wrong because a 'leaf' in YANG cannot represent a set of unique values; sets are modeled using 'leaf-list' or 'list' nodes, not a single leaf. Option C is wrong because a grouping of related parameters is defined using a 'container' or 'grouping' statement in YANG, not a leaf. Option D is wrong because an ordered list of values is modeled with a 'leaf-list' (which can have ordered-by user or system), not a single leaf of type uint32.

22
MCQmedium

A network engineer is automating the deployment of VLANs across multiple switches using Ansible. The playbook fails with an error indicating that the VLAN ID already exists on one of the switches. Which approach should the engineer use to ensure the playbook completes without errors?

A.Modify the playbook to skip switches where the VLAN already exists.
B.Remove the VLAN from all switches before creating it again.
C.Use an idempotent Ansible module that checks for existing VLANs before creating them.
D.Add ignore_errors: yes to the VLAN creation task.
AnswerC

Idempotent modules handle existing configurations gracefully.

Why this answer

Option C is correct because Ansible's idempotent modules, such as the `cisco.ios.ios_vlans` resource module for Cisco IOS devices (the older `ios_vlan` module it replaced is deprecated), gather the current state of the device and compute a diff before sending anything. If the VLAN already exists with the desired attributes, the module reports 'ok' with changed=false and sends no commands, so the playbook completes without error. This aligns with Ansible's best practice of writing idempotent playbooks that converge to the same state regardless of how many times they are run.

Exam trap

Cisco often tests the concept of idempotency in automation tools like Ansible, and the trap here is that candidates may think 'ignore_errors' is a valid workaround for configuration conflicts, when in fact it only hides failures without ensuring the desired state is achieved.

How to eliminate wrong answers

Option A is wrong because skipping switches where the VLAN already exists would require manual or dynamic inventory logic that is not built into a simple playbook; it would also defeat the purpose of automation by not ensuring consistent VLAN configuration across all switches. Option B is wrong because removing the VLAN from all switches before recreating it would cause unnecessary network disruption and downtime, violating the principle of minimal change in network automation. Option D is wrong because adding `ignore_errors: yes` would mask the error but not resolve the underlying issue; the VLAN creation task would still fail on the switch where the VLAN exists, and the playbook would continue without correcting the configuration, potentially leading to an inconsistent state.
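The gather-compare-apply pattern that makes a resource module idempotent, written out in Python as an added example (this is not the page's code and not the cisco.ios collection's implementation). The running-config text, the push stand-in `apply()` and the helper names are constructed for illustration; a real module would read the device over network_cli instead.

```python
"""Idempotent 'ensure VLAN present' logic, the pattern behind a resource module.

Added example (not from the page or from cisco.ios): the device state is a
constructed running-config fragment and apply() stands in for the connection
layer that would push CLI lines.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: roughly what 'show running-config | section vlan' returns.
RUNNING_CONFIG = """\
vlan 10
 name USERS
vlan 20
 name SERVERS
vlan 30
"""


def parse_vlans(config: str) -> Dict[int, Optional[str]]:
    """Return {vlan_id: name or None} from a running-config fragment ('gather')."""
    vlans: Dict[int, Optional[str]] = {}
    current: Optional[int] = None
    for line in config.splitlines():
        m = re.match(r"^vlan (\d+)$", line)
        if m:
            current = int(m.group(1))
            vlans[current] = None          # a later 'name' line fills this in
            continue
        m = re.match(r"^ name (\S+)$", line)
        if m and current is not None:
            vlans[current] = m.group(1)
    return vlans


def ensure_vlan(config: str, vlan_id: int,
                name: Optional[str] = None) -> Tuple[bool, List[str]]:
    """Compute the commands needed to reach the desired state ('compare').

    Returns (changed, commands). When the VLAN already exists with the desired
    name, no commands are produced, so running this again is safe: this is
    what lets a module report 'ok' instead of failing on 'VLAN already exists'.
    """
    if not 1 <= vlan_id <= 4094:
        raise ValueError(f"VLAN id {vlan_id} outside 1..4094")
    have = parse_vlans(config)
    if vlan_id in have and (name is None or have[vlan_id] == name):
        return False, []
    commands = [f"vlan {vlan_id}"]
    if name is not None:
        commands.append(f" name {name}")
    return True, commands


def apply(config: str, commands: List[str]) -> str:
    """Stand-in for pushing CLI lines: IOS merges them into the running config."""
    if not commands:
        return config
    return config.rstrip("\n") + "\n" + "\n".join(commands) + "\n"


def converge(config: str, vlan_id: int,
             name: Optional[str] = None) -> Tuple[bool, bool, str]:
    """Run the ensure step twice; the second pass must report changed=False."""
    changed_first, cmds = ensure_vlan(config, vlan_id, name)
    config = apply(config, cmds)
    changed_second, _ = ensure_vlan(config, vlan_id, name)
    return changed_first, changed_second, config


if __name__ == "__main__":
    first, second, cfg = converge(RUNNING_CONFIG, 40, "GUEST")
    print("first run changed:", first, "second run changed:", second)
    print(parse_vlans(cfg))
```

The second call to `ensure_vlan` in `converge` is the idempotency check a playbook author should perform manually as well: run the play twice and expect `changed=0` the second time. Contrast this with `ignore_errors: yes`, which would hide the failure of a blind `vlan 40` push without ever confirming the VLAN's name matches.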

23
MCQmedium

During an automation script run, a network device returns HTTP 429. What does this indicate?

A.Internal server error
B.Rate limiting
C.Authentication failure
D.Resource not found
AnswerB

429 means rate limit exceeded.

Why this answer

HTTP 429 (Too Many Requests), defined in RFC 6585, indicates that the client has sent too many requests in a given amount of time and the server is throttling it. In network automation, controllers such as Cisco DNA Center and device APIs enforce rate limits to prevent resource exhaustion, so scripts that loop over many devices or poll aggressively hit this code. The correct client behaviour is to honour the Retry-After header when the server sends one and otherwise retry with exponential backoff and jitter, with a bounded number of attempts so that a throttled run fails visibly instead of hammering the API.

Exam trap

Cisco often tests HTTP 429 to distinguish it from HTTP 503 (Service Unavailable), which is a server overload but not specifically a client rate limit, and candidates may confuse the two due to both involving temporary unavailability.

How to eliminate wrong answers

Option A is wrong because HTTP 500 (Internal Server Error) indicates a server-side failure, not a client-side request limit. Option C is wrong because authentication failures return HTTP 401 (Unauthorized) or 403 (Forbidden), not 429. Option D is wrong because resource not found returns HTTP 404, which is unrelated to request throttling.
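A retry wrapper that treats 429 (and 503) the way the explanation describes, as an added example that is not part of the page. `send` is any zero-argument callable returning an object with `.status_code` and `.headers`, so a bound `requests` call fits; `FakeResponse` and the scripted server are constructed so the block runs offline.

```python
"""Retry with Retry-After or exponential backoff on HTTP 429 / 503.

Added example, not from the page: send() is injected so the same code works
against a real session; the fake server below is constructed for offline use.
"""
import random
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

RETRYABLE = {429, 503}   # throttled or temporarily overloaded: worth a retry
                         # 401/403/404/500 are not retried: they need a human


def retry_after_seconds(headers: Dict[str, str]) -> Optional[float]:
    """Honour a delay-seconds Retry-After (RFC 7231); the HTTP-date form is ignored."""
    value = headers.get("Retry-After")
    if value is None:
        return None
    try:
        return max(0.0, float(value))
    except ValueError:
        return None


def request_with_backoff(send: Callable[[], object], max_attempts: int = 5,
                         base: float = 0.5, cap: float = 30.0,
                         sleep: Callable[[float], None] = time.sleep,
                         rng: Callable[[], float] = random.random) -> Tuple[object, int]:
    """Call send() until a non-retryable status arrives or attempts run out.

    Returns (response, attempts). Raises RuntimeError when the server keeps
    throttling so the caller fails loudly instead of continuing half-configured.
    """
    if max_attempts < 1:
        raise ValueError("max_attempts must be >= 1")
    for attempt in range(1, max_attempts + 1):
        resp = send()
        if resp.status_code not in RETRYABLE:
            return resp, attempt
        if attempt == max_attempts:
            raise RuntimeError(f"still throttled after {attempt} attempts "
                               f"(last status {resp.status_code})")
        delay = retry_after_seconds(resp.headers)
        if delay is None:
            # full jitter: uniform in [0, min(cap, base * 2**(attempt-1))]
            delay = rng() * min(cap, base * 2 ** (attempt - 1))
        sleep(delay)
    raise RuntimeError("unreachable")


class FakeResponse:
    """Constructed stand-in for requests.Response: only the fields we read."""
    def __init__(self, status_code: int, headers: Optional[Dict[str, str]] = None):
        self.status_code = status_code
        self.headers = headers or {}


def make_scripted_server(script: Iterable[FakeResponse]) -> Callable[[], FakeResponse]:
    """Constructed server that answers with the scripted responses in order."""
    it = iter(script)
    return lambda: next(it)


if __name__ == "__main__":
    server = make_scripted_server([
        FakeResponse(429, {"Retry-After": "2"}),
        FakeResponse(429),
        FakeResponse(200),
    ])
    waits = []
    resp, attempts = request_with_backoff(server, sleep=waits.append)
    print(resp.status_code, attempts, waits)
```

The jitter matters when many workers (one per device in a Jenkins matrix, say) are throttled at once: without it they all retry in lockstep and trigger the limit again. Bounding `max_attempts` is the safety net; a script that retries forever turns a rate limit into a hung pipeline.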

24
MCQeasy

Refer to the exhibit. An Ansible playbook targeting a Cisco IOS device fails with this error. What is the most likely cause?

A.The device is unreachable
B.The playbook syntax is incorrect
C.The device is not running IOS
D.Wrong SSH username or password
AnswerD

Authentication failure points to credentials.

Why this answer

The error message in Ansible typically indicates an authentication failure when connecting to the Cisco IOS device via SSH. Option D is correct because the playbook likely specifies incorrect SSH credentials (username or password), preventing Ansible from authenticating with the device. Ansible uses the `ansible_user` and `ansible_ssh_pass` or `ansible_password` variables for SSH authentication, and a mismatch will cause a 'Authentication failed' or 'Permission denied' error.

Exam trap

Cisco often tests the distinction between connectivity errors (unreachable) and authentication errors (wrong credentials), where candidates mistakenly attribute a failed SSH authentication to a network reachability issue.

How to eliminate wrong answers

Option A is wrong because if the device were unreachable, Ansible would return a 'Host unreachable' or 'Connection timed out' error, not an authentication failure. Option B is wrong because a playbook syntax error would be caught during YAML parsing before any connection attempt, resulting in a 'Syntax Error' message. Option C is wrong because if the device were not running IOS, Ansible would still attempt SSH authentication; the error would be about unsupported connection methods or missing required modules, not authentication failure.

25
MCQmedium

During a CI/CD pipeline for network changes, a Jenkins job runs an Ansible playbook that applies configuration to a device. The playbook fails with a timeout error. What is the most likely cause?

A.The playbook syntax is invalid
B.Incorrect credentials
C.The device is under heavy CPU load causing slow responses
D.Device is unreachable
AnswerC

High CPU can delay responses, resulting in timeout errors.

Why this answer

A timeout error in an Ansible playbook during a CI/CD pipeline typically indicates that the network device is responding too slowly to complete the SSH or API session within the configured timeout period. Heavy CPU load on the device can cause delayed responses to Ansible's control node, triggering the timeout before the playbook finishes applying the configuration. This is distinct from connectivity failures or authentication issues, which produce different error messages.

Exam trap

Cisco often tests the distinction between connectivity failures (unreachable), authentication errors (wrong credentials), and performance issues (timeouts), where candidates mistakenly assume any failure is due to a syntax or credential problem rather than device resource exhaustion.

How to eliminate wrong answers

Option A is wrong because an invalid playbook syntax would cause a parsing error at the start of the job, not a timeout during execution. Option B is wrong because incorrect credentials would result in an authentication failure (e.g., 'Authentication failed' or 'Permission denied'), not a timeout. Option D is wrong because an unreachable device typically produces a connection-level error ('No route to host', 'Connection refused', 'Host unreachable') before any session exists. One caveat a practitioner should keep in mind: a TCP connect to a silently filtered host can also time out, so in practice you distinguish the two by whether the SSH session was established before the timeout (earlier tasks in the play succeeded) and by checking the device itself (show processes cpu). Within the exam's framing, a timeout on an established session points to slow device responses.

26
MCQeasy

Which protocol is commonly used to retrieve real-time telemetry data from network devices in a streaming fashion?

A.SNMP polling
B.NETCONF
C.HTTP
D.gRPC
AnswerD

gRPC supports streaming telemetry.

Why this answer

gRPC is correct because it is designed for high-performance, real-time streaming of telemetry data using HTTP/2 and Protocol Buffers. Network devices like Cisco IOS XR and NX-OS use gRPC to push telemetry data to collectors in a continuous stream, eliminating the need for polling and reducing latency.

Exam trap

Cisco often tests the distinction between configuration protocols (NETCONF) and streaming telemetry protocols (gRPC). NETCONF does support subscriptions (NETCONF notifications in RFC 5277 and YANG-Push in RFC 8641, which IOS XE uses for dial-in telemetry), so 'NETCONF cannot stream' is not strictly true; the trap is that the exam expects gRPC/gNMI as the protocol built for high-volume, model-driven telemetry streaming, while NETCONF's primary role is configuration.

How to eliminate wrong answers

Option A is wrong because SNMP polling is a request-response model that retrieves data on demand, not in a streaming fashion, and introduces overhead and latency. Option B is wrong because NETCONF is first and foremost a configuration protocol using YANG models; although NETCONF subscriptions (YANG-Push) exist, gRPC is the protocol the exam associates with high-performance streaming telemetry. Option C is wrong because plain HTTP is a generic request-response protocol; gRPC builds on HTTP/2 to add the multiplexed, bidirectional streams that telemetry needs, and HTTP by itself is not used for telemetry streaming.

27
Multi-Selecthard

Which THREE are benefits of using YANG as a data modeling language for network automation? (Select exactly 3.)

Select 3 answers
A.Enables validation of data constraints before applying changes
B.Allows direct execution of CLI commands on any device
C.Provides a standard way to define configuration and state data
D.Supports multiple serialization formats like JSON and XML
E.Promotes interoperability between different vendor devices
AnswersA, C, E

Why this answer

Option A is correct because YANG (RFC 6020/7950) allows you to define data constraints such as ranges, mandatory elements, and type restrictions directly in the model. When you attempt to apply configuration via NETCONF or RESTCONF, the server validates the data against these constraints before committing, preventing invalid changes from being applied.

Exam trap

Cisco often tests the distinction between the data modeling language (YANG) and the transport protocols (NETCONF/RESTCONF) or serialization formats (JSON/XML), so the trap here is confusing the benefits of the model itself with the features of the protocols that use it.

28
MCQmedium

A NETCONF RPC reply indicates a validation failure. Based on the exhibit, what is the most probable reason for the failure?

A.The MTU value provided is outside the allowed range.
B.The XML syntax in the edit operation was malformed.
C.The XML namespace 'Cisco-IOS-XE-native' is not supported.
D.The NETCONF session timed out before the operation completed.
AnswerA

Bad-element MTU indicates value issue.

Why this answer

The NETCONF RPC reply indicates a validation failure, which occurs when the data being configured does not conform to the YANG model's constraints. Here the MTU value is outside the range defined for the interface's mtu leaf, so the server rejects the request before applying anything. In RFC 6241 terms the <rpc-error> carries an error-tag of invalid-value and an error-info/bad-element naming the offending leaf, 'mtu', which is what the exhibit points at.

Exam trap

Cisco often tests the distinction between validation errors (data model constraints) and other error types like syntax errors or namespace issues, leading candidates to confuse a validation failure with a malformed XML or unsupported namespace.

How to eliminate wrong answers

Option B is wrong because a malformed XML syntax would result in a parsing error, not a validation failure; the RPC reply would indicate a syntax error or malformed message. Option C is wrong because if the XML namespace 'Cisco-IOS-XE-native' were not supported, the device would reject the entire operation with a 'namespace not supported' error, not a validation failure on a specific value. Option D is wrong because a NETCONF session timeout would cause the RPC to fail with a timeout error or no reply, not a validation failure response.
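A client-side version of the constraint check that the NETCONF server performs, covering both the validation benefit in question 27 and the out-of-range MTU in question 28. This is an added example, not the page's code: the `SCHEMA` table is a hand-written stand-in for what a tool such as pyang would derive from a real module, the MTU range and the interface-name pattern are assumptions rather than copies of Cisco-IOS-XE-native, and only prefix-length (0..32) follows ietf-inet-types.

```python
"""Check YANG leaf constraints locally before sending an <edit-config>.

Added example, not from the page. SCHEMA is a constructed stand-in for a
compiled YANG module; its ranges and patterns are assumptions for illustration.
"""
import re
from typing import Any, Dict, List, Optional, Tuple

INT_BOUNDS = {"uint8": (0, 255), "uint16": (0, 65535), "uint32": (0, 2 ** 32 - 1)}

# leaf -> (base type, YANG range expression or None, regex pattern or None)
SCHEMA: Dict[str, Tuple[str, Optional[str], Optional[str]]] = {
    "name": ("string", None, r"^(Gigabit|TenGigabit)Ethernet[0-9]+(/[0-9]+)*$"),
    "description": ("string", None, None),
    "mtu": ("uint16", "64..9216", None),        # assumed range, not Cisco's
    "bandwidth": ("uint32", None, None),          # kbps, full uint32 range
    "prefix-length": ("uint8", "0..32", None),    # inet:ipv4-prefix-length
}


def parse_range(spec: str) -> List[Tuple[int, int]]:
    """Turn a YANG range such as '64..9216 | 16000' into inclusive (lo, hi) pairs."""
    pairs = []
    for piece in spec.split("|"):
        lo, _, hi = piece.strip().partition("..")
        pairs.append((int(lo), int(hi or lo)))
    return pairs


def _error(tag: str, leaf: str, message: str) -> Dict[str, str]:
    """Same fields a server puts in <rpc-error>: error-tag, bad-element, error-message."""
    return {"error-tag": tag, "bad-element": leaf, "error-message": message}


def check_leaf(leaf: str, value: Any) -> Optional[Dict[str, str]]:
    """Return an rpc-error style dict, or None when the value satisfies the leaf."""
    if leaf not in SCHEMA:
        return _error("unknown-element", leaf, f"{leaf} is not defined in the model")
    base, rng, pattern = SCHEMA[leaf]
    if base in INT_BOUNDS:
        # bool is an int subclass in Python; a YANG uint must not accept it
        if isinstance(value, bool) or not isinstance(value, int):
            return _error("invalid-value", leaf, f"{leaf} must be {base}")
        lo, hi = INT_BOUNDS[base]
        ranges = parse_range(rng) if rng else [(lo, hi)]
        in_type = lo <= value <= hi
        in_range = any(a <= value <= b for a, b in ranges)
        if not (in_type and in_range):
            return _error("invalid-value", leaf,
                          f"{value} outside range {rng or f'{lo}..{hi}'}")
    else:
        if not isinstance(value, str):
            return _error("invalid-value", leaf, f"{leaf} must be a string")
        if pattern and not re.match(pattern, value):
            return _error("invalid-value", leaf, f"{value!r} does not match {pattern}")
    return None


def validate_payload(payload: Dict[str, Any]) -> List[Dict[str, str]]:
    """Validate every leaf; an empty list means the server's check would pass too."""
    errors = []
    for leaf, value in payload.items():
        err = check_leaf(leaf, value)
        if err:
            errors.append(err)
    return errors


if __name__ == "__main__":
    bad = {"name": "GigabitEthernet1/0/1", "mtu": 10000}
    for err in validate_payload(bad):
        print(err["error-tag"], err["bad-element"], err["error-message"])
```

Failing fast on the client is not a substitute for the server's own validation (the device remains the authority, and its model may have tighter `must` statements), but it turns an opaque rpc-error mid-run into a clear message before any session is opened, and it is the kind of check a CI stage can run against generated payloads.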

29
Multi-Selectmedium

Which TWO methods are commonly used to discover network devices in an automation environment? (Select exactly 2.)

Select 2 answers
A.Manually entering device details into a spreadsheet
B.Using SNMP to bulk-configure devices
C.Monitoring DHCP logs to lease IP addresses to new devices
D.Using LLDP or CDP to retrieve directly connected neighbor information
E.Using a centralized controller like Cisco DNA Center to query device inventory
AnswersD, E

Why this answer

Option D is correct because LLDP (IEEE 802.1AB) and CDP (Cisco Discovery Protocol) are Layer 2 protocols that allow network devices to advertise their identity, capabilities, and directly connected neighbors. In automation environments, these protocols enable dynamic discovery of the network topology without manual intervention, making them essential for automated inventory and mapping.

Exam trap

Cisco often tests the distinction between discovery protocols (LLDP/CDP) and management protocols (SNMP). Option B is wrong because it describes SNMP as a bulk-configuration tool, which it is not: SNMP is used to read (and only occasionally set) MIB objects for monitoring. Inventory tools do send SNMP GET requests during an IP-range sweep to identify devices, so the flaw in option B is the 'bulk-configure' claim, not the idea that SNMP can assist discovery.

30
MCQmedium

A network administrator is tasked with automating the deployment of a new VLAN configuration across a fabric of Cisco ACI switches. Which automation tool is best suited for interacting with the APIC REST API?

A.Bash scripting with curl
B.Chef
C.Puppet
D.Ansible
AnswerD

Ansible has built-in ACI modules that simplify interactions with the APIC.

Why this answer

Ansible is the best-suited tool because the cisco.aci collection provides purpose-built modules for the APIC REST API: object-specific modules such as cisco.aci.aci_tenant and cisco.aci.aci_vlan_pool, which are idempotent, plus cisco.aci.aci_rest for arbitrary API calls. Unlike generic scripting, Ansible abstracts the HTTP requests and handles authentication, idempotency (for the object modules) and error reporting natively for the ACI fabric.

Exam trap

Cisco often tests the misconception that any scripting tool (like Bash with curl) is sufficient for automation, but the key is choosing a tool with native, purpose-built modules for the specific API, not just the ability to make HTTP requests.

How to eliminate wrong answers

Option A is wrong because Bash scripting with curl is a low-level, manual approach that requires writing custom code for every API call, lacks idempotency, and does not provide the structured, reusable automation framework needed for consistent ACI deployments. Option B is wrong because Chef is a configuration management tool designed for node-based infrastructure (e.g., servers) and does not have native modules or resources for interacting with the Cisco APIC REST API; it would require extensive custom scripting. Option C is wrong because Puppet, like Chef, is primarily a configuration management tool for server nodes and lacks built-in support for the ACI APIC REST API, making it inefficient for automating network fabric configurations.

31
MCQeasy

What is the default transport protocol for NETCONF sessions?

A.HTTP
B.SSH
C.TLS
D.SNMP
AnswerB

SSH is the mandatory transport for NETCONF.

Why this answer

NETCONF (Network Configuration Protocol) uses SSH as its mandatory-to-implement transport, as specified in RFC 6242, on the IANA-assigned TCP port 830 (the netconf SSH subsystem). SSH provides the required secure, authenticated, and encrypted channel for NETCONF sessions, ensuring confidentiality and integrity of configuration data exchanged between the client and server.

Exam trap

Cisco often tests the distinction between 'default' and 'optional' transports, so the trap here is that candidates may confuse TLS (which is supported but not default) with the mandatory SSH transport, or assume HTTP is used because NETCONF is XML-based and HTTP is commonly associated with XML APIs.

How to eliminate wrong answers

Option A is wrong because HTTP is not a NETCONF transport; the HTTP-based, YANG-driven protocol is RESTCONF (RFC 8040), a separate protocol that runs over HTTPS, and HTTP without TLS lacks the encryption and authentication NETCONF requires. Option C is wrong because TLS is an optional NETCONF transport (RFC 7589), not the default; SSH is mandatory to implement and TLS is used only when explicitly configured. Option D is wrong because SNMP is a separate protocol for network management and monitoring, not a transport for NETCONF; SNMP uses UDP (ports 161/162), and it does not carry NETCONF messages.

32
Multi-Selectmedium

Which TWO tools are commonly used for automated network compliance checking against a desired state? (Select two)

Select 2 answers
A.SolarWinds
B.Ansible
C.Microsoft Visio
D.pyATS (with Genie)
E.Chef
AnswersB, D

Ansible can compare current config to a desired state and report differences.

Why this answer

B is correct because Ansible is an automation tool that uses playbooks (YAML-based) to define a desired network state and can enforce compliance by comparing the current device configuration against the defined state using modules like `ios_config` or `nxos_config`. It is widely used for network compliance checking due to its agentless architecture and idempotent behavior.

Exam trap

Cisco often tests the distinction between monitoring tools (like SolarWinds) and automation/compliance tools (like Ansible and pyATS), trapping candidates who confuse network monitoring with automated state enforcement.

33
Multi-Selecteasy

Which TWO are valid capabilities advertised during a NETCONF session?

Select 2 answers
A.urn:ietf:params:netconf:capability:url:1.0
B.urn:ietf:params:netconf:capability:writable-running:2.0
C.urn:ietf:params:netconf:capability:validate:2.0
D.urn:ietf:params:netconf:base:1.0
E.urn:ietf:params:netconf:capability:interleave:1.0
AnswersA, D

This is the URL capability for NETCONF.

Why this answer

Option A is correct because the URL capability (urn:ietf:params:netconf:capability:url:1.0) is a standard NETCONF capability that allows a client to specify a URL as the source or target of operations like <copy-config> or <edit-config>. Option D is correct because urn:ietf:params:netconf:base:1.0 is the base capability (base:1.1 is its RFC 6241 revision), and every NETCONF session must advertise at least one base version to indicate support for the core protocol operations. Options B and C use version numbers that do not exist: the registered URNs are writable-running:1.0 and validate:1.0/1.1. Caveat for practitioners: urn:ietf:params:netconf:capability:interleave:1.0 (option E) is also a genuine capability, defined in RFC 5277 for NETCONF notifications, so the option list actually contains three valid URNs; the exam's intended answers are A and D.

Exam trap

Cisco often tests the exact version numbers of NETCONF capabilities. The trap is that candidates assume the capabilities use version 2.0 (confusing them with YANG module revisions or other protocols). In reality no NETCONF capability URN uses :2.0; RFC 6241 defines most of them at :1.0 (writable-running, candidate, rollback-on-error, startup, url, xpath) and a few at :1.1 (base, confirmed-commit, validate).
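The capability exchange at the start of a NETCONF session (question 31's SSH transport, question 33's capability URNs), as an added example that is not part of the page: it parses a server <hello>, separates base, standard, YANG-module and unrecognized capabilities, and enforces the RFC 6241 rule that at least one base capability must be present. The hello message is constructed to resemble what an IOS XE device sends; the module URN in it is illustrative only.

```python
"""Parse a NETCONF <hello> and sanity-check the capabilities it advertises.

Added example, not from the page. SAMPLE_HELLO is constructed; the KNOWN set
lists the capability URNs registered by RFC 6241 section 8 and RFC 5277.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
BASE_CAPS = {"urn:ietf:params:netconf:base:1.0",
             "urn:ietf:params:netconf:base:1.1"}
KNOWN = {
    "urn:ietf:params:netconf:capability:writable-running:1.0",
    "urn:ietf:params:netconf:capability:candidate:1.0",
    "urn:ietf:params:netconf:capability:confirmed-commit:1.1",
    "urn:ietf:params:netconf:capability:rollback-on-error:1.0",
    "urn:ietf:params:netconf:capability:validate:1.1",
    "urn:ietf:params:netconf:capability:startup:1.0",
    "urn:ietf:params:netconf:capability:url:1.0",
    "urn:ietf:params:netconf:capability:xpath:1.0",
    "urn:ietf:params:netconf:capability:notification:1.0",
    "urn:ietf:params:netconf:capability:interleave:1.0",
}

# Constructed server hello, the first message after the SSH subsystem opens.
SAMPLE_HELLO = """<?xml version="1.0" encoding="UTF-8"?>
<hello xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  <capabilities>
    <capability>urn:ietf:params:netconf:base:1.0</capability>
    <capability>urn:ietf:params:netconf:base:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:writable-running:1.0</capability>
    <capability>urn:ietf:params:netconf:capability:url:1.0?scheme=http,ftp,file</capability>
    <capability>urn:ietf:params:netconf:capability:validate:1.1</capability>
    <capability>urn:ietf:params:netconf:capability:interleave:1.0</capability>
    <capability>http://cisco.com/ns/yang/Cisco-IOS-XE-native?module=Cisco-IOS-XE-native&amp;revision=2019-07-01</capability>
  </capabilities>
  <session-id>42</session-id>
</hello>"""


def parse_hello(xml_text: str) -> Dict[str, object]:
    """Extract session-id and the list of capability strings from a <hello>."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{NC}}}hello":
        raise ValueError("not a NETCONF hello message")
    caps = [c.text.strip() for c in root.iter(f"{{{NC}}}capability") if c.text]
    sid: Optional[str] = root.findtext(f"{{{NC}}}session-id")
    return {"session_id": int(sid) if sid else None, "capabilities": caps}


def capability_uri(cap: str) -> str:
    """Drop the ?query part (e.g. url:1.0?scheme=...) to get the bare URN."""
    return cap.split("?", 1)[0]


def classify(caps: List[str]) -> Dict[str, List[str]]:
    """Sort capabilities into base, standard, YANG module and unknown buckets."""
    summary: Dict[str, List[str]] = {"base": [], "standard": [], "modules": [], "unknown": []}
    for cap in caps:
        bare = capability_uri(cap)
        if bare in BASE_CAPS:
            summary["base"].append(bare)
        elif bare in KNOWN:
            summary["standard"].append(bare)
        elif "module=" in cap:
            summary["modules"].append(cap)
        else:
            summary["unknown"].append(cap)   # e.g. a made-up :2.0 version
    return summary


def check_hello(xml_text: str) -> Dict[str, List[str]]:
    """Parse, classify, and refuse a hello that breaks the base-capability rule."""
    summary = classify(parse_hello(xml_text)["capabilities"])
    if not summary["base"]:
        raise ValueError("RFC 6241: a hello must advertise at least one base capability")
    return summary


if __name__ == "__main__":
    for bucket, items in check_hello(SAMPLE_HELLO).items():
        print(bucket, len(items))
```

Checking the advertised capabilities before sending operations is what a client such as ncclient does internally; doing it explicitly lets a script refuse to run an <edit-config> against the running datastore when writable-running is absent, or pick the candidate/commit workflow when that capability is present instead.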

34
Multi-Selecthard

Which THREE of the following are best practices for writing Ansible playbooks for network automation? (Select exactly 3.)

Select 3 answers
A.Run all tasks without checking for errors
B.Include a validation task after configuration changes
C.Use variables for device-specific parameters
D.Hardcode device IPs in the playbook
E.Use the 'changed_when' condition to ensure idempotency
AnswersB, C, E

Ensures the change took effect.

Why this answer

Option B is correct because after applying configuration changes via modules like `ios_config` or `junos_config`, a validation task (e.g., using `wait_for` or `assert` to verify operational state) ensures the device is reachable and the changes took effect before proceeding. This prevents cascading failures in multi-device playbooks and aligns with network automation best practices for reliability.

Exam trap

Cisco often tests the misconception that ignoring errors (Option A) speeds up automation, but the trap is that network devices require strict error handling to avoid partial configs or unreachable states, making error-checking a mandatory best practice.

35
Multi-Selecteasy

Which TWO of the following are characteristics of the YANG data modeling language that make it suitable for network automation? (Select two)

Select 2 answers
A.YANG defines data types and constraints
B.YANG is human-readable only
C.YANG is a markup language like XML
D.YANG supports both configuration and operational state data
E.YANG can be used with NETCONF and RESTCONF
AnswersA, E

YANG provides a type system and constraints to ensure data validity.

Why this answer

Option A is correct because YANG is a data modeling language that defines the structure, syntax, and semantics of configuration and state data, including explicit data types (e.g., string, uint32) and constraints (e.g., range, pattern, mandatory). This strict typing and validation ensure that network devices receive well-formed data, reducing errors in automation workflows.

Exam trap

Cisco often tests the distinction between a data modeling language (YANG) and a serialization format (XML/JSON), so candidates mistakenly select 'YANG is a markup language like XML' because they associate YANG with XML-based NETCONF messages.

36
MCQeasy

In the Ansible playbook snippet, what connection method is typically used for the ios_config module to communicate with the devices?

A.local
B.network_cli
C.netconf
D.httpapi
AnswerB

The ios_config module requires the network_cli connection to send CLI commands over SSH.

Why this answer

The ios_config module is designed for Cisco IOS devices and requires a persistent network connection to send configuration commands. The network_cli connection method establishes an SSH session that remains open for the duration of the playbook task, allowing the module to send multiple CLI commands and handle prompts. This is the recommended connection method for ios_config because it supports privilege escalation and command responses needed for configuration changes.

Exam trap

Cisco often tests the distinction between connection methods by making candidates think 'local' is correct because it runs on the control node, but the trap is that ios_config requires a persistent SSH session to the device, which only network_cli provides.

How to eliminate wrong answers

Option A is wrong because 'local' runs the module on the control node without a persistent SSH session to the device; it survives only for the deprecated provider-dictionary style of the older ios modules and cannot handle interactive prompts or enable-mode escalation the way network_cli does. Option C is wrong because 'netconf' carries XML NETCONF over SSH (port 830) and is used with the generic ansible.netcommon.netconf_config and netconf_get modules, not with the CLI-based ios_config module. Option D is wrong because 'httpapi' drives RESTCONF or other HTTP-based APIs, which are not applicable to ios_config.

37
MCQhard

Refer to the exhibit. Based on the YANG model snippet, what is the data type of the 'mask' leaf?

A.inet:ipv4-address
B.inet:ipv4-prefix-length
C.uint8
D.string
AnswerB

The exhibit shows the type as inet:ipv4-prefix-length.

Why this answer

The 'mask' leaf is defined with the type 'inet:ipv4-prefix-length', which represents a decimal integer from 0 to 32 indicating the number of leading 1 bits in the subnet mask (e.g., 24 for /24). This is the correct data type for a prefix length in YANG models, not an IPv4 address or a generic string.

Exam trap

Cisco often tests the distinction between 'inet:ipv4-address' (a full address) and 'inet:ipv4-prefix-length' (the /N notation), tricking candidates who confuse the subnet mask value with its prefix length representation.

How to eliminate wrong answers

Option A is wrong because 'inet:ipv4-address' is a dotted-decimal IPv4 address (e.g., 192.168.1.1), not a prefix length. Option C is wrong because 'uint8' is a generic 8-bit unsigned integer (0-255) but lacks the semantic constraint of 0-32 that 'inet:ipv4-prefix-length' enforces. Option D is wrong because 'string' would allow arbitrary text, which is not appropriate for a numeric prefix length that must be validated as an integer between 0 and 32.

38
MCQmedium

A company uses a centralized automation server that runs Ansible playbooks. What is the best security practice for storing SSH credentials?

A.Store credentials in a public repository
B.Use Ansible Vault
C.Hardcode credentials in playbooks
D.Use plain text inventory files
AnswerB

Ansible Vault encrypts secrets.

Why this answer

Ansible Vault is the recommended security practice for encrypting sensitive data like SSH credentials. It allows you to store encrypted variables and files within your playbooks or inventory, protecting secrets at rest while enabling decryption at runtime via a vault password or key file. This avoids exposing credentials in plain text, which is critical for centralized automation servers that may be accessed by multiple users or integrated into CI/CD pipelines. The vault password itself still has to be protected: supply it with --vault-id or --vault-password-file from a file readable only by the automation account (or from a secrets manager through a client script), never commit it alongside the vaulted data, and rotate it with ansible-vault rekey when people with access leave.

Exam trap

Cisco often tests the misconception that 'inventory files are safe if stored locally' or that 'hardcoding is acceptable for small teams,' but the exam expects candidates to recognize that any plain text storage of credentials violates security best practices, and Ansible Vault is the standard built-in solution for encryption.

How to eliminate wrong answers

Option A is wrong because storing credentials in a public repository exposes them to unauthorized access, violating the principle of least privilege and potentially leading to security breaches. Option C is wrong because hardcoding credentials in playbooks embeds secrets in plain text within version control, making them visible to anyone with repository access and preventing easy rotation. Option D is wrong because using plain text inventory files stores SSH credentials unencrypted, which is insecure and defeats the purpose of a centralized automation server that should enforce encryption at rest.
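A pre-commit style check for the failure modes in options C and D, as an added example that is not part of the page and not part of Ansible: it scans inventory and vars text for well-known credential keys and reports any whose value is a literal string, while accepting an Ansible Vault blob (the `!vault` tag or a `$ANSIBLE_VAULT` header) or a Jinja reference resolved at run time. The three sample files, including the truncated vault blob, are constructed; the list of key names is an assumption you would extend for your own variable naming.

```python
"""Flag credential variables stored in plain text in inventory or vars files.

Added example, not from the page or from Ansible. The key list and all sample
files are constructed; the vault blob is truncated on purpose.
"""
import re
from typing import List, Tuple

SECRET_KEYS = {
    "ansible_password", "ansible_ssh_pass", "ansible_become_pass",
    "ansible_become_password", "ansible_httpapi_pass", "api_token", "password",
}
# key=value (INI inventory) or key: value (YAML); finditer handles several per line
TOKEN_RE = re.compile(r"(?<![\w-])(?P<key>[A-Za-z0-9_]+)\s*[:=]\s*(?P<value>\S*)")


def is_literal_secret(remainder: str) -> bool:
    """True when the value is a hard-coded string, not vault data or indirection."""
    v = remainder.strip().lstrip("\"'")
    if not v:
        return False                 # nothing inline (a block scalar follows)
    return not (v.startswith("!vault")            # YAML vault tag
                or v.startswith("$ANSIBLE_VAULT")  # raw vault header
                or v.startswith("{{"))             # Jinja: lookup() or vaulted var


def scan(text: str, path: str = "<inline>") -> List[Tuple[str, int, str]]:
    """Return (path, line number, key) for every plain-text credential found."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue
        for m in TOKEN_RE.finditer(line):
            key = m.group("key").lower()
            if key in SECRET_KEYS and is_literal_secret(line[m.start("value"):]):
                findings.append((path, lineno, key))
    return findings


# Constructed samples -------------------------------------------------------
INI_INVENTORY = """[routers]
r1 ansible_host=10.0.0.1 ansible_user=automation ansible_password=Cisco123
r2 ansible_host=10.0.0.2 ansible_user=automation
"""

GROUP_VARS_OK = """---
ansible_user: automation
ansible_password: !vault |
          $ANSIBLE_VAULT;1.1;AES256
          3336623063...   # constructed, truncated blob
ansible_become_pass: "{{ vault_enable_secret }}"
api_token: "{{ lookup('env', 'DNAC_TOKEN') }}"
"""

GROUP_VARS_BAD = """---
ansible_user: automation
ansible_password: "Cisco123"      # plain text, will be committed
ansible_become_pass: enable-secret
"""


def report(files) -> List[Tuple[str, int, str]]:
    """Scan several (path, text) pairs; a non-empty result should fail the commit."""
    findings = []
    for path, text in files:
        findings.extend(scan(text, path))
    return findings


if __name__ == "__main__":
    for path, lineno, key in report([("inventory.ini", INI_INVENTORY),
                                     ("group_vars/ok.yml", GROUP_VARS_OK),
                                     ("group_vars/bad.yml", GROUP_VARS_BAD)]):
        print(f"{path}:{lineno}: plain-text credential in '{key}'")
```

The check deliberately treats a `{{ ... }}` reference as acceptable: the point is to catch literal secrets entering version control, and a variable indirection can be followed to its vaulted definition. Pair it with `ansible-vault view` in review and with a repository-wide secret scanner, since a one-off regex will not catch every naming scheme.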

39
Multi-Selectmedium

A network automation solution uses YANG data models to describe network configurations. Which THREE statements about YANG are true? (Select THREE)

Select 3 answers
A.YANG can be used in conjunction with NETCONF and RESTCONF.
B.YANG models are always written in XML syntax.
C.YANG is used to define both configuration and state data.
D.YANG is a data modeling language used to define the structure of data.
E.YANG is a replacement for SNMP.
AnswersA, C, D

Both protocols use YANG models.

Why this answer

YANG is a data modeling language that defines the structure and constraints of configuration and state data, and it is designed to be used with NETCONF (RFC 6241) and RESTCONF (RFC 8040) as the transport protocols. This makes option A correct because YANG models are encoded in XML or JSON and exchanged via these protocols.

Exam trap

Cisco often tests the misconception that YANG is tied to a specific encoding (like XML) or that it replaces SNMP entirely, when in fact YANG is encoding-agnostic and complements SNMP by providing structured, transactional configuration management.

40
Multi-Selecteasy

An engineer is automating the configuration of SNMP on Cisco routers using Ansible. Which two modules are commonly used for this purpose? (Select TWO)

Select 2 answers
A.cisco.ios.ios_interface
B.cisco.ios.ios_config
C.cisco.ios.ios_snmp_server
D.cisco.ios.ios_command
E.cisco.ios.ios_banner
AnswersB, C

This module can push arbitrary CLI commands including SNMP-related ones.

Why this answer

The cisco.ios.ios_config module is correct because it allows you to push raw CLI configuration lines to Cisco IOS devices, including SNMP-related commands like 'snmp-server community' or 'snmp-server host'. The cisco.ios.ios_snmp_server module is correct because it is a dedicated Ansible module that provides structured, idempotent management of SNMP server settings (e.g., communities, hosts, traps) without requiring raw CLI lines.

Exam trap

Cisco often tests the distinction between general-purpose modules like ios_config and purpose-built modules like ios_snmp_server, expecting candidates to recognize that both can configure SNMP but the dedicated module is more appropriate for structured automation.

41
MCQhard

Refer to the exhibit. A Python script uses the YANG model to configure the interface. After applying this JSON payload via a PATCH request, what is the expected operational state of the interface?

A.Error because PATCH is not allowed on interfaces
B.No change, remains as previously configured
C.Administratively down
D.Administratively up and protocol up
AnswerC

enabled: false sets admin down.

Why this answer

The PATCH request applies the provided JSON payload, which sets the interface's 'enabled' leaf to 'false' (or equivalent YANG leaf for administrative state). In YANG models for interfaces (e.g., RFC 8343 or Cisco native models), setting 'enabled' to false places the interface in an administratively down state. The PATCH operation is valid for modifying interface configuration, and the payload explicitly changes the administrative state to down, overriding any previous configuration.

Exam trap

Cisco often tests the distinction between administrative state (controlled by the 'enabled' leaf) and operational state (which includes protocol status), and the trap here is that candidates may assume PATCH cannot modify administrative state or that the interface remains up if only a partial payload is sent.

How to eliminate wrong answers

Option A is wrong because PATCH is a standard RESTCONF method (RFC 8040) with merge semantics, the equivalent of a NETCONF <edit-config> with operation="merge", and there is no restriction against using it on interface resources. Option B is wrong because the JSON payload explicitly sets the 'enabled' leaf to false, which changes the administrative state; the interface does not remain as previously configured. Option D is wrong because the payload sets 'enabled' to false, which results in an administratively down state, not up; the protocol state is necessarily down when the interface is administratively down.

42
MCQhard

Refer to the exhibit. A developer receives this response when making a POST request to the Cisco DNA Center API to create a new device. What is the most likely issue?

A.The request body is missing the required field 'ipAddress'.
B.The API endpoint is incorrect.
C.The device IP address is already in use.
D.The API token has expired.
AnswerA

The error message clearly indicates the missing parameter 'ipAddress'.

Why this answer

The error response includes a field 'missingParameters' with the value 'ipAddress', which explicitly indicates that the request body did not include the required 'ipAddress' field. Cisco DNA Center's API for device creation requires this field to identify the device on the network. Without it, the API cannot proceed with adding the device, resulting in a 400 Bad Request.

Exam trap

Cisco often tests the ability to read API error responses carefully, where candidates might overlook the 'missingParameters' field and incorrectly assume a token or endpoint issue instead of a missing required field.

How to eliminate wrong answers

Option B is wrong because the API endpoint is likely correct; a wrong endpoint would typically return a 404 Not Found or a different error message, not a 'missingParameters' error. Option C is wrong because if the IP address were already in use, the API would return a conflict error (e.g., 409 Conflict) with a message like 'Device already exists', not a missing field error. Option D is wrong because an expired token would result in a 401 Unauthorized or 403 Forbidden response, not a 400 Bad Request with parameter validation details.

43
MCQ · hard

In a CI/CD pipeline for network changes, which practice best ensures that a configuration push does not disrupt production traffic?

A. Disable rollback
B. Canary deployment
C. Push all changes at once
D. Skip validation
Answer: B

Canary deployment limits blast radius.

Why this answer

Canary deployment is the correct practice because it gradually introduces the configuration change to a small subset of devices or traffic before full rollout. This allows monitoring for adverse effects and automatic rollback if issues arise, minimizing the risk of production disruption. In a CI/CD pipeline for network changes, this approach aligns with incremental validation and risk mitigation.

Exam trap

Cisco often tests the misconception that 'push all changes at once' is efficient and safe, but the trap here is that it ignores the principle of incremental risk reduction, which is fundamental to CI/CD best practices for network automation.

How to eliminate wrong answers

Option A is wrong because disabling rollback removes the safety net to revert a failed configuration push, increasing the risk of prolonged disruption. Option C is wrong because pushing all changes at once maximizes the blast radius and makes it difficult to isolate the cause of any failure. Option D is wrong because skipping validation bypasses critical checks (e.g., syntax, reachability, or policy compliance), which can directly cause misconfigurations that disrupt traffic.

44
MCQ · hard

A Python script sends the above REST API request to a Cisco Catalyst 9000 switch running IOS XE. The response is a 400 Bad Request. Which field is most likely missing from the JSON payload?

A. vlanId
B. description
C. interface
D. name
Answer: C

For VLAN creation, a mandatory 'interface' field (e.g., port membership) or 'vlanType' is required.

Why this answer

The REST API request is targeting the creation of a network interface on a Cisco Catalyst 9000 switch running IOS XE. The 400 Bad Request indicates a missing required field in the JSON payload. According to the Cisco IOS XE REST API documentation for the `/api/v1/interface` endpoint, the `interface` field (which specifies the interface name, e.g., 'GigabitEthernet1/0/1') is mandatory when creating a new interface.

Without it, the API cannot determine which interface to configure, resulting in a 400 error.

Exam trap

Cisco often tests the distinction between the `interface` field (the actual interface identifier) and the `name` field (which is not used in this API), leading candidates to incorrectly choose `name` as the missing field.

How to eliminate wrong answers

Option A is wrong because `vlanId` is only required when configuring a VLAN interface (e.g., a subinterface or SVI), not for a physical interface creation. Option B is wrong because `description` is an optional field used for administrative labeling and is not required for the API to process the request. Option D is wrong because `name` is not a standard field in the IOS XE REST API interface payload; the correct field is `interface` which holds the interface identifier.

45
MCQ · medium

A network administrator automates the provisioning of Meraki MX security appliances using the Meraki Dashboard API. The Python script reads a CSV file with site details and creates VLANs, firewall rules, and VPN settings. Recently, the script started throwing an HTTP 429 error. The script is single-threaded and makes fewer than 10 requests per second. Which of the following is the most likely cause of the 429 error?

A. The API key has been revoked.
B. The rate limit for the API key is 5 requests per second.
C. The Meraki cloud is under maintenance.
D. The organization has a lower rate limit than the API key's default.
Answer: D

Rate limits are applied at multiple levels; the organization-level limit may be lower than the key's default.

Why this answer

The HTTP 429 (Too Many Requests) error indicates the client has exceeded the rate limit imposed by the Meraki Dashboard API. Even though the script makes fewer than 10 requests per second, the organization-level rate limit can be lower than the default API key limit. Option D is correct because the organization's rate limit overrides the default, and the script's request rate may still exceed that lower threshold.

Exam trap

The trap here is that candidates assume the default API key rate limit is the only constraint, overlooking that the organization-level rate limit can be lower and is the actual cause of the 429 error.

How to eliminate wrong answers

Option A is wrong because an API key revocation would return a 401 Unauthorized error, not a 429. Option B is wrong because the script makes fewer than 10 requests per second, so a 5 requests per second limit would not be exceeded; the error would only occur if the script actually surpassed that rate. Option C is wrong because Meraki cloud maintenance typically returns a 503 Service Unavailable error, not a 429 rate-limit error.

46
MCQ · medium

An engineer is tasked with automating the backup of running configurations from 50 routers. Which approach is most scalable?

A. SSH manually to each router and copy config
B. Schedule a cron job on each router to SCP config
C. Use SNMP to capture config
D. Use an Ansible playbook with ios_config backup
Answer: D

Automates and scales.

Why this answer

An Ansible playbook with the ios_config module's backup option is the most scalable approach because it uses a push-based automation model that can manage all 50 routers from a single control node, leveraging SSH for secure transport and idempotent configuration management without requiring any agent on the routers.

Exam trap

Cisco often tests the misconception that SNMP can be used for configuration backup, but SNMP is designed for read-only monitoring of OIDs, not for retrieving or storing entire configuration files, which requires a file transfer or CLI-based method.

How to eliminate wrong answers

Option A is wrong because manually SSHing to each router is not scalable for 50 devices, introduces human error, and defeats the purpose of automation. Option B is wrong because scheduling a cron job on each router to SCP the config requires individual configuration on every device, does not centralize management, and still relies on per-router setup, which is not scalable. Option C is wrong because SNMP is designed for monitoring and retrieving MIB data, not for capturing full running configurations; it lacks the ability to reliably back up the entire configuration file and is not a standard method for configuration backup.

47
MCQ · easy

A junior developer is writing a Python script to gather interface statistics from a Cisco IOS-XE device using NETCONF. They use the 'ncclient' library and successfully connect. They want to retrieve the operational status of all interfaces. Which YANG model and XPATH expression should they use to get the operational data?

A. Model: ietf-interfaces, XPATH: /interfaces-state/interface
B. Model: cisco-native, XPATH: /native/interface
C. Model: ietf-interfaces, XPATH: /interfaces/interface
D. Model: ietf-interfaces, XPATH: /interfaces-state
Answer: A

Interfaces-state contains operational data per IETF standard.

Why this answer

Option A is correct because the 'ietf-interfaces' YANG model defines the '/interfaces-state' container specifically for operational state data (e.g., status, counters), as per RFC 7223. The XPATH '/interfaces-state/interface' retrieves the list of all interfaces with their operational status, which is exactly what the developer needs. The 'ncclient' library can filter using this XPATH to get read-only operational data from a NETCONF-enabled Cisco IOS-XE device.

Exam trap

Cisco often tests the distinction between configuration and operational data in YANG models, and the trap here is that candidates confuse '/interfaces/interface' (configuration) with '/interfaces-state/interface' (operational state), or they pick a too-broad XPATH like '/interfaces-state' instead of the specific list node.

How to eliminate wrong answers

Option B is wrong because 'cisco-native' is a proprietary Cisco model for configuration data, not operational state, and '/native/interface' would return configured interfaces, not their operational status. Option C is wrong because '/interfaces/interface' under 'ietf-interfaces' targets the configuration container, which holds intended settings, not operational state (status, counters). Option D is wrong because '/interfaces-state' is the correct container, but the XPATH is too broad—it returns the entire container rather than the list of interfaces; the developer needs '/interfaces-state/interface' to get each interface's operational data.

48
Multi-Select · hard

Which THREE practices help ensure idempotent network automation? (Select three)

Select 3 answers
A. Using the 'state' parameter in Ansible modules to define desired state
B. Using a transactional approach (e.g., configure candidate and commit)
C. Running commands multiple times to ensure they are applied
D. Checking the current state before applying changes
E. Always appending new configuration commands to the running config
Answers: A, B, D

This ensures the module only takes action if the current state does not match the desired state.

Why this answer

Option A is correct because using the 'state' parameter in Ansible modules (e.g., 'state: present' or 'state: absent') explicitly declares the desired end state of a resource. This allows the module to compare the current state against the desired state and only make changes if necessary, ensuring that running the playbook multiple times produces the same result without unintended side effects.

Exam trap

Cisco often tests the misconception that simply running a command multiple times or appending configuration ensures idempotency, when in fact true idempotency requires state checking and declarative desired-state definitions.
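The "check current state, then change only what differs" pattern behind options A and D, written out as a small Python example. This is an added illustration, not code from the page or from Ansible: the switch is a constructed in-memory model standing in for a real device, and `plan_vlans`/`apply_vlans` are hypothetical helper names that mimic an Ansible module's `state` parameter and `changed` result.

```python
"""Desired-state VLAN management that is safe to run repeatedly.
Added example (not from the page): a toy in-memory switch model stands in
for a real device, and an Ansible-style 'state' parameter drives the plan."""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class SwitchState:
    """Constructed stand-in for a switch's VLAN table (vlan_id -> name).
    On a real device this would be parsed from 'show vlan brief'."""
    vlans: Dict[int, str] = field(default_factory=dict)

    def run(self, commands: List[str]) -> None:
        """Apply a minimal subset of IOS-style VLAN commands to the model."""
        current = None
        for cmd in commands:
            parts = cmd.split()
            if parts[:2] == ["no", "vlan"]:
                self.vlans.pop(int(parts[2]), None)
                current = None
            elif parts[0] == "vlan":
                current = int(parts[1])
                self.vlans.setdefault(current, f"VLAN{current:04d}")
            elif parts[0] == "name" and current is not None:
                self.vlans[current] = " ".join(parts[1:])


def plan_vlans(current: Dict[int, str], desired: Dict[int, str],
               state: str = "present") -> List[str]:
    """Compute only the commands that close the gap between current and desired.

    state="present": every desired VLAN must exist with the given name.
    state="absent":  every listed VLAN must be gone.
    An empty plan means the device already matches and nothing is sent.
    """
    cmds: List[str] = []
    if state == "present":
        for vid, name in sorted(desired.items()):
            if current.get(vid) != name:      # missing, or present with wrong name
                cmds += [f"vlan {vid}", f" name {name}"]
    elif state == "absent":
        for vid in sorted(desired):
            if vid in current:
                cmds.append(f"no vlan {vid}")
    else:
        raise ValueError(f"unsupported state: {state}")
    return cmds


def apply_vlans(device: SwitchState, desired: Dict[int, str],
                state: str = "present") -> dict:
    """Check first, change only if needed, and report 'changed' like a module."""
    cmds = plan_vlans(device.vlans, desired, state)
    if cmds:
        device.run([c.strip() for c in cmds])
    return {"changed": bool(cmds), "commands": cmds}


if __name__ == "__main__":
    sw = SwitchState({1: "default"})
    want = {10: "USERS", 20: "VOICE"}
    print(apply_vlans(sw, want))   # first run: changed=True, four commands
    print(apply_vlans(sw, want))   # second run: changed=False, no commands
```

Running the same desired state twice yields `changed: False` the second time, which is the property the question is testing; contrast option E, where appending the same commands on every run would re-send them regardless of the device's state.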

49
MCQ · easy

An automation engineer is using the Cisco DNA Center REST API to retrieve a list of network devices. The API call returns HTTP status code 200. What does this indicate?

A. The request succeeded but no content is returned.
B. The request was created successfully.
C. The request was successful and data is returned.
D. The request failed due to a client error.
Answer: C

Standard success response with body.

Why this answer

HTTP status code 200 indicates a successful GET request where the server has processed the request and is returning the requested data in the response body. In the context of the Cisco DNA Center REST API, a 200 response to a GET /network-device call means the list of network devices was successfully retrieved and is included in the response payload.

Exam trap

Cisco often tests the distinction between 200 OK and 204 No Content, expecting candidates to know that 200 always includes a response body while 204 explicitly does not, even though both are successful.

How to eliminate wrong answers

Option A is wrong because HTTP 200 does not mean 'no content' — that is indicated by status code 204 (No Content), which is used for successful requests that intentionally return no body. Option B is wrong because a 201 (Created) status code indicates successful creation of a resource, not a retrieval; 200 is used for successful GET, PUT, or DELETE operations that return data. Option D is wrong because client errors are represented by 4xx status codes (e.g., 400 Bad Request, 401 Unauthorized), not 2xx success codes.

50
MCQ · medium

A network automation engineer is writing a Python script to configure multiple devices. Which library is most appropriate for SSH-based interactions?

A. requests
B. socket
C. Netmiko
D. paramiko
Answer: C

Netmiko is the standard library for network device SSH automation.

Why this answer

Netmiko is a Python library built on top of Paramiko that simplifies SSH connections to network devices. It provides high-level methods for sending commands, handling prompts, and managing device interactions, making it the most appropriate choice for automating configuration tasks across multiple devices.

Exam trap

Cisco often tests the distinction between Paramiko (a general SSH library) and Netmiko (a network-device-specific library built on Paramiko), leading candidates to choose Paramiko because they recognize it as an SSH library without considering the higher-level abstractions Netmiko provides for network automation.

How to eliminate wrong answers

Option A is wrong because the requests library is designed for HTTP/HTTPS API calls, not for SSH-based interactions. Option B is wrong because the socket library provides low-level network communication primitives and lacks the SSH protocol handling needed for device configuration. Option D is wrong because while Paramiko is a valid SSH library, it requires manual handling of authentication, channel management, and command output parsing, making it less suitable than Netmiko for multi-device automation scenarios.

51
MCQ · medium

Based on the exhibit, which interface is in a state that prevents it from sending or receiving IP traffic?

A. GigabitEthernet0/2
B. GigabitEthernet0/0
C. GigabitEthernet0/1
D. None of the interfaces are down
Answer: C

It is administratively down, so no traffic can pass.

Why this answer

Interface GigabitEthernet0/1 is in the 'administratively down' state, as indicated by the 'down' status in the 'Status' column and the 'down' in the 'Protocol' column. This means the interface has been manually disabled with the 'shutdown' command, preventing it from sending or receiving any IP traffic. In contrast, interfaces that are 'up/up' can forward traffic, while 'up/down' indicates a Layer 1 issue but still allows Layer 2 control plane traffic.

Exam trap

Cisco often tests the distinction between 'administratively down' (Status: down) and 'up/down' (Status: up, Protocol: down), where candidates mistakenly assume any 'down' protocol means no IP traffic is possible, but only the administratively down state explicitly prevents all traffic due to manual shutdown.

How to eliminate wrong answers

Option A is wrong because GigabitEthernet0/2 shows 'up' in both Status and Protocol columns, meaning it is fully operational and can send/receive IP traffic. Option B is wrong because GigabitEthernet0/0 shows 'up' in Status and 'down' in Protocol, indicating a Layer 1 connectivity issue (e.g., no cable or faulty transceiver) but the interface is not administratively disabled; it still attempts to send/receive Layer 2 frames, though IP traffic may fail due to the protocol being down. Option D is wrong because GigabitEthernet0/1 is indeed in a state that prevents IP traffic (administratively down), so not all interfaces are operational.
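A script that acts on this kind of exhibit has to separate the Status/Protocol combinations the explanation above contrasts (administratively down, up/down, up/up). The following added Python example (not from the page; the `show ip interface brief` output is constructed to resemble the question's scenario, since the exhibit itself is not reproduced here) parses the table and groups interfaces by state.

```python
"""Parse 'show ip interface brief' and group interfaces by operational state.
Added example; the sample output below is constructed, not the exam exhibit."""
import re
from typing import Dict, List, NamedTuple

SHOW_IP_INT_BRIEF = """\
Interface              IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0     10.0.0.1        YES manual up                    down
GigabitEthernet0/1     10.0.1.1        YES NVRAM  administratively down down
GigabitEthernet0/2     10.0.2.1        YES manual up                    up
Loopback0              1.1.1.1         YES NVRAM  up                    up
"""

# One data row; the header does not match because 'OK?' is not YES/NO.
ROW = re.compile(
    r"^(?P<name>\S+)\s+(?P<ip>\S+)\s+(?P<ok>YES|NO)\s+(?P<method>\S+)\s+"
    r"(?P<status>administratively down|up|down)\s+(?P<protocol>up|down)\s*$"
)


class Iface(NamedTuple):
    name: str
    ip: str
    method: str
    status: str
    protocol: str

    @property
    def state(self) -> str:
        """Collapse the Status/Protocol pair into one of four states."""
        if self.status == "administratively down":
            return "admin-down"       # 'shutdown' is configured on the interface
        if self.status == "up" and self.protocol == "up":
            return "up"               # layer 1 and line protocol both up
        if self.status == "up":
            return "protocol-down"    # layer 1 up, line protocol down
        return "down"                 # no carrier at all


def parse_ip_int_brief(output: str) -> List[Iface]:
    rows: List[Iface] = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            d = m.groupdict()
            rows.append(Iface(d["name"], d["ip"], d["method"], d["status"], d["protocol"]))
    return rows


def by_state(output: str) -> Dict[str, List[str]]:
    """Map each state to the interface names in it, in table order."""
    groups: Dict[str, List[str]] = {"up": [], "protocol-down": [], "admin-down": [], "down": []}
    for iface in parse_ip_int_brief(output):
        groups[iface.state].append(iface.name)
    return groups


if __name__ == "__main__":
    for state, names in by_state(SHOW_IP_INT_BRIEF).items():
        print(f"{state:14s} {', '.join(names) or '-'}")
```

With the constructed table, `by_state` reports GigabitEthernet0/1 as the only `admin-down` interface and GigabitEthernet0/0 as `protocol-down`, which is the distinction the exam trap above turns on.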

52
Multi-Select · medium

Which TWO of the following are characteristics of a declarative automation model? (Select exactly 2.)

Select 2 answers
A. It requires procedural scripts
B. You specify the desired end state
C. Idempotency is not a concern
D. The tool handles ordering and dependencies
E. You specify the exact steps to achieve the state
Answers: B, D

Declarative defines what, not how.

Why this answer

In a declarative automation model, you specify the desired end state of the system, not the steps to achieve it. This is a core characteristic because the automation tool (e.g., Ansible, Terraform, Puppet) interprets the desired state and determines the necessary actions to reach it, making option B correct.

Exam trap

Cisco often tests the distinction between declarative and imperative models by presenting options that sound plausible but reverse the roles, such as confusing 'specify the end state' with 'specify the exact steps', or assuming idempotency is irrelevant in declarative models.

53
Multi-Select · medium

Which TWO of the following are benefits of using NETCONF over SNMP for network automation? (Select exactly 2.)

Select 2 answers
A. Structured data models (YANG)
B. Lower CPU usage on devices
C. Binary data encoding
D. Transactional configuration changes
E. Simple polling mechanism
Answers: A, D

YANG provides standardized data models.

Why this answer

Option A is correct because NETCONF uses YANG (RFC 6020/7950) to define structured, hierarchical data models, enabling consistent and predictable configuration and state data retrieval. This contrasts with SNMP's flat MIB structure, which is less flexible for complex automation tasks. Option D is correct because NETCONF supports candidate configurations and confirmed commits (RFC 6241, Section 8.4), allowing transactional changes that can be validated and rolled back atomically, whereas SNMP lacks built-in transaction support.

Exam trap

Cisco often tests the misconception that NETCONF is 'lighter' than SNMP, but the trap here is that NETCONF's XML and SSH overhead actually increase CPU usage, while SNMP's binary encoding and UDP make it more efficient for simple monitoring tasks.

54
MCQ · hard

When using NETCONF to edit the configuration of a Cisco IOS XE device, an engineer receives an <rpc-error> with error-tag 'in-use' and error-app-tag 'data-exists'. What does this error indicate?

A. The NETCONF session was closed due to a timeout.
B. The RPC message was malformed.
C. The configuration being added already exists on the device.
D. The device does not have the required user permissions.
Answer: C

data-exists indicates duplicate data.

Why this answer

The error-tag 'in-use' combined with the error-app-tag 'data-exists' in NETCONF indicates that the configuration operation (e.g., <edit-config> with operation 'create') attempted to add a configuration element that already exists in the running datastore. NETCONF uses these standardized error tags per RFC 6241 to signal that the requested operation cannot be completed because the target data node is already present, preventing duplicate configuration entries.

Exam trap

Cisco often tests the distinction between NETCONF <edit-config> operations (create vs. merge vs. replace) and their corresponding error tags, leading candidates to confuse 'in-use' with permission or syntax errors.

How to eliminate wrong answers

Option A is wrong because a session timeout would generate an <rpc-error> with error-tag 'session-timeout' or 'transport-error', not 'in-use'. Option B is wrong because a malformed RPC message would produce error-tag 'malformed-message' or 'operation-failed', not 'in-use'. Option D is wrong because insufficient permissions would result in error-tag 'access-denied' or 'authorization-error', not 'in-use'.
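The two NETCONF questions above (47, the `/interfaces-state/interface` filter, and 54, reading `<rpc-error>` tags) share the same XML-handling code, so one added Python example covers both. It is not code from the page or from ncclient: the subtree filter is the string you would pass to ncclient's `manager.get(filter=...)`, and the two `<rpc-reply>` documents are constructed so the example runs offline; the error reply is built to carry exactly the error-tag/error-app-tag pair the question describes.

```python
"""Build an ietf-interfaces operational-state filter and parse NETCONF replies.
Added example; both replies below are constructed, not captured from a device."""
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

NC = "urn:ietf:params:xml:ns:netconf:base:1.0"
IETF_IF = "urn:ietf:params:xml:ns:yang:ietf-interfaces"

# Subtree filter for /interfaces-state/interface (operational data, RFC 7223).
# With ncclient: m = manager.connect(...); reply = m.get(filter=INTERFACES_STATE_FILTER)
INTERFACES_STATE_FILTER = f"""<filter>
  <interfaces-state xmlns="{IETF_IF}">
    <interface>
      <name/>
      <oper-status/>
    </interface>
  </interfaces-state>
</filter>"""

# Constructed <rpc-reply> of the shape a server returns for that filter.
GET_REPLY = f"""<rpc-reply xmlns="{NC}" message-id="101">
  <data>
    <interfaces-state xmlns="{IETF_IF}">
      <interface><name>GigabitEthernet1</name><oper-status>up</oper-status></interface>
      <interface><name>GigabitEthernet2</name><oper-status>down</oper-status></interface>
      <interface><name>Loopback0</name><oper-status>up</oper-status></interface>
    </interfaces-state>
  </data>
</rpc-reply>"""

# Constructed <rpc-error> for an <edit-config> 'create' that hits existing data,
# using the tag pair from question 54.
ERROR_REPLY = f"""<rpc-reply xmlns="{NC}" message-id="102">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>in-use</error-tag>
    <error-severity>error</error-severity>
    <error-app-tag>data-exists</error-app-tag>
    <error-message xml:lang="en">Data already exists; cannot create new resource</error-message>
  </rpc-error>
</rpc-reply>"""


def oper_status(reply_xml: str) -> Dict[str, str]:
    """Map interface name -> oper-status from a <get> reply (empty if none)."""
    root = ET.fromstring(reply_xml)
    result: Dict[str, str] = {}
    for iface in root.iter(f"{{{IETF_IF}}}interface"):
        name = iface.findtext(f"{{{IETF_IF}}}name")
        status = iface.findtext(f"{{{IETF_IF}}}oper-status")
        if name is not None and status is not None:
            result[name] = status
    return result


def rpc_errors(reply_xml: str) -> List[Dict[str, Optional[str]]]:
    """Extract every <rpc-error> so a caller can branch on its tags."""
    root = ET.fromstring(reply_xml)
    errs: List[Dict[str, Optional[str]]] = []
    for err in root.iter(f"{{{NC}}}rpc-error"):
        errs.append({
            "error-tag": err.findtext(f"{{{NC}}}error-tag"),
            "error-app-tag": err.findtext(f"{{{NC}}}error-app-tag"),
            "error-message": err.findtext(f"{{{NC}}}error-message"),
        })
    return errs


def is_data_exists(reply_xml: str) -> bool:
    """True when the reply signals that a 'create' targeted data already present."""
    return any(e["error-tag"] == "in-use" and e["error-app-tag"] == "data-exists"
               for e in rpc_errors(reply_xml))


if __name__ == "__main__":
    print(oper_status(GET_REPLY))
    print(rpc_errors(ERROR_REPLY), is_data_exists(ERROR_REPLY))
```

Note that the filter names `interfaces-state`, not `interfaces`: the latter container holds intended configuration, which is the trap in question 47. A script that treats `is_data_exists` as "already configured, nothing to do" rather than as a failure is the idempotent handling of this error.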

55
MCQ · easy

When using the Cisco Meraki Dashboard API to create an HTTP webhook for network alerts, which authentication method is required in the request header?

A. Authorization: Bearer <token>
B. Include the API key as a query parameter.
C. Authorization: Basic <base64>
D. X-Cisco-Meraki-API-Key: <your_api_key>
Answer: D

Meraki requires this custom header.

Why this answer

The Cisco Meraki Dashboard API requires authentication via a custom HTTP header named `X-Cisco-Meraki-API-Key`, where the value is your API key. This is the only supported method for authenticating requests to the Meraki API, as documented in the official API reference. Option D correctly specifies this header, making it the required authentication method for creating an HTTP webhook for network alerts.

Exam trap

Cisco often tests the distinction between standard authentication methods (Bearer tokens, Basic Auth) and vendor-specific custom headers, so the trap here is that candidates may assume a common standard like OAuth 2.0 or Basic Auth applies, when the Meraki API explicitly requires its own proprietary header.

How to eliminate wrong answers

Option A is wrong because the Meraki API does not use OAuth 2.0 Bearer tokens; it uses a custom API key header instead. Option B is wrong because passing the API key as a query parameter is insecure and not supported by the Meraki API; the key must be sent in a header. Option C is wrong because HTTP Basic Authentication (Base64-encoded credentials) is not used by the Meraki API; it relies solely on the `X-Cisco-Meraki-API-Key` header.

56
Multi-Select · medium

Which THREE of the following are key principles of Infrastructure as Code (IaC) as applied to network automation?

Select 3 answers
A. Manual configuration is preferred for critical devices.
B. Configuration should be idempotent.
C. Configuration should be validated through automated testing.
D. Temporary scripts should be used for one-time changes.
E. All configuration code should be stored in version control.
Answers: B, C, E

Idempotency ensures consistent state.

Why this answer

IaC principles include idempotency (repeatable results), version control (track changes), and continuous testing (validate configurations). Option A (manual configuration) is opposite. Option D (temporary scripts) is not a principle.

57
MCQ · medium

Refer to the exhibit. An automation script expects the interface IP address to be configured via DHCP. Based on the output, what is the current configuration source for the IP address?

A. DHCP
B. BOOTP
C. Manual configuration (NVRAM)
D. PPP negotiation
Answer: C

The show output confirms non-volatile memory.

Why this answer

The output shows 'IP address is 192.168.1.1, subnet mask is 255.255.255.0' with no DHCP or BOOTP flags, and the configuration is stored in NVRAM (startup-config). This indicates the IP was manually configured (typed by an administrator) and saved, not obtained via DHCP. Option C is correct because the source is manual configuration from NVRAM.

Exam trap

Cisco often tests the distinction between 'how an IP is assigned' (DHCP vs. manual) and 'where the config is stored' (running-config vs. NVRAM), leading candidates to mistakenly think any saved config implies DHCP when it actually indicates manual configuration.

How to eliminate wrong answers

Option A is wrong because DHCP would show 'IP address negotiated via DHCP' or a DHCP-assigned address with a lease, and the output lacks any DHCP client identifier or lease information. Option B is wrong because BOOTP is a legacy protocol that assigns IP addresses statically from a BOOTP server, and the output shows no BOOTP server interaction or 'bootp' flag. Option D is wrong because PPP negotiation applies to serial interfaces using PPP encapsulation, not to Ethernet interfaces, and the output shows no PPP-related parameters like IPCP negotiation.

58
MCQ · medium

A developer is using the Python requests library to interact with a Cisco IOS XE device's REST API. The call returns a 400 Bad Request status. The payload is correctly formatted JSON. What is the most likely cause?

A. The authentication credentials are missing or incorrect in the request header
B. The device's API service is not enabled
C. The requested URL path is incorrect
D. The JSON payload contains a syntax error
Answer: A

400 Bad Request commonly indicates missing or invalid authentication headers.

Why this answer

A 400 Bad Request status from a Cisco IOS XE REST API indicates a client-side error, typically related to malformed syntax or missing required elements. Since the JSON payload is confirmed as correctly formatted, the most likely cause is missing or incorrect authentication credentials in the request header, as the API requires valid credentials (e.g., Basic Auth with username:password encoded in Base64) to process the request. Without proper authentication, the server rejects the request with a 400 status before even evaluating the payload.

Exam trap

Cisco often tests the distinction between 400 Bad Request (client-side syntax/header issues) and 401 Unauthorized (invalid credentials), tricking candidates into assuming authentication errors always return 401, when in fact missing or malformed authentication headers can trigger a 400.

How to eliminate wrong answers

Option B is wrong because if the API service is not enabled, the device would typically return a 404 Not Found or a connection refusal, not a 400 Bad Request. Option C is wrong because an incorrect URL path would result in a 404 Not Found status, not a 400 Bad Request, as the server would not find the resource. Option D is wrong because the question explicitly states the JSON payload is correctly formatted, so a syntax error cannot be the cause.

59
MCQ · medium

A network team uses an Ansible playbook to automate the configuration of multiple Cisco IOS XE devices. The playbook includes the 'ios_config' module. Which of the following best describes the purpose of the 'provider' parameter in the ios_config module?

A. It defines the connection details for the device.
B. It identifies the name of the playbook being used.
C. It specifies the configuration lines to be applied.
D. It sets the timeout for the module execution.
Answer: A

Provider includes transport credentials.

Why this answer

The 'provider' parameter in the ios_config module is a dictionary that encapsulates the connection details required to access the network device, such as hostname, username, password, port, and transport protocol (e.g., SSH). This allows the module to establish a session with the Cisco IOS XE device before applying configuration changes. Without the provider, the module would not know how to reach or authenticate to the target device.

Exam trap

Cisco often tests the distinction between the 'provider' parameter (connection details) and the 'lines' parameter (configuration commands), leading candidates to mistakenly think 'provider' specifies the configuration content.

How to eliminate wrong answers

Option B is wrong because the playbook name is defined in the playbook file itself (e.g., the name field under a play), not in the ios_config module's provider parameter. Option C is wrong because the configuration lines to be applied are specified using the 'lines' or 'parents' parameters within the ios_config module, not the provider. Option D is wrong because timeout settings are configured via a separate 'timeout' parameter in the provider dictionary or directly in the module, not as the primary purpose of the provider parameter.

60
MCQ · easy

An engineer needs to automate the deployment of a new VLAN across multiple switches. Which tool is best suited for this task?

A. NetFlow
B. Syslog
C. Ansible
D. SNMP
Answer: C

Ansible is designed for configuration management and automation.

Why this answer

Ansible is the correct tool because it is an agentless automation platform that uses SSH to push configuration changes, such as VLAN deployment, to network devices. It allows engineers to define the desired state of VLANs in YAML playbooks and apply them consistently across multiple switches without manual intervention.

Exam trap

Cisco often tests the distinction between monitoring protocols (NetFlow, Syslog, SNMP) and automation tools (Ansible, Puppet, Chef), leading candidates to mistakenly choose SNMP because they recall it can write configurations, but they overlook its lack of idempotency and scalability for multi-switch VLAN deployment.

How to eliminate wrong answers

Option A is wrong because NetFlow is a network protocol used for traffic monitoring and analysis, not for configuration deployment. Option B is wrong because Syslog is a standard for message logging and does not provide any mechanism to push configuration changes to devices. Option D is wrong because SNMP is primarily used for monitoring and reading device statistics via MIBs, and while it can write some configuration values (SNMP SET), it is not designed for reliable, idempotent, or scalable VLAN deployment across multiple switches.

61
MCQ · easy

Which tool is specifically designed for model-driven programmability using YANG data models?

A. NETCONF
B. SNMP
C. CLI
D. Ansible
Answer: A

NETCONF is a protocol designed for model-driven management with YANG.

Why this answer

NETCONF is the correct answer because it is a network management protocol specifically designed to operate with YANG data models, using XML or JSON encoding to transport configuration and state data. YANG defines the structure of the data, and NETCONF provides the operations (get, edit-config, etc.) to manipulate that data in a model-driven, programmatic way. This makes NETCONF the standard tool for model-driven programmability in modern network automation.

Exam trap

Cisco often tests the distinction between a protocol that natively uses YANG (NETCONF) versus tools that can work with YANG but are not designed specifically for it (like Ansible), so the trap here is assuming any automation tool that supports YANG qualifies as 'specifically designed' for model-driven programmability.

How to eliminate wrong answers

Option B (SNMP) is wrong because SNMP uses MIBs (Management Information Bases) defined by SMI (Structure of Management Information), not YANG data models, and it is primarily used for monitoring rather than model-driven configuration. Option C (CLI) is wrong because CLI is a human-oriented, command-line interface that is not model-driven and does not use YANG; it relies on proprietary, device-specific commands. Option D (Ansible) is wrong because Ansible is an automation tool that can use YANG models indirectly via modules (e.g., ios_config), but it is not specifically designed for model-driven programmability using YANG; it is a general-purpose configuration management tool.

62
MCQ · easy

A network automation script uses RESTCONF to retrieve operational data from a Cisco device. What data format is typically supported by RESTCONF?

A. YAML
B. Plain text
C. XML or JSON
D. CSV
Answer: C

RESTCONF uses XML and JSON as data formats.

Why this answer

RESTCONF (RFC 8040) is a REST-like protocol that uses HTTP methods to access structured data defined by YANG models. It natively supports both XML and JSON as data serialization formats, allowing clients to choose the format via the Accept header or URL suffix (e.g., .xml or .json). This makes XML and JSON the correct answer because they are the only formats explicitly defined in the RESTCONF specification for encoding configuration and operational data.

Exam trap

Cisco often tests the misconception that RESTCONF supports YAML because of its popularity in automation tools like Ansible, but RESTCONF strictly uses XML and JSON per RFC 8040, and YAML is not a valid encoding in the standard.

How to eliminate wrong answers

Option A is wrong because YAML is not a supported data format in RESTCONF; RESTCONF uses XML and JSON as defined in RFC 8040, and YAML is not part of the standard. Option B is wrong because plain text lacks the structured, hierarchical representation required by YANG data models, and RESTCONF requires a structured format like XML or JSON for data serialization. Option D is wrong because CSV is a flat, row-based format that cannot represent the nested, tree-like data structures of YANG models, and it is not supported by RESTCONF.

63
Matching · medium

Match each JSON data type to its example.

"hello"

42

true

[1, 2, 3]

{"key": "value"}

Why these pairings

JSON supports these basic data types.

64
MCQ · hard

A network automation engineer is developing a Python script that uses the NETCONF protocol to retrieve the running configuration from a Cisco IOS XE device. They use the ncclient library. The script works on the test device but fails on a production device with an error: "ncclient.transport.errors.AuthenticationError: Authentication exception". The engineer verifies that the SSH credentials (username and password) are correct and that the production device is reachable via SSH on port 830. What is the most likely issue?

A. The production device uses a different port for NETCONF than the test device.
B. The production device has a firewall rule blocking NETCONF capabilities.
C. The production device does not have NETCONF enabled; it only supports SSH.
D. The production device requires SSH key-based authentication, but the script uses password.
Answer: D

Many production devices require keys for NETCONF authentication; password may fail at the NETCONF layer.

Why this answer

The 'AuthenticationError' raised by ncclient indicates that the NETCONF session over SSH failed during authentication. Since the engineer verified the password is correct and the device is reachable on port 830, the most likely cause is that the production device is configured to require SSH key-based authentication (e.g., using 'ip ssh server algorithm authentication publickey' or similar), while the script is attempting password-based authentication. ncclient defaults to password authentication unless explicitly configured with a key filename.

Exam trap

Cisco often tests the distinction between SSH transport authentication failures and NETCONF protocol-level failures, leading candidates to incorrectly attribute the error to NETCONF not being enabled or a firewall issue rather than the SSH authentication method mismatch.

How to eliminate wrong answers

Option A is wrong because the engineer verified the device is reachable via SSH on port 830, and the error is an authentication exception, not a connection timeout or port mismatch. Option B is wrong because a firewall rule blocking NETCONF capabilities would typically cause a connection timeout or 'Connection refused' error, not an authentication exception. Option C is wrong because if the device only supported SSH and not NETCONF, the ncclient library would fail with a 'CapabilityException' or similar error during the hello exchange, not an authentication error.

65
Multi-Select · hard

Which THREE of the following are valid methods to handle API rate limiting in a Python automation script? (Select exactly 3.)

Select 3 answers
A. Parse the Retry-After header from the response
B. Use a token bucket algorithm to control request rate
C. Sleep for a fixed amount of time between requests
D. Ignore the limit and send requests faster
E. Implement retry logic with exponential backoff
Answers: A, B, E

Parsing Retry-After respects the server-specified wait time.

Why this answer

Option A is correct because the Retry-After header is a standard HTTP mechanism (defined in RFC 7231) that explicitly tells the client how long to wait before making the next request. Parsing this header allows your Python script to respect the server's rate limit dynamically, rather than using a fixed or arbitrary delay. This is a common pattern when interacting with REST APIs that enforce rate limiting.

Exam trap

Cisco often tests the distinction between a fixed sleep (which is naive and not adaptive) versus dynamic methods like parsing Retry-After or using exponential backoff, and candidates mistakenly think a static delay is sufficient for rate limiting.
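As an added example (not code from the question bank), the three accepted strategies from question 65 in one Python helper: parse Retry-After (delay-seconds or HTTP-date), fall back to exponential backoff with jitter when the header is absent, and pace outgoing calls with a token bucket. The API stub, response type and function names are constructed so the block runs offline against a fake server.

```python
import random
import time
from collections import namedtuple
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed stand-in for an HTTP response (status, headers dict, body).
FakeResponse = namedtuple("FakeResponse", "status headers body")

def make_fake_api(limited_replies):
    """Constructed server stub: one 429 per entry (entry = Retry-After value, None = no header), then 200."""
    script = list(limited_replies)

    def send():
        if script:
            retry_after = script.pop(0)
            headers = {} if retry_after is None else {"Retry-After": retry_after}
            return FakeResponse(429, headers, None)
        return FakeResponse(200, {}, {"interfaces": ["GigabitEthernet1"]})
    return send

def parse_retry_after(value, now=None):
    """Retry-After (RFC 7231 s7.1.3) is delay-seconds or an HTTP-date; None if absent/unparseable."""
    if value is None:
        return None
    value = value.strip()
    if value.isdigit():
        return float(value)
    try:
        when = parsedate_to_datetime(value)
    except (TypeError, ValueError):
        return None
    now = now or datetime.now(timezone.utc)
    return max(0.0, (when - now).total_seconds())  # never wait a negative time

class TokenBucket:
    """Client-side pacing: `rate` tokens/s refill a bucket that holds `capacity`."""
    def __init__(self, rate, capacity, clock=time.monotonic):
        self.rate, self.capacity, self.clock = rate, capacity, clock
        self.tokens, self.last = float(capacity), clock()

    def acquire(self):
        """Consume a token and return 0.0, or return the seconds to wait before retrying."""
        now = self.clock()
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return 0.0
        return (1 - self.tokens) / self.rate

def request_with_backoff(send, max_attempts=5, base=0.5, cap=30.0, sleep=time.sleep, rng=random.random):
    """Retry on 429: honour Retry-After, else exponential backoff with full jitter (base*2**n, capped, * rng())."""
    waits = []
    for attempt in range(max_attempts):
        resp = send()
        if resp.status != 429:
            return resp, waits
        delay = parse_retry_after(resp.headers.get("Retry-After"))
        if delay is None:
            delay = min(cap, base * 2 ** attempt) * rng()
        waits.append(delay)
        sleep(delay)
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")
```

Pass `rng=lambda: 1.0` and a recording `sleep` to see the exact delays without waiting; in a real script `send` would wrap the HTTP client call.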

66
MCQ · medium

A team uses Chef to manage network device configurations. Which component of Chef is responsible for storing configuration policy and distributing it to nodes?

A. Knife
B. Chef Server
C. Chef Client
D. Supermarket
Answer: B

The central server stores and distributes policy.

Why this answer

The Chef Server is the central hub that stores configuration policies (cookbooks, roles, environments, data bags) and distributes them to nodes via a REST API. When a Chef Client runs on a node, it authenticates with the Chef Server and downloads the relevant policy to converge the node to the desired state. This makes the Chef Server the authoritative source of configuration policy in a Chef architecture.

Exam trap

Cisco often tests the distinction between the Chef Server (policy storage/distribution) and the Chef Client (policy execution), tempting candidates to confuse the agent with the central repository.

How to eliminate wrong answers

Option A is wrong because Knife is a command-line tool used by administrators to interact with the Chef Server (e.g., upload cookbooks, bootstrap nodes), but it does not store or distribute policy itself. Option C is wrong because the Chef Client is an agent that runs on nodes to apply configuration locally; it pulls policy from the Chef Server but does not store or distribute it. Option D is wrong because Supermarket is a public community repository for sharing cookbooks, not a component that stores or distributes policy within an organization's own infrastructure.

67
MCQ · hard

Refer to the exhibit. A network engineer applies this JSON-based QoS policy to a Cisco device using NETCONF/YANG. Which statement best describes the expected behavior for traffic from 10.0.0.0/24 with DSCP EF?

A. Traffic with DSCP EF from any source is re-marked to AF41 and dropped if exceeding 100 Mbps.
B. The policy is invalid because DSCP values cannot be changed in a QoS policy.
C. Traffic from 10.0.0.0/24 with DSCP EF is re-marked to AF41 and limited to 100 Mbps; excess is dropped.
D. Traffic from 10.0.0.0/24 is re-marked to DSCP EF, then policed at 100 Mbps.
Answer: C

The policy matches both conditions, then re-marks and polices.

Why this answer

Option C is correct because the JSON-based QoS policy uses a class map matching traffic from source 10.0.0.0/24 with DSCP EF, then applies a police action that re-marks exceeding traffic to AF41 and drops it when the rate exceeds 100 Mbps. This is a standard two-rate policer behavior in Cisco IOS QoS, where conforming traffic is transmitted unchanged and exceeding traffic is re-marked and dropped.

Exam trap

Cisco often tests the distinction between matching criteria (source IP and DSCP) versus the action applied (re-marking and policing), leading candidates to confuse which traffic is matched and what happens to conforming versus exceeding packets.

How to eliminate wrong answers

Option A is wrong because the policy matches traffic from 10.0.0.0/24 with DSCP EF, not any source; the match condition is specific to that source subnet. Option B is wrong because DSCP values can be changed in a QoS policy using the 'set dscp' action within a police or service-policy; this is a common practice for re-marking. Option D is wrong because the policy does not re-mark traffic to DSCP EF; it matches traffic already marked as DSCP EF and then polices it, re-marking exceeding traffic to AF41.

68
MCQ · easy

Which data format is most commonly used in REST API requests and responses in modern network automation?

A. YAML
B. XML
C. CSV
D. JSON
Answer: D

JSON is the standard for REST APIs.

Why this answer

JSON (JavaScript Object Notation) is the most commonly used data format in REST API requests and responses for modern network automation because it is lightweight, language-agnostic, and natively supported by most programming languages and network devices. REST APIs typically use JSON over HTTP due to its ease of parsing, compact structure, and alignment with web development practices, making it the de facto standard for exchanging structured data in automation workflows like those with Cisco NSO, Ansible, or Python scripts.

Exam trap

The trap here is that candidates may confuse YAML's prevalence in configuration management (e.g., Ansible) with REST API data interchange, or assume XML's historical role in SOAP extends to modern REST, leading them to overlook JSON's dominance in actual API payloads.

How to eliminate wrong answers

Option A is wrong because YAML, while popular in configuration files (e.g., Ansible playbooks), is not the primary format for REST API payloads; it lacks native HTTP content-type support and is less commonly used in request/response bodies. Option B is wrong because XML, though historically used in SOAP APIs and some legacy REST implementations, is verbose, requires more parsing overhead, and has been largely superseded by JSON in modern REST APIs due to simplicity and performance. Option C is wrong because CSV is a tabular data format unsuitable for hierarchical or nested structures common in REST API responses, and it lacks standard schema support for complex objects like device configurations or network states.

69
MCQ · easy

An automation engineer wants to programmatically retrieve the interface configuration of a Cisco Nexus switch using NX-API. Which API call method is most appropriate?

A. POST
B. DELETE
C. PUT
D. GET
Answer: D

GET is used to retrieve resource representations.

Why this answer

The NX-API on Cisco Nexus switches uses HTTP methods that map to CRUD operations. To retrieve (read) interface configuration without modifying any state, the GET method is the correct and most appropriate choice, as it corresponds to the 'show' commands in the CLI. POST, PUT, and DELETE are intended for creating, updating, or deleting resources, not for read-only queries.

Exam trap

The trap here is that candidates may confuse POST with GET because NX-API examples often use POST for sending CLI commands in the request body, but the question specifically asks for retrieving configuration, which requires the read-only GET method.

How to eliminate wrong answers

Option A is wrong because POST is used to create a new resource or invoke an action (e.g., applying a configuration), not to retrieve existing data. Option B is wrong because DELETE is used to remove a resource (e.g., deleting an interface configuration), which is destructive and inappropriate for a read operation. Option C is wrong because PUT is used to update or replace an existing resource (e.g., modifying interface parameters), not to retrieve configuration.

70
MCQ · easy

A DevOps team wants to version control their network configurations. Which tool should they use?

A. Puppet
B. Jenkins
C. Git
D. Docker
Answer: C

Git is the standard for version control.

Why this answer

Git is a distributed version control system that tracks changes in source code and configuration files, making it the ideal tool for version controlling network configurations. Unlike configuration management tools, Git provides commit history, branching, and rollback capabilities specifically designed for version control.

Exam trap

Cisco often tests the distinction between version control tools (Git) and configuration management tools (Puppet, Ansible) or CI/CD tools (Jenkins), leading candidates to confuse the purpose of each tool in the DevOps pipeline.

How to eliminate wrong answers

Option A is wrong because Puppet is a configuration management tool that enforces desired state on systems, not a version control system for tracking changes to configuration files. Option B is wrong because Jenkins is a continuous integration/continuous delivery (CI/CD) automation server, not a version control tool. Option D is wrong because Docker is a containerization platform for packaging applications and their dependencies, not a version control system.

71
MCQ · medium

A network automation engineer is writing an Ansible playbook to configure interface descriptions on Cisco IOS-XE devices. The playbook uses the ios_config module. Which attribute should be used to ensure idempotency and only apply changes when the interface does not already have the desired description?

A. lines
B. src
C. parents
D. before
Answer: A

lines defines the configuration lines to be added or modified; the module checks current state to avoid duplicate changes.

Why this answer

Option A is correct because the `lines` attribute in the `ios_config` module specifies the exact configuration lines to be applied. Ansible's `ios_config` module inherently checks the current device configuration against the desired state defined in `lines`; if the interface already has the matching description, the module skips the task, ensuring idempotency. This prevents unnecessary configuration changes and maintains network stability.

Exam trap

Cisco often tests the misconception that `src` or `parents` alone provide idempotency, but the trap here is that `lines` is the attribute that directly enables the module to compare and skip unchanged configuration lines, while `parents` only sets the configuration context and does not perform the idempotency check itself.

How to eliminate wrong answers

Option B is wrong because `src` specifies a file or template containing configuration commands, but it does not inherently check the current state of the interface description; it reapplies the entire file content each run, breaking idempotency unless combined with other logic. Option C is wrong because `parents` is used to navigate to a specific configuration context (e.g., interface configuration mode) but does not itself enforce idempotency for the description line; it only sets the parent path for the `lines` or `src` content. Option D is wrong because `before` inserts configuration lines before a matched line in the running config, which is used for ordering or insertion, not for checking existing descriptions to avoid redundant changes.
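As an added example, not Ansible's own code, a simplified model of the comparison behind the idempotency claim in question 71 (the same logic is what makes the base-configuration push in question 74 safe to re-run): the running config is parsed into parent contexts, and only the `lines` missing under `parents` are sent, so a repeat run sends nothing. The function names and the running-config excerpt are constructed.

```python
def parse_running_config(text):
    """Turn IOS running-config text into {parents: [child lines]} using
    IOS's one-space-per-level indentation. Comments (!) and blanks are dropped."""
    blocks = {(): []}
    stack = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        depth = len(raw) - len(raw.lstrip(" "))
        line = raw.strip()
        stack = stack[:depth]                 # climb back out to this line's parent
        blocks.setdefault(tuple(stack), []).append(line)
        stack.append(line)
    return blocks

def config_diff(running, lines, parents=()):
    """Commands ios_config would push: the parent context plus only the
    `lines` not already present under it. [] means the device already matches."""
    parents = tuple(parents)
    missing = [l for l in lines if l not in running.get(parents, [])]
    return list(parents) + missing if missing else []

def converge(running, lines, parents=()):
    """Compute the diff, 'apply' it to a copy of the parsed config and return
    (commands_sent, new_running). Calling again with new_running sends nothing."""
    parents = tuple(parents)
    commands = config_diff(running, lines, parents)
    new = {k: list(v) for k, v in running.items()}
    if commands:
        # register each parent level so the context exists, then add the lines
        for depth in range(len(parents)):
            ctx = parents[:depth]
            if parents[depth] not in new.setdefault(ctx, []):
                new[ctx].append(parents[depth])
        new.setdefault(parents, []).extend(commands[len(parents):])
    return commands, new

# Constructed running-config excerpt (not captured from a real device).
RUNNING_CONFIG = """\
Building configuration...
!
interface GigabitEthernet1
 description uplink
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet2
 shutdown
!
"""

if __name__ == "__main__":
    cfg = parse_running_config(RUNNING_CONFIG)
    sent, cfg = converge(cfg, ["description access"], ["interface GigabitEthernet2"])
    print("first run sent:", sent)                                              # two commands
    print("second run sent:", converge(cfg, ["description access"], ["interface GigabitEthernet2"])[0])  # []
```

The model only checks presence of the exact line; like the real module, a changed description text is a new line and is pushed.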

72
MCQ · hard

An engineer is troubleshooting a NETCONF session that fails to establish with a Cisco IOS XE device. The SSH connection succeeds, but NETCONF capabilities are not exchanged. What is the most likely cause?

A. The device requires authentication via SSH keys, but a password was used.
B. The firewall is blocking port 830.
C. The device is running an older IOS version that does not support NETCONF.
D. The device's NETCONF server is not enabled.
Answer: D

If the netconf-yang feature is not enabled, SSH connects but no NETCONF capabilities are exchanged.

Why this answer

Option D is correct because NETCONF uses a client-server model where the server (the Cisco IOS XE device) must have the NETCONF server explicitly enabled. If the SSH transport succeeds but capabilities are not exchanged, it indicates the NETCONF subsystem is not active on the device. The NETCONF server must be enabled with the `netconf-yang` command in global configuration mode before it will start and exchange capabilities.

Exam trap

Cisco often tests the distinction between SSH transport success and NETCONF protocol success, trapping candidates who assume a successful SSH connection implies NETCONF is fully operational.

How to eliminate wrong answers

Option A is wrong because the SSH connection succeeded, meaning authentication was accepted regardless of method (password or SSH keys); NETCONF capability exchange occurs after SSH transport is established, so authentication is not the issue. Option B is wrong because the SSH connection succeeded, which typically uses port 830 for NETCONF-over-SSH; if a firewall were blocking port 830, the SSH connection itself would fail, not just the capability exchange. Option C is wrong because even older IOS XE versions (e.g., 16.x) support NETCONF; the issue is not version compatibility but whether the NETCONF server is administratively enabled.

73
MCQ · medium

An engineer is writing a Python script using the Cisco DevNet sandbox to configure OSPF on a CSR1000v via RESTCONF. What authentication method is typically used for RESTCONF requests?

A. No authentication
B. OAuth2
C. API token only
D. Basic authentication over HTTPS
Answer: D

Basic auth over HTTPS is widely used for RESTCONF on Cisco devices.

Why this answer

RESTCONF typically uses Basic authentication over HTTPS (RFC 7235) because it is a lightweight, stateless mechanism that sends a base64-encoded username:password pair in the Authorization header. In the Cisco DevNet sandbox CSR1000v environment, this is the standard method for authenticating RESTCONF requests, as the sandbox provides a username and password for access.

Exam trap

Cisco often tests the distinction between RESTCONF and NETCONF authentication, where candidates might mistakenly think RESTCONF uses SSH keys or no authentication, but RESTCONF always requires HTTPS-based authentication, typically Basic.

How to eliminate wrong answers

Option A is wrong because RESTCONF requires authentication; no authentication would leave the device open to unauthorized configuration changes. Option B is wrong because OAuth2 is not typically used for RESTCONF on Cisco IOS-XE devices; it is more common in cloud-based APIs like Webex or Meraki. Option C is wrong because API token only is not a standard RESTCONF authentication method; while some Cisco platforms (e.g., DNA Center) use tokens, the CSR1000v sandbox relies on Basic authentication over HTTPS.
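As an added example (not from the question bank or the DevNet sandbox), a RESTCONF request built the way question 73 describes: Basic authentication in the Authorization header, the RFC 8040 JSON media type from question 68 in Accept, and a refusal to use anything but HTTPS. The hostname and credentials are constructed, the OSPF resource path is assumed, and the request is built but never sent, so the block runs offline.

```python
import base64
import urllib.request
from urllib.parse import urlsplit

YANG_JSON = "application/yang-data+json"  # RESTCONF JSON media type (RFC 8040)

def build_restconf_request(base_url, resource, username, password, method="GET", body=None):
    """Build (but do not send) <base_url>/restconf/data/<resource> with Basic auth.
    Plain http is refused: Basic is only base64, so TLS is what protects the password."""
    if urlsplit(base_url).scheme != "https":
        raise ValueError("RESTCONF with Basic authentication must use https://")
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    url = f"{base_url.rstrip('/')}/restconf/data/{resource}"
    req = urllib.request.Request(url, data=body, method=method)
    req.add_header("Authorization", f"Basic {token}")
    req.add_header("Accept", YANG_JSON)            # ask for JSON, not XML
    if body is not None:
        req.add_header("Content-Type", YANG_JSON)  # body is JSON-encoded YANG data
    return req

def decode_basic(authorization):
    """Reverse the header to show why it must never cross the wire unencrypted."""
    scheme, _, token = authorization.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token).decode().partition(":")
    return user, password

if __name__ == "__main__":
    # Assumed sandbox host and OSPF path, constructed credentials.
    req = build_restconf_request("https://sandbox-iosxe.example.net",
                                 "Cisco-IOS-XE-native:native/router/ospf", "admin", "s3cret")
    print(req.get_method(), req.full_url)
    print("recovered from header:", decode_basic(req.get_header("Authorization")))
```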

74
MCQ · easy

A network administrator is managing a small office with 10 Cisco 9200 switches. They want to automate the deployment of a standard base configuration (VLANs, STP, management access) to all switches. They have a Linux server with Ansible installed. The administrator writes a playbook that uses the 'ios_config' module to apply configuration blocks. However, when they run the playbook against the first switch, it fails with an authentication error. The administrator can SSH to the switch manually using the same credentials. What is the most likely cause of the failure?

A. The Ansible playbook is missing the 'ansible_connection: network_cli' and 'ansible_network_os: ios' variables.
B. The switch's SSH server does not support the key exchange algorithm used by Ansible.
C. The playbook is using the wrong username because the variable is not defined.
D. The switch is running an incompatible IOS version that does not support the commands in the playbook.
Answer: A

Network devices require these variables to handle the SSH session correctly.

Why this answer

For Ansible to connect to network devices, the connection type must be set to 'network_cli' and the network OS must be specified. Without these, Ansible may attempt to use the default SSH connection method (paramiko) which does not handle network device prompts correctly, leading to authentication errors.

75
MCQ · medium

A DevOps team uses Ansible to configure Cisco Nexus switches for a new data center. They have a playbook that uses the nxos_vlan module to create VLANs and nxos_interface module to assign access VLANs. The playbook runs successfully on the first Nexus switch but fails on the second with error: 'module_stderr: ntclib: error: unable to connect to switch'. Both switches are reachable via ping and SSH from the Ansible control node. The inventory file has the same SSH credentials for both switches. What is the most likely cause of the connection failure on the second switch?

A. The second switch does not have NX-API enabled.
B. The Ansible control node has an incompatible version of the nxos collection.
C. The second switch has a different VLAN database that conflicts with the playbook.
D. The second switch's SSH key fingerprint has changed and is not accepted.
Answer: A

The error indicates an NX-API connection failure; enabling NX-API on the switch resolves it.

Why this answer

The error 'module_stderr: ntclib: error: unable to connect to switch' indicates that the Ansible nxos modules are attempting to use NX-API (REST-like HTTP/HTTPS API) to communicate with the switch, not SSH. Even though SSH is reachable, the second switch likely has NX-API disabled or not configured, causing the connection failure. The nxos_vlan and nxos_interface modules in Ansible rely on NX-API by default when the connection type is set to 'network_cli' or 'httpapi', and without NX-API enabled, the modules cannot execute.

Exam trap

Cisco often tests the misconception that Ansible nxos modules use SSH for all operations, when in fact they default to NX-API for task execution, so candidates may overlook the need for NX-API to be enabled on the target switch.

How to eliminate wrong answers

Option B is wrong because an incompatible nxos collection version would typically cause module-specific errors (e.g., missing parameters or attributes), not a generic 'unable to connect' error; the connection failure is at the transport layer, not the module logic. Option C is wrong because VLAN database conflicts would result in task-level failures (e.g., 'VLAN already exists') during module execution, not a connection error before the module runs. Option D is wrong because SSH key fingerprint changes would cause an SSH authentication failure (e.g., 'Host key verification failed') in the SSH transport, not an NX-API connection error; the error message specifically references 'ntclib', which is the NX-API client library.

