CCNA App Deployment Security Questions

75 of 92 questions · Page 1/2 · App Deployment Security topic

1 · MCQ · medium

A security team wants to ensure that only signed Docker images are deployed in production. Which CI/CD pipeline step validates the image signature before deployment?

A. Use Docker Content Trust with Notary to verify signatures.
B. Compare the image SHA with a known good hash.
C. Run a vulnerability scan on the image.
D. Check the image size on the registry.
Answer: A

Standard mechanism for image signing and verification.

Why this answer

Docker Content Trust (DCT) integrates with Notary to provide a framework for signing and verifying Docker images. When DCT is enabled in the CI/CD pipeline, the Docker client verifies the image's signature against a trusted signing key before allowing the image to be pulled or deployed, ensuring only images signed by authorized parties are used in production.

Exam trap

The trap here is that candidates confuse integrity verification (hash comparison) with authenticity verification (digital signatures), assuming a simple SHA check provides the same security as a full PKI-based signing scheme like Docker Content Trust.

How to eliminate wrong answers

Option B is wrong because comparing the image SHA with a known good hash only verifies integrity (that the image hasn't been tampered with during transit), not authenticity (that the image was signed by a trusted publisher). Option C is wrong because a vulnerability scan checks for known security flaws in the image's packages, but does not validate any cryptographic signature or provenance. Option D is wrong because checking the image size on the registry is a trivial metadata check that provides no security assurance about the image's origin or integrity.

2 · MCQ · medium

During a security audit, an engineer discovers that a CI/CD pipeline is storing API keys in plain text in environment variables. Which best practice should be implemented to mitigate this risk?

A. Store secrets in a .env file and add it to the repository with restricted access.
B. Encrypt the environment variables using a tool like openssl and store the key elsewhere.
C. Use a dedicated secrets management service like HashiCorp Vault or AWS Secrets Manager and retrieve secrets at runtime.
D. Remove the API keys from the pipeline and require manual entry each time a build runs.
Answer: C

Secrets managers provide secure storage, rotation, and audit capabilities, preventing exposure in plaintext.

Why this answer

Option C is correct because dedicated secrets management services like HashiCorp Vault or AWS Secrets Manager provide secure storage, access control, and audit logging for sensitive data. They allow the CI/CD pipeline to retrieve API keys at runtime via authenticated API calls, ensuring secrets are never stored in plain text in environment variables or configuration files. This approach aligns with the principle of least privilege and eliminates the risk of exposure through source code or build logs.

Exam trap

Cisco often tests the misconception that encrypting secrets or storing them in a restricted repository is sufficient, when the correct answer is always to use a dedicated secrets management service that retrieves secrets at runtime, avoiding any persistent storage of sensitive data in the pipeline.

How to eliminate wrong answers

Option A is wrong because storing secrets in a .env file and adding it to the repository, even with restricted access, still embeds the secrets in version control history and exposes them to anyone with repository access, violating the principle of never storing secrets in code. Option B is wrong because encrypting environment variables with openssl and storing the key elsewhere introduces key management complexity and does not prevent the encrypted value from being exposed in logs or environment dumps; the decryption key must still be securely managed, which is often mishandled. Option D is wrong because requiring manual entry of API keys each time a build runs is impractical for automated CI/CD pipelines, introduces human error, and defeats the purpose of continuous integration and deployment.

3 · Matching · medium

Match each Python library to its typical use in network automation.


HTTP library for REST API calls

SSH protocol implementation

NETCONF client for network devices

Validate JSON data structures

Parse and emit YAML files

Why these pairings

Common Python libraries used in network automation.

4 · Multi-Select · medium

An application is secured using OAuth 2.0 for Cisco Webex API access. Which three components are involved in the authorization code grant flow? (Choose three.)

A. Client Secret
B. Client ID
C. Authorization Code
D. Refresh Token
E. API Key
Answers: A, B, C

Client Secret authenticates the application.

Why this answer

The authorization code grant flow in OAuth 2.0 requires the client to present its Client ID and Client Secret to authenticate itself to the authorization server. The flow begins by requesting an authorization code, which is then exchanged for an access token. The three components explicitly involved in this exchange are the Client Secret (A), Client ID (B), and Authorization Code (C).

Exam trap

Cisco often tests the distinction between the components used in the initial authorization code grant flow versus those used in subsequent token refresh, causing candidates to incorrectly include the Refresh Token as a required component of the initial flow.

5 · MCQ · medium

An engineer is designing a CI/CD pipeline for a Python application. The pipeline should automatically run unit tests, build a Docker image, push it to a private registry, and deploy to a Kubernetes cluster. Which sequence of stages is correct?

A. Build -> Test -> Push -> Deploy
B. Test -> Push -> Deploy
C. Test -> Deploy -> Build -> Push
D. Test -> Build -> Push -> Deploy
Answer: D

Tests run first; if they pass, the image is built, pushed to registry, then deployed.

Why this answer

Option D is correct because a CI/CD pipeline for a Python application must first run unit tests to validate code quality, then build the Docker image from the tested code, push the image to a private registry, and finally deploy to Kubernetes. This sequence ensures that only tested and built artifacts are deployed, preventing deployment of broken or untested code.

Exam trap

Cisco often tests the logical order of CI/CD stages, and the trap here is that candidates may think building before testing is acceptable, but the pipeline must validate code before creating artifacts to avoid deploying untested code.

How to eliminate wrong answers

Option A is wrong because it places Build before Test, which would build a Docker image from untested code, risking deployment of a broken image. Option B is wrong because it omits the Build stage entirely, meaning no Docker image is created before pushing to the registry, which is impossible. Option C is wrong because it attempts to Deploy before Build and Push, which would fail since no image exists in the registry to deploy to Kubernetes.

6 · MCQ · medium

In a Kubernetes deployment, the container image pull policy is set to "Always". This causes performance issues during rollouts because the image registry is slow. What is the best practice to reduce pull time while maintaining security?

A. Set pullPolicy to "IfNotPresent" for stable releases and use image tags like v1.2.3.
B. Use the ":latest" tag to ensure always fresh images.
C. Set pullPolicy to "Never" and pre-pull images on nodes.
D. Disable image verification to speed up pulls.
Answer: A

Optimizes pulls and uses versioned tags for consistency.

Why this answer

Option A is correct because setting `pullPolicy` to `IfNotPresent` for stable releases (using immutable tags like `v1.2.3`) avoids unnecessary image pulls from a slow registry when the image already exists on the node. This reduces rollout time while maintaining security by ensuring that only explicitly versioned, verified images are used, preventing accidental use of stale or untagged images.

Exam trap

Cisco often tests the misconception that `:latest` is a safe, always-fresh choice, but the trap here is that `:latest` combined with `Always` causes unnecessary pulls and version ambiguity, whereas immutable tags with `IfNotPresent` balance performance and security.

How to eliminate wrong answers

Option B is wrong because using the `:latest` tag with `pullPolicy: Always` (the default for `:latest`) forces a pull every time, which exacerbates the performance issue and introduces unpredictability, as `:latest` is mutable and can change without notice. Option C is wrong because setting `pullPolicy` to `Never` prevents the kubelet from pulling the image at all, which can cause Pod failures if the image is not already present on the node, and pre-pulling images manually is not scalable or secure for dynamic rollouts. Option D is wrong because disabling image verification (e.g., skipping signature validation or using `imagePullPolicy: Always` without digest-based references) weakens security by allowing potentially tampered images to run, and it does not address the root cause of slow pulls.

7 · MCQ · medium

A developer wants to deploy a containerized application on a Cisco Container Platform (CCP) cluster. The application requires persistent storage. Which Kubernetes resource should be used to provision storage?

A. Secret
B. Service
C. PersistentVolumeClaim
D. ConfigMap
Answer: D

ConfigMap is used for configuration data, not persistent storage.

Why this answer

PersistentVolumeClaim (PVC) is the correct Kubernetes resource for requesting persistent storage in a CCP cluster. A PVC binds to a PersistentVolume (PV) that has been provisioned by the cluster administrator or dynamically via a StorageClass, making it the standard abstraction for storage consumption in containerized applications.

Exam trap

Cisco often tests the distinction between ConfigMap and PersistentVolumeClaim by presenting ConfigMap as a storage option, but ConfigMap is for configuration data, not persistent storage, and cannot survive Pod restarts or provide filesystem-level persistence.

How to eliminate wrong answers

Option A is wrong because a Secret is used to store sensitive data like passwords or tokens, not to provision storage. Option B is wrong because a Service is a networking abstraction that exposes a set of Pods as a network service, not a storage resource. Option D (ConfigMap) is incorrect because ConfigMaps store non-sensitive configuration data as key-value pairs or files, not persistent storage volumes.

8 · MCQ · medium

During a security audit, it is found that a microservice exposes its internal IP address in error responses. This could help attackers map the network. What is the BEST remediation?

A. Use a service mesh to encrypt traffic.
B. Log the errors and monitor them.
C. Configure the application to return generic error messages without internal details.
D. Add a firewall to block external access to the service.
Answer: C

Eliminates information leakage at the source.

Why this answer

Option C is correct because exposing internal IP addresses in error responses violates the principle of least information disclosure. The best remediation is to configure the application to return generic error messages (e.g., HTTP 500 with a generic body) that strip out internal details like IP addresses, stack traces, or debug data. This prevents attackers from using error responses to map the internal network topology, a common information-gathering technique.

Exam trap

Cisco often tests the misconception that network-level controls (firewalls, encryption) are sufficient to fix application-layer information disclosure, when in fact the application itself must sanitize its output.

How to eliminate wrong answers

Option A is wrong because a service mesh (e.g., Istio, Linkerd) encrypts traffic between microservices (mTLS) but does not modify the content of error responses returned to clients; the internal IP would still leak in the response body. Option B is wrong because logging errors and monitoring them only helps with detection and post-incident analysis, not prevention; the internal IP is still exposed in the live response to the attacker. Option D is wrong because a firewall blocks external access at the network layer, but if the service is meant to be externally accessible (e.g., a public API), the firewall cannot be applied; even if it could, the internal IP would still be exposed to legitimate external clients who receive the error.

9 · MCQ · medium

Refer to the exhibit. A security audit requires that the container cannot run as root. Which part of the pod spec ensures this?

A. The configMap volume
B. The image tag "latest"
C. allowPrivilegeEscalation: false
D. runAsUser: 1000
Answer: D

Sets the container to run as a non-root user.

Why this answer

Option D is correct because setting `runAsUser: 1000` in the pod's security context explicitly instructs the container runtime to launch the container's main process with a user ID of 1000, which is a non-root user. This directly satisfies the security audit requirement that the container cannot run as root (UID 0). The `runAsUser` field overrides the default behavior where containers run as root unless a non-root user is specified in the container image or security context.

Exam trap

Cisco often tests the distinction between security context fields: candidates confuse `allowPrivilegeEscalation` (which prevents gaining additional privileges after startup) with `runAsUser` (which sets the initial user), leading them to incorrectly select option C when the requirement is to avoid running as root entirely.

How to eliminate wrong answers

Option A is wrong because a ConfigMap volume is used to inject configuration data (key-value pairs) into a container's filesystem or environment variables; it has no effect on the user identity under which the container process runs. Option B is wrong because the image tag 'latest' simply refers to the most recent version of a container image and does not influence the runtime user ID; it is a common anti-pattern for reproducibility but irrelevant to root vs. non-root execution. Option C is wrong because `allowPrivilegeEscalation: false` controls whether a process can gain more privileges than its parent (e.g., via setuid binaries), but it does not prevent the container from starting as root; a container can still run as root with privilege escalation disabled, which would violate the audit requirement.

10 · MCQ · hard

A Python script using the Cisco ACI Toolkit (aciToolkit) fails with 'LoginError: unable to login to APIC'. The APIC is reachable via HTTPS. What is the most likely cause?

A. The APIC has reached its maximum session limit.
B. The script uses HTTP instead of HTTPS.
C. The script uses an incorrect APIC domain (e.g., 'apic' instead of the FQDN).
D. The APIC is running an unsupported firmware version.
Answer: C

The aciToolkit's login() requires the correct APIC domain; an incorrect domain prevents proper authentication.

Why this answer

The Cisco ACI Toolkit (aciToolkit) requires the APIC domain to be specified as a fully qualified domain name (FQDN) or IP address that matches the APIC's certificate. Using a short name like 'apic' instead of the FQDN (e.g., 'apic.example.com') causes a TLS certificate hostname mismatch, leading to a login failure even though the APIC is reachable. The 'LoginError: unable to login to APIC' error typically indicates an authentication or connectivity issue, and in this scenario, the certificate validation fails because the toolkit verifies the server's hostname against the certificate's Subject Alternative Name (SAN).

Exam trap

Cisco often tests the nuance that a reachable APIC via HTTPS does not guarantee successful login if the hostname in the script does not match the APIC's TLS certificate, leading candidates to overlook certificate validation as the root cause.

How to eliminate wrong answers

Option A is wrong because the APIC session limit would produce a different error (e.g., 'maximum sessions reached' or 'login denied'), not a generic 'unable to login' message, and the APIC is reachable via HTTPS. Option B is wrong because the error message explicitly states the APIC is reachable via HTTPS, and if the script used HTTP, it would likely fail with a connection timeout or HTTP error, not a login error. Option D is wrong because an unsupported firmware version would typically cause API incompatibility errors (e.g., 'unsupported version' or 'method not found'), not a login failure, and the APIC is reachable.

11 · Multi-Select · medium

Which TWO statements about Dockerfile best practices are correct? (Choose two.)

A. Use the ADD instruction instead of COPY to copy local files into the image.
B. Combine multiple RUN commands into a single RUN statement to reduce image layers.
C. Use a .dockerignore file to exclude unnecessary files from the build context.
D. Use the EXPOSE instruction to secure the container by limiting exposed ports.
E. Prefer official base images from trusted registries.
Answers: C, E

.dockerignore reduces build context size and improves security by excluding sensitive files.

Why this answer

Option C is correct because a .dockerignore file prevents unnecessary files (e.g., node_modules, .git, logs) from being sent to the Docker daemon as part of the build context. This reduces build time, minimizes the risk of including sensitive data, and ensures a cleaner, more efficient image build.

Exam trap

Cisco often tests the misconception that EXPOSE actually secures or opens ports, when in reality it is only documentation and has no effect on container network security.

12 · MCQ · easy

Which Cisco product provides end-to-end application visibility and performance monitoring across hybrid cloud environments?

A. Cisco Intersight
B. Cisco DNA Center
C. Cisco AppDynamics
D. Cisco SecureX
Answer: A

Intersight is for infrastructure management, not application monitoring.

Why this answer

Cisco Intersight is the correct answer because it provides unified infrastructure management with end-to-end application visibility and performance monitoring across hybrid cloud environments. It integrates telemetry from compute, storage, and network resources, enabling real-time insights into application behavior regardless of whether workloads run on-premises or in public clouds.

Exam trap

Cisco often tests the distinction between application performance monitoring (AppDynamics) and unified infrastructure management with application visibility (Intersight), leading candidates to confuse a specialized APM tool with a broader hybrid cloud management platform.

How to eliminate wrong answers

Option B is wrong because Cisco DNA Center focuses on intent-based networking for campus and branch networks, not on application performance monitoring across hybrid clouds. Option C is wrong because Cisco AppDynamics is an application performance monitoring (APM) tool that provides deep application-level visibility, but it does not offer end-to-end infrastructure visibility across hybrid cloud environments as a unified management platform. Option D is wrong because Cisco SecureX is a cloud-native security platform that integrates security products and automates threat response, not application performance monitoring.

13 · MCQ · easy

An application exposes a REST API. To ensure that only authorized clients can access the API, the developer implements token-based authentication. Which HTTP header is typically used to transmit the bearer token?

A. Cookie
B. X-API-Key
C. Authorization: Basic
D. Authorization: Bearer
Answer: D

This is the standard header for bearer tokens.

Why this answer

The Authorization header with the Bearer scheme (RFC 6750) is the standard method for transmitting bearer tokens in HTTP requests. When a client authenticates and receives a token, it includes the token in the Authorization header as 'Bearer <token>', allowing the server to validate the token and authorize the request without requiring session state.

Exam trap

Cisco often tests the distinction between Authorization: Basic and Authorization: Bearer, where candidates confuse the two because both use the Authorization header, but Basic transmits credentials while Bearer transmits a token.

How to eliminate wrong answers

Option A is wrong because the Cookie header is used for session-based authentication (e.g., JSESSIONID) and is not the standard for bearer token transmission; cookies are vulnerable to CSRF and require additional security measures. Option B is wrong because X-API-Key is a custom header typically used for API key authentication, not for bearer tokens; it lacks the standardized Bearer scheme defined in RFC 6750. Option C is wrong because Authorization: Basic uses Base64-encoded credentials (username:password) for HTTP Basic Authentication, not a token; it transmits credentials directly rather than a bearer token.

14 · MCQ · medium

In a Cisco DNA Center environment, an application needs to retrieve the network device list using REST API. Which authentication method is required?

A. OAuth 2.0 client credentials grant with client ID and secret
B. Obtain an API token by POSTing credentials to /dna/system/api/v1/auth/token, then use the token in subsequent requests
C. Basic authentication with username and password in the header
D. API key passed in a query parameter
Answer: B

DNA Center uses a token-based authentication; the token is passed in the X-Auth-Token header.

Why this answer

Cisco DNA Center uses token-based authentication. The correct flow is to first send a POST request to the /dna/system/api/v1/auth/token endpoint with a valid username and password (typically using Basic Authentication over HTTPS). The response contains a JSON Web Token (JWT) that must be included in the Authorization header of all subsequent API requests as 'Bearer <token>'.

This token has a configurable expiry (default 60 minutes) and must be refreshed before it expires.

Exam trap

Cisco often tests the distinction between the authentication method used to obtain a token (Basic Auth) versus the method used to authorize subsequent API calls (Bearer token), leading candidates to mistakenly select Basic Authentication for all requests.

How to eliminate wrong answers

Option A is wrong because OAuth 2.0 client credentials grant is not the authentication method used by Cisco DNA Center; DNA Center uses a custom token-based system, not the OAuth 2.0 framework. Option C is wrong because Basic authentication with username and password in the header is only used for the initial token acquisition step, not for subsequent API calls; sending credentials with every request is insecure and not supported by the API. Option D is wrong because API keys passed in query parameters are not used by Cisco DNA Center; the token must be sent in the Authorization header as a Bearer token, not as a query parameter.

15 · MCQ · easy

Which Docker command is used to build an image from a Dockerfile?

A. docker run
B. docker commit
C. docker build
D. docker create
Answer: C

docker build is the correct command to build an image.

Why this answer

The `docker build` command reads the instructions in a Dockerfile and assembles a Docker image layer by layer. Each instruction in the Dockerfile (e.g., FROM, RUN, COPY) creates a new layer that is cached and reused, making subsequent builds faster. This is the standard and only command designed specifically for building images from a Dockerfile.

Exam trap

Cisco often tests the distinction between commands that create containers (`docker run`, `docker create`) and the command that builds images (`docker build`), hoping candidates confuse the purpose of `docker run` with image creation.

How to eliminate wrong answers

Option A is wrong because `docker run` creates and starts a container from an existing image, it does not build a new image. Option B is wrong because `docker commit` creates a new image from a container's current state (filesystem changes), but it is not the intended way to build from a Dockerfile; it bypasses the reproducible, layered build process defined in the Dockerfile. Option D is wrong because `docker create` only creates a container from an image without starting it, and it does not perform any image building.

16 · MCQ · hard

A company runs a microservices application on a Kubernetes cluster with 10 worker nodes. The application consists of 3 services: frontend, backend, and database. The database service is stateful and uses persistent volumes. Recently, the operations team noticed that the backend service is experiencing intermittent failures with 'Connection refused' errors when trying to connect to the database. The database service is exposed via a ClusterIP service named 'database-service'. The backend service uses environment variable DB_HOST=database-service to connect. The pod logs show that the connection is attempted to an IP address that does not correspond to any database pod. Further investigation reveals that the database pod has been restarted multiple times due to OOMKilled errors. The backend service is configured with a liveness probe that checks the health endpoint every 10 seconds, and a readiness probe that checks the same endpoint every 5 seconds. The database pod has resource limits set to 512Mi memory and 500m CPU. The node running the database pod has 4Gi memory and 2 CPU cores. What is the most likely cause of the intermittent connection failures?

A. The backend service is using a hardcoded IP address instead of the service DNS name.
B. The backend service's readiness probe is failing, so it is not receiving traffic, but the backend still tries to connect.
C. The database pod is being killed due to memory limits, causing frequent restarts and temporary unavailability; the backend's connection attempts fail during the restart window.
D. The DNS entry for database-service is cached and pointing to the old pod IP after the database pod restarts.
Answer: C

The OOMKilled errors indicate the database pod exceeds memory limits. When it restarts, there is a brief period of unavailability, causing 'Connection refused' errors.

Why this answer

The intermittent 'Connection refused' errors are caused by the database pod being repeatedly killed due to exceeding its memory limit (512Mi), which triggers OOMKilled restarts. During the restart window, the database pod is unavailable, and the backend's connection attempts to the ClusterIP service (which resolves to the pod's IP) fail because no pod is ready to accept connections. The frequent restarts create a pattern of temporary unavailability that aligns with the observed symptoms.

Exam trap

Cisco often tests the distinction between pod-level failures (like OOMKilled causing restarts) and service-level issues (like DNS caching or readiness probes), leading candidates to incorrectly attribute the problem to DNS or probe misconfiguration instead of the resource constraint causing the database pod to be temporarily unavailable.

How to eliminate wrong answers

Option A is wrong because the backend uses the environment variable DB_HOST=database-service, which resolves via DNS to the ClusterIP of the service, not a hardcoded IP; the pod logs show the connection is attempted to an IP that does not correspond to any database pod, which is consistent with the service's ClusterIP, not a hardcoded address. Option B is wrong because the backend's readiness probe checks its own health endpoint, not the database's; a failing readiness probe would remove the backend from service endpoints but would not cause the backend to attempt connections to an incorrect IP or fail with 'Connection refused' to the database. Option D is wrong because DNS caching for a ClusterIP service resolves to the stable virtual IP of the service, not the pod IP; even if the pod restarts, the service's ClusterIP remains unchanged, and DNS entries are not tied to pod IPs in this context.

17 · MCQ · medium

A network engineer is automating the deployment of a new VLAN across multiple Cisco switches using Ansible. The engineer has written a playbook that uses the ios_vlan module to create VLAN 100 with name 'Users'. The playbook runs successfully on the first switch but fails on the second switch with the error message: 'VLAN name is already in use'. The engineer checks the second switch and confirms that VLAN 100 does not exist, but a different VLAN with the name 'Users' exists. The engineer wants to ensure that the playbook creates VLAN 100 with the exact name 'Users' only if it does not already exist, and without conflicting with existing VLANs. Which approach should the engineer take?

A. Use the ios_vlan module with parameters vlan_id=100 and name='Users' and set state=present. The module will create the VLAN if it does not exist or update the name if it exists with a different name.
B. First use the ios_command module to run 'show vlan name Users' and then conditionally create VLAN 100 if no output is returned.
C. Use the ios_config module to directly apply the configuration 'vlan 100\n name Users' and then use the 'parents' directive to ensure idempotency.
D. Use the ios_vlan module with vlan_id=100 and state=present, but omit the name parameter.
Answer: A

The ios_vlan module idempotently creates or updates VLAN; it will rename the existing VLAN if needed.

Why this answer

Option A is correct because the `ios_vlan` module with `state=present` is idempotent: if VLAN 100 does not exist, it creates it with the specified name; if VLAN 100 exists but has a different name, it updates the name to 'Users'. The module never silently reuses a name that is already assigned to another VLAN ID; in that case it fails with the observed error. Since the engineer's goal is to create VLAN 100 with the name 'Users' only if it does not already exist, the correct approach is to rely on the module's built-in idempotency to create or update VLAN 100 by ID, and to handle the name conflict on the second switch separately rather than adding ad-hoc checks.

Exam trap

Cisco often tests the misconception that omitting the `name` parameter or using raw config modules like `ios_config` can bypass name conflicts. The actual trap is that the `ios_vlan` module's idempotency only applies to the VLAN ID; it cannot resolve a conflict where a different VLAN ID already owns the desired name. The correct answer is therefore to rely on the module's default behavior of creating or updating the VLAN by ID, which fails gracefully if the name is taken and prompts the engineer to handle the conflict separately.

How to eliminate wrong answers

Option B is wrong because running `show vlan name Users` through `ios_command` returns output even when the name exists on a different VLAN, so the conditional logic would still have to handle the name conflict; this approach adds unnecessary complexity, does not leverage Ansible's idempotent modules, and would still fail if the name is in use by another VLAN. Option C is wrong because the `ios_config` module with the `parents` directive applies raw configuration lines and does not check for name conflicts; applying `vlan 100` followed by `name Users` would fail with the same 'VLAN name is already in use' error if the name is already assigned to a different VLAN, and the `parents` directive provides no idempotency for VLAN name uniqueness. Option D is wrong because omitting the `name` parameter would create VLAN 100 with a default name (e.g., 'VLAN0100') or leave it unnamed, which does not satisfy the requirement to assign the exact name 'Users'; it also does not address the conflict with the existing VLAN that already uses the name 'Users'.

18
MCQhard

An application running on Kubernetes is experiencing intermittent 503 errors. The logs show 'upstream timed out'. The application is behind a Cisco Application Policy Infrastructure Controller (APIC) load balancer. What is the most likely cause?

A.The service port is misconfigured
B.The Readiness probe is not defined
C.The Liveness probe timeout is too low
D.The pod is not ready
AnswerB

Without Readiness probe, the service may send traffic to unready pods causing timeouts.

Why this answer

The 'upstream timed out' error in a Kubernetes environment behind a Cisco APIC load balancer indicates that the load balancer is attempting to forward traffic to a pod that is not ready to accept connections. Without a Readiness probe, Kubernetes assumes the pod is ready as soon as it starts, but the application may still be initializing or unable to handle requests. The APIC load balancer then sends traffic to an unready pod, causing timeouts and 503 errors.

Exam trap

Cisco often tests the distinction between Readiness and Liveness probes, where candidates mistakenly associate 'upstream timed out' with Liveness probe failures, but the correct focus is on traffic routing via Readiness probes.

How to eliminate wrong answers

Option A is wrong because a misconfigured service port would typically cause persistent connectivity failures (e.g., connection refused or no route to host), not intermittent 503 errors with 'upstream timed out' logs. Option C is wrong because the Liveness probe determines when to restart a container, not when to include it in the load balancer pool; a low Liveness probe timeout would cause pod restarts, not upstream timeouts. Option D is wrong because 'the pod is not ready' is a symptom, not the root cause; the underlying issue is the absence of a Readiness probe that would prevent the pod from receiving traffic until it is truly ready.

19
MCQhard

Refer to the exhibit. A Meraki network has a group policy 'Block Social Media' that references a content filtering rule. The policy is applied to VLAN 1. Users in that VLAN cannot access instagram.com but can access facebook.com. What is the most likely reason?

A.The content filtering rule blocks only a specific set of URLs, but not all social media sites.
B.The group policy is not applied to the VLAN.
C.The blocked URL patterns list does not include all social media sites.
D.The content filtering is not enabled on the MX appliance.
AnswerC

The blocked list likely contains patterns for instagram but not facebook, so users can access facebook.

Why this answer

Option C is correct because the group policy 'Block Social Media' references a content filtering rule that likely uses a predefined or custom URL category list. If the rule blocks only specific URL patterns (e.g., 'instagram.com') but does not include all social media sites (e.g., 'facebook.com'), then users can still access unblocked sites. Meraki content filtering operates on URL category matching or explicit URL pattern lists; if the list is incomplete, the policy will not block all intended sites.

Exam trap

Cisco often tests the distinction between a policy being applied (which is true here) and the rule's scope being incomplete, tempting candidates to blame the policy application or appliance configuration rather than the rule's content.

How to eliminate wrong answers

Option A is wrong because it describes the symptom (blocking only a specific set of URLs) rather than the root cause; the question asks for the most likely reason, which is that the blocked URL patterns list does not include all social media sites, not merely that the rule blocks a specific set. Option B is wrong because the scenario explicitly states the policy is applied to VLAN 1, and users cannot access instagram.com, proving the policy is active; if it were not applied, no blocking would occur. Option D is wrong because content filtering must be enabled for any blocking to occur; since instagram.com is blocked, content filtering is clearly enabled on the MX appliance.

20
MCQmedium

Refer to the exhibit. During a rolling update, a developer notices that the new pods are not passing the readiness probe and the update stalls. What is the most likely reason?

A.The rolling update strategy is configured incorrectly with maxUnavailable and maxSurge.
B.The readiness probe path /health is not implemented in the new image.
C.The image tag is incorrect.
D.The selector does not match the new pods' labels.
AnswerB

If the endpoint is missing, the probe fails and pods remain not ready.

Why this answer

The rolling update stalls because the new pods fail the readiness probe. The readiness probe is configured to check the /health endpoint, and if that endpoint is not implemented in the new image, the probe never returns a success status. Kubernetes will not route traffic to pods that fail the readiness probe, and the rolling update will not proceed to replace old pods until the new ones are ready.

Exam trap

Cisco often tests the distinction between readiness and liveness probes, and the trap here is that candidates may confuse a readiness probe failure with a liveness probe failure or assume the issue is with the rolling update strategy configuration rather than the application endpoint not being implemented.

How to eliminate wrong answers

Option A is wrong because maxUnavailable and maxSurge control the speed and number of pods updated, but they do not cause a stall due to probe failure; they would only affect how many pods are updated at once. Option C is wrong because an incorrect image tag would cause an ImagePullBackOff or ErrImagePull, not a readiness probe failure; the pod would never reach the running state. Option D is wrong because if the selector did not match the new pods' labels, the new pods would not be part of the ReplicaSet or Service, and the update would not even create them under the same selector; the issue is specifically with the readiness check, not label matching.

21
MCQhard

An application running in a Kubernetes pod needs to access an external database securely. The database credentials are rotated every 24 hours. Which approach ensures that the pod always uses the current credentials without manual intervention?

A.Embed a token in the application code that refreshes automatically.
B.Use a Secrets Store CSI driver to mount secrets from an external vault as a volume.
C.Store credentials in a Kubernetes Secret and mount as volume; restart pod daily.
D.Use a sidecar container that watches a vault and updates the application config.
AnswerB

Dynamically updates secrets without pod restart.

Why this answer

Option B is correct because a Secrets Store CSI driver can dynamically mount secrets from an external vault, and the application can read the updated secret from the volume without restarting the pod. Option C is incorrect because restarting the pod daily is disruptive. Option D is valid, but the CSI driver is more integrated and standard.

Option A is not a specific solution.

22
Multi-Selecteasy

Which TWO of the following are best practices for securely managing API tokens in a CI/CD pipeline?

Select 2 answers
A.Store tokens as plain text in the source code repository for easy access.
B.Hardcode tokens into the Docker image during build.
C.Use environment variables injected by the CI/CD system (e.g., Jenkins secrets).
D.Encrypt tokens with a static key stored in the repository.
E.Use a secrets management service like HashiCorp Vault to retrieve tokens at runtime.
AnswersC, E

CI/CD systems can securely inject tokens as environment variables without storing them in code.

Why this answer

Options C and E are correct because injecting tokens via CI/CD environment variables (C) and using a secrets management service such as HashiCorp Vault (E) are secure methods. Storing tokens in source code (A) or Docker images (B) is insecure, and encrypting with a static key kept in the repository (D) is also vulnerable.

23
MCQeasy

A network engineer runs an Ansible playbook to backup a Cisco router configuration. The playbook fails with the error: 'ssh: connect to host 192.168.1.1 port 22: Connection timed out'. What is the most likely cause?

A.The router's IP address is unreachable from the control node.
B.The playbook uses the incorrect gather_facts setting.
C.The SSH key is not authorized on the router.
D.The router does not have SSH enabled.
AnswerA

A connection timeout typically means the host is not reachable, often due to network issues or incorrect IP.

Why this answer

The error 'Connection timed out' indicates that the control node sent a TCP SYN to 192.168.1.1 on port 22 but never received a SYN-ACK response. This occurs when the destination IP is unreachable due to routing issues, a firewall dropping packets, or the host being offline. Since Ansible uses SSH to connect to network devices, a timeout at the transport layer points directly to network reachability problems, not authentication or service configuration.

Exam trap

Cisco often tests the distinction between 'Connection timed out' (network unreachable) and 'Connection refused' (service not listening) to trap candidates who confuse SSH service availability with network connectivity.

How to eliminate wrong answers

Option B is wrong because the gather_facts setting controls whether Ansible collects system information before running tasks; it does not affect TCP connectivity or SSH transport. Option C is wrong because an unauthorized SSH key would produce a 'Permission denied' error, not a connection timeout. Option D is wrong because if SSH were not enabled on the router, the control node would receive a 'Connection refused' (RST) response, not a timeout.

24
MCQhard

A microservice application uses JWT for authentication. The JWT is signed with RS256. Which practice ensures that the public key used for verification is securely distributed to all services?

A.Include the public key in the JWT header.
B.Embed the public key in each service's source code.
C.Use a public key infrastructure (PKI) and distribute via HTTPS.
D.Store the public key in a Kubernetes ConfigMap and mount it into pods.
AnswerD

Standard method for distributing configuration in Kubernetes.

Why this answer

Option D is correct because Kubernetes ConfigMaps allow you to decouple configuration artifacts like public keys from container images, enabling secure, centralized distribution. Mounting the ConfigMap into pods ensures that all microservice instances can access the same public key without embedding it in source code or relying on external PKI for every verification. This approach aligns with cloud-native best practices for managing secrets and configuration in a microservice architecture.

Exam trap

Cisco often tests the misconception that PKI is always required for secure key distribution, but in a microservice environment with a static public key, a simpler configuration management approach (like Kubernetes ConfigMaps) is more practical and aligns with DevOps principles.

How to eliminate wrong answers

Option A is wrong because including the public key in the JWT header (e.g., in the 'jwk' header parameter) would allow an attacker to replace the key and forge tokens, defeating the purpose of signature verification. Option B is wrong because embedding the public key in each service's source code creates a maintenance nightmare, requires redeployment to update the key, and violates the principle of separating configuration from code. Option C is wrong because while PKI and HTTPS distribution are secure, they introduce unnecessary complexity for a static public key; in a microservice environment, the key is typically long-lived and can be distributed more simply via a shared configuration mechanism like ConfigMaps, without the overhead of certificate authorities and revocation checks.

25
MCQeasy

A developer needs to securely store API keys for use in a CI/CD pipeline. Which best practice should be followed?

A.Share the keys via email to the team.
B.Hardcode the keys in the source code.
C.Use built-in pipeline secrets or environment variables.
D.Store the keys in a JSON file committed to the repository.
AnswerC

Pipeline secrets are encrypted and not exposed in logs, providing secure storage.

Why this answer

Option C is correct because CI/CD platforms (e.g., Jenkins, GitLab CI, GitHub Actions) provide built-in mechanisms to store secrets as encrypted environment variables or pipeline secrets. These values are masked in logs and never exposed in source code, ensuring API keys remain confidential throughout the pipeline execution.

Exam trap

Cisco often tests the misconception that storing secrets in a separate configuration file (like a JSON or .env file) is acceptable as long as it is not committed, but the trap is that any file-based storage in the repository—even if ignored—risks accidental exposure, whereas pipeline secrets are designed specifically for secure injection without file persistence.

How to eliminate wrong answers

Option A is wrong because sharing keys via email exposes them in transit and at rest in mail servers, violating security best practices and potentially leading to unauthorized access. Option B is wrong because hardcoding keys in source code embeds them in version control history, making them accessible to anyone with repository access and violating the principle of not storing secrets in code. Option D is wrong because committing a JSON file with keys to the repository stores secrets in plaintext in version control, which can be easily read by anyone with access to the repository history.

26
MCQhard

Refer to the exhibit. What is the most effective action to eliminate both vulnerabilities in the container image?

A.Rebuild the image using the same base image but update the OS packages.
B.Add a .dockerignore file to exclude vulnerable libraries.
C.Only run the container with read-only root filesystem.
D.Switch the base image to a distroless base image that does not include openssl and curl.
AnswerD

Removes these libraries entirely, as they are not needed by the application.

Why this answer

Option D is correct because switching to a distroless base image removes unnecessary packages like openssl and curl entirely, eliminating the vulnerabilities they introduce. Distroless images contain only the application and its runtime dependencies, reducing the attack surface by excluding OS package managers and shell utilities that are common sources of CVEs. This approach directly addresses both vulnerabilities by ensuring the vulnerable components are not present in the image at all.

Exam trap

Cisco often tests the misconception that updating packages (Option A) is sufficient, when the real goal is to eliminate the vulnerable components entirely, not just patch them.

How to eliminate wrong answers

Option A is wrong because rebuilding with the same base image and updating OS packages only patches known vulnerabilities but does not remove the packages themselves; future vulnerabilities in those packages would still require updates, and the attack surface remains. Option B is wrong because a .dockerignore file controls which files are sent to the Docker build context, not which packages are installed in the image; it cannot exclude pre-installed libraries like openssl or curl from the base image. Option C is wrong because running the container with a read-only root filesystem prevents writes at runtime but does not remove the vulnerable binaries from the image; an attacker could still exploit the vulnerable openssl or curl processes if they are executed.

27
MCQmedium

A company uses a blue/green deployment strategy for their web application. The current live version is blue, and a new version green is ready. The load balancer currently routes all traffic to blue. What is the correct next step to switch traffic to green with minimal downtime?

A.Scale down blue pods and scale up green
B.Perform a rolling update from blue to green
C.Delete the blue deployment and create green
D.Update the load balancer to route all traffic to green
AnswerD

This switches traffic instantly with minimal downtime.

Why this answer

In a blue/green deployment, the entire new version (green) is deployed alongside the current live version (blue). The correct next step to switch traffic with minimal downtime is to update the load balancer to route all traffic to green. This instant switch avoids the incremental risk of rolling updates and ensures a clean cutover that can be quickly reverted if issues arise.

Exam trap

Cisco often tests the distinction between deployment strategies, and the trap here is confusing a rolling update (which gradually replaces pods) with a blue/green deployment (which switches traffic at the load balancer level), leading candidates to incorrectly select Option B.

How to eliminate wrong answers

Option A is wrong because scaling down blue and scaling up green is a manual, non-atomic process that does not leverage the load balancer's routing capability, potentially causing partial traffic loss or mixed-version serving. Option B is wrong because a rolling update gradually replaces blue pods with green pods, which contradicts the blue/green strategy's goal of maintaining two fully separate environments for instant rollback. Option C is wrong because deleting the blue deployment before creating green would cause downtime, as there is no live environment to serve traffic during the deletion and creation process.

28
Multi-Selectmedium

Which THREE are valid ways to expose ConfigMap data to a pod in Kubernetes?

Select 3 answers
A.As a Kubernetes Secret
B.As environment variables
C.As a container image label
D.As a volume mounted file
E.As a command-line argument
AnswersB, D, E

You can use envFrom or valueFrom to expose as env vars.

Why this answer

Option B is correct because Kubernetes allows ConfigMap data to be exposed as environment variables inside a pod using the `env` or `envFrom` field in the pod spec. This is a common method for injecting configuration into containers without modifying the container image.

Exam trap

Cisco often tests the distinction between ConfigMaps and Secrets, and the trap here is that candidates may confuse the purpose of Secrets (sensitive data) with ConfigMaps (non-sensitive data), or incorrectly assume that container image labels can be dynamically injected from runtime objects.

29
MCQeasy

A developer wants to ensure that a Docker container running a web application can only accept incoming traffic on port 443. Which Docker run option should be used?

A.docker run --port 443 myapp
B.docker run --net host myapp
C.docker run -p 443:443 myapp
D.docker run --expose 443 myapp
AnswerC

-p 443:443 publishes container port 443 to host port 443, allowing external access only on that port.

Why this answer

Option C is correct because the `-p 443:443` flag publishes container port 443 to the host port 443, mapping incoming traffic on the host's port 443 to the container's port 443. This ensures the web application inside the container only accepts incoming traffic on port 443, as the host firewall and Docker's port mapping restrict access to that specific port.

Exam trap

Cisco often tests the distinction between `--expose` (documentation only) and `-p` (actual port publishing), and the trap here is that candidates confuse `--expose` with making a port externally accessible, when in fact it only informs Docker that the container uses that port internally.

How to eliminate wrong answers

Option A is wrong because `--port` is not a valid Docker run flag; the correct flag is `-p` or `--publish`. Option B is wrong because `--net host` makes the container share the host's network stack, exposing all host ports to the container and bypassing Docker's port isolation, which would allow traffic on any port, not just 443. Option D is wrong because `--expose 443` only documents that the container listens on port 443 but does not actually publish the port to the host, so no external traffic can reach the container on that port.

30
MCQmedium

A DevOps team is using Cisco AppDynamics to monitor a microservices application. They notice that a specific service's response time spikes under load. Which AppDynamics feature should be used to drill down into the transaction trace?

A.Health Rules
B.Transaction Snapshots
C.Business Transactions
D.Service Endpoints
AnswerC

Business Transactions are high-level groupings, not individual traces.

Why this answer

Business Transactions in AppDynamics represent the logical business operations (e.g., checkout, login) that span across multiple tiers. When a response time spike occurs, selecting the specific Business Transaction allows you to drill into its Transaction Snapshots, which capture the full distributed trace including call chains, method timings, and database queries. This is the correct entry point for root-cause analysis of performance degradation.

Exam trap

Cisco often tests the distinction between the logical grouping (Business Transactions) and the raw trace data (Transaction Snapshots), trapping candidates who confuse the container with the content.

How to eliminate wrong answers

Option A is wrong because Health Rules are used to define thresholds and trigger alerts or actions (e.g., email, remediation) when metrics deviate, not to drill into transaction traces. Option B is wrong because Transaction Snapshots are the detailed trace data itself, not the feature used to initiate the drill-down; you must first select a Business Transaction to access its snapshots. Option D is wrong because Service Endpoints represent the specific HTTP or API endpoints (e.g., /api/orders) and are a subset of a Business Transaction; they provide endpoint-level metrics but not the full transaction trace across services.

31
MCQmedium

A DevOps team is deploying a microservices application on Cisco UCS using Docker containers. They need to ensure that secrets such as database credentials are securely managed without hardcoding them in the application code or container images. Which approach should they use?

A.Embed secrets directly in the container image using COPY instructions.
B.Pass secrets as build arguments in the Docker build command.
C.Use a secure secret store like HashiCorp Vault and retrieve secrets at runtime via API.
D.Store secrets as environment variables in the Docker Compose file.
AnswerC

A secret store provides dynamic, audited, and encrypted access to secrets without embedding them in code or images.

Why this answer

Option C is correct because it follows the principle of secret management by decoupling sensitive data from application code and container images. HashiCorp Vault provides a centralized, encrypted secret store with dynamic secrets, access policies, and audit logging, allowing the microservices to authenticate and retrieve credentials at runtime via its REST API, eliminating the need to hardcode secrets.

Exam trap

Cisco often tests the misconception that environment variables in Docker Compose or build arguments are secure enough for secrets, but the trap here is that these methods leave secrets exposed in plaintext within the image layers, logs, or runtime environment, whereas a dedicated secret store like Vault provides encryption, rotation, and access control.

How to eliminate wrong answers

Option A is wrong because embedding secrets directly in a container image using COPY instructions bakes them into the image layers, making them accessible to anyone with image pull access and violating security best practices. Option B is wrong because build arguments in the Docker build command are visible in the image history via `docker history` and can be exposed through build logs or cached layers, so they are not secure for secrets. Option D is wrong because storing secrets as environment variables in a Docker Compose file leaves them in plaintext within the file and the container's environment, which can be leaked through logs, debugging, or process inspection, and does not provide encryption or access control.

32
MCQhard

A network administrator is deploying a custom container application on a Cisco Catalyst 9300 switch running IOS XE 16.12. The application is packaged as a .tar file and installed using 'app-hosting install app myapp flash:myapp.tar'. The administrator configures the app-hosting context as follows:

app-hosting app myapp
 app-default-gateway 192.168.1.1
 app-vnic gateway0 guest-interface 0
  guest-ipaddress 192.168.1.10 netmask 255.255.255.0
 app-resource profile custom
  cpu 1000
  memory 2048
  storage 5000

The administrator also creates a virtual port group 'vg0' and assigns it to the management interface. The application fails to start with the error: 'Application failed to start: guest interface not ready'. The administrator verifies that the .tar file is valid, the resources are sufficient, and the gateway is reachable. What is the most likely cause of the failure?

A.The application requires a DHCP server, but the configuration uses a static IP address.
B.The guest-interface is not bound to the virtual port group.
C.The .tar file is corrupt despite appearing valid.
D.The CPU allocation of 1000 units is insufficient for the application.
AnswerB

The virtual port group must be explicitly bound to the app-vnic interface; otherwise, the interface remains 'not ready'.

Why this answer

The error 'guest interface not ready' indicates that the guest-interface (interface 0) is not properly bound to the virtual port group. After creating the virtual port group, the administrator must associate it with the app-vnic using the 'bind' command. Without this binding, the guest interface cannot obtain or use the IP configuration.

33
Multi-Selecteasy

Which THREE are valid methods for managing Kubernetes application configuration?

Select 3 answers
A.Helm values.
B.Secrets.
C.Operator custom resources.
D.Environment variables in the Dockerfile.
E.ConfigMaps.
AnswersA, B, E

Used in Helm charts for template configuration.

Why this answer

Helm values (A) are correct because Helm is a package manager for Kubernetes that uses values.yaml files to inject configuration into templates at deployment time, enabling dynamic, environment-specific application configuration without modifying the underlying chart. This is a standard method for managing Kubernetes application configuration in production workflows.

Exam trap

Cisco often tests the distinction between build-time configuration (Dockerfile ENV) and runtime configuration (ConfigMaps, Secrets, Helm values), trapping candidates who think environment variables in the Dockerfile are a valid runtime management method for Kubernetes.

34
MCQeasy

A developer needs to ensure that microservice A can securely communicate with microservice B over HTTPS within a Kubernetes cluster. What is the simplest approach?

A.Use a Kubernetes Ingress resource with TLS termination for microservice B.
B.Expose microservice B via a LoadBalancer Service and use HTTPS from microservice A.
C.Connect directly using the pod IP of microservice B over HTTP.
D.Create a Kubernetes Service of type ClusterIP for microservice B and configure microservice A to use HTTPS with the service DNS name.
AnswerD

ClusterIP services are internal and can be used with TLS termination within the cluster for secure communication.

Why this answer

Option D is correct because using a ClusterIP Service for microservice B provides a stable DNS name within the cluster, allowing microservice A to communicate over HTTPS without exposing the service externally. This approach leverages Kubernetes' internal service discovery and can be paired with a service mesh or mutual TLS (mTLS) for secure communication, meeting the requirement for simplicity and security.

Exam trap

The trap here is that candidates often assume external-facing components like Ingress or LoadBalancer are required for HTTPS, but Kubernetes internal services can use HTTPS with ClusterIP and proper certificate management, which is simpler and more secure for east-west traffic.

How to eliminate wrong answers

Option A is wrong because an Ingress resource with TLS termination is designed for external traffic entering the cluster, not for internal service-to-service communication within the same cluster, and it adds unnecessary complexity. Option B is wrong because exposing microservice B via a LoadBalancer Service makes it publicly accessible, which is overkill and insecure for internal communication, and it introduces external dependencies. Option C is wrong because connecting directly using the pod IP over HTTP bypasses service abstraction, making the communication insecure (no HTTPS) and brittle, as pod IPs can change on restarts.

35
MCQmedium

A developer is designing an API that needs to support rate limiting per API key. The application is deployed on multiple instances. Which approach ensures consistent rate limiting across all instances?

A.Use a local in-memory counter
B.Use a file-based lock
C.Use environment variables
D.Use a distributed cache like Redis
AnswerD

Redis provides a shared counter accessible from all instances.

Why this answer

Option D is correct because a distributed cache like Redis provides a shared, atomic counter that all application instances can read and increment, ensuring consistent rate limiting across a multi-instance deployment. Redis supports atomic operations like INCR and EXPIRE, which are essential for implementing sliding window or token bucket algorithms without race conditions.

Exam trap

Cisco often tests the misconception that local counters or environment variables can be used for distributed state, when in fact they lack the shared, atomic, and persistent storage required for multi-instance rate limiting.

How to eliminate wrong answers

Option A is wrong because a local in-memory counter is per-instance and cannot synchronize across multiple instances, leading to inconsistent rate limits. Option B is wrong because a file-based lock introduces severe performance bottlenecks and is not designed for high-throughput distributed systems; it also fails to provide atomic counters. Option C is wrong because environment variables are static configuration values and cannot be dynamically updated or shared across instances to track real-time request counts.

36
MCQeasy

Refer to the exhibit. The Docker image built from this Dockerfile is larger than expected. Which optimization should be recommended?

A.Use a smaller base image like python:3.9-alpine.
B.Combine RUN and COPY layers to reduce layers.
C.Remove the EXPOSE instruction.
D.Use a multi-stage build.
AnswerD

Multi-stage builds allow copying only necessary artifacts, significantly reducing the final image size.

Why this answer

Multi-stage builds allow you to use multiple FROM statements in your Dockerfile. You can compile or install dependencies in an intermediate stage using a full-featured base image, then copy only the necessary artifacts (e.g., compiled code, libraries) into a final, minimal runtime image. This dramatically reduces the final image size by discarding build tools, temporary files, and unnecessary layers from the earlier stages.

Exam trap

Cisco often tests the misconception that reducing the number of layers (Option B) or using a smaller base image (Option A) is the primary way to shrink image size, when in fact multi-stage builds are the correct, targeted solution for removing build-time artifacts that inflate the final image.

How to eliminate wrong answers

Option A is wrong because while using a smaller base image like python:3.9-alpine can reduce image size, it is not always the best optimization when the image is larger than expected due to leftover build artifacts or unnecessary dependencies; the question specifically asks for an optimization to address an unexpectedly large image, and multi-stage builds are the standard solution for removing build-time cruft. Option B is wrong because combining RUN and COPY layers does not inherently reduce the final image size; Docker layers are cached and combining them can actually break caching and increase rebuild time, and the size issue is typically caused by including unnecessary files, not by the number of layers. Option C is wrong because the EXPOSE instruction is purely documentation; it does not add any data to the image or affect its size, so removing it has zero impact on image size.

37
MCQhard

An organization uses a private Docker registry with TLS. A developer attempts to pull an image and receives the error: "x509: certificate signed by unknown authority". What is the most likely cause and solution?

A.Add the CA certificate to the client's trust store
B.Use the registry's IP address instead of hostname
C.Disable TLS verification on the client
D.Use HTTP instead of HTTPS
AnswerA

This establishes trust in the registry's certificate.

Why this answer

The error 'x509: certificate signed by unknown authority' occurs because the Docker client does not recognize the certificate authority (CA) that signed the registry's TLS certificate. The correct solution is to add the CA certificate to the client's trust store, typically by placing it in /etc/docker/certs.d/<registry_hostname>:<port>/ca.crt on Linux or the equivalent Docker certs directory on other platforms. This allows the Docker daemon to validate the registry's certificate during the TLS handshake.

Exam trap

The trap here is that candidates may confuse a certificate trust issue with a hostname mismatch or think disabling TLS is an acceptable workaround, but Cisco specifically tests the understanding that the correct enterprise-grade fix is to trust the CA, not to weaken security.

How to eliminate wrong answers

Option B is wrong because using the registry's IP address instead of hostname does not resolve a certificate trust issue; it may cause a hostname mismatch error if the certificate is issued to a specific hostname, but the root cause is the untrusted CA, not the address format. Option C is wrong because disabling TLS verification (e.g., setting 'insecure-registries' in Docker daemon config) bypasses security entirely and is not a best practice; it exposes the connection to man-in-the-middle attacks and is not the intended fix for a missing CA certificate. Option D is wrong because using HTTP instead of HTTPS would eliminate TLS entirely, but the registry is configured with TLS and likely rejects plain HTTP connections; this also compromises security and does not address the trust issue.

38
MCQeasy

A DevOps engineer wants to automate the configuration of network devices using Ansible. Which file format is commonly used for Ansible playbooks?

A.INI
B.YAML
C.XML
D.JSON
AnswerB

Ansible playbooks are written in YAML, which is human-readable and easy to parse.

Why this answer

Ansible playbooks are written in YAML (YAML Ain't Markup Language) because YAML is human-readable, supports complex data structures like lists and dictionaries, and is designed for configuration files. YAML's indentation-based syntax aligns with Ansible's declarative automation model, making it the default and recommended format for defining tasks, variables, and handlers in playbooks.

Exam trap

Cisco often tests the distinction between Ansible inventory files (which can use INI or YAML) and playbook files (which exclusively use YAML), causing candidates to incorrectly associate INI with playbooks.

How to eliminate wrong answers

Option A is wrong because INI files are used for Ansible inventory definitions (e.g., listing hosts and groups), not for playbooks; playbooks require a structured format that supports sequences and mappings, which INI lacks. Option C is wrong because XML is verbose, less human-readable, and not natively supported by Ansible for playbooks; Ansible uses YAML for its simplicity and readability. Option D is wrong because JSON, while valid for some Ansible configurations (e.g., dynamic inventory scripts), is not the standard format for playbooks; YAML is preferred for its cleaner syntax and reduced boilerplate.

39
MCQeasy

A developer is deploying a microservice to a Kubernetes cluster. The application needs to read a database password securely without hardcoding it in the image. Which Kubernetes resource should be used?

A.ConfigMap
B.ServiceAccount
C.PersistentVolume
D.Secret
AnswerD

Secret is designed for sensitive data like passwords.

Why this answer

Option D (Secret) is correct because Kubernetes Secrets are specifically designed to store sensitive data such as database passwords, API keys, and certificates. They can be mounted as files or injected as environment variables into pods, ensuring the password is never hardcoded in the container image. Secrets are base64-encoded and can be encrypted at rest using etcd encryption or external KMS providers, providing a secure mechanism for managing credentials.

Exam trap

Cisco often tests the distinction between ConfigMaps and Secrets, trapping candidates who assume that base64 encoding provides security or that ConfigMaps can safely store passwords because they are 'just configuration.'

How to eliminate wrong answers

Option A is wrong because ConfigMaps are intended for non-sensitive configuration data (e.g., plain text settings) and do not provide encryption or access control for secrets; storing a password in a ConfigMap would expose it in plaintext. Option B is wrong because a ServiceAccount is an identity for pods to authenticate to the Kubernetes API server, not a resource for storing secret data like passwords. Option C is wrong because a PersistentVolume is used for persistent storage of application data (e.g., files, databases) and has no mechanism for securely storing or injecting credentials into a pod.

40
MCQeasy

Refer to the exhibit. An engineer applied this configuration to a Cisco switch port connected to an application server. The server runs a critical business application that should not be disrupted. However, after applying the configuration, the port goes into errdisable state. What is the most likely cause?

A.The VLAN 10 does not exist on the switch.
B.The spanning-tree portfast command is incompatible with access ports.
C.The switchport mode access command is incorrect for a server connection.
D.The server is generating BPDU frames, triggering BPDU guard.
AnswerD

BPDU guard errdisables a port if it receives a BPDU, which can happen if the server runs STP or is connected to another switch.

Why this answer

The correct answer is D because BPDU guard is enabled on the switch port (implicitly or explicitly via spanning-tree bpduguard enable). When the application server sends BPDU frames—perhaps because it is running a software bridge, virtualization host, or has a misconfigured NIC—the switch detects these frames on a port configured with portfast and immediately errdisables the port to prevent a potential bridging loop. This matches the symptom of the port going into errdisable state after applying the configuration.

Exam trap

Cisco often tests the misconception that BPDU guard is only for trunk ports or that PortFast is incompatible with access ports, but the trap here is that candidates overlook how a server can generate BPDU frames (e.g., from a virtual switch or bridging software) and that BPDU guard on an access port will errdisable it.

How to eliminate wrong answers

Option A is wrong because a non-existent VLAN would cause the port to remain in a down or inactive state, not errdisable; the switch would still allow the port to be administratively up but traffic would not pass. Option B is wrong because spanning-tree portfast is specifically designed for access ports (and edge ports) to bypass the listening/learning states; it is fully compatible and commonly used on server-facing access ports. Option C is wrong because switchport mode access is correct for a server connection that belongs to a single VLAN; it is not inherently incorrect and would not cause errdisable by itself.

41
Multi-Selectmedium

A company is implementing an API gateway for its microservices. Which TWO security features should be enabled at the gateway to protect backend services?

Select 2 answers
A.In-depth packet inspection.
B.Database connection pooling.
C.JWT validation.
D.CORS configuration.
E.Rate limiting.
AnswersC, E

Authenticates API requests.

Why this answer

JWT validation at the API gateway ensures that only requests with valid, unexpired, and properly signed JSON Web Tokens are forwarded to backend microservices. This offloads authentication and token verification from individual services, enforcing a consistent security boundary and preventing unauthorized access.

Exam trap

Cisco often tests the distinction between security features that protect the API layer (JWT validation, rate limiting) versus network-level or backend-specific features (DPI, connection pooling), leading candidates to confuse operational optimizations with security controls.
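
The two gateway controls chosen in question 41 are easiest to understand as code. The block below is an added example written for this page; it is not code from the original question bank or from any API gateway product. It assumes HS256 tokens with a key shared between issuer and gateway and a constructed issuer URL (production gateways usually verify RS256/ES256 against the issuer's published public keys); the client id used for rate limiting is taken from the token's `sub` claim.

```python
"""Gateway-side JWT validation and per-client rate limiting (constructed example)."""
import base64
import hashlib
import hmac
import json

ISSUER = "https://issuer.example"   # assumed issuer URL, not from the original page


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, key: bytes) -> str:
    """Issuer side: produce an HS256 JWT (used here only to build sample tokens)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


class TokenError(Exception):
    pass


def verify_jwt(token: str, key: bytes, now: float) -> dict:
    """Gateway side: pinned algorithm, signature, issuer and expiry must all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")   # never let the token choose the algorithm
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if not isinstance(claims, dict) or claims.get("iss") != ISSUER:
        raise TokenError("wrong issuer")
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise TokenError("expired or missing exp")
    if "sub" not in claims:
        raise TokenError("missing sub")
    return claims


class TokenBucket:
    """Per-client token bucket: `capacity` requests of burst, `refill_per_sec` sustained."""
    def __init__(self, capacity: int, refill_per_sec: float):
        self.capacity, self.refill = capacity, refill_per_sec
        self._state = {}   # client -> (tokens, last_seen)

    def allow(self, client: str, now: float) -> bool:
        tokens, last = self._state.get(client, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        ok = tokens >= 1
        self._state[client] = (tokens - 1 if ok else tokens, now)
        return ok


class Gateway:
    def __init__(self, key: bytes, capacity: int = 5, refill_per_sec: float = 1.0):
        self.key = key
        self.bucket = TokenBucket(capacity, refill_per_sec)

    def handle(self, headers: dict, now: float):
        """Return (status, reason); only a 200 would be forwarded to a backend service."""
        auth = headers.get("Authorization", "")
        if not auth.startswith("Bearer "):
            return 401, "missing bearer token"
        try:
            claims = verify_jwt(auth[len("Bearer "):], self.key, now)
        except TokenError as err:
            return 401, str(err)
        except ValueError:          # bad base64, bad JSON or bad UTF-8 in the token
            return 401, "undecodable token"
        if not self.bucket.allow(claims["sub"], now):
            return 429, "rate limited"
        return 200, f"forward as {claims['sub']}"
```

Note the order of checks: the token is validated before the bucket is charged, so an unauthenticated flood cannot exhaust a legitimate client's quota, and the algorithm is pinned before the signature is examined, so a token that declares `alg: none` is rejected without ever reaching the HMAC comparison.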

42
Multi-Selectmedium

A developer is deploying a containerized application using Docker Compose. Which TWO statements about Docker Compose are correct?

Select 2 answers
A.Docker Compose can only be used with swarm mode.
B.Services in a compose file can be scaled using the docker-compose scale command.
C.The docker-compose up command builds, (re)creates, starts, and attaches to containers for a service.
D.Docker Compose is used to define and run multi-container Docker applications.
E.Docker Compose files are written in JSON format only.
AnswersC, D

This is the behavior of docker-compose up.

Why this answer

Option C is correct because `docker-compose up` is the primary command that builds images if needed, (re)creates containers, starts them, and attaches to their output. This behavior is documented in the Docker Compose CLI reference and is fundamental to how Compose orchestrates multi-service deployments.

Exam trap

Cisco often tests the misconception that Docker Compose is only for swarm mode or that it requires JSON files, when in fact it works standalone and uses YAML as its native format.

43
MCQeasy

A company uses Cisco Meraki APs and an internal web application hosted on AWS. The application stores customer payment data. The security team discovers that sensitive application logs are being transmitted in plaintext over the network to the SIEM. The DevOps team wants to improve security without changing the application code because it is proprietary and cannot be modified. Which solution should be recommended?

A.Modify the application to send logs via syslog over TLS
B.Enable HTTPS on the SIEM receiver to ensure logs are encrypted during transmission
C.Enable TLS on the web application to encrypt data in transit
D.Set up a site-to-site VPN between the Meraki network and AWS to encrypt all traffic, including logs
AnswerD

VPN encrypts all traffic between networks without modifying applications.

Why this answer

Option D is correct because a site-to-site VPN between the Meraki network and AWS encrypts all traffic traversing the link, including the sensitive application logs sent to the SIEM, without requiring any changes to the proprietary application code. This solution operates at the network layer, ensuring that even if the application transmits logs in plaintext, the entire payload is encrypted by the VPN tunnel. Meraki Auto VPN and AWS VPN Gateway can establish an IPsec tunnel, providing confidentiality for all data in transit between the on-premises network and the AWS VPC.

Exam trap

Cisco often tests the distinction between application-layer encryption (e.g., TLS/HTTPS) and network-layer encryption (e.g., VPN), leading candidates to mistakenly choose options that encrypt the wrong traffic or require code changes, when the correct answer is a network-level solution that secures all traffic without modifying the application.

How to eliminate wrong answers

Option A is wrong because modifying the application to send logs via syslog over TLS requires changing the application code, which the DevOps team explicitly cannot do due to the proprietary nature of the application. Option B is wrong because enabling HTTPS on the SIEM receiver only secures the SIEM's web interface; it does not encrypt the log transmission from the application to the SIEM, as the logs are still sent in plaintext over the network. Option C is wrong because enabling TLS on the web application encrypts data between clients and the web server, but the sensitive logs are generated and transmitted by the application server to the SIEM, not during web client interactions; this does not address the log transmission issue.

44
MCQeasy

A team is deploying a new microservice on Cisco Container Platform. The microservice needs to access a database hosted on a separate VM. The security policy requires that only the microservice can communicate with the database, and all traffic must be encrypted. The team is using Kubernetes network policies and mutual TLS. During testing, the microservice cannot reach the database. The database team reports that the database is reachable from other services. What is the most likely cause?

A.A Kubernetes NetworkPolicy is blocking egress from the microservice pod to the database IP
B.The database server is not listening on the expected port
C.The mutual TLS certificates are expired or not trusted
D.The Istio sidecar proxy is misconfigured and rejecting traffic due to a missing ServiceEntry
AnswerA

Network policies can restrict traffic; a default deny or misconfigured policy could block the connection.

Why this answer

The most likely cause is that a Kubernetes NetworkPolicy is blocking egress from the microservice pod to the database IP. Since the database is reachable from other services, the issue is specific to the microservice pod's network access. A NetworkPolicy that selects the microservice pod for egress but does not explicitly allow traffic to the database IP denies that traffic by default, preventing the microservice from reaching the database even though the database itself is operational.

Exam trap

Cisco often tests the default-deny behavior of Kubernetes NetworkPolicy, where candidates mistakenly assume that no policy means all traffic is allowed, but the trap is that once a policy selects a pod, all unallowed traffic is implicitly denied, including egress to external IPs.

How to eliminate wrong answers

Option B is wrong because the database is reachable from other services, indicating it is listening on the expected port. Option C is wrong because mutual TLS certificate issues would typically cause authentication failures or connection resets, not a complete inability to reach the database (the microservice would still establish a TCP connection). Option D is wrong because Istio sidecar proxy misconfiguration or a missing ServiceEntry would affect service mesh routing, but the question states the team is using Kubernetes network policies and mutual TLS, not explicitly Istio; moreover, a missing ServiceEntry would cause traffic to be rejected at the proxy level, but the core issue is network-level egress blocking, which is more directly addressed by NetworkPolicy.

45
MCQhard

A developer is using a Dockerfile to build an image. The image must be based on a minimal Linux distribution to reduce attack surface. Which base image should be used?

A.alpine:latest
B.ubuntu:latest
C.debian:latest
D.centos:latest
AnswerA

Alpine is a minimal distribution (~5 MB) ideal for security.

Why this answer

Alpine Linux is a minimal Linux distribution designed for security, simplicity, and resource efficiency. Its base image is typically around 5 MB, significantly reducing the attack surface compared to full-featured distributions like Ubuntu, Debian, or CentOS. This makes it the ideal choice for minimizing vulnerabilities in containerized applications.

Exam trap

Cisco often tests the concept that 'minimal' means fewer packages and smaller size, not just a different package manager, and the trap here is that candidates may choose a familiar distribution like Ubuntu or CentOS without considering the attack surface implications of a bloated base image.

How to eliminate wrong answers

Option B (ubuntu:latest) is wrong because Ubuntu includes a large set of pre-installed packages and libraries, resulting in a much larger image size (hundreds of MB) and a broader attack surface. Option C (debian:latest) is wrong because Debian, while stable, also ships with many default utilities and libraries that increase the image footprint and potential vulnerabilities. Option D (centos:latest) is wrong because CentOS, based on RHEL, includes a full userland and package manager, leading to a larger image and unnecessary components that expand the attack surface.

46
Multi-Selecthard

A company is implementing a secure CI/CD pipeline. Which THREE practices are essential for securing the pipeline?

Select 3 answers
A.Sign and verify all build artifacts.
B.Allow all container images to be pulled from any public registry.
C.Store secrets (API keys, passwords) in version control.
D.Implement role-based access control (RBAC) on the CI/CD system.
E.Use static application security testing (SAST) tools in the build stage.
AnswersA, D, E

Signing ensures artifacts are not tampered with.

Why this answer

Signing and verifying build artifacts ensures integrity and authenticity, preventing tampered artifacts from being deployed. This is a core supply chain security practice, often implemented using tools like GPG or Sigstore (Cosign) to generate and validate cryptographic signatures. Without verification, an attacker could inject malicious code into the pipeline by replacing a signed artifact with a compromised one.

Exam trap

Cisco often tests the misconception that 'allowing any public registry' is acceptable for speed or convenience, but the correct practice is to restrict registries to trusted, scanned sources to prevent supply chain attacks.

47
Multi-Selecthard

A network automation script using NX-API on a Nexus switch fails intermittently with HTTP 500 errors. Which two troubleshooting steps are most effective in diagnosing the issue? (Choose two.)

Select 2 answers
A.Check the length of the JSON payload sent to the API.
B.Ensure the switch is running NX-OS version 9.3(1) or later.
C.Enable NX-API debugging on the switch to capture detailed logs.
D.Verify that the NX-API sandbox feature is enabled and running.
E.Use HTTP instead of HTTPS for the API requests.
AnswersC, D

Debug logs help identify the exact failure point.

Why this answer

Option C is correct because enabling NX-API debugging on the switch (using the 'debug nxapi' command) captures detailed logs of API requests and responses, including HTTP 500 error details. This allows you to pinpoint the root cause, such as malformed payloads, internal server errors, or resource exhaustion. Without debugging, the generic 500 error provides no insight into the specific failure.

Exam trap

Cisco often tests the misconception that HTTP 500 errors are always client-side issues (like payload size) or can be fixed by changing protocols, when in fact they require server-side debugging to diagnose internal failures.

48
Multi-Selectmedium

Which TWO of the following are recommended practices for securing a CI/CD pipeline in a DevOps environment? (Choose two.)

Select 2 answers
A.Store secrets and credentials in a secure vault and inject them at runtime
B.Grant all developers write access to the production environment to enable faster fixes
C.Deploy code to production first, then run security tests to check for issues
D.Scan container images for known vulnerabilities as part of the build pipeline
E.Use the same API token for all pipeline stages to simplify authentication
AnswersA, D

Keeps secrets out of source code and build logs.

Why this answer

Option A is correct because storing secrets (e.g., API keys, database passwords) in a secure vault (like HashiCorp Vault or AWS Secrets Manager) and injecting them at runtime prevents hard-coded credentials in source code or configuration files. This follows the principle of least privilege and ensures that secrets are never exposed in logs, version control, or build artifacts, which is a fundamental security practice for CI/CD pipelines.

Exam trap

Cisco often tests the misconception that security testing can be deferred to post-production (Option C) or that shared credentials simplify management (Option E), but the correct answers emphasize proactive security (scanning early) and credential isolation (vault injection).

49
MCQeasy

A developer is deploying a containerized application to a Kubernetes cluster. To ensure that the application can securely access a third-party API, what is the best practice for storing the API key?

A.Store it as a Kubernetes Secret and mount it as an environment variable.
B.Hardcode the API key in the Docker image.
C.Use a service account token.
D.Store it in a ConfigMap and reference it from the pod.
AnswerA

Correct approach for sensitive data.

Why this answer

Option A is correct because Kubernetes Secrets are designed for sensitive data and can be mounted as environment variables. Option B is insecure because hardcoding keys in images exposes them. Option D is incorrect because ConfigMaps are for non-sensitive data.

Option C is incorrect because service account tokens are for cluster authentication, not external APIs.

50
MCQhard

A Kubernetes cluster is configured with a NetworkPolicy that allows ingress traffic only from pods with label 'app: frontend'. A new backend service needs to communicate with the database pod. What must be done to allow this?

A.Delete the existing NetworkPolicy
B.Add label 'app: backend' to the database pod
C.Modify the NetworkPolicy to include an additional rule allowing from pods with label 'app: backend'
D.Create a new NetworkPolicy for the database
AnswerA

Deleting the policy would remove all restrictions, which is less secure and not best practice.

Why this answer

Option A is correct because the existing NetworkPolicy explicitly restricts ingress traffic to only pods with the label 'app: frontend'. Since the new backend service does not have this label, its traffic will be blocked by the policy. Deleting the NetworkPolicy removes all ingress restrictions, allowing the backend service to communicate with the database pod.

In Kubernetes, NetworkPolicies are additive and default-deny if any policy selects the pod, so removing the policy is the simplest way to permit all ingress traffic.

Exam trap

The trap here is that candidates assume you must always modify or add policies to allow new traffic, but Cisco tests whether you understand that deleting a restrictive NetworkPolicy is a valid (though less secure) method to permit all traffic, especially when the question does not specify a security requirement.

How to eliminate wrong answers

Option B is wrong because adding the label 'app: backend' to the database pod does not change the source of traffic; the NetworkPolicy filters based on the source pod's labels, not the destination pod's labels. Option C is wrong because modifying the NetworkPolicy to include an additional rule for pods with label 'app: backend' would allow the backend service to reach the database, but this is not the only correct approach; the question asks 'what must be done', and deleting the policy is a valid and simpler solution, but the answer explicitly marks A as correct, so C is not the required action. Option D is wrong because creating a new NetworkPolicy for the database does not override the existing policy; Kubernetes NetworkPolicies are additive, so the existing policy would still block traffic from pods without the 'app: frontend' label, and the new policy would only add additional rules, not remove the restriction.
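
Questions 44 and 50 both turn on the same rule: a pod with no NetworkPolicy selecting it accepts everything, but once any policy selects it in a direction, only explicitly listed peers get through. The evaluator below is an added example written for this page, not Kubernetes code or anything from Cisco Container Platform; it models a subset of the real NetworkPolicy spec (matchLabels selectors, podSelector and ipBlock peers, policyTypes defaulting) and leaves out namespaces and ports. All labels, addresses and policy contents are constructed. It replays question 44's egress case and question 50's ingress case, including the effect of the question's option C (add a rule for `app: backend`) and option A (delete the policy), which is why the page's own note calls deletion less secure: with nothing selecting the database pod, any source is allowed.

```python
"""Toy evaluator for Kubernetes NetworkPolicy default-deny semantics (constructed)."""
import ipaddress


def _selects(selector, labels):
    # An absent selector selects nothing; an empty selector ({}) selects every pod.
    if selector is None:
        return False
    want = selector.get("matchLabels", {})
    return all(labels.get(k) == v for k, v in want.items())


def _policy_types(policy):
    # Same defaulting as the real API: Ingress always, Egress only if egress rules exist.
    if "policyTypes" in policy:
        return set(policy["policyTypes"])
    return {"Ingress", "Egress"} if "egress" in policy else {"Ingress"}


def _peer_matches(peer, other):
    if "podSelector" in peer:
        return "labels" in other and _selects(peer["podSelector"], other["labels"])
    if "ipBlock" in peer and "ip" in other:
        ip = ipaddress.ip_address(other["ip"])
        block = peer["ipBlock"]
        if ip not in ipaddress.ip_network(block["cidr"]):
            return False
        return not any(ip in ipaddress.ip_network(x) for x in block.get("except", []))
    return False


def is_allowed(policies, pod_labels, direction, other):
    """direction is 'Ingress' (other = source) or 'Egress' (other = destination).
    other is {'labels': {...}} for a pod or {'ip': '...'} for an external address."""
    peer_key, rules_key = ("from", "ingress") if direction == "Ingress" else ("to", "egress")
    selecting = [p for p in policies
                 if _selects(p["podSelector"], pod_labels) and direction in _policy_types(p)]
    if not selecting:
        return True            # nothing selects the pod in this direction: all traffic allowed
    for policy in selecting:   # policies are additive: a matching rule in any policy allows
        for rule in policy.get(rules_key, []):
            peers = rule.get(peer_key)
            if not peers:      # a rule without from/to allows every peer
                return True
            if any(_peer_matches(peer, other) for peer in peers):
                return True
    return False               # selected, but no rule matched: implicit deny


# ---- Question 44: microservice egress to a database VM (constructed values) ----
DB_IP = "10.20.30.40"
MICROSERVICE = {"app": "orders"}
ORDERS_EGRESS = {
    "podSelector": {"matchLabels": {"app": "orders"}},
    "policyTypes": ["Egress"],
    "egress": [{"to": [{"podSelector": {"matchLabels": {"app": "cache"}}}]}],
}


def q44_scenarios():
    no_policy = is_allowed([], MICROSERVICE, "Egress", {"ip": DB_IP})
    blocked = is_allowed([ORDERS_EGRESS], MICROSERVICE, "Egress", {"ip": DB_IP})
    fixed = dict(ORDERS_EGRESS, egress=ORDERS_EGRESS["egress"]
                 + [{"to": [{"ipBlock": {"cidr": DB_IP + "/32"}}]}])
    allowed = is_allowed([fixed], MICROSERVICE, "Egress", {"ip": DB_IP})
    return no_policy, blocked, allowed        # (True, False, True)


# ---- Question 50: database pod that accepts ingress only from app: frontend ----
DB_POD = {"app": "db"}
DB_INGRESS = {
    "podSelector": {"matchLabels": {"app": "db"}},
    "policyTypes": ["Ingress"],
    "ingress": [{"from": [{"podSelector": {"matchLabels": {"app": "frontend"}}}]}],
}


def q50_scenarios():
    frontend = {"labels": {"app": "frontend"}}
    backend = {"labels": {"app": "backend"}}
    stranger = {"labels": {"app": "scanner"}}
    frontend_ok = is_allowed([DB_INGRESS], DB_POD, "Ingress", frontend)
    backend_blocked = is_allowed([DB_INGRESS], DB_POD, "Ingress", backend)
    # Option C in the question: add a rule for app: backend, everything else stays denied
    widened = dict(DB_INGRESS, ingress=DB_INGRESS["ingress"]
                   + [{"from": [{"podSelector": {"matchLabels": {"app": "backend"}}}]}])
    backend_ok = is_allowed([widened], DB_POD, "Ingress", backend)
    stranger_blocked = is_allowed([widened], DB_POD, "Ingress", stranger)
    # Option A in the question: delete the policy; nothing selects the pod, so any source passes
    stranger_after_delete = is_allowed([], DB_POD, "Ingress", stranger)
    return frontend_ok, backend_blocked, backend_ok, stranger_blocked, stranger_after_delete
    # (True, False, True, False, True)


if __name__ == "__main__":
    print("Q44:", q44_scenarios())
    print("Q50:", q50_scenarios())
```

To reproduce the checks against a live cluster, the equivalent is `kubectl get networkpolicy -o yaml` for the namespace followed by reading each policy's `podSelector` and `policyTypes` against the failing pod's labels; a pod can be selected by a policy whose name says nothing about it.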

51
MCQhard

A network engineer is troubleshooting a Kubernetes deployment where pods are failing to start with the error 'CrashLoopBackOff'. The pod log shows 'bind: address already in use'. The deployment runs multiple replicas of a container that listens on port 8080. What is the most likely cause?

A.The container is attempting to bind to a privileged port without the necessary capabilities.
B.The deployment has hostPort: 8080 specified, causing port conflict when multiple replicas are scheduled on the same node.
C.The service is using NodePort and the node port is already in use.
D.Multiple containers in the same pod are trying to bind to the same port.
AnswerB

hostPort reserves the port on the host node, so only one pod per node can use it. With multiple replicas, subsequent pods fail with address in use.

Why this answer

The 'bind: address already in use' error indicates that the container's process cannot bind to port 8080 because it is already occupied. When `hostPort: 8080` is specified in the pod spec, Kubernetes instructs the container runtime to map the container port to the same port on the node's network namespace. If multiple replicas of the deployment are scheduled on the same node, each pod attempts to bind to port 8080 on the host, causing a conflict and the CrashLoopBackOff state.

This is a common misconfiguration when using hostPort without ensuring that replicas are spread across different nodes.

Exam trap

Cisco often tests the distinction between hostPort (which binds to the node's IP) and containerPort (which is informational), leading candidates to overlook that hostPort causes direct port conflicts on the same node.

How to eliminate wrong answers

Option A is wrong because port 8080 is not a privileged port (privileged ports are below 1024), and the error message 'address already in use' is unrelated to capabilities. Option C is wrong because a NodePort service allocates a port on every node's IP (typically in the range 30000-32767), and the error occurs at the pod level, not at the service level; a NodePort conflict would manifest differently, such as service creation failure. Option D is wrong because multiple containers in the same pod share the same network namespace and cannot bind to the same container port without explicit port mapping, but the error is about the host port conflict, not inter-container conflict within a single pod.

52
Multi-Selecthard

Which THREE are best practices for securing a CI/CD pipeline?

Select 3 answers
A.Use dynamic application security testing (DAST) tools
B.Allow manual approval for production deployments
C.Store credentials in the source code repository
D.Run all pipeline steps as the same user
E.Use static application security testing (SAST) tools
AnswersA, B, E

DAST tests running applications for security issues.

Why this answer

Dynamic application security testing (DAST) tools analyze a running application by simulating external attacks, which helps identify runtime vulnerabilities such as SQL injection or cross-site scripting. Integrating DAST into a CI/CD pipeline ensures that security checks are automated and performed before deployment, catching issues that static analysis might miss. This aligns with the DevSecOps principle of shifting security left without slowing down delivery.

Exam trap

Cisco often tests the distinction between DAST and SAST, where candidates may incorrectly think only one is needed, but the exam expects both as complementary practices for comprehensive security coverage.

53
MCQeasy

Refer to the exhibit. A developer builds this Docker image and runs it. The container starts but cannot be accessed on port 5000 from the host. What is the most likely cause?

A.The requirements.txt is missing Flask.
B.The Python application is not listening on 0.0.0.0.
C.The container is using a different port inside.
D.The EXPOSE instruction does not publish the port; the container was run without -p.
AnswerD

EXPOSE is documentation; without -p, no port is published to the host.

Why this answer

The EXPOSE instruction in a Dockerfile is documentation only; it does not actually publish the container's port to the host. For the container to be accessible on port 5000 from the host, the container must be run with the `-p` (or `--publish`) flag (e.g., `docker run -p 5000:5000 ...`). Without this, the container's port 5000 is only reachable from within the Docker network, not from the host.

Exam trap

Cisco often tests the misconception that EXPOSE publishes the port, when in fact it only documents the port and requires `-p` or `-P` for actual host access.

How to eliminate wrong answers

Option A is wrong because a missing Flask in requirements.txt would cause the application to fail to start or crash, not prevent host access to a running container on port 5000. Option B is wrong because even if the Python app is not listening on 0.0.0.0 (e.g., it listens on 127.0.0.1), the container would still be unreachable from the host, but the question states the container starts and cannot be accessed on port 5000; the most likely cause is the missing `-p` flag, not a binding issue, as the default Flask binding is 127.0.0.1 and would still require port publishing. Option C is wrong because if the container were using a different port inside, the EXPOSE instruction would typically match that port, and the symptom would be a mismatch, but the question implies the container is running and the port is defined; the core issue is that EXPOSE alone does not publish the port.
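
The two failure modes discussed in question 53 (EXPOSE without `-p`, and an app bound to loopback inside the container) can be caught before the container is ever started. The checker below is an added example written for this page, not Docker tooling or code from the question's exhibit; the Dockerfile it inspects is constructed to resemble a typical Flask image, and the `docker run` lines in the usage are likewise constructed. It understands `-p/--publish` in the `[ip:]host:container[/proto]` form, `-P/--publish-all` and `--network host`.

```python
"""Pre-flight check: will a container port be reachable from the Docker host? (constructed)"""
import shlex


def exposed_ports(dockerfile: str) -> set:
    """Ports named by EXPOSE; this is documentation only, nothing is published by it."""
    ports = set()
    for line in dockerfile.splitlines():
        parts = line.split()
        if parts and parts[0].upper() == "EXPOSE":
            ports.update(int(spec.split("/")[0]) for spec in parts[1:])   # "5000/tcp" -> 5000
    return ports


def parse_run(run_cmd: str) -> dict:
    """Extract the port-publishing options from a `docker run ...` command line."""
    args = shlex.split(run_cmd)
    info = {"publish_all": False, "host_network": False, "published": {}}   # container -> host
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-P", "--publish-all"):
            info["publish_all"] = True
        elif arg in ("-p", "--publish") or arg.startswith("--publish="):
            if "=" in arg:
                spec = arg.split("=", 1)[1]
            else:
                i += 1
                spec = args[i]
            fields = spec.split(":")                       # [ip:]host:container[/proto]
            container = int(fields[-1].split("/")[0])
            info["published"][container] = int(fields[-2]) if len(fields) >= 2 else None
        elif arg == "--network=host" or (
                arg == "--network" and i + 1 < len(args) and args[i + 1] == "host"):
            info["host_network"] = True
        i += 1
    return info


def diagnose(dockerfile: str, run_cmd: str, app_bind_host: str, port: int):
    """Return (reachable_from_host, findings) for one container port."""
    findings = []
    run = parse_run(run_cmd)
    published = (run["host_network"]
                 or port in run["published"]
                 or (run["publish_all"] and port in exposed_ports(dockerfile)))
    if not published:
        findings.append(f"port {port} is not published to the host; EXPOSE only documents it, "
                        f"run with -p {port}:{port} (or -P to publish every EXPOSEd port)")
    if app_bind_host in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"app binds to {app_bind_host} inside the container; it must listen on "
                        "0.0.0.0 for traffic arriving through a published port")
    return not findings, findings


# Constructed Dockerfile resembling the question's Flask exhibit
DOCKERFILE = """\
FROM python:3.9-alpine
WORKDIR /app
COPY requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt
COPY . .
EXPOSE 5000
CMD ["python", "app.py"]
"""

if __name__ == "__main__":
    for cmd, bind in [("docker run -d myapp", "0.0.0.0"),
                      ("docker run -d -p 5000:5000 myapp", "0.0.0.0"),
                      ("docker run -d -p 5000:5000 myapp", "127.0.0.1")]:
        print(cmd, bind, "->", diagnose(DOCKERFILE, cmd, bind, 5000))
```

The first command in the usage reproduces the question's symptom (container up, nothing published); the third shows the case option B describes, where publishing alone is not enough because Flask's default bind address is loopback.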

54
MCQeasy

A developer is creating a Helm chart for a stateless web application. Where should the application's configuration settings (like log level and feature flags) be stored?

A.Directly in the Docker image.
B.In values.yaml file of the Helm chart.
C.Hardcoded in the application code.
D.In a Kubernetes Secret.
AnswerB

Standard approach for Helm charts.

Why this answer

In a Helm chart, the `values.yaml` file is the standard location for configuration settings like log level and feature flags. This file allows developers to externalize configuration from the application code and Docker image, enabling environment-specific overrides without rebuilding the image. Helm uses `values.yaml` to inject these settings into Kubernetes manifests via template directives, making the chart reusable across different deployments.

Exam trap

Cisco often tests the distinction between configuration data (stored in ConfigMaps or `values.yaml`) and secret data (stored in Secrets), leading candidates to incorrectly choose Secrets for all configuration settings.

How to eliminate wrong answers

Option A is wrong because storing configuration in the Docker image violates the principle of immutable infrastructure; any change to log level or feature flags would require rebuilding and redeploying the image, which is inefficient and defeats the purpose of configuration externalization. Option C is wrong because hardcoding configuration in the application code tightly couples the application to specific settings, preventing runtime changes without code modification and recompilation, which is contrary to cloud-native best practices. Option D is wrong because Kubernetes Secrets are specifically designed for sensitive data (e.g., passwords, API keys), not for non-sensitive configuration like log level or feature flags; using Secrets for such data adds unnecessary complexity and security overhead without benefit.

55
MCQmedium

A developer is building a REST API for a Cisco DNA Center application. The API must allow external partners to retrieve network device inventory. Which security mechanism should be implemented to ensure that only authorized partners can access the API while maintaining the ability to revoke access for a specific partner without affecting others?

A.Use unique API keys per partner
B.Whitelist partner IP addresses in the API gateway firewall
C.Require HTTP basic authentication with a shared username and password
D.Implement OAuth 2.0 with client credentials grant
AnswerA

API keys are simple to manage and can be revoked individually without impacting other partners.

Why this answer

Option A is correct because API keys are simple tokens that can be issued per partner and easily revoked. Option D is wrong because OAuth 2.0 with client credentials requires a more complex setup but still allows per-client revocation; however, API keys are simpler and sufficient for this scenario. Option C is wrong because basic authentication would require sharing passwords, and revoking would change credentials for all.

Option B is wrong because IP whitelisting does not scale well and may not work across different partner networks.

56
MCQmedium

An engineer retrieves the list of devices in a Meraki network via the Dashboard API. The API returns HTTP 200 OK with an empty array. What is the most likely reason?

A.The organization has no networks.
B.The network ID provided is incorrect.
C.The API key has expired.
D.The network exists but has no devices.
AnswerD

A 200 with empty array means the network is valid but contains no devices.

Why this answer

An HTTP 200 OK with an empty array indicates the API request was successfully processed and the target resource (the network) exists, but there are no devices associated with it. This is the expected response when the network is valid but has no devices provisioned.

Exam trap

The trap here is that candidates may confuse a successful empty response (200 OK with empty array) with an error condition, leading them to incorrectly assume the network ID is wrong or the API key is invalid, when in fact the request was valid and the network simply has no devices.

How to eliminate wrong answers

Option A is wrong because if the organization had no networks, the API would return a 404 Not Found or an error message, not a 200 OK with an empty array. Option B is wrong because an incorrect network ID would result in a 404 Not Found or a 400 Bad Request, not a successful 200 OK response. Option C is wrong because an expired API key would cause a 401 Unauthorized or 403 Forbidden error, not a 200 OK.

57
MCQmedium

A DevOps team uses GitLab CI to deploy a containerized application to a Kubernetes cluster. The deployment pipeline fails at the 'deploy' stage with an error: 'unable to connect to server'. What is the most likely cause?

A.The Git repository is private and cannot be accessed.
B.The kubeconfig file for the cluster is missing or invalid.
C.The Docker image was not built successfully.
D.The Kubernetes cluster has insufficient resources to schedule the pod.
AnswerB

Without a valid kubeconfig, kubectl cannot connect to the cluster.

Why this answer

The error 'unable to connect to server' indicates that the GitLab CI runner cannot establish a TCP connection to the Kubernetes API server. This is most commonly caused by a missing or invalid kubeconfig file, which contains the cluster endpoint, credentials, and context required by kubectl to authenticate and communicate with the cluster. Without a valid kubeconfig, the deployment stage cannot proceed.

Exam trap

Cisco often tests the distinction between pipeline-stage-specific errors; the trap here is confusing a Kubernetes connectivity error (missing kubeconfig) with a resource scheduling issue (insufficient resources) or a build failure, which occur at different stages and produce distinct error messages.

How to eliminate wrong answers

Option A is wrong because a private Git repository would cause a 'repository not found' or authentication error during the clone step, not during the deploy stage when connecting to Kubernetes. Option C is wrong because a failed Docker image build would result in an 'image not found' or build failure earlier in the pipeline, not a connection error to the Kubernetes server. Option D is wrong because insufficient cluster resources would produce a pod scheduling failure (e.g., '0/1 nodes are available'), not an 'unable to connect to server' error, which is a network/authentication issue.

58
MCQhard

A financial services company deploys a multi-tier application on Cisco UCS with separate VMs for web, app, and database tiers. The security team runs a vulnerability scan and finds that the web server is vulnerable to SQL injection. The development team cannot fix the code immediately because of a pending third-party library update. The company needs to deploy a security control to mitigate the vulnerability as soon as possible without changing the application. Which of the following is the best immediate mitigation?

A.Deploy a Web Application Firewall (WAF) in front of the web server to filter malicious SQL patterns
B.Implement network segmentation to isolate the web server from the database server
C.Apply input validation on the web server by configuring the web server itself to sanitize inputs
D.Apply the latest security patches to the web server operating system
AnswerA

A WAF can provide virtual patching without code changes, blocking SQL injection attempts.

Why this answer

A Web Application Firewall (WAF) operates at Layer 7 and can inspect HTTP/HTTPS traffic for malicious payloads, such as SQL injection patterns, without requiring any changes to the application code. By deploying a WAF in front of the web server, the company can immediately filter out malicious SQL patterns (e.g., ' OR 1=1 --) using signature-based or behavioral rules, providing a virtual patch until the code fix is available. This aligns with the requirement to mitigate the vulnerability without modifying the application itself.

Exam trap

Cisco often tests the distinction between network-layer controls (like segmentation) and application-layer controls (like WAF), trapping candidates who think isolating the database server stops SQL injection, when in fact the malicious SQL commands are generated by the web server itself after the attack has already succeeded.

How to eliminate wrong answers

Option B is wrong because network segmentation isolates the web server from the database server at the network layer, but it does not prevent SQL injection attacks that originate from the web server itself; the web server still sends malicious queries to the database. Option C is wrong because applying input validation on the web server requires modifying the web server configuration or code, which contradicts the constraint of not changing the application. Option D is wrong because patching the web server operating system addresses OS-level vulnerabilities, not application-layer SQL injection flaws in the web application code.

59
MCQeasy

A team is implementing a CI/CD pipeline using Jenkins. The pipeline must build a Docker image and push it to a private registry. Which Jenkins plugin is specifically designed to handle Docker builds and pushes?

A.Credentials Plugin
B.Pipeline Plugin
C.Docker Pipeline Plugin
D.Git Plugin
AnswerC

This plugin provides Docker build and push steps.

Why this answer

The Docker Pipeline Plugin is the correct choice because it provides Jenkins Pipeline steps specifically for building and pushing Docker images, such as `docker.build()` and `docker.withRegistry()`. This plugin integrates Docker operations directly into Declarative or Scripted Pipelines, enabling seamless CI/CD workflows without requiring shell commands.

Exam trap

The trap here is that candidates may confuse the general-purpose Pipeline Plugin with the Docker-specific Docker Pipeline Plugin, assuming that Pipeline alone can handle Docker builds, when in fact it requires the dedicated plugin for native Docker steps.

How to eliminate wrong answers

Option A is wrong because the Credentials Plugin manages authentication credentials (e.g., usernames, passwords, SSH keys) but does not provide any Docker-specific build or push functionality. Option B is wrong because the Pipeline Plugin is the core plugin that enables defining Jenkins pipelines as code, but it lacks built-in Docker steps; it requires additional plugins like the Docker Pipeline Plugin to handle Docker operations. Option D is wrong because the Git Plugin integrates Git SCM operations (e.g., checkout, fetch) into Jenkins jobs, but it has no capability to build or push Docker images.

60
MCQeasy

An organization uses Ansible for configuration management and wants to secure the automation secrets (e.g., SSH keys, API tokens). The secrets are currently stored in plaintext in inventory files. The security team requires that secrets be encrypted at rest and decrypted only at runtime by authorized users. Which solution should be implemented?

A.Store secrets in an encrypted SSH key file and use it for authentication
B.Set strict file permissions (0600) on the inventory files to limit access
C.Use environment variables to pass secrets at runtime
D.Use Ansible Vault to encrypt sensitive variables in the inventory files
AnswerD

Ansible Vault encrypts data and only decrypts it when the vault password is provided, securing secrets at rest.

Why this answer

Ansible Vault is the built-in tool for encrypting sensitive data such as passwords, API tokens, and SSH keys at rest. It encrypts variables or entire files using AES-256, and decryption occurs only at runtime when the correct vault password is provided, meeting the requirement that secrets are decrypted only by authorized users.

Exam trap

Cisco often tests the distinction between access control (file permissions) and encryption at rest, leading candidates to mistakenly choose strict permissions as sufficient for securing secrets, when encryption is required to protect data from unauthorized access even if the file system is compromised.

How to eliminate wrong answers

Option A is wrong because storing secrets in an encrypted SSH key file does not address encryption of the inventory files themselves; SSH keys are used for authentication, not for encrypting variables in inventory. Option B is wrong because setting file permissions to 0600 only restricts file system access but does not encrypt the data; secrets remain in plaintext and could be read by any process with sufficient privileges or during backup. Option C is wrong because environment variables are not encrypted at rest; they are stored in plaintext in process memory and can be exposed via /proc filesystem or logging, and they do not provide encryption for the inventory files.

61
MCQmedium

A developer needs to run a temporary container that executes a command and then exits. Which Docker command should be used?

A.docker exec
B.docker run -d
C.docker start
D.docker run --rm
AnswerD

This runs a container and removes it after it exits.

Why this answer

The `docker run --rm` command creates a container, runs the specified command, and automatically removes the container filesystem after it exits. This is the correct approach for a temporary, disposable container that should not persist after execution. The `--rm` flag ensures cleanup without manual intervention.

Exam trap

Cisco often tests the distinction between `docker run` (creates and starts a new container) and `docker exec` (attaches to an existing running container), leading candidates to mistakenly choose `docker exec` for running a one-time command.

How to eliminate wrong answers

Option A is wrong because `docker exec` runs a command in an already running container, not a new temporary container. Option B is wrong because `docker run -d` runs a container in detached mode in the background, intended for long-running services, not a one-off command that exits. Option C is wrong because `docker start` restarts an existing stopped container, not a new temporary container.

62
Drag & Dropmedium

Drag and drop the steps to configure a Cisco IOS device for NETCONF access into the correct order.


Why this order

NETCONF requires enabling the service, SSH configuration, user creation, and verification.

63
MCQhard

An application uses OAuth 2.0 for authorization. The developer receives an access token but needs to know the user's identity. Which OAuth flow should be used to also obtain an ID token that contains user claims?

A.Authorization Code Grant without PKCE
B.Authorization Code Grant with OpenID Connect
C.Resource Owner Password Grant
D.Client Credentials Grant
AnswerB

OpenID Connect adds ID token with user claims.

Why this answer

OpenID Connect (OIDC) is an identity layer built on top of OAuth 2.0 that adds an ID token (a JWT) containing user claims such as name, email, and sub. The Authorization Code Grant with OIDC is the correct flow because it allows the client to request both an access token and an ID token, enabling the application to verify the user's identity while obtaining authorization.

Exam trap

Cisco often tests the misconception that any OAuth 2.0 flow can provide user identity, but only OpenID Connect (specifically the Authorization Code Grant with OIDC) adds the ID token for authentication; candidates may incorrectly choose the Client Credentials Grant, which is purely for machine-to-machine authorization and never includes user claims.

How to eliminate wrong answers

Option A is wrong because the Authorization Code Grant without PKCE (or without OIDC) only returns an access token, not an ID token with user claims; it is designed for authorization, not authentication. Option C is wrong because the Resource Owner Password Grant directly exchanges user credentials for an access token, but it does not include an ID token and is deprecated due to security risks (RFC 6749 Section 4.3). Option D is wrong because the Client Credentials Grant is used for server-to-server communication without a user context, so it never returns an ID token or user claims.

64
MCQmedium

A developer is deploying a Python web application on Cisco UCS servers using a CI/CD pipeline that runs on Jenkins. The application uses a PostgreSQL database. The security team mandates that all database credentials must be rotated every 30 days. Currently, credentials are stored as plaintext in a configuration file in the application repository. Which approach should the developer take to meet the rotation requirement without storing secrets in the repository?

A.Integrate with HashiCorp Vault to dynamically generate credentials for each deployment
B.Set the credentials as environment variables in the Jenkins pipeline and generate a new set every month manually
C.Store the credentials in Jenkins credentials store and reference them in the pipeline
D.Store the credentials in a Kubernetes ConfigMap and update it every 30 days
AnswerA

Vault can generate short-lived credentials and rotate them automatically, meeting the rotation requirement.

Why this answer

Integrating with HashiCorp Vault allows the CI/CD pipeline to dynamically generate short-lived database credentials for each deployment, eliminating the need to store secrets in the repository. Vault can be configured to automatically rotate credentials every 30 days (or less) and inject them into the application at runtime via sidecar containers or API calls, meeting the security mandate without manual intervention.

Exam trap

Cisco often tests the distinction between static secret storage (e.g., Jenkins credentials store or ConfigMaps) and dynamic secret generation (e.g., Vault), where the key requirement is automatic rotation without manual intervention.

How to eliminate wrong answers

Option B is wrong because manually generating and setting environment variables every 30 days is not automated, error-prone, and still exposes credentials in the Jenkins pipeline configuration, which may be stored in the Jenkins home directory or logs. Option C is wrong because storing credentials in the Jenkins credentials store avoids plaintext in the repo but does not provide automatic rotation; the credentials would still need to be manually updated every 30 days, and they remain static within the pipeline. Option D is wrong because storing credentials in a Kubernetes ConfigMap is insecure (ConfigMaps are not designed for secrets) and does not support automatic rotation; updating it every 30 days would require manual intervention or additional scripting, and the credentials would still be stored in plaintext within the cluster.

65
MCQmedium

A team uses Ansible Tower for network automation. They need to restrict a user to only view job results without making any changes. Which Tower role should be assigned?

A.Execute
B.Read
C.Auditor
D.Admin
AnswerB

The Read role provides view-only permissions for jobs, inventories, and other resources.

Why this answer

The Read role in Ansible Tower grants read-only access to all resources, including job results, without allowing any modifications. This is the correct choice because the requirement is to restrict the user to viewing job results only, and Read provides exactly that level of access without any write or execute permissions.

Exam trap

Cisco often tests the distinction between Read and Auditor roles, where candidates may mistakenly choose Auditor thinking it is more restrictive, but Auditor actually provides broader read access to all objects including credentials, while Read is the correct role for limiting to job results only.

How to eliminate wrong answers

Option A is wrong because the Execute role allows a user to run jobs and launch playbooks, which would enable changes to the network, not just view results. Option C is wrong because the Auditor role provides read-only access to all objects, including sensitive data like credentials and inventory; it is designed for auditing purposes and is more permissive than necessary for simply viewing job results, so the Read role is the more appropriate choice. Option D is wrong because the Admin role grants full administrative privileges, including the ability to modify configurations, manage users, and execute jobs, which would allow changes and violate the restriction.

66
MCQmedium

Refer to the exhibit. An application is deployed on a server at 192.168.1.10, listening on TCP port 8080. The ACL is applied inbound on the server's network interface. Which clients will be able to access the application?

A.Clients from any network, because the permit statement overrides the deny
B.Only clients from the 192.168.1.0/24 network
C.No clients, because the deny statement blocks all TCP traffic to port 8080
D.Only clients sending UDP traffic to port 53
AnswerC

The first rule denies all TCP traffic to port 8080, making the subsequent permit ineffective for TCP.

Why this answer

The ACL processes rules in order. The first rule denies all TCP traffic to port 8080 from any source, so even traffic from 192.168.1.0/24 is blocked. The second permit rule is never reached for TCP 8080.

Therefore, no clients can access the application on port 8080.
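A first-match ACL evaluator, added here as an illustration and not taken from the question bank, that shows why order decides the outcome. Since the exhibit is not reproduced, the two entries are a constructed reconstruction from the explanation (deny tcp any host 192.168.1.10 eq 8080, then permit ip 192.168.1.0/24 any) and the client addresses are made up.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    """One access control entry (ACE)."""
    action: str                      # "permit" or "deny"
    proto: str                       # "tcp", "udp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None      # None means any destination port


def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    """True when the packet matches every field of the ACE."""
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if ipaddress.ip_address(src) not in rule.src:
        return False
    if ipaddress.ip_address(dst) not in rule.dst:
        return False
    return rule.dport is None or rule.dport == dport


def evaluate(acl: List[Rule], proto: str, src: str, dst: str, dport: int) -> str:
    """First-match evaluation: the first matching ACE decides; anything unmatched
    hits the implicit 'deny any' at the end of every Cisco ACL."""
    for rule in acl:
        if rule_matches(rule, proto, src, dst, dport):
            return rule.action
    return "deny"


SERVER = ipaddress.ip_network("192.168.1.10/32")
LAN = ipaddress.ip_network("192.168.1.0/24")

# Constructed reconstruction of the exhibit: the broad deny sits before the permit.
ACL_AS_SHOWN = [
    Rule("deny", "tcp", ANY, SERVER, 8080),
    Rule("permit", "ip", LAN, ANY),
]

# Reordered so the specific permit is evaluated before the broad deny.
ACL_INTENDED = [
    Rule("permit", "tcp", LAN, SERVER, 8080),
    Rule("deny", "tcp", ANY, SERVER, 8080),
]


def lan_client_can_reach_app(acl: List[Rule]) -> bool:
    # 192.168.1.25 is a made-up client inside 192.168.1.0/24
    return evaluate(acl, "tcp", "192.168.1.25", "192.168.1.10", 8080) == "permit"


def outside_client_can_reach_app(acl: List[Rule]) -> bool:
    # 203.0.113.7 is a made-up client outside the LAN
    return evaluate(acl, "tcp", "203.0.113.7", "192.168.1.10", 8080) == "permit"


if __name__ == "__main__":
    for name, acl in (("as shown", ACL_AS_SHOWN), ("reordered", ACL_INTENDED)):
        print(f"{name}: LAN client -> {lan_client_can_reach_app(acl)}, "
              f"outside client -> {outside_client_can_reach_app(acl)}")
```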

67
MCQhard

Refer to the exhibit. A security audit reveals that the authentication mechanism is vulnerable. Which attack is most likely possible?

A.Cross-site scripting (XSS) via the token.
B.Token forgery if the secret key is weak.
C.Man-in-the-middle attack due to missing HTTPS.
D.SQL injection through the login endpoint.
AnswerB

The weak secret 'my-secret' can be easily guessed, allowing an attacker to forge valid tokens.

Why this answer

The exhibit shows a JSON Web Token (JWT) being used for authentication. If the secret key used to sign the JWT is weak or easily guessable, an attacker can forge a valid token by brute-forcing the secret and then crafting a token with arbitrary claims (e.g., elevated privileges). This is a classic token forgery attack, not a cross-site scripting or injection attack, because the vulnerability lies in the signing mechanism, not in input handling or transport security.

Exam trap

Cisco often tests the distinction between attacks that target the authentication mechanism itself (like token forgery) versus attacks that exploit input handling (XSS, SQLi) or transport security (MITM), leading candidates to pick a wrong option because they focus on a general security flaw (e.g., missing HTTPS) rather than the specific vulnerability implied by the token's weak secret.

How to eliminate wrong answers

Option A is wrong because cross-site scripting (XSS) exploits the injection of malicious scripts into web pages, not the forging of authentication tokens; the token itself is not rendered as HTML or executed in a browser context. Option C is wrong because while missing HTTPS is a security concern, the question specifically asks about an attack made possible by the authentication mechanism's vulnerability, and a man-in-the-middle attack would exploit the lack of encryption, not the token's signing secret. Option D is wrong because SQL injection targets database queries through unsanitized input, whereas the token-based authentication shown does not involve direct SQL queries at the login endpoint; the vulnerability is in the token's cryptographic integrity, not in query construction.

68
Multi-Selecthard

Which TWO of the following are valid security considerations when deploying an application to a Kubernetes cluster managed by Cisco Intersight? (Choose two.)

A.Store secrets in ConfigMaps for easy retrieval.
B.Define Network Policies to isolate pods and control traffic flow.
C.Disable RBAC to simplify management and reduce overhead.
D.Use default service accounts for all pods to avoid misconfiguration.
E.Implement Pod Security Policies to restrict privileged containers.
AnswersB, E

Network policies enforce micro-segmentation and limit lateral movement.

Why this answer

Option B is correct because Network Policies in Kubernetes act as a firewall at the pod level, using label selectors and namespace selectors to control ingress and egress traffic. In a Cisco Intersight-managed cluster, defining these policies is a critical security consideration to enforce micro-segmentation and prevent lateral movement of threats. Option E is correct because Pod Security Policies (PSPs) are a cluster-level resource that control security-sensitive aspects of pod specification, such as preventing privileged containers, which is a key security best practice in Kubernetes.

Exam trap

Cisco often tests the misconception that ConfigMaps are suitable for secrets (they are not) and that disabling RBAC simplifies management (it actually creates a massive security hole), while candidates may overlook that Network Policies require a compatible CNI plugin to be effective.

69
MCQhard

A company has a microservices application deployed on Kubernetes. There are three services: frontend, backend, and database. The frontend is exposed via an Ingress. The API gateway is used for authentication. Recently, after updating the backend service, users are experiencing 401 Unauthorized errors when accessing endpoints that previously worked. The authentication mechanism uses JWT tokens issued by an external identity provider. The JWT tokens are validated by the API gateway. The backend service itself does not validate tokens; it relies on the gateway to forward user identity via headers. The development team checked the logs and found that the backend is receiving requests with the correct JWT from the gateway but still returning 401. What is the most likely cause?

A.The Ingress controller is stripping the Authorization header before forwarding to the backend.
B.The API gateway's JWT signing key has changed and the backend is using the old key.
C.The new backend version uses a different HTTP method for the affected endpoints.
D.The backend service code now attempts to validate the JWT itself and fails.
AnswerD

Likely the update added token validation code that is not properly configured.

Why this answer

The scenario states that the backend service relies on the gateway to forward user identity via headers and does not validate JWT tokens itself. If the new backend version now attempts to validate the JWT, it would likely fail because the backend lacks the necessary signing key or validation logic, causing 401 errors even though the gateway correctly forwards the token. This matches option D, as the change in backend behavior introduces a new validation step that was not present before.

Exam trap

Cisco often tests the misconception that JWT validation must happen at the backend, but here the trap is that the backend was never supposed to validate tokens, and a code change introducing such validation causes the 401 errors, not a problem with the gateway or Ingress.

How to eliminate wrong answers

Option A is wrong because the Ingress controller is not involved in JWT validation; the issue occurs after the gateway forwards the request, and the backend receives the correct JWT, so stripping the Authorization header would prevent the token from reaching the backend, contradicting the log evidence. Option B is wrong because the backend does not validate JWT tokens; it relies on the gateway, so a key change would affect the gateway's validation, not the backend's response, and the logs show the gateway is forwarding the correct JWT. Option C is wrong because HTTP method changes would cause 405 Method Not Allowed errors, not 401 Unauthorized, and the problem is specifically about authentication failure.
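The weak-secret problem in question 67 and the backend-side validation failure in question 69 share one mechanism, so a single added example (not part of the question bank) covers both: an HS256 JWT issuer and verifier written against the Python standard library only. The keys are constructed, the claims are made up, and the verifier pins the algorithm, enforces the RFC 7518 minimum key length, and returns 401 when the backend's key does not match the gateway's.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional

# RFC 7518 section 3.2: an HS256 key must be at least as long as the hash output (256 bits).
MIN_HS256_KEY_BYTES = 32


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims: Dict[str, Any], key: bytes) -> str:
    """Issuer side (the gateway or IdP): sign header.payload with HMAC-SHA256."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signature = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(signature)}"


def verify_hs256(token: str, key: bytes, now: Optional[float] = None) -> Optional[Dict[str, Any]]:
    """Verifier side: return the claims if the token is authentic and unexpired, else None.

    A key shorter than the HS256 minimum is refused up front, so a secret such as
    'my-secret' (9 bytes) fails at configuration time instead of being guessable later.
    """
    if len(key) < MIN_HS256_KEY_BYTES:
        raise ValueError(f"HS256 key must be at least {MIN_HS256_KEY_BYTES} bytes")
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except (ValueError, UnicodeDecodeError):
        return None          # malformed token
    # Pin the algorithm on the verifier side; the token never gets to choose it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return None          # wrong key or tampered content
    try:
        claims = json.loads(b64url_decode(payload_b64))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict):
        return None
    current = time.time() if now is None else now
    exp = claims.get("exp")
    if exp is not None and (not isinstance(exp, (int, float)) or current >= exp):
        return None          # expired or unusable exp claim
    return claims


def backend_status(token: str, backend_key: Optional[bytes]) -> int:
    """HTTP status a backend returns once it validates tokens itself (the question 69 situation)."""
    if backend_key is None:
        return 401           # validation switched on but no key provisioned: every request fails
    return 200 if verify_hs256(token, backend_key) is not None else 401


# Constructed keys (both at least 32 bytes): the gateway's signing key and a non-matching one.
GATEWAY_KEY = b"constructed-gateway-signing-key-0123456789abcdef"
WRONG_KEY = b"constructed-backend-key-that-does-not-match-0000"

if __name__ == "__main__":
    token = sign_hs256({"sub": "alice", "role": "user", "exp": int(time.time()) + 3600}, GATEWAY_KEY)
    print("backend with gateway key:", backend_status(token, GATEWAY_KEY))   # 200
    print("backend with wrong key:  ", backend_status(token, WRONG_KEY))     # 401
```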

70
Matchingmedium

Match each network automation tool to its primary purpose.


Configuration management and automation

API testing and development

Network test automation framework

SSH-based network device interaction

Python automation framework for networking

Why these pairings

Tools commonly used in Cisco DevNet environments.

71
MCQhard

A microservices application deployed on Kubernetes uses Istio service mesh. After a recent update, some services cannot communicate with each other. Which diagnostic step is most likely to identify the issue?

A.Verify that Istio sidecar injection is enabled for the affected pods.
B.Review the Istio destination rules for the services.
C.All of the above.
D.Check the logs of the pods that are failing.
AnswerC

Each step is valid; a comprehensive approach is needed to isolate Istio-related issues.

Why this answer

Option C is correct because both verifying sidecar injection and reviewing destination rules are essential diagnostic steps when services in an Istio service mesh cannot communicate after an update. Sidecar injection ensures that the Envoy proxy is present to enforce traffic policies, while destination rules define how traffic is routed and can cause connectivity failures if misconfigured. Checking pod logs alone may reveal symptoms but not the root cause, which is often a policy or proxy configuration issue.

Exam trap

The trap here is that candidates often pick a single option (A or B) thinking one diagnostic step is sufficient, but Cisco tests the understanding that multiple layers (proxy presence and policy configuration) must be verified in a service mesh environment.

How to eliminate wrong answers

Option A is wrong because while verifying sidecar injection is a valid step, it alone may not identify issues caused by misconfigured destination rules or traffic policies. Option B is wrong because reviewing destination rules is important but insufficient if sidecar injection is missing, as the Envoy proxy is required to enforce those rules. Option D is wrong because checking pod logs may show application-level errors but will not directly reveal Istio-specific configuration problems like missing sidecars or incorrect routing rules.

72
MCQmedium

An engineer uses the Cisco Webex Teams API to send a message to a room. The API returns HTTP 403 Forbidden. What is the most likely cause?

A.The message payload is too large.
B.The bot token has expired.
C.The room ID is incorrect.
D.The token does not have permission to post to that room.
AnswerD

A 403 error indicates the token is valid but lacks authorization for the action.

Why this answer

HTTP 403 Forbidden indicates the server understood the request but refuses to authorize it. In the context of the Cisco Webex Teams API, this status code most commonly means the access token provided does not have the required scopes or permissions to post messages to the specified room. The token may be valid and not expired, but it lacks the authorization (e.g., the `spark:rooms_write` scope) needed for the action.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure, e.g., expired or invalid token) and HTTP 403 (authorization failure, e.g., valid token but insufficient permissions), so candidates must not confuse the two.

How to eliminate wrong answers

Option A is wrong because a payload that is too large would typically result in HTTP 413 Payload Too Large, not 403 Forbidden. Option B is wrong because an expired token would return HTTP 401 Unauthorized, not 403 Forbidden. Option C is wrong because an incorrect room ID would return HTTP 404 Not Found, as the API cannot locate the resource; a 403 indicates the resource exists but the token lacks permission.

73
MCQmedium

A company has a web application running on Cisco DNA Center. The application uses OAuth 2.0 for authentication with an external identity provider (IdP). Recently, users have reported that they are being logged out unexpectedly after a few minutes of inactivity, even though the IdP token has a 1-hour expiration. The application developer wants to maintain usability while keeping security controls. What is the most likely cause and solution?

A.The application session timeout is shorter than the token lifetime; align the application session timeout to the token expiration or implement silent token refresh
B.The application is not properly validating the token expiry and needs to refresh tokens proactively
C.The IdP is configured to log out users automatically after 5 minutes; reconfigure IdP session settings
D.The OAuth 2.0 access token is set to expire in 5 minutes; increase it to 1 hour
AnswerA

Short application session timeout causes early logout; aligning or using silent refresh solves it.

Why this answer

The most likely cause is that the application's session timeout is set to a shorter duration than the OAuth 2.0 token's 1-hour expiration. When the application session expires, the user is logged out even though the IdP token is still valid. The solution is to align the application session timeout with the token expiration or implement silent token refresh using a refresh token, which allows the application to obtain a new access token without user interaction, maintaining usability while preserving security.

Exam trap

Cisco often tests the distinction between token expiration and session timeout, where candidates mistakenly focus on token refresh or IdP configuration instead of recognizing that the application's session management is the root cause.

How to eliminate wrong answers

Option B is wrong because the issue is not about token validation or proactive refresh; the token is valid for 1 hour, but the application session expires earlier, causing logout. Option C is wrong because the IdP is not configured to log out users after 5 minutes; the IdP token has a 1-hour expiration, so the problem lies in the application session management. Option D is wrong because the access token expiration is already set to 1 hour, not 5 minutes; increasing it further would not fix the mismatch between the application session timeout and token lifetime.

74
MCQmedium

Refer to the exhibit. A Python script uses the Cisco IOS-XE RESTCONF API to retrieve the device configuration. The returned JSON is shown. What must be done to enable the GigabitEthernet0/1 interface using the API?

A.Send a PATCH request to the interface resource with the JSON payload {"enabled": true}.
B.Send a DELETE request to the interface resource.
C.Send a GET request to the interface resource and parse the response.
D.Send a PUT request to the interface resource with the entire JSON payload.
AnswerA

PATCH partially updates the resource; changing enabled to true will enable the interface.

Why this answer

Option A is correct because RESTCONF uses PATCH for partial updates. To enable an interface, you only need to send the specific field that changes ({"enabled": true}) to the interface resource URI, which modifies the configuration without replacing the entire resource.

Exam trap

Cisco often tests the distinction between PUT (full replace) and PATCH (partial update) in RESTCONF, where candidates mistakenly choose PUT thinking it can be used for single-field changes, but that would require sending the entire resource payload.

How to eliminate wrong answers

Option B is wrong because a DELETE request would remove the entire interface resource, not enable it. Option C is wrong because a GET request only retrieves data; it does not modify the configuration. Option D is wrong because a PUT request replaces the entire resource with the provided JSON payload, which would require sending the full interface configuration, not just the enabled field, and could overwrite other settings.

75
MCQhard

A security policy requires that all container images in a registry are scanned for vulnerabilities before deployment. Which approach best integrates this into a CI/CD pipeline without slowing down the pipeline?

A.Build the image, push it, then scan it, and if vulnerabilities are found, rebuild and repush.
B.Run the vulnerability scan on the image after pushing to the registry and block deployment if critical vulnerabilities are found.
C.Build the image, scan it locally, and if it passes, push it to the registry; run scans in parallel with the build if possible.
D.Scan the source code dependencies before building the image, and skip image scanning.
AnswerC

Local scanning before push catches vulnerabilities early and does not delay the pipeline if done in parallel.

Why this answer

Option C is correct because it shifts the vulnerability scan left in the pipeline: the image is built and scanned locally before being pushed to the registry. If the scan passes, the image is pushed; if it fails, the pipeline stops early, avoiding the overhead of pushing a vulnerable image and then rebuilding. This approach minimizes pipeline latency by running scans in parallel with the build where possible, ensuring security without blocking the deployment flow.

Exam trap

Cisco often tests the concept of 'shifting left' security — candidates mistakenly think scanning after pushing (Option B) is acceptable because it blocks deployment, but the trap is that the policy requires scanning before deployment, not before push, and Option B still allows vulnerable images to reside in the registry.

How to eliminate wrong answers

Option A is wrong because it pushes the image first, then scans it, and if vulnerabilities are found, rebuilds and repushes — this wastes time and registry storage by pushing a vulnerable image that must be replaced, and it introduces a slow feedback loop. Option B is wrong because it scans after pushing to the registry and only blocks deployment for critical vulnerabilities, which still allows non-critical vulnerabilities to be deployed and does not prevent the vulnerable image from being stored in the registry, violating the policy that all images must be scanned before deployment. Option D is wrong because scanning only source code dependencies misses vulnerabilities introduced by the base image, runtime libraries, or configuration files in the container image, leaving the image itself unscanned and failing the security policy requirement.
