CCNA Cisco Platforms Questions

75 of 92 questions · Page 1/2 · Cisco Platforms topic · Answers revealed

1
MCQ · medium

A developer is creating a Python script to retrieve interface statistics from a Cisco IOS XE device using RESTCONF. Which HTTP method should be used to get the data?

A. GET
B. POST
C. PUT
D. DELETE
Answer: A

GET retrieves data from the specified endpoint.

Why this answer

RESTCONF uses standard HTTP methods to perform CRUD operations on YANG-defined data. To retrieve interface statistics without modifying any resource, the GET method is correct, as it maps directly to the NETCONF <get> or <get-config> operation for reading data.

Exam trap

Cisco often tests the distinction between HTTP methods in RESTCONF, and the trap here is that candidates may confuse POST (used for creating resources) with GET, especially when thinking of sending a 'request' for data.

How to eliminate wrong answers

Option B is wrong because POST is used to create a new data resource or invoke an operation, not to retrieve existing data. Option C is wrong because PUT is used to replace or update an entire resource, not to read data. Option D is wrong because DELETE is used to remove a resource, which is the opposite of retrieving statistics.

2
MCQ · medium

A network engineer needs to automate the deployment of QoS policies across multiple campus switches using Cisco DNA Center. The engineer decides to use the Cisco DNA Center Intent API to create a policy tag and bind it to a group of devices. After sending the PUT request to /dna/intent/api/v1/policy-tag, the API returns a 202 Accepted status. However, the engineer notices that the policy is not being applied consistently across all devices. What is the most likely reason?

A. The payload was not in JSON format, causing a silent failure.
B. The API token expired before the request was processed.
C. The request was asynchronous, and the engineer did not check the task status for completion.
D. The engineer used an incorrect API endpoint for policy tags.
Answer: C

202 Accepted means the request is being processed asynchronously; the task ID must be monitored.

Why this answer

The 202 Accepted status indicates that the request was accepted for asynchronous processing, not that it has completed. Cisco DNA Center Intent API uses asynchronous tasks for operations like policy tag binding, and the engineer must poll the task status endpoint to verify completion and success. Without checking the task status, the engineer cannot know if the policy was applied consistently across all devices, as some tasks may have failed or are still in progress.

Exam trap

Cisco often tests the distinction between synchronous (2xx success) and asynchronous (202 Accepted) responses, and the trap here is that candidates assume a 202 Accepted means the operation completed successfully, when in fact it only means the request was accepted for processing.

How to eliminate wrong answers

Option A is wrong because if the payload were not in JSON format, the API would typically return a 400 Bad Request error, not a 202 Accepted, and the failure would be explicit, not silent. Option B is wrong because an expired API token would cause a 401 Unauthorized error when the request is sent, not a 202 Accepted; the token is validated at request time, not during async processing. Option D is wrong because the endpoint /dna/intent/api/v1/policy-tag is the correct endpoint for creating and updating policy tags in Cisco DNA Center Intent API, as documented in the API reference.

3
MCQ · easy

A developer is using Cisco Meraki API to retrieve a list of networks. What is the correct HTTP method and endpoint path for listing networks in an organization?

A. DELETE /organizations/{orgId}/networks
B. POST /organizations/{orgId}/networks
C. PUT /organizations/{orgId}/networks
D. GET /organizations/{orgId}/networks
Answer: D

Correct HTTP method and endpoint for listing networks.

Why this answer

Option D is correct because the HTTP GET method is used to retrieve or list resources, and the endpoint /organizations/{orgId}/networks is the standard Meraki API path for fetching all networks within a specified organization. This follows RESTful conventions where GET requests are idempotent and safe for data retrieval.

Exam trap

Cisco often tests the fundamental RESTful mapping of HTTP methods to CRUD operations, and the trap here is confusing the GET method with POST or PUT because candidates may think 'listing' requires sending data in the request body, when in fact GET is the correct method for read-only retrieval.

How to eliminate wrong answers

Option A is wrong because DELETE is used to remove a resource, not to list networks; using DELETE on this endpoint would attempt to delete all networks in the organization, which is not the intended operation. Option B is wrong because POST is used to create a new resource, such as adding a network to an organization, not to retrieve an existing list. Option C is wrong because PUT is used to update or replace an existing resource, not to retrieve a list; it would attempt to replace the entire collection of networks, which is incorrect.

4
MCQ · medium

A DevOps team is using Cisco NSO to manage network devices. They want to ensure that the configuration is compliant with corporate standards. Which NSO feature should they use?

A. Configuration Snapshots
B. NETCONF notifications
C. Configuration Database (CDB) rollback
D. Service reconciliation using FastMap
Answer: D

FastMap reconciles device config with service model to ensure compliance.

Why this answer

Service reconciliation using FastMap is the correct NSO feature for ensuring configuration compliance with corporate standards because it detects and corrects deviations between the intended service model (defined in YANG) and the actual device configuration. FastMap performs a diff and re-applies the service logic to bring the device back into compliance, making it ideal for continuous compliance enforcement.

Exam trap

Cisco often tests the distinction between passive monitoring features (snapshots, notifications, rollback) and active remediation (FastMap), leading candidates to pick a feature that only detects drift rather than one that corrects it.

How to eliminate wrong answers

Option A is wrong because Configuration Snapshots are point-in-time backups of device configurations used for auditing or comparison, not for active compliance enforcement or remediation. Option B is wrong because NETCONF notifications are asynchronous event messages (e.g., YANG-push or syslog) that alert on state changes but do not enforce or correct configuration compliance. Option C is wrong because CDB rollback reverts the NSO configuration database to a previous transaction, which can undo changes but does not proactively ensure ongoing compliance with corporate standards.

5
Multi-Select · medium

Which three configuration management tools can be used with Cisco devices for automation? (Choose three.)

Select 3 answers
A. Nagios
B. SaltStack
C. Puppet
D. Chef
E. Ansible
Answers: C, D, E

Puppet supports Cisco devices via agents.

Why this answer

Puppet is a configuration management tool that uses a declarative language to define system state. It can manage Cisco devices via the cisco_ios module, which uses SSH or NX-API to apply configurations, making it suitable for network automation.

Exam trap

Cisco often tests the distinction between monitoring tools (like Nagios) and configuration management tools, and candidates may confuse SaltStack as a primary Cisco automation tool due to its general-purpose nature, but it lacks the dedicated Cisco ecosystem support of Puppet, Chef, and Ansible.

6
MCQ · easy

A developer needs to retrieve a list of all networks in a Meraki organization using the Dashboard API. Which API call should be made?

A. GET /organizations/{organizationId}/networks
B. GET /organizations/{organizationId}/networks
C. GET /networks
D. GET /organizations/{organizationId}/networks/{networkId}
Answer: B

This endpoint returns a list of all networks in the organization.

Why this answer

The correct API call to retrieve a list of all networks in a Meraki organization is GET /organizations/{organizationId}/networks. This endpoint returns an array of network objects associated with the specified organization, as documented in the Meraki Dashboard API. The path includes the organization ID to scope the request, and the response contains details such as network name, ID, and product types.

Exam trap

Cisco often tests the distinction between list and single-resource endpoints, so the trap here is confusing GET /organizations/{organizationId}/networks (list all networks) with GET /organizations/{organizationId}/networks/{networkId} (get one network), or assuming a root-level /networks endpoint exists without the required organization scope.

How to eliminate wrong answers

Option A is wrong because it is identical to the correct answer (B) but not marked as correct in the question; however, in practice, both A and B represent the same endpoint, so the distinction is artificial. Option C is wrong because GET /networks is not a valid Meraki Dashboard API endpoint; the API requires the organization ID in the path to identify the scope. Option D is wrong because GET /organizations/{organizationId}/networks/{networkId} retrieves a single specific network, not a list of all networks.

7
MCQ · hard

A developer is integrating with Cisco SD-WAN vManage using REST APIs. After successfully submitting credentials, the API returns a 401 Unauthorized error for subsequent requests. What is the most likely missing step?

A. The request URL must include an API key parameter.
B. The API call must use the HTTPS protocol.
C. The password must be sent in base64 encoding.
D. The session token (X-XSRF-TOKEN) must be obtained and included in subsequent requests.
Answer: D

This is required after initial authentication.

Why this answer

Cisco SD-WAN vManage uses a two-step authentication process: first, credentials are submitted to obtain a session token (X-XSRF-TOKEN) and a JSESSIONID cookie. If subsequent API requests do not include the X-XSRF-TOKEN in the HTTP header, vManage rejects them with a 401 Unauthorized error, as the token is required for CSRF protection and session validation.

Exam trap

Cisco often tests the distinction between session cookies and CSRF tokens, trapping candidates who assume that a successful login alone (cookie) is enough for all subsequent API calls.

How to eliminate wrong answers

Option A is wrong because vManage does not require an API key parameter in the URL; it relies on session-based tokens (X-XSRF-TOKEN) and cookies for authentication. Option B is wrong because, while HTTPS is strongly recommended for security, its absence would typically cause a connection failure or redirect, not a 401 Unauthorized error after successful credential submission. Option C is wrong because vManage expects credentials in JSON format (plain text or hashed), not base64 encoding; base64 is used for HTTP Basic Authentication, which is not the default for vManage REST APIs.

8
MCQ · medium

Refer to the exhibit. A developer needs to authenticate to this router via NETCONF using the devuser credentials. Why might authentication fail?

A. NETCONF requires AAA authentication
B. The devuser has privilege level 1, which is not enough for NETCONF access
C. The password is encrypted with type 5
D. The username does not have SSH access
Answer: B

Privilege level 1 is too low for NETCONF.

Why this answer

NETCONF access requires a minimum privilege level of 15 on Cisco IOS/IOS-XE devices. The devuser has privilege level 1, which restricts the user to basic monitoring commands and prevents NETCONF operations. Even with correct SSH and authentication, the privilege level mismatch causes the NETCONF session to be rejected.

Exam trap

Cisco often tests the misconception that any valid SSH user can use NETCONF, but the trap is that NETCONF requires privilege level 15 regardless of SSH access or authentication method.

How to eliminate wrong answers

Option A is wrong because NETCONF does not require AAA authentication; it can use local authentication (as shown in the exhibit with username/password). Option C is wrong because type 5 encryption (MD5-based) is a valid and supported password encryption for local users; it does not cause authentication failure. Option D is wrong because the exhibit shows the devuser is configured with SSH access (the 'ssh' keyword is present in the username command), so SSH access is explicitly granted.

9
MCQ · hard

A large enterprise uses Cisco DNA Center to manage its campus network. The network team has automated wireless SSID provisioning using the Intent API. Recently, a new SSID was created but it does not appear on the wireless LAN controllers. The Python script that calls the API returns a 200 OK response, but the SSID is not deployed. The script uses the POST /dna/intent/api/v1/ssid endpoint with a JSON body containing the SSID name and security settings. A day later, the SSID is still missing. The engineer checks the DNA Center GUI and sees the SSID in the 'Design' section but with a 'Provisioning Failed' status. Which step should the engineer take next to resolve the issue?

A. Re-run the same API call and ignore the 200 response
B. Use the 'Provision' API endpoint to deploy the SSID to the targeted sites
C. Delete the SSID and recreate it with a different name
D. Wait for the next scheduled provisioning cycle
Answer: B

A separate provision step is required to push the SSID to controllers.

Why this answer

The 200 OK response from the POST /dna/intent/api/v1/ssid endpoint only confirms that the API request was accepted and the SSID configuration was created in the DNA Center design database. It does not automatically trigger deployment to the wireless LAN controllers. The 'Provisioning Failed' status in the GUI indicates that the SSID was designed but not successfully deployed to the targeted sites.

To complete the deployment, the engineer must use the Intent API's 'Provision' endpoint (e.g., POST /dna/intent/api/v1/provision) to push the SSID configuration to the specific sites or devices, which is the missing step.

Exam trap

Cisco often tests the distinction between design and provisioning phases in the Intent API, and the trap here is that candidates assume a 200 OK response means the configuration is fully deployed, when in reality it only confirms the design was accepted.

How to eliminate wrong answers

Option A is wrong because re-running the same API call will only recreate the design object and return another 200 OK, but it will not trigger deployment; the provisioning step is separate and required. Option C is wrong because deleting and recreating the SSID with a different name does not address the root cause—the design object already exists, and the failure is in the provisioning workflow, not the SSID name. Option D is wrong because DNA Center does not have a scheduled provisioning cycle; provisioning is an explicit action that must be initiated via the API or GUI, and waiting will not resolve the issue.

10
MCQ · hard

A developer is implementing a Cisco Intersight API solution to manage multiple UCS domains. They receive an HTTP 403 Forbidden response when trying to create an organization. What is the most likely issue?

A. The request body is malformed
B. The user account does not have sufficient privileges
C. The API key is invalid
D. The organization already exists
Answer: B

403 means the server understands the request but refuses to authorize it.

Why this answer

An HTTP 403 Forbidden response indicates that the server understood the request but is refusing to authorize it. In the context of Cisco Intersight, this typically means the API key or user account associated with the request lacks the required privileges to perform the action, such as creating an organization. Only accounts with administrative or appropriate role-based access control (RBAC) permissions can create organizations.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure) and 403 (authorization failure) to trap candidates who confuse invalid credentials with insufficient privileges.

How to eliminate wrong answers

Option A is wrong because a malformed request body would typically result in a 400 Bad Request error, not a 403 Forbidden. Option C is wrong because an invalid API key would result in a 401 Unauthorized error, indicating authentication failure rather than authorization failure. Option D is wrong because attempting to create an organization that already exists would result in a 409 Conflict error, not a 403 Forbidden.

11
Multi-Select · hard

Which two statements about the Cisco DevNet Sandbox are true?

Select 2 answers
A. Sandboxes cannot be used for learning APIs
B. Sandboxes require a paid subscription for basic access
C. Sandboxes can be reserved for a fixed time period
D. Sandboxes provide always-on access to a limited set of devices
E. Sandboxes only support Cisco IOS XE devices
Answers: C, D

Many sandboxes require reservation.

Why this answer

Option C is correct because Cisco DevNet Sandboxes allow users to reserve a sandbox for a fixed time period, typically ranging from 2 to 4 hours, providing exclusive access to a pre-configured lab environment. This reservation model ensures that users have dedicated resources without contention, which is essential for testing APIs, automation scripts, or network configurations. The fixed-time reservation is a core feature of the DevNet Sandbox service, distinguishing it from always-on sandboxes.

Exam trap

Cisco often tests the distinction between 'always-on' sandboxes (which provide persistent but limited access) and 'reserved' sandboxes (which offer full, time-limited access), and candidates may incorrectly assume all sandboxes require payment or only support a single OS.

12
MCQ · easy

A Python script using the Cisco Meraki API must update the SSID settings for a network. Which HTTP method should be used to modify an existing SSID?

A. PUT
B. POST
C. DELETE
D. GET
Answer: A

PUT updates an existing resource.

Why this answer

To modify an existing SSID in the Cisco Meraki API, the HTTP PUT method is used because it performs an idempotent update of the resource at the specified URI. The Meraki API follows RESTful conventions where PUT replaces the entire representation of the SSID object, making it the correct choice for updating an existing SSID's settings (e.g., name, encryption, or splash page).

Exam trap

Cisco often tests the distinction between PUT and POST in REST APIs, and the trap here is that candidates mistakenly think POST can be used for updates because they confuse it with 'update' in general CRUD terminology, but POST is specifically for creation in RESTful design.

How to eliminate wrong answers

Option B (POST) is wrong because POST is used to create a new resource (e.g., add a new SSID to a network), not to update an existing one; using POST on an existing SSID would typically result in a 409 Conflict or create a duplicate. Option C (DELETE) is wrong because DELETE is used to remove an SSID entirely, not to modify its settings; calling DELETE on an SSID would remove it from the network. Option D (GET) is wrong because GET is a read-only method used to retrieve the current configuration of an SSID, not to change it.

13
MCQ · medium

A company uses Cisco DNA Center to manage their network. A developer wants to retrieve the overall health score of a specific site using the DNA Center REST API. Which API path should be used?

A. /dna/intent/api/v1/network-health
B. /dna/intent/api/v1/site-health
C. /dna/intent/api/v1/assurance/site
D. /dna/intent/api/v1/health-score
Answer: B

Correct endpoint for site health.

Why this answer

The correct API path to retrieve the overall health score of a specific site is /dna/intent/api/v1/site-health. This endpoint is part of the Cisco DNA Center Intent API and returns site-level health metrics, including overall health scores for network devices, clients, and applications at a given site. It is specifically designed to aggregate health data per site, unlike broader network-wide endpoints.

Exam trap

Cisco often tests the distinction between network-wide and site-specific health endpoints, and the trap here is that candidates confuse /dna/intent/api/v1/network-health (which returns overall network health) with the site-specific endpoint, or they invent plausible-sounding but non-existent paths like /health-score or /assurance/site.

How to eliminate wrong answers

Option A is wrong because /dna/intent/api/v1/network-health returns the overall network health score across all sites, not a specific site's health. Option C is wrong because /dna/intent/api/v1/assurance/site is not a valid Cisco DNA Center REST API path; the correct assurance-related endpoint for site health uses /site-health. Option D is wrong because /dna/intent/api/v1/health-score is not a valid endpoint; Cisco DNA Center uses specific resource paths like /site-health or /network-health, not a generic /health-score.

14
MCQ · medium

An engineer is troubleshooting a Cisco DNA Center API call that returns a 401 error. What is the most likely cause?

A. The authentication token has expired
B. The network device is unreachable
C. The request body is invalid
D. The API endpoint is incorrect
Answer: A

401 indicates missing or invalid authentication credentials.

Why this answer

A 401 Unauthorized error from the Cisco DNA Center API indicates that the request lacks valid authentication credentials. The most common cause is that the authentication token (JWT) obtained via the /dna/system/api/v1/auth/token endpoint has expired. Cisco DNA Center tokens have a default expiry of 60 minutes, after which the API rejects the request with a 401 status.

Exam trap

Cisco often tests the distinction between HTTP status codes (401 vs 400 vs 404 vs 502) to see if candidates understand that each code maps to a specific failure category in REST API interactions.

How to eliminate wrong answers

Option B is wrong because a network device being unreachable would typically result in a 502 Bad Gateway or 504 Gateway Timeout error from the API proxy, not a 401. Option C is wrong because an invalid request body usually produces a 400 Bad Request error, not a 401. Option D is wrong because an incorrect API endpoint typically returns a 404 Not Found error, as the server cannot route the request to a valid resource.

15
MCQ · easy

A developer is automating VLAN configuration on a Cisco switch using REST API. Which HTTP method should be used to create a new VLAN?

A. PUT
B. POST
C. GET
D. PATCH
E. DELETE
Answer: B

POST creates a new resource.

Why this answer

To create a new VLAN resource on a Cisco switch via REST API, the POST method is correct because it is designed to create a subordinate resource under a parent collection. In RESTful APIs, POST is used to send data to the server to create a new entity, such as a VLAN, and the server assigns a unique identifier (e.g., VLAN ID) to the new resource. This aligns with the RESTful principle for resource creation, as specified in RFC 7231.

Exam trap

Cisco often tests the distinction between POST and PUT, where candidates mistakenly choose PUT because they think it can 'create or update' a resource, but in REST APIs for Cisco devices, PUT requires a known resource URI and is not used for server-assigned creation of new VLANs.

How to eliminate wrong answers

Option A (PUT) is wrong because PUT is used to replace or update an existing resource at a specific URI, not to create a new resource with a server-assigned identifier; using PUT for creation would require the client to specify the exact VLAN ID in the URI, which is not the standard approach for creating a new VLAN. Option C (GET) is wrong because GET is a safe, idempotent method used only to retrieve existing resources, not to create or modify them. Option D (PATCH) is wrong because PATCH is used for partial modifications to an existing resource, such as changing the name of an existing VLAN, not for creating a new one.

Option E (DELETE) is wrong because DELETE is used to remove an existing resource, such as deleting a VLAN, and has no role in creation.

16
MCQ · hard

A company uses Cisco NSO to manage multiple network devices. They want to ensure that before deploying a configuration change, all devices are in sync with NSO's CDB. Which approach is the best practice?

A. Configure NSO to automatically sync devices when changes are detected
B. Run 'devices sync-from' on all devices before each deployment
C. Schedule a periodic sync every hour
D. Use the 'check-sync' action and only deploy if all devices are in sync
Answer: A

NSO can automatically sync devices via 'sync-from' triggered by device changes or periodic checks.

Why this answer

Option A is correct because NSO's automatic sync capability (via the 'devices sync' or 'sync-from' action triggered by device changes) ensures that the Configuration Database (CDB) remains the authoritative source of truth without manual intervention. This best practice eliminates the risk of deploying a change to devices that are out of sync, which could cause configuration drift or operational failures. NSO's NETCONF-based synchronization allows it to detect and reconcile differences between CDB and device running configurations automatically.

Exam trap

Cisco often tests the misconception that 'check-sync' is sufficient for safe deployments, but the trap is that it only verifies state without automatically resolving drift, which still requires a separate sync action to ensure CDB accuracy before deployment.

How to eliminate wrong answers

Option B is wrong because running 'devices sync-from' on all devices before each deployment is inefficient and disruptive, as it forces a full configuration pull from every device even if only a subset is out of sync, and it does not leverage NSO's ability to detect changes incrementally. Option C is wrong because scheduling a periodic sync every hour introduces a window of vulnerability where devices could become out of sync between sync intervals, and it does not guarantee that devices are in sync at the exact moment of deployment. Option D is wrong because using the 'check-sync' action only reports the sync status without automatically correcting out-of-sync devices; if a device is out of sync, the deployment would be blocked or proceed with stale data, requiring manual intervention to sync first, which defeats the purpose of an automated best practice.

17
Multi-Select · medium

Which THREE of the following are typically included in a Cisco DevNet sandbox environment? (Choose three.)

Select 3 answers
A. Ability to run production application traffic
B. Access to production customer data for realistic testing
C. Pre-configured Cisco devices (routers, switches, or firewalls)
D. A sample network topology with an IP plan
E. REST API endpoints for programmatic interaction
Answers: C, D, E

Sandboxes typically include virtual or physical Cisco devices for testing.

Why this answer

Option C is correct because Cisco DevNet sandboxes provide pre-configured Cisco devices (routers, switches, firewalls) to allow developers to test automation scripts and network configurations without needing physical hardware. These sandboxes are isolated environments that mirror production-like setups, enabling safe experimentation with device APIs and CLI commands.

Exam trap

Cisco often tests the distinction between sandbox environments and production systems, and the trap here is that candidates mistakenly assume sandboxes include real customer data or can handle production traffic, when in fact they are strictly for development and testing with simulated resources.

18
MCQ · hard

An engineer needs to troubleshoot a RESTCONF request that returns a 409 Conflict error when trying to modify a YANG data node. What is the most likely cause?

A. The data node is read-only
B. Authentication failure
C. The resource was modified by another client during the operation
D. The YANG model version mismatch
Answer: C

409 Conflict indicates a conflict with the current state.

Why this answer

A 409 Conflict error in RESTCONF specifically indicates a resource state conflict, typically caused by a YANG data store version mismatch detected via the 'if-match' header or ETag validation. When another client modifies the same resource between the time a client retrieves it and attempts to update it, the server rejects the request to prevent lost updates, enforcing optimistic locking as defined in RFC 8040.

Exam trap

Cisco often tests the distinction between HTTP status codes in RESTCONF, and the trap here is that candidates confuse a 409 Conflict with a generic 'modification failure' and incorrectly attribute it to permissions (401) or model issues (400/404), rather than recognizing it as a concurrency control mechanism.

How to eliminate wrong answers

Option A is wrong because a read-only data node would return a 405 Method Not Allowed or a 403 Forbidden, not a 409 Conflict, as RESTCONF explicitly rejects write operations on read-only nodes. Option B is wrong because authentication failure results in a 401 Unauthorized error, not a 409 Conflict, which is a resource state issue unrelated to credentials. Option D is wrong because a YANG model version mismatch would typically cause a 400 Bad Request or a 404 Not Found if the data node is unrecognized, not a 409 Conflict, which is specific to concurrent modification conflicts.

19
Multi-Select · easy

A developer is using Cisco Webex Teams REST API. Which two authentication methods are supported for bot accounts? (Choose two.)

Select 2 answers
A. OAuth2 with client credentials
B. Bearer Token
C. JWT
D. Basic Auth
E. API Key
Answers: A, B

OAuth2 client credentials grant is supported for server-to-server.

Why this answer

Option A is correct because OAuth2 with client credentials is the standard authentication flow for server-to-server communication, allowing a bot to authenticate without user interaction. Option B is correct because a Bearer Token, typically obtained via OAuth2, is used in the Authorization header of API requests to authenticate bot accounts in Cisco Webex Teams.

Exam trap

Cisco often tests the distinction between authentication methods supported for bots versus user accounts, and the trap here is that candidates may confuse JWT (used for guest access) or API Key (common in other APIs) with the OAuth2 token-based methods actually required for bot accounts.

20
MCQ · easy

A developer uses Cisco Intersight API to manage UCS servers. Which authentication method is required for Intersight API calls?

A. API key with HMAC signature
B. OAuth2 token from Webex
C. Session cookie
D. Basic authentication with username/password
Answer: A

Correct method.

Why this answer

Cisco Intersight API requires API key authentication with HMAC (Hash-Based Message Authentication Code) signing for all REST API calls. The developer generates an API key pair (private and public) in the Intersight GUI, then uses the private key to create an HMAC-SHA256 signature over the request headers and payload. This signature is included in the Authorization header, ensuring request integrity and non-repudiation without transmitting the secret key over the network.

Exam trap

Cisco often tests the distinction between web UI authentication (session cookies) and API authentication (HMAC keys), and candidates mistakenly choose session cookies because they are familiar from the Intersight web interface, forgetting that API calls require a different, stateless mechanism.

How to eliminate wrong answers

Option B is wrong because OAuth2 tokens from Webex are used for Cisco Webex API authentication, not for Intersight; Intersight does not support OAuth2 token exchange from Webex. Option C is wrong because session cookies are used for browser-based web UI sessions, not for programmatic API calls; Intersight API calls are stateless and require per-request authentication via HMAC signatures. Option D is wrong because basic authentication with username/password is not supported for Intersight API calls; it would expose credentials in plaintext and violates Intersight's security model, which mandates key-based HMAC signing.

21
MCQmedium

A network administrator uses the Cisco IOS XE CLI to configure a router. They want to use a Python script to automate this configuration via the guest shell. Which library should they use to interact with the CLI from within the guest shell?

A.cli
B.requests
C.ncclient
D.paramiko
AnswerA

The cli library allows Python to execute IOS XE commands.

Why this answer

The `cli` library is a built-in Python module available within the Cisco Guest Shell that allows scripts to execute IOS XE CLI commands directly on the host device. This library provides functions like `cli.execute()` and `cli.configure()` to send commands and retrieve output, making it the correct choice for automating configuration via the Guest Shell without external dependencies.

Exam trap

Cisco often tests the distinction between on-box automation (using the `cli` library) and off-box automation (using libraries like paramiko, ncclient, or requests), and the trap here is that candidates may assume any SSH library (paramiko) works for local Guest Shell interaction, not realizing the `cli` library is purpose-built for direct host communication.

How to eliminate wrong answers

Option B (requests) is wrong because it is an HTTP client library used for REST API calls, not for interacting with the native IOS XE CLI within the Guest Shell. Option C (ncclient) is wrong because it is a Python library for NETCONF, which uses XML-based YANG models over SSH, not the direct CLI interface. Option D (paramiko) is wrong because it is an SSH implementation for remote connections, but within the Guest Shell, the script runs locally on the device and does not need to SSH back into itself; the `cli` library provides direct, privileged access without additional authentication.

22
MCQhard

A developer is writing a Python script using the Cisco Webex Teams API to send a message to a specific room. The script works for some rooms but fails for others with a 404 error. What is the most likely reason?

A.The API rate limit has been exceeded for those rooms.
B.The access token is invalid for those rooms.
C.The bot does not have permission to send messages in those rooms.
D.The bot is not a member of those rooms.
AnswerD

Non-membership results in 404 when trying to send to a room.

Why this answer

The 404 error indicates that the resource (the room) was not found by the API. In the Cisco Webex Teams API, a bot can only interact with rooms it has been added to as a member. If the bot is not a member of a room, the API cannot locate the room from the bot's perspective, resulting in a 404 error.

This is the most common cause of intermittent 404 errors when the script works for some rooms but not others.

Exam trap

Cisco often tests the distinction between HTTP status codes (404 vs 403 vs 401) and their specific meanings in the context of API authorization and resource existence, leading candidates to confuse permission issues (403) with membership/visibility issues (404).

How to eliminate wrong answers

Option A is wrong because exceeding the API rate limit would return a 429 (Too Many Requests) error, not a 404. Option B is wrong because an invalid access token would cause a 401 (Unauthorized) error for all API calls, not just for specific rooms. Option C is wrong because permission issues (e.g., not having the 'send messages' scope) would typically result in a 403 (Forbidden) error, not a 404; the bot must be a member of the room to even be considered for permission checks.

23
Multi-Selecteasy

Which TWO of the following are common methods for authenticating to Cisco REST APIs? (Choose two.)

Select 2 answers
A.API Key
B.Certificate-based Authentication
C.NTLM Authentication
D.OAuth 2.0
E.Basic Authentication
AnswersA, D

API keys are a common authentication method for Cisco APIs such as Meraki and DNA Center.

Why this answer

API Key authentication (Option A) is a common method for Cisco REST APIs, such as those on Cisco DNA Center and Meraki, where a pre-generated key is included in the HTTP header (e.g., 'X-Cisco-Meraki-API-Key') to identify the client. OAuth 2.0 (Option D) is widely used in Cisco platforms like Webex Teams and Cisco DNA Center for delegated access, issuing a bearer token after an authorization flow. Both methods are officially supported and documented for Cisco REST API authentication.

Exam trap

Cisco often tests the distinction between 'common' and 'possible' authentication methods, leading candidates to select Basic Authentication (Option E) because it is widely known, even though Cisco REST APIs explicitly recommend against it in favor of API keys or OAuth 2.0.

24
MCQmedium

A developer is building a chatbot that retrieves interface status from a Cisco Catalyst 9000 switch using RESTCONF. Which authentication method is most appropriate for programmatic access?

A.HTTP Basic Authentication over HTTPS.
B.API key passed in the HTTP header.
C.OAuth 2.0 with client credentials grant.
D.Client certificate authentication.
AnswerA

RESTCONF on Cisco devices supports basic auth over HTTPS.

Why this answer

RESTCONF on Cisco Catalyst 9000 switches supports HTTP Basic Authentication over HTTPS as a straightforward, standards-based method for programmatic access. Basic authentication sends the username and password in the HTTP Authorization header, and when combined with HTTPS, the credentials are encrypted in transit, providing adequate security for device management without requiring additional infrastructure like an OAuth provider or certificate authority.

Exam trap

Cisco often tests the misconception that RESTCONF requires OAuth or API keys because it is a RESTful API, but in reality, IOS XE devices rely on traditional AAA and HTTP Basic Auth over HTTPS for programmatic access.

How to eliminate wrong answers

Option B is wrong because RESTCONF does not natively support API key authentication; API keys are typically used with REST APIs that have a dedicated key management system, not with NETCONF/RESTCONF on Cisco IOS XE. Option C is wrong because OAuth 2.0 with client credentials grant is not a standard authentication mechanism for RESTCONF on Catalyst 9000 switches; these devices use local or AAA-based authentication, not token-based OAuth flows. Option D is wrong because, while client certificate authentication is supported for HTTPS, it is not the most appropriate for simple programmatic access: it requires a PKI infrastructure and certificate management, adding complexity that is unnecessary for basic interface status retrieval.

25
MCQmedium

Refer to the exhibit. A Python script using RESTCONF sends a GET request to retrieve the interface configuration. The response is shown. What is the VLAN assigned to GigabitEthernet1/0/1?

A.10
B.1
C.100
D.20
AnswerA

The JSON clearly shows 'vlan': 10.

Why this answer

The correct answer is A (VLAN 10) because the RESTCONF GET response shows the native VLAN for GigabitEthernet1/0/1 is set to 10. In Cisco IOS-XE, the native VLAN is the VLAN assigned to an interface when it is in access mode, and the response explicitly includes the 'native-vlan' field with a value of 10 under the 'Cisco-IOS-XE-native:interface' hierarchy.

Exam trap

Cisco often tests whether candidates can distinguish between the 'native-vlan' field (which represents the access VLAN for an access port) and the default VLAN 1, leading many to incorrectly select VLAN 1 when the response clearly shows a different value.

How to eliminate wrong answers

Option B (VLAN 1) is wrong because VLAN 1 is the default VLAN on Cisco switches, but the RESTCONF response explicitly shows the native VLAN is 10, not 1. Option C (VLAN 100) is wrong because VLAN 100 is not referenced anywhere in the response; it might be a distractor for a trunk port scenario, but this interface is configured as an access port. Option D (VLAN 20) is wrong because VLAN 20 is not present in the response; the only VLAN value shown is 10 under the native-vlan field.

26
Multi-Selecteasy

Which TWO Cisco platforms provide comprehensive REST APIs for network configuration and monitoring?

Select 2 answers
A.Cisco ASA
B.Cisco IOS XE
C.Cisco ISE
D.Cisco Prime Infrastructure
E.Cisco DNA Center
AnswersB, E

Cisco IOS XE supports RESTCONF and NETCONF APIs for device configuration and monitoring.

Why this answer

Cisco DNA Center and Cisco IOS XE both have robust REST APIs. Cisco DNA Center provides a northbound intent API, and Cisco IOS XE supports RESTCONF and NETCONF for programmatic configuration. The other platforms have limited or no REST API for full configuration management.

27
MCQhard

During a migration from legacy to SD-Access, a network team wants to use Cisco DNA Center to automate policy deployment. They have defined a macro-level intent but need to ensure that the fabric devices are correctly configured. Which API call should they use to validate the fabric configuration?

A.PUT /dna/intent/api/v1/business/sda/fabric-device
B.POST /dna/intent/api/v1/business/sda/fabric-site
C.GET /dna/intent/api/v1/business/sda/fabric-site
D.GET /dna/intent/api/v1/business/sda/network-profile
AnswerC

Retrieves the fabric site configuration for validation.

Why this answer

The GET /dna/intent/api/v1/business/sda/fabric-site API call retrieves the current configuration of fabric sites, allowing the team to validate that fabric devices are correctly provisioned and associated with the intended site. This aligns with the intent-based API model where GET operations are used for validation and monitoring of deployed policies.

Exam trap

Cisco often tests the distinction between CRUD operations in intent APIs, and the trap here is that candidates confuse a POST (create) or PUT (update) with a GET (read/validate) when the question specifically asks for validation.

How to eliminate wrong answers

Option A is wrong because PUT /dna/intent/api/v1/business/sda/fabric-device is used to update or add a fabric device, not to validate existing configuration. Option B is wrong because POST /dna/intent/api/v1/business/sda/fabric-site creates a new fabric site, which is a deployment action rather than a validation step. Option D is wrong because GET /dna/intent/api/v1/business/sda/network-profile retrieves network profile definitions, not the actual fabric device configuration or site status.

28
MCQeasy

A Python script using the Cisco Meraki SDK fails with 'APIError: 429 Too Many Requests'. What action should the developer take?

A.Increase the timeout value
B.Change the HTTP method to POST
C.Use a different API key
D.Add a retry mechanism with exponential backoff
AnswerD

Standard best practice to handle rate limiting.

Why this answer

The HTTP 429 status code indicates rate limiting has been exceeded. The Meraki API enforces rate limits to protect its infrastructure, and the SDK's built-in retry mechanism with exponential backoff is the correct way to handle this, as it automatically waits increasing intervals between retries, respecting the Retry-After header if present.

Exam trap

Cisco often tests the distinction between handling rate limiting (429) versus handling request timeouts (408/504), so candidates mistakenly choose to increase the timeout value instead of implementing retry logic with backoff.

How to eliminate wrong answers

Option A is wrong because increasing the timeout value only extends how long the script waits for a single request to complete; it does not address the rate limit being exceeded. Option B is wrong because changing the HTTP method to POST does not affect rate limiting; the 429 error is about request frequency, not the method used. Option C is wrong because using a different API key does not resolve the rate limit issue; the new key would also be subject to the same rate limits, and the problem is the request rate, not authentication.

29
MCQhard

Refer to the exhibit. A developer sends a PUT request to the RESTCONF endpoint with the above JSON payload. The device already has interface GigabitEthernet1/0/1 configured with IP address 10.10.10.1/24. What is the expected outcome?

A.The request fails because the interface already exists.
B.The request creates a new interface with the same configuration.
C.The request fails because the JSON is malformed.
D.The request succeeds and the interface configuration remains unchanged.
AnswerD

PUT replaces the resource with the given data; since it matches, no change occurs but the operation succeeds.

Why this answer

D is correct because the PUT request to the RESTCONF endpoint with the provided JSON payload is an idempotent operation. Since the interface GigabitEthernet1/0/1 already exists with the exact same configuration (IP address 10.10.10.1/24), the PUT request effectively replaces the resource with the same data, resulting in no change. RESTCONF uses the HTTP PUT method to create or replace a resource, and if the resource already exists and the payload matches, the operation succeeds without modification.

Exam trap

Cisco often tests the misconception that PUT will fail or create a duplicate resource when the target already exists, but the correct behavior is that PUT replaces the resource idempotently, and if the data is identical, the configuration remains unchanged.

How to eliminate wrong answers

Option A is wrong because RESTCONF PUT is idempotent and does not fail when the resource already exists; it replaces the resource with the provided data, and if the data is identical, the configuration remains unchanged. Option B is wrong because PUT does not create a new interface when the resource already exists; it replaces the existing resource, and since the payload matches the current configuration, no new interface is created. Option C is wrong because the JSON payload is syntactically valid and correctly structured for a RESTCONF PUT request to modify an interface; there is no malformation.

30
MCQmedium

A developer has created a Webex Teams bot that listens for messages in a specific room and responds with information from an external database. The bot uses the Webex API's 'messages.create' method to post replies. During testing, the bot sometimes fails to respond, but no errors are logged. The developer checks the Webex Developer Portal and sees that the bot's rate limit is set to 10 requests per second. The bot's average load is 5 requests per second, but occasionally spikes to 15 requests per second for a few seconds. The developer wants to ensure the bot functions reliably without exceeding rate limits. Which approach should the developer implement?

A.Implement a request queue that limits outgoing requests to 10 per second and uses exponential backoff on failure.
B.Request a higher rate limit from the Webex API support team.
C.Catch HTTP 429 (Too Many Requests) errors and immediately retry the request.
D.Reduce the bot's overall request rate to 5 per second to stay well within the limit.
AnswerA

This ensures steady request rate and handles errors gracefully.

Why this answer

Option A is correct because implementing a request queue that limits outgoing requests to 10 per second and uses exponential backoff on failure ensures the bot respects the Webex API rate limit of 10 requests per second. The queue smooths out spikes (e.g., 15 req/s) by buffering excess requests, while exponential backoff handles any HTTP 429 responses gracefully by retrying after increasing delays, preventing further rate limit violations. This approach directly addresses the bot's intermittent failure without relying on external support or sacrificing functionality.

Exam trap

Cisco often tests the misconception that simply catching HTTP 429 errors and retrying immediately is sufficient, when in fact exponential backoff is required to avoid compounding the rate limit violation.

How to eliminate wrong answers

Option B is wrong because requesting a higher rate limit from the Webex API support team is not a standard practice for Webex Teams bots; rate limits are fixed per application and cannot be arbitrarily increased, and the developer should first optimize their bot's behavior rather than seeking a limit change. Option C is wrong because catching HTTP 429 errors and immediately retrying the request would likely trigger another 429 response, as the rate limit is still exceeded; proper handling requires a delay (e.g., via exponential backoff) before retrying. Option D is wrong because reducing the bot's overall request rate to 5 per second is an overreaction that unnecessarily limits the bot's throughput and does not address the occasional spikes to 15 req/s, which could still cause failures if not managed with queuing or backoff.
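The queue-plus-backoff approach from this question, which also covers the 429 handling in question 28, as an added example that is not part of the original question bank. `PacedSender`, `SimClock` and `FakeApi` are hypothetical names; the endpoint is a constructed stand-in that enforces 10 requests per second on a simulated clock, so the block runs offline and makes no Webex or Meraki calls.

```python
import random
import time
from collections import deque


class PacedSender:
    """Queue outgoing calls, release at most `rate` per second, back off on 429."""

    def __init__(self, send, rate=10, max_retries=5, base_delay=0.5,
                 max_delay=30.0, clock=time.monotonic, sleep=time.sleep,
                 jitter=random.random):
        self.send = send                # callable(item) -> (status, headers)
        self.rate = rate
        self.max_retries = max_retries
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        self.sleep = sleep
        self.jitter = jitter
        self.queue = deque()
        self.sent_at = deque()          # timestamps of the last `rate` sends

    def submit(self, item):
        self.queue.append(item)

    def _wait_for_slot(self):
        # Sliding window: send N+rate may not leave within 1 s of send N.
        if len(self.sent_at) == self.rate:
            wait = 1.0 - (self.clock() - self.sent_at[0])
            if wait > 0:
                self.sleep(wait)
            self.sent_at.popleft()
        self.sent_at.append(self.clock())

    def _backoff(self, attempt, headers):
        # Prefer the server's Retry-After; otherwise capped exponential delay
        # with jitter so several clients do not retry in lockstep.
        retry_after = headers.get("Retry-After")
        if retry_after is not None and str(retry_after).isdigit():
            return float(retry_after)
        ceiling = min(self.max_delay, self.base_delay * 2 ** attempt)
        return ceiling * (0.5 + 0.5 * self.jitter())

    def drain(self):
        """Send everything queued; return (item, final_status, attempts) tuples."""
        results = []
        while self.queue:
            item = self.queue.popleft()
            for attempt in range(self.max_retries + 1):
                self._wait_for_slot()   # retries are paced like first attempts
                status, headers = self.send(item)
                if status != 429:
                    break
                if attempt < self.max_retries:
                    self.sleep(self._backoff(attempt, headers))
            results.append((item, status, attempt + 1))
        return results


class SimClock:
    """Constructed clock: sleeping advances simulated time instantly."""

    def __init__(self):
        self.t = 0.0

    def now(self):
        return self.t

    def sleep(self, seconds):
        self.t += seconds


class FakeApi:
    """Constructed endpoint: accepts `limit` calls per second, else answers 429."""

    def __init__(self, clock, limit=10):
        self.clock, self.limit, self.accepted = clock, limit, []

    def __call__(self, item):
        now = self.clock.now()
        recent = [t for t in self.accepted if t > now - 1.0]
        if len(recent) >= self.limit:
            return 429, {"Retry-After": "1"}
        self.accepted.append(now)
        return 200, {}


def demo():
    # A burst of 25 messages through the paced queue (option A).
    clock = SimClock()
    paced = PacedSender(FakeApi(clock), rate=10, clock=clock.now, sleep=clock.sleep)
    for n in range(25):
        paced.submit(n)
    paced_results = paced.drain()

    # The same burst with no pacing and retries that never wait (option C).
    clock2 = SimClock()
    eager = PacedSender(FakeApi(clock2), rate=1000, clock=clock2.now,
                        sleep=lambda seconds: None)
    for n in range(25):
        eager.submit(n)
    eager_results = eager.drain()

    return {
        "paced_statuses": {status for _, status, _ in paced_results},
        "paced_max_attempts": max(a for _, _, a in paced_results),
        "paced_elapsed": clock.t,
        "immediate_retry_failed": sum(1 for _, s, _ in eager_results if s == 429),
    }


if __name__ == "__main__":
    print(demo())
```

In the simulated run the paced queue delivers all 25 messages in two seconds without a single 429, while the immediate-retry client exhausts its retries on the 15 messages beyond the first 10.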

31
MCQeasy

A developer is building a dashboard that displays the health status of network devices managed by Cisco ACI. The developer uses the ACI REST API to query the APIC (Application Policy Infrastructure Controller). The developer sends a GET request to https://apic-ip/api/class/fabricHealthInst.json, which returns a JSON object with health scores. The dashboard works for a small set of devices, but when scaled to 500 devices, the API responses become slower and sometimes time out. The developer needs to optimize the data retrieval to keep the dashboard responsive. Which approach should the developer use?

A.Break the request into multiple smaller requests, each fetching a subset of devices.
B.Add a query parameter to sort the results by health score to reduce processing time.
C.Switch from JavaScript to Python for the backend to handle larger responses more efficiently.
D.Use the ACI event subscription mechanism to receive health updates only when changes occur.
AnswerD

Subscriptions push updates, reducing the need for frequent polling.

Why this answer

Option D is correct because using bulk APIs or subscribing to events reduces the number of API calls and overhead. Option B is incorrect because sorting doesn't reduce data volume. Option C is incorrect because moving to Python doesn't inherently improve performance.

Option A is incorrect because splitting into many calls increases overhead.

32
Multi-Selecteasy

A software developer is using the Cisco Webex REST API and wants to filter messages by date range. Which two query parameters should be included? (Choose two.)

Select 2 answers
A.since
B.before
C.after
D.end
E.start
AnswersB, C

Used to specify the end date.

Why this answer

The Cisco Webex REST API uses the 'before' and 'after' query parameters to filter messages by date range. 'before' returns messages sent before a specified date/time, and 'after' returns messages sent after a specified date/time, allowing precise range-based filtering.

Exam trap

Cisco often tests the specific parameter names used in the Webex API (before/after) versus generic terms like start/end or since/until, catching candidates who assume common naming conventions from other platforms.

33
MCQeasy

An organization uses Cisco Intersight to manage UCS servers. They want to automate the firmware upgrade process. Which Intersight API should be used to trigger a firmware upgrade on a server?

A.POST /api/v1/ntp/Policies
B.POST /api/v1/equipment/Fex
C.POST /api/v1/fabric/EthNetworkPolicies
D.POST /api/v1/compute/Physical
AnswerD

Physical server resource supports firmware actions.

Why this answer

Option D is correct because the `/api/v1/compute/Physical` endpoint in Cisco Intersight is used to manage physical compute resources, including triggering firmware upgrades on UCS servers. By sending a POST request to this endpoint with the appropriate action payload (e.g., `"Action": "UpgradeFirmware"`), you can initiate a firmware upgrade on a specific server. This aligns with Intersight's RESTful API design for lifecycle management of UCS infrastructure.

Exam trap

The trap here is that candidates may confuse general management endpoints (like NTP policies or network policies) with the specific compute resource endpoint, assuming any POST to a policy-related API can trigger an action, when in fact only the compute resource endpoint supports firmware upgrade actions.

How to eliminate wrong answers

Option A is wrong because `POST /api/v1/ntp/Policies` is used to create or manage NTP (Network Time Protocol) policies, which control time synchronization settings, not firmware upgrades. Option B is wrong because `POST /api/v1/equipment/Fex` targets Fabric Extender (FEX) equipment, which handles port expansion and does not support firmware upgrade actions for servers. Option C is wrong because `POST /api/v1/fabric/EthNetworkPolicies` is for managing Ethernet network policies (e.g., VLAN, QoS) for fabric interconnects, not for triggering server firmware updates.

34
Matchingmedium

Match each CI/CD concept to its definition.

Concepts
Matches

Automatically build and test code changes

Automatically deploy to staging after CI

Automatically deploy to production after CI

Compile source code into artifacts

Sequence of automated steps for delivery

Why these pairings

Core CI/CD concepts in DevOps.

35
Multi-Selectmedium

Which TWO of the following are characteristics of Model-Driven Programmability with YANG models?

Select 2 answers
A.YANG models define a hierarchical data tree.
B.YANG models are only used with the Python library ncclient.
C.NETCONF and RESTCONF use YANG models to manipulate device configurations.
D.The controller directly pushes configurations to network devices without validation.
E.NETCONF requires JSON encoding for configuration data.
AnswersA, C

YANG models represent data as a tree structure.

Why this answer

Option A is correct because YANG models define a hierarchical data tree structure that organizes configuration and state data in a parent-child relationship, mirroring the structure of the device's operational and configuration data. This hierarchical representation allows for precise, path-based access to individual data nodes, which is fundamental to model-driven programmability.

Exam trap

Cisco often tests the misconception that YANG models are tied to a single protocol or encoding format, leading candidates to incorrectly associate YANG exclusively with NETCONF or JSON.

36
MCQeasy

A developer needs to retrieve the list of devices from a Meraki network using the Meraki Dashboard API. Which HTTP method and endpoint should be used?

A.POST /networks/{networkId}/devices
B.GET /devices
C.GET /organizations/{organizationId}/networks
D.GET /networks/{networkId}/devices
AnswerD

Correct endpoint.

Why this answer

Option D is correct because the Meraki Dashboard API uses RESTful conventions: to retrieve a list of devices within a specific network, you send a GET request to the endpoint `/networks/{networkId}/devices`. This follows the standard pattern of using GET for read operations and scoping the resource under the network identifier.

Exam trap

Cisco often tests the distinction between GET and POST for read vs. create operations, and the trap here is that candidates may confuse the endpoint for listing networks (`/organizations/{organizationId}/networks`) with the endpoint for listing devices, or assume a top-level `/devices` path exists without understanding the hierarchical resource model.

How to eliminate wrong answers

Option A is wrong because POST is used to create resources, not retrieve them; sending a POST to `/networks/{networkId}/devices` would attempt to add a new device, not list existing ones. Option B is wrong because `/devices` is not a valid top-level endpoint in the Meraki API; device resources are always nested under a network or organization context. Option C is wrong because `/organizations/{organizationId}/networks` returns a list of networks, not devices; it retrieves the networks within an organization, which is a different resource entirely.

37
MCQeasy

A system administrator wants to use the Cisco Intersight API to collect hardware inventory from a set of UCS servers managed by Intersight. The administrator needs to retrieve the serial numbers, memory, and CPU information. The administrator has an API key with the appropriate permissions. The administrator uses a Python script with the requests library to send a GET request to https://intersight.com/api/v1/compute/PhysicalSummaries. The request returns HTTP 200 with a list of objects. However, each object only contains the 'Moid' and 'Name' fields; the serial number and hardware details are missing. What should the administrator do to get the full inventory details?

A.Change the endpoint to /api/v1/compute/PhysicalSummary?details=true.
B.Add the '?expand=*' query parameter to the request to include all fields.
C.Use the 'Moid' from each summary object to send individual GET requests to /api/v1/compute/PhysicalSummaries/{Moid} for full details.
D.Generate a new API key with broader permissions.
AnswerC

This retrieves the full object with all fields, including serial number and hardware details.

Why this answer

Option C is correct because the `/api/v1/compute/PhysicalSummaries` endpoint returns a list of summary objects containing only the 'Moid' and 'Name' fields by design. To retrieve the full hardware inventory details (serial numbers, memory, CPU), the administrator must use the 'Moid' from each summary object to send individual GET requests to the specific resource endpoint `/api/v1/compute/PhysicalSummaries/{Moid}`. This is a common RESTful API pattern where list endpoints provide lightweight summaries, and full details require fetching each resource individually.

Exam trap

Cisco often tests the misconception that adding a query parameter like `?expand=*` or `?details=true` will magically include all fields in a list response, when in reality the correct approach is to fetch individual resources by their unique identifier (Moid).

How to eliminate wrong answers

Option A is wrong because the endpoint `/api/v1/compute/PhysicalSummary?details=true` does not exist; Intersight API does not support a `details` query parameter on this endpoint, and the correct endpoint for full details is the individual resource endpoint using the Moid. Option B is wrong because the `?expand=*` query parameter is not a valid parameter in the Intersight REST API; Intersight uses a different mechanism (e.g., `$select` or `$expand` in OData-style queries) but `expand=*` is not supported and would be ignored or cause an error. Option D is wrong because the API key permissions are not the issue—the administrator already has appropriate permissions (as stated), and the missing fields are due to the endpoint design, not authorization.

38
MCQmedium

A university IT department manages a Cisco Meraki network with 200 MR access points and 50 MS switches. They use the Meraki dashboard API to automate network provisioning. A new student dormitory was added, and the team needs to create a new network and claim devices. They have a Python script that uses the Meraki API to create the network and then claim devices by serial numbers. The script successfully creates the network but fails when claiming devices with a 400 error: 'Device serial number is not valid or already claimed'. The serial numbers are correct and unused. The API key has full organization access. The script uses the endpoint 'POST /networks/{networkId}/devices/claim' with the correct body. What is the most likely cause of the failure?

A.The API key does not have permission to claim devices.
B.The serial numbers contain a typo.
C.The devices have not been added to the organization's inventory first.
D.The devices are not Meraki MR or MS models.
AnswerC

Devices must be claimed into the organization before being assigned to a network.

Why this answer

Option C is correct because in the Meraki API workflow, devices must first be added to the organization's inventory via the 'POST /organizations/{organizationId}/inventory/devices' endpoint before they can be claimed into a specific network. The 400 error 'Device serial number is not valid or already claimed' occurs when the serial numbers are not present in the organization's inventory, even if they are correct and unused. The script successfully creates the network but fails at the claim step because the devices have not been inventoried at the organization level.

Exam trap

Cisco often tests the distinction between organization-level inventory and network-level claiming, trapping candidates who assume that claiming a device automatically adds it to the organization's inventory or that a valid serial number is sufficient without prior inventory registration.

How to eliminate wrong answers

Option A is wrong because the API key has full organization access, which includes permission to claim devices; a permission issue would typically result in a 403 Forbidden error, not a 400 error. Option B is wrong because the question explicitly states that the serial numbers are correct and unused, so a typo is not the cause. Option D is wrong because the devices are MR and MS models, which are supported by the Meraki dashboard API for claiming; the error message does not indicate an unsupported model.

39
MCQhard

Refer to the exhibit. A service engineer runs a 'check-sync' action on the NSO service 'vpn1'. The result shows 'out-of-sync' for device 'pe1'. What does this indicate?

A.The device pe1 is unreachable via NETCONF.
B.The service model in NSO does not have a configuration for pe1.
C.The device pe1 has a hardware failure.
D.The configuration on pe1 differs from the service model defined in NSO.
AnswerD

Check-sync compares device config with service model.

Why this answer

The 'check-sync' action in NSO compares the actual device configuration (retrieved via NETCONF or CLI) against the configuration that NSO's service model expects. An 'out-of-sync' result for device 'pe1' means the running configuration on pe1 does not match the configuration defined by the NSO service model for that device. This is a standard NSO feature to detect configuration drift.

Exam trap

The trap here is confusing 'out-of-sync' with connectivity or hardware issues; Cisco tests whether you understand that NSO's check-sync is a configuration comparison mechanism, not a reachability or health check.

How to eliminate wrong answers

Option A is wrong because 'out-of-sync' does not indicate reachability; if pe1 were unreachable via NETCONF, the check-sync action would fail with a connection error, not return 'out-of-sync'. Option B is wrong because if the service model had no configuration for pe1, NSO would not attempt a check-sync on that device, or the result would indicate 'no configuration' rather than 'out-of-sync'. Option C is wrong because hardware failures are not detected by NSO's configuration synchronization mechanism; NSO operates at the configuration management layer, not the hardware monitoring layer.

40
MCQhard

A developer is using Cisco NSO to create a service. They are evaluating whether to use Python or Java for plan callbacks. Which consideration is most important?

A.Java is preferred due to better integration with NSO's internal data model
B.Python is the only supported language for custom service code in NSO
C.Both are equally supported, but Python has more extensive libraries for networking
D.Python is preferred due to faster execution
AnswerC

Python's rich ecosystem and readability make it a common choice.

Why this answer

Option C is correct because Cisco NSO supports both Python and Java for plan callbacks, and the choice between them often hinges on the developer's familiarity and the specific requirements of the service. Python is particularly favored in many networking contexts due to its extensive ecosystem of libraries (e.g., for NETCONF, RESTCONF, or SNMP), which can accelerate development. However, Java is equally supported and may be chosen for performance-critical or deeply integrated components within NSO's Java Native Interface (JNI).

Exam trap

Cisco often tests the misconception that Python is the only or primary language for NSO customizations, when in fact both Python and Java are fully supported, and the choice depends on factors like library availability and developer expertise, not exclusivity or raw performance.

How to eliminate wrong answers

Option A is wrong because Java does not have inherently better integration with NSO's internal data model; both Python and Java interact with NSO's CDB and service models through well-defined APIs (e.g., Python's ncs module and Java's Maapi/TransAPI). Option B is wrong because Python is not the only supported language for custom service code; NSO explicitly supports both Python and Java for plan callbacks and action implementations. Option D is wrong because Python is generally slower in execution than Java (due to being interpreted vs. compiled), so faster execution is not a valid reason to prefer Python.

41
MCQeasy

Based on the exhibit, which interface is in a down/down state (both Status and Protocol are down)?

A.None
B.GigabitEthernet0/2
C.GigabitEthernet0/0
D.GigabitEthernet0/1
AnswerD

Gig0/1 shows Status down and Protocol down.

Why this answer

Option D is correct because the exhibit shows that GigabitEthernet0/1 has both Status and Protocol listed as 'down'. In Cisco IOS, the 'Status' column indicates the line protocol state (Layer 1), and the 'Protocol' column indicates the data link layer state (Layer 2). When both are 'down', the interface is administratively down or has a physical layer issue, such as a disconnected cable or a shutdown command.

Exam trap

Cisco often tests the ability to read the 'show interfaces' output correctly, where candidates may confuse the 'Status' and 'Protocol' columns or misinterpret an 'up/up' state as a problem, leading them to select a wrong interface like GigabitEthernet0/0 or GigabitEthernet0/2.

How to eliminate wrong answers

Option A is wrong because the exhibit clearly shows at least one interface (GigabitEthernet0/1) with both Status and Protocol down, so 'None' is incorrect. Option B is wrong because GigabitEthernet0/2 shows Status as 'up' and Protocol as 'up', indicating a fully operational interface. Option C is wrong because GigabitEthernet0/0 shows Status as 'up' and Protocol as 'up', meaning it is also fully functional.

42
MCQhard

A developer wants to automate the provisioning of a UCS server using Cisco Intersight. Which authentication method is recommended for programmatic access?

A.Basic authentication with username and password
B.API Key with HMAC signing
C.Session token from Intersight UI
D.OAuth2 with client credentials
AnswerB

Intersight recommends API keys with HMAC signing for automated access.

Why this answer

Cisco Intersight recommends API key authentication with HMAC signing for programmatic access because it provides a secure, non-interactive method for automation scripts and tools. The API key consists of a key ID and a secret, and each request must include an HMAC signature generated from the request details, ensuring integrity and authenticity without exposing static credentials over the network.

Exam trap

Cisco often tests the distinction between interactive (session-based) and non-interactive (API key) authentication, leading candidates to mistakenly choose session tokens or basic auth because they are familiar from other Cisco platforms like UCS Manager or APIC.

How to eliminate wrong answers

Option A is wrong because basic authentication transmits the username and password in plaintext (Base64-encoded) with each request, which is insecure and not recommended for programmatic access to Intersight. Option C is wrong because a session token obtained from the Intersight UI is tied to a user session and requires interactive login, making it unsuitable for automated, headless provisioning workflows. Option D is wrong because OAuth2 with client credentials is not the standard or recommended method for Intersight; Intersight uses API key-based HMAC signing as its primary programmatic authentication mechanism.

43
MCQmedium

A developer writes a Python script using ncclient to retrieve the running configuration from a Cisco IOS XE device. The script fails with an XML parsing error. What is the most likely cause?

A.The script is not filtering the output correctly and receives multiple root elements
B.The device does not support NETCONF
C.The ncclient library version is too old
D.The username and password are incorrect
AnswerA

If multiple root elements are returned (e.g., unfiltered), the XML parser will throw an error.

Why this answer

The most likely cause is that the script does not filter the NETCONF reply to a specific subtree, so the device returns multiple top-level XML elements (e.g., both <native> and <config>). An XML parser expects a single root element, and receiving multiple roots triggers a parsing error. ncclient's `get_config` with no filter can return the entire configuration as separate elements, violating XML well-formedness.

Exam trap

Cisco often tests the subtle requirement that NETCONF replies must be well-formed XML with a single root element, and candidates mistakenly think the error is due to connectivity or authentication rather than the missing filter.

How to eliminate wrong answers

Option B is wrong because if the device did not support NETCONF, the script would fail with a connection or capability exchange error, not an XML parsing error. Option C is wrong because an outdated ncclient library might cause missing features or deprecation warnings, but it would not directly produce an XML parsing error from a valid reply. Option D is wrong because incorrect credentials would result in an authentication failure (e.g., 'AuthenticationException' or connection refused), not an XML parsing error.

44
MCQmedium

Refer to the exhibit. Which statement correctly describes this subscription configuration?

A.It subscribes to YANG-push notifications for interface state data.
B.It pushes interface operational status changes to a receiver using UDP.
C.It uses XML encoding for the telemetry data.
D.The receiver is configured to listen on port 2000 using TCP.
AnswerA

Correct description.

Why this answer

Option A is correct because the subscription configuration uses YANG-push notifications to stream interface state data. The presence of a subscription ID, a YANG-push filter (e.g., 'ietf-interfaces:interfaces-state'), and a destination group (e.g., '10.1.1.1:2000') indicates that the device is configured to push telemetry data for interface operational state changes to a receiver using the YANG-push model, which is a standard mechanism for streaming data from network devices.

Exam trap

Cisco often tests the distinction between subscription configuration details (e.g., destination IP/port) and the actual transport protocol or encoding used, leading candidates to incorrectly assume that a port number implies a specific protocol (like UDP) or that YANG-push always uses XML encoding.

How to eliminate wrong answers

Option B is wrong because YANG-push notifications typically use TCP (e.g., gRPC or NETCONF) or UDP with DTLS for secure transport, but the subscription configuration does not specify UDP; the destination port 2000 is commonly used for gRPC or custom telemetry receivers, not necessarily UDP. Option C is wrong because YANG-push telemetry data is typically encoded in JSON or CBOR, not XML, unless explicitly configured for NETCONF-based subscriptions; the exhibit shows no XML encoding specification. Option D is wrong because the receiver is not configured to listen on port 2000 using TCP; the subscription defines the destination IP and port (10.1.1.1:2000) for the telemetry data to be sent to, but the receiver's listening protocol (TCP or UDP) is not specified in the subscription configuration.

45
MCQhard

You are a DevNet engineer responsible for automating configuration management across a Cisco SD-WAN fabric. You have been using the vManage REST API to retrieve device inventory and template lists. You generate an API token with read/write scope and successfully execute GET requests to /dataservice/device and /dataservice/template/device to list devices and templates. Now you want to attach a specific template to a device using POST /dataservice/template/device/config/attach. Your Python script uses the correct URL and includes the token in the Authorization header. The request body contains the device UUID and template UUID retrieved earlier. However, the API returns an HTTP 403 Forbidden error. You have verified that the device UUID and template UUID are correct and that the template exists. The vManage server logs indicate no high resource usage. What is the most likely cause of the 403 error?

A.The vManage version does not support the attach API.
B.The template is already attached to the device.
C.The device is not part of any template group.
D.The API token has been issued only with read scope for the attach operation.
AnswerB

If the template is already attached, the API would return a 409 Conflict or 400 Bad Request, not 403.

Why this answer

An HTTP 403 Forbidden error indicates the server understood the request but refuses to authorize it. Since the token worked for GET requests but not for the POST attach operation, the most likely cause is insufficient privileges. The token may have been generated with read-only scope for the attach operation, or the token's scope explicitly denied write access to this API.

The other options are less likely: device group membership does not affect authorization; template already attached would yield a 400 or 409; version incompatibility would give a 404 or 501.

46
MCQeasy

A developer is creating an application that uses the Cisco Webex Teams API to send messages. What authentication method is typically used?

A.Session cookies
B.Basic Auth
C.OAuth 2.0
D.API Key
AnswerC

OAuth 2.0 is the standard for Webex API.

Why this answer

The Cisco Webex Teams API uses OAuth 2.0 as its primary authentication method for applications that need to act on behalf of a user. OAuth 2.0 provides delegated access via access tokens, allowing the application to send messages without exposing user credentials. This is the standard for modern REST APIs that require secure, scoped access.

Exam trap

The trap here is that candidates confuse API Keys with OAuth 2.0 tokens, assuming a simple key is sufficient, but Webex Teams requires the OAuth 2.0 flow for user-specific actions like sending messages, not just a static key.

How to eliminate wrong answers

Option A is wrong because session cookies are used for stateful web applications, not for REST API authentication in Webex Teams, which is stateless and token-based. Option B is wrong because Basic Auth transmits credentials in plaintext (Base64-encoded) and is not supported by the Webex Teams API due to security concerns. Option D is wrong because API Keys are typically used for server-to-server or service account access, but the Webex Teams API requires OAuth 2.0 tokens for user-delegated actions like sending messages.

47
MCQeasy

A network developer wants to quickly prototype an application that interacts with a Cisco Catalyst 9000 switch using REST APIs. What is the most appropriate resource to use?

A.Cisco DevNet Sandbox
B.Cisco DNA Center
C.Cisco Unified Communications Manager
D.Cisco Prime Infrastructure
AnswerA

Cisco DevNet Sandbox provides free, always-on labs with pre-configured devices for development and testing.

Why this answer

Cisco DevNet Sandbox provides free, cloud-hosted lab environments with pre-configured Cisco Catalyst 9000 switches that expose REST APIs (e.g., RESTCONF over HTTPS). This allows a developer to quickly prototype and test applications without needing physical hardware or complex setup, making it the most appropriate resource for rapid prototyping.

Exam trap

Cisco often tests the distinction between a development sandbox (DevNet) and production management platforms (DNA Center, Prime Infrastructure), expecting candidates to recognize that rapid prototyping requires a lightweight, accessible environment rather than a full-scale orchestration tool.

How to eliminate wrong answers

Option B (Cisco DNA Center) is wrong because it is a centralized network management platform that abstracts device-level APIs and is overkill for prototyping a single switch interaction; it requires additional infrastructure and licensing. Option C (Cisco Unified Communications Manager) is wrong because it is a voice and video communications platform, not a resource for interacting with Catalyst 9000 switch REST APIs. Option D (Cisco Prime Infrastructure) is wrong because it is a legacy network management tool that does not provide direct REST API access to Catalyst 9000 switches and is not designed for rapid prototyping.

48
Drag & Dropmedium

Drag and drop the steps to use Git to commit and push code changes to a remote repository into the correct order.

Why this order

Typical workflow: stage, commit, pull to sync, resolve conflicts, then push.

49
MCQmedium

A developer needs to retrieve interface configuration from a Cisco IOS XE device using NETCONF. Which operation should be used?

A.<get> with filter
B.<delete-config>
C.<edit-config>
D.<get-config> with filter
AnswerD

Correct operation for configuration retrieval.

Why this answer

To retrieve interface configuration from a Cisco IOS XE device using NETCONF, the <get-config> operation with a filter is the correct choice. <get-config> retrieves the running configuration datastore, and the filter (typically an XML subtree filter) narrows the response to only the interface subtree, avoiding unnecessary data. This is the standard NETCONF operation for reading configuration data, as defined in RFC 6241.

Exam trap

Cisco often tests the distinction between <get> and <get-config>, where candidates mistakenly choose <get> because it sounds like 'get configuration,' but <get> returns both config and state data, which is not the correct operation for retrieving only configuration.

How to eliminate wrong answers

Option A is wrong because <get> retrieves both configuration and state data from the device, which is not limited to configuration and may include operational status, making it less precise for retrieving only interface configuration. Option B is wrong because <delete-config> is used to delete a configuration datastore (e.g., the candidate datastore), not to retrieve configuration; it would remove the interface configuration entirely. Option C is wrong because <edit-config> is used to modify or create configuration, not to retrieve it; it would attempt to change the interface configuration rather than read it.

50
MCQmedium

A network automation script uses the Cisco DNAC Python SDK (dnacentersdk) to retrieve devices. Which method correctly lists all devices?

A.dnac.get_devices()
B.dnac.devices.get_device_list()
C.dnac.sites.get_site_devices()
D.dnac.devices.list_devices()
AnswerB

Correct method.

Why this answer

Option B is correct because the Cisco DNAC Python SDK (dnacentersdk) uses a hierarchical method structure where the `devices` resource is accessed via `dnac.devices`, and the `get_device_list()` method is the exact SDK call to retrieve all devices from the Cisco DNA Center. This matches the official SDK documentation and the REST API endpoint `/dna/intent/api/v1/network-device`.

Exam trap

Cisco often tests the exact method naming conventions in the SDK, and the trap here is that candidates confuse the generic Python list concept (e.g., `list_devices()`) with the SDK's actual method name (`get_device_list()`), or they assume a top-level method exists without the resource hierarchy.

How to eliminate wrong answers

Option A is wrong because `dnac.get_devices()` is not a valid method in the dnacentersdk; the SDK requires resource-specific access (e.g., `dnac.devices`), and calling a top-level method like this would raise an AttributeError. Option C is wrong because `dnac.sites.get_site_devices()` retrieves devices associated with a specific site, not all devices in the network, and is intended for site-scoped queries. Option D is wrong because `dnac.devices.list_devices()` does not exist in the SDK; the correct method name is `get_device_list()`, and using `list_devices()` would result in a method-not-found error.

51
MCQhard

A developer is building a Webex Teams bot that monitors network alerts from Cisco DNA Assurance. The bot must authenticate to the Webex API. Which authentication method should be used?

A.Basic authentication with username/password
B.Session ID cookie
C.OAuth2 client credentials grant with bot token
D.API key in query string
AnswerC

Correct method for Webex bots.

Why this answer

Webex Teams bots require OAuth2 client credentials grant to obtain a bot token, which is a long-lived, scoped token that authenticates the bot without user interaction. This method is designed for server-to-server communication, matching the bot's need to post messages and listen for events via the Webex API. Basic authentication, session cookies, and API keys are not supported or appropriate for bot authentication in Webex.

Exam trap

Cisco often tests the distinction between user-based authentication (OAuth2 authorization code grant) and bot/application authentication (client credentials grant), leading candidates to mistakenly choose Basic auth or API keys due to familiarity with older APIs.

How to eliminate wrong answers

Option A is wrong because Webex API does not support Basic authentication with username/password for bots; bots are not user accounts and require token-based auth. Option B is wrong because session ID cookies are used for browser-based user sessions, not for bot or API authentication, and Webex API does not issue session cookies for bots. Option D is wrong because Webex API does not accept API keys in query strings; it uses Bearer tokens in the Authorization header, and query string keys are insecure and not part of the OAuth2 flow.

52
MCQhard

A DevOps team is implementing a CI/CD pipeline for network services using Cisco NSO (Network Services Orchestrator). They have a Python script that uses the NSO RESTCONF API to create a new VPN service instance. The script passes all integration tests in the staging environment, but when deployed to production, the 'POST' request to /api/run/vpn-service returns a 500 Internal Server Error. The team checks the NSO logs and finds the error 'Error: No such device: device-xr-1'. The production NSO instance manages multiple devices, and device-xr-1 is one of them. The team confirms device-xr-1 is reachable and managed by NSO in the production environment. What is the most likely cause of this error?

A.The production NSO instance uses a different authentication method for device-xr-1.
B.The device configuration in NSO is out of sync; a sync-from is needed before service creation.
C.The YANG service model expects a device name that does not match the device's name in NSO's device list.
D.The production NSO instance has insufficient memory to handle the request.
AnswerC

The service template likely uses a device reference that conflicts with the actual device name.

Why this answer

The error 'No such device: device-xr-1' indicates that the YANG service model references a device name that does not match the actual device name configured in NSO's device list. Even though device-xr-1 is reachable and managed by NSO, the service model's 'device' leaf expects a specific name (e.g., 'xr-1' or 'device-xr-1-prod'), and the mismatch causes NSO to fail when trying to map the service to the device. This is a common issue when service YANG models are developed with hardcoded or environment-specific device names that differ between staging and production.

Exam trap

Cisco often tests the distinction between device reachability/authentication errors and device name mismatches in NSO service models, where candidates mistakenly assume a connectivity or sync issue when the actual problem is a YANG model reference mismatch.

How to eliminate wrong answers

Option A is wrong because authentication methods (e.g., SSH keys, passwords) are configured per device in NSO's device list and would cause a connection failure (e.g., 'Authentication failed'), not a 'No such device' error. Option B is wrong because a sync-from operation addresses configuration drift between NSO and the actual device state, but the error here is about the device name not being found in NSO's device list, not about out-of-sync configuration. Option D is wrong because insufficient memory would typically manifest as a timeout or out-of-memory exception in NSO logs, not a specific 'No such device' error referencing a device name.

53
MCQhard

A network automation script using Ansible with the cisco.ios.ios_config module fails with "Unsupported parameters for (cisco.ios.ios_config) module: src." What is the most likely issue?

A.The Ansible version is too old
B.The inventory file has incorrect credentials
C.The network device is unreachable
D.The module does not support 'src' parameter; it should use 'lines'
AnswerD

The ios_config module uses 'lines' for configuration commands.

Why this answer

The error message 'Unsupported parameters for (cisco.ios.ios_config) module: src' indicates that the 'src' parameter is not a valid parameter for the cisco.ios.ios_config module. In Ansible, the correct parameter to specify configuration lines directly is 'lines', not 'src'. The 'src' parameter is used by other modules like ios_config (from the older ansible.netcommon collection) or for file-based configuration, but the cisco.ios.ios_config module expects configuration content via 'lines' or 'parents'.

Exam trap

Cisco often tests the specific parameter names of modules in the cisco.ios collection versus the older ansible.netcommon collection, trapping candidates who assume 'src' works universally across all configuration modules.

How to eliminate wrong answers

Option A is wrong because an outdated Ansible version might cause missing modules or features, but the error specifically points to an unsupported parameter, not a missing module; the module exists but the parameter is invalid. Option B is wrong because incorrect credentials in the inventory file would result in authentication or connection failures (e.g., 'invalid username/password' or 'unable to connect'), not a parameter validation error. Option C is wrong because an unreachable network device would produce a timeout or connection refused error, not a module parameter error; the error occurs before any connection attempt during parameter validation.

54
Multi-Selecthard

A developer needs to authenticate to the Cisco SD-WAN vManage API. Which two steps are required to obtain a session token?

Select 2 answers
A.POST j_username and j_password to the /j_security_check endpoint.
B.GET the /dataservice/client/token endpoint.
C.Provide an API key in the HTTP header.
D.POST credentials to the /authenticate endpoint.
E.Use OAuth2 client credentials grant.
AnswersA, B

First step for JSESSIONID.

Why this answer

Option A is correct because the Cisco SD-WAN vManage API uses a form-based authentication mechanism where credentials (j_username and j_password) are submitted via a POST request to the /j_security_check endpoint. This endpoint validates the credentials and, upon success, returns a JSESSIONID cookie that serves as the session token for subsequent API calls. Option B is correct because after obtaining the JSESSIONID, a GET request to /dataservice/client/token is required to retrieve an XSRF token, which must be included in the header of all subsequent requests to prevent cross-site request forgery attacks.

Exam trap

Cisco often tests the distinction between the initial credential submission endpoint (/j_security_check) and the token retrieval endpoint (/dataservice/client/token), leading candidates to mistakenly think a single POST to /authenticate is sufficient or that OAuth2 is used.

55
Drag & Dropmedium

Drag and drop the steps to configure a new VLAN on a Cisco switch into the correct order.

Why this order

VLAN creation requires global config mode; ports are assigned after the VLAN exists.

56
MCQmedium

A network administrator wants to use Ansible to automate the configuration of a Cisco IOS-XE device. Which module is designed for this purpose?

A.cisco.ios.ios_config
B.cisco.nxos.nxos_config
C.ansible.netcommon.network_config
D.cisco.asa.asa_config
AnswerA

Specifically designed for Cisco IOS/IOS-XE devices.

Why this answer

The cisco.ios.ios_config module is specifically designed for managing Cisco IOS and IOS-XE device configurations via Ansible. It supports idempotent configuration updates using CLI commands, allowing the administrator to push, merge, or replace configuration snippets on the target device. This module is part of the Cisco IOS collection and directly interacts with the device's CLI to apply configuration changes.

Exam trap

Cisco often tests the candidate's ability to match the correct module to the specific device OS, so the trap here is that candidates may choose the generic ansible.netcommon.network_config module, thinking it works universally, without realizing that dedicated OS-specific modules provide better reliability and feature support.

How to eliminate wrong answers

Option B is wrong because cisco.nxos.nxos_config is designed for Cisco NX-OS devices (e.g., Nexus switches), not IOS-XE. Option C is wrong because ansible.netcommon.network_config is a platform-agnostic module that requires a specific network_cli or netconf connection plugin and does not provide the IOS-XE-specific CLI handling or idempotent behavior of the dedicated ios_config module. Option D is wrong because cisco.asa.asa_config is intended for Cisco ASA firewalls, which run a different operating system (ASA OS) and use a distinct command syntax compared to IOS-XE.

57
Multi-Selecthard

A network developer is using Cisco NSO to manage multi-vendor devices. Which three are valid approaches to handle device-specific differences? (Choose three.)

Select 3 answers
A.Write custom Python code in the service model
B.Use YANG data models to abstract device specifics
C.Use SNMP MIBs for all configurations
D.Configure each device manually through CLI
E.Use NEDs (Network Element Drivers) for each vendor
AnswersA, B, E

Python callbacks can implement vendor-specific logic.

Why this answer

Option A is correct because Cisco NSO allows developers to write custom Python code within the service model to handle device-specific logic, such as translating abstract service parameters into vendor-specific CLI or NETCONF commands. This approach provides flexibility to accommodate non-standard configurations that cannot be expressed purely through YANG models or NEDs.

Exam trap

Cisco often tests the misconception that SNMP MIBs are a primary tool for configuration management in NSO, when in fact NSO uses NEDs and YANG models for configuration abstraction, and SNMP is typically limited to read-only monitoring.

58
MCQmedium

When making API calls to Cisco DNA Center, a developer receives a 401 Unauthorized error. The token was obtained using the token API endpoint. What is the most likely reason?

A.The request body contains invalid JSON
B.The token has expired
C.The API base URL is incorrect
D.The HTTP header for Accept is missing
AnswerB

Tokens have an expiration time; expired tokens cause 401.

Why this answer

A 401 Unauthorized error when using a token obtained from the token API endpoint most commonly indicates that the token has expired. Cisco DNA Center tokens have a configurable Time-To-Live (TTL), typically defaulting to 1 hour, after which the token becomes invalid and must be refreshed via the /dna/system/api/v1/auth/token endpoint.

Exam trap

Cisco often tests the distinction between authentication errors (401) and other HTTP errors (400, 404, 406) to see if candidates understand that a valid but expired token still returns 401, not a different status code.

How to eliminate wrong answers

Option A is wrong because invalid JSON in the request body would typically result in a 400 Bad Request error, not a 401 Unauthorized. Option C is wrong because an incorrect API base URL would cause a connection failure (e.g., DNS resolution error or 404 Not Found), not a 401 status code. Option D is wrong because a missing Accept header might lead to a 406 Not Acceptable or a default response format, but it does not trigger authentication failure.

59
Multi-Selectmedium

Which TWO are benefits of using model-driven programmability (e.g., NETCONF/RESTCONF) over traditional CLI scripting for network automation?

Select 2 answers
A.Reduces network latency because it uses a lighter protocol.
B.Requires no additional learning beyond CLI commands.
C.Easier to debug because it uses the same syntax as CLI.
D.Data is structured and machine-readable (e.g., XML/JSON).
E.Allows network devices to be managed using any programming language with HTTP libraries.
AnswersD, E

Model-driven APIs return structured data.

Why this answer

Option D is correct because model-driven programmability with NETCONF/RESTCONF uses structured data formats like XML or JSON, which are machine-readable. This eliminates the need for screen-scraping or parsing CLI output, making automation scripts more reliable and easier to maintain. Structured data also enables consistent validation and integration with other systems.

Exam trap

Cisco often tests the misconception that model-driven programmability is just a 'new way to type CLI commands,' but the key benefit is the use of structured, machine-readable data (XML/JSON) and protocol-level operations that decouple automation from device-specific CLI syntax.

60
MCQeasy

A Python script uses the Cisco Meraki API to fetch the list of organizations. The script fails with a 401 HTTP status. What is the most likely cause?

A.The API key is invalid or missing.
B.The API request exceeded the rate limit.
C.The API key does not have permission to list organizations.
D.The API endpoint URL is incorrect.
AnswerA

401 Unauthorized means authentication failure.

Why this answer

A 401 HTTP status indicates 'Unauthorized', which in the context of the Meraki API means the request lacks valid authentication credentials. The most common cause is an invalid or missing API key, as the Meraki API requires a valid API key in the `X-Cisco-Meraki-API-Key` header for all requests.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure) and 403 (authorization failure), and candidates frequently confuse these status codes, especially when the API key is valid but lacks permissions for a specific resource.

How to eliminate wrong answers

Option B is wrong because a rate limit exceeded would return a 429 HTTP status (Too Many Requests), not 401. Option C is wrong because permission issues (e.g., insufficient scope) typically result in a 403 Forbidden status, not 401 Unauthorized. Option D is wrong because an incorrect endpoint URL would return a 404 Not Found or a different error, not a 401; the 401 specifically points to authentication failure, not routing issues.

61
MCQeasy

Refer to the exhibit. Which key-value pair indicates whether this Meraki MR is currently connected to the cloud?

A."serial": "Q2XX-XXXX-XXXX"
B."lanIp": "192.168.1.100"
C."status": "online"
D."model": "MR42"
AnswerC

Correct indicator.

Why this answer

The 'status' key with the value 'online' directly indicates that the Meraki MR access point is currently connected to the Meraki cloud. In the Meraki dashboard API response, the 'status' field reflects the device's cloud connectivity state, where 'online' means the device has an active connection to the Meraki cloud controller.

Exam trap

Cisco often tests the distinction between network-layer connectivity (like having an IP address) and application-layer connectivity to the cloud, leading candidates to mistakenly choose 'lanIp' as the indicator of cloud connection.

How to eliminate wrong answers

Option A is wrong because 'serial' is a unique hardware identifier for the device and does not indicate cloud connectivity status. Option B is wrong because 'lanIp' shows the local IP address assigned to the device on the LAN, which can be present even if the device is offline or disconnected from the cloud. Option D is wrong because 'model' specifies the hardware model (e.g., MR42) and has no bearing on the device's current cloud connection state.

62
MCQmedium

Based on the exhibit, what is the purpose of the 'vpn' field in the route object?

A.It is an optional field that sets the VPN label
B.It defines the transport VPN for traffic from this VPN
C.It specifies the VPN that the route belongs to
D.It specifies the VPN ID of the next hop
AnswerD

The next hop is reachable via the specified VPN.

Why this answer

In Cisco NSO (Network Services Orchestrator) and similar routing contexts, the 'vpn' field in a route object specifies the VPN ID of the next hop, not the route's own VPN. This is critical for inter-VPN routing, where a route in one VPN must point to a next hop that resides in a specific VPN to ensure proper forwarding across VPN boundaries. The correct answer is D because the field identifies the VPN context of the next-hop address, enabling the route to be resolved correctly in multi-VPN environments.

Exam trap

Cisco often tests the distinction between a route's own VPN context and the VPN of its next hop, and the trap here is that candidates mistakenly think the 'vpn' field identifies the route's own VPN (Option C) rather than the next hop's VPN, because they overlook the fact that the route's VPN is already defined by the containing VRF or service model.

How to eliminate wrong answers

Option A is wrong because the 'vpn' field is not optional for setting a VPN label; VPN labels are typically assigned via MPLS label operations or separate label-switching configurations, not via a route object's 'vpn' field. Option B is wrong because it does not define the transport VPN for traffic from this VPN; transport VPNs are defined by separate VRF or MPLS transport constructs, not by a per-route field. Option C is wrong because it does not specify the VPN that the route belongs to; the route's own VPN is usually implied by the VRF or routing context in which the route is defined, not by a field pointing to a next-hop VPN.

63
Multi-Selecthard

A developer is using a REST API and receives HTTP status codes. Which two codes indicate a client-side error that the developer should fix? (Choose two.)

Select 2 answers
A.401 Unauthorized
B.500 Internal Server Error
C.400 Bad Request
D.200 OK
E.404 Not Found
AnswersA, C

401 indicates missing or invalid authentication.

Why this answer

A 401 Unauthorized status code indicates that the request lacks valid authentication credentials for the target resource. This is a client-side error because the developer must provide correct credentials (e.g., API key, OAuth token) or fix the authentication header in the request. A 400 Bad Request status code means the server cannot process the request due to malformed syntax, invalid request message framing, or deceptive request routing — all issues the developer must correct on the client side.

Exam trap

Cisco often tests the distinction between client-side (4xx) and server-side (5xx) errors, and the trap here is that 404 Not Found is also a client-side error, but the question asks for two specific codes (401 and 400) that directly indicate the developer must fix the request, not just that the resource is missing.

64
MCQeasy

A network engineer needs to automate the configuration of VLANs across 50 switches. Which approach best follows Cisco’s recommended practices for programmability?

A.Write an Ansible playbook using the ios_vlan module to configure VLANs on all switches.
B.Use a REST API on each switch to push the VLAN configuration individually.
C.Use a Python script that manually SSHes into each switch and applies CLI commands.
D.Configure all VLANs via SNMP MIBs.
AnswerA

Ansible with idempotent modules is a best practice for network automation.

Why this answer

Option A is correct because Ansible's ios_vlan module is purpose-built for automating VLAN configuration on Cisco IOS devices, aligning with Cisco's recommended practices for programmability by using a declarative, agentless automation tool that abstracts the underlying CLI and ensures idempotent configuration across multiple switches.

Exam trap

Cisco often tests the misconception that REST APIs are universally available on all network devices, but in reality, many legacy switches lack REST API support, making Ansible (which uses SSH/CLI abstraction) the more practical and recommended choice for multi-vendor or mixed-platform environments.

How to eliminate wrong answers

Option B is wrong because most Cisco switches do not expose a native REST API for VLAN configuration; REST APIs are typically available on newer platforms like IOS-XE via NETCONF/RESTCONF, but using them individually on each switch is inefficient and not a scalable approach for 50 switches. Option C is wrong because manually SSHing into each switch with a Python script is a legacy, non-programmable approach that lacks idempotency, error handling, and scalability, and does not follow Cisco's recommended practices for network automation. Option D is wrong because SNMP MIBs for VLAN configuration (like BRIDGE-MIB or Q-BRIDGE-MIB) are outdated, cumbersome, and not recommended for modern automation; they require complex OID manipulation and lack the declarative, idempotent capabilities of tools like Ansible.

65
MCQmedium

Refer to the exhibit. Which Cisco DNA Center Intent API request produced this response?

A.GET /dna/intent/api/v1/network-device/{id}
B.GET /dna/intent/api/v1/network-device
C.POST /dna/intent/api/v1/network-device
D.PUT /dna/intent/api/v1/network-device/{id}
AnswerA

This would return a single object, not an array.

Why this answer

The response is an array (list) of network devices, indicating a GET request to the collection endpoint. A GET request to the specific device endpoint would return a single object, not an array. POST and PUT do not return such arrays.

66
MCQeasy

A network engineer needs to automate the configuration of VLANs on a set of Cisco switches using Ansible. Which API should be targeted to ensure idempotent configuration updates?

A.NETCONF/YANG
B.REST API of Cisco DNA Center
C.SNMP
D.CLI with SSH
AnswerA

NETCONF/YANG supports idempotent operations through data model validation and transaction support.

Why this answer

NETCONF/YANG is the correct choice because NETCONF provides a transactional, lock-based mechanism that ensures idempotent configuration updates—applying the desired state exactly once without side effects from repeated runs. YANG models define the VLAN configuration structure, allowing Ansible to compare the current device state against the desired state and only push changes when necessary, which is the essence of idempotency.

Exam trap

Cisco often tests the misconception that CLI with SSH is sufficient for automation, but the trap here is that CLI commands are not idempotent by default—candidates overlook the need for a structured, transactional protocol like NETCONF to guarantee repeatable, safe configuration updates.

How to eliminate wrong answers

Option B is wrong because the REST API of Cisco DNA Center is a controller-based intent API that abstracts device-level configuration; it is not designed for direct, idempotent per-device VLAN updates and introduces dependency on the DNA Center controller. Option C is wrong because SNMP is a polling-based monitoring protocol that lacks transactional semantics and write operations for VLAN configuration are not idempotent—repeated SETs can cause duplicate entries or errors. Option D is wrong because CLI with SSH is imperative and stateful; running the same VLAN configuration commands multiple times can result in duplicate VLANs or errors, and there is no built-in mechanism to compare current vs. desired state without custom scripting.

67
MCQhard

Refer to the exhibit. A developer receives this response when attempting to send a PATCH request to modify a YANG data node via RESTCONF. What is the most likely cause?

A.The resource does not exist
B.The authentication token is expired
C.The YANG model is not supported
D.The JSON payload is malformed
AnswerD

The error-tag 'malformed-message' indicates JSON syntax error.

Why this answer

A PATCH request to modify a YANG data node via RESTCONF returns a 400 Bad Request status when the JSON payload is malformed. RESTCONF (RFC 8040) requires the request body to conform to the YANG module's data model; if the JSON syntax is invalid or the data does not match the schema (e.g., missing required fields, incorrect data types), the server rejects the request with a 400 error. The 400 status code specifically indicates a client-side error in the request payload, not an authentication or resource existence issue.

Exam trap

Cisco often tests the distinction between HTTP status codes for RESTCONF errors, and the trap here is that candidates confuse a 400 Bad Request (payload issue) with a 404 Not Found (resource missing) or a 401 Unauthorized (auth issue), especially when the question describes a 'modify' operation that might imply the resource exists.

How to eliminate wrong answers

Option A is wrong because a 400 Bad Request does not indicate a missing resource; a nonexistent resource would return a 404 Not Found. Option B is wrong because an expired authentication token would result in a 401 Unauthorized or 403 Forbidden, not a 400. Option C is wrong because an unsupported YANG model would cause a 501 Not Implemented or a 404 if the model is not available, not a 400 Bad Request.

68
MCQeasy

A developer wants to use Cisco Webex Teams API to send a message to a specific room. Which of the following request JSON body fields is required?

A."toPersonId"
B."toPersonEmail"
C."roomId"
D."text"
AnswerC

Required to specify the target room.

Why this answer

The Cisco Webex Teams API requires the 'roomId' field in the request body to identify the specific room where the message will be sent. Without this field, the API cannot determine the destination, and the request will fail with a 400 Bad Request error. The 'roomId' is a mandatory parameter for sending messages to a room, as documented in the Webex API reference.

Exam trap

Cisco often tests the distinction between room messages and direct messages, and the trap here is that candidates may assume 'text' is required because it is the most obvious content field, but the API allows messages without text (e.g., only a file), making 'roomId' the only truly required field for room-targeted messages.

How to eliminate wrong answers

Option A is wrong because 'toPersonId' is used to send a direct message to a specific person, not to a room, and is not required when targeting a room. Option B is wrong because 'toPersonEmail' is also for direct messages to a person by email address, and is mutually exclusive with 'roomId' for room messages. Option D is wrong because 'text' is optional; the message can be sent with other content types like markdown or file attachments, and the API does not require a 'text' field.

69
MCQeasy

A developer wants to use Cisco Modeling Labs (CML) API to control a lab session. Which base URL structure is correct for the CML REST API?

A.https://cml-server/labapi/v1
B.https://cml-server/api/v0
C.https://cml-server/api/v2
D.https://cml-server/rest/v1
AnswerB

Correct base URL for CML API.

Why this answer

The correct base URL for the Cisco Modeling Labs (CML) REST API is `https://cml-server/api/v0`. This is the documented and stable endpoint for interacting with CML lab sessions, including starting, stopping, and managing topologies. The `/api/v0` path is specific to CML and reflects its API versioning scheme, which differs from other Cisco platforms like DNA Center or Meraki.

Exam trap

Cisco often tests the specific API versioning and base URL patterns for each platform (CML vs. DNA Center vs. Meraki), and the trap here is confusing the `/api/v0` of CML with the more common `/api/v2` of DNA Center or `/rest/v1` of Meraki.

How to eliminate wrong answers

Option A is wrong because `/labapi/v1` is not a valid base URL for CML; it resembles the legacy API path used in Cisco VIRL (the predecessor to CML), not the current CML REST API. Option C is wrong because `/api/v2` is the base URL for Cisco DNA Center's REST API, not CML. Option D is wrong because `/rest/v1` is the base URL for Cisco Meraki's REST API, which uses a different versioning and resource structure.

70
MCQhard

Based on the exhibit, what is the most likely reason for the connection timeout?

A.The URL is incorrect; the correct endpoint is /api/system/v1/auth/token
B.The username and password are invalid, causing the server to drop the connection
C.The verify=False parameter causes SSL handshake failure and timeout
D.The network is not able to reach the sandbox server due to firewall or DNS issues
AnswerD

Connection timeout indicates network unreachability.

Why this answer

The connection timeout indicates that the client cannot establish a TCP connection to the server at all. This is most likely caused by a network-level issue such as a firewall blocking the port or DNS resolution failure, which prevents the HTTP request from reaching the sandbox server. Options A, B, and C would produce different HTTP error responses (e.g., 404, 401, or SSL certificate errors), not a timeout.

Exam trap

Cisco often tests the distinction between network-level failures (timeout) and application-level errors (HTTP status codes), trapping candidates who confuse a timeout with authentication or SSL issues.

How to eliminate wrong answers

Option A is wrong because an incorrect URL would result in an HTTP 404 Not Found error, not a connection timeout. Option B is wrong because invalid credentials would return an HTTP 401 Unauthorized response after the TCP connection is established, not a timeout. Option C is wrong because the verify=False parameter disables SSL certificate verification; it does not cause an SSL handshake failure—rather, it allows the handshake to proceed even with an invalid certificate, so a timeout would not occur from this parameter alone.

71
MCQmedium

A DevOps team is building a CI/CD pipeline that configures Cisco NX-OS switches. They want to use model-driven telemetry to stream operational data. Which protocol should they use for on-change telemetry?

A.SSH
B.gRPC
C.HTTP
D.SNMP
AnswerB

gRPC is used for model-driven telemetry.

Why this answer

gRPC (Google Remote Procedure Call) is the correct protocol for on-change telemetry on Cisco NX-OS because it supports a publish-subscribe model where the switch pushes data only when a monitored value changes, reducing bandwidth and CPU overhead. This is defined in the Cisco MDT (Model-Driven Telemetry) framework, which uses gRPC with Protobuf encoding for efficient streaming of YANG-modeled operational data.

Exam trap

Cisco often tests the distinction between push-based (gRPC) and pull-based (SNMP, HTTP) protocols, trapping candidates who confuse SNMP traps (which are event-driven but not model-driven) with true on-change telemetry.

How to eliminate wrong answers

Option A (SSH) is wrong because SSH is a secure shell protocol used for CLI access and command execution, not for streaming telemetry; it lacks the push-based, subscription-driven mechanism required for on-change telemetry. Option C (HTTP) is wrong because HTTP is a request-response protocol that requires polling, which is inefficient for real-time on-change updates and does not natively support the bidirectional streaming or Protobuf encoding used in Cisco MDT. Option D (SNMP) is wrong because SNMP is a pull-based protocol that relies on polling or traps, but traps are event-driven and not designed for the structured, model-driven, on-change streaming of YANG-modeled data that gRPC provides.

72
Multi-Selectmedium

A DevOps engineer is configuring a CI/CD pipeline that uses Cisco DNA Center API to deploy network configurations. Which two best practices should be followed? (Choose two.)

Select 2 answers
A.Use a single API call for all changes
B.Disable SSL verification for faster execution
C.Store API credentials in environment variables
D.Implement retry logic for API calls
E.Use hardcoded API keys in scripts
AnswersC, D

Keeps secrets out of code and version control.

Why this answer

Storing API credentials in environment variables (Option C) is a security best practice because it prevents hardcoding secrets in source code, which could be exposed in version control. This approach aligns with the principle of least privilege and is recommended for CI/CD pipelines interacting with Cisco DNA Center API, as it allows credentials to be managed externally and rotated without code changes.

Exam trap

Cisco often tests the misconception that disabling SSL verification speeds up execution, but in reality, the overhead is negligible, and the security risk makes it unacceptable in any production pipeline.

73
MCQhard

A developer is integrating a Webex Teams bot with an external system using the Webex API. The bot receives an HTTP POST callback from Webex every time a message is posted in a monitored space. The developer notices that sometimes the callback includes a 'data' object with 'actorId', but other times the 'actorId' is missing. The bot needs to log the identity of the person who posted the message. What should the developer do to reliably obtain the sender's identity?

A.Request additional OAuth scopes to include the actorId in the callback payload.
B.Filter callbacks by the verb 'posted' to ensure the actorId is included.
C.Use the 'createdBy' field from the message details API as a fallback when 'actorId' is missing.
D.Check the 'resource' field in the callback to determine if it is a 'messages' event; only messages events include actorId.
AnswerD

The resource field indicates the object type; actorId is always present for messages events.

Why this answer

Option D is correct because the Webex API callback payload includes the 'actorId' only for certain event types. Specifically, when the 'resource' field is 'messages' and the 'event' field is 'created', the 'actorId' is guaranteed to be present, representing the user who posted the message. Filtering by the 'resource' field ensures the bot processes only message creation events, reliably obtaining the sender's identity.

Exam trap

Cisco often tests the distinction between webhook callback payload fields (like 'resource' and 'event') versus API response fields, leading candidates to confuse the callback structure with the API data model.

How to eliminate wrong answers

Option A is wrong because OAuth scopes control access to API endpoints, not the structure of webhook callback payloads; the 'actorId' is included based on the event type, not scopes. Option B is wrong because the 'verb' field does not exist in Webex webhook callbacks; the relevant field is 'event', and filtering by 'event' as 'created' alone does not guarantee 'actorId' is present—it depends on the 'resource' type. Option C is wrong because the 'createdBy' field is not a standard field in the Webex Messages API; the correct field to retrieve the sender is 'personId' or 'personEmail' via a GET request to the messages endpoint, and using a non-existent field as a fallback would fail.

74
MCQhard

A team is building a CI/CD pipeline for network automation. They want to use Cisco Modeling Labs (CML) to validate configuration changes before production. What is the best approach to integrate CML into the pipeline?

A.Use the pyATS framework to connect to CML and run tests
B.Create a permanent topology in CML for each branch
C.Use Ansible to provision CML nodes directly
D.Use CML's REST API to start a simulation, apply changes, run tests, then tear down
AnswerD

Dynamically starting and stopping simulations ensures clean, isolated testing.

Why this answer

D is correct because CML provides a REST API that allows programmatic lifecycle management of simulations. Integrating this API into a CI/CD pipeline enables the pipeline to dynamically create an isolated test environment, apply configuration changes, run validation tests, and then tear down the simulation to free resources. This approach ensures repeatability, isolation, and efficient resource usage, which are critical for automated network validation.

Exam trap

Cisco often tests the distinction between tools that manage device configuration (Ansible, pyATS) versus tools that manage the simulation environment itself (CML API), leading candidates to pick a tool they know well instead of the correct integration method.

How to eliminate wrong answers

Option A is wrong because pyATS is a test automation framework that can connect to network devices to run tests, but it does not manage CML simulation lifecycles; it would require the simulation to already be running and accessible. Option B is wrong because creating a permanent topology for each branch wastes CML resources and defeats the purpose of ephemeral, on-demand test environments that CI/CD pipelines require. Option C is wrong because Ansible can provision and configure network devices, but it cannot directly control CML simulations; it would need to interact with CML's API or use a module that wraps the API, making the direct statement inaccurate.

75
MCQmedium

A developer is using the Meraki Dashboard API to programmatically change the SSID name of a wireless network. The developer successfully authenticates with an API key and sends a PUT request to /networks/{networkId}/wireless/ssids/{number} with a JSON body containing the updated name. The API returns a 200 OK response, but the SSID name does not change in the Meraki Dashboard. The developer double-checks the networkId and SSID number, and they are correct. The developer also confirms that the API key has full write access to the network. What additional step is most likely required?

A.After the PUT request, send a POST request to /networks/{networkId}/wireless/ssids/{number}/provision to apply the change.
B.Use a PATCH request instead of PUT to update the SSID.
C.Log out of the Meraki Dashboard and re-login to see the change.
D.Regenerate the API key and try again with the new key.
AnswerA

Some Meraki SSID changes require a separate provision API call to take effect.

Why this answer

The Meraki Dashboard API requires an explicit provisioning step to apply configuration changes to SSIDs. After a successful PUT request to update the SSID name, the developer must send a POST request to /networks/{networkId}/wireless/ssids/{number}/provision to push the change to the access points. The 200 OK response only confirms the API accepted the update, but the change is not applied until the provisioning endpoint is called.

Exam trap

Cisco often tests the misconception that a 200 OK response from a PUT request means the change is fully applied, when in fact the Meraki API requires an additional provisioning step to push the configuration to devices.

How to eliminate wrong answers

Option B is wrong because the Meraki Dashboard API supports PUT for full resource updates, and PATCH is not required; the issue is not the HTTP method but the missing provisioning step. Option C is wrong because logging out and back into the Meraki Dashboard does not trigger the provisioning of SSID changes; the API change must be explicitly applied via the provision endpoint. Option D is wrong because the API key has full write access and the authentication is successful; regenerating the key does not address the missing provisioning call.
