CCNA Cisco Platforms Questions

17 of 92 questions · Page 2/2 · Cisco Platforms topic · Answers revealed

76
MCQ · medium

An Ansible playbook using the ios_config module fails with the error 'unable to open connection'. The network device is reachable via SSH from the Ansible control node. What is the most likely cause?

A. The device has an invalid username and password
B. The Ansible user does not have privilege level 15 on the device
C. The SSH key exchange algorithm is not supported by the device
D. The ios_config module requires NETCONF instead of SSH
Answer: C

Unsupported key exchange algorithm causes SSH connection failure.

Why this answer

The error 'unable to open connection' indicates that Ansible cannot establish an SSH session with the device, even though the device is reachable. Since the device is reachable via SSH from the control node, the most likely cause is a mismatch in SSH key exchange algorithms, where the device only supports older algorithms (e.g., diffie-hellman-group1-sha1) that are not enabled by default in modern SSH clients. This is a common issue when connecting to legacy Cisco IOS devices that lack updated SSH configurations.

Exam trap

Cisco often tests the distinction between SSH transport errors (key exchange, ciphers) and authentication/authorization errors, leading candidates to incorrectly blame credentials or privilege levels when the actual issue is a cryptographic algorithm mismatch.

How to eliminate wrong answers

Option A is wrong because invalid username/password would typically produce an 'Authentication failed' or 'Permission denied' error, not 'unable to open connection', which occurs before authentication. Option B is wrong because privilege level 15 is required for executing configuration commands, not for establishing the SSH connection itself; a lower privilege level would cause a different error like 'privilege level is not sufficient'. Option D is wrong because the ios_config module uses SSH (via CLI) by default, not NETCONF; NETCONF is used by the ios_netconf module, and the error message is specific to SSH connection failure.

77
MCQ · hard

Refer to the exhibit. A developer receives this response from Cisco DNA Center API. What is the most likely cause and solution?

A. The token is expired; generate a new one using /dna/system/api/v1/auth/token.
B. The API path is incorrect; verify the endpoint URL.
C. The request body is malformed; check JSON syntax.
D. The user does not have permission; request admin to grant access.
Answer: A

Correct diagnosis and solution.

Why this answer

The HTTP 401 Unauthorized response indicates that the request lacks valid authentication credentials. In Cisco DNA Center API, tokens are short-lived (default 1 hour) and must be refreshed via POST /dna/system/api/v1/auth/token. The error is not about the endpoint, body syntax, or RBAC permissions — it specifically means the token used is expired or invalid.

Exam trap

Cisco often tests the distinction between HTTP 401 (authentication failure) and 403 (authorization failure) — candidates confuse these two status codes, especially when the question involves API tokens.

How to eliminate wrong answers

Option B is wrong because a 401 error is an authentication issue, not a routing or endpoint issue; an incorrect API path would return a 404 Not Found. Option C is wrong because a malformed JSON body would return a 400 Bad Request, not 401. Option D is wrong because insufficient permissions (RBAC) would return a 403 Forbidden, not 401 Unauthorized.

78
MCQ · hard

A large enterprise operates a multi-vendor network with Cisco routers and switches, as well as Juniper devices. The network team uses Ansible for automation, with a centralized control node running RHEL. They have been using the 'ios_config' module for Cisco devices and 'junos_config' for Juniper devices. Recently, they added a new Cisco Catalyst 9300 switch to the network. They wrote a playbook to configure VLAN 100 on the switch, but the task fails with the error: 'module_stderr: Could not find platform module for Cisco IOS XE'. The playbook uses the 'cisco.ios.ios_config' module. The control node has the 'cisco.ios' collection installed (version 2.0.0). The target switch runs IOS XE 16.12.3. The control node can SSH to the switch successfully. Which action will most likely resolve the issue?

A. Upgrade the 'cisco.ios' Ansible collection to the latest version.
B. Configure the switch to allow SSH connections from the control node IP.
C. Use the 'raw' module instead of 'ios_config' to send CLI commands directly.
D. Install Python 3.8 on the control node and update the ansible.cfg to use it.
Answer: A

Older collection versions may lack support for newer IOS XE versions.

Why this answer

The error 'Could not find platform module for Cisco IOS XE' indicates that the installed 'cisco.ios' collection (version 2.0.0) does not include a module or plugin that supports the IOS XE platform for the target switch. Upgrading the collection to the latest version ensures compatibility with IOS XE 16.12.3, as newer releases add support for newer platforms and OS versions.

Exam trap

Cisco often tests the misconception that SSH connectivity or Python version is the root cause, when the real issue is a missing or outdated collection that lacks platform support for the specific OS version.

How to eliminate wrong answers

Option B is wrong because the control node can already SSH to the switch successfully, so SSH connectivity is not the issue. Option C is wrong because using the 'raw' module bypasses the structured module logic and would not resolve the missing platform module error; it also loses idempotency and error handling. Option D is wrong because Python 3.8 is not required for the 'cisco.ios' collection (which works with Python 3.6+), and the error is about a missing platform module, not a Python version incompatibility.

79
MCQ · easy

A developer wants to send a message to a specific Webex Teams room using the REST API. Which HTTP method and endpoint should be used?

A. POST /rooms/{roomId}/messages
B. POST /messages
C. PUT /messages
D. GET /rooms/{roomId}/messages
Answer: B

POST to /messages with roomId in body sends a message.

Why this answer

The correct endpoint to send a message to a specific Webex Teams room is POST /messages, because the Webex REST API uses a single messages resource for creating new messages. The room ID is included in the request body as a JSON parameter, not in the URL path. This design follows RESTful conventions where POST is used to create a resource, and the /messages endpoint accepts the roomId field to target the desired space.

Exam trap

Cisco often tests the misconception that resources must be nested in the URL path (e.g., /rooms/{roomId}/messages) when the API actually uses a flat endpoint with the identifier in the request body, leading candidates to choose Option A.

How to eliminate wrong answers

Option A is wrong because POST /rooms/{roomId}/messages is not a valid Webex REST API endpoint; the API does not nest messages under rooms in the URL path. Option C is wrong because PUT /messages is not supported; the Webex API uses PUT only for updating existing resources, and messages cannot be updated after creation. Option D is wrong because GET /rooms/{roomId}/messages retrieves existing messages from a room, but the developer wants to send (create) a new message, which requires a POST request.

80
MCQ · hard

A script using the Meraki Python library fails with an error 'Rate limit exceeded'. The developer needs to handle this. Which approach is correct?

A. Increase the sleep interval between requests and implement exponential backoff.
B. Reduce the number of API calls by caching responses.
C. Use a different API endpoint to avoid the limit.
D. Request a higher rate limit from Meraki support.
Answer: A

Standard rate limiting handling.

Why this answer

Option A is correct because the Meraki API enforces rate limits per organization and per API key. When a 'Rate limit exceeded' error occurs, the proper response is to implement exponential backoff with increased sleep intervals between requests. This approach respects the API's retry-after headers and prevents further throttling, aligning with REST API best practices for handling 429 status codes.

Exam trap

Cisco often tests the distinction between proactive optimization (caching) and reactive error handling (backoff), and candidates may incorrectly choose caching as a way to avoid rate limits entirely, missing that the question specifically asks how to handle the error after it occurs.

How to eliminate wrong answers

Option B is wrong because caching responses reduces the number of API calls but does not handle the immediate rate limit error; it is a proactive optimization, not a reactive solution to a 429 response. Option C is wrong because using a different API endpoint does not bypass the overall rate limit, which is applied at the account or API key level, not per endpoint. Option D is wrong because while requesting a higher rate limit from Meraki support might be a long-term solution, it is not the correct immediate programmatic handling of a rate limit error; the developer must implement backoff in the script.

81
MCQ · hard

A network automation engineer is tasked with creating a Python script to automatically back up the running configuration of all IOS XE devices in a data center using the Cisco IOS XE REST API. The engineer has credentials for each device and knows the IP addresses. The script uses the requests library and sends a GET request to https://<device-ip>/restconf/data/Cisco-IOS-XE-native:native?content=config. The script runs successfully for some devices but fails with a 401 Unauthorized error for others. The engineer confirms the credentials are correct and the devices are reachable. The working devices are running IOS XE 16.9, while the failing ones are running IOS XE 16.6. The engineer checks the API documentation and finds that RESTCONF is enabled on all devices. However, the engineer notices that the failing devices require a different authentication method. What should the engineer do to fix the authentication for the IOS XE 16.6 devices?

A. Switch from HTTPS to HTTP for the failing devices.
B. Use the NETCONF protocol instead of RESTCONF for all devices.
C. Change the URL to use the Cisco IOS XE CLI-based API instead of RESTCONF.
D. Modify the script to use HTTP Basic Authentication and disable CSRF check on the device.
Answer: D

Older IOS XE versions require basic authentication; disabling CSRF check may be necessary.

Why this answer

Option D is correct because IOS XE 16.6 requires HTTP Basic Authentication with the 'Authorization' header, and the RESTCONF API on these older versions also requires disabling the CSRF (Cross-Site Request Forgery) check. The engineer must modify the script to include the 'requests.auth.HTTPBasicAuth' and set the 'X-CSRF-Token' header to 'false' or disable CSRF on the device. This resolves the 401 error while still using RESTCONF.

Exam trap

Cisco often tests the version-specific RESTCONF authentication differences, where candidates assume all IOS XE versions use the same authentication method (e.g., token-based), but older versions require Basic Auth and CSRF bypass.

How to eliminate wrong answers

Option A is wrong because switching from HTTPS to HTTP would not fix authentication; it would introduce a security risk and the 401 error is due to missing or incorrect authentication headers, not the protocol. Option B is wrong because NETCONF is a different protocol (SSH-based) and does not use RESTCONF URLs or HTTP authentication; the engineer is specifically tasked with using the REST API, and NETCONF would require a completely different script and library (e.g., ncclient). Option C is wrong because the Cisco IOS XE CLI-based API (e.g., 'on-box' Python or guest shell) is not accessed via RESTCONF URLs; the engineer is already using RESTCONF, and changing to a CLI-based API would not address the authentication issue.

82
Matching · medium

Match each Git command to its function.


Copy a repository to local machine

Save changes to local repository

Upload local changes to remote repository

Fetch and merge changes from remote

List, create, or delete branches

Why these pairings

Common Git commands used in software development.

83
Multi-Select · easy

Which two statements are true about Cisco DevNet Sandboxes?

Select 2 answers
A. DevNet Sandboxes are only available with a paid subscription.
B. DevNet Sandboxes include reserved labs for fixed time periods and always-on labs.
C. DevNet Sandboxes only support Cisco Catalyst switches.
D. DevNet Sandboxes provide API access to simulate integrations.
E. DevNet Sandboxes do not support third-party devices.
Answers: B, D

Correct; both types exist.

Why this answer

Option B is correct because DevNet Sandboxes offer two primary reservation models: reserved labs, which provide exclusive access to a sandbox for a fixed time period (e.g., 4 hours), and always-on labs, which are perpetually available but shared among users. This flexibility allows developers to choose between dedicated, time-limited environments for intensive testing and persistent, always-available environments for ongoing development and learning.

Exam trap

The trap here is that candidates may assume all sandboxes require payment or only support Cisco hardware, overlooking the free tier and the inclusion of third-party components like Linux VMs or partner APIs for realistic integration testing.

84
MCQ · medium

A network engineer needs to automate the deployment of a new VLAN on multiple Cisco switches using RESTCONF. Which URL structure should be used to create a VLAN with ID 100?

A. PUT /restconf/data/Cisco-IOS-XE-vlan:vlans/vlan=100
B. POST /restconf/operations/Cisco-IOS-XE-vlan:create-vlan
C. POST /restconf/data/Cisco-IOS-XE-vlan:vlans/vlan=100
D. PUT /restconf/config/vlan/100
Answer: A

PUT creates or replaces the VLAN resource at the specified URI.

Why this answer

Option A is correct because RESTCONF uses the HTTP PUT method to create or replace a specific data resource, and the URL path follows the YANG module structure. Here, 'Cisco-IOS-XE-vlan:vlans/vlan=100' targets the VLAN list entry with ID 100, creating it if it does not exist. This aligns with RESTCONF's resource-oriented design, where PUT on a specific data node performs a create or replace operation.

Exam trap

Cisco often tests the distinction between PUT and POST in RESTCONF, where candidates mistakenly use POST to create a specific resource instance (like a VLAN by ID) instead of PUT, or confuse the '/operations' RPC path with data resource manipulation.

How to eliminate wrong answers

Option B is wrong because it uses POST to a '/operations' URI, which is associated with NETCONF-style RPCs, not RESTCONF data resource creation; RESTCONF does not use '/operations' for creating data resources. Option C is wrong because POST on a data resource URL is used to create a child resource (e.g., a new entry in a list) when the parent container is targeted, not to create a specific instance by ID; using POST on '/vlan=100' would attempt to create a child of that specific VLAN, which is incorrect. Option D is wrong because it uses a non-standard '/config' path and omits the YANG module namespace; RESTCONF requires the module name prefix (e.g., 'Cisco-IOS-XE-vlan:') to identify the data model, and the path should be under '/restconf/data'.

85
Multi-Select · medium

Which two of the following are valid ways to authenticate to the Cisco DNA Center API?

Select 2 answers
A. Use SNMP v3
B. Use SAML assertion
C. Provide API token in HTTP header
D. Use SSH key
E. Use OAuth 2.0 client credentials
Answers: C, E

Tokens are obtained via login and passed in headers.

Why this answer

Option C is correct because the Cisco DNA Center API uses token-based authentication. After obtaining a token via a POST request to the /dna/system/api/v1/auth/token endpoint with valid credentials, the token must be included in the HTTP header as 'X-Auth-Token: <token>' for all subsequent API requests. This is the standard method for authenticating REST API calls to Cisco DNA Center.

Exam trap

Cisco often tests the distinction between device-level authentication (SNMP, SSH) and API-level authentication (tokens, OAuth 2.0), leading candidates to mistakenly select protocols used for network device management instead of REST API authentication methods.

86
Multi-Select · medium

Which three capabilities are offered by the Cisco DNA Center REST API?

Select 3 answers
A. Intent-based API for business intent deployment
B. Real-time packet capture
C. Device discovery and inventory
D. Direct command-line execution on managed devices
E. Site and building management
Answers: A, C, E

DNA Center provides intent APIs.

Why this answer

Cisco DNA Center's REST API offers an intent-based API that allows you to express business intent (e.g., 'deploy QoS for voice traffic') rather than configuring individual device commands. This abstraction layer translates high-level policies into device-specific configurations, enabling network automation and assurance. It is a core capability of the Cisco Platform Abstraction Layer (PAL).

Exam trap

Cisco often tests the distinction between 'intent-based' (policy-driven) and 'direct device management' (CLI/SNMP) capabilities, so the trap here is assuming that DNA Center's API provides low-level device access like packet capture or CLI execution, when in fact it focuses on high-level automation and assurance.

87
MCQ · hard

A developer is working with the Cisco SD-WAN vManage API to monitor overlay tunnels. They need to retrieve a list of all devices with their site IDs and IP addresses. Which API endpoint is most appropriate?

A. GET /dataservice/device/monitor
B. GET /dataservice/device/device
C. GET /dataservice/device/overlay
D. GET /dataservice/device
Answer: D

Returns list of devices with site ID and system IP.

Why this answer

The GET /dataservice/device endpoint returns a list of all devices managed by the Cisco SD-WAN vManage, including their site IDs and IP addresses. This is the correct endpoint for retrieving device inventory details, as it provides the necessary fields like 'deviceId', 'system-ip', and 'site-id' in the response.

Exam trap

Cisco often tests the distinction between device inventory endpoints and monitoring/overlay-specific endpoints, leading candidates to choose 'monitor' or 'overlay' when they only need basic device information.

How to eliminate wrong answers

Option A is wrong because GET /dataservice/device/monitor is used for retrieving real-time monitoring data (e.g., CPU, memory) for a specific device, not a list of all devices with site IDs and IP addresses. Option B is wrong because GET /dataservice/device/device is not a valid vManage API endpoint; the correct path for device details is /dataservice/device. Option C is wrong because GET /dataservice/device/overlay returns overlay tunnel statistics (e.g., OMP routes, TLOC information) rather than a flat list of devices with site IDs and IP addresses.

88
Multi-Select · medium

Which three of the following are common data formats used with REST APIs on Cisco platforms?

Select 3 answers
A. CSV
B. JSON
C. XML
D. HTML
E. YAML
Answers: B, C, E

JSON is widely used for REST APIs.

Why this answer

JSON (JavaScript Object Notation) is a lightweight, text-based data interchange format that is natively supported by most programming languages and REST APIs. Cisco platforms, such as Cisco DNA Center and Cisco Meraki, use JSON as the primary data format for API requests and responses because it is easy to parse and has a compact structure. JSON's key-value pair syntax aligns well with RESTful principles, making it the most common choice for modern Cisco REST APIs.

Exam trap

Cisco often tests that candidates recognize JSON, XML, and YAML as common data formats for REST APIs, but the trap here is that YAML is less common for REST API payloads and more associated with configuration management tools like Ansible, leading some to incorrectly exclude it while including CSV or HTML.

89
MCQ · medium

When using Cisco Intersight API to manage UCS servers, a script must invoke an API that triggers a firmware upgrade. Which HTTP method and endpoint pattern should be used?

A. PUT to /api/v1/version
B. DELETE to /api/v1/firmware
C. GET to /api/v1/status
D. POST to /api/v1/upgrade
Answer: D

This is consistent with Intersight API patterns for action endpoints.

Why this answer

Option D is correct because triggering a firmware upgrade in Cisco Intersight requires creating a new operation, which aligns with the POST HTTP method. The endpoint /api/v1/upgrade is a typical RESTful pattern for initiating an upgrade action, as POST is used to submit data to a resource to create or trigger a process. In Intersight's API, firmware upgrades are managed via POST requests to specific endpoints like /api/v1/upgrade, not through retrieval, modification, or deletion of existing resources.

Exam trap

Cisco often tests the misconception that firmware upgrades are performed via PUT (update) or GET (status check), but the correct method is POST because it initiates a new action rather than modifying an existing resource.

How to eliminate wrong answers

Option A is wrong because PUT is used to update an existing resource, not to trigger a new operation, and /api/v1/version is a read-only endpoint for retrieving version information, not for initiating upgrades. Option B is wrong because DELETE is used to remove a resource, and /api/v1/firmware would typically represent a firmware resource or collection, not an action endpoint; deleting firmware does not trigger an upgrade. Option C is wrong because GET is used to retrieve data, and /api/v1/status is for checking system status or health, not for performing state-changing operations like firmware upgrades.

90
Multi-Select · easy

Which TWO are common authentication methods used when interacting with Cisco APIs?

Select 2 answers
A. Client certificate exchange
B. HTTP Basic Authentication
C. API key in HTTP header
D. LDAP bind credentials
E. SNMPv3 authentication
Answers: B, C

Used with RESTCONF over HTTPS.

Why this answer

HTTP Basic Authentication (option B) is a common method for authenticating to Cisco APIs, where the client sends a base64-encoded username:password string in the Authorization header. API keys in HTTP headers (option C) are also widely used, especially with REST APIs like Cisco DNA Center or Meraki, where the key is passed in a custom header (e.g., 'X-Cisco-Meraki-API-Key'). Both are simple, stateless mechanisms supported by many Cisco platforms.

Exam trap

Cisco often tests the distinction between authentication methods used for API access versus those used for network device management (like SNMPv3 or LDAP), leading candidates to confuse management-plane authentication with API-level authentication.

91
Multi-Select · hard

Which THREE are valid reasons to use Cisco DNA Center's Assurance APIs in an enterprise network?

Select 3 answers
A. Automatically enforce QoS policies on switches.
B. Proactively detect client connectivity issues.
C. Collect NetFlow data from all network devices.
D. Identify application performance bottlenecks.
E. Analyze historical network trends for capacity planning.
Answers: B, D, E

Assurance provides client health scores and alerts.

Why this answer

Option B is correct because Cisco DNA Center's Assurance APIs provide proactive monitoring and analytics that can detect client connectivity issues before they impact users, leveraging telemetry data from network devices to identify problems like authentication failures, DHCP timeouts, or signal degradation.

Exam trap

Cisco often tests the distinction between Assurance (monitoring/analytics) and Automation (configuration/policy enforcement) APIs, leading candidates to mistakenly associate QoS enforcement or NetFlow collection with Assurance when those belong to separate functional domains.

92
MCQ · hard

An organization uses Cisco DNA Center and wants to use its Intent API to retrieve the health score of all wireless clients. Which API endpoint and method should be used?

A. PUT /dna/intent/api/v1/client-health
B. GET /api/v1/health
C. GET /dna/intent/api/v1/client-health
D. POST /dna/intent/api/v1/client-detail
Answer: C

This endpoint returns client health information.

Why this answer

Option C is correct because the Intent API for retrieving client health scores uses the GET HTTP method on the `/dna/intent/api/v1/client-health` endpoint. This endpoint returns the aggregated health data for all wireless clients, aligning with the read-only nature of the operation and the Intent API's resource-oriented design.

Exam trap

Cisco often tests the distinction between Intent API endpoints and the correct HTTP verb for read operations, trapping candidates who confuse the client-health endpoint with the client-detail endpoint or who incorrectly assume that POST or PUT can be used for data retrieval.

How to eliminate wrong answers

Option A is wrong because it uses the PUT method, which is intended for updating or replacing resources, not for retrieving data; the client-health endpoint is read-only and does not support PUT. Option B is wrong because `/api/v1/health` is a generic health-check endpoint for the Cisco DNA Center platform itself, not for querying client health scores. Option D is wrong because it uses the POST method on `/dna/intent/api/v1/client-detail`, which is designed to retrieve detailed information about a specific client (typically by MAC address) rather than the aggregated health score of all wireless clients, and POST is not the correct verb for a read-only query.
