CCNA Infra Automation Questions

36 of 111 questions · Page 2/2 · Infra Automation topic · Answers revealed

76
MCQ · hard

A Cisco DevNet engineer is configuring model-driven telemetry on a Cisco IOS-XE device. The telemetry subscription includes the following path: 'Cisco-IOS-XE-native:native/interface/GigabitEthernet[Name='1/0/1']/ip/address'. Which part of this path identifies a specific list instance?

A. Cisco-IOS-XE-native
B. [Name='1/0/1']
C. GigabitEthernet
D. ip/address
Answer: B

This specifies the key value to identify the particular interface instance.

Why this answer

Option B is correct because the XPath expression `[Name='1/0/1']` is a predicate filter that selects a specific list instance from the `GigabitEthernet` YANG list. In YANG model-driven telemetry, list keys are used to identify individual entries, and the predicate syntax `[key='value']` pinpoints exactly one instance within the list.

Exam trap

Cisco often tests whether candidates confuse the YANG module name or the list node name with the list instance identifier, leading them to pick the module or the list name instead of the key predicate.

How to eliminate wrong answers

Option A is wrong because `Cisco-IOS-XE-native` is the YANG module name, not a list instance identifier. Option C is wrong because `GigabitEthernet` is the YANG list node name, which represents the entire list of interfaces, not a specific instance. Option D is wrong because `ip/address` is a leaf path within the interface instance, not a list instance identifier.

77
Multi-Select · medium

Which THREE are common best practices for implementing CI/CD in network automation?

Select 3 answers
A. Perform manual testing after every deployment
B. Use version control for all automation scripts and playbooks
C. Treat infrastructure configurations as code
D. Implement automated unit and integration tests
E. Store credentials and secrets in code repositories
Answers: B, C, D

Version control is essential for tracking changes and collaboration.

Why this answer

Option B is correct because version control (e.g., Git) is a fundamental CI/CD best practice: it tracks changes, enables rollbacks, and supports collaboration on automation scripts and playbooks. Without version control, you lose auditability and the ability to reliably reproduce network states, which violates the principle of infrastructure as code.

Exam trap

Cisco often tests the distinction between 'automation' and 'CI/CD best practices'—candidates may mistake manual testing (Option A) for a safety net, but the exam expects you to recognize that CI/CD relies on automated testing, not manual steps.

78
MCQ · easy

A developer uses the Cisco DNA Center API to retrieve device inventory. The JSON response is shown. Which Python code snippet correctly extracts the serial number?

A. data['response'][0]['serialNumber']
B. data['serialNumber']
C. data['response']['serialNumber']
D. data[0]['serialNumber']
Answer: A

Correctly accesses first element.

Why this answer

Option A is correct because the JSON response from the Cisco DNA Center device inventory API returns a list of devices under the 'response' key, and each device is a dictionary. The serial number for the first device is accessed by indexing into the list with [0] and then retrieving the 'serialNumber' key from that dictionary.

Exam trap

The trap here is that candidates mistakenly treat the JSON response as a flat dictionary or forget that the 'response' value is a list, leading them to omit the list index and incorrectly access 'serialNumber' directly from 'response'.

How to eliminate wrong answers

Option B is wrong because it assumes 'serialNumber' is a top-level key in the JSON response, but the actual structure nests it inside 'response' and then inside a list. Option C is wrong because it omits the list index, treating 'response' as a direct dictionary containing 'serialNumber', but 'response' is actually a list of device dictionaries. Option D is wrong because it attempts to index the top-level JSON object with [0], but the top-level is a dictionary, not a list, so this would raise a KeyError or TypeError.

79
MCQ · medium

A large enterprise uses Cisco DNA Center to manage their campus network. They have deployed fabric technology for SD-Access. The network team wants to use the DNA Center REST API to automate the addition of new wireless users to a specific virtual network (VN) based on their location (building). They have identified the API endpoint for creating a user device in the fabric. However, when they send a POST request with the appropriate JSON body, they receive a 400 Bad Request error. The JSON payload includes the mandatory fields for hostname, MAC address, and VN name. What is the most likely cause of the error?

A. The API call requires an authentication token that is missing or expired.
B. The virtual network name provided does not exist in the fabric.
C. The MAC address format is incorrect (e.g., lowercase vs uppercase).
D. The user making the API call does not have sufficient privileges.
Answer: B

If the VN doesn't exist, the API returns a 400 error.

Why this answer

The 400 Bad Request error indicates that the server cannot process the request due to a client-side issue, such as invalid data in the payload. Since the mandatory fields (hostname, MAC address, VN name) are provided, the most likely cause is that the virtual network (VN) name does not match any existing VN in the fabric. DNA Center validates the VN name against its fabric configuration; if the VN is not defined, the API rejects the request with a 400 error.

Exam trap

Cisco often tests the distinction between HTTP status codes (400 vs 401 vs 403) to see if candidates understand that 400 errors are client-side payload issues, not authentication or authorization problems.

How to eliminate wrong answers

Option A is wrong because a missing or expired authentication token would result in a 401 Unauthorized error, not a 400 Bad Request. Option C is wrong because DNA Center accepts MAC addresses in various formats (e.g., lowercase, uppercase, with or without colons) and normalizes them internally; an incorrect format would not cause a 400 error. Option D is wrong because insufficient privileges would result in a 403 Forbidden error, not a 400 Bad Request.

80
MCQ · medium

An automation engineer runs a Python script using the Cisco NXOS NX-API to retrieve the interface configuration. The JSON response shows the 'switchport access vlan' as '10'. However, VLAN 10 does not exist in the VLAN database. What is the expected behavior of the switch regarding this interface?

A. The interface will work but traffic will be dropped
B. The switch will automatically create the VLAN
C. The interface will be error-disabled
D. The interface will be operationally down
Answer: D

Without the VLAN, the interface cannot function and is placed in down state.

Why this answer

When a switchport is configured with an access VLAN that does not exist in the VLAN database, the interface remains administratively up but is placed in an operationally down state. This occurs because the switch cannot forward traffic for a non-existent VLAN, and the interface will not transition to a forwarding state until the VLAN is created. The NX-API response reflects the configured VLAN ID, but the operational status is determined by the VLAN's existence.

Exam trap

Cisco often tests the distinction between configuration and operational state, trapping candidates who assume a configured VLAN ID automatically makes the interface active even if the VLAN does not exist.

How to eliminate wrong answers

Option A is wrong because the interface will not work at all; traffic is not simply dropped—the interface is operationally down, preventing any frame forwarding. Option B is wrong because Cisco NX-OS does not automatically create VLANs when they are assigned to an interface; VLANs must be explicitly created in the VLAN database. Option C is wrong because error-disabled is a specific state triggered by events like port security violations or STP BPDU guard, not by a missing VLAN assignment.

81
MCQ · hard

An engineer uses Ansible to push a configuration change to 100 switches. The playbook fails on 5 switches. What is the most efficient way to apply the change only to those 5?

A. Use Ansible's --limit with the retry file
B. Use --skip-tags on successful hosts
C. Re-run the playbook on all switches
D. Manually configure the 5 switches
Answer: A

This targets only the failed hosts.

Why this answer

Ansible generates a retry file by default when a playbook fails on some hosts. Using `--limit @<retry-file>` re-runs the playbook only against the failed hosts, avoiding unnecessary execution on the 95 successful switches. This is the most efficient method because it targets only the problematic devices without manual intervention or full re-runs.

Exam trap

Cisco often tests the distinction between host-level filtering (`--limit`) and task-level filtering (`--tags`/`--skip-tags`), leading candidates to confuse `--skip-tags` as a way to skip hosts instead of tasks.

How to eliminate wrong answers

Option B is wrong because `--skip-tags` is used to skip tasks with specific tags, not to filter hosts; it would still run on all hosts. Option C is wrong because re-running the playbook on all 100 switches wastes time and resources on the 95 already-configured switches, which is inefficient. Option D is wrong because manually configuring 5 switches defeats the purpose of automation and is error-prone and time-consuming.

82
MCQ · easy

Which tool is designed for infrastructure as code, uses a declarative language, and can automate configuration management across multiple devices?

A. Ansible
B. Git
C. Python
D. Postman
Answer: A

Ansible is an automation tool that uses declarative playbooks for configuration management.

Why this answer

Ansible is the correct answer because it is an infrastructure-as-code tool that uses a declarative YAML-based language (playbooks) to define desired system states. It automates configuration management across multiple devices agentlessly, using SSH or WinRM to push configurations, making it ideal for multi-device environments.

Exam trap

The trap here is that candidates may confuse Git (a version control tool) with infrastructure-as-code because Git is often used to store IaC files, but it does not perform automation or configuration management itself.

How to eliminate wrong answers

Option B (Git) is wrong because Git is a distributed version control system for tracking source code changes, not an infrastructure-as-code tool for automating configuration management. Option C (Python) is wrong because Python is a general-purpose programming language that requires imperative scripting to manage configurations, lacking the declarative language model and built-in multi-device automation of Ansible. Option D (Postman) is wrong because Postman is an API testing and development tool, not designed for infrastructure-as-code or configuration management across devices.

83
MCQ · medium

An engineer needs to automate the deployment of VLAN configurations on a fleet of Cisco Catalyst 9000 switches running IOS-XE. The team uses Ansible Tower for automation. Which Ansible module should be used to push VLAN configuration idempotently?

A. ios_vlan
B. ios_command
C. ios_config
D. ios_interface
Answer: A

ios_vlan is specifically designed for VLAN management, ensuring idempotent operations.

Why this answer

The ios_vlan module is purpose-built for idempotent VLAN management on Cisco IOS-XE devices. It ensures that a VLAN with the specified VLAN ID, name, and state (active/suspend) is present or absent without affecting other VLANs, making it the correct choice for automating VLAN deployment idempotently.

Exam trap

Cisco often tests the distinction between generic configuration modules (ios_config) and resource-specific modules (ios_vlan), trapping candidates who assume any module that can push VLAN commands is sufficient for idempotent VLAN management.

How to eliminate wrong answers

Option B (ios_command) is wrong because it sends raw CLI commands and does not enforce idempotency; it blindly executes commands without checking current state, which can cause errors or duplicate configurations. Option C (ios_config) is wrong because it manages arbitrary configuration lines as a whole, not VLAN-specific resources; it can be used to push VLAN commands but lacks the idempotent, declarative VLAN handling that ios_vlan provides (e.g., it does not parse existing VLAN state to avoid re-adding). Option D (ios_interface) is wrong because it manages interface properties (e.g., switchport mode, access VLAN) but does not create, delete, or modify VLAN definitions themselves.

84
MCQ · hard

A DevOps team uses a CI/CD pipeline to deploy network configurations. They want to ensure that only authorized network engineers can trigger changes to production devices. Which integration is most appropriate?

A. Encrypt the Ansible vault password
B. Implement Role-Based Access Control (RBAC) on the CI/CD tool
C. Use a separate staging environment
D. Use a pre-commit hook in Git to validate YAML syntax
Answer: B

RBAC enforces authorization for pipeline executions.

Why this answer

Option B is correct because Role-Based Access Control (RBAC) on the CI/CD tool directly restricts which users or groups can trigger pipeline jobs that modify production network devices. This ensures that only authorized network engineers have the permissions to execute changes, aligning with the principle of least privilege in deployment pipelines.

Exam trap

The trap here is that candidates confuse technical controls (like encryption or syntax validation) with authorization controls, assuming that protecting secrets or validating code is equivalent to restricting who can trigger a deployment.

How to eliminate wrong answers

Option A is wrong because encrypting the Ansible vault password protects secrets (e.g., credentials) but does not control who can trigger the pipeline or authorize changes to production devices. Option C is wrong because a separate staging environment validates configurations before production but does not enforce authorization on who can trigger the production deployment. Option D is wrong because a pre-commit hook in Git validates YAML syntax locally, which prevents malformed files but does not provide any access control over who can initiate the CI/CD pipeline or deploy to production.

85
MCQ · hard

You are a network automation engineer at a large enterprise. The network consists of 200 Cisco Catalyst switches distributed across five data centers. Each switch runs IOS-XE and supports NETCONF. Your team uses a centralized Ansible control node to manage configurations. Recently, the security team mandated that all management access must use SSH keys instead of passwords. You updated the Ansible inventory to use SSH keys and tested on a few switches successfully. However, when you run the playbook against all switches, about 30 switches fail with the error: 'Authentication failed.' You verify that the SSH public key is correctly deployed on those switches via the console. What is the most likely cause of the failure?

A. The public key on the switches is not in the correct format
B. The Ansible become method is misconfigured
C. The private key file on the Ansible control node has permissions 644, which SSH rejects
D. The switches are not reachable over the network
Answer: C

SSH requires private key permissions to be 600 or more restrictive.

Why this answer

SSH strictly requires private key files to have permissions no more permissive than 600 (owner read/write) or 640 (owner read/write, group read) on Unix-like systems. A permission of 644 allows group and others to read the key, which SSH interprets as insecure and refuses to use, causing 'Authentication failed' even though the public key is correctly deployed on the switches.

Exam trap

Cisco often tests the subtle distinction between SSH key format issues and file permission issues, where candidates assume the problem is key format when the real issue is that the private key file's permissions are not as restrictive as OpenSSH requires.

How to eliminate wrong answers

Option A is wrong because if the public key format were incorrect, the switches would reject the key during authentication, but the engineer verified the key is correctly deployed via console, and the same key works on other switches. Option B is wrong because the become method controls privilege escalation (e.g., to enable mode) on the target device, not SSH authentication; the error 'Authentication failed' occurs at the SSH transport layer, before any become operation. Option D is wrong because unreachable switches would produce a 'Host unreachable' or 'Connection timed out' error, not 'Authentication failed'; the error message specifically indicates the SSH handshake failed due to credentials.

86
Multi-Select · hard

Which TWO of the following are true about NETCONF capabilities as defined in RFC 6241?

Select 2 answers
A. The <edit-config> operation supports 'merge', 'replace', 'create', 'delete', and 'remove' operations.
B. The <edit-config> operation replaces the entire configuration by default.
C. The <candidate> configuration datastore is optional and requires the :candidate capability.
D. The :rollback-on-error capability is mandatory.
E. The <running> configuration datastore is optional.
Answers: A, C

Correct – these are the standard operations defined in RFC 6241.

Why this answer

Option A is correct because RFC 6241 defines the <edit-config> operation with the 'merge', 'replace', 'create', 'delete', and 'remove' operations. These allow granular modification of configuration data, with 'merge' being the default behavior if no operation attribute is specified.

Exam trap

Cisco often tests the distinction between mandatory and optional capabilities, and the default operation of <edit-config>, to catch candidates who confuse 'merge' with 'replace' or assume all datastores are optional.

87
MCQ · hard

An organization implements zero-touch provisioning (ZTP) for new Cisco routers using DHCP and TFTP. The provision script is not being executed even though the device obtains an IP address. The DHCP server logs show the option 67 (bootfile-name) and option 150 (tftp-server) are set. What is the most probable reason?

A. The DHCP server is not authoritative
B. The script file name in option 67 does not match the actual file on the TFTP server
C. The TFTP server IP is unreachable from the router
D. The router does not support ZTP
Answer: B

A mismatch in filename prevents the device from loading the script.

Why this answer

Option B is correct because the most common reason for a ZTP script not executing after a device obtains an IP address is a mismatch between the bootfile name specified in DHCP option 67 and the actual filename on the TFTP server. Even if the DHCP server logs show option 67 and 150 are set, the router will attempt to download the file specified in option 67; if that file does not exist or is named differently on the TFTP server, the download fails and the script is not executed.

Exam trap

Cisco often tests the distinction between DHCP options being configured correctly on the server versus the actual file availability on the TFTP server, leading candidates to incorrectly blame network connectivity (option C) or DHCP server authority (option A) when the real issue is a simple filename mismatch.

How to eliminate wrong answers

Option A is wrong because the DHCP server being 'not authoritative' affects lease assignment and renewal behavior (e.g., sending DHCPNAK for unknown clients), but does not prevent the router from obtaining an IP address or downloading the bootfile; the router already has an IP address, so this is not the issue. Option C is wrong because if the TFTP server IP were unreachable, the router would not be able to download any file, but the question states the device obtains an IP address and the DHCP logs show option 150 is set; the issue is specifically that the script is not executed, which points to a file mismatch rather than connectivity. Option D is wrong because Cisco routers that support ZTP (e.g., IOS-XE devices) are designed to use DHCP options 67 and 150 for automated provisioning; if the router did not support ZTP, it would not even attempt to download the script, but the question implies the router is capable and the failure is in execution.

88
MCQ · easy

An automation script using Ansible tries to configure IP address 192.168.1.2 on GigabitEthernet0/1. After running, the interface remains administratively down. What is the first thing to check?

A. The VLAN configuration
B. The IP address is a duplicate
C. The interface is faulty
D. The 'no shutdown' command was not included in the configuration
Answer: D

Without 'no shutdown', the interface remains administratively down.

Why this answer

The 'no shutdown' command is required to administratively enable an interface on Cisco IOS devices. Without it, the interface remains in an administratively down state regardless of IP configuration. Ansible automation scripts must include this command in the task or playbook to bring the interface up.

Exam trap

Cisco often tests the distinction between interface configuration (IP address, VLAN) and interface state (shutdown/no shutdown), trapping candidates who assume that assigning an IP address automatically enables the interface.

How to eliminate wrong answers

Option A is wrong because VLAN configuration affects Layer 2 connectivity and trunking, not the administrative state of a routed interface; an interface can be administratively down even with correct VLAN settings. Option B is wrong because a duplicate IP address would cause a conflict or error message, but it would not prevent the interface from being administratively enabled; the 'no shutdown' command is still required. Option C is wrong because a faulty interface would typically show as 'down/down' or have CRC errors, not 'administratively down'; the administrative state is a software-controlled flag, not a hardware fault.

89
MCQ · hard

A large enterprise uses Cisco DNA Center to manage over 500 network devices across multiple sites. The network operations team wants to automate the validation of device compliance with a baseline configuration. They have a Python script that uses the Cisco DNA Center REST API to retrieve the device configuration and compare it against a golden configuration stored in a local file. Recently, the script started failing with a 401 HTTP response code when trying to authenticate. The team confirmed the username and password are correct and that the DNA Center server is reachable. The script uses the /api/system/v1/auth/token endpoint to obtain a token. Which of the following is the most likely cause of the 401 error?

A. The API endpoint requires a different HTTP method (e.g., POST vs GET).
B. The script is using an incorrect API version path (e.g., /v2 instead of /v1).
C. CORS (Cross-Origin Resource Sharing) is blocking the request.
D. The authentication token has expired and the script is not refreshing it.
Answer: D

Tokens expire; re-authentication is needed. 401 indicates invalid authentication.

Why this answer

The 401 HTTP response code indicates an authentication failure. Since the username and password are confirmed correct and the server is reachable, the most likely cause is that the script obtained a token earlier but is now using an expired token without refreshing it. Cisco DNA Center tokens have a configurable timeout (default 1 hour), and the script must re-authenticate or refresh the token before it expires.

Exam trap

Cisco often tests the distinction between authentication (401) and authorization (403) errors, and the trap here is that candidates might blame the endpoint version or HTTP method when the real issue is token lifecycle management.

How to eliminate wrong answers

Option A is wrong because the /api/system/v1/auth/token endpoint requires a POST method with Basic Authentication, not a GET; if the script used GET, it would get a 405 Method Not Allowed, not a 401. Option B is wrong because the script is using /v1 which is the correct version for token generation; using /v2 would return a 404 Not Found, not a 401. Option C is wrong because CORS is a browser-enforced security mechanism that blocks cross-origin HTTP requests from JavaScript in a web page, not from a Python script running on a server or CLI; a Python script is not subject to CORS restrictions.

90
Multi-Select · hard

Which TWO statements correctly describe differences between model-driven telemetry and traditional SNMP polling?

Select 2 answers
A. SNMP supports push-based notifications using informs
B. Model-driven telemetry reduces device CPU usage compared to frequent SNMP polling
C. Model-driven telemetry can only be used with NETCONF
D. Model-driven telemetry uses a push model, while SNMP polling is a pull model
E. SNMP uses YANG models for data definition
Answers: B, D

Telemetry is more efficient as devices send data at intervals rather than being polled.

Why this answer

Option B is correct because model-driven telemetry uses a push model that sends data only when there is a change or at a configured interval, which significantly reduces the device CPU overhead compared to frequent SNMP polling, where the device must process and respond to each individual GET request from the NMS. This efficiency gain is a primary advantage of telemetry over traditional polling.

Exam trap

Cisco often tests the misconception that SNMP is purely pull-based and cannot push, but the trap here is that SNMP informs and traps are push mechanisms, so candidates must focus on the 'frequent polling' CPU reduction as the key differentiator, not the push/pull model alone.

91
MCQ · hard

A developer is designing a data model for network device configurations using YANG. They need to represent a list of interfaces where each interface has a name (string) and speed (enumeration). Which YANG statement correctly defines this structure?

A. leaf interface-list { type string; }
B. leaf-list interface { type string; }
C. list interface { key name; leaf name { type string; } leaf speed { type enumeration; } }
D. list interface { leaf name { type string; } leaf speed { type enumeration; } }
Answer: C

This defines a list with a key, and two leaves for name and speed.

Why this answer

Option C is correct because YANG requires a `list` statement to define a collection of entries with multiple leafs, and a `key` statement to uniquely identify each list entry. The `list interface` with `key name` allows multiple interfaces, each having both a `name` (string) and `speed` (enumeration), matching the requirement exactly.

Exam trap

Cisco often tests the requirement of the `key` statement in a YANG `list`; candidates may forget that a list without a key is syntactically invalid, leading them to choose option D.

How to eliminate wrong answers

Option A is wrong because `leaf` defines a single scalar value, not a list of interfaces with multiple properties. Option B is wrong because `leaf-list` defines an ordered list of simple values (e.g., strings), not entries with multiple leafs like name and speed. Option D is wrong because it omits the mandatory `key` statement, which is required by YANG for any `list` to uniquely identify each entry; without a key, the list is invalid.

92
MCQ · hard

A network engineer wants to programmatically enable an interface using the YANG model shown. Which XPath expression correctly targets the 'shutdown' leaf for GigabitEthernet0/1?

A. //shut
B. /interfaces/GigabitEthernet[name='0/1']/shutdown
C. /Cisco-IOS-XE-interface:interfaces/GigabitEthernet[0/1]/shutdown
D. /native/interface/GigabitEthernet0/1/shutdown
Answer: B

Correctly uses list instance selection.

Why this answer

Option B is correct because it uses the correct XPath syntax to target the 'shutdown' leaf under a specific GigabitEthernet interface instance. The path starts from the root, navigates to the 'interfaces' container, selects the 'GigabitEthernet' list entry where the 'name' key equals '0/1', and then accesses the 'shutdown' leaf. This matches the YANG model structure where list entries are filtered using a predicate with the key leaf.

Exam trap

Cisco often tests the distinction between using a key-based predicate (e.g., [name='0/1']) versus a positional index (e.g., [0/1]) or a concatenated name (e.g., GigabitEthernet0/1), which are invalid in YANG XPath expressions.

How to eliminate wrong answers

Option A is wrong because '//shut' is an abbreviated XPath that searches for any element named 'shut' anywhere in the document, but the YANG model defines the leaf as 'shutdown', not 'shut', and the path is not scoped to the correct interface. Option C is wrong because it uses '[0/1]' as a positional predicate on a list, but YANG lists are keyed by the 'name' leaf, not by index; the correct predicate is '[name='0/1']'. Option D is wrong because it uses a non-standard root path '/native/interface' which does not match the YANG model's top-level container 'interfaces' and incorrectly concatenates the interface name without a predicate.

93
MCQ · easy

In a Python script using the 'requests' library to interact with Cisco DNA Center API, which function call is used to send a POST request with JSON data?

A. requests.post(url, json=data)
B. requests.patch(url, json=data)
C. requests.get(url, json=data)
D. requests.put(url, json=data)
Answer: A

post() sends POST with JSON.

Why this answer

Option A is correct because the `requests.post()` function is specifically designed to send HTTP POST requests, and passing the `json=data` parameter automatically serializes the Python dictionary to JSON and sets the `Content-Type` header to `application/json`. This is the standard way to create a resource via Cisco DNA Center's REST API endpoints that expect JSON payloads.

Exam trap

Cisco often tests the distinction between POST and PUT by having candidates confuse resource creation (POST) with resource replacement (PUT), especially when both methods accept a JSON body.

How to eliminate wrong answers

Option B is wrong because `requests.patch()` sends an HTTP PATCH request, which is used for partial updates to an existing resource, not for creating a new resource via POST. Option C is wrong because `requests.get()` sends an HTTP GET request, which is used to retrieve data, not to send a JSON payload to create a resource. Option D is wrong because `requests.put()` sends an HTTP PUT request, which is used to replace an entire resource, not to create a new one; POST is the correct HTTP method for resource creation in RESTful APIs.

94
MCQ · easy

Refer to the exhibit. An Ansible playbook is intended to set the description on GigabitEthernet0/1. However, the playbook fails because the device does not have that interface. What is the most likely reason?

A. The module requires gather_facts to be yes
B. The hosts group is incorrect
C. The lines attribute is misconfigured
D. The specified interface does not exist on the device
Answer: D

If the interface is not present, the module cannot apply configuration under it.

Why this answer

Option D is correct because the playbook explicitly targets GigabitEthernet0/1 using the `interface` attribute under `lines`, and the error indicates the device does not have that interface. Ansible's ios_config module will fail if the specified interface does not exist on the device, as it cannot apply configuration to a non-existent logical or physical interface.

Exam trap

Cisco often tests the distinction between a syntactically correct playbook and a playbook that fails due to device-specific constraints, such as a non-existent interface, to see if candidates confuse configuration syntax errors with device state issues.

How to eliminate wrong answers

Option A is wrong because `gather_facts` is not required for the ios_config module to work; it is optional and only collects device facts, not a prerequisite for configuring interfaces. Option B is wrong because the hosts group being incorrect would cause a connection failure or no matching hosts, not a specific error about a missing interface on a reachable device. Option C is wrong because the `lines` attribute is correctly structured with the `interface GigabitEthernet0/1` line and the `description` line; the misconfiguration is not in the syntax of `lines` but in the target interface name.

95
Multi-Selecteasy

Which TWO statements are correct about Ansible inventory files? (Select exactly 2.)

Select 2 answers
A.Inventory files can be written in YAML format
B.Inventory files cannot contain variables for individual hosts
C.Inventory files must be in INI format only
D.Inventory files can define groups of devices
E.An inventory file can include a [vars] section to define group variables
AnswersA, D

Why this answer

Ansible inventory files define the hosts and groups that Ansible manages. They can be written in YAML format, which is a human-readable data serialization language that Ansible supports alongside the traditional INI format. This flexibility allows users to choose the format that best suits their automation needs, with YAML being particularly useful for complex inventories due to its support for structured data.

Exam trap

Cisco often tests the misconception that Ansible inventory files are limited to INI format, but the exam expects you to know that YAML is also a valid format, and that `[vars]` is not a standard section in Ansible inventories (group variables are handled differently).

96
MCQhard

A NETCONF manager sends a get-config request to a Cisco device and receives the above reply. The automation script expected the interface to be enabled. Which of the following is the best course of action to remediate the issue?

A.Send an rpc to reboot the device
B.Use CLI to enable the interface manually
C.Send an edit-config request with <enabled>true</enabled> for the interface
D.Send a get request again
AnswerC

This changes the configuration to enable the interface.

Why this answer

Option C is correct because NETCONF uses the edit-config operation to modify device configuration programmatically. Since the automation script detected that the interface is disabled (enabled state is false), sending an edit-config request with <enabled>true</enabled> for that interface directly remediates the issue by setting the operational state to enabled, aligning with the expected state without manual intervention.

Exam trap

Cisco often tests the distinction between read-only operations (get, get-config) and write operations (edit-config), and the trap here is that candidates may think re-querying the device (Option D) or using CLI (Option B) is acceptable, when the correct approach is to use the appropriate NETCONF operation to modify the configuration programmatically.

How to eliminate wrong answers

Option A is wrong because rebooting the device via an rpc is an extreme, unnecessary action that does not specifically enable the interface and would cause service disruption. Option B is wrong because using CLI to enable the interface manually defeats the purpose of automation and NETCONF's programmatic management, and it is not a scalable or scripted solution. Option D is wrong because sending a get request again would only retrieve the current configuration again, not change the disabled state of the interface.

97
MCQeasy

A team is using Python scripts with netmiko to back up configurations from a large number of network devices. What is the primary advantage of using netmiko over direct paramiko for this task?

A.Netmiko supports only Cisco devices
B.Netmiko uses REST API instead of SSH
C.Netmiko is faster than paramiko
D.Netmiko simplifies the handling of device-specific prompts and command output
AnswerD

Netmiko abstracts away the complexities of different device interactions.

Why this answer

Netmiko is built on top of Paramiko but adds a higher-level abstraction layer that automatically handles device-specific prompt detection, command output parsing, and SSH session management. This simplifies the backup process across heterogeneous devices by eliminating the need to manually write code for each device's unique prompt patterns and command responses.

Exam trap

Cisco often tests the misconception that Netmiko is a faster alternative to Paramiko, when in reality the advantage is about abstraction and ease of use, not raw performance.

How to eliminate wrong answers

Option A is wrong because Netmiko supports a wide range of vendors (Cisco, Juniper, Arista, HP, etc.), not just Cisco devices. Option B is wrong because Netmiko uses SSH (via Paramiko) for network device access, not REST API; REST API is a separate paradigm used with tools like requests or ncclient. Option C is wrong because Netmiko is not inherently faster than Paramiko; it adds overhead for prompt handling and session management, and performance depends on network latency and device responsiveness, not the library itself.

98
MCQmedium

A developer is using Git to manage automation code. What is the primary advantage of using 'rebase' instead of 'merge' to integrate changes from a feature branch into the main branch?

A.Rebase automatically resolves all conflicts
B.Rebase is faster than merge
C.Rebase preserves the exact commit timestamps
D.Rebase results in a linear project history
AnswerD

Rebase replays commits on top of the base branch, resulting in a linear history.

Why this answer

Option D is correct because `git rebase` rewrites the commit history of the feature branch to appear as if it was branched from the latest commit on the main branch, resulting in a linear, clean project history. This avoids the merge commits that `git merge` creates, making the commit log easier to follow and debug. The primary advantage is not speed or conflict resolution, but a streamlined, non-branching history.

Exam trap

Cisco often tests the misconception that rebase is faster or automatically resolves conflicts, when in fact its true advantage is creating a linear history, which is critical for audit trails and debugging in automation workflows.

How to eliminate wrong answers

Option A is wrong because rebase does not automatically resolve conflicts; it replays each commit one by one, and if a conflict occurs, the developer must resolve it manually for each commit. Option B is wrong because rebase is not inherently faster than merge; in fact, rebase can be slower due to rewriting commits and requiring conflict resolution per commit, whereas merge creates a single merge commit. Option C is wrong because rebase does not preserve exact commit timestamps; it creates new commits with new timestamps (the time of the rebase operation), while merge retains the original commit timestamps.

99
MCQmedium

A company uses Ansible to automate network configuration. They have an Ansible control node that must reach all network devices. Which transport protocol does Ansible use by default to connect to Cisco IOS devices?

A.HTTP
B.Telnet
C.SSH
D.SNMP
AnswerC

Ansible uses SSH by default for network devices.

Why this answer

Ansible uses SSH as its default transport protocol to connect to Cisco IOS devices because SSH provides encrypted, secure remote access and is the standard for network device management in modern environments. Ansible's native architecture relies on SSH for agentless communication, executing modules and playbooks over this secure channel without requiring additional software on the target devices.

Exam trap

Cisco often tests the misconception that Ansible uses Telnet or SNMP for legacy device compatibility, but the trap here is that Ansible defaults to SSH for secure, agentless automation, and candidates may confuse Ansible's connection methods with other tools like NETCONF or RESTCONF.

How to eliminate wrong answers

Option A is wrong because HTTP is not used by Ansible for device connections; it is an unencrypted protocol typically used for web-based management interfaces, not for Ansible's agentless automation. Option B is wrong because Telnet is an unencrypted, legacy protocol that Ansible does not use by default due to security concerns and lack of support for modern automation features. Option D is wrong because SNMP is a monitoring and management protocol used for reading and writing device configuration data via MIBs, but it is not a transport protocol for executing Ansible modules or playbooks.

100
MCQmedium

A network team is implementing automation to provision new switchports across a campus network. They decide to use a controller-based approach with Cisco DNA Center. What is the primary advantage of using DNA Center for this task?

A.It automatically rolls back any configuration that deviates from the standard.
B.It replaces all existing CLI commands with a graphical interface.
C.It allows intent-based automation where the desired state is defined and the controller pushes the necessary configuration.
D.It eliminates the need for any human intervention in network management.
AnswerC

Intent-based automation abstracts low-level configuration from the user.

Why this answer

Option C is correct because Cisco DNA Center uses an intent-based networking model where the administrator defines the desired state (e.g., 'provision a switchport for access VLAN 10') and the controller automatically translates that intent into the necessary device configurations (CLI or NETCONF/YANG). This abstraction reduces manual errors and enforces consistency across the campus network without requiring per-device CLI scripting.

Exam trap

Cisco often tests the distinction between intent-based automation (defining the desired state) versus traditional script-based automation (pushing explicit commands), and the trap here is confusing 'intent-based' with 'fully autonomous' or 'error-correcting' systems.

How to eliminate wrong answers

Option A is wrong because DNA Center does not automatically roll back configurations that deviate from a standard; it can detect drift and alert the operator, but rollback typically requires a manual or policy-driven action. Option B is wrong because DNA Center does not replace all CLI commands with a graphical interface; it provides a GUI for high-level intent but still relies on underlying CLI, NETCONF, or RESTCONF for device-level configuration. Option D is wrong because DNA Center does not eliminate the need for human intervention; it automates many tasks but still requires human oversight for policy definition, troubleshooting, and exception handling.

101
MCQhard

An organization wants to automate the deployment of wireless configurations across multiple Meraki networks using the Meraki Dashboard API. What authentication method should the developer use in the API requests?

A.Provide username and password in the Authorization header with Basic auth
B.Use OAuth2 client credentials grant and pass a bearer token
C.Include an API key in the X-Cisco-Meraki-API-Key header
D.Generate a JSON Web Token (JWT) signed with a shared secret
AnswerC

Meraki API uses a static API key in the request header for authentication.

Why this answer

The Meraki Dashboard API uses a simple API key for authentication, not OAuth2 or JWT. The key must be included in the `X-Cisco-Meraki-API-Key` header of every request. This is the only supported method for authenticating with the Meraki API, as documented by Cisco Meraki.

Exam trap

Cisco often tests the misconception that all REST APIs use OAuth2 or Basic Auth, but the Meraki API specifically uses a custom header-based API key, which candidates may overlook in favor of more common authentication methods.

How to eliminate wrong answers

Option A is wrong because the Meraki Dashboard API does not support HTTP Basic authentication with username and password; it requires an API key. Option B is wrong because the Meraki API does not use OAuth2; it uses a static API key for all requests. Option D is wrong because the Meraki API does not accept JSON Web Tokens (JWTs); it relies solely on the API key in the custom header.

102
MCQhard

Using the Cisco DNA Center API, an engineer wants to create a new site with building and floor information. Which HTTP method and endpoint should be used?

A.PUT /dna/intent/api/v1/site
B.GET /dna/intent/api/v1/site
C.POST /dna/intent/api/v1/site
D.POST /dna/intent/api/v1/site/create
AnswerC

Correct endpoint and method to create a site.

Why this answer

The POST HTTP method is used to create a new resource on the server, and the Cisco DNA Center API endpoint `/dna/intent/api/v1/site` is designed to accept a POST request with a JSON payload containing site, building, and floor details. This follows RESTful conventions where POST is the standard method for resource creation, and the API documentation specifies this exact endpoint for adding a new site hierarchy.

Exam trap

The trap here is that candidates often confuse POST with PUT or assume a 'create' suffix is needed in the endpoint, but Cisco tests the exact RESTful convention where POST on the base resource URI is the correct method for creation.

How to eliminate wrong answers

Option A is wrong because the PUT method is typically used for updating an existing resource or creating a resource at a specific URI, but the Cisco DNA Center API for site creation explicitly requires POST, not PUT. Option B is wrong because the GET method is used for retrieving information, not creating resources; it would return existing site data, not create a new site. Option D is wrong because the endpoint `/dna/intent/api/v1/site/create` does not exist in the Cisco DNA Center API; the correct endpoint is `/dna/intent/api/v1/site` without the `/create` suffix, and the creation action is implied by the POST method.

103
MCQmedium

A Python script uses the ncclient library to connect to a Cisco NX-OS device over NETCONF. After establishing the session, the script executes an edit operation against the candidate datastore. Which additional step is required to make the changes take effect immediately on the running configuration?

A.Execute a discard-changes operation on the candidate datastore
B.Execute a validate operation on the candidate datastore
C.No additional step is needed; candidate changes are automatically applied to running
D.Execute a commit operation on the candidate datastore
AnswerD

Commit copies candidate to running, making changes active.

Why this answer

Option D is correct because when using NETCONF with the candidate datastore on Cisco NX-OS, changes are staged in the candidate configuration and do not affect the running configuration until a commit operation is explicitly sent. The commit operation copies the candidate configuration to the running datastore, making the changes take effect immediately. Without this step, the candidate changes remain unapplied.

Exam trap

Cisco often tests the distinction between the candidate and running datastores, trapping candidates who assume that editing the candidate automatically updates the running configuration, which is only true for the 'candidate' datastore on some platforms like Juniper but not for NX-OS NETCONF.

How to eliminate wrong answers

Option A is wrong because discard-changes is used to revert the candidate datastore to the running configuration, discarding any uncommitted edits; it does not apply changes. Option B is wrong because validate checks the syntactic and semantic correctness of the candidate configuration but does not apply it to the running datastore. Option C is wrong because the candidate datastore is a separate, working copy; changes are not automatically applied to running — a commit is required per RFC 6241.

104
MCQeasy

Based on the exhibit, what is the frequency of the telemetry subscription?

A.Every 500 seconds
B.Every 500 milliseconds
C.When the management connection is re-established
D.On-change only
AnswerB

The periodic policy value is in milliseconds; 500 ms is the correct interpretation.

Why this answer

The exhibit shows a telemetry subscription with a 'period' of 500, which in Cisco model-driven telemetry (MDT) is expressed in milliseconds. Therefore, the frequency is every 500 milliseconds, making option B correct.

Exam trap

Cisco often tests the unit of the 'period' value, and the trap here is that candidates assume the value is in seconds (like many other network timers) instead of milliseconds, leading them to choose 'Every 500 seconds'.

How to eliminate wrong answers

Option A is wrong because 500 seconds would be an unusually long interval for telemetry updates and the period value in Cisco MDT is always in milliseconds, not seconds. Option C is wrong because a re-establishment-based subscription is a different type (e.g., 'periodic' vs 'on-change' vs 'connection-based'), and the exhibit explicitly shows a periodic subscription with a numeric period value. Option D is wrong because 'on-change' subscriptions do not use a numeric period; they trigger only when the monitored data changes, whereas the exhibit shows a fixed period of 500.

105
MCQhard

A developer is creating a YANG data model for a new interface feature. The model must allow the user to choose from a predefined set of values for the 'duplex' leaf. Which YANG statement should be used to restrict the values to 'full', 'half', and 'auto'?

A.choice duplex-options { case full; case half; case auto; }
B.type string;
C.type leafref { path '/other:duplex-list'; }
D.type enumeration { enum full; enum half; enum auto; }
AnswerD

Enumeration restricts to listed values.

Why this answer

Option D is correct because the 'type enumeration' statement in YANG defines a leaf that can only take one of the explicitly listed enum values. By specifying 'enum full;', 'enum half;', and 'enum auto;', the developer restricts the 'duplex' leaf to exactly those three predefined strings, which matches the requirement.

Exam trap

Cisco often tests the distinction between YANG's 'choice' statement (which selects among different schema branches) and the 'enumeration' type (which restricts a single leaf's value), leading candidates to mistakenly choose 'choice' when they need a value restriction.

How to eliminate wrong answers

Option A is wrong because 'choice' and 'case' in YANG are used to model a selection among different schema nodes (e.g., different leafs or containers), not to restrict the value of a single leaf to a set of strings. Option B is wrong because 'type string;' would allow any arbitrary string value, providing no restriction to 'full', 'half', or 'auto'. Option C is wrong because 'type leafref' references the value of another leaf in the data tree; it does not define an inline set of allowed values, and the path '/other:duplex-list' would require a separate list node that may not exist or may not contain the desired restriction.

106
MCQhard

You are automating the deployment of a new software image on a fleet of Cisco Nexus switches using Ansible. The switches are in a production environment and must have minimal downtime. You have a maintenance window of 30 minutes per switch. Your playbook performs the following steps: 1) Copy the image to the switch via SCP, 2) Set the boot variable to the new image, 3) Save the configuration, 4) Reload the switch. During a dry run on a test switch, you notice that the reload step takes 8 minutes, but the copy step takes 15 minutes due to slow link speed. For the production rollout, you need to reduce the overall time per switch. Which approach should you take?

A.Skip the save configuration step to save time
B.Use a local file server with HTTP for image transfer to improve speed
C.Use a compressed image to reduce copy time
D.Reload all switches simultaneously in the same maintenance window
AnswerB

HTTP is generally faster than SCP for file transfer.

Why this answer

Option B is correct because the bottleneck is the SCP copy time (15 minutes), which exceeds the 30-minute maintenance window when combined with the reload (8 minutes). Using HTTP for image transfer leverages a more efficient protocol with better throughput and lower overhead than SCP, which uses SSH encryption and can be slower on low-bandwidth links. This directly reduces the copy time, bringing the total per-switch time under the maintenance window limit.

Exam trap

The trap here is that candidates focus on reducing the reload time or configuration steps, when the real bottleneck is the image transfer protocol; Cisco often tests the understanding that protocol choice (SCP vs. HTTP) directly impacts transfer speed in bandwidth-constrained environments.

How to eliminate wrong answers

Option A is wrong because skipping the 'save configuration' step would risk losing the running configuration after reload, potentially causing misconfiguration or downtime, and it does not address the primary bottleneck (copy time). Option C is wrong because while a compressed image reduces file size, the copy time is dominated by link speed and protocol overhead; decompression on the switch adds CPU load and time, and the net gain may be minimal or negative. Option D is wrong because reloading all switches simultaneously would cause a complete network outage, violating the requirement for minimal downtime and exceeding the per-switch maintenance window constraint.

107
MCQmedium

A DevOps engineer is implementing Infrastructure as Code (IaC) for network devices. Which of the following practices is most critical to ensure that the environment state matches the desired configuration defined in code?

A.Using Jinja2 templates to generate device configurations.
B.Ensuring that the automation tool is idempotent.
C.Using version control for all configuration files.
D.Implementing rollback procedures for failed deployments.
AnswerB

Idempotency guarantees consistent state.

Why this answer

Idempotency ensures that applying the same configuration multiple times always results in the same desired state, regardless of the current state of the device. This is the most critical practice for IaC because it prevents configuration drift and guarantees that the environment state matches the code-defined configuration. Without idempotency, repeated runs of the automation tool could introduce unintended changes or fail to correct deviations.

Exam trap

Cisco often tests the concept that idempotency is the core principle of IaC for state convergence, tempting candidates to choose version control or rollback procedures because they are familiar best practices, but they do not directly ensure the environment state matches the code.

How to eliminate wrong answers

Option A is wrong because Jinja2 templates are a tool for generating configuration files from variables, but they do not ensure that the applied configuration matches the desired state; they only help with parameterization and reuse. Option C is wrong because version control tracks changes to configuration files over time but does not enforce that the live environment state matches the code; it is a best practice for auditability, not for state convergence. Option D is wrong because rollback procedures handle failed deployments by reverting to a previous state, but they do not guarantee that the environment state matches the desired configuration defined in code; they are a recovery mechanism, not a preventive or corrective one.

108
MCQmedium

A developer is using the Meraki API to retrieve a list of networks for an organization. Which HTTP method and endpoint should be used?

A.GET /organizations/{organizationId}/networks
B.POST /organizations/{organizationId}/networks
C.GET /networks
D.PUT /organizations/{organizationId}/networks
AnswerA

Correct endpoint and method to list networks.

Why this answer

The Meraki API uses RESTful conventions where retrieving a list of resources is done with a GET request. The endpoint GET /organizations/{organizationId}/networks returns all networks belonging to a specific organization, as documented in the Meraki API reference. This matches the standard pattern for listing child resources under a parent resource.

Exam trap

Cisco often tests the distinction between HTTP methods (GET vs POST vs PUT) and the necessity of proper resource scoping (including the organization ID), so the trap here is assuming a flat /networks endpoint exists or that POST can be used for retrieval.

How to eliminate wrong answers

Option B is wrong because POST is used to create a new resource, not to retrieve a list; using POST for retrieval violates REST principles and the Meraki API specification. Option C is wrong because /networks is not a valid top-level endpoint; the Meraki API requires the organization ID to scope the request, as networks are always associated with an organization. Option D is wrong because PUT is used to update an existing resource, not to retrieve a list; it would either fail or be interpreted incorrectly by the API.

109
MCQhard

In a network automation workflow, a developer needs to ensure idempotency. What does idempotency mean in this context?

A.The script uses a single API call
B.Running the script once produces the same result as running it multiple times
C.The script can recover from failures
D.The script can run on multiple devices simultaneously
AnswerB

This is the definition of idempotency.

Why this answer

Idempotency in network automation means that executing an operation multiple times results in the same network state as executing it once. For example, using a REST API PUT request to set a VLAN configuration will leave the device in the same state whether the request is sent once or repeatedly, because PUT is inherently idempotent. This prevents unintended side effects like duplicate VLANs or interface misconfigurations when a script is retried due to network failures or timeouts.

Exam trap

Cisco often tests idempotency by pairing it with failure recovery or concurrency, hoping candidates confuse idempotency with fault tolerance or parallel execution.

How to eliminate wrong answers

Option A is wrong because a single API call does not guarantee idempotency; for instance, a POST request that creates a resource is not idempotent and can create duplicates. Option C is wrong because failure recovery (e.g., retry logic or rollback) is a separate reliability concern, not a definition of idempotency; idempotency ensures safe retries but does not itself handle recovery. Option D is wrong because running a script on multiple devices simultaneously relates to parallelism or concurrency, not idempotency; idempotency applies per-operation regardless of the number of targets.

110
MCQeasy

An engineer needs to modify the running configuration of a Cisco IOS-XE device using a protocol that is stateless and uses HTTP methods. Which protocol should be used?

A.NETCONF
B.SNMP
C.RESTCONF
D.CLI
AnswerC

RESTCONF is stateless, uses HTTP, and aligns with RESTful principles.

Why this answer

RESTCONF is the correct choice because it is a stateless protocol that uses standard HTTP methods (GET, POST, PUT, PATCH, DELETE) to manipulate YANG-defined data stores on a Cisco IOS-XE device. Unlike NETCONF, which is stateful and session-oriented, RESTCONF operates over HTTP without maintaining session state, making it ideal for lightweight, RESTful automation.

Exam trap

Cisco often tests the distinction between NETCONF and RESTCONF, where candidates mistakenly choose NETCONF because it is more familiar for network automation, but the question specifically requires a stateless protocol using HTTP methods, which only RESTCONF satisfies.

How to eliminate wrong answers

Option A is wrong because NETCONF is a stateful protocol that relies on SSH or TLS and uses RPC-based operations, not stateless HTTP methods. Option B is wrong because SNMP uses UDP and a manager-agent model with GET/SET/TRAP operations, not HTTP methods, and is not designed for modifying running configurations via RESTful APIs. Option D is wrong because CLI (Command-Line Interface) is a human-interactive interface that does not use HTTP methods and is not a protocol for programmatic, stateless configuration management.

111
MCQmedium

Refer to the exhibit. Based on the output, which interface is experiencing a Layer 2 issue?

A.Loopback0
B.GigabitEthernet1
C.Serial0/0/0
D.GigabitEthernet2
AnswerC

Protocol is down while Status is up, indicating a Layer 2 issue.

Why this answer

The output shows that Serial0/0/0 is in the 'down/down' state, which indicates a Layer 1 or Layer 2 issue. Since the serial interface is administratively up (not 'administratively down'), the 'down/down' status points to a Layer 2 problem, such as a missing keepalive, encapsulation mismatch, or loss of carrier detect (CD) signal, rather than a Layer 3 addressing or routing issue.

Exam trap

Cisco often tests the distinction between 'up/down' (Layer 1 issue) and 'down/down' (Layer 2 issue), and candidates mistakenly assume any 'down' status is a Layer 1 problem without checking the line protocol state.

How to eliminate wrong answers

Option A is wrong because Loopback0 is a virtual interface that is always up/up unless administratively shut down; it does not experience Layer 2 issues as it has no physical or data-link layer. Option B is wrong because GigabitEthernet1 is shown as up/up, indicating both Layer 1 and Layer 2 are functioning correctly. Option D is wrong because GigabitEthernet2 is also up/up, confirming no Layer 2 problem exists on that interface.
