CCNA Ansible Automation Questions

58 questions · Ansible Automation topic · All types, answers revealed

1
Matchingmedium

Drag and drop each Ansible component on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Defines the list of managed hosts and groups

YAML file containing ordered tasks to execute

Structured directory for reusable variables, tasks, and handlers

Executable code that performs a specific configuration or operational task

Special task triggered only when notified by another task

Why these pairings

Each component has a distinct role: Inventory defines managed nodes, Playbook is the execution blueprint, Role organizes content, Module is the execution unit, and Handler reacts to changes.

2
MCQmedium

A network engineer is automating the deployment of VLAN configurations on a set of Cisco IOS-XE switches using Ansible. The playbook uses the ios_vlans module and runs successfully on the first switch, but fails on the second switch with an error indicating that the module is not found. Both switches are running the same IOS-XE version and have the same management access configured. What is the most likely cause of this issue?

A.The second switch does not have the ios_vlans module installed locally.
B.The cisco.ios collection is not installed on the Ansible control node.
C.The second switch has a different SSH key that is not accepted by the Ansible control node.
D.The playbook uses a fully qualified collection name (FQCN) incorrectly.
AnswerB

The ios_vlans module is part of the cisco.ios collection; without it, the playbook fails on any device.

Why this answer

The ios_vlans module is part of the cisco.ios collection, which must be installed on the Ansible control node, not on the managed devices. The error 'module not found' typically indicates the collection is missing or not properly referenced in the playbook. The switches themselves do not need to have the module installed.

3
MCQmedium

Given the following Ansible playbook snippet: --- - name: Backup running config hosts: routers gather_facts: no tasks: - name: Save config ios_config: backup: yes backup_options: dir_path: /backup/ What is the purpose of the 'backup_options' parameter?

A.It specifies the directory where the backup file will be saved.
B.It specifies the filename for the backup.
C.It enables compression of the backup file.
D.It is ignored because backup: yes is already set.
AnswerA

Correct. 'dir_path' sets the directory for the backup file.

Why this answer

The 'backup_options' parameter in ios_config allows specifying a custom directory path for the backup file. Without it, the backup is saved in the playbook's directory with a timestamped filename.

4
MCQhard

An engineer is writing an Ansible playbook to configure OSPF on a fleet of Cisco Nexus 9000 switches. The playbook uses the nxos_ospf module. When executed, the playbook reports 'changed' for every switch, even on subsequent runs when no configuration changes are made. The engineer wants to achieve idempotent behavior. What is the most likely cause of the non-idempotent results?

A.The Ansible control node is using an outdated version of the nxos_ospf module that does not support idempotency.
B.The playbook does not specify all OSPF parameters, such as 'router-id', causing the module to detect a difference with the running configuration.
C.The switches have different NX-OS versions, causing the module to behave inconsistently.
D.The engineer forgot to use the '--check' flag to verify idempotency.
AnswerB

If the playbook omits parameters that the module manages (e.g., router-id defaults to a loopback IP), the module sees a change and marks it as 'changed'.

Why this answer

The nxos_ospf module may report changes if the OSPF process configuration includes parameters that are not fully idempotent, such as the 'router-id' being set dynamically. However, a common cause is that the module compares the current state with the desired state, and if the switch returns extra default parameters (like 'log-adjacency-changes' or 'auto-cost') that are not specified in the playbook, the module may see a difference and report 'changed'. The most direct cause here is that the playbook does not specify all parameters that the module manages, leading to a mismatch.

5
Multi-Selectmedium

Which two statements about Ansible inventory and variables are true? (Choose two.)

Select 2 answers
A.Variables defined in the inventory file override variables defined in group_vars/ for the same group.
B.The 'ansible_host' variable can be used to specify the IP address or FQDN for a managed node.
C.Host variables can be defined in the inventory file using the 'host_vars' directory.
D.Group variables can be stored in YAML files under the 'group_vars' directory.
E.Ansible facts are only gathered when the 'gather_facts: no' option is set in the playbook.
AnswersB, D

Correct: 'ansible_host' overrides the hostname in the inventory for connection purposes.

Why this answer

Group variables can be defined in group_vars/ files or directly in the inventory. Host variables can be set inline in the inventory or in host_vars/. The 'ansible_host' variable overrides the hostname for SSH connection.

Variables defined in playbooks override inventory variables. Ansible facts are gathered automatically unless disabled.

6
Matchingeasy

Drag and drop each Ansible task return value on the left to its matching meaning on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

The task made a change to the target system

The task completed successfully without making changes

The task encountered an error and did not complete

The task was not executed due to a condition (e.g., when clause)

The target host could not be reached via the connection method

Why these pairings

changed indicates a modification was made, ok means no change but success, failed means error, skipped means condition not met, and unreachable means host could not be contacted.

7
Multi-Selecthard

Which three statements about Ansible roles and directory structure are true? (Choose three.)

Select 3 answers
A.A role must contain at least a 'tasks' directory with a main.yml file to be functional.
B.Variables defined in the 'defaults' directory of a role have the highest precedence.
C.The 'meta' directory in a role can define dependencies on other roles using the 'dependencies' key.
D.Handlers in a role are defined in the 'handlers' directory and are triggered by the 'notify' directive in tasks.
E.Roles cannot be shared or reused across different Ansible projects.
AnswersA, C, D

Correct because the 'tasks/main.yml' file is the core of a role; it defines the list of tasks to execute.

Why this answer

Ansible roles have a predefined directory structure including tasks, handlers, vars, defaults, files, templates, and meta. Roles can be shared via Ansible Galaxy. The 'defaults' directory contains lowest-priority variables.

The 'meta' directory defines role dependencies.

8
Matchingmedium

Drag and drop each Ansible connection type on the left to its matching protocol on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

SSH-based connection for Cisco IOS/IOS-XE CLI

SSH-based connection for NETCONF protocol

HTTP/HTTPS-based connection for REST APIs

Runs modules on the control node, not on the target

Pure Python SSH implementation for legacy devices

Why these pairings

network_cli uses SSH for CLI-based devices; netconf uses SSH for NETCONF-based devices; httpapi uses HTTP/HTTPS for REST APIs like NX-API or IOS-XE RESTCONF.

9
MCQmedium

A RESTCONF request is sent to a Cisco IOS-XE device to retrieve interface statistics: GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1 Accept: application/yang-data+json Response: { "ietf-interfaces:interface": [ { "name": "GigabitEthernet1", "type": "iana-if-type:ethernetCsmacd", "enabled": true, "ietf-ip:ipv4": { "address": [ { "ip": "192.168.1.1", "netmask": "255.255.255.0" } ] } } ] } What does the response indicate about the interface?

A.The interface GigabitEthernet1 is enabled and has an IPv4 address of 192.168.1.1/24.
B.The interface is disabled because the 'enabled' field is missing.
C.The response indicates an error because the interface type is incorrect.
D.The response shows that the interface has no IP address configured.
AnswerA

The 'enabled' field is true, and the IPv4 address with netmask indicates /24.

Why this answer

The response shows the interface configuration, including its name, type, enabled status, and IPv4 address. The correct answer correctly interprets the JSON structure.

10
MCQeasy

Which BGP attribute is preferred with the lowest value?

A.MULTI_EXIT_DISC (MED)
B.LOCAL_PREF
C.AS_PATH
D.WEIGHT
AnswerA

Correct. MED is used to influence inbound traffic and lower values are preferred.

Why this answer

In BGP path selection, the LOCAL_PREF attribute is used to prefer paths within an AS. A higher LOCAL_PREF is preferred, but the question asks for the attribute preferred with the lowest value. The WEIGHT attribute is Cisco-specific and is preferred with the highest value.

The MULTI_EXIT_DISC (MED) attribute is preferred with the lowest value.

11
Drag & Drophard

Drag and drop the steps of cisco.ios.ios_config module idempotent apply flow into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The ios_config module first connects to the device, retrieves the running config, compares it with the desired config, applies only the necessary changes, and then saves the config if specified, ensuring idempotency.

12
MCQmedium

A Python script using Netmiko is written to send a command to a Cisco router: from netmiko import ConnectHandler device = { 'device_type': 'cisco_ios', 'ip': '192.168.1.1', 'username': 'admin', 'password': 'cisco', 'secret': 'enable' } connection = ConnectHandler(**device) connection.enable() output = connection.send_command('show ip interface brief') print(output) connection.disconnect() What is the potential issue with this script?

A.The script will fail because 'device_type' should be 'cisco_ios_telnet' for telnet connections.
B.The script will work correctly without any issues.
C.The script will fail because 'secret' is misspelled; it should be 'enable_secret'.
D.The script lacks exception handling for authentication or connection failures, which can cause the script to crash.
AnswerD

Netmiko can raise exceptions like AuthenticationException or NetmikoTimeoutException; these should be caught.

Why this answer

The script does not handle authentication failures or connection timeouts. If the device is unreachable or credentials are wrong, the script will throw an unhandled exception and crash. The correct answer identifies the lack of exception handling.

13
MCQmedium

Given the following Ansible playbook snippet: --- - name: Configure interface hosts: routers gather_facts: no tasks: - name: Set IP address ios_config: lines: - ip address 192.168.1.1 255.255.255.0 - no shutdown parents: interface GigabitEthernet0/1 What is the effect of this playbook?

A.It configures IP address 192.168.1.1/24 on interface GigabitEthernet0/1 and enables it.
B.It configures the IP address globally, not under the interface.
C.It only configures the IP address; no shutdown is ignored because it is not a valid command.
D.It fails because 'parents' cannot be used with 'lines' in ios_config.
AnswerA

Correct. The lines are applied under the specified interface, setting the IP and no shutdown.

Why this answer

The playbook uses the ios_config module to push configuration lines to a Cisco IOS device. The 'parents' parameter specifies the parent configuration mode (interface GigabitEthernet0/1), so the lines are applied under that interface. The lines configure an IP address and enable the interface.

14
MCQmedium

Given the following Ansible playbook snippet: --- - name: Configure VLAN hosts: switches gather_facts: no tasks: - name: Create VLAN 100 ios_vlan: vlan_id: 100 name: Engineering state: present Which statement is true about this playbook?

A.It creates VLAN 100 with name Engineering if it does not exist.
B.It only checks if VLAN 100 exists and reports its status.
C.It deletes VLAN 100 if it exists.
D.It fails because 'name' is not a valid parameter for ios_vlan.
AnswerA

Correct. The module idempotently creates the VLAN with the specified name.

Why this answer

The ios_vlan module is used to manage VLANs on Cisco IOS switches. The 'state: present' ensures the VLAN exists. The module will create VLAN 100 with the name 'Engineering' if it does not already exist.

15
Drag & Dropmedium

Drag and drop the steps of Ansible Tower (AWX) job template execution steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Ansible Tower job template execution starts with launching the job template; then, Tower provisions an isolated execution environment; next, it checks out the project from the source control; after that, it runs the playbook against the specified inventory; finally, it collects and displays job results and logs.

16
Drag & Dropmedium

Drag and drop the steps of Ansible Vault encryption and decryption steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Ansible Vault encryption starts with creating a password file; then, encrypting a plaintext file with ansible-vault encrypt; next, viewing the encrypted content with ansible-vault view; after that, decrypting the file for editing with ansible-vault decrypt; finally, re-encrypting after modifications.

17
Multi-Selectmedium

Which two statements about Ansible modules and idempotency are true? (Choose two.)

Select 2 answers
A.Idempotency means that running a playbook multiple times will always result in the same final state on the managed node.
B.The 'command' module is idempotent by default because it always runs the given command.
C.The 'copy' module is idempotent because it checks the checksum of the destination file before copying.
D.All Ansible modules are inherently idempotent regardless of how they are implemented.
E.Idempotency only applies to network modules, not to Linux system modules.
AnswersA, C

Correct because idempotency ensures that repeated application of the same configuration does not change the system beyond the desired state.

Why this answer

Ansible modules are designed to be idempotent, meaning repeated runs produce the same state. The 'command' and 'shell' modules are not idempotent by default. Modules like 'copy' and 'template' check current state before making changes.

18
MCQmedium

Given the following Ansible playbook snippet: --- - name: Configure OSPF hosts: routers gather_facts: no tasks: - name: OSPF config ios_config: lines: - router ospf 1 - network 10.0.0.0 0.255.255.255 area 0 parents: router ospf 1 What is wrong with this playbook?

A.The 'parents' parameter should not be used with 'router ospf 1' in lines; it causes a configuration error.
B.The network statement uses a wildcard mask instead of subnet mask, which is incorrect.
C.The OSPF process ID must be 1, but it can be any number.
D.There is no error; the playbook works correctly.
AnswerA

Correct. The 'parents' parameter already enters the mode, so the 'router ospf 1' line inside lines is redundant and causes an error.

Why this answer

The playbook attempts to enter OSPF router configuration mode by using 'parents: router ospf 1', but the 'lines' also include 'router ospf 1' which would try to enter the mode again from within the mode, causing an error. The correct approach is to either use 'parents' or include the router command in 'lines', but not both.

19
Drag & Dropmedium

Drag and drop the steps of Ansible Tower (AWX) job template execution steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In Ansible Tower/AWX, a job template execution starts with creating the template, launching it, which triggers inventory and credential resolution, then the playbook runs, and finally the job output is displayed for review.

20
Matchinghard

Drag and drop each Ansible variable precedence level on the left to its matching scope on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Highest precedence, passed via --extra-vars on command line

Lowest precedence, defined in defaults/main.yml of a role

Variables specific to a single host, defined in host_vars/

Variables applied to all hosts in a group, defined in group_vars/

Variables defined in the vars: section of a play

Why these pairings

Extra-vars override all others, role defaults have lowest precedence, host vars apply per host, group vars apply per group, and play vars apply to the entire play.

21
MCQeasy

A REST API call is made to Cisco DNA Center to get the list of network devices: GET /dna/intent/api/v1/network-device Headers: X-Auth-Token: <token> The response is: { "response": [ { "id": "123456", "managementIpAddress": "10.10.10.1", "platformId": "C9300-24P", "role": "ACCESS" } ], "version": "1.0" } What does this response indicate?

A.The response contains a single device with management IP 10.10.10.1 and role ACCESS.
B.The response indicates an error because the 'version' field is missing a value.
C.The response contains multiple devices, but only one is shown due to pagination.
D.The response requires authentication because the token is missing.
AnswerA

The JSON array has one element with the given fields.

Why this answer

The response shows a list of devices; each device has an id, management IP, platform ID, and role. The correct answer correctly interprets the JSON structure.

22
MCQmedium

An organization uses Ansible to manage network device configurations. They have a playbook that uses the ios_command module to execute 'show ip route' on multiple routers and then uses the 'debug' module to print the output. Recently, the playbook started failing with 'Timeout (12s) waiting for privilege escalation prompt'. The routers are reachable and SSH credentials are correct. What is the most likely cause?

A.The routers are configured with a different enable secret that does not match the one in the Ansible vault.
B.The 'ansible_connection' is set to 'network_cli' but the 'ansible_become_method' is not set to 'enable'.
C.The SSH key exchange is taking longer than the default 12-second timeout.
D.The ios_command module requires a different privilege level to execute 'show ip route'.
AnswerB

For network_cli connections, the become method must be 'enable'; otherwise, Ansible waits indefinitely for the privilege prompt.

Why this answer

The error 'Timeout waiting for privilege escalation prompt' indicates that Ansible is trying to enter enable mode (or similar) but is not receiving the expected prompt (usually '#'). This often happens when the 'ansible_become' method is not set correctly for network devices. For Cisco IOS, the become method should be 'enable', and the become password must be provided.

If the become method is missing or set to 'sudo', the privilege escalation will fail.

23
MCQeasy

An engineer is using Ansible to automate the configuration of NTP on a group of Cisco IOS-XE switches. The playbook uses the ios_ntp module. The engineer wants to ensure that the NTP configuration is applied only to switches that are in the 'core' group, not the 'access' group. The inventory file defines these groups. Which Ansible feature should the engineer use to restrict the playbook to the 'core' group?

A.Use the 'when' clause to check if the switch is in the 'core' group using the 'group_names' variable.
B.Set the 'hosts' field in the play to 'core' instead of 'all'.
C.Use the 'limit' option when running the ansible-playbook command to specify the 'core' group.
D.Define a variable in the 'core' group and use 'vars_prompt' to ask the engineer which group to run on.
AnswerB

By setting 'hosts: core', the play will only run on switches that are members of the 'core' group.

Why this answer

Ansible playbooks can target specific groups by specifying the group name in the 'hosts' field of the play. This is the simplest and most direct way to restrict execution to a particular inventory group.

24
MCQmedium

Given the following Ansible playbook snippet: --- - name: Configure SNMP hosts: routers gather_facts: no tasks: - name: SNMP community ios_config: lines: - snmp-server community public RO What is the result of this playbook?

A.It configures an SNMP community string 'public' with read-only access.
B.It fails because 'RO' is not a valid keyword; it should be 'read-only'.
C.It configures the community string only for SNMPv3.
D.It removes any existing SNMP community strings.
AnswerA

Correct. The command is applied globally and sets the community string.

Why this answer

The playbook uses ios_config to add a line globally. The command 'snmp-server community public RO' configures an SNMP community string 'public' with read-only access. This is a valid global configuration command.

25
Drag & Dropmedium

Drag and drop the steps of Ansible inventory grouping and variable inheritance into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

In Ansible, inventory grouping starts with defining groups and hosts, then applying group variables with precedence: all group vars are overridden by parent group vars, which are overridden by host vars, and finally by ansible_host connection details.

26
MCQmedium

A Python script uses NAPALM to retrieve the ARP table from a Cisco IOS-XE device: from napalm import get_network_driver driver = get_network_driver('ios') device = driver('192.168.1.1', 'admin', 'cisco') device.open() arp_table = device.get_arp_table() print(arp_table) device.close() What is the issue with this script?

A.The script will fail because the driver name 'ios' is incorrect; it should be 'iosxe' for IOS-XE devices.
B.The script will work correctly because 'ios' is the correct driver for all Cisco IOS devices.
C.The script will fail because the 'get_arp_table()' method requires an argument.
D.The script will work but only if the device is running IOS-XE 16.12 or later.
AnswerA

NAPALM uses 'iosxe' for IOS-XE; 'ios' is for classic IOS.

Why this answer

The NAPALM driver for IOS-XE is 'ios' but the correct driver for IOS-XE is 'iosxe'. Using 'ios' may work for some devices but is deprecated. The correct answer identifies the driver name mismatch.

27
Matchinghard

Drag and drop each Ansible variable precedence level on the left to its matching scope on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Variables passed via --extra-vars, highest precedence

Default variables inside a role, lowest precedence

Variables defined in host_vars/ directory for a specific host

Variables defined in group_vars/ directory for a group

Variables defined in the vars: section of a play

Why these pairings

extra-vars have highest precedence; role defaults have lowest; host vars apply to a specific host; group vars apply to all hosts in a group; play vars are set at the play level.

28
Matchingmedium

Drag and drop each Ansible component on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Defines the managed nodes and their groups

A YAML file containing a list of tasks to execute

A structured collection of tasks, variables, and handlers for reuse

A Python script that performs a specific task on a managed node

A task that runs only when notified by another task

Why these pairings

Inventory defines managed nodes; playbook is a YAML file of tasks; role is a reusable set of tasks; module is a Python script for a specific action; handler is a task triggered by a notify.

29
Drag & Dropmedium

Drag and drop the steps of Ansible role directory structure and task execution into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Ansible roles follow a standard directory layout: tasks/main.yml is executed first, then handlers are notified, defaults provide variables, vars override defaults, and templates are rendered for configuration files.

30
MCQhard

A telemetry subscription is configured on a Cisco IOS-XE device using gRPC dial-out: telemetry ietf subscription 101 encoding encode-kvgpb filter xpath /interfaces/interface/statistics stream yang-push update-policy periodic 500 receiver ip address 10.10.10.10 50001 protocol grpc-tcp What does this configuration do?

A.It sends interface statistics every 500 milliseconds to the receiver using gRPC.
B.It sends interface statistics every 500 seconds to the receiver at 10.10.10.10 port 50001 using gRPC.
C.It sends configuration changes for interfaces to the receiver using gRPC.
D.It sends interface statistics only when there is a change, using a push model.
AnswerB

The periodic value is in seconds; the receiver is correctly specified.

Why this answer

The subscription pushes interface statistics every 500 seconds to a receiver at 10.10.10.10:50001 using gRPC over TCP. The correct answer correctly describes the behavior.

31
MCQhard

A network engineer is using Ansible to automate the deployment of a new VLAN on a Cisco Nexus switch. The playbook uses the nxos_vlan module. The engineer wants to ensure that if the VLAN already exists, the playbook does not make any changes (idempotent). However, the playbook always reports 'changed' even when the VLAN exists with the same configuration. What is a likely reason?

A.The playbook uses the 'vlan_id' parameter but not the 'name' parameter, causing the module to ignore the name mismatch.
B.The playbook does not include the 'vlan_state' parameter, and the existing VLAN is in 'suspend' state, while the module defaults to 'active'.
C.The nxos_vlan module is not idempotent by design and always reports changes.
D.The engineer is using the '--diff' flag, which forces the module to report changes.
AnswerB

If the module defaults to 'active' but the VLAN is 'suspend', the module sees a difference and reports 'changed'.

Why this answer

The nxos_vlan module compares the desired state with the current state. If the playbook specifies parameters that the module does not fully manage or if the switch returns additional default parameters (e.g., 'state: active' vs 'state: suspend'), the module may detect a difference. A common cause is that the playbook does not specify the 'vlan_state' parameter, and the module defaults to 'active', but if the switch has the VLAN in a different state (e.g., 'suspend'), the module will report 'changed'.

32
Drag & Dropmedium

Drag and drop the steps of Ansible playbook execution flow into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Ansible playbook execution begins with inventory parsing to identify target hosts, then loads variables from group_vars/host_vars. Next, it gathers facts from the managed nodes, applies tasks from the playbook in order, and finally runs post-task handlers if notified.

33
Matchingmedium

Drag and drop each cisco.ios module on the left to its matching purpose on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Pushes configuration commands to Cisco IOS devices

Executes arbitrary show commands on Cisco IOS devices

Gathers facts about Cisco IOS devices

Manages VLANs on Cisco IOS devices

Configures Layer 3 interface properties

Why these pairings

ios_config pushes configuration commands; ios_command executes show commands; ios_facts gathers device facts; ios_vlans manages VLAN configuration; ios_l3_interfaces configures Layer 3 interfaces.

34
Drag & Dropmedium

Drag and drop the steps of cisco.ios.ios_config module idempotent apply flow into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The cisco.ios.ios_config module first connects to the device; then, it retrieves the running configuration; next, it compares the desired config lines with the running config; after that, it applies only the lines that are missing or different; finally, it saves the configuration if the save parameter is set.

35
Drag & Dropmedium

Drag and drop the steps of creating and applying an Ansible role for network device configuration into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, define the role structure with defaults, vars, tasks, and handlers. Then, write the tasks in main.yml to configure interfaces. Next, set default variables in defaults/main.yml.

After that, create a playbook that references the role. Finally, execute the playbook against the target inventory.

36
Matchingmedium

Drag and drop each cisco.ios module on the left to its matching purpose on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Push configuration commands to Cisco IOS devices

Execute show and exec commands on Cisco IOS devices

Collect device facts such as version, interfaces, and serial numbers

Manage VLAN configuration (create, delete, modify)

Configure Layer 3 interface properties like IP address

Why these pairings

ios_config pushes configuration commands, ios_command runs show commands, ios_facts gathers device facts, ios_vlans manages VLANs, and ios_l3_interfaces configures Layer 3 interfaces.

37
Drag & Dropmedium

Drag and drop the steps of Ansible role directory structure and task execution into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Ansible role execution starts with the role's main.yml in tasks directory; then, any pre_tasks defined in the playbook run; next, handlers are loaded from handlers/main.yml; after that, role dependencies are resolved from meta/main.yml; finally, tasks execute in order, triggering handlers as needed.

38
MCQmedium

A company uses Ansible to manage the configuration of 1000 Cisco IOS routers. They have a playbook that uses the ios_config module with the 'src' parameter pointing to a Jinja2 template. The playbook runs successfully for months, but after a recent IOS upgrade on a subset of routers, the playbook fails with 'ERROR! Syntax error while loading YAML script'. The template has not been changed. What is the most likely cause?

A.The IOS upgrade changed the output of a 'show' command that is used to set a fact, and that fact now contains characters that break YAML syntax.
B.The Jinja2 template now contains syntax errors because the IOS upgrade changed the configuration requirements.
C.The ios_config module is incompatible with the new IOS version.
D.The playbook file was corrupted during the IOS upgrade process.
AnswerA

If a fact contains newlines or special characters, it can cause YAML parsing errors when the playbook tries to process it.

Why this answer

The error 'Syntax error while loading YAML script' suggests that the playbook itself has a YAML syntax issue, not the template. However, if the template is included in the playbook via a variable that contains special characters, it could cause a YAML parsing error. But since the template hasn't changed, the most likely cause is that the IOS upgrade changed the output of a command that is used to generate a fact, and that fact is now being passed to the template in a way that breaks YAML.

Alternatively, the playbook might be using a 'vars_prompt' or 'set_fact' that now produces invalid YAML.

39
Drag & Dropmedium

Drag and drop the steps of using Ansible to push a new VLAN configuration to a Cisco IOS switch into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, define the VLAN ID and name in a variable file. Then, write a playbook task using ios_vlan module. Next, specify the connection parameters (ansible_network_os, ansible_user, etc.) in the inventory.

After that, run the playbook to apply the configuration. Finally, verify the VLAN on the switch using show vlan.

40
MCQmedium

Given the following Ansible playbook snippet: --- - name: Configure EIGRP hosts: routers gather_facts: no tasks: - name: EIGRP config ios_config: lines: - router eigrp 100 - network 192.168.1.0 parents: router eigrp 100 What is the effect of this playbook?

A.It fails because the network statement requires a wildcard mask.
B.It configures EIGRP AS 100 and advertises network 192.168.1.0/24.
C.It only enters EIGRP configuration mode without applying any network statement.
D.It works correctly because the network statement defaults to a classful mask.
AnswerA

Correct. EIGRP network statements need a wildcard mask; without it, the command is invalid.

Why this answer

Similar to the previous question, this playbook has a redundancy issue. The 'parents' parameter enters EIGRP router configuration mode, and the 'lines' include 'router eigrp 100' again, which would cause an error. Additionally, EIGRP network statements require a wildcard mask; without it, the command is incomplete.

41
MCQmedium

A Python script uses the requests library to interact with Cisco DNA Center's REST API: import requests url = "https://dna-center/api/v1/network-device" headers = { "X-Auth-Token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9..." } response = requests.get(url, headers=headers, verify=False) print(response.json()) What is a security concern with this script?

A.The script uses a hardcoded token, which is a security risk.
B.The script disables SSL certificate verification, making it vulnerable to man-in-the-middle attacks.
C.The script does not handle HTTP errors, which could expose sensitive information.
D.The script uses an incorrect URL; the path should be /dna/intent/api/v1/network-device.
AnswerB

verify=False should only be used in test environments; in production, proper certificates should be used.

Why this answer

The script disables SSL certificate verification with verify=False, which makes it vulnerable to man-in-the-middle attacks. The correct answer identifies this security issue.

42
Matchingmedium

Drag and drop each Ansible connection type on the left to its matching protocol on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

SSH-based CLI connection to network devices

SSH-based NETCONF session for XML configuration

HTTP/HTTPS-based API connection (e.g., NX-API, RESTCONF)

Runs modules on the Ansible control node without SSH to target

Pure Python SSH implementation (fallback when native SSH is unavailable)

Why these pairings

network_cli uses SSH for CLI commands, netconf uses SSH for NETCONF XML, httpapi uses HTTP/HTTPS for REST APIs (e.g., NX-API).

43
MCQmedium

A network engineer writes the following Ansible playbook to configure an interface on a Cisco IOS-XE device: --- - hosts: routers gather_facts: no tasks: - name: Configure interface cisco.ios.ios_config: lines: - ip address 192.168.1.1 255.255.255.0 parents: interface GigabitEthernet0/1 What is the issue with this playbook?

A.The playbook will fail because the 'cisco.ios.ios_config' module requires the 'connection: network_cli' parameter in the play or inventory.
B.The playbook will work correctly because the module automatically detects the device type.
C.The playbook will fail because 'cisco.ios.ios_config' is not a valid module name.
D.The playbook will work but only if the device is running IOS-XE 16.9 or later.
AnswerA

Without setting connection to network_cli, Ansible defaults to 'smart' which may not work for network devices.

Why this answer

The playbook uses the cisco.ios.ios_config module but does not specify the provider or connection details. In Ansible 2.9+, the connection type must be set to 'network_cli' or the module will fail. The correct answer identifies this missing connection parameter.

44
MCQmedium

An Ansible playbook uses the uri module to make a REST API call to Cisco DNA Center: --- - hosts: localhost gather_facts: no tasks: - name: Get devices uri: url: "https://dna-center/api/v1/network-device" method: GET headers: X-Auth-Token: "{{ token }}" return_content: yes register: result - debug: var: result.json What is missing from this playbook?

A.The playbook is missing a task to authenticate and obtain the X-Auth-Token before making the API call.
B.The playbook will work if the token is defined in the inventory file.
C.The playbook should use the 'cisco.dnac' collection instead of the uri module.
D.The playbook is missing the 'validate_certs: no' parameter to ignore SSL errors.
AnswerA

DNA Center requires a token obtained via POST /dna/system/api/v1/auth/token.

Why this answer

The playbook does not include a task to obtain the authentication token. The token variable is used but never defined. The correct answer identifies the missing authentication step.

45
Multi-Selecthard

Which three statements about Ansible playbooks are true? (Choose three.)

Select 3 answers
A.A playbook must contain at least one play, and each play must specify a 'hosts' key.
B.Playbooks are written in YAML format and can include variables, conditionals, and loops.
C.The 'tasks' section of a play can include both module calls and role inclusions.
D.A playbook can only contain a single play.
E.Playbooks must be executed with the 'ansible' command, not 'ansible-playbook'.
AnswersA, B, C

Correct because a playbook is composed of one or more plays, and each play requires the 'hosts' directive to define the target group.

Why this answer

Playbooks are YAML files containing plays, each mapped to a host group. They support variables, conditionals, and loops. The 'hosts' key defines target groups, and 'tasks' lists modules to execute.

Playbooks can include other playbooks or roles.

46
MCQmedium

A network team uses Ansible Tower to manage configuration backups of 500 Cisco IOS routers. They have a playbook that uses the ios_config module with the 'backup: yes' option. Recently, backups started failing for a subset of routers, with errors like 'backup destination path does not exist'. The playbook uses a variable 'backup_dir' set in the Tower job template. What is the most likely cause of these failures?

A.The routers have insufficient storage space to save the backup locally.
B.The 'backup_dir' variable is not defined for those specific routers in their host_vars or group_vars, causing the playbook to use an undefined path.
C.The ios_config module requires the 'backup_options' sub-option to specify the directory, and the playbook is using the deprecated 'backup' parameter.
D.The routers are not reachable via SSH during the backup window.
AnswerB

If the variable is overridden or missing for certain hosts, the backup path may be invalid, leading to the error.

Why this answer

The backup option in ios_config saves the backup file to a local directory on the Ansible control node. If the directory specified by 'backup_dir' does not exist on the control node, the module will fail. Since the error is specific to a subset of routers, it is likely that the variable is not being resolved correctly for those routers, possibly due to host_vars or group_vars overriding the job template variable.

47
MCQhard

An Ansible playbook uses the cisco.nxos.nxos_config module to configure a Nexus switch: --- - hosts: nxos_switches gather_facts: no connection: network_cli tasks: - name: Configure VLAN cisco.nxos.nxos_config: lines: - vlan 100 - name Test_VLAN parents: vlan 100 What will be the result of this playbook?

A.The playbook will successfully create VLAN 100 and set its name to Test_VLAN.
B.The playbook will fail because the 'parents' parameter cannot be the same as the lines.
C.The playbook will fail because 'cisco.nxos.nxos_config' does not support VLAN configuration.
D.The playbook will work but only if the Nexus switch runs NX-OS 7.0 or later.
AnswerB

Using 'parents: vlan 100' when the lines also start with 'vlan 100' creates a conflict; the module may not apply the configuration correctly.

Why this answer

The playbook attempts to configure VLAN 100 with a name. However, the 'parents' parameter is incorrectly set to 'vlan 100', which is the same as the lines being configured. This can cause idempotency issues or errors because the module may try to enter the same configuration mode again.

The correct answer identifies this logical error.

48
Matchingmedium

Drag and drop each Ansible task return value on the left to its matching meaning on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

The task made a modification to the managed node

The task executed successfully with no changes

The task encountered an error and did not complete

The task was not executed because a condition was not met

The managed node could not be contacted via the connection

Why these pairings

changed means the task modified the system; ok means the task ran without changes; failed means the task encountered an error; skipped means the task was not executed due to a condition; unreachable means the host could not be contacted.

49
MCQmedium

What is the maximum hop count for EIGRP?

A.255
B.100
C.15
D.16
AnswerA

Correct. EIGRP supports up to 255 hops.

Why this answer

EIGRP uses a metric based on bandwidth and delay, but it also has a hop count limit. The maximum hop count for EIGRP is 255, though the default is 100.

50
Multi-Selectmedium

Which two statements about Ansible inventory files are true? (Choose two.)

Select 2 answers
A.Ansible can use a dynamic inventory script that queries an external source such as AWS EC2.
B.The default location for the Ansible inventory file is /etc/ansible/hosts.
C.Ansible inventory files can only be written in INI format.
D.Group variables in an inventory must be defined in separate files under the group_vars directory.
E.The inventory file can only contain hostnames, not IP addresses.
AnswersA, B

Correct because dynamic inventory scripts allow Ansible to retrieve host information from external sources like cloud providers.

Why this answer

Ansible inventory files can be static (INI/YAML) or dynamic (script or plugin). The default location is /etc/ansible/hosts. INI format uses [group] headers and YAML uses a structured hierarchy.

Dynamic inventories pull from external sources like cloud APIs.

51
Multi-Selecthard

Which three statements about Ansible modules for Cisco IOS-XE are true? (Choose three.)

Select 3 answers
A.The ios_config module supports idempotent configuration changes by comparing the desired state with the running configuration.
B.The ios_command module can be used to execute show commands and capture output for parsing.
C.The ios_facts module gathers only interface statistics from the device.
D.The ios_vlan module is used to create and delete VLANs on Cisco IOS devices.
E.The ios_lldp module can only enable LLDP globally, not on specific interfaces.
AnswersA, B, D

Correct: ios_config uses the 'lines' parameter and compares with running config to avoid unnecessary changes.

Why this answer

The ios_config module manages configuration snippets and supports idempotency via the 'lines' parameter. The ios_command module sends show commands and returns output. The ios_facts module gathers device facts.

The ios_vlan module is a dedicated resource module for VLANs. The ios_lldp module manages LLDP settings. Idempotency means applying the same config multiple times yields the same result.

52
Drag & Dropmedium

Drag and drop the steps of Ansible Vault encryption and decryption steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

To use Ansible Vault, you first create a password file, then encrypt a plaintext file, optionally edit it while encrypted, and finally decrypt it when needed, with the playbook referencing the vault password at runtime.

53
MCQeasy

What is the default OSPF hello interval on an Ethernet link?

A.10 seconds
B.30 seconds
C.40 seconds
D.5 seconds
AnswerA

Correct. OSPF default hello interval on Ethernet is 10 seconds.

Why this answer

OSPF uses different hello intervals depending on the network type. For broadcast networks like Ethernet, the default hello interval is 10 seconds.

54
Multi-Selectmedium

Which two statements about Ansible automation in a Cisco environment are true? (Choose two.)

Select 2 answers
A.Ansible uses a push-based model to configure network devices.
B.Ansible requires an agent to be installed on managed Cisco devices.
C.Ansible Tower provides a web-based GUI and role-based access control.
D.The default Ansible inventory file is written in YAML format.
E.Ansible playbooks are written in Python.
AnswersA, C

Correct: Ansible pushes configurations from the control node to managed nodes using SSH or APIs.

Why this answer

Ansible uses a push-based model where the control node pushes modules to managed nodes. It is agentless, relying on SSH or API connections. Ansible Tower provides a web UI and RBAC, while the default inventory is INI-based.

Playbooks are written in YAML, not Python. Ansible Galaxy is a community hub for roles.

55
MCQhard

A network engineer is using Ansible to push ACL changes to a group of Cisco IOS routers. The playbook uses the ios_acl_interfaces module to bind ACLs to interfaces. After running the playbook, the engineer notices that some routers have the ACL applied inbound instead of outbound as intended. The playbook specifies 'direction: outbound'. What is the most likely cause of this issue?

A.The routers have a different IOS version that interprets 'outbound' as 'in'.
B.The playbook uses 'direction: outbound' but the module expects 'direction: out'.
C.The engineer forgot to include the 'state: present' parameter, so the module did not apply the ACL.
D.The ACL itself is defined with the wrong direction in the playbook.
AnswerB

The ios_acl_interfaces module expects 'in' or 'out'; 'outbound' is not a valid value, causing the module to either ignore the parameter or default to 'in'.

Why this answer

The ios_acl_interfaces module requires the direction to be specified in lowercase (e.g., 'out'). If the playbook uses 'outbound' instead of 'out', the module may not recognize the value and could default to 'in' or ignore the parameter. The module documentation clearly states the valid values are 'in' or 'out'.

56
MCQeasy

An engineer is automating the configuration of SNMPv3 on a large number of Cisco IOS-XE devices using Ansible. The playbook uses the ios_snmp_server module. The engineer wants to ensure that the SNMP configuration is applied only if the device is running a specific IOS version that supports SNMPv3. Which Ansible feature should the engineer use to conditionally execute the task?

A.Use the 'tags' feature to selectively run the SNMP task only on certain devices.
B.Use the 'register' directive to capture the output and then use 'failed_when' to skip the task.
C.Use the 'when' clause with a condition on the 'ansible_net_version' fact.
D.Use the 'block' and 'rescue' structure to handle version mismatches.
AnswerC

The 'when' clause allows dynamic conditional execution based on gathered facts like the IOS version.

Why this answer

Ansible provides the 'when' clause to conditionally execute tasks based on variables or facts. The engineer can gather facts from the device (e.g., ansible_net_version) and use a 'when' condition to check the IOS version before applying the SNMP configuration.

57
Multi-Selecthard

Which three statements about Ansible playbooks and roles are true? (Choose three.)

Select 3 answers
A.Roles in Ansible use a standardized directory structure that includes 'tasks', 'handlers', 'vars', 'defaults', and 'meta'.
B.The 'import_role' module includes a role dynamically during play execution.
C.Handlers are special tasks that run only when notified by other tasks, and they run only once even if notified multiple times.
D.Variables defined in the 'defaults' directory of a role have the highest precedence.
E.The 'meta' directory in a role is used to define role dependencies.
AnswersA, C, E

Correct: This is the standard role directory layout used by Ansible.

Why this answer

Roles use a predefined directory structure with tasks, handlers, vars, defaults, and meta. The 'import_role' statically includes a role at playbook parse time, while 'include_role' dynamically includes it at runtime. Handlers are triggered by 'notify' and run once even if notified multiple times.

The 'vars' directory holds high-precedence variables, while 'defaults' holds low-precedence defaults. The 'meta' directory contains role dependencies.

58
Drag & Dropmedium

Drag and drop the steps of Ansible inventory grouping and variable inheritance into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Ansible inventory grouping and variable inheritance follows a hierarchy: first, group variables are defined in group_vars files; then, host variables are defined in host_vars files; next, the inventory parser resolves group parent-child relationships; after that, variables are merged with child groups overriding parent groups; finally, host-specific variables take highest precedence.

Ready to test yourself?

Try a timed practice session using only Ansible Automation questions.