CCNA Automation Questions

29 questions · Automation topic · All types, answers revealed

Question 1 · Multi-Select · hard

Which THREE are valid methods for automating network device configuration using Cisco IOS XE? (Choose three.)

A. NETCONF/YANG
B. SNMP Set requests
C. Telnet with Expect scripts
D. CLI via SSH with Python (e.g., Netmiko)
E. RESTCONF
Answers: A, D, E

NETCONF is a standard protocol for configuration.

Why this answer

NETCONF/YANG is a valid method for automating network device configuration on Cisco IOS XE. NETCONF (RFC 6241) uses an XML-based RPC protocol to establish a secure SSH session (port 830) for configuration operations, while YANG (RFC 7950) provides a structured data model to define the configuration and state data. This combination allows for programmatic, transactional, and standardized configuration management, making it a core automation technology supported by Cisco.

Exam trap

Cisco often tests the distinction between monitoring protocols (SNMP) and configuration automation protocols (NETCONF/RESTCONF), and the trap here is that candidates mistakenly think SNMP Set requests are a valid configuration automation method, overlooking that SNMP is designed for read-heavy monitoring and lacks the transactional, model-driven capabilities of YANG-based protocols.

Question 2 · MCQ · easy

A company uses Cisco Catalyst Center (formerly DNA Center) for intent-based networking. After upgrading the Catalyst Center appliance, the engineer notices that some devices are unreachable via the network, but the Catalyst Center GUI shows them as 'Managed'. What is the most likely cause?

A. SNMP community strings are misconfigured
B. Devices were reassigned to different roles
C. Certificate trust between devices and Catalyst Center expired
D. The IP address of the Catalyst Center appliance changed after the upgrade
Answer: D

A changed IP address would break management connectivity.

Why this answer

When the Catalyst Center appliance is upgraded, its IP address may change if the upgrade process resets network configuration or if the appliance is redeployed with a new IP. Devices are managed via IP-based communication (e.g., SSH, SNMP, NETCONF), and if the Catalyst Center IP changes, devices will still show as 'Managed' in the GUI because the database retains the device state, but the devices themselves cannot be reached because they are trying to communicate with the old IP address. This mismatch causes unreachability despite the managed status.

Exam trap

Cisco often tests the distinction between GUI state (which can be stale) and actual network reachability, leading candidates to focus on protocol misconfigurations (like SNMP or certificates) rather than the underlying IP connectivity change.

How to eliminate wrong answers

Option A is wrong because SNMP community string misconfigurations would cause polling failures and likely show devices as 'Unmanaged' or with errors, not as 'Managed' while being unreachable. Option B is wrong because reassigning devices to different roles is a configuration change that would not inherently cause unreachability; it would affect policy application, not basic connectivity. Option C is wrong because certificate trust expiration would affect secure communication (e.g., for NETCONF or RESTCONF), but Catalyst Center uses IP-based management and would typically show a certificate error or authentication failure, not a simple unreachability while still showing 'Managed'.

Question 3 · MCQ · medium

A network engineer is automating the deployment of VLANs across multiple switches using Ansible. The playbook runs successfully on most switches, but one switch fails with an error indicating that the VLAN configuration command is not recognized. What is the most likely cause?

A. Ansible lacks the appropriate module for VLAN configuration
B. The inventory file has a syntax error for that specific host
C. The switch runs a different IOS version with different VLAN CLI syntax
D. SSH connectivity to the switch is blocked by an ACL
Answer: C

VLAN configuration syntax can vary between IOS versions; the playbook may use commands not supported on that version.

Why this answer

The most likely cause is that the switch runs a different IOS version with different VLAN CLI syntax. Ansible executes commands via SSH, and if the switch expects a different command format (e.g., 'vlan 10' vs. 'vlan database' on older CatOS), the playbook will fail with a command-not-recognized error. This is a common issue when automating across heterogeneous network devices.

Exam trap

The trap here is that candidates may assume a module or connectivity issue, but Cisco tests the understanding that different IOS versions or platforms (e.g., IOS vs. CatOS) have distinct VLAN CLI syntax, which Ansible modules must handle via conditional logic or version-specific variables.

How to eliminate wrong answers

Option A is wrong because Ansible has dedicated modules like 'ios_vlan' for VLAN configuration on Cisco IOS devices, so lacking a module is not the issue. Option B is wrong because an inventory file syntax error would typically cause a connection failure or host-not-found error, not a command-not-recognized error during execution. Option D is wrong because if SSH connectivity were blocked by an ACL, the playbook would fail at the connection stage with a timeout or authentication error, not after successfully sending a command.

Question 4 · Matching · medium

Match each network automation tool to its purpose.

Descriptions

Agentless automation using YAML playbooks

Agent-based configuration management using Puppet DSL

Agent-based using Ruby recipes

Agent-based with remote execution

Standard for network configuration and state data

Why these pairings

Automation tools simplify network device management.

Question 5 · Multi-Select · easy

Which THREE benefits does network automation provide over manual configuration?

A. Increased security by eliminating the need for SSH access
B. Lower initial investment compared to manual processes
C. Reduced risk of configuration errors
D. Consistent configuration across all devices
E. Faster deployment of configuration changes
Answers: C, D, E

Automation eliminates manual mistakes.

Why this answer

Option C is correct because network automation eliminates human error during repetitive configuration tasks. By using tools like Ansible, Python scripts, or NETCONF/YANG models, configurations are applied consistently without typos or missed commands, which are common in manual CLI entry. This directly reduces the risk of syntax errors, missing parameters, or inconsistent settings that can lead to network outages.

Exam trap

Cisco often tests the misconception that automation eliminates all manual access methods like SSH, but in reality, automation relies on SSH or similar transports for device communication, and the trap is assuming automation reduces security risks by removing SSH entirely.

Question 6 · Multi-Select · hard

Which TWO statements are true about RESTCONF and NETCONF in a Cisco IOS XE environment? (Choose two.)

A. RESTCONF uses HTTP methods (GET, POST, PUT, DELETE) and supports JSON and XML encoding.
B. RESTCONF supports the candidate datastore for editing configurations.
C. NETCONF uses HTTP as its transport protocol.
D. RESTCONF and NETCONF both support JSON and XML encoding.
E. NETCONF uses XML-encoded RPCs over a secure SSH session.
Answers: A, E

RESTCONF indeed uses HTTP methods and supports JSON and XML.

Why this answer

Option A is correct because RESTCONF is designed to use standard HTTP methods (GET, POST, PUT, DELETE, PATCH) for CRUD operations on YANG-defined data, and it supports both JSON and XML encoding formats. This aligns with its goal of providing a simpler, web-friendly interface compared to NETCONF.

Exam trap

Cisco often tests the misconception that both protocols support JSON and XML equally, or that NETCONF uses HTTP, leading candidates to select option D or C incorrectly.

Question 7 · MCQ · hard

A network engineer uses Netmiko to connect to multiple Cisco IOS XE devices and execute commands. The script runs correctly for most devices but fails for one device with the error: 'ValueError: SSH session not active'. The device is reachable and SSH credentials are correct. What is the most likely cause?

A. The connection timeout is set too low
B. The device has reached the maximum number of SSH sessions
C. The device's SSH server is not fully initialized
D. The device requires an enable password but none was provided
Answer: C

The device may still be booting or SSH service is not started.

Why this answer

The error 'ValueError: SSH session not active' indicates that Netmiko attempted to establish an SSH connection but the session was not fully active. The most likely cause is that the device's SSH server is not fully initialized, which can happen if the device is still booting or the SSH process has not completed startup. This is distinct from reachability or credential issues, as the device responds to pings but the SSH daemon is not ready to accept connections.

Exam trap

The trap here is that candidates often confuse network reachability or credential validity with SSH session state, assuming that if the device is pingable and credentials are correct, the SSH session must work, but Cisco tests the understanding that SSH session initialization is a separate process that can fail even when the device is reachable.

How to eliminate wrong answers

Option A is wrong because a low connection timeout would typically result in a 'Connection timed out' or 'Timeout' error, not a 'ValueError: SSH session not active' which indicates the session was initiated but not active. Option B is wrong because reaching the maximum number of SSH sessions would produce an error like 'Too many connections' or 'Connection refused', not a ValueError about session inactivity. Option D is wrong because a missing enable password would cause an authentication failure or privilege escalation error after the SSH session is established, not a failure to activate the SSH session itself.

Question 8 · MCQ · medium

An organization uses Cisco DNA Center to automate network provisioning. A network engineer deploys a new access switch but finds that the switch does not receive the intended configuration template. The switch appears in DNA Center inventory with status 'Managed'. What is the most likely cause?

A. The switch has not been discovered by DNA Center
B. The switch is not in Plug and Play mode
C. The switch does not have a valid DNA license
D. The switch is not assigned to a site
Answer: D

Site assignment is required for template application.

Why this answer

In Cisco DNA Center, configuration templates are applied based on site assignment. A switch that appears as 'Managed' in inventory has been discovered and is under DNA Center's control, but if it is not assigned to a specific site, DNA Center cannot determine which template to push. Site assignment is a prerequisite for template-based provisioning; without it, the intended configuration will not be deployed.

Exam trap

Cisco often tests the distinction between 'Managed' and 'Provisioned' states, trapping candidates who assume that a device being managed automatically means it has received its configuration.

How to eliminate wrong answers

Option A is wrong because the switch appears in inventory with status 'Managed', which means it has already been discovered by DNA Center. Option B is wrong because Plug and Play (PnP) is a separate provisioning method; DNA Center can apply templates to switches that are not in PnP mode as long as they are managed and site-assigned. Option C is wrong because a valid DNA license is required for advanced features but not for basic template application; the switch being 'Managed' indicates it has the necessary licensing to be under DNA Center control.

Question 9 · MCQ · medium

A network engineer is automating configuration backups using Ansible. The playbook uses the ios_config module to retrieve running configurations from Cisco IOS XE devices. However, the playbook fails with a timeout error on a specific device. Other devices respond correctly. What is the most likely cause of the failure?

A. The device is configured for HTTP/HTTPS access only.
B. The device has incorrect SSH credentials configured in the Ansible vault.
C. The device has NetFlow enabled, consuming CPU cycles.
D. The device has SNMPv3 enabled with authentication traps.
Answer: B

Incorrect SSH credentials cause authentication failure and timeout.

Why this answer

The ios_config module in Ansible uses SSH to connect to Cisco IOS XE devices and execute commands. A timeout error on a specific device while others succeed strongly indicates an authentication or authorization failure, such as incorrect SSH credentials stored in the Ansible vault. This prevents the SSH session from being established, causing the playbook to wait until the timeout threshold is reached.

Exam trap

Cisco often tests the distinction between connectivity issues (like SSH credentials) and unrelated features (like NetFlow or SNMP) that candidates might incorrectly assume cause automation failures, leading them to choose a distractor that sounds plausible but is technically irrelevant.

How to eliminate wrong answers

Option A is wrong because the ios_config module relies on SSH (or Telnet) for network device access, not HTTP/HTTPS; HTTP/HTTPS access is used by RESTCONF or NETCONF, not the ios_config module. Option C is wrong because NetFlow, while consuming CPU cycles, does not prevent SSH connectivity or cause a timeout on the ios_config module; it may degrade performance but not block the session. Option D is wrong because SNMPv3 with authentication traps is unrelated to SSH-based Ansible automation; SNMP is a separate management protocol and does not interfere with SSH connections used by the ios_config module.

Question 10 · Drag & Drop · medium

Drag and drop the steps for the three-way TCP handshake into the correct order.


Why this order

TCP uses a three-way handshake (SYN, SYN-ACK, ACK) to establish a connection before data transfer.

Question 11 · MCQ · hard

A DevOps team is implementing a CI/CD pipeline that automates network configuration changes. Which design principle is most important to ensure that a failed deployment does not cause prolonged outages?

A. Use a single source of truth for all configurations
B. Ensure the automation framework supports rollback to a known good state
C. Implement idempotent configuration scripts
D. Run the deployment in a lab environment first
Answer: B

Rollback is critical to quickly restore service after a failed deployment.

Why this answer

Option B is correct because in a CI/CD pipeline for network automation, the ability to roll back to a known good state is the most critical design principle for minimizing downtime. If a deployment fails (e.g., a misapplied ACL or BGP configuration), the automation framework must be able to revert the network device to its previous stable configuration—often by reapplying a saved startup config or using a tool like Ansible's `network_backup` role or Cisco NSO's rollback mechanism. Without this, a failed deployment could leave the network in a broken state until manual intervention, causing prolonged outages.

Exam trap

Cisco often tests the distinction between 'preventing errors' (idempotency, single source of truth) and 'recovering from errors' (rollback), and the trap here is that candidates confuse idempotency with rollback, thinking that re-running a script will fix a failure, when in fact idempotency only ensures consistency, not recovery from a broken state.

How to eliminate wrong answers

Option A is wrong because a single source of truth (e.g., a Git repository for configurations) is important for consistency and auditability, but it does not directly address recovery from a failed deployment; it prevents drift but not the need for rollback. Option C is wrong because idempotent scripts ensure that repeated runs produce the same result, which helps avoid unintended changes, but they do not provide a mechanism to revert to a previous state if a deployment introduces a fault. Option D is wrong because running a deployment in a lab environment first is a best practice for testing, but it does not guarantee that a production deployment won't fail; the question specifically asks about ensuring that a failed deployment does not cause prolonged outages, which requires a rollback capability in production.

Question 12 · MCQ · hard

Refer to the exhibit. A Python script sends the JSON payload shown via a POST request to the RESTCONF URI /restconf/data/ietf-interfaces:interfaces on a Cisco IOS XE device. The API returns 201 Created, but the interface GigabitEthernet1 is not configured. What is the most likely cause?

A. The script is not authenticated
B. The URI should be /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1
C. The payload is missing a required field for the interface
D. The JSON syntax is invalid
Answer: C

The model may require a description.

Why this answer

The 201 Created response indicates the RESTCONF request was accepted and the resource was created, but the interface GigabitEthernet1 is not configured because the JSON payload is missing a required field. In the ietf-interfaces YANG model, the 'type' leaf under an interface is mandatory; without it, the device cannot complete the interface configuration, even though the API returns a success status for the creation of the container.

Exam trap

Cisco often tests the misconception that a 201 Created status guarantees full configuration success, when in reality the YANG model's mandatory fields must be included in the payload for the interface to be operational.

How to eliminate wrong answers

Option A is wrong because a 201 Created response would not be returned if authentication failed; RESTCONF would return a 401 Unauthorized or 403 Forbidden error. Option B is wrong because the POST request to the collection URI /restconf/data/ietf-interfaces:interfaces is the correct method to create a new interface resource; using a specific URI like /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1 would be appropriate for a PUT or PATCH operation on an existing resource. Option D is wrong because if the JSON syntax were invalid, the RESTCONF API would return a 400 Bad Request error, not 201 Created.

Question 13 · MCQ · hard

A large enterprise uses a centralized automation platform based on Ansible Tower to manage its network infrastructure. The network consists of 500 Cisco IOS XE routers and switches distributed across multiple sites. The automation team has created a playbook that configures BGP peerings on all devices. The playbook uses the ios_bgp module. Recently, during a maintenance window, the playbook was run against a subset of devices that were supposed to be upgraded to a new IOS XE version. However, after the run, several devices lost their BGP configurations entirely. The team discovers that the new IOS XE version introduced a new BGP configuration model that is not fully compatible with the ios_bgp module's expected CLI commands. The playbook failed silently on those devices, and the existing BGP configuration was removed. The team needs to prevent this from happening in future maintenance windows. Which action should be taken?

A. Add a pre-task that validates the device's OS version and conditionally applies the appropriate module or command set
B. Implement idempotency checks in the playbook using the 'check_mode' option
C. Set 'gather_facts: no' in the playbook to speed up execution and avoid version detection issues
D. Replace the ios_bgp module with the ios_config module and use raw CLI commands for BGP configuration
Answer: A

Pre-validation allows the playbook to use version-appropriate modules or commands, preventing silent failures.

Why this answer

Option A is correct because it directly addresses the root cause: the new IOS XE version uses an incompatible BGP configuration model. By adding a pre-task that validates the OS version, the playbook can conditionally apply the correct module (e.g., ios_bgp for older versions or a different module/CLI for the new model), preventing silent failures and configuration loss. This ensures the automation adapts to version-specific changes, maintaining idempotency and safety.

Exam trap

Cisco often tests the misconception that idempotency (check_mode) or simply using raw CLI commands (ios_config) solves version incompatibility, when the real solution is version-aware conditional logic to handle model changes.

How to eliminate wrong answers

Option B is wrong because 'check_mode' only simulates changes without applying them; it does not prevent the ios_bgp module from removing existing BGP configs due to incompatibility, nor does it handle version-specific behavior. Option C is wrong because setting 'gather_facts: no' would skip version detection entirely, making the playbook blind to the OS version and increasing the risk of applying incompatible commands. Option D is wrong because replacing ios_bgp with ios_config and raw CLI commands bypasses Ansible's structured module logic, losing idempotency and validation, and still requires version-aware logic to avoid the same incompatibility issue.

Question 14 · MCQ · easy

Refer to the exhibit. A network engineer sends a RESTCONF PATCH request with the above JSON payload to the URL https://192.168.1.100/restconf/data/ietf-interfaces:interface=GigabitEthernet0/0/0. What is the expected outcome?

A. A new interface GigabitEthernet0/0/0 is created with the specified IP address.
B. The description and IP address of the existing interface are updated, and the interface remains enabled.
C. The request fails because a GET request must be sent first to retrieve the current configuration.
D. The entire interface configuration is replaced with only the fields in the payload.
Answer: B

PATCH merges the provided fields with the existing configuration.

Why this answer

A RESTCONF PATCH request uses the HTTP PATCH method to apply a partial update to an existing resource. The payload contains only the fields to be modified (description and IP address), and the request URL targets the specific interface resource. Since the interface already exists, the PATCH updates only those fields without affecting other configuration, such as the interface's enabled state.

This is why the interface remains enabled and only the description and IP address are updated.

Exam trap

Cisco often tests the distinction between HTTP methods in RESTCONF, specifically that PATCH is for partial updates and PUT is for full replacement, and that PATCH does not require a prior GET to retrieve the current configuration.

How to eliminate wrong answers

Option A is wrong because a PATCH request does not create a new resource; it updates an existing one, and the URL targets an existing interface. Option C is wrong because RESTCONF does not require a prior GET request; PATCH can be sent directly to update specific fields. Option D is wrong because PATCH performs a partial update, not a full replacement; a PUT request would replace the entire configuration with the payload.
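Questions 12 and 14 both turn on RESTCONF semantics that a client can check locally before it talks to a device: whether an ietf-interfaces payload carries the mandatory 'type' leaf (a 201 Created says nothing about that), and the difference between PATCH (merge) and PUT (replace) on an existing interface. The following is an added example written for this page, not code from the quiz or from Cisco; the in-memory datastore, the sample payloads and the interface names are constructed, and the functions model the operations against that datastore rather than sending HTTP requests to an IOS XE device.

```python
"""RESTCONF semantics modelled against an in-memory datastore (added example).

Two checks a client can make locally, independent of the HTTP status code:
1. does an ietf-interfaces 'interface' entry carry every mandatory leaf
   before it is POSTed (question 12: 201 Created with 'type' missing)?
2. how PATCH (merge) and PUT (replace) differ on an existing interface
   (question 14: PATCH leaves 'enabled' untouched, PUT drops it).
The datastore, payloads and interface names are constructed; no device is
contacted. Payloads are the inner 'interface' object, without the
'ietf-interfaces:interface' wrapper that a real request body carries.
"""
import copy

# Leaves RFC 8343 (ietf-interfaces) requires in each /interfaces/interface
# entry: 'name' is the list key and 'type' is declared mandatory.
MANDATORY_LEAVES = ("name", "type")

# Constructed starting state: one interface already configured.
DATASTORE = {
    "ietf-interfaces:interfaces": {
        "interface": [
            {
                "name": "GigabitEthernet0/0/0",
                "description": "uplink",
                "type": "iana-if-type:ethernetCsmacd",
                "enabled": True,
                "ietf-ip:ipv4": {
                    "address": [{"ip": "10.0.0.1", "netmask": "255.255.255.0"}]
                },
            }
        ]
    }
}


def missing_mandatory(interface_payload):
    """Mandatory leaves absent from one 'interface' entry. Check this before
    a POST, because a 201 Created does not prove the interface is usable."""
    return [leaf for leaf in MANDATORY_LEAVES if leaf not in interface_payload]


def find_interface(store, name):
    """Locate the list entry for an interface name, or None."""
    for entry in store["ietf-interfaces:interfaces"]["interface"]:
        if entry["name"] == name:
            return entry
    return None


def _merge(target, patch):
    """Recursive merge: nested containers merge, leaves and lists overwrite."""
    for key, value in patch.items():
        if isinstance(value, dict) and isinstance(target.get(key), dict):
            _merge(target[key], value)
        else:
            target[key] = value


def restconf_patch(store, name, payload):
    """PATCH .../interface=<name>: merge payload into the existing entry.
    Returns (http_status, new_store); the input store is left unchanged."""
    store = copy.deepcopy(store)
    entry = find_interface(store, name)
    if entry is None:
        return 404, store
    _merge(entry, payload)
    return 204, store


def restconf_put(store, name, payload):
    """PUT .../interface=<name>: replace the whole entry with the payload
    (201 if it did not exist yet). Leaves not in the payload disappear."""
    store = copy.deepcopy(store)
    interfaces = store["ietf-interfaces:interfaces"]["interface"]
    new_entry = dict(payload, name=name)
    for index, entry in enumerate(interfaces):
        if entry["name"] == name:
            interfaces[index] = new_entry
            return 204, store
    interfaces.append(new_entry)
    return 201, store


if __name__ == "__main__":
    print(missing_mandatory({"name": "GigabitEthernet1", "enabled": True}))
    patch = {"description": "core", "ietf-ip:ipv4": {"address": [
        {"ip": "10.1.1.1", "netmask": "255.255.255.0"}]}}
    status, after = restconf_patch(DATASTORE, "GigabitEthernet0/0/0", patch)
    print(status, find_interface(after, "GigabitEthernet0/0/0"))
```

The merge treats lists (such as the ietf-ip address list) as opaque values that get overwritten, which is enough to show the PATCH/PUT contrast here; a real device merges list entries by key.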

Question 15 · MCQ · medium

Refer to the exhibit. A network engineer wants to use Ansible to change the IP address of Loopback100 from 10.1.100.1/24 to 10.1.200.1/24. The playbook uses the ios_config module. The playbook runs successfully, but the IP address remains unchanged. What is the most likely reason?

A. The loopback interface is administratively down
B. The playbook is sending the wrong CLI commands
C. The ios_config module is not configured to replace the existing configuration
D. The SNMP community strings are not configured correctly
Answer: C

Without replace/match, Ansible may not apply the change.

Why this answer

The ios_config module in Ansible, by default, uses a 'set' operation that appends commands to the running configuration. To change an existing IP address on an interface, the module must be configured with the 'replace' option or use a 'before'/'parents' directive to remove the old address first. Without this, the new IP command is added but the old one remains, and the interface retains the original address because Cisco IOS allows multiple IP addresses on a single interface only if the secondary keyword is used, which the module does not automatically apply.

Exam trap

Cisco often tests the misconception that the ios_config module is idempotent by default for all configuration changes, when in reality it only ensures the specified lines are present, not that conflicting lines are removed.

How to eliminate wrong answers

Option A is wrong because the administrative state of the interface does not affect the ability to change its IP address; a shutdown interface can still have its configuration modified. Option B is wrong because the playbook runs successfully, indicating the CLI commands sent are syntactically correct and reach the device; the issue is not the commands themselves but how they are applied. Option D is wrong because SNMP community strings are irrelevant to Ansible's ios_config module, which uses SSH (or CLI over Telnet) for configuration changes, not SNMP.
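The point of question 15 is what command set line-based matching actually produces. The following is an added example, not Ansible's or the quiz's code: it reproduces the default behaviour (push only desired lines that are not already present verbatim, never negate anything) beside a removal-aware variant that emits the 'no ip address ...' line first. The running-config text and the desired lines are constructed; how the device reacts to either command set is not modelled.

```python
"""Line matching versus explicit removal for an interface change
(added example, not Ansible's own code).

With the default line-matching behaviour only desired lines that are not
already present verbatim get pushed and nothing is negated, so changing an
existing 'ip address' line sends the new line while the old line is never
removed. The removal-aware variant generates the 'no ...' command first.
The running configuration and desired lines below are constructed.
"""

# Constructed running configuration, IOS style.
RUNNING_CONFIG = """\
interface Loopback100
 description mgmt loopback
 ip address 10.1.100.1 255.255.255.0
!
interface GigabitEthernet1
 ip address 192.0.2.1 255.255.255.0
!
"""


def interface_block(running, name):
    """Indented lines under 'interface <name>' (empty list if absent)."""
    lines = []
    inside = False
    for line in running.splitlines():
        if line == f"interface {name}":
            inside = True
            continue
        if inside:
            if line.startswith(" "):
                lines.append(line.strip())
            else:
                break
    return lines


def commands_line_match(running, name, desired):
    """Default line matching: push only lines absent from the block.
    Returns the command list, or [] when nothing is missing (no change)."""
    present = interface_block(running, name)
    missing = [line for line in desired if line not in present]
    if not missing:
        return []
    return [f"interface {name}"] + missing


def commands_with_removal(running, name, desired):
    """Removal-aware variant: negate an existing primary 'ip address' line
    that conflicts with a desired one, then push the desired lines."""
    present = interface_block(running, name)
    wants_ip = any(line.startswith("ip address ") for line in desired)
    commands = []
    if wants_ip:
        # Secondary addresses are left alone; only the primary conflicts.
        commands += ["no " + line for line in present
                     if line.startswith("ip address ")
                     and not line.endswith(" secondary")
                     and line not in desired]
    commands += [line for line in desired if line not in present]
    if not commands:
        return []
    return [f"interface {name}"] + commands


if __name__ == "__main__":
    want = ["ip address 10.1.200.1 255.255.255.0"]
    print(commands_line_match(RUNNING_CONFIG, "Loopback100", want))
    print(commands_with_removal(RUNNING_CONFIG, "Loopback100", want))
```

Running the block with the constructed config shows the contrast directly: the first call yields only the new 'ip address' line, the second yields the 'no ip address 10.1.100.1 255.255.255.0' line followed by the new one.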

Question 16 · MCQ · medium

A company has a large network of 500 Cisco IOS XE routers and switches spread across multiple sites. The network team wants to automate the collection of interface statistics every hour and store them in a central database for historical analysis. The team has a Linux server with Python 3 and access to all devices via SSH with key-based authentication. They have written a Python script using Netmiko to connect to each device, run 'show interfaces', and parse the output to extract key metrics (e.g., input/output errors, packets per second). The script works correctly when tested on a small subset of devices, but when run against all 500 devices, it takes too long (over 2 hours) and sometimes fails due to SSH connection timeouts. The team needs to reduce the execution time and improve reliability. Which approach should they take?

A. Reduce the collection frequency to every 4 hours
B. Implement multiprocessing or multithreading in the Python script to connect to devices concurrently
C. Replace Netmiko with SNMP polling using the pysnmp library
D. Use Ansible playbooks instead of a custom Python script
Answer: B

Concurrency reduces overall execution time significantly.

Why this answer

Option B is correct because the primary bottleneck is sequential SSH connections to 500 devices. By using Python's multiprocessing or multithreading (e.g., concurrent.futures.ThreadPoolExecutor), the script can open multiple SSH sessions in parallel, drastically reducing total wall-clock time. Netmiko itself is not the issue; the serial execution pattern causes the 2-hour runtime and timeouts, which concurrent connections resolve by overlapping I/O wait times.

Exam trap

Cisco often tests the misconception that switching protocols (SNMP) or tools (Ansible) automatically solves performance issues, when the real root cause is lack of concurrency in the execution model.

How to eliminate wrong answers

Option A is wrong because reducing collection frequency to every 4 hours does not solve the underlying performance or reliability problem; it merely masks the symptom by collecting data less often, which may miss hourly trends and still fail when run. Option C is wrong because replacing Netmiko with SNMP polling (pysnmp) introduces a different protocol (UDP-based, community strings) that may require re-engineering the parsing logic and does not inherently improve concurrency; the bottleneck is serial execution, not the library or protocol. Option D is wrong because using Ansible playbooks instead of a custom Python script does not automatically parallelize connections unless explicitly configured with a strategy like 'free' or 'mitogen', and Ansible's default linear strategy still serializes per-batch; the team already has a working script, so switching to Ansible adds complexity without guaranteeing speedup.
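Question 16 describes the pattern (fan out the per-device SSH work with a thread pool, isolate each device's failure, parse 'show interfaces') without showing it. The following is an added example, not the quiz's or the team's script: the Netmiko session is replaced by a constructed fake so the block runs offline, the 'show interfaces' excerpt and the device names are constructed, and the timeout on 'rtr-03' is simulated to show that one bad device no longer aborts the whole run.

```python
"""Concurrent collection of interface counters, modelled without a network
(added example, not the quiz's code).

A thread pool fans out one collection per device, each device's failure is
recorded instead of aborting the run, and the 'show interfaces' text is
parsed with regular expressions. fake_collect stands in for
ConnectHandler(**device).send_command('show interfaces'); the sample output,
device names and the simulated timeout of 'rtr-03' are constructed.
"""
import re
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

# Constructed excerpt in the shape IOS XE prints 'show interfaces'.
SAMPLE_SHOW_INTERFACES = """\
GigabitEthernet1 is up, line protocol is up
     5 minute input rate 2000 bits/sec, 3 packets/sec
     5 minute output rate 1000 bits/sec, 2 packets/sec
     1234 packets input, 567890 bytes, 0 no buffer
     3 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     4321 packets output, 98765 bytes, 0 underruns
     7 output errors, 0 collisions, 1 interface resets
GigabitEthernet2 is up, line protocol is up
     5 minute input rate 0 bits/sec, 0 packets/sec
     5 minute output rate 0 bits/sec, 0 packets/sec
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 0 collisions, 0 interface resets
"""

HEADER_RE = re.compile(r"(\S+) is .*, line protocol is")
RATE_RE = re.compile(r"5 minute (input|output) rate \d+ bits/sec, (\d+) packets/sec")
ERRORS_RE = re.compile(r"(\d+) (input|output) errors")


def parse_show_interfaces(text):
    """Map interface name -> {input_pps, output_pps, input_errors, output_errors}."""
    stats = {}
    current = None
    for raw in text.splitlines():
        header = HEADER_RE.match(raw)
        if header:
            current = header.group(1)
            stats[current] = {}
            continue
        if current is None:
            continue
        line = raw.strip()
        rate = RATE_RE.match(line)
        if rate:
            stats[current][f"{rate.group(1)}_pps"] = int(rate.group(2))
        errors = ERRORS_RE.match(line)
        if errors:
            stats[current][f"{errors.group(2)}_errors"] = int(errors.group(1))
    return stats


def fake_collect(device, delay=0.05):
    """Stand-in for a Netmiko session: sleeps to mimic SSH round trips and
    raises for the constructed device 'rtr-03' to simulate a timeout."""
    time.sleep(delay)
    if device == "rtr-03":
        raise TimeoutError(f"{device}: SSH connection timed out")
    return SAMPLE_SHOW_INTERFACES


def collect_all(devices, collect=fake_collect, workers=20):
    """Fan out one collection per device across a thread pool.
    Returns (results, failures): results maps device -> parsed stats,
    failures maps device -> error text, so one bad device cannot abort
    or stall the others."""
    results, failures = {}, {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        futures = {pool.submit(collect, device): device for device in devices}
        for future in as_completed(futures):
            device = futures[future]
            try:
                results[device] = parse_show_interfaces(future.result())
            except Exception as exc:  # timeouts, auth errors, parse errors
                failures[device] = str(exc)
    return results, failures


if __name__ == "__main__":
    fleet = [f"rtr-{i:02d}" for i in range(1, 11)]
    started = time.monotonic()
    ok, bad = collect_all(fleet)
    print(f"{len(ok)} collected, {len(bad)} failed in {time.monotonic() - started:.2f}s")
    print(bad)
```

With the 50 ms fake delay, ten devices complete in roughly one delay instead of ten, which is the wall-clock effect the question is after; the per-device exception handling is what turns a single timeout from a crashed run into one entry in the failures map.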

Question 17 · MCQ · medium

A network engineer is troubleshooting an Ansible playbook that uses the ios_config module to apply ACLs. The playbook runs without errors, but the ACLs are not applied to the device. The engineer verifies that the device is reachable and the credentials are correct. What is the most likely cause?

A. The device is in a different VRF and not reachable
B. The playbook is missing the connection parameter set to 'network_cli'
C. The ACL syntax in the playbook is incorrect
D. The ios_config module requires the netmiko library to be installed on the control node
Answer: B

Ansible network modules require the connection: network_cli setting.

Why this answer

The ios_config module requires the connection parameter to be set to 'network_cli' (or 'ansible.netcommon.network_cli') to use the CLI transport for sending configuration commands to network devices. Without this, Ansible defaults to the 'smart' connection, which may not properly interact with network device CLIs, causing the playbook to run without errors but not apply the ACLs.

Exam trap

Cisco often tests the misconception that Ansible modules automatically handle network device connections, but in reality, the 'connection: network_cli' parameter is mandatory for network modules to function correctly.

How to eliminate wrong answers

Option A is wrong because the engineer already verified the device is reachable, so a VRF mismatch would cause unreachability, not silent failure. Option C is wrong because incorrect ACL syntax would typically cause an error from the device, not a silent failure; the playbook runs without errors, indicating the syntax is accepted. Option D is wrong because the ios_config module uses the built-in ansible.netcommon collection and does not require netmiko; netmiko is used by other modules like ios_command with the 'ansible.netcommon.network_cli' connection, but ios_config relies on the Ansible network connection framework.

Question 18 · MCQ · easy

A company uses Chef to automate network device configuration. The network devices are Cisco IOS XE running in a brownfield environment. Which Chef component is used to manage the state of the devices?

A. Ohai
B. Chef client
C. Chef workstation
D. Chef server
Answer: B

The client runs on each managed device to enforce desired state.

Why this answer

In a Chef-managed brownfield environment with Cisco IOS XE devices, the Chef client is the agent that runs on each device (or on a proxy like a guest shell) and applies the desired state defined in cookbooks. It is responsible for converging the device's configuration to match the policy, making it the correct component for state management.

Exam trap

Cisco often tests the distinction between the Chef client (the agent that enforces state) and the Chef server (the repository), leading candidates to mistakenly select the server as the component that manages device state.

How to eliminate wrong answers

Option A is wrong because Ohai is a tool that collects system metadata (e.g., platform, interfaces) on the node and makes it available as attributes, but it does not manage state or apply configurations. Option C is wrong because the Chef workstation is where cookbooks are authored and uploaded to the Chef server; it does not run on the network devices or directly manage their state. Option D is wrong because the Chef server stores cookbooks, node data, and policies, but it does not execute configuration changes on devices; it acts as a central repository and API endpoint.

Question 19 · Drag & Drop · medium

Drag and drop the steps to configure an extended access control list (ACL) on a Cisco router in the correct order.


Why this order

Extended ACLs filter based on source/destination IP, protocol, and port; must be applied to an interface.

20
MCQ · hard

A network team uses Ansible to automate VLAN configuration on Cisco IOS devices. The playbook fails with the error 'Failed to connect to the host via ssh: Permission denied (publickey)'. The control node runs Ubuntu, and the network devices are configured with SSH key authentication. Which solution should the engineer implement?

A. Set ansible_ssh_private_key_file in the inventory but omit the passphrase
B. Set ansible_user to the correct username in the inventory
C. Run ssh-add on the control node to add the private key to the SSH agent
D. Enable keyboard-interactive authentication on the IOS devices
Answer: C

The SSH agent must have the key loaded for authentication.

Why this answer

The error 'Permission denied (publickey)' indicates that the SSH key is not being presented to the IOS device. Running ssh-add on the control node loads the private key into the SSH agent, which Ansible uses by default when connecting via SSH. This resolves the authentication failure without requiring a passphrase or changing the inventory.

Exam trap

Cisco often tests the misconception that setting inventory variables like ansible_ssh_private_key_file or ansible_user alone fixes SSH key issues, when the real problem is that the key is not loaded into the SSH agent on the control node.

How to eliminate wrong answers

Option A is wrong because setting ansible_ssh_private_key_file without a passphrase does not help if the key is not loaded into the agent or if the key file is encrypted; Ansible will still fail to authenticate if the key is not accessible. Option B is wrong because setting ansible_user to the correct username addresses only the username, not the missing private key authentication; the error is about key-based authentication, not user identity. Option D is wrong because enabling keyboard-interactive authentication on IOS devices would allow password-based methods, but the issue is that the private key is not being presented; keyboard-interactive does not solve the missing key problem and may introduce security risks.

21
Multi-Select · easy

Which TWO statements are true about Cisco DNA Center automation? (Choose two.)

Select 2 answers
A. DNA Center primarily uses SNMP to manage devices.
B. DNA Center only supports greenfield deployments.
C. DNA Center uses a declarative model for network configuration.
D. DNA Center provides a single dashboard for network management.
E. DNA Center uses an imperative model for network configuration.
Answers: C, D

DNA Center is declarative.

Why this answer

Option C is correct because Cisco DNA Center uses a declarative model for network configuration. In a declarative model, the administrator specifies the desired end-state of the network (e.g., 'VLAN 10 should exist on all access switches'), and DNA Center's automation engine determines the necessary steps to achieve that state, handling dependencies and ordering automatically. This contrasts with imperative models where each step must be explicitly scripted.

Exam trap

Cisco often tests the distinction between declarative and imperative models, and the trap here is that candidates mistakenly associate DNA Center's automation with imperative scripting (like Python or Ansible playbooks) rather than recognizing its intent-based, declarative nature.

22
MCQ · medium

An organization uses Chef to manage network device configurations. A cookbook that configures SNMP community strings is applied to a group of routers. After the run, one router loses SNMP access. The cookbook uses the following resource: `snmp_community 'public' do action :remove end`. What is the most likely cause of the issue?

A. The router's Chef client encountered a syntax error and stopped mid-execution
B. The cookbook accidentally applied a 'private' community string instead of 'public'
C. The cookbook removed the only configured SNMP community string
D. The cookbook is not idempotent and reapplied the change multiple times
Answer: C

If 'public' was the only community, removing it disables SNMP access.

Why this answer

Option C is correct because the `snmp_community 'public' do action :remove end` resource explicitly removes the SNMP community string named 'public'. If 'public' was the only SNMP community string configured on the router, its removal would leave the router with no valid SNMP community, causing all SNMP access to be lost. Chef applies the resource as defined; the issue is not a syntax error or misapplication of a different string, but the direct consequence of removing the sole community.

Exam trap

The trap here is that candidates may assume the issue is a syntax error or a misapplied community string, but Cisco tests the understanding that Chef resources execute exactly as written, and removing the only SNMP community string will break SNMP access regardless of other factors.

How to eliminate wrong answers

Option A is wrong because a syntax error in the Chef client would typically cause the entire run to fail or produce an error in the Chef logs, not silently remove a community string and then stop mid-execution; the resource shown is syntactically correct. Option B is wrong because the cookbook explicitly targets the 'public' community string with the `:remove` action; there is no mention or evidence of a 'private' string being applied, and the issue is removal, not misapplication. Option D is wrong because idempotency is not the problem; the `:remove` action is inherently idempotent (removing an already-removed community does nothing), and reapplying the change multiple times would not cause the initial loss of access—the first removal alone is sufficient.

23
MCQ · hard

A service provider uses Cisco IOS XE routers with NETCONF/YANG for configuration management. They have a centralized automation system that pushes configuration changes via NETCONF. Recently, after a maintenance window, several routers lost connectivity to the NETCONF server. The automation system can still SSH to the routers and execute CLI commands. The engineer suspects that the NETCONF server's SSH key changed, causing the routers to reject the connection. However, checking the routers' configuration, the engineer finds that the 'netconf ssh' command is present and the SSH server is enabled. The engineer also notices that the routers have an 'ip ssh server algorithm publickey' configuration specifying a list of allowed public keys. What is the most likely cause of the NETCONF connectivity loss?

A. The NETCONF server is using a non-standard port
B. The routers have reached the maximum number of SSH sessions
C. The NETCONF server's SSH public key is not in the allowed list on the routers
D. The 'netconf ssh' command was removed from the router configuration
Answer: C

The public key algorithm filter may be blocking the server's key.

Why this answer

The routers have an 'ip ssh server algorithm publickey' configuration that explicitly lists allowed public keys. If the NETCONF server's SSH key was changed during the maintenance window, its new public key would not match any entry in this allowed list, causing the routers to reject the SSH connection for NETCONF even though SSH itself is enabled and the 'netconf ssh' command is present. This is a common security hardening practice that restricts which SSH clients can connect.

Exam trap

Cisco often tests the distinction between SSH being enabled (via 'ip ssh server' or 'netconf ssh') and SSH authentication being blocked by a public key allowlist, leading candidates to overlook the 'ip ssh server algorithm publickey' restriction as the root cause.

How to eliminate wrong answers

Option A is wrong because the automation system can still SSH to the routers; a non-standard port would break that access too unless the port had been changed only for NETCONF, and there is no evidence of that. The core issue is a key-based authentication failure, not a port mismatch. Option B is wrong because the engineer can still SSH to the routers and execute CLI commands, indicating that SSH sessions are not exhausted; the maximum session limit would affect all SSH connections, not just NETCONF. Option D is wrong because the engineer explicitly verified that the 'netconf ssh' command is present in the router configuration, so it was not removed.

24
Matching · medium

Match each QoS feature to its description.


Identifying traffic based on specific fields

Setting the DSCP or CoS value in a packet

Dropping packets that exceed a configured rate

Buffering packets to maintain a configured rate

Managing packet order during congestion

Why these pairings

These are fundamental QoS mechanisms used in Cisco networks.

25
MCQ · medium

A network engineer is creating a Python script using the Cisco IOS XE RESTCONF API to configure a loopback interface. The script sends a PUT request to the URI /restconf/data/Cisco-IOS-XE-native:native/interface/Loopback=100 with a JSON body that includes the IP address. The API returns a 201 Created status, but the loopback interface does not appear in the running configuration. What is the most likely issue?

A. The RESTCONF API returned an error but the script ignored it
B. The loopback interface number is incorrect in the URI
C. The script is not authenticated properly
D. The PUT request should be a POST request to create a new resource
Answer: D

POST is used to create a new resource; PUT replaces an existing one.

Why this answer

D is correct because RESTCONF uses PUT to create or replace a resource only when the client specifies the entire resource URI, including the resource identifier (e.g., Loopback=100). However, for a new resource, the API may require a POST to the parent collection (e.g., /restconf/data/Cisco-IOS-XE-native:native/interface/Loopback) to trigger creation, depending on the YANG module's data model. A 201 Created response indicates the request was accepted, but if the resource was not actually created in the running configuration, it suggests the PUT was treated as a no-op or the data was not applied due to a mismatch in the expected resource state.

Exam trap

Cisco often tests the distinction between PUT and POST in RESTCONF, where candidates mistakenly assume PUT always creates a new resource, but the correct behavior depends on the YANG module's definition and whether the resource identifier is part of the URI or the payload.

How to eliminate wrong answers

Option A is wrong because the script received a 201 Created status, which is a success code, not an error; if an error had occurred, the API would return a 4xx or 5xx status. Option B is wrong because the URI includes Loopback=100, which is a valid identifier, and the 201 response confirms the resource was targeted correctly; an incorrect number would result in a 404 or 409 error. Option C is wrong because authentication failures would return a 401 Unauthorized or 403 Forbidden status, not a 201 Created.

26
MCQ · easy

A network engineer is troubleshooting an automated configuration change that caused a routing loop. The change was pushed via an Ansible playbook that modified OSPF cost values on multiple routers simultaneously. What is the most likely reason for the loop?

A. OSPF does not support changing costs on multiple routers at the same time
B. OSPF uses hop count as a metric, and the changes caused a count-to-infinity issue
C. The changes were applied simultaneously without allowing OSPF to converge between updates
D. The OSPF cost values were changed to non-standard values that OSPF cannot process
Answer: C

Simultaneous changes can create temporary inconsistencies leading to loops.

Why this answer

Option C is correct because applying OSPF cost changes simultaneously on multiple routers without allowing convergence between updates can cause transient routing loops. OSPF relies on the SPF algorithm to calculate loop-free paths based on consistent link-state databases across the network. When costs are changed on multiple routers at once, some routers may have outdated LSAs, leading to inconsistent forwarding tables and temporary loops until all routers reconverge.

Exam trap

Cisco often tests the misconception that OSPF can handle simultaneous changes without issue, but the trap here is that candidates overlook the need for convergence between updates, confusing protocol capability with operational best practices.

How to eliminate wrong answers

Option A is wrong because OSPF fully supports changing costs on multiple routers simultaneously; the issue is not a protocol limitation but the lack of convergence between updates. Option B is wrong because OSPF uses cost (based on bandwidth) as its metric, not hop count; hop count is used by RIP, and count-to-infinity is a RIP-specific problem. Option D is wrong because OSPF can process any positive integer cost value (1 to 65535) as defined in RFC 2328; non-standard values are not a cause of loops.

27
Multi-Select · hard

Which TWO statements about NETCONF and YANG are true?

Select 2 answers
A. NETCONF sessions are stateless
B. YANG defines both the data model and the RPC operations for network devices
C. NETCONF uses TLS as the mandatory transport protocol
D. YANG is a data modeling language used to define the structure of configuration and state data
E. NETCONF uses XML as the data encoding format
Answers: D, E

YANG models the data that NETCONF retrieves and modifies.

Why this answer

Option D is correct because YANG (RFC 7950) is a data modeling language specifically designed to define the structure of configuration and state data, as well as notifications and RPCs, for network devices. It provides a hierarchical, schema-based representation of data that can be serialized into XML or JSON, making it the standard for modeling NETCONF and RESTCONF datastores.

Exam trap

The trap here is confusing YANG's role in defining data models with NETCONF's role in defining transport and RPC operations, leading candidates to incorrectly select Option B, while also mistaking NETCONF's mandatory SSH transport for TLS.

28
MCQ · easy

A network engineer needs to automate the backup of running configurations from multiple Cisco IOS XE devices to a central TFTP server. Which tool is best suited for this task in a Python-based automation framework?

A. RESTCONF
B. Ansible
C. Paramiko
D. Netmiko
Answer: C

Paramiko provides SSH connectivity to network devices.

Why this answer

Paramiko is a Python library that implements the SSHv2 protocol, allowing direct, low-level SSH connections to network devices. For backing up running configurations to a TFTP server, Paramiko can execute the `copy running-config tftp:` command on each device, providing the necessary interactive session handling. While Netmiko is built on Paramiko, it is a higher-level library that abstracts away some of the low-level control; for a simple, script-driven backup task, Paramiko offers the direct SSH access needed without additional overhead.

Exam trap

Cisco often tests the distinction between low-level SSH libraries (Paramiko) and higher-level abstractions (Netmiko), trapping candidates who assume Netmiko is always better because it is more popular, when the question emphasizes a simple, direct SSH task where Paramiko's lower-level control is actually more appropriate.

How to eliminate wrong answers

Option A is wrong because RESTCONF is a RESTful API for YANG-defined data models, used for programmatic configuration and state retrieval, but it does not provide a mechanism to execute CLI commands like `copy running-config tftp:`; it is designed for NETCONF/YANG-based automation, not for sending arbitrary IOS commands. Option B is wrong because Ansible is a configuration management and automation tool that can be used for network backups, but it is not a Python library; the question specifically asks for a tool in a Python-based automation framework, and Ansible is a separate tool that uses YAML playbooks, not a Python library for direct SSH scripting. Option D is wrong because Netmiko is a high-level Python library that simplifies SSH connections to network devices, but it is built on top of Paramiko and adds abstractions like multi-vendor support and simplified command execution; for a straightforward backup task, Paramiko is more fundamental and directly suited, and Netmiko's additional features are unnecessary overhead.

29
Multi-Select · medium

Which THREE attributes are typically included in a YANG module for interface configuration? (Choose three.)

Select 3 answers
A. switchport mode
B. description
C. mtu
D. ip address
Answers: B, C, D

Description is a common attribute.

Why this answer

Option B is correct because the 'description' leaf is a standard attribute in YANG models for interface configuration, providing a human-readable text string to document the interface's purpose. It is defined in the IETF interface model (RFC 8343) and is widely supported across Cisco IOS-XE and NX-OS YANG models.

Exam trap

Cisco often tests the distinction between configurable YANG leaves (like 'description', 'mtu', 'ip address') and operational state leaves (like 'mac address') or platform-specific extensions (like 'switchport mode') to see if candidates understand the standard IETF interface model versus proprietary additions.
