Practice Questions
Test your knowledge on this topic in the ENAUTO Exam Trainer — 186 questions across 5 interactive modes.
ENAUTO v2 (300-435) Question Bank
About this Question Bank
85 new questions covering all 5 exam domains. Created from public exam samples (nwexam.com, Cisco Learning Network) and high-quality practice questions based on official Cisco exam topics and documentation. Deduplicated against
new_questions.json(49 existing questions).
1.0 Network Automation Foundation (10%) — 12 Questions
Q001 — Topic 1.1 (Easy)
YANG Model Types
Which YANG model type is defined by an equipment vendor to describe platform-specific features not covered by IETF or OpenConfig models?
- A) IETF YANG model
- B) OpenConfig YANG model
- C) Native YANG model
- D) RFC-standard YANG model
Answer: C
Native YANG models (e.g., Cisco-IOS-XE-native) are vendor-specific and describe platform-unique features like Cisco-specific CLI knobs. IETF models (ietf-interfaces) are standards-based. OpenConfig models are vendor-neutral but defined by operator consortium, not IETF. Source: Practice Question — Exam Topic 1.1
Q002 — Topic 1.1 (Medium)
OpenConfig vs IETF
What is the primary difference between OpenConfig and IETF YANG models?
- A) OpenConfig models are defined by a consortium of network operators for multi-vendor interoperability; IETF models are standards-track RFCs
- B) OpenConfig models use XML; IETF models use JSON
- C) OpenConfig models are only for routing; IETF models cover all network features
- D) OpenConfig models require RESTCONF; IETF models require NETCONF
Answer: A
OpenConfig is an operator-led working group (Google, Microsoft, etc.) that creates vendor-neutral models focused on operational needs. IETF models go through the RFC standards process. Both use YANG syntax and work with either NETCONF or RESTCONF. Source: Practice Question — Exam Topic 1.1
Q003 — Topic 1.3 (Hard)
pyang JSON Output
Which pyang command generates a JSON payload skeleton from a YANG model?
- A) pyang -f json-skeleton model.yang
- B) pyang -f jtox model.yang
- C) pyang -f tree —json model.yang
- D) pyang -f jsonschema model.yang
Answer: B
pyang -f jtox generates a JSON translation table (JTOX) from YANG that can be used to create JSON instance documents. The ‘json-skeleton’ format is not a real pyang output. ‘tree’ produces human-readable tree diagrams. Source: Practice Question — Exam Topic 1.3
Q004 — Topic 1.4 (Hard)
NETCONF XML Merge Attribute
When constructing an XML payload for NETCONF
<edit-config>based on a YANG model, which attribute specifies the merge behavior for a container element?
- A) operation=“merge”
- B) nc:operation=“merge”
- C) xmlns:nc with operation=“merge”
- D) xc:default-operation=“merge”
Answer: B
In NETCONF XML payloads, the operation attribute uses the NETCONF namespace prefix (nc):
nc:operation='merge|replace|delete|create|remove'. The namespace must be declared asxmlns:nc='urn:ietf:params:xml:ns:netconf:base:1.0'. Default operation (when no attribute is set) is ‘merge’. Source: Practice Question — Exam Topic 1.4
Q005 — Topic 1.5 (Medium)
YANG Tree rw Notation
In a YANG tree diagram generated per RFC 8340, what does ‘rw’ indicate next to a node?
- A) The node is read-write (configuration data)
- B) The node is a required wrapper element
- C) The node supports both read and write-back operations
- D) The node uses row-based indexing in the datastore
Answer: A
RFC 8340 defines tree diagram notation: ‘rw’ = read-write (configuration data that can be set), ‘ro’ = read-only (operational/state data). Other symbols: ’?’ = optional, ’*’ = list/leaf-list, ’+’ = mandatory choice. Source: Practice Question — Exam Topic 1.5
Q006 — Topic 1.5 (Medium)
YANG Tree List Notation
In a pyang-generated YANG tree, what does the notation
+--rw server* [name]represent?
- A) A YANG list named ‘server’ with ‘name’ as the key leaf, containing read-write configuration data
- B) A mandatory leaf named ‘server’ that must contain a name string
- C) A container named ‘server’ that is required in every configuration
- D) A leaf-list named ‘server’ indexed by a numeric name field
Answer: A
In RFC 8340 tree notation: '' after the node name indicates a list (or leaf-list), and ‘[name]’ shows the key leaf(s). ‘rw’ means configuration data. So ‘server [name]’ is a YANG list with key ‘name’. Source: Practice Question — Exam Topic 1.5
Q007 — Topic 1.3 (Easy)
YANG Suite
What tool provides a GUI-based approach to explore YANG models, generate API payloads, and test RESTCONF/NETCONF requests against devices?
- A) YANG Suite
- B) pyang CLI
- C) Postman
- D) YANG Catalog
Answer: A
YANG Suite (developer.cisco.com) is Cisco’s GUI tool for browsing YANG models, generating JSON/XML payloads, and sending NETCONF/RESTCONF requests to devices. pyang is CLI-only. Postman is a generic REST client without YANG awareness. Source: Practice Question — Exam Topic 1.3
Q008 — Topic 1.2 (Hard)
NETCONF Candidate Datastore Capability
Which NETCONF capability must be advertised by the server to support the candidate configuration datastore?
- A) urn:ietf:params:netconf:capability:candidate:1.0
- B) urn:ietf:params:netconf:capability:confirmed-commit:1.0
- C) urn:ietf:params:netconf:capability:writable-running:1.0
- D) urn:ietf:params:netconf:capability:validate:1.0
Answer: A
NETCONF capabilities are exchanged during the
<hello>handshake. The candidate datastore capability allows edit-config on a staging datastore, then<commit>to apply changes atomically. Source: Practice Question — Exam Topic 1.2
Q009 — Topic 1.4 (Medium)
YANG Leaf XML Representation
Given a YANG leaf defined as
leaf mtu { type uint16; default 1500; }, what is the correct XML representation for setting the MTU to 9000?
- A)
<mtu>9000</mtu>- B)
<mtu type="uint16">9000</mtu>- C)
<mtu xmlns:yang="...">9000</mtu>- D)
<mtu value="9000"/>
Answer: A
YANG leaf values in XML are simple element text content:
<mtu>9000</mtu>. The YANG type (uint16) is not included in the XML — it is validated by the server against the YANG schema. Source: Practice Question — Exam Topic 1.4
Q010 — Topic 1.1 (Medium)
YANG Grouping Statement
Which YANG statement defines a reusable set of nodes that can be incorporated into multiple places in a data model?
- A) grouping
- B) augment
- C) typedef
- D) container
Answer: A
‘grouping’ defines a reusable collection of nodes; ‘uses’ incorporates a grouping into the data tree. ‘augment’ adds nodes to an existing model. ‘typedef’ defines a reusable data type, not a node structure. Source: Practice Question — Exam Topic 1.1
Q071 — Topic 1.2 (Hard)
RESTCONF-NETCONF Method Mapping
Which RESTCONF HTTP method is equivalent to the NETCONF
<edit-config>operation with default merge behavior?
- A) PATCH
- B) PUT
- C) POST
- D) GET
Answer: A
RESTCONF PATCH maps to NETCONF edit-config with merge (partial update). PUT maps to edit-config with replace. POST maps to edit-config with create. GET maps to get-config/get. Source: Practice Question — Exam Topic 1.2
Q082 — Topic 1.3 (Medium)
RESTCONF URI Colon Separator
In a RESTCONF URL, what does the colon (:) between module name and node name represent?
- A) It separates the YANG module name from the data node name to avoid ambiguity
- B) It indicates a namespace separator for XML encoding
- C) It specifies the API version number
- D) It separates the host from the port in the URL
Answer: A
In RESTCONF URIs like
/restconf/data/ietf-interfaces:interfaces, the colon separates the YANG module name from the top-level data node to prevent ambiguity. Source: Practice Question — Exam Topic 1.3
2.0 Device-Level Network Automation (25%) — 19 Questions
Q011 — Topic 2.1 (Medium)
Netmiko Config Methods
Which Netmiko method should be used to send configuration commands that require entering global configuration mode?
- A) send_config_set()
- B) send_command()
- C) send_config_from_file()
- D) Both A and C
Answer: D
send_config_set() and send_config_from_file() both automatically enter/exit config mode. send_command() is for exec-mode only. Source: Practice Question — Exam Topic 2.1
Q012 — Topic 2.1 (Medium)
Netmiko Paging
What happens when Netmiko’s send_command() encounters output that exceeds the terminal length?
- A) Netmiko automatically sends the spacebar to page through output by default
- B) The command times out with a ReadTimeout exception
- C) Output is truncated at the first page boundary
- D) Netmiko sends ‘terminal length 0’ before every command automatically
Answer: A
Netmiko’s ConnectHandler automatically sends ‘terminal length 0’ during session setup to disable paging. If paging is still active, send_command() handles —More— prompts. Source: Practice Question — Exam Topic 2.1
Q013 — Topic 2.2 (Medium)
ncclient edit_config
When using ncclient to edit the running configuration, which method applies changes and what is the default operation?
- A) edit_config() with default operation ‘merge’
- B) edit_config() with default operation ‘replace’
- C) put_config() with default operation ‘merge’
- D) set_config() with default operation ‘create’
Answer: A
ncclient’s edit_config(target=‘running’, config=xml_payload) applies changes. The default NETCONF operation is ‘merge’. Use default_operation=‘replace’ to overwrite. Source: Practice Question — Exam Topic 2.2
Q014 — Topic 2.2 (Medium)
ncclient Lock
Which ncclient method locks a NETCONF datastore to prevent concurrent modifications?
- A) m.lock(target=‘running’)
- B) m.lock_config(datastore=‘running’)
- C) m.exclusive_lock(‘running’)
- D) m.session_lock(target=‘running’)
Answer: A
ncclient uses m.lock(target=‘running’) and m.unlock(target=‘running’) for exclusive datastore access. Always use try/finally to ensure unlock. Source: Practice Question — Exam Topic 2.2
Q015 — Topic 2.3 (Medium)
RESTCONF PATCH vs PUT
When using Python requests to send a RESTCONF PATCH request, what is the key difference from a PUT request?
- A) PATCH merges changes with existing config; PUT replaces the entire target resource
- B) PATCH creates new resources; PUT only updates existing ones
- C) PATCH uses XML only; PUT supports both JSON and XML
- D) PATCH requires authentication; PUT does not
Answer: A
RESTCONF follows HTTP semantics: PATCH = partial update (merge), PUT = full replacement. For updating a single attribute, PATCH is safer. Source: Practice Question — Exam Topic 2.3
Q016 — Topic 2.4 (Medium)
Ansible for IOS-XE Benefits
What are two benefits of leveraging Ansible for automation of Cisco IOS XE Software? (Choose two)
- A) Ansible playbooks are packaged and installed on IOS XE devices
- B) It is a device-independent method and can be used with any type of device or OS
- C) Ansible playbooks can be written from the IOS XE EXEC command line
- D) It does not require any modules except SSH to be loaded on the network device
- E) All IOS XE operating systems include Ansible playbooks
Answer: B, D
Ansible is agentless (needs only SSH on target), device-independent, and multi-vendor. It runs from a control node, not on the device. Source: nwexam.com Sample Question
Q017 — Topic 2.4 (Medium)
Ansible ios_config parents
In an Ansible playbook using cisco.ios.ios_config, what does the ‘parents’ parameter specify?
- A) The configuration hierarchy path where the ‘lines’ commands should be applied
- B) The list of parent playbooks that must run before this task
- C) The inventory group containing the target devices
- D) The rollback configuration to restore if the task fails
Answer: A
‘parents’ specifies the config mode context. Example:
parents: ['interface GigabitEthernet1']withlines: ['ip address 10.0.0.1 255.255.255.0']. Source: Practice Question — Exam Topic 2.4
Q018 — Topic 2.5 (Easy)
IOS-XE Zero-Touch Provisioning
Which Cisco IOS-XE feature enables zero-touch provisioning for new devices connecting to the network for the first time?
- A) PnP Agent (Plug and Play)
- B) Smart Install
- C) AutoInstall via TFTP
- D) ZTP with DHCP option 67
Answer: A
IOS-XE devices ship with a built-in PnP agent that contacts Catalyst Center on first boot. ZTP (option D) is for IOS-XR/NX-OS. Smart Install is deprecated. Source: Practice Question — Exam Topic 2.5
Q019 — Topic 2.6 (Medium)
RESTCONF 404 Troubleshooting
A RESTCONF GET request to /restconf/data/ietf-interfaces:interfaces returns a 404 error. Which troubleshooting step should you take first?
- A) Verify ‘restconf’ is enabled in device config and check that the YANG model is supported
- B) Change the request to use XML instead of JSON
- C) Restart the HTTP server process on the device
- D) Switch to NETCONF since RESTCONF is not supported
Answer: A
404 means resource path not found. Common causes: restconf not enabled, YANG module not supported on this IOS version, URL typo. Source: Practice Question — Exam Topic 2.6
Q020 — Topic 2.6 (Hard)
NETCONF data-missing Error
A NETCONF edit-config operation returns an
<rpc-error>with error-tag ‘data-missing’. What is the most likely cause?
- A) The target node specified in the XML filter does not exist in the running configuration
- B) The NETCONF session has timed out
- C) The user does not have sufficient privileges
- D) The XML payload has a namespace mismatch
Answer: A
‘data-missing’ means the operation references data that doesn’t exist — e.g., trying to delete a non-existent element. Source: Practice Question — Exam Topic 2.6
Q021 — Topic 2.7 (Hard)
Guest Shell + EEM Workflow
On IOS-XE, what is the correct sequence to run a Python script from Guest Shell triggered by an EEM event?
- A) Enable IOx, activate Guest Shell, copy script to flash:guest-share, create EEM applet with
action cli command guestshell run python3 /flash/guest-share/script.py- B) Install Python package on IOS-XE, enable EEM, run
python3 script.pyfrom exec mode- C) Enable NETCONF, copy Python script to bootflash, create cron job in IOS scheduler
- D) Enable Guest Shell, upload script via SCP, create EEM with
action python script.py
Answer: A
The on-box Python workflow: 1) ‘iox’ enables IOx, 2) ‘guestshell enable’ activates the container, 3) copy scripts to flash:guest-share/, 4) EEM applet triggers via guestshell run. Source: Practice Question — Exam Topic 2.7
Q022 — Topic 2.7 (Medium)
Guest Shell cli Module
Inside IOS-XE Guest Shell, which Python module provides access to execute IOS CLI commands?
- A) cli
- B) ios
- C) netmiko
- D) subprocess
Answer: A
The ‘cli’ module is pre-installed in Guest Shell:
cli.execute('show ip route')returns output,cli.configure('...')applies config. No SSH needed — runs locally. Source: Practice Question — Exam Topic 2.7
Q023 — Topic 2.5 (Hard)
PnP DHCP Option
When building a Day-0 provisioning solution for IOS-XE devices, which DHCP option directs the PnP agent to the Catalyst Center server?
- A) Option 43 with PnP server IP in suboption
- B) Option 66 with TFTP server hostname
- C) Option 67 with bootfile name
- D) Option 150 with TFTP server IP list
Answer: A
DHCP Option 43 (vendor-specific information) carries the PnP server address. Options 66/67 are for legacy TFTP provisioning. DNS-based discovery (pnpserver.domain) is an alternative. Source: Practice Question — Exam Topic 2.5
Q024 — Topic 2.3 (Easy)
RESTCONF Create Method
Which HTTP method is used in RESTCONF to create a new resource that does not yet exist?
- A) POST
- B) PUT
- C) PATCH
- D) CREATE
Answer: A
POST creates new resources (201 Created). PUT creates or replaces. PATCH partially updates. There is no CREATE method in HTTP. Source: Practice Question — Exam Topic 2.3
Q069 — Topic 2.7 (Medium)
EEM Cron Timer
Which EEM event detector would you use to trigger a Python script every day at midnight?
- A) event timer cron cron-entry “0 0 * * *”
- B) event timer watchdog time 86400
- C) event timer countdown time 86400
- D) event syslog pattern “midnight”
Answer: A
EEM’s ‘event timer cron’ uses standard cron syntax. ‘0 0 * * *’ = midnight daily. ‘countdown’ fires once. Cron is the correct choice for recurring schedules. Source: Practice Question — Exam Topic 2.7
Q075 — Topic 2.1 (Easy)
Netmiko Save Config
Which Netmiko method saves the running configuration to the startup configuration on a Cisco IOS device?
- A) conn.save_config()
- B) conn.send_command(‘write memory’)
- C) conn.commit()
- D) Both A and B achieve the same result
Answer: D
save_config() sends the platform-appropriate save command (‘write memory’ for Cisco IOS). Both A and B achieve the same result. commit() is for IOS-XR/Junos. Source: Practice Question — Exam Topic 2.1
Q081 — Topic 2.4 (Medium)
Ansible register Keyword
What is the purpose of the ‘register’ keyword in an Ansible task?
- A) Stores the task output in a variable for use in subsequent tasks or conditional logic
- B) Registers the device in the Ansible inventory dynamically
- C) Creates a backup of the device configuration
- D) Registers the playbook with Ansible Galaxy
Answer: A
‘register: result’ captures task output (stdout, changed, failed) into a variable. Essential for network automation where you parse show command output for decisions. Source: Practice Question — Exam Topic 2.4
Q085 — Topic 2.6 (Hard)
RESTCONF 409 Conflict
A RESTCONF request returns HTTP 409 Conflict. What does this typically indicate?
- A) The requested operation conflicts with current device state
- B) The server is overloaded
- C) Authentication credentials are invalid
- D) The YANG model is not supported
Answer: A
HTTP 409 means the operation conflicts with the target resource’s state. Common cause: POST on a resource that already exists — use PUT or PATCH instead. Source: Practice Question — Exam Topic 2.6
3.0 Controller-Based Network Automation (30%) — 20 Questions
Q025 — Topic 3.1 (Hard)
Catalyst Center PnP Claim API
Which Catalyst Center API endpoint is used to claim a PnP device and assign it to a site?
- A) POST /dna/intent/api/v1/onboarding/pnp-device/site-claim
- B) POST /dna/intent/api/v1/pnp/device/claim
- C) PUT /dna/intent/api/v1/onboarding/pnp-device
- D) POST /dna/intent/api/v1/site/device/assign
Answer: A
The PnP site-claim endpoint assigns an unclaimed device to a site with a Day-0 template. Part of the 28-endpoint Device Onboarding API. Source: Practice Question — Exam Topic 3.1
Q026 — Topic 3.1 (Medium)
Meraki Day-0 Claiming
In Meraki, what API call is used to claim devices into an organization during Day-0 onboarding?
- A) POST /organizations/{orgId}/claim
- B) POST /organizations/{orgId}/inventory/claim
- C) PUT /organizations/{orgId}/devices
- D) POST /networks/{netId}/devices/claim
Answer: A
Meraki Day-0 claiming uses POST /organizations/{orgId}/claim with serial numbers. Two-step: org-claim first, then network-assign. Source: Practice Question — Exam Topic 3.1
Q027 — Topic 3.2 (Medium)
Meraki Webhook + Webex
A programmer is creating a Meraki webhook Python script to send a message to Webex Teams. Which two elements should be configured? (Choose two)
- A) gRPC credentials
- B) Webex Teams access token
- C) XML formatted request
- D) User authentication count
- E) Webhook server secret
Answer: B, E
Needs: webhook secret (HMAC verification) + Webex access token (to send messages). Meraki webhooks use JSON, not XML or gRPC. Source: nwexam.com Sample Question
Q028 — Topic 3.2 (Easy)
Meraki Create Network
Which HTTP method to /organizations/{orgId}/networks results in a 201 response?
- A) GET
- B) POST
- C) PUT
- D) PATCH
Answer: B
POST creates a new resource (201 Created). GET returns existing (200). PUT/PATCH update existing resources. Source: nwexam.com Sample Question
Q029 — Topic 3.2 (Easy)
Catalyst Center Intent API Direction
In which direction does the Cisco Catalyst Center Intent API communicate?
- A) Westbound
- B) Eastbound
- C) Northbound
- D) Southbound
Answer: C
The Intent API is Catalyst Center’s northbound REST API — it faces external applications. Southbound interfaces communicate with managed devices. Source: nwexam.com Sample Question
Q030 — Topic 3.2 (Medium)
Synchronous API Characteristics
What are two characteristics of synchronous API calls? (Choose two)
- A) They block until a response is returned from the server
- B) They make an application less portable
- C) They add perceived latency if data is not received quickly
- D) Calls are limited to specific programming languages
- E) They do not block while waiting
Answer: A, C
Synchronous calls block the calling thread. Meraki uses synchronous responses; Catalyst Center uses asynchronous (taskId polling). Source: nwexam.com Sample Question
Q031 — Topic 3.3 (Medium)
Jinja2 Conditional
Which Jinja2 construct conditionally includes a configuration block only when a variable is defined?
- A) {% if ntp_server is defined %}
- B) {% when ntp_server exists %}
- C) {% check ntp_server %}
- D) {% ifdef ntp_server %}
Answer: A
Jinja2 uses
{% if variable is defined %}.{% ifdef %}is C preprocessor syntax, not Jinja2. Source: Practice Question — Exam Topic 3.3
Q032 — Topic 3.3 (Easy)
Jinja2 Default Filter
In a Jinja2 template, what does the
| defaultfilter do?
- A) Provides a fallback value when a variable is undefined or empty
- B) Sets the variable as the default for all subsequent templates
- C) Marks the variable as required during deployment
- D) Converts the variable to platform default format
Answer: A
{{ ntp_server | default('10.0.0.1') }}provides a fallback. Prevents UndefinedError during template rendering. Source: Practice Question — Exam Topic 3.3
Q033 — Topic 3.4 (Medium)
Ansible Collection for Catalyst Center
Which Ansible collection provides modules for automating Cisco Catalyst Center?
- A) cisco.dnac
- B) cisco.catalyst
- C) cisco.dna
- D) cisco.catcenter
Answer: A
cisco.dnac (name kept for backward compatibility). Other collections: cisco.meraki, cisco.ise, cisco.catalystwan. Source: Practice Question — Exam Topic 3.4
Q034 — Topic 3.4 (Medium)
Meraki Ansible Connection Plugin
In an Ansible playbook automating Meraki, which connection plugin type is used?
- A) httpapi
- B) network_cli
- C) netconf
- D) local
Answer: A
cisco.meraki uses httpapi to communicate with Meraki cloud Dashboard API. network_cli is for device-level SSH. Source: Practice Question — Exam Topic 3.4
Q035 — Topic 3.5 (Hard)
ISE ANC Quarantine API
Which ISE API is used to quarantine an endpoint by applying an ANC policy?
- A) POST /ers/config/ancendpoint/apply
- B) PUT /ers/config/endpoint/{id}/quarantine
- C) POST /api/v1/anc/endpoint/apply
- D) POST /ers/config/ancpolicy/apply
Answer: A
ISE ERS API: /ers/config/ancendpoint/apply with MAC address and policy name. This triggers CoA to the NAD. Source: Practice Question — Exam Topic 3.5
Q036 — Topic 3.5 (Hard)
Catalyst Center Command Runner
Which API enables running CLI commands on managed devices for troubleshooting?
- A) POST /dna/intent/api/v1/network-device-poller/cli/read-request
- B) POST /dna/intent/api/v1/device/cli/execute
- C) POST /dna/intent/api/v1/ssh/command
- D) GET /dna/intent/api/v1/device/{id}/cli
Answer: A
Command Runner API sends show commands to devices via Catalyst Center. Returns a taskId — poll the file service for results. Read-only. Source: Practice Question — Exam Topic 3.5
Q037 — Topic 3.6 (Medium)
Catalyst Center 401 Unauthorized
A Catalyst Center API call returns HTTP 401. What is the most common cause?
- A) The X-Auth-Token has expired (default 1 hour) and needs to be refreshed
- B) The API endpoint does not exist
- C) The request body JSON is malformed
- D) Rate limiting has been triggered
Answer: A
Tokens expire after ~1 hour. Re-authenticate via POST /dna/system/api/v1/auth/token with Basic Auth. Source: Practice Question — Exam Topic 3.6
Q038 — Topic 3.6 (Hard)
SD-WAN XSRF Token
An SD-WAN API write operation fails with HTTP 403 even though GET requests work. What is the likely issue?
- A) The X-XSRF-TOKEN header is missing from the write request
- B) The vManage user does not have write permissions
- C) SD-WAN does not support POST operations
- D) The JSESSIONID cookie has expired
Answer: A
SD-WAN requires X-XSRF-TOKEN for write operations (CSRF protection). GET works without it. Token from GET /dataservice/client/token. Source: Practice Question — Exam Topic 3.6
Q039 — Topic 3.2 (Medium)
Catalyst Center device-detail searchBy
When accessing /device-detail in Catalyst Center, what is an acceptable searchBy parameter?
- A) Platform type
- B) IP address
- C) Software version
- D) MAC address
Answer: D
The /device-detail endpoint accepts searchBy with ‘macAddress’. IP address and platform type are not valid for this specific endpoint. Source: nwexam.com Sample Question
Q040 — Topic 3.2 (Medium)
Catalyst Center Sites API
The Sites API must retrieve a site identifier but only the site name is available. Which API call?
- A) /dna/intent/api/site/siteId
- B) /dna/intent/api/site
- C) /dna/intent/api/v1/site
- D) /dna/intent/api/v1/site/siteName
Answer: C
GET /dna/intent/api/v1/site with ?name=siteName returns site details including siteId. Note the v1 in the path. Source: nwexam.com Sample Question
Q070 — Topic 3.3 (Medium)
Jinja2 For Loop
What does
{% for vlan in vlans %}vlan {{ vlan.id }}\n name {{ vlan.name }}\n{% endfor %}produce?
- A) A VLAN configuration block repeated for each item in the vlans list
- B) A single VLAN with the name ‘vlans’
- C) A syntax error — Jinja2 doesn’t support for loops
- D) A comment block ignored during rendering
Answer: A
Jinja2 for-loops iterate over list variables. Catalyst Center templates use this pattern for multi-VLAN, multi-interface configs. Source: Practice Question — Exam Topic 3.3
Q072 — Topic 3.2 (Hard)
SD-WAN vs Catalyst Center Auth
How does SD-WAN authentication differ from Catalyst Center authentication?
- A) SD-WAN uses session cookies (JSESSIONID) with form-urlencoded login; Catalyst Center uses token-based auth (X-Auth-Token) with Basic Auth
- B) Both use identical Bearer token authentication
- C) SD-WAN uses API keys; Catalyst Center uses OAuth2
- D) SD-WAN uses SAML; Catalyst Center uses LDAP
Answer: A
SD-WAN: POST /j_security_check with form-urlencoded → JSESSIONID cookie. Catalyst Center: POST /auth/token with Basic Auth → X-Auth-Token header. Source: Practice Question — Exam Topic 3.2
Q073 — Topic 3.5 (Medium)
ISE ANC Quarantine
Which ISE feature allows automated endpoint isolation when a security threat is detected?
- A) Adaptive Network Control (ANC) with quarantine policy triggering CoA
- B) RADIUS authentication with MAC-based access control
- C) TrustSec SGT assignment via SGACL
- D) Posture assessment with compliance remediation
Answer: A
ANC quarantine: API trigger → apply policy to MAC → ISE sends CoA to NAD → endpoint moved to quarantine VLAN. Source: Practice Question — Exam Topic 3.5
Q077 — Topic 3.6 (Easy)
Meraki 429 Rate Limit
A Meraki API request returns HTTP 429 with Retry-After header. What should the script do?
- A) Wait for the seconds specified in Retry-After, then retry
- B) Immediately retry with different credentials
- C) Switch to a different endpoint
- D) Stop execution and report error
Answer: A
HTTP 429 = rate limited. Meraki allows 5 calls/sec per org. Wait the Retry-After duration. The Meraki SDK handles this automatically. Source: Practice Question — Exam Topic 3.6
Q083 — Topic 3.4 (Medium)
SD-WAN Ansible Connection Plugin
Which connection plugin does cisco.catalystwan use?
- A) httpapi
- B) network_cli
- C) netconf
- D) local
Answer: A
All four controller collections use httpapi: cisco.dnac, cisco.meraki, cisco.catalystwan, cisco.ise. Source: Practice Question — Exam Topic 3.4
4.0 Operations (20%) — 19 Questions
Q041 — Topic 4.1 (Easy)
pyATS Framework
Which Cisco tool provides a Python-based framework for network testing and validation?
- A) pyATS with Genie parsers
- B) Netmiko with TextFSM
- C) Ansible with assert module
- D) RESTCONF with JSON output
Answer: A
pyATS is Cisco’s testing framework. Genie parsers convert CLI output into structured Python dictionaries for automated validation. Source: Practice Question — Exam Topic 4.1
Q042 — Topic 4.1 (Medium)
pyATS Testbed
In a pyATS testbed YAML file, which section defines how to connect to a network device?
- A) devices.<name>.connections
- B) devices.<name>.protocols
- C) topology.links
- D) devices.<name>.transport
Answer: A
The testbed YAML ‘devices’ section defines ‘connections’ with protocol, IP, port, and credentials. Source: Practice Question — Exam Topic 4.1
Q043 — Topic 4.1 (Medium)
Genie Diff
What is the pyATS Genie ‘diff’ feature used for?
- A) Comparing two parsed device snapshots to identify state changes
- B) Generating a unified diff patch file
- C) Calculating performance metric differences
- D) Comparing YANG models between IOS versions
Answer: A
Genie Diff compares pre/post-change parsed snapshots to highlight additions, removals, and modifications. Essential for change validation. Source: Practice Question — Exam Topic 4.1
Q044 — Topic 4.2 (Easy)
Network Topology Simulation
Which Cisco platform provides network topology simulation for testing automation?
- A) Cisco Modeling Labs (CML)
- B) Cisco Packet Tracer
- C) GNS3 only
- D) Cisco DevNet Sandbox only
Answer: A
CML runs real Cisco images in virtual topologies. Has a REST API for programmatic lab management. Ideal for testing automation. Source: Practice Question — Exam Topic 4.2
Q045 — Topic 4.2 (Medium)
CML CI/CD Integration
How can CML be integrated into a CI/CD pipeline?
- A) Use CML REST API to create/start/stop topologies and run pyATS tests
- B) CML only supports manual GUI-based topology creation
- C) CML exports Ansible inventory directly to Jenkins
- D) CML requires physical hardware
Answer: A
CML’s REST API (and Python SDK ‘virl2-client’) enables full automation: create topology, start nodes, run tests, tear down. Source: Practice Question — Exam Topic 4.2
Q046 — Topic 4.4 (Medium)
Meraki Client Health
Which Meraki API endpoint provides client health information?
- A) GET /networks/{networkId}/clients
- B) GET /networks/{networkId}/health/alerts
- C) GET /organizations/{orgId}/summary/top/clients/byUsage
- D) GET /networks/{networkId}/wireless/clients/healthScores
Answer: A
GET /networks/{networkId}/clients returns client details including health and status. Wireless-specific: /wireless/clients/healthScores. Source: Practice Question — Exam Topic 4.4
Q047 — Topic 4.3 (Hard)
SD-WAN Software Images
Which API endpoint retrieves available software images for SD-WAN device upgrades?
- A) GET /dataservice/device/action/software
- B) GET /dataservice/device/image/list
- C) GET /dataservice/software/images
- D) GET /dataservice/device/software/version
Answer: A
SD-WAN uses /dataservice/device/action/software for image listing. POST /dataservice/device/action/install triggers upgrades. Source: Practice Question — Exam Topic 4.3
Q048 — Topic 4.5 (Hard)
MDT Configuration
Which IOS-XE CLI configures periodic model-driven telemetry?
- A) telemetry ietf subscription with encoding encode-kvgpb, source-address, and receiver config
- B) ip telemetry netconf periodic
- C) netconf-yang telemetry subscription
- D) model-driven-telemetry netconf enable
Answer: A
IOS-XE MDT:
telemetry ietf subscription <id>→ encoding → filter xpath → update-policy periodic → receiver config. Source: Practice Question — Exam Topic 4.5
Q049 — Topic 4.5 (Medium)
YANG-push vs SNMP
Which two are benefits of YANG-push telemetry over SNMP? (Choose two)
- A) Subscription requests use less bandwidth
- B) It uses UDP rather than TCP
- C) You can precisely define data subscriptions using XPath filters
- D) It scales better than SNMP
- E) Supported on more devices than SNMP
Answer: C, D
YANG-push advantages: precise XPath subscriptions and better scalability (push model). It uses TCP (gRPC/NETCONF), not UDP. Source: nwexam.com Sample Question (corrected)
Q050 — Topic 4.6 (Easy)
Catalyst Center Webhook Format
Webhooks from Catalyst Center use which properties?
- A) JSON payload via PUT
- B) XML payload via POST
- C) JSON payload via POST
- D) XML payload via PUT
Answer: C
Catalyst Center sends webhooks as HTTP POST with JSON payload. Receiver must accept POST with Content-Type: application/json. Source: nwexam.com Sample Question
Q051 — Topic 4.6 (Medium)
Meraki Webhook Profile
What must be configured in a Meraki webhook alert profile?
- A) Receiver URL, shared secret, and alert types
- B) SNMP community string and trap receiver
- C) gRPC endpoint and TLS certificate
- D) Syslog server IP and severity filter
Answer: A
Meraki webhooks need: URL, shared secret (HMAC-SHA256), and selected alert types. Configure via Dashboard or API. Source: Practice Question — Exam Topic 4.6
Q052 — Topic 4.4 (Medium)
Device Health API
Which Catalyst Center API provides device-level health scores?
- A) GET /dna/intent/api/v1/device-health
- B) GET /dna/intent/api/v1/device-detail
- C) GET /dna/intent/api/v1/network-device
- D) GET /dna/intent/api/v1/device/health-summary
Answer: A
/device-health returns health scores for all devices. /device-detail returns details for a single device. /network-device returns inventory. Source: Practice Question — Exam Topic 4.4
Q053 — Topic 4.1 (Medium)
Path Trace API
Which API validates connectivity between endpoints?
- A) Catalyst Center Path Trace API
- B) Meraki Dashboard topology API
- C) ISE profiling API
- D) SD-WAN OMP route API
Answer: A
POST /dna/intent/api/v1/flow-analysis traces the path between source/destination, showing hops, interfaces, QoS, and ACLs. Source: Practice Question — Exam Topic 4.1
Q054 — Topic 4.2 (Easy)
ThousandEyes Purpose
What is the primary purpose of Cisco ThousandEyes?
- A) Digital experience monitoring from user perspective across internet/cloud paths
- B) Network device configuration management
- C) Firewall rule optimization
- D) Automated VLAN provisioning
Answer: A
ThousandEyes monitors application delivery end-to-end. Its REST API (v7) enables automated test creation and result retrieval. Source: Practice Question — Exam Topic 4.2
Q055 — Topic 4.5 (Medium)
Telemetry Encoding
When configuring gRPC dial-out telemetry, which encoding is most efficient?
- A) encode-kvgpb (Key-Value Google Protocol Buffers)
- B) encode-json
- C) encode-xml
- D) encode-csv
Answer: A
KV-GPB is binary — smaller payloads than JSON/XML. Self-describing format. Preferred for production telemetry at scale. Source: Practice Question — Exam Topic 4.5
Q074 — Topic 4.6 (Easy)
Meraki Device Offline Alert
Which Meraki webhook alert type notifies when a device goes offline?
- A) Device went offline alert
- B) API rate limit exceeded
- C) Configuration changed
- D) New DHCP lease assigned
Answer: A
Meraki supports device connectivity alerts (online/offline). Webhook payloads include alertType, deviceSerial, networkId in JSON. Source: Practice Question — Exam Topic 4.6
Q078 — Topic 4.3 (Medium)
SWIM Distribution Verification
After distributing a software image via SWIM API, what must you do before activating?
- A) Poll the distribution task until success, verify image on device flash
- B) Immediately send activation — it waits for distribution
- C) Reboot the device manually first
- D) Mark the image as golden after distribution
Answer: A
SWIM operations are async and sequential. Poll GET /task/{taskId} until complete before activation. Correct sequence: Import → Golden → Distribute (poll) → Activate (poll). Source: Practice Question — Exam Topic 4.3
Q084 — Topic 4.5 (Hard)
Dynamic vs Static Telemetry
What is the difference between NETCONF-based and CLI-configured telemetry on IOS-XE?
- A) NETCONF subscriptions are dynamic (runtime); CLI subscriptions are static (persist across reboots)
- B) NETCONF subscriptions are faster
- C) CLI subscriptions support on-change; NETCONF does not
- D) No difference
Answer: A
Dynamic subscriptions exist for the session lifetime. Static (CLI) subscriptions persist in running config. Both support periodic and on-change. Source: Practice Question — Exam Topic 4.5
5.0 AI in Automation (15%) — 15 Questions
Q056 — Topic 5.1 (Medium)
Catalyst Center AI Analytics
Which Catalyst Center feature uses ML to identify anomalous network behavior?
- A) AI Network Analytics with baselining and anomaly detection
- B) Command Runner with pattern matching
- C) Template deployment with validation rules
- D) Site health with threshold alerts
Answer: A
AI Network Analytics continuously baselines behavior and uses ML to detect anomalies. No manual threshold configuration needed. Source: Practice Question — Exam Topic 5.1
Q057 — Topic 5.1 (Medium)
Meraki AI/ML
How does Meraki use AI/ML in its wireless platform?
- A) RF optimization and automatic channel/power adjustment, plus client device fingerprinting
- B) Automated VLAN creation based on device types
- C) AI-generated firewall rules
- D) Natural language interface for configuration
Answer: A
Meraki’s Auto RF uses ML for channel/power optimization. Client fingerprinting classifies devices using traffic patterns. Source: Practice Question — Exam Topic 5.1
Q058 — Topic 5.2 (Easy)
AI Coding Assistant Best Practice
When using an AI coding assistant for network automation, what is recommended?
- A) Always review generated code against API docs, test in lab, validate security
- B) AI code is always correct — deploy directly
- C) Only use AI for documentation
- D) AI should only generate boilerplate
Answer: A
AI assistants can hallucinate incorrect endpoints. Best practice: review, test in sandbox, check for hardcoded credentials. Source: Practice Question — Exam Topic 5.2
Q059 — Topic 5.2 (Easy)
AI-Assisted Development Approach
Which approach best leverages AI-assisted development for Catalyst Center automation?
- A) Describe outcome in prompt, let AI generate code, iteratively refine by testing against DevNet Sandbox
- B) Have AI write entire production codebase without review
- C) Use AI only for comments
- D) Copy code without understanding, debug in production
Answer: A
Iterative pattern: describe intent → review → test against sandbox → refine. DevNet Sandboxes provide safe validation environments. Source: Practice Question — Exam Topic 5.2
Q060 — Topic 5.3 (Hard)
AI Agent Security Risk
What is the primary risk when an AI agent has write access to network configs?
- A) Prompt injection could manipulate the AI into unauthorized configuration changes
- B) AI agents consume too much bandwidth
- C) AI agents require root access
- D) AI configs are incompatible with devices
Answer: A
Prompt injection is critical: malicious input could trick AI into harmful commands. Mitigations: read-only tokens, human-in-the-loop, allow-lists, audit logging. Source: Practice Question — Exam Topic 5.3
Q061 — Topic 5.3 (Medium)
MCP Server Security
Which security measure should be implemented for an MCP server providing network data to AI?
- A) Least privilege — API credentials with only read access to specific data needed
- B) Admin-level credentials for flexibility
- C) No authentication needed for local servers
- D) AI should share admin credentials
Answer: A
MCP server credentials define blast radius. Best practices: read-only tokens, scoped endpoints, rotation, rate limiting, audit logging. Source: Practice Question — Exam Topic 5.3
Q062 — Topic 5.3 (Medium)
LLM Hallucination Risk
An AI solution uses LLM to interpret alerts and suggest remediation. What is the hallucination risk?
- A) The LLM may confidently suggest incorrect steps that could cause outages
- B) The LLM may refuse to process alerts
- C) Hallucination only affects text, not technical recommendations
- D) Modern LLMs don’t hallucinate with structured input
Answer: A
LLM hallucination in network ops: may suggest wrong interfaces, incorrect ACLs, non-existent commands. Always require human approval. Source: Practice Question — Exam Topic 5.3
Q063 — Topic 5.4 (Easy)
FastMCP Tool Decorator
Which decorator registers a function as a callable tool in FastMCP?
- A) @mcp.tool()
- B) @mcp.route()
- C) @mcp.endpoint()
- D) @mcp.handler()
Answer: A
@mcp.tool() registers async functions as MCP tools. Type annotations become input schema, docstring becomes description. Source: Practice Question — Exam Topic 5.4
Q064 — Topic 5.4 (Medium)
MCP Tool vs Resource
What is the difference between an MCP ‘tool’ and an MCP ‘resource’?
- A) Tool is callable (performs actions); resource provides read-only data by URI
- B) Tool reads data; resource writes changes
- C) Tools use HTTP; resources use WebSocket
- D) They are identical
Answer: A
Tools (@mcp.tool()) are callable functions. Resources (@mcp.resource()) expose data at URIs. Resources are like GET endpoints; tools are like POST. Source: Practice Question — Exam Topic 5.4
Q065 — Topic 5.4 (Medium)
MCP Transport Protocol
Which transport does an MCP server typically use with Claude Code?
- A) stdio (standard input/output)
- B) HTTP REST
- C) WebSocket
- D) gRPC
Answer: A
MCP for Claude Code uses stdio — process spawned with JSON-RPC over stdin/stdout. SSE transport available for remote servers. Source: Practice Question — Exam Topic 5.4
Q066 — Topic 5.4 (Medium)
MCP Tool Discovery
How does an AI agent discover available MCP tools and their schemas?
- A) MCP protocol includes tools/list method returning schemas from Python type hints and docstrings
- B) AI reads the Python source code
- C) Manual OpenAPI spec file required
- D) Developer describes tools in a config file
Answer: A
MCP’s tools/list returns all tools with name, description, and inputSchema. FastMCP auto-generates schemas from type annotations. Source: Practice Question — Exam Topic 5.4
Q067 — Topic 5.1 (Medium)
SD-WAN AI Routing
Which SD-WAN feature uses AI/ML to optimize routing?
- A) Predictive path recommendations based on ML analysis of path quality metrics
- B) Static policy-based routing with manual SLA thresholds
- C) AI-generated OSPF cost calculations
- D) Automated BGP peering with ML-selected neighbors
Answer: A
SD-WAN AI/ML analyzes historical path performance to predict future quality, enabling proactive path switching before SLA violations. Source: Practice Question — Exam Topic 5.1
Q068 — Topic 5.3 (Easy)
AI + Network Automation Security
Which is a security best practice for AI + network automation?
- A) Human-in-the-loop approval for all AI-initiated config changes
- B) Full admin access for speed
- C) Disable logging to save storage
- D) Let AI create its own credentials
Answer: A
HITL is the most important safeguard. Combined with least-privilege, audit logging, change validation, and rollback capabilities. Source: Practice Question — Exam Topic 5.3
Q076 — Topic 5.2 (Easy)
AI Coding Assistant Value
What key capability does an AI assistant provide for unfamiliar APIs?
- A) Generating boilerplate with correct API patterns, auth headers, and error handling
- B) Automatically deploying code to production
- C) Replacing API documentation
- D) Guaranteeing zero bugs
Answer: A
AI excels at scaffolding correct patterns. Doesn’t replace docs (can hallucinate) and never guarantees bug-free code. Source: Practice Question — Exam Topic 5.2
Q079 — Topic 5.4 (Medium)
FastMCP Code Pattern
Which Python code correctly defines a basic MCP server?
- A)
mcp = FastMCP('Network'); @mcp.tool() async def list_devices() -> list: ...- B)
mcp = MCPServer(); @mcp.route('/devices') def list_devices(): ...- C)
mcp = FastMCP(); mcp.register_tool(list_devices)- D)
mcp = MCP(); @mcp.api() def list_devices(): ...
Answer: A
FastMCP pattern: create server with name, decorate async functions with @mcp.tool(), use type hints for schema. The function becomes callable by AI agents. Source: Practice Question — Exam Topic 5.4
Q080 — Topic 5.1 (Medium)
Intent-Based Networking
How does Cisco’s AI-driven IBN differ from traditional management?
- A) IBN translates business intent into policies, uses ML for assurance, provides closed-loop remediation
- B) IBN only generates reports
- C) IBN replaces all manual config with autonomous AI
- D) IBN is SNMP management with an AI label
Answer: A
Intent-Based Networking: translate intent → automate deployment → continuous assurance → closed-loop remediation. Foundation of Catalyst Center. Source: Practice Question — Exam Topic 5.1
Question Distribution Summary
| Domain | Questions | Target | Status |
|---|---|---|---|
| 1.0 Network Automation Foundation | 12 | 15 | Good |
| 2.0 Device-Level Automation | 19 | 15 | Exceeds |
| 3.0 Controller-Based Automation | 20 | 15 | Exceeds |
| 4.0 Operations | 19 | 15 | Exceeds |
| 5.0 AI in Automation | 15 | 15 | Meets |
| Total | 85 | 75 | Exceeds |
Sources
- Cisco 300-435 Sample Questions — nwexam.com
- ENAUTO Exam Topics — Cisco Learning Network
- ENAUTO v2.0 Exam Blueprint — Cisco
- Catalyst Center API — Cisco DevNet
- ThousandEyes API — Cisco DevNet
- Practice Questions based on official exam topic descriptions and Cisco documentation
See Also
- 1.0_Foundation_Deep_Dive · 2.0_Device_Level_Deep_Dive · 4.0_Operations_Deep_Dive · 5.0_AI_Automation_Deep_Dive — Study notes by domain
- Catalyst_Center_Deep_Dive · Meraki_Deep_Dive · SDWAN_Deep_Dive · ISE_Deep_Dive — Controller deep dives
- API_Endpoint_Glossary — API reference for verifying answers
- README — Hands-on practice to reinforce concepts