Visit here for our full Cisco 350-901 exam dumps and practice test questions.
Question 1:
A developer needs to authenticate API requests to a Cisco DNA Center. Which authentication method should be used?
A) Token-based authentication with username and password
B) No authentication for public APIs
C) SSH keys for API access
D) SNMP community strings
Answer: A
Explanation:
Cisco DNA Center uses token-based authentication for API access, requiring developers to first obtain an authentication token by sending credentials to the authentication endpoint. The authentication process involves making a POST request to the /dna/system/api/v1/auth/token endpoint with Basic Authentication headers containing base64-encoded username and password. Upon successful authentication, DNA Center returns a JSON Web Token (JWT) that must be included in subsequent API requests using the X-Auth-Token header. This token has a limited lifespan, typically 60 minutes, after which a new token must be obtained through re-authentication.
Token-based authentication provides several security advantages including session management without storing credentials, token expiration for time-limited access, and the ability to revoke tokens without changing passwords. The workflow involves authenticating once to receive a token, using that token for multiple API calls during its validity period, and refreshing the token before expiration or re-authenticating when expired. DNA Center APIs follow RESTful principles with JSON payloads, and proper authentication is mandatory for all API operations including retrieving network device information, configuring policies, or accessing telemetry data. Developers should implement error handling for authentication failures and token expiration, typically by catching 401 Unauthorized responses and automatically re-authenticating.
Option B is incorrect because DNA Center requires authentication for all API access to protect sensitive network configuration and operational data. Public unauthenticated access would create severe security vulnerabilities. Option C is incorrect because SSH keys are used for CLI access to network devices, not for DNA Center REST API authentication which uses HTTP-based token mechanisms. Option D is incorrect because SNMP community strings are legacy network management protocol credentials, not applicable to modern REST APIs which use HTTP authentication methods.
Question 2:
A developer is creating an application that consumes Cisco Webex APIs. What data format is primarily used for API requests and responses?
A) JSON
B) XML
C) YAML
D) Plain text
Answer: A
Explanation:
Cisco Webex APIs primarily use JSON (JavaScript Object Notation) for both request payloads and response data, following modern REST API design practices. JSON provides a lightweight, human-readable data interchange format that’s easy to parse in virtually all programming languages. Webex API endpoints accept JSON-formatted data in POST, PUT, and PATCH requests with the Content-Type: application/json header, and return JSON responses containing requested data or operation results. For example, creating a Webex Teams space involves sending a JSON payload with properties like title and teamId, and receiving a JSON response containing the created space’s details including ID, creation timestamp, and creator information.
JSON’s widespread adoption in Webex APIs stems from its advantages including native JavaScript support making it ideal for web applications, compact representation reducing bandwidth compared to XML, ease of parsing without complex schemas, and strong support across programming languages through libraries like Python’s json module, Node.js built-in JSON methods, and Java’s Jackson or Gson libraries. Developers working with Webex APIs should ensure proper JSON formatting including correct quotation marks around strings and property names, proper nesting of objects and arrays, and valid data types. Authentication tokens must be included in the Authorization: Bearer <token> header alongside JSON payloads. Webex provides comprehensive API documentation with JSON examples for all endpoints covering messaging, meetings, teams, rooms, and administrative functions.
Option B is incorrect because while XML was common in older APIs, Webex uses JSON as its primary data format for better performance and developer experience. Option C is incorrect because YAML is typically used for configuration files rather than API data exchange, despite being convertible to JSON. Option D is incorrect because plain text doesn’t provide the structure needed for complex API data containing nested objects, arrays, and multiple data types.
Question 3:
A developer needs to create a bot that posts messages to Cisco Webex Teams spaces. What must be obtained first?
A) Bot access token from Webex developer portal
B) SNMP credentials
C) SSH private key
D) Database connection string
Answer: A
Explanation:
Creating a Webex bot requires obtaining a bot access token from the Webex developer portal, which provides the authentication credentials necessary for the bot to interact with Webex APIs. The process begins by visiting developer.webex.com, signing in with Webex credentials, navigating to “My Webex Apps,” and creating a new bot application. During bot creation, developers specify the bot’s display name, username, icon, and description. Upon creation, Webex generates a unique bot access token that must be securely stored and used in API requests. Unlike user access tokens that expire, bot tokens remain valid indefinitely unless manually regenerated, making them suitable for long-running automated applications.
Bot tokens authenticate API requests using the Bearer token scheme in the Authorization header: Authorization: Bearer <bot_token>. Bots can perform various operations including posting messages to spaces, receiving webhooks for incoming messages, reading space membership, and retrieving message details. Important bot limitations include inability to create spaces (they must be added by users), visibility only to messages mentioning the bot or sent in 1:1 spaces, and restrictions on administrative operations. Developers should implement webhook listeners to receive real-time notifications when users mention the bot or send direct messages, enabling interactive conversational applications. Security best practices include storing tokens in environment variables or secret management systems rather than hardcoding in source code, implementing token validation, and handling token regeneration scenarios.
Option B is incorrect because SNMP credentials are network device management credentials unrelated to Webex bot authentication. Option C is incorrect because SSH private keys are used for secure shell access to systems, not for Webex API authentication which uses HTTP bearer tokens. Option D is incorrect because database connections are unrelated to Webex bot creation, though bots might use databases for storing state or conversation history.
Question 4:
What HTTP method should be used to retrieve device information from Cisco DNA Center API?
A) GET
B) POST
C) PUT
D) DELETE
Answer: A
Explanation:
The GET HTTP method is the appropriate choice for retrieving device information from Cisco DNA Center APIs, following RESTful API design principles where GET requests retrieve resources without modifying server state. DNA Center provides numerous GET endpoints for querying network devices, including /dna/intent/api/v1/network-device for listing all devices and /dna/intent/api/v1/network-device/{id} for retrieving specific device details. GET requests are idempotent, meaning multiple identical requests produce the same result without side effects, making them safe for repeated queries. Developers construct GET requests with the authentication token in headers and optional query parameters for filtering, pagination, or sorting results.
When retrieving device information, GET requests return JSON responses containing device attributes such as hostname, IP address, device type, software version, reachability status, location, and associated site information. Query parameters enable filtering by device family, role, serial number, or management IP address, allowing precise data retrieval. For example, /dna/intent/api/v1/network-device?family=Switches and Hubs retrieves only switch devices. DNA Center implements pagination for large result sets using offset and limit parameters, requiring developers to handle multi-page responses when retrieving complete device inventories. Response status codes indicate success (200 OK) or errors (401 Unauthorized, 404 Not Found), and developers should implement appropriate error handling for network failures, authentication issues, or invalid device IDs.
Option B is incorrect because POST creates new resources or submits data for processing, not for retrieving existing information. DNA Center uses POST for operations like initiating device discoveries or creating configuration templates. Option C is incorrect because PUT updates entire resources, used for modifying device attributes or configurations rather than querying. Option D is incorrect because DELETE removes resources, such as deleting devices from inventory, opposite of retrieval operations.
Question 5:
A developer is implementing OAuth 2.0 authentication for a Cisco Webex integration. What is the first step in the authorization code flow?
A) Redirect user to Webex authorization URL
B) Store client credentials in code
C) Create database connection
D) Generate random access token
Answer: A
Explanation:
The OAuth 2.0 authorization code flow for Webex integrations begins by redirecting the user to Webex’s authorization URL where they grant permission for the application to access their Webex account. This redirection constructs a URL to https://webexapis.com/v1/authorize with query parameters including client_id identifying the application, redirect_uri specifying where Webex should send the authorization code, scope defining requested permissions like spark:messages_write or spark:rooms_read, and state providing CSRF protection. When users click the authorization link, they’re taken to Webex’s login page if not already authenticated, then presented with a consent screen showing what permissions the application requests.
After users approve the request, Webex redirects back to the specified redirect_uri with an authorization code in the query parameters. The application captures this code and exchanges it for an access token by making a POST request to https://webexapis.com/v1/access_token with the authorization code, client_id, client_secret, redirect_uri, and grant_type set to “authorization_code”. Webex responds with a JSON payload containing the access token, refresh token, token expiration time, and token type. This flow is more secure than implicit flow because the client secret never reaches the browser, and access tokens are obtained through secure server-to-server communication. Developers must implement redirect URI handling, state validation for security, and error handling for declined authorizations or invalid codes.
Option B is incorrect because storing client credentials in code violates security best practices; credentials should be environment variables or secure configuration. Redirection happens before credential usage. Option C is incorrect because database connections are unrelated to OAuth flow initialization. Option D is incorrect because access tokens are generated by the authorization server after successful authentication, not randomly by the application.
Question 6:
What is the purpose of a webhook in Cisco Webex Teams?
A) Receive real-time notifications of events
B) Store chat message history
C) Encrypt messages end-to-end
D) Compress media files
Answer: A
Explanation:
Webhooks in Cisco Webex Teams provide real-time event notifications by sending HTTP POST requests to developer-specified URLs when specific events occur, enabling applications to react immediately to activities without constant polling. Webhooks follow a publish-subscribe pattern where applications register interest in specific event types such as message creation, membership changes, or meeting updates, and Webex calls the registered webhook URL whenever those events occur. Common use cases include bot applications that respond to mentions, integration systems that sync Webex messages with other platforms, compliance applications that archive conversations, and notification systems that alert external services about team activities.
Creating webhooks requires POST requests to the /webhooks endpoint with JSON payload specifying name, targetUrl for receiving events, resource indicating what to monitor like “messages” or “memberships,” event type such as “created” or “deleted,” and optional filter limiting notifications to specific spaces. When events occur, Webex sends POST requests to the webhook URL containing JSON payloads with event details including resource IDs, event type, creation timestamps, and actor information. Applications must respond with 2xx status codes within 10 seconds to acknowledge receipt, or Webex will retry delivery with exponential backoff. Security considerations include validating webhook signatures to ensure requests originate from Webex, implementing HTTPS endpoints for encryption, and handling payload decryption for end-to-end encrypted spaces which deliver only metadata requiring subsequent API calls to retrieve actual content.
Option B is incorrect because webhooks deliver event notifications rather than storing message history, though applications receiving webhook data might choose to store it. Option C is incorrect because end-to-end encryption is a message security feature independent of webhooks, which deliver encrypted message metadata. Option D is incorrect because media compression is a content delivery optimization unrelated to webhook event notification functionality.
Question 7:
A developer needs to retrieve a list of all sites from Cisco DNA Center. Which API endpoint should be used?
A) GET /dna/intent/api/v1/site
B) POST /dna/intent/api/v1/site
C) PUT /dna/intent/api/v1/network-device
D) DELETE /dna/intent/api/v1/template
Answer: A
Explanation:
The GET /dna/intent/api/v1/site endpoint retrieves site hierarchy information from Cisco DNA Center, returning a structured representation of sites, buildings, floors, and areas defined in the network design. This endpoint requires authentication via the X-Auth-Token header with a valid JWT token obtained from the auth endpoint. The response contains a JSON array of site objects with properties including site ID, name, parent ID for hierarchical relationships, site type like area, building, or floor, and additional metadata such as latitude, longitude for buildings, and floor dimensions. Sites in DNA Center organize the network topology hierarchically, associating devices with physical locations for policy application, assurance analytics, and visualization.
Query parameters enable filtering site results by name, type, or offset/limit for pagination when dealing with large site hierarchies. The endpoint supports retrieving the complete site tree starting from root Global site or querying specific subtrees using site ID path filters. Response data includes site hierarchy paths in format like “Global/North America/San Jose/Building 14/Floor 3” enabling applications to understand organizational structure. Developers commonly use this endpoint for inventory applications displaying site-based device organization, configuration management systems needing location context for device policies, or monitoring dashboards showing site health metrics. Error handling should address authentication failures returning 401 status, invalid query parameters returning 400, or internal server errors with 500 status codes, implementing appropriate retry logic and user feedback.
Option B is incorrect because POST creates new sites rather than retrieving existing ones, used when adding locations to the hierarchy. Option C is incorrect because this endpoint operates on network devices, not site hierarchy, and PUT updates existing resources. Option D is incorrect because template deletion is unrelated to site retrieval and DELETE removes rather than queries resources.
Question 8:
What response format does Cisco DNA Center API typically return?
A) JSON
B) Binary
C) HTML
D) CSV
Answer: A
Explanation:
Cisco DNA Center APIs consistently return responses in JSON format, providing structured data that applications can easily parse and process across different programming languages. JSON responses contain hierarchical data structures with objects and arrays representing network entities, configurations, and operational states. For example, device inventory queries return JSON arrays of device objects containing properties like hostname, managementIpAddress, platformId, softwareVersion, and reachabilityStatus. DNA Center’s JSON responses follow consistent patterns with response wrapper objects containing properties like “response” for actual data and “version” for API version information, facilitating standardized client parsing logic.
JSON’s advantages for DNA Center APIs include strong typing support representing strings, numbers, booleans, and null values appropriately, nested structures modeling complex relationships like device locations within sites, array support for collections like interface lists or configuration templates, and wide language support with native parsing in JavaScript and robust libraries in Python (json module), Java (Jackson/Gson), Go (encoding/json), and others. Developers should implement proper JSON parsing with error handling for malformed responses, extract relevant data using language-appropriate methods like Python’s dictionary access or Java’s object mapping, and handle pagination in list responses where data exceeds single-page limits. Response content-type headers specify “application/json” enabling automatic parsing by HTTP client libraries. DNA Center’s API documentation provides JSON schema definitions and examples for all endpoints, helping developers understand expected response structures.
Option B is incorrect because binary formats are used for file downloads or image data, not standard API responses returning network information. Option C is incorrect because HTML is for web page rendering, while APIs return machine-readable JSON for programmatic consumption. Option D is incorrect because CSV is tabular format useful for reports but not for structured API responses with nested relationships and multiple data types.
Question 9:
A developer needs to update device credentials in Cisco DNA Center. Which HTTP method should be used?
A) PUT
B) GET
C) POST
D) OPTIONS
Answer: A
Explanation:
The PUT HTTP method is appropriate for updating existing device credentials in Cisco DNA Center, following REST principles where PUT replaces or updates entire resources at specific endpoints. DNA Center’s credential management APIs use PUT requests to /dna/intent/api/v1/global-credential endpoints for modifying existing credentials including CLI credentials (username/password), SNMP v2c read/write communities, or SNMPv3 credentials. PUT requests must include the complete credential object with updated values, the credential ID identifying which credential to update, and appropriate authentication tokens in request headers. The request payload contains JSON data with credential-specific fields like username, password, enablePassword for CLI credentials, or community strings for SNMP credentials.
PUT differs from POST in REST semantics: PUT updates existing resources and is idempotent meaning multiple identical requests produce the same result, while POST typically creates new resources. When updating credentials, DNA Center validates the request payload, checks user permissions for credential management, updates the credential in its database, and returns JSON responses indicating success or describing validation errors. After credential updates, DNA Center may need to re-discover devices using the new credentials to establish connectivity. Developers should implement error handling for common scenarios including invalid credential IDs returning 404 Not Found, insufficient permissions resulting in 403 Forbidden, malformed payloads causing 400 Bad Request, and authentication failures with 401 Unauthorized. Best practices include validating credential formats before submission, implementing confirmation workflows for credential changes affecting multiple devices, and logging credential updates for audit purposes while avoiding logging actual passwords.
Option B is incorrect because GET retrieves data without modifications, used for querying existing credentials (though passwords should be masked in responses). Option C is incorrect because POST creates new credentials rather than updating existing ones. Option D is incorrect because OPTIONS retrieves allowed HTTP methods for endpoints, used for CORS preflight requests rather than data modification.
Question 10:
What authentication scheme is used in the Authorization header for Cisco Webex API requests?
A) Bearer token
B) Basic authentication
C) Digest authentication
D) API key
Answer: A
Explanation:
Cisco Webex APIs use the Bearer token authentication scheme in the Authorization header, where access tokens obtained through OAuth 2.0 or bot token creation are prefixed with “Bearer” and sent with every API request. The complete header format is Authorization: Bearer <access_token> where the token is a JWT (JSON Web Token) containing encoded user identity, permissions, and expiration information. Webex validates this token on every API call, checking signature authenticity, expiration time, and granted scopes against requested operations. Bearer tokens provide stateless authentication enabling Webex to scale API services without maintaining session state, and they encapsulate authorization scopes ensuring tokens only grant access to permitted operations.
Access tokens for Webex come from multiple sources depending on use case: personal access tokens from developer portal for testing and development with 12-hour expiration, OAuth access tokens from authorization flows for integrations with user-specific permissions, bot tokens that don’t expire for automated bot applications, and guest tokens for anonymous users in embedded applications with limited capabilities. Developers must securely store tokens avoiding hard-coding in source code, implement token refresh logic for OAuth tokens before expiration, handle 401 Unauthorized responses indicating expired or invalid tokens, and ensure HTTPS usage preventing token interception. Webex APIs inspect token scopes ensuring requests match granted permissions; for example, posting messages requires spark:messages_write scope. Common authentication errors include missing tokens (401), insufficient permissions (403), and malformed headers (400).
Option B is incorrect because while DNA Center uses Basic authentication for initial token acquisition, Webex uses Bearer tokens for API requests after authentication. Option C is incorrect because Digest authentication is an older HTTP authentication method not used by modern REST APIs like Webex. Option D is incorrect because although conceptually similar, Webex specifically uses Bearer token scheme rather than custom API key headers.
Question 11:
A developer is implementing rate limiting handling for Cisco Webex API calls. What HTTP status code indicates rate limit exceeded?
A) 429 Too Many Requests
B) 401 Unauthorized
C) 404 Not Found
D) 500 Internal Server Error
Answer: A
Explanation:
The 429 Too Many Requests HTTP status code indicates that rate limits have been exceeded when calling Cisco Webex APIs, signaling that the application has made too many requests within a given timeframe and should implement backoff strategies. Webex enforces rate limits to ensure fair API usage and platform stability, with limits typically around 300 requests per minute per access token though specific limits vary by endpoint. When receiving 429 responses, Webex includes the Retry-After header specifying how many seconds the client should wait before making additional requests. Well-designed applications detect 429 responses, parse the Retry-After value, pause execution for the specified duration, and automatically retry the failed request.
Implementing proper rate limit handling involves catching 429 status codes in HTTP client code, reading the Retry-After header value, implementing exponential backoff for subsequent retries if Retry-After isn’t provided starting with short delays like 1 second and doubling up to maximum thresholds, logging rate limit events for monitoring and optimization, and potentially implementing local rate limiting to prevent reaching platform limits. Advanced strategies include request queueing to smooth traffic spikes, caching API responses to reduce redundant calls, batch operations where APIs support it, and using webhooks instead of polling for real-time updates. Applications should also monitor rate limit headers in successful responses like X-Rate-Limit-Limit showing total allowed requests and X-Rate-Limit-Remaining indicating available requests. Production applications require rate limit monitoring dashboards, alerts for consistent rate limiting indicating need for optimization, and graceful degradation strategies handling extended rate-limited periods.
Option B is incorrect because 401 indicates authentication failures from invalid or expired tokens, unrelated to rate limits. Option C is incorrect because 404 indicates requested resources don’t exist, not rate limiting. Option D is incorrect because 500 indicates server errors in Webex infrastructure, distinct from client-side rate limiting.
Question 12:
What Cisco DNA Center API capability allows viewing historical network health data?
A) Assurance APIs
B) Configuration APIs
C) Discovery APIs
D) Template APIs
Answer: A
Explanation:
Cisco DNA Center’s Assurance APIs provide access to historical network health data, enabling developers to retrieve performance metrics, issue information, and health scores across time ranges for analysis and reporting. Assurance APIs expose the same network intelligence that DNA Center’s Assurance dashboard displays, including site health scores, device health metrics, client health data, application health statistics, and network issue histories. These APIs support querying data by time ranges using epoch timestamp parameters for startTime and endTime, allowing analysis of trends, patterns, and historical incidents. Common use cases include custom monitoring dashboards displaying health metrics in corporate tools, automated reporting systems generating executive summaries, analytics platforms correlating network health with business metrics, and troubleshooting tools investigating incident timelines.
Key Assurance API endpoints include /dna/intent/api/v1/site-health for site-level health aggregations with scores for overall health, client health, network device health, and application health; /dna/intent/api/v1/issue for retrieving network issues detected by DNA Center’s analytics including descriptions, impacted entities, severity levels, and occurrence timestamps; /dna/intent/api/v1/client-health for wireless and wired client performance data; and device-specific health endpoints providing CPU utilization, memory usage, temperature, and interface statistics. Response data includes health scores as numerical values or percentages, issue counts categorized by priority, and detailed metrics with timestamps enabling time-series visualization. Applications can poll these endpoints periodically for monitoring, trigger on health score thresholds for alerting, or generate historical reports by querying extended time ranges.
Option B is incorrect because Configuration APIs manage device configurations and templates, not health metrics and historical performance data. Option C is incorrect because Discovery APIs handle network device discovery and inventory, not health monitoring. Option D is incorrect because Template APIs manage configuration templates for device provisioning, unrelated to health data access.
Question 13:
A developer needs to send a message with a file attachment using Webex APIs. Which endpoint should be used?
A) POST /messages with files parameter
B) GET /messages
C) DELETE /attachments
D) PUT /files
Answer: A
Explanation:
Sending messages with file attachments in Webex requires POST requests to the /messages endpoint with the files parameter containing either local file uploads or publicly accessible URLs. Webex supports two attachment methods: multipart/form-data requests uploading files directly from the client application, or JSON requests specifying public file URLs that Webex downloads and attaches. For direct uploads, applications construct multipart requests with separate parts for message properties (roomId, text, toPersonEmail) and file data with Content-Disposition headers specifying filenames. Webex supports various file types including documents, images, videos, and archives with individual file size limits of 100 MB and total message size including text and attachments limited to approximately 100 MB.
The direct upload approach involves reading files from local filesystem or memory, creating multipart form data with appropriate boundaries, including the file binary data with correct MIME types in Content-Type headers, and sending the POST request with Bearer token authentication. URL-based attachment passes publicly accessible URLs in the files JSON array parameter, causing Webex to fetch and attach the files, useful for sharing files already hosted on cloud storage or web servers. After successful posting, Webex responds with the message object including a files array with file metadata containing file IDs, names, sizes, and content types. Recipients see attached files in their Webex clients with download or preview options. Security considerations include scanning uploaded files for malware, validating file types and sizes before upload, ensuring URL-based attachments point to trusted sources, and being aware that files are stored on Webex servers subject to Webex data policies.
Option B is incorrect because GET /messages retrieves existing messages and can’t send new ones with attachments. Option C is incorrect because DELETE removes messages but can’t send attachments, and /attachments isn’t a valid endpoint. Option D is incorrect because PUT /files isn’t a Webex API endpoint; attachment sending integrates with message creation.
Question 14:
What is the purpose of the RESTCONF protocol in network device programmability?
A) Provide RESTful API access to device configuration
B) Monitor network traffic patterns
C) Encrypt configuration backups
D) Compress device logs
Answer: A
Explanation:
RESTCONF provides standardized RESTful API access to network device configurations and operational state, offering a modern programmatic interface as an alternative to NETCONF’s SSH-based XML-RPC approach. RESTCONF enables network automation by exposing device configuration using HTTP/HTTPS protocols with JSON or XML data encoding, following REST principles with resource-oriented URLs, standard HTTP methods (GET, POST, PUT, PATCH, DELETE), and stateless request-response patterns. Cisco devices including IOS XE routers and switches support RESTCONF through native capabilities, allowing applications to configure interfaces, routing protocols, ACLs, and other device features using HTTP APIs instead of CLI scraping or SNMP.
RESTCONF URLs follow a hierarchical structure like https://{device-ip}/restconf/data/{YANG-module}:{container}/{leaf} where YANG modules define data models standardizing configuration structure across vendors. For example, retrieving interface configuration might use GET /restconf/data/ietf-interfaces:interfaces/interface=GigabitEthernet1 returning JSON or XML with interface properties. Configuration changes use PUT or PATCH methods sending modified data structures. RESTCONF advantages include HTTP-based access working with existing web infrastructure, JSON support simplifying integration with modern applications, YANG data models ensuring consistent structure, and built-in validation preventing invalid configurations. Applications authenticate using basic auth, token-based auth, or certificates, and should implement HTTPS for encryption. Error responses use standard HTTP status codes: 2xx for success, 4xx for client errors like invalid data, and 5xx for server-side failures.
Option B is incorrect because traffic monitoring uses protocols like NetFlow or packet capture, not RESTCONF which focuses on configuration and operational state. Option C is incorrect because configuration encryption is a security function independent of RESTCONF’s API access purpose. Option D is incorrect because log compression is a data management function unrelated to RESTCONF’s configuration API capabilities.
Question 15:
A developer needs to retrieve device interface information from a Cisco IOS XE device using RESTCONF. Which HTTP method should be used?
A) GET
B) POST
C) DELETE
D) HEAD
Answer: A
Explanation:
The GET HTTP method retrieves interface information from Cisco IOS XE devices via RESTCONF, following REST principles where GET requests fetch resources without modifying device state. RESTCONF interface queries use URLs structured as /restconf/data/ietf-interfaces:interfaces for all interfaces or /restconf/data/ietf-interfaces:interfaces/interface={name} for specific interfaces like GigabitEthernet1. Requests require authentication typically using HTTP Basic Auth with device credentials encoded in the Authorization header, and Accept headers specifying desired response format (application/yang-data+json or application/yang-data+xml). Successful responses return 200 OK with JSON or XML payloads containing interface details including admin and operational status, IP addresses, MAC addresses, speed, duplex, counters, and descriptions.
YANG data models standardize interface representation across devices using modules like ietf-interfaces and iana-if-type defining interface structure. Developers can query operational state showing current interface status using /restconf/data/ietf-interfaces:interfaces-state or configuration data using /restconf/data/ietf-interfaces:interfaces. Response parsing extracts relevant interface properties for network inventory systems, monitoring applications, or automation workflows. RESTCONF supports filtering, pagination, and selective field retrieval through query parameters reducing payload sizes for efficient data transfer. Applications should handle errors including 401 for authentication failures, 404 when interfaces don’t exist, 406 if requested data format isn’t supported, and network errors with appropriate timeouts and retries. Performance considerations include caching interface data that changes infrequently and using bulk queries retrieving multiple interfaces in single requests rather than individual per-interface queries.
Option B is incorrect because POST creates new configuration resources, not appropriate for querying existing interface information. Option C is incorrect because DELETE removes configuration elements, opposite of retrieval operations. Option D is incorrect because HEAD requests retrieve only response headers without body data, useful for checking resource existence but not for retrieving interface details.
Question 16:
What is the primary purpose of YANG data models in network programmability?
A) Define structure and constraints for configuration data
B) Encrypt network traffic
C) Compress configuration files
D) Monitor CPU usage
Answer: A
Explanation:
YANG (Yet Another Next Generation) data models define the structure, syntax, and constraints for network device configuration and operational data, providing a standardized way to represent network information across different vendors and platforms. YANG models act as schemas describing what configuration elements exist, their data types, valid value ranges, mandatory versus optional fields, relationships between elements, and validation rules. Industry-standard YANG models like ietf-interfaces, ietf-ip, and openconfig-bgp ensure consistent representation of common networking concepts, while vendor-specific models extend standards for proprietary features. Network management protocols including NETCONF and RESTCONF leverage YANG models to enforce configuration correctness, auto-generate API schemas, and enable model-driven programmability.
YANG models use hierarchical syntax defining containers grouping related data, lists for repeatable elements like interfaces, leafs for individual data values, and typedefs for custom data types. Constraints include must expressions validating field relationships, when statements for conditional configuration elements, and default values. For example, an interface YANG model defines containers for interface configuration with leafs for name, description, enabled status, and nested containers for IPv4/IPv6 addresses. Developers use YANG models to generate client code libraries with type-safe APIs, validate configurations before applying to devices, auto-generate API documentation, and build intuitive configuration tools. Tools like pyang compile YANG models into tree representations, Python bindings, or HTML documentation. Model-driven automation ensures configuration correctness, reduces errors from manual CLI entry, enables abstraction layers hiding vendor differences, and supports intent-based networking where applications specify desired states and systems generate device configurations.
Option B is incorrect because traffic encryption uses protocols like IPsec or TLS, independent of YANG’s data modeling purpose. Option C is incorrect because compression reduces data size, unrelated to YANG’s schema definition role. Option D is incorrect because CPU monitoring uses telemetry collection protocols, though YANG models may define monitoring data structure.
Question 17:
A developer needs to configure a VLAN on a Cisco switch using RESTCONF. Which HTTP method should be used?
A) PUT or PATCH
B) GET
C) DELETE
D) OPTIONS
Answer: A
Explanation:
Configuring VLANs on Cisco switches via RESTCONF uses PUT or PATCH HTTP methods to create or modify VLAN configuration data, following REST principles where these methods update resources. PUT requests replace entire configuration elements, requiring complete resource representation including all required fields, while PATCH performs partial updates modifying only specified fields within existing configurations. For VLAN configuration, typical requests target URLs like /restconf/data/Cisco-IOS-XE-native:native/vlan/vlan-list={id} with JSON or XML payloads containing VLAN properties including VLAN ID, name, and state. Authentication requires device credentials, and Content-Type headers specify payload format as application/yang-data+json or application/yang-data+xml.
PUT creates new VLANs if they don’t exist or replaces existing VLAN configurations entirely, requiring all mandatory YANG model fields. PATCH updates specific VLAN properties like changing VLAN names without affecting other attributes, offering more efficient selective updates. Example PUT payload might include {“Cisco-IOS-XE-vlan:vlan-list”: [{“id”: 100, “name”: “Engineering”}]} creating VLAN 100. Successful operations return 201 Created for new resources or 204 No Content for updates. Configuration changes via RESTCONF typically apply immediately to device running configuration but may require explicit saves to startup configuration using separate API calls. Error responses include 400 Bad Request for invalid VLAN IDs or malformed payloads, 409 Conflict for VLAN ID collisions, and 422 Unprocessable Entity for YANG model constraint violations. Developers should implement validation before submission, handle errors gracefully, and potentially verify configuration success through subsequent GET requests retrieving the configured VLAN and confirming expected properties. Rollback strategies should handle failures by restoring previous configurations using saved state or configuration checkpoints.
Option B is incorrect because GET retrieves existing VLAN configuration without making changes, used for querying current state. Option C is incorrect because DELETE removes VLANs rather than creating or modifying them. Option D is incorrect because OPTIONS retrieves supported HTTP methods for endpoints, used in CORS preflight checks rather than configuration operations.
Question 18:
What authentication mechanism does NETCONF typically use when connecting to network devices?
A) SSH with username and password or public key
B) HTTP Basic Authentication
C) OAuth 2.0 tokens
D) SNMP community strings
Answer: A
Explanation:
NETCONF (Network Configuration Protocol) typically uses SSH (Secure Shell) as its transport layer, leveraging SSH’s authentication mechanisms including username/password authentication or public key cryptography for secure device access. When establishing NETCONF sessions, clients connect to network devices on TCP port 830 (the standard NETCONF over SSH port) using SSH protocol, which handles encryption, authentication, and session integrity. SSH username/password authentication verifies user credentials against device local databases or centralized AAA (Authentication, Authorization, and Accounting) servers like TACACS+ or RADIUS. Public key authentication offers enhanced security through cryptographic key pairs where the client’s private key proves identity without transmitting passwords, particularly useful for automated systems requiring programmatic access without storing passwords.
NETCONF over SSH provides several security advantages including encrypted communication protecting configuration data in transit, mutual authentication where devices verify clients and clients optionally verify devices through host key checking, and standardized security leveraging mature SSH implementations. After SSH authentication succeeds, NETCONF protocol handshake occurs with capability exchange where client and device announce supported NETCONF features, YANG models, and protocol versions. Applications using NETCONF libraries like ncclient (Python) or Netconf4j (Java) configure SSH connection parameters including host address, port, credentials, and optional host key verification. SSH key-based authentication for automation requires generating key pairs, installing public keys on network devices through authorized_keys configuration, and protecting private keys with appropriate file permissions and encryption. Multi-factor authentication can enhance security by combining SSH keys with additional verification layers. Connection failures may result from incorrect credentials, SSH service disabled on devices, firewall blocking port 830, or host key verification mismatches.
Option B is incorrect because HTTP Basic Authentication is used by RESTCONF over HTTPS, not NETCONF which operates over SSH. Option C is incorrect because OAuth tokens authenticate web APIs like Webex or DNA Center, not device-level protocols like NETCONF. Option D is incorrect because SNMP community strings authenticate SNMP protocol operations, completely separate from NETCONF’s SSH-based authentication.
Question 19:
A developer needs to subscribe to real-time telemetry data from network devices. Which protocol is most appropriate?
A) Model-driven telemetry with gRPC or NETCONF subscriptions
B) SNMP polling
C) CLI scraping
D) FTP file transfer
Answer: A
Explanation:
Model-driven telemetry using protocols like gRPC dial-out subscriptions or NETCONF/YANG push mechanisms provides efficient real-time streaming of network device telemetry data, overcoming limitations of traditional polling-based monitoring. Model-driven telemetry enables devices to push operational state data to collectors at configured intervals or upon value changes, dramatically reducing monitoring overhead compared to SNMP polling that repeatedly queries devices for the same data. gRPC (Google Remote Procedure Call) telemetry uses HTTP/2 transport with Protocol Buffers encoding for compact, efficient data serialization, supporting high-frequency data streaming with minimal latency. NETCONF subscriptions use YANG-defined data models standardizing telemetry structure across vendors and device types.
Telemetry subscriptions are configured on network devices specifying what data to stream (sensor paths identifying specific YANG model elements like interface counters or routing tables), update intervals defining push frequency (every 10 seconds, 1 minute, etc.), or event-driven triggers sending data when thresholds are crossed or values change. Collector applications listen for incoming telemetry streams, decode Protocol Buffer or XML-encoded data, process metrics for storage in time-series databases like InfluxDB, and enable real-time visualization and alerting. Benefits include reduced device CPU load since devices push data at optimal intervals rather than responding to constant polls, sub-second granularity for detecting transient issues, bandwidth efficiency through compressed encoding, and standards-based models ensuring consistent interpretation. Common telemetry data includes interface statistics (bandwidth utilization, errors, drops), routing protocol state, environmental sensors (temperature, power), and hardware metrics. Implementation requires devices with telemetry support, collectors running pipeline software like Telegraf or custom applications, and infrastructure for time-series data storage and analysis.
Option B is incorrect because SNMP polling is traditional pull-based monitoring requiring collectors to repeatedly query devices, causing higher overhead, limited update frequency, and increased network traffic compared to push-based telemetry. Option C is incorrect because CLI scraping parses command output, extremely inefficient, brittle, and inappropriate for real-time monitoring. Option D is incorrect because FTP transfers files but doesn’t provide real-time streaming or structured telemetry data collection.
Question 20:
What is the purpose of the Cisco SD-WAN vManage API?
A) Programmatic management of SD-WAN infrastructure
B) Voice call routing
C) Email spam filtering
D) Printer configuration
Answer: A
Explanation:
The Cisco SD-WAN vManage API provides programmatic management capabilities for SD-WAN infrastructure, enabling automation of configuration, monitoring, troubleshooting, and lifecycle management tasks across distributed SD-WAN deployments. vManage serves as the centralized management and orchestration platform for Cisco SD-WAN, and its RESTful API exposes management functions including device onboarding and provisioning, template-based configuration deployment, policy management for routing, security, and QoS, monitoring and operational data retrieval, software image management and upgrades, and certificate management for secure overlay establishment. Organizations use vManage API to integrate SD-WAN management with broader automation workflows, custom portals, or third-party management platforms.
vManage API authentication uses session-based tokens obtained by POST requests to the /j_security_check endpoint with username and password, returning JSESSIONID cookies included in subsequent API requests. Common API operations include retrieving device inventory through /dataservice/device showing all SD-WAN routers and their operational state, creating configuration templates defining device settings using feature and device templates, attaching templates to devices triggering configuration deployment, monitoring real-time statistics including tunnel status, application traffic, and link quality through various statistics endpoints, and managing security policies controlling traffic flows across the SD-WAN fabric. The API returns JSON responses with structured data enabling programmatic parsing. Advanced use cases include automated provisioning of new branch sites by API-driven template attachment, integration with IT service management systems for operational visibility, custom monitoring dashboards aggregating SD-WAN health metrics, and automated remediation workflows responding to detected issues by triggering API-based configuration changes or health checks.
Option B is incorrect because voice routing is a network application function, not the purpose of SD-WAN management APIs. Option C is incorrect because email filtering is a security service unrelated to SD-WAN infrastructure management. Option D is incorrect because printer configuration is endpoint management completely separate from SD-WAN network automation.
