Free Cisco 350-601 Actual Exam Questions

It’s A. The question says they don’t want to manage infrastructure but want control over app deployment and config settings. IaaS (C) would mean managing VMs and OS, which they want to avoid. SaaS (D) wouldn’t let them control deployment or environment settings. Function as a Service (B) is too limited since it’s just running functions without broader app environment control. So PaaS fits best because it handles the infrastructure but still gives control over how the app runs and is set up.

A/D? Since they don’t want to manage infrastructure but want control over deployment, SaaS (D) is too limited. PaaS (A) gives more control than SaaS without the infrastructure hassle, so A still feels right.

I agree that D targets the tenant specifically, but I’m thinking about C too since it mentions subnets explicitly. Maybe the best approach is combining both to ensure the API call filters on tenant Production and pulls only subnets. If the API requires both tenant and resource type filtering, just using D might return more than subnets. So, dropping C and D makes sense to narrow down the request exactly to subnets under Production.

D seems right since it specifically targets subnets under tenant Production.

Makes sense that it’s D since dynamically managing space avoids downtime. D

I don’t think it’s A because aborting updates due to pending commits would cause disruptions, which goes against the whole point of a nondisruptive update. B feels shaky too, since merging zone servers is a sensitive operation and usually wouldn’t be left running uninterrupted during an update. D makes the most sense since dynamically allocating space lets the switch load new images without downtime, which aligns with the nondisruptive goal. C seems off because BIOS updates are typically separate and more invasive. So, I’m with D on this one.

A vs C? The question mentions creating two vPCs, which means two separate PortChannels logically, but the policies controlling interface behavior are defined in interface policy groups. So it’s likely you need two vPC interface policy groups (A) to properly apply different settings per vPC. C refers more to the PortChannel group itself, which might not be an ACI object in this context.

C imo, since each vPC needs a PortChannel group for correct aggregation. Interface policy groups handle settings like speed but don’t create the actual channel bundles needed here.

Maybe C, because setting 0 on Eth1/2 could block User2’s excess traffic.

C/D? If Eth1/2 is User2’s port, setting 0 there blocks their excess traffic, while 100 on Eth1/1 leaves User1 unaffected. Without clear port mapping, this seems the best guess.

B, suppressing ARP and using anycast gateway is standard for VXLAN L3 VNI setups.

It’s D here. Attaching the VRF to the Layer 3 VNI lets the hosts communicate across VLANs within the same routing domain. Suppressing ARP on the Layer 3 VNI interface avoids unnecessary broadcast traffic in VXLAN, which fits the data center fabric design. The other options either miss suppressing ARP or don’t tie the VRF correctly to the L3 VNI, which is critical for routing between hosts in different VLANs mapped to VXLAN.

Good point, but I think B works better since it uses dictionary keys directly. B

A/B? If "interfaces" is a list, then option A’s use of an index makes sense. But if it’s a dict, B fits better. Without knowing the exact JSON structure, both could be plausible.

Option D is best since it uses simple YAML and Python modules, no agents needed.

Not A, since Puppet doesn’t natively use YAML and tends to have a steeper learning curve. B seems solid too, but Ansible’s agentless setup and straightforward YAML playbooks make it way simpler overall.

C, since vNICs and vHBAs are server profile components, not network fabric settings.

I thought it was C because vHBAs and vNICs are linked to server profiles, which falls under server-compute. But I’m wondering if "server port types" might mean physical ports that network admins handle more often. If that’s the case, A could be right. Is there a clear definition of "server port types" in UCS that points more to one role? That would help decide between the two.

Maybe D doesn’t really fit since object tracking is more about failover and interface state monitoring, not MAC address handling in vPC. C also seems off because L3 Peer Router is for routing redundancy, not fixing Layer 2 MAC issues causing drops. Between A and B, Peer Gateway (A) is designed to let both vPC peers forward traffic using their own MACs, which directly tackles the loop prevention problem caused by the SVI MAC being different from HSRP. So yeah, A definitely makes the most sense here.

Option A makes the most sense here because Peer Gateway lets each vPC peer forward traffic using the MAC address of the local switch, even if it’s different from the HSRP MAC. That prevents the loop prevention mechanism from dropping packets when the SVI MAC is used, which is exactly what’s happening. ARP Sync (B) is more about syncing ARP tables, so it wouldn’t directly fix the MAC mismatch issue causing drops. Object Tracking (D) and L3 Peer Router (C) don’t really address this problem either. So Peer Gateway is the feature designed to handle this specific scenario.

D/B? D seems solid since guest shell sync is designed for syncing scripts between supervisors, and SCP meets the secure transfer requirement. But B uses a scheduler too, which might be simpler for periodic tasks, though TFTP lacks encryption. Since encryption is mandatory, B doesn’t fit well. So, between secure transfer and the right sync method, D seems to cover all bases better.

D imo, guest shell sync handles redundancy and SCP covers secure transfer well.

Option B looks strong too since it sets the SNMPv3 user with authentication and privacy, plus it specifies the community name. That covers both security and community requirements clearly.

D imo, since it specifies the SNMP version 3 with both auth and privacy settings, matching the “most secure” requirement better than just setting version or community alone.

A/E? SAN connectivity policy is designed for WWPN and zoning types, while vHBA policy manages interface settings like interrupts and queues. Storage connection policy feels more general, not as specific.

Maybe D and E. Storage connection policy sounds like it covers zoning and WWPN stuff, while vHBA policy would handle the vHBA-specific settings like interrupts and queues. Feels like a good split to me.

I noticed that the ACL uses “permit” and “deny” explicitly, but the JSON keys are case-sensitive, so those should be lowercase. Also, since the ACL specifies conditions for certain IPs and protocols, the JSON needs to include those fields exactly as shown. Some snippets like “ipv4” and “permit” have to be placed carefully to match the ACL hierarchy. The unused snippets probably don't fit logically into the structure, so it’s about fitting the actual rules rather than using all parts given.

I think the code needs "permit" in lowercase as shown on the ACL diagram.

I think it’s crucial to not just set the switch names and enable VSAN security but also to explicitly deny unknown switches from joining. So any snippet related to “switchname MDS-2” and “vsan security enable” should be there, plus something like “deny unknown switch” or similar. That way, you prevent any other switches from sneaking in. Without that, you might allow undesired devices to join the fabric. The question probably wants a tight control mechanism, not just basic naming and enabling.

I’d say disabling unknown switch joining is important too, so besides naming MDS-2, the config should include a command to block any other switches from joining the VSANs. That’s a good extra layer of security.