Cisco DevNet Associate (200-901) Practice Exam

What the Cisco DevNet Associate (200-901) exam covers

• Software Development and Design47 questions
• Understanding and Using APIs64 questions
• Cisco Platforms and Development47 questions
• Application Deployment and Security52 questions
• Infrastructure and Automation57 questions
• Network Fundamentals30 questions

Free Cisco DevNet Associate (200-901) sample questions

A sample of 10 questions with answers and explanations. Sign up free to practice all 297.

1. Question 1Software Development and DesignSelect all that apply

   Which TWO are common software design patterns/principles? (Choose TWO)

   • ANo version control
   • BHard-coding all values
   • CSeparation of concerns / modularityCorrect
   • DMVC (Model-View-Controller)Correct
   ✓ Correct answer: C, D

   Separation of concerns and modularity are foundational software design principles that promote breaking applications into distinct, independent sections, each handling a specific aspect of functionality. MVC is an architectural pattern that implements separation of concerns by dividing an application into Model (data/business logic), View (presentation/UI), and Controller (input handling/routing). Both principles enable easier testing, parallel development, code reuse, and maintainability.

   Why the other options are wrong

   • ANo version control is incorrect because version control is a best practice, not a design pattern, and its absence is an anti-pattern.
   • BHard-coding all values is incorrect because it is an anti-pattern that reduces flexibility and violates the principle of externalized configuration.
2. Question 2Software Development and Design

   Which HTTP status code indicates a successful resource creation?

   • A201 CreatedCorrect
   • B301 Moved Permanently
   • C404 Not Found
   • D500 Internal Server Error
   ✓ Correct answer: A

   HTTP 201 Created is the standard status code returned when a server successfully processes a request that results in a new resource being created. It is commonly returned in response to POST requests in REST APIs and typically includes a Location header pointing to the URI of the newly created resource. The response body usually contains a representation of the created resource.

   Why the other options are wrong

   • B301 Moved Permanently is incorrect because it indicates a URL redirection, not resource creation.
   • C404 Not Found is incorrect because it indicates the requested resource does not exist on the server.
   • D500 Internal Server Error is incorrect because it indicates an unexpected server-side failure.
3. Question 3Understanding and Using APIs

   An HTTP 200 status code indicates what?

   • ANot Found
   • BSuccess (the request succeeded)Correct
   • CServer error
   • DUnauthorized
   ✓ Correct answer: B

   HTTP 200 OK is the standard response status code indicating that a request has been successfully processed by the server. It is the most common success code in REST APIs, returned for successful GET, PUT, PATCH, and sometimes POST requests. The response body typically contains the requested resource representation or the result of the operation performed.

   Why the other options are wrong

   • ANot Found is incorrect because that is HTTP 404, indicating the resource does not exist.
   • CServer error is incorrect because server errors use the 5xx status code range (e.g., 500, 502, 503).
   • DUnauthorized is incorrect because that is HTTP 401, indicating missing or invalid authentication.
4. Question 4Understanding and Using APIsSelect all that apply

   Which TWO HTTP methods modify server-side resources? (Choose TWO)

   • AGET (read-only)
   • BHEAD (headers only)
   • CPUT/PATCH (update)Correct
   • DPOST (create)Correct
   ✓ Correct answer: C, D

   PUT and PATCH are HTTP methods used to modify existing server-side resources: PUT replaces the entire resource with the provided representation, while PATCH applies partial modifications. POST is used to create new resources on the server, with the server typically assigning the URI for the new resource. These methods change server state, distinguishing them from safe methods like GET and HEAD.

   Why the other options are wrong

   • AGET (read-only) is incorrect because GET only retrieves resources without modifying server state.
   • BHEAD (headers only) is incorrect because HEAD retrieves only response headers without a body and does not modify resources.
5. Question 5Understanding and Using APIs

   Which mechanism limits how many API calls a client can make in a window?

   • APrint spooling
   • BDHCP leasing
   • CRate limitingCorrect
   • DDNS caching
   ✓ Correct answer: C

   Rate limiting restricts the number of API requests a client can make within a specified time window (e.g., 100 requests per minute). It protects APIs from abuse, ensures fair usage across clients, and prevents server overload. Rate limits are typically communicated through response headers such as X-RateLimit-Limit, X-RateLimit-Remaining, and Retry-After, with HTTP 429 Too Many Requests returned when limits are exceeded.

   Why the other options are wrong

   • APrint spooling is incorrect because it manages print job queues, not API request rates.
   • BDHCP leasing is incorrect because it assigns temporary IP addresses to network clients.
   • DDNS caching is incorrect because it stores previously resolved domain name lookups.
6. Question 6Understanding and Using APIs

   Which status code family (4xx) indicates client-side errors?

   • A3xx are server errors
   • B4xx = client errors (e.g., 400, 404)Correct
   • C5xx are success
   • D2xx are errors
   ✓ Correct answer: B

   The 4xx HTTP status code family indicates that the client sent a request the server cannot or will not process due to a client-side error. Common examples include 400 Bad Request (malformed syntax), 401 Unauthorized (missing authentication), 403 Forbidden (insufficient permissions), 404 Not Found (resource does not exist), and 429 Too Many Requests (rate limit exceeded). These codes help clients understand and correct their requests.

   Why the other options are wrong

   • A3xx are server errors is incorrect because 3xx codes indicate redirections, not server errors.
   • C5xx are success is incorrect because 5xx codes indicate server-side errors, not success.
   • D2xx are errors is incorrect because 2xx codes indicate successful request processing.
7. Question 7Cisco Platforms and Development

   Which Cisco security platform offers APIs for programmatically managing firewall policy (e.g., FMC)?

   • AA VLAN
   • BCisco Secure Firewall Management Center (FMC) APIsCorrect
   • CA DNS record
   • DA DHCP scope
   ✓ Correct answer: B

   Cisco Secure Firewall Management Center (FMC) provides REST APIs for programmatically managing firewall policies, access control rules, NAT configurations, and security intelligence feeds. These APIs enable automation of security policy deployment, compliance auditing, and incident response workflows across multiple managed firewall devices. FMC APIs support CRUD operations on policy objects and provide event and audit log access.

   Why the other options are wrong

   • AA VLAN is incorrect because it is a network segmentation technology, not a security management platform.
   • CA DNS record is incorrect because DNS records map domain names to IP addresses.
   • DA DHCP scope is incorrect because it defines IP address ranges for automatic assignment.
8. Question 8Application Deployment and SecuritySelect all that apply

   Which TWO are secure handling practices for application secrets? (Choose TWO)

   • ALog secrets to the console
   • Buse HTTPS/TLS for API callsCorrect
   • CCommit API keys to the Git repo
   • DStore secrets in environment variables or a secrets manager (not in code)Correct
   ✓ Correct answer: B, D

   HTTPS/TLS encrypts API communications in transit, preventing interception of sensitive data including authentication tokens and API keys. Storing secrets in environment variables or dedicated secrets managers (such as HashiCorp Vault or AWS Secrets Manager) keeps credentials out of source code and version control, following the twelve-factor app methodology. Together, these practices form the foundation of secure application secret management.

   Why the other options are wrong

   • ALog secrets to the console is incorrect because logging secrets exposes them in log files and monitoring systems.
   • CCommit API keys to the Git repo is incorrect because secrets in version control are accessible to anyone with repository access and persist in Git history.
9. Question 9Application Deployment and Security

   Where should API keys/secrets be stored for an application?

   • AIn a public Gist
   • BIn environment variables or a secrets manager, not in sourceCorrect
   • CHardcoded in the repo
   • DIn client-side JavaScript
   ✓ Correct answer: B

   API keys and secrets should be stored in environment variables or dedicated secrets management systems such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault. This practice keeps sensitive credentials out of source code repositories where they could be exposed through version history, forks, or accidental public access. The twelve-factor app methodology explicitly recommends strict separation of configuration from code.

   Why the other options are wrong

   • AIn a public Gist is incorrect because public Gists are accessible to anyone on the internet.
   • CHardcoded in the repo is incorrect because secrets in source code are exposed in version control history and to all repository collaborators.
   • DIn client-side JavaScript is incorrect because client-side code is visible to all users through browser developer tools.
10. Question 10Infrastructure and AutomationSelect all that apply

    Which TWO are benefits of network automation/Infrastructure as Code? (Choose TWO)

    • Aconsistency/repeatability and fewer manual errorsCorrect
    • BVersion-controlled, auditable changesCorrect
    • CNo documentation
    • DSlower deployments by design
    ✓ Correct answer: A, B

    Network automation and Infrastructure as Code (IaC) ensure that configurations are applied consistently across devices, eliminating manual configuration drift and reducing human errors that cause outages. Storing infrastructure definitions in version control provides a complete audit trail of who changed what and when, enables peer review of changes, and allows rollback to known-good configurations. These benefits collectively improve network reliability, compliance, and operational efficiency.

    Why the other options are wrong

    • CNo documentation is incorrect because automation actually improves documentation through self-documenting code and version history.
    • DSlower deployments by design is incorrect because automation significantly accelerates deployments compared to manual processes.

Cisco DevNet Associate (200-901) practice exam FAQ