Cisco DevNet Associate (200-901) Study Guide
The Cisco DevNet Associate (200-901) exam validates foundational software development and automation skills for Cisco platforms, covering APIs, Python, network automation, application deployment, and core networking. It is aimed at developers, network engineers, and DevOps staff beginning to build and automate against Cisco infrastructure. The 120-minute exam has roughly 90-110 questions, a passing score around 825/1000, and spans six weighted domains.
Domain 1: Software Development and Design
- Git is a distributed version control system: every clone holds the full history, enabling offline commits, branching, and merging without a central server being reachable.
- The basic Git save flow is git add <file> to stage changes, then git commit -m "msg" to record them; git status and git diff inspect the working tree against the last commit.
- git checkout -b feature creates and switches to a new branch in one command; git merge (or git rebase) integrates one branch's changes into another.
- git checkout -- file.txt discards local uncommitted changes and restores the file from the last commit; git reset --soft HEAD~1 undoes the last commit but keeps its changes staged.
- JSON is the dominant lightweight, human-readable data-interchange format for REST payloads and config; YAML and XML are common alternatives.
- In Python, json.dumps(data) serializes a dict to a JSON string and json.loads(text) parses a JSON string back into a dict.
- Separation of concerns and modularity break an application into independent parts; MVC (Model-View-Controller) is the pattern that implements this by splitting data, presentation, and control logic.
- Microservices split an app into small services that each own their data and expose an API, gaining independent scalability and resilience at the cost of operational and network complexity.
- A CI/CD pipeline automates building, testing, and deploying code reliably and frequently on every commit; CI integrates changes often, CD automates release to environments.
- Idempotency means repeating the same request produces the same end state with no extra side effects - critical so retries after network failures are safe (PUT and DELETE are idempotent; POST generally is not).
- HTTP 201 Created is returned when a request (typically POST) successfully creates a new resource, usually with a Location header pointing to the new resource URI.
- Unit testing verifies individual functions or components in isolation; it is the foundation of the test pyramid below integration and end-to-end tests.
- A hash-based dictionary (Python dict) gives O(1) average-case lookup, making it the most scalable choice for key-based access versus O(n) list scans.
- Performance and resilience patterns: paginate or stream large datasets, cache results with a sensible TTL and invalidate on change, and use a circuit breaker that fails fast after repeated errors to prevent resource exhaustion.
Domain 2: Understanding and Using APIs
- REST is an architectural style using stateless HTTP requests against resource URIs; GET reads a resource, POST creates, PUT fully replaces, PATCH partially updates, and DELETE removes.
- GET is safe and idempotent (no side effects); PUT and DELETE are idempotent; POST is neither safe nor idempotent.
- HTTP status classes: 2xx success (200 OK, 201 Created), 3xx redirection (304 Not Modified), 4xx client errors (400, 401, 404), 5xx server errors (500, 503).
- 401 Unauthorized means authentication is missing or failed, and the response includes a WWW-Authenticate header; 403 Forbidden means the request was authenticated but not permitted.
- Common API auth schemes are API keys (a static token identifying the caller) and OAuth 2.0 bearer tokens (time-limited access tokens sent as Authorization: Bearer <token>).
- REST is client-initiated request/response; a webhook is server-initiated - the server pushes an HTTP callback to a registered URL when an event occurs, eliminating the need to poll.
- Pagination returns large result sets in manageable chunks using limit/offset or cursor parameters, avoiding timeouts and oversized responses.
- Rate limiting caps how many requests a client may send in a window; exceeding it returns HTTP 429 Too Many Requests, often with a Retry-After header.
- When throttled with 429, the correct client behavior is to honor Retry-After and use exponential backoff with jitter rather than retrying immediately.
- Conditional requests use ETag plus If-None-Match so the server can return 304 Not Modified, letting a client reuse its cached copy and save bandwidth.
- REST APIs commonly return JSON or XML; the client signals the desired format via the Accept header and labels its own payload with Content-Type.
- Accept-Encoding: gzip asks the server to compress the response body, reducing transfer size for large payloads.
- Reduce API round trips by batching operations, requesting only needed fields (field filtering), and using larger pages instead of many small requests.
- Reusing a persistent connection pool with HTTP keep-alive improves throughput and reduces the overhead of repeatedly setting up TCP/TLS connections.
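The 429 handling described in this domain (honor Retry-After, otherwise back off exponentially with jitter), as an added example that is not part of the original guide. The function names, the 60-second ceiling, and the sample replies are assumptions constructed for illustration; send() stands in for any HTTP call that returns a status, a headers dict, and a body.

```python
import random
import time
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

MAX_DELAY = 60.0  # assumed ceiling: a huge or hostile Retry-After must not stall the client

def retry_delay(attempt, retry_after=None, base=1.0, cap=MAX_DELAY, now=None, rng=random):
    """Seconds to wait before the next try after a 429 (attempt is 0-based)."""
    wait = None
    value = (retry_after or "").strip()
    if value.isascii() and value.isdigit():      # delta-seconds form, e.g. "Retry-After: 5"
        wait = float(value)
    elif value:                                  # HTTP-date form
        try:
            when = parsedate_to_datetime(value)
            wait = (when - (now or datetime.now(timezone.utc))).total_seconds()
        except (TypeError, ValueError):          # unparseable or naive date: ignore header
            wait = None
    if wait is not None:
        return min(max(wait, 0.0), cap)          # honor the server, within bounds
    # No usable header: exponential backoff with full jitter
    return rng.uniform(0.0, min(cap, base * 2 ** attempt))

def call_with_backoff(send, max_attempts=5, sleep=time.sleep, rng=random):
    """Call send() -> (status, headers, body) until the status is not 429."""
    waits = []
    for attempt in range(max_attempts):
        status, headers, body = send()
        if status != 429:
            return status, body, waits
        if attempt < max_attempts - 1:           # no point sleeping after the final try
            waits.append(retry_delay(attempt, headers.get("Retry-After"), rng=rng))
            sleep(waits[-1])
    raise RuntimeError(f"still rate limited after {max_attempts} attempts")

def demo():
    # Constructed replies standing in for a throttled API (not captured traffic)
    replies = iter([
        (429, {"Retry-After": "2"}, None),
        (429, {}, None),
        (429, {"Retry-After": "86400"}, None),
        (200, {}, {"ok": True}),
    ])
    return call_with_backoff(lambda: next(replies), sleep=lambda s: None, rng=random.Random(7))

if __name__ == "__main__":
    print(demo())
```

With the requests library, response.headers is case-insensitive, so the same headers.get("Retry-After") lookup works on a real response.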
Domain 3: Cisco Platforms and Development
- Cisco Catalyst Center (formerly DNA Center) exposes intent-based networking REST APIs for discovery, provisioning, path tracing, policy, and assurance; calls require an X-Auth-Token header and Content-Type: application/json.
- Catalyst Center auth tokens should be cached and reused until they expire, then refreshed, rather than generating a new token on every call.
- Cisco Meraki Dashboard API v1 base URL is https://api.meraki.com/api/v1 and uses the X-Cisco-Meraki-API-Key header for authentication.
- Cisco Webex APIs provide messaging, meetings, and calling integration; developers build bots, manage rooms and memberships, send adaptive cards, and subscribe to webhooks for real-time events.
- Cisco Secure Firewall Management Center (FMC) APIs automate access-control rules, NAT, and security policy; Cisco Umbrella and SecureX/XDR APIs cover DNS-layer security and threat orchestration.
- YANG (RFC 6020) is the data-modeling language that defines the structure of configuration and state data; it is consumed by both NETCONF and RESTCONF.
- NETCONF (RFC 6241) runs over SSH on TCP port 830, exchanges XML-encoded RPCs, and supports candidate/running datastores with commit, lock, and rollback for transactional changes.
- RESTCONF (RFC 8040) provides a RESTful HTTPS interface over YANG models using standard HTTP verbs and JSON or XML encoding, making model-driven config approachable for REST developers.
- On IOS XE, ip http secure-server then restconf enables RESTCONF; on NX-OS, feature netconf (and feature restconf) enables those protocols.
- Model-driven telemetry streams operational data in near real time via gRPC/gNMI (push) and is far more efficient than frequent SNMP polling (pull).
- A Genie parser, called as device.parse('show ...') in pyATS, converts raw CLI output into structured Python data (dictionaries) for programmatic processing.
- Cisco DevNet provides always-on and reservable Sandboxes plus the Code Exchange and Learning Labs so developers can test API automation against real platforms safely.
- Reduce Cisco platform API load by requesting only needed fields, using pagination (limit/offset), and subscribing to event notifications instead of repeated polling.
- Cisco ACI uses the APIC controller with a REST API and an object-model (managed objects in the MIT), distinct from the campus-focused Catalyst Center.
Domain 4: Application Deployment and Security
- Containers (Docker) package an app with its dependencies and runtime into one portable image, so the same artifact runs consistently across dev, test, and prod.
- A Dockerfile defines how an image is built; docker build -t myapp:1.0 . builds and tags an image from the current directory's Dockerfile.
- docker run -p 8080:80 web maps host port 8080 to container port 80; CMD ["python","app.py"] sets the default process a container runs at startup.
- Inspect running containers with docker logs <id> for stdout/stderr and docker exec -it <id> sh to open an interactive shell inside the container.
- Multi-stage builds combined with a minimal base image (such as alpine or distroless) give the largest reduction in final image size, and Docker layer/build-cache reuse skips rebuilding unchanged layers.
- Serverless / Function as a Service (AWS Lambda, Azure Functions, Google Cloud Functions) runs code on events and scales to zero when idle, minimizing cost for bursty workloads.
- Twelve-factor config externalizes environment-specific settings so the same build artifact is promoted across environments without code changes.
- Never store secrets in source code; inject API keys and credentials at runtime via environment variables or a secrets manager such as HashiCorp Vault, AWS Secrets Manager, or Azure Key Vault.
- Always use HTTPS/TLS for API calls to encrypt data in transit and protect tokens and credentials from interception.
- Kubernetes orchestrates containers; setting CPU/memory requests and limits plus a Horizontal Pod Autoscaler controls cost and protects performance, and Kubernetes Secrets inject sensitive values.
- Canary deployment releases a new version to a small subset of users first to limit blast radius before a full rollout.
- Blue-green deployment keeps two identical environments and switches traffic between them, giving near-instant cutover and rollback.
- Rolling deployment gradually replaces old instances with new ones to update without downtime, while keeping some capacity serving at all times.
- Application security basics include input validation, least-privilege credentials, scanning images for known CVEs, and keeping dependencies patched.
Domain 5: Infrastructure and Automation
- NETCONF over SSH (port 830) with YANG models provides transactional configuration (candidate datastore, commit, lock, rollback), making it suited to reliable programmatic network changes.
- RESTCONF gives a RESTful HTTP/JSON interface to the same YANG-modeled data using standard verbs, easier for developers already comfortable with REST.
- Ansible is agentless (no software on managed nodes), connects over SSH, and defines tasks in YAML playbooks; nothing needs to be installed on the network device.
- An Ansible play uses hosts: to target devices from an inventory; ansible-playbook -i hosts.ini site.yml runs a playbook against that inventory.
- cisco.ios.ios_config sends configuration to Cisco IOS/IOS XE devices; vendor collections like cisco.ios, cisco.nxos, and cisco.iosxr supply the platform modules.
- Ansible modules should be idempotent: re-running a playbook converges to the desired state and makes no change when the device already matches.
- Tune Ansible performance with forks (parallel host connections) and gather_facts: no to skip slow fact collection when facts are not needed.
- Run Ansible in --check (dry-run) mode and test against a Cisco DevNet Sandbox to validate changes safely before touching production.
- Infrastructure as Code (IaC) describes infrastructure declaratively so it can be version-controlled, peer-reviewed, and audited - giving consistency, repeatability, and fewer manual errors.
- The Python requests library is the de facto standard for calling REST APIs: requests.get(url), requests.post(url, json=payload), with .json() to decode the response and .status_code to check it.
- requests.get(url, verify=False) disables TLS certificate verification (useful for self-signed lab devices) but should not be used in production, because the client then accepts any certificate and the connection can be intercepted.
- YAML (or JSON) is the standard format for structured automation data and playbooks; YAML is whitespace-sensitive and uses key: value pairs and - list items.
- Reduce monitoring load by increasing polling intervals or switching to event-driven model-driven telemetry while keeping needed visibility.
- Key benefits of network automation are faster, error-reduced changes at scale and consistent, repeatable, version-controlled configuration.
Domain 6: Network Fundamentals
- TCP is a connection-oriented, reliable Layer 4 protocol using a three-way handshake (SYN, SYN-ACK, ACK), sequence numbers, and acknowledgments for ordered, error-checked delivery.
- UDP is connectionless with only an 8-byte header and no retransmission or ordering, making it ideal for latency-sensitive, loss-tolerant traffic like real-time voice, video, and streaming.
- A switch operates at Layer 2, forwarding Ethernet frames by destination MAC using its CAM table; a router operates at Layer 3, forwarding packets by IP address between networks.
- The default gateway is the next-hop router a host uses to reach destinations outside its own subnet; without it, off-subnet traffic cannot be delivered.
- RFC 1918 private ranges are 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16; NAT translates these to public IPv4 to conserve address space and shield internal hosts.
- A /26 mask is 255.255.255.192, giving 64 addresses per subnet (62 usable); hosts .50 and .70 fall in different /26 subnets (0-63 vs 64-127) and require a router to communicate.
- MTU (Maximum Transmission Unit) is the largest frame payload a link carries; matching it to the path improves efficiency, while an MTU/MSS mismatch combined with blocked Path MTU Discovery (PMTUD) black-holes large packets.
- DNS resolves names to IPs; if you can reach a host by IP but not by name, DNS resolution is broken while IP routing still works.
- A longer DNS TTL means fewer resolver lookups but slower propagation of record changes - a caching-versus-agility trade-off.
- A load balancer distributes client requests across a backend pool (round-robin, least-connections, IP hash) and provides a single stable address with health-based routing.
- A CDN caches content on globally distributed edge nodes near users, reducing latency, offloading the origin, and improving availability.
- Syslog traditionally uses UDP port 514 to transport log messages; NTP-synchronized clocks let timestamps and events be correlated consistently across systems.
- Manage congestion and prioritize traffic with QoS marking and queuing plus traffic shaping (buffers excess) or policing (drops excess).
- Secure the network edge with a DMZ and firewall rules, terminating TLS at the edge and segmenting internal zones to limit lateral movement.
Cisco DevNet Associate (200-901) exam tips
- Memorize HTTP methods and status codes cold (GET/POST/PUT/PATCH/DELETE; 200, 201, 400, 401, 403, 404, 429, 500) - they appear throughout the API and Cisco-platform domains.
- Be able to read and write basic Python with the requests library and json module, plus interpret short Ansible YAML playbooks and small Git command sequences; the exam shows real code and CLI snippets.
- Know which Cisco platform owns which task: Catalyst Center for campus intent-based networking, Meraki for cloud-managed, FMC/Umbrella/SecureX for security, Webex for collaboration, and ACI/APIC for data center.
- Distinguish NETCONF (SSH, port 830, XML, transactional datastores) from RESTCONF (HTTPS, REST verbs, JSON/XML) and remember both are driven by YANG models.
- Use the free Cisco DevNet Sandboxes and Learning Labs to make real API calls and run NETCONF/RESTCONF and Ansible - hands-on practice cements the concepts far better than reading alone.
Study guide FAQ
What are the exam logistics for the DevNet Associate 200-901?
It is a 120-minute exam of roughly 90-110 questions with a passing score around 825 on a 300-1000 scale. It is the single required exam for the Cisco Certified DevNet Associate certification and uses multiple-choice and drag-and-drop formats.
How much programming do I need to know?
You need working familiarity with Python basics (variables, data structures, loops, functions), the requests library for REST calls, and the json module for serialization. You should also read YAML, basic Git commands, and short JSON/XML payloads, but you will not write large or complex programs.
What is the difference between NETCONF and RESTCONF, and when is each used?
Both configure devices using YANG data models. NETCONF runs over SSH on port 830, uses XML-encoded RPCs, and supports candidate datastores with commit, lock, and rollback for transactional changes. RESTCONF runs over HTTPS using standard REST verbs and JSON or XML, which is simpler for developers already comfortable with REST but lacks NETCONF's full transaction semantics.
Which domain carries the most weight and where should I focus?
Understanding and Using APIs and Infrastructure and Automation are the largest domains, so prioritize HTTP/REST mechanics, authentication, pagination and rate limiting, Python requests, Ansible, and NETCONF/RESTCONF. Cisco Platforms, Software Design, and Application Deployment are mid-weight, and Network Fundamentals is the smallest but still tests subnetting, TCP/UDP, and core services.