CCNA Netflow Questions

14 questions · Netflow topic · All types, answers revealed

1
PBQ · hard

You are connected to R1, a Cisco ISR 4331 router running IOS-XE. Your task is to enable SNMP v2c with community string 'public' (read-only) and 'private' (read-write), and configure SNMP v3 with a user 'admin' using SHA authentication (password 'Cisco123') and AES 128 encryption (password 'Cisco456'). Additionally, configure SNMP traps to be sent to a management server at 203.0.113.10 for both v2c and v3. Finally, enable NetFlow export to a collector at 203.0.113.20, using version 9. Verify your configuration using 'show snmp' and 'show ip cache flow'.

Hints

  • Remember to apply NetFlow on an interface for traffic capture.
  • SNMPv3 user requires both auth and priv passwords.
  • Use 'snmp-server enable traps' before configuring trap hosts.
A. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
B. snmp-server community public; snmp-server community private; snmp-server user admin v3 auth md5 Cisco123 priv des56 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
C. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c private; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
D. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 5
Answer: A
Solution
! R1
snmp-server community public RO
snmp-server community private RW
snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456
snmp-server enable traps
snmp-server host 203.0.113.10 version 2c public
snmp-server host 203.0.113.10 version 3 auth admin
ip flow-export destination 203.0.113.20 2055
ip flow-export version 9
interface GigabitEthernet0/1
ip flow ingress
exit

Why this answer

The router lacks SNMP and NetFlow configuration. For SNMP v2c, you must define community strings with 'snmp-server community public RO' and 'snmp-server community private RW'. For SNMP v3, you create a user within a group; the command requires a group name, e.g., 'snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456'.

Traps are enabled and sent to 203.0.113.10 via v2c with the public community and v3 with the admin user. NetFlow export uses version 9 to collector 203.0.113.20. Verification commands show SNMP details and flow cache export settings.

Exam trap

Watch out for common mistakes: using MD5/DES instead of SHA/AES for SNMPv3, forgetting RO/RW keywords on community strings, using the wrong community string for traps, and selecting the wrong NetFlow version. Always verify the exact requirements in the question.

Why the other options are wrong

B

The specific factual error: SNMPv3 user is configured with MD5 and DES instead of SHA and AES 128; community strings are missing RO/RW keywords.

C

The specific factual error: The v2c trap host uses 'private' instead of 'public' community string.

D

The specific factual error: NetFlow export version is set to 5 instead of 9.

2
PBQ · hard

You are connected to R1. Configure SNMPv3 with authentication (SHA) and encryption (AES-128) for user 'monitor' in group 'AdminGroup', and also configure SNMPv2c read-only community string 'cisco123' to send traps to the management server at 192.0.2.100. Additionally, configure NetFlow on interface GigabitEthernet0/0 to export flow data to 198.51.100.50 using version 9. Verify your configuration using the appropriate show commands.

Network Topology
[Topology diagram: nodes R1, R2, R3; link G0/0 10.0.0.1/30 to G0/0 10.0.0.2/30; link G0/1 203.0.113.1/30 to G0/1 203.0.113.2/30]

Hints

  • SNMPv3 requires a view before creating the group.
  • Remember to enable NetFlow on the interface in both ingress and egress directions.
  • The SNMPv2c community string must be configured before the trap host can reference it.
A. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
B. snmp-server group AdminGroup v3 auth read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
C. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv des 56 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
D. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 5; ip flow ingress
Answer: A
Solution
! R1
snmp-server group AdminGroup v3 priv read AdminView
snmp-server view AdminView iso included
snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123
snmp-server community cisco123 RO
snmp-server host 192.0.2.100 version 2c cisco123
snmp-server enable traps
interface GigabitEthernet0/0
ip flow ingress
ip flow egress
exit
ip flow-export destination 198.51.100.50 2055
ip flow-export version 9

Why this answer

The configuration was missing SNMPv3 user, group, and trap settings. We added the SNMPv3 user 'monitor' with SHA authentication and AES-128 encryption, created a view and group 'AdminGroup' with read access, and configured the SNMPv2c community string 'cisco123' for read-only access. We also enabled SNMP traps to the manager at 192.0.2.100 and configured NetFlow on GigabitEthernet0/0 to export to 198.51.100.50 using version 9.

Verification commands show the SNMP configuration and NetFlow flow cache.

Exam trap

Pay close attention to the exact security requirements: 'priv' for encryption, AES-128 specifically, and NetFlow version 9. The exam often tests subtle differences between 'auth' and 'priv' levels, encryption algorithms, and NetFlow versions.

Why the other options are wrong

B

The group level 'auth' does not permit encryption; 'priv' is required for AES-128 encryption.

C

The encryption algorithm specified is DES (56-bit) instead of AES-128.

D

NetFlow export version is 5, not 9 as required.

3
Drag & Drop · medium

Drag and drop the following phases into the correct order to configure gRPC streaming telemetry subscription setup and then the NetFlow data path sequence.

Why this order

First configure telemetry, then set up NetFlow export, define the flow monitor, and finally apply it to an interface.

Exam trap

Be careful not to apply a flow monitor to an interface before it is defined, and remember that telemetry configuration must precede NetFlow export setup.

4
PBQ · hard

You are connected to R1, a Cisco router running IOS-XE. Configure SNMP v2c with a read-only community string 'publicRW' (note: the string is intentionally misnamed for the task), and SNMP v3 with user 'admin' using MD5 authentication (password 'cisco123') and DES encryption (password 'cisco456'). Ensure SNMP traps for linkUp/linkDown are sent to the management server at 192.0.2.100. Additionally, configure NetFlow export to send version 9 flow records to 192.0.2.200 on UDP port 2055, and ensure that only inbound traffic on GigabitEthernet0/0 is monitored. Finally, verify your configuration using 'show snmp' and 'show ip cache flow'.

Network Topology
[Topology diagram: nodes R1, R2; link G0/0 10.0.0.1/30 to G0/0 10.0.0.2/30]

Hints

  • Remember to create the SNMP v3 user with both auth and priv parameters.
  • NetFlow requires both a destination and version; also apply flow monitoring on an interface.
  • Use 'snmp-server enable traps' to activate trap generation before specifying the host.
A. snmp-server community publicRW ro; snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456; snmp-server enable traps snmp linkdown linkup; snmp-server host 192.0.2.100 traps version 2c publicRW; ip flow-export destination 192.0.2.200 2055; ip flow-export version 9; interface GigabitEthernet0/0; ip flow ingress
B. snmp-server community publicRW ro; snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456; snmp-server enable traps snmp linkdown linkup; snmp-server host 192.0.2.100 traps version 2c publicRW; ip flow-export destination 192.0.2.200 2055; ip flow-export version 9
C. snmp-server community publicRW ro; snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456; snmp-server enable traps snmp linkdown linkup; snmp-server host 192.0.2.100 traps version 2c publicRW; ip flow-export destination 192.0.2.200 2055; ip flow-export version 9; interface GigabitEthernet0/0; ip flow egress
D. snmp-server community publicRW ro; snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456; snmp-server enable traps snmp linkdown linkup; snmp-server host 192.0.2.100 traps version 2c publicRW; ip flow-export destination 192.0.2.200 2055; ip flow-export version 9; interface GigabitEthernet0/0; ip flow monitor FLOW-MONITOR input
Answer: A
Solution
! R1
snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456
snmp-server enable traps snmp linkdown linkup
snmp-server host 192.0.2.100 traps version 2c publicRW
ip flow-export destination 192.0.2.200 2055
ip flow-export version 9
interface GigabitEthernet0/0
ip flow ingress
end

Why this answer

The initial configuration already has the SNMP v2c community string 'publicRW' set as RO, which is what the task requires for the read-only string. The SNMP v3 user 'admin' with MD5/DES is missing entirely, as are trap destinations and NetFlow export. To fix, first add the SNMP v3 user with 'snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456', then enable traps with 'snmp-server enable traps snmp linkdown linkup' and 'snmp-server host 192.0.2.100 traps version 2c publicRW'.

For NetFlow, configure 'ip flow-export destination 192.0.2.200 2055', 'ip flow-export version 9', and apply flow monitoring on an interface (e.g., 'interface GigabitEthernet0/0' with 'ip flow ingress'). The 'show snmp' command will display the community strings and trap receivers, while 'show ip cache flow' will show flow records.

Exam trap

Students often forget to apply NetFlow on an interface with 'ip flow ingress' or confuse it with Flexible NetFlow commands. Also, they may omit the trap enable command or use the wrong SNMP version for trap delivery. Always ensure that NetFlow collection is enabled on an interface and that SNMP traps are both enabled globally and sent to the correct host.

Why the other options are wrong

B

The configuration omits the 'ip flow ingress' (or any) interface command, so NetFlow will not collect any traffic.

C

The 'ip flow egress' command monitors outbound traffic, not the specified inbound traffic on GigabitEthernet0/0.

D

The 'ip flow monitor FLOW-MONITOR input' command references a flexible NetFlow monitor that does not exist; traditional 'ip flow ingress' is required.

5
PBQ · hard

You are connected to R1, a Cisco ISR 4321 running IOS-XE. Configure SNMPv2c with a read-only community string 'public' and SNMPv3 with user 'admin' using SHA authentication and AES encryption. Ensure SNMP traps are sent to the management server at 203.0.113.10. Additionally, configure NetFlow export to destination 203.0.113.20 on UDP port 2055 using version 9. Verify your configuration with appropriate show commands. The current running-config is incomplete; you must add the missing commands.

Network Topology
[Topology diagram: nodes R1, Server; R1 G0/0 192.168.1.1/24; Management Network]

Hints

  • SNMPv3 user configuration requires both auth and priv algorithms and passwords.
  • For SNMP traps, specify the trap receiver IP and community string.
  • NetFlow export configuration uses global commands; no interface-level configuration is needed for basic export setup.
A. snmp-server community public ro; snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco; snmp-server host 203.0.113.10 traps version 2c public; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
B. snmp-server community public ro; snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco; snmp-server host 203.0.113.10 traps version 3 auth public; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
C. snmp-server community public ro; snmp-server user admin snmp-group v3 auth md5 cisco priv des56 cisco; snmp-server host 203.0.113.10 traps version 2c public; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
D. snmp-server community public ro; snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco; snmp-server host 203.0.113.10 traps version 2c public; ip flow-export destination 203.0.113.20 2055; ip flow-export version 5
Answer: A
Solution
! R1
snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco
snmp-server host 203.0.113.10 traps version 2c public
ip flow-export destination 203.0.113.20 2055
ip flow-export version 9

Why this answer

The initial config has only a basic SNMPv2c community string. To meet requirements: enable SNMPv3 with a user 'admin' using SHA authentication and AES 128-bit encryption. The correct command requires a group name and the 'v3' keyword, e.g., 'snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco'.

Configure SNMP trap destination with 'snmp-server host 203.0.113.10 traps version 2c public'. For NetFlow, use 'ip flow-export destination 203.0.113.20 2055' and 'ip flow-export version 9'. Verify with 'show snmp' and 'show ip cache flow'.

Option B incorrectly uses version 3 traps with a community string; version 3 requires a security name. Option C uses insecure MD5/DES56 instead of SHA/AES. Option D uses NetFlow version 5 instead of version 9.

Exam trap

Forgetting to include a group name and the 'v3' keyword in the 'snmp-server user' command is a common syntax error that will cause the configuration to be rejected on real devices.

Why the other options are wrong

B

The trap host line uses 'version 3' and a community string ('public'), but SNMPv3 traps require a security name (the user) and an authentication level, not a community.

C

The SNMPv3 user is configured with MD5 and DES56, while the requirement is SHA authentication and AES 128‑bit encryption.

D

The NetFlow export version is set to 5 instead of the required version 9.

6
Multi-Select · medium

Which two statements accurately describe why NetFlow is useful for operations teams?

Select 2 answers
A. It helps identify which conversations or applications contribute to link utilization.
B. It can provide more detail than simple interface counters alone.
C. It replaces the need for all routing protocols.
D. It is the main wireless encryption protocol for guest access.
E. It eliminates the usefulness of Syslog.
Answers: A, B

This is correct because NetFlow provides flow-level visibility.

Why this answer

NetFlow is useful because it helps teams move beyond simple interface utilization and see which traffic conversations are responsible for usage. In practical terms, it can reveal which hosts, protocols, or applications are contributing to the traffic profile, making it valuable for troubleshooting, capacity planning, and security investigations. Option E is incorrect because NetFlow does not eliminate the usefulness of Syslog; Syslog provides device event logging while NetFlow provides traffic flow data, and both tools complement each other in network operations.

Exam trap

A frequent exam trap is mistaking NetFlow for a routing protocol, a security mechanism, or a replacement for Syslog.

Why the other options are wrong

C

Option C is incorrect because NetFlow does not replace routing protocols; it is a monitoring technology that provides visibility into traffic flows but does not perform routing functions or influence path selection.

D

Option D is incorrect as NetFlow is unrelated to wireless encryption protocols. Wireless encryption standards like WPA2 or WPA3 handle security, whereas NetFlow focuses on traffic flow monitoring.

E

Option E is incorrect because NetFlow does not eliminate the usefulness of Syslog. Syslog provides event logging and system messages, which complement NetFlow’s traffic flow data for comprehensive network monitoring.

7
PBQ · hard

You are connected to R1 via the console. R1 is a Cisco ISR 4331 router. Your task is to configure SNMPv2c and SNMPv3 traps, and NetFlow export, so that SNMP traps are sent to the NMS at 192.0.2.100 using SNMPv2c with community string 'PublicTrap', and also using SNMPv3 with user 'Admin' (authentication SHA, encryption AES) to the same NMS. Additionally, configure NetFlow to export version 9 flow records to 192.0.2.200 on UDP port 2055. Finally, verify your configurations.

Network Topology
[Topology diagram: nodes R2, R1, NMS; link G0/0 10.0.0.1/30 to G0/0 10.0.0.2/30; link G0/0 10.0.0.2/30 to 192.0.2.100/24]

Hints

  • SNMPv3 requires a group with 'priv' keyword for encryption.
  • NetFlow export is not active unless applied to an interface with 'ip flow ingress'.
  • Use 'show running-config | section snmp' to verify SNMP commands.
A. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, apply exporter to an interface, and verify with 'show snmp' and 'show ip cache flow'.
B. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth MD5 priv DES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 5, apply exporter to an interface, and verify with 'show snmp' and 'show ip cache flow'.
C. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, and verify with 'show snmp' and 'show ip flow export'.
D. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, apply exporter to an interface, and verify with 'show snmp' and 'show ip flow export'.
Answer: A
Solution
! R1
snmp-server community PublicTrap RO
snmp-server host 192.0.2.100 version 2c PublicTrap
snmp-server group AdminGroup v3 priv
snmp-server user Admin AdminGroup v3 auth sha Cisco123 priv aes 128 Cisco123
snmp-server host 192.0.2.100 version 3 priv Admin
ip flow-export destination 192.0.2.200 2055
ip flow-export version 9
interface GigabitEthernet0/0
ip flow ingress
exit
interface GigabitEthernet0/1
ip flow ingress

Why this answer

The router had only a basic SNMP read-only community configured. To send SNMPv2c traps, you need to configure the trap community and destination. For SNMPv3, you must create the user with authentication and privacy parameters, then configure the trap destination with that user.

NetFlow export requires defining the destination IP and UDP port, enabling version 9, and optionally applying the flow exporter to an interface. The 'show snmp' command confirms SNMP configuration, and 'show ip cache flow' shows NetFlow statistics.

Exam trap

Watch out for incorrect SNMPv3 authentication/privacy algorithms (e.g., MD5/DES instead of SHA/AES) and NetFlow version (version 5 vs 9). Also, remember that NetFlow exporter must be applied to an interface, and verification commands must be exact.

Why the other options are wrong

B

Uses outdated security algorithms MD5/DES for SNMPv3 and sets NetFlow version 5 instead of 9.

C

Omits the critical step of applying the NetFlow exporter to an interface, so flows are not captured.

D

Incorrectly uses 'show ip flow export' for verification; the correct command to view NetFlow cache is 'show ip cache flow'.

8
PBQ · hard

You are connected to R1 via console. R1 is a Cisco ISR 4321 running IOS-XE 17.3. The initial configuration on R1 already includes the SNMPv2c community string 'CourseivaRO' with read-only access and a corresponding SNMPv2c trap host for 192.0.2.100 (these are already in place and do not need to be reconfigured). Your task is to add the following additional configurations: (a) [already configured] (b) Create an SNMPv3 user 'monitor' with SHA authentication and AES 128-bit encryption, using authentication password 'AuthPass123' and privacy password 'PrivPass456'; (c) Configure SNMP traps (linkUp, linkDown, authenticationFailure) to be sent to the NMS server at 192.0.2.100 using SNMPv3 with only authentication (no privacy). (d) Enable NetFlow on GigabitEthernet0/0/0, with flow export to collector 203.0.113.50 using UDP port 2055, NetFlow version 9, and set the source interface to Loopback0 (IP 10.0.0.1/32). Finally, verify your configuration with show snmp and show ip cache flow.

Network Topology
[Topology diagram: nodes R1, NMS; R1 G0/0 192.168.1.1/30; 192.0.2.100; Internet]

Hints

  • The SNMPv3 user must be configured before the trap host for v3, and the user must reference the v3 group (use the community string as the group name).
  • NetFlow requires both global export parameters and interface-level ip flow ingress (or egress) command.
  • Use 'show run | section snmp' to verify SNMP configs and 'show run | include flow' for NetFlow.
A. snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456; snmp-server host 192.0.2.100 version 3 auth monitor; interface GigabitEthernet0/0/0; ip flow ingress; ip flow-export destination 203.0.113.50 2055; ip flow-export source Loopback0; ip flow-export version 9
B. snmp-server user monitor CourseivaRO v3 auth md5 AuthPass123 priv des56 PrivPass456; snmp-server host 192.0.2.100 version 3 priv monitor; interface GigabitEthernet0/0/0; ip flow egress; ip flow-export destination 203.0.113.50 2055; ip flow-export source Loopback0; ip flow-export version 5
C. snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456; snmp-server host 192.0.2.100 version 3 priv monitor; interface GigabitEthernet0/0/0; ip flow ingress; ip flow-export destination 203.0.113.50 2055; ip flow-export source Loopback0; ip flow-export version 9
D. snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456; snmp-server host 192.0.2.100 version 3 auth monitor; interface GigabitEthernet0/0/0; ip flow ingress; ip flow-export destination 203.0.113.50 2055; ip flow-export source Loopback0; ip flow-export version 5
Answer: A
Solution
! R1
snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456
snmp-server host 192.0.2.100 version 3 auth monitor
ip flow-export destination 203.0.113.50 2055
ip flow-export source loopback0
ip flow-export version 9
interface GigabitEthernet0/0/0
ip flow ingress

Why this answer

Option A is correct because it creates the SNMPv3 user with SHA and AES 128, and its trap host command specifies 'auth' (authentication only), as the stem requires. Option B is wrong because it uses MD5/DES, egress flow, and version 5. Option C is wrong because it uses 'priv' for traps, which would include encryption; the stem requires only authentication.

Option D is wrong because it uses version 5 for NetFlow.

Exam trap

Pay close attention to the exact security level for traps: 'auth' means authentication only, while 'priv' includes encryption. Also, ensure NetFlow is enabled on the correct direction (ingress) and that the version is explicitly set to 9. Do not assume default values.

Why the other options are wrong

B

The specific factual errors: MD5 and DES are not the required algorithms; 'priv' level requires encryption but the question specifies 'auth' level; NetFlow egress is not the default and not requested; version 5 is not version 9.

C

The specific factual error: The trap host command specifies 'priv' security level, which requires the user to have a privacy password and sends encrypted traps, but the requirement is for 'auth' only.

D

The specific factual error: NetFlow version 5 is an older version that does not support templates and is not the required version 9.

9
PBQ · hard

You are connected to R1, a router that must send SNMP traps to a management server at 203.0.113.10 and export NetFlow data to a collector at 203.0.113.20. Currently, SNMPv2c traps are not being sent, and SNMPv3 is not configured for read-only access with authentication and privacy. Additionally, NetFlow export is missing the destination and version configuration. Configure the necessary commands on R1 to enable SNMPv2c traps (community string 'public'), configure SNMPv3 user 'admin' with SHA authentication and AES 128 encryption (password 'cisco123' for both auth and priv), and set NetFlow export to version 9.

Network Topology
[Topology diagram: nodes R1, Management Server; link G0/0 203.0.113.1/24 to 203.0.113.10]

Hints

  • Use the 'snmp-server host' command to specify the trap destination and community.
  • For SNMPv3, you must first create a group with the appropriate security level before creating the user.
  • NetFlow export version is configured globally with 'ip flow-export version'.
A. snmp-server host 203.0.113.10 traps version 2c public; snmp-server group MyGroup v3 priv; snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123; ip flow-export version 9
B. snmp-server host 203.0.113.10 traps version 2c public; snmp-server group MyGroup v3 auth; snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123; ip flow-export version 9
C. snmp-server host 203.0.113.10 traps version 2c public; snmp-server user admin v3 auth sha cisco123 priv aes 128 cisco123; ip flow-export version 9
D. snmp-server host 203.0.113.10 traps version 2c public; snmp-server group MyGroup v3 priv; snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123; ip flow-export destination 203.0.113.20 2055
Answer: A
Solution
! R1
snmp-server host 203.0.113.10 traps version 2c public
snmp-server group MyGroup v3 priv
snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123
ip flow-export version 9

Why this answer

The configuration is missing SNMPv3 user setup, trap destination, and NetFlow export version. First, enable SNMPv2c traps with `snmp-server host 203.0.113.10 traps version 2c public`. Then, configure SNMPv3 user with `snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123` after creating a group with `snmp-server group MyGroup v3 priv`.

For NetFlow, set the export version with `ip flow-export version 9`. Finally, verify with `show snmp` to see trap host and v3 user, and `show ip cache flow` to confirm export configuration.

Exam trap

Watch out for the SNMPv3 group keyword: 'priv' is required when using encryption (AES 128), not just 'auth'. Also, remember that the 'snmp-server user' command requires a group name. For NetFlow, the version is set with 'ip flow-export version 9', not 'ip flow-export destination'.

Why the other options are wrong

B

The group keyword 'auth' only enables authentication, not encryption. AES 128 requires the 'priv' keyword.

C

The 'snmp-server user' command requires a group name. Omitting the group will result in an error or incomplete configuration.

D

The command 'ip flow-export destination' sets the collector IP and port, not the export version. The version is set with 'ip flow-export version 9'.

10
Multi-Select · medium

A network team wants to collect flow-level traffic statistics from routers to identify top talkers and bandwidth consumers. Which two statements about NetFlow are correct?

Select 2 answers
A. It summarizes traffic into flows instead of capturing every packet payload
B. It is primarily used to distribute time from an authoritative clock
C. It can help identify which conversations consume the most bandwidth
D. It replaces routing protocols by advertising reachability information
Answers: A, C

NetFlow tracks metadata about flows, not full payload captures.

Why this answer

NetFlow provides visibility into who is talking to whom, with what protocols and volume, making it valuable for capacity planning, troubleshooting, and security analysis.

Exam trap

A frequent exam trap is mistaking NetFlow for protocols that distribute time or routing information. For example, option B incorrectly associates NetFlow with NTP, which synchronizes clocks, and option D wrongly suggests NetFlow replaces routing protocols by advertising reachability. These misconceptions arise because candidates may not clearly differentiate between monitoring technologies and control plane protocols.

Remember, NetFlow only summarizes traffic flows for analysis and does not participate in routing or time synchronization. Confusing these roles can lead to selecting incorrect answers under exam pressure.

Why the other options are wrong

B

Option B is incorrect because distributing time from an authoritative clock is the function of NTP, not NetFlow, which is a traffic monitoring protocol.

D

Option D is incorrect because NetFlow does not replace routing protocols or advertise reachability information; it only monitors traffic flows.

11
PBQ · hard

You are connected to R1, a Cisco IOS-XE router. Configure SNMP v2c with read-only community 'NetOpsRO' and SNMP v3 with user 'AdminUser' using SHA authentication (password: AuthPass1) and AES-128 encryption (password: PrivPass2). Also enable SNMP traps to the NMS at 192.0.2.10 with community 'TrapComm'. Additionally, configure NetFlow export to 192.0.2.20 using version 9, and ensure the flow exporter is applied to GigabitEthernet0/0. Verify your configuration using 'show snmp' and 'show ip cache flow'.

Network Topology
[Topology diagram: nodes R1, R2; link G0/0 10.0.0.1/30 to G0/0 10.0.0.2/30]

Hints

  • SNMPv3 requires both a group and a user; the group defines the security level (auth/priv).
  • NetFlow export requires a flow exporter and a flow monitor applied to the interface.
  • Use 'snmp-server enable traps' without specific traps to enable all supported traps.
A. snmp-server community NetOpsRO ro; snmp-server group AdminGroup v3 priv; snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2; snmp-server enable traps; snmp-server host 192.0.2.10 TrapComm; flow exporter EXPORTER; destination 192.0.2.20; version 9; !; flow monitor FLOW-MONITOR; exporter EXPORTER; record netflow ipv4 original-input; !; interface GigabitEthernet0/0; ip flow monitor FLOW-MONITOR input
B. snmp-server community NetOpsRO ro; snmp-server user AdminUser v3 auth sha AuthPass1 priv aes 128 PrivPass2; snmp-server enable traps; snmp-server host 192.0.2.10 TrapComm; flow exporter EXPORTER; destination 192.0.2.20; version 9; !; interface GigabitEthernet0/0; ip flow export EXPORTER
C. snmp-server community NetOpsRO ro; snmp-server group AdminGroup v3 priv; snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2; snmp-server enable traps; snmp-server host 192.0.2.10 version 2c TrapComm; flow exporter EXPORTER; destination 192.0.2.20; version 9; !; interface GigabitEthernet0/0; ip flow monitor FLOW-MONITOR input
D. snmp-server community NetOpsRO ro; snmp-server group AdminGroup v3 priv; snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2; snmp-server enable traps; snmp-server host 192.0.2.10 TrapComm; flow exporter EXPORTER; destination 192.0.2.20; version 9; !; interface GigabitEthernet0/0; ip flow monitor FLOW-MONITOR input; flow monitor FLOW-MONITOR; exporter EXPORTER
Answer: A
Solution
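! R1
! SNMPv2c read-only community
snmp-server community NetOpsRO ro
! SNMPv3: the group sets the security level (priv), the user carries the credentials
snmp-server group AdminGroup v3 priv
snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2
! Traps to the NMS
snmp-server enable traps
snmp-server host 192.0.2.10 TrapComm
! Flexible NetFlow: exporter, then monitor, then interface binding
flow exporter EXPORTER
 destination 192.0.2.20
 export-protocol netflow-v9
 transport udp 9996
 template data timeout 60
 exit
flow monitor FLOW-MONITOR
 exporter EXPORTER
 record netflow ipv4 original-input
 exit
interface GigabitEthernet0/0
 ip flow monitor FLOW-MONITOR input
 exit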

Why this answer

Option A is the only complete configuration. It defines the SNMPv3 group and user, enables traps, sets up the flow exporter, and crucially defines a flow monitor globally before applying it to the interface. Without the global `flow monitor` definition, the `ip flow monitor ... input` command on the interface would be rejected.

Option B omits the SNMP group and uses the deprecated `ip flow export` instead of the modern flow monitor method. Option C is missing the flow monitor definition, and its `snmp-server host` version syntax is unnecessary but not harmful; the real flaw is the absent monitor. Option D attempts to add the flow monitor but incorrectly places the global definition commands inside the interface configuration, which would cause a syntax error.

Exam trap

The most common oversight is forgetting to define the flow monitor globally; without it, the `ip flow monitor` command on the interface will fail. Also, learners sometimes mistakenly use the deprecated `ip flow export` command instead of the modern flow monitor approach.

Why the other options are wrong

B

Omits the required SNMPv3 group and relies on the deprecated interface command 'ip flow export' instead of the modern flow monitor method.

C

Lacks the required global flow monitor definition block; the 'ip flow monitor' command on the interface refers to a nonexistent monitor.

D

Places the flow monitor definition commands inside the interface configuration context, where they would be rejected as invalid.

12
PBQ · hard

You are connected to R1. Configure SNMP v2c with a read-only community string 'monitorRO' and a read-write community string 'controlRW', and enable SNMP traps for link status to the management server at 203.0.113.100. Additionally, configure NetFlow to export version 9 flow records to the same server on UDP port 2055, and ensure that only traffic from the 10.10.10.0/24 network is monitored. Finally, verify your configurations with the appropriate show commands.

Network Topology
[Topology diagram: R1, R2 and Internal Network; labels G0/0 10.0.0.1/30, G0/0 10.0.0.2/30 (link), G0/1 10.10.10.1/24, 10.10.10.0/24 (link)]

Hints

  • Remember to specify the SNMP version when configuring the trap receiver host.
  • NetFlow version 9 must be explicitly configured; otherwise, version 5 is used by default.
  • Apply the flow monitor to the interface that connects to the network you want to monitor (G0/1).
A.Configure SNMP community strings, enable link-status traps, set trap destination, configure NetFlow export version 9, and apply flow monitor to interface(s) carrying 10.10.10.0/24 traffic.
B.Configure SNMP community strings, enable link-status traps, set trap destination, and configure NetFlow export version 5. Apply flow monitor to all interfaces.
C.Configure SNMP community strings, enable all SNMP traps, set trap destination, and configure NetFlow export version 9. Apply flow monitor to interface with IP 10.10.10.0/24.
D.Configure SNMP community strings, enable link-status traps, set trap destination, and configure NetFlow export version 9. Do not apply any flow monitor; NetFlow automatically monitors all traffic.
Answer: A
Solution
! R1
snmp-server community monitorRO RO
snmp-server community controlRW RW
snmp-server enable traps snmp linkdown linkup
snmp-server host 203.0.113.100 version 2c monitorRO
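! Flexible NetFlow record: key fields (match) and collected counters
flow record NETFLOW-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 exit
! The export version is set under the exporter, not with the legacy global command
flow exporter EXPORTER-TO-SERVER
 destination 203.0.113.100
 export-protocol netflow-v9
 transport udp 2055
 source Loopback0
 exit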
flow monitor MONITOR-10NET
 record NETFLOW-RECORD
 exporter EXPORTER-TO-SERVER
 cache timeout active 300
 exit
interface GigabitEthernet0/1
 ip flow monitor MONITOR-10NET input
 ip flow monitor MONITOR-10NET output
 exit

Why this answer

The solution correctly configures SNMP v2c with the required read-only and read-write community strings, enables only link-status traps, and sets the trap destination. For NetFlow, it uses Flexible NetFlow by defining a flow record, an exporter, and a monitor. Importantly, the export version (9) must be configured under the flow exporter, not with the legacy global `ip flow-export version 9` command.

The flow monitor is applied to GigabitEthernet0/1, which carries traffic from the 10.10.10.0/24 network. Verification can be done with `show snmp` to confirm communities and trap receivers, and `show flow monitor name MONITOR-10NET cache` or `show ip cache flow` to view exported flow records.

Exam trap

Common mistakes include mixing legacy and Flexible NetFlow commands (e.g., using the global `ip flow-export version` instead of setting it under the flow exporter), forgetting to apply the flow monitor to an interface, and enabling all SNMP traps rather than only link-status traps.

Why the other options are wrong

B

The question explicitly requires NetFlow version 9, and traffic monitoring must be limited to the 10.10.10.0/24 network.

C

Enabling all traps is unnecessary and may cause unwanted overhead; the flow monitor must be applied to the correct interface(s) based on traffic flow, not the network address.

D

NetFlow requires a flow monitor to be applied to an interface to capture traffic; it does not automatically monitor all traffic.

13
PBQ · hard

You are connected to R1 via the console. SNMP v2c community strings (public RO, private RW) are already configured. The network has a management server at 10.1.1.100 and a NetFlow collector at 10.1.1.200. Configure SNMP traps to the management server for link status changes. Also configure NetFlow on interface GigabitEthernet0/0 to export version 9 to the collector, with a source interface of Loopback0 (10.255.255.1/32).

Network Topology
[Topology diagram: R1, R2, MGMT_Server and NMS_Collector; labels G0/0, G0/0, 10.1.1.100, 10.1.1.200, 10.0.0.1/30]

Hints

  • SNMP traps require both a host command and enabling specific trap types.
  • NetFlow export needs destination, version, and source interface, plus flow ingress on the interface.
  • Use 'show running-config | section snmp|flow' to verify your changes.
A.
snmp-server host 10.1.1.100 version 2c public
snmp-server enable traps snmp linkdown linkup
ip flow-export destination 10.1.1.200 2055
ip flow-export version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress

B.
snmp-server host 10.1.1.200 version 2c private
snmp-server enable traps
ip flow-export destination 10.1.1.100 2055 version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow egress

C.
snmp-server host 10.1.1.100 version 2c private
snmp-server enable traps
ip flow-export destination 10.1.1.200 2055 version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress

D.
snmp-server host 10.1.1.100 version 2c public
snmp-server enable traps snmp linkdown linkup
ip flow-export destination 10.1.1.200 2055 version 5
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress

Answer: A
Solution
! R1
snmp-server host 10.1.1.100 version 2c public
snmp-server enable traps snmp linkdown linkup
ip flow-export destination 10.1.1.200 2055
ip flow-export version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress

Why this answer

The current configuration has SNMP community strings but lacks trap destinations and NetFlow export. To fix this, configure `snmp-server host 10.1.1.100 version 2c public` to send traps; `snmp-server enable traps snmp linkdown linkup` is required to send link status changes. For NetFlow, you need `ip flow-export destination 10.1.1.200 2055` and then `ip flow-export version 9` to set the export version.

Also configure `ip flow-export source Loopback0` and apply `ip flow ingress` on GigabitEthernet0/0. Verification commands confirm the settings.

Exam trap

Pay close attention to the IP addresses: the management server (10.1.1.100) is for SNMP traps, and the collector (10.1.1.200) is for NetFlow. Also, remember that SNMP traps use the read-only community, and NetFlow version must match the requirement (version 9).

Why the other options are wrong

B

The SNMP trap destination and NetFlow export destination are swapped, and the flow direction is egress instead of ingress.

C

SNMP traps should use the read-only community string 'public', not the read-write 'private'.

D

NetFlow export version is set to 5, but the requirement is version 9.

14
MCQ · hard

A network administrator notices that syslog messages from a core router are arriving at the syslog server with timestamps that are hours behind other devices. The router’s NetFlow exports also show incorrect start and end times for flows, making traffic analysis unreliable. The administrator verifies that all router interfaces are up and that the SNMP community strings on the router match the NMS.

A.The logging trap level is set to informational, so only high-severity messages are sent with correct timestamps.
B.The router’s NTP client is configured with an incorrect authentication key.
C.The SNMP v3 user’s privacy password is incorrect, causing the NMS to reject syslog traps.
D.The IP flow cache timeout is set too low, causing NetFlow timestamps to appear skewed.
Answer: B

NTP can use authentication keys to verify server identity. If the client key does not match the server’s key, the router will not trust the time updates and will fail to synchronize. This leaves the router’s clock uncorrected, causing incorrect timestamps in syslog and NetFlow records.

Why this answer

The router's timestamps are incorrect for both syslog messages and NetFlow exports, which points to a system-wide time synchronization issue. NTP (Network Time Protocol) is responsible for maintaining accurate time on network devices, and if the NTP client is configured with an incorrect authentication key, it will fail to synchronize with the NTP server, causing the router's clock to drift. This explains why all time-stamped data (syslog and NetFlow) is consistently behind.

Exam trap

Cisco often tests the distinction between time synchronization issues (NTP) and logging/SNMP configuration issues, so candidates may incorrectly attribute timestamp problems to syslog or SNMP settings rather than the underlying system clock.

Why the other options are wrong

A

Logging trap level controls which severity messages are forwarded, not the accuracy of the timestamps.

C

SNMP v3 misconfiguration impacts SNMP traps, not syslog messages, which are sent independently via a different transport.

D

Cache timeout affects flow export frequency, not the accuracy of the timestamps inside the flow data.
