CCNA SNMP Questions

18 questions · SNMP topic · All types, answers revealed

1
MCQ · medium

What is a key difference between SNMPv3 and earlier SNMP versions?

A. SNMPv3 supports IPv4 only
B. SNMPv3 adds authentication and encryption features
C. SNMPv3 cannot be used for monitoring interface counters
D. SNMPv3 replaces syslog completely
Answer: B

Correct. Stronger security is the primary differentiator.

Why this answer

SNMPv3 improves security by adding authentication, message integrity, and privacy features. Earlier versions, especially SNMPv1 and v2c, rely on community strings and provide much weaker protection.

Exam trap

A common exam trap is to mistakenly believe that SNMPv3 restricts network monitoring capabilities or IP protocol support. Some candidates incorrectly think SNMPv3 supports only IPv4 or that it replaces syslog entirely. These misconceptions arise because the question emphasizes SNMPv3’s differences without clarifying what remains unchanged.

The trap is to focus on unrelated protocol features rather than the core improvement: security. Selecting options that mention monitoring limitations or protocol replacement leads to incorrect answers. Understanding that SNMPv3’s main advancement is adding authentication and encryption prevents falling into this trap.

Why the other options are wrong

A

Option A is incorrect because SNMPv3 supports both IPv4 and IPv6 networks. It is not limited to IPv4 only, so this option misrepresents SNMPv3’s capabilities.

C

Option C is incorrect since SNMPv3 continues to support monitoring functions such as interface counters. It does not remove or restrict these capabilities.

D

Option D is incorrect because SNMPv3 does not replace syslog. Both protocols coexist and serve different roles in network management and logging.

2
Multi-Select · medium

Which TWO statements correctly describe characteristics of SNMPv2c and SNMPv3 for network monitoring?

Select 2 answers
A. SNMPv3 supports authentication and encryption for secure network monitoring.
B. SNMPv2c uses community strings sent in clear text to authenticate requests.
C. SNMPv3 provides the same security level as SNMPv2c but with additional trap support.
D. SNMPv2c supports only GET and SET operations, but not traps.
E. SNMPv3 uses community strings to authenticate agents and managers.
Answers: A, B

SNMPv3 includes security features such as authentication (MD5/SHA) and encryption (DES/AES) to protect data in transit.

Why this answer

Option A is correct because SNMPv3 introduces authentication (MD5/SHA) and encryption (DES/AES) for secure monitoring. Option B is correct because SNMPv2c uses community strings transmitted in cleartext, lacking security. Option C is wrong: SNMPv3 is more secure than v2c, not the same.

Option D is wrong: SNMPv2c supports traps in addition to GET and SET. Option E is wrong: SNMPv3 uses usernames and security models, not community strings.

Exam trap

Cisco often tests the misconception that SNMPv3 is merely an extension of SNMPv2c with added trap support, when in fact the key differentiator is the security model (authentication and encryption), and both versions support traps.

Why the other options are wrong

C

SNMPv3 provides significantly higher security than SNMPv2c by adding authentication and encryption, whereas SNMPv2c uses only community strings in clear text. Both versions support traps, so the statement incorrectly claims SNMPv3 has additional trap support, which is not a distinguishing feature.

D

SNMPv2c supports GET, SET, and trap operations, just like SNMPv1 and SNMPv3. The statement is incorrect because it claims SNMPv2c does not support traps, which is false; traps are a key feature for asynchronous notifications in network monitoring.

E

SNMPv3 uses the User-based Security Model (USM) with usernames and authentication keys, not community strings. Community strings are a feature of SNMPv1 and SNMPv2c, which are transmitted in clear text and provide weak security.

3
PBQ · hard

You are connected to R1, a Cisco ISR 4331 router running IOS-XE. Your task is to enable SNMP v2c with community string 'public' (read-only) and 'private' (read-write), and configure SNMP v3 with a user 'admin' using SHA authentication (password 'Cisco123') and AES 128 encryption (password 'Cisco456'). Additionally, configure SNMP traps to be sent to a management server at 203.0.113.10 for both v2c and v3. Finally, enable NetFlow export to a collector at 203.0.113.20, using version 9. Verify your configuration using 'show snmp' and 'show ip cache flow'.

Hints

  • Remember to apply NetFlow on an interface for traffic capture.
  • SNMPv3 user requires both auth and priv passwords.
  • Use 'snmp-server enable traps' before configuring trap hosts.
A. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
B. snmp-server community public; snmp-server community private; snmp-server user admin v3 auth md5 Cisco123 priv des56 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
C. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c private; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
D. snmp-server community public RO; snmp-server community private RW; snmp-server user admin v3 auth sha Cisco123 priv aes 128 Cisco456; snmp-server enable traps; snmp-server host 203.0.113.10 version 2c public; snmp-server host 203.0.113.10 version 3 auth admin; ip flow-export destination 203.0.113.20 2055; ip flow-export version 5
Answer: A
Solution
! R1
snmp-server community public RO
snmp-server community private RW
snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456
snmp-server enable traps
snmp-server host 203.0.113.10 version 2c public
snmp-server host 203.0.113.10 version 3 auth admin
ip flow-export destination 203.0.113.20 2055
ip flow-export version 9
interface GigabitEthernet0/1
 ip flow ingress
 exit

Why this answer

The router lacks SNMP and NetFlow configuration. For SNMP v2c, you must define community strings with 'snmp-server community public RO' and 'snmp-server community private RW'. For SNMP v3, you create a user within a group; the command requires a group name, e.g., 'snmp-server user admin v3group v3 auth sha Cisco123 priv aes 128 Cisco456'.

Traps are enabled and sent to 203.0.113.10 via v2c with the public community and v3 with the admin user. NetFlow export uses version 9 to collector 203.0.113.20. Verification commands show SNMP details and flow cache export settings.

Exam trap

Watch out for common mistakes: using MD5/DES instead of SHA/AES for SNMPv3, forgetting RO/RW keywords on community strings, using the wrong community string for traps, and selecting the wrong NetFlow version. Always verify the exact requirements in the question.

Why the other options are wrong

B

The specific factual error: SNMPv3 user is configured with MD5 and DES instead of SHA and AES 128; community strings are missing RO/RW keywords.

C

The specific factual error: The v2c trap host uses 'private' instead of 'public' community string.

D

The specific factual error: NetFlow export version is set to 5 instead of 9.

4
PBQ · hard

You are connected to R1. Configure SNMPv3 with authentication (SHA) and encryption (AES-128) for user 'monitor' in group 'AdminGroup', and also configure SNMPv2c read-only community string 'cisco123' to send traps to the management server at 192.0.2.100. Additionally, configure NetFlow on interface GigabitEthernet0/0 to export flow data to 198.51.100.50 using version 9. Verify your configuration using the appropriate show commands.

Network Topology
[Topology diagram: R1, R2, R3; link G0/0 10.0.0.1/30 to G0/0 10.0.0.2/30; link G0/1 203.0.113.1/30 to G0/1 203.0.113.2/30]

Hints

  • SNMPv3 requires a view before creating the group.
  • Remember to enable NetFlow on the interface in both ingress and egress directions.
  • The SNMPv2c community string must be configured before the trap host can reference it.
A. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
B. snmp-server group AdminGroup v3 auth read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
C. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv des 56 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 9; ip flow ingress
D. snmp-server group AdminGroup v3 priv read AdminView; snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123; snmp-server community cisco123 ro; snmp-server host 192.0.2.100 traps version 2c cisco123; interface GigabitEthernet0/0; ip flow-export destination 198.51.100.50 9996; ip flow-export version 5; ip flow ingress
Answer: A
Solution
! R1
snmp-server group AdminGroup v3 priv read AdminView
snmp-server view AdminView iso included
snmp-server user monitor AdminGroup v3 auth sha cisco123 priv aes 128 cisco123
snmp-server community cisco123 RO
snmp-server host 192.0.2.100 version 2c cisco123
snmp-server enable traps
interface GigabitEthernet0/0
 ip flow ingress
 ip flow egress
 exit
ip flow-export destination 198.51.100.50 2055
ip flow-export version 9

Why this answer

The configuration was missing SNMPv3 user, group, and trap settings. We added the SNMPv3 user 'monitor' with SHA authentication and AES-128 encryption, created a view and group 'AdminGroup' with read access, and configured the SNMPv2c community string 'cisco123' for read-only access. We also enabled SNMP traps to the manager at 192.0.2.100 and configured NetFlow on GigabitEthernet0/0 to export to 198.51.100.50 using version 9.

Verification commands show the SNMP configuration and NetFlow flow cache.

Exam trap

Pay close attention to the exact security requirements: 'priv' for encryption, AES-128 specifically, and NetFlow version 9. The exam often tests subtle differences between 'auth' and 'priv' levels, encryption algorithms, and NetFlow versions.

Why the other options are wrong

B

The group level 'auth' does not permit encryption; 'priv' is required for AES-128 encryption.

C

The encryption algorithm specified is DES (56-bit) instead of AES-128.

D

NetFlow export version is 5, not 9 as required.

5
PBQ · hard

You are connected to R1, a Cisco router running IOS-XE. Configure SNMP v2c with a read-only community string 'publicRW' (note: the string is intentionally misnamed for the task), and SNMP v3 with user 'admin' using MD5 authentication (password 'cisco123') and DES encryption (password 'cisco456'). Ensure SNMP traps for linkUp/linkDown are sent to the management server at 192.0.2.100. Additionally, configure NetFlow export to send version 9 flow records to 192.0.2.200 on UDP port 2055, and ensure that only inbound traffic on GigabitEthernet0/0 is monitored. Finally, verify your configuration using 'show snmp' and 'show ip cache flow'.

Network Topology
[Topology diagram: R1, R2; link G0/0 10.0.0.1/30 to G0/0 10.0.0.2/30]

Hints

  • Remember to create the SNMP v3 user with both auth and priv parameters.
  • NetFlow requires both a destination and version; also apply flow monitoring on an interface.
  • Use 'snmp-server enable traps' to activate trap generation before specifying the host.
A. snmp-server community publicRW ro; snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456; snmp-server enable traps snmp linkdown linkup; snmp-server host 192.0.2.100 traps version 2c publicRW; ip flow-export destination 192.0.2.200 2055; ip flow-export version 9; interface GigabitEthernet0/0; ip flow ingress
B. snmp-server community publicRW ro; snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456; snmp-server enable traps snmp linkdown linkup; snmp-server host 192.0.2.100 traps version 2c publicRW; ip flow-export destination 192.0.2.200 2055; ip flow-export version 9
C. snmp-server community publicRW ro; snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456; snmp-server enable traps snmp linkdown linkup; snmp-server host 192.0.2.100 traps version 2c publicRW; ip flow-export destination 192.0.2.200 2055; ip flow-export version 9; interface GigabitEthernet0/0; ip flow egress
D. snmp-server community publicRW ro; snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456; snmp-server enable traps snmp linkdown linkup; snmp-server host 192.0.2.100 traps version 2c publicRW; ip flow-export destination 192.0.2.200 2055; ip flow-export version 9; interface GigabitEthernet0/0; ip flow monitor FLOW-MONITOR input
Answer: A
Solution
! R1
snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456
snmp-server enable traps snmp linkdown linkup
snmp-server host 192.0.2.100 traps version 2c publicRW
ip flow-export destination 192.0.2.200 2055
ip flow-export version 9
interface GigabitEthernet0/0
 ip flow ingress
 end

Why this answer

The initial configuration already has the SNMP v2c community string 'publicRW' set as RO, which matches the task's requirement for a read-only string. The SNMP v3 user 'admin' with MD5/DES is missing entirely, as are trap destinations and NetFlow export. To fix, first add the SNMP v3 user with 'snmp-server user admin admin v3 auth md5 cisco123 priv des cisco456', then enable traps with 'snmp-server enable traps snmp linkdown linkup' and 'snmp-server host 192.0.2.100 traps version 2c publicRW'.

For NetFlow, configure 'ip flow-export destination 192.0.2.200 2055', 'ip flow-export version 9', and apply flow monitoring on an interface (e.g., 'interface GigabitEthernet0/0' with 'ip flow ingress'). The 'show snmp' command will display the community strings and trap receivers, while 'show ip cache flow' will show flow records.

Exam trap

Students often forget to apply NetFlow on an interface with 'ip flow ingress' or confuse it with Flexible NetFlow commands. Also, they may omit the trap enable command or use the wrong SNMP version for trap delivery. Always ensure that NetFlow collection is enabled on an interface and that SNMP traps are both enabled globally and sent to the correct host.

Why the other options are wrong

B

The configuration omits the 'ip flow ingress' (or any) interface command, so NetFlow will not collect any traffic.

C

The 'ip flow egress' command monitors outbound traffic, not the specified inbound traffic on GigabitEthernet0/0.

D

The 'ip flow monitor FLOW-MONITOR input' command references a flexible NetFlow monitor that does not exist; traditional 'ip flow ingress' is required.

6
MCQ · hard

A network engineer notices that an NMS at 10.1.1.200 cannot poll a router that has SNMPv2c configured with community string 'public'. What is causing this issue?

A. SNMPv2c is not enabled on the router.
B. The SNMP community 'public' has an access list that only permits host 10.1.1.100.
C. The NMS is using the wrong community string.
D. The router's SNMP agent is not listening on the interface facing 10.1.1.200.
Answer: B

The ACL applied to the community string restricts inbound SNMP requests to the permitted IP address. Since the NMS is 10.1.1.200, the router discards its polls, preventing a response.

Why this answer

The SNMP community 'public' has an ACL that permits only host 10.1.1.100, so the NMS at 10.1.1.200 is explicitly denied. No other condition explains the symptom because the community string matches, SNMPv2c is enabled by the configuration, and the agent listens on all interfaces by default.

Exam trap

Candidates often assume the NMS has the wrong community string when polling fails, but here the string matches; the ACL restriction produces the same timeout behavior as a community mismatch, making C a tempting misconception.

Why the other options are wrong

A

Many believe SNMP requires an additional global command to start; on Cisco IOS, a community string entry enables the agent.

C

Polling failures are often attributed to community string errors, but when the string matches, an ACL restriction produces identical symptoms.

D

Candidates may assume the agent must be bound to an interface, but Cisco IOS SNMP agents respond on any interface unless limited by an ACL or VRF.

7
PBQ · hard

You are connected to R1, a Cisco ISR 4321 running IOS-XE. Configure SNMPv2c with a read-only community string 'public' and SNMPv3 with user 'admin' using SHA authentication and AES encryption. Ensure SNMP traps are sent to the management server at 203.0.113.10. Additionally, configure NetFlow export to destination 203.0.113.20 on UDP port 2055 using version 9. Verify your configuration with appropriate show commands. The current running-config is incomplete; you must add the missing commands.

Network Topology
[Topology diagram: R1, Server, Management Network; G0/0 192.168.1.1/24]

Hints

  • SNMPv3 user configuration requires both auth and priv algorithms and passwords.
  • For SNMP traps, specify the trap receiver IP and community string.
  • NetFlow export configuration uses global commands; no interface-level configuration is needed for basic export setup.
A. snmp-server community public ro; snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco; snmp-server host 203.0.113.10 traps version 2c public; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
B. snmp-server community public ro; snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco; snmp-server host 203.0.113.10 traps version 3 auth public; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
C. snmp-server community public ro; snmp-server user admin snmp-group v3 auth md5 cisco priv des56 cisco; snmp-server host 203.0.113.10 traps version 2c public; ip flow-export destination 203.0.113.20 2055; ip flow-export version 9
D. snmp-server community public ro; snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco; snmp-server host 203.0.113.10 traps version 2c public; ip flow-export destination 203.0.113.20 2055; ip flow-export version 5
Answer: A
Solution
! R1
snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco
snmp-server host 203.0.113.10 traps version 2c public
ip flow-export destination 203.0.113.20 2055
ip flow-export version 9

Why this answer

The initial config has only a basic SNMPv2c community string. To meet requirements: enable SNMPv3 with a user 'admin' using SHA authentication and AES 128-bit encryption. The correct command requires a group name and the 'v3' keyword, e.g., 'snmp-server user admin snmp-group v3 auth sha cisco priv aes 128 cisco'.

Configure SNMP trap destination with 'snmp-server host 203.0.113.10 traps version 2c public'. For NetFlow, use 'ip flow-export destination 203.0.113.20 2055' and 'ip flow-export version 9'. Verify with 'show snmp' and 'show ip cache flow'.

Option B incorrectly uses version 3 traps with a community string; version 3 requires a security name. Option C uses insecure MD5/DES56 instead of SHA/AES. Option D uses NetFlow version 5 instead of version 9.

Exam trap

Forgetting to include a group name and the 'v3' keyword in the 'snmp-server user' command is a common syntax error that will cause the configuration to be rejected on real devices.

Why the other options are wrong

B

The trap host line uses 'version 3' and a community string ('public'), but SNMPv3 traps require a security name (the user) and an authentication level, not a community.

C

The SNMPv3 user is configured with MD5 and DES56, while the requirement is SHA authentication and AES 128‑bit encryption.

D

The NetFlow export version is set to 5 instead of the required version 9.

8
MCQ · hard

An administrator sees high interface utilization through SNMP graphs but wants to identify which conversations are responsible. Which addition best closes that visibility gap?

A. NetFlow
B. Another DHCP scope
C. A new STP priority
D. A larger OSPF metric
Answer: A

This is correct because NetFlow adds detailed visibility into traffic conversations behind utilization.

Why this answer

NetFlow provides conversation-level visibility into which hosts and applications are consuming bandwidth, closing the gap left by SNMP's interface totals. A new DHCP scope assigns IP addresses but offers no traffic insight. An STP priority manages loop-free topology and does not affect monitoring.

A larger OSPF metric influences routing path selection, not traffic analysis.

Exam trap

Avoid assuming all network monitoring tools provide the same level of detail. Understand the specific capabilities of each tool.

Why the other options are wrong

B

A DHCP scope handles address assignment and has no role in traffic conversation visibility.

C

An STP priority manages spanning-tree topology and does not provide bandwidth usage details.

D

A larger OSPF metric affects routing path selection but does not reveal which conversations are using bandwidth.

9
MCQ · hard

A network administrator wants to receive an immediate notification from a device when a significant event occurs, rather than polling the device repeatedly. Which SNMP feature is most associated with that requirement?

A. SNMP traps
B. Syslog severity 7
C. DHCP relay
D. NetFlow exporters
Answer: A

This is correct because traps are unsolicited event notifications sent by the device.

Why this answer

SNMP traps are the correct answer because they are an SNMP feature that sends unsolicited, event-driven notifications from the device to the management system when a significant event occurs, eliminating the need for polling. Option B (syslog severity 7) is incorrect because syslog is a separate protocol for logging; while syslog messages are also sent unsolicited, the question specifically asks for an SNMP feature. Options C (DHCP relay) and D (NetFlow exporters) are unrelated to immediate event notifications: DHCP relay forwards broadcast requests, and NetFlow exports traffic flow data for analysis.

Exam trap

A frequent exam trap is mistaking syslog messages or NetFlow exporters as the mechanism for immediate event notifications in SNMP. Syslog severity levels, such as severity 7, relate to logging detail but do not trigger unsolicited alerts to management stations. Similarly, NetFlow exporters focus on traffic flow analysis rather than event-driven notifications.

Candidates may also confuse DHCP relay, which is unrelated to SNMP, with notification features. The key is to remember that only SNMP traps send unsolicited, immediate notifications, distinguishing them from polling or other monitoring tools.

Why the other options are wrong

B

Syslog severity 7 refers to debug-level logging detail but does not trigger unsolicited alerts; syslog messages require polling or log monitoring and are not part of SNMP's event-driven notification.

C

DHCP relay is a mechanism to forward DHCP requests across networks and has no role in SNMP or event-driven notifications, making it irrelevant to the question.

D

NetFlow exporters provide detailed traffic flow information for analysis but do not send immediate event notifications; they are unrelated to SNMP traps or polling mechanisms.

10
PBQ · hard

You are connected to R1 via the console. R1 is a Cisco ISR 4331 router. Your task is to configure SNMPv2c and SNMPv3 traps, and NetFlow export, so that SNMP traps are sent to the NMS at 192.0.2.100 using SNMPv2c with community string 'PublicTrap', and also using SNMPv3 with user 'Admin' (authentication SHA, encryption AES) to the same NMS. Additionally, configure NetFlow to export version 9 flow records to 192.0.2.200 on UDP port 2055. Finally, verify your configurations.

Network Topology
[Topology diagram: R2, R1, NMS; link G0/0 10.0.0.1/30 to G0/0 10.0.0.2/30; link G0/0 10.0.0.2/30 to 192.0.2.100/24]

Hints

  • SNMPv3 requires a group with 'priv' keyword for encryption.
  • NetFlow export is not active unless applied to an interface with 'ip flow ingress'.
  • Use 'show running-config | section snmp' to verify SNMP commands.
A. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, apply exporter to an interface, and verify with 'show snmp' and 'show ip cache flow'.
B. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth MD5 priv DES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 5, apply exporter to an interface, and verify with 'show snmp' and 'show ip cache flow'.
C. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, and verify with 'show snmp' and 'show ip flow export'.
D. Configure SNMPv2c trap community 'PublicTrap' and destination 192.0.2.100, create SNMPv3 user 'Admin' with auth SHA priv AES, set SNMPv3 trap destination 192.0.2.100 user 'Admin', configure NetFlow exporter to 192.0.2.200 port 2055 version 9, apply exporter to an interface, and verify with 'show snmp' and 'show ip flow export'.
Answer: A
Solution
! R1
snmp-server community PublicTrap RO
snmp-server host 192.0.2.100 version 2c PublicTrap
snmp-server group AdminGroup v3 priv
snmp-server user Admin AdminGroup v3 auth sha Cisco123 priv aes 128 Cisco123
snmp-server host 192.0.2.100 version 3 priv Admin
ip flow-export destination 192.0.2.200 2055
ip flow-export version 9
interface GigabitEthernet0/0
 ip flow ingress
 exit
interface GigabitEthernet0/1
 ip flow ingress
Why this answer

The router had only a basic SNMP read-only community configured. To send SNMPv2c traps, you need to configure the trap community and destination. For SNMPv3, you must create the user with authentication and privacy parameters, then configure the trap destination with that user.

NetFlow export requires defining the destination IP and UDP port, enabling version 9, and optionally applying the flow exporter to an interface. The 'show snmp' command confirms SNMP configuration, and 'show ip cache flow' shows NetFlow statistics.

Exam trap

Watch out for incorrect SNMPv3 authentication/privacy algorithms (e.g., MD5/DES instead of SHA/AES) and NetFlow version (version 5 vs 9). Also, remember that NetFlow exporter must be applied to an interface, and verification commands must be exact.

Why the other options are wrong

B

Uses outdated security algorithms MD5/DES for SNMPv3 and sets NetFlow version 5 instead of 9.

C

Omits the critical step of applying the NetFlow exporter to an interface, so flows are not captured.

D

Incorrectly uses 'show ip flow export' for verification; the correct command to view NetFlow cache is 'show ip cache flow'.

11
MCQ · medium

Which port-security violation mode drops frames from unauthorized MAC addresses but keeps the interface up and does not send an SNMP trap or syslog message?

A. protect
B. restrict
C. shutdown
D. shutdown vlan
Answer: A

Correct. Protect is the quietest enforcement mode.

Why this answer

Protect silently drops frames from unauthorized sources while leaving the interface up. Restrict also drops frames but increments the violation counter and can generate notifications.

Exam trap

Be careful not to confuse Protect with Restrict, as both drop frames but only Restrict sends notifications.

Why the other options are wrong

B

The 'restrict' mode drops frames from unauthorized MAC addresses but also sends SNMP traps and syslog messages, which contradicts the requirement that the interface stay up without any notifications being sent.

C

The 'shutdown' mode disables the interface when a violation occurs, which is contrary to the requirement of keeping the interface up. It also does not align with the need to drop frames without sending SNMP traps or syslog messages.

D

The 'shutdown vlan' mode disables the entire VLAN when a violation occurs, which is not aligned with the requirement to keep the interface up. This option also typically sends SNMP traps or syslog messages, which contradicts the question's criteria.

12
PBQ · hard

You are connected to R1 via console. R1 is a Cisco ISR 4321 running IOS-XE 17.3. The initial configuration on R1 already includes the SNMPv2c community string 'CourseivaRO' with read-only access and a corresponding SNMPv2c trap host for 192.0.2.100 (these are already in place and do not need to be reconfigured). Your task is to add the following additional configurations: (a) [already configured] (b) Create an SNMPv3 user 'monitor' with SHA authentication and AES 128-bit encryption, using authentication password 'AuthPass123' and privacy password 'PrivPass456'; (c) Configure SNMP traps (linkUp, linkDown, authenticationFailure) to be sent to the NMS server at 192.0.2.100 using SNMPv3 with only authentication (no privacy). (d) Enable NetFlow on GigabitEthernet0/0/0, with flow export to collector 203.0.113.50 using UDP port 2055, NetFlow version 9, and set the source interface to Loopback0 (IP 10.0.0.1/32). Finally, verify your configuration with show snmp and show ip cache flow.

Network Topology
[Topology diagram: R1, Internet, NMS; G0/0 192.168.1.1/30; 192.0.2.100]

Hints

  • The SNMPv3 user must be configured before the trap host for v3, and the user must reference the v3 group (use the community string as the group name).
  • NetFlow requires both global export parameters and interface-level ip flow ingress (or egress) command.
  • Use 'show run | section snmp' to verify SNMP configs and 'show run | include flow' for NetFlow.
A. snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456; snmp-server host 192.0.2.100 version 3 auth monitor; interface GigabitEthernet0/0/0; ip flow ingress; ip flow-export destination 203.0.113.50 2055; ip flow-export source Loopback0; ip flow-export version 9
B. snmp-server user monitor CourseivaRO v3 auth md5 AuthPass123 priv des56 PrivPass456; snmp-server host 192.0.2.100 version 3 priv monitor; interface GigabitEthernet0/0/0; ip flow egress; ip flow-export destination 203.0.113.50 2055; ip flow-export source Loopback0; ip flow-export version 5
C. snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456; snmp-server host 192.0.2.100 version 3 priv monitor; interface GigabitEthernet0/0/0; ip flow ingress; ip flow-export destination 203.0.113.50 2055; ip flow-export source Loopback0; ip flow-export version 9
D. snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456; snmp-server host 192.0.2.100 version 3 auth monitor; interface GigabitEthernet0/0/0; ip flow ingress; ip flow-export destination 203.0.113.50 2055; ip flow-export source Loopback0; ip flow-export version 5
Answer: A
Solution
! R1
snmp-server user monitor CourseivaRO v3 auth sha AuthPass123 priv aes 128 PrivPass456
snmp-server host 192.0.2.100 version 3 auth monitor
ip flow-export destination 203.0.113.50 2055
ip flow-export source loopback0
ip flow-export version 9
interface GigabitEthernet0/0/0
 ip flow ingress

Why this answer

Option A is correct because it uses the correct SNMPv3 user creation with SHA and AES 128, and the trap host command specifies 'auth' (authentication only) as required by the updated stem. Option B is wrong because it uses MD5/DES and egress flow, and version 5. Option C is wrong because it uses 'priv' for traps, which would include encryption – the stem requires only authentication.

Option D is wrong because it uses version 5 for NetFlow. Option B also uses incorrect auth/priv algorithms.

Exam trap

Pay close attention to the exact security level for traps: 'auth' means authentication only, while 'priv' includes encryption. Also, ensure NetFlow is enabled on the correct direction (ingress) and that the version is explicitly set to 9. Do not assume default values.

Why the other options are wrong

B

The specific factual errors: MD5 and DES are not the required algorithms; 'priv' level requires encryption but the question specifies 'auth' level; NetFlow egress is not the default and not requested; version 5 is not version 9.

C

The specific factual error: The trap host command specifies 'priv' security level, which requires the user to have a privacy password and sends encrypted traps, but the requirement is for 'auth' only.

D

The specific factual error: NetFlow version 5 is an older version that does not support templates and is not the required version 9.

13
PBQ · hard

You are connected to R1, a router that must send SNMP traps to a management server at 203.0.113.10 and export NetFlow data to a collector at 203.0.113.20. Currently, SNMPv2c traps are not being sent, and SNMPv3 is not configured for read-only access with authentication and privacy. Additionally, NetFlow export is missing the destination and version configuration. Configure the necessary commands on R1 to enable SNMPv2c traps (community string 'public'), configure SNMPv3 user 'admin' with SHA authentication and AES 128 encryption (password 'cisco123' for both auth and priv), and set NetFlow export to version 9.

Network Topology
[Figure: R1 G0/0 (203.0.113.1/24) linked to Management Server (203.0.113.10)]

Hints

  • Use the 'snmp-server host' command to specify the trap destination and community.
  • For SNMPv3, you must first create a group with the appropriate security level before creating the user.
  • NetFlow export version is configured globally with 'ip flow-export version'.
A.
snmp-server host 203.0.113.10 traps version 2c public
snmp-server group MyGroup v3 priv
snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123
ip flow-export version 9

B.
snmp-server host 203.0.113.10 traps version 2c public
snmp-server group MyGroup v3 auth
snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123
ip flow-export version 9

C.
snmp-server host 203.0.113.10 traps version 2c public
snmp-server user admin v3 auth sha cisco123 priv aes 128 cisco123
ip flow-export version 9

D.
snmp-server host 203.0.113.10 traps version 2c public
snmp-server group MyGroup v3 priv
snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123
ip flow-export destination 203.0.113.20 2055

Answer: A
solution
! R1
snmp-server host 203.0.113.10 traps version 2c public
snmp-server group MyGroup v3 priv
snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123
ip flow-export version 9

Why this answer

The configuration is missing SNMPv3 user setup, trap destination, and NetFlow export version. First, enable SNMPv2c traps with `snmp-server host 203.0.113.10 traps version 2c public`. Then, configure SNMPv3 user with `snmp-server user admin MyGroup v3 auth sha cisco123 priv aes 128 cisco123` after creating a group with `snmp-server group MyGroup v3 priv`.

For NetFlow, set the export version with `ip flow-export version 9`. Finally, verify with `show snmp` to see trap host and v3 user, and `show ip cache flow` to confirm export configuration.

Exam trap

Watch out for the SNMPv3 group keyword: 'priv' is required when using encryption (AES 128), not just 'auth'. Also, remember that the 'snmp-server user' command requires a group name. For NetFlow, the version is set with 'ip flow-export version 9', not 'ip flow-export destination'.

Why the other options are wrong

B

The group keyword 'auth' only enables authentication, not encryption. AES 128 requires the 'priv' keyword.

C

The 'snmp-server user' command requires a group name. Omitting the group will result in an error or incomplete configuration.

D

The command 'ip flow-export destination' sets the collector IP and port, not the export version. The version is set with 'ip flow-export version 9'.

14
PBQ · hard

You are connected to R1, a Cisco IOS-XE router. Configure SNMP v2c with read-only community 'NetOpsRO' and SNMP v3 with user 'AdminUser' using SHA authentication (password: AuthPass1) and AES-128 encryption (password: PrivPass2). Also enable SNMP traps to the NMS at 192.0.2.10 with community 'TrapComm'. Additionally, configure NetFlow export to 192.0.2.20 using version 9, and ensure the flow exporter is applied to GigabitEthernet0/0. Verify your configuration using 'show snmp' and 'show ip cache flow'.

Network Topology
[Figure: R1 G0/0 (10.0.0.1/30) linked to R2 G0/0 (10.0.0.2/30)]

Hints

  • SNMPv3 requires both a group and a user; the group defines the security level (auth/priv).
  • NetFlow export requires a flow exporter and a flow monitor applied to the interface.
  • Use 'snmp-server enable traps' without specific traps to enable all supported traps.
A.
snmp-server community NetOpsRO ro
snmp-server group AdminGroup v3 priv
snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2
snmp-server enable traps
snmp-server host 192.0.2.10 TrapComm
flow exporter EXPORTER
 destination 192.0.2.20
 version 9
!
flow monitor FLOW-MONITOR
 exporter EXPORTER
 record netflow ipv4 original-input
!
interface GigabitEthernet0/0
 ip flow monitor FLOW-MONITOR input

B.
snmp-server community NetOpsRO ro
snmp-server user AdminUser v3 auth sha AuthPass1 priv aes 128 PrivPass2
snmp-server enable traps
snmp-server host 192.0.2.10 TrapComm
flow exporter EXPORTER
 destination 192.0.2.20
 version 9
!
interface GigabitEthernet0/0
 ip flow export EXPORTER

C.
snmp-server community NetOpsRO ro
snmp-server group AdminGroup v3 priv
snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2
snmp-server enable traps
snmp-server host 192.0.2.10 version 2c TrapComm
flow exporter EXPORTER
 destination 192.0.2.20
 version 9
!
interface GigabitEthernet0/0
 ip flow monitor FLOW-MONITOR input

D.
snmp-server community NetOpsRO ro
snmp-server group AdminGroup v3 priv
snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2
snmp-server enable traps
snmp-server host 192.0.2.10 TrapComm
flow exporter EXPORTER
 destination 192.0.2.20
 version 9
!
interface GigabitEthernet0/0
 ip flow monitor FLOW-MONITOR input
 flow monitor FLOW-MONITOR
  exporter EXPORTER

Answer: A
solution
! R1
snmp-server community NetOpsRO ro
snmp-server group AdminGroup v3 priv
snmp-server user AdminUser AdminGroup v3 auth sha AuthPass1 priv aes 128 PrivPass2
snmp-server enable traps
snmp-server host 192.0.2.10 TrapComm
flow exporter EXPORTER
 destination 192.0.2.20
 transport udp 9996
 template data timeout 60
 exit
flow monitor FLOW-MONITOR
 exporter EXPORTER
 record netflow ipv4 original-input
 exit
interface GigabitEthernet0/0
 ip flow monitor FLOW-MONITOR input
 exit

Why this answer

Option A is the only complete configuration. It defines the SNMPv3 group and user, enables traps, sets up the flow exporter, and crucially defines a flow monitor globally before applying it to the interface. Without the global `flow monitor` definition, the `ip flow monitor ... input` command on the interface would be rejected.

Option B omits the SNMP group and uses the deprecated `ip flow export` instead of the modern flow monitor method. Option C is missing the flow monitor definition, and its `snmp-server host` version syntax is unnecessary but not harmful; the real flaw is the absent monitor. Option D attempts to add the flow monitor but incorrectly places the global definition commands inside the interface configuration, which would cause a syntax error.

Exam trap

The most common oversight is forgetting to define the flow monitor globally; without it, the `ip flow monitor` command on the interface will fail. Also, learners sometimes mistakenly use the deprecated `ip flow export` command instead of the modern flow monitor approach.

Why the other options are wrong

B

Missing the required SNMPv3 group and relies on the deprecated interface command 'ip flow export' instead of the modern flow monitor method.

C

Lacks the required global flow monitor definition block; the 'ip flow monitor' command on the interface refers to a nonexistent monitor.

D

Places the flow monitor definition commands inside the interface configuration context, where they would be rejected as invalid.

15
PBQ · hard

You are connected to R1. Configure SNMP v2c with a read-only community string 'monitorRO' and a read-write community string 'controlRW', and enable SNMP traps for link status to the management server at 203.0.113.100. Additionally, configure NetFlow to export version 9 flow records to the same server on UDP port 2055, and ensure that only traffic from the 10.10.10.0/24 network is monitored. Finally, verify your configurations with the appropriate show commands.

Network Topology
[Figure: R1 G0/0 (10.0.0.1/30) linked to R2 G0/0 (10.0.0.2/30); R1 G0/1 (10.10.10.1/24) linked to Internal Network (10.10.10.0/24)]

Hints

  • Remember to specify the SNMP version when configuring the trap receiver host.
  • NetFlow version 9 must be explicitly configured; otherwise, version 5 is used by default.
  • Apply the flow monitor to the interface that connects to the network you want to monitor (G0/1).
A.Configure SNMP community strings, enable link-status traps, set trap destination, configure NetFlow export version 9, and apply flow monitor to interface(s) carrying 10.10.10.0/24 traffic.
B.Configure SNMP community strings, enable link-status traps, set trap destination, and configure NetFlow export version 5. Apply flow monitor to all interfaces.
C.Configure SNMP community strings, enable all SNMP traps, set trap destination, and configure NetFlow export version 9. Apply flow monitor to interface with IP 10.10.10.0/24.
D.Configure SNMP community strings, enable link-status traps, set trap destination, and configure NetFlow export version 9. Do not apply any flow monitor; NetFlow automatically monitors all traffic.
Answer: A
solution
! R1
snmp-server community monitorRO RO
snmp-server community controlRW RW
snmp-server enable traps snmp linkdown linkup
snmp-server host 203.0.113.100 version 2c monitorRO
flow record NETFLOW-RECORD
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime
 exit
flow exporter EXPORTER-TO-SERVER
 destination 203.0.113.100
 transport udp 2055
 source Loopback0
 export-protocol netflow-v9
 exit
flow monitor MONITOR-10NET
 record NETFLOW-RECORD
 exporter EXPORTER-TO-SERVER
 cache timeout active 300
 exit
interface GigabitEthernet0/1
 ip flow monitor MONITOR-10NET input
 ip flow monitor MONITOR-10NET output
 exit

Why this answer

The solution correctly configures SNMP v2c with the required read-only and read-write community strings, enables only link-status traps, and sets the trap destination. For NetFlow, it uses Flexible NetFlow by defining a flow record, an exporter, and a monitor. Importantly, the export version (9) must be configured under the flow exporter, not with the legacy global `ip flow-export version 9` command.

The flow monitor is applied to GigabitEthernet0/1, which carries traffic from the 10.10.10.0/24 network. Verification can be done with `show snmp` to confirm communities and trap receivers, and `show flow monitor name MONITOR-10NET cache` or `show ip cache flow` to view exported flow records.

Exam trap

Common mistakes include mixing legacy and Flexible NetFlow commands (e.g., using the global `ip flow-export version` instead of setting it under the flow exporter), forgetting to apply the flow monitor to an interface, and enabling all SNMP traps rather than only link-status traps.

Why the other options are wrong

B

The question explicitly requires NetFlow version 9, and traffic monitoring must be limited to the 10.10.10.0/24 network.

C

Enabling all traps is unnecessary and may cause unwanted overhead; the flow monitor must be applied to the correct interface(s) based on traffic flow, not the network address.

D

NetFlow requires a flow monitor to be applied to an interface to capture traffic; it does not automatically monitor all traffic.

16
MCQ · hard

A monitoring system already collects Syslog and SNMP data. The network team now wants visibility into which applications or host conversations are driving link utilization. What is the strongest addition?

A.NetFlow
B.Another SSID
C.PortFast
D.A larger wildcard mask
Answer: A

This is correct because NetFlow provides detailed flow-level visibility into traffic usage.

Why this answer

The strongest addition is NetFlow because it provides traffic-flow visibility. In practical terms, Syslog and SNMP are useful, but they do not directly answer detailed conversation-level questions such as which hosts, protocols, or flows are consuming the most bandwidth. NetFlow is designed to answer exactly that kind of question.

This is about choosing the right operational tool for the visibility gap.

Exam trap

A frequent exam trap is selecting options like PortFast or adding another SSID, which are unrelated to traffic flow monitoring. PortFast is an STP feature that speeds up port transitions but does not provide any insight into bandwidth usage or application-level traffic. Similarly, adding another SSID only affects wireless network segmentation and does not offer visibility into which hosts or applications consume bandwidth.

Another trap is thinking that changing ACL wildcard masks can help analyze traffic flows, but ACLs only filter traffic and do not provide analytics. Recognizing that only NetFlow delivers detailed flow-level data prevents these common mistakes.

Why the other options are wrong

B

Adding another SSID is incorrect because it only creates a new wireless network segment and does not provide any traffic flow or bandwidth usage information. It does not help identify which applications or hosts are using the link.

C

PortFast is an STP feature that speeds up port transitions on edge ports but does not monitor or analyze traffic flows. It has no relevance to identifying bandwidth usage or application-level visibility.

D

Using a larger wildcard mask in ACLs affects traffic filtering rules but does not provide analytics or visibility into traffic flows. ACLs do not report on bandwidth consumption or application usage.

17
PBQ · hard

You are connected to R1 via the console. SNMP v2c community strings (public RO, private RW) are already configured. The network has a management server at 10.1.1.100 and a NetFlow collector at 10.1.1.200. Configure SNMP traps to the management server for link status changes. Also configure NetFlow on interface GigabitEthernet0/0 to export version 9 to the collector, with a source interface of Loopback0 (10.255.255.1/32).

Network Topology
[Figure: R1, R2, MGMT_Server (10.1.1.100) and NMS_Collector (10.1.1.200); interface labels G0/0, G0/0 and 10.0.0.1/30]

Hints

  • SNMP traps require both a host command and enabling specific trap types.
  • NetFlow export needs destination, version, and source interface, plus flow ingress on the interface.
  • Use 'show running-config | section snmp|flow' to verify your changes.
A.
snmp-server host 10.1.1.100 version 2c public
snmp-server enable traps snmp linkdown linkup
ip flow-export destination 10.1.1.200 2055
ip flow-export version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress

B.
snmp-server host 10.1.1.200 version 2c private
snmp-server enable traps
ip flow-export destination 10.1.1.100 2055 version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow egress

C.
snmp-server host 10.1.1.100 version 2c private
snmp-server enable traps
ip flow-export destination 10.1.1.200 2055 version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress

D.
snmp-server host 10.1.1.100 version 2c public
snmp-server enable traps snmp linkdown linkup
ip flow-export destination 10.1.1.200 2055 version 5
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress

Answer: A
solution
! R1
snmp-server host 10.1.1.100 version 2c public
snmp-server enable traps snmp linkdown linkup
ip flow-export destination 10.1.1.200 2055
ip flow-export version 9
ip flow-export source Loopback0
interface GigabitEthernet0/0
 ip flow ingress

Why this answer

The current configuration has SNMP community strings but lacks trap destinations and NetFlow export. To fix, you must configure snmp-server host 10.1.1.100 version 2c public to send traps, and snmp-server enable traps snmp linkdown linkup is required to send link status changes. For NetFlow, you need ip flow-export destination 10.1.1.200 2055 and then ip flow-export version 9 to set the export version.

Also configure ip flow-export source Loopback0 and apply ip flow ingress on GigabitEthernet0/0. Verification commands confirm the settings.

Exam trap

Pay close attention to the IP addresses: the management server (10.1.1.100) is for SNMP traps, and the collector (10.1.1.200) is for NetFlow. Also, remember that SNMP traps use the read-only community, and NetFlow version must match the requirement (version 9).

Why the other options are wrong

B

The specific factual error: The SNMP trap destination and NetFlow export destination are swapped, and the flow direction is egress instead of ingress.

C

The specific factual error: SNMP traps should use the read-only community string 'public', not the read-write 'private'.

D

The specific factual error: NetFlow export version is set to 5, but the requirement is version 9.

18
MCQ · hard

A network administrator notices that syslog messages from a core router are arriving at the syslog server with timestamps that are hours behind other devices. The router’s NetFlow exports also show incorrect start and end times for flows, making traffic analysis unreliable. The administrator verifies that all router interfaces are up and that the SNMP community strings on the router match the NMS.

A.The logging trap level is set to informational, so only high-severity messages are sent with correct timestamps.
B.The router’s NTP client is configured with an incorrect authentication key.
C.The SNMP v3 user’s privacy password is incorrect, causing the NMS to reject syslog traps.
D.The IP flow cache timeout is set too low, causing NetFlow timestamps to appear skewed.
Answer: B

NTP can use authentication keys to verify server identity. If the client key does not match the server’s key, the router will not trust the time updates and will fail to synchronize. This leaves the router’s clock uncorrected, causing incorrect timestamps in syslog and NetFlow records.

Why this answer

The router's timestamps are incorrect for both syslog messages and NetFlow exports, which points to a system-wide time synchronization issue. NTP (Network Time Protocol) is responsible for maintaining accurate time on network devices, and if the NTP client is configured with an incorrect authentication key, it will fail to synchronize with the NTP server, causing the router's clock to drift. This explains why all time-stamped data (syslog and NetFlow) is consistently behind.

Exam trap

Cisco often tests the distinction between time synchronization issues (NTP) and logging/SNMP configuration issues, so candidates may incorrectly attribute timestamp problems to syslog or SNMP settings rather than the underlying system clock.

Why the other options are wrong

A

Logging trap level controls which severity messages are forwarded, not the accuracy of the timestamps.

C

SNMP v3 misconfiguration impacts SNMP traps, not syslog messages, which are sent independently via a different transport.

D

Cache timeout affects flow export frequency, not the accuracy of the timestamps inside the flow data.
