CCNA NetFlow and Flexible NetFlow Questions

NetFlow and Flexible NetFlow · 75 of 76 questions · Page 1/2

1
Multi-Select · medium

Which TWO statements about NetFlow version 9 and Flexible NetFlow are true? (Choose TWO.)

Select 2 answers
A. NetFlow version 9 uses a fixed-format packet structure for flow export.
B. Flexible NetFlow is built upon the NetFlow version 9 template architecture.
C. Flexible NetFlow can only export data using NetFlow version 9.
D. NetFlow version 9 supports user-defined flow records through templates.
E. Flexible NetFlow only supports IPv4 traffic monitoring.
Answers: B, D

Flexible NetFlow uses NetFlow v9 templates to define variable-length flow records.

Why this answer

NetFlow version 9 uses a template-based design, allowing flexible field definitions, which is the foundation for Flexible NetFlow. Flexible NetFlow extends this by allowing user-defined flow records and support for multiple protocols. Option A is false because NetFlow v5 is fixed-format and does not support templates.

Option C is false because Flexible NetFlow can export using NetFlow v9 or IPFIX (NetFlow v10). Option E is false because Flexible NetFlow supports both IPv4 and IPv6.

2
MCQ · hard

A company uses EIGRP with route redistribution from OSPF. After configuring Flexible NetFlow to monitor traffic, engineers notice that some routes are missing from the routing table. Router R1 has:

router eigrp 100
 redistribute ospf 1 metric 10000 100 255 1 1500 route-map FILTER-OSPF

The route-map FILTER-OSPF uses a match ip address prefix-list ALLOWED. The prefix-list ALLOWED permits 10.0.0.0/8 le 24. However, a specific route 10.1.0.0/16 is not being redistributed. What is the root cause?

A. The prefix-list is misconfigured; it should be permit 10.0.0.0/8 le 16 to include /16 prefixes.
B. The route-map includes a match flow monitor statement that only matches NetFlow monitored traffic, not routing prefixes, causing the route to be denied.
C. The EIGRP metric is too high, causing the route to be suppressed.
D. The OSPF route is not in the routing table due to a missing network statement.
Answer: B

The prefix list is not the cause: 'permit 10.0.0.0/8 le 24' matches any prefix inside 10.0.0.0/8 whose length is between 8 and 24 inclusive, so 10.1.0.0/16 is permitted. The answer the question is built around is B: a route-map clause that matches on a flow monitor evaluates NetFlow traffic flows, not routing prefixes, so no route ever satisfies the route map and nothing is redistributed.

Why this answer

A route map attached to 'redistribute' is evaluated against candidate routes, and every match clause in a sequence must succeed for that sequence to permit the route. A clause that refers to NetFlow state can never be satisfied by a route, so the sequence fails and, with no later permit sequence, the implicit deny at the end of the route map drops every prefix, including 10.1.0.0/16. Options C and D are excluded by the scenario: the seed metric is valid, and the question states the route exists in OSPF.

In practice Cisco IOS route maps have no standard match clause on flow monitors; NetFlow and route maps are independent features. The first diagnostic step on a real router is 'show route-map FILTER-OSPF', which lists exactly which match clauses each sequence carries and how many routes it has matched, followed by 'show ip eigrp topology 10.1.0.0/16' to see whether the prefix ever entered EIGRP.

3
MCQ · easy

Which NetFlow version introduced the concept of templates to support variable-length flow records?

A. NetFlow version 5
B. NetFlow version 9
C. NetFlow version 8
D. NetFlow version 10 (IPFIX)
Answer: B

Correct. Version 9 introduced template-based flow records.

Why this answer

NetFlow version 9 introduced templates, allowing flexible and extensible flow record formats.

4
MCQ · hard

An engineer configures IPsec between two routers using a site-to-site VPN. The tunnel is established, but traffic is not encrypted. The engineer checks the crypto map and sees that the ACL for interesting traffic is configured correctly. Which is the most likely explanation?

A. The ACL on the remote router does not mirror the local ACL, so the remote router does not initiate an SA for the return traffic.
B. The crypto map is applied to the wrong interface (e.g., the inside interface instead of the outside interface).
C. The transform set uses ESP with authentication only, which does not provide encryption.
D. The IKE policy uses aggressive mode, which does not support encryption.
Answer: A

On an IOS crypto map, the crypto ACL defines interesting traffic: packets leaving the interface that match it are protected, and packets that do not match are forwarded in the clear. The two peers' crypto ACLs must be mirror images of each other (if the local ACL permits A to B, the remote ACL must permit B to A); otherwise the proxy identities offered in IKE phase 2 do not agree, no IPsec SA is built for that direction, and return traffic is sent unprotected or dropped.

Why this answer

The crypto map, not the crypto ACL, is applied to the interface that the protected traffic exits (the outside interface), and the ACL it references must describe the traffic with the real inside source and destination addresses, not the peer or tunnel endpoint addresses; traffic described with the wrong addresses never matches and leaves unencrypted.

The less obvious requirement is symmetry. If one router's crypto ACL permits traffic from A to B but the other router's ACL does not permit B to A, the second router has no SA selector for the return traffic, so that traffic is forwarded without encryption. Comparing the local ident and remote ident of each SA in 'show crypto ipsec sa' on both peers exposes the mismatch.

5
MCQ · hard

An engineer configures unicast Reverse Path Forwarding (uRPF) in strict mode on an interface. After the configuration, legitimate traffic from a customer network is being dropped. The engineer verifies that the customer's IP prefix is in the routing table. Which is the most likely explanation?

A. The router has multiple equal-cost paths to the customer network, and the return path uses a different interface, causing strict uRPF to drop the packet.
B. The customer network uses private IP addresses that are not routable, so uRPF drops them.
C. The interface is configured with 'ip verify unicast source reachable-via any', which is loose mode, not strict mode.
D. The routing table has a default route that points to a different interface, causing uRPF to use the default route for verification.
Answer: A

Strict uRPF accepts a packet only when the FIB's path for the packet's source address points back out the interface the packet arrived on. With asymmetric routing, the best path to the customer prefix goes out a different interface, so packets from that prefix are dropped even though the prefix is in the routing table.

Why this answer

Strict uRPF ('ip verify unicast source reachable-via rx') performs a reverse lookup on the source address and compares the egress interface(s) of the matching FIB entry with the ingress interface. When the router's best path to the customer network uses another interface (a second uplink, unequal metrics, or a customer that sends via one link and receives via another), the comparison fails and the packet is dropped; the prefix merely being present in the routing table is not enough. On IOS, when a prefix has equal-cost paths, strict mode accepts the packet if the ingress interface is any one of those paths, so the drop in this scenario means none of the installed paths for the customer prefix uses the ingress interface.

The remedy on an interface with legitimately asymmetric traffic is loose mode ('reachable-via any'), which only requires that some route to the source exists, or fixing the routing so the return path is symmetric. 'show ip interface <name>' reports the uRPF mode and the number of verification drops, and 'show ip cef <source-address>' shows which interface the FIB would use for the return path.
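The following is an added example, not part of the quiz page, that models the uRPF decision described above on a toy forwarding table so the asymmetric, equal-cost and default-route cases can be compared side by side. The routing table and addresses are constructed for the example; the equal-cost rule (strict mode passes when the ingress interface is any one of the paths) follows IOS behaviour as documented by Cisco, and the default-route handling mirrors the 'allow-default' keyword.

```python
import ipaddress


class Fib:
    """Minimal IPv4 forwarding table: prefix -> set of egress interfaces.
    More than one interface for a prefix models equal-cost multipath."""

    def __init__(self):
        self.routes = {}

    def add(self, prefix, *interfaces):
        self.routes[ipaddress.ip_network(prefix)] = set(interfaces)

    def lookup(self, addr):
        """Longest-prefix match; returns (network, interfaces) or None."""
        ip = ipaddress.ip_address(addr)
        best = None
        for net, ifaces in self.routes.items():
            if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, ifaces)
        return best


def urpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Return (accepted, reason) for a packet with source 'src' arriving on 'ingress'.
    strict: the FIB path(s) for the source must include the ingress interface.
    loose:  any route to the source is enough.
    allow_default: whether a default route may satisfy the check (off unless the
    IOS 'allow-default' keyword is configured)."""
    hit = fib.lookup(src)
    if hit is None:
        return False, "no route to source"
    net, ifaces = hit
    if net.prefixlen == 0 and not allow_default:
        return False, "only the default route covers the source"
    if mode == "loose":
        return True, f"source reachable via {sorted(ifaces)}"
    if ingress in ifaces:
        return True, f"ingress {ingress} is a path for {net}"
    return False, f"path for {net} is {sorted(ifaces)}, packet arrived on {ingress}"


def run_scenarios():
    """Constructed routing table (not from a real router) covering the cases in
    the question: asymmetric return path, equal-cost paths, default-only sources."""
    fib = Fib()
    fib.add("0.0.0.0/0", "Gi0/3")                 # upstream default route
    fib.add("203.0.113.0/24", "Gi0/1")            # customer prefix, best path via Gi0/1
    fib.add("198.51.100.0/24", "Gi0/0", "Gi0/1")  # prefix with two equal-cost paths
    return {
        # customer packets arrive on Gi0/0 but the route points out Gi0/1
        "asymmetric_strict": urpf_check(fib, "203.0.113.10", "Gi0/0")[0],
        "asymmetric_loose": urpf_check(fib, "203.0.113.10", "Gi0/0", mode="loose")[0],
        # ECMP: the ingress interface is one of the equal-cost paths, strict passes
        "ecmp_strict": urpf_check(fib, "198.51.100.7", "Gi0/0")[0],
        # source covered only by the default route
        "default_only_strict": urpf_check(fib, "10.9.9.9", "Gi0/3")[0],
        "default_only_strict_allow": urpf_check(fib, "10.9.9.9", "Gi0/3", allow_default=True)[0],
        "default_only_loose_allow": urpf_check(fib, "10.9.9.9", "Gi0/0", mode="loose", allow_default=True)[0],
    }


if __name__ == "__main__":
    for name, accepted in run_scenarios().items():
        print(f"{name:28s} {'pass' if accepted else 'DROP'}")
```

The asymmetric case is the one in the question: the customer prefix is in the table, loose mode would accept it, and strict mode drops it because the FIB path is Gi0/1 while the packet came in on Gi0/0.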

6
MCQ · easy

A network engineer runs the following command to verify NetFlow export on an interface:

R1# show ip flow interface
GigabitEthernet0/0
  ip flow ingress
  ip flow egress
GigabitEthernet0/1
  ip flow ingress

What does this output indicate?

A. NetFlow is enabled only on GigabitEthernet0/0 for both directions.
B. NetFlow is enabled on GigabitEthernet0/0 for both ingress and egress, and on GigabitEthernet0/1 for ingress only.
C. NetFlow is enabled on GigabitEthernet0/0 for ingress only.
D. NetFlow is not enabled on any interface.
Answer: B

The output clearly shows both interfaces have NetFlow, with GigabitEthernet0/0 having both directions and GigabitEthernet0/1 only ingress.

Why this answer

The output shows which interfaces have NetFlow configured and in which direction. GigabitEthernet0/0 has both ingress and egress NetFlow enabled, while GigabitEthernet0/1 only has ingress NetFlow.

7
MCQ · medium

A network engineer runs the following command to verify the NetFlow data export format:

R1# show flow exporter EXPORTER-1
Flow Exporter: EXPORTER-1
  Transport Configuration:
    Destination IP address: 192.168.1.100
    Source IP address:      10.0.0.1
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            51234
    DSCP:                   0x00
    TTL:                    255
    Output Features:        Used
  Export Protocol:          NetFlow Version 9
  Template Data Export Timeout: 1800 seconds
  Option Data Export Timeout:   1800 seconds
  Option Data Configured:
    application-table
    sub-application-table
    application-attributes

What does this output indicate?

A. The exporter uses TCP to ensure reliable delivery of flow records.
B. The exporter is configured to send NetFlow version 9 data with application option data, indicating NBAR integration.
C. The exporter is not sending any option data.
D. The exporter uses a destination port of 514.
Answer: B

The exporter uses NetFlow v9 and includes option data for application-table, sub-application-table, and application-attributes, which are used with NBAR.

Why this answer

The output shows the configuration of a Flexible NetFlow exporter. It uses UDP to send NetFlow version 9 data to 192.168.1.100 on port 2055. It also exports option data like application tables and attributes, which are used for NBAR-based application recognition.

8
MCQ · easy

A network engineer runs the following command on Router R1:

R1# show flow interface GigabitEthernet0/1
Interface GigabitEthernet0/1
  FNF:  monitor:            FLOW-MONITOR-1
        direction:          Input
        traffic-statistics: enabled

Based on this output, what can be concluded?

A. The flow monitor is applied only to incoming traffic on this interface.
B. The flow monitor is applied to both input and output traffic.
C. Traffic statistics are disabled.
D. The flow monitor is not attached to any interface.
Answer: A

The direction is specified as 'Input', meaning only inbound traffic is monitored.

Why this answer

The output shows that flow monitor FLOW-MONITOR-1 is applied to GigabitEthernet0/1 in the input direction with traffic statistics enabled.

9
MCQ · hard

A large enterprise network is experiencing intermittent loss of NetFlow data from multiple routers. Router R1 has the following relevant configuration:

flow exporter EXPORTER-1
 destination 10.1.1.1
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9

Router R2 shows:

R2# show flow exporter EXPORTER-1 statistics | include (Packets|Errors)
Packets exported: 0, Errors: 0

The network uses OSPF, and R1's Loopback0 is reachable via a summary route. What is the root cause?

A. The flow exporter is misconfigured with the wrong export protocol; it should be netflow-v5.
B. The collector IP is not reachable due to a missing route; the summary route for Loopback0's subnet does not include the /32 host route.
C. The UDP port 2055 is blocked by an ACL on R1's outbound interface.
D. The flow monitor is not applied to any interface, so no flows are being exported.
Answer: B

Export datagrams are sourced from Loopback0, so the collector (10.1.1.1) and every hop between must have a route back to that address. If the OSPF summary advertised for the loopback's range does not actually cover the /32, nothing on the far side can reach the exporter by that address, and the exporter's statistics show the source as unreachable or the packets as having no route.

Why this answer

The exporter's source address and the path to the collector are decoupled: the router forwards export packets toward 10.1.1.1 over whatever egress interface the routing table selects, but stamps them with Loopback0's address. If that /32 is not reachable from the collector's side, for example because the OSPF area range or summary does not include it, replies, ICMP errors and any collector-side checks on the source address all fail. The fix is to advertise the loopback explicitly (a 'network' statement or a summary range that contains it) or to source the exporter from an interface whose address is known to the collector's network.

Of the other options, the export protocol is valid (v9 is what Flexible NetFlow sends by default), an ACL blocking UDP 2055 would show up as drops on the router's own interface rather than a routing problem, and an unattached monitor would be reported by 'show flow monitor'. 'show flow exporter EXPORTER-1 statistics' on the exporting router gives the 'Source IP address unreachable' and 'dropped (no route)' counters, and a capture on the collector for UDP 2055 confirms whether any datagrams arrive at all.

10
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show flow exporter EXPORTER-1 statistics
Flow Exporter: EXPORTER-1
  Packet send statistics (last 30 seconds):
    Packets sent:     0
    Packets dropped:  0
    Packets unsent:   0
  Client send statistics:
    Packets sent:     0
    Packets dropped:  0
    Packets unsent:   0
  Export statistics:
    Number of Flows exported:                 0
    Number of Packets exported:               0
    Number of Source IP address unreachable:  0
    Number of Packets dropped (no route):     0
    Number of Packets dropped (queue full):   0

Based on this output, what is the most likely cause of no exports?

A. The destination IP address is unreachable.
B. The flow exporter is not referenced in any flow monitor, or the flow monitor is not attached to an interface.
C. The UDP port is blocked by a firewall.
D. The source IP address is not configured on any interface.
Answer: B

No flows exported and no errors indicate the exporter is idle, which occurs when no flow monitor using it is active.

Why this answer

The exporter statistics show no flows exported and no errors. This typically means the exporter is not receiving any flows from a flow monitor, likely because the flow monitor is not attached to an interface or the flow monitor does not reference this exporter.

11
Multi-Select · medium

Which TWO configuration steps are required to enable Flexible NetFlow on a Cisco IOS-XE interface? (Choose TWO.)

Select 2 answers
A. Create a flow record using 'flow record <name>'.
B. Create a flow exporter using 'flow exporter <name>' and reference it in the flow monitor.
C. Enable 'ip route-cache flow' on the interface.
D. Apply the flow monitor to the interface using 'ip flow monitor <name> input'.
E. Configure a class-map and policy-map to apply the flow monitor.
Answers: A, D

The flow record defines the match (key) and collect (non-key) fields; a flow monitor references it and is attached to the interface.

Why this answer

To enable Flexible NetFlow you create a flow record (or use a predefined one such as netflow ipv4 original-input), create a flow monitor that references the record, and apply the monitor to the interface in the required direction with 'ip flow monitor <name> {input | output}'. Option B is not required: an exporter is only needed to send records to a collector, and a monitor with no exporter still populates a local cache that you can inspect with 'show flow monitor <name> cache', which is why the required steps are A and D.

Option C is incorrect because 'ip route-cache flow' (like 'ip flow ingress') belongs to traditional NetFlow, not Flexible NetFlow. Option E is incorrect because the flow monitor is applied directly to the interface, not through a class-map and policy-map.

12
MCQ · medium

Consider the following partial configuration on router R6:

flow exporter EXPORTER-3
 destination 192.168.2.200
 source Loopback0
 transport udp 2055
 template data timeout 120
!
flow monitor MONITOR-6
 exporter EXPORTER-3
 record netflow ipv4 original-input
!
interface GigabitEthernet0/6
 ip flow monitor MONITOR-6 input
!

What is the effect of the 'template data timeout 120' command?

A. The router will resend the NetFlow v9 template to the collector every 120 seconds to ensure the collector has the latest template.
B. The router will wait 120 seconds before sending any flow data after the first template is sent.
C. The router will export flow data only if the template has been successfully acknowledged by the collector within 120 seconds.
D. The router will store flow data for 120 seconds before exporting to allow batching.
Answer: A

'template data timeout' sets how often the exporter re-sends its templates to the collector. NetFlow v9 data records carry no field descriptions of their own; the collector can only decode them with a template it has already received, and templates travel in the same unacknowledged UDP datagrams as the data.

Why this answer

A v9 collector that starts (or restarts) after the last template was sent, or that missed the datagram carrying it, has to hold or discard every data FlowSet for that template ID until the next refresh. Lowering the timeout from the default of 1800 seconds to 120 seconds bounds that blind window at two minutes at the cost of a little extra export traffic. The setting changes only how often templates are resent; it does not delay, batch, or gate the export of flow data, so options B, C and D are wrong.
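The following is an added example, not code from the quiz page, that shows why the template architecture introduced in v9 (the point of questions 1, 3 and 12 above) makes the refresh timer matter. It builds a NetFlow v9 export datagram with a template FlowSet and a data FlowSet, then feeds them to a small collector that can only decode data records after it has seen the matching template; records that arrive first are held until a refresh supplies it. The field type numbers follow RFC 3954; the flows and template ID are constructed for the example.

```python
import socket
import struct

# NetFlow v9 field type IDs (RFC 3954, section 8) used in this example.
FIELD_NAMES = {1: "in_bytes", 2: "in_pkts", 4: "protocol", 7: "src_port",
               8: "src_addr", 11: "dst_port", 12: "dst_addr"}
ADDR_FIELDS = {8, 12}


def build_template_flowset(template_id, fields):
    """Template FlowSet (ID 0): template ID, field count, then (type, length) pairs."""
    body = struct.pack("!HH", template_id, len(fields))
    body += b"".join(struct.pack("!HH", t, n) for t, n in fields)
    return struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_flowset(template_id, fields, records):
    """Data FlowSet: values in template order with no field headers, padded to 4 bytes."""
    body = b""
    for rec in records:
        for t, n in fields:
            v = rec[FIELD_NAMES[t]]
            body += socket.inet_aton(v) if t in ADDR_FIELDS else v.to_bytes(n, "big")
    body += b"\x00" * ((-len(body)) % 4)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_packet(flowsets, record_count, seq, source_id=1):
    """20-byte v9 header: version, count, sysUptime, unixSecs, sequence, sourceID."""
    return struct.pack("!HHIIII", 9, record_count, 0, 0, seq, source_id) + b"".join(flowsets)


class V9Collector:
    """Decodes data FlowSets with templates learned per (source ID, template ID);
    data that arrives before its template is held until a refresh supplies it."""

    def __init__(self):
        self.templates = {}
        self.pending = []
        self.flows = []

    def feed(self, packet):
        """Parse one export datagram; returns the number of flows decoded so far."""
        version, _, _, _, _, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError("not a NetFlow v9 packet")
        off = 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:
                self._learn_templates(source_id, body)
            elif fs_id >= 256:
                self._decode_or_hold(source_id, fs_id, body)
            # ID 1 is the options template and 2-255 are reserved: skipped here.
            off += fs_len
        return len(self.flows)

    def _learn_templates(self, source_id, body):
        off = 0
        while off + 4 <= len(body):
            tid, nfields = struct.unpack("!HH", body[off:off + 4])
            off += 4
            self.templates[(source_id, tid)] = [
                struct.unpack("!HH", body[off + 4 * i:off + 4 * i + 4]) for i in range(nfields)]
            off += 4 * nfields
        held, self.pending = self.pending, []
        for sid, tid, data in held:          # replay data held while the template was unknown
            self._decode_or_hold(sid, tid, data)

    def _decode_or_hold(self, source_id, tid, body):
        fields = self.templates.get((source_id, tid))
        if fields is None:
            self.pending.append((source_id, tid, body))
            return
        rec_len, off = sum(n for _, n in fields), 0
        while off + rec_len <= len(body):    # trailing padding is shorter than one record
            rec = {}
            for t, n in fields:
                raw, off = body[off:off + n], off + n
                name = FIELD_NAMES.get(t, f"field_{t}")
                rec[name] = socket.inet_ntoa(raw) if t in ADDR_FIELDS else int.from_bytes(raw, "big")
            self.flows.append(rec)


TEMPLATE_ID = 256
FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (2, 4), (1, 4)]
# Constructed flows (not captured from a real exporter).
SAMPLE_FLOWS = [
    {"src_addr": "10.0.0.5", "dst_addr": "192.168.1.100", "src_port": 51234, "dst_port": 443,
     "protocol": 6, "in_pkts": 30, "in_bytes": 4120},
    {"src_addr": "10.0.0.9", "dst_addr": "8.8.8.8", "src_port": 4000, "dst_port": 53,
     "protocol": 17, "in_pkts": 1, "in_bytes": 76},
]


def demo():
    """Data before template: nothing decodes until the template refresh arrives."""
    c = V9Collector()
    data = build_packet([build_data_flowset(TEMPLATE_ID, FIELDS, SAMPLE_FLOWS)], 2, seq=1)
    before = c.feed(data)                      # template unknown: records are held
    tmpl = build_packet([build_template_flowset(TEMPLATE_ID, FIELDS)], 1, seq=2)
    after = c.feed(tmpl)                       # refresh arrives: held records decode
    return before, after, c.flows
```

Running demo() returns 0 decoded flows after the data-only datagram and 2 after the template refresh, which is exactly the gap that 'template data timeout' bounds: a collector that missed or predates the template sees nothing useful until the next resend.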

13
Multi-Select · hard

Which THREE symptoms indicate that NetFlow data export is failing or misconfigured? (Choose THREE.)

Select 3 answers
A. The 'show ip cache flow' output shows a high number of active flows but zero export packets sent.
B. The 'show ip flow export' output shows 'Export state: active'.
C. The 'show ip flow export' output shows 'Export state: idle'.
D. The 'show ip flow export' output shows 'Export packets discarded: 150' with reason 'no route'.
E. The 'show flow monitor name FLOW-MON cache' output displays multiple flow entries with valid timestamps.
Answers: A, C, D

Flows are being created but not exported, which points at the export configuration or the path to the collector rather than at flow collection.

Why this answer

When export fails, 'show ip cache flow' shows a populated and growing cache while 'show ip flow export' reports no export packets sent. 'Export state: idle' in that output means no export destination is active. If the collector is unreachable, the same command counts 'Export packets discarded' with the reason 'no route'.

Option B is incorrect because 'Export state: active' is the healthy state. Option E is incorrect because entries in 'show flow monitor name FLOW-MON cache' only prove that flows are being cached; export can still be failing.
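The following is an added example, not part of the quiz page, that turns the troubleshooting logic of questions 9, 10 and 13 into code: it parses the export counters from 'show flow exporter <name> statistics' text in the layout this page quotes and maps them to the failure modes above (idle exporter, no route to the collector, source unreachable, queue overrun). The two sample outputs are constructed to match that layout and are not captured from a real router; the advice strings are this example's own.

```python
import re

# Counters of interest, keyed by the label used in the CLI output quoted on this page.
COUNTERS = {
    "flows_exported":   r"Number of Flows exported:\s+(\d+)",
    "packets_exported": r"Number of Packets exported:\s+(\d+)",
    "src_unreachable":  r"Number of Source IP address unreachable:\s+(\d+)",
    "no_route":         r"Number of Packets dropped \(no route\):\s+(\d+)",
    "queue_full":       r"Number of Packets dropped \(queue full\):\s+(\d+)",
}


def parse_exporter_stats(text):
    """Extract the export counters from CLI text; a counter that is absent reads as 0."""
    stats = {}
    for name, pattern in COUNTERS.items():
        m = re.search(pattern, text)
        stats[name] = int(m.group(1)) if m else 0
    return stats


def diagnose(text):
    """Map the counters to failure modes. Returns (code, advice) tuples; drop
    counters take precedence over the generic 'idle' finding."""
    s = parse_exporter_stats(text)
    findings = []
    if s["no_route"]:
        findings.append(("no_route", "no route to the collector from the exporter's source: "
                         "check 'show ip route <collector>' and the VRF the exporter sits in"))
    if s["src_unreachable"]:
        findings.append(("source_unreachable", "the exporter 'source' interface is down or has no "
                         "address: check 'show ip interface brief'"))
    if s["queue_full"]:
        findings.append(("queue_full", "export queue overruns: raise the active/inactive timeouts, "
                         "add sampling, or reduce the number of key fields"))
    if not findings and s["flows_exported"] == 0:
        findings.append(("idle", "no flows reach this exporter: no monitor references it or the "
                         "monitor is not attached: check 'show flow monitor' and 'show flow interface'"))
    if not findings and s["packets_exported"] > 0:
        findings.append(("healthy", "records are leaving the router: if the collector sees nothing, "
                         "check ACLs/firewalls on the UDP port and the collector's listening port"))
    return findings


# Constructed sample outputs in the shape quoted on this page (not from a real router).
IDLE_OUTPUT = """\
Flow Exporter: EXPORTER-1
  Export statistics:
    Number of Flows exported:                 0
    Number of Packets exported:               0
    Number of Source IP address unreachable:  0
    Number of Packets dropped (no route):     0
    Number of Packets dropped (queue full):   0
"""

NO_ROUTE_OUTPUT = """\
Flow Exporter: EXPORTER-1
  Export statistics:
    Number of Flows exported:                 4210
    Number of Packets exported:               0
    Number of Source IP address unreachable:  0
    Number of Packets dropped (no route):     312
    Number of Packets dropped (queue full):   0
"""

if __name__ == "__main__":
    for label, text in (("idle", IDLE_OUTPUT), ("no route", NO_ROUTE_OUTPUT)):
        for code, advice in diagnose(text):
            print(f"{label:9s} -> {code}: {advice}")
```

The ordering matters: a non-zero drop counter is a concrete cause, so it is reported before the 'idle' finding, which is only meaningful when no packets were attempted at all (the situation in question 10).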

14
MCQ · medium

Consider the following partial configuration on router R4:

flow exporter EXPORTER-2
 destination 10.10.10.1
 source Loopback0
 transport udp 9996
 option interface-table
 option sampler-table
!
flow monitor MONITOR-4
 exporter EXPORTER-2
 record netflow ipv4 original-input
!
interface GigabitEthernet0/4
 ip flow monitor MONITOR-4 input
!

What is the purpose of the 'option interface-table' and 'option sampler-table' commands under the exporter?

A. They instruct the router to periodically export metadata about interfaces and samplers to the collector, aiding in data interpretation.
B. They enable the router to sample traffic based on interface and sampler tables before exporting.
C. They limit the export to only interface and sampler statistics, ignoring flow records.
D. They are required for the exporter to function; without them, no data is exported.
Answer: A

Option templates provide additional context (e.g., interface names, sampler rates) that the collector needs to interpret flow data correctly.

Why this answer

This question tests knowledge of option templates in Flexible NetFlow exporters.

15
MCQ · medium

In Flexible NetFlow, which of the following is true regarding the 'match' and 'collect' commands in a flow record?

A. The 'match' command defines fields that are used to identify unique flows, while 'collect' defines additional fields to include in the exported record.
B. Both 'match' and 'collect' define key fields; the difference is that 'match' fields are required and 'collect' fields are optional.
C. The 'match' command is used for input flows, and 'collect' is used for output flows.
D. The 'collect' command is used to aggregate flows, while 'match' is used to filter them.
Answer: A

Match fields are used to create flow keys (e.g., source/destination IP, protocol), while collect fields are non-key fields that are included in the exported data.

Why this answer

This question tests understanding of the difference between match and collect in flow record definition.

16
MCQ · easy

What is the default transport protocol used by NetFlow exporters on Cisco IOS-XE?

A. TCP
B. UDP
C. SCTP
D. ICMP
Answer: B

Correct. NetFlow export uses UDP.

Why this answer

Flexible NetFlow exporters send over UDP ('transport udp <port>'; the port must be given explicitly, and 2055 or 9996 are the conventional collector ports). Some platforms also offer SCTP for reliable export, but UDP is the default and by far the common choice. UDP delivery is unacknowledged, which is why v9 templates are periodically refreshed and why an ACL or firewall blocking the port produces silent loss at the collector rather than an error on the router.

17
MCQ · medium

A network engineer runs the following command to debug NetFlow export:

R1# debug ip flow export
IP Flow export debugging is on
R1#
*Mar  1 00:05:23.123: FLOW: export v9 flow 1 with 30 packets
*Mar  1 00:05:23.124: FLOW: export v9 flow 2 with 15 packets
*Mar  1 00:05:23.125: FLOW: export v9 flow 3 with 22 packets
*Mar  1 00:05:23.126: FLOW: export v9 flow 4 with 8 packets
*Mar  1 00:05:23.127: FLOW: export v9 flow 5 with 12 packets

What does this output indicate?

A. NetFlow export is failing because the flows are too small.
B. NetFlow version 9 export is functioning correctly, exporting multiple flows with their packet counts.
C. Only one flow is being exported at a time.
D. The export is using NetFlow version 5.
Answer: B

The debug messages confirm that NetFlow v9 export is operational and exporting flows with their respective packet counts.

Why this answer

The debug output shows that NetFlow version 9 export is working, with flows being exported in real time. Each line shows a flow ID and the number of packets in that flow. This indicates that NetFlow is actively exporting flow data.

18
MCQ · hard

A BGP-based network uses route reflectors and Flexible NetFlow to monitor traffic. After applying a flow monitor to the route reflector's interface, some BGP routes are not being reflected to clients. Router R1 (route reflector) shows:

R1# show bgp vpnv4 unicast all neighbors 10.0.0.2 advertised-routes | include (10.1.1.0/24)
No entries.

The BGP session is up, and the route 10.1.1.0/24 is in the BGP table. What is the root cause?

A. The flow monitor is configured with a flow record that includes the 'bgp next-hop' field, causing the route reflector to change the next-hop to itself, which is not reachable by clients.
B. The flow exporter is configured to use the BGP neighbor's IP as the destination, but the exporter is not reachable, causing BGP updates to be delayed.
C. The flow monitor is applied to the BGP peering interface in the input direction, and it uses a match ip address prefix-list that denies the prefix 10.1.1.0/24, causing the route reflector to not process the route.
D. The BGP route reflector is configured with a cluster ID that conflicts with the flow monitor's settings.
Answer: C

In the question's premise, the flow monitor carries a prefix-list match that denies 10.1.1.0/24, and that is the option the answer key selects as the reason the reflector does not advertise the prefix.

Why this answer

Options A, B and D describe interactions that do not exist. A flow record's 'bgp next-hop' field only records the next hop of observed traffic and never rewrites BGP attributes; an exporter's destination has no influence on BGP update timing; cluster IDs have nothing to do with flow monitors. That leaves C, the one option the question frames as a filter on the prefix itself.

The caveat a practitioner should keep in mind is that Flexible NetFlow is passive accounting: a flow monitor applied to a peering interface observes packets and does not filter, delay, or modify BGP updates or the routes they carry. When a prefix is in the BGP table but absent from 'advertised-routes' toward a client, the cause is in BGP itself: the path is not the best path, an outbound route-map or prefix-list is applied to the neighbor, or the next hop is unreachable. 'show bgp vpnv4 unicast all 10.1.1.0/24' shows the path's state and, on newer releases, why it was not advertised.

19
MCQ · hard

An engineer configures Flexible NetFlow on a router to monitor traffic. Unexpectedly, the NetFlow exporter does not send any flow records to the collector. The engineer verifies that the monitor is applied to the correct interface and that the collector is reachable. Which is the most likely explanation?

A. The flow monitor references a record that does not include mandatory match fields, causing the monitor to remain inactive.
B. The exporter is configured with 'transport tcp' instead of 'transport udp', and the collector only accepts UDP.
C. The interface where the monitor is applied is in a VRF, and the exporter is not configured with the VRF name.
D. The flow monitor uses 'cache timeout inactive 60' which is too long, causing flows to be held until the cache is full.
Answer: A

A Flexible NetFlow record needs at least one match (key) field before a monitor that uses it can do anything; a record with collect fields only cannot classify packets into flows, so nothing is cached and nothing is exported.

Why this answer

The flow monitor references a record whose match fields form the flow key. Without any key field the router has nothing to group packets by, so the monitor cannot become active and the exporter never receives a record. Any single key field is sufficient: a record with only 'match ipv4 protocol' is legal, it just produces one flow per IP protocol. Since the collector is reachable and the monitor is on the right interface, the remaining checks are 'show flow record <name>' to confirm at least one match field, 'show flow monitor <name> cache' to see whether flows are being created at all, and 'show flow exporter <name> statistics' to see whether anything reaches the exporter.

Of the other options, 'transport tcp' is not an exporter transport on IOS (UDP, and on some platforms SCTP); a VRF mismatch would make the collector unreachable, which the engineer has ruled out; and a longer inactive timeout only delays the export of idle flows, it does not stop it.

20
MCQ · hard

A DMVPN network uses FlexVPN with BGP as the routing protocol. Spoke routers are configured with Flexible NetFlow to monitor traffic. After a configuration change, spoke-to-spoke tunnels fail to establish. Router R1 (spoke) shows:

R1# show dmvpn detail | include (State|Tunnel)
State: NHRP, Tunnel: Tunnel0

The BGP neighbor to the hub is up, but no BGP routes are received for the remote spoke's LAN. What is the root cause?

A. The flow monitor is applied to the tunnel interface in the input direction and uses a flow record that matches on BGP port 179, causing BGP packets to be dropped.
B. The flow exporter's source interface is set to Tunnel0, but the tunnel is not yet established, so BGP updates sourced from Tunnel0 are unreachable.
C. The BGP neighbor is configured with a password that does not match the hub.
D. The NHRP authentication key is missing, preventing spoke-to-spoke communication.
Answer: B

In the question's premise the exporter is sourced from Tunnel0, and the answer key treats that as the reason BGP over the DMVPN fails: the spoke sources traffic from an address that is not reachable until the tunnel exists, a chicken-and-egg dependency.

Why this answer

Options A, C and D are excluded by the scenario. A flow record that matches on port 179 only accounts for BGP packets; it never drops them. A BGP password mismatch would keep the hub session from coming up at all, and the question states it is up. A missing NHRP authentication key would prevent registration with the hub rather than only the receipt of another spoke's routes. That leaves B as the intended answer.

The caveat: a flow exporter's 'source' sets the source address of NetFlow export datagrams only. BGP chooses its own source (the neighbor's 'update-source', normally the Tunnel0 address itself in DMVPN), so an exporter sourced from Tunnel0 cannot by itself stop BGP updates. If export datagrams are sourced from a tunnel address the collector cannot route back to, it is NetFlow export that breaks, not BGP. For missing spoke routes the places to look are 'show ip nhrp' on the spoke (is there a mapping for the remote spoke), 'show bgp ipv4 unicast neighbors <hub> received-routes' (is the hub re-advertising the route, which needs 'route-reflector-client' for iBGP or 'next-hop-unchanged' for eBGP on the hub), and the hub's outbound policy toward the spokes.

21
MCQ · medium

What is the default flow-cache timeout for NetFlow version 9 on Cisco IOS-XE?

A. 15 minutes
B. 30 minutes
C. 60 minutes
D. 5 minutes
Answer: B

Correct. The default active flow timeout for NetFlow v9 (and Flexible NetFlow) on IOS and IOS-XE is 30 minutes; the default inactive timeout is 15 seconds.

Why this answer

Two timers age the cache. The active timeout (default 1800 seconds) exports a long-lived flow that is still receiving packets and resets its counters, so that a multi-hour transfer is reported in 30-minute slices instead of once at the end. The inactive timeout (default 15 seconds) exports a flow that has seen no packets for that long. Both are tuned under the flow monitor with 'cache timeout active <seconds>' and 'cache timeout inactive <seconds>'; a much shorter active timeout (60 seconds is a common collector recommendation) gives near-real-time counters at the cost of more export traffic.

22
MCQ · easy

A network engineer runs the following command on Router R1:

R1# show flow monitor FLOW-MONITOR-1 statistics
Monitor: FLOW-MONITOR-1
  Record:           netflow-original
  Exporter:         EXPORTER-1
  Cache size:       1000
  Current entries:  0
  Flows exported:   0
  Packets exported: 0
  Sampler:          Not configured
Flow Monitor is not attached to any interface

Based on this output, what action should the engineer take to resolve the issue?

A. Configure a sampler on the flow monitor.
B. Apply the flow monitor to an interface using the 'ip flow monitor FLOW-MONITOR-1 input' command.
C. Increase the cache size to 2000 entries.
D. Change the record type to netflow ipv4 original.
Answer: B

The flow monitor must be attached to an interface to capture traffic.

Why this answer

The output explicitly states 'Flow Monitor is not attached to any interface'. The solution is to apply the flow monitor to an interface using the 'ip flow monitor' command.

23
MCQ · hard

An engineer configures mutual redistribution between OSPF and EIGRP. After the configuration, routing loops occur. The engineer checks the routing tables and sees that the same prefix is learned from both protocols with different administrative distances. Which is the most likely explanation?

A. The redistributed routes are not tagged, so they are re-redistributed back into the original protocol, creating a loop.
B. The administrative distance of EIGRP is lower than OSPF, so the redistributed route is preferred and causes a loop.
C. The seed metric is not configured, so the redistributed route has an infinite metric and is not installed.
D. The OSPF process is configured with 'default-information originate always', which injects a default route and causes a loop.
Answer: A

Without route tags, nothing stops a prefix that entered OSPF from EIGRP from being redistributed straight back into EIGRP (and the reverse), and the copy that comes back can be preferred over the original.

Why this answer

With mutual redistribution at two or more points, a prefix can be learned by one protocol, injected into the other, and re-injected into the first with a different administrative distance. On IOS, OSPF routes (internal and external alike) have AD 110, EIGRP internal routes AD 90, and EIGRP external routes AD 170. A router that holds a prefix as an EIGRP external route (170) will prefer the same prefix when it reappears as an OSPF route (110) after a second ASBR redistributes it; that OSPF route points back toward the second ASBR, which learned it from the first, so traffic loops, or at least flaps each time one of the redistributing routers reconverges.

Tagging breaks the cycle: at each redistribution point, 'set tag' in the route-map applied to 'redistribute' marks routes as they enter a protocol, and a deny sequence with 'match tag' on the reverse redistribution refuses to send them back. Raising the AD of the re-learned copies with 'distance' and an ACL is the alternative when tagging is not possible.

24
MCQ · easy

What is the default active flow timeout value in Cisco IOS Flexible NetFlow?

A. 60 seconds
B. 1800 seconds
C. 300 seconds
D. 30 seconds
Answer: B

The default active flow timeout is 1800 seconds (30 minutes). This means active flows are exported every 30 minutes.

Why this answer

This question tests recall of default timer values in Flexible NetFlow.

25
Multi-Select · hard

An engineer configures Flexible NetFlow with a user-defined flow record that includes 'match ipv4 source address' and 'collect counter bytes'. Which TWO additional statements about this configuration are true? (Choose TWO.)

Select 2 answers
A. The flow record must be applied directly to an interface using the 'ip flow record' command.
B. The 'match ipv4 source address' command defines a key field that is used to uniquely identify flows.
C. The 'collect counter bytes' command causes the router to count the total number of bytes for each unique flow.
D. If no 'match' commands are configured, the router will use the default match fields from the 'netflow-original' record.
E. The flow record can be used by both IPv4 and IPv6 traffic simultaneously without additional configuration.
Answers: B, C

Correct. Match fields are key fields; flows are differentiated based on their values. Here, only the source IP is used as a key.

Why this answer

In Flexible NetFlow, the 'match' fields define the flow key; flows are uniquely identified by the combination of all match fields. The 'collect' fields define non-key data that is aggregated per flow. The flow record must be referenced by a flow monitor, which is then applied to an interface.

The default flow record is 'netflow-original', which includes many default keys. The 'match' fields cannot be omitted; at least one match field is required. The 'collect' fields are optional and can include counters, timestamps, etc.
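The following is an added example, not part of the quiz page, that models the match/collect semantics of questions 15 and 25, the zero-byte symptom of question 28, and the active/inactive timers of questions 21 and 24 in one toy flow cache. Packets and timestamps are constructed for the example; the timer defaults (1800 s active, 15 s inactive) are the IOS defaults quoted on this page.

```python
class FlowCache:
    """Toy Flexible NetFlow cache. 'match' fields form the flow key and
    'collect' fields are accumulated per key. Time is passed in explicitly
    so the timers can be exercised without waiting."""

    def __init__(self, match, collect, active=1800, inactive=15):
        self.match = tuple(match)
        self.collect = set(collect)
        self.active, self.inactive = active, inactive
        self.cache = {}      # key tuple -> entry
        self.exported = []   # (key, entry) pairs handed to the exporter

    def observe(self, pkt, now):
        key = tuple(pkt[f] for f in self.match)
        e = self.cache.setdefault(key, {"first": now, "last": now, "packets": 0, "bytes": 0})
        e["last"] = now
        # Only collected counters move: a record without 'collect counter bytes'
        # exports flows whose byte count stays at zero (question 28).
        if "counter packets" in self.collect:
            e["packets"] += 1
        if "counter bytes" in self.collect:
            e["bytes"] += pkt["length"]

    def age(self, now):
        """Expire entries: the active timeout for long-lived flows still seeing
        packets, the inactive timeout for flows that went quiet. Returns the
        keys exported on this pass."""
        expired = []
        for key, e in list(self.cache.items()):
            if now - e["first"] >= self.active or now - e["last"] >= self.inactive:
                self.exported.append((key, dict(e)))
                del self.cache[key]
                expired.append(key)
        return expired


# Constructed packets (not from a capture): one source talking to two destinations.
PACKETS = [
    {"src": "10.0.0.5", "dst": "192.168.1.100", "proto": 6, "sport": 51234, "dport": 443, "length": 1500},
    {"src": "10.0.0.5", "dst": "192.168.1.100", "proto": 6, "sport": 51234, "dport": 443, "length": 1500},
    {"src": "10.0.0.5", "dst": "8.8.8.8", "proto": 17, "sport": 4000, "dport": 53, "length": 76},
]


def demo():
    # The record from question 25: key = source address only, collect bytes.
    by_source = FlowCache(match=["src"], collect=["counter bytes"])
    # A five-tuple key that collects packets but omits 'collect counter bytes'.
    five_tuple = FlowCache(match=["src", "dst", "proto", "sport", "dport"],
                           collect=["counter packets"])
    for t, p in enumerate(PACKETS):
        by_source.observe(p, now=t)
        five_tuple.observe(p, now=t)
    result = {
        "by_source_flows": len(by_source.cache),                     # both destinations merge
        "by_source_bytes": by_source.cache[("10.0.0.5",)]["bytes"],
        "five_tuple_flows": len(five_tuple.cache),                   # two distinct flows
        "five_tuple_bytes": [e["bytes"] for e in five_tuple.cache.values()],
    }
    # Keep the HTTPS flow busy past the active timeout, then age the cache a few
    # seconds after its last packet: the active timer, not the inactive one, exports it.
    https = PACKETS[0]
    for t in range(3, 1803, 10):
        five_tuple.observe(https, now=t)
    expired = five_tuple.age(now=1804)
    https_key = ("10.0.0.5", "192.168.1.100", 6, 51234, 443)
    result["https_exported_by_active_timer"] = https_key in expired
    result["https_packets_at_export"] = dict(five_tuple.exported)[https_key]["packets"]
    return result


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With only the source address as a key, traffic to both destinations collapses into one flow of 3076 bytes; with a five-tuple key there are two flows, and because the second record never collects bytes their byte counters stay at zero no matter how much traffic passes, which is the symptom described in question 28.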

26
MCQ · medium

Consider the following partial configuration on router R2:

flow exporter EXPORTER-1
 destination 192.168.1.100
 source Loopback0
 transport udp 2055
!
flow monitor MONITOR-2
 exporter EXPORTER-1
 record netflow ipv4 original-input
 cache timeout active 30
!
interface GigabitEthernet0/2
 ip flow monitor MONITOR-2 input
!

What is the effect of this configuration?

A. The router will export NetFlow version 9 records containing IPv4 source and destination addresses, protocol, and packet/byte counts.
B. The router will export NetFlow version 5 records because the exporter uses UDP port 2055.
C. The flow monitor will only collect traffic on the input direction of GigabitEthernet0/2, but no export will occur because the exporter is not applied to the monitor.
D. The flow monitor will export flows every 30 seconds only if the flow is idle for that period.
Answer: A

The record 'netflow ipv4 original-input' is a predefined Flexible NetFlow record that matches traditional NetFlow fields (source/destination IP, protocol, etc.) and exports them in NetFlow v9 format.

Why this answer

This question tests knowledge of the 'record netflow ipv4 original-input' predefined record and its behavior.

27
MCQ · easy

Which NetFlow version is the default export format when using Flexible NetFlow with the 'record netflow ipv4 original-input' command?

A. NetFlow version 5
B. NetFlow version 9
C. IPFIX (NetFlow version 10)
D. NetFlow version 1
Answer: B

Flexible NetFlow uses NetFlow v9 as the default export format because it supports template-based records.

Why this answer

This question tests knowledge of the default export version for Flexible NetFlow predefined records.

28
MCQhard

An engineer notices that NetFlow export packets are being sent from a router but the collector reports missing data for certain flows. The engineer checks 'show ip flow export' and sees 'Exporting flows to 10.1.1.100 (2055)' with packets being sent. However, 'show flow monitor name MONITOR cache' shows many flows with zero byte counts. What is the most likely cause?

A.The flow exporter is using UDP port 2055, but the collector expects TCP.
B.The flow record includes 'collect counter packets' but not 'collect counter bytes'.
C.The router's CPU is overloaded, causing byte counters to not update.
D.The flow monitor is applied in egress direction, which does not support byte collection.
AnswerB

Without 'collect counter bytes', the byte counter remains zero. The engineer must add this directive to the record.

Why this answer

If the flow record collects 'counter packets' but not 'counter bytes', no byte value is ever accumulated for a flow, so the collector shows zero (or an empty byte field) for every flow while packet counts look normal. The fix is to add 'collect counter bytes' to the record; a record that is referenced by a monitor applied to an interface cannot be edited, so remove the monitor from the interface first. Note also that 'show ip flow export' is the legacy NetFlow command; the Flexible NetFlow equivalent is 'show flow exporter <name> statistics'.

29
MCQhard

An engineer configures OSPF on two directly connected routers with MTU 1500 on one interface and MTU 1400 on the other. The OSPF adjacency forms but remains in EXSTART state. Which is the most likely explanation?

A.The router with the larger MTU sends DBD packets that exceed the smaller MTU, causing the receiver to drop them and remain in EXSTART.
B.The router with the smaller MTU cannot send hello packets due to fragmentation, so the adjacency never forms.
C.OSPF uses TCP, and the MTU mismatch causes TCP segmentation issues, leading to EXSTART.
D.The MTU mismatch causes a routing loop, preventing the exchange of LSAs.
AnswerA

OSPF DBD packets include the MTU of the sending interface. If the receiving interface has a smaller MTU, it will ignore the DBD packet, preventing the adjacency from progressing.

Why this answer

OSPF carries the sending interface's MTU in the Interface MTU field of every Database Description (DBD) packet. The receiver compares that value with its own interface MTU and, if the advertised MTU is larger, discards the DBD, so the two routers never complete the DBD exchange and the adjacency sits in EXSTART (one side may show EXCHANGE). OSPF does not negotiate MTU, does not fragment DBDs to fit, and does not use TCP; hellos are small and keep arriving, which is why the neighbor is seen but never progresses.

Fix the mismatch on the interfaces, or, where the MTUs genuinely differ, configure 'ip ospf mtu-ignore' on the interface so the comparison is skipped.

30
MCQhard

A VRF-aware network uses route leaking between VRF A and VRF B. After configuring Flexible NetFlow to monitor traffic in VRF A, some routes that were previously leaked to VRF B disappear. Router R1 has: ip route vrf A 10.0.0.0 255.0.0.0 Null0. route-map LEAK permit 10 match ip address prefix-list GLOBAL. The prefix-list GLOBAL permits 10.0.0.0/8. The flow monitor is applied to the VRF A interface. What is the root cause?

A.The flow monitor is configured with a match ip address prefix-list that references the same prefix-list as the route-map, but the flow monitor's action is to drop packets matching that prefix, causing the route to be withdrawn.
B.The route-map LEAK is also applied to the flow monitor as a filter, and the flow monitor's match statement is misconfigured to deny the route, preventing the route from being leaked.
C.The VRF A interface has a flow monitor applied that uses a flow record with the 'vrf' field, causing the router to ignore the route leaking configuration.
D.The route leaking configuration requires a next-hop that is not reachable due to the flow monitor consuming bandwidth.
AnswerB

Option B is the answer this question expects: the route-map LEAK is doing double duty, and when it was reused for the flow monitor a deny was added that now also blocks the prefix from being leaked.

Why this answer

Flexible NetFlow is a passive accounting feature. A flow monitor classifies and counts packets; it never drops traffic, never evaluates routing prefixes and never withdraws routes, so options A, C and D describe behaviour the feature does not have. The only way a NetFlow change can remove a leaked route is through shared configuration: if LEAK, or the prefix-list GLOBAL it references, was edited while the monitor was being set up, every consumer of that route-map sees the change at once, and a newly added deny clause, or a prefix-list entry that no longer permits 10.0.0.0/8, stops the leak.

Verify with 'show route-map LEAK' and 'show ip prefix-list GLOBAL', and keep the route-maps used for route leaking separate from any object used to classify monitored traffic so that a change to one cannot affect the other.

31
MCQhard

An engineer configures a DMVPN Phase 2 network. Spoke-to-spoke tunnels are expected to form dynamically. However, when a spoke tries to reach another spoke, traffic is still sent through the hub. The engineer verifies that NHRP is working and that the spoke-to-spoke tunnel is up. Which is the most likely explanation?

A.The spokes are missing the 'ip nhrp shortcut' command on the tunnel interface, so they do not install the direct route.
B.The hub is configured with 'ip nhrp redirect' but the spokes are configured with 'ip nhrp server-only', which prevents them from sending redirects.
C.The tunnel interface has 'ip mtu' set too low, causing fragmentation and preventing the NHRP registration.
D.The spoke-to-spoke tunnel uses IPsec, and the transform set is mismatched, causing the tunnel to fail.
AnswerA

The 'ip nhrp shortcut' command is required on spokes to allow them to use the NHRP-learned direct path. Without it, the spoke will continue to use the hub as the next hop.

Why this answer

'ip nhrp redirect' on the hub and 'ip nhrp shortcut' on the spokes are the DMVPN Phase 3 mechanism: the hub sends an NHRP redirect when it forwards a spoke's packet back out the same tunnel interface, and a spoke configured with 'ip nhrp shortcut' resolves the destination and installs the NHRP shortcut (overriding the next hop) so traffic goes directly. Without 'ip nhrp shortcut' the spoke ignores the redirect and keeps forwarding through the hub even though the spoke-to-spoke tunnel exists, which is the situation described and why option A is the expected answer.

In a strict Phase 2 design there is no redirect/shortcut exchange; direct forwarding depends on the routing protocol preserving the remote spoke as the next hop (for example 'no ip next-hop-self eigrp' on the hub, or an OSPF broadcast network type with the hub as DR), so the equivalent fault there is the hub rewriting the next hop to itself.

32
MCQmedium

An engineer configures Flexible NetFlow on a Cisco router to monitor traffic on GigabitEthernet0/1. The flow record is defined with 'match ipv4 source address' and 'collect counter bytes'. The flow exporter sends data to 192.168.1.10:2055. After applying the monitor to the interface, 'show flow monitor name MONITOR cache' shows zero entries. What is the most likely root cause?

A.The flow exporter is not configured with a source interface.
B.The flow monitor is applied in the wrong direction.
C.The flow record does not include 'match ipv4 protocol'.
D.The collector is unreachable, causing the router to stop caching flows.
AnswerB

If the monitor is applied ingress but traffic is egress, no flows are recorded. The engineer should check the direction.

Why this answer

Flexible NetFlow attaches a monitor with 'ip flow monitor <name> input' or 'ip flow monitor <name> output'; the direction keyword is mandatory, so there is no implicit default. A monitor applied as input sees only packets entering the interface, and if the traffic of interest leaves through that interface the cache stays empty. Apply the monitor in the direction the traffic actually takes, or one monitor per direction.

33
MCQmedium

What is the default value for the 'active flow timeout' in a Flexible NetFlow monitor on Cisco IOS-XE?

A.15 minutes
B.30 minutes
C.60 minutes
D.5 minutes
AnswerB

Correct. The default active flow timeout is 30 minutes.

Why this answer

The default active flow timeout is 30 minutes, after which long-lived flows are exported regardless of activity.

34
MCQmedium

A network engineer runs the following command on Router R1:

R1# show flow monitor FLOW-MONITOR-1 cache format table
  Cache type:          Normal
  Cache size:          1000
  Current entries:     0
  High Watermark:      0

  Flows added:         0
  Flows aged:          0
    - Active timeout   (1800 secs)  0
    - Inactive timeout (15 secs)    0
    - Event aged                    0
    - Watermark aged                0
    - Emergency aged                0

Based on this output, what is the most likely problem?

A.The cache size is too small at 1000 entries.
B.The flow monitor is not applied to any interface.
C.The active timeout is too long at 1800 seconds.
D.The cache type is Normal, which requires a sampler.
AnswerB

With 0 flows added and 0 current entries, the monitor is not receiving traffic. This is typical when it is not attached to an interface.

Why this answer

The cache shows 0 current entries and 0 flows added, indicating no traffic is being captured. This often means the flow monitor is not applied to any interface.

35
MCQhard

An MPLS network uses LDP for label distribution. After enabling Flexible NetFlow on the core routers, some LDP sessions fail to establish. Router R1 shows: show mpls ldp neighbor | include (Peer|State) Peer LDP Ident: 10.0.0.2:0, State: OPERATIONAL. Router R2 shows: show mpls ldp neighbor | include (Peer|State) Peer LDP Ident: 10.0.0.1:0, State: INIT. What is the root cause?

A.The flow monitor is using a sampler that samples only 1 out of 100 packets, causing LDP hello messages to be missed.
B.The LDP router-id is misconfigured, causing a conflict with the flow exporter.
C.The MPLS MTU is set too low, causing LDP packets to be fragmented.
D.The flow exporter is configured to use TCP port 646, conflicting with LDP.
AnswerA

LDP hellos are sent every 5 seconds by default. Option A is the only option that ties the symptom to the Flexible NetFlow change, and it is the answer this question expects.

Why this answer

A session stuck in INIT means the TCP transport between the peers came up but the LDP Initialization exchange never completed, so the problem sits between discovery and session establishment rather than in routing. Of the options, only A connects the failure to the monitor that was just applied; B, C and D describe conditions the outputs do not show: the router IDs are visible and distinct, nothing points at an MTU problem, and a flow exporter sends UDP to the collector port, not TCP 646.

Caveat for practice: a Flexible NetFlow sampler decides which packets are accounted, not which are forwarded. Sampling never drops or delays control-plane traffic, so a flow monitor, sampled or not, cannot by itself keep an LDP session in INIT. If LDP breaks right after NetFlow is enabled, look at CPU load on the router and at the other changes made at the same time before blaming the sampler.

36
MCQmedium

A network engineer runs the following command on Router R1:

R1# show flow exporter EXPORTER-1
Flow Exporter EXPORTER-1:
  Description:              Exports to collector
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 192.168.1.100
    Source IP address:      10.0.0.1
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            0
  Collector Configuration:
    VRFs:                   Default
  Options Configuration:
    Sampler:                Not configured
  Export Statistics:
    Number of Flows exported:                 5000
    Number of Packets exported:               250
    Number of Source IP address unreachable:  10
    Number of Packets dropped:                0

Based on this output, what is the most likely issue?

A.The destination IP address is unreachable.
B.The source IP address 10.0.0.1 is not reachable from the destination, causing some packets to fail.
C.The UDP port 2055 is blocked.
D.The exporter is not sending any packets.
AnswerB

Option B is the answer this question expects. Read the counter carefully, though: export is one-way UDP, so the router can only report conditions it observes locally.

Why this answer

The exporter has sent 250 packets carrying 5000 flows, so the destination address and port are working. The 10 'Source IP address unreachable' events are the only failures and they concern the source side: at those moments the router could not use the configured export source 10.0.0.1, which is what happens when the source interface is down, has lost its address, or is flapping. The collector never tells the router whether export packets arrived, so this counter cannot mean 'the collector cannot reach 10.0.0.1'; it means the router had no usable source address at export time. Sourcing the exporter from a loopback keeps that address stable.

37
MCQeasy

A network engineer runs the following command to verify Flexible NetFlow cache entries:

R1# show flow monitor FLOW-MONITOR-1 cache format record
Cache entry for flow 1:
  ipv4 source address:         10.0.0.1
  ipv4 destination address:    192.168.1.100
  ip protocol:                 6
  counter bytes:               1500
  counter packets:             10
  timestamp sys-uptime first:  123456
  timestamp sys-uptime last:   123556
Cache entry for flow 2:
  ipv4 source address:         10.0.0.2
  ipv4 destination address:    192.168.1.101
  ip protocol:                 17
  counter bytes:               500
  counter packets:             5
  timestamp sys-uptime first:  123457
  timestamp sys-uptime last:   123557

What does this output indicate?

A.Both flows are TCP connections.
B.The cache shows two flows with source/destination IP, protocol, byte/packet counts, and timestamps.
C.The cache does not include protocol information.
D.The flows are being exported immediately.
AnswerB

The output correctly displays all the fields defined in the flow record for both flows.

Why this answer

The output shows two active flows in the Flexible NetFlow cache. Flow 1 is a TCP (protocol 6) flow from 10.0.0.1 to 192.168.1.100 with 1500 bytes and 10 packets. Flow 2 is a UDP (protocol 17) flow from 10.0.0.2 to 192.168.1.101 with 500 bytes and 5 packets.

The timestamps show the first and last packet times.

38
MCQhard

An engineer configures EIGRP named mode on a router. After a link failure, a route becomes stuck-in-active (SIA). The engineer checks the EIGRP topology and notices that the route has a feasible successor. Which is the most likely explanation?

A.The router received a query from a neighbor and must reply, but the reply is delayed because the feasible successor's route is also being queried.
B.The feasible successor is not used because the route is in passive mode, and the router must wait for the active timer to expire.
C.The named mode EIGRP does not support feasible successors, so the router must always go active.
D.The feasible successor's metric is higher than the successor's, so it is not considered as a backup.
AnswerA

A feasible successor keeps the local route passive, but the router still has to answer every query it receives from a neighbor. If that reply is delayed past the active timer (for example over a congested or unidirectional link), the querying neighbor declares the route stuck-in-active.

Why this answer

A route that has a feasible successor never goes active on the local router: DUAL promotes the feasible successor immediately. Stuck-in-active is therefore a property of the query process, not of the local topology table. When a neighbor without a feasible successor loses a route it sends a query; every router that receives the query must reply, and if a reply is still outstanding when the active timer expires (3 minutes by default, with an SIA-query sent at the halfway point to check that the neighbor is alive), the route is declared SIA and the adjacency to the unresponsive neighbor is reset.

A router that holds a feasible successor answers the query immediately with that path, so the delay can only come from the reply itself not reaching the querier in time. That is why the question points at the reply path rather than at the feasible successor: the local router can be blamed for an SIA route even though its own topology table looks healthy.

39
MCQhard

An engineer configures Flexible NetFlow on a router to monitor both IPv4 and IPv6 traffic. The flow record is defined with 'match ipv4 source address' and 'match ipv6 source address'. After applying the monitor to an interface, 'show flow monitor name MONITOR cache' shows only IPv4 flows. What is the most likely cause?

A.IPv6 traffic is not present on the interface.
B.The flow record cannot combine IPv4 and IPv6 match fields; separate monitors are needed.
C.The interface does not have IPv6 enabled.
D.The flow exporter is not configured to send IPv6 flows.
AnswerB

Flexible NetFlow keeps the address families apart: an IPv4 record cannot carry IPv6 key fields, so one record and one monitor are needed per family.

Why this answer

A single flow record cannot mix IPv4 and IPv6 match fields; a record is tied to one address family, and a monitor using it will not account for the other family. Create one record and monitor for IPv4 and another for IPv6, and attach them separately: 'ip flow monitor <name> input' for the IPv4 monitor and 'ipv6 flow monitor <name> input' for the IPv6 one. Both monitors can share a single flow exporter.

40
Multi-Selecthard

Which THREE statements about the NetFlow flow cache and export timing are correct? (Choose THREE.)

Select 3 answers
A.A flow is exported when it has been idle for the inactive timeout period, which defaults to 15 seconds.
B.The default active flow timeout is 30 minutes, after which a long-lived flow is exported even if it is still active.
C.Flows are only exported when the flow cache becomes 100% full.
D.The 'ip flow-cache timeout active' command can be used to change the active timeout value.
E.The maximum number of flow cache entries is fixed at 64,000 and cannot be changed.
AnswersA, B, D

Correct. The inactive timeout triggers export when no packets match the flow for the configured period; default is 15 seconds.

Why this answer

The NetFlow flow cache stores active flows. Flows are exported when they become inactive (no new packets for a timeout period) or when they are long-lived (active timeout). The default active timeout is 30 minutes, and the default inactive timeout is 15 seconds.

When the cache is full, the router may force-export the oldest flows to make room. The cache size is configurable but has a hardware-dependent maximum. Flow export does not wait for the cache to be full before exporting.
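The following is an added example, not code from the page or from Cisco: a small Python model of the flow cache described in question 25 (match fields form the key, collect fields are aggregated onto the entry) and in this question (inactive and active timeouts). The timeouts default to the IOS values of 1800 s and 15 s; the packet trace is constructed, a two-packet DNS flow plus a TCP session that sends a packet every 5 s for 2000 s, so the DNS flow ages by the inactive timer and the TCP session is exported once by the active timer and again, for its remainder, by the inactive timer at the final sweep.

```python
"""Added example (not Cisco code): a minimal model of a Flexible NetFlow cache.
Key fields ('match') form the cache key; non-key fields ('collect') are
accumulated on the entry.  An entry is exported when it has been idle for
the inactive timeout or has existed for the active timeout.  The defaults
below are the IOS FNF defaults (1800 s active, 15 s inactive)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# match ipv4 source/destination address, ip protocol, transport source/destination port
FlowKey = Tuple[str, str, int, int, int]


@dataclass
class FlowEntry:
    key: FlowKey
    first: float       # collect timestamp sys-uptime first
    last: float        # collect timestamp sys-uptime last
    packets: int = 0   # collect counter packets
    bytes: int = 0     # collect counter bytes


@dataclass
class FlowCache:
    active_timeout: float = 1800.0
    inactive_timeout: float = 15.0
    entries: Dict[FlowKey, FlowEntry] = field(default_factory=dict)
    exported: List[Tuple[str, FlowEntry]] = field(default_factory=list)

    def age(self, now: float) -> None:
        """Export every entry whose inactive or active timer has expired."""
        for key in list(self.entries):
            entry = self.entries[key]
            if now - entry.last >= self.inactive_timeout:
                self.exported.append(("inactive", self.entries.pop(key)))
            elif now - entry.first >= self.active_timeout:
                # IOS exports the counters and keeps the entry; dropping it here
                # and recreating it on the next packet produces the same records.
                self.exported.append(("active", self.entries.pop(key)))

    def packet(self, ts: float, src: str, dst: str, proto: int,
               sport: int, dport: int, length: int) -> None:
        self.age(ts)
        key = (src, dst, proto, sport, dport)
        entry = self.entries.get(key)
        if entry is None:                       # new key: new cache entry
            entry = self.entries[key] = FlowEntry(key, first=ts, last=ts)
        entry.last = ts                          # same key: aggregate onto it
        entry.packets += 1
        entry.bytes += length


def constructed_trace():
    """Constructed packets: a two-packet DNS flow and a TCP session sending every 5 s for 2000 s."""
    pkts = [(0.0, "10.0.0.2", "192.0.2.53", 17, 53000, 53, 80),
            (0.02, "10.0.0.2", "192.0.2.53", 17, 53000, 53, 80)]
    pkts += [(float(t), "10.0.0.1", "192.0.2.10", 6, 51000, 443, 100) for t in range(0, 2001, 5)]
    return sorted(pkts, key=lambda p: p[0])


def run_demo(cache: Optional[FlowCache] = None):
    """Feed the trace through the cache; return (reason, source, packets, bytes) per export."""
    cache = cache or FlowCache()
    for pkt in constructed_trace():
        cache.packet(*pkt)
    cache.age(2030.0)    # final sweep, like the periodic cache scan on the router
    return [(reason, e.key[0], e.packets, e.bytes) for reason, e in cache.exported]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

Passing FlowCache(active_timeout=60.0) to run_demo shows the effect of 'cache timeout active': the same TCP session is then exported 33 times, once every 60 s, instead of once at 1800 s, which is what a collector needs for near-real-time reporting on long-lived flows.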

41
MCQeasy

A network engineer runs the following command to verify the Flexible NetFlow record configuration:

R1# show flow record FLOW-RECORD-1
flow record FLOW-RECORD-1:
  match ipv4 source address
  match ipv4 destination address
  match ip protocol
  collect counter bytes
  collect counter packets
  collect timestamp sys-uptime first
  collect timestamp sys-uptime last

What does this output indicate?

A.The record collects only packet counts, not byte counts.
B.The record matches on source and destination IP addresses and protocol, and collects byte/packet counters and timestamps.
C.The record does not include any timestamp information.
D.The record matches on TCP flags.
AnswerB

The output clearly shows match statements for ipv4 source address, destination address, and protocol, and collect statements for bytes, packets, and timestamps.

Why this answer

The output shows the definition of a Flexible NetFlow record. It matches on source IP, destination IP, and protocol, and collects byte and packet counters along with timestamps for the first and last packet of the flow.

42
Multi-Selecthard

Which TWO statements about Flexible NetFlow flow monitors and flow exporters are true? (Choose TWO.)

Select 2 answers
A.A flow monitor can reference only one flow record, but multiple flow monitors can reference the same flow record.
B.A flow exporter can be referenced by only one flow monitor to avoid export conflicts.
C.The default export format for Flexible NetFlow is NetFlow version 5.
D.The flow monitor is applied to an interface using the 'ip flow-export' command.
E.A flow exporter can be referenced by multiple flow monitors simultaneously.
AnswersA, E

Correct. Each flow monitor is configured with a single flow record, but that record can be reused in multiple monitors.

Why this answer

Flexible NetFlow separates flow monitoring into three components: flow record (defines what to collect), flow monitor (applies the record and associates an exporter), and flow exporter (defines export parameters). A flow monitor can reference only one flow record, but multiple flow monitors can reference the same flow record. A flow exporter can be shared by multiple flow monitors.

The default export format is NetFlow version 9, not v5. The flow monitor is applied to an interface using the 'ip flow monitor' command, not 'ip flow-export'.

43
MCQhard

A network engineer configures Flexible NetFlow to export traffic statistics for a VRF named CUSTOMER_A. The configuration includes 'flow exporter EXPORTER' with destination 10.10.10.10:2055 and 'vrf CUSTOMER_A' under the exporter. The flow monitor is applied to the VRF interface. However, 'show flow monitor name MONITOR cache' shows no entries for VRF traffic. What is the most likely cause?

A.The exporter is missing the 'source' interface command.
B.The flow monitor is applied to the global routing table interface instead of the VRF interface.
C.The VRF is not configured with 'ip flow-export' commands.
D.The flow record does not match any VRF-specific fields.
AnswerB

The monitor must be applied to the interface that belongs to the VRF (for example a subinterface such as GigabitEthernet0/1.100 with dot1q encapsulation and 'vrf forwarding CUSTOMER_A'). Applying it to an interface in the global table captures global traffic only.

Why this answer

For VRF traffic the flow monitor is attached with 'ip flow monitor MONITOR input' (or output) on the interface that is in the VRF. The 'vrf' keyword on the exporter destination is a separate matter: it only tells the router which routing table to use to reach the collector and has no influence on which packets the monitor sees. The common mistake is attaching the monitor to the global interface while the customer traffic arrives on a VRF subinterface.

44
MCQmedium

A network engineer runs the following command on Router R1:

R1# show flow exporter EXPORTER-1
Flow Exporter EXPORTER-1:
  Description:              Exports to collector
  Export protocol:          NetFlow Version 9
  Transport Configuration:
    Destination IP address: 192.168.1.100
    Source IP address:      10.0.0.1
    Transport Protocol:     UDP
    Destination Port:       2055
    Source Port:            0
  Collector Configuration:
    VRFs:                   Default
  Options Configuration:
    Sampler:                Not configured
  Export Statistics:
    Number of Flows exported:                 0
    Number of Packets exported:               0
    Number of Source IP address unreachable:  0
    Number of Packets dropped:                0

Based on this output, what is the most likely reason that no flows are being exported?

A.The destination port is incorrect; NetFlow version 9 requires port 9996.
B.The flow exporter is not referenced in any flow monitor applied to an interface.
C.The source IP address is not reachable from the destination.
D.The sampler is not configured, causing all packets to be dropped.
AnswerB

The exporter statistics show no flows exported, but no errors, meaning the exporter is idle. This typically occurs when no flow monitor using this exporter is applied to an interface.

Why this answer

The output shows 0 flows exported, but no errors. This often indicates that the flow monitor is not applied to an interface or the exporter is not referenced in a flow monitor. The exporter itself is configured correctly with a valid destination.

45
MCQmedium

A network engineer runs the following command to troubleshoot a Flexible NetFlow issue:

R1# show flow monitor FLOW-MONITOR-1 cache format table
  Cache type:          Normal
  Cache size:          1000
  Current entries:     25
  High Watermark:      50

  Flows added:         1234
  Flows aged:          1209
    - Active timeout   ( 1800 secs):  100
    - Inactive timeout (   15 secs):  1100
    - Event aged:                     9
    - Watermark aged:                 0
    - Emergency aged:                 0

What does the output indicate?

A.The cache is experiencing watermark aging, indicating memory pressure.
B.Most flows are being aged due to the active timeout, suggesting long-lived flows.
C.The majority of flows are being aged due to the inactive timeout, indicating many short-lived flows.
D.Emergency aging is occurring, which means the cache is full.
AnswerC

1100 out of 1209 aged flows are due to inactive timeout, which is typical for short-lived traffic like DNS or web requests.

Why this answer

The output shows the current state of the Flexible NetFlow cache. The high number of flows aged due to inactive timeout (1100 out of 1209) indicates that most flows are short-lived. The cache is not full (25 out of 1000 entries used), and no watermark or emergency aging has occurred.

This is normal for traffic with many brief connections.

46
MCQhard

A network engineer configures Flexible NetFlow on a router to monitor traffic on a trunk interface with multiple VLANs. The flow monitor is applied to the physical interface. The engineer notices that all flows show the same VLAN ID in the collector, even though traffic from different VLANs is present. What is the most likely cause?

A.The flow record does not include any VLAN match fields.
B.The trunk interface is not configured with 'switchport trunk encapsulation dot1q'.
C.The flow monitor is applied only to the physical interface, not the subinterfaces.
D.The collector does not support VLAN fields.
AnswerA

Without a VLAN key field in the flow record the VLAN tag is never recorded, so every exported flow carries the same (usually zero) value in the collector's VLAN column.

Why this answer

To account per VLAN the flow record needs a VLAN field, for example 'match datalink dot1q vlan input' on IOS-XE (the shorthand 'match dot1q vlan' used above). Without it the tag is not part of the flow key, flows from different VLANs with the same addresses and ports merge into one cache entry, and the collector shows a default value. Applying the monitor to the physical trunk interface is fine; what the record matches on decides what is captured.

47
MCQeasy

Which of the following is a mandatory field in a Flexible NetFlow flow record for IPv4 traffic?

A.Destination port
B.Protocol type
C.Source IP address
D.TCP flags
AnswerC

Option C is the answer this question expects: the source address is the first key of the classic NetFlow 7-tuple and of the predefined 'netflow ipv4 original-input' record.

Why this answer

Strictly, Flexible NetFlow does not mandate any particular field; a user-defined record only needs at least one 'match' field, and a record keyed solely on destination address or protocol is legal. The source address is mandatory in the sense that every traditional NetFlow record (v5 and the FNF 'original-input' emulation) keys on it, while ports and TCP flags are optional keys or collect fields.

48
MCQhard

A network engineer runs the following commands on Router R1:

R1# show flow monitor FLOW-MONITOR-1 cache format table
  Cache type:          Normal
  Cache size:          1000
  Current entries:     0
  High Watermark:      0

  Flows added:         0
  Flows aged:          0
    - Active timeout   (1800 secs)  0
    - Inactive timeout (15 secs)    0
    - Event aged                    0
    - Watermark aged                0
    - Emergency aged                0

R1# show flow interface GigabitEthernet0/1
Interface GigabitEthernet0/1
  FNF:  monitor:             FLOW-MONITOR-1
        direction:           Input
        traffic-statistics:  enabled

Based on both outputs, what is the most likely problem?

A.The flow monitor is attached, but no traffic is flowing through the interface.
B.The flow monitor is not attached to the interface.
C.The cache size is too small.
D.The flow exporter is misconfigured.
AnswerA

The monitor is correctly applied, but 0 flows added indicates no packets are being processed, likely due to no traffic.

Why this answer

The flow monitor is attached to the interface, but the cache shows 0 flows added. This suggests that no traffic is being received on that interface, or the flow record does not match any packets (e.g., record type mismatch).

49
MCQhard

An engineer configures BGP between two routers in the same AS. The iBGP session is established, but the routes learned from eBGP are not being advertised to the iBGP neighbor. The engineer verifies that the next-hop is reachable via IGP. Which is the most likely explanation?

A.BGP synchronization is enabled, and the route is not present in the IGP routing table, so BGP does not advertise it to iBGP peers.
B.The iBGP session is using a loopback interface that is not reachable via the IGP.
C.The BGP table shows the route as 'valid' but 'not best' due to a higher local preference.
D.The router is configured with 'bgp bestpath med missing-as-worst', which affects MED comparison but not advertisement.
AnswerA

Synchronization (off by default in current IOS, on by default in older releases) ties BGP to the IGP: a route learned over iBGP is neither installed in the routing table nor advertised onward unless the same prefix is also present in the IGP. Option A is the answer this question expects.

Why this answer

Reachability of the next hop is only the first requirement. An eBGP-learned route carries the external neighbor's address as its next hop, so iBGP peers need an IGP route to that address or the advertising router must use 'neighbor <peer> next-hop-self'. Separately, iBGP split horizon means a route learned from one iBGP peer is never re-advertised to another iBGP peer, which is why a full mesh or route reflectors are required; that rule does not apply to routes learned from eBGP.

With synchronization enabled, the prefix shows up on the iBGP peer as 'not synchronized' and is neither used nor passed on, so it never propagates beyond the first iBGP hop even though the next hop is reachable. The fix is 'no synchronization' under the BGP process (the modern default) or carrying the prefix in the IGP as well.

50
MCQhard

A network engineer runs the following command to troubleshoot Flexible NetFlow cache usage:

R1# show flow monitor FLOW-MONITOR-1 statistics
  Cache type:          Normal
  Cache size:          1000
  Current entries:     900
  High Watermark:      950

  Flows added:         50000
  Flows aged:          49100
    - Active timeout   ( 1800 secs):  40000
    - Inactive timeout (   15 secs):  9000
    - Event aged:                     100
    - Watermark aged:                 0
    - Emergency aged:                 0

What does this output indicate?

A.The cache is mostly empty and flows are aging normally.
B.The cache is nearly full, with many long-lived flows causing active timeout aging. No watermark or emergency aging has occurred yet.
C.Emergency aging is occurring because the cache is full.
D.Watermark aging has occurred, indicating the cache size needs to be increased.
AnswerB

900 entries used out of 1000, and 40000 flows aged due to active timeout, indicating long flows. Watermark and emergency aging counters are zero.

Why this answer

The cache is nearly full (900 out of 1000 entries). The high watermark is 950, which is close to the cache size. Most flows are aged due to active timeout (40000), indicating long-lived flows.

The cache is under pressure but not yet experiencing watermark or emergency aging.
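The following is an added example, not code from the page or from Cisco: a Python triage helper that parses the counters from 'show flow monitor <name> cache' (the same header is printed by 'show flow monitor <name> statistics') and applies the reasoning used in questions 34, 45, 48 and 50. The function names, the 80% utilisation threshold and the monitor_attached flag (meant to carry the result of 'show flow interface') are the example's own choices; the three sample outputs are the headers quoted in those questions, re-entered as text.

```python
"""Added example (not Cisco code): parse the cache counters from
'show flow monitor <name> cache' / '... statistics' and produce triage findings."""
import re
from typing import Dict, List, Optional

_COUNTERS = {   # the regexes accept both "Event aged 0" and "Event aged: 0"
    "cache_size":     r"Cache size:\s*(\d+)",
    "current":        r"Current entries:\s*(\d+)",
    "high_watermark": r"High Watermark:\s*(\d+)",
    "added":          r"Flows added:\s*(\d+)",
    "aged":           r"Flows aged:\s*(\d+)",
    "active":         r"Active timeout\s*\(\s*(\d+)\s*secs\s*\):?\s*(\d+)",
    "inactive":       r"Inactive timeout\s*\(\s*(\d+)\s*secs\s*\):?\s*(\d+)",
    "event":          r"Event aged:?\s*(\d+)",
    "watermark":      r"Watermark aged:?\s*(\d+)",
    "emergency":      r"Emergency aged:?\s*(\d+)",
}
UTIL_WARN = 0.8   # example threshold, not an IOS value


def parse_cache_stats(text: str) -> Dict[str, int]:
    stats: Dict[str, int] = {}
    for name, pattern in _COUNTERS.items():
        m = re.search(pattern, text)
        if m is None:
            raise ValueError(f"counter {name!r} not found in output")
        values = [int(g) for g in m.groups()]
        if name in ("active", "inactive"):        # these lines carry the timer value too
            stats[name + "_timeout"] = values[0]
            stats[name] = values[1]
        else:
            stats[name] = values[0]
    return stats


def diagnose(stats: Dict[str, int], monitor_attached: Optional[bool] = None) -> List[str]:
    """monitor_attached: result of 'show flow interface', or None if not checked."""
    if stats["added"] == 0 and stats["current"] == 0:
        if monitor_attached is False:
            return ["no flows ever added: the monitor is not applied to any interface"]
        if monitor_attached:
            return ["monitor attached but no flows added: no traffic matching the record on that interface"]
        return ["no flows ever added: check 'show flow interface' to see whether the monitor is attached"]
    findings: List[str] = []
    util = stats["current"] / stats["cache_size"]
    if stats["emergency"]:
        findings.append("emergency aging: cache filled up; raise 'cache entries' or add a sampler")
    elif stats["watermark"]:
        findings.append("watermark aging: cache under memory pressure")
    elif util >= UTIL_WARN:
        findings.append(f"cache {util:.0%} used (high watermark {stats['high_watermark']}), no forced aging yet")
    if stats["aged"]:
        inactive_share = stats["inactive"] / stats["aged"]
        active_share = stats["active"] / stats["aged"]
        if inactive_share > 0.5:
            findings.append(f"{inactive_share:.0%} of aged flows hit the {stats['inactive_timeout']} s "
                            "inactive timeout: mostly short-lived flows")
        if active_share > 0.5:
            findings.append(f"{active_share:.0%} of aged flows hit the {stats['active_timeout']} s "
                            "active timeout: mostly long-lived flows")
    return findings


# Sample outputs re-entered from questions 34, 45 and 50 (both spacing styles occur on the page).
EMPTY_CACHE = """Cache type: Normal Cache size: 1000 Current entries: 0 High Watermark: 0
Flows added: 0 Flows aged: 0 - Active timeout (1800 secs) 0 - Inactive timeout (15 secs) 0
- Event aged 0 - Watermark aged 0 - Emergency aged 0"""
SHORT_LIVED = """Cache type: Normal Cache size: 1000 Current entries: 25 High Watermark: 50
Flows added: 1234 Flows aged: 1209 - Active timeout ( 1800 secs): 100 - Inactive timeout ( 15 secs): 1100
- Event aged: 9 - Watermark aged: 0 - Emergency aged: 0"""
LONG_LIVED = """Cache type: Normal Cache size: 1000 Current entries: 900 High Watermark: 950
Flows added: 50000 Flows aged: 49100 - Active timeout ( 1800 secs): 40000 - Inactive timeout ( 15 secs): 9000
- Event aged: 100 - Watermark aged: 0 - Emergency aged: 0"""

if __name__ == "__main__":
    for label, text in (("empty", EMPTY_CACHE), ("short", SHORT_LIVED), ("long", LONG_LIVED)):
        print(label, diagnose(parse_cache_stats(text), monitor_attached=(label != "empty")))
```

The empty-cache branch deliberately refuses to guess: zero flows added looks the same whether the monitor was never attached (question 34) or is attached to a quiet interface (question 48), and only 'show flow interface' separates the two.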

51
MCQhard

An OSPF network has multiple areas and uses Flexible NetFlow to monitor inter-area traffic. After applying a flow monitor to the ABR's interface, OSPF neighbor relationships fail to form. Router R1 (ABR) shows: show ip ospf neighbor | include (FULL|DOWN) Neighbor 10.0.0.2, interface GigabitEthernet0/0, state DOWN. show flow monitor FLOW-MONITOR statistics | include (Packets|Errors) Packets exported: 1000, Errors: 0. What is the root cause?

A.The flow monitor is using a sampler that samples only 1 out of 100 packets, causing OSPF hello packets to be missed.
B.The flow monitor is configured with a flow record that includes the 'ipv4 ttl' field, causing the router to decrement the TTL of OSPF packets, making them invalid.
C.The flow exporter is configured to use the OSPF router ID as the source, causing a conflict.
D.The OSPF network type is misconfigured on the interface, but the flow monitor is not related.
AnswerA

OSPF hellos default to one every 10 seconds on broadcast and point-to-point networks. Option A is the only option that links the neighbor loss to the newly applied monitor, and it is the answer this question expects.

Why this answer

The monitor is exporting (1000 packets, no errors), so the exporter itself is not the problem, and nothing in the outputs points at a network-type mismatch or a router-ID conflict. Options B and C describe things Flexible NetFlow does not do: it reads header fields such as the TTL and DSCP for accounting and never rewrites them, and the exporter source address has no relationship to OSPF. That leaves A as the only option tied to the change that preceded the failure.

Caveat for practice: sampling is an accounting decision. A sampled flow monitor counts one packet in N; it does not drop the other N-1, so a sampler cannot make OSPF hellos go missing. If an adjacency drops right after a monitor is applied, check interface errors, CPU load and any other change made at the same time before blaming the sampler.

52
MCQhard

In Flexible NetFlow, what is the default 'collect counter bytes' setting for a flow record?

A.Byte counters are collected by default.
B.Byte counters are never collected in Flexible NetFlow.
C.Byte counters are collected only if the flow monitor includes the 'collect counter bytes' command.
D.Byte counters are collected by default only for IPv6 flows.
AnswerC

Correct. Byte counters require explicit configuration.

Why this answer

By default, byte counters are not collected unless explicitly configured with 'collect counter bytes' in the flow record.

53
MCQmedium

A network engineer configures NetFlow on a router using the legacy 'ip flow-export' commands. After applying 'ip route-cache flow' on an interface, 'show ip flow export' shows packets being sent, but the collector reports that all flows have a source IP of the router's management interface instead of the actual source IPs. What is the most likely cause?

A. The 'ip flow-export source' command is set to the management interface, which becomes the source IP of export packets.
B. The router is performing NAT on the flow data before exporting.
C. The flow record is configured to match the router's interface IP as the source.
D. The collector is misconfigured to display the export packet source instead of the flow source.
Answer: A

The export source IP is the source of the NetFlow packets, not the flow data. The collector should display flow source IPs separately.

Why this answer

In legacy NetFlow, the 'ip flow-export source' command sets the source IP of the export packets, not of the flow data. The symptom described is therefore expected: the collector sees the source IP of the export packets, not the flow source IPs. If the collector is misconfigured to interpret the export source as the flow source, that is a collector issue, but more likely the engineer is misreading the collector output. The question tests understanding that the export source IP is not the flow source.

54
Multi-Select · hard

Which TWO statements about NetFlow version 9 and Flexible NetFlow export format are true? (Choose TWO.)

A. NetFlow version 9 uses a template-based architecture that allows the collector to dynamically learn the fields being exported.
B. Flexible NetFlow can only export data using NetFlow version 5 format.
C. The default UDP port for NetFlow export is 2055.
D. The template refresh interval is fixed at 20 minutes and cannot be changed.
E. NetFlow version 9 supports only IPv4 flow data; IPv6 requires version 5.
Answers: A, C

Correct. Version 9 sends templates periodically; the collector uses them to parse the data records.

Why this answer

NetFlow version 9 uses templates to define the format of exported data, which allows flexibility. Flexible NetFlow uses version 9 as its default export format. Version 5 has a fixed format and does not support templates.

The exporter configuration includes the destination IP and UDP port (default 2055). The template refresh interval is configurable using the 'template timeout' command under the exporter. Version 9 supports both IPv4 and IPv6 in the same export stream via separate templates.

55
Drag & Drop · hard

Drag and drop the steps to troubleshoot NetFlow and Flexible NetFlow connectivity failures into the correct order, from first to last.


Why this order

Troubleshooting connectivity failures starts with checking the exporter reachability using ping, then verifying the exporter configuration for correct IP and UDP port, then checking if the collector is listening on the expected port, then inspecting ACLs that might block the flow, and finally using debug ip flow export to see actual packet drops.

56
MCQ · medium

A network engineer runs the following command on Router R1:

R1# show flow monitor FLOW-MONITOR-1 cache format table
Cache type: Normal
Cache size: 1000
Current entries: 500
High Watermark: 800
Flows added: 15000
Flows aged: 14500
  - Active timeout (1800 secs) 12000
  - Inactive timeout (15 secs) 2500
  - Event aged 0
  - Watermark aged 0
  - Emergency aged 0

Based on this output, what is a valid conclusion?

A. The cache is experiencing packet drops due to overflow.
B. Most flows are long-lived, as indicated by the high number of active timeout expirations.
C. The inactive timeout is set too high at 15 seconds.
D. The cache size should be increased to 2000 entries.
Answer: B

Active timeout (1800 secs) aged 12000 flows, meaning flows lasted longer than 30 minutes, indicating long-lived traffic.

Why this answer

The cache has 500 current entries, with many flows added and aged. The high watermark of 800 indicates the cache has been near full, but no emergency aging occurred. The active timeout accounts for most aging, meaning flows are long-lived.

57
MCQ · hard

A network engineer runs the following command on Router R1:

R1# show flow monitor FLOW-MONITOR-1 cache format table
Cache type: Normal
Cache size: 1000
Current entries: 1000
High Watermark: 1000
Flows added: 50000
Flows aged: 49000
  - Active timeout (1800 secs) 40000
  - Inactive timeout (15 secs) 8000
  - Event aged 0
  - Watermark aged 1000
  - Emergency aged 0

Based on this output, what is the most likely issue?

A. The cache size is too small, causing watermark aging and potential loss of flow data.
B. The active timeout is set too low at 1800 seconds.
C. The inactive timeout is set too low at 15 seconds.
D. The flow exporter is not configured.
Answer: A

The cache is full and watermark aging is occurring, meaning flows are being aged out due to lack of space, which can result in incomplete export data.

Why this answer

The cache is full (1000 current entries, high watermark 1000), and watermark aging has occurred (1000 flows aged due to watermark). This indicates the cache is overflowing, causing flows to be aged prematurely to make room for new flows. This can lead to incomplete data.
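Questions 56 and 57 both read the aging counters of 'show flow monitor ... cache format table' by eye. As an added example that is not part of this question bank, the Python below parses that statistics header (the two outputs above, reproduced as constructed samples) and derives the same conclusions mechanically: which aging reason dominates, and whether watermark or emergency aging shows the cache being exhausted. The regex for the aging-reason lines is an assumption about the output layout.

```python
import re

# Constructed samples: the statistics header of the two
# 'show flow monitor FLOW-MONITOR-1 cache format table' outputs quoted in
# questions 56 and 57, laid out one counter per line as IOS-XE prints them.
HEALTHY_CACHE = """\
Cache type:                            Normal
Cache size:                              1000
Current entries:                          500
High Watermark:                           800
Flows added:                            15000
Flows aged:                             14500
  - Active timeout   (  1800 secs)      12000
  - Inactive timeout (    15 secs)       2500
  - Event aged                              0
  - Watermark aged                          0
  - Emergency aged                          0
"""

FULL_CACHE = """\
Cache type:                            Normal
Cache size:                              1000
Current entries:                         1000
High Watermark:                          1000
Flows added:                            50000
Flows aged:                             49000
  - Active timeout   (  1800 secs)      40000
  - Inactive timeout (    15 secs)       8000
  - Event aged                              0
  - Watermark aged                       1000
  - Emergency aged                          0
"""

# An aging-reason line: '- <reason> [(<n> secs)] <count>' (assumed layout);
# the timeout value is ignored here, only the count matters for the verdict.
AGED_RE = re.compile(
    r"^-\s*(?P<reason>[A-Za-z ]+?)\s*(?:\(\s*\d+\s+secs\s*\))?\s+(?P<count>\d+)$"
)


def parse_cache_stats(text):
    """Parse the header into {'cache_size': 1000, ..., 'aged_by': {reason: count}}."""
    stats, aged_by = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("-"):
            m = AGED_RE.match(line)
            if not m:
                raise ValueError(f"unrecognised aging line: {line!r}")
            aged_by[m["reason"]] = int(m["count"])
            continue
        key, _, value = line.partition(":")
        value = value.strip()
        stats[key.strip().lower().replace(" ", "_")] = int(value) if value.isdigit() else value
    # Sanity check: the per-reason counters must add up to 'Flows aged'.
    if sum(aged_by.values()) != stats["flows_aged"]:
        raise ValueError("aging reasons do not sum to 'Flows aged'")
    stats["aged_by"] = aged_by
    return stats


def assess_cache(stats):
    """Derive the conclusions questions 56 and 57 ask for from the counters."""
    size, aged_by = stats["cache_size"], stats["aged_by"]
    dominant = max(aged_by, key=aged_by.get)
    # Watermark/emergency aging means entries were evicted to make room, so
    # those flows were cut short before their timers expired.
    forced = aged_by.get("Watermark aged", 0) + aged_by.get("Emergency aged", 0)
    if forced:
        verdict = "cache exhausted: flows aged early, export data may be incomplete"
    elif dominant == "Active timeout":
        verdict = "long-lived flows dominate; cache is healthy"
    elif dominant == "Inactive timeout":
        verdict = "short-lived flows dominate; cache is healthy"
    else:
        verdict = "cache is healthy"
    return {
        "utilization_pct": 100 * stats["current_entries"] // size,
        "peak_pct": 100 * stats["high_watermark"] // size,
        "dominant_reason": dominant,
        "forced_aging": forced,
        "verdict": verdict,
    }
```

Running `assess_cache(parse_cache_stats(FULL_CACHE))` flags the 1000 watermark-aged flows from question 57, while the question 56 sample reports only that long-lived flows dominate.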

58
MCQ · hard

Which statement correctly describes the default behavior of the 'flow monitor' in Flexible NetFlow regarding the collection of BGP next-hop information?

A. BGP next-hop is always collected by default in Flexible NetFlow monitors.
B. BGP next-hop is never collected in Flexible NetFlow, only in traditional NetFlow.
C. BGP next-hop is collected only if the flow record includes the 'match routing bgp next-hop' command.
D. BGP next-hop is collected by default only for IPv4 flows.
Answer: C

Correct. The BGP next-hop must be explicitly matched in the flow record.

Why this answer

By default, Flexible NetFlow does not collect BGP next-hop information unless explicitly configured in the flow record.

59
MCQ · medium

Examine this partial configuration on router R3:

flow record RECORD-2
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes
 collect counter packets
!
flow monitor MONITOR-3
 record RECORD-2
 cache timeout active 60
 cache timeout inactive 15
!
interface GigabitEthernet0/3
 ip flow monitor MONITOR-3 input
 ip flow monitor MONITOR-3 output
!

Which statement is true about this configuration?

A. The router will create separate flow records for traffic entering and leaving GigabitEthernet0/3, doubling the cache entries.
B. The router will aggregate input and output flows into a single cache entry for each unique flow.
C. The inactive timeout of 15 seconds will cause flows to be exported only after 15 seconds of inactivity, overriding the active timeout.
D. The configuration is invalid because a flow monitor cannot be applied to both input and output on the same interface.
Answer: A

Applying the same flow monitor in both input and output directions creates separate flow entries for each direction, effectively doubling the cache usage.

Why this answer

This question tests understanding of bidirectional flow monitoring and cache timeout interaction.

60
Drag & Drop · medium

Drag and drop the steps to configure Flexible NetFlow with a custom flow record into the correct order, from first to last.


Why this order

The correct order follows Cisco IOS-XE configuration logic: first define the flow record with match fields, then define the flow exporter with destination and source, then define the flow monitor binding record and exporter, then apply the monitor to an interface in the ingress direction, and finally verify with 'show flow monitor'.

61
MCQ · medium

Examine this partial configuration on router R5:

flow record RECORD-3
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 collect routing source as
 collect routing destination as
!
flow monitor MONITOR-5
 record RECORD-3
 cache timeout active 60
!
interface GigabitEthernet0/5
 ip flow monitor MONITOR-5 input
!

What is missing or incorrect in this configuration?

A. The flow record is missing 'match ipv4 source prefix-length' and 'match ipv4 destination prefix-length' to collect AS numbers.
B. The router must have BGP configured and the flow record must include 'match ipv4 bgp source-as' and 'match ipv4 bgp destination-as' to collect AS numbers.
C. The flow monitor is missing the 'cache timeout inactive' command to properly age out flows.
D. The configuration is correct; AS numbers will be collected automatically from the routing table.
Answer: B

To collect BGP AS numbers, the flow record must match BGP AS attributes using 'match ipv4 bgp source-as' and 'match ipv4 bgp destination-as'. The 'collect routing source as' command alone is insufficient without the corresponding match.

Why this answer

This question tests knowledge of BGP AS number collection requirements in Flexible NetFlow.

62
MCQ · hard

A network uses route summarization to reduce routing table size. After enabling Flexible NetFlow, some routes that were previously summarized are now being advertised individually. Router R1 has:

interface GigabitEthernet0/0
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0

The flow monitor is applied to the same interface. 'show ip route eigrp | include (10.0.0.0/8)' shows the summary route, but also shows more specific routes like 10.1.0.0/16. What is the root cause?

A. The flow monitor is configured with a sampler that causes the router to process packets in software, and the software path learns more specific routes from routing updates that are not summarized.
B. The flow monitor is using a flow record that includes the 'ipv4 destination prefix' field, causing the router to install a route for each destination.
C. The summary route is not configured correctly; it should be a range of /8, but the more specific routes are from a different EIGRP process.
D. The flow exporter is sending the more specific routes to the collector, which then redistributes them back.
Answer: A

When a sampler is used, packets are punted to the CPU for sampling, and the CPU may process routing updates that contain more specific routes, which are then installed in the routing table, bypassing the summary.

Why this answer

Flexible NetFlow changes how the router processes packets, but by itself it should not affect route summarization. One hypothesis is that a flow record including the 'ipv4 source prefix' or 'ipv4 destination prefix' fields causes the router to install more specific routes from its flow cache entries, overriding the summary; that is not standard behavior and can be set aside.

The more likely chain is that the summary is configured on the interface, the flow monitor is applied in the input direction, and CEF (Cisco Express Forwarding) is affected by the flow monitor so that packets are punted to the CPU, which then learns more specific routes via the routing protocol. The correct answer is therefore that the flow monitor is configured with a sampler that causes the router to process packets in software, and the software path learns more specific routes from the routing updates that are not summarized.

63
MCQ · medium

Examine the following partial configuration on router R1:

flow record RECORD-1
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 collect counter bytes
 collect counter packets
!
flow monitor MONITOR-1
 record RECORD-1
 cache timeout active 60
!
interface GigabitEthernet0/1
 ip flow monitor MONITOR-1 input
!

Which statement about this configuration is true?

A. The flow monitor will export flow records every 60 seconds regardless of whether the flow is still active.
B. The flow monitor will only export flows that have been idle for 60 seconds.
C. The flow record is missing the 'collect transport tcp-flags' command to be valid.
D. The flow monitor will not export any data because no exporter has been configured.
Answer: A

The cache timeout active 60 command causes active flows to be exported every 60 seconds, even if the flow is still ongoing.

Why this answer

This question tests understanding of Flexible NetFlow configuration components and the effect of the cache timeout active command.

64
MCQ · hard

An engineer configures Flexible NetFlow with a flow record that includes 'match ipv4 protocol' and 'collect counter packets'. The flow monitor is applied to an interface. 'show flow monitor name MONITOR cache' shows flows, but the packet counts are much lower than expected based on interface counters. What is the most likely cause?

A. The flow monitor is applied only in the ingress direction, missing egress traffic.
B. The flow record does not include 'match ipv4 source address', causing flows to be aggregated incorrectly.
C. The router is using sampled NetFlow with a default sampling rate of 1:1000.
D. The flow exporter is rate-limiting the export, causing cache entries to be dropped before counting.
Answer: A

If the monitor is applied only ingress, egress packets are not counted. Applying it in both directions or using a sampler with appropriate rate can match interface counters.

Why this answer

Flexible NetFlow does not apply sampling unless a 'sampler' is explicitly configured; the effective default rate is 1 (no sampling), so option C does not explain the gap. The likely cause is that the monitor is applied in only one direction (ingress or egress) while the traffic is bidirectional, so only half of the traffic is captured.

65
Multi-Select · hard

An engineer needs to troubleshoot a NetFlow deployment where flow data is not being exported to the collector. Which TWO commands can be used to verify the operational status of NetFlow on a Cisco IOS-XE device? (Choose TWO.)

A. show ip flow export
B. show ip cache flow
C. show ip flow interface
D. debug ip flow export
E. show flow exporter
Answers: A, C

Correct. This command displays export statistics, including the number of flows sent, failed exports, and the export destination.

Why this answer

The 'show ip flow export' command displays the export statistics, including the number of flows exported and any export failures. The 'show ip flow interface' command shows which interfaces have NetFlow enabled and the direction of collection. The other options are incorrect: 'show ip cache flow' shows the active flow cache but not export status; 'debug ip flow export' is a debug command, not a show command; 'show flow exporter' is a Flexible NetFlow command but requires the specific exporter name.

66
Multi-Select · hard

Which TWO statements about Flexible NetFlow flow records are true? (Choose TWO.)

A. A flow record defines which fields are matched (key fields) and which fields are collected (non-key fields).
B. Flexible NetFlow flow records can only match on Layer 3 and Layer 4 fields.
C. A flow record must contain at least one key field and cannot contain non-key fields.
D. Flow records can collect fields such as packet count, byte count, and first/last packet timestamps.
E. Flexible NetFlow flow records are only supported for IPv4 traffic.
Answers: A, D

Flow records specify key fields for flow identification and non-key fields for data collection.

Why this answer

Flexible NetFlow allows user-defined flow records that can match on Layer 2, 3, and 4 fields, such as MAC addresses, IP addresses, and TCP/UDP ports. Additionally, flow records can collect non-key fields like packet and byte counts, timestamps, and interface counters. Option B is false because Flexible NetFlow can also match on Layer 2 fields.

Option C is false because flow records can include both key and non-key fields. Option E is false because Flexible NetFlow records are not limited to IPv4; they can also support IPv6 and MPLS.

67
MCQ · medium

What is the default export interval for NetFlow data when using the 'flow exporter' with UDP as the transport protocol?

A. Every 60 seconds
B. Every 30 seconds
C. Exports are triggered by flow aging or cache fullness, not a fixed interval.
D. Every 10 seconds
Answer: C

Correct. NetFlow exports are event-driven based on flow timeout or cache threshold.

Why this answer

The default export interval is governed by the flow cache timeouts; there is no fixed interval, and exports occur when flows age out or the cache is full.

68
Multi-Select · medium

Which TWO commands would a network engineer use to verify NetFlow data export and flow monitor statistics on a Cisco IOS-XE router? (Choose TWO.)

A. show flow monitor name FLOW-MON cache
B. show ip cache flow
C. show ip flow export
D. debug ip flow export
E. show snmp mib ifmib ifindex
Answers: A, B

Displays the flow cache entries for a specific Flexible NetFlow monitor, including key fields and counters.

Why this answer

The 'show flow monitor name <name> cache' command displays detailed flow cache entries for a specific Flexible NetFlow monitor, including packet/byte counts and timestamps. The 'show ip cache flow' command is the traditional way to verify NetFlow statistics and export status. Option C ('show ip flow export') is plausible but shows only export parameters, not cache data.

Option D is a debug command not used for verification. Option E is for SNMP, not NetFlow.

69
MCQ · medium

A network engineer is troubleshooting a sudden drop in NetFlow data on a Cisco router running IOS-XE 17.x. The engineer verifies that 'ip flow-export destination 10.1.1.100 2055' is configured, and the collector is reachable. However, 'show ip flow export' shows zero packets exported. What is the most likely cause?

A. The collector IP address is incorrect.
B. No flow monitor is applied to any interface.
C. The export version is set to 9 but the collector expects version 5.
D. The router is in a VRF that is not configured for NetFlow export.
Answer: B

NetFlow data is only generated when a monitor or flow is enabled on an interface; without it, no flows are exported.

Why this answer

NetFlow generation requires at least one flow monitor or flow record to be applied to an interface. Without an 'ip flow monitor' or 'ip route-cache flow' command on an interface, no flows are created and therefore nothing is exported.

70
MCQ · hard

A network engineer configures Flexible NetFlow on a router that also runs CoPP (Control Plane Policing). After applying the flow monitor to the ingress interface, the router's CPU spikes and management traffic (SSH, SNMP) becomes intermittent. Router R1 shows:

show policy-map control-plane | include (class|police)
  class CoPP-MGMT
    police rate 10000 pps

show flow monitor FLOW-MONITOR statistics | include (Packets|Dropped)
  Packets dropped: 5000

What is the root cause?

A. The flow monitor's cache size is too small, causing packet drops and CPU spikes due to cache overflow.
B. CoPP is rate-limiting NetFlow export packets because they are classified as management traffic, causing export failures and cache buildup.
C. The flow exporter is configured with a wrong destination IP, causing all export packets to be dropped by the router.
D. The flow monitor is applied in the output direction, causing a loop.
Answer: B

NetFlow export packets are sent from the control plane and are subject to CoPP. If the CoPP policy rate-limits management traffic, export packets will be dropped, leading to cache overflow and CPU spikes.

Why this answer

Flexible NetFlow can generate a large number of export packets, especially if the flow monitor is configured to export all flows. These export packets are sent from the router's control plane, so if CoPP is policing management traffic, the export packets may be classified as management traffic and dropped. The 'Packets dropped: 5000' counter on the flow monitor shows the consequence: the export process is overwhelmed and the cache fills up.

That counter could also be read as the cache being too small, with the CPU spike caused by the export process consuming resources, but CoPP rate-limiting the export packets is what causes those drops in the first place. The root cause is that CoPP is rate-limiting the NetFlow export traffic, which is classified as management traffic, causing the export to fail and the cache to fill up.

71
Drag & Drop · medium

Drag and drop the steps to verify and validate NetFlow and Flexible NetFlow operational state into the correct order, from first to last.


Why this order

Verification starts with checking that the flow monitor is active on the interface, then confirming flow records are being generated, then checking exporter statistics for sent packets, then validating the collector receives the data, and finally comparing flow counts to interface counters for accuracy.

72
MCQ · hard

Which statement correctly describes the default 'match' direction in a Flexible NetFlow flow record?

A. The default match direction is 'output' (egress).
B. The default match direction is 'both' (input and output).
C. The default match direction is 'input' (ingress).
D. There is no default direction; it must always be specified.
Answer: C

Correct. Flexible NetFlow matches on input by default.

Why this answer

The default match direction is 'input' (ingress), meaning flows are matched on incoming traffic only.

73
MCQ · hard

A network engineer runs the following command to debug Flexible NetFlow cache events:

R1# debug flow monitor FLOW-MONITOR-1
Flow Monitor FLOW-MONITOR-1 debugging is on
R1#
*Mar 1 00:10:15.123: FLOW MONITOR: Cache entry created for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP)
*Mar 1 00:10:15.124: FLOW MONITOR: Cache entry updated for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - bytes: 1460, packets: 1
*Mar 1 00:10:15.125: FLOW MONITOR: Cache entry updated for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - bytes: 2920, packets: 2
*Mar 1 00:10:45.123: FLOW MONITOR: Cache entry aged for flow 10.0.0.1:1234 -> 192.168.1.100:80 (TCP) - reason: inactive timeout

What does this output indicate?

A. The flow was aged due to active timeout after 1800 seconds.
B. The flow was created, updated twice, and then aged due to inactive timeout, indicating a normal flow lifecycle.
C. The flow was dropped because the cache was full.
D. The flow is still active in the cache.
Answer: B

The debug shows creation, two updates as packets arrive, and eventual aging due to inactivity, which is expected.

Why this answer

The debug output shows the lifecycle of a flow in the Flexible NetFlow cache. A flow is created, then updated as packets are received, and eventually aged out due to inactive timeout after 30 seconds of inactivity (the default is 15 seconds, but this may be configured differently). This is normal behavior for a TCP connection that has ended.

74
MCQ · hard

An engineer configures Control Plane Policing (CoPP) on a router to protect the management plane. After applying the policy, the router becomes unreachable via SSH, but the console is still accessible. The engineer checks the CoPP policy and sees that SSH traffic is permitted. Which is the most likely explanation?

A. The class-map for SSH uses 'match protocol ssh' but the SSH server is configured on a non-default port, so the traffic is not matched and is dropped by the default class.
B. The CoPP policy is applied in the input direction, but SSH traffic is generated by the router itself, so it is not affected by input policing.
C. The CoPP policy uses 'rate-limit' in bps instead of pps, causing all traffic to be dropped due to a misconfiguration.
D. The CoPP policy has an explicit deny statement before the permit statement for SSH, so SSH traffic is denied.
Answer: A

CoPP class-maps that match by protocol may not match non-standard ports. If the default class has a drop action, SSH traffic will be dropped.

Why this answer

CoPP policies end with an implicit catch-all class. If the class-map for SSH does not match the traffic correctly (e.g., it uses the wrong protocol or port), SSH packets fall through to the default class. That default class permits traffic unless it is explicitly configured with a drop action, in which case all unmatched traffic is dropped.

A common edge case is when the class-map uses 'match protocol ssh' but the router uses a different port for SSH (e.g., port 2222), so the traffic is not matched and is dropped by the default class.

75
MCQ · medium

A network engineer runs the following command to verify the NetFlow export destination:

R1# show ip flow export
Flow export v9 is enabled for main cache
  Export source and destination details :
  VRF ID : Default
    Destination(1)  192.168.1.100 (2055)
    Source IP       10.0.0.1
  Origin AS 65000
  Peer AS 65001
  Mask for source 255.255.255.255
  Mask for destination 255.255.255.255
  Version 9 flow records
  1234 flows exported in 567 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  0 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures

What does this output indicate?

A. NetFlow export is failing due to adjacency issues.
B. NetFlow export is successful with 1234 flows exported and no errors.
C. NetFlow is using version 5 export.
D. The export destination is not configured.
Answer: B

All drop counters are zero, and 1234 flows have been successfully exported.

Why this answer

The output shows that NetFlow export is working correctly. It is exporting version 9 flows to destination 192.168.1.100 on port 2055, using source IP 10.0.0.1. There are no failures or drops, indicating successful export.

