CCNA SNMP Troubleshooting Questions

1
MCQ · hard

A network engineer runs the following command on Router R1:

    R1# show snmp statistics
    SNMP packets input: 150
    Bad SNMP version errors: 0
    Unknown community name: 25
    Illegal operation for community name: 0
    Encoding errors: 0
    Number of requested variables: 300
    Number of altered variables: 0
    Get-request PDUs: 120
    Get-next PDUs: 30
    Set-request PDUs: 0
    SNMP packets output: 200
    Too big errors: 0
    No such name errors: 10
    Bad values errors: 0
    General errors: 0
    Response PDUs: 200
    Trap PDUs: 0

Based on this output, which statement is correct?

A. There are 25 SNMP requests with invalid community strings.
B. The router has sent 150 trap PDUs.
C. There were 10 set requests that failed due to bad values.
D. The router received 200 SNMP packets.
Answer: A

The 'Unknown community name' counter of 25 indicates that many requests used community strings not recognized by the router.

Why this answer

The output shows SNMP statistics. There are 25 'Unknown community name' errors, indicating that some SNMP requests are using community strings not configured on the router. Additionally, there are 10 'No such name errors' in the output, meaning the requested MIB objects do not exist.

No set requests were received.

2
MCQ · hard

An engineer configures SNMPv2c with a community string 'public' and an ACL that permits only the NMS IP address. The NMS can poll the router successfully. Later, the engineer adds a second community string 'monitor' with a different ACL that permits a second NMS. The first NMS now fails to poll. Which is the most likely explanation?

A. The ACL for the 'public' community string was accidentally removed when the 'monitor' community string was added.
B. The second community string 'monitor' has a higher priority and overrides the first.
C. The router can only support one community string at a time.
D. The first NMS must be reconfigured to use the 'monitor' community string.
Answer: A

If the engineer used the 'no snmp-server community public' command to reconfigure, the ACL might have been removed; the new configuration might not include the ACL, allowing all IPs or none.

Why this answer

When multiple community strings are configured, the router matches the community string from the request. If the first NMS sends the community string 'public', it should still work. However, if the ACL for 'public' is inadvertently removed or modified, or if the second community string's ACL inadvertently blocks the first NMS, issues can arise.

3
MCQ · hard

Router R4 is configured as an SNMP agent for a large network. The NMS is at 10.10.10.10. The configuration includes: snmp-server community mycom RO, snmp-server host 10.10.10.10 version 2c mycom, snmp-server enable traps. However, the NMS receives no traps. R4's show snmp statistics shows TrapsSent: 0, and show snmp pending shows no pending. The NMS can poll R4 using the community string 'mycom'. What is the root cause?

A. The community string 'mycom' is configured as read-only (RO), but SNMP trap notifications require a read-write (RW) community string on some IOS versions.
B. The NMS is not listening on UDP port 162.
C. The router's SNMP agent is disabled due to low memory.
D. The 'snmp-server enable traps' command is missing specific trap types.
Answer: A

In certain IOS versions, traps are only sent if the community string has RW privileges. The RO community cannot be used for trap generation.

Why this answer

The community string 'mycom' is used for both read-only access and trap notification. However, the 'snmp-server host' command uses the community string as a key for trap authentication. If the community string is configured as RO, it may not be allowed to send traps because traps require RW access in some implementations.

But more commonly, the issue is that the trap source interface is not configured, and the router uses the outgoing interface IP, which may not be reachable from the NMS. However, the NMS can poll, so reachability is fine. The correct answer is: "The community string 'mycom' is configured as read-only (RO), but SNMP trap notifications require a read-write (RW) community string on some IOS versions."

4
MCQ · medium

A network engineer runs the following command to troubleshoot SNMP access lists:

    R1# show snmp access
    Access-list: 10
    Community: public
    View: v1default

    Access-list: 20
    Community: private
    View: v1default

What does this output indicate?

A. SNMP access is controlled by ACLs: ACL 10 for 'public' and ACL 20 for 'private'.
B. No ACLs are applied to SNMP, so all access is allowed.
C. The router uses SNMPv3 exclusively.
D. The 'public' community has read-write access.
Answer: A

The output shows the mapping between ACLs and communities.

Why this answer

The show snmp access command displays SNMP access control lists. The output shows that access-list 10 is used for community 'public' and access-list 20 for community 'private', both using view 'v1default'.

5
Multi-Select · hard

Which TWO actions will prevent an SNMPv2c NMS from receiving traps from a Cisco router? (Choose TWO.)

Select 3 answers
A. The NMS is configured with a community string that does not match the community string used in the 'snmp-server host' command on the router.
B. The router has an ACL applied to its VTY lines that denies UDP port 162.
C. The 'snmp-server enable traps' command is missing from the router configuration.
D. The NMS is listening on UDP port 161 instead of UDP port 162.
E. The 'snmp-server host' command specifies the IP address of a different NMS.
Answers: A, C, E

The NMS must use the same community string as the router's trap community; otherwise, the NMS will discard the traps.

Why this answer

To receive traps, the NMS must be configured as a trap receiver with the correct community string, and the router must send traps to the correct IP and UDP port 162. If the community string on the NMS does not match the router's trap community, traps are discarded. If the router is configured to send traps to a different IP than the NMS, the NMS never receives them.

The 'snmp-server enable traps' command enables trap generation; without it, no traps are sent. The 'snmp-server host' command specifies the destination; if omitted, traps are not sent. ACLs applied to the router's VTY lines do not affect SNMP trap traffic, which uses UDP port 162.

6
MCQ · medium

    snmp-server enable traps
    snmp-server host 192.168.1.100 traps version 2c public
    snmp-server host 192.168.1.200 informs version 2c public

What is the effect of this configuration?

A. Traps are sent to 192.168.1.100 and informs are sent to 192.168.1.200.
B. Both hosts receive traps.
C. Both hosts receive informs.
D. Only traps are enabled; informs require SNMPv3.
Answer: A

The first host is configured for traps, the second for informs, as specified by the 'traps' and 'informs' keywords.

Why this answer

This enables all SNMP traps and configures two hosts: one to receive traps (unacknowledged) and one to receive informs (acknowledged). Both use SNMPv2c with the community string 'public'.

7
Multi-Select · hard

Which TWO configuration steps are required to enable SNMPv3 with authentication and encryption on a Cisco router? (Choose TWO.)

Select 2 answers
A. snmp-server group GROUP v3 priv
B. snmp-server user USER GROUP v3 auth sha PASSWORD priv aes 128 PASSWORD
C. snmp-server community PUBLIC ro
D. snmp-server host 10.1.1.1 version 3 priv USER
E. snmp-server enable traps
Answers: A, B

Creates an SNMPv3 group with the 'priv' keyword to enable encryption.

Why this answer

To configure SNMPv3 with authPriv, you must first define an SNMP group with the appropriate security level using 'snmp-server group', then create a user associated with that group using 'snmp-server user' with authentication and privacy passwords. The 'snmp-server community' command is for SNMPv1/v2c, and 'snmp-server host' is for trap destinations.

8
MCQ · medium

When troubleshooting SNMPv3 authentication failures, which default HMAC algorithm is used if the user is configured with "auth md5"?

A. HMAC-SHA-96
B. HMAC-MD5-96
C. HMAC-SHA-256
D. No HMAC is used; MD5 is used directly.
Answer: B

RFC 3414 defines HMAC-MD5-96 as the authentication protocol for usmHMACMD5AuthProtocol.

Why this answer

SNMPv3 uses HMAC-MD5-96 for authentication when MD5 is specified.

9
MCQ · hard

A network engineer configures SNMPv3 with authentication only (no privacy) on a router. The NMS can poll the router successfully. Later, the engineer adds the 'priv' option to the user configuration. The NMS now fails to poll the router. Which is the most likely explanation?

A. The NMS is still configured with the old credentials that do not include the privacy protocol and key.
B. The router's SNMP engine ID changed when the user was modified.
C. The privacy protocol (e.g., AES) is not supported on the router.
D. The NMS must restart to recognize the new security level.
Answer: A

SNMPv3 requires that both the agent and NMS agree on the security level; if the agent requires privacy but the NMS does not provide it, the request fails.

Why this answer

When privacy is added to an SNMPv3 user, the NMS must be configured with the privacy protocol and key. If the NMS is still using the old credentials without privacy, authentication may succeed but privacy decryption fails, causing the response to be discarded.

10
MCQ · hard

A network engineer configures SNMPv3 with authentication and privacy on a router. The NMS polls the router successfully. The engineer then configures IPsec to encrypt all traffic between the router and the NMS. The NMS now fails to poll the router. Which is the most likely explanation?

A. The IPsec configuration does not include an ACL that matches SNMP traffic (UDP port 161).
B. SNMPv3 encryption and IPsec encryption are incompatible and cannot be used together.
C. The IPsec configuration uses aggressive mode, which is incompatible with SNMPv3.
D. The router's SNMP process must be restarted after IPsec is configured.
Answer: A

If the IPsec crypto map's ACL does not match SNMP packets, the traffic is sent in clear text, but the NMS may expect encrypted traffic or the router may not process the packets correctly.

Why this answer

IPsec encryption of SNMP traffic can cause issues if the IPsec configuration does not match the SNMP traffic or if the IPsec security association (SA) is not established. Additionally, SNMPv3 already provides encryption; double encryption may cause performance issues or misconfiguration.

11
MCQ · medium

A network engineer is troubleshooting why the NMS cannot poll the CPU utilization of router R7 via SNMP. The router has 'snmp-server community cisco RO' configured. The NMS can poll interface statistics and routing table entries successfully. What is the most likely cause?

A. The engineer configured an SNMP view that excludes the CPU utilization OID tree.
B. The router needs the 'snmp-server enable traps cpu' command to allow CPU polling.
C. The NMS is using an incorrect OID for CPU utilization; the correct OID is in the CISCO-PROCESS-MIB.
D. The router's CPU is not supported for SNMP polling due to hardware limitations.
Answer: A

Correct because an SNMP view can restrict access to specific MIB objects; if the view does not include the CPU OIDs, polling fails.

Why this answer

CPU utilization OIDs are part of the CISCO-PROCESS-MIB, which may not be loaded by default. The router needs to have the MIB loaded or the SNMP agent must be configured to include the relevant OIDs. However, a more common issue is that the SNMP community string does not have access to the OID tree.

Because other OIDs can be polled, the community string and reachability are working, so the problem is specific to the CPU OIDs. The 'snmp-server enable traps cpu' command applies to traps, not polling; for polling, the CISCO-PROCESS-MIB is usually available on IOS.

A plausible cause is an SNMP view applied to the community that restricts access to certain OIDs, although the stem does not mention a view.

Another common issue is a newer IOS that requires the 'process cpu' command to enable CPU statistics. The scenario intended here is that the engineer configured an SNMP view that excludes the CPU OID.

12
MCQ · medium

What is the default SNMPv3 security level for a user configured with the "snmp-server user username groupname v3 auth sha password" command?

A. noAuthNoPriv
B. authNoPriv
C. authPriv
D. The command is invalid without specifying a security level.
Answer: B

When only auth is configured without priv, the default security level is authNoPriv per RFC 3414.

Why this answer

The command specifies authentication (SHA) but no privacy, so the default security level is authNoPriv.

13
MCQ · medium

A network engineer notices that an SNMPv3 poll from the NMS to router R1 fails with an authentication error. The engineer has configured 'snmp-server group ADMIN v3 priv' and 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456'. The NMS is configured with the same credentials. What is the most likely cause of the failure?

A. The SNMP group is missing the 'access' ACL that permits the NMS IP address.
B. The SNMP user password must be at least 8 characters; 'cisco123' is only 8, but the hash algorithm requires a minimum of 12 characters.
C. The NMS is using SNMPv2c, which is incompatible with SNMPv3 configuration.
D. The 'priv' keyword in the group definition should be 'auth' instead to match the user's authentication settings.
Answer: A

Correct because SNMPv3 requires an access list on the group to allow the NMS; without it, the NMS is denied despite correct credentials.

Why this answer

The SNMPv3 user configuration must include the 'access' keyword to associate the user with an ACL that permits the NMS; without it, the default behavior may deny all access. The error indicates authentication fails, but the credentials match, so the issue is likely an access control restriction.

14
MCQ · hard

A network engineer runs the following command to troubleshoot SNMPv3 group configuration:

    R1# show snmp group
    group name: admin-group
    security model: v3 auth priv
    read view: v1default
    write view: v1default
    notify view: v1default

    Group name: monitor-group
    security model: v3 auth no priv
    read view: v1default
    write view: none
    notify view: v1default

What does this output indicate?

A. The 'admin-group' requires authentication and encryption, while 'monitor-group' requires only authentication.
B. Both groups require authentication and encryption.
C. The 'monitor-group' has read-write access.
D. The groups use SNMPv2c security model.
Answer: A

admin-group uses 'auth priv' (auth + encryption), monitor-group uses 'auth no priv' (auth only).

Why this answer

The show snmp group command displays SNMPv3 groups. The output shows 'admin-group' with auth and privacy (encryption) and full access, while 'monitor-group' has auth but no privacy and read-only access.

15
MCQ · hard

Router R7 is part of an MPLS VPN network. It has multiple VRFs. The NMS is in the global routing table and needs to poll SNMP from devices in VRF BLUE. The configuration includes: snmp-server community public RO, snmp-server vrf BLUE community public RO. However, the NMS cannot poll the loopback interface of a router in VRF BLUE. The NMS can poll R7's global interfaces. What is the root cause?

A. The NMS is trying to poll a device in VRF BLUE, but the SNMP agent on R7 is not configured to respond to SNMP requests for that VRF because the 'snmp-server vrf' command is missing the 'community' keyword or the VRF is not properly associated with the SNMP process.
B. The loopback interface of the device in VRF BLUE is not advertised into the VRF's routing table.
C. The SNMP community string 'public' is not allowed in VRF BLUE due to an ACL.
D. The NMS is using SNMPv3, but the VRF configuration only supports v2c.
Answer: A

The 'snmp-server vrf BLUE community public RO' command is correct, but if the VRF is not defined or the interface is not in the VRF, SNMP may not respond. However, the most common issue is that the NMS's source IP is not in the VRF, so the SNMP agent uses the global routing table to respond, causing a mismatch.

Why this answer

SNMP community strings for VRFs require the 'snmp-server vrf' command to associate the community with the VRF. However, the NMS must have reachability to the VRF's loopback. If the NMS is in the global table, it needs a route to the VRF's loopback via route leaking or MPLS VPN.

The issue is that the NMS cannot reach the VRF loopback because there is no route. But the question states the NMS can poll R7's global interfaces, so reachability to R7 is fine. The correct answer is: "The NMS is trying to poll a device in VRF BLUE, but the SNMP agent on R7 is not configured to respond to SNMP requests for that VRF because the 'snmp-server vrf' command is missing the 'community' keyword or the VRF is not properly associated with the SNMP process."

16
MCQ · medium

Which SNMP version introduced the use of a User-based Security Model (USM) and View-based Access Control Model (VACM)?

A. SNMPv1
B. SNMPv2c
C. SNMPv3
D. SNMPv2u
Answer: C

SNMPv3 introduced USM and VACM for security and access control.

Why this answer

SNMPv3 introduced USM for authentication and encryption, and VACM for fine-grained access control. SNMPv1 and v2c use community strings and do not support these security models.

17
MCQ · medium

A network engineer runs the following command to troubleshoot an SNMP issue:

    R1# debug snmp packets
    SNMP: Packet received via UDP from 10.1.1.1 on port 161
    SNMP: GetRequest, reqid 12345, errstat 0, errindex 0
    SNMP: Community string: public
    SNMP: MIB object: 1.3.6.1.2.1.1.1.0 (sysDescr)
    SNMP: Value: Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.7(3)M
    SNMP: Packet sent via UDP to 10.1.1.1 on port 161
    SNMP: GetResponse, reqid 12345, errstat 0, errindex 0

What does this debug output indicate?

A. The SNMP agent is correctly responding to a GetRequest from the NMS at 10.1.1.1.
B. The SNMP agent is failing to process the request due to a community string mismatch.
C. The SNMP agent is sending a trap to the NMS at 10.1.1.1.
D. The SNMP agent is ignoring the request due to an ACL blocking the NMS.
Answer: A

The debug output shows a GetRequest followed by a GetResponse with errstat 0, indicating successful communication.

Why this answer

The debug snmp packets command shows SNMP packet exchanges. The output shows a successful GetRequest from 10.1.1.1 with community 'public' for sysDescr, and a GetResponse with no errors, indicating the SNMP agent is responding correctly.

18
MCQ · medium

    snmp-server community public RO
    snmp-server community private RW
    snmp-server location DataCenter
    snmp-server contact admin@example.com

What is the effect of this configuration?

A. SNMPv3 is enabled with authentication.
B. SNMPv2c is enabled with read-only community 'public' and read-write community 'private'.
C. Only read-only access is allowed using the 'private' community.
D. SNMP traps are enabled to the location DataCenter.
Answer: B

The 'snmp-server community' commands define SNMPv2c community strings with specified access levels.

Why this answer

The configuration enables SNMPv2c with two community strings: public for read-only access and private for read-write access. It also sets the location and contact information for the device.

19
MCQ · easy

What is the default SNMPv2c community string on most Cisco IOS devices?

A. public
B. private
C. cisco
D. No default community string is configured.
Answer: A

Many Cisco devices come with a default 'public' community string for read-only access.

Why this answer

By default, many Cisco IOS devices have no SNMP community configured. However, if a community is preconfigured, it is often 'public' with read-only access. The question tests the default state.

20
MCQ · medium

    snmp-server group MyGroup v3 priv
    snmp-server user MyUser MyGroup v3 auth sha MyPassword priv aes 128 MyPrivKey

What is missing from this SNMPv3 configuration?

A. The group is missing a view definition to allow access to MIB objects.
B. The authentication protocol should be MD5 instead of SHA.
C. The privacy password must be at least 16 characters long.
D. The user must be configured under a different group name.
Answer: A

By default, an SNMPv3 group without a view has no access to MIB objects; a view must be configured using 'snmp-server view' and associated with the group.

Why this answer

The configuration creates an SNMPv3 group with privacy (encryption) and a user with authentication and privacy. However, it does not specify an access list to restrict which hosts can use this user, nor does it define a view for the group. Without a view, the group defaults to no access (or limited access depending on IOS version).

21
MCQ · hard

A network engineer configures SNMPv3 with authentication and privacy on a router. The NMS can poll the router successfully. After a router reload, the NMS fails to poll the router, but the SNMP configuration is unchanged. Which is the most likely explanation?

A. The SNMP engine ID changed after the reload because it was not explicitly configured, causing authentication keys to be recalculated.
B. The router lost its SNMP configuration due to a failed startup config.
C. The NMS's SNMPv3 credentials were deleted during the reload.
D. The router's SNMP process failed to start after reload.
Answer: A

SNMPv3 keys are derived from the engine ID; if the engine ID changes, the NMS must be reconfigured with the new engine ID or the router must have a persistent engine ID configured.

Why this answer

The SNMP engine ID is generated based on the router's MAC address or a configured value. If the router's MAC address changes (e.g., due to a hardware change) or if the engine ID is not explicitly configured, the engine ID may change after reload, causing key mismatch.

22
Multi-Select · hard

Which TWO statements about SNMPv3 engine ID configuration are true? (Choose TWO.)

Select 2 answers
A. The engine ID must be manually configured for SNMPv3 to function.
B. If the engine ID is changed, all existing SNMPv3 users must be reconfigured.
C. The engine ID is used to generate the authentication and encryption keys for SNMPv3 users.
D. The engine ID can be up to 64 octets in length.
E. The engine ID is automatically generated based on the router's serial number.
Answers: B, C

Changing the engine ID invalidates the authentication and encryption keys derived from the old engine ID, requiring users to be reconfigured.

Why this answer

The SNMP engine ID uniquely identifies an SNMPv3 entity. It can be manually configured with the 'snmp-server engine-id' command. If not configured, it is automatically generated based on the router's MAC address.

The engine ID must be unique within a management domain. Changing the engine ID invalidates existing SNMPv3 users (keys are re-derived). The engine ID is used for message processing and key generation.

23
MCQ · easy

A network engineer runs the following command on Router R1:

    R1# show snmp mib ifmib ifindex
    ifIndex: 1
    Interface: GigabitEthernet0/0
    Description: GigabitEthernet0/0

    ifIndex: 2
    Interface: GigabitEthernet0/1
    Description: GigabitEthernet0/1

    ifIndex: 3
    Interface: Loopback0
    Description: Loopback0

    ifIndex: 10
    Interface: Tunnel0
    Description: Tunnel0

Based on this output, which statement is correct?

A. The ifIndex for Loopback0 is 3.
B. The ifIndex values are assigned sequentially starting from 0.
C. GigabitEthernet0/0 has ifIndex 2.
D. Tunnel0 has ifIndex 3.
Answer: A

The output clearly shows Loopback0 with ifIndex 3.

Why this answer

The output shows the mapping between SNMP ifIndex values and interface names. The ifIndex values are not sequential (1,2,3,10), which is normal. The Tunnel0 interface has ifIndex 10.

This mapping is used by SNMP managers to identify interfaces.

24
MCQ · hard

A network engineer configures SNMP traps on router R3 to monitor BGP events. R3 is an iBGP route reflector with multiple clients. The configuration includes: snmp-server enable traps bgp, snmp-server host 192.168.1.100 version 2c public. However, the NMS receives no BGP traps. R3's show snmp pending shows no pending traps. show snmp statistics shows TrapsSent: 0. The NMS can poll R3 successfully via SNMP. What is the root cause?

A. The BGP process is not configured to send traps to the SNMP agent; the command 'snmp-server enable traps bgp' is insufficient on some IOS versions without also enabling 'bgp snmp trap' under the BGP router configuration.
B. The NMS is using SNMPv3 but the router is configured for v2c, causing trap rejection.
C. An ACL on the NMS is blocking UDP port 162 from the router.
D. The router's SNMP trap queue is full, causing traps to be dropped.
Answer: A

In some IOS versions, the SNMP agent needs explicit BGP notification enablement via 'bgp snmp trap' under the BGP router config. Without it, no BGP traps are generated.

Why this answer

SNMP traps for BGP require the BGP MIB to be loaded and the bgp trap sub-type to be enabled. The command 'snmp-server enable traps bgp' enables all BGP traps, but some platforms require additional configuration like 'snmp-server trap-source' to ensure the source IP is reachable. However, the NMS can poll, so reachability is fine.

The issue is that the router's SNMP agent is not generating traps because the BGP process is not sending notifications due to a missing 'bgp snmp trap' configuration under the BGP address-family or the router's SNMP trap queue is full. But show snmp pending shows none, so the queue is fine. The correct answer is: "The BGP process is not configured to send traps to the SNMP agent; the command 'snmp-server enable traps bgp' is insufficient on some IOS versions without also enabling 'bgp snmp trap' under the BGP router configuration."

25
Multi-Select · medium

Which TWO commands would a network engineer use to verify SNMP agent configuration and connectivity on a Cisco IOS router? (Choose TWO.)

Select 2 answers
A. show snmp
B. show snmp host
C. show snmp group
D. show snmp user
E. debug snmp packets
Answers: A, B

Displays SNMP agent statistics, community strings, and trap status.

Why this answer

The 'show snmp' command displays SNMP agent status, community strings, and counters, while 'show snmp host' shows the configured SNMP notification receivers. 'show snmp group' and 'show snmp user' are for SNMPv3 configuration, and 'debug snmp packets' is a troubleshooting tool, not a verification command.

26
MCQ · hard

An engineer configures SNMPv2c with a community string 'public' and an ACL that permits the NMS. The NMS can poll the router. The engineer then applies a CoPP policy that drops SNMP packets (UDP port 161) from all sources except the NMS. The NMS now fails to poll. Which is the most likely explanation?

A. The CoPP policy's ACL does not include the NMS IP address, so SNMP packets from the NMS are dropped by the class-default.
B. CoPP only affects routing protocol traffic, not SNMP.
C. The SNMP community string ACL is overridden by the CoPP policy.
D. The router requires a reload for the CoPP policy to take effect.
Answer: A

CoPP policies typically have a class that matches traffic to be permitted; if the NMS is not matched, its packets fall into class-default, which may be set to drop.

Why this answer

CoPP applies to control plane traffic. If the CoPP policy is misconfigured, it may drop SNMP packets even from permitted sources. Additionally, the ACL in the CoPP policy must match the source IP of the NMS; if the ACL is incorrect or if the CoPP class-default drops all traffic, polling fails.

27
MCQ · easy

Which SNMPv3 message type is used by an SNMP agent to send unsolicited notifications to a manager?

A. GetRequest
B. Response
C. Trap or Inform
D. GetBulkRequest
Answer: C

Traps and informs are unsolicited notifications from agent to manager; informs require acknowledgment.

Why this answer

SNMPv3 uses the same PDU types as v2c; traps and informs are both used for unsolicited notifications.

28
MCQ · hard

Router R5 is configured with SNMPv3 for secure management. The configuration includes: snmp-server group mygroup v3 priv, snmp-server user myuser mygroup v3 auth sha myauth priv aes 128 mypriv. The NMS is configured with the same credentials. However, the NMS cannot poll R5. The debug snmp packet shows: 'Authentication failure'. The NMS and R5 have correct time synchronization via NTP. What is the root cause?

A. The NMS is configured to use MD5 authentication, but the router is configured with SHA.
B. The SNMP engine ID on the router has changed due to a hardware replacement, causing the NMS to have a stale engine ID.
C. The NMS is using SNMPv2c community string instead of SNMPv3.
D. The router's clock is not synchronized with NTP, causing authentication key mismatch.
Answer: A

SNMPv3 authentication failure occurs if the authentication protocol mismatches. The debug shows authentication failure, not privacy, so the issue is auth protocol mismatch.

Why this answer

SNMPv3 authentication failure can be due to incorrect passwords, but the debug shows 'Authentication failure' specifically. Even with correct passwords, the SNMPv3 engine ID must match. The engine ID is generated from the router's MAC address or configured manually.

If the NMS has a different engine ID, authentication fails. However, the most common subtle issue is that the SNMPv3 user is configured with a different authentication protocol than the NMS expects. The debug shows authentication failure, not privacy failure.

The correct answer is: 'The NMS is configured to use MD5 authentication, but the router is configured with SHA.'

29
Multi-Select · hard

Which TWO commands are used to troubleshoot SNMPv3 authentication or encryption failures? (Choose TWO.)

Select 2 answers
A. debug snmp packets
B. show snmp user
C. show snmp group
D. show running-config | include snmp
E. ping <NMS-IP>
Answers: A, B

Shows detailed SNMP packet exchanges, including authentication failures.

Why this answer

To troubleshoot SNMPv3 issues, 'debug snmp packets' shows the actual SNMP packets being sent/received, including authentication and encryption details. 'show snmp user' displays the configured users and their authentication/privacy settings. 'show snmp group' shows group-level security, but not user-specific details. 'show running-config | include snmp' is too broad, and 'ping' is irrelevant.

30
MCQ · medium

A network engineer runs the following command to troubleshoot SNMP trap generation:

    R1# show snmp mib
    sysDescr.0 = Cisco IOS Software, C1900 Software (C1900-UNIVERSALK9-M), Version 15.7(3)M
    sysObjectID.0 = .1.3.6.1.4.1.9.1.1
    sysUpTime.0 = 123456789
    sysContact.0 = admin@example.com
    sysName.0 = R1
    sysLocation.0 = Lab

What does this output indicate?

A. The router's system MIB is populated with correct values, including contact and location.
B. The router's sysContact is not configured, causing SNMP traps to fail.
C. The router is not responding to SNMP queries.
D. The router uses SNMPv3 only.
Answer: A

All system MIB objects have values, indicating proper configuration.

Why this answer

The show snmp mib command displays the system MIB objects. The output shows standard system group values: sysDescr (description), sysObjectID (enterprise OID), sysUpTime (uptime), sysContact, sysName, and sysLocation.

31
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show snmp user
    User name: monitor
    Engine ID: 800000090300001122334455
    storage-type: nonvolatile
    Authentication Protocol: MD5
    Privacy Protocol: DES
    Group-name: readonly

    User name: admin
    Engine ID: 800000090300AABBCCDDEEFF
    storage-type: nonvolatile
    Authentication Protocol: SHA
    Privacy Protocol: AES256
    Group-name: admin

Based on this output, which statement is correct?

A. The 'monitor' user uses deprecated authentication and privacy protocols.
B. The 'admin' user can only read MIB objects.
C. Both users use the same engine ID.
D. The 'monitor' user cannot authenticate because MD5 is not supported.
Answer: A

MD5 and DES are deprecated in favor of SHA and AES due to security vulnerabilities.

Why this answer

The output shows two SNMPv3 users. The 'monitor' user uses MD5 authentication and DES privacy, which are considered weak and deprecated. The 'admin' user uses stronger SHA authentication and AES256 privacy.

The group names indicate the SNMP access level, but the group configuration is not shown here.

32
MCQhard

A network engineer runs the following command to troubleshoot SNMP statistics:

    R1# show snmp statistics
    0 SNMP packets input
        0 Bad SNMP version errors
        0 Unknown community name
        0 Illegal operation for community name supplied
        0 Encoding errors
        0 Number of requested variables
        0 Number of altered variables
        0 Get-request PDUs
        0 Get-next PDUs
        0 Set-request PDUs
        0 Input queue drops
    0 SNMP packets output
        0 Too big errors
        0 No such name errors
        0 Bad values errors
        0 General errors
        0 Get-response PDUs
        0 SNMP trap PDUs

What does this output indicate?

A.No SNMP traffic has been processed, which may indicate a configuration or connectivity issue.
B.SNMP is working correctly with many successful requests.
C.The router is sending many SNMP traps.
D.There are errors due to bad community names.
AnswerA

All counters at zero suggest no SNMP communication has occurred.

Why this answer

The show snmp statistics command displays SNMP packet counters. All counters are zero, indicating that no SNMP packets have been processed since the last counter reset or router reload.

33
MCQmedium

    snmp-server community public RO
    snmp-server community private RW
    snmp-server community secret RW

What is wrong with this configuration?

A.There is no access list to restrict SNMP access.
B.The community strings must be at least 8 characters.
C.Only one read-write community is allowed.
D.The 'public' community should be read-write.
AnswerA

Without an ACL, any host can query the device using these community strings, which is a security concern.

Why this answer

Multiple read-write communities are configured (private and secret). While this is allowed, it can be a security risk. More importantly, the 'public' community is read-only, which is typical, but the configuration lacks any access list restrictions, making SNMP accessible from any source if not filtered elsewhere.

34
MCQeasy

A network engineer runs the following command on Router R1:

    R1# show snmp mib
    MIB: IF-MIB
    MIB: SNMPv2-MIB
    MIB: IP-MIB
    MIB: CISCO-CONFIG-MAN-MIB
    MIB: ENTITY-MIB

Based on this output, which statement is correct?

A.The router supports monitoring of configuration changes via SNMP.
B.The router does not support the IF-MIB.
C.The router only supports Cisco proprietary MIBs.
D.The ENTITY-MIB is used for entity authentication.
AnswerA

CISCO-CONFIG-MAN-MIB provides objects to monitor configuration changes.

Why this answer

The output lists the MIBs supported by the router. The presence of CISCO-CONFIG-MAN-MIB indicates support for configuration management, such as monitoring configuration changes via SNMP. The other MIBs are standard for interface, SNMP, IP, and entity information.

35
MCQeasy

A network engineer runs the following command on Router R1:

    R1# show snmp engineID
    Local SNMP engineID: 800000090300001122334455
    Local SNMP engineBoots: 5

Based on this output, which statement is correct?

A.The SNMP engine has rebooted 5 times.
B.The engine ID is 800000090300001122334455, which is the default for all Cisco devices.
C.The engineBoots value is used for SNMPv2c community authentication.
D.The engine ID must be the same on all devices in the network.
AnswerA

The engineBoots value of 5 indicates the engine has been restarted 5 times.

Why this answer

The output shows the local SNMP engine ID and the number of times the engine has rebooted (engineBoots). The engine ID is used to uniquely identify the SNMP agent. The engineBoots counter is used for SNMPv3 message freshness and security.

36
Multi-Selectmedium

Which THREE symptoms indicate a problem with SNMP trap delivery from a Cisco router? (Choose THREE.)

Select 3 answers
A.The NMS does not receive traps, but other SNMP operations (gets) work.
B.The 'show snmp' command shows increasing 'SNMP queue overflow' counters.
C.Syslog messages show '%SNMP-3-AUTHFAIL' for the trap receiver.
D.The router CPU utilization is consistently above 90%.
E.The NMS can ping the router successfully.
AnswersA, B, C

Indicates a specific issue with trap generation or delivery, not general SNMP connectivity.

Why this answer

Symptoms of SNMP trap delivery issues include: the 'show snmp' command showing incrementing 'Input queue drops' or 'SNMP queue overflow', traps not appearing at the NMS, and syslog messages indicating SNMP authentication failures. A high CPU load is not specific to SNMP traps, and a successful ping does not guarantee trap delivery.

37
Multi-Selecthard

An engineer is troubleshooting an issue where an SNMPv2c NMS cannot poll interface counters on a Cisco router. Which THREE commands can be used to verify the SNMP configuration and connectivity? (Choose THREE.)

Select 3 answers
A.show snmp
B.show snmp mib ifmib ifindex
C.show ip snmp
D.show snmp community
E.debug snmp packet
AnswersA, B, D

This command displays SNMP configuration, including community strings, trap receivers, and packet statistics.

Why this answer

To verify SNMP configuration, 'show snmp' displays community strings, trap receivers, and statistics. 'show snmp mib ifmib ifindex' shows interface indices used by SNMP. 'show snmp community' displays configured community strings and their access (RO/RW). 'show ip snmp' is not a valid command. 'debug snmp packet' shows SNMP packets in real time but is not a verification command; it is a troubleshooting tool that can impact performance.

38
MCQmedium

What is the default SNMP trap queue length on Cisco IOS?

A.10
B.100
C.Unlimited
D.5
AnswerA

The default queue length is 10.

Why this answer

The default trap queue length is 10 messages. If the queue is full, new traps may be dropped. This can be adjusted with the 'snmp-server queue-length' command.

39
MCQeasy

A network engineer configures SNMPv2c on router R3 with 'snmp-server community cisco RO' and 'snmp-server community cisco RW'. The NMS can poll read-only data but fails when trying to write a configuration value. The NMS uses the RW community string. What is the most likely cause?

A.The community string 'cisco' is used for both RO and RW; the router applies the first matching community, which is RO.
B.The NMS is sending the community string in uppercase, but the router expects lowercase.
C.The router needs the 'snmp-server enable traps' command to allow write operations.
D.The NMS must use SNMPv3 for write operations; SNMPv2c does not support writes.
AnswerA

Correct because identical community strings cause the router to use the RO access, preventing writes.

Why this answer

The RW community string is 'cisco', but the RO community string is also 'cisco'. When both are identical, the router treats the community as read-only, ignoring the RW privilege. The engineer must use different community strings for RO and RW.

40
MCQeasy

Which SNMPv2c PDU type is used by the manager to request a large amount of data efficiently, such as an entire routing table?

A.GetRequest
B.GetNextRequest
C.GetBulkRequest
D.SetRequest
AnswerC

GetBulkRequest allows retrieval of multiple variable bindings in one request, ideal for large tables.

Why this answer

GetBulkRequest is designed to retrieve multiple rows of a table in a single request.

41
MCQhard

Router R6 is configured to send SNMP inform requests to the NMS at 192.168.1.1. Configuration: snmp-server host 192.168.1.1 informs version 2c public, snmp-server enable traps. The NMS receives no informs. R6's show snmp statistics shows InformRequestsSent: 0, and show snmp pending shows no pending. The NMS can poll R6 successfully. The network has a firewall between R6 and the NMS that allows UDP 162. What is the root cause?

A.The 'snmp-server host' command for informs requires the 'informs' keyword to be placed correctly, but the router may not support informs with v2c; informs are only supported with SNMPv3.
B.The NMS is not configured to send SNMP responses to informs.
C.The firewall is blocking UDP 162 from the NMS to the router.
D.The router's SNMP agent is not enabled due to a missing 'snmp-server' command.
AnswerA

SNMPv2c does not support informs; it only supports traps. Informs require SNMPv3. The configuration uses v2c, so no informs are sent.

Why this answer

SNMP informs require a response from the NMS. The NMS must be configured to send an SNMP response to the inform. If the NMS does not support informs or is not configured to respond, the router will not send informs.

However, the show statistics shows 0 sends, meaning the router is not even attempting. The issue is that the router's SNMP agent is not generating the inform because the trap source is not reachable or the inform timeout is too low. But the NMS can poll, so reachability is fine.

The correct answer is: 'The 'snmp-server host' command for informs requires the 'informs' keyword to be placed correctly, but the router may not support informs with v2c; informs are only supported with SNMPv3.'

42
MCQmedium

snmp-server ifindex persist What is the effect of this configuration?

A.Interface indices are preserved after a device reload.
B.Interface statistics are cleared on reload.
C.SNMP traps are sent for interface state changes.
D.The ifIndex is based on the interface name.
AnswerA

The 'snmp-server ifindex persist' command ensures that ifIndex values remain consistent across reboots.

Why this answer

This command makes SNMP interface indices persistent across reboots. Without it, interface indices may change after a reload, which can cause issues for NMS systems that rely on consistent ifIndex values.

43
MCQhard

Router R8 is configured with SNMP and IP SLA. The IP SLA operation sends SNMP traps to the NMS when a threshold is crossed. The configuration includes: ip sla 1, icmp-echo 192.168.1.1, threshold 100, timeout 1000, frequency 10, ip sla schedule 1 life forever start-time now, snmp-server enable traps ip sla. However, the NMS receives no traps when the threshold is crossed. The IP SLA operation shows 'Over threshold' in show ip sla statistics. What is the root cause?

A.The IP SLA operation is missing the 'ip sla reaction-configuration' command to trigger SNMP traps when the threshold is exceeded.
B.The NMS is not configured to receive IP SLA traps.
C.The SNMP community string is incorrect for trap sending.
D.The IP SLA operation is not scheduled correctly.
AnswerA

IP SLA traps require a reaction configuration that specifies the threshold and action (e.g., 'ip sla reaction-configuration 1 react timeout threshold 100 action trapOnly'). Without it, no traps are sent.

Why this answer

IP SLA traps require the 'snmp-server enable traps ip sla' command, but also the IP SLA operation must be configured to send traps via the 'ip sla reaction-configuration' command. Without a reaction configuration, no traps are generated even if the threshold is crossed. The correct answer is: 'The IP SLA operation is missing the 'ip sla reaction-configuration' command to trigger SNMP traps when the threshold is exceeded.'

44
MCQmedium

An engineer is troubleshooting why the NMS is not receiving SNMP traps for interface up/down events on router R4. The configuration includes 'snmp-server enable traps snmp linkdown linkup' and 'snmp-server host 10.1.1.200 version 2c public'. The NMS can receive other traps from R4. What is the most likely cause?

A.The engineer combined 'linkdown' and 'linkup' in a single command; they must be configured as separate 'snmp-server enable traps' commands.
B.The NMS is configured to filter out link up/down traps, so they are not displayed.
C.The router needs the 'snmp-server trap-source' command to specify the loopback interface for traps.
D.The 'snmp-server host' command must include the 'udp-port' option to specify port 162.
AnswerA

Correct because the IOS syntax requires separate commands for each trap type; combining them is invalid.

Why this answer

The command 'snmp-server enable traps snmp linkdown linkup' is incorrect; the correct syntax is 'snmp-server enable traps snmp linkdown' and 'snmp-server enable traps snmp linkup' as separate commands. The combined keyword is not recognized, so those traps are not enabled.

45
MCQhard

What is the default retransmission timeout for SNMP informs on a Cisco IOS device?

A.5 seconds
B.30 seconds
C.60 seconds
D.10 seconds
AnswerB

Cisco IOS defaults to a 30-second timeout for inform acknowledgments.

Why this answer

The default timeout is 30 seconds; this is the time the agent waits for a Response before retransmitting.

46
MCQmedium

An engineer is troubleshooting why the NMS is not receiving SNMP traps from router R2. The configuration includes 'snmp-server enable traps', 'snmp-server host 10.1.1.100 version 2c public', and an extended ACL 100 that permits UDP port 162 from 10.1.1.100. The NMS can ping R2. What is the most likely cause?

A.The ACL is applied inbound on the interface, but it should be applied outbound to allow trap packets to leave the router.
B.The 'snmp-server host' command is missing the 'trap' keyword, causing the router to send informs instead.
C.The community string 'public' is case-sensitive; the NMS is using 'Public' with a capital P.
D.The router needs the 'snmp-server trap-source' command to specify the source interface for traps.
AnswerA

Correct because traps are sent from the router; the ACL must permit outbound UDP port 162 to the NMS, not inbound.

Why this answer

SNMP traps are sent from the router (source port 162) to the NMS (destination port 162), but the ACL on the router must permit outgoing traffic from the router's source port 162 to the NMS. The ACL as described only permits incoming UDP 162 from the NMS, which is incorrect.

47
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show snmp trap
    SNMP Trap: enabled

    Trap receiver: 192.168.1.100
    Community: PUBLIC
    Version: 2c
    UDP port: 162
    Enable traps: snmp, interface, bgp

    Trap receiver: 192.168.1.200
    Community: PRIVATE
    Version: 2c
    UDP port: 162
    Enable traps: snmp, ospf

Based on this output, which statement is correct?

A.BGP traps will be sent to 192.168.1.100 but not to 192.168.1.200.
B.Both receivers will receive OSPF traps.
C.The traps are sent using SNMPv3.
D.Interface traps are sent to 192.168.1.200.
AnswerA

The first receiver has 'bgp' in its enable traps list, while the second does not.

Why this answer

The output shows two trap receivers with different enabled traps. The first receiver is configured to receive snmp, interface, and bgp traps. The second receiver is configured for snmp and ospf traps.

Both use SNMPv2c with community strings.

48
MCQhard

A network engineer is troubleshooting why the NMS cannot poll SNMP data from router R5. The router has 'snmp-server community cisco RO' configured. The NMS is on subnet 192.168.1.0/24, and the router has an ACL applied to the VTY lines that permits only 10.0.0.0/8. The NMS can ping the router. What is the most likely cause?

A.The engineer applied an ACL to the SNMP community that denies the NMS subnet, but the VTY ACL is unrelated.
B.The VTY ACL is blocking SNMP packets because SNMP uses TCP port 161.
C.The router needs the 'snmp-server ifindex persist' command to enable polling.
D.The NMS is using SNMPv3, but the router only has SNMPv2c configured.
AnswerA

Correct because the community string's ACL must permit the NMS; the VTY ACL does not affect SNMP.

Why this answer

SNMP access is controlled by the community string's optional ACL, not VTY ACLs. However, if the community string does not have an ACL, SNMP access is permitted by default. The VTY ACL only affects SSH/Telnet, not SNMP.

The stem mentions only the VTY ACL, which is a distractor: it restricts management access over the VTY lines and is unrelated to SNMP. Polling from the NMS would be blocked if the community were tied to an ACL that does not permit the NMS subnet, for example 'snmp-server community cisco RO 10' where ACL 10 permits only 10.0.0.0/8 while the NMS is on 192.168.1.0/24. The stem as written does not show an ACL on the community, so other explanations for the symptom remain possible, such as the NMS using SNMPv3 while the router only has SNMPv2c configured, or a firewall or CoPP policy blocking SNMP.

49
MCQhard

What is the default SNMPv3 engine ID format on a Cisco IOS device?

A.A random 32-bit integer
B.The IP address of the management interface
C.The MAC address of the lowest-numbered interface
D.A manually configured string; no default exists
AnswerC

Cisco IOS uses the MAC address of the lowest-numbered interface (e.g., GigabitEthernet0/0) to form the engine ID.

Why this answer

The default engine ID is derived from the MAC address of the lowest-numbered interface, per RFC 3411 and Cisco implementation.

50
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show snmp host
    Host: 192.168.1.100
    Port: 162
    Timeout: 1.5 seconds
    Retries: 3
    Version: 2c
    Community: PUBLIC

    Host: 192.168.1.200
    Port: 162
    Timeout: 3 seconds
    Retries: 5
    Version: 3
    User: admin
    Security level: authPriv

Based on this output, which statement is correct?

A.SNMP traps sent to 192.168.1.200 will be encrypted.
B.Both hosts use the same SNMP version.
C.The host at 192.168.1.100 uses SNMPv3 with user 'admin'.
D.Traps to 192.168.1.200 will be sent with community string 'admin'.
AnswerA

The security level 'authPriv' requires both authentication and privacy (encryption).

Why this answer

The output shows two SNMP trap receivers. The first uses SNMPv2c with community 'PUBLIC', while the second uses SNMPv3 with user 'admin' and security level authPriv. The timeout and retry values differ between the two hosts.

51
MCQhard

A network engineer runs the following command to troubleshoot SNMPv3:

    R1# show snmp user
    User name: admin
    Engine ID: 800000090300001122334455
    Storage-type: nonvolatile
    Authentication Protocol: SHA
    Privacy Protocol: AES128
    Group: admin-group

    User name: monitor
    Engine ID: 800000090300001122334455
    Storage-type: nonvolatile
    Authentication Protocol: MD5
    Privacy Protocol: DES
    Group: monitor-group

What does this output indicate?

A.Two SNMPv3 users are configured: 'admin' with SHA/AES128 and 'monitor' with MD5/DES.
B.SNMPv3 is not configured because no users are shown.
C.Both users use the same authentication and privacy protocols.
D.The users are in the same SNMP group.
AnswerA

The output shows the authentication and privacy protocols for each user.

Why this answer

The show snmp user command displays SNMPv3 users. The output shows two users: 'admin' with SHA authentication and AES128 encryption in group 'admin-group', and 'monitor' with MD5 authentication and DES encryption in group 'monitor-group'.
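A defender's version of the check that the two 'show snmp user' questions (31 and 51) ask you to do by eye, as an added example that is not part of the original question bank. It parses the output as quoted in those questions and reports each user's security level and any deprecated protocol; the 'legacy' user and the assumption that a missing protocol is printed as 'None' are constructed for illustration.

```python
import re

# Output quoted in question 31, flattened onto one line as the page prints it.
Q31_OUTPUT = (
    "User name: monitor Engine ID: 800000090300001122334455 "
    "storage-type: nonvolatile Authentication Protocol: MD5 "
    "Privacy Protocol: DES Group-name: readonly "
    "User name: admin Engine ID: 800000090300AABBCCDDEEFF "
    "storage-type: nonvolatile Authentication Protocol: SHA "
    "Privacy Protocol: AES256 Group-name: admin"
)

# Output quoted in question 51, laid out one field per line.
Q51_OUTPUT = """\
User name: admin
Engine ID: 800000090300001122334455
Storage-type: nonvolatile
Authentication Protocol: SHA
Privacy Protocol: AES128
Group: admin-group

User name: monitor
Engine ID: 800000090300001122334455
Storage-type: nonvolatile
Authentication Protocol: MD5
Privacy Protocol: DES
Group: monitor-group
"""

# Constructed sample: a user with neither authentication nor privacy.
# Assumption: the device prints the literal word "None" for an absent protocol.
CONSTRUCTED_OUTPUT = (
    "User name: legacy Engine ID: 800000090300001122334455 "
    "Authentication Protocol: None Privacy Protocol: None Group: legacy-group"
)

# The page names MD5 and DES as the deprecated choices.
DEPRECATED_AUTH = {"MD5"}
DEPRECATED_PRIV = {"DES"}

FIELD_RE = re.compile(
    r"\b(User name|Engine ID|Storage-type|Authentication Protocol|"
    r"Privacy Protocol|Group(?:-name)?):\s*(\S+)",
    re.IGNORECASE,
)
KEYS = {
    "user name": "user", "engine id": "engine_id", "storage-type": "storage",
    "authentication protocol": "auth", "privacy protocol": "priv",
    "group": "group", "group-name": "group",
}


def parse_snmp_users(text):
    """Return one dict per user; works on flattened or line-per-field output."""
    users = []
    for label, value in FIELD_RE.findall(text):
        key = KEYS[label.lower()]
        if key == "user":
            users.append({"user": value})      # a new user record starts here
        elif users:
            users[-1][key] = value
    return users


def audit_snmp_users(text):
    """Map user name -> security level, group and list of issues."""
    report = {}
    for u in parse_snmp_users(text):
        auth = u.get("auth", "None").upper()
        priv = u.get("priv", "None").upper()
        if auth == "NONE":
            level = "noAuthNoPriv"
        elif priv == "NONE":
            level = "authNoPriv"
        else:
            level = "authPriv"
        issues = []
        if auth in DEPRECATED_AUTH:
            issues.append("deprecated auth " + auth)
        if priv in DEPRECATED_PRIV:
            issues.append("deprecated priv " + priv)
        if level != "authPriv":
            issues.append("security level " + level)
        report[u["user"]] = {"level": level, "group": u.get("group"),
                             "issues": issues}
    return report


if __name__ == "__main__":
    for sample in (Q31_OUTPUT, Q51_OUTPUT, CONSTRUCTED_OUTPUT):
        for name, result in audit_snmp_users(sample).items():
            print(name, result)
```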

52
MCQmedium

A network engineer runs the following command on Router R1:

    R1# show snmp group
    group name: readonly
    security model: v3
    security level: authNoPriv
    context: <none>
    read view: iso
    write view: <none>
    notify view: <none>

    Group name: admin
    security model: v3
    security level: authPriv
    context: <none>
    read view: iso
    write view: iso
    notify view: iso

Based on this output, which statement is correct?

A.The 'readonly' group can read all MIB objects because its read view is 'iso'.
B.The 'admin' group requires only authentication, not encryption.
C.The 'readonly' group can send SNMP traps.
D.Both groups have the same security level.
AnswerA

The read view 'iso' typically includes the entire MIB tree, allowing read access to all objects.

Why this answer

The output shows two SNMPv3 groups. The 'readonly' group has security level 'authNoPriv', meaning authentication is required but no privacy. The 'admin' group has 'authPriv', requiring both authentication and privacy.

The 'readonly' group has no write view, so it cannot modify configurations.

53
MCQeasy

Which SNMPv3 security model provides both authentication and encryption by default?

A.Community-based Security Model (CSM)
B.User-based Security Model (USM) with authPriv
C.View-based Access Control Model (VACM)
D.Transport Layer Security (TLS) model
AnswerB

USM with authPriv provides both authentication and encryption (privacy).

Why this answer

The User-based Security Model (USM) supports authNoPriv and authPriv; authPriv provides encryption.

54
MCQmedium

An engineer is troubleshooting why the NMS is receiving duplicate SNMP traps from router R9 for the same event. The router has two 'snmp-server host' commands pointing to the same NMS IP address but with different community strings: 'public' and 'private'. The NMS is configured to process traps from both communities. What is the most likely cause?

A.The router sends one trap per 'snmp-server host' command, resulting in duplicate traps for the same event.
B.The NMS is configured to listen on two different ports, causing duplicate reception.
C.The router has an SNMP trap filter that is misconfigured, causing the same trap to be sent twice.
D.The engineer enabled both 'snmp-server enable traps' and 'snmp-server enable informs', causing duplicate notifications.
AnswerA

Correct because each host command generates a separate trap; using two communities causes duplication.

Why this answer

When multiple 'snmp-server host' commands point to the same NMS with different community strings, the router sends a separate trap for each community. This results in duplicate traps. The engineer should either use a single community or configure the NMS to deduplicate.

55
MCQmedium

When an SNMP agent sends an InformRequest, what is the default behavior regarding acknowledgment?

A.The agent does not expect any acknowledgment; it is fire-and-forget.
B.The agent expects a Response PDU from the manager; if not received, it retransmits.
C.The manager sends an acknowledgment at the transport layer only.
D.The agent sends the inform multiple times by default regardless of acknowledgment.
AnswerB

Informs are confirmed notifications; the agent waits for a Response and retransmits if needed.

Why this answer

InformRequest requires the manager to send a Response; if no response is received, the agent retransmits.

56
MCQhard

An engineer configures SNMPv2c with a read-write community string 'private' on a router. The NMS can poll interface statistics and modify some objects, but when trying to shut down an interface via SNMP, the NMS receives an error. Which is the most likely explanation?

A.The interface is a loopback interface, which does not support the ifAdminStatus transition to down via SNMP.
B.The community string 'private' is read-only, not read-write.
C.The NMS is using the wrong OID for the interface.
D.The router requires SNMPv3 for write operations.
AnswerA

Loopback interfaces are virtual and cannot be shut down via SNMP; the MIB returns an error because the operation is not supported.

Why this answer

SNMP write access to certain objects may be restricted by the MIB implementation or by the view. The ifAdminStatus object is writable, but some interfaces (e.g., loopback) may not support being shut down via SNMP, or the view may exclude that object.

57
MCQmedium

    snmp-server community MyCommunity RO 10
    access-list 10 permit 192.168.1.0 0.0.0.255

What is the effect of this configuration?

A.SNMP read-only access is allowed only from the 192.168.1.0/24 subnet.
B.SNMP read-write access is allowed from any host.
C.SNMP access is allowed from any host, but only read-only.
D.The community string is encrypted in the configuration.
AnswerA

The access-list is applied to the community, limiting source addresses.

Why this answer

The SNMP community 'MyCommunity' is restricted to read-only access and is associated with access-list 10, which permits only the 192.168.1.0/24 subnet. This means only SNMP managers in that subnet can use this community for read-only queries.
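The community checks from questions 33, 39 and 57 combined into one configuration audit, as an added example that is not part of the original question bank. The sample configuration is constructed from the command lines quoted in those questions, the finding names are hypothetical, and only standard numbered ACLs (1-99) are evaluated.

```python
import ipaddress
import re

# Constructed sample built from the configuration lines quoted in the questions.
SAMPLE_CONFIG = """\
snmp-server community public RO
snmp-server community private RW
snmp-server community cisco RO
snmp-server community cisco RW
snmp-server community MyCommunity RO 10
access-list 10 permit 192.168.1.0 0.0.0.255
"""

COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$", re.I)
# Standard numbered ACLs only; extended ACLs use a different line format.
ACL_RE = re.compile(r"^access-list (\d{1,2}) (permit|deny) (.+)$", re.I)


def _parse_source(text):
    """Turn 'any', 'host A', 'A' or 'A WILDCARD' into (base, wildcard) ints."""
    parts = [p for p in text.split() if p.lower() != "log"]
    if parts[0].lower() == "any":
        return 0, 0xFFFFFFFF
    if parts[0].lower() == "host":
        return int(ipaddress.IPv4Address(parts[1])), 0
    wildcard = int(ipaddress.IPv4Address(parts[1])) if len(parts) > 1 else 0
    return int(ipaddress.IPv4Address(parts[0])), wildcard


def parse_config(config):
    """Return ([(community, mode, acl_or_None)], {acl_number: [entries]})."""
    communities, acls = [], {}
    for raw in config.splitlines():
        line = raw.strip()
        m = COMMUNITY_RE.match(line)
        if m:
            communities.append((m.group(1), m.group(2).upper(), m.group(3)))
            continue
        m = ACL_RE.match(line)
        if m:
            entry = (m.group(2).lower(),) + _parse_source(m.group(3))
            acls.setdefault(m.group(1), []).append(entry)
    return communities, acls


def acl_permits(entries, ip):
    """First matching entry wins; no match means the implicit deny applies."""
    addr = int(ipaddress.IPv4Address(ip))
    for action, base, wildcard in entries:
        care = ~wildcard & 0xFFFFFFFF          # bits that must match
        if (addr & care) == (base & care):
            return action == "permit"
    return False


def audit_snmp_communities(config, nms_ip):
    """Return sorted (community, finding) pairs for the given NMS address."""
    communities, acls = parse_config(config)
    modes = {}
    for name, mode, _ in communities:
        modes.setdefault(name, set()).add(mode)
    findings = set()
    for name, _mode, acl in communities:
        if acl is None:
            findings.add((name, "no-acl"))               # question 33
        elif acl not in acls:
            findings.add((name, "acl-undefined"))        # cannot be evaluated
        elif not acl_permits(acls[acl], nms_ip):
            findings.add((name, "nms-denied"))           # question 57's ACL
        if modes[name] == {"RO", "RW"}:
            findings.add((name, "ro-rw-same-string"))    # question 39
    return sorted(findings)


if __name__ == "__main__":
    for nms in ("192.168.1.50", "10.1.1.200"):
        print(nms, audit_snmp_communities(SAMPLE_CONFIG, nms))
```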

58
MCQhard

A network engineer configures SNMPv3 on a router with the 'snmp-server group' and 'snmp-server user' commands, using SHA for authentication and AES for privacy. The NMS can poll the router successfully, but SNMP traps are not received. Which is the most likely explanation?

A.The SNMP engine ID on the router changed after the NMS was configured, causing authentication failures for traps.
B.The 'snmp-server enable traps' command was omitted, so no traps are generated.
C.The NMS is using SNMPv2c for trap reception, which is incompatible with SNMPv3.
D.The 'snmp-server host' command specifies a community string instead of the SNMPv3 username.
AnswerA

The engine ID is used to derive keys; if it changes, the NMS cannot decrypt or authenticate traps, even though polling still works if the NMS uses the old engine ID.

Why this answer

SNMPv3 traps require that the engine ID be known to both the agent and the NMS. If the engine ID changes (e.g., due to a reload or configuration change), the NMS may not recognize the trap sender, causing traps to be dropped. Additionally, traps use a different notification view than the read view used for polling.
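Why a changed engine ID breaks SNMPv3 trap authentication, shown with the password-to-key and key-localization steps of RFC 3414 (USM). This is an added example, not part of the original question bank: the two engine IDs are the ones quoted in the command outputs on this page, while the passphrase, the message bytes and the function names are constructed.

```python
import hashlib
import hmac

# Engine IDs quoted in the 'show snmp engineID' / 'show snmp user' outputs.
ENGINE_ID_OLD = "800000090300001122334455"
ENGINE_ID_NEW = "800000090300AABBCCDDEEFF"

# Constructed values for the demonstration.
PASSWORD = "ExampleAuthPass1"
SAMPLE_MESSAGE = b"constructed stand-in for an encoded SNMPv3 trap"


def password_to_key(password, algo="sha1"):
    """RFC 3414 A.2: hash 1,048,576 bytes formed by repeating the password."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    reps, rem = divmod(1048576, len(pw))
    return hashlib.new(algo, pw * reps + pw[:rem]).digest()


def localize_key(ku, engine_id, algo="sha1"):
    """RFC 3414: localized key = H(Ku || snmpEngineID || Ku)."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(localized_key, message):
    """HMAC-SHA-96: HMAC-SHA1 over the message, truncated to 12 bytes."""
    return hmac.new(localized_key, message, hashlib.sha1).digest()[:12]


def trap_accepted(nms_recorded_engine_id, router_engine_id,
                  password=PASSWORD, message=SAMPLE_MESSAGE):
    """True if a trap signed by the router verifies with the NMS's key.

    For traps the sending agent is the authoritative engine, so the router
    signs with a key localized to its own current engine ID, and the NMS
    verifies with a key localized to the engine ID it has on record.
    """
    ku = password_to_key(password)
    router_key = localize_key(ku, bytes.fromhex(router_engine_id))
    nms_key = localize_key(ku, bytes.fromhex(nms_recorded_engine_id))
    sent_tag = auth_tag(router_key, message)
    return hmac.compare_digest(sent_tag, auth_tag(nms_key, message))


if __name__ == "__main__":
    print("engine ID unchanged:", trap_accepted(ENGINE_ID_OLD, ENGINE_ID_OLD))
    print("engine ID changed:  ", trap_accepted(ENGINE_ID_OLD, ENGINE_ID_NEW))
```

The passphrase is identical in both runs; only the engine ID differs, which is enough to make every authentication tag from the router fail verification until the NMS user entry is rebuilt with the new engine ID.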

59
MCQmedium

A network engineer runs the following command to troubleshoot SNMP traps:

    R1# show snmp host
    Host: 10.1.1.2
    Port: 162
    Timeout: 30
    Retries: 3
    Community: trap-public
    Version: 2c
    Filter: none

    Host: 10.1.1.3
    Port: 162
    Timeout: 30
    Retries: 3
    Community: trap-public
    Version: 2c
    Filter: none

What does this output indicate?

A.SNMP traps are sent to two NMS hosts: 10.1.1.2 and 10.1.1.3 using SNMPv2c.
B.SNMP traps are sent to host 10.1.1.2 only.
C.The router is configured to receive traps from these hosts.
D.SNMPv3 is used for trap communication.
AnswerA

The output shows two hosts configured for trap reception with SNMPv2c.

Why this answer

The show snmp host command displays configured SNMP trap receivers. The output shows two hosts (10.1.1.2 and 10.1.1.3) configured to receive SNMPv2c traps with community 'trap-public'.

60
MCQhard

A network engineer configures SNMPv3 with authentication and privacy on a router. The NMS polls the router via the management interface. The engineer then adds a loopback interface and configures the router to send SNMP traps sourced from the loopback IP. The NMS stops receiving traps. Which is the most likely explanation?

A.The NMS is configured to accept traps only from the management interface IP address, not the loopback IP.
B.The loopback interface does not support SNMP trap generation.
C.The SNMP engine ID changed when the loopback interface was added.
D.The 'snmp-server trap-source' command requires a specific interface type.
AnswerA

NMS trap receivers often filter or authenticate based on source IP; if the source IP changes, traps may be dropped.

Why this answer

When traps are sourced from a different IP address, the NMS may not recognize the sender if it expects traps from the original IP. Additionally, if the loopback IP is not reachable from the NMS, traps are lost.

61
MCQhard

Router R9 is configured with SNMP and NetFlow. The NMS uses SNMP to poll NetFlow statistics. The configuration includes: snmp-server community public RO, snmp-server enable traps netflow. However, the NMS cannot poll NetFlow MIB objects. The router's show snmp mib shows that the NetFlow MIB is not loaded. What is the root cause?

A.The NetFlow MIB is not loaded because NetFlow data export is not configured; the 'ip flow-export' command is missing.
B.The SNMP community string does not have read access to the NetFlow MIB.
C.The router's SNMP agent is not compatible with the NetFlow MIB.
D.The NMS is using an incorrect OID for NetFlow statistics.
AnswerA

The NetFlow MIB is only loaded when NetFlow is configured with 'ip flow-export' commands. Without it, the MIB is not available for SNMP polling.

Why this answer

NetFlow MIB is not loaded by default; it requires the 'ip flow-export' command to enable NetFlow and load the MIB. Additionally, the SNMP agent may need to have the MIB loaded via 'snmp-server mib' command. The correct answer is: 'The NetFlow MIB is not loaded because NetFlow data export is not configured; the 'ip flow-export' command is missing.'

62
MCQmedium

A network engineer runs the following command to troubleshoot SNMP access control:

    R1# show snmp view
    v1default - includes all objects up to OID 1.3.6.1.2.1.1
    v1system - includes system MIB only (1.3.6.1.2.1.1)

What does this output indicate?

A.Two SNMP views are configured: 'v1default' with broader access and 'v1system' limited to the system MIB.
B.The router uses SNMPv3 views exclusively.
C.The 'v1default' view includes all MIB objects.
D.No views are configured, so SNMP access is denied.
AnswerA

The output shows two views with different scopes.

Why this answer

The show snmp view command displays configured SNMP views. The output shows two views: 'v1default' includes objects up to OID 1.3.6.1.2.1.1 (system group), and 'v1system' includes only the system MIB.

63
MCQhard

Router R10 is configured with SNMP and EEM. An EEM applet is configured to send an SNMP trap when a specific syslog message is generated. The applet uses the 'action snmp-trap' command. However, the NMS receives no trap. The syslog message is generated and logged. The router's show snmp statistics shows TrapsSent: 0. What is the root cause?

A.The EEM applet is configured to send a trap, but the 'snmp-server host' command is missing, so the router has no destination for the trap.
B.The syslog message is not matching the EEM trigger pattern correctly.
C.The EEM applet is not registered due to a syntax error.
D.The SNMP community string is not configured with RW privileges.
AnswerA

Without 'snmp-server host', the router does not know where to send the trap. The EEM action will fail silently.

Why this answer

EEM applets that send SNMP traps require the 'snmp-server enable traps' command to be enabled globally, and also the EEM applet must have the correct privilege level. Additionally, the 'action snmp-trap' command in EEM uses the SNMP community string configured globally. If the community string is not configured or the trap host is not set, the trap is not sent.

The correct answer is: 'The EEM applet is configured to send a trap, but the 'snmp-server host' command is missing, so the router has no destination for the trap.'

64
Drag & Dropmedium

Drag and drop the steps to verify and validate the SNMP operational state into the correct order, from first to last.

Why this order

Begin by checking the SNMP agent status with show snmp. Then, view the SNMP community strings and access permissions. Next, examine SNMP trap and inform configurations.

After that, use show snmp mib to verify MIB object accessibility. Finally, perform a test poll from the NMS to confirm end-to-end functionality.

65
Multi-Select · hard

Which TWO statements correctly describe the behavior of SNMPv3 when using the 'noAuthNoPriv' security level? (Choose TWO.)

Select 2 answers
A. The username and password are sent in clear text.
B. The SNMP engine ID is still used for message processing and identification.
C. The 'snmp-server user' command must include the 'auth' and 'priv' keywords set to 'md5' and 'des' respectively.
D. The security level is configured per user, not per group.
E. The engine ID can be manually configured or automatically generated based on the router's MAC address.
Answers: B, E

The engine ID is always used in SNMPv3 for message processing, regardless of the security level.

Why this answer

SNMPv3 'noAuthNoPriv' provides no authentication and no encryption. The engine ID is still used for message processing, and the community string is replaced by the username. The security level is configured per user, not per group.

The 'auth' and 'priv' keywords are omitted from the 'snmp-server user' command. The engine ID is automatically generated based on the router's MAC address or manually configured.

66
MCQ · medium

A network engineer runs the following command on Router R1:

    R1# show snmp community
    Community name: PUBLIC
    Community Index: PUBLIC
    Permission: read-only
    View: v1default

    Community name: PRIVATE
    Community Index: PRIVATE
    Permission: read-write
    View: v1default

    Community name: MONITOR
    Community Index: MONITOR
    Permission: read-only
    View: restricted

Based on this output, which statement is correct?

A. The 'MONITOR' community may not have access to any MIB objects if the 'restricted' view is not configured.
B. The 'PUBLIC' community can be used to modify router configurations.
C. The 'PRIVATE' community uses a view named 'restricted'.
D. All three communities have the same access rights.
Answer: A

If the view 'restricted' is not defined, SNMP requests using the 'MONITOR' community will fail or return no data.

Why this answer

The output shows three SNMP communities. The 'MONITOR' community uses a view named 'restricted', which may not be defined, potentially causing access issues. The 'PUBLIC' and 'PRIVATE' communities use the default 'v1default' view, which typically includes the entire MIB tree.

The 'PRIVATE' community has read-write permission, allowing configuration changes via SNMP.

67
Multi-Select · hard

Which TWO statements correctly describe the use of SNMP inform requests compared to traps? (Choose TWO.)

Select 3 answers
A. Informs require the NMS to send an acknowledgment back to the router.
B. Traps are more reliable than informs because they use UDP with a higher priority.
C. The default retransmission timeout for informs is 30 seconds.
D. Informs and traps are mutually exclusive; a router can only send one type to a given NMS.
E. Both informs and traps are enabled using the 'snmp-server enable traps' command.
Answers: A, C, E

Informs are confirmed notifications; the NMS must respond with an acknowledgment, or the router retransmits.

Why this answer

Informs are confirmed notifications; the NMS sends an acknowledgment, and the router retransmits if no ack is received. Traps are unconfirmed. Informs consume more resources (memory, CPU) due to retransmission handling.

Both can be enabled with 'snmp-server enable traps' and directed with 'snmp-server host' using the 'informs' keyword. The default retransmission timeout for informs is 30 seconds. Informs are more reliable than traps.

68
MCQ · medium

A network engineer runs the following command to troubleshoot SNMP access:

    R1# show snmp community
    Community name: public
    Community Index: public
    Storage-Type: nonvolatile
    Access: read-only
    View: v1default

    Community name: private
    Community Index: private
    Storage-Type: nonvolatile
    Access: read-write
    View: v1default

What does this output indicate?

A. The router has two SNMP communities: 'public' for read-only and 'private' for read-write access.
B. The router only allows SNMP writes with the 'public' community.
C. The router is not configured for SNMP because no community strings are shown.
D. The router uses SNMPv3 and these communities are for backward compatibility.
Answer: A

The output clearly shows 'public' with read-only and 'private' with read-write access.

Why this answer

The show snmp community command displays configured SNMP community strings and their access levels. The output shows two communities: 'public' with read-only access and 'private' with read-write access, both using the default view.

69
MCQ · hard

What is the default SNMP community string on a Cisco IOS device that has not been configured with any SNMP commands?

A. public
B. private
C. cisco
D. No default community string exists; SNMP is disabled.
Answer: D

Cisco IOS does not preconfigure any community; the device must have an snmp-server community command to enable SNMP.

Why this answer

By default, no community strings exist; SNMP is disabled until a community is configured.

70
Drag & Drop · medium

Drag and drop the steps to configure SNMPv3 with auth-priv and verify traps into the correct order, from first to last.

Why this order

First, define the SNMPv3 group with security model and privacy settings. Next, create the user with authentication and privacy passwords. Then, enable SNMP traps globally.

After that, specify the trap receiver host with the correct security parameters. Finally, verify the configuration using show snmp user and show snmp host.

71
MCQ · hard

An engineer is troubleshooting why SNMPv3 informs are not being received by the NMS from router R6. The configuration includes 'snmp-server group ADMIN v3 priv', 'snmp-server user admin ADMIN v3 auth sha cisco123 priv aes 128 cisco456', and 'snmp-server host 10.1.1.100 informs version 3 priv admin'. The NMS can receive SNMPv3 traps from other routers. What is the most likely cause?

A. The NMS is not configured to respond to SNMP informs, so the router does not receive acknowledgment.
B. The 'snmp-server host' command should use 'traps' instead of 'informs' for SNMPv3.
C. The router needs the 'snmp-server enable informs' command globally.
D. The SNMPv3 user must have the 'auth' privilege instead of 'priv' to send informs.
Answer: A

Correct because informs require an acknowledgment; if the NMS does not support it, informs fail.

Why this answer

SNMP informs require a response from the NMS, and the NMS must be configured to send back an acknowledgment. If the NMS does not support informs or has not enabled inform processing, the router will keep retrying and eventually fail. The router's configuration is correct, so the issue is on the NMS side.

72
Drag & Drop · hard

Drag and drop the steps to troubleshoot SNMP adjacency or connectivity failures into the correct order, from first to last.

Why this order

Start by checking basic IP connectivity using ping to the SNMP manager. Next, verify that the SNMP agent is enabled and listening on the correct port. Then, review ACLs and firewall rules that might block SNMP traffic.

After that, examine SNMP community strings or security credentials for mismatches. Finally, enable debug snmp packets to capture and analyze packet exchanges.

73
MCQ · hard

An engineer configures SNMPv2c with a read-only community string 'public' on a router. The NMS can poll interface statistics, but when trying to poll OSPF neighbor states, the NMS receives no response. Which is the most likely explanation?

A. The OSPF MIB is not supported or not loaded on the router.
B. The community string 'public' is not allowed to access the OSPF MIB due to a missing 'snmp-server view' command.
C. OSPF neighbor states are only available via SNMPv3 due to security restrictions.
D. The NMS must use the OSPF process ID in the OID to poll neighbor states.
Answer: A

Some routers require the 'snmp-server enable traps ospf' command or the OSPF process to be configured to load the OSPF MIB; otherwise, the MIB objects are not available.

Why this answer

SNMP view-based access control (VACM) can restrict which MIB objects are accessible. The default view for SNMPv2c includes many objects, but OSPF MIB objects may be excluded if the view is customized or if the OSPF MIB is not loaded.

74
MCQ · easy

An engineer is troubleshooting why the NMS is not receiving SNMP traps from router R8 after a recent configuration change. The engineer added 'snmp-server host 10.1.1.100 version 2c public' and 'snmp-server enable traps' but forgot to remove the old 'snmp-server host 10.1.1.200 version 2c public' command. The NMS at 10.1.1.100 can receive traps from other devices. What is the most likely cause?

A. The engineer did not configure the SNMP community string 'public' on the router.
B. The old 'snmp-server host' command for 10.1.1.200 is causing a conflict, preventing traps to the new host.
C. The engineer needs to remove the old host command before adding the new one.
D. The router requires a reload after adding a new 'snmp-server host' command.
Answer: A

Correct because the 'snmp-server host' command references a community string that must be defined; without it, traps are not sent.

Why this answer

The router can have multiple 'snmp-server host' commands, and all of them are active. The old entry for 10.1.1.200 is still configured, but it does not prevent traps from reaching the new host; the router simply sends traps to both. An unreachable old host does not delay them either, because traps are sent without acknowledgment.

The NMS can receive traps from other devices, so the NMS is fine. The new 'snmp-server host' command sends traps by default, the stem gives the community as 'public' on both host commands, and it does not mention a VRF, so none of these explains the failure.

The most likely cause is that the engineer forgot to configure the SNMP community string 'public' on the router. The 'snmp-server host' command references 'public', but if the community 'public' is not defined with 'snmp-server community public RO', the router will not send traps because the community is invalid.

75
Multi-Select · hard

Which TWO statements about SNMPv3 security models are true? (Choose TWO.)

Select 2 answers
A. The noAuthNoPriv security level provides no authentication and no encryption.
B. The authPriv security level requires both authentication and encryption.
C. The authNoPriv security level uses encryption but no authentication.
D. SNMPv3 always requires encryption for all security levels.
E. The 'priv' keyword in the snmp-server group command disables authentication.
Answers: A, B

This is the least secure level, often used for read-only access.

Why this answer

SNMPv3 supports three security levels: noAuthNoPriv (no authentication, no encryption), authNoPriv (authentication with MD5 or SHA, no encryption), and authPriv (authentication and encryption using DES or AES). The 'priv' keyword enables encryption, and authentication is required for both authNoPriv and authPriv.
