CCNA Netflow And Telemetry Questions

58 questions · Netflow And Telemetry topic · All types, answers revealed

1
MCQmedium

A network engineer is troubleshooting intermittent packet loss on a WAN link connecting two data centers. The engineer suspects that certain traffic types are being dropped but needs to confirm this without impacting production. The engineer has access to Cisco IOS-XE routers at both ends. Which approach should the engineer use to identify the specific flows being dropped?

A.Configure Flexible NetFlow on the routers with a flow monitor that includes the 'drop' keyword to capture dropped packets per flow.
B.Enable SNMP polling of interface counters to identify the total number of dropped packets on the WAN interface.
C.Use Embedded Event Manager (EEM) to trigger on interface drops and capture a packet trace.
D.Deploy IP SLA probes to measure latency and jitter, and correlate with drop events.
AnswerA

Correct because Flexible NetFlow with the 'drop' keyword allows per-flow drop monitoring, directly identifying which flows are being dropped.

Why this answer

NetFlow can be used to monitor traffic flows and identify drops, but traditional NetFlow does not capture drops. The correct answer uses Flexible NetFlow with a flow monitor that includes the 'drop' keyword to capture dropped packets, which is the most direct method. Option B is incorrect because SNMP polling of interface counters shows aggregate drops but not per-flow.

Option C is incorrect because EEM alone cannot capture per-flow drop details. Option D is incorrect because IP SLA measures performance but not drop causation per flow.

2
Drag & Dropmedium

Drag and drop the steps of troubleshooting NetFlow export issues into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Start by verifying NetFlow is enabled on the interface. Then check the exporter configuration and collector reachability. Next, inspect the flow cache for active records.

Finally, review export statistics for errors.

3
MCQmedium

Examine the following configuration: flow exporter EXPORTER-1 destination 10.0.0.1 source Loopback0 transport udp 2055 option interface-table option application-table ! What is the purpose of the 'option interface-table' and 'option application-table' commands?

A.They cause the exporter to send interface and application metadata to the collector periodically.
B.They filter the flow data to include only traffic from the specified interfaces and applications.
C.They enable the exporter to collect interface and application statistics locally.
D.They are required only when using IPFIX, not NetFlow v9.
AnswerA

Option data records include interface names, descriptions, and application IDs.

Why this answer

These commands enable the exporter to send option data records to the collector. Option data provides metadata about the router's interfaces and applications, helping the collector interpret the flow data correctly.

4
MCQeasy

Which BGP attribute is preferred when it has the lowest value?

A.MED (Multi-Exit Discriminator)
B.Local Preference
C.Weight
D.Origin
AnswerA

MED is a non-transitive attribute; lower values are preferred.

Why this answer

In BGP path selection, the MULTI_EXIT_DISC (MED) attribute is used to influence inbound traffic to an AS. A lower MED value is preferred over a higher one.

5
MCQhard

A network engineer is troubleshooting a performance issue on a Cisco Catalyst 9300 switch. The engineer suspects that a specific application is using excessive bandwidth. The switch supports Flexible NetFlow. The engineer wants to monitor only the traffic from that application without affecting the switch's CPU. What is the most efficient way to configure this?

A.Define a flow record that matches the specific application using NBAR or an ACL, and apply a flow monitor with a sampler rate to reduce CPU impact.
B.Enable NetFlow on all interfaces and export all flows to the collector, then filter at the collector.
C.Use SNMP to poll interface counters and calculate the bandwidth used by the application.
D.Configure port mirroring (SPAN) to send all traffic to an external probe for analysis.
AnswerA

Correct because matching only the application of interest and using a sampler minimizes the number of flows processed, reducing CPU load.

Why this answer

Flexible NetFlow allows filtering to reduce CPU impact. Option A is correct because using a flow record with a match on the application (e.g., NBAR or ACL) and a sampler reduces the number of flows processed. Option B is incorrect because capturing all flows would increase CPU load.

Option C is incorrect because SNMP polling gives aggregate data, not per-application. Option D is incorrect because mirroring all traffic to a probe would also increase CPU load.

6
Matchingmedium

Drag and drop each YANG module on the left to its matching standard body on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

OpenConfig

IETF

Cisco-IOS-XE

OpenConfig

IETF

Why these pairings

OpenConfig is an operator-led effort. IETF publishes standard YANG models. Cisco-IOS-XE modules are Cisco proprietary.

7
Drag & Dropmedium

Drag and drop the steps of YANG data model traversal for interface stats into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

YANG traversal starts with identifying the YANG module for interfaces, then navigating to the interfaces container, selecting the specific interface list entry, accessing the statistics container, and finally reading the desired leaf values like in-octets.

8
Drag & Dropmedium

Drag and drop the steps of Flexible NetFlow flow record and exporter setup into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The correct order begins with defining the flow record, then the flow exporter, then the flow monitor, then applying it to an interface, and finally verifying with show commands.

9
MCQeasy

A network engineer is deploying streaming telemetry from a Cisco ASR 1000 router to a collector using gRPC. The engineer notices that the telemetry data is not being received by the collector. The router shows that the gRPC server is running and the collector is reachable. What is the most likely cause?

A.No telemetry subscription is configured on the router for the desired data paths.
B.The gRPC server is configured with the wrong port number.
C.The collector is not listening on the same IP address as configured on the router.
D.The telemetry data is encoded in GPB, but the collector expects JSON.
AnswerA

Correct because a subscription defines what data to stream and to which collector; without it, no data is sent.

Why this answer

For gRPC telemetry, the router must have a subscription configured to send data. Option A is correct because without a subscription, no data is streamed. Option B is incorrect because the server is running.

Option C is incorrect because the collector is reachable. Option D is incorrect because the encoding format does not prevent data from being sent if the server is up.

10
Drag & Dropmedium

Drag and drop the steps of configuring model-driven telemetry with gRPC on a Cisco IOS-XE device into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, enable telemetry and define the destination. Then, create a subscription with a sensor path. Next, set the update policy.

Finally, verify the telemetry data is being sent.

11
Matchingmedium

Drag and drop each telemetry model on the left to its matching push type (dial-in or dial-out) on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Collector initiates connection to the device

Device initiates connection to the collector

Device streams data to collector

Device sends data to collector

Device sends unsolicited data to collector

Why these pairings

Dial-in models require the collector to initiate the connection (e.g., gRPC dial-in). Dial-out models let the network device push data to the collector (e.g., gRPC dial-out, NETCONF YANG-push).

12
MCQeasy

What is the maximum hop count for EIGRP?

A.255
B.15
C.224
D.Unlimited
AnswerA

EIGRP's maximum hop count is 255, inherited from IGRP.

Why this answer

EIGRP uses a hop count metric as one of the factors in its composite metric. The maximum hop count is 255, beyond which a route is considered unreachable.

13
Drag & Dropmedium

Drag and drop the steps of NetFlow v9 cache export process into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

NetFlow v9 export starts with packet arrival, then flow creation and cache update. When export conditions are met, the template is sent first, followed by data records. Finally, the flow is aged out.

14
Multi-Selectmedium

Which two statements about NetFlow are true? (Choose two.)

Select 2 answers
A.NetFlow records are unidirectional by default.
B.Sampled NetFlow reduces CPU impact by analyzing only a subset of packets.
C.Flexible NetFlow can export user-defined flow keys using NetFlow v5 format.
D.NetFlow can be used as a replacement for SNMP polling for interface utilization.
E.NetFlow v9 supports only IPv4 traffic.
AnswersA, B

Correct because NetFlow aggregates packets based on flow keys (e.g., source/destination IP, ports) and records traffic in one direction only.

Why this answer

NetFlow is a Cisco technology that collects IP traffic statistics. Traditional NetFlow (v5/v9) is unidirectional and sampled flow is used to reduce CPU load. Flexible NetFlow allows user-defined keys but still exports in NetFlow v9 or IPFIX format.

NetFlow does not replace SNMP; they serve different purposes.

15
Drag & Dropmedium

Drag and drop the steps of sFlow agent sampling and forwarding steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

sFlow begins with the agent sampling packets at a configured rate, then extracts header and counter information, encapsulates the sample into an sFlow datagram, sends the datagram to the collector via UDP, and finally the collector analyzes the samples for monitoring.

16
Matchingmedium

Drag and drop each flow record field on the left to its matching category (key or non-key) on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Key field

Key field

Key field

Non-key field

Non-key field

Why these pairings

Key fields define the flow identity (e.g., IP addresses, ports, protocol). Non-key fields provide additional information about the flow (e.g., packet counts, timestamps, TCP flags).

17
MCQmedium

Consider the following configuration: flow monitor FM-1 exporter EXPORTER-1 record netflow ipv4 original-input cache entries 16000 ! Which statement about this configuration is correct?

A.The flow cache can hold up to 16,000 flow entries simultaneously.
B.The flow cache will export flows every 16,000 seconds.
C.The flow cache will store only 16,000 bytes of flow data.
D.The flow cache will automatically increase to 32,000 entries if needed.
AnswerA

The 'cache entries' command defines the size of the flow cache.

Why this answer

The 'cache entries' command sets the maximum number of flow entries that the cache can hold. When the cache is full, the router may need to age out flows prematurely or drop new flows.

18
MCQhard

A network engineer is configuring NetFlow on a Cisco Nexus 7000 switch to monitor traffic between two data centers. The engineer wants to ensure that flow records are exported even if the export destination is temporarily unreachable. Which feature should the engineer enable?

A.Increase the NetFlow export buffer size and configure the export retry interval.
B.Change the export protocol to TCP to ensure reliable delivery.
C.Enable SNMP traps to notify the collector of flow data.
D.Configure IP SLA to monitor the collector and buffer flows locally.
AnswerA

Correct because increasing the buffer allows storing more records during outages, and retry intervals ensure re-transmission attempts.

Why this answer

NetFlow export uses UDP, which is unreliable. Option A is correct because NetFlow export buffer and retry mechanisms (like 'ip flow-export buffer-size' and 'ip flow-export retry') can store and retransmit records. Option B is incorrect because TCP is not supported for NetFlow export.

Option C is incorrect because SNMP traps are not for flow data. Option D is incorrect because IP SLA does not buffer NetFlow records.

19
Drag & Dropmedium

Drag and drop the steps of IPFIX template negotiation and export into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The exporter first sends a template set to the collector, the collector acknowledges, then the exporter sends data records using that template, and templates may be withdrawn or resent periodically.

20
MCQmedium

Given the configuration: flow monitor FM-1 exporter EXPORTER-1 record netflow ipv4 original-input cache timeout active 60 cache timeout inactive 15 ! What is the effect of the 'cache timeout active 60' command?

A.Flows that are active for more than 60 seconds are exported immediately and then removed from the cache.
B.Flows that are inactive for 60 seconds are exported and removed from the cache.
C.The cache will hold a maximum of 60 active flows at any time.
D.Flow records are sent to the exporter every 60 seconds.
AnswerA

When the active timeout expires, the flow is exported and a new cache entry is created for the continuation.

Why this answer

The 'cache timeout active' command sets the maximum lifetime (in seconds) for an active flow in the cache. After 60 seconds, the flow is exported even if it is still ongoing. This prevents long-lived flows from being delayed indefinitely.

21
MCQmedium

A network engineer is configuring NetFlow on a Cisco ISR 4451 router to analyze traffic patterns. The engineer wants to export flow data to a collector every 60 seconds. After applying the configuration, the engineer notices that the export packets are not reaching the collector. The collector is reachable via ICMP. What is the most likely cause?

A.The 'ip flow-export destination' command is missing or specifies an incorrect UDP port number.
B.The router is using TCP for NetFlow export, but the collector only supports UDP.
C.The flow monitor is not applied to any interface, so no flows are being collected.
D.The 'ip flow-export timeout rate' is set too high, causing export packets to be delayed.
AnswerA

Correct because the export destination must include the correct IP and UDP port; if missing or wrong, export packets won't reach the collector.

Why this answer

NetFlow export uses UDP as the transport protocol, and the collector must be listening on the correct UDP port. Option A is correct because the export destination must specify the correct UDP port. Option B is incorrect because NetFlow does not require TCP.

Option C is incorrect because the flow monitor is needed for Flexible NetFlow, but traditional NetFlow uses 'ip flow-export'. Option D is incorrect because the timeout setting affects when flows are exported, not the reachability of export packets.

22
Matchingmedium

Drag and drop each sFlow component on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Samples packets and exports flow data

Receives and processes sFlow datagrams

Encapsulation of sampled packet headers and counters

Why these pairings

The sFlow agent samples packets and sends datagrams. The collector receives and analyzes datagrams. The datagram is the packet sent from agent to collector.

23
Matchingmedium

Drag and drop each NetFlow version on the left to its matching feature description on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Fixed 7-tuple flow keys, IPv4 only

Template-based, supports IPv6 and MPLS

IETF standard, extensible fields, NetFlow v10

Why these pairings

NetFlow v5 uses fixed 7-tuple keys and is IPv4-only. NetFlow v9 is template-based and supports IPv6 and MPLS. IPFIX (NetFlow v10) is the IETF standard based on v9 with extensible fields.

24
Matchingmedium

Drag and drop each sFlow component on the left to its matching function on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Samples packets and exports datagrams

Receives and processes sFlow datagrams

Contains sampled packet headers and counters

Why these pairings

sFlow agent: embedded in the network device, samples packets and sends datagrams. sFlow collector: receives and analyzes datagrams. sFlow datagram: the packet sent from agent to collector containing sampled data.

25
MCQmedium

Examine the following configuration: flow record REC-1 match ipv4 source address match ipv4 destination address match ipv4 protocol collect interface input collect interface output collect counter bytes collect counter packets ! flow monitor MON-1 record REC-1 exporter EXPORTER-1 ! interface GigabitEthernet0/1 ip flow monitor MON-1 input ! What is the purpose of this configuration?

A.It collects NetFlow data for incoming traffic, including source/destination IP, protocol, and byte/packet counts.
B.It collects NetFlow data for both incoming and outgoing traffic on the interface.
C.It configures Flexible NetFlow with a user-defined record that includes TCP flags.
D.It sends flow data to the exporter using IPFIX format.
AnswerA

The match and collect statements define the fields to be recorded; the monitor applies to input traffic.

Why this answer

This configuration defines a custom flow record that captures key fields (source/destination IP, protocol) and collects interface and counter information. The flow monitor applies this record to incoming traffic on GigabitEthernet0/1.

26
MCQmedium

Consider the following configuration: flow exporter EXPORTER-1 destination 10.0.0.1 source Loopback0 transport udp 9996 template data timeout 60 ! Which statement about this configuration is true?

A.Template data records are sent every 60 seconds to the collector.
B.The exporter uses UDP port 9996 to send flow data and templates.
C.The source interface Loopback0 is used only for flow data, not for templates.
D.The exporter will send template data only when a new flow is detected.
AnswerA

The 'template data timeout' command defines the refresh interval for template records.

Why this answer

The 'template data timeout' command sets the interval (in seconds) at which the exporter sends NetFlow template data records to the collector. A shorter timeout ensures the collector has up-to-date templates but increases overhead.

27
MCQhard

A network engineer runs the following command on Router R1: R1# show mpls ldp neighbor Peer LDP Ident: 10.0.0.2:0, Local LDP Ident: 10.0.0.1:0 TCP connection: 10.0.0.2.646 - 10.0.0.1.179 State: Oper; Msgs sent/rcvd: 100/95; Downstream Up time: 00:10:00 LDP discovery sources: GigabitEthernet0/0, Src IP: 10.0.0.2 Addresses bound to peer LDP Ident: 10.0.0.2 192.168.2.2 Peer LDP Ident: 10.0.0.3:0, Local LDP Ident: 10.0.0.1:0 TCP connection: 10.0.0.3.646 - 10.0.0.1.179 State: Oper; Msgs sent/rcvd: 200/190; Downstream Up time: 00:20:00 LDP discovery sources: GigabitEthernet0/1, Src IP: 10.0.0.3 Addresses bound to peer LDP Ident: 10.0.0.3 192.168.3.3 Based on this output, what can be concluded?

A.The router has two LDP peers that are both operational
B.The router is using LDP in downstream-on-demand mode
C.The LDP session with 10.0.0.2 is down
D.The router has only one LDP neighbor
AnswerA

Both peers show 'State: Oper', indicating they are operational.

Why this answer

The output shows LDP neighbors. Both neighbors are in Oper (operational) state. The local LDP identifier is 10.0.0.1:0.

The peers are discovered via different interfaces (GigabitEthernet0/0 and GigabitEthernet0/1). The correct answer is that the router has two LDP peers that are both operational.

28
Drag & Dropmedium

Drag and drop the steps of Flexible NetFlow flow record and exporter setup into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Flexible NetFlow setup begins with defining the flow record to specify what to match and collect, then defining the flow exporter to set destination and transport, followed by creating the flow monitor that binds record and exporter, then applying the monitor to an interface, and finally verifying with show commands.

29
Drag & Dropmedium

Drag and drop the steps of Streaming telemetry sensor path subscription flow into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First a sensor path is defined, then a subscription is created with destination, the device pushes data periodically, the collector receives and processes, and the subscription can be updated or deleted.

30
MCQmedium

A network engineer runs the following command on Switch SW1: SW1# show etherchannel summary Flags: D - down P - bundled in port-channel I - stand-alone s - suspended H - Hot-standby (LACP only) R - Layer3 S - Layer2 U - in use N - not in use, no aggregation f - failed to allocate aggregator M - not in use, minimum links not met u - unsuitable for bundling w - waiting to be aggregated d - default port Number of channel-groups in use: 1 Number of aggregators: 1 Group Port-channel Protocol Ports ------+-------------+-----------+-------------------------------------------- 1 Po1(SU) LACP Gi0/1(P) Gi0/2(P) Gi0/3(D) Based on this output, what can be concluded?

A.The EtherChannel is fully operational with three active links
B.The EtherChannel is operational with two active links
C.The EtherChannel is using PAgP protocol
D.The EtherChannel is a Layer 3 port-channel
AnswerB

Gi0/1 and Gi0/2 are bundled (P), and the port-channel is up (SU), so the EtherChannel is working with two links.

Why this answer

The output shows an EtherChannel summary. Port-channel 1 is in use (U) and Layer2 (S). The protocol is LACP.

Two ports (Gi0/1 and Gi0/2) are bundled (P), but Gi0/3 is down (D). The correct answer is that the EtherChannel is operational with two active links.

31
Drag & Dropmedium

Drag and drop the steps of YANG data model traversal for interface stats into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The process starts with identifying the YANG module, then navigating the tree to the interface container, retrieving statistics, and optionally filtering or using NETCONF/RESTCONF.

32
Multi-Selecthard

Which three statements about model-driven telemetry are true? (Choose three.)

Select 3 answers
A.Model-driven telemetry uses YANG data models to define the data to be streamed.
B.Telemetry data can be pushed from the network device to a collector using gRPC or gNMI.
C.Model-driven telemetry supports both periodic and on-change subscriptions.
D.Model-driven telemetry requires SSH for secure data transport.
E.Model-driven telemetry increases the polling overhead compared to SNMP.
AnswersA, B, C

Correct because YANG models describe the structure and semantics of the data, enabling structured telemetry.

Why this answer

Model-driven telemetry uses YANG data models and can push data via gRPC or gNMI. It supports both periodic and on-change subscriptions. It reduces polling overhead compared to SNMP.

It does not require SSH for transport (gRPC uses HTTP/2).

33
MCQmedium

A network operations center (NOC) is deploying streaming telemetry from Cisco IOS-XE devices to a Kafka-based analytics platform. The engineer needs to ensure that the telemetry data is encoded in a compact, efficient format for high-volume streaming. Which encoding format should the engineer configure?

A.Google Protocol Buffers (GPB) encoding.
B.JSON encoding.
C.XML encoding.
D.CSV encoding.
AnswerA

Correct because GPB is a binary, compact format that minimizes bandwidth and CPU usage for high-volume streaming.

Why this answer

For high-volume streaming telemetry, efficient encoding is critical. Option A is correct because GPB (Google Protocol Buffers) is a compact binary format that reduces bandwidth and parsing overhead. Option B is incorrect because JSON is text-based and verbose.

Option C is incorrect because XML is even more verbose. Option D is incorrect because CSV is not a standard telemetry encoding and lacks structure.

34
MCQeasy

A network engineer runs the following command on Switch SW1: SW1# show vlan brief VLAN Name Status Ports ---- -------------------------------- --------- ------------------------------- 1 default active Gi0/1, Gi0/2, Gi0/3 10 Sales active Gi0/4, Gi0/5 20 Engineering active Gi0/6, Gi0/7 1002 fddi-default act/unsup 1003 token-ring-default act/unsup 1004 fddinet-default act/unsup 1005 trnet-default act/unsup Based on this output, what can be concluded?

A.VLANs 10 and 20 are configured and have ports assigned
B.All VLANs are in the active state and supported
C.VLAN 1 is the only VLAN with ports assigned
D.The switch is running VTP transparent mode
AnswerA

The output shows VLANs 10 and 20 with status 'active' and ports assigned (Gi0/4, Gi0/5 for VLAN 10; Gi0/6, Gi0/7 for VLAN 20).

Why this answer

The output shows VLANs configured on the switch. VLANs 1, 10, and 20 are active and have ports assigned. VLANs 1002-1005 are default VLANs that are not supported on this platform (act/unsup).

The correct answer is that VLANs 10 and 20 are configured and have ports assigned.

35
MCQeasy

A company is deploying Cisco DNA Center and wants to use streaming telemetry from its network devices to provide real-time visibility. The network consists of Cisco Catalyst 9000 switches running IOS-XE. The engineer needs to configure the devices to stream telemetry data to DNA Center. Which protocol should the engineer use for the telemetry transport?

A.gRPC (Google Remote Procedure Call).
B.NetFlow v9.
C.SNMPv3.
AnswerA

Correct because gRPC is the standard transport for model-driven telemetry in Cisco DNA Center deployments.

Why this answer

Cisco DNA Center uses model-driven telemetry with gRPC as the preferred transport for streaming data from IOS-XE devices. Option A is correct because gRPC is the standard for MDT. Option B is incorrect because NetFlow is for flow data, not device state.

Option C is incorrect because SNMP is not used for streaming telemetry in DNA Center. Option D is incorrect because syslog is for log messages, not structured telemetry.

36
MCQmedium

A large enterprise is migrating from traditional SNMP-based monitoring to streaming telemetry for better scalability and real-time visibility. The network team has Cisco Nexus 9000 switches running NX-OS. They want to stream interface counters and BGP neighbor state changes to a collector. Which telemetry technology should they implement?

A.Configure model-driven telemetry (MDT) using gRPC or gNMI to subscribe to the desired YANG data models for interface counters and BGP state.
B.Enable NetFlow v9 on the switches and configure the collector to receive flow records that include interface statistics.
C.Use SNMP traps to send interface and BGP state changes to the collector.
D.Deploy IP SLA responders on the switches to measure performance and send results via syslog.
AnswerA

Correct because MDT with gRPC/gNMI provides scalable, real-time streaming of structured data from NX-OS devices.

Why this answer

Model-driven telemetry (MDT) using gRPC or gNMI is the modern approach for streaming structured data from NX-OS devices. Option A is correct because MDT supports both periodic and event-driven subscriptions. Option B is incorrect because NetFlow is for flow data, not interface counters or BGP state.

Option C is incorrect because SNMP traps are event-driven but not scalable for high-frequency streaming. Option D is incorrect because IP SLA is for active measurements, not streaming device state.

37
Drag & Dropmedium

Drag and drop the steps of IPFIX template negotiation and export into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

IPFIX starts with the exporter defining a template with field definitions, then the exporter sends the template record to the collector, the collector acknowledges (optional), the exporter sends data records referencing the template ID, and finally the collector interprets data using the stored template.

38
Matchingmedium

Drag and drop each YANG module on the left to its matching standard body on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

OpenConfig

IETF

Cisco-IOS-XE

OpenConfig

IETF

Why these pairings

OpenConfig: vendor-neutral YANG models. IETF: RFC-based YANG models. Cisco-IOS-XE: Cisco proprietary YANG models for IOS-XE.

39
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip ospf neighbor Neighbor ID Pri State Dead Time Address Interface 10.0.0.2 1 FULL/DR 00:00:34 192.168.1.2 GigabitEthernet0/0 10.0.0.3 1 2WAY/DROTHER 00:00:38 192.168.1.3 GigabitEthernet0/0 Based on this output, what can be concluded?

A.The local router is the Designated Router (DR)
B.The local router is the Backup Designated Router (BDR)
C.The local router is a DROTHER
D.The OSPF network type is point-to-point
AnswerB

Since the DR is 10.0.0.2 and the BDR is not shown, the local router must be the BDR because it has a FULL adjacency with the DR and a 2WAY adjacency with the DROTHER.

Why this answer

The output shows OSPF neighbors on a multi-access network. The neighbor with state FULL/DR is the Designated Router, and the neighbor with state 2WAY/DROTHER is a non-DR/BDR router that has formed a two-way adjacency but is not adjacent to the DR. The local router must be either the BDR or a DROTHER, as it is not listed as DR.

The correct answer is that the local router is the Backup Designated Router (BDR).

40
MCQhard

A service provider is using Cisco ASR 9000 routers and needs to collect NetFlow data from multiple customers' traffic. The engineer wants to ensure that flow records from different customers are not mixed and can be identified separately. The router supports Flexible NetFlow. What is the best approach?

A.Define a custom flow record that includes the 'match ipv4 vlan' or 'match ipv4 vrf' field to identify each customer's traffic, and apply a single flow monitor on the shared interface.
B.Configure a separate flow monitor for each customer interface and export to different collectors.
C.Use NetFlow v9 export with the 'match ipv4 source address' field only, and rely on the collector to separate by source IP.
D.Enable SNMP interface polling to track per-customer traffic statistics.
AnswerA

Correct because including the VRF or VLAN match field in the flow record allows the collector to distinguish flows per customer.

Why this answer

Flexible NetFlow allows customization of flow records. Option A is correct by using a flow record with a 'match ipv4 vlan' or 'match ipv4 vrf' field to tag flows per customer. Option B is incorrect because separate flow monitors for each interface would still mix flows if multiple customers share an interface.

Option C is incorrect because NetFlow v9 export format does not inherently separate customers. Option D is incorrect because SNMP is not suitable for per-customer flow identification.

41
MCQmedium

A network engineer runs the following command on Router R1: R1# show bgp summary BGP router identifier 192.168.1.1, local AS number 65001 BGP table version is 10, main routing table version 10 Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd 192.168.1.2 4 65002 1024 1020 10 0 0 00:12:34 15 192.168.1.3 4 65003 2048 2040 10 0 0 00:24:56 20 Based on this output, what can be concluded?

A.Both BGP sessions are in the established state
B.The BGP session with 192.168.1.2 is idle
C.Router R1 is using iBGP with both neighbors
D.The BGP table version is 10, meaning 10 prefixes are in the table
AnswerA

The State/PfxRcd column shows prefix counts (15 and 20), indicating the sessions are established and exchanging routes.

Why this answer

The output shows BGP neighbors and their state. Both neighbors are in established state (PfxRcd shows number of prefixes received). The local AS is 65001, and the neighbors are in different AS numbers (65002 and 65003), indicating eBGP sessions.

The correct answer is that both BGP sessions are established and exchanging prefixes.

42
MCQeasy

A network engineer runs the following command on Router R1: R1# show ip route 192.168.2.0 Routing entry for 192.168.2.0/24 Known via "ospf 1", distance 110, metric 20, type inter area Last update from 10.0.0.2 on GigabitEthernet0/0, 00:05:23 ago Routing Descriptor Blocks: * 10.0.0.2, via GigabitEthernet0/0, 00:05:23 ago Route metric is 20, traffic share count is 1 Based on this output, what can be concluded?

A.The route is an OSPF intra-area route
B.The route is an OSPF inter-area route
C.The route is an OSPF external route
D.The route is learned via EIGRP
AnswerB

The output explicitly states 'type inter area', indicating it is an inter-area route.

Why this answer

The output shows a specific route in the routing table. The route is learned via OSPF, with a metric of 20, and is an inter-area route (type inter area). The next hop is 10.0.0.2 via GigabitEthernet0/0.

The correct answer is that the route is an OSPF inter-area route.

43
Multi-Selecthard

Which three statements about telemetry data collection methods are true? (Choose three.)

Select 3 answers
A.SNMP is a push-based telemetry method where agents send traps to the NMS.
B.Syslog messages can be used as a form of telemetry to report events and state changes.
C.Model-driven telemetry supports both periodic and event-driven subscriptions.
D.gNMI is a protocol used to retrieve and manipulate configuration state, and it also supports telemetry subscriptions.
E.Telemetry data can only be encoded in XML format.
AnswersB, C, D

Syslog sends event-driven data from devices to a collector, fitting the telemetry definition.

Why this answer

Telemetry can be collected via SNMP (pull), Syslog (push), and model-driven telemetry (push). SNMP polling is a classic pull method, while Syslog and MDT are push-based. MDT offers higher scale and flexibility compared to SNMP.

44
MCQmedium

Examine the following configuration snippet: interface GigabitEthernet0/1 ip flow monitor FLOW-MONITOR input ip flow monitor FLOW-MONITOR output ! flow monitor FLOW-MONITOR exporter EXPORTER-1 record netflow ipv4 original-input ! flow exporter EXPORTER-1 destination 192.168.1.100 transport udp 2055 ! What is the effect of this configuration?

A.NetFlow v9 records are sent to the collector at 192.168.1.100 on UDP port 2055.
B.NetFlow v5 records are sent to the collector at 192.168.1.100 on UDP port 2055.
C.IPFIX records are sent to the collector at 192.168.1.100 on UDP port 2055.
D.The configuration is missing the 'ip flow-export source' command to specify the source interface.
AnswerA

The flow monitor uses the exporter to send NetFlow v9 records (default) to the specified collector.

Why this answer

This configuration enables NetFlow on an interface using a flow monitor that references a flow exporter. The record type 'netflow ipv4 original-input' is valid for collecting IPv4 flow data. The exporter sends UDP packets to the collector at 192.168.1.100 on port 2055.

45
MCQhard

A network engineer runs the following command on Router R1: R1# show ip pim neighbor PIM Neighbor Table Neighbor Address Interface Uptime Expires Mode 10.0.0.2 GigabitEthernet0/0 00:10:00 00:01:30 Dense 10.0.0.3 GigabitEthernet0/1 00:20:00 00:01:20 Sparse Based on this output, what can be concluded?

A.All PIM neighbors are operating in sparse mode
B.The router is configured with mixed PIM modes on different interfaces
C.The router is using PIM version 2 exclusively
D.The neighbor 10.0.0.3 is not a valid PIM neighbor
AnswerB

One neighbor is Dense and the other is Sparse, indicating the router has interfaces in different PIM modes.

Why this answer

The output shows PIM neighbors. One neighbor (10.0.0.2) is in Dense mode, and the other (10.0.0.3) is in Sparse mode. This indicates that the router has interfaces operating in different PIM modes.

The correct answer is that the router is configured with mixed PIM modes on different interfaces.

46
MCQmedium

A network engineer runs the following command on Router R1: R1# show ip nat translations Pro Inside global Inside local Outside local Outside global --- 192.168.1.10:1024 10.0.0.10:1024 203.0.113.5:80 203.0.113.5:80 tcp 192.168.1.10:1025 10.0.0.10:1025 203.0.113.5:80 203.0.113.5:80 --- 192.168.1.11:2048 10.0.0.11:2048 198.51.100.2:443 198.51.100.2:443 Based on this output, what can be concluded?

A.The router is performing static NAT
B.The router is performing dynamic NAT without overload
C.The router is performing NAT overload (PAT)
D.The router is performing destination NAT
AnswerC

Multiple inside local addresses (10.0.0.10 and 10.0.0.11) are using the same inside global address (192.168.1.10) with different port numbers, which is characteristic of PAT.

Why this answer

The output shows NAT translations. Inside global addresses are the public IPs seen on the outside, and inside local are the private IPs. The first entry has no protocol (---) indicating a static NAT or a translation that has timed out.

The second and third entries are TCP translations. The correct answer is that the router is performing NAT overload (PAT) because multiple inside local addresses are mapped to the same inside global address (192.168.1.10).

47
Matchingmedium

Drag and drop each flow record field on the left to its matching category (key or non-key) on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Key field

Key field

Key field

Non-key field

Non-key field

Why these pairings

Key fields define a unique flow (e.g., source IP, destination IP, protocol). Non-key fields provide additional data (e.g., byte count, packet count, timestamps).

48
Multi-Selecthard

Which three statements about model-driven telemetry are true? (Choose three.)

Select 3 answers
A.Model-driven telemetry uses a pull model where the collector requests data from network devices.
B.Telemetry subscriptions can be configured to report data on a periodic interval or when a value changes.
C.gRPC and gNMI are common transport protocols used for model-driven telemetry.
D.Model-driven telemetry requires the use of SNMP for data encoding.
E.YANG data models define the structure and semantics of telemetry data.
AnswersB, C, E

Subscriptions support both periodic (cadence-based) and on-change reporting.

Why this answer

Model-driven telemetry (MDT) uses YANG data models and supports both periodic and on-change subscriptions. It uses a push model, reducing polling overhead. gRPC and gNMI are common transport protocols. Telemetry data can be encoded in JSON or GPB.

49
MCQmedium

A network engineer runs the following command on Switch SW1: SW1# show spanning-tree vlan 10 VLAN0010 Spanning tree enabled protocol ieee Root ID Priority 32778 Address 0011.2233.4455 Cost 19 Port 1 (GigabitEthernet0/1) Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 32778 (priority 32768 sys-id-ext 10) Address 0011.2233.4466 Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Aging Time 300 sec Interface Role Sts Cost Prio.Nbr Type ------------------- ---- --- --------- -------- -------------------------------- Gi0/1 Root FWD 19 128.1 P2p Gi0/2 Altn BLK 19 128.2 P2p Based on this output, what can be concluded?

A.The local switch is the root bridge for VLAN 10
B.The local switch is not the root bridge for VLAN 10
C.Interface Gi0/2 is in a forwarding state
D.The spanning-tree mode is Rapid PVST+
AnswerB

The root ID shows a different MAC address than the bridge ID of the local switch, indicating the local switch is not the root.

Why this answer

The output shows spanning-tree information for VLAN 10. The root bridge has priority 32778 and address 0011.2233.4455. The local switch has a different bridge ID (0011.2233.4466), so it is not the root.

Interface Gi0/1 is the root port (Root, FWD), and Gi0/2 is an alternate port (Altn, BLK). The correct answer is that the local switch is not the root bridge for VLAN 10.

50
Drag & Dropmedium

Drag and drop the steps of sFlow agent sampling and forwarding steps into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

The sFlow agent samples packets, encapsulates them with headers, sends to collector, which decodes and analyzes, and the agent maintains counters for periodic export.

51
Matchingmedium

Drag and drop each telemetry model on the left to its matching push type (dial-in or dial-out) on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Collector connects to device, device listens

Collector initiates SSH session to device

Device connects to collector, collector listens

Device pushes data to collector

Collector requests data from device

Why these pairings

Dial-in: collector initiates connection to the network device (e.g., gRPC dial-in, NETCONF). Dial-out: device initiates connection to the collector (e.g., gRPC dial-out, model-driven telemetry).

52
Multi-Selectmedium

Which two statements about NetFlow are true? (Choose two.)

Select 2 answers
A.NetFlow uses TCP port 2055 for exporting flow records.
B.NetFlow v9 is template-based, allowing flexible and extensible flow record formats.
C.Sampled NetFlow reduces CPU impact by analyzing only a subset of packets.
D.NetFlow records include the full payload of each packet.
E.NetFlow can be used for both IPv4 and IPv6 traffic monitoring.
AnswersB, C

NetFlow v9 introduced templates that define the format of exported data, making it extensible.

Why this answer

NetFlow is a Cisco technology that collects IP traffic statistics and can export them to a collector. Traditional NetFlow uses UDP for export, and sampled NetFlow (sFlow-like) is used to reduce CPU load. NetFlow v9 is template-based, allowing flexible field definitions.

53
Matchingmedium

Drag and drop each NetFlow version on the left to its matching feature on the right.

Drag a concept onto its matching description — or click a concept then click the description.

Concepts
Matches

Fixed-format records with no templates

Template-based flow records with user-defined fields

Standardized version of NetFlow with variable-length fields

Why these pairings

NetFlow v5 sends fixed-format records with no user-defined fields. v9 supports templates and flexible field definitions. IPFIX is the standardized version of v9 with additional fields and variable-length support.

54
Multi-Selecteasy

Which two statements about NetFlow flow records and export are correct? (Choose two.)

Select 2 answers
A.NetFlow v9 uses a template-based export format.
B.IPFIX is the IETF standard version of NetFlow, based on NetFlow v9.
C.NetFlow v5 supports variable-length fields and custom flow keys.
D.NetFlow export uses TCP by default to ensure reliable delivery.
E.NetFlow v5 can export IPv6 flow information.
AnswersA, B

Correct because v9 introduces templates that define which fields are exported, allowing flexibility.

Why this answer

NetFlow v5 has a fixed format with 7 key fields, while v9 is template-based and flexible. IPFIX is the IETF standard based on v9. NetFlow export uses UDP by default (port 2055 for v5, 4729 for IPFIX).

TCP is not the default transport.

55
Drag & Dropmedium

Drag and drop the steps of streaming telemetry sensor path subscription flow into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Streaming telemetry starts with the collector subscribing to a sensor path on the device, the device authenticates the subscription, then periodically collects data from the YANG model, encodes it (e.g., GPB or JSON), and pushes it to the collector via gRPC or UDP.

56
Multi-Selectmedium

Which two statements about Flexible NetFlow are true? (Choose two.)

Select 2 answers
A.Flexible NetFlow allows administrators to define custom flow records with specific match and collect fields.
B.Flexible NetFlow can only export data in NetFlow v5 format.
C.A single flow monitor can be attached to multiple interfaces in both directions.
D.Flexible NetFlow requires the use of a dedicated hardware module for flow processing.
E.Flexible NetFlow cannot be used with MPLS traffic.
AnswersA, C

FNF lets you create custom records specifying key (match) and non-key (collect) fields.

Why this answer

Flexible NetFlow (FNF) extends traditional NetFlow by allowing user-defined flow records, keys, and non-key fields. It supports multiple flow exporters and can aggregate data using flow caches. FNF is configured using the 'flow record' and 'flow monitor' CLI commands.

57
Multi-Selectmedium

Which three statements about telemetry protocols and data collection are true? (Choose three.)

Select 3 answers
A.gNMI is a gRPC-based network management protocol that supports telemetry streaming.
B.In dial-out telemetry, the network device initiates the connection to the collector.
C.Telemetry can provide higher granularity and lower latency compared to SNMP polling.
D.SNMP is the only protocol supported for telemetry data collection on Cisco IOS XE devices.
E.gNMI requires the device to be configured with a CLI-based telemetry profile.
AnswersA, B, C

Correct because gNMI (gRPC Network Management Interface) is designed for streaming telemetry and configuration management.

Why this answer

gNMI is a gRPC-based protocol for streaming telemetry and managing network devices. Dial-out telemetry pushes data from the device to a collector. Telemetry can provide more granular data than SNMP.

SNMP is still widely used for legacy monitoring. gNMI does not require CLI configuration for telemetry.

58
MCQeasy

What is the default OSPF hello interval on a broadcast multi-access network (e.g., Ethernet)?

A.10 seconds
B.30 seconds
C.40 seconds
D.20 seconds
AnswerA

This is the default hello interval for broadcast and point-to-point OSPF networks.

Why this answer

OSPF uses different hello intervals depending on the network type. On broadcast and point-to-point networks, the default hello interval is 10 seconds.

Ready to test yourself?

Try a timed practice session using only Netflow And Telemetry questions.