NetFlow

NetFlow is a network protocol for reporting information about the traffic on a router, switch or other network device. NetFlow collects and summarizes the data carried over a device, then transmits that summary to a NetFlow collector for storage and analysis. An IP flow is based on a set of five, and up to seven, IP packet attributes, which may include the following:
+ Destination IP address
+ Source IP address
+ Source port
+ Destination port
+ Layer 3 protocol type
+ Class of Service (optional)
+ Router or switch interface (optional)

Question 1

A network engineer executes the show ip flow export command. Which line in the output indicates that the send queue is full and export packets are not being sent?

A. output drops
B. enqueuing for the RP
C. fragmentation failures
D. adjacency issues

Answer: A

Explanation

The “show ip flow export” command is used to display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches. An example of the output of this command is shown below:

Router# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
Exporting using source IP address 10.1.97.17
Version 5 flow records
11 flows exported in 8 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops

The “output drops” line indicates the total number of export packets that were dropped because the send queue was full while the packet was being transmitted.

Reference: http://www.cisco.com/en/US/docs/ios/12_3t/netflow/command/reference/nfl_a1gt_ps5207_TSD_Products_Command_Reference_Chapter.html#wp1188401
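
Lost export packets mean flows the collector never sees, so these counters are worth checking automatically. The following is an added example, not part of the original page: it parses text in the format shown above and reports every non-zero loss counter. The function name and the non-zero values in the sample are constructed for illustration.

```python
import re

# Constructed sample in the format of the output above; the non-zero counters are invented.
SAMPLE_OUTPUT = """\
Flow export v5 is enabled for main cache
  Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
  Exporting using source IP address 10.1.97.17
  Version 5 flow records
  5120 flows exported in 180 udp datagrams
  0 flows failed due to lack of export packet
  0 export packets were sent up to process level
  0 export packets were dropped due to no fib
  2 export packets were dropped due to adjacency issues
  0 export packets were dropped due to fragmentation failures
  0 export packets were dropped due to encapsulation fixup failures
  0 export packets were dropped enqueuing for the RP
  0 export packets were dropped due to IPC rate limiting
  7 export packets were dropped due to output drops
"""

EXPORTED = re.compile(r"(\d+) flows exported in (\d+) udp datagrams")
FAILED = re.compile(r"(\d+) flows failed due to (.+)")
DROPPED = re.compile(r"(\d+) export packets were dropped (?:due to )?(.+)")

def export_health(text):
    """Summarise export counters; any non-zero loss counter is a telemetry gap."""
    health = {"flows": None, "datagrams": None, "losses": {}, "send_queue_full": False}
    for line in map(str.strip, text.splitlines()):
        if m := EXPORTED.fullmatch(line):
            health["flows"], health["datagrams"] = int(m[1]), int(m[2])
        elif m := (FAILED.fullmatch(line) or DROPPED.fullmatch(line)):
            count, reason = int(m[1]), m[2]
            if count:
                health["losses"][reason] = count
    # "output drops" is the counter that means the send queue was full.
    health["send_queue_full"] = health["losses"].get("output drops", 0) > 0
    return health

if __name__ == "__main__":
    print(export_health(SAMPLE_OUTPUT))
```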

Question 2

An organization decides to implement NetFlow on its network to monitor the fluctuation of traffic that is disrupting core services. After reviewing the output of NetFlow, the network engineer is unable to see OUT traffic on the interfaces. What can you determine based on this information?

A. Cisco Express Forwarding has not been configured globally.
B. NetFlow output has been filtered by default.
C. Flow Export version 9 is in use.
D. The command ip flow-capture fragment-offset has been enabled.

Answer: A

Explanation

In general, NetFlow requires CEF to be configured in most recent IOS releases. CEF decides which interface the traffic is sent out of. With CEF disabled, the router will not have a specific destination interface in the NetFlow report packets. Therefore, a NetFlow collector cannot show the OUT traffic for the interface.

Question 3

A network engineer has left a NetFlow capture enabled over the weekend to gather information regarding excessive bandwidth utilization. The following command is entered:

switch#show flow exporter Flow_Exporter-1

What is the expected output?

A. configuration of the specified flow exporter
B. current status of the specified flow exporter
C. status and statistics of the specified flow monitor
D. configuration of the specified flow monitor

Answer: B

Explanation

This command is used to display the current status of the specified flow exporter, in this case Flow_Exporter-1. For example:

N7K1# show flow export
Flow exporter Flow_Exporter-1:
    Description: Fluke Collector
    Destination: 10.255.255.100
    VRF: default (1)
    Destination UDP Port 2055
    Source Interface Vlan10 (10.10.10.5)
    Export Version 9
    Exporter Statistics
        Number of Flow Records Exported 726
        Number of Templates Exported 1
        Number of Export Packets Sent 37
        Number of Export Bytes Sent 38712
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 0
        Time statistics were last cleared: Thu Feb 15 21:12:06 2015

Question 4

Refer to the exhibit.

Sampler: mysampler, id: 1, packets matched: 10, mode random sampling mode
sampling interval is : 100

Which statement about the output of the show flow-sampler command is true?

A. The sampler matched 10 packets, each packet randomly chosen from every group of 100 packets.
B. The sampler matched 10 packets, one packet every 100 packets.
C. The sampler matched 10 packets, each one randomly chosen from every 100-second interval.
D. The sampler matched 10 packets, one packet every 100 seconds.

Answer: A

Explanation

The sampling mode determines the algorithm that selects a subset of traffic for NetFlow processing. In the random sampling mode, incoming packets are randomly selected so that one out of each n sequential packets is selected on average for NetFlow processing. For example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the 5th, 120th, 299th, 302nd, and so on packets. This sample configuration provides NetFlow data on 1 percent of total traffic. The n value is a parameter from 1 to 65535 packets that you can configure.

From the above output we can learn that the number of packets that have been sampled is 10. The sampling mode is “random sampling mode” and the sampling interval is 100 (NetFlow samples 1 out of 100 packets).

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfstatsa.html
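
The random sampling mode described above can be modelled in a few lines. The following is an added example, not part of the original page: it picks one random packet from every group of n packets, scales the matched count back to an estimate of total traffic, and measures how often a short flow is seen at all at a sampling interval of 100. All function names are constructed, and treating each group of n packets independently is a modelling assumption.

```python
import random

def random_sampler(num_packets, interval, rng):
    """Indices of sampled packets: one uniformly random packet per group of `interval`."""
    sampled = []
    for start in range(0, num_packets, interval):
        end = min(start + interval, num_packets)
        sampled.append(rng.randrange(start, end))
    return sampled

def estimate_total(packets_matched, interval):
    """Scale the sampler's matched count back up to an estimate of packets seen."""
    return packets_matched * interval

def short_flow_hit_rate(flow_len, interval, trials, rng):
    """Fraction of trials in which at least one packet of a short flow is sampled."""
    stream_len = interval * 10
    hits = 0
    for _ in range(trials):
        # Place a contiguous flow of flow_len packets somewhere in the stream.
        start = rng.randrange(0, stream_len - flow_len + 1)
        flow = range(start, start + flow_len)
        if any(i in flow for i in random_sampler(stream_len, interval, rng)):
            hits += 1
    return hits / trials

if __name__ == "__main__":
    rng = random.Random(1)
    picks = random_sampler(1000, 100, rng)
    print("sampled packet indices:", picks)
    print("estimated packets seen:", estimate_total(len(picks), 100))
    print("5-packet flow observed in",
          f"{short_flow_hit_rate(5, 100, 2000, rng):.1%}", "of trials")
```

A flow much shorter than the sampling interval is missed in most trials, which is why sampled NetFlow suits volume trending better than spotting brief connections.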

Question 5

What is the result of the command ip flow-export destination 10.10.10.1 5858?

A. It configures the router to export cache flow information to IP 10.10.10.1 on port UDP/5858.
B. It configures the router to export cache flow information about flows with destination IP 10.10.10.1 and port UDP/5858.
C. It configures the router to receive cache flow information from IP 10.10.10.1 on port UDP/5858.
D. It configures the router to receive cache flow information about flows with destination IP 10.10.10.1 and port UDP/5858.

Answer: A

Explanation

The “ip flow-export destination 10.10.10.1 5858” command is used to export the information captured by the “ip flow-capture” command to the destination 10.10.10.1. “5858” is the UDP port to which NetFlow packets are sent (default is 2055). The syntax of this command is:

ip flow-export destination ip-address [udp-port] [version 5 {origin-as | peer-as}]

Question 6

Which NetFlow component is applied to an interface and collects information about flows?

A. flow monitor
B. flow exporter
C. flow sampler
D. flow collector

Answer: A

Explanation

Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the record, which is configured for the flow monitor and stored in the flow monitor cache.

For example, the following command creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow monitor configuration mode:

Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)#

(Reference: http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html#wp1314030)

Question 7

A network engineer is notified that several employees are experiencing network performance related issues, and bandwidth-intensive applications are identified as the root cause. In order to identify which specific type of traffic is causing this slowness, information such as the source/destination IP and Layer 4 port numbers is required. Which feature should the engineer use to gather the required information?

A. SNMP
B. Cisco IOS EEM
C. NetFlow
D. Syslog
E. WCCP

Answer: C

Question 8

An engineer executes the ip flow ingress command in interface configuration mode. What is the result of this action?

A. It enables the collection of IP flow samples arriving to the interface.
B. It enables the collection of IP flow samples leaving the interface.
C. It enables IP flow while disabling IP CEF on the interface.
D. It enables IP flow collection on the physical interface and its subinterfaces.

Answer: A

Explanation

The following is an example of configuring an interface to capture flows into the NetFlow cache. CEF followed by NetFlow flow capture is configured on the interface:

Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
or
Router(config-if)# ip route-cache flow

Note: Either the ip flow ingress or the ip route-cache flow command can be used, depending on the Cisco IOS Software version. The ip flow ingress command is available in Cisco IOS Software Release 12.2(15)T or above.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

Question 9

Refer to the exhibit. Which statement about the command output is true?

A. The router exports flow information to 10.10.10.1 on UDP port 5127.
B. The router receives flow information from 10.10.10.2 on UDP port 5127.
C. The router exports flow information to 10.10.10.1 on TCP port 5127.
D. The router receives flow information from 10.10.10.2 on TCP port 5127.

Answer: A

Question 10

In which two ways can NetFlow data be viewed? (Choose two)

A. CLI
B. NetFlow collector
C. built-in GUI
D. syslog server interface
E. web interface

Answer: A B

Explanation

There are two primary methods to access NetFlow data: the Command Line Interface (CLI) with show commands or utilizing an application reporting tool. If you are interested in an immediate view of what is happening in your network, the CLI can be used. The other choice is to export NetFlow to a reporting server or what is called the “NetFlow collector”.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

Question 11

A network engineer is configuring the router for NetFlow data exporting. What is required in order for NDE to begin exporting data?

A. Source
B. Flow mask
C. Destination
D. Interface type
E. Traffic type
F. NetFlow version

Answer: C

Explanation

NetFlow collects statistics about traffic that flows through the router. NetFlow Data Export (NDE) enables you to export those statistics to an external data collector for analysis.

An example of configuring NetFlow data exporting is shown below:

Router(config)#interface fa0/1
Router(config-if)#ip route-cache flow
Router(config-if)#exit
Router(config)#ip flow-export destination 10.1.1.1 2055
Router(config)#ip flow-export source fa0/2 //NetFlow will use Fa0/2 as the source IP address for the UDP datagrams sent to the NetFlow Collector
Router(config)#ip flow-export version 5
Router(config)#ip flow-cache timeout active 1 //export flow records every minute.

The most important parameter when configuring NetFlow is the destination to which NetFlow sends data. Other parameters can be ignored and they will use default values (except the command “ip route-cache flow”, which enables NetFlow).

Question 12

A network engineer executes the “show ip cache flow” command. Which two types of information are displayed in the report that is generated? (Choose two)

A. top talkers
B. flow export statistics
C. flow sample for specific protocols
D. MLS flow traffic
E. IP packet distribution

Answer: C E

Explanation

Below is an example of the “show ip cache flow” output:

Information provided includes packet size distribution (the answer says “IP packet distribution” but maybe it is “IP packet size distribution”); basic statistics about number of flows and export timer setting, a view of the protocol distribution statistics and the NetFlow cache.

Also we can see the flow samples for TCP and UDP protocols (including Total Flows, Flows/Sec, Packets/Flow…).

Question 13

Where can NetFlow export data for long term storage and analysis?

A. syslog
B. collector
C. another network device
D. flat file

Answer: B

Explanation

NetFlow Collector: collects flow records sent from the NetFlow exporters, parsing and storing the flows. Usually a collector is separate software running on a network server. NetFlow records are exported to a NetFlow collector using User Datagram Protocol (UDP).
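
The parsing step a collector performs can be shown for the version 5 export format. The following is an added example, not part of the original page: it decodes one v5 UDP payload and extracts the seven flow attributes listed at the top of this page, rejecting datagrams whose record count does not match their length. The byte layout follows the NetFlow version 5 export format; the function names and the sample datagram are constructed here.

```python
import socket
import struct

V5_HEADER = struct.Struct("!HHIIIIBBH")                 # 24-byte header
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHxBBBHHBBxx")  # 48-byte flow record
V5_MAX_RECORDS = 30                                     # v5 limit per datagram

def parse_v5(datagram):
    """Return the flow key fields of every record in one v5 export datagram."""
    if len(datagram) < V5_HEADER.size:
        raise ValueError("shorter than a v5 header")
    version, count = V5_HEADER.unpack_from(datagram)[:2]
    if version != 5:
        raise ValueError(f"unexpected export version {version}")
    # The count field arrives over unauthenticated UDP: check it against the real length.
    expected = V5_HEADER.size + count * V5_RECORD.size
    if not 1 <= count <= V5_MAX_RECORDS or len(datagram) != expected:
        raise ValueError("record count does not match datagram length")
    flows = []
    for offset in range(V5_HEADER.size, expected, V5_RECORD.size):
        f = V5_RECORD.unpack_from(datagram, offset)
        flows.append({
            "src_ip": socket.inet_ntoa(f[0]), "dst_ip": socket.inet_ntoa(f[1]),
            "src_port": f[9], "dst_port": f[10],
            "protocol": f[12], "tos": f[13],
            "input_if": f[3], "output_if": f[4],
            "packets": f[5], "octets": f[6],
        })
    return flows

def build_sample_datagram():
    """Constructed one-record datagram (documentation addresses, invented counters)."""
    header = V5_HEADER.pack(5, 1, 360000, 1700000000, 0, 42, 0, 0, 0)
    record = V5_RECORD.pack(
        socket.inet_aton("192.0.2.10"), socket.inet_aton("198.51.100.20"),
        socket.inet_aton("0.0.0.0"), 1, 2,      # next hop, input ifIndex, output ifIndex
        12, 9000, 350000, 359000,               # packets, octets, first, last
        51514, 443, 0x1B, 6, 0,                 # ports, TCP flags, protocol, ToS
        0, 0, 24, 24)                           # AS numbers, prefix masks
    return header + record

if __name__ == "__main__":
    print(parse_v5(build_sample_datagram()))
```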

Question 14

Refer to the exhibit. How can you configure a second export destination for IP address 192.168.10.1?

configure terminal
ip flow-export destination 192.168.10.1 9991
ip flow-export version 9

A. Specify a different TCP port
B. Specify a different UDP port
C. Specify a VRF
D. Configure a version 5 flow-export to the same destination
E. Specify a different flow ID

Answer: B

Explanation

To configure multiple NetFlow export destinations to a router, use the following commands in global configuration mode:

Step 1: Router(config)# ip flow-export destination ip-address udp-port
Step 2: Router(config)# ip flow-export destination ip-address udp-port

The following example enables the exporting of information in NetFlow cache entries:

ip flow-export destination 10.42.42.1 9991
ip flow-export destination 10.0.101.254 1999

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/12s_mdnf.html

Question 15

Which two statements about NetFlow templates are true? (Choose two)

A. Only NetFlow version 9 is template based
B. NetFlow Version 5 and version 9 are template based
C. Only NetFlow version 5 is template based
D. Templates can increase bandwidth usage
E. They can increase overall performance
F. They can reduce bandwidth usage

Answer: A D

Explanation

The distinguishing feature of the NetFlow Version 9 format is that it is template based -> Answer A is correct.

Reference: https://www.cisco.com/en/US/technologies/tk648/tk362/technologies_white_paper09186a00800a3db9.html

Export bandwidth increases for version 9 (because of template flowsets) versus version 5 -> Answer D is correct.

Version 9 slightly decreases overall performance, because generating and maintaining valid template flowsets requires additional processing -> Answer E is not correct.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfexpfv9.html

Question 16

Which version or versions of NetFlow support MPLS?

A. all versions of NetFlow
B. NetFlow version 9
C. NetFlow version 8
D. NetFlow version 5
E. NetFlow version 8 and 9

Answer: B

Explanation

MPLS-aware NetFlow uses the NetFlow Version 9 export format. MPLS-aware NetFlow exports up to three labels of interest from the incoming label stack, the IP address associated with the top label, as well as traditional NetFlow data.

Reference: https://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/fsmnf24.html