Home > NetFlow Questions

NetFlow Questions

August 13th, 2015 in ROUTE 300-101 Go to comments

If you are not sure about NetFlow, please read our NetFlow tutorial.

Quick review:

NetFlow is a network protocol to report information about the traffic on a router/switch or other network device. NetFlow collects and summaries the data that is carried over a device, and then transmitting that summary to a NetFlow collector for storage and analysis. An IP flow is based on a set of five, and up to seven, IP packet attributes, which may include the following:
+ Destination IP address
+ Source IP address
+ Source port
+ Destination port
+ Layer 3 protocol type
+ Class of Service (optional)
+ Router or switch interface (optional)

Question 1

Explanation

The “show ip flow export” command is used to display the status and the statistics for NetFlow accounting data export, including the main cache and all other enabled caches. An example of the output of this command is shown below:

Router# show ip flow export
Flow export v5 is enabled for main cache
Exporting flows to 10.51.12.4 (9991) 10.1.97.50 (9111)
Exporting using source IP address 10.1.97.17
Version 5 flow records
11 flows exported in 8 udp datagrams
0 flows failed due to lack of export packet
0 export packets were sent up to process level
0 export packets were dropped due to no fib
0 export packets were dropped due to adjacency issues
0 export packets were dropped due to fragmentation failures
0 export packets were dropped due to encapsulation fixup failures
0 export packets were dropped enqueuing for the RP
0 export packets were dropped due to IPC rate limiting
0 export packets were dropped due to output drops

The “output drops” line indicates the total number of export packets that were dropped because the send queue was full while the packet was being transmitted.

Reference: http://www.cisco.com/en/US/docs/ios/12_3t/netflow/command/reference/nfl_a1gt_ps5207_TSD_Products_Command_Reference_Chapter.html#wp1188401

Question 2

Explanation

In general, NetFlow requires CEF to be configured in most recent IOS releases. CEF decides which interface the traffic is sent out. With CEF disabled, router will not have specific destination interface in the NetFlow report packets. Therefore a NetFlow Collector cannot show the OUT traffic for the interface.

Question 3

Explanation

This command is used to display the current status of the specific flow exporter, in this case Flow_Exporter-1. For example

N7K1# show flow export
Flow exporter Flow_Exporter-1:
    Description: Fluke Collector
    Destination: 10.255.255.100
    VRF: default (1)
    Destination UDP Port 2055
    Source Interface Vlan10 (10.10.10.5)
    Export Version 9
    Exporter Statistics
        Number of Flow Records Exported 726
        Number of Templates Exported 1
        Number of Export Packets Sent 37
        Number of Export Bytes Sent 38712
        Number of Destination Unreachable Events 0
        Number of No Buffer Events 0
        Number of Packets Dropped (No Route to Host) 0
        Number of Packets Dropped (other) 0
        Number of Packets Dropped (LC to RP Error) 0
        Number of Packets Dropped (Output Drops) 0
        Time statistics were last cleared: Thu Feb 15 21:12:06 2015

Question 4

Explanation

The sampling mode determines the algorithm that selects a subset of traffic for NetFlow processing. In the random sampling mode, incoming packets are randomly selected so that one out of each n sequential packets is selected on average for NetFlow processing. For example, if you set the sampling rate to 1 out of 100 packets, then NetFlow might sample the 5th, 120th, 299th, 302nd, and so on packets. This sample configuration provides NetFlow data on 1 percent of total traffic. The n value is a parameter from 1 to 65535 packets that you can configure.

In the above output we can learn the number of packets that has been sampled is 10. The sampling mode is “random sampling mode” and sampling interval is 100 (NetFlow samples 1 out of 100 packets).

Reference: http://www.cisco.com/c/en/us/td/docs/ios/12_0s/feature/guide/nfstatsa.html

Question 5

Explanation

The “ip flow-export destination 10.10.10.1 5858” command is used to export the information captured by the “ip flow-capture” command to the destination 10.10.10.1. “5858” is the UDP port to which NetFlow packets are sent (default is 2055). The syntax of this command is:

ip flow-export destination ip-address [udp-port] [version 5 {origin-as | peer-as}]

Question 6

Explanation

Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. Flow monitors consist of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is automatically created at the time the flow monitor is applied to the first interface. Flow data is collected from the network traffic during the monitoring process based on the key and nonkey fields in the record, which is configured for the flow monitor and stored in the flow monitor cache.
For example, the following example creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow monitor configuration mode:
Router(config)# flow monitor FLOW-MONITOR-1
Router(config-flow-monitor)#

(Reference: http://www.cisco.com/c/en/us/td/docs/ios/fnetflow/command/reference/fnf_book/fnf_01.html#wp1314030)

Question 7

Question 8

Explanation

The following is an example of configuring an interface to capture flows into the NetFlow cache. CEF followed by NetFlow flow capture is configured on the interface:

Router(config)# ip cef
Router(config)# interface ethernet 1/0
Router(config-if)# ip flow ingress
or
Router(config-if)# ip route-cache flow

Note: Either ip flow ingress or ip route-cache flow command can be used depending on the Cisco IOS Software version. Ip flow ingress is available in Cisco IOS Software Release 12.2(15)T or above.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

Question 9

Question 10

Explanation

There are two primary methods to access NetFlow data: the Command Line Interface (CLI) with show commands or utilizing an application reporting tool. If you are interested in an immediate view of what is happening in your network, the CLI can be used. The other choice is to export NetFlow to a reporting server or what is called the “NetFlow collector”.

Reference: http://www.cisco.com/c/en/us/products/collateral/ios-nx-os-software/ios-netflow/prod_white_paper0900aecd80406232.html

Comments
  1. thanhle
    July 28th, 2016

    Q10 in my exam. answer are CLI and netflow (no see collector word)

  2. AN Ethiopian
    July 28th, 2016

    @Thanhle:
    I see the same choices ,too.

  3. Notmyrealname
    August 14th, 2016

    Small note on q 10. I just took the test and on mine answer B was a little vaguer. They wrote “Netflow” rather than “Netflow collector”, making it harder to discern as a proper collection method.

  4. louie
    August 31st, 2016

    hi guys!anyone who have a latest version of vce. Please email me @{email not allowed}. I really appreciate the help

  5. Recent Route Examinee
    September 15th, 2016

    NOTE: Notmyrealname is absolutely correct.

    The test was super ambiguous and listed “Netflow” rather than “Netflow collector.”

    That bothered me greatly. “How do you view Netflow?” Well, CLI and Netflow, duh. (smh)

    I am disappointed in the exam. For $250, you would think someone would check for test errors.

  6. no good
    October 4th, 2016

    Guys, I failed today with a 640. The ‘300-101: Implementing Cisco IP Routing’ exam is completely different then what is on this site. Not even close. There are maybe 10 questions that are the same… What happened???

  7. ott75
    January 5th, 2017

    failed the exam with 770
    a lot of NTP and frame relay new questions.
    can someone send me the new questions?
    ottavio(dot)backup(AT)gmail(dot)com

  1. No trackbacks yet.