ICND2 – NetFlow

Question 1
NetFlow traditionally enables several key customer applications including:
Network Monitoring – NetFlow data enables extensive near real time network monitoring capabilities. Flow-based analysis techniques may be utilized to visualize traffic patterns associated with individual routers and switches as well as on a network-wide basis (providing aggregate traffic or application based views) to provide proactive problem detection, efficient troubleshooting, and rapid problem resolution.
Application Monitoring and Profiling – NetFlow data enables network managers to gain a detailed, time-based, view of application usage over the network. This information is used to plan, understand new services, and allocate network and application resources (e.g. Web server sizing and VoIP deployment) to responsively meet customer demands.
User Monitoring and Profiling – NetFlow data enables network engineers to gain detailed understanding of customer/user utilization of network and application resources. This information may then be utilized to efficiently plan and allocate access, backbone and application resources as well as to detect and resolve potential security and policy violations.
Network Planning – NetFlow can be used to capture data over a long period of time, producing the opportunity to track and anticipate network growth and plan upgrades to increase the number of routing devices, ports, or higher-bandwidth interfaces. NetFlow services data optimizes network planning including peering, backbone upgrade planning, and routing policy planning. NetFlow helps to minimize the total cost of network operations while maximizing network performance, capacity, and reliability. NetFlow detects unwanted WAN traffic, validates bandwidth and Quality of Service (QoS) and allows the analysis of new network applications. NetFlow will give you valuable information to reduce the cost of operating your network.
Security Analysis – NetFlow identifies and classifies DDoS attacks, viruses and worms in real time. Changes in network behavior indicate anomalies that are clearly visible in NetFlow data. The data is also a valuable forensic tool to understand and replay the history of security incidents.
Accounting/Billing – NetFlow data provides fine-grained metering (e.g. flow data includes details such as IP addresses, packet and byte counts, timestamps, type-of-service and application ports, etc.) for highly flexible and detailed resource utilization accounting. Service providers may utilize the information for billing based on time-of-day, bandwidth usage, application usage, quality of service, etc. Enterprise customers may utilize the information for departmental charge-back or cost allocation for resource utilization.
Question 2
What is an IP Flow?
Each packet that is forwarded within a router or switch is examined for a set of IP packet attributes. These attributes are the IP packet identity or fingerprint of the packet and determine if the packet is unique or similar to other packets.
Traditionally, an IP Flow is based on a set of five to seven IP packet attributes (the first five below are always used; the last two are the optional additions).
IP Packet attributes used by NetFlow:
IP source address
IP destination address
Source port
Destination port
Layer 3 protocol type
+ Class of Service
+ Router or switch interface
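The seven fields above are exactly what a collector keys on, and the "Security Analysis" use case in Question 1 is just analysis over those keys. The script below is an added example, not part of the original page or of any Cisco tool: it packs a handful of constructed NetFlow v5 records into an export datagram, parses them back into the seven-tuple flow key, and runs two checks an analyst would run over that data, a top-talkers list and a port-scan heuristic. The record layout is the documented Cisco NetFlow v5 export format; the IP addresses, ports, counters and flags in `SAMPLE` are constructed test data.

```python
import socket
import struct
from collections import defaultdict

# NetFlow v5 export format: a 24-byte header followed by 48-byte records.
V5_HEADER = struct.Struct("!HHIIIIBBH")
# version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence, engine_type, engine_id, sampling
V5_RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
# srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first, last,
# srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as, src_mask, dst_mask, pad2

SYN = 0x02  # TCP flag bit as exported in the tcp_flags field


def build_v5_packet(records):
    """Pack constructed (src, dst, sport, dport, proto, tos, ifindex, pkts, octets, flags)
    tuples into one v5 datagram. Test data only, not a real router export."""
    header = V5_HEADER.pack(5, len(records), 600_000, 1_700_000_000, 0, 1, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(socket.inet_aton(src), socket.inet_aton(dst), b"\0" * 4,
                       ifindex, 0, pkts, octets, 590_000, 599_000,
                       sport, dport, 0, flags, proto, tos, 0, 0, 24, 24, 0)
        for src, dst, sport, dport, proto, tos, ifindex, pkts, octets, flags in records)
    return header + body


def parse_v5(datagram):
    """Return one dict per record; 'key' is the seven-tuple flow key from the page."""
    version, count, *_ = V5_HEADER.unpack_from(datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5: version {version}")
    if len(datagram) < V5_HEADER.size + count * V5_RECORD.size:
        raise ValueError("truncated datagram: header count exceeds payload")
    flows = []
    offset = V5_HEADER.size
    for _ in range(count):
        r = V5_RECORD.unpack_from(datagram, offset)
        offset += V5_RECORD.size
        flows.append({
            "key": (socket.inet_ntoa(r[0]), socket.inet_ntoa(r[1]),  # src / dst IP
                    r[9], r[10],                                      # src / dst port
                    r[13], r[14], r[3]),                              # protocol, ToS, input ifindex
            "packets": r[5], "octets": r[6], "tcp_flags": r[12],
        })
    return flows


def top_talkers(flows, n=3):
    """Bytes sent per source address, largest first."""
    octets = defaultdict(int)
    for f in flows:
        octets[f["key"][0]] += f["octets"]
    return sorted(octets.items(), key=lambda kv: kv[1], reverse=True)[:n]


def find_port_scanners(flows, min_targets=20):
    """Sources that hit many distinct (dst, dport) pairs with SYN-only flows of <= 2 packets:
    the flow-level shape of a SYN scan. Returns {src: number of distinct targets}."""
    targets = defaultdict(set)
    for f in flows:
        src, dst, _sport, dport, proto, _tos, _ifindex = f["key"]
        if proto == 6 and f["tcp_flags"] == SYN and f["packets"] <= 2:
            targets[src].add((dst, dport))
    return {src: len(t) for src, t in targets.items() if len(t) >= min_targets}


# Constructed sample: one normal HTTPS session plus a SYN sweep of 30 ports on the same server.
SAMPLE = [("10.0.0.5", "10.0.0.80", 51000, 443, 6, 0, 1, 100, 150_000, 0x1B)]
SAMPLE += [("10.0.0.99", "10.0.0.80", 40000 + p, p, 6, 0, 1, 1, 44, SYN) for p in range(1, 31)]

if __name__ == "__main__":
    flows = parse_v5(build_v5_packet(SAMPLE))
    print(len(flows), "flows; top talkers:", top_talkers(flows))
    print("port scanners:", find_port_scanners(flows))
```

The scan heuristic deliberately looks at flags and packet counts rather than byte volume: a scanner is almost invisible in a top-talkers view (30 flows of 44 bytes here) but stands out by the number of distinct destination ports it touches.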
Question 3
Flow monitors are the Flexible NetFlow component that is applied to interfaces to perform network traffic monitoring. A flow monitor consists of a record and a cache. You add the record to the flow monitor after you create the flow monitor. The flow monitor cache is created automatically when the flow monitor is applied to its first interface. During monitoring, flow data is collected from the network traffic according to the key and nonkey fields of the record configured for the flow monitor, and stored in the flow monitor cache.
For example, the following command creates a flow monitor named FLOW-MONITOR-1 and enters Flexible NetFlow flow monitor configuration mode:
Router(config)# flow monitor FLOW-MONITOR-1
Question 4
The “show ip cache flow” command displays a summary of the NetFlow accounting statistics.
Question 5
NetFlow facilitates solutions to many common problems encountered by IT professionals.
Analyze new applications and their network impact
Identify new application network loads such as VoIP or remote site additions.
Reduction in peak WAN traffic
Use NetFlow statistics to measure WAN traffic improvement from application-policy changes; understand who is utilizing the network and the network top talkers.
Troubleshooting and understanding network pain points
Diagnose slow network performance, bandwidth hogs and bandwidth utilization quickly with command line interface or reporting tools. -> D is correct.
Detection of unauthorized WAN traffic
Avoid costly upgrades by identifying the applications causing congestion. -> A is correct.
Security and anomaly detection
NetFlow can be used for anomaly detection and worm diagnosis along with applications such as Cisco CS-MARS.
Validation of QoS parameters
Confirm that appropriate bandwidth has been allocated to each Class of Service (CoS) and that no CoS is over- or under-subscribed.-> F is correct.


Question 1
With HSRP, two or more devices support a virtual router with a virtual MAC address and a unique IP address. There are two versions of HSRP.
+ With HSRP version 1, the virtual router’s MAC address is 0000.0C07.ACxx, in which xx is the HSRP group.
+ With HSRP version 2, the virtual MAC address is 0000.0C9F.Fxxx, in which xxx is the HSRP group.
Note: Another case is HSRP for IPv6, in which the MAC address range from 0005.73A0.0000 through 0005.73A0.0FFF.
-> A is correct.
Question 2
The virtual MAC address of HSRP version 1 is 0000.0C07.ACxx, where xx is the HSRP group number in hexadecimal. For example, HSRP group 10 uses the HSRP virtual MAC address 0000.0C07.AC0A. HSRP version 2 uses a virtual MAC address of 0000.0C9F.FXXX (XXX: HSRP group in hexadecimal).
For more information about HSRP operation, please read our HSRP tutorial.
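Because the group number is embedded in the virtual MAC, a MAC seen in a packet capture tells you which first-hop redundancy protocol and which group is in use, which is useful both for troubleshooting and for spotting FHRP traffic you did not expect on a segment. The following Python is an added example (not from the original page or from Cisco): `hsrp_vmac` derives the virtual MAC from a group number for both HSRP versions, and `identify_fhrp_mac` does the reverse for the HSRP ranges on this page and, going beyond the page, for the VRRP range (0000.5E00.01xx, xx = VRID, from RFC 3768) and the GLBP range (0007.B400.xxyy, xx = group, yy = forwarder number).

```python
import re


def hsrp_vmac(group, version=1):
    """Virtual MAC address an IPv4 HSRP group answers ARP with."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRPv1 groups are 0-255")
        return f"0000.0c07.ac{group:02x}"
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRPv2 groups are 0-4095")
        return f"0000.0c9f.f{group:03x}"
    raise ValueError("version must be 1 or 2")


# Well-known FHRP virtual MAC ranges; the capture groups hold the protocol-specific fields.
_FHRP_PATTERNS = [
    ("HSRPv1",    re.compile(r"^0000\.0c07\.ac([0-9a-f]{2})$")),
    ("HSRPv2",    re.compile(r"^0000\.0c9f\.f([0-9a-f]{3})$")),
    ("HSRP IPv6", re.compile(r"^0005\.73a0\.0([0-9a-f]{3})$")),
    ("VRRP",      re.compile(r"^0000\.5e00\.01([0-9a-f]{2})$")),
    ("GLBP",      re.compile(r"^0007\.b400\.([0-9a-f]{2})([0-9a-f]{2})$")),
]


def normalize_mac(mac):
    """Accept 00:00:0C:07:AC:0A, 00-00-0c-07-ac-0a or 0000.0c07.ac0a; return Cisco dotted form."""
    hexdigits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(hexdigits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return ".".join(hexdigits[i:i + 4] for i in (0, 4, 8))


def identify_fhrp_mac(mac):
    """Return {'protocol', 'group'[, 'forwarder']} for an FHRP virtual MAC, else None."""
    mac = normalize_mac(mac)
    for name, pattern in _FHRP_PATTERNS:
        m = pattern.match(mac)
        if m:
            info = {"protocol": name, "group": int(m.group(1), 16)}
            if name == "GLBP":
                info["forwarder"] = int(m.group(2), 16)
            return info
    return None


if __name__ == "__main__":
    for g in (1, 10, 255):
        print(g, hsrp_vmac(g, 1), hsrp_vmac(g, 2))
    print(identify_fhrp_mac("00:00:0C:07:AC:0A"), identify_fhrp_mac("0007.b400.0102"))
```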
Question 3
Object tracking is the process of tracking the state of a configured object and using that state to determine the priority of the VRRP router in a VRRP group -> B is correct.
Note: Unlike HSRP which can track interface status directly, VRRP can only track interface status through a tracked object.
Question 4
One disadvantage of HSRP and VRRP is that only one router is in use at a time; the other routers must wait for the primary to fail before they can be used. Gateway Load Balancing Protocol (GLBP), however, can use up to four routers simultaneously. In GLBP there is still only one virtual IP address, but each router has a different virtual MAC address. First a GLBP group must elect an Active Virtual Gateway (AVG). The AVG is responsible for replying to ARP requests from hosts/clients. It replies with different virtual MAC addresses that correspond to different routers (known as Active Virtual Forwarders – AVFs), so that clients send traffic to different routers in the GLBP group (load sharing).
Question 5
Question 6

Frame Relay Sim

Enter IOS commands on the Dubai router to verify network operation and answer four multiple-choice questions. THIS TASK DOES NOT REQUIRE DEVICE CONFIGURATION.
Note: If you are not sure about Frame-Relay, please read my Frame Relay tutorial.
To answer the 4 questions below, you have to type show frame-relay map and show running-config to get the router's configuration. You can use the outputs of these commands to answer all 4 multiple-choice questions.
Dubai#sh frame-relay map
Serial1/0 (up): ip dlci 704 (0x7B,0x1CB0), dynamic,
                    broadcast,, status defined, active
Serial1/0 (up): ip dlci 196 (0xEA,0x38A0), dynamic,
                    broadcast,, status defined, active
Serial1/0 (up): ip dlci 702 (0x159,0x5490), dynamic,
                    broadcast,, status defined, active
Serial1/0 (up): ip dlci 344 (0x1CB,0x7080), dynamic,
                    broadcast,, status defined, active 
Dubai#sh run
interface Serial1/0
 ip address
 encapsulation frame-relay
interface Serial1/1
 ip address
interface Serial1/2
 ip address
 encapsulation ppp
interface Serial1/3
 ip address
 encapsulation ppp
 ppp authentication chap
router rip
 version 2
 no auto-summary
line con 0
 exec-timeout 0 0
line aux 0
line vty 0 4
 password T1net
Question 1
To see what DLCI is used for the destination we can check the output of “show frame-relay map” command:
Serial1/0 (up): ip dlci 702 … -> The DLCI in this case is 702.
Question 2
From the output of “show frame-relay map” command, we learn the IP address of S-AMER is and the DLCI used to reach there is 196 so B is the correct answer.
Question 3
From the output of “show running-config” command we learn that interface S1/1 (connected to MidEast) does not declare any encapsulation -> It uses the default encapsulation HDLC.
Note: High-Level Data Link Control (HDLC) is the default WAN encapsulation on Cisco serial interfaces.
Question 4
This question was unclear for a long time, but the trick now seems to be understood. What Cisco asks for is the word used as the password, not the type of connection, so in the exam you might see some strange words as answers, like “En8ble”, “T1net”, “C0nsole”. All you have to do is use the command “show running-config”, as wx4 describes below, to find the answer.
wx4 commented:
Q4: if password required which?
in my example it was connection to North!
How to figure out which pw is required?
#show running-config
1. check the interface to the router you need connection to. If there is “ppp authentication” you need a password!
2. you will find the password on the top of your running-config output
check the area:
username North password c0nsole
username xxxxx yyyyy
in my case it was c0nsole, in your case it can be no password needed or a different password.
If you are still not clear, please read anton's comment:
A big question I noticed here was about the FR Lab regarding the password. You have to perform a show running-config and look for USERNAME and PASSWORD.
username South_Router password c0nsol3
username North_Router password t31net
Obviously this has to be in PPP encapsulation; if asked for a possible password for SOUTH_ROUTER you pick c0nsol3, and for NORTH_ROUTER you pick t31net. If you’re running HDLC, I would pick “no password is required”.
VTP Configuration Sim


Answer and Explanation
If you are not sure about VTP, please read my VTP tutorial
The question states we can’t access the router so we can only get required information from switch building_1. Click on the PC connected with switch building_1 (through a console line) to access switch building_1’s CLI. On this switch use the show running-config command:
building_1#show running-config
Next use the show vtp status command to learn about the VTP domain on this switch
building_1#show vtp status
(Notice: the IP address, IP default-gateway and VTP domain name might be different!!!)
You should write down these 3 parameters carefully.
Configuring the new switch
+ Determine and configure the IP host address of the new switch
The question requires “for the switch host address, you should use the last available IP address on the management subnet”. The building_1 switch’s IP address, which is, belongs to the management subnet.
Increment: 32 (because 224 = 1110 0000)
Network address:
Broadcast address:
-> The last available IP address on the management subnet is , and it hasn’t been used (notice that the IP address of the router's Fa0/1 interface is also the default gateway address).
Also notice that the management IP address of a switch should be configured in Vlan1 interface. After it is configured, we can connect to it via telnet or SSH to manage it.
Switch2#configure terminal
Switch2(config)#interface Vlan1
Switch2(config-if)#ip address
Switch2(config-if)#no shutdown
+ Determine and configure the default gateway of the new switch
The default gateway of this new switch is same as that of building_1 switch, which is
Switch2(config)#ip default-gateway
+ Determine and configure the correct VTP domain name for the new switch
The VTP domain name shown on building_1 switch is 9tut so we have to use it in the new switch (notice: the VTP domain name will be different in the exam and it is case sensitive so be careful)
Switch2(config)#vtp domain 9tut
+ Configure the new switch as a VTP client
Switch2(config)#vtp mode client
We should check the new configuration with “show running-config” and “show vtp status”; also try pinging the default gateway from the new switch to make sure it works.
Finally save the configuration
Switch2#copy running-config startup-config
Nat Sim

A network associate is configuring a router for the TUT company to provide internet access. The ISP has provided the company six public IP addresses of The company has 14 hosts that need to access the internet simultaneously. The hosts in the company LAN have been assigned private space addresses in the range of –
The following have already been configured on the router:
– The basic router configuration
– The appropriate interfaces have been configured for NAT inside and NAT outside
– The appropriate static routes have also been configured (since the company will be a stub network, no routing protocol will be required.)
– All passwords have been temporarily set to “cisco”
+ Use NAT to provide Internet access to all hosts in the company LAN.
+ Name the router TUT
+ Inside global addresses:
+ Inside local addresses: –
+ Number of inside hosts: 14

The company has 14 hosts that need to access the internet simultaneously but we have only 6 public IP addresses, from to . Therefore we have to use NAT overload (or PAT). Double click on the Weaver router to open it and enter configuration mode:
Router#configure terminal
First you should change the router’s name to TUT
Router(config)#hostname TUT
Create a NAT pool of global addresses to be allocated with their subnet mask.
TUT(config)#ip nat pool mypool netmask
Create a standard access control list that permits the addresses that are to be translated
TUT(config)#access-list 1 permit
Establish dynamic source translation, specifying the access list that was defined in the prior step
TUT(config)#ip nat inside source list 1 pool mypool overload
This command translates all source addresses that pass access list 1, which means a source address from to , into an address from the pool named mypool (the pool contains addresses from to ).
The overload keyword maps multiple inside addresses to a single registered IP address (many-to-one) by using different source ports.
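The reason overload is required here (14 hosts, 6 globals) is easiest to see by running the allocation. The Python below is an added example, not from the original page or from IOS: it models a standard ACL with wildcard matching and a dynamic NAT pool, once one-to-one and once with overload, and counts how many inside hosts get a translation. The pool 203.0.113.1–203.0.113.6, the inside range 192.168.100.17–192.168.100.30 and the port-allocation order are constructed assumptions (the page's real addresses are not shown); real IOS PAT behaviour is simplified to "keep the source port if free, otherwise take the next free port".

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def acl_permits(entries, src):
    """Standard ACL: first matching (network, wildcard, action) wins; implicit deny at the end.
    A wildcard bit of 0 means 'must match', so compare under the inverted wildcard."""
    for network, wildcard, action in entries:
        care = ~_ip(wildcard) & 0xFFFFFFFF
        if (_ip(src) & care) == (_ip(network) & care):
            return action == "permit"
    return False


class DynamicNat:
    """Models 'ip nat inside source list <acl> pool <pool> [overload]'."""

    def __init__(self, acl, pool, overload=False):
        self.acl, self.pool, self.overload = acl, list(pool), overload
        self.table = {}          # (inside local ip, port) -> (inside global ip, port)
        self.assigned = {}       # inside local ip -> inside global ip (one-to-one mode)
        self.used_ports = set()  # (inside global ip, port) handed out (overload mode)

    def translate(self, local_ip, local_port):
        key = (local_ip, local_port)
        if key in self.table:
            return self.table[key]
        if not acl_permits(self.acl, local_ip):
            return None                       # not matched by the ACL: left untranslated
        if self.overload:
            # PAT: the (global ip, port) pair identifies the session, so one global serves everyone.
            for gip in self.pool:
                for port in [local_port] + list(range(1024, 65536)):
                    if (gip, port) not in self.used_ports:
                        self.used_ports.add((gip, port))
                        self.table[key] = (gip, port)
                        return self.table[key]
            return None                       # every port on every global in use
        gip = self.assigned.get(local_ip)
        if gip is None:
            free = [a for a in self.pool if a not in self.assigned.values()]
            if not free:
                return None                   # pool exhausted: the packet is dropped
            gip = free[0]
            self.assigned[local_ip] = gip
        self.table[key] = (gip, local_port)
        return self.table[key]


# Constructed values standing in for the sim's (unshown) addresses.
ACL = [("192.168.100.16", "0.0.0.15", "permit")]            # access-list 1 permit 192.168.100.16 0.0.0.15
POOL = [f"203.0.113.{i}" for i in range(1, 7)]              # six inside global addresses
HOSTS = [f"192.168.100.{i}" for i in range(17, 31)]         # fourteen inside local hosts


def hosts_translated(overload):
    """How many of the 14 hosts get a translation when all open a session at once."""
    nat = DynamicNat(ACL, POOL, overload)
    return sum(1 for h in HOSTS if nat.translate(h, 50000) is not None)


if __name__ == "__main__":
    print("one-to-one pool:", hosts_translated(False), "of", len(HOSTS))
    print("overload (PAT): ", hosts_translated(True), "of", len(HOSTS))
```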
The question said that appropriate interfaces have been configured for NAT inside and NAT outside statements. This is how to configure the NAT inside and NAT outside, just for your understanding:
TUT(config)#interface fa0/0
TUT(config-if)#ip nat inside
TUT(config-if)#interface s0/0
TUT(config-if)#ip nat outside
Finally, we should save all your work with the following command:
TUT#copy running-config startup-config
Check your configuration by going to “Host for testing” and type:
The ping should work well and you will be replied from
You can download this sim and practice with Packet Tracer here: CCNA_NAT_sim_question.zip


9tut.net company has decided to network three locations to improve efficiency in inventory control. The routers have been named to reflect the location: Boston, Frankfurt, Lancaster.
The necessary networking has been completed at each location, and the routers have been configured with single area OSPF as the routing protocol. The Boston router was recently installed but connectivity is not complete because of incomplete routing tables. Identify and correct any problem you see in the configuration.
Note: The OSPF process must be configured to allow interfaces in specific subnets to participate in the routing process.
You can download this lab and open with Packet Tracer here: OSPF_Sim_with_Solution.zip. Please say thanks to Renan who shared the files with us!
Answer and Explanation:
The question mentioned Boston router was not configured correctly or incomplete so we should check this router first. Click on PC-B to access the command line interface (CLI) of Boston router.

Boston>enable (type cisco as its password here)
Boston#show running-config

First, note that the current OSPF process ID is 2, because we will need it for the later configuration. Next, notice that in the second “network” command the network and wildcard mask are and , which is equivalent to a subnet mask of . Therefore this subnetwork’s range is from to , but the IP address of the s0/0 interface of the Boston router does not belong to this range -> this is why OSPF did not treat the s0/0 interface of the Boston router as part of area 0. So we need to find the subnetwork that the s0/0 interface belongs to.
IP address of S0 interface:
Subnet mask: /30 = 1111 1111.1111 1111.1111 1111.1111 1100
Increment: 4
Network address (which IP address of s0 interface belongs to): (because 4 * 1 = 4 < 5)
Therefore we must use this network instead of network
Boston#configure terminal
Boston(config)#router ospf 2
Boston(config-router)#no network area 0
Boston(config-router)#network area 0
Boston(config-router)#end
Boston#copy running-config startup-config
Finally, you should issue a ping command from Boston router to Lancaster router to make sure it works well.
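Two of the sims above come down to the same subnet arithmetic: the VTP sim asks for the last available address of a /27 management subnet (increment 32), and this OSPF sim asks whether a network/wildcard statement actually covers the s0/0 address. The Python below is an added example that is not part of the original page: it computes the network, broadcast and usable range for an address/mask pair, tests an interface address against a network statement the way OSPF does (every bit where the wildcard is 0 must match), and reports which interfaces a router's statements leave out. The addresses (a 192.168.1.20/27 management switch, a 10.1.1.5/30 serial link and the wrong statement "network 10.1.1.0 0.0.0.3") are constructed to match the page's description, since the sim's real addresses are not shown.

```python
import ipaddress


def _ip(addr):
    return int(ipaddress.IPv4Address(addr))


def _str(n):
    return str(ipaddress.IPv4Address(n))


def subnet_info(ip, netmask):
    """Network, broadcast, usable host range and block size (the 'increment') for ip/netmask."""
    net = ipaddress.IPv4Network((ip, netmask), strict=False)
    first = int(net.network_address) + 1
    last = int(net.broadcast_address) - 1
    if net.prefixlen >= 31:            # /31 and /32 have no conventional host range
        first = last = None
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": _str(first) if first is not None else None,
        "last_host": _str(last) if last is not None else None,
        "block_size": net.num_addresses,
    }


def covered_by_network_statement(network, wildcard, ip):
    """'network A W' matches an interface when every bit where W is 0 agrees: (ip & ~W) == (A & ~W)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(ip) & care) == (_ip(network) & care)


def network_statement_for(ip, netmask):
    """The (network, wildcard) pair that covers exactly the interface's own subnet."""
    net = ipaddress.IPv4Network((ip, netmask), strict=False)
    return str(net.network_address), str(net.hostmask)


def uncovered_interfaces(statements, interfaces):
    """Interfaces that no network statement covers: they will not join the OSPF process."""
    return [name for name, ip in interfaces.items()
            if not any(covered_by_network_statement(n, w, ip) for n, w in statements)]


# Constructed values in the shape of the two sims above.
MGMT_SWITCH = ("192.168.1.20", "255.255.255.224")           # building_1's management address
BOSTON_STATEMENTS = [("192.168.0.0", "0.0.255.255"),        # first network command
                     ("10.1.1.0", "0.0.0.3")]               # second, wrong, network command
BOSTON_INTERFACES = {"fa0/0": "192.168.1.1", "s0/0": "10.1.1.5"}

if __name__ == "__main__":
    print("management subnet:", subnet_info(*MGMT_SWITCH))
    print("not in OSPF:", uncovered_interfaces(BOSTON_STATEMENTS, BOSTON_INTERFACES))
    print("fix: network %s %s area 0" % network_statement_for("10.1.1.5", "255.255.255.252"))
```

The check mirrors the page's reasoning: 10.1.1.0 0.0.0.3 covers 10.1.1.0–10.1.1.3 only, so 10.1.1.5 is silently ignored; the correct statement is the one whose network address is the interface's own subnet, 10.1.1.4 0.0.0.3.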

Other lab-sims might appear in the real ICND 2 exam, read and understand them if you have enough time.
EIGRP Troubleshooting Sim

EIGRP Troubleshooting Sim

We don’t have enough information about this sim to make a complete solution but here is some information from the candidates about this sim so far:
“NEW EIGRP non-config sim with 6 routers had 4 questions:
1. Why loopback interfaces’ networks from one router do not come to another one via eigrp? weren’t advertised by network command on the 1st router (sh run).
2. Why two routers cannot establish neighbor relationship? weren’t advertised by network command on the 1st router (sh run).
3. Which route will be used for packets to get to R1 from R5? R1 -> R2 (i didn’t have load balancing)
4. Why R1 cannot ping loopback interface IP address on R5? address was not advertised on R5 by network subcommand (sh run).
The EIGRP non-config sim with 6 routers had 4 questions:
1. Why loopback interfaces’ networks from one router do not come to another one via eigrp? In my case an answer was because they weren’t advertised by network command on the 1st router (sh run).
2. Why two routers cannot establish neighbour relationship? The answer was mismatched K-values (sh ip protocols).
3. Which route will be used for packets to get to R1 from R5? The answer was that the packets will go R1->R2->R5 AND R1->R3->R5 with equal-cost balancing (sh ip route and you’ll see two possible routes to R5 with equal eigrp metric).
4. Why R1 cannot ping loopback interface IP address on R5? The answer was that this address was not advertised on R5 by network subcommand (sh run).
EIGRP Sim 4 questions embedded.(6 routers and 2 switches). Know your show commands to troubleshoot EIGRP. K-Values, AS, Routing Table etc. Frame-Relay Sim was same concept as Dubai Sim but different locations. Again show commands and frame-relay show commands to troubleshoot
The new EIGRP SIM has a similar topology to the OSPF SIM with 6 routers, the one which is usually asked in ICND1.
1) R4 has loopback routes and these routes are not displayed in R6 — Summary was on
2) R1 cannot ping R5 x.x.x.x address — interface shutdown
3) Which path would R1 take to reach R5 — equal Successor routes
4) R4 and R5 cannot form neighbor relationship — R5 has passive interface enabled.”