Home > Articles > NetFlow for Cybersecurity

NetFlow for Cybersecurity

Chapter Description

In this sample chapter from CCNA Cyber Ops SECOPS 210-255 Official Cert Guide, readers learn how to configure basic NetFlow in a Cisco device. Content also covers the industry standard IPFIX as well as how NetFlow is used for cybersecurity and incident response.


The answers to these questions appear in Appendix A, “Answers to the ‘Do I Know This Already’ Quizzes and Q&A.” For more practice with exam format questions, use the exam engine on the website.

  1. Using NetFlow along with identity management systems, an administrator can detect which of the following? (Select all that apply.)

    1. Who initiated the data transfer

    2. The hosts (IP addresses) involved

    3. Who configured NetFlow

    4. Which RADIUS server has an active NetFlow connection

  2. Network forensics can be an intimidating topic for many security professionals. Everyone knows that forensic investigation may entail many other sources of information, including end hosts, servers, and any affected systems. Each forensics team needs to have awareness of many different areas, such as which of the following? (Select all that apply.)

    1. Assets, risks, impacts, and the likelihood of events

    2. Incident response policies and procedures in mock events as well as NetFlow to analyze what is happening in the network

    3. The current budget

    4. Evidence handling and chain of custody (even NetFlow events can be used as evidence)

  3. What are some telemetry sources that are good for attribution? (Select all that apply.)

    1. DHCP server logs

    2. VPN server logs

    3. 802.1x authentication logs

    4. IP route table

  4. What are some of the necessary steps in order to configure Flexible NetFlow in a Cisco IOS or Cisco IOS-XE device? (Select all that apply.)

    1. Configure a flow record.

    2. Configure a flow monitor.

    3. Configure a neighbor.

    4. Apply a crypto map to an interface.

  5. It is extremely important that your syslog and other messages are timestamped with the correct date and time. The use of which of the following protocols is strongly recommended?

    1. SNMP

    2. BGP

    3. TNP

    4. NTP

  6. Which of the following is not an example of a Flexible NetFlow component?

    1. Flow records

    2. Flow monitors

    3. Flow NTP

    4. Flow samplers

  7. Which of the following is not a component of the 5-tuple of a flow in NetFlow?

    1. Source IP address

    2. Destination IP address

    3. Gateway

    4. Source port

    5. Destination port

  8. Which of the following is not true about the NetFlow immediate cache?

    1. It is the default cache used in many NetFlow implementations.

    2. The flow accounts for a single packet.

    3. It is desirable for real-time traffic monitoring and DDoS detection.

    4. It is used when only very small flows are expected (NetFlow sampling).

  9. Flexible NetFlow can track a wide range of Layer 2, IPv4, and IPv6 flow information, except which of the following?

    1. Source and destination MAC addresses

    2. ToS

    3. DSCP

    4. Encryption security association serial numbers

  10. Which of the following statements is true about Flexible NetFlow?

    1. It is supported in IPv6 and IPv4, but only when IPv6 tunnels are used.

    2. It supports IPv4, but not IPv6.

    3. It supports encryption of NetFlow data to a collector.

    4. It uses the concept of templates.

There are currently no related articles. Please check back later.