A WAN link normally runs at 40% utilization during business hours. An alert threshold is set at 85%. What is the primary reason for choosing 85% rather than, say, 95% or 50%?
A. 85% is universally recognized as the safe maximum for any WAN link, regardless of network type
B. 85% deviates significantly from this network's established baseline, indicating a likely anomaly relative to expected behavior
C. SNMP agents can only report utilization in 5% increments, making 85% the nearest measurable value
D. Router hardware begins degrading at 85% utilization due to buffer exhaustion
Thresholds are meaningful only relative to baselines. An 85% alert is appropriate here because it represents a large deviation from the 40% norm — not because 85% is universally dangerous. A different link that normally runs at 80% would need a different threshold. Context-sensitive thresholds based on baselines are the core principle of effective monitoring.
Question 2 Multiple Choice
In the SNMP agent-manager architecture, what is the Management Information Base (MIB)?
A. A centralized database on the management station that aggregates metrics collected from all devices
B. A structured, hierarchical database of variables on each network device that agents expose for polling or trap-based notification
C. A log file on the management station recording the history of all GET requests sent to agents
D. A protocol for pushing configuration templates from the management station to multiple devices simultaneously
The MIB lives on each device — not the management station. It is a tree-structured namespace of objects describing everything the device can report: interface counters, CPU load, error rates, routing table size. The management station polls these variables via SNMP GET requests or receives unsolicited traps. Thinking of it as a standardized 'dashboard' on each device clarifies the architecture.
Question 3 True / False
SNMP traps are sent proactively by device agents to the management station when noteworthy events occur, without waiting for a polling request.
T. True
F. False
Answer: True
Unlike normal SNMP polling (manager queries agent via GET), traps are agent-initiated: the agent detects an event — an interface going down, a CPU threshold exceeded — and sends an unsolicited notification to the management station. This allows rapid alerting without waiting for the next polling cycle.
Question 4 True / False
An alert that fires immediately on any threshold violation is preferable to one with dampening, because faster detection typically leads to faster problem resolution.
T. True
F. False
Answer: False
Dampening — requiring a condition to persist for some interval before firing — is essential to prevent alert fatigue. Brief threshold violations are common and usually harmless (a burst of traffic, a momentary CPU spike). Firing on every transient event buries operators in noise, causing them to ignore alerts — including real problems. Dampening distinguishes sustained anomalies (actionable) from transient spikes (harmless).
Question 5 Short Answer
Why is establishing a baseline of normal network behavior essential for effective monitoring, rather than simply configuring absolute threshold values that apply to all links and devices?
Model answer: What counts as 'high' utilization or 'slow' response time is entirely context-dependent. A WAN link at 70% utilization might be normal for one link and alarming for another that never exceeds 20%. Absolute thresholds applied uniformly generate false positives on high-traffic links and miss problems on low-traffic ones. Baselines capture what is normal for each specific device or link, so deviations from that norm trigger alerts — not deviations from some arbitrary universal value. Additionally, performance trending using historical baselines enables capacity planning (detecting gradual degradation) that reactive absolute thresholds cannot provide.
Effective monitoring is about detecting anomalies relative to expected behavior, not about applying universal cutoffs. Baselines are what transform raw metrics into meaningful signals.