350-401 Network Assurance
Network Assurance
Detailed list of 350-401 knowledge points
Network Assurance Detailed Explanation
1. Monitoring Protocols and Tools
These tools help you watch the network continuously — collecting data, detecting problems early, and documenting network behavior.
1.1 SNMP (Simple Network Management Protocol)
SNMP is the most widely used protocol for monitoring network devices like routers, switches, firewalls, and servers.
Components of SNMP:
| Component | Role |
|---|---|
| Manager | The Network Management System (NMS) that requests or receives data |
| Agent | Runs on the network device (router/switch) and responds to the manager |
| MIB | The Management Information Base is a structured database of monitored parameters (e.g., interface status, CPU load) |
SNMP Versions:
| Version | Features |
|---|---|
| v1 | Basic, no encryption, obsolete |
| v2c | Adds bulk data transfers, but still no encryption |
| v3 | Adds authentication (MD5/SHA) and encryption (DES/AES) — most secure and preferred |
SNMP Message Types:
| Type | Purpose |
|---|---|
| GET | Manager requests info from an agent |
| SET | Manager changes config on agent |
| TRAP | Agent sends alert to the manager |
| INFORM | Like a TRAP but waits for acknowledgment |
Use Case:
A switch goes down → it sends a TRAP to the NMS.
The NMS polls devices every 5 minutes using GET to check CPU/memory/interface status.
SNMP Security Tip:
Always use SNMPv3 where possible. Limit community string exposure (public/private in v2c) and apply ACLs.
1.2 Syslog
Syslog is a logging protocol that collects messages from devices (e.g., startup events, interface status changes, configuration changes).
Syslog Severity Levels:
| Level | Description |
|---|---|
| 0 | Emergency |
| 1 | Alert |
| 2 | Critical |
| 3 | Error |
| 4 | Warning |
| 5 | Notice |
| 6 | Informational |
| 7 | Debug |
Lower number = more urgent.
Use Case:
You can configure your router to send warning-level logs and above to a Syslog server for centralized analysis.
logging host 192.168.1.50
logging trap warnings
Benefits:
Centralized log collection
Historical event tracking
Useful for compliance and auditing
1.3 NetFlow
NetFlow is a Cisco protocol used to analyze traffic flows through your network — helping you answer questions like:
Who is using the most bandwidth?
What applications are being used?
Is there suspicious traffic behavior?
Key Metrics Collected:
Source and destination IPs
Ports (TCP/UDP)
Protocol type
Interface
Number of packets and bytes
Variants:
| Type | Description |
|---|---|
| Original NetFlow | Basic flow collection |
| Flexible NetFlow | Customizable templates |
| IPFIX | Standards-based (IETF) version of NetFlow |
Use Case:
Identify top 10 bandwidth consumers by exporting NetFlow to a tool like SolarWinds NTA, ntop, or Cisco Stealthwatch.
1.4 SPAN (Switched Port Analyzer)
SPAN is used to mirror live traffic from a switch port or VLAN to a monitoring port for analysis (e.g., Wireshark).
SPAN Types:
| Type | Description |
|---|---|
| Local SPAN | Mirror traffic within the same switch |
| RSPAN | Mirror traffic across switches using a special VLAN |
| ERSPAN | Encapsulated in GRE tunnels for transport over an IP network — very flexible |
Use Case:
You want to analyze suspicious traffic. You configure SPAN to mirror all traffic from a VLAN to a port where Wireshark is connected.
monitor session 1 source interface g0/1
monitor session 1 destination interface g0/2
Summary of Monitoring Tools
| Tool | Purpose | Key Strength |
|---|---|---|
| SNMP | Device health/status | Polling + alerting |
| Syslog | Event logging | Severity-based alerts |
| NetFlow | Traffic flow analysis | App and user visibility |
| SPAN | Live packet capture | Protocol-level analysis |
2. Cisco DNA Center & Assurance
Cisco DNA Center is a centralized controller and analytics platform that offers automation, policy control, and assurance for enterprise networks. It supports both Day 0 (design) through Day N (monitoring and optimization) tasks.
2.1 Cisco DNA Center Overview
What is DNA Center?
DNA Center (short for Digital Network Architecture Center) is Cisco’s flagship platform for:
Device provisioning (automated onboarding)
Network-wide configuration (template-based)
Policy-based control (segmentation, security)
Real-time telemetry and analytics
Functional Areas:
| Area | Purpose |
|---|---|
| Design | Create sites, IP pools, device roles |
| Policy | Apply access control and segmentation (e.g., SGTs) |
| Provision | Push configurations and onboard new devices |
| Assurance | Monitor performance, generate insights |
Integrations:
Cisco ISE for identity policies
Meraki Dashboard
NetFlow and Syslog feeds
REST APIs for external automation tools
2.2 Assurance Services
DNA Assurance provides continuous monitoring and scoring of network performance, user experience, and application responsiveness.
Health Scores
Health scores help you quantify network quality in real time and historically:
| Score Type | Evaluates |
|---|---|
| Device Health | CPU, memory, interface errors, config compliance |
| Client Health | RSSI, authentication success, DHCP/DNS failures |
| Application Health | Delay, packet loss, response time of apps (e.g., HTTP, VoIP) |
Key Assurance Features:
Client 360 view: all data about a specific user/device (e.g., signal strength, last login, failure reasons)
Time-travel analytics: investigate issues that happened in the past
Path trace: visualize packet flow across the network for a specific session
Troubleshooting Example:
A user complains their Zoom call drops frequently.
DNA Center shows:
Poor SNR (signal-to-noise ratio)
High retransmissions on the AP
Congested channel usage → recommends channel reallocation
2.3 AI/ML Integration
DNA Center leverages Artificial Intelligence (AI) and Machine Learning (ML) to detect, analyze, and resolve anomalies in real time.
AI-Driven Features:
| Feature | Description |
|---|---|
| Anomaly Detection | Finds unusual patterns (e.g., sudden traffic drops, misbehaving clients) |
| Root-Cause Analysis | Identifies the real issue and affected devices |
| Suggested Remediation | Offers automatic or guided fixes |
| Proactive Alerts | Warns about degrading conditions (e.g., cable quality, wireless channel saturation) |
Example: AI Insight Flow
High DHCP failure rate for clients on VLAN 20
DNA Center traces this to:
A misconfigured
ip helper-addressOr failed DHCP server
It highlights the change log and recommends reconfiguration
Summary Table
| Feature | Function | Benefit |
|---|---|---|
| DNA Center | Network controller and manager | Centralized control |
| Assurance | Health scoring and insights | Proactive operations |
| AI/ML | Smart analytics | Faster problem resolution |
| Time Travel | Historical diagnostics | Root-cause correlation |
3. Troubleshooting Tools
Network engineers use a variety of tools to diagnose, isolate, and resolve problems. Cisco IOS provides both active tools (like ping and traceroute) and passive tools (like show and logging commands).
3.1 Ping and Traceroute
Ping
Tests basic IP connectivity between two devices.
Uses ICMP Echo Request and waits for Echo Reply.
ping 192.168.1.1
Output Interpretation:
| Output | Meaning |
|---|---|
!!!!! |
Successful replies |
..... |
No response (timeout) |
U.U.U. |
Destination unreachable |
Traceroute
Identifies each hop between source and destination.
Uses TTL values in IP headers to reveal intermediate routers.
traceroute 8.8.8.8
Use Case:
- Ping succeeds but app is slow? → Use
tracerouteto find delays or dropped hops.
3.2 Debug Commands
Debug commands show live, detailed internal processing — ideal for in-depth problem analysis, but they can consume CPU, so use them with caution.
Common Debug Commands:
| Command | Purpose |
|---|---|
debug ip routing |
View dynamic routing updates |
debug dhcp detail |
Watch DHCP request/response process |
debug arp |
Monitor ARP traffic |
debug aaa authentication |
Troubleshoot login/auth issues |
Warnings:
Use in a test environment or during a maintenance window.
Always disable after use:
undebug all
3.3 Show Commands
Show commands are non-intrusive and safe for production environments. They're your first line of investigation.
Common Show Commands:
| Command | Description |
|---|---|
show ip route |
Displays routing table |
show interfaces |
Traffic stats, errors, and status |
show vlan |
VLAN membership and configuration |
show spanning-tree |
STP roles and port states |
show mac address-table |
MAC-to-port mapping |
show ip arp |
View ARP cache |
show ip dhcp binding |
See DHCP-assigned addresses |
3.4 Log Buffer (show logging)
Cisco devices maintain an internal buffer of recent log messages (Syslog). These are essential for tracking recent changes or faults.
Viewing Logs:
show logging
Supports filtering by:
Severity
Timestamp
Module/subsystem
Best Practices:
- Set an appropriate logging level:
logging buffered 4096 debugging
- Export logs to a Syslog server for long-term storage.
Troubleshooting Summary Table
| Tool | Type | Purpose |
|---|---|---|
ping |
Active | IP connectivity check |
traceroute |
Active | Identify network path |
debug |
Active | Real-time detailed output |
show |
Passive | View current state of configs/stats |
show logging |
Passive | Check recent events/messages |
4. Performance Metrics
Performance metrics allow you to quantify how well your network is performing. These indicators are critical for maintaining SLAs (Service Level Agreements), ensuring client satisfaction, and detecting problems early.
4.1 SLA (Service Level Agreement) Monitoring
Cisco routers support IP SLA, which creates probes that simulate real-world traffic to measure performance.
What is IP SLA?
IP SLA generates synthetic traffic to:
Simulate ping, HTTP, VoIP calls, DNS queries, etc.
Measure latency, jitter, packet loss, and response time
Use Cases:
| Scenario | Example |
|---|---|
| Voice network | Measure jitter between sites |
| Web app | Test HTTP availability from branch to data center |
| DNS | Validate external DNS resolution time |
Example: Configure IP SLA Echo Probe
ip sla 1
icmp-echo 8.8.8.8
frequency 60
!
ip sla schedule 1 life forever start-time now
4.2 Device Health Monitoring
Device health refers to the operational status and resource usage of network hardware.
Common Health Indicators:
| Metric | Description |
|---|---|
| CPU Utilization | % of CPU used — high levels may mean routing loops, DoS attacks, or bad processes |
| Memory Usage | Low available memory can cause crashes or slow response |
| Interface Errors | CRC errors, late collisions, input/output drops |
| Temperature and Fan Status | Physical environment checks |
| PoE Failures | For powered devices like phones, cameras, or APs |
Key Commands:
show processes cpu sorted
show memory statistics
show interfaces status
show environment all
4.3 Client Connectivity Metrics
These focus on wireless client health — particularly useful when troubleshooting Wi-Fi performance issues.
Wireless Metrics:
| Metric | Description |
|---|---|
| RSSI (Received Signal Strength Indicator) | Strength of signal received by client — ideal: > -67 dBm |
| SNR (Signal-to-Noise Ratio) | Difference between signal and background noise — ideal: > 25 dB |
| Authentication Failures | Often caused by incorrect credentials or RADIUS issues |
| DHCP Failures | Could be due to misconfigurations or DHCP exhaustion |
| Roaming Failures | Result from misconfigured SSIDs, overlapping channels, or excessive AP spacing |
Client Troubleshooting Flow:
Check RSSI/SNR
Check authentication success
Check IP address assignment
Look for application success/failures
Summary Table
| Metric Area | Focus | Tools |
|---|---|---|
| SLA Monitoring | Latency, jitter, packet loss | ip sla, DNA Center |
| Device Health | CPU, memory, interface status | show processes, show interfaces |
| Client Metrics | RSSI, SNR, DHCP/Auth stats | DNA Center, wireless controller logs |
5. Network Telemetry and Automation Feedback
As networks become more complex and dynamic, real-time telemetry and feedback from automation tools are essential to understand what's happening instantly and accurately. Traditional methods like SNMP polling are no longer enough.
5.1 Streaming Telemetry
What is Streaming Telemetry?
Streaming telemetry is a push-based monitoring model where the device sends data continuously to a collector — unlike traditional polling methods that pull data periodically.
Traditional SNMP Polling vs. Streaming Telemetry:
| Feature | SNMP Polling | Streaming Telemetry |
|---|---|---|
| Model | Pull | Push |
| Frequency | Every X minutes | Real-time or near real-time |
| Overhead | Higher (CPU intensive) | Lower |
| Format | Flat, limited | Rich, structured (JSON, XML) |
| Protocols | SNMP | gRPC, NETCONF, RESTCONF |
Benefits:
Near real-time insights
Lightweight on devices
Highly scalable
Better data granularity
Protocols Used:
| Protocol | Description |
|---|---|
| gRPC | Google-developed, high-performance telemetry transport |
| NETCONF | XML-based protocol for configuration and data retrieval |
| RESTCONF | RESTful API using HTTP for NETCONF-style data |
Use Case:
- Instead of polling CPU stats every 5 minutes, the router streams updates every second to a collector like InfluxDB, Prometheus, or Cisco DNA Center.
5.2 Model-Driven Telemetry
Model-driven telemetry uses structured data models (typically YANG) to define:
What data is collected
How it is structured
How it can be consumed by analytics tools
YANG (Yet Another Next Generation)
A data modeling language used with NETCONF/RESTCONF.
Ensures consistent structure and predictable output across platforms.
Advantages of Model-Driven Approach:
| Benefit | Description |
|---|---|
| Standardized | Devices use the same data model (YANG) |
| Machine-readable | Easily parsed by visualization/analysis tools |
| Rich data sets | Includes operational state, configuration, counters |
| Better integration | Works seamlessly with automation and cloud tools |
Integration Targets:
| Tool | Use |
|---|---|
| InfluxDB | Time-series database for storing telemetry |
| Grafana | Visualization and dashboarding |
| Cisco DNA Center | Ingests streaming telemetry for Assurance analytics |
| Elastic Stack (ELK) | Advanced searching and alerting |
Summary Table
| Feature | Purpose | Protocols/Tools |
|---|---|---|
| Streaming Telemetry | Real-time monitoring | gRPC, NETCONF, RESTCONF |
| Model-Driven Telemetry | Structured data via models | YANG, InfluxDB, Grafana |
| Benefits | Low overhead, high precision | AI/ML-friendly integration |
Network Assurance (Additional Content)
1. SNMP Trap vs. Inform Behavior
Simple Network Management Protocol (SNMP) provides mechanisms to report events to a Network Management System (NMS), primarily through Trap and Inform messages.
| Feature | SNMP Trap | SNMP Inform |
|---|---|---|
| Supported Versions | v1, v2c, v3 | v2c, v3 |
| Acknowledged by NMS? | No | Yes |
| Reliability | Unreliable (best-effort) | Reliable (requires acknowledgment) |
| Use Case | Low-overhead alerting | Critical alerting in reliable networks |
| Response Required? | No | Yes (NMS must reply) |
Exam Tip: SNMPv3 supports both trap and inform, making it suitable for environments where reliable notifications are needed.
2. SPAN Configuration Recommendations and Limitations
SPAN (Switched Port Analyzer) is used to mirror traffic to a monitoring port, but hardware limitations must be considered:
Key Limitations:
Cannot capture ingress and egress on VLAN simultaneously on many platforms.
A source port/interface can only participate in one SPAN session at a time.
When using RSPAN, both source and destination VLANs must be configured correctly across all switches involved.
Best Practice:
Use local SPAN for simple setups, and ERSPAN for multi-device analysis (encapsulates mirrored traffic in GRE).
3. DNA Assurance Integration with Cisco ISE
Cisco DNA Center integrates with Cisco ISE (Identity Services Engine) to enhance policy enforcement based on identity and security posture.
Key Integration Points:
DNA Center consumes Security Group Tags (SGTs) from ISE.
DNA Assurance uses SGT data for:
Policy-based segmentation
Quarantine actions
Dynamic rate limiting or VLAN assignment
Use Case:
An infected device is detected via telemetry; DNA Center applies a policy to isolate the endpoint based on SGT via programmable enforcement.
4. Logging Best Practices for Troubleshooting
Network assurance depends heavily on accurate and meaningful logs. Two features are vital here:
a. Logging Discriminator:
Filters messages based on criteria like severity, facility, or message text.
Useful in high-traffic environments to reduce log noise.
logging discriminator CRIT level 0-3
logging buffered discriminator CRIT 4096
b. Time Synchronization (NTP):
Logs must be timestamped consistently across devices.
Use NTP (Network Time Protocol) to synchronize all device clocks.
ntp server 10.1.1.1
5. IP SLA with Static Route Tracking
A highly testable feature in ENCOR involves using IP SLA + Object Tracking + Static Route for automatic failover.
Configuration Workflow:
ip sla 1
icmp-echo 8.8.8.8
frequency 10
ip sla schedule 1 life forever start-time now
track 1 ip sla 1 reachability
ip route 0.0.0.0 0.0.0.0 192.168.1.1 track 1
If the IP SLA target becomes unreachable, the tracked route is removed.
Common for Internet failover or backup link automation.
6. Path Trace in DNA Assurance
Path Trace is a powerful feature in Cisco DNA Center Assurance that helps visualize end-to-end traffic flows across the network.
How It Works:
Uses application telemetry, device flow mapping, and identity data.
Visualizes:
Source and destination nodes
Intermediate devices (switches, routers)
Applied QoS, ACLs, SGTs
VLAN or VXLAN segmentation info
Use Case:
Troubleshoot why a user's video call is failing — Path Trace shows that an intermediate switch has an ACL blocking the traffic.
Frequently Asked Questions
What is the purpose of IP SLA in network monitoring?
IP SLA measures network performance metrics such as latency, jitter, and packet loss.
IP Service Level Agreements (IP SLA) allow network devices to generate synthetic traffic to test connectivity and performance between devices. These probes measure response time, availability, and quality metrics across the network. Administrators often use IP SLA with tracking features to trigger failover actions when performance thresholds are exceeded. For example, if latency on a primary path increases beyond a defined limit, the router can automatically switch to a backup route. This proactive monitoring helps maintain service availability and detect degradation before users are affected.
Demand Score: 59
Exam Relevance Score: 83
What is the main difference between SPAN and RSPAN?
SPAN mirrors traffic within the same switch, while RSPAN allows mirrored traffic to be sent across multiple switches.
Switch Port Analyzer (SPAN) copies traffic from one or more source ports to a monitoring port on the same switch. Remote SPAN (RSPAN) extends this capability across the network by sending mirrored traffic through a special VLAN to another switch where the monitoring device resides. RSPAN is useful when the analyzer cannot be directly connected to the source switch. Engineers must ensure the RSPAN VLAN is properly configured across trunk links; otherwise mirrored traffic will not reach the destination analyzer.
Demand Score: 58
Exam Relevance Score: 80
What is the primary purpose of Flexible NetFlow in enterprise networks?
Flexible NetFlow collects and analyzes network traffic flow information for monitoring and troubleshooting.
Flexible NetFlow allows administrators to define custom flow records that capture specific packet attributes such as source IP, destination IP, ports, and protocol information. This data is exported to collectors where it can be analyzed for traffic patterns, performance monitoring, or security analysis. Compared to traditional NetFlow, Flexible NetFlow provides greater flexibility in defining which fields are monitored and exported. Engineers commonly use it to detect abnormal traffic patterns or identify bandwidth-intensive applications in enterprise environments.
Demand Score: 60
Exam Relevance Score: 82
