Exam weight: 10% | Labs: 6 | ← Back to CCNP ENCOR
4.1 Network Diagnostic Tools
| Tool | Protocol | Purpose | Extended Options |
|---|---|---|---|
| ping | ICMP Echo | End-to-end reachability | Source interface, size, repeat, DF bit |
| traceroute | UDP (IOS) / ICMP | Discover forwarding path | Timeout, probe count, TTL, source |
Return codes: ! (success), . (timeout), U (unreachable), M (MTU exceeded / DF bit set), ? (unknown).
Conditional Debug
Always redirect debug output to buffer, not console. Safe workflow: set condition → enable debug → collect with show log → undebug all.
debug condition interface GigabitEthernet0/1
debug condition ip 10.1.1.10
debug ip packet detail
show debug condition
undebug all4.2 SNMP and Syslog
SNMP Versions
| Version | Auth | Encryption | Note |
|---|---|---|---|
| SNMPv1 | Community string (cleartext) | None | Deprecated; 32-bit counters |
| SNMPv2c | Community string (cleartext) | None | 64-bit counters, GetBulk; common but insecure |
| SNMPv3 | User-based (HMAC-MD5/SHA) | DES/3DES/AES | noAuthNoPriv / authNoPriv / authPriv |
Operations: GET, GETNEXT, GETBULK, SET, TRAP (fire-and-forget), INFORM (acknowledged, v2c+).
Syslog Severity Levels
| Level | Keyword | Description |
|---|---|---|
| 0 | emergencies | System unusable |
| 1 | alerts | Immediate action needed |
| 2 | critical | Critical conditions |
| 3 | errors | Error conditions |
| 4 | warnings | Warning conditions |
| 5 | notifications | Normal but significant |
| 6 | informational | Informational messages |
| 7 | debugging | Debug output |
4.3 NetFlow and Flexible NetFlow
| Feature | Traditional NetFlow | Flexible NetFlow | IPFIX (v10) |
|---|---|---|---|
| Fields | Fixed 7-tuple | User-configurable | Standards-based |
| Standard | Cisco proprietary | Cisco | IETF RFC 7011 |
| Port | UDP 2055/9995 | UDP 2055/9995 | UDP 4739 |
Flexible NetFlow build order: Flow Record → Flow Exporter → Flow Monitor (applied to interface).
4.4 SPAN / RSPAN / ERSPAN
| Type | Destination | Transport | Use Case |
|---|---|---|---|
| SPAN | Same switch | Direct copy | Local analyzer |
| RSPAN | Different switch (same L2) | Dedicated VLAN | Central analyzer |
| ERSPAN | Anywhere via IP | GRE encapsulation | Remote site/data center |
- RSPAN VLAN must be declared with
remote-spanunder VLAN config - Destination port disables STP and MAC learning
4.5 IP SLA
| Operation | Measures | Use |
|---|---|---|
| icmp-echo | RTT, loss, reachability | WAN reachability |
| udp-jitter | Jitter, one-way delay, MOS | VoIP/video quality |
| tcp-connect | TCP handshake time | Server reachability |
| http | DNS + TCP + HTTP time | Web app monitoring |
Only udp-jitter measures jitter and requires an IP SLA Responder on the far end.
4.6 Cisco Catalyst Center Assurance
Four Pillars: Design → Policy → Provision → Assurance
- Health Scores (0–10): Device, Client, Application, Network
- Path Trace: End-to-end flow visualization with per-hop stats
- Machine Reasoning Engine (MRE): Guided troubleshooting workflows
- AI Network Analytics: Cloud-based ML vs. global baselines
Data sources: SNMP, syslog, NetFlow, Streaming Telemetry/gRPC, wireless data, sensor results.
4.7 NETCONF, RESTCONF, and Model-Driven Telemetry
| Protocol | Transport | Encoding | Port |
|---|---|---|---|
| NETCONF | SSH | XML | 830 |
| RESTCONF | HTTPS | JSON or XML | 443 |
| gNMI | gRPC/HTTP/2 | Protobuf | 57400 |
YANG (RFC 7950) is the data modeling language. Three flavors: Native (Cisco-specific), OpenConfig (vendor-neutral), IETF (standards track).
Model-Driven Telemetry (MDT)
- Cadence-based (periodic): Every N milliseconds
- On-change: Only when monitored leaf value changes
- Dial-out: Device → Collector
- Dial-in: Collector → Device (gNMI Subscribe)
Hands-On Labs
Lab 1: Conditional Debug and Ping/Traceroute Troubleshooting
Configure debug output to buffer; scope debug to interface; use extended ping with source-spoofing and DF-bit; traceroute with probe control.
Lab 2: SNMPv3 (authPriv) and Remote Syslog
Configure SNMPv3 with AES-256 encryption; configure remote syslog over TCP/6514 sourced from Loopback0.
Lab 3: Flexible NetFlow to Collector
Define flow record with 7-tuple match fields; create exporter to collector on UDP 2055; apply flow monitor to interface in/out.
Lab 4: Local SPAN, RSPAN, and ERSPAN
Configure all three mirroring types. For RSPAN: declare VLAN with remote-span. For ERSPAN: bind to origin/destination IP.
Lab 5: IP SLA with Object Tracking and EEM
Create ICMP-echo and udp-jitter probes; bind to track object; trigger EEM applet to insert floating static route on probe failure.
Lab 6: NETCONF/RESTCONF and Model-Driven Telemetry
Enable netconf-yang and restconf; query interfaces via curl/JSON; configure periodic MDT subscription with KVGPB encoding to gRPC collector.
