Cisco Designing and Implementing Enterprise Network Assurance 300-445 ENNA Exam Questions

Answer : B, D

The architecture for Designing and Implementing Enterprise Network Assurance (300-445 ENNA) specifies that ThousandEyes WAN Insights relies on deep integration with the Cisco SD-WAN management stack. To generate its predictive path recommendations, the platform must ingest specific telemetry data that reflects both the network's behavior and the applications traversing it.

The first essential data source is historical network performance metrics collected by vAnalytics (Option B). Before WAN Insights can be activated, vAnalytics must be enabled to collect and enrich raw network telemetry from the edge routers.34 This data includes granular metrics for every SD-WAN tunnel, such as packet loss, latency, and jitter.35 WAN Insights analyzes these historical trends to forecast future path quality and determine which transport circuits are most likely to meet application SLAs over a long-term period.

The second essential data source is application traffic flow data (Option D). WAN Insights must understand which applications are currently active in the fabric to prioritize recommendations for 'business-critical' services like Office 365, Webex, or custom internal apps.38 This information is ingested as flow records from the SD-WAN data plane and categorized based on the Application Lists defined in Cisco Catalyst SD-WAN Manager (vManage).

Options A and E are configuration or logging data that, while useful for general management, are not the raw telemetry inputs used by the WAN Insights predictive engine. Option C is incorrect because WAN Insights explicitly uses infrastructure telemetry rather than ThousandEyes agent-based synthetic data for its SD-WAN fabric calculations. By combining vAnalytics performance metrics and application flow data, WAN Insights can provide the 'Predictive Path Recommendatio41ns' that are a hallmark of modern network assurance.

Answer : A

In the Designing and Implementing Enterprise Network Assurance (300-445 ENNA) architecture, a critical challenge in active synthetic monitoring is ensuring that test probes accurately reflect user traffic without being dropped by intermediate security appliances. Standard network tests often utilize separate connections for measuring performance metrics (latency/loss) and for path discovery (hop-by-hop visualization). This behavior can be flagged by stateful firewalls or Intrusion Prevention Systems (IPS) as suspicious or malicious scanning activity.

To mitigate this, the engineer should enable Path Trace Mode: In Session (Option A). When this mode is active, ThousandEyes performs path discovery using the exact same TCP session established for the performance measurement. By embedding path discovery probes within an active, established session, the traffic appears to firewalls as part of a legitimate, ongoing communication stream rather than an independent series of probes with varying TTL values that might trigger 'anti-spoofing' or 'scanning' alerts.

Reviewing the alternative options:

Protocol: TCP (Option B): While using TCP is generally more firewall-friendly than ICMP, the exhibit shows TCP is already selected. The issue is not the protocol itself, but how the path discovery probes are handled relative to the session.

Port: 5000 (Option C): Changing the port to a non-standard value like 5000 often makes traffic more likely to be scrutinized or blocked by default firewall policies compared to standard web ports like 80.

Probing Mode: Force SYN (Option D): Forcing SYN packets is a technique used to bypass certain types of load balancers but does not address the fundamental issue of path discovery probes being seen as a separate, malicious scan by stateful inspection engines.

Therefore, enabling In Session path trace mode is the most effective way to ensure consistent visibility through security-hardened environments.

Answer : A

In the Designing and Implementing Enterprise Network Assurance (300-445 ENNA) curriculum, the objective of modern network assurance is to bridge the gap between 'visibility' and 'action'. When an organization requires an automated workflow to handle network performance anomalies, the most efficient architecture is the native ServiceNow Integration (Option A). This integration is categorized as a 'Custom-Built' or native integration within the ThousandEyes platform, designed specifically to facilitate the delivery of direct notifications into a ServiceNow account.

According to the ENNA implementation standards, the ThousandEyes ServiceNow integration utilizes the ServiceNow Incident Management module. When a predefined alert rule (such as a 5% packet loss threshold on a critical SaaS path) is violated, ThousandEyes triggers an event and immediately pushes the alert data to ServiceNow via an OAuth-authenticated connection. Within ServiceNow, this data is used to automatically generate an Incident, complete with relevant metadata such as the test name, agent location, and the specific metrics that triggered the violation. This automation eliminates the manual overhead of 'copy-pasting' alert details from a monitoring dashboard into a ticketing system, thereby significantly reducing the Mean Time to Identification (MTTI).

While Custom Webhooks (Option C) can achieve a similar result by sending JSON payloads to a REST API, they require additional development effort to parse the data on the receiver side. The native ServiceNow integration provides a pre-configured template that maps ThousandEyes alert fields directly to ServiceNow incident fields, offering a 'one-click' setup experience that is preferred for enterprise-grade deployments. Options B and D are irrelevant for the specific goal of ITSM incident generation. Therefore, for direct ITSM notification and incident creation, the native ServiceNow Integration is the verified recommendation.

Answer : D

According to the Designing and Implementing Enterprise Network Assurance (300-445 ENNA) guidelines, troubleshooting widespread performance issues for a public or data center-hosted app17lication requires an 'outside-in' perspective. When reports are widespread,18 the goal is to determine if the issue is global, regional, or specific to certain ISP paths leading to the data center.

The Cloud Agent (Option D) is the most effective tool for this task because these agents are maintained by Cisco ThousandEyes in over 240+ locations worldwide within Tier 1, 2, and 3 ISPs and cloud provider regions.19 Because they are pre-deployed and immediately available, a network engineer can instantly run tests from multiple global locations toward the data center-hosted application without having to install any software or manage any infrastructure. This allows the engineer to quickly compare performance metrics (latency, loss, and page load times) across different geographies. If Cloud Agents in London report no issues while those in New York report high packet loss, the engineer can immediately pinpoint the root cause as a regional ISP or peering issue rather than a failure within the data center itself.

Enterprise Agent (Option B): While these could be used if they were already installed in various branch offices, they require ownership of the infrastructure and deployment time. They are better suited for 'inside-out' monitoring.

Endpoint Agent (Option C): These are useful for troubleshooting individual user experience but are not the 'quickest' way to baseline global performance against a data center application during a widespread event.

Synthetic Agent (Option A): As noted previously, this is a generic term describing the underlying technology used by all ThousandEyes agent types.

Therefore, Cloud Agents provide the necessary breadth and immediate availability to perform rapid root cause analysis for widespread application performance issues.

Answer : B

In the context of Designing and Implementing Enterprise Network Assurance (300-445 ENNA), capacity planning requires accurate baselining of interface bandwidth against its theoretical and provisioned limits. Analyzing Exhibit 4.5 Question 4 (image_79d4fc.jpg) reveals a significant discrepancy between the physical reality of the link and its configuration within the monitoring tool.

The exhibit displays a capacity planning dashboard with a calendar heatmap and traffic graphs. The heatmap for February through May shows a high frequency of 'Severe' (red) utilization blocks. Looking at the Egress graph for Tue May 07 2024, the traffic spikes clearly exceed 40.0 Mbps. Crucially, the dashboard indicates an 'Egress Capacity' of 49.5 Mbps and reports that the 'Highest consumption' was 48.0 Mbps, representing 97% of the available bandwidth.

However, the question states that the ISP provides a 1 Gbps (1000 Mbps) connection. Since the actual traffic being sent is less than 50 Mbps, the link is nowhere near physical saturation. The 'Severe' alerts and high utilization percentages are occurring only because the monitoring software (likely ThousandEyes or a similar NMS) is configured with a Maximum Capacity of only 49.5 Mbps for this interface. This misconfiguration causes the tool to calculate utilization based on a much smaller 'pipe' than what actually exists, leading to false-positive alerts.

Therefore, the most likely action to fix this observed behavior is to reconfigure maximum capacity for the interface (Option B) to match the 1 Gbps specification.

Option A is unnecessary because the current link is only being utilized at ~5% of its 1 Gbps potential.

Option C is a restrictive policy change that is not justified given the actual available headroom.

Option D might shift how data is displayed but will not fix the underlying mathematical error in utilization calculations.

Answer : B

In the framework of Designing and Implementing En8terprise Network Assurance (300-445 ENNA), selecting the correct agent type depends heavily on the vantage point required for the specific observation. For this scenario, the architect must collect metrics from the internal network access layer---the point closest to where the users or devices reside within the corporate perimeter---towards a cloud-hosted destination.

The Enterprise Agent (Option B) is the most appropriate choice because it is specifically designed to be deployed on infrastructure owned and managed by the organization. These agents are 'inside-out' vantage points that can be installed directly on Cisco Catalyst 9300 or 9400 Series switches at the access layer using Docker containers. By deploying an Enterprise Agent at the access layer, the architect gains visibility into the entire network path, starting from the internal LAN, traversing the edge/WAN, and reaching into the cloud-hosted web server. This allows for the identification of issues such as local congestion, ISP peering problems, or cloud provider latency.

Other options do not meet the criteria:

Synthetic Agent (Option A): This is a distractor term. All ThousandEyes agents (Cloud, Enterprise, and Endpoint) are synthetic agents because they all perform active synthetic testing.

Cloud Agent (Option C): These are pre-deployed by Cisco in global ISP data centers and provide an 'outside-in' view.14 While useful for monitoring public-facing availability, they cannot provide visibility into the internal network or the access layer of the organization.

Endpoint Agent (Option D): While these are installed on end-user machines and provide a 'user-centric' view, they are generally not used for infrastructure-level path analysis from the access layer switches themselves.

Thus, the Enterprise Agent is the definitive choice for monitoring from the access layer to the cloud.

Answer : B

In wireless network assurance, high channel utilization and increased retransmissions are clear indicators of RF interference or over-subscription. Retransmissions are particularly damaging to voice call quality because they introduce significant jitter and late-arrival packet loss that the jitter buffer cannot overcome.

The recommended optimization is to change the access point to a different, less congested channel (Option B). This directly reduces the competition for airtime (Channel Utilization) and the likelihood of collisions from neighboring access points (Co-Channel Interference), which in turn lowers the retransmission rate. Modern wireless controllers using Radio Resource Management (RRM) often automate this, but a manual adjustment based on SNMP telemetry is a valid operational fix.

Other options are technically flawed:

Option A: Increasing transmit power often increases interference and channel utilization for surrounding cells, making the problem worse for everyone.

Option C: Disabling all non-voice traffic is an extreme measure that is rarely feasible in a real business environment.

Option D: Admission control limits the number of users but doesn't solve the underlying issue of poor channel health for those already connected.