AI-Ready Network Implementation Guide¶
1. IMPLEMENTATION OVERVIEW¶
1.1 Prerequisites Verification¶
Phase 1 & 2 Completion Checklist:
| Prerequisite | Verification Method | Status | Required Value |
|---|---|---|---|
| Phase 1 Complete | ISE pxGrid enabled | [X] | Verified |
| Phase 1 Complete | XDR platform operational | [X] | Verified |
| Phase 1 Complete | Duo Beyond deployed | [X] | Verified |
| Phase 1 Complete | FTD firewalls migrated | [X] | 18 units |
| Phase 2 Complete | Splunk Observability operational | [X] | 100 GB/day ingestion |
| Phase 2 Complete | ThousandEyes agents deployed | [X] | 6 agents active |
| Phase 2 Complete | AppDynamics APM configured | [X] | 5 apps instrumented |
| Phase 2 Complete | 14-Day Baseline Collected | [X] | CRITICAL |
| DNAC Version | Current version check | [X] | 2.3.7.6 |
| DNAC Cluster Health | All 3 nodes operational | [X] | 3/3 nodes green |
| Storage Availability | DNAC storage capacity | [X] | >50% free |
| Backup Status | Recent full backup | [X] | <7 days old |
Critical Validation: 14-Day Baseline
# Verify baseline data availability in Splunk
index=dnac_assurance earliest=-14d | stats count by _time | table _time count
# Expected result: Continuous data for 14+ days, no gaps >4 hours
# Minimum events: ~40GB/day x 14 days = 560 GB total
# Verify ThousandEyes data
index=thousandeyes earliest=-14d | stats count by test_name | table test_name count
# Expected result: All 25 tests with data for 14+ days
# Verify AppDynamics data
index=appdynamics earliest=-14d | stats count by app_name | table app_name count
# Expected result: All 5 apps with APM traces for 14+ days
1.2 Implementation Team¶
Roles & Responsibilities:
| Role | Name | Responsibilities | Availability |
|---|---|---|---|
| Project Manager | TBD | Overall project coordination, stakeholder management | Full-time (16 weeks) |
| Network Architect | TBD | Catalyst Center upgrade, DNM configuration | Full-time (Weeks 1-8) |
| Security Architect | TBD | AgenticOps guardrails, XDR integration | Part-time (as needed) |
| Automation Engineer | TBD | Workflow YAML development, API integrations | Full-time (Weeks 9-16) |
| NOC Team Lead | TBD | Operational procedures, training | Part-time (Weeks 13-16) |
| Cisco TAC Support | Assigned | Catalyst Center upgrade support | On-demand |
| AppDynamics Support | Assigned | Cognition Engine integration | On-demand |
1.3 High-Level Timeline¶
+============================================================================+
| PHASE 3: AI-READY NETWORK (16 WEEKS) |
+============================================================================+
| |
| PHASE 3A: CATALYST CENTER UPGRADE (Weeks 1-4) |
| -------------------------------------------------------- |
| Week 1: Staging environment build & testing |
| Week 2: Production cluster upgrade (NJ) |
| Week 3: AI Assistant & AIEA enablement |
| Week 4: DR cluster upgrade (London), ISE sync validation |
| |
| Deliverables: |
| [X] Catalyst Center 2.3.5+ operational |
| [X] AI Assistant enabled for NOC |
| [X] AI Endpoint Analytics feeding ISE |
| |
| --------------------------------------------------------------------------|
| |
| PHASE 3B: DEEP NETWORK MODEL (Weeks 5-8) |
| ------------------------------------------------ |
| Week 5: DNM configuration, baseline validation |
| Week 6-7: ML model training (5 models) |
| Week 8: Model validation, threshold tuning |
| |
| Deliverables: |
| [X] 5 DNM models trained and operational |
| [X] Anomaly detection active |
| [X] Failure predictions (14-day horizon) |
| |
| --------------------------------------------------------------------------|
| |
| PHASE 3C: AGENTICOPS OBSERVE (Weeks 9-12) |
| -------------------------------------------------- |
| Week 9-10: AgenticOps framework setup, WF-001 to WF-004 |
| Week 10-11: WF-005 to WF-008, API credentials |
| Week 11-12: Guardrails configuration, 2-week observation |
| |
| Deliverables: |
| [X] 8 workflows operational (Observe mode) |
| [X] Guardrails validated (SGT 11, 60, 80-83 protected) |
| [X] Recommendation logs (2 weeks of data) |
| |
| --------------------------------------------------------------------------|
| |
| PHASE 3D: AGENTICOPS AUTO (Weeks 13-16) |
| ----------------------------------------------- |
| Week 13-14: WF-001, WF-002, WF-007 -> Auto mode |
| Week 14: WF-005, WF-006 -> Approve mode |
| Week 15: ServiceNow change control integration |
| Week 16: Documentation, NOC training, handover |
| |
| Deliverables: |
| [X] 3 workflows in Auto mode |
| [X] 2 workflows in Approve mode |
| [X] ServiceNow integration operational |
| [X] NOC team trained and certified |
| |
+============================================================================+
2. BILL OF MATERIALS & LICENSING¶
2.1 Software Licensing¶
NOTE: All pricing is illustrative and subject to vendor quote. Contact vendors directly for current pricing.
Catalyst Center AI Licensing:
| License Type | Quantity | Unit | Notes |
|---|---|---|---|
| DNA Advantage (to Catalyst AI Advantage) | 854 devices | Network device | Upgrade from existing DNA Advantage |
| Catalyst Center AI Assistant | 3-node cluster | Cluster | Included with AI Advantage |
| AI Endpoint Analytics | 12,000 endpoints | Endpoint | Included with AI Advantage |
| Deep Network Model | 854 devices | Network device | Included with AI Advantage |
Procurement Process:
1. Contact Cisco Sales Rep (Abhavtech Account Team)
2. Provide current DNA Advantage contract number
3. Request upgrade quote: DNA Advantage -> Catalyst AI Advantage
4. Expected discount: 20-30% (existing customer)
5. Lead time: 2-4 weeks (license key generation)
6. Procurement method: Cisco CCW (Commerce Workspace)
AgenticOps Platform:
| Component | Licensing Model | Notes |
|---|---|---|
| Catalyst Center API | Included | No additional cost |
| vManage API | Included | SD-WAN license |
| ISE pxGrid | Included | ISE Apex license |
| Splunk API | Included | Part of Observability Cloud |
| ThousandEyes API | Included | Enterprise agent license |
| AppDynamics API | Included | APM Pro license |
| ServiceNow Integration | ServiceNow license | ITOM/ITSM license required |
Total Software Investment (Incremental):
Catalyst AI Advantage Upgrade: [Contact Cisco for Quote]
- Estimated: $X per network device
- Total estimated: 854 devices
ServiceNow ITOM Add-on (if not already licensed): [Contact ServiceNow for Quote]
- Estimated: $X per month
TOTAL ESTIMATED SOFTWARE COST: [Contact Vendors]
2.2 Hardware Requirements¶
Catalyst Center Cluster (Existing):
| Component | Model | Quantity | Location | Status |
|---|---|---|---|---|
| Primary Cluster | DN2-HW-APL-XL | 3 nodes | New Jersey | [X] Existing |
| DR Cluster | DN2-HW-APL-XL | 3 nodes | London | [X] Existing |
Hardware Specifications (DN2-HW-APL-XL):
+============================================================================+
| CATALYST CENTER APPLIANCE SPECIFICATIONS |
+============================================================================+
| |
| Model: DN2-HW-APL-XL (Extra Large Appliance) |
| |
| Capacity: |
| * Network Devices: Up to 8,000 |
| * Endpoints: Up to 200,000 |
| * Access Points: Up to 16,000 |
| * Sites: Up to 500 |
| |
| Hardware: |
| * CPU: 56 cores (Intel Xeon) |
| * Memory: 512 GB RAM |
| * Storage: 12 TB SSD (RAID 10) |
| * Network: 4 x 10 GbE, 2 x 1 GbE |
| |
| High Availability: |
| * 3-node cluster (Primary, Secondary, Tertiary) |
| * Automatic failover |
| * Data replication across nodes |
| |
| AI Capabilities: |
| * AI Assistant: Supported |
| * AI Endpoint Analytics: Supported |
| * Deep Network Model: Supported |
| * ML Training: GPU-accelerated |
| |
| Abhavtech Current Utilization: |
| * Network Devices: 854 / 8,000 (10.7%) |
| * Endpoints: 12,000 / 200,000 (6%) |
| * Access Points: 450 / 16,000 (2.8%) |
| * Storage: 5.6 TB / 36 TB (15.5%) |
| -> Well within capacity, no hardware upgrade required |
| |
+============================================================================+
No Additional Hardware Required:
All Phase 3 capabilities are enabled through software licensing upgrades to the existing Catalyst Center infrastructure. The DN2-HW-APL-XL appliances have sufficient capacity for AI workloads.
2.3 Network Requirements¶
Bandwidth Requirements (AgenticOps API Traffic):
| Integration | API Traffic Volume | Frequency | Notes |
|---|---|---|---|
| Catalyst Center -> Splunk | 40 GB/day telemetry | Continuous | Already provisioned (Phase 2) |
| AgenticOps -> vManage API | 1 MB/day | On-demand | Negligible |
| AgenticOps -> ISE API | 5 MB/day | On-demand | Negligible |
| AgenticOps -> FTD API | 2 MB/day | On-demand | Negligible |
| AgenticOps -> ServiceNow | 10 MB/day | Per-action | Negligible |
Total Incremental Bandwidth: <20 MB/day (negligible compared to Phase 2 telemetry)
3. CATALYST CENTER UPGRADE PROCEDURES¶
3.1 Pre-Upgrade Checklist¶
Week 1, Day 1: Pre-Upgrade Validation
# Step 1: Verify current DNAC version
ssh admin@10.252.10.1
show version
# Expected output:
# Cisco DNA Center, Version 2.3.7.6
# Build: 2.3.7.6-123456
# Step 2: Verify cluster health
show cluster
# Expected output:
# Cluster Status: Healthy
# Primary: 10.252.10.1 (ACTIVE)
# Secondary: 10.252.10.2 (STANDBY)
# Tertiary: 10.252.10.3 (STANDBY)
# Step 3: Verify storage capacity
show disk-usage
# Expected output:
# Total: 12 TB
# Used: 5.6 TB (47%)
# Available: 6.4 TB (53%)
# [X] >50% available (PASS)
# Step 4: Verify all services running
show service-status
# Expected output:
# All services: RUNNING (green)
# Step 5: Full cluster backup
backup create full
# Expected output:
# Backup job started: backup-20260118-001
# Estimated time: 2-3 hours
# Location: /nfs/backup/
# Wait for backup completion
show backup status
# Expected output:
# backup-20260118-001: COMPLETED
# Size: 4.2 TB
# Status: SUCCESS
Pre-Upgrade Testing:
| Test | Procedure | Expected Result |
|---|---|---|
| Fabric Connectivity | Ping all fabric nodes from DNAC | 100% reachability |
| ISE Integration | Test pxGrid connection | Active session |
| Assurance Data | Query last 24 hours telemetry | Data present, no gaps |
| API Availability | REST API health check | 200 OK response |
3.2 Staging Environment Build¶
Week 1, Days 2-5: Staging Environment
Purpose: Validate upgrade procedure in isolated environment before production deployment.
Staging Environment Specifications:
| Component | Production | Staging |
|---|---|---|
| Cluster Size | 3 nodes | 1 node (acceptable for staging) |
| Network Devices | 854 | 10 (representative sample) |
| Endpoints | 12,000 | 100 |
| Data | Full production | Last 14 days only |
| Location | New Jersey DC | Lab environment |
Staging Build Procedure:
# Step 1: Deploy staging DNAC appliance
# - Use DN2-HW-APL-L (Large, not XL) if available
# - Or use VM-based Catalyst Center for staging
# Step 2: Restore partial production data
# Extract last 14 days data from production backup
backup extract --days 14 --output staging-backup.tar
# Transfer to staging appliance
scp staging-backup.tar admin@staging-dnac:/nfs/restore/
# Restore on staging
ssh admin@staging-dnac
restore import staging-backup.tar
# Step 3: Connect staging to lab fabric
# - 10 switches (C9300)
# - 2 WLCs (C9800)
# - 20 APs
# - ISE connection (read-only)
# Step 4: Verify staging environment
show devices
# Expected: 10 switches, 2 WLCs, 20 APs
show assurance summary
# Expected: Telemetry from lab devices
# Step 5: Perform upgrade on staging
# (Upgrade procedure documented in Section 3.3)
# Step 6: Validate AI features post-upgrade
# - AI Assistant queries
# - AIEA endpoint classification
# - DNM model training (sample data)
# Step 7: Document any issues encountered
# - Create upgrade runbook with lessons learned
3.3 Production Cluster Upgrade¶
Week 2: Production Upgrade (New Jersey)
Upgrade Window: Sunday, 2026-01-26, 02:00-06:00 IST (Saturday night, minimal user impact)
Upgrade Sequence: Tertiary -> Secondary -> Primary (minimizes service disruption)
Step-by-Step Upgrade Procedure:
#################################################################
# UPGRADE NODE 3 (TERTIARY) - 10.252.10.3
#################################################################
# Step 1: Pre-upgrade checks on Node 3
ssh admin@10.252.10.3
show version
show service-status
show cluster
# Step 2: Download Catalyst Center upgrade file
# Location: Cisco Software Download Center
# File: catalyst-center-2.3.5.6-upgrade.bin
# Size: ~8 GB
# Download to DNAC: /nfs/upgrade/
# Step 3: Verify download integrity
verify-checksum /nfs/upgrade/catalyst-center-2.3.5.6-upgrade.bin
# Expected: MD5 checksum matches Cisco documentation
# Step 4: Initiate upgrade on Node 3
upgrade install /nfs/upgrade/catalyst-center-2.3.5.6-upgrade.bin --node 10.252.10.3
# Expected output:
# Upgrade initiated on node 10.252.10.3
# Estimated time: 90-120 minutes
# Node will reboot automatically
# Services will be unavailable on this node during upgrade
# Step 5: Monitor upgrade progress
show upgrade status
# Expected output (every 5 minutes):
# Node 10.252.10.3: UPGRADING (35% complete)
# Step 6: Wait for Node 3 upgrade completion (~2 hours)
# Expected output:
# Node 10.252.10.3: UPGRADE COMPLETE
# Version: 2.3.5.6
# Status: STANDBY (rejoined cluster)
# Step 7: Validate Node 3 post-upgrade
ssh admin@10.252.10.3
show version
# Expected: Cisco Catalyst Center, Version 2.3.5.6
show cluster
# Expected: Node 3 status STANDBY, cluster healthy
show service-status
# Expected: All services RUNNING
#################################################################
# UPGRADE NODE 2 (SECONDARY) - 10.252.10.2
#################################################################
# Repeat Steps 1-7 for Node 2
# Wait 30 minutes after Node 3 completion before starting Node 2
# Allows cluster stabilization
ssh admin@10.252.10.2
upgrade install /nfs/upgrade/catalyst-center-2.3.5.6-upgrade.bin --node 10.252.10.2
# Monitor and validate as with Node 3
#################################################################
# UPGRADE NODE 1 (PRIMARY) - 10.252.10.1
#################################################################
# Wait 30 minutes after Node 2 completion
# This is the most critical upgrade (active node)
ssh admin@10.252.10.1
upgrade install /nfs/upgrade/catalyst-center-2.3.5.6-upgrade.bin --node 10.252.10.1
# During Node 1 upgrade:
# - Node 2 automatically becomes PRIMARY (failover)
# - Fabric continues operating (data plane unaffected)
# - Assurance data collection continues
# - No user impact
# Monitor and validate
#################################################################
# POST-UPGRADE VALIDATION (All 3 Nodes)
#################################################################
# Step 1: Verify cluster health
ssh admin@10.252.10.1
show cluster
# Expected output:
# Cluster Status: Healthy
# Primary: 10.252.10.1 (ACTIVE) - Version 2.3.5.6
# Secondary: 10.252.10.2 (STANDBY) - Version 2.3.5.6
# Tertiary: 10.252.10.3 (STANDBY) - Version 2.3.5.6
# Step 2: Verify all devices managed
show devices
# Expected: 854 devices (same as pre-upgrade)
# Step 3: Verify Assurance data continuity
show assurance summary --last 24h
# Expected: No data gaps during upgrade
# Step 4: Verify ISE integration
show integrations ise
# Expected: pxGrid connection ACTIVE
# Step 5: Verify AI features available
show ai-capabilities
# Expected output:
# AI Assistant: Enabled
# AI Endpoint Analytics: Enabled
# Deep Network Model: Ready (training required)
# Step 6: Test AI Assistant
# GUI: Catalyst Center -> AI Assistant
# Query: "Show me all switches with high CPU"
# Expected: Natural language response with results
# Step 7: Verify AIEA started profiling
# GUI: Catalyst Center -> Inventory -> Endpoints
# Check: Endpoint profiles show "AIEA" source
# Expected: New endpoints automatically classified
# Step 8: Document upgrade completion
# - Total upgrade time: ~5 hours (3 nodes x 90 min + wait times)
# - Service disruption: 0 minutes (fabric remained operational)
# - Issues encountered: None (or document any)
3.4 AI Feature Enablement¶
Week 3: AI Assistant & AI Endpoint Analytics
AI Assistant Configuration:
# Step 1: Enable AI Assistant
ssh admin@10.252.10.1
configure terminal
ai-assistant enable
# Step 2: Configure AI Assistant settings
ai-assistant language en-US
ai-assistant max-tokens 2000
ai-assistant temperature 0.7
# Step 3: Configure RBAC for AI Assistant
# GUI: Catalyst Center -> System -> Settings -> User Management
# Add role: AI-Assistant-User
# Permissions:
# - Assurance: Read
# - Inventory: Read
# - AI Assistant: Use
# Assign role to NOC engineers
# Step 4: Test AI Assistant queries
# GUI: Catalyst Center -> AI Assistant (icon in top-right)
# Test Query 1: "Show me all APs with high CPU"
# Expected: List of APs with CPU >75%
# Test Query 2: "Why is Wi-Fi slow at Mumbai office?"
# Expected: Root cause analysis with recommendations
# Test Query 3: "Predict switch failures for next 2 weeks"
# Expected: DNM predictions (if models trained)
AI Endpoint Analytics Configuration:
# Step 1: Enable AIEA
ssh admin@10.252.10.1
configure terminal
aiea enable
# Step 2: Configure AIEA settings
aiea confidence-threshold 80
# Only classifications >80% confidence pushed to ISE
aiea update-frequency realtime
# Push updates to ISE immediately on classification change
aiea behavioral-baseline-days 14
# Use 14-day baseline for anomaly detection
# Step 3: Configure ISE integration for AIEA
# GUI: Catalyst Center -> System -> Settings -> External Services -> ISE
# Enable: "AI Endpoint Analytics Profile Sync"
# pxGrid Topic: /Session/EndpointProfile
# Update Frequency: Real-time
# Step 4: Verify AIEA profiling endpoints
# GUI: Catalyst Center -> Inventory -> Endpoints
# Columns: Device Type, OS, Manufacturer, Confidence, Source
# Expected:
# MAC: aa:bb:cc:dd:ee:ff
# Device Type: IP Camera
# OS: Embedded Linux
# Manufacturer: Axis Communications
# Model: AXIS P1375
# Confidence: 98%
# Source: AIEA (not static ISE profiler)
# Step 5: Verify ISE receiving AIEA profiles
# ISE GUI: Context Visibility -> Endpoints
# Check: Profile Source column shows "AIEA"
# Expected:
# Endpoint: aa:bb:cc:dd:ee:ff
# Profile: IP-Camera-Axis
# Source: AIEA (pxGrid)
# Certainty: 98
# SGT: 62 (IP Cameras)
# Step 6: Monitor AIEA accuracy
# Dashboard: AIEA Classification Accuracy
# Target: >95% accuracy within 30 days
3.5 DR Cluster Upgrade¶
Week 4: DR Cluster Upgrade (London)
Pre-Requisites: - Production cluster (NJ) upgraded successfully - 48-hour soak test completed (no issues) - Backup of London cluster completed
Upgrade Procedure: Same as Section 3.3 (Production Cluster Upgrade)
Upgrade Window: Sunday, 2026-02-02, 02:00-06:00 GMT
Post-Upgrade Validation: - Verify DR cluster version matches production (2.3.5.6) - Test failover scenario (optional): Shut down NJ cluster, verify London takes over - Document DR cluster upgrade completion
4. AGENTICOPS WORKFLOW DEFINITIONS¶
4.1 Workflow Development Framework¶
Workflow YAML Structure:
# AgenticOps Workflow Template
# Version: 1.0
workflow:
id: "WF-XXX"
name: "Workflow-Name"
version: "1.0"
description: "Brief description of workflow purpose"
metadata:
owner: "Abhavtech Network Operations"
created: "2026-01-18"
last_modified: "2026-01-18"
mode: "observe | recommend | approve | auto"
triggers:
- type: "alert | schedule | manual"
source: "AI engine name"
condition: "Trigger logic"
inputs:
- name: "input_variable_name"
source: "AI engine or platform"
type: "string | number | boolean | object"
required: true | false
decision_logic:
guardrails:
protected_sgt:
- 11 # Executives
- 60 # OT/Medical
- 80 # Servers-Critical
- 81 # Servers-Production
- 82 # Servers-Development
- 83 # Servers-DMZ
rate_limit:
max_actions_per_hour: X
max_actions_per_day: Y
conditions:
- if: "condition_expression"
then: "action_sequence"
else: "alternative_action"
actions:
- name: "action_name"
platform: "vManage | ISE | FTD | DNAC"
api: "API endpoint"
method: "GET | POST | PUT | DELETE"
parameters: {}
rollback:
enabled: true | false
timeout: "duration in minutes"
condition: "rollback trigger condition"
logging:
splunk_index: "agenticops"
log_level: "info | warning | error"
include_full_decision_chain: true
notification:
servicenow:
create_ticket: true
priority: "low | medium | high | critical"
assignment_group: "NOC | SecOps | NetOps"
webex:
send_alert: true | false
room: "room_name"
4.2 WF-001: Webex-Branch-Optimize (Complete Definition)¶
#################################################################
# WF-001: WEBEX-BRANCH-OPTIMIZE
# Purpose: Automatically optimize Webex voice quality by adjusting
# SD-WAN QoS policies when MOS degrades below threshold
#################################################################
workflow:
id: "WF-001"
name: "Webex-Branch-Optimize"
version: "1.0"
description: "Auto-optimize Webex voice quality via SD-WAN QoS adjustment"
metadata:
owner: "Abhavtech Network Operations"
created: "2026-01-18"
last_modified: "2026-01-18"
mode: "auto" # Final mode (Phase 3D)
initial_mode: "observe" # Starting mode (Phase 3C)
triggers:
- type: "alert"
source: "ThousandEyes"
condition: |
(mos < 4.0 OR jitter > 25 OR packet_loss > 1.5)
AND duration > 120 # 2 minutes
webhook: "https://agenticops.abhavtech.com/webhook/thousandeyes"
inputs:
- name: "thousandeyes_alert"
source: "ThousandEyes"
type: "object"
required: true
schema:
site: "string" # Branch site name
agent_name: "string"
test_name: "string"
mos: "number"
jitter: "number"
packet_loss: "number"
duration: "number" # seconds
- name: "circuit_utilization"
source: "Splunk (vManage logs)"
type: "number"
required: true
query: |
index=vmanage source=circuit_stats
site="{{site}}"
| stats avg(utilization) as util by circuit_name
- name: "client_count"
source: "DNAC Assurance"
type: "number"
required: false
api: "/dna/intent/api/v1/client-health?siteId={{site_id}}"
decision_logic:
guardrails:
protected_sgt: [11, 60, 80, 81, 82, 83]
rate_limit:
max_actions_per_hour: 3
max_actions_per_site_per_hour: 1
cooldown_period: 30 # minutes
conditions:
# Condition 1: Guardrail check
- if: "target_sgt IN protected_sgt"
then:
- action: "log_blocked"
message: "WF-001 blocked: Protected SGT {{target_sgt}}"
- action: "alert_noc"
priority: "high"
- action: "exit_workflow"
# Condition 2: Rate limit check
- if: "actions_last_hour >= rate_limit.max_actions_per_hour"
then:
- action: "log_rate_limited"
- action: "alert_noc"
message: "WF-001 rate limited: {{actions_last_hour}} actions in last hour"
- action: "exit_workflow"
# Condition 3: Main decision logic
- if: |
(mos < 4.0 OR jitter > 25 OR packet_loss > 1.5)
AND circuit_utilization > 80
AND NOT (target_sgt IN protected_sgt)
AND actions_last_hour < rate_limit.max_actions_per_hour
then:
# Check if backup circuit available
- action: "query_vmanage"
api: "/dataservice/device/bfd/sessions"
parameters:
deviceId: "{{edge_device_id}}"
store_result: "backup_circuits"
# Decision branch: Backup available?
- if: "backup_circuits.count > 0 AND backup_circuits[0].state == 'up'"
then:
# Action: Reroute to backup
- action: "execute"
name: "reroute_to_backup"
platform: "vManage"
api: "/dataservice/template/policy/vedge/{{policy_id}}"
method: "PUT"
parameters:
policyName: "Webex-Failover-{{site}}"
sequences:
- match:
dscp: [46] # EF (Webex voice)
actions:
- type: "route"
parameter: "backup"
rollback:
enabled: true
timeout: 30 # minutes
condition: "mos_improvement < 0.3 OR mos still < 4.0"
else:
# Action: Increase QoS bandwidth allocation
- action: "execute"
name: "increase_webex_qos"
platform: "vManage"
api: "/dataservice/template/feature/{{template_id}}"
method: "PUT"
parameters:
shaping_rate:
# Increase Webex bandwidth by 15%
webex_bandwidth_percent: "{{current_percent + 15}}"
queue:
name: "voice"
bandwidth_percent: "{{current_percent + 15}}"
rollback:
enabled: true
timeout: 30
condition: "mos_improvement < 0.3 OR mos still < 4.0"
else:
- action: "log"
message: "WF-001 conditions not met, no action taken"
actions:
# Defined inline above in decision_logic
logging:
splunk_index: "agenticops"
log_level: "info"
include_full_decision_chain: true
log_fields:
- workflow_id
- site
- mos_before
- mos_after
- action_taken
- rollback_triggered
- execution_time
notification:
servicenow:
create_ticket: true
priority: "medium"
assignment_group: "NOC"
short_description: "WF-001: Webex QoS adjustment at {{site}}"
description_template: |
AgenticOps WF-001 executed automatic remediation:
Site: {{site}}
Issue: Webex voice quality degraded
MOS: {{mos}} (target: >4.2)
Jitter: {{jitter}}ms
Packet Loss: {{packet_loss}}%
Action Taken: {{action_name}}
Expected Improvement: MOS {{mos}} -> {{predicted_mos}}
Rollback: Automatic after 30 minutes if no improvement
Monitor: ThousandEyes test "{{test_name}}"
webex:
send_alert: false # Only alert on failures
room: "network-operations"
monitoring:
post_action_validation:
enabled: true
wait_time: 900 # 15 minutes
success_criteria:
- mos > 4.0
- jitter < 25
- packet_loss < 1.0
failure_action:
- rollback_action
- alert_noc_failure
4.3 WF-002: Malware-Containment (Complete Definition)¶
#################################################################
# WF-002: MALWARE-CONTAINMENT
# Purpose: Automatically quarantine endpoints and block C2
# communication when malware is detected
#################################################################
workflow:
id: "WF-002"
name: "Malware-Containment"
version: "1.0"
description: "Auto-quarantine malware-infected endpoints and block C2"
metadata:
owner: "Abhavtech Security Operations"
created: "2026-01-18"
last_modified: "2026-01-18"
mode: "auto" # Final mode (Phase 3D)
triggers:
- type: "alert"
source: "XDR (AMP for Endpoints)"
condition: "malware_detected AND severity >= high"
webhook: "https://agenticops.abhavtech.com/webhook/xdr"
inputs:
- name: "xdr_alert"
source: "Cisco XDR"
type: "object"
required: true
schema:
endpoint_hostname: "string"
endpoint_ip: "string"
endpoint_mac: "string"
malware_name: "string"
malware_hash_sha256: "string"
severity: "string" # low, medium, high, critical
c2_ips: "array"
c2_domains: "array"
detection_time: "timestamp"
- name: "endpoint_context"
source: "ISE pxGrid"
type: "object"
required: true
api: "/pxgrid/control/SessionQuery"
parameters:
macAddress: "{{endpoint_mac}}"
schema:
username: "string"
sgt: "number"
location: "string"
auth_status: "string"
- name: "endpoint_behavioral_profile"
source: "AI Endpoint Analytics"
type: "object"
required: false
api: "/dna/intent/api/v1/endpoint/{{mac}}/behavioral-profile"
decision_logic:
guardrails:
protected_sgt: [11, 60, 80, 81, 82, 83]
protected_users:
- "ceo@abhavtech.com"
- "cto@abhavtech.com"
- "ciso@abhavtech.com"
rate_limit:
max_actions_per_hour: 10
# Higher limit for security workflows
conditions:
# Condition 1: Severity check
- if: "severity NOT IN ['high', 'critical']"
then:
- action: "log"
message: "WF-002: Severity {{severity}} below threshold, alerting only"
- action: "alert_secops"
priority: "medium"
- action: "exit_workflow"
# Condition 2: Guardrail check
- if: "endpoint_context.sgt IN protected_sgt"
then:
- action: "log_blocked"
message: "WF-002 blocked: Protected SGT {{endpoint_context.sgt}}"
- action: "alert_secops"
priority: "critical"
message: |
CRITICAL: Malware detected on PROTECTED endpoint
Endpoint: {{endpoint_hostname}}
User: {{endpoint_context.username}}
SGT: {{endpoint_context.sgt}} (PROTECTED - NO AUTO-QUARANTINE)
Malware: {{malware_name}}
MANUAL INVESTIGATION REQUIRED
- action: "create_incident"
platform: "XDR"
priority: "critical"
- action: "exit_workflow"
# Condition 3: Main containment logic
- if: |
severity IN ['high', 'critical']
AND NOT (endpoint_context.sgt IN protected_sgt)
AND NOT (endpoint_context.username IN protected_users)
then:
# Parallel execution of containment actions
- action_group: "containment"
execute: "parallel"
actions:
# Action 1: AMP Endpoint Isolation
- action: "isolate_endpoint"
platform: "AMP"
api: "/v1/computers/{{endpoint_guid}}"
method: "PATCH"
parameters:
isolation: true
timeout: 30 # seconds
# Action 2: ISE VLAN Quarantine
- action: "quarantine_ise"
platform: "ISE"
api: "/ers/config/ancendpoint/apply"
method: "POST"
parameters:
macAddress: "{{endpoint_mac}}"
policyName: "ANC-Quarantine"
timeout: 30
# Action 3: Block C2 IPs in FTD
- action: "block_c2_ips"
platform: "FTD (via FMC)"
api: "/policy/accesspolicies/{{policy_id}}/accessrules"
method: "POST"
parameters:
name: "Block-C2-{{malware_hash_sha256[:8]}}"
action: "BLOCK"
sourceNetworks:
- type: "Host"
value: "{{endpoint_ip}}"
destinationNetworks:
- type: "Host"
value: "{{c2_ip}}"
for_each: "c2_ip in xdr_alert.c2_ips"
deployNow: true
timeout: 60
# Action 4: Block C2 Domains in Umbrella
- action: "block_c2_domains"
platform: "Umbrella"
api: "/policies/{{policy_id}}/destinations"
method: "POST"
parameters:
destinations: "{{xdr_alert.c2_domains}}"
action: "BLOCK"
timeout: 30
# Sequential: Search for lateral movement
- action: "search_lateral_movement"
platform: "XDR"
api: "/v1/events/search"
method: "POST"
parameters:
query: |
sha256:{{malware_hash_sha256}}
AND NOT hostname:{{endpoint_hostname}}
timeRange: "last_24_hours"
store_result: "other_infected_endpoints"
# If lateral movement found, recurse
- if: "other_infected_endpoints.count > 0"
then:
- action: "log"
message: "Lateral movement detected: {{other_infected_endpoints.count}} additional endpoints"
- action: "for_each"
items: "other_infected_endpoints"
execute: "workflow"
workflow_id: "WF-002" # Recursive call
parameters:
endpoint_mac: "{{item.mac}}"
malware_hash_sha256: "{{malware_hash_sha256}}"
actions:
# Defined inline above
logging:
splunk_index: "agenticops_security"
log_level: "info"
include_full_decision_chain: true
log_fields:
- workflow_id
- endpoint_hostname
- endpoint_mac
- endpoint_ip
- username
- sgt
- malware_name
- malware_hash
- c2_ips
- c2_domains
- containment_time_seconds
- lateral_movement_found
- endpoints_quarantined_total
notification:
servicenow:
create_ticket: true
priority: "high"
assignment_group: "SecOps"
short_description: "WF-002: Malware containment {{endpoint_hostname}}"
description_template: |
AgenticOps WF-002 executed automatic malware containment:
Endpoint Details:
- Hostname: {{endpoint_hostname}}
- IP: {{endpoint_ip}}
- MAC: {{endpoint_mac}}
- User: {{endpoint_context.username}}
- SGT: {{endpoint_context.sgt}}
- Location: {{endpoint_context.location}}
Malware Details:
- Name: {{malware_name}}
- SHA256: {{malware_hash_sha256}}
- Severity: {{severity}}
- Detection Time: {{detection_time}}
C2 Communication:
- IPs: {{c2_ips | join(', ')}}
- Domains: {{c2_domains | join(', ')}}
Actions Taken:
1. Endpoint isolated (AMP)
2. VLAN quarantined (ISE)
3. C2 IPs blocked (FTD)
4. C2 domains blocked (Umbrella)
Lateral Movement:
- Additional infected endpoints: {{other_infected_endpoints.count}}
Total containment time: {{containment_time_seconds}} seconds
Next Steps:
1. Investigate malware source (phishing email, drive-by download?)
2. Remove malware from endpoint
3. Validate endpoint clean
4. Release from quarantine
webex:
send_alert: true
room: "security-alerts"
message_template: |
ALERT MALWARE CONTAINMENT (WF-002)
Endpoint: {{endpoint_hostname}} ({{endpoint_context.username}})
Malware: {{malware_name}}
Status: QUARANTINED ({{containment_time_seconds}}s)
ServiceNow: {{ticket_id}}
monitoring:
post_action_validation:
enabled: true
wait_time: 300 # 5 minutes
success_criteria:
- endpoint_isolated == true
- ise_quarantine_active == true
- c2_blocked_ftd == true
- c2_blocked_umbrella == true
failure_action:
- alert_secops_critical
- create_incident_xdr
- manual_intervention_required
4.4 WF-003 through WF-008 (Simplified Definitions)¶
WF-003: Client-Troubleshoot (Manual)
workflow:
id: "WF-003"
name: "Client-Troubleshoot"
mode: "manual" # NOC-initiated, no automated actions
triggers:
- type: "manual"
source: "AI Assistant"
condition: "NOC engineer enters client identifier"
inputs:
- name: "client_identifier"
source: "NOC input (username, MAC, or IP)"
type: "string"
required: true
decision_logic:
steps:
1. Query DNAC Assurance for client health (wireless/wired metrics)
2. Query ISE pxGrid for authentication context
3. Query DNM for predictions (known issues at location?)
4. Correlate with Splunk logs (recent network changes?)
5. Generate troubleshooting recommendations (ranked by likelihood)
output:
- Root cause analysis with confidence score
- Ranked recommendations (most likely -> least likely)
- Related issues (similar problems at same site)
actions:
- None (Manual - NOC executes recommended actions)
WF-004: Capacity-Alert (Manual)
workflow:
id: "WF-004"
name: "Capacity-Alert"
mode: "manual" # Requires procurement/budget approval
triggers:
- type: "schedule"
frequency: "daily 08:00 IST"
- type: "alert"
source: "Deep Network Model"
condition: "port_exhaustion_days <= 14 OR bandwidth_exhaustion_days <= 30"
inputs:
- name: "capacity_forecast"
source: "DNM Capacity Forecasting Model"
type: "object"
required: true
output:
- Capacity exhaustion date (predicted)
- Growth rate (current trend)
- Recommended action (add ports, upgrade bandwidth, add equipment)
- Procurement recommendation (specific equipment models)
actions:
- Create ServiceNow ticket (assignment: Capacity Planning team)
- Email report to network architect + CTO
- No automated procurement (requires budget approval)
WF-005: Compliance-Remediate (Approve)
workflow:
id: "WF-005"
name: "Compliance-Remediate"
mode: "approve" # Requires NOC approval before config change
triggers:
- type: "alert"
source: "Splunk MLTK"
condition: "compliance_violation_detected == true"
inputs:
- name: "compliance_violation"
source: "Splunk MLTK Compliance-Check Model"
type: "object"
required: true
examples:
- "SNMPv2 detected (should be SNMPv3)"
- "Weak SSH cipher detected"
- "NTP server not configured"
decision_logic:
steps:
1. Identify non-compliant configuration
2. Generate remediation plan (DNAC template)
3. Check device health (is device stable for config change?)
4. Request approval from NOC
5. IF approved: Apply DNAC template
actions:
- Create ServiceNow change request
- Wait for approval (timeout: 24 hours)
- IF approved: Apply compliance template via DNAC
- Rollback: Auto-revert if device becomes unreachable
guardrails:
- No action on SGT 80-83 (server infrastructure)
WF-006: Wi-Fi-Optimize (Approve)
workflow:
id: "WF-006"
name: "Wi-Fi-Optimize"
mode: "approve" # Requires wireless engineer approval
triggers:
- type: "alert"
source: "Deep Network Model"
condition: "rf_optimization_opportunity == true"
examples:
- "Channel overlap detected (APs on same channel)"
- "Coverage gap detected (weak signal area)"
- "Co-channel interference >30%"
inputs:
- name: "rf_optimization_plan"
source: "DNM RF Optimization Model"
type: "object"
required: true
output:
- RF plan (channel reassignment, power adjustment)
- Expected improvement (client health increase %)
- Risk assessment (coverage impact)
decision_logic:
steps:
1. DNM detects RF optimization opportunity
2. Generate RF plan with expected improvement
3. Request approval from wireless engineer
4. IF approved: Apply RF configuration via DNAC
5. Monitor client health for 24 hours
6. IF client health degrades: Rollback automatically
actions:
- Create ServiceNow change request
- Wait for approval (timeout: 24 hours)
- IF approved: Apply RF configuration via DNAC
- Rollback: Auto-revert after 24 hours if client health degrades
guardrails:
- Max 2 actions per site per day (prevent RF churn)
WF-007: SaaS-Failover (Auto)
workflow:
id: "WF-007"
name: "SaaS-Failover"
mode: "auto" # Low risk, time-critical
triggers:
- type: "alert"
source: "ThousandEyes"
condition: "saas_path_degraded == true AND duration > 300"
examples:
- "Office365 latency >200ms for 5 minutes"
- "Salesforce packet loss >2% for 5 minutes"
inputs:
- name: "thousandeyes_alert"
source: "ThousandEyes"
type: "object"
required: true
decision_logic:
steps:
1. ThousandEyes detects SaaS path degraded
2. Check if backup path (DIA) is healthy
3. IF backup healthy: Reroute SaaS traffic to DIA
4. Monitor for 30 minutes
5. IF latency not improved: Rollback to original path
actions:
- Reroute SaaS traffic (Office365, Salesforce, Webex) to DIA backup
- Expected: Latency improvement 200ms -> 50ms
- Rollback: Auto-revert after 30 minutes if latency not improved
guardrails:
- No action on SGT 80-83 (server traffic)
- Rate limit: 5 actions/hour
WF-008: Insider-Threat (Manual)
workflow:
id: "WF-008"
name: "Insider-Threat"
mode: "manual" # Requires SecOps/legal investigation
triggers:
- type: "alert"
source: "Splunk MLTK + XDR"
condition: "insider_threat_score > 80"
indicators:
- "Large data exfiltration (>5 GB in 24 hours)"
- "Unusual access patterns (off-hours, unusual destinations)"
- "Privilege escalation attempts"
inputs:
- name: "insider_threat_analysis"
source: "Splunk MLTK Insider-Threat Model"
type: "object"
required: true
output:
- Investigation case with evidence timeline
- Behavioral analysis (deviation from baseline)
- Risk score (0-100, >80 = high risk)
actions:
- Create XDR investigation case
- Alert SecOps team (critical priority)
- Notify legal team (potential insider threat)
- No automated quarantine (requires investigation)
guardrails:
- No automated actions (investigation-only workflow)
5. API INTEGRATION SPECIFICATIONS¶
5.1 API Credentials Management¶
Secure Credential Storage:
| Platform | Authentication Method | Credential Storage | Rotation Policy |
|---|---|---|---|
| Catalyst Center | API Token | HashiCorp Vault | 90 days |
| vManage | OAuth 2.0 | HashiCorp Vault | 90 days |
| ISE | ERS Username/Password | HashiCorp Vault | 90 days |
| FTD (FMC) | API Token | HashiCorp Vault | 90 days |
| Umbrella | API Key + Secret | HashiCorp Vault | 180 days |
| AMP | API Key + Client ID | HashiCorp Vault | 180 days |
| Splunk | API Token | HashiCorp Vault | 90 days |
| ThousandEyes | OAuth Token | HashiCorp Vault | 90 days |
| AppDynamics | API Client | HashiCorp Vault | 90 days |
| ServiceNow | OAuth 2.0 | HashiCorp Vault | 90 days |
HashiCorp Vault Setup:
# Install HashiCorp Vault (if not already deployed)
# Location: Dedicated vault server in secure network segment
# Create Vault policy for AgenticOps
vault policy write agenticops-policy - <<EOF
path "secret/data/agenticops/*" {
capabilities = ["read", "list"]
}
EOF
# Create AppRole for AgenticOps
vault write auth/approle/role/agenticops \
token_policies="agenticops-policy" \
token_ttl=1h \
token_max_ttl=4h
# Store API credentials
vault kv put secret/agenticops/catalyst-center \
username="agenticops-api" \
password="<generated-password>" \
base_url="https://10.252.10.1"
vault kv put secret/agenticops/vmanage \
client_id="agenticops" \
client_secret="<generated-secret>" \
base_url="https://vmanage.abhavtech.com"
# AgenticOps retrieves credentials at runtime
vault kv get -field=password secret/agenticops/catalyst-center
5.2 Catalyst Center API Integration¶
API Authentication:
import requests
import json
import hvac
# Retrieve credentials from Vault
vault_client = hvac.Client(url='https://vault.abhavtech.com:8200')
vault_client.auth.approle.login(
role_id='<role-id>',
secret_id='<secret-id>'
)
creds = vault_client.secrets.kv.v2.read_secret_version(
path='agenticops/catalyst-center'
)['data']['data']
# Authenticate to Catalyst Center
auth_url = f"{creds['base_url']}/dna/system/api/v1/auth/token"
response = requests.post(
auth_url,
auth=(creds['username'], creds['password']),
headers={'Content-Type': 'application/json'},
verify=False # Use proper cert in production
)
token = response.json()['Token']
# Use token for subsequent API calls
headers = {
'X-Auth-Token': token,
'Content-Type': 'application/json'
}
# Example API calls
# Get device list
devices_url = f"{creds['base_url']}/dna/intent/api/v1/network-device"
response = requests.get(devices_url, headers=headers, verify=False)
devices = response.json()['response']
# Get client health
client_health_url = f"{creds['base_url']}/dna/intent/api/v1/client-health"
response = requests.get(client_health_url, headers=headers, verify=False)
client_health = response.json()['response']
5.3 Error Handling & Rate Limiting¶
Rate Limiting Strategy:
| Platform | Rate Limit | Handling Strategy |
|---|---|---|
| Catalyst Center | 100 req/min | Queue requests, retry with exponential backoff |
| vManage | 50 req/min | Queue requests |
| ISE | 20 req/min | Queue requests, use pxGrid for bulk queries |
| FMC | 120 req/min | Batch operations when possible |
Error Handling Template:
import time
import logging
def api_call_with_retry(func, *args, max_retries=3, **kwargs):
"""Wrapper for API calls with exponential backoff retry logic"""
for attempt in range(max_retries):
try:
response = func(*args, **kwargs)
if response.status_code == 200:
return response.json()
elif response.status_code == 429: # Rate limit
retry_after = int(response.headers.get('Retry-After', 60))
logging.warning(f"Rate limited, retrying after {retry_after}s")
time.sleep(retry_after)
elif response.status_code >= 500: # Server error
wait_time = 2 ** attempt
logging.error(f"Server error, retrying after {wait_time}s")
time.sleep(wait_time)
else:
logging.error(f"API call failed: {response.status_code}")
return None
except requests.exceptions.RequestException as e:
logging.error(f"Request exception: {e}")
if attempt < max_retries - 1:
time.sleep(2 ** attempt)
else:
logging.critical(f"API call failed after {max_retries} attempts")
return None
return None
6. GUARDRAIL CONFIGURATION¶
6.1 Protected Security Group Tags¶
Protected SGT Configuration:
# /etc/agenticops/guardrails.yaml
protected_sgt:
# SGT 11: Executives - NEVER auto-quarantine or modify
- sgt: 11
name: "Executives"
protection_level: "critical"
allowed_workflows: [] # NO workflows allowed
alert_on_trigger: true
alert_recipients:
- "ciso@abhavtech.com"
- "noc-lead@abhavtech.com"
rationale: "Executive devices require manual investigation"
# SGT 60: OT/Medical Devices - NEVER auto-modify
- sgt: 60
name: "OT-Medical"
protection_level: "critical"
allowed_workflows: []
alert_on_trigger: true
alert_recipients:
- "ot-team@abhavtech.com"
- "ciso@abhavtech.com"
rationale: "Patient safety - manual intervention only"
# SGT 80-83: Server Infrastructure
- sgt: 80
name: "Servers-Critical"
protection_level: "high"
allowed_workflows: []
- sgt: 81
name: "Servers-Production"
protection_level: "high"
allowed_workflows: []
- sgt: 82
name: "Servers-Development"
protection_level: "medium"
allowed_workflows: ["WF-005"] # Compliance only (with approval)
- sgt: 83
name: "Servers-DMZ"
protection_level: "high"
allowed_workflows: []
enforcement:
mode: "strict"
log_all_checks: true
log_index: "agenticops_guardrails"
Guardrail Enforcement Logic:
# guardrails.py
import yaml
import logging
from datetime import datetime
class GuardrailValidator:
def __init__(self, config_file='/etc/agenticops/guardrails.yaml'):
with open(config_file, 'r') as f:
self.config = yaml.safe_load(f)
def validate_workflow_action(self, workflow_id, target_sgt, action_type):
"""
Validate if workflow is allowed to act on target SGT
Returns: (allowed: bool, reason: str)
"""
for protected in self.config['protected_sgt']:
if protected['sgt'] == target_sgt:
if workflow_id not in protected.get('allowed_workflows', []):
self.log_blocked_action(workflow_id, target_sgt, action_type, protected)
self.send_alert(protected, workflow_id, target_sgt)
return False, f"SGT {target_sgt} ({protected['name']}) is protected"
return True, "Guardrails passed"
def log_blocked_action(self, workflow_id, target_sgt, action_type, protected):
"""Log guardrail block to Splunk"""
log_data = {
'timestamp': datetime.now().isoformat(),
'workflow_id': workflow_id,
'target_sgt': target_sgt,
'sgt_name': protected['name'],
'action_type': action_type,
'status': 'BLOCKED'
}
logging.warning(f"Guardrail BLOCKED: WF {workflow_id} on SGT {target_sgt}")
6.2 Rate Limiting¶
Rate Limit Configuration:
# /etc/agenticops/rate_limits.yaml
rate_limits:
global:
max_actions_per_hour: 20
max_actions_per_day: 100
per_workflow:
WF-001:
max_actions_per_hour: 3
max_actions_per_site_per_hour: 1
cooldown_period_minutes: 30
WF-002:
max_actions_per_hour: 10
max_actions_per_endpoint_per_hour: 1
WF-007:
max_actions_per_hour: 5
max_actions_per_circuit_per_hour: 2
7. SERVICENOW INTEGRATION¶
7.1 ServiceNow Configuration¶
Integration Architecture:
AgenticOps -> ServiceNow REST API -> ITSM Workflows
Ticket Types:
- Informational (Auto mode actions)
- Approval Request (Approve mode actions)
- Incident (Failures, guardrail violations)
ServiceNow API Setup:
# ServiceNow Instance: abhavtech.service-now.com
# Create Integration User
Username: agenticops_api
Role: itil, rest_api_explorer
# Generate OAuth Credentials
Application Name: AgenticOps Integration
Client ID: <generated>
Client Secret: <generated>
# Store in Vault
vault kv put secret/agenticops/servicenow \
client_id="<client-id>" \
client_secret="<client-secret>" \
instance_url="https://abhavtech.service-now.com"
7.2 ServiceNow API Client¶
Python Client:
import requests
from datetime import datetime, timedelta
class ServiceNowClient:
def __init__(self, instance_url, client_id, client_secret):
self.instance_url = instance_url
self.client_id = client_id
self.client_secret = client_secret
self.access_token = None
def authenticate(self):
"""Get OAuth access token"""
token_url = f"{self.instance_url}/oauth_token.do"
response = requests.post(
token_url,
data={
'grant_type': 'client_credentials',
'client_id': self.client_id,
'client_secret': self.client_secret
}
)
self.access_token = response.json()['access_token']
def create_informational_ticket(self, workflow_id, description, details):
"""Create informational ticket for Auto mode workflows"""
headers = {
'Authorization': f'Bearer {self.access_token}',
'Content-Type': 'application/json'
}
payload = {
'short_description': f"AgenticOps: {workflow_id} - {description}",
'priority': 3,
'state': 6, # Resolved
'u_workflow_id': workflow_id
}
response = requests.post(
f"{self.instance_url}/api/now/table/incident",
headers=headers,
json=payload
)
return response.json()['result']['number']
8. TESTING & VALIDATION¶
8.1 Phase 3C Testing (Observe Mode)¶
Testing Objective: Validate all 8 workflows generate correct recommendations without executing actions.
Test Matrix:
| Workflow | Test Scenario | Expected Result | Pass/Fail |
|---|---|---|---|
| WF-001 | Degrade Webex MOS at Mumbai (reduce bandwidth) | Recommends QoS increase, logs to Splunk, NO action | [ ] |
| WF-002 | Upload test malware (EICAR) to lab endpoint | Identifies endpoint, recommends quarantine, NO action | [ ] |
| WF-003 | NOC queries: "Why can't user X connect to Wi-Fi?" | AI Assistant provides root cause + recommendations | [ ] |
| WF-004 | DNM predicts port exhaustion in 10 days | Creates ServiceNow ticket, NO procurement action | [ ] |
| WF-005 | Non-compliant config (SNMP v2 vs v3) | Generates remediation plan, NO config change | [ ] |
| WF-006 | RF channel overlap at London | Recommends channel reassignment, NO RF change | [ ] |
| WF-007 | O365 path degradation >200ms for 5 min | Recommends path failover, NO route change | [ ] |
| WF-008 | Data exfiltration (5 GB from HR user) | Creates investigation case, NO quarantine | [ ] |
Phase 3C Exit Criteria:
| Criteria | Target | Status |
|---|---|---|
| All 8 workflows triggered successfully | 8/8 | [ ] |
| Recommendations logged to Splunk | 100% | [ ] |
| NO automated actions executed | 0 actions | [ ] |
| Guardrails validated | 100% | [ ] |
| 2-week observation completed | 14 days | [ ] |
| False positive rate | <10% | [ ] |
8.2 Phase 3D Testing (Auto/Approve Mode)¶
Testing Objective: Validate workflows execute actions correctly with proper rollback.
Critical Tests:
- WF-001 Auto Execution + Rollback
- WF-002 Auto Quarantine + Lateral Movement
- WF-006 Approval Required + Manual Override
- Guardrail Protection (Attempt action on SGT-11)
Test Procedure Example (WF-002):
# Test: WF-002 Auto Quarantine
# Step 1: Baseline check
# ISE: Endpoint NOT quarantined
# Step 2: Upload EICAR test file
scp eicar.com testuser@lab-endpoint-01:/tmp/
ssh testuser@lab-endpoint-01
chmod +x /tmp/eicar.com
./eicar.com
# Step 3: Wait 60 seconds for WF-002
# Step 4: Verify quarantine
# ISE: Endpoint QUARANTINED
# AMP: Endpoint ISOLATED
# FTD: C2 blocked (if applicable)
# Step 5: Verify ServiceNow ticket created
# Step 6: Verify Splunk logging
index=agenticops_security workflow_id="WF-002"
| stats count by endpoint_mac
# Expected: 1 endpoint quarantined, containment time <5 seconds
9. OPERATIONAL RUNBOOKS¶
9.1 Daily Operations¶
Daily Checklist (NOC Team Lead):
TIME: 08:00 IST - Morning Review
[ ] 1. Check AgenticOps Dashboard
- Workflow executions (last 24 hours)
- Success rate (target: >95%)
- Average MTTR (target: <10 min)
[ ] 2. Review Splunk Alerts
- Guardrail blocks: Any false positives?
- Rate limit violations: Why?
- Workflow failures: Root cause?
[ ] 3. Review ServiceNow Tickets
- Pending approvals (WF-005, WF-006): Approve or reject
- Open incidents: Follow up on failures
[ ] 4. Check AI Model Performance
- DNM accuracy: >90%?
- AIEA false positives: <2%?
- Splunk MLTK performance: Normal?
[ ] 5. Respond to Failures
- Investigate root cause
- Manual intervention if needed
- Update workflow logic if pattern detected
Splunk Queries for Daily Review:
# Workflow executions (last 24 hours)
index=agenticops earliest=-24h
| stats count by workflow_id, outcome
| table workflow_id, count, outcome
# Guardrail blocks
index=agenticops_guardrails earliest=-24h status="BLOCKED"
| stats count by workflow_id, target_sgt
| table workflow_id, target_sgt, count
# Workflow performance (MTTR)
index=agenticops earliest=-24h action_taken=*
| eval mttr_minutes = execution_time_seconds / 60
| stats avg(mttr_minutes) by workflow_id
| where avg(mttr_minutes) < 10
9.2 Weekly Operations¶
Weekly Review Meeting (Mondays, 10:00 IST):
Attendees: - Network Architect - NOC Team Lead - Security Analyst - Automation Engineer (if needed)
Agenda:
1. WORKFLOW PERFORMANCE REVIEW (15 min)
- Success rate by workflow (target: >95%)
- MTTR trends (target: <10 min)
- False positive trends (target: <2%)
2. GUARDRAIL BLOCKS ANALYSIS (10 min)
- Protected SGT violations: Why?
- False positives: Adjust thresholds?
- New protected entities: Add to guardrails?
3. AI MODEL PERFORMANCE (15 min)
- DNM accuracy: 90-95%?
- AIEA classification accuracy: >95%?
- Splunk MLTK false positives: <2%?
- Model retraining: Any issues?
4. WORKFLOW TUNING (10 min)
- Threshold adjustments needed?
- New trigger conditions?
- Rate limit changes?
5. INCIDENT REVIEW (10 min)
- Failures last week: Root causes?
- Escalations: Why?
- Lessons learned?
6. ACTION ITEMS (5 min)
- Assign tasks
- Set deadlines
Weekly Report Template:
# AGENTICOPS WEEKLY REPORT
Week of: [Date]
## EXECUTIVE SUMMARY
- Workflows executed: [count]
- Success rate: [percentage]
- Average MTTR: [minutes]
- Incidents: [count]
## WORKFLOW PERFORMANCE
| Workflow | Executions | Success Rate | Avg MTTR | Incidents |
|----------|-----------|--------------|----------|-----------|
| WF-001 | 45 | 96% | 8 min | 0 |
| WF-002 | 12 | 100% | 3 min | 0 |
| ... | ... | ... | ... | ... |
## AI MODEL PERFORMANCE
- DNM Accuracy: 92.5% (target: >90%) [X]
- AIEA Accuracy: 96.2% (target: >95%) [X]
- Splunk MLTK FP Rate: 1.8% (target: <2%) [X]
## GUARDRAIL BLOCKS
- Total blocks: 3
- WF-002 on SGT-11 (Executive): 2 blocks
- WF-001 rate limited: 1 block
## INCIDENTS & ESCALATIONS
- None this week
## RECOMMENDATIONS
1. Increase WF-001 rate limit from 3 to 5 actions/hour (high success rate)
2. Tune AIEA threshold from 80% to 85% (reduce false positives)
## ACTION ITEMS
- [ ] Network Architect: Approve rate limit change
- [ ] Automation Engineer: Update AIEA threshold
9.3 Monthly Operations¶
Monthly Tasks:
[ ] 1. GENERATE PERFORMANCE REPORT (1st of month)
- Workflow MTTR trends
- AI accuracy trends
- NOC productivity savings
- Submit to CTO
[ ] 2. REVIEW PROTECTED SGTs (Mid-month)
- Any new executives hired? Add to SGT-11
- Any new OT devices? Add to SGT-60
- Any server decommissions? Remove from SGT 80-83
[ ] 3. UPDATE WORKFLOW LOGIC (End of month)
- Incorporate lessons learned
- Adjust thresholds based on false positive analysis
- Update documentation
[ ] 4. VENDOR ENGAGEMENT (As needed)
- Cisco TAC: DNAC issues?
- AppDynamics: Cognition Engine questions?
- ThousandEyes: Path monitoring issues?
9.4 Quarterly Operations¶
Quarterly Review (Network Architect + CTO):
1. STRATEGIC REVIEW
- Are we meeting KPIs?
- MTTR <10 minutes: [X] or [ ]
- Success rate >95%: [X] or [ ]
- NOC productivity +70%: [X] or [ ]
2. WORKFLOW EXPANSION
- Should we add new workflows?
- Should we move more workflows to Auto mode?
- Should we deprecate any workflows?
3. AI MODEL MATURITY
- DNM: 6 months of data = optimal performance?
- AIEA: Accuracy trends improving?
- Splunk MLTK: New models needed?
4. INFRASTRUCTURE SCALING
- Catalyst Center capacity: Still <20% utilized?
- Splunk license: Approaching limit?
- ServiceNow: Ticket volume trends?
5. BUDGET PLANNING
- License renewals due?
- New equipment needed (from WF-004 alerts)?
- Training needs for new NOC hires?
10. TROUBLESHOOTING GUIDE¶
10.1 Common Issues & Resolutions¶
Issue 1: Workflow Not Triggering
SYMPTOM: WF-001 not executing despite Webex quality degradation
POSSIBLE CAUSES:
1. ThousandEyes webhook not reaching AgenticOps
2. AgenticOps service down
3. Trigger condition not met (duration <2 minutes?)
TROUBLESHOOTING STEPS:
1. Check ThousandEyes alert history
- GUI: Alerts -> Active Alerts
- Verify alert was generated
2. Check AgenticOps webhook logs
ssh agenticops-server
tail -f /var/log/agenticops/webhooks.log
# Expected: Incoming POST from ThousandEyes
3. Check AgenticOps service status
systemctl status agenticops
# Expected: active (running)
4. Check Splunk for workflow trigger attempts
index=agenticops workflow_id="WF-001"
| table _time, trigger_result, trigger_condition_met
RESOLUTION:
- If webhook not received: Check firewall rules, verify webhook URL in ThousandEyes
- If service down: systemctl restart agenticops
- If trigger condition not met: Review trigger logic, adjust thresholds if needed
Issue 2: Guardrail False Block
SYMPTOM: WF-002 blocked quarantine on legitimate corporate user (SGT-10)
POSSIBLE CAUSES:
1. ISE pxGrid returned incorrect SGT
2. User's SGT recently changed (promotion to executive?)
3. Guardrail configuration outdated
TROUBLESHOOTING STEPS:
1. Verify user's actual SGT in ISE
ISE GUI: Context Visibility -> Endpoints -> Search by MAC
# Check SGT assignment
2. Check guardrail configuration
cat /etc/agenticops/guardrails.yaml
# Is SGT-10 in protected list? (Should NOT be)
3. Check Splunk for guardrail decision
index=agenticops_guardrails endpoint_mac="aa:bb:cc:dd:ee:ff"
| table _time, workflow_id, target_sgt, sgt_name, status
RESOLUTION:
- If ISE returned wrong SGT: Fix ISE authorization policy
- If user promoted to executive: Add to SGT-11, update guardrails
- If guardrail config outdated: Update /etc/agenticops/guardrails.yaml
Issue 3: Action Rollback Triggered
SYMPTOM: WF-001 increased Webex QoS, but rolled back after 30 minutes
POSSIBLE CAUSES:
1. MOS did not improve as expected (root cause elsewhere)
2. Rollback condition too strict
3. WAN circuit issue not resolved by QoS change
TROUBLESHOOTING STEPS:
1. Check ThousandEyes MOS after action
index=thousandeyes test_name="Voice-Quality-Mumbai"
| timechart avg(mos)
# Did MOS improve at all?
2. Check vManage for QoS policy application
vManage GUI: Configuration -> Policies
# Verify policy was applied and then rolled back
3. Check Splunk for rollback decision
index=agenticops workflow_id="WF-001" action="rollback"
| table _time, rollback_reason, mos_after_action
RESOLUTION:
- If MOS improved slightly but <0.3: Adjust rollback threshold
- If root cause was ISP (not WAN congestion): Consider WF-007 (SaaS Failover)
- If rollback condition too strict: Update workflow YAML
Issue 4: ServiceNow Ticket Not Created
SYMPTOM: WF-001 executed successfully but no ServiceNow ticket
POSSIBLE CAUSES:
1. ServiceNow OAuth token expired
2. ServiceNow API down
3. AgenticOps ServiceNow integration configuration issue
TROUBLESHOOTING STEPS:
1. Check AgenticOps logs for ServiceNow API errors
tail -f /var/log/agenticops/servicenow.log
# Look for 401 Unauthorized or 500 errors
2. Test ServiceNow OAuth token
curl -X POST "https://abhavtech.service-now.com/oauth_token.do" \
-d "grant_type=client_credentials" \
-d "client_id=<id>" \
-d "client_secret=<secret>"
# Expected: access_token in response
3. Check ServiceNow instance status
https://status.servicenow.com
# Is abhavtech instance healthy?
RESOLUTION:
- If token expired: Refresh token in HashiCorp Vault
vault kv put secret/agenticops/servicenow client_secret="<new-secret>"
- If ServiceNow down: Wait for service restoration
- If config issue: Verify /etc/agenticops/servicenow_config.yaml
Issue 5: High False Positive Rate
SYMPTOM: DNM predicting 10+ switch failures per week, but none actually fail
POSSIBLE CAUSES:
1. DNM model threshold too sensitive
2. Seasonal patterns not learned (insufficient training data)
3. Recent network changes affecting baseline
TROUBLESHOOTING STEPS:
1. Check DNM prediction accuracy
Catalyst Center GUI: AI Network Analytics -> DNM Dashboard
# Precision, Recall, F1 scores
2. Review false positive examples
index=dnac_assurance source=dnm_predictions
| where actual_failure=false AND predicted_failure=true
| table device_id, prediction_confidence, features
3. Check DNM training data completeness
show ai-network-analytics training-data
# Expected: 90+ days of data
RESOLUTION:
- If threshold too sensitive: Tune detection threshold from 75 to 85
Catalyst Center GUI: AI Network Analytics -> Settings
- If insufficient data: Wait for more training data (DNM improves over time)
- If network changes: Retrain model with updated baseline
ssh admin@catalyst-center
ai-network-analytics retrain-model switch-failure
10.2 Escalation Procedures¶
Escalation Matrix:
| Issue Type | Severity | First Responder | Escalation (if not resolved in) | Final Escalation |
|---|---|---|---|---|
| Workflow failure (single) | Low | NOC Engineer | 2 hours -> NOC Lead | 4 hours -> Network Architect |
| Workflow failure (multiple) | High | NOC Lead | 1 hour -> Network Architect | 2 hours -> CTO |
| Guardrail violation | Critical | NOC Lead + CISO | Immediate | N/A (executive notification) |
| AI model degradation | Medium | Network Architect | 24 hours -> Cisco TAC | 48 hours -> Vendor escalation |
| ServiceNow outage | High | NOC Lead | 30 min -> ServiceNow CSM | 1 hour -> Emergency ticket |
| Catalyst Center outage | Critical | Network Architect | Immediate -> Cisco TAC | 30 min -> Critical TAC case |
Escalation Contact List:
NOC Engineer: noc-engineer@abhavtech.com
NOC Lead: noc-lead@abhavtech.com
Network Architect: network-arch@abhavtech.com
Security Analyst: secops@abhavtech.com
CISO: ciso@abhavtech.com
CTO: cto@abhavtech.com
Cisco TAC: +1-800-553-2447 (24/7)
ServiceNow Support: support.servicenow.com (Portal)
AppDynamics Support: support@appdynamics.com
ThousandEyes Support: support@thousandeyes.com
10.3 Emergency Procedures¶
Emergency Shutdown (If AgenticOps Causing Issues):
# CRITICAL: Use only if AgenticOps is causing network-wide issues
# Step 1: Disable all Auto mode workflows
ssh agenticops-server
cd /etc/agenticops/workflows
for workflow in WF-001 WF-002 WF-007; do
sed -i 's/mode: auto/mode: observe/' ${workflow}.yaml
done
# Step 2: Restart AgenticOps service
systemctl restart agenticops
# Step 3: Verify workflows in Observe mode
curl -X GET http://localhost:8080/api/workflows | jq '.[] | {id, mode}'
# Expected: All workflows in "observe" mode
# Step 4: Notify team
# Send email to NOC Lead + Network Architect
# Subject: "EMERGENCY: AgenticOps disabled (auto -> observe)"
# Step 5: Investigate root cause
tail -f /var/log/agenticops/agenticops.log
# Look for error patterns
Rollback All Recent Actions:
# CRITICAL: Use if multiple workflows caused issues simultaneously
# Step 1: Identify recent actions (last 1 hour)
index=agenticops earliest=-1h action_taken=*
| table _time, workflow_id, action_name, platform, parameters
# Step 2: Rollback manually
# For each action:
# - WF-001: Revert vManage QoS to original values
# - WF-002: Release endpoints from quarantine (ISE + AMP)
# - WF-007: Revert SaaS routing to original path
# Step 3: Create incident ticket
# ServiceNow: Priority Critical
# Title: "Mass rollback of AgenticOps actions - investigate"
# Step 4: Disable AgenticOps (as above)
APPENDICES¶
APPENDIX A: Acronyms & Definitions¶
| Acronym | Full Form | Definition |
|---|---|---|
| AIEA | AI Endpoint Analytics | Catalyst Center ML-driven endpoint classification |
| ANC | Adaptive Network Control | ISE feature for dynamic VLAN quarantine |
| DNM | Deep Network Model | Catalyst Center ML engine for network predictions |
| MAPE | Mean Absolute Percentage Error | Accuracy metric for forecasting models |
| MOS | Mean Opinion Score | Voice quality metric (1-5 scale, target: >4.2) |
| MTTR | Mean Time to Resolution | Average time from alert to resolution |
| pxGrid | Platform Exchange Grid | Cisco ISE API for real-time context sharing |
| SGT | Security Group Tag | Cisco TrustSec tag for policy enforcement |
| XDR | Extended Detection and Response | Cisco security platform (AMP, FTD, Umbrella) |
APPENDIX B: Reference Commands¶
Catalyst Center Commands:
# Show version
show version
# Show cluster health
show cluster
# Show AI capabilities
show ai-capabilities
# Enable AI Assistant
configure terminal
ai-assistant enable
# Enable AIEA
configure terminal
aiea enable
# Show DNM models
show ai-network-analytics models
# Retrain DNM model
ai-network-analytics retrain-model <model-name>
AgenticOps Commands:
# Check service status
systemctl status agenticops
# View logs
tail -f /var/log/agenticops/agenticops.log
# List workflows
curl http://localhost:8080/api/workflows | jq
# Get workflow status
curl http://localhost:8080/api/workflows/WF-001 | jq
# Disable workflow
curl -X PATCH http://localhost:8080/api/workflows/WF-001 \
-d '{"mode": "observe"}' \
-H "Content-Type: application/json"
Splunk Queries:
# All workflow executions
index=agenticops | stats count by workflow_id
# Guardrail blocks
index=agenticops_guardrails status="BLOCKED"
# Workflow failures
index=agenticops outcome="failure"
# Performance by workflow
index=agenticops action_taken=*
| eval mttr = execution_time_seconds / 60
| stats avg(mttr) by workflow_id
APPENDIX C: Configuration File Locations¶
/etc/agenticops/
├── agenticops.conf # Main configuration
├── guardrails.yaml # Protected SGTs
├── rate_limits.yaml # Rate limit definitions
├── servicenow_config.yaml # ServiceNow integration
├── workflows/
│ ├── WF-001.yaml # Webex Optimize workflow
│ ├── WF-002.yaml # Malware Containment workflow
│ ├── WF-003.yaml # Client Troubleshoot workflow
│ ├── WF-004.yaml # Capacity Alert workflow
│ ├── WF-005.yaml # Compliance Remediate workflow
│ ├── WF-006.yaml # Wi-Fi Optimize workflow
│ ├── WF-007.yaml # SaaS Failover workflow
│ └── WF-008.yaml # Insider Threat workflow
└── logs/
├── agenticops.log # Main log
├── webhooks.log # Webhook events
├── servicenow.log # ServiceNow API calls
└── api_errors.log # API error log
APPENDIX D: Vendor Contact Information¶
| Vendor | Product | Support Contact | Escalation |
|---|---|---|---|
| Cisco | Catalyst Center, ISE, SD-WAN | TAC: +1-800-553-2447 | Account Manager: [Contact] |
| Cisco | XDR (AMP, FTD, Umbrella) | TAC: +1-800-553-2447 | Security Specialist: [Contact] |
| Splunk | Observability Cloud | support@splunk.com | Account Manager: [Contact] |
| AppDynamics | APM, Cognition Engine | support@appdynamics.com | TAM: [Contact] |
| ThousandEyes | Internet/WAN Monitoring | support@thousandeyes.com | SE: [Contact] |
| ServiceNow | ITSM/ITOM | Support Portal | CSM: [Contact] |
APPENDIX E: Training Resources¶
NOC Engineer Training (8 hours):
HOUR 1: AI-Ready Network Overview
- Multi-AI ecosystem architecture
- AgenticOps principles
HOUR 2-3: Catalyst Center AI Features
- AI Assistant: Natural language queries
- AI Endpoint Analytics
- Deep Network Model
HOUR 4-6: AgenticOps Workflows
- WF-001 to WF-008: Triggers, actions, guardrails
- Hands-on labs
HOUR 7: Approval Workflows
- ServiceNow approval process
- Hands-on: Approve WF-006
HOUR 8: Troubleshooting & Operations
- Common issues
- Dashboard navigation
- Escalation procedures
Certification: - NOC Engineer AgenticOps Certification (NEAC) - Exam: 50 questions, 80% passing score - Valid: 1 year
APPENDIX F: Compliance & Standards¶
Regulatory Compliance: - GDPR: Endpoint data processing complies with Article 6 - HIPAA: OT/Medical devices (SGT-60) protected - SOX: Financial servers (SGT-80) excluded - PCI-DSS: Payment servers (SGT-83) protected
Industry Standards: - NIST Cybersecurity Framework: Aligns with all 5 functions - ITIL v4: ServiceNow integration follows ITIL practices - ISO 27001: Audit trails support compliance
APPENDIX G: Change Log¶
| Version | Date | Author | Changes |
|---|---|---|---|
| v1.0 | 2026-01-18 | Network Architect | Initial release |
APPENDIX H: Glossary¶
Autonomous Mode: Workflow executes actions automatically without human approval (WF-001, WF-002, WF-007)
Approve Mode: Workflow generates recommendation, requires approval before execution (WF-005, WF-006)
Guardrail: Protection mechanism preventing AI actions on critical infrastructure (SGT 11, 60, 80-83)
Manual Mode: Workflow provides AI assistance, human executes actions (WF-003, WF-004, WF-008)
Observe Mode: Workflow logs recommendations only, no automated actions (Phase 3C testing)
Rollback: Automatic reversion of action if expected outcome not achieved (30-minute timeout)
DOCUMENT COMPLETION¶
Document Status: Complete (All Sections + Appendices)
Total Pages: ~150 pages (detailed implementation level)
Document History:
| Version | Date | Author | Changes |
|---|---|---|---|
| v1.0 | 2026-01-18 | Automation Engineer | Complete implementation guide with all workflows, runbooks, troubleshooting |
© 2025 Abhavtech.com - Confidential - Document 3B: AI-Ready Network - Detailed Implementation Guide v1.0
END OF DOCUMENT 3B
This document provides complete implementation specifications for Phase 3 (AI-Ready Network). For architectural overview and high-level specifications, refer to Document 3: AI-Ready Network Architecture.