393 production templates with full scripts, customization, and downloads.
Checking catalog syncโฆ (templates are ready below)
Configure OSPF inter-area (area range) and external (summary-address) route summarization across ABRs/ASBRs with pre/post route-table verification.
Convert OSPF areas between normal, stub, totally-stubby and NSSA types consistently across all routers in the area, verifying LSA propagation.
Provision OSPF virtual links to repair a partitioned backbone (area 0) across a transit area, with authentication and adjacency verification.
Enable/audit BGP soft-reconfiguration inbound (or route-refresh) and perform non-disruptive soft clears across selected neighbors.
Provision redundant BGP route reflectors with a shared cluster-id, configure RR clients, and verify reflected NLRI and cluster-list loop prevention.
Configure BGP confederations: sub-AS identifiers, confederation peers, and verify AS_CONFED_SEQUENCE handling end to end.
Enable and verify BGP maximum-paths (eBGP and iBGP) for load sharing, including bestpath as-path multipath-relax where supported.
Collect and audit route-maps, prefix-lists and policy bindings across the fleet, flagging unused, shadowed, or unreferenced policy objects.
Deploy policy-based routing: match ACL traffic and set next-hop / interface, apply to ingress interfaces, and verify with PBR counters.
Provision IS-IS L1/L2 adjacencies, NET addressing, metric-style wide, and verify level-1/level-2 LSP database synchronization.
Redistribute OSPF routes into IS-IS with route-tag mapping and loop-prevention filtering, verifying tag preservation across the boundary.
Stage a controlled RIPโOSPF migration: enable OSPF in parallel, raise RIP admin distance, validate parity, then remove RIP with rollback safety.
Automate EIGRPโOSPF migration with parallel run, administrative-distance steering, route parity checks, and staged EIGRP removal.
Provision BGP FlowSpec (RFC 5575) rules for on-demand DDoS mitigation: match flows and apply rate-limit/discard actions, with validation.
Provision dual-stack routing: OSPFv3 for IPv6 IGP plus BGP IPv4/IPv6 address-families, verifying both AFI/SAFI come up cleanly.
Audit MPLS LDP neighbor sessions, label bindings and discovery, flagging down/flapping sessions and missing label allocations.
Verify per-VRF PE-CE routing on MPLS L3VPN PEs: confirm expected prefixes in each VRF and route-target import/export correctness.
Enforce consistent BGP route flap dampening parameters across edge routers and report currently dampened/suppressed prefixes.
Safely test routing redundancy: capture baseline, shut a primary path, measure reconvergence and traffic-path change, then restore automatically.
Measure FIB/RIB convergence time after a topology change by polling routing/forwarding tables at sub-second intervals and reporting deltas.
Enable OSPF NSF/graceful-restart helper and restarting modes to preserve forwarding during control-plane switchover, verifying GR capability exchange.
Associate BFD with OSPF on selected interfaces for sub-second failure detection, verifying BFD session state and OSPF reconvergence.
Normalize OSPF auto-cost reference-bandwidth fleet-wide and audit per-interface cost so path selection matches design intent on high-speed links.
Generate and apply inbound/outbound BGP prefix-lists and AS-path access-lists from an allow/deny intent, with route-refresh and accepted-prefix verification.
Tag inbound routes with BGP communities and set local-preference via route-maps to steer egress traffic, verifying community propagation and best-path changes.
Drain traffic from a router before maintenance by applying GRACEFUL_SHUTDOWN community / lowering local-pref, then restore, verifying traffic moved off the node.
Apply per-neighbor maximum-prefix limits with warning thresholds and restart timers to protect the RIB from route leaks, verifying limits are enforced.
Configure EIGRP stub routing and interface summary-addresses to shrink query domains and bound SIA risk, verifying query scope and summary advertisement.
Migrate classic EIGRP to named-mode configuration preserving metrics, authentication and timers, with adjacency and topology-table verification.
Provision primary and floating static routes with administrative distances for backup paths, verifying RIB installation and failover behavior.
Bind static routes to IP SLA ICMP/HTTP probes via track objects so routes withdraw when the probe fails, verifying track state transitions.
Create VRFs, assign interfaces, and configure controlled inter-VRF route leaking via route-targets / static leaks, verifying per-VRF routing isolation.
Bring up MP-BGP VPNv4 address-family between PE routers, configure RD/RT import-export and verify VPNv4 prefix exchange across the MPLS core.
Enable SR-MPLS, assign prefix-SIDs from the SRGB to loopbacks, and verify label bindings and SR forwarding across the IGP domain.
Provision SRv6 locators and micro-SID behaviors (uN/uA) and verify SID allocation and SRv6 forwarding entries on the platform.
Configure PIM sparse-mode, static/Auto-RP/BSR rendezvous points and verify RP mappings, (*,G) and (S,G) state across the multicast domain.
Enable IGMP snooping and configure a snooping querier per-VLAN to constrain L2 multicast flooding, verifying group membership tables.
Provision multihop BFD templates for BGP/static next-hop tracking over multiple L3 hops, verifying session establishment and timer negotiation.
Audit and harden mutual redistribution points with route-tags and prefix filters to prevent feedback loops, verifying tagged routes are blocked on re-entry.
Enable strict/loose unicast RPF on edge interfaces to drop spoofed source addresses, verifying drop counters and exempt ACLs.
Apply IPsec AH/ESP authentication to OSPFv3 adjacencies for IPv6 and verify SPI/auth state and neighbor stability.
Verify BGP EVPN MAC/IP (Type-2) and IP-Prefix (Type-5) route advertisement and import across a VXLAN fabric, flagging missing routes per VNI.
Provision L2/L3 VNIs, map VLAN-to-VNI, and configure NVE source/ingress-replication or multicast, verifying VTEP peer discovery.
Configure RPKI-to-router (RTR) sessions and origin-validation policy to drop invalid prefixes, verifying validation states (valid/invalid/notfound).
Provision DMVPN phase-3 with mGRE, NHRP, and IPsec profiles on hubs and spokes, verifying NHRP registration and dynamic spoke-to-spoke tunnels.
Audit GRE-over-IPsec tunnels for line/protocol state, IPsec SA presence, MTU/MSS settings and recursive-routing risk, summarizing per-tunnel health.
Configure LISP xTR/MS-MR roles, EID-to-RLOC registration and map-cache, verifying EID registration and on-demand map resolution.
Audit HSRP/VRRP/GLBP groups and anycast-gateway MAC consistency across the fabric, flagging mismatched VIPs, priorities, and preempt settings.
Inspect installed ECMP next-hops, CEF/hardware load-share hashing and per-flow distribution, flagging polarization and uneven member utilization.
Report RIB/FIB route counts against platform TCAM/route-scale limits per address-family, flagging capacity risk before exhaustion.
Capture running routing-protocol config, diff against a golden baseline and emit a structured per-line drift report with severity classification.
Collect best-path, AS-path and next-hop detail for a target prefix from multiple routers and assemble a consolidated looking-glass report.
Correlate interface flap counters with routing-protocol adjacency resets and prefix churn to localize instability sources, ranking offenders.
Validate IGP area/level design against rules (ABR count, area size, summarization presence) and emit a design-conformance scorecard.
Provision the SD-Access underlay on a Catalyst 9000 node: loopback0 RLOC, IS-IS (or OSPF) underlay adjacency, and jumbo MTU for VXLAN encapsulation, then verify IGP neighbors and loopback reachability.
Configure a Catalyst 9000 as an SD-Access fabric border: enable the border LISP role, set up external BGP handoff per VRF (SDA transit / VRF-Lite), and import/export fabric prefixes, verifying the handoff session and route exchange.
Provision a Catalyst 9000 as an SD-Access fabric edge: enable the edge LISP role, register to the control-plane map-servers, and map an access host pool / IP pool to a virtual network, verifying ETR registration and SVI gateway state.
Configure a Catalyst 9000 as an SD-Access control-plane node: enable the LISP map-server and map-resolver roles, bind site registration policy and authentication keys per instance-id, and verify the CP service and registered sites.
Create a LISP instance-id mapped to a virtual network's EID-table (VRF) and register its EID prefixes, isolating overlay forwarding per VN, then verify the instance-id database and EID-table binding.
Build ETR/ITR registration sessions from an edge/border node to the control-plane map-server and map-resolver, configuring locator-set and authentication, then verify session establishment and registration state.
Provision dynamic-EID detection for roaming hosts and verify host mobility across fabric edges: confirm dynamic-EID registration, map-cache learning, and that the host's RLOC updates after a move.
Sweep fabric nodes to audit LISP control-plane health: registered sites vs expected, stale/incomplete map-cache entries, and RLOC reachability, flagging instance-ids with missing or down registrations.
Push a new SD-Access virtual network consistently across control-plane, border, and edge nodes in one play: instance-id/EID-table, host pool gateway, and SGT mapping, with idempotent config and per-role verification.
Orchestrate a full fabric site bring-up in dependency order (underlay -> control-plane -> border -> edge) with pre-checks and post-checks at each stage, halting on failure to keep the site in a known-good state.
Bind virtual networks and host pools to Scalable Group Tags and enforce TrustSec, then verify SGT-to-IP mappings and that role-based policy was downloaded from ISE for the fabric edge.
Run end-to-end fabric assurance: confirm control-plane site registration, border BGP handoff, edge ETR registration, and validate EID-to-RLOC resolution plus underlay RLOC reachability, producing a per-node health report.
Audit network devices against PCI-DSS v4 control requirements (segmentation, logging, encryption, access) and score compliance per device.
Validate AC/AU/SC control families against device configuration and produce a NIST 800-53 mapped findings report.
Generate an ISO 27001 Annex A network-control evidence report from live device state.
Verify network segmentation isolating PHI systems via ACL/VLAN inspection and flag inadequate separation.
Test SOC2 common-criteria network controls (logging, change, access) and produce auditor-ready evidence.
Score a device against all CIS Cisco IOS Benchmark controls (Level 1 & 2), producing per-control pass/fail and a 0-100 score.
Score Juniper devices against the CIS JunOS Benchmark with per-control findings and remediation hints.
Score Arista EOS devices against the CIS EOS Benchmark, aggregating results across the fleet.
Detect shadowed, redundant and conflicting firewall/ACL rules by analyzing rule ordering and overlap.
Identify and stage removal of stale (zero-hit) and shadowed ACL/firewall rules with a reviewable change plan.
Compare deployed IDS/IPS signature coverage against MITRE ATT&CK techniques and report detection gaps.
Audit DNS Response Policy Zone configuration and feed freshness, flagging missing or stale RPZ policies.
Build a VLAN-to-VLAN reachability matrix from ACL/SVI config and verify it against the intended policy.
Enforce management-plane hardening: VTY ACLs, exec-timeout, transport ssh, login banners and AAA on all access lines.
Verify CoPP/CPP policy presence and policed-rate correctness protecting the route processor, reporting drops.
Enable and verify uRPF (BCP38 anti-spoofing) on edge interfaces, reporting interfaces missing the protection.
Enable DHCP snooping and Dynamic ARP Inspection on access VLANs with trusted-port config and verification.
Audit access ports for VLAN-hopping exposure: disable DTP, set non-default native VLAN, prune trunks.
Enforce BPDU Guard on edge ports and Root Guard on designated links, reporting non-compliant ports.
Audit NAT/PAT translations and rules for overlaps, unused statics and translation-table exhaustion.
Deploy and verify IPv6 first-hop security: RA Guard, ND inspection, and DHCPv6 guard on access ports.
Enforce BGP GTSM (ttl-security hops) on eBGP neighbors to mitigate spoofed remote attacks, with verification.
Force SSHv2, disable password auth where supported, set strong KEX/ciphers and verify across the fleet.
Migrate to SNMPv3 (authPriv), remove SNMP v1/v2c communities, and verify polling works post-migration.
Inventory management-plane certificates (HTTPS, SSH host, RADIUS) and flag those expiring within a threshold.
Collect device OS versions and match them against a CVE/PSIRT feed to report exploitable advisories per device.
Detect configuration changes during an active change-freeze window by diffing against the last approved baseline.
Rapidly deploy a containment ACL to isolate compromised segments, with one-command rollback to the prior policy.
Collect volatile forensic state (sessions, ARP, MAC, logs, running-config hash) into a timestamped evidence bundle.
Verify syslog/SIEM forwarding configuration: server reachability, severity, source-interface, and timestamp settings.
Audit AAA method lists, server groups and fallback config for consistency and secure fallbacks across devices.
Detect weak password types (type 0/5), default/shared secrets and enforce service password-encryption and type-8/9.
Enforce authenticated NTP with trusted keys and approved servers, flagging stratum/unauthenticated drift.
Apply port-security (max MAC, sticky, violation shutdown) to access ports and report violations and err-disabled ports.
Verify dot1x/MAB configuration, authentication order, and that critical-auth fallback policies are present.
Validate infrastructure ACLs protecting the control plane on edge interfaces against the standard iACL template.
Verify MACsec (802.1AE) is active on designated links with the correct cipher and key-server roles.
Detect and disable insecure management services (telnet, HTTP server, finger, CDP on edge) fleet-wide.
Audit WLAN security profiles for WPA3/802.11w, rogue-AP detection and management-frame protection.
Aggregate hardening, AAA, logging and patch findings into a single weighted security posture score per device and site.
Generate ZBFW zones, zone-pairs, class-maps and policy-maps from an intent matrix and verify inspected sessions and drop counters.
Audit ASA/FTD access-lists for any-any rules, shadowed/redundant entries and hit-count of zero, emitting a prioritized cleanup report.
Push Palo Alto security rules (zones, apps, services, log-forwarding) via the XML API/Ansible and commit, verifying rule hit and shadow status.
Sync FortiGate firewall policies, address objects and service groups from source-of-truth and verify policy ordering and counters.
Provision IKEv2 site-to-site IPsec tunnels (proposals, profiles, crypto-maps) and verify SA establishment and encrypted/decrypted packet counts.
Build remote-access SSL-VPN group-policies, tunnel-groups and split-tunnel ACLs, verifying active sessions and assigned pools.
Configure 802.1X with MAB fallback, host-modes and critical-auth on access ports, verifying authentication sessions and authorized state.
Enable MACsec with MKA pre-shared keys on inter-switch links and verify secure-channel/secure-association state and cipher.
Generate CoPP class-maps and policy for routing/management/critical traffic with rate limits, verifying conformed/exceeded counters.
Apply a CIS-style hardening baseline (SSHv2 only, exec-timeout, no http server, login banners, password policy) and audit compliance.
Provision AAA with TACACS+/RADIUS server-groups, method-lists and command authorization, verifying fallback to local and server reachability.
Configure port-security with sticky MACs, max-addresses and violation actions on access ports, verifying secured addresses and violation counts.
Enable DHCP snooping, dynamic ARP inspection and trusted-port configuration per VLAN, verifying binding table and inspection drops.
Deploy IPv6 RA-Guard, ND inspection and DHCPv6-Guard policies to block rogue routers and spoofed NDP, verifying policy attachment and drops.
Analyze ACLs to merge contiguous entries, remove shadowed/duplicate ACEs and reorder by hit-count, emitting an optimized, behavior-equivalent ACL.
Provision SNMPv3 users/groups/views with auth-priv (SHA/AES), restrict access by ACL and verify engine and user configuration.
Configure Flexible NetFlow/IPFIX exporters and monitors for security analytics (Stealthwatch), verifying cache and export counters.
Scan device config against PCI-DSS network requirements (segmentation, insecure services, logging, default creds) and emit a pass/fail control report.
Map device configuration to NIST 800-53 AC/AU/SC controls and produce an evidence-backed compliance report with remediation hints.
Collect software version/feature set and cross-reference against a PSIRT/CVE feed to report applicable advisories and fixed releases.
Detect rogue DHCP servers and rogue APs from snooping/wireless data and switchport learning, flagging offending ports/MACs for containment.
Audit enabled SSH/TLS algorithms, key exchange and host-key sizes against a hardened allow-list, flagging weak ciphers for removal.
Audit local users, privilege levels, enable secrets and unused/default accounts, emitting a least-privilege remediation report.
Restrict management protocols to designated interfaces/VRFs via MPP and VTY ACLs, verifying that out-of-policy management access is denied.
Apply broadcast/multicast storm-control thresholds and BPDU-Guard/Root-Guard on edge ports, verifying err-disable behavior and recovery.
Push WLAN security profiles (WPA3-Enterprise, 802.1X, PMF) to controllers and verify SSID security settings and RADIUS bindings.
Define TrustSec SGTs, SGACLs and environment data, verifying SGT propagation and enforced SGACL drops between groups.
Configure remote syslog with severity, source-interface, timestamps and login/command accounting, verifying log delivery to collectors.
Configure authenticated NTP with trusted servers and ACL restriction, verifying sync state and stratum for forensic time accuracy.
Audit installed identity/CA certificates for expiry, key size and trustpoint config, flagging certs nearing expiry for rotation.
Provision remotely-triggered black-hole routing and BGP FlowSpec rules for rapid DDoS mitigation, verifying discard route installation.
Scan configuration for type-7/cleartext passwords, default community strings and known default usernames, emitting risk-ranked findings.
Analyze a multi-vendor rulebase export for shadowed, redundant and conflicting rules, producing an ordered remediation plan.
Configure secure logging (TLS syslog, log integrity, config-change notifications) to support tamper-evident audit trails, verifying secure transport.
Validate east-west microsegmentation policy against an allow-matrix using SGACL/contract state, flagging unintended permitted flows.
Audit VTY/console lines for transport, access-class, exec-timeout, logging-sync and login methods, emitting a hardening conformance score.
Ingest an external IP threat feed and inject deny ACEs / null-routes for malicious prefixes, verifying enforcement and rollback safety.
Enforce type-8/9 password encryption, AES config encryption and master-key configuration, verifying no recoverable secrets remain in config.
Run the CIS Cisco IOS benchmark checks (management, control-plane, logging, access) and emit a scored report with per-control remediation.
Audit AWS Transit Gateway route tables for blackholes, missing propagations and unintended cross-VPC reachability.
Validate VPC peering connections and the route-table entries needed for bidirectional reachability across peered VPCs.
Monitor Direct Connect virtual interfaces and their BGP session state, alerting on down/idle peers.
Check ExpressRoute circuit provisioning, peering state and BGP route counts; alert on degraded circuits.
Audit Azure vNet peerings and effective routes for gateway-transit, forwarded-traffic and reachability correctness.
Monitor GCP Cloud Interconnect attachments and Cloud Router BGP sessions for health and advertised prefixes.
Audit AWS security groups for overly-permissive (0.0.0.0/0) ingress, unused groups and risky port exposure.
Verify SD-WAN tunnels between cloud on-ramps and the data center: tunnel state, routing and SLA path selection.
Discover and map network topology across AWS/Azure/GCP (VPCs, peerings, gateways) into a unified graph export.
Analyze flow/billing data to identify high-cost egress paths and recommend routing or peering changes to cut spend.
Audit AWS Network Firewall rule groups and policies for coverage gaps, conflicting rules and logging config.
Check Azure Firewall application/network rule collections against policy and flag any-any or unused rules.
Monitor Route53/Azure DNS zones and records for health-check status, propagation and dangling records.
Check site-to-site VPN gateway tunnels (AWS/Azure/GCP) for UP state, IKE/IPsec status and rekey health.
Track SD-WAN cloud on-ramp path metrics (latency/loss/jitter) and validate SLA-driven path selection.
Aggregate ALB/NLB/Azure LB target-group health into a single dashboard-ready view, flagging unhealthy targets.
Parse VPC/NSG flow logs to surface top talkers, rejected flows and anomalous east-west traffic.
Compare advertised/received prefixes across cloud routers to detect route leaks and unexpected prefix origination.
Verify intended micro-segmentation/isolation between workloads using security groups, NSGs and firewall policy.
Detect statistically anomalous network/data-transfer cost spikes and correlate them with traffic changes.
Provision an AWS VPC with public/private subnets across AZs, route tables, IGW and NAT gateways, outputting subnet IDs for downstream modules.
Create a Transit Gateway, VPC attachments and route-table associations/propagations for hub-and-spoke connectivity, with route verification outputs.
Audit AWS security groups via boto3 for 0.0.0.0/0 ingress on sensitive ports and unused groups, emitting a risk-ranked findings report.
Reconcile Route53 record sets from a desired-state file (A/AAAA/CNAME/ALIAS), performing idempotent UPSERTs and reporting drift.
Provision Direct Connect private/transit virtual interfaces with BGP peering and VLAN tagging, outputting peer state for verification.
Create Azure VNets, subnets and Network Security Groups with rule sets, and associate NSGs to subnets/NICs with output of resource IDs.
Establish bidirectional VNet peerings with gateway-transit and forwarded-traffic settings across hub/spoke VNets, verifying peering state.
Push Azure Firewall network/application rule collections and DNAT rules from intent, verifying rule priority and effective routes.
Provision GCP VPC networks, subnetworks and hierarchical firewall rules with logging, outputting network self-links for reuse.
Configure Cloud Router with BGP sessions over Cloud VPN/Interconnect for dynamic route exchange, outputting learned-route status.
Collect VPC/VNet CIDRs across AWS/Azure/GCP and detect overlaps that would break peering/transit, emitting a conflict matrix.
Report NAT gateway port/connection utilization and SNAT exhaustion risk across clouds, flagging gateways nearing limits.
Generate Kubernetes NetworkPolicies from an allow-matrix (namespace/pod selectors, ports) implementing default-deny with explicit allows.
Provision Ingress resources with host/path routing, TLS secrets and annotations for the ingress controller, verifying endpoint readiness.
Apply Istio PeerAuthentication/DestinationRule for strict mTLS and authorization policies, verifying mutual-TLS enforcement between workloads.
Audit cloud load balancers (ALB/NLB, App Gateway, GCLB) for unhealthy targets, listener/cert issues and idle backends across clouds.
Provision IPsec VPN connections from on-prem to cloud VPN gateways with BGP, outputting tunnel and BGP session status for verification.
Enable VPC/NSG flow logs to a central sink and parse them for top talkers, rejected flows and anomalous destinations.
Synchronize private DNS zone records across clouds for hybrid name resolution, performing idempotent upserts and drift reporting.
Aggregate cross-AZ/region/internet egress data-transfer metrics and estimate cost, flagging the top egress sources for optimization.
Provision interface/gateway VPC endpoints (PrivateLink) for AWS services and partner services with security groups and DNS, verifying endpoint state.
Manage Azure user-defined routes for forced-tunneling and NVA insertion, associating route tables to subnets and verifying effective routes.
Provision Private Service Connect endpoints/backends for private access to Google and published services, verifying connection status.
Discover VPCs/VNets, peerings, gateways and endpoints across clouds and emit a normalized topology graph (JSON) for visualization.
Sync managed/custom WAF rules (AWS WAFv2, Azure WAF) from source-of-truth and verify rule priority, action and counter metrics.
Run terraform plan in detailed-exitcode mode against committed state and report resource drift with a structured change summary.
Verify BGP session state, received/advertised prefix counts and MED on cloud interconnects/Direct Connect, flagging down or flapping sessions.
Check CNI plugin health, pod CIDR allocation, IPAM exhaustion and node-to-pod reachability, emitting a cluster network health report.
Scan cloud network resources for public exposure, open management ports, missing flow logs and permissive rules, emitting a posture scorecard.
Provision SD-WAN cloud on-ramp gateways and policies connecting branches to cloud VPCs/VNets, verifying tunnel and BFD session health.
Subscribe to OpenConfig paths over gNMI and expose collected metrics on a Prometheus scrape endpoint.
Walk selected SNMP MIBs across the fleet and push time-series points into InfluxDB with tags per device/interface.
Receive NetFlow v9/IPFIX records and produce normalized flow events to a Kafka topic for downstream analytics.
Decode sFlow samples and index enriched flow documents into Elasticsearch for search and visualization.
Parse RFC 5424 syslog into structured fields and forward to Splunk/Loki with severity and facility tagging.
Export per-prefix BGP community telemetry to enable traffic-engineering and policy observability dashboards.
Poll interface utilization and raise email/Slack/PagerDuty alerts when sustained thresholds are crossed.
Correlate logs, traps and config changes into a unified chronological event timeline per device/site.
Receive SNMP traps, normalize varbinds and forward as JSON webhooks to chat/incident systems.
Generate network-specific Prometheus alerting rules (interface, BGP, CPU) from device inventory and thresholds.
Generate Grafana dashboard JSON for network KPIs (throughput, errors, BGP, latency) from a device list.
Compute latency/loss/jitter/availability SLA metrics from probe data and produce per-link/site SLA reports.
Provision and collect IP SLA / Y.1731 probes for synthetic path monitoring and SLA validation.
Train an isolation-forest model on historical interface/flow metrics to flag anomalous network behavior.
Analyze incident records to compute MTTR/MTTF/MTBF per device and site and identify reliability outliers.
Correlate configuration changes with subsequent incidents to surface change-induced failures.
Forecast per-interface and per-site capacity exhaustion using time-series regression on utilization history.
Rank top applications/talkers by bandwidth using NBAR/DPI/flow data for a chosen interval and interface.
Build a latency heat-map across hops/sites from probe and traceroute data for visual hotspot analysis.
Detect hardware/software inventory changes (modules, SFPs, versions) across vendors against a saved baseline.
Match device/module PIDs against EOL/EOS data to report end-of-life risk and replacement timelines.
Hourly diff of running-config against the golden config to detect and report drift with unified diffs.
Aggregate weekly KPIs (availability, errors, capacity, incidents) into an automated executive report.
Classify incidents from syslog patterns using an ML text model to auto-tag category and severity.
Capture a normal-behavior performance baseline (CPU, memory, interface, latency) for later comparison.
Correlate application performance metrics with underlying network latency/loss to localize degradation.
Compute a stability index per prefix from update/withdraw churn to highlight flapping or unstable routes.
Track CRC/input/output error and discard trends per interface and flag degrading optics/links.
Correlate packet loss events with queue drops, errors and CPU to identify the most likely root cause.
Compute a composite network health index from availability, errors, capacity and compliance sub-scores.
Poll IF-MIB counters via SNMP, compute per-interface bps/pps utilization deltas and flag interfaces over a threshold, exporting CSV/JSON.
Subscribe to gNMI sample/on-change paths for interface and BGP state, decoding updates into a normalized metrics stream for a TSDB.
Configure dial-out model-driven telemetry subscriptions (sensor-groups, destination-groups, intervals) and verify subscription state.
Ingest syslog, classify messages by signature, baseline normal rates and flag anomalous spikes (flaps, auth failures), emitting ranked alerts.
Run scheduled ICMP/HTTP/DNS probes against targets, record latency/loss/jitter time-series and push to a dashboard backend.
Collect interface error/CRC/discard counters over time, compute trend slopes and flag degrading optics/cabling before hard failure.
Read DOM/DDM optical Tx/Rx power, temperature and bias and compare against vendor thresholds, flagging optics outside operating range.
Poll BGP neighbor states, uptime and prefix counts, detect session flaps and prefix-count anomalies and raise structured alerts.
Poll power-supply, fan and temperature sensors across the fleet and emit a hardware-health report with predictive failure flags.
Sample CPU and memory utilization, identify top processes during spikes and correlate with control-plane events, alerting on sustained pressure.
Parse NetFlow/IPFIX exports to rank top talkers, conversations and applications per interface, emitting time-windowed traffic reports.
Configure sFlow agents, sampling rate, polling interval and collectors on switches, verifying datagram export and sample counters.
Configure TWAMP/IP SLA sessions to baseline one-way/round-trip latency and jitter between sites, storing baselines for SLA alerting.
Capture EEM/archive config-change events and correlate them with subsequent alarms/flaps to attribute incidents to changes.
Validate end-to-end telemetry pipeline (collector ingestion lag, gap detection, cardinality) and alert on missing or stale device streams.
Poll WLC for AP channel utilization, noise, client RSSI/SNR and roaming events, flagging RF degradation and sticky clients.
Run periodic MPLS LSP ping/traceroute across LSPs to detect broken label paths and FEC mismatches, emitting LSP-health alerts.
Collect per-class queue depths, drops and marking statistics from QoS policies and flag classes experiencing tail-drop or remark anomalies.
Monitor PoE budget allocation/consumption per switch and port, flagging over-subscription and powered-device class anomalies.
Verify NTP stratum/offset and PTP clock-class/lock state across devices, alerting on time-drift that breaks logging/telemetry correlation.
Transform gNMI/MDT updates into Prometheus exposition format and serve a /metrics endpoint, mapping paths to labeled gauges/counters.
Run synthetic multi-step HTTP and DNS transactions from probe locations, recording response time and correctness, alerting on SLO breaches.
Fit utilization time-series per interface and forecast time-to-saturation using linear/Holt-Winters trends, ranking links by exhaustion date.
Track RIB/FIB size and per-minute route churn over time per address-family, alerting on abnormal table growth or instability.
Monitor (*,G)/(S,G) state counts, RPF failures and outgoing-interface flaps in the multicast control plane, alerting on RPF drops.
Sweep the device inventory with ICMP and SSH login latency probes, classifying devices by reachability tier and alerting on outages.
Sample hardware buffer/queue watermark counters at high frequency to detect microbursts and tail-drops not visible in 5-minute averages.
Take periodic config snapshots, hash sections and emit time-series of compliance state and change frequency per device for trend dashboards.
Monitor VTEP peer counts, EVPN route counts per VNI and tunnel state across a VXLAN fabric, flagging missing peers and route imbalances.
Aggregate alarms from syslog/SNMP-trap/telemetry sources, dedup by signature and topology, and emit correlated incidents with severity rollup.
Report per-VRF route counts, interface utilization and reachability so multi-tenant SLAs can be tracked independently per customer VRF.
Capture a structured pre-change baseline (routing, neighbors, interfaces, config hash) for later comparison.
Re-collect state after a change and diff against the pre-change snapshot to confirm intended-only changes.
Restore the last known-good configuration via configure replace/rollback with verification and abort safety.
Gracefully drain traffic before maintenance by raising IGP/BGP costs and verifying traffic has shifted away.
Reconcile live device inventory with NetBox, creating/updating devices, interfaces and IP assignments.
Onboard new devices into NetBox: create device, assign role/site, populate interfaces and primary IP.
Generate a dynamic Ansible inventory (groups by role/site/platform) from NetBox as the source of truth.
Back up running/startup configs fleet-wide to TFTP/SCP/FTP with per-device success tracking and retention.
Render per-device golden configurations from Jinja2 templates and a variables source, ready for deployment.
Score running configs against compliance rules and produce a per-device/site compliance percentage report.
Stage multi-vendor OS upgrades with pre-checks, image transfer/verify, reload windows and rollback on boot failure.
Rotate local/enable credentials across vendors safely with verification and vault writeback.
Check a proposed change window against the change calendar/freeze periods and flag scheduling conflicts.
Correlate network alerts with ServiceNow incidents/CIs and update or create records via the Table API.
Generate LLD/HLD documentation sections (interfaces, addressing, routing, neighbors) from live device data.
Discover L2/L3 neighbors and emit/refresh a draw.io (mxGraph XML) topology diagram automatically.
Detect expiring device certificates and orchestrate SCEP/manual renewal with verification.
Audit Cisco Smart Licensing / Juniper license usage and entitlement compliance across the fleet.
Collect serials, models and modules and sync them into the CMDB for asset lifecycle tracking.
Aggregate EOL, vulnerability, drift and single-point-of-failure findings into a prioritized risk register.
Scan device versions against the latest vendor advisories on patch cycles and report required updates.
Compare equivalent-role devices across sites and flag configuration inconsistencies and outliers.
Generate a per-site emergency runbook with device contacts, console/OOB access and escalation paths.
Run a guided multi-step troubleshooting playbook (L1โL3) with decision branching and evidence capture.
Deduplicate and suppress flapping/duplicate events to reduce alert noise before forwarding to NOC tools.
Create Jira/ServiceNow tickets automatically from qualified alerts with enriched device context.
Produce an executive-summary network audit report covering compliance, risk, capacity and inventory.
Generate an EOL/EOS hardware risk report with replacement priority and budget-planning data.
Notify the right approvers (by site/role) when a change request is raised, with context and links.
Draft a post-incident report (timeline, impact, root cause, actions) from logs and change records.
Push a config template to a device group inside a change window, capturing pre/post state snapshots and a structured diff for the change record.
Generate and stage a rollback config from a pre-change snapshot, validate it, and apply on failure or operator command with verification.
Back up running/startup configs fleet-wide to a versioned store with hashing and retention, and report devices that failed to back up.
Orchestrate staged OS upgrades: pre-checks, image transfer/verify (MD5), boot variable set, reload and post-upgrade validation with auto-abort.
Run pre-change health gates (CPU, redundancy, neighbor counts, error baselines) and block the change if any gate fails, emitting a go/no-go report.
Execute a post-change validation suite (reachability, neighbor parity, route counts vs baseline) and produce a pass/fail certification report.
Execute a change playbook only within an approved maintenance window, enforcing freeze rules and recording start/stop and outcomes.
Compare running config to the golden template, generate the minimal remediation delta and apply it with approval, verifying drift is cleared.
Set interface descriptions from CDP/LLDP neighbor data to standardize documentation, reporting links with missing or inconsistent neighbors.
Reconcile VLAN database and trunk allowed-lists against intent across switches, flagging missing VLANs and trunk mismatches before they break L2.
Rotate local credentials and SSH keys fleet-wide with staged verification and rollback, ensuring no device is locked out mid-rotation.
Build per-model ZTP/DHCP-option-67 bootstrap scripts and day-0 configs from inventory, validating template rendering before publish.
Generate a complete day-0 onboarding config (mgmt, AAA, logging, NTP, SNMP, banners) from site variables and validate against the hardening baseline.
Safely decommission a device: drain routing, archive final config, wipe credentials/keys and produce a decommission evidence report.
Run a configurable show-command bundle across devices and archive timestamped outputs for troubleshooting and forensic baselining.
Open/update ITSM change tickets via API, gate execution on approval state and write back execution results and diffs to the ticket.
Render device configs from Jinja2 templates and a per-device variables file, validating required variables and producing a render report.
Build an any-to-any reachability matrix by running ping/traceroute between selected sources and destinations, highlighting broken paths.
Collect hardware/software inventory and cross-reference EoL/EoS dates and support contracts, emitting a refresh-planning report.
Push standardized login/MOTD/exec banners and login block-for policy fleet-wide, verifying banner presence and brute-force protection.
Deploy a standardized QoS class/policy-map model fleet-wide from a service-class definition and verify marking/queueing consistency.
Reconcile NTP servers, DNS resolvers and logging hosts to a standard across the fleet, removing stale entries and adding missing ones.
Verify switch-stack/VSS/MLAG member roles, priorities and link health, flagging split-brain risk and unbalanced member loads.
Deploy Embedded Event Manager applets for self-healing actions (interface recovery, log capture on event) and verify applet registration.
Diff two config snapshots, classify added/removed/modified lines by section and severity, and produce a human-readable change report.
Safely shut/no-shut interface sets with dependency checks and staggered timing to drain traffic for maintenance, verifying state transitions.
Audit and enforce STP root priority, port roles, guards and timers to stabilize the L2 topology and prevent unexpected root changes.
Onboard a device group into monitoring by pushing SNMPv3/telemetry config and registering them with the collector, verifying first data receipt.
Restore a known-good config bundle to replacement hardware (RMA), adapt interface mappings and validate post-restore reachability.
Translate an intent (e.g., 'show BGP neighbors') into the correct per-vendor CLI and execute across a mixed fleet, normalizing the output.
Compare running firmware against an approved-version matrix, schedule non-compliant devices for upgrade and track remediation to closure.
Provision voice VLANs on access ports with data+voice config, trust boundaries and CDP/LLDP voice advertisement.
Verify voice traffic is marked EF (DSCP 46) end to end and flag interfaces with incorrect or missing marking.
Correlate IP SLA jitter/loss/latency with estimated MOS scores to localize voice-quality degradation.
Audit phone discovery via CDP/LLDP-MED, ensuring voice VLAN and PoE TLVs are advertised correctly.
Calculate per-switch PoE budget vs. consumption, prioritize critical devices and flag over-subscription.
Audit dial-peer/route-pattern configuration on voice gateways for overlaps, gaps and digit-manipulation issues.
Validate network readiness for Teams/Webex Calling: QoS marking, port/IP reachability and bandwidth headroom.
Generate an 8-class enterprise QoS policy (voice, video, signaling, data tiers) and apply it consistently.
Monitor CUBE/SBC health: active calls, DSP usage, SIP trunk registration and media resource availability.
Verify DSCPโCoS mapping tables are consistent across L2/L3 boundaries so markings survive end to end.
Audit voice/data VLAN separation and ACLs to prevent data hosts from reaching the voice segment.
Verify E911 location/ELIN configuration and that emergency calls map to correct location info per port/VLAN.
Verify bandwidth reservation/admission control for video conferencing queues and CAC where configured.
Verify PIM-SM multicast routing for video distribution: RP reachability, (S,G)/(*,G) state and IGMP joins.
Trace QoS marking hop by hop along a path to confirm DSCP values are preserved end to end for UC traffic.
Query CUCM via AXL for phone registration state, firmware and device-pool assignment, flagging unregistered or misconfigured endpoints.
Monitor SIP trunk OPTIONS keepalive status, registration and call-leg counters on CUBE/SBC, alerting on trunk-down and one-way-audio risk.
Validate EF/CS3 marking and LLQ priority-queue configuration along the voice path end-to-end, flagging mismarked or non-prioritized voice.
Audit CUCM route patterns, partitions and CSS for overlaps, unreachable patterns and toll-fraud-risky wildcards, emitting a dial-plan report.
Provision inbound/outbound VoIP and POTS dial-peers with codec, DTMF and number translation on CUBE/voice gateways, verifying call routing.
Collect RTCP/RTP jitter, loss and latency per call leg, compute estimated MOS and flag calls below the quality threshold for investigation.
Validate E911/RedSky configuration: ERLs, ELINs, device-to-location mapping and CER reachability, flagging endpoints with missing location data.
Provision voice VLANs, LLDP-MED network policy and PoE for IP phones on access ports, verifying phone power and VLAN assignment.
Enforce call-admission-control limits and toll-fraud protections (allowed prefixes, IP trusted-list) on the SBC, verifying blocked unauthorized calls.
Check Webex Calling / cloud-connector reachability, certificate validity and trunk status, alerting on hybrid connectivity degradation.
Analyze CUCM CDR/CMR records for abnormal call patterns (after-hours international, high-volume to premium numbers) indicating fraud.
Audit DSP/transcoding/conferencing resource usage and codec mismatches across voice gateways, flagging exhaustion and unnecessary transcoding.
Assist migration of MGCP/H.323 gateways to SIP by generating equivalent SIP dial-peers and bindings, with side-by-side verification.
Validate IM&Presence service health, intercluster peers and high-availability replication state, alerting on failed presence subscriptions.
Report Cisco Meeting Server call-bridge load, license usage and concurrent conference capacity, flagging clusters nearing capacity.
Validate SRST/Enhanced-SRST configuration, max-ephones/dn, dial-peer fallback and verify branch phones fail over correctly during WAN loss.
Audit UC application and SIP-TLS certificates (CUCM, CUBE, Expressway) for expiry and trust-chain validity, flagging certs needing rotation.
Validate Expressway-C/E MRA traversal zones, certificate trust and registration counts for mobile/remote access, alerting on edge failures.
Audit National Long Distance (NLD) and International Long Distance (ILD) BGP policies against DoT Unified License (UL) guidelines โ verify route advertisement scope, AS-path filters, and prefix limits per gateway.
Provision an Airtel-style hierarchical L3VPN with per-circle VRF design โ generate VRF, RD/RT, PE-CE BGP/static, and verification of imported/exported routes.
Deploy Metro-Ethernet EVPN services (E-LINE / E-LAN) on fiber metro rings โ configure EVPN instance, MAC-VRF, ESI multihoming, and verify Type-2/Type-3 routes.
Configure eBGP peering for DE-CIX Mumbai / IX Mumbai / AMS-IX India with standard community sets, max-prefix protection, and inbound/outbound filtering.
Validate route-server session health and community-based filtering policy at IX Mumbai, NIXI, and DE-CIX Mumbai โ check session state, accepted/filtered prefix counts, and BGP large communities.
Verify NIXI peering requirements โ RPKI route origin validation state, IRR registration of advertised prefixes, and no-export of NIXI peering prefixes to upstreams.
Audit QoS marking and SLA conformance for interconnect links per the TRAI Interconnection Regulation 2020 โ verify DSCP markings, queue policy, and latency/jitter/loss thresholds.
Verify Law Enforcement Agency (LEA) lawful-intercept mediation port configuration, access controls, and logging compliance โ checks tap interface state, ACLs guarding mediation devices, and audit logging.
Generate a consistent RD/RT numbering scheme that follows the Indian ISP telecom-circle topology (AP, MH, KA, TN, DL, GJ, etc.) and emit per-circle VRF stanzas with hub-and-spoke import/export.
Auto-generate CERT-In mandated network security incident reports (6-hour reporting rule) with event timeline, affected assets, and IOC data collected from devices and logs.
Pre-migration readiness check for MPLSโSD-WAN across an Indian enterprise multi-circle WAN โ inventory transports, validate underlay reachability, and flag sites lacking dual-transport or sufficient bandwidth.
Audit network controls against the RBI Cybersecurity Framework for banks and NBFCs โ segmentation between CBS/DMZ/corp zones, ingress/egress filtering, NTP/logging, and management-plane hardening.
Map network segmentation and access controls to the SEBI Cybersecurity & Cyber Resilience Framework (CSCRF) โ verify zone isolation, least-privilege ACLs, and monitoring coverage for regulated entities.
Identify and map cross-border data flows and flag unencrypted paths carrying personal data per the Digital Personal Data Protection (DPDP) Act 2023 โ inspect routes/NAT/tunnels to foreign destinations and IPsec coverage.
Automate OLT/ONT provisioning for BharatNet last-mile fiber circuits โ create ONT profiles, assign service VLANs/T-CONTs/GEM ports, and verify ONT registration and optical levels.
Audit N9 (inter-UPF) and N6 (data network) interface routing, UPF BGP peering, and slice-based QoS for a 5G Standalone (SA) core โ verify reachability, ECMP, and 5QI-to-DSCP mapping.
Compute 95th-percentile billing for IX peering ports using interface counters polled over a billing period, formatted for Indian operator billing โ per-port ingress/egress and burstable commit checks.
Validate IGP domain boundaries and redistribution points across a multi-circle topology โ detect leaked routes between circles, asymmetric redistribution, and inconsistent metrics.
Monitor point-to-point leased-line health (BSNL / TATA / Airtel) using IP SLA and Y.1731 ethernet OAM โ track RTT, jitter, loss, and CFM/DMM measurements for SLA reporting.
Generate an audit-ready network report mapped to TRAI, DoT, and CERT-In regulatory requirements โ aggregate device inventory, config compliance, QoS, logging, and intercept-readiness into a single signed report.
Drive the gNOI OS.Install RPC stream end-to-end โ TransferRequest, chunked TransferContent, TransferEnd, then Activate โ to push and activate a new network OS image with hash verification and rollback-on-failure.
Issue a controlled gNOI System.Reboot with method (COLD/WARM/NSF), pre-checks via RebootStatus, a maintenance message, and post-reboot reachability confirmation before cancelling the timer.
Rotate device identity certificates with the gNOI Cert RPCs โ GenerateCSR / Rotate / Install โ load the CA-signed cert, validate the new chain, then finalize, with automatic rollback if validation fails.
Back up and restore device artifacts using the gNOI File RPCs โ Get (streamed read with hash), Put (chunked write), Stat, and Remove โ to archive running config / startup files and push a known-good restore.
Run device-sourced reachability and path diagnostics via gNOI System.Ping and System.Traceroute (streamed results), plus SetPackage-free Time/SwitchControlProcessor checks, and assert loss/latency thresholds.
Onboard a Catalyst SD-WAN (Viptela) WAN edge via vManage: attach device templates, configure transport colors/TLOCs, and push app-route SLA policy, then verify control and BFD sessions.
Stage an MPLSโCatalyst SD-WAN cutover: validate dual-transport readiness, bring up overlay alongside legacy MPLS, shift traffic per app-route policy, and keep a rollback path until BFD/OMP are stable.
Day-2 health sweep across Catalyst SD-WAN edges: control connections, BFD/OMP peer state, and per-tunnel app-route SLA stats, flagging brownouts and policy SLA breaches.
Provision a VeloCloud Edge through the VCO API: activate the edge, assign profile/business policy, configure WAN links and DMPO, and verify tunnel and link quality.
Migrate a branch onto VeloCloud: pre-stage edge config from VCO, validate WAN link discovery, cut traffic to DMPO overlay with business policy, and retain rollback to legacy routing.
Operational monitor for VeloCloud edges via VCO: edge reachability, per-WAN-link quality (loss/latency/jitter), and business-policy path selection, alerting on SLA degradation.
Build Fortinet Secure SD-WAN on FortiGate via FortiManager: configure SD-WAN zones/members, performance SLAs (health-checks), and SD-WAN rules, then verify member status and SLA health.
Cut a branch FortiGate from MPLS to Secure SD-WAN: validate dual WAN members, stage SD-WAN rules with SLA steering, shift traffic, and preserve a rollback policy package in FortiManager.
Day-2 operations for Fortinet Secure SD-WAN: SD-WAN member/health-check status, SLA pass/fail per link, and service-rule path selection, alerting when a member leaves SLA.
Provision an Aruba EdgeConnect (Silver Peak) appliance via Orchestrator: apply business intent overlays, configure WAN labels and tunnels, enable Boost/path conditioning, and verify tunnel health.
Migrate a site to Aruba EdgeConnect: validate WAN label discovery, stand up business-intent overlays alongside MPLS, shift traffic with path conditioning, and keep a rollback to legacy transport.
Operational monitor for Aruba EdgeConnect via Orchestrator: appliance reachability, tunnel up/down and real-time tunnel metrics (loss/latency/jitter), alerting on overlay SLA breaches.
Onboard a Versa branch (CPE/FlexVNF) through Versa Director: bind device templates, configure WAN interfaces and SD-WAN traffic-steering/SLA profiles, then verify control and path state.
Migrate a branch onto Versa SD-WAN: validate dual-transport readiness in Director, stage SD-WAN policies alongside MPLS, steer traffic per SLA, and retain a rollback template binding.
Day-2 operations for Versa SD-WAN via Director: device health, SD-WAN path/SLA monitor state, and traffic-steering decisions, alerting on SLA-monitor failures.
Provision a Prisma SD-WAN (CloudGenix) ION branch via the controller API: claim the element, bind a site profile, configure WAN interfaces and app/path policies, and verify VPN link state.
Migrate a site to Prisma SD-WAN: validate dual-WAN element readiness, stage app/path policies alongside MPLS, cut traffic to the fabric, and keep rollback via prior site policy set.
Operational monitor for Prisma SD-WAN: element and VPN-link health, per-app path performance (loss/latency/jitter), and policy-driven path selection, alerting on SLA breaches.