Cisco Blogs

Assuring the Full Promise of Intent-Based Networking: Introducing the Cisco Network Assurance Engine

- January 30, 2018 - 2 Comments

Capture your network’s intent, accelerate change, predict outages and assure policy compliance

As the digital enterprise rapidly accelerates, we’ve seen an explosion of new applications – housed across containers, virtualized environments, and clouds – acting on massive datasets. How do you ensure your network policies follow those applications wherever they reside? With Intent-Based Networking (IBN) for the Data Center.

IBN really changes the data center networking game by capturing the intent you want from your network, then automating, enforcing, and assuring it across your diverse data center network.

We’ve been capturing this intent and implementing it within the network with our Application-Centric Infrastructure (ACI) for years, using programmatic interfaces and expressive policy constructs. With Tetration, we have done what no one else has done: automatically generated your likely intent for you, using data-driven inference from observed application behavior in all of its aspects, locally and across the network, with unprecedented high resolution.

Now, the Cisco Network Assurance Engine closes the loop on IBN with continuous, formal verification, insights, and corrective actions. In short, we assure that your infrastructure is doing what you intended it to do – enabling you to accelerate change, predict outages and assure compliance.

What’s the practical consequence of the current assurance gap in today’s data center networks?

  • When intent breaks in operations, we spend hours troubleshooting
  • When intent breaks in network security, it’s often difficult to discover. And when it’s found, we scramble to fix it…fast
  • When intent breaks in compliance, we fail audits
  • When intent breaks with changes, we attempt to undo the changes under pressure and frequently make things worse because we cannot assess the consequences

With the Cisco Network Assurance Engine, we close this assurance gap. I can tell you in one word why our Network Assurance Engine is so amazing: Math! By analyzing the rules inside your network, we model them, continuously verify the network is following those rules, and ensure those rules are self-consistent.

We perform this mathematically precise modeling for all aspects of the network control plane and data plane, including your complex policy rules and their exact impacts, at a speed humans simply can’t match. All of this is continuously reasserted and re-verified across the underlay, overlay, and virtualization layers. What do you get from this? Some very critical business outcomes.

Predictive change management = Less risk & lower cost

Human error is by far the largest contributor to network outages in data centers. Some estimates attribute as much as 40% of outages to human error.¹ Most of the time, data center issues occur during the change process. The reality in our multi-cloud, virtualized world is that change is constant – and even more so when you are doing large-scale change like consolidating data centers. It’s hard to feel confident about making changes when you don’t know where your applications reside and how your policies are intertwined. With the Cisco Network Assurance Engine, you can verify changes and their impact before the change, significantly reducing the risk of human error-induced network failures.

Proactive & continuous verification of network-wide behavior = Detect potential outages

Intent starts with availability. Your network needs to be up and running at the highest levels no matter what. The best defense against outages is to change from a reactive to a proactive posture. By combining your models with 5000+ built-in models from our 30+ years of experience, we can proactively pinpoint deviations from intended behavior and also recommend remediation – preventing outages before they occur. Whether it’s something simple yet devastating, like overlapping subnets, or conflicts across thousands of policies in a containerized, multi-cloud infrastructure, the Network Assurance Engine can help you transform your operational paradigm closer to one of certainty of delivered intent.

Assure network security policies = Provable, continuous policy compliance and consistency

Static audits simply can’t provide the level of detail you need to see where your risks are, and with the accelerating pace of change, network state drifts instantly away from the last audit. Without an understanding of what exists and what the intent is, you are unable to pinpoint whether the problem is non-compliance with policies, conflicting policies, or absent policies. With the Network Assurance Engine, we assure network security policies and check for compliance against business rules to reduce network security risk and achieve provable continuous compliance – by policy and by state.

I’ve already witnessed the value that the Network Assurance Engine is bringing to our first customers – like Bosch, Axians, and Vecozo. With ACI and Tetration, we’ve delivered the ability to translate application intent and activate policies across the network or on the endpoints where applications reside, including leading public clouds like AWS and Azure. Now with the Network Assurance Engine, we’re changing the game – delivering intent, ensuring availability, minimizing risk, and propelling us towards an automated data center future.

To learn more about how Cisco Network Assurance Engine is delivering on Intent-Based Networking, please click here.






  1. Thank you for sharing, this is an exciting topic. I am curious:

     * How would you compare Cisco's product to those offered by companies, such as NetBrain, Veriflow, Forward Networks, Intentionet?
     * Does Cisco have a technical paper that describes its underlying network verification technology in more detail? In particular, from an algorithmic point of view, it would be interesting to better understand how it compares to, say, ddNF [HVC'16] and Delta-net [NSDI'17], to cite a few.

     Many thanks in advance!

    • Hello Alex, and thanks for your note. Cisco's Network Assurance Engine is indeed based on formal verification techniques against the user-intended graph of connectivity and policy, as declared via an SDN controller. Doing justice to your question at the level of depth of a technical paper would be a good thing for us to do. I'll prod us into working on that. :) Thanks again for your interest! Roland