Cloud Networking with AI
Objective
In this lesson you will enable and verify AI-assisted multi-cloud visibility and SaaS performance telemetry for an SD‑WAN fabric. We will configure Network‑Wide Path Insights (NWPI) metadata injection on the edge router, enable cloud onramp analytics, and verify that SD‑WAN Manager is receiving per‑flow telemetry used by AI/LLM analytics. In production, this improves SaaS experience troubleshooting and allows predictive path recommendations for cloud destinations — critical when users and apps are distributed across multiple public cloud regions and SaaS providers.
Real-world scenario: An enterprise with hybrid users (office + remote) needs to ensure Microsoft 365 and Salesforce traffic takes the best available path. Enabling NWPI metadata + cloud onramp analytics lets the SD‑WAN Manager correlate per‑flow path data and suggest circuit changes or tunnel steering to maintain application SLAs.
Quick Recap
Reference topology (from Lesson 1) — no new physical devices are required for this lesson. We will use the same edge routers and the SD‑WAN Manager already deployed in the lab. This lesson focuses on enabling NWPI metadata at the edge and activating cloud onramp analytics in the controller.
Important: We assume the SD‑WAN Manager (controller) and edge routers are already onboarded and the fabric is operational from previous lessons.
Key Concepts
- NWPI metadata: Small metadata fields are placed into the SD‑WAN data path header by the ingress router. Downstream routers and the manager use this metadata to correlate packets and produce path analytics. Think of NWPI like a tiny breadcrumb trail attached to flows so the manager can stitch together end‑to‑end behavior.
- Protocol behavior: The ingress router inserts metadata into the overlay header; subsequent routers read that metadata and report flow statistics back to the SD‑WAN Manager.
- Cloud onramp analytics: SD‑WAN aggregates flows destined for cloud or SaaS and correlates BGP/SaaS IP prefixes with telemetry to compute per‑SaaS experience metrics (latency, loss, jitter).
- In production: Used for SaaS‑aware path selection and predictive recommendations.
- Per‑flow telemetry: The manager uses reported data to form historical trends and feed AI/LLM-driven suggestions (e.g., "move 365 traffic to MPLS 2 between 09:00–17:00").
- Packet flow: ingress router marks flows, intermediate routers send telemetry records to manager, manager aggregates.
- Why enable on ingress: Only the ingress router can reliably correlate user/application identity with the path from the first hop; enabling NWPI there yields full path visibility.
Step-by-step configuration
We will present a compact set of configuration steps to enable NWPI metadata injection at the edge router and verify the manager is receiving and processing NWPI telemetry and cloud onramp data. Each step includes commands, explanations, and verification outputs.
Step 1: Enable NWPI metadata injection on the ingress edge router
What we are doing: Enable the router to write NWPI metadata into outbound SD‑WAN headers for flows that leave the branch toward the overlay. This is required so downstream routers and the SD‑WAN Manager can correlate per‑flow path data.
configure terminal
sdwan
nwpi metadata enable
exit
end
write memory
What just happened:
- configure terminal enters global configuration mode.
- sdwan enters the SD‑WAN context (controller-related features).
- nwpi metadata enable turns on NWPI metadata injection at the router; the router will start adding metadata to the SD‑WAN overlay headers for flows it forwards toward the fabric.
- exit, end, and write memory return to exec mode and persist the change.
Real-world note: Enabling NWPI may add a small header overhead to encapsulated packets. In production, verify MTU settings to avoid fragmentation on overlay links.
Verify:
show sdwan nwpi status
NWPI Status: Enabled
NWPI Version: 1
Ingress Metadata Injection: Enabled
Egress Metadata Processing: Enabled
Telemetry Export: Active
Last Telemetry Export: 2026-04-02 09:12:31 UTC
Explanation of verification output: NWPI Status: Enabled confirms the feature is active. Ingress Metadata Injection: Enabled shows the router will write metadata. Telemetry Export: Active indicates the router is sending telemetry to the SD‑WAN Manager.
Step 2: Configure telemetry export destination (SD‑WAN Manager)
What we are doing: Point the router to the SD‑WAN Manager as the destination for NWPI/telemetry records so the manager can collect flow and path analytics used by AI modules.
configure terminal
sdwan
telemetry destination address lab.nhprep.com port 55443
exit
end
write memory
What just happened:
- telemetry destination address lab.nhprep.com port 55443 configures the manager's FQDN and the TLS/HTTPS port used for telemetry. The router will export NWPI/flow telemetry to that address.
- Persisting with write memory ensures the telemetry destination remains across reloads.
Real-world note: In production, telemetry export should use secure transport (TLS) and mutual authentication. Use certificates signed by your PKI.
Verify:
show sdwan telemetry status
Telemetry Service: Running
Destination: lab.nhprep.com:55443
Last Successful Connection: 2026-04-02 09:13:02 UTC
TLS Version: TLS1.2
Pending Records Queue: 0
This output confirms the router is connected to the SD‑WAN Manager and actively sending telemetry.
Step 3: Enable cloud onramp analytics in the SD‑WAN Manager
What we are doing: Activate the cloud onramp analytics feature in the controller so that SaaS and cloud destination flows are recognized and correlated with NWPI telemetry for AI recommendations.
configure terminal
sdwan manager
cloud-onramp analytics enable
exit
end
write memory
What just happened:
- Enabling cloud-onramp analytics on the manager tells the controller to map known SaaS IP ranges and cloud regions and to aggregate related telemetry.
- The manager will start producing SaaS-specific metrics (latency, loss, path distribution) used by analytics engines.
Real-world note: SaaS IP ranges are large and change frequently. The manager often pulls published SaaS prefixes or integrates with a SaaS API feed to keep mappings current.
Verify:
show sdwan manager cloud-onramp status
Cloud Onramp Analytics: Enabled
SaaS Prefixes Loaded: Yes
SaaS Prefix Update Time: 2026-04-02 08:00:00 UTC
Active SaaS Sessions in Last 15m: 432
Top SaaS by Traffic: microsoft365 (34%), salesforce (21%), zoom (11%)
This output shows cloud onramp analytics is enabled and the manager has active SaaS session aggregation.
Step 4: Confirm NWPI records are visible and being correlated to SaaS app flows
What we are doing: Show that per‑flow NWPI telemetry is being correlated with cloud onramp entries for SaaS destinations, which enables AI-driven recommendations.
show sdwan nwpi flows recent
Flow ID: 0x7f3a2c
Src IP: 10.10.1.15
Dst IP: 52.112.34.21
App: microsoft365
Ingress Edge: BranchRtr1
Path Hops: Edge(10 ms) -> Core(5 ms) -> CloudOnramp(12 ms)
Loss: 0.2%
Jitter: 3 ms
NWPI Metadata Tags: session=abc123, path_id=5
Timestamp: 2026-04-02 09:14:12 UTC
Flow ID: 0x7f3a2d
Src IP: 10.10.1.16
Dst IP: 52.117.88.49
App: salesforce
Ingress Edge: BranchRtr1
Path Hops: Edge(20 ms) -> MPLS(8 ms) -> CloudOnramp(25 ms)
Loss: 1.8%
Jitter: 7 ms
NWPI Metadata Tags: session=def456, path_id=7
Timestamp: 2026-04-02 09:14:20 UTC
What just happened:
- show sdwan nwpi flows recent lists recent flows enriched with NWPI metadata and application mapping. Each flow shows the identified app, the path hops with measured latency, and measured loss/jitter values.
- The NWPI Metadata Tags field proves the ingress injector annotated the flow and that the manager correlated downstream path data.
Real-world note: High loss or jitter on a SaaS flow triggers recommendations. For example, sustained >1% loss for business‑critical SaaS might prompt a policy change to steer that traffic to a better circuit.
Step 5: Trigger an AI recommendation check and review suggested actions
What we are doing: Ask the manager to evaluate current telemetry and generate path recommendations based on recent NWPI data. Reviewing recommendations prepares you for manual or automated remediation.
configure terminal
sdwan manager
analytics evaluate recent-interval 15m
show sdwan manager analytics recommendations
exit
end
What just happened:
- analytics evaluate recent-interval 15m instructs the manager to run analytics across the last 15 minutes of telemetry.
- show sdwan manager analytics recommendations displays actionable suggestions the AI module generated based on NWPI and cloud onramp data.
Verify:
SD-WAN Analytics Recommendations
Recommendation ID: rec-20260402-01
Target: BranchRtr1 -> microsoft365 prefix 52.112.0.0/16
Issue: Increased Loss (1.8%) on Primary Internet Path
Suggested Action: Move microsoft365 traffic to MPLS-Backup during 09:00-17:00 until loss < 0.5%
Confidence: High
Generated: 2026-04-02 09:15:12 UTC
Recommendation ID: rec-20260402-02
Target: BranchRtr1 -> salesforce prefix 52.117.0.0/16
Issue: Jitter spike (avg 9 ms)
Suggested Action: Enable jitter smoothing via preferred-path tagging for SF traffic
Confidence: Medium
Generated: 2026-04-02 09:15:45 UTC
What this shows: the manager used telemetry to identify problems and propose targeted steering or QoS changes.
Real-world note: Recommendations can be auto-applied in production with proper change-control; many organizations prefer manual review first.
Verification Checklist
- Check 1: NWPI enabled on ingress router — verify with show sdwan nwpi status and expect Ingress Metadata Injection: Enabled.
- Check 2: Telemetry export to SD‑WAN Manager active — verify with show sdwan telemetry status and expect Destination: lab.nhprep.com:55443 and a recent Last Successful Connection.
- Check 3: Cloud onramp analytics enabled and SaaS prefixes loaded — verify with show sdwan manager cloud-onramp status and expect Cloud Onramp Analytics: Enabled and a non-zero Active SaaS Sessions count.
- Check 4: NWPI flows visible and correlated to apps — verify with show sdwan nwpi flows recent and expect entries with App: and NWPI Metadata Tags.
- Check 5: Analytics recommendations produced — verify with show sdwan manager analytics recommendations and expect at least one recommendation for a SaaS prefix when issues exist.
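As an added example (not part of this lesson or of any vendor tool), the following Python snippet parses the show outputs from Steps 2 and 4 and applies Checks 2 and 4 from the checklist, together with the TLS caveat from Step 2 and the >1% loss rule from Step 4. The sample outputs are constructed, trimmed copies of the lesson's own; the expected destination, the TLS 1.2 minimum and the 1.0% loss threshold are assumptions.

```python
import re
# Constructed sample: the 'show sdwan telemetry status' output shown in Step 2.
TELEMETRY_STATUS = """\
Telemetry Service: Running
Destination: lab.nhprep.com:55443
Last Successful Connection: 2026-04-02 09:13:02 UTC
TLS Version: TLS1.2
Pending Records Queue: 0
"""
# Constructed sample: trimmed records from 'show sdwan nwpi flows recent' in Step 4.
NWPI_FLOWS = """\
Flow ID: 0x7f3a2c
App: microsoft365
Loss: 0.2%
NWPI Metadata Tags: session=abc123, path_id=5
Flow ID: 0x7f3a2d
App: salesforce
Loss: 1.8%
NWPI Metadata Tags: session=def456, path_id=7
"""

def parse_kv(text):
    """Turn 'Key: Value' lines into a dict; only the first ': ' separates key from value."""
    return dict(line.split(": ", 1) for line in text.splitlines() if ": " in line)

def check_telemetry(text, expected_dest="lab.nhprep.com:55443", min_tls=(1, 2)):
    """Check 2 plus the TLS caveat from Step 2: each entry is True when the check passes."""
    f = parse_kv(text)
    tls = tuple(int(x) for x in re.findall(r"\d+", f.get("TLS Version", "")))
    return {
        "service_running": f.get("Telemetry Service") == "Running",
        "destination_ok": f.get("Destination") == expected_dest,  # export goes to the manager we set
        "tls_ok": tls >= min_tls,  # (1, 2) or newer; an empty tuple (no TLS line) fails
        "queue_empty": f.get("Pending Records Queue") == "0",  # a growing queue hints at a blocked path
    }

def split_flows(text):
    """Split the flows output into one dict per record, starting at each 'Flow ID' line."""
    return [parse_kv(r) for r in re.split(r"(?m)^(?=Flow ID: )", text) if r.strip()]

def flows_over_loss(text, threshold_pct=1.0):
    """Check 4 plus the >1% loss rule from Step 4: require App and NWPI tags, flag lossy flows."""
    flagged = []
    for f in split_flows(text):
        if "App" not in f or "NWPI Metadata Tags" not in f:
            raise ValueError(f"flow {f.get('Flow ID')} lacks app mapping or NWPI tags")
        loss = float(f["Loss"].rstrip("%"))
        if loss > threshold_pct:
            flagged.append((f["Flow ID"], f["App"], loss))
    return flagged
```

Feed the script the live output of the two show commands in place of the constructed samples; a flagged flow is the kind of evidence that drives the recommendations reviewed in Step 5.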
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| show sdwan nwpi status shows "Disabled" | NWPI metadata injection not turned on on the ingress router | Re-run sdwan → nwpi metadata enable and save config |
| Telemetry shows "Destination unreachable" | DNS name lab.nhprep.com not resolvable or TLS port blocked | Ensure DNS resolves to manager IP and allow port 55443 through firewalls |
| No SaaS flows appear under cloud onramp | SaaS prefix list not loaded or manager not configured for cloud onramp | Run cloud-onramp analytics enable on the manager and update the SaaS prefix feed |
| Recommendations show low confidence | Insufficient telemetry samples in the selected interval | Increase analytics interval or verify telemetry volume; check for packet sampling or high pending queue |
| High MTU fragmentation after enabling NWPI | Added header pushes overlay packets over path MTU | Adjust underlay MTU or enable path MTU discovery and fragmentation handling on overlay |
Key Takeaways
- Enabling NWPI metadata at the ingress router is essential for end‑to‑end path visibility; it's the breadcrumb that lets the controller correlate per‑flow metrics across the fabric.
- Cloud onramp analytics maps SaaS/cloud prefixes to telemetry, enabling meaningful SaaS experience metrics and AI recommendations for path optimization.
- In production, ensure telemetry transport to the controller is secure (TLS) and reliable; firewall and DNS issues are common operational blockers.
- AI-generated recommendations are powerful but should be reviewed and integrated with your change control process — you can automate remediation once trust in the analytics grows.
Tip: Think of NWPI as adding a tiny barcode to each flow; the manager scans the barcodes from different routers to reconstruct the flow's entire journey and measure performance on each hop.
Warning: Always test analytic-driven changes in a controlled window. Auto-applying steering for critical SaaS without verification can cause unintended disruption.
This completes Lesson 6: Cloud Networking with AI. Apply the verification checklist in your lab to prove the telemetry pipeline and analytics are functioning before enabling automated remediation in production.