CCNA 200-301 | Chapter 270 of 277 | Objective 5.3

Network Management Approaches: Device, Cloud, Controller, Automation, and IaC

This chapter covers a NEW objective in the CCNA v2 exam (200-301 v2.0, 2026 blueprint) — Network Management Approaches: Device, Cloud, Controller, Automation, and Infrastructure as Code (IaC). Cisco added this to reflect the industry shift from CLI-based device-by-device management to programmatic, centralized, and cloud-driven operations. Understanding these approaches is critical because real-world networks now span on-premises, cloud, and hybrid environments, and automation is no longer optional. This chapter will equip you with the conceptual and practical knowledge needed to compare these methods and answer exam questions that test your ability to choose the right management approach for a given scenario.

Updated Jun 6, 2026
Reviewed by Johnson Ajibi · MSc IT Security

Managing a Fleet of Delivery Trucks

Imagine you run a delivery company with 500 trucks. In the old days (traditional device management), you'd visit each truck individually to check the oil, tire pressure, and route logs. That's like SSHing into each router or switch — time-consuming, error-prone, and impossible at scale.

Now consider cloud-based management: you install a telematics device in each truck that reports real-time data to a central cloud dashboard. You can see fuel efficiency, engine diagnostics, and location from your phone. That's Cisco Meraki or Catalyst Cloud Monitoring — the network devices phone home to a cloud portal for configuration and monitoring.

Next, think of controller-based management: you have a fleet manager (the controller) sitting in a central office. All trucks report to the manager, who pushes route updates and maintenance schedules. If a truck has an issue, the manager can remotely diagnose and even push a software update. That's Cisco DNA Center or SD-Access — a centralized controller that manages the entire network fabric.

Automation is like having a script that checks every truck's oil level at 3 AM and automatically schedules a service if low. You don't touch each truck; you write a Python script that talks to the telematics API.

Infrastructure as Code (IaC) takes it further: you define the entire fleet configuration — routes, drivers, schedules — in a text file (like a YAML file). If you need to add 50 new trucks, you just update the file and run a tool (like Ansible or Terraform) that applies the changes automatically. No manual steps, no drift — the fleet is always in the desired state.

How It Actually Works

What Are Network Management Approaches?

Network management approaches define how network devices (routers, switches, firewalls, wireless controllers) are configured, monitored, and maintained. The CCNA v2 exam expects you to understand five distinct approaches: device-based (traditional), cloud-based, controller-based, automation, and Infrastructure as Code (IaC). Each has different use cases, scalability, and operational complexity.

Device-Based Management (Traditional CLI/SNMP)

This is the oldest approach. An engineer connects to each device individually via SSH, Telnet, or console, enters configuration mode, and types commands. Monitoring uses SNMP (Simple Network Management Protocol) polls or syslog. The device stores its configuration locally (startup-config in NVRAM). Changes are made manually, one device at a time. This approach is still used for small networks or for initial bootstrap, but it does not scale beyond a handful of devices. Cisco tests your understanding that device-based management is slow, error-prone, and lacks centralized visibility.

Cloud-Based Management

In cloud-based management, network devices connect to a cloud-hosted platform (e.g., Cisco Meraki Dashboard, Cisco Catalyst Cloud Monitor). The device initiates an outbound HTTPS or VPN connection to the cloud. Configuration is pushed from the cloud portal; the device does not require on-premises management servers. Monitoring is real-time via dashboards. Key advantages: no on-premises controller hardware, automatic software updates, and simplified troubleshooting. The exam will test that cloud management requires internet connectivity and that the cloud provider handles data storage and security.

Controller-Based Management

Here, a centralized on-premises or virtual controller manages a group of devices. Examples: Cisco DNA Center for wired/wireless, Cisco Wireless LAN Controller (WLC) for access points, Cisco SD-WAN vManage for routers. The controller is the single source of truth for policies, configurations, and telemetry. Devices (e.g., access points, switches) register with the controller using protocols like CAPWAP or NETCONF. The controller can push configurations, monitor health, and enforce policies. Controller-based management is more scalable than device-based but requires initial controller deployment and maintenance. The exam emphasizes that the controller is a central point of management and potential failure — redundancy is critical.

Automation (Scripting and Tools)

Automation uses scripts (Python, Bash) or tools (Ansible, Puppet, Chef) to configure and manage devices programmatically. Instead of typing commands, the engineer writes playbooks or scripts that interact with device APIs (RESTCONF, NETCONF) or CLI via SSH. Automation reduces human error and speeds up repetitive tasks like VLAN creation, ACL updates, or firmware upgrades. The exam expects you to know that automation can be done with or without a controller, and that it relies on standard data models (YANG) and protocols (NETCONF, RESTCONF).

Infrastructure as Code (IaC)

IaC extends automation by treating network configuration as code. The desired state of the network is defined in declarative files (YAML, JSON, HCL). Tools like Ansible, Terraform, or Cisco NSO compare the current state to the desired state and make only the necessary changes. IaC enables version control (Git), peer review, and automated testing. The exam will test that IaC is a paradigm shift from imperative (step-by-step) to declarative (desired state) management. Key concepts: idempotency (running the same code multiple times produces the same result), drift detection, and CI/CD pipelines for network changes.

How They Interact

In practice, these approaches are not mutually exclusive. A network might use cloud-based monitoring (Meraki) with a controller-based SD-WAN (vManage) and automate day-2 operations with Ansible playbooks. The CCNA exam asks you to identify which approach best fits a given requirement — for example, "Which management method allows a network engineer to define the entire network configuration in a version-controlled file?" Answer: Infrastructure as Code.

Cisco's 5-Domain Blueprint Context

Network management approaches fall under the "AI and Network Operations and Management" domain, which is 10% of the exam. This domain also includes AI for operations (AIOps) and traditional management protocols. Understanding the differences between these approaches is foundational for the other 90% of the exam, as automation and centralized management are now embedded in switching, routing, and security topics.

Walk-Through

1. Identify Management Requirements

Before choosing an approach, determine the network size, scale, and operational needs. For a small branch with 5 devices, device-based CLI may be sufficient. For a campus with 500 devices, controller-based (DNA Center) or cloud-based (Meraki) is better. For frequent changes and automation, consider IaC. The exam often presents a scenario: 'A company with 50 remote branches wants zero-touch provisioning and centralized monitoring. Which approach?' Eliminate device-based (too manual) and consider cloud or controller. If internet connectivity is reliable, choose cloud; if strict data sovereignty is required, choose controller.

2. Compare On-Premises vs Cloud Overhead

Device-based requires no additional infrastructure. Cloud-based requires internet connectivity and a cloud subscription. Controller-based requires initial CAPEX for controller hardware/VM and ongoing maintenance. Automation tools (Ansible) require a control node (Linux server). IaC adds a version control system (Git) and a CI/CD pipeline. The exam tests trade-offs: cloud reduces on-premises maintenance but depends on internet; controller gives full control but adds complexity.

3. Evaluate Configuration Methods

Device-based: CLI commands entered manually. Cloud-based: web GUI or API. Controller-based: GUI or API from controller. Automation: scripts or playbooks that push config via API. IaC: declarative files applied by tools. The exam expects you to know that NETCONF/YANG is a standard for automated configuration, and RESTCONF uses HTTP methods. Example: 'An engineer wants to automate VLAN creation across 100 switches using a standard data model. Which protocol?' Answer: NETCONF with YANG.

4. Consider Monitoring and Telemetry

Device-based uses SNMP polls (pull) and syslog. Cloud-based provides real-time dashboards and alerts. Controller-based offers centralized telemetry and analytics (e.g., DNA Center Assurance). Automation can collect telemetry via APIs and store it in databases. IaC includes drift detection — alerts when device config differs from desired state. The exam may ask: 'Which approach provides built-in AI-driven insights?' Answer: Cloud or controller-based (Meraki AI, DNA Center AI Analytics).

5. Assess Security and Compliance

Device-based: each device must be secured individually. Cloud-based: data leaves premises; consider encryption and compliance. Controller-based: controller is a high-value target; secure it with RBAC, TACACS+, and certificates. Automation: scripts must be stored securely; use vaults for credentials. IaC: code review and versioning improve security. The exam tests that cloud management requires trust in the provider's security posture.

6. Make the Final Selection

Based on requirements, select the best approach. Example: A retail chain with 200 stores, each with a small network, wants to manage from HQ without IT staff at stores. Best: cloud-based (Meraki). A university campus with 5000 devices and strict compliance: controller-based (DNA Center). A DevOps team that wants to treat the network as code: IaC with Ansible/Terraform. The exam gives scenarios and expects you to choose the most appropriate method.
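The security step of the walk-through says automation credentials belong in a vault and that IaC benefits from code review. The following is an added example, not part of the original chapter: a review-time check that flags secret-looking keys with literal values in an Ansible-style variables file. The sample file, the key-name pattern and the function names are constructed for illustration, and only top-level keys are inspected.

```python
import re

# Constructed sample of an Ansible group_vars file (values are made up).
SAMPLE_GROUP_VARS = """\
ansible_user: netadmin
ansible_password: Winter2026!
ansible_become_password: !vault |
  $ANSIBLE_VAULT;1.1;AES256
  62383934626539303763613938356431
snmp_community: "{{ lookup('env', 'SNMP_RO') }}"
enable_secret: cisco123
ntp_server: 192.0.2.10
"""

# Key names that normally hold secrets (assumed naming convention).
SECRET_KEY = re.compile(r"(password|secret|community|token|api_key)", re.I)
KEY_VALUE = re.compile(r"^(?P<key>[A-Za-z_][\w-]*):\s*(?P<value>.*)$")


def is_protected(value: str) -> bool:
    """True if the value is vault-encrypted or resolved at run time."""
    v = value.strip().strip("'\"")
    return (
        v == ""                              # nested mapping, nothing literal here
        or v.startswith("!vault")            # inline Ansible Vault value
        or v.startswith("$ANSIBLE_VAULT;")   # vault header
        or (v.startswith("{{") and v.endswith("}}"))  # lookup or variable reference
    )


def find_plaintext_secrets(text: str) -> list:
    """Return (line_number, key) for secret-looking keys with literal values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.startswith((" ", "\t", "#")):
            continue  # skip continuation lines, nested keys and comments
        m = KEY_VALUE.match(line)
        if m and SECRET_KEY.search(m["key"]) and not is_protected(m["value"]):
            findings.append((lineno, m["key"]))
    return findings


if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_GROUP_VARS):
        # Report the key only; never echo the secret value into CI logs.
        print(f"line {lineno}: '{key}' holds a plaintext secret; move it to a vault")
```

Run as a pre-commit hook or CI job, a check like this stops a plaintext credential before it enters Git history, where removing it later requires rotating the secret.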

What This Looks Like on the Job

In a real enterprise, the choice of management approach often follows a hybrid model. Consider a large bank with a headquarters, data centers, and hundreds of branches. The data center switches are managed via CLI for critical changes, but day-2 operations like firmware upgrades are automated with Ansible playbooks. The branch offices use Cisco Meraki (cloud-based) because they lack on-premises IT staff. The bank also deploys Cisco DNA Center in the campus for policy-based segmentation and AI-driven assurance. The WAN is managed via Cisco SD-WAN vManage (controller-based). This hybrid approach leverages the strengths of each method. A common pitfall is assuming one size fits all — a candidate might think controller-based is always better, but cloud-based may be simpler for small sites. Another real-world issue is configuration drift: when engineers make ad-hoc CLI changes on devices managed by a controller, the controller may overwrite them or flag them as out-of-compliance. IaC solves this by enforcing desired state. Performance considerations: cloud-based management generates outbound traffic from devices; if the internet link is congested, monitoring may be delayed. Controller-based management requires adequate CPU/memory for the controller; DNA Center appliances have specific sizing guidelines (e.g., for 1000 devices, use a large appliance). Misconfiguration example: An engineer sets up a controller but forgets to configure backups — when the controller fails, all management is lost. Always have redundancy and backup strategies.

How CCNA 200-301 Actually Tests This

The 200-301 v2.0 exam tests objective 5.3 "Network Management Approaches" with scenario-based questions. You must be able to identify the correct approach given a business requirement. The most common wrong answers:

(1) Choosing device-based management when the scenario mentions 'centralized monitoring' — candidates forget that device-based is per-device.

(2) Confusing controller-based with cloud-based — both provide centralized management, but controller is on-premises, cloud is off-premises.

(3) Thinking IaC is just automation — IaC specifically uses declarative files and version control.

(4) Assuming automation always requires a controller — Ansible can work directly with devices via SSH or API.

Specific values: Know that NETCONF uses port 830, RESTCONF uses 443. SNMP uses UDP 161/162. Remember that YANG is a data modeling language, not a protocol.

Trap: A question says 'Which approach uses a centralized server that devices must register with?' Both controller and cloud, but the server location matters. If the question says 'on-premises server,' it's controller. If 'third-party cloud,' it's cloud-based.

Elimination strategy: For scenario questions, first eliminate device-based if any automation or centralization is mentioned. Then check if the scenario requires internet (cloud) or on-premises (controller). If version control and code review are mentioned, choose IaC. If repetitive tasks are automated but no desired state files, choose automation.

Key Takeaways

[CCNA v2 NEW] Network management approaches (device, cloud, controller, automation, IaC) are a new exam objective — not in v1.1.

Device-based management uses CLI/SNMP per device — not scalable.

Cloud-based management (Meraki) requires internet connectivity; devices phone home.

Controller-based management (DNA Center, WLC) uses an on-premises or virtual controller.

Automation uses scripts/playbooks (Ansible) to configure devices via APIs or SSH.

IaC treats config as code — declarative, version-controlled, idempotent.

NETCONF port 830, RESTCONF port 443 — both use YANG data models.

The 5-domain blueprint allocates 10% to AI and Network Operations and Management.

Hybrid approaches are common in real networks — know trade-offs.

Scenario questions: match approach to business need (scale, location, compliance).

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Cloud-Based Management

No on-premises controller hardware

Requires internet connectivity

Data stored in cloud provider's servers

Automatic software updates from cloud

Subscription-based licensing (e.g., Meraki)

Controller-Based Management

On-premises or virtual controller required

Can operate without internet (internal network)

Data stays on-premises

Admin controls update schedule

Perpetual or subscription licensing (e.g., DNA Center)

Watch Out for These

Mistake

Cloud-based management and controller-based management are the same thing.

Correct

Cloud-based management (e.g., Meraki) uses a cloud-hosted platform; controller-based (e.g., DNA Center) is on-premises. Both centralize management but differ in deployment and data residency.

Both provide a central dashboard, leading candidates to conflate them.

Mistake

Automation always requires a controller.

Correct

Automation can be done directly via Ansible or Python scripts that SSH/API into devices without a controller. Controllers are one platform for automation, not a requirement.

Many associate automation with SDN controllers, but automation tools can work independently.

Mistake

Infrastructure as Code is just another name for automation.

Correct

IaC is a subset of automation that uses declarative desired-state files and version control (Git). Automation includes imperative scripts that may not be idempotent.

Both involve programmatic configuration, leading to overlap in terminology.

Mistake

Device-based management is obsolete and never used.

Correct

Device-based CLI is still used for initial bootstrap, troubleshooting, and small networks. It is not scalable but remains a valid approach.

Candidates think 'old' means 'never used,' but CCNA tests that it still has valid use cases.


Frequently Asked Questions

What is the difference between NETCONF and RESTCONF?

NETCONF is a network configuration protocol that uses SSH (port 830) and XML encoding. It supports operations like get, edit-config, and commit. RESTCONF is a RESTful API that uses HTTPS (port 443) and supports JSON or XML. Both use YANG data models. NETCONF is more mature and supports transactional changes; RESTCONF is simpler and web-friendly. On the exam, know the ports and that both are used for automated configuration.
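The difference is easiest to see with one change expressed both ways. The following is an added example, not part of the original chapter: it builds, without touching the network, a NETCONF edit-config and commit pair and the equivalent RESTCONF request for the same data from the standard ietf-interfaces YANG module. The host name, interface name, the /restconf API root and candidate-datastore support are assumptions, and NETCONF message framing is omitted.

```python
import json
import xml.etree.ElementTree as ET
from urllib.parse import quote

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"       # NETCONF base namespace
IF_NS = "urn:ietf:params:xml:ns:yang:ietf-interfaces"   # ietf-interfaces YANG module
ET.register_namespace("nc", NC_NS)
ET.register_namespace("if", IF_NS)


def netconf_edit_config(name: str, description: str, message_id: str = "101") -> str:
    """Build the <edit-config> RPC sent over SSH (TCP 830) to the candidate datastore."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id})
    edit = ET.SubElement(rpc, f"{{{NC_NS}}}edit-config")
    target = ET.SubElement(edit, f"{{{NC_NS}}}target")
    ET.SubElement(target, f"{{{NC_NS}}}candidate")
    config = ET.SubElement(edit, f"{{{NC_NS}}}config")
    interfaces = ET.SubElement(config, f"{{{IF_NS}}}interfaces")
    interface = ET.SubElement(interfaces, f"{{{IF_NS}}}interface")
    ET.SubElement(interface, f"{{{IF_NS}}}name").text = name
    ET.SubElement(interface, f"{{{IF_NS}}}description").text = description
    return ET.tostring(rpc, encoding="unicode")


def netconf_commit(message_id: str = "102") -> str:
    """Build the <commit/> RPC that activates the candidate configuration."""
    rpc = ET.Element(f"{{{NC_NS}}}rpc", {"message-id": message_id})
    ET.SubElement(rpc, f"{{{NC_NS}}}commit")
    return ET.tostring(rpc, encoding="unicode")


def restconf_patch(host: str, name: str, description: str) -> dict:
    """Describe the equivalent RESTCONF request sent over HTTPS (TCP 443)."""
    key = quote(name, safe="")  # '/' in a list key must be percent-encoded
    body = {"ietf-interfaces:interface": [{"name": name, "description": description}]}
    return {
        "method": "PATCH",
        "url": f"https://{host}/restconf/data/ietf-interfaces:interfaces/interface={key}",
        "headers": {
            "Content-Type": "application/yang-data+json",
            "Accept": "application/yang-data+json",
        },
        "body": json.dumps(body),
    }


if __name__ == "__main__":
    # Constructed values: sw1.example.net and the interface name are placeholders.
    print(netconf_edit_config("GigabitEthernet1/0/1", "Uplink to core"))
    print(netconf_commit())
    req = restconf_patch("sw1.example.net", "GigabitEthernet1/0/1", "Uplink to core")
    print(req["method"], req["url"])
    print(req["body"])
```

NETCONF stages the change in the candidate datastore and activates it with a separate commit, which is the transactional behaviour mentioned above; the RESTCONF request takes effect as a single HTTP call. When sending either for real, keep SSH host-key checking and TLS certificate verification enabled.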

Is cloud-based management secure?

Cloud-based management (e.g., Meraki) uses encrypted connections (HTTPS, VPN) from devices to the cloud. The cloud provider implements security measures like encryption at rest, access controls, and compliance certifications. However, data leaves the premises, so organizations with strict data sovereignty may prefer on-premises controller-based management. The exam expects you to understand this trade-off.

Can I use Ansible with device-based management?

Yes. Ansible can connect to devices via SSH (CLI) or API (NETCONF, RESTCONF). It does not require a controller. Ansible playbooks can automate configuration tasks on devices that are otherwise managed manually. This is a form of automation, not device-based management, because the configuration is applied programmatically.

What is the role of YANG in network management?

YANG (Yet Another Next Generation) is a data modeling language used to define the structure of configuration and state data. It is used with NETCONF and RESTCONF to provide a standardized way to access and modify device configurations. YANG models are like schemas that define what can be configured. The exam tests that YANG is not a protocol but a modeling language.

Do I need to know specific Cisco products for this objective?

Yes. The exam expects familiarity with Cisco Meraki (cloud-based), Cisco DNA Center (controller-based), Cisco SD-WAN vManage (controller-based), and Cisco NSO (IaC). You don't need deep product knowledge, but you should know which product fits which approach. For example, Meraki is cloud, DNA Center is controller.

What is configuration drift and how does IaC help?

Configuration drift occurs when a device's actual configuration differs from the intended configuration, often due to manual changes or inconsistent updates. IaC helps by defining the desired state in version-controlled files. Tools like Ansible or Terraform periodically reconcile the actual state with the desired state, correcting any drift. This ensures consistency and reduces errors.
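The desired-state model described in the Infrastructure as Code section and in this answer can be reduced to a small reconciliation loop. The following is an added example, not part of the original chapter and not how Ansible or Terraform are implemented: it computes the minimal change plan between a declared VLAN set and each switch's running state, shows that a second run produces no changes (idempotency), and reports drift per device. The VLAN data, host names and function names are constructed.

```python
# Desired state as it would live in a Git repository (constructed sample values).
DESIRED_VLANS = {10: "USERS", 20: "VOICE", 30: "PRINTERS"}

# Constructed running state of two switches; sw2 carries ad-hoc CLI changes.
FLEET = {
    "sw1": {10: "USERS", 20: "VOICE", 30: "PRINTERS"},
    "sw2": {10: "USERS", 20: "PHONES", 99: "TEMP"},
}


def plan(desired: dict, actual: dict) -> list:
    """Return the minimal ordered change list that turns actual into desired."""
    changes = []
    for vid in sorted(desired.keys() - actual.keys()):
        changes.append(("create", vid, desired[vid]))
    for vid in sorted(desired.keys() & actual.keys()):
        if actual[vid] != desired[vid]:
            changes.append(("rename", vid, desired[vid]))
    for vid in sorted(actual.keys() - desired.keys()):
        changes.append(("delete", vid, None))
    return changes


def apply_plan(actual: dict, changes: list) -> dict:
    """Apply a plan to a copy of the state (stand-in for a NETCONF/RESTCONF/SSH push)."""
    state = dict(actual)
    for action, vid, name in changes:
        if action == "delete":
            state.pop(vid, None)
        else:
            state[vid] = name
    return state


def reconcile(desired: dict, actual: dict) -> tuple:
    """One declarative run: compute the plan, apply it, return (new_state, changes)."""
    changes = plan(desired, actual)
    return apply_plan(actual, changes), changes


def detect_drift(desired: dict, fleet: dict) -> dict:
    """Map each non-compliant host to the changes needed to bring it back."""
    report = {host: plan(desired, actual) for host, actual in fleet.items()}
    return {host: changes for host, changes in report.items() if changes}


if __name__ == "__main__":
    for host, changes in detect_drift(DESIRED_VLANS, FLEET).items():
        print(f"{host} has drifted: {changes}")
    state, first = reconcile(DESIRED_VLANS, FLEET["sw2"])
    _, second = reconcile(DESIRED_VLANS, state)
    print("first run:", len(first), "changes; second run:", len(second), "changes")
```

A non-empty drift report is also a security signal: VLAN 99 on sw2 was never reviewed or committed, so it deserves investigation before it is simply reverted.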

Is automation the same as IaC?

No. Automation is a broad term that includes any programmatic configuration, including imperative scripts (e.g., Python that runs CLI commands). IaC is a specific practice that uses declarative files (YAML, JSON, HCL) to define the desired state, and tools that enforce that state idempotently. IaC also typically uses version control and CI/CD pipelines. All IaC is automation, but not all automation is IaC.
