Domain 4 of 4 · Chapter 4 of 5

LLM Conversational Agents

Unlock the complete study guide + 1,040 practice questions across 16 full exams.

Bundled into the existing Designing, Deploying and Managing Network Automation Systems premium course — no separate purchase.

14-day money-back guarantee — no questions asked.

Included in this chapter:

  • The agent loop: the model asks, your code acts
  • Defining the tools the model can call
  • Trust nothing the model returns
  • What the model knows: prompt, context, history
  • Grounding the agent in real network data
  • Guardrails belong in code, not the prompt
  • Reading the stem: exam patterns and traps

Who does what: the LLM vs the orchestrator (your code)

ConcernThe LLM (model)The orchestrator (your code)
Choose the next step / toolSelects the tool and argumentsNothing (the choice is advisory)
Execute a tool / touch a deviceOnly requests the callRuns it and returns the result
Hold conversation state & historyStateless between callsPersists and replays the message history
Supply real data (grounding / RAG)Sees only what is in contextRetrieves from the source of truth and injects it
Enforce guardrails & approvalsCan be overridden by injectionAllow-lists, argument validation, approval gates
Bound the loopWould keep calling toolsCaps retries and steps, sets stop conditions

Decision tree

Action changesdevice state?Allowread-only toolOn the allow-list?Denynot permittedHuman approved?Holdapproval gateExecute the changeafter approvalNoYesNoYesNoYesEnforced in code, not the system prompt

Cheat sheet

  • Tools are defined to the model by name, description, and schema
  • The tool-use loop: model requests, app executes
  • Validate model-supplied tool arguments before acting
  • An MCP server becomes the agent's action surface
  • Multi-step tasks chain several tool calls
  • Grounding supplies real data to reduce hallucination
  • RAG retrieves and injects relevant context
  • Ground a network agent on the source of truth
  • RAG quality depends on retrieval freshness and integrity
  • The system prompt defines role, scope, and constraints
  • Guardrails constrain the agent independent of the prompt
  • Security controls must live in code, not only the prompt
  • Only in-context data informs the response
  • An orchestrator manages the tool-use loop
  • Conversational agents persist multi-turn message history
  • Wait for a complete tool-call block before executing
  • Return tool errors to the model and bound the loop

Unlock with Premium — includes all practice exams and the complete study guide.

References

  1. Model Context Protocol — Architecture overview (host/client/server, tools, tool execution)
  2. FastMCP — Tools (deriving name, description, and schema from a decorated Python function)
  3. Cisco Catalyst Center Platform (DNA Center) API — device inventory and intent APIs
  4. FastMCP — Client tools (CallToolResult.is_error and ToolError on tool failure)
  5. OWASP Top 10 for LLM Applications — LLM06:2025 Excessive Agency Whitepaper
  6. OWASP Top 10 for LLM Applications — LLM09:2025 Misinformation (RAG as a mitigation) Whitepaper
  7. Cisco pyATS / Genie — test automation and parsed device state (source of truth for live telemetry)
  8. OWASP Top 10 for LLM Applications — LLM04:2025 Data and Model Poisoning Whitepaper
  9. OWASP Top 10 for LLM Applications — LLM01:2025 Prompt Injection (mitigations: functions in code, least privilege, human-in-the-loop) Whitepaper