Part 1 of the 2-part Cisco DNA Center Planning and Adoption
My goal for this series is to help you get started with Cisco DNA Center and get the most out of your investment. I am not going to sell you on why you want or need Cisco DNA Center; if you are reading this, you are already ready to get started but have some questions or concerns about what the heck Cisco DNA Center does.
I will start by explaining the fundamentals of Device Controllability and the configuration changes made through the Base Automation. After that I’ll explain the relevant settings in the Design menu (Site Hierarchy, Network Settings) and in the Provision menu (Inventory and Plug and Play). Then I will show you what Cisco DNA Center will Add, Change, or Delete from the configuration of your infrastructure, be it existing Brownfield devices or brand-new Greenfield devices. Once you understand what will change, you’ll be able to make the decision of when or when not to use the settings that are part of the Base Automation. Having that understanding will save you time and will greatly improve the success of your Cisco DNA Center adoption.
The first thing you must do is be open to change and let go of the ways that you’ve “always” done things. Cisco DNA Center is a paradigm change in the way that you plan, operate, and optimize your network. You have to get comfortable with doing less in CLI and more with DNA Center. This is a huge shift for most of us who are very deep in the manual mindset.
Not to worry, you’ll still use the CLI and IOS commands, but hopefully far less and in new and exciting ways… Configuration Templates.
Trust me, you will get more work done and have more time for the fun things like projects if you leverage the workflows and automate your operations. If you do not use, I mean really use, Cisco DNA Center, you will not realize the benefit of the tool.
The three truths of Automation
- Automation is no longer a luxury. It’s a necessity!
- The manual mindset does not scale and is prone to error.
- We as Network Engineers must evolve in mindset and in our skills to automate.
What is Cisco DNA Center?
Before we begin let’s start with a quick level set of what Cisco DNA Center is not, and what it is intended to do.
Cisco DNA Center is a powerful network controller that lets you optimize your network and lower your IT spending. Cisco DNA Center provides that digital agility to drive network insights, automation, and security.
It is the platform for AIOps, NetOps, SecOps, DevOps, and Internet of Things (IoT) where all of the Telemetry and Assurance data collected is constantly analyzed with AI/ML technology to give you a single dashboard for every function in your network.
Cisco DNA Center is:
- A management platform for your Campus Enterprise Network
- An Automation platform for device configuration of policy and services
- Overseen by a Compliance System to ensure that your network is operating to the standard that you set, which is the “Intent”
- An Assurance and Analytics engine to guarantee the best network experience for all your users
Cisco DNA Center is much more than a Network Management System (NMS), and if you mistake it for one, you will not realize its capabilities and your expectations will be misaligned for the product.
The workflows in DNA Center are governed by RBAC and organized by task (Design, Policy, Provision, and Assurance), which are based on the roles and responsibilities of the IT Staff and align to the ITIL Framework: Design, Transition, Operation, and Continual Improvement. So, in short, the tasks in the controller are aligned to how your Architecture, Engineering, Security, and Operations teams work.
How does it work?
In order to do all those great things, we need to discover and control the infrastructure. With DNA Center we do that through the Base Automation settings found in the Design menu, which are applied to your infrastructure when devices are Discovered, when they are manually or PnP added to the network hierarchy, and when devices are provisioned.
So, when you think of the Base Automation, you must keep in mind that those settings are there to automate the configuration in the interest of Cisco DNA Center. What I mean by that is that the automations are there for the controller to manage the network. Your custom configurations are not part of that intent, so you have to understand exactly what is happening in order to make an informed decision on how to use the Base Automation and the associated configuration settings to meet your needs. So don’t blindly fill out the Network Settings like a medical form; be aware of their impact! The good news is that you can still realize the value of Base Automation, but you need to know when to use it and how you can maintain your site-specific configuration with Configuration Templates.
I will show you what changes, when it changes, and give you the testing and validation tools so that you can validate the automation and configuration changes in your environment. Understanding these configurations and automations will allow you to properly use the Base Automation and Configuration Templates to build a base configuration that aligns with your organization’s existing configuration policies. And you’ll be able to ensure that configuration intent is applied correctly and consistently in your network.
I’ll start with the Design menu covering Network Settings, Device Credentials, and Telemetry. I will leave the other settings in the Design menu (IP Address Pools, SP Profiles, and Wireless) to another blog because they are beyond the scope of Device Controllability and Base Automation. After I cover the settings, we will move to the workflows that push the configuration and then I’ll introduce pyATS to validate the changes that the controller made to the devices.
I want to take a moment to explain the importance of Device Controllability. Device Controllability is a system-level process on Cisco DNA Center that enforces state synchronization for some device-layer features. Its purpose is to aid in the deployment of required network settings that Cisco DNA Center needs to manage devices. Changes are made on network devices during discovery, when adding a device to Inventory, or when assigning a device to a site. If changes are made to any settings that are under the scope of this process, these changes are applied to the network devices during the Provision and Update Telemetry Settings operations, even if Device Controllability is disabled. The following device settings will be enabled as part of Device Controllability when devices are discovered:
- SNMP Credentials
- NETCONF Credentials
Subsequent to discovery, devices will be added to Inventory. The following device settings will be enabled when devices are added to inventory:
- Cisco TrustSec (CTS) Credentials
The following device settings will be enabled when devices are assigned to a site. Some of these settings can be defined at a site level under Design > Network Settings > Telemetry & Wireless.
- IPDT Enablement
- Controller Certificates
- SNMP Trap Server Definitions
- Syslog Server Definitions
- NetFlow Server Definitions
- Wireless Service Assurance (WSA)
- Wireless Telemetry
- DTLS Ciphersuite
- AP Impersonation
If Device Controllability is disabled, Cisco DNA Center does not configure any of the credentials or settings mentioned above on devices during discovery, at runtime, or during site assignment.
If you disable Device Controllability you will lose real-time Assurance information, the configuration settings needed in the Base Automation to properly control the network devices in your network, and you will not be able to implement SD-Access.
Network Hierarchy is how you build a logical structure for your network into Areas, Buildings, and Floors. Areas are a grouping of other Areas or Buildings that can be multiple layers deep. You can also have multiple Buildings in an Area with multiple Floors in each Building. Network Hierarchy is also how you set Global “centralized” or site-specific “localized” configuration settings for the organization.
Note that the Global Network Settings and your custom configuration applied with Configuration Templates can be inherited from the Global level in the hierarchy or overridden at lower levels in the hierarchy. This gives you a very flexible, fully customizable solution for device configuration in your network.
These settings are optional and do not have to be used unless you want Cisco DNA Center to administer the configuration and ensure compliance of the following items:
- DNS Server
- Time Zone
- Message of the Day
- AAA (for network devices)
- Image Distribution
- Cisco Secure Network Analytics (formerly known as Stealthwatch)
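To make the inherit-or-override behaviour concrete, here is a small Python example I am adding to this post. It is not code from Cisco DNA Center or its API; the hierarchy, site paths, and setting values (DNS server, time zone, MOTD, AAA server) are constructed. It resolves the effective settings for a site by walking the path from Global down to the site, applying each level’s overrides on the way and recording which level last set each value, which is exactly what you want to know when a device shows up with a value you did not expect.

```python
"""Resolve effective Network Settings for a site in a DNA Center-style hierarchy.

Added example: the hierarchy, site names and values below are constructed for
illustration and were not exported from a real Cisco DNA Center.
"""
from typing import Dict, List, Tuple

# Settings defined at the Global level (constructed values).
GLOBAL_SETTINGS: Dict[str, object] = {
    "dns_server": ["10.0.0.53"],
    "time_zone": "UTC",
    "motd": "Authorized access only (constructed banner)",
    "aaa_server": "10.0.0.20",
}

# Per-site overrides keyed by the site's full path. A site that is absent
# simply inherits from its parent; a key that is absent inherits that key.
SITE_OVERRIDES: Dict[str, Dict[str, object]] = {
    "Global/North America": {"time_zone": "America/New_York"},
    "Global/North America/HQ": {"dns_server": ["10.1.1.53", "10.1.1.54"]},
}


def ancestors(site_path: str) -> List[str]:
    """Return the chain Global -> ... -> site, e.g.
    'Global/A/B' -> ['Global', 'Global/A', 'Global/A/B']."""
    parts = site_path.split("/")
    if parts[0] != "Global":
        raise ValueError("site path must start at Global")
    return ["/".join(parts[:i]) for i in range(1, len(parts) + 1)]


def effective_settings(site_path: str) -> Tuple[Dict[str, object], Dict[str, str]]:
    """Walk from Global down to the site, applying overrides on the way.

    Returns (settings, provenance): provenance maps each key to the level
    in the hierarchy that last set it.
    """
    settings = dict(GLOBAL_SETTINGS)
    provenance = {key: "Global" for key in GLOBAL_SETTINGS}
    for level in ancestors(site_path):
        for key, value in SITE_OVERRIDES.get(level, {}).items():
            settings[key] = value
            provenance[key] = level
    return settings, provenance


if __name__ == "__main__":
    for site in ("Global/North America/HQ/Floor 1", "Global/EMEA/London"):
        values, origin = effective_settings(site)
        print(site)
        for key, value in values.items():
            print(f"  {key:<11} = {value!s:<30} (from {origin[key]})")
```

Run it and you will see Floor 1 in HQ pick up the HQ DNS servers and the North America time zone while keeping the Global MOTD and AAA server, whereas a site with no overrides anywhere on its path gets the Global values for everything.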
Device Credentials are required to connect, configure, and manage the devices in your network. There are some caveats with Device Credentials:
- If the Credential configuration exists on the device, then it will be ignored.
- If a fallback user (static user account) and Enable are not configured on the device, then they will be configured as part of the Discovery and add-device-to-inventory workflows.
- Device sync will add them back if you remove them from the configuration.
- If you have an ACL applied to the SNMP community, it will get removed.
You will have to use a DayN template to add back or remove any unwanted configuration that the Base Automation makes to the device.
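Here is an added Python example (mine, not Cisco’s, and not using the DNA Center API or pyATS) that compares a running-config captured before Discovery with one captured after site assignment and flags the caveats above: the ACL stripped from the SNMP community, and whether the fallback user and enable secret are present. Both configurations and the community name are constructed; the extra lines in the “after” config (trap host, syslog host, netconf-yang) are illustrative stand-ins for what the controller pushes, so check your own devices for the exact set.

```python
"""Audit what Device Controllability / Base Automation changed on a device.

Added example: compares a running-config captured before discovery with one
captured after site assignment and flags the Device Credentials caveats
(SNMP community ACL stripped, fallback user and enable secret present).
Both configs below are constructed, not captured from a real switch.
"""
import re
from typing import Dict, List, Optional, Tuple

BEFORE = """\
hostname SW1
!
username netadmin privilege 15 secret 9 $9$CONSTRUCTED.HASH
enable secret 9 $9$CONSTRUCTED.ENABLE
!
access-list 99 permit 10.10.10.5
access-list 99 deny any log
!
snmp-server community CONSTRUCTED-RO RO 99
snmp-server location Lab
!
"""

AFTER = """\
hostname SW1
!
username netadmin privilege 15 secret 9 $9$CONSTRUCTED.HASH
enable secret 9 $9$CONSTRUCTED.ENABLE
!
access-list 99 permit 10.10.10.5
access-list 99 deny any log
!
snmp-server community CONSTRUCTED-RO RO
snmp-server location Lab
snmp-server host 10.0.0.10 version 2c CONSTRUCTED-RO
snmp-server enable traps
logging host 10.0.0.10
netconf-yang
!
"""

# snmp-server community <name> [view <v>] RO|RW [<acl>]
SNMP_COMMUNITY = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)? (RO|RW)(?: (\S+))?$"
)


def config_lines(cfg: str) -> List[str]:
    """Meaningful lines only: trimmed, no blanks, no '!' separators."""
    return [ln.strip() for ln in cfg.splitlines() if ln.strip() and ln.strip() != "!"]


def config_diff(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Order-insensitive line diff: (added, removed)."""
    b, a = config_lines(before), config_lines(after)
    b_set, a_set = set(b), set(a)
    added = [ln for ln in a if ln not in b_set]
    removed = [ln for ln in b if ln not in a_set]
    return added, removed


def snmp_communities(cfg: str) -> Dict[str, Tuple[str, Optional[str]]]:
    """Map community name -> (RO|RW, ACL name or None if no ACL is bound)."""
    found: Dict[str, Tuple[str, Optional[str]]] = {}
    for ln in config_lines(cfg):
        m = SNMP_COMMUNITY.match(ln)
        if m:
            found[m.group(1)] = (m.group(2), m.group(3))
    return found


def has_fallback_user(cfg: str) -> bool:
    """True if a local username with a secret/password AND an enable secret exist."""
    lines = config_lines(cfg)
    user = any(re.match(r"^username \S+ .*\b(secret|password)\b", ln) for ln in lines)
    enable = any(ln.startswith("enable secret") for ln in lines)
    return user and enable


def audit(before: str, after: str) -> Dict[str, object]:
    """Summarise the change and flag the caveats worth a Day-N template."""
    added, removed = config_diff(before, after)
    b_comm, a_comm = snmp_communities(before), snmp_communities(after)
    # A community that had an ACL before and has none after: the ACL was stripped.
    acl_stripped = [
        name for name, (_, acl) in b_comm.items()
        if acl and name in a_comm and a_comm[name][1] is None
    ]
    return {
        "added": added,
        "removed": removed,
        "acl_stripped": acl_stripped,
        "fallback_user_present": has_fallback_user(after),
    }


if __name__ == "__main__":
    report = audit(BEFORE, AFTER)
    for line in report["added"]:
        print(f"+ {line}")
    for line in report["removed"]:
        print(f"- {line}")
    for name in report["acl_stripped"]:
        print(f"WARNING: ACL removed from SNMP community {name}; restore it with a Day-N template")
```

The plain line diff will show you the community line changing, but it is the `acl_stripped` check that turns that into an actionable finding: the ACL that limited which hosts can poll SNMP is gone and needs to come back through a Day-N template, because device sync will not restore it for you.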
At a minimum you must configure the following credentials:
- CLI Username, Password and Enable Password
- SNMPv2 RO
- SNMPv2 RW or an SNMPv3
The HTTP(S) credentials are required for connecting to Meraki, Firepower Management Center, Application Hosting, and NFV/Compute devices. The HTTP(S) credentials are not validated for Network Devices. However, Application Hosting does require HTTP(S) access for its automation workflow, so it can be configured on a per-device basis from Inventory.
- HTTP(S) Read
- HTTP(S) Write
The Telemetry settings configure Cisco DNA Center or your existing servers for collection of SNMP, Syslog, NetFlow, and IP Device Tracking (IPDT) for Wired and Wireless Controller Streaming Telemetry. You could disable these options, but that would limit the usefulness of the controller. For example, if you were to disable IPDT you would not be able to do SD-Access or gain Assurance data on the end hosts connected to your network.
Below are the metrics gathered from devices and the frequencies with which they are collected. (Note: this is a setting on Cisco DNA Center; it does not cause any configuration change on devices.)
- Device Health – Includes CPU, Memory, Environment Temperature and Device Availability metrics. Polled every 10 minutes
- Interface Health – Includes Interface Availability and Ethernet metrics. Polled every 10 minutes
- TCAM – Polled every 30 minutes
- Fabric Health – Includes IPSLA, RTTMON and LISP metrics.
So, we’ve covered the background, the settings, and I’ve given you some guidance on how, when, and when not to use the Base Automation configuration settings. In the next edition, I will show you what will change, when the Base Automation will make changes to your devices, and give you the tools to validate the configuration changes on your devices.
Hopefully, you’ve picked up something new or maybe something that was unclear is now glaringly obvious. Challenge and test yourself every day. Never give up, you always have more to give, and anything worth doing is worth overdoing!
Cisco DNA Center End-User Guides (User/Platform/Assurance/Rogue/Bonjour/Secure Analytics/SDA)
Release Notes, Version 2.2.3 – Always, I mean ALWAYS read the release notes.
Cisco DNA Center Security Best Practices Guide – Because you should read it!