Clear visibility of device compliance is key for network operations. One of the biggest challenges though is to agree upon the definition of compliance since different environments have different requirements. The purpose of this blog is to share the current compliance capabilities in Cisco DNA Center that will help network administrators to keep the infrastructure safe and consistent.
The current version of Cisco DNA Center, looks at device compliance from five different lenses in a non-SD-Access network: startup vs. running-config, network profiles, application visibility, software image, and critical security advisories.
Startup vs Running Configuration
Have you ever configured a device and forgotten to save the running configuration only to have the device reboot unexpectedly? The result of this could be catastrophic resulting in numerous issues in the network. Even though the preferred method for device configuration is through Cisco DNA Center, manual changes are still permitted. To avoid inconsistencies between startup and running configurations, Cisco DNA Center provides a compliance check by flagging any devices that have a startup and running configurations that don’t match.
In the snapshot below, we see how Cisco DNA Center provides visualization of the differences between the running and startup configuration. In this example, the network administrator manually added a description to an interface and forgot to save the new configuration. Cisco DNA Center also provides a way to remediate this problem with a button to “Synch Device Config” which saves the running-config into startup-config.
Network Profiles
One of Cisco DNA Center’s greatest values is the automation it brings by leveraging Intent-Based Networking (IBN). One of the constructs that Cisco DNA Center uses to implement IBN is network profiles. Network profiles contain different aspects of intent-based networking including wireless and model-based configuration (for wireless devices) and templates (for all devices). Via compliance checks, Cisco DNA Center can flag any configuration deviation from these constructs.
Let’s say that we have a simple template in Cisco DNA Center pushing a “vlan” configuration to a port:
TBRANCH-C9200L-2#show run int gig 1/0/7 Building configuration... Current configuration : 344 bytes ! interface GigabitEthernet1/0/7 description Description pushed by DNAC Template -- lan switchport access vlan 419 switchport mode access device-tracking attach-policy IPDT_POLICY ip flow monitor dnacmonitor input ip flow monitor dnacmonitor output service-policy input DNA-MARKING_IN service-policy output DNA-dscp#APIC_QOS_Q_OUT end
In this example, we will assume that someone manually removed the “vlan” configuration that has been pushed by Cisco DNA Center templates:
TBRANCH-C9200L-2#conf t Enter configuration commands, one per line. End with CNTL/Z. TBRANCH-C9200L-2(config)#int gig 1/0/7 TBRANCH-C9200L-2(config-if)#no switchport access vlan 419 TBRANCH-C9200L-2(config-if)#
This action will trigger a “Network Profile” compliance violation as seen in the snapshots below:
Cisco DNA Center clearly identifies the template that has been changed in the device and the specific lines of configuration that have been removed:
Application Visibility
Cisco DNA Center also leverages Intent-Based Networking (IBN) to provision devices for visibility of applications through CBAR and NBAR. If there are any changes to this intent, the devices will be marked as non-compliant for “Application Visibility” as seen in the example below.
The device has CBAR (Controller Based Application Recognition) enabled via DNA Center:
interface GigabitEthernet1/0/7
description Description pushed by DNAC Template -- lan
switchport access vlan 419
switchport mode access
device-tracking attach-policy IPDT_POLICY
ip flow monitor dnacmonitor input
ip flow monitor dnacmonitor output
service-policy input DNA-MARKING_IN
service-policy output DNA-dscp#APIC_QOS_Q_OUT
ip nbar protocol-discovery
end
Configuration is manually removed from the device:
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no ip nbar protocol-discovery
TBRANCH-C9200L-2(config-if)#
Software Image
Cisco DNA Center uses the concept of “Golden Image” to support image consistency within a site. When devices have images different from “Golden Image”, it will trigger the “Software Image” compliance violation as seen in the snapshots below:
Critical Security Advisories
Devices with critical security vulnerabilities will also trigger a compliance check as shown in the snapshots below:
Our next blog will be covering aspects of Cisco DNA Center and configuration management.
Stay tuned!
Another outstanding knowledge article from Lila!
Thanks Lila , great insights
As we transition from Prime to DNA Center, it’s great to know the compliance options available! Thanks!
Great article, thanks Lila.
Quick question: are there any prereq.? We are running 2.3.3.4 but only Startup vs Running, Software image and Advisories are visible.
Thanks Joe! In order to see Network Profile, the device needs to have been provisioned using DNA Center. For switches, you need to have the templates provisioned and for WLC’s, it would be the wireless provision and (optionally) model based configs and templates. If the device hasn’t been provisioned with DNA Center, you’d not se the network profile tab.