
Compliant or not? Cisco DNA Center will help you figure this out.

Aug, 04, 2022 Hi-network.com

Clear visibility of device compliance is key for network operations. One of the biggest challenges though is to agree upon the definition of compliance since different environments have different requirements. The purpose of this blog is to share the current compliance capabilities in Cisco DNA Center that will help network administrators to keep the infrastructure safe and consistent.

The current version of Cisco DNA Center looks at device compliance from five different lenses in a non-SD-Access network: startup vs. running config, network profiles, application visibility, software image, and critical security advisories.

Figure 1: Compliance Types

Startup vs Running Configuration

Have you ever configured a device and forgotten to save the running configuration, only to have the device reboot unexpectedly? The result can be catastrophic, causing numerous issues in the network. Even though the preferred method for device configuration is through Cisco DNA Center, manual changes are still permitted. To avoid inconsistencies between startup and running configurations, Cisco DNA Center provides a compliance check that flags any device whose startup and running configurations don't match.

In the snapshot below, we see how Cisco DNA Center visualizes the differences between the running and startup configuration. In this example, the network administrator manually added a description to an interface and forgot to save the new configuration. Cisco DNA Center also provides a way to remediate this problem: a "Synch Device Config" button that saves the running-config into the startup-config.

Figure 2: Config Differences and Remediation option
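To make the startup-vs-running check concrete, here is an added example (not code from the page or from Cisco DNA Center) that reproduces the idea of Figure 2 offline: it normalizes two IOS-style configuration copies, diffs them, and reports the device as non-compliant when any real configuration line differs. The two configs and the hostname are constructed sample data; the noise-line filtering (banner, byte count and "!" comment lines) is an assumption about what should not count as drift.

```python
"""Startup-vs-running drift check: the idea behind Figure 2, as a standalone script."""
import difflib

# Constructed sample configs (not from the page). The running config has an
# interface description that was added by hand and never saved.
STARTUP_CONFIG = """\
!
! Last configuration change at 10:01:02 UTC Mon Aug 1 2022
!
hostname TBRANCH-C9200L-2
!
interface GigabitEthernet1/0/7
 switchport access vlan 419
 switchport mode access
!
end
"""

RUNNING_CONFIG = """\
Building configuration...

Current configuration : 250 bytes
!
! Last configuration change at 11:15:44 UTC Mon Aug 1 2022
!
hostname TBRANCH-C9200L-2
!
interface GigabitEthernet1/0/7
 description Added by hand, never saved
 switchport access vlan 419
 switchport mode access
!
end
"""

# Lines that legitimately differ between the two copies (timestamps in "!"
# comments, the byte count banner) and must not be reported as drift.
NOISE_PREFIXES = ("!", "Building configuration", "Current configuration")


def normalize(config: str) -> list[str]:
    """Drop blank and banner/comment lines so only real configuration is compared."""
    lines = []
    for line in config.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(NOISE_PREFIXES):
            continue
        lines.append(line.rstrip())
    return lines


def config_drift(startup: str, running: str) -> list[str]:
    """Return the '+'/'-' change lines of a unified diff between the saved and
    live configuration. An empty list means the device is compliant."""
    diff = difflib.unified_diff(
        normalize(startup), normalize(running),
        fromfile="startup-config", tofile="running-config",
        lineterm="", n=0,
    )
    return [
        line for line in diff
        if (line.startswith("+") or line.startswith("-"))
        and not line.startswith(("+++", "---"))
    ]


def is_compliant(startup: str, running: str) -> bool:
    """Compliant exactly when nothing in the running config is unsaved."""
    return not config_drift(startup, running)


if __name__ == "__main__":
    for change in config_drift(STARTUP_CONFIG, RUNNING_CONFIG):
        print(change)
    print("compliant:", is_compliant(STARTUP_CONFIG, RUNNING_CONFIG))
```

The filtering step matters in practice: a raw `show run` always differs from `show startup-config` in its header lines, so a naive byte comparison would flag every device. Only lines that survive normalization are treated as drift.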

Network Profiles

One of Cisco DNA Center's greatest values is the automation it brings by leveraging Intent-Based Networking (IBN). One of the constructs that Cisco DNA Center uses to implement IBN is network profiles. Network profiles contain different aspects of intent-based networking including wireless and model-based configuration (for wireless devices) and templates (for all devices). Via compliance checks, Cisco DNA Center can flag any configuration deviation from these constructs.

Let's say that we have a simple template in Cisco DNA Center pushing a "vlan" configuration to a port:

TBRANCH-C9200L-2#show run int gig 1/0/7
Building configuration...

Current configuration : 344 bytes
!
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
end

In this example, we will assume that someone manually removed the "vlan" configuration that was pushed by the Cisco DNA Center template:

TBRANCH-C9200L-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no switchport access vlan 419
TBRANCH-C9200L-2(config-if)#

This action triggers a "Network Profile" compliance violation, as seen in the snapshots below:

Figure 3: Network Profile Compliance Violation

Cisco DNA Center clearly identifies the template that was changed on the device and the specific configuration lines that were removed:

Figure 4: CLI commands from Template not present in the config

Application Visibility

Cisco DNA Center also leverages Intent-Based Networking (IBN) to provision devices for application visibility through CBAR and NBAR. If there are any changes to this intent, the devices will be marked as non-compliant for "Application Visibility", as seen in the example below.

The device has CBAR (Controller-Based Application Recognition) enabled via Cisco DNA Center:

interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
end

The configuration is then manually removed from the device:

TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no ip nbar protocol-discovery
TBRANCH-C9200L-2(config-if)#

Figure 5: Application Visibility Compliance Violation

Figure 6: Configuration removed for this interface
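Both the Network Profile case (a template line removed) and the Application Visibility case (the `ip nbar protocol-discovery` line removed) come down to the same check: which lines the intent says must be on an interface are absent from the running config? The following added example (not code from the page or from Cisco DNA Center) performs that check offline. It parses IOS interface stanzas, then compares each stanza against the template lines shown on the page and against the CBAR line. The running config below is constructed sample data reflecting the two manual removals in the text; the second interface and the hostname are constructed too.

```python
"""Intent-vs-config check for the Network Profile and Application Visibility
lenses: which required lines are absent from an interface's running config?"""
import re
from collections import OrderedDict

# Lines the template is expected to push to the port (taken from the page's
# template example) and the CBAR line the Application Visibility intent adds.
TEMPLATE_LINES = [
    "description Description pushed by DNAC Template -- lan",
    "switchport access vlan 419",
    "switchport mode access",
    "device-tracking attach-policy IPDT_POLICY",
    "ip flow monitor dnacmonitor input",
    "ip flow monitor dnacmonitor output",
    "service-policy input DNA-MARKING_IN",
    "service-policy output DNA-dscp#APIC_QOS_Q_OUT",
]
APP_VISIBILITY_LINES = ["ip nbar protocol-discovery"]

# Constructed running config after the two manual removals shown on the page
# ("no switchport access vlan 419" and "no ip nbar protocol-discovery").
RUNNING_CONFIG = """\
hostname TBRANCH-C9200L-2
!
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
!
interface GigabitEthernet1/0/8
 switchport access vlan 419
 switchport mode access
 ip nbar protocol-discovery
!
end
"""


def parse_interfaces(config: str) -> "OrderedDict[str, list[str]]":
    """Group the indented lines under each 'interface X' stanza. IOS ends a
    stanza at the next unindented line ('!', 'end', or another top-level command)."""
    interfaces: "OrderedDict[str, list[str]]" = OrderedDict()
    current = None
    for line in config.splitlines():
        match = re.match(r"^interface\s+(\S+)", line)
        if match:
            current = match.group(1)
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
    return interfaces


def missing_lines(config: str, interface: str, required: list[str]) -> list[str]:
    """Required lines that are not present on `interface`. An interface that is
    absent from the config counts as missing every required line."""
    present = set(parse_interfaces(config).get(interface, []))
    return [line for line in required if line not in present]


def compliance_report(config: str, interface: str) -> dict:
    """One entry per compliance lens; an empty list means compliant."""
    return {
        "network_profile": missing_lines(config, interface, TEMPLATE_LINES),
        "application_visibility": missing_lines(config, interface, APP_VISIBILITY_LINES),
    }


if __name__ == "__main__":
    for lens, missing in compliance_report(RUNNING_CONFIG, "GigabitEthernet1/0/7").items():
        print(f"{lens}: {'COMPLIANT' if not missing else 'NON-COMPLIANT'}")
        for line in missing:
            print(f"  missing: {line}")
```

The comparison is an exact line match after trimming indentation, which is what makes a changed value (for example a different VLAN number) show up as a missing template line rather than silently passing.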

Software Image

Cisco DNA Center uses the concept of a "Golden Image" to keep software images consistent within a site. When a device runs an image that differs from the Golden Image, Cisco DNA Center raises a "Software Image" compliance violation, as seen in the snapshots below:

Figure 7: Software Compliance Violation

Figure 8: Device Image different from Golden Image

Critical Security Advisories

Devices with critical security vulnerabilities will also be flagged by a compliance check, as shown in the snapshots below:

Figure 9: Critical Security Advisories Compliance Violation

Figure 10: Detailed list of security advisories

Our next blog will cover aspects of Cisco DNA Center and configuration management.
Stay tuned!

