Release Notes for Cisco DNA Center, Release 2.3.2.x
Cisco DNA Center 2.3.2.x is a Commercial Availability release. Contact your Cisco sales representative to request this release.
This document describes the features, limitations, and bugs for Cisco DNA Center, Release 2.3.2.x.
For links to all of the guides in this release, see Cisco DNA Center 2.3.2 Documentation.
Change History
The following table lists changes to this document since its initial release.
Date | Change | Location |
---|---|---|
2023-11-07 |
Added a limitation about maintenance mode for APs |
|
2023-02-17 |
Added a limitation about In-Service Software Upgrade (ISSU). |
|
2022-05-25 |
Added the list of packages in Cisco DNA Center 2.3.2.3. |
|
Added the Resolved Bugs table for 2.3.2.3. |
||
Noted that Cisco DNA Center 2.3.2.3 contains fixes for the Spring4Shell vulnerability. |
||
Added the open bugs CSCwa92273 and CSCwa00990. |
||
Added the new and changed Interactive Help information for 2.3.2.3. |
||
Added the new feature information for the Cisco Wide Area Bonjour application. |
||
2022-01-20 |
Added the list of packages in Cisco DNA Center 2.3.2.1. |
|
Noted that Cisco DNA Center 2.3.2.1 contains fixes for the Apache Log4j vulnerability. |
||
2021-12-15 |
Initial release. |
— |
Upgrade to the Latest Cisco DNA Center Release
For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.
Before you upgrade, run the Audit & Upgrade Readiness Analyzer (AURA) precheck. AURA is a command-line tool that performs health, scale, and upgrade readiness checks for Cisco DNA Center and the fabric network. For more information, see Enhanced Visibility into Cisco DNA Center Using AURA.
Package Versions in Cisco DNA Center, Release 2.3.2.x
The following table shows the updated packages and the versions in Cisco DNA Center, Release 2.3.2.x.
Package Name | Release 2.3.2.3 | Release 2.3.2.1 | Release 2.3.2.0 |
---|---|---|---|
Release Build Version |
|||
Release Version |
2.3.2.3.72213 |
2.3.2.1-70507 |
2.3.2.0-70475 |
System Updates | |||
System |
1.7.609 |
1.7.534 |
1.7.523 |
System Commons |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Package Updates |
|||
Access Control Application |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
AI Endpoint Analytics |
1.6.615 |
1.6.557 |
1.6.540 |
AI Network Analytics |
2.8.16.459 |
2.8.15.455 |
2.8.15.455 |
Application Hosting |
1.8.1.2201310931 |
1.8.1.2112171046 |
1.8.0.2110260825 |
Application Policy |
2.1.461.170220 |
2.1.460.117490 |
2.1.460.117441 |
Application Registry |
2.1.461.170220 |
2.1.460.117490 |
2.1.460.117441 |
Application Visibility Service |
2.1.461.170220 |
2.1.460.117490 |
2.1.460.117441 |
Assurance - Base |
2.3.2.351 |
2.3.2.287 |
2.3.2.279 |
Assurance - Sensor |
2.3.2.339 |
2.3.2.286 |
2.3.2.260 |
Automation - Base |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Automation - Intelligent Capture |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Automation - Sensor |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Cisco DNA Center Global Search |
1.7.1.103 |
1.7.1.102 |
1.7.1.97 |
Cisco DNA Center Platform |
1.7.1.132 |
1.7.1.107 |
1.7.1.106 |
Cisco DNA Center UI |
1.7.0.1036 |
1.7.0.970 |
1.7.0.970 |
Cisco Identity Services Engine Bridge |
2.1.461.394 |
2.1.460.380 |
2.1.460.380 |
Cisco Umbrella |
2.1.461.592131 |
2.1.460.590229 |
2.1.460.590184 |
Cloud Connectivity - Contextual Content |
1.3.1.441 |
1.3.1.441 |
1.3.1.441 |
Cloud Connectivity - Data Hub |
1.7.13 |
1.6.0.380 |
1.6.0.380 |
Cloud Connectivity - Tethering |
2.30.1.59 |
2.21.1.3 |
2.21.1.3 |
Cloud Device Provisioning Application |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Command Runner |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Device Onboarding |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Disaster Recovery |
2.1.461.3620050 |
2.1.460.36097 |
2.1.460.36097 |
Group-Based Policy Analytics |
2.3.2.41 |
2.3.2.40 |
2.3.2.39 |
Image Management |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Machine Reasoning |
2.1.461.212131 |
2.1.460.210115 |
2.1.460.210110 |
NCP - Base |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
NCP - Services |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Network Controller Platform |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Network Data Platform - Base Analytics |
1.7.189 |
1.7.188 |
1.7.185 |
Network Data Platform - Core |
1.7.287 |
1.7.286 |
1.7.282 |
Network Data Platform - Manager |
1.7.144 |
1.7.144 |
1.7.141 |
Network Experience Platform - Core |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Path Trace |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
RBAC Extensions |
2.1.461.1902002 |
2.1.460.1900012 |
2.1.460.1900012 |
Rogue and aWIPS |
2.4.0.34 |
2.4.0.33 |
2.4.0.33 |
SD-Access |
2.1.461.62272 |
2.1.460.60859 |
2.1.460.60853 |
Stealthwatch Security Analytics |
2.1.461.1093118 |
2.1.460.1092227 |
2.1.460.1092183 |
Support Services |
2.1.461.880012 |
2.1.460.880040 |
2.1.460.880040 |
Wide Area Bonjour |
2.4.461.75209 |
2.4.368.75006 |
2.4.364.75035 |
New and Changed Information
New and Changed Features in Cisco DNA Center
Important Updates in Cisco DNA Center 2.3.2.3
Feature | Description |
---|---|
Fixes for the Spring4Shell Vulnerability |
In March 2022, VMware disclosed vulnerabilities in the Spring4Shell Spring Framework. Cisco is committed to transparency and we have published a security advisory to make sure our customers understand the issue and how to address it. Please refer to our advisory for the latest information: Cisco Security Advisory: Vulnerability in Spring Framework Affecting Cisco Products: March 2022 Cisco DNA Center 2.3.2.3 contains fixes for the Spring4Shell vulnerability. This effort is being tracked as CSCwb43650 for the Cisco DNA Center product and contains the following fix:
To help assess, identify, and reduce exposure to vulnerabilities, consider running a trusted vulnerability scanner. For example:
|
Support for Cisco Nexus 9000 Series Switches on the Cisco Wide Area Bonjour Application |
Cisco DNA Service for Bonjour supports Cisco Nexus 9000 Series Switches as an SDG agent in multicast mode. |
Important Updates in Cisco DNA Center 2.3.2.1
Feature | Description |
---|---|
Fixes for the Apache Log4j Vulnerability |
In December 2021, the Apache Software Foundation disclosed vulnerabilities in the open-source Log4j logging library. At this time, almost all affected Cisco products have either been remediated or have a software update scheduled for release. Cisco is committed to transparency and we have published a security advisory to make sure our customers understand the issue and how to address it. Please refer to our advisory for the latest information: Cisco DNA Center 2.3.2.1 contains fixes for the Apache Log4j vulnerability. This effort is being tracked as CSCwa47322 for the Cisco DNA Center product and contains the following fixes:
To help assess, identify, and reduce exposure to vulnerabilities, consider running a trusted vulnerability scanner. For example: |
Feature | Description |
---|---|
IP Access Control |
You can control the access to Cisco DNA Center based on the IP address of the host or network. By default, all IP addresses can access Cisco DNA Center. |
License Consumption Report Upload Support for Cisco AireOS Controllers |
You can register Cisco DNA Center to a specific smart account and virtual account in Cisco SSM so that Cisco DNA Center uploads the license utilization details on behalf of Cisco AireOS Controllers to Cisco SSM. This feature addresses the limitation that Cisco AireOS Controllers do not recognize Cisco DNA Center licenses and Network licenses and therefore do not send license utilization details directly to Cisco SSM. |
Device Certificate Lifecycle Management |
You can view and manage the certificates that Cisco DNA Center issues for managed devices to authenticate and identify the devices. |
Certificate Signing Request (CSR) Support for Cisco DNA Center |
You can create your CSR, and then submit it to your provider to generate your certificate. |
Recognize Existing Licensing Configuration in Customer's Environment with Satellite Server |
Cisco DNA Center discovers the registration state of devices after a connection mode change. You can reregister the devices with the updated SSM. |
License Manager GUI Enhancements |
The License Manager window has the following changes:
|
Create Custom Prompts |
Cisco DNA Center lets you create custom prompts for the username and password. You can configure the devices in your network to use custom prompts and collect information about the devices. |
Configure Device Configuration Backup Settings |
Cisco DNA Center lets you configure your device configuration backup settings. You can choose the day and time and the total number of config drifts that can be saved per device. |
Configure External Server for Archiving Device Configuration |
Cisco DNA Center lets you configure an external SFTP server for archiving the running configuration of devices. |
Label Configuration Drift |
You can label the configuration drift of device. The labeled configuration drift is saved and can be used for future reference. |
Support for Restricted Shell |
For added security, Cisco DNA Center supports restricted shell. If your network uses any CLI-based scripts or troubleshooting commands, you have the option of disabling the restricted shell in the current Cisco DNA Center release. For more information, see "Disable Restricted Shell" in the Cisco DNA Center 2.3.2 Administrator Guide. |
3D Wireless Maps Enhancements |
Enhancements to 3D wireless maps include:
|
Network Profiles for Assurance |
You can configure issue settings in an Assurance network profile and apply the profile to a site or group of sites independently from the global issues settings. You can enable or disable an issue, and you can change its priority. |
Install Hosted Application on Switches Workflow Enhancements |
You can view the configuration template before deploying an application on switches. |
Device Pack Support for Legacy Devices |
You can display the device pack support for legacy devices. In the Support Type for legacy devices is shown as Limited. window, the |
Display Information About Your Inventory |
You can display the following inventory details in the table:
|
View Flow Count Details and Policy Enforcement Statistics |
You can view additional details about scalable groups:
|
Schedule Maintenance for Devices |
You can place devices into maintenance mode in Cisco DNA Center. If a device is in maintenance mode, Cisco DNA Center does not process any telemetry data associated with the device. By placing faulty devices into maintenance mode, you can avoid receiving unnecessary alerts from these devices. |
Learn Device Configuration from Brownfield Devices (Beta Feature) |
Cisco DNA Center can learn configurations from devices, such as Cisco Wireless Controllers, in an existing deployment and save the configurations at the global level. |
Application Visibility |
Cisco DNA Center support is extended for the following enhancements in Application Visibility:
|
Enable Application Telemetry for Wireless Controllers. |
When you enable Application Telemetry for a new or existing device, you can select the SSID type. Available SSID types are Local and Flex/Fabric. You can also select Guest SSID. |
System Analyzer Tool |
Using the System Analyzer tool, you can retrieve log files to help you troubleshoot system issues. To help you troubleshoot Cisco SD-Access or software image management (SWIM) issues, you can also retrieve log files that are specific to those components. |
Disk Utilization Event Notifications |
You can now subscribe to and receive notifications that are sent whenever disk utilization by the nodes in your system reaches a level that can impact network operations. |
Software Management Window |
The look and feel of the Software Updates window that was provided in earlier Cisco DNA Center releases has been updated. In this release, you can initiate system and application updates from the new Software Management window (menu icon > ). |
Configure ThousandEyes Integration |
You can configure an external ThousandEyes APIs agent to enable ThousandEyes Integration using the authentication token. After integration, Cisco DNA Center provides ThousandEyes agent test data in the Application Health dashboard. |
Two-Site Failure Response Updates |
Cisco DNA Center's response to failures involving at least two of a disaster recovery system's sites has been enhanced. |
NTP Server Authentication |
When configuring your Cisco DNA Center appliance using the Advanced Install Configuration wizard, you can now enable the authentication of your NTP server before it is synchronized with Cisco DNA Center. |
New and Changed Features in Cisco DNA Assurance
Feature | Description |
---|---|
Wireless Controller Event Viewer |
Event Viewer has been updated to include events logged by Cisco AireOS and Cisco IOS wireless controllers. |
Wireless Controller 360 KPIs |
Cisco DNA Assurance now provides temperature and interface information on the Device 360 window for wireless controllers. |
Custom Issue Settings (Network Profiles for Assurance) |
You can create custom issue settings for a specific site or group of sites. These settings are called network profiles for Assurance and can be managed from both Assurance and Cisco DNA Center. By creating a network profile for Assurance, you can control which issue settings are monitored, and you can change the issue priority. |
Maintenance Mode |
While a network device is in maintenance mode, Cisco DNA Center does not gather health data, collect interface statistics, trigger issues, or include the device in calculating health scores. Devices that are under maintenance are displayed in the Under Maintenance banner below the timeline slider in the Application 360 window. |
Enhanced RRM Dashboard |
With this release, Cisco AI Network Analytics uses artificial intelligence to define the behavior of a radio frequency (RF) network within a building enabled with enhanced Radio Resource Management (RRM). |
Export Assurance Windows |
With this release, you can export the following Assurance Health windows to PDF format:
|
Webex Client 360 |
In the Webex Client 360, the client meetings table is enhanced with the following columns to indicate the overall health for each meeting:
|
Floor Filters |
In the Assurance Network Heatmap window, you can filter heatmap data for specific floors from the Building drop-down list in the site hierarchy. |
Wi-Fi 6E |
With this release, Wi-Fi 6E support is added to the Wi-Fi 6 dashboard.
|
NetFlow Visibility |
In the Application Health dashboard, the summary dashlet displays the total number of packets and the exporters in the NETFLOW area. |
Application Health Dashboard Enhancement |
With this release, the Application Health dashboard includes ThousandEyes Integration with enterprise agent tests. The dashboard is populated with agent tests only when NetFlow is received for at least one device on the site. |
Cisco AI Network Analytics - Radio Insights Based on Client Experience |
Cisco AI Network Analytics uses machine learning algorithms to identify wireless access points with a potentially poor client experience. APs are continually analyzed over long periods and those suspected of providing a suboptimal client experience are grouped by underlying root cause and suggested improvements. |
New and Changed Features in Cisco DNA Automation
Feature | Description | ||||
---|---|---|---|---|---|
Remote Teleworker Site |
You can use Cisco DNA Center to configure remote teleworker sites. Remote teleworker sites provide a more secure connection, proper application prioritization, and a simple installation and onboarding experience for remote workers. |
||||
Network Bug Identifier Tool |
The Network Bug Identifier Tool GUI has been enhanced due to integration improvements between the Network Bug Identifier Tool and the Cisco CX Cloud. The GUI no longer shows the number of affected routers, switches, and hubs in the summary pane at the top of the results window. Instead, the GUI shows the scan mode, either Essential using the Cisco Machine Reasoning Engine (MRE) or CX Cloud. The results table also shows the scan status for each device. For the Network Bug Identifier Tool and bugs supported through the Cisco CX Cloud, the supported families are switches and hubs, routers. |
||||
Download Error Report |
In the Tasks window, Download Error Report link is added in the slide-in pane of a failed task that allows you to download the contextual troubleshooting information of a particular task. |
||||
Default Home Page |
The default home page includes the following enhancements:
|
||||
Remote Support Authorization Dashboard |
You can create, cancel, and view past remote support authorizations along with total, scheduled, and completed remote support authorizations.
|
||||
Create Remote Support Authorization |
With this release, Cisco DNA Center allows you to create remote support authorization to grant remote access to a Cisco specialist for troubleshooting the network. |
||||
View Security Advisories |
|
||||
Machine Reasoning Knowledge Base |
Machine reasoning knowledge base support is extended for the Cisco CX Cloud service for network bug identifier and security advisory. |
||||
Manage Your Inventory |
While assigning a device to a site, Generate Configuration Preview allows you to preview the configuration. |
||||
Configure Telemetry |
When you update a device configuration using telemetry, Generate Configuration Preview allows you to preview the configuration. |
||||
Configure Network Settings |
Cisco DNA Center support is extended for AI Radio Frequency (RF) profiles, which allows you to define the behavior of an RF network within a building enabled with enhanced Radio Resource Management (RRM). |
||||
Support for New Model Config Designs |
|
||||
AP Reboot for Troubleshooting |
Using the AP Reboot feature, you can reboot one or more APs for troubleshooting and maintenance using the Cisco DNA Center GUI. |
||||
Support for AP LED Flash Status |
You can locate APs on the physical site by enabling LED Flash Status for APs using the Cisco DNA Center GUI. |
||||
Custom Redirect ACL for Enterprise SSID |
Using the Pre-Authentication ACL feature, you can create a pre-authentication ACL for web authentication to allow certain types of traffic before authentication is complete. This ACL is referenced in the access-accept of Cisco Identity Services Engine (ISE) and defines what traffic to be permitted and what traffic to be denied by the ACL. After ACLs are configured on the wireless controller, they can be applied to the management interface, the AP-manager interface, any of the dynamic interfaces, or a WLAN to control data traffic to and from wireless clients or to the controller central processing unit (CPU) to control all traffic destined for the CPU. You can configure both IPv4 and IPv6 ACLs. |
||||
URL Filtering |
Using URL filtering, you can add specific URLs to the allowed list for web authentication of captive portals and walled gardens. Authentication is not required to access the allowed list of URLs. When you try to access sites that are not in the allowed list, you are redirected to the login page. |
||||
Posture Assessment |
Posture is a service in Cisco ISE that allows you to check the state, also known as posture, of all the endpoints that are connecting to a network for compliance with corporate security policies. This allows you to control clients to access protected areas of a network. |
||||
Create an Event Notification |
You can use the Cisco DNA Center event notification to associate multiple channels inside one notification. The notification delivers the details of selected events that occur at multiple points. |
||||
Artificial Intelligence (AI) Radio Frequency (RF) Profile |
You can create, edit, delete, configure, assign, and unassign an AI RF profile. An AI RF profile allows you to define the behavior of an RF network within a building that is enabled with enhanced Radio Resource Management (RRM). You can also upgrade a basic RF profile to an AI RF profile. |
New and Changed Features in Cisco Software-Defined Access
Feature | Description |
---|---|
Support for Supplicant-Based Extended Nodes |
You can onboard supplicant-based extended nodes by configuring an authenticator port on the fabric edge with a Closed Authentication Template. Only specific platforms support supplicant-based extended node onboarding. Supplicant-based extended nodes are extended node devices that receive an 802.1X supplicant configuration and are onboarded into the SD-Access network only after a complete authentication and authorization. The authenticator port on the edge node must be configured with a Closed Authentication Template. Supplicant-based extended node onboarding is a one-touch process. After the network administrator claims the supplicant device through the Cisco DNA Center Plug and Play menu options, the supplicant device is onboarded into the network. Cisco Catalyst 9200 Series, 9300 Series, 9400 Series, 9500 Series, and 9500H Series switches that run on Cisco IOS XE 17.7.1 or later release can be configured as a supplicant-based extended node. Cisco Catalyst 9300 Series, 9400 Series, 9500 Series, and 9500H Series switches that run on Cisco IOS XE 17.7.1 or later release can be configured as an edge node. |
DHCP Snooping on Extended Nodes |
DHCP Snooping is now provisioned on the Cisco Catalyst 9000 Series switches that are configured as extended nodes. Extended node devices share the device sensor configuration data of the endpoints with the Cisco Identity Services Engine (ISE). Cisco ISE uses this data to profile the endpoints. |
Bridge-Mode Virtual Machine in a Fabric-Enabled Wireless Network |
The virtual machines that run inside a host computer must be identifiable. To profile the virtual machines, create the virtual machines in a bridge mode. In the bridge mode, each virtual machine is assigned an IP address and all the virtual machines are connected by a bridge. Each virtual machine is individually authenticated and authorized into the Cisco SD-Access network. This release of Cisco DNA Center supports onboarding of wireless bridge-mode virtual machines. You can configure a Wireless IP address pool with Bridge Mode VM enabled to authenticate and profile wireless bridge-mode virtual machines. For more information, see the Cisco DNA Center User Guide. |
Support for FQDN-Based Certificate in LAN Automation and Plug and Play Workflows |
LAN Automation workflows now support the onboarding of factory default devices with a fully qualified domain name (FQDN)-based certificate. |
IS-IS Configuration Through LAN Automation |
LAN Automation now configures devices to operate at IS-IS Level 2, instead of operating at both Level 1 and Level 2. |
REP Ring Topology Support for Extended Nodes and Policy Extended Nodes |
When extended nodes are connected to a fabric network, they onboard as a Spanning Tree Protocol (STP) ring, by default. In Cisco DNA Center 2.3.2 and later releases, you can configure the extended nodes and policy extended nodes in a Resilient Ethernet Protocol (REP) ring. Multiple rings within a given ring and a ring of rings aren't supported. However, a fabric edge node can support multiple independent rings. REP rings can only start and end on the same fabric edge node. REP rings starting and ending on extended nodes aren't supported. A REP ring or a daisy chain can't be a mix of extended nodes and policy extended nodes. A REP ring or a daisy chain must consist entirely of either extended nodes or policy extended nodes. The following devices can be configured in a REP ring:
|
Application Hosting support for ThousandEyes in a Cisco SD-Access network |
Cisco DNA Center Application Hosting Service already supports ThousandEyes Enterprise Agent on nonfabric devices. Cisco DNA Center Release 2.3.2.0 introduces the support for ThousandEyes Enterprise Agent on the devices in your fabric network too. In the App Hosting for Switches workflow, select a fabric device and select the VLAN to map with the ThousandEyes Enterprise Agent network interface. For more information on installing an application and its maintenance, see “Application Hosting” in the Cisco DNA Center User Guide. Cisco Catalyst 9300 Series switches, Cisco Catalyst 9300L Series switches and Cisco Catalyst 9400 Series switches that run Cisco IOS XE 17.3.1 and later releases support the hosting of ThousandEyes Enterprise Agent application in a fabric network. |
New and Changed Features in Interactive Help
Feature | Description |
---|---|
Additional Interactive Help Walkthroughs |
Added the following walkthroughs:
|
Deprecated Walkthroughs |
The following walkthrough is deprecated: Create a Fabric |
Feature | Description |
---|---|
Additional Interactive Help Walkthroughs |
Added the following walkthroughs:
|
Additional Resources Pages |
Added the following resources:
|
Deprecated Features
Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS) provisioning use cases are deprecated. The option to provision an NFV profile has been removed from the Cisco DNA Center GUI. However, image upgrade of NFV is still supported. Also, you can still manage NFVIS devices in Cisco DNA Center by adding them manually or through Plug and Play.
Cisco DNA Center Compatibility Matrix
For information about devices, such as routers, switches, wireless APs, NFVIS platforms, and software releases supported by each application in Cisco DNA Center, see the Cisco DNA Center Compatibility Matrix.
Cisco SD-Access Compatibility Matrix
For information about Cisco SD-Access hardware and software support for Cisco DNA Center, see the Cisco Software-Defined Access Compatibility Matrix. This information is helpful for deploying Cisco SD-Access.
Compatible Browsers
The Cisco DNA Center GUI is compatible with the following HTTPS-enabled browsers:
-
Google Chrome: Version 93 or later.
-
Mozilla Firefox: Version 92 or later.
We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.
Note |
For an upgrade to Cisco DNA Center 2.3.2, we recommend that you use Chrome, not Firefox, during the upgrade. |
Supported Firmware
Cisco Integrated Management Controller (Cisco IMC) versions are independent from Cisco DNA Center releases. This release of Cisco DNA Center has been validated against the following firmware:
-
Cisco IMC Version 3.0(3f) and 4.1(2g) for appliance model DN1-HW-APL
-
Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL
-
Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL-L
-
Cisco IMC Version 4.1(1h) for appliance model DN2-HW-APL-XL
Cisco DNA Center Scale
For Cisco DNA Center scale numbers, see the Cisco DNA Center Data Sheet.
IP Address and FQDN Firewall Requirements
To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through an existing network firewall, see "Required Internet URLs and Fully Qualified Domain Names" in the "Plan the Deployment" chapter of the Cisco DNA Center Installation Guide.
About Telemetry Collection
Telemetry data is collected by default in Cisco DNA Center, but you can opt out of some data collection. The data collection is designed to help the development of product features and address any operational issues, providing greater value and return on investment (ROI). Cisco collects the following categories of data: Cisco.com ID, System, Feature Usage, Network Device Inventory, and License Entitlement. See the Cisco DNA Center Data Sheet for a more expansive list of data that we collect. To opt out of some of data collection, contact your Cisco account representative and the Cisco TAC.
Supported Hardware Appliances
Cisco supplies Cisco DNA Center in the form of a rack-mountable, physical appliance. The following versions of the Cisco DNA Center appliance are available:
-
First generation
-
44-core appliance: DN1-HW-APL
-
-
Second generation
-
44-core appliance: DN2-HW-APL
-
44-core promotional appliance: DN2-HW-APL-U
-
56-core appliance: DN2-HW-APL-L
-
56-core promotional appliance: DN2-HW-APL-L-U
-
112-core appliance: DN2-HW-APL-XL
-
112-core promotional appliance: DN2-HW-APL-XL-U
-
Installing Cisco DNA Center
You install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. See the Cisco DNA Center Installation Guide for information about installation and deployment procedures.
Note |
Certain applications, like Group-Based Policy Analytics, are optional applications that are not installed on Cisco DNA Center by default. If you need any of the optional applications, you must manually download and install the packages separately. For more information about downloading and installing a package, see "Manage Applications" in the Cisco DNA Center Administrator Guide. |
Cisco DNA Center Platform Support
For information about the Cisco DNA Center platform, including information about new features and open and resolved bugs, see the Cisco DNA Center Platform Release Notes.
Support for Cisco Connected Mobile Experiences
Cisco DNA Center supports Cisco Connected Mobile Experiences (CMX) Release 10.6.2 or later. Earlier versions of Cisco CMX are not supported.
Caution |
While configuring the CMX settings, do not include the # symbol in the CMX admin password. The CMX integration fails if you include the # symbol in the CMX admin password. |
Plug and Play Considerations
Plug and Play Support
General Feature Support
Plug and Play supports the following features, depending on the Cisco IOS software release on the device:
-
AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release Cisco IOS 15.2(6)E1, Cisco IOS 15.6(3)M1, Cisco IOS XE 16.3.2, or Cisco IOS XE 16.4 or later on the device.
-
Image install and upgrade for Cisco Catalyst 9200 Series, Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches are supported only when the switch is booted in install mode. (Image install and upgrade is not supported for switches booted in bundle mode.)
Secure Unique Device Identifier Support
The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:
-
Cisco routers:
-
Cisco Catalyst IR 1800 Series with software release Cisco IOS XE 17.5.1 and later
-
Cisco ISR 1100 Series with software release Cisco IOS XE 16.6.2
-
Cisco ISR 4000 Series with software release Cisco IOS XE 3.16.1 or later, except for the ISR 4221, which requires release Cisco IOS XE 16.4.1 or later
-
Cisco ASR 1000 Series (except for the ASR 1002-x) with software release Cisco IOS XE 16.6.1
-
-
Cisco switches:
-
Cisco Catalyst 3850 Series with software release Cisco IOS XE 3.6.3E or Cisco IOS XE 16.1.2E or later
-
Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software release 3.6.3E, Cisco IOS XE 3.7.3E, or Cisco IOS XE 16.1.2E or later
-
Cisco Catalyst 4500 Series with Supervisor 8L-E with software release Cisco IOS XE 3.8.1E or later
-
Cisco Catalyst 4500 Series with Supervisor 9-E with software release Cisco IOS XE 3.10.0E or later
-
Cisco Catalyst 9300 Series with software release Cisco IOS XE 16.6.1 or later
-
Cisco Catalyst 9400 Series with software release Cisco IOS XE 16.6.1 or later
-
Cisco Catalyst 9500 Series with software release Cisco IOS XE 16.6.1 or later
-
Cisco Catalyst IE3300 Series with software release Cisco IOS XE 16.10.1e or later
-
Cisco Catalyst IE3400 Series with software release Cisco IOS XE 16.11.1a or later
-
-
NFVIS platforms:
-
Cisco ENCS 5400 Series with software release 3.7.1 or later
-
Cisco ENCS 5104 with software release 3.7.1 or later
-
Note |
Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:
|
Management Interface VRF Support
Plug and Play operates over the device management interface on the following platforms:
-
Cisco routers:
-
Cisco ASR 1000 Series with software release Cisco IOS XE 16.3.2 or later
-
Cisco ISR 4000 Series with software release Cisco IOS XE 16.3.2 or later
-
-
Cisco switches:
-
Cisco Catalyst 3650 Series and 3850 Series with software release Cisco IOS XE 16.6.1 or later
-
Cisco Catalyst 9300 Series with software release Cisco IOS XE 16.6.1 or later
-
Cisco Catalyst 9400 Series with software release Cisco IOS XE 16.6.1 or later
-
Cisco Catalyst 9500 Series with software release Cisco IOS XE 16.6.1 or later
-
4G Interface Support
Plug and Play operates over a 4G network interface module on the following Cisco routers:
-
Cisco 1100 Series ISR with software release Cisco IOS XE 16.6.2 or later
-
Cisco Catalyst IR 1800 Series
Configure Server Identity
To ensure successful Cisco DNA Center discovery by Cisco devices, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternate Name (SAN) value so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.
The SAN requirement applies to devices running the following Cisco IOS releases:
-
Cisco IOS Release 15.2(6)E2 and later
-
Cisco IOS Release 15.6(3)M4 and later
-
Cisco IOS Release 15.7(3)M2 and later
-
Cisco IOS XE Denali 16.3.6 and later
-
Cisco IOS XE Everest 16.5.3 and later
-
Cisco IOS Everest 16.6.3 and later
-
All Cisco IOS releases from 16.7.1 and later
The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:
-
For DHCP option-43 or option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4 or IPv6 address of Cisco DNA Center.
-
For DHCP option-43 or option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.
-
For DNS discovery, set the SAN field to the Plug and Play hostname, in the format pnpserver.domain.
-
For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, the SAN field must be set to the FQDN of the controller.
If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a Network Address Translation (NAT) router, this public IP address must be included in the SAN field of the server certificate.
If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.
We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value followed by the IP address.
If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the Plug and Play process.
Note |
The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field. |
Bugs
Open Bugs
The following table lists the open bugs in Cisco DNA Center for this release.
Bug Identifier | Headline | ||
---|---|---|---|
In a Cisco DNA Center system where file system utilization exceeds 60%, if you upgrade to Cisco DNA Center 2.3.2, you can see the warning or critical notifications for file system utilization only on the window; you are not notified via email. If you subscribe to the event after the upgrade, only events that occur after the subscription generate email notifications. |
|||
In the Wide Area Bonjour Dashboard, you cannot select the year and date in the Average Service Query Statistics area. |
|||
For Wide Area Bonjour, restoring a NIC-bonded cluster link in three-node HA sometimes causes Service Discovery Gateway (SDG) agents to remain in inactive status. In an operational three-node cluster running the Cisco Wide Area Bonjour application, when the cluster becomes operational with only two nodes after a node is lost from the cluster or a previously lost third node becomes operational due to manual administrative actions or network malfunction, the following issue may be seen sometimes for the Wide Area Bonjour service: The status of some SDG agents in the Wide Area Bonjour SDG dashlet, where the state of the affected SDG agents is Reachable, but Down. Wide Area Bonjour shows the status of the services learned from these affected SDG agents as inactive and doesn't process queries from these SDG agents. window may remain inactive, even if they were active before the incident. This issue is also reflected inRunning the show mdns controller summary command on any affected SDG agent switch shows the connection state as negotiating (although a ping to the controller IP from the interface is successful). This issue doesn’t affect the operation of any other service on Cisco DNA Center. |
|||
Devices health information is missing in multiple Assurance dashboards for few devices randomly. |
|||
The window shows some inconsistencies in the X-axis values for the Trend charts. Some dates and timestamps are missing from the X axis on the graphs. |
|||
In Cisco DNA Center 2.3.2, there is a new "Software Management" feature for upgrading. If you use a Firefox browser for the Cisco DNA Center upgrade, there are some problems with maintenance mode updates and exiting the original browser connection. When you use a Chrome browser for the upgrade, the problems are not seen.
|
|||
On the window, filtering is slightly delayed when the table contains large amounts of data. For example, if you have more than 5000 values for endpoint type or hardware manufacturer, filtering may take approximately 20 seconds or more. |
|||
The Cisco DNA Center GUI allows the same minimum and maximum power level value in a radio frequency profile. The expected behavior is that the minimum and maximum power levels must be different. |
|||
CTS credentials of the device are not in sync with the ISE NAD entry. |
|||
Deleting faulty device from inventory failed in RMA flow. |
|||
Assurance data of wired clients is inconsistent in a disaster recovery setup after failover. |
|||
For Wide Area Bonjour, inactive services are not flushed after the inactive timer expires. |
|||
NetFlow are not processed by Cisco DNA Center. NetFlow information doesn't appear in the window. |
|||
After an upgrade, some devices under the tab are tagged incorrectly with "Needs Registration." |
|||
During HA, the pipeline-taskmgr-assurance service goes into a crash loop. |
|||
On the Device 360 window, CPU and Memory values do not populate for Cisco Catalyst 9300 switches. |
|||
During HA, the pipeline-task mgr-assurance service keeps restarting. |
|||
In the Learn Device Configuration workflow, if a non-flex SSID is learned, the site tag has "default-flex-profile" as the flex profile name. Under , the same non-flex site tag is mapped with "default-flex-profile" as the profile name.This behavior is inline with the device configuration. |
|||
The dnacp-formatter-service is not starting after upgrading from Cisco DNA Center 2.1.2.6 to 2.2.2.8. |
|||
While deploying Cisco DNA Center 2.3.2.3, packages do not download correctly. To work around this problem, do the following:
|
Resolved Bugs
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.2.3.
Bug Identifier | Headline |
---|---|
Cisco DNA Center may fail to provision a Cisco Catalyst 9800 Series Wireless Controller, citing the following error:
|
|
Adding and removing a fabric edge provisions wireless controllers randomly with different configurations. |
|
Many manually generated reports in Cisco DNA Center result in blank pages. |
|
Ekahau file import fails with the following API error:
|
|
Unable to start LAN automation due to the following error:
|
|
SBEN nodes toggle between inbuilt templates, resulting in error disabled. |
|
Cisco DNA Center 2.2.3.3: PnP fails to claim a device. |
|
Fabric deploy sends an incorrect RADIUS authentication server command, and provisioning fails for an AireOS wireless controller. |
|
A user intent validation failure occurs when provisioning a wireless controller. |
|
Assurance shows an end host MAC in an old user's client 360 window. |
|
Banner push for LISP key change fails in Cisco DNA Center 2.2.2.x if there are wireless devices. |
|
A null pointer exception occurs while accessing Show Task from the Image Repository window. |
|
The new Cisco DNA Center Platform UI API docs are missing the API URL. |
|
The banner must be updated with a warning that wireless controller provisioning must succeed before attempting a LISP key change. |
|
During an attempt to activate the Cisco DNA Center Disaster Recovery system after registration, the DR activation workflow never completes. On the Main cluster, the "Configure active" flow completes properly, and the Main site moves to a "Waiting Standby Configuration" state. But on the "Configure standby" flow, the Configure replication step doesn't complete, leaving the Recovery site in the "Configuring Standby" state indefinitely. |
|
After a DR Pause + Backup and Restore + DR Rejoin workflow, the Config Preview workflow for provisioning fails. Also, device reprovisioning fails for all devices with the following error:
|
The following table lists the resolved bugs in Cisco DNA Center, Release 2.3.2.0.
Bug Identifier | Headline |
---|---|
Cisco DNA Center silently pushes Identity-Based Networking Services (IBNS) 2.0 "new-style" commands to any switch that is provisioned. If there is no Cisco ISE integration to replace these commands, the port security configurations might be removed. |
|
Containers from one Cisco DNA Center node may become stuck in the state "ContainerCreating, failing to pull image" due to issues with GlusterFS mounting on one node, and replication across all nodes. |
|
AAA/Cisco ISE inheritance settings do not display correctly between Global and sites in certain flows. |
|
A package upgrade fails because the table "lispmssiteeidprefix" violates a foreign key constraint. |
|
The large MongoDB database size causes a MongoDB clustering failure. |
|
Creating a segment with non-alphanumeric characters in the VLAN name fails with a provisioning error. |
|
Virtual routing and forwarding (VRF)-specific name servers are removed by Cisco DNA Center. |
|
Provisioning fails when adding a AAA server using a port number greater than 32767 to Cisco DNA Center. |
|
During an upgrade of Cisco DNA Center application packages, the upgrade may appear to be stuck for hours at 20% with no obvious movement forward. The migration logs show a deadlock on the Postgres executionevent table. This issue stems from a large database table upon which database update queries pile up, causing a deadlock. |
|
Interface information takes a long time to populate after LAN automation. |
|
Client Detail, Client Session, and AP Radio reports fail. |
|
In stacked devices, the TrustSec ID and password are set to primary/active serial numbers only. |
|
Cisco DNA Center may fail to provision a Nexus 7710 if there is an octothorp "#" character in the device login banner. |
|
Messages in the "dna.lan.common.service" queue block subsequent LAN automation. |
|
When importing an .esx file from an Ekahau project, the azimuth is always off by 90 degrees. |
|
SNMP traps are not configured after a device is deleted and readded. |
|
Templates created and exported from Cisco DNA Center 2.1.2.6 may not be able to be imported into Cisco DNA Center 2.1.2.5. |
|
Offline APs are shown as active on a heatmap. |
|
When attempting to set up the integration between Cisco DNA Center and Cisco DNA Spaces, the integration may fail with the error message, "Unable to export hierarchy to the CMX DNA Spaces for one or more domains." |
|
Cisco DNA Center may fail to synchronize a Cisco Catalyst 9000 series switch that is configured with an access-list associated to the netconfig-yang configuration. |
|
Cisco DNA Center may push a different Anycast Gateway MAC address to some fabric edge nodes, which causes multiple edge nodes to register a single wired client with the MSMR and control plane, even though the wired client is connected to a single edge node and is not roaming. |
|
The config archive tries to capture data from unreachable devices. |
|
The Assurance event notifications device parameter returns the device UUID, not the device IP address. |
|
Wireless controller provisioning fails on IRCM version validation. |
|
An upgrade to Cisco DNA Center 2.1.2.x fails with the PSQLException error, "ERROR: could not create unique index mdfproductfamily_pkey." |
|
Cisco DNA Center may fail to provision a device, citing the error, "Unable to push CLI 'timeout 0' to device x.x.x.x." |
|
Updating many devices frequently may cause Cisco DNA Center's scheduler service to restart. |
|
Cisco DNA Center fails to generate a PKCS12 certificate due to the error, "Failed to find internal Trustpoint." |
|
Reserved child pools for L3 handoff are not released after a failed fabric provision. |
|
Cisco DNA Center cannot assign some Meraki APs to a site. |
|
An error occurs while using the Cisco DNA Center BAPI connector on ServiceNow. |
|
Cisco DNA Center may not generate a heatmap for the 2.4-GHz band of Cisco Catalyst 9120 APs, even though it is generated for the 5-GHz band as expected. |
|
Cisco ISE integration fails with the error, "FQDN x doesn't match the common name contained in the system certificate." |
|
The Inventory service may crash if the managed devices send a high volume of syslogs to Cisco DNA Center. |
|
After upgrading to Cisco DNA Center 2.1.2.7, inventory collection from an existing Catalyst 9500 switch fails, citing the exception, "ERROR: update or delete on table 'protocolendpoint' violates foreign key constraint 'fkad4b72e9a8fce39d' on table 'vxlannvesettings'." |
|
Cisco DNA Center fails to display an ROI report. |
|
Provisioning fails after segment deletion and site rename while a device is offline. |
|
Cisco DNA Center may be unable to remove a managed device from a fabric-in-a-box installation, citing the following error in the network programmer service's logs:
|
|
An appliance mismatch occurs between the main (DN2-HW-APL-XL) and the recovery (DN2-HW-APL-XL-U) appliance. |
|
After setting TLS v1.2 as the minimum supported version, some ports still show TLS v1.1. |
|
A device fails inventory collection due to missing database entries after an image upgrade. |
|
LAN automation may not configure the L3 link between the peer seed and the PnP agent. |
|
NetFlow table updates are too aggressive for large-scale deployments. |
|
Cisco DNA Center may create a duplicate site tag with the default-flex-profile linked to it when an existing wireless LAN controller is reprovisioned. |
|
A system upgrade fails from Cisco DNA Center 2.2.2.x to Cisco DNA Center 2.2.3.x. |
|
When Cisco DNA Center attempts to configure Application Visibility and Control (AVC) to an eight-member stack of Catalyst 9000 switches, the process may fail with the error, "NBAR Error: Cannot enable Protocol-discovery - platform interface limit reached." |
|
Cisco DNA Center may fail to provision a wireless LAN controller that had previously been removed from a fabric and inventory, citing a null pointer exception during the updateApN1HAConfig process. |
|
The NAC RADIUS configuration on the WLAN profile is lost when the wireless controller reloads. |
|
Fabric provisioning fails when a border device is removed. |
|
When Cisco DNA Center provisions a managed wireless controller, the affected wireless SSID may go down because the required interface description on the SSID's switched virtual interface (SVI) is overwritten with null. |
|
Clear Port Config succeeds from the GUI, but the config is still present on the device. |
|
LAN automation doesn't release the DHCP subnet while LAN Auto start fails. |
|
WLANs on a foreign wireless controller get disabled on provisioning of the anchor wireless controller. |
|
An upgrade to Cisco DNA Center removes the TACACS key to network devices from Cisco ISE. |
|
Cisco DNA Center may become unresponsive in two to four weeks after being rebooted. When this happens, there is no GUI access, no SSH access, or response from the Cisco IMC's KVM console. |
|
The wrong L2 instance is pushed to the anchoring site if a different VLAN name is used. |
|
SSA to address route lookup gaps for interface selection. |
|
Create or update floormaps API documentation does not include the payload request schema. |
|
Cannot edit email parameters after the first entry in destinations in Cisco DNA Center 2.2.2.x. |
|
Cisco DNA Center may fail to configure native Any-Source Multicast (ASM), citing the error, "Unable to push CLI 'ip pim lisp transport multicast' to device xx.xx.xx.xx using protocol ssh2". |
|
While adding additional edge switches to an existing fabric, Cisco DNA Center may alter the AAA configuration of an existing wireless LAN controller from TACACS to RADIUS. |
|
Image import fails with the error, "File exists in Softwareimageinfo but unable to add to File Service." |
|
LAN automation fails with "Error while reserving link subnet:..." when there are more than 31 dummy pools. |
|
When the maps API calls Assurance APIs, the sensor API fails. |
|
An interface (like GigabitEthernet0/0/0, 0/0/1) selected from the drop-down list reverts to GigabitEthernet0. |
|
Deployment of the security fix fabric banner removes RADIUS PAC from extended nodes. |
|
All wireless controllers are implicitly configured when IP pools are assigned or removed from fabric WLANs on the Host Onboarding window. |
|
Cannot delete a segment from host onboarding. |
|
LAN automation must align to the Cisco DNA Center Security Best Practices Guide. |
|
A Cisco ISE node PSN that is added as a AAA server in Cisco DNA Center cannot be removed, even if no WLAN is using the node as AAA. |
|
A supplicant-based extended node fails to onboard via Plug and Play using a Cisco DNA Center-provisioned ACL. |
|
EVENT_BASED_WIRED_WIRELESS_SYNC causes an internal error for the protocol endpoint. |
|
Device discovery tasks remain stuck in RUNNING state for a long time, clogging up the inventory service, which in turn prevents global credentials from being displayed. Because the global credentials don't load, new discovery tasks cannot start. The inventory service logs contain the following error logs:
|
Limitations and Restrictions
Upgrade Limitation
-
If you are upgrading to Cisco DNA Center and all of the following conditions apply, the upgrade never starts:
-
Cisco ISE is already configured in Cisco DNA Center.
-
The version of Cisco ISE is not 2.6 patch 1, 2.4 patch 7, or later.
-
Cisco DNA Center contains an existing fabric site.
-
The number of DNS servers must not exceed three.
Although the UI does not indicate that the upgrade failed to start, the logs contain messages related to the upgrade failure.
To work around this problem, upgrade Cisco ISE to 2.6 patch 1, 2.4 patch 7, or later, and retry the Cisco DNA Center upgrade.
-
-
In-Service Software Upgrade (ISSU) is not supported in Cisco SD-Access deployments.
Backup and Restore Limitations
-
You cannot take a backup of one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken.
-
After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, choose . Choose Edit for the server. Enter your Cisco ISE password to update.
-
After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. In such a scenario, you should manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.
-
Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore, and the backup that is being restored does not have the credential change information, all the devices go to partial collection after the restore. You must then manually update the device credentials on the devices for synchronization with Cisco DNA Center, or perform a rediscovery of those devices to learn the device credentials.
-
Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.
-
You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.
Cisco ISE Integration Limitations
-
ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access or in certificates in Cisco DNA Center and Cisco ISE.
-
Full certificate chains must be uploaded to Cisco DNA Center while replacing an existing certificate. If a Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.
-
Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC5280 section-4.2.19).
-
The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.
-
If a certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.
-
The Cisco DNA Center and Cisco ISE IP or FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.
-
Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.
-
Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.
Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.
License Limitation
The Cisco DNA Center License Manager supports Smart Licensing only for wireless LAN controller models that run Cisco IOS XE. License Manager does not support wireless LAN controller models that run Cisco AireOS.
Fabric Limitations
-
Cisco DNA Center supports up to a maximum of 1.2 million interfaces on fabric devices. Fabric interfaces include physical and virtual interfaces like switched virtual interfaces, loopback interfaces, and so on.
Physical ports cannot exceed 480,000 ports on a 112-core appliance.
-
IP address pools reserved at the area level are shown as inherited at the building level on the Host Onboarding window if the fabric site is defined at the building level. If the fabric site is defined at the building level, you must reserve the IP address pools at the building level. If the fabric site is defined at the area level, you must reserve the IP address pools at the area level.
window; however, these IP address pools are not listed on theTo work around this issue, release and reserve the IP address pool at the same level (area or building) as the fabric site, or reconfigure the fabric site at the same level as the reserved IP address pool.
-
Cisco DNA Center does not support multicast across multiple fabric sites that are connected by an SD-Access transit network.
Existing Feature-Related Limitations
-
Cisco DNA Center cannot learn device credentials.
-
You must enter the preshared key (PSK) or shared secret for the AAA server as a part of the import flow.
-
Cisco DNA Center does not learn the details about DNS, WebAuth redirect URL, and syslog.
-
Cisco DNA Center can learn the device configuration only one time per controller.
-
Cisco DNA Center can learn only one wireless controller at a time.
-
For site profile creation, only the AP groups with AP and SSID entries are considered.
-
Automatic site assignment is not possible.
-
SSIDs with an unsupported security type and radio policy are discarded.
-
For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.
-
The Cisco ISE server (AAA) configuration is not learned through existing device provisioning.
-
The authentication and accounting servers must have the same IP addresses for them to be learned through existing device provisioning.
-
When an SSID is associated with different interfaces in different AP groups, during provisioning, the newly created AP group with the SSID is associated with the same interface.
-
A wireless conflict is based only on the SSID name and does not consider other attributes.
Wireless Policy Limitation
If an AP is migrated after a policy is created, you must manually edit the policy and point the policy to an appropriate AP
location before deploying the policy. Otherwise, Policy Deployment failed
is displayed.
AP Limitations
-
AP as a sensor is not supported in this release of Cisco DNA Center.
-
Configuring APs in FlexConnect mode before provisioning the locally switched WLANs bypasses the AP provisioning error. Otherwise, the AP provisioning fails when the locally switched WLANs are provisioned on the wireless controller or APs through Cisco DNA Center.
After the provisioning failure, the AP rejoins the wireless controller. You can reprovision the AP for a successful provisioning.
-
Provisioning of 100 APs takes longer in this release as compared to 3 minutes in earlier releases. The amount of time varies depending on the "wr mem" time of the Cisco Catalyst 9800 Series Controller, which includes Cisco Catalyst 9800-40 Wireless Controller, Cisco Catalyst 9800-80 Wireless Controller, and Cisco Catalyst 9800-CL Cloud Wireless Controller devices.
-
When a wireless controller is in maintenance mode, all the associated APs are automatically placed in maintenance mode. However, you can't place the APs in maintenance mode individually if the associated wireless controller is not in maintenance mode.
Inter-Release Controller Mobility (IRCM) Limitation
The interface or VLAN configuration is not differentiated between foreign and anchor controllers. The VLAN or interface that is provided in Cisco DNA Center is configured on both foreign and anchor controllers.
IP Device Tracking on Trunk Port Limitation
Rogue-on-wire detection is impacted; Cisco DNA Center does not show all clients connected to a switch via an access point in bridge mode. The trunk port is used to exchange all VLAN information. When you enable IP device tracking on the trunk port, clients connected on the neighbor switch are also shown. Cisco DNA Center does not collect client data if the connected interface is a trunk port and the neighbor is a switch. As a best practice, disable the IP device tracking on the trunk port. The rogue on wire is not detected if the IP device tracking is enabled on the trunk port. See Disabling IP Device Tracking for more information.
IP Address Manager Limitations
-
You might see the following error when editing an existing IPAM integration or when adding a new IPAM manager.
NCIP10283: The remote server presented a certificate with an incorrect CN of the owner
To correct this, regenerate a new certificate for IPAM and verify that any one of the following conditions is met:
-
No values are configured in the SAN field of the certificate.
-
If there is a value configured, the value and type (IP address or FQDN) must match the configured URL in the
window.
-
-
Cisco DNA Center supports integration with an external IPAM server that has trusted certificates. In the Cisco DNA Center GUI, under , you might see the following error:
NCIP10282: Unable to find the valid certification path to the requested target.
To correct this error for a self-signed certificate:
-
Using OpenSSL, enter one of the following commands to download the self-signed certificate, depending on your IPAM type. (You can specify the FQDN [domain name] or IP address in the command.)
openssl s_client -showcerts -connect Infoblox-FQDN:443
openssl s_client -showcerts -connect Bluecat-FQDN:443
-
From the output, use the content from ---BEGIN CERTIFICATE--- to ---END CERTIFICATE--- to create a new .pem file.
-
Go to Import, and upload the certificate (.pem file).
, click -
Go to
and configure the external IPAM server. (If the IPAM server is already configured, skip this step.)
To correct this error for a CA-signed certificate, install the root certificate and any intermediate certificates of the CA that is installed on the IPAM into the Cisco DNA Center trustpool ( ).
-
-
You might see the following error if a CA-signed certificate is revoked by the certificate authority:
NCIP10286: The remote server presented with a revoked certificate. Please verify the certificate.
To correct this, obtain a new certificate from the certificate authority and upload it to
. -
You might see the following error after configuring the external IPAM details:
IPAM external sync failed: NCIP10264: Non Empty DNAC parent pool <CIDR> exists in external ipam.
To correct this, log in to the external IPAM server (such as BlueCat). Confirm that the parent pool CIDR exists in the external IPAM server, and remove all the child pools that are configured under that parent pool. Then, return to the Cisco DNA Center GUI and reconfigure the IPAM server under .
-
You might see the following error while using IP Address Manager to configure an external IPAM:
NCIP10114: I/O error on GET request for "https://<IP>/wapi/v1.2/": Host name '<IP>' does not match the certificate subject provided by the peer (CN=www.infoblox.com, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US); nested exception is javax.net.ssl.SSLPeerUnverifiedException: Host name '<IP>' does not match the certificate subject provided by the peer (CN=www.infoblox.com, OU=Engineering, O=Infoblox, L=Sunnyvale, ST=California, C=US) |
To correct this, log in to the external IPAM server (such as Infoblox) and regenerate your external IPAM certificate with the common name (CN) value as the valid hostname or IP address. In the preceding example, the CN value is www.infoblox.com, which is not the valid hostname or IP address of the external IPAM.
After you regenerate the certificate with a valid CN value, go to Import and upload the new certificate (.pem file).
. ClickThen, go to
and configure the external IPAM server with the server URL as the valid hostname or IP address (as listed as the CN value in the certificate).
Encryption Limitation with SNMPv3
AES192 and AES256 encryption is not fully supported for SNMPv3 configuration. If you add devices with AES192 or AES256 encryption to Cisco DNA Center, Assurance data is not collected for those devices.
As a workaround, to collect Assurance data, add a device with AES128 encryption. Cisco DNA Center supports AES128 and gathers Assurance data for devices with AES128 encryption.
IPv6 Limitations
If you choose to run Cisco DNA Center in IPv6 mode:
-
Access Control Application, Group-Based Policy Analytics, and Cisco AI Endpoint Analytics packages are disabled and cannot be downloaded or installed.
-
Communication through Cisco ISE pxGrid is disabled because Cisco ISE pxGrid does not support IPv6.
Cisco Plug and Play Limitations
-
Virtual Switching System (VSS) is not supported.
-
The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.
-
The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running Cisco IOS XE 16.7.1 and later.
-
The Plug and Play agent on the switch is initiated on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following command on the upstream device:
pnp startup-vlan <vlan_number>
Cisco Group-Based Policy Analytics Limitations
-
Cisco Group-Based Policy Analytics supports up to five concurrent requests based on realistic customer data. While it is desirable for GUI operations to respond within 5 seconds or less, for extreme cases based on realistic data, it can take up to 20 seconds. There is no mechanism to prevent more than five simultaneous requests at a time, but if it does happen, it might cause some GUI operations to fail. Operations that take longer than 1 minute will time out.
-
Data aggregation occurs at hourly offsets from UTC in Cisco Group-Based Policy Analytics. However, some time zones are at a 30 minute or 45 minute offset from UTC. If the Cisco DNA Center server is located in a time zone with a 30 minute or 45 minute offset from UTC and the client is located in a time zone with an hourly offset from UTC, or vice versa, the time ranges for data aggregation in Cisco Group-Based Policy Analytics are incorrect for the client.
For example, assume that the Cisco DNA Center server is located in California PDT (UTC-7) where data aggregations occur at hourly offsets (8:00 a.m., 9:00 a.m., 10:00 a.m., and so on). When a client located in India IST (UTC+5.30) wants to see the data between 10:00 - 11:00 p.m. IST, which corresponds to the time range 9:30 - 10:30 a.m. PDT in California, no aggregations are seen.
-
Group changes that occur within an hour are not captured. When an endpoint changes from one scalable group to another, Cisco Group-Based Policy Analytics is unaware of this change until the next hour.
-
You cannot sort the Scalable Group and Stealthwatch Host Group columns in the Search Results window.
-
You might see discrepancies in the information related to Network Access Device (including location) between Cisco DNA Assurance and Cisco Group-Based Policy Analytics.
Application Telemetry Limitation
When configuring application telemetry on a device, Cisco DNA Center might choose the wrong interface as the source for NetFlow data.
To force Cisco DNA Center to choose a specific interface, add netflow-source in the description of the interface. You can use a special character followed by a space after netflow-source but not before it. For example, the following syntax is valid:
netflow-source
MANAGEMENT netflow-source
MANAGEMENTnetflow-source
netflow-source MANAGEMENT
netflow-sourceMANAGEMENT
netflow-source & MANAGEMENT
netflow-source |MANAGEMENT
The following syntax is invalid:
MANAGEMENT | netflow-source
* netflow-source
netflow-source|MANAGEMENT
Communications, Services, and Additional Information
-
To receive timely, relevant information from Cisco, sign up at Cisco Profile Manager.
-
To get the business impact you’re looking for with the technologies that matter, visit Cisco Services.
-
To submit a service request, visit Cisco Support.
-
To discover and browse secure, validated enterprise-class apps, products, solutions, and services, visit Cisco DevNet.
-
To obtain general networking, training, and certification titles, visit Cisco Press.
-
To find warranty information for a specific product or product family, access Cisco Warranty Finder.
Cisco Bug Search Tool
Cisco Bug Search Tool (BST) is a gateway to the Cisco bug-tracking system, which maintains a comprehensive list of defects and vulnerabilities in Cisco products and software. The BST provides you with detailed defect information about your products and software.
Documentation Feedback
To provide feedback about Cisco technical documentation, use the feedback form available in the right pane of every online document.
Related Documentation
We recommend that you read the following documents relating to Cisco DNA Center.
For This Type of Information... | See This Document... |
---|---|
Release information, including new features, limitations, and open and resolved bugs. |
|
Installation and configuration of Cisco DNA Center, including postinstallation tasks. |
|
Upgrade information for your current release of Cisco DNA Center. |
|
Use of the Cisco DNA Center GUI and its applications. |
|
Configuration of user accounts, security certificates, authentication and password policies, and backup and restore. |
|
Security features, hardening, and best practices to ensure a secure deployment. |
|
Supported devices, such as routers, switches, wireless APs, and software releases. |
|
Hardware and software support for Cisco SD-Access. |
|
Technical references and validated solutions. |
|
Use of the Cisco DNA Assurance GUI. |
|
Use of the Cisco DNA Center platform GUI and its applications. |
|
Cisco DNA Center ITSM integration and Cisco DNA Center ITSM support. |
|
Use of the Cisco Wide Area Bonjour Application GUI. |
|
Use of the Stealthwatch Security Analytics Service on Cisco DNA Center. |
|
Use of Rogue and aWIPS functionality to monitor threats in Cisco DNA Center. |
Cisco DNA Center Rogue Management and aWIPS Application Quick Start Guide |