Device controllability is a system-level process on Cisco DNA Center that enforces state synchronization for some device-layer features. Its purpose is to aid in the deployment of network settings
that Cisco DNA Center needs to manage devices. Changes are made on network devices when running discovery, when adding a device to inventory, or
when assigning a device to a site.
To view the configuration that is pushed to the device, go to and from the Focus drop-down list, choose Provision. In the Provision Status column, click See Details.
Note: When Cisco DNA Center configures or updates devices, the transactions are captured in the audit logs, which you can use to track changes and troubleshoot issues.
The following device settings are enabled as part of device controllability:
- Device Discovery
- SNMP Credentials
- NETCONF Credentials
- Adding Devices to Inventory
  Cisco TrustSec (CTS) Credentials
  Note: Cisco TrustSec (CTS) Credentials are pushed during inventory only if the Global site is configured with Cisco ISE as AAA. Otherwise, CTS is pushed to devices during "Assign to Site" when the site is configured with Cisco ISE as AAA.
- Assigning Devices to a Site
- Controller Certificates
  Note: For Cisco IOS devices, we recommend that you configure the time zone from the device UI console to prevent any issues in the processing of PKCS certificate expiry time.
- SNMP Trap Server Definitions
- Syslog Server Definitions
- NetFlow Server Definitions
- Wireless Service Assurance (WSA)
- IPDT Enablement
Device controllability is enabled by default. If you do not want device controllability enabled, disable it manually. For
more information, see Configure Device Controllability.
When device controllability is disabled, Cisco DNA Center does not configure any of the preceding credentials or features on devices while running discovery or when the devices are
assigned to a site.
The following circumstances dictate whether or not device controllability configures network settings on devices:
- Device Discovery: If SNMP and NETCONF credentials are not already present on a device, these settings are configured during the discovery process.
- Device in Inventory: After a successful initial inventory collection, IPDT is configured on the devices.

  In earlier releases, the following IPDT commands were configured:

      ip device tracking
      ip device tracking probe delay 60
      ip device tracking probe use-svi

  For each interface:

      interface $physicalInterface
       ip device tracking maximum 65535

  In the current release, the following IPDT commands are configured for any newly discovered device:

      device-tracking tracking
      device-tracking policy IPDT_POLICY
       tracking enable

  For each interface:

      interface $physicalInterface
       device-tracking attach-policy IPDT_POLICY

- Device in Global Site: When you successfully add, import, or discover a device, Cisco DNA Center places the device in the Managed state and assigns it to the Global site by default. Even if you have defined SNMP server, Syslog server, and NetFlow collector settings for the Global site, Cisco DNA Center does not change these settings on the device.
- Device Moved to Site: If you move a device from the Global site to a new site that has SNMP server, Syslog server, and NetFlow collector settings configured, Cisco DNA Center changes these settings on the device to the settings configured for the new site.
- Device Removed from Site: If you remove a device from a site, Cisco DNA Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device.
- Device Deleted from Cisco DNA Center: If you delete a device from Cisco DNA Center and check the Configuration Clean-up check box, the SNMP server, Syslog server, and NetFlow collector settings are removed from the device.
- Device Moved from Site to Site: If you move a device—for example, from Site A to Site B—Cisco DNA Center replaces the SNMP server, Syslog server, and NetFlow collector settings on the device with the settings assigned to Site B.
- Update Site Telemetry Changes: The changes made to any settings that are under the scope of device controllability are applied to the network devices during device provisioning or when the Update Telemetry Settings action is performed.
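A configuration audit for the IPDT commands listed above, as an added example that is not part of the Cisco documentation: it reads an IOS-style running-config and reports whether the legacy or the current command set is present and which interfaces have IPDT_POLICY attached. The function name audit_ipdt, the "Ethernet" test for physical interfaces, and the sample configuration are assumptions made for this example.

```python
import re

# Legacy commands quoted on this page all begin with this prefix.
LEGACY_PREFIX = "ip device tracking"
POLICY = "device-tracking policy IPDT_POLICY"
ATTACH = "device-tracking attach-policy IPDT_POLICY"
# Assumption: a "physical" interface is one whose name contains "Ethernet".
PHYSICAL = re.compile(r"^interface (\S*Ethernet\S+)$")

def audit_ipdt(running_config):
    """Classify the IPDT commands found in an IOS-style running-config."""
    report = {"legacy_global": [], "tracking": False,
              "policy_enabled": False, "interfaces": {}}
    section = iface = None
    for raw in running_config.splitlines():
        line = raw.strip()
        if not line or line == "!":
            continue
        if not raw[0].isspace():  # unindented line opens a new section
            section, iface = line, None
            match = PHYSICAL.match(line)
            if match:
                iface = match.group(1)
                report["interfaces"][iface] = "none"
            elif line.startswith(LEGACY_PREFIX):
                report["legacy_global"].append(line)
            elif line == "device-tracking tracking":
                report["tracking"] = True
        elif section == POLICY and line == "tracking enable":
            report["policy_enabled"] = True
        elif iface and line == ATTACH:
            report["interfaces"][iface] = "current"
        elif iface and line.startswith(LEGACY_PREFIX):
            report["interfaces"][iface] = "legacy"
    return report

# Constructed sample that mixes both command sets to exercise every branch.
SAMPLE = """\
ip device tracking probe delay 60
device-tracking tracking
device-tracking policy IPDT_POLICY
 tracking enable
interface GigabitEthernet1/0/1
 device-tracking attach-policy IPDT_POLICY
interface GigabitEthernet1/0/2
 ip device tracking maximum 65535
interface GigabitEthernet1/0/3
interface Vlan10
 device-tracking attach-policy IPDT_POLICY
"""
```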
When device controllability is enabled, if Cisco DNA Center can't connect to the device through the user-provided SNMP credentials and collect device information, Cisco DNA Center pushes the user-provided SNMP credentials to the device. For SNMPv3, the user is created under the default group.
Note: For Cisco AireOS devices, the user-provided SNMPv3 passphrase must contain from 12 to 31 characters.