The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
To start using Cisco DNA Center, you must first configure the system settings so that the server can communicate outside the network, ensure secure communications, authenticate users, and perform other key tasks. Use the procedures described in this chapter to configure the system settings.
 Note |
|
Cisco DNA Center supports role-based access control (RBAC). The roles assigned to a user profile define the capabilities that a user has permission to perform. Cisco DNA Center has three main default user roles:
SUPER-ADMIN-ROLE
NETWORK-ADMIN-ROLE
OBSERVER-ROLE
The SUPER-ADMIN-ROLE gives users broad capabilities and permits them to perform all actions in the Cisco DNA Center GUI, including creating custom roles and assigning them to user profiles. The NETWORK-ADMIN-ROLE and the OBSERVER-ROLE have more limited and restricted capabilities in the Cisco DNA Center GUI.
If you’re unable to perform an action in Cisco DNA Center, the reason might be that your user profile is assigned a role that doesn’t permit it. For more information, check with your system administrator or see the Cisco DNA Center Administrator Guide.
The System 360 tab provides at-a-glance information about Cisco DNA Center.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||||||||||
|
Step 2 |
On the System 360 dashboard, review the following displayed data metrics: Cluster
System Management
|
Cisco ISE has three use cases with Cisco DNA Center:
Cisco ISE can be used as a AAA (pronounced "triple A") server for user, device, and client authentication. If you are not using access control policies, or are not using Cisco ISE as a AAA server for device authentication, you do not have to install and configure Cisco ISE.
Access control policies use Cisco ISE to enforce access control. Before you create and use access control policies, integrate Cisco DNA Center and Cisco ISE. The process involves installing and configuring Cisco ISE with specific services, and configuring Cisco ISE settings in Cisco DNA Center. For more information about installing and configuring Cisco ISE with Cisco DNA Center, see the Cisco DNA Center Installation Guide.
If your network uses Cisco ISE for user authentication, configure Assurance for Cisco ISE integration. This integration lets you see more information about wired clients, such as the username and operating system, in Assurance. For more information, see "About Cisco ISE Configuration for Cisco DNA Center" in the Cisco DNA Assurance User Guide.
Cisco DNA Center allows you to anonymize wired and wireless endpoints data. You can scramble personally identifiable data, such as the user ID, and device hostname of wired and wireless endpoints.
Ensure that you enable anonymization before you run Discovery. If you anonymize the data after you run Discovery, the new data coming into the system is anonymized, but the existing data isn’t anonymized.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
In the Anonymize Data window, check the Enable Anonymization check box. |
|
Step 3 |
Click Save. |
Cisco DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.
If you are using Cisco ISE to perform both policy and AAA functions, make sure that Cisco DNA Center and Cisco ISE are integrated.
If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do the following:
Register Cisco DNA Center with the AAA server, including defining the shared secret on both the AAA server and Cisco DNA Center.
Define an attribute name for Cisco DNA Center on the AAA server.
For a Cisco DNA Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.
Before you configure Cisco ISE, confirm that:
You have deployed Cisco ISE on your network. For information on supported Cisco ISE versions, see the Cisco DNA Center Compatibility Matrix. For information on installing Cisco ISE, see the Cisco Identity Services Engine Install and Upgrade guides.
If you have a standalone ISE deployment, you must integrate Cisco DNA Center with the Cisco ISE node and enable the pxGrid service and External RESTful Services (ERS) on that node.
Note |
Although pxGrid 2.0 allows up to four pxGrid nodes in the Cisco ISE deployment, Cisco DNA Center releases earlier than 2.2.1.x do not support more than two pxGrid nodes. |
If you have a distributed Cisco ISE deployment:
You must integrate Cisco DNA Center with the primary policy administration node (PAN), and enable ERS on the PAN.
Note |
We recommend that you use ERS through the PAN. However, for backup, you can enable ERS on the PSNs. |
You must enable the pxGrid service on one of the Cisco ISE nodes within the distributed deployment. Although you can choose to do so, you do not have to enable pxGrid on the PAN. You can enable pxGrid on any Cisco ISE node in your distributed deployment.
The PSNs that you configure in Cisco ISE to handle TrustSec or SD Access content and PACs must also be defined in . For more information, see the Cisco Identity Services Engine Administrator Guide.
You must enable communication between Cisco DNA Center and Cisco ISE on the following ports: 443, 5222, 8910, and 9060.
The Cisco ISE host on which pxGrid is enabled must be reachable from Cisco DNA Center on the IP address of the Cisco ISE eth0 interface.
The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.
The Cisco ISE admin node certificate must contain the Cisco ISE IP address or FQDN in either the certificate subject name or the Subject Alternative Name (SAN).
The Cisco DNA Center system certificate must list both the Cisco DNA Center appliance IP address and FQDN in the SAN field.
Note |
For Cisco ISE 2.4 Patch 13, 2.6 Patch 7, and 2.7 Patch 3, if you are using the Cisco ISE default self-signed certificate as the pxGrid certificate, Cisco ISE might reject that certificate after applying those patches. This is because the older versions of that certificate have the Netscape Cert Type extension specified as the SSL server, which now fails (because a client certificate is required). This issue doesn’t occur in Cisco ISE 3.0 and later. For more information, see the Cisco ISE Release Notes. |
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||||
|
Step 2 |
From the Add drop-down list, choose AAA or ISE. |
||||
|
Step 3 |
To configure the primary AAA server, enter the following information:
|
||||
|
Step 4 |
To configure a Cisco ISE server, enter the following details:
|
||||
|
Step 5 |
Click Advanced Settings and configure the settings:
|
||||
|
Step 6 |
Click Add. |
||||
|
Step 7 |
To add a secondary server, repeat the preceding steps. |
Use this procedure to enable the Cisco AI Analytics features to export network event data from network devices and inventory, site hierarchy, and topology data to the Cisco AI Cloud.
Make sure that you have the Cisco DNA Advantage software license for Cisco DNA Center. The AI Network Analytics application is part of the Cisco DNA Advantage software license.
Make sure that the latest version of the AI Network Analytics application is installed.
Make sure that your network or HTTP proxy is configured to allow outbound HTTPS (TCP 443) access to the following cloud hosts:
api.use1.prd.kairos.ciscolabs.com (US East Region)
api.euc1.prd.kairos.ciscolabs.com (EU Central Region)
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Scroll down to External Services and choose Cisco AI Analytics. |
|
Step 3 |
Do one of the following:
|
|
Step 4 |
In the Success dialog box, click Okay.  .
|
|
Step 5 |
(Recommended) In the AI Network Analytics window, click Download Configuration file. |
AI agents use X.509 client certificates to authenticate to the AI Cloud. Certificates are created and signed by the AI Cloud CA upon tenant onboarding to the AI Cloud and remain valid for three years (reduced to one year in August 2021). Before their expiration, client certificates must be renewed to avoid losing cloud connectivity. An automatic certificate renewal mechanism is in place. This mechanism requires that you manually back up the certificate after renewal. The backup is required in case you restore or migrate to a new Cisco DNA Center.
After renewal, a notification is shown on every AI Analytics window (Peer Comparison, Heatmap, Network Comparison, Trends and Insights) to tell you to back up the new AI Network Analytics configuration.
To disable Cisco AI Network Analytics data collection, you must disable the AI Network Analytics feature, as follows:
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Scroll down to External Services and choose Cisco AI Analytics.  ) indicates that the feature is enabled. If the check box is unchecked (  ), the feature is disabled.
|
|
Step 3 |
In the AI Network Analytics area, click the Enable AI Network Analytics toggle button so that it’s unchecked ( |
|
Step 4 |
Click Update. |
|
Step 5 |
To delete your network data from the Cisco AI Network Analytics cloud, contact the Cisco Technical Response Center (TAC) and open a support request. |
|
Step 6 |
If you have misplaced your previous configuration, click Download configuration file. |
Machine Reasoning knowledge packs are step-by-step workflows that are used by the Machine Reasoning Engine (MRE) to identify security issues and improve automated root cause analysis. These knowledge packs are continuously updated as more information is received. The Machine Reasoning Knowledge Base is a repository of these knowledge packs (workflows). To have access to the latest knowledge packs, you can either configure Cisco DNA Center to automatically update the Machine Reasoning Knowledge Base daily, or you can perform a manual update.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Scroll down to External Services and choose Machine Reasoning Knowledge Base.
When there’s a new update to the Machine Reasoning Knowledge Base, the AVAILABLE UPDATE area is displayed in the Machine Reasoning Knowledge Base window, which provides the Version and Details about the update.
|
|
Step 3 |
(Recommended) Check the AUTO UPDATE check box to automatically update the Machine Reasoning Knowledge Base. You can perform an automatic update only if Cisco DNA Center is successfully connected to the Machine Reasoning Engine in the cloud. |
|
Step 4 |
To manually update the Machine Reasoning Knowledge Base in Cisco DNA Center, do one of the following:
|
|
Step 5 |
Check the CISCO CX CLOUD SERVICE FOR NETWORK BUG IDENTIFIER AND SECURITY ADVISORY check box to enable Cisco CX Cloud connection with network bug identifier and security advisory. |
|
Step 6 |
In the Security Advisories Settings area click the RECURRING SCAN toggle button to enable or disable the weekly recurring scan. |
|
Step 7 |
Click the CISCO CX CLOUD toggle button to enable or disable the Cisco CX cloud. |
You can configure Cisco credentials for Cisco DNA Center. Cisco credentials are the username and password that you use to log in to the Cisco website to access software and services.
Note |
The Cisco credentials configured for Cisco DNA Center using this procedure are used for software image and update downloads. The Cisco credentials are also encrypted by this process for security purposes. |
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Enter your Cisco username and password. |
|
Step 3 |
Click Save. Your cisco.com credentials are configured for the software and services. |
To delete the cisco.com credentials that are currently configured for Cisco DNA Center, complete the following procedure.
Note |
|
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click Clear. |
|
Step 3 |
In the resulting dialog box, click Continue to confirm the operation. |
Connection mode manages the connections between smart-enabled devices in your network that interact with Cisco DNA Center and the Cisco Smart Software Manager (SSM). Ensure that you have SUPER-ADMIN access permission to configure the different connection modes.
|
Step 1 |
From the top-left corner, click the menu icon and choose . The following connection modes are available:
|
|
Step 2 |
Choose Direct to enable a direct connection to the Cisco SSM cloud. |
|
Step 3 |
If your organization is security sensitive, choose On-Prem CSSM. The on-prem option lets you access a subset of Cisco SSM functionality without using a direct internet connection to manage your licenses with the Cisco SSM cloud. |
|
Step 4 |
Choose Smart proxy to register your smart-enabled devices with the Cisco SSM cloud through Cisco DNA Center. With this mode, devices do not need a direct connection to the Cisco SSM cloud. Cisco DNA Center proxies the requests from the device to the Cisco SSM cloud through itself. While provisioning the call-home configuration to the device, if the satellite is configured with FQDN, the FQDN of the satellite is pushed instead of the IP address. |
You can register Cisco DNA Center as a controller for Cisco Plug and Play (PnP) Connect, in a Cisco Smart Account for redirection services. This lets you synchronize the device inventory from the Cisco PnP Connect cloud portal to PnP in Cisco DNA Center.
Only a user with SUPER-ADMIN-ROLE or CUSTOM-ROLE with system management permissions can perform this procedure.
In the Smart account, users are assigned roles that specify the functions and authorized to perform:
Smart Account Admin user can access all the Virtual Accounts.
Users can access assigned Virtual Accounts only.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click Register to register a virtual account. |
|
Step 3 |
In the Register Virtual Account window, the Smart Account you configured is displayed in the Select Smart Account drop-down list. You can select an account from the Select Virtual Account drop-down list. |
|
Step 4 |
Click the required IP or FQDN radio button. |
|
Step 5 |
Enter the IP address or FQDN (Fully Qualified Domain Name) of the controller. |
|
Step 6 |
Enter the profile name. A profile is created for the selected virtual account with the configuration that you provided. |
|
Step 7 |
Check the Use as Default Controller Profile check box to register this Cisco DNA Center controller as the default controller in the Cisco PnP Connect cloud portal. |
|
Step 8 |
Click Register. |
You receive a notification whenever a Plug and Play (PnP) event takes place in Cisco DNA Center by creating event notifications. See the "Work with Event Notifications" topic in the Cisco DNA Center Platform User Guide to configure the supported channels and create event notifications.
Ensure that you create event notifications for the following PnP events:
| Event Name | Event ID | Description |
|---|---|---|
|
Add device failed |
NETWORK-TASK_FAILURE-3-008 |
Device(s) are not added through single or bulk import. An error occurs when adding devices through single or bulk import. |
|
Add device successful |
NETWORK-TASK_COMPLETE-4-007 |
Device(s) are added through single or bulk import successfully. |
|
Device in error state |
NETWORK-ERROR_1-002 |
Device goes to Error state. |
|
Device in provisioned state |
NETWORK-INFO_4-003 |
Device goes to Provisioned state. |
|
Device stuck in onboarding state |
NETWORK-TASK_PROGRESS-2-006 |
Device is stuck in onboarding state for more than 15 minutes. |
|
Device waiting to be claimed |
NETWORK-INFO_2-001 |
Device reaches Unclaimed state and is ready to be provisioned. |
|
Smart Account sync failed |
NETWORK-TASK_FAILURE-1-005 |
Smart Account sync is failed for some devices. |
|
Smart Account sync successful |
NETWORK-TASK_COMPLETE-4-004 |
Smart Account sync is successful for some devices. |
Cisco Smart Account credentials are used for connecting to your Smart Licensing account. The License Manager tool uses the details of license information from this Smart Account for entitlement and license management.
Ensure that you have SUPER-ADMIN-ROLE permissions.
|
Step 1 |
From the top-left corner, click the menu icon and choose System > Settings > Cisco Accounts > Smart Account. |
||
|
Step 2 |
Click the Add button. You are prompted to provide Smart Account credentials. |
||
|
Step 3 |
If you want to change the selected Smart Account Name, click Change. You will be prompted to select the Smart Account that will be used for connecting to your Smart Licensing Account on Cisco SSM cloud.
|
||
|
Step 4 |
Click View all virtual accounts to view all the virtual accounts associated with the Smart Account.
|
||
|
Step 5 |
(Optional) If you want to register smart license-enabled devices automatically to a virtual account, check the Auto register smart license enabled devices check box. A list of virtual accounts associated with the smart account is displayed. |
||
|
Step 6 |
Select the required virtual account. Whenever a smart license-enabled device is added in the inventory, it’s automatically registered to the selected virtual account. |
||
|
Step 7 |
If you want to remove the licensed smart account users and their associated historical data, click Delete historical information. The Delete Historical Data slide-in pane displays the licensed smart account users. It also displays the existing smart accounts that aren’t currently present in Cisco DNA Center, but their historical data is still available. |
||
|
Step 8 |
In the Smart Account list area check the check box next to the smart account that you want to delete. |
||
|
Step 9 |
Click Delete. |
||
|
Step 10 |
Click Delete in the subsequent confirmation window. |
||
|
Step 11 |
Check the Delete the associated license historical information check box to delete the historical information of the associated license. |
Cisco Smart licensing allows you to register Cisco DNA Center on to the Cisco SSM.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).
For a more detailed overview on Cisco licensing, go to cisco.com/go/licensingguide.
To enable Smart Licensing, you must configure Cisco Credentials (see Configure Cisco Credentials) and upload Cisco DNA Center license conventions in Cisco SSM.
To enable Smart Licensing, you must add Smart Account in . For more information, see Configure Smart Account.
|
Step 1 |
From the top-left corner, click the menu icon and choose . By default, Smart Account details are displayed. |
|
Step 2 |
Choose a virtual account from the Search Virtual Account drop-down list to register. |
|
Step 3 |
Click Register. |
|
Step 4 |
After successful registration, click the View Available Licenses link to view the available Cisco DNA Center licenses. |
Device controllability is a system-level process on Cisco DNA Center that enforces state synchronization for some device-layer features. Its purpose is to aid in the deployment of network settings that Cisco DNA Center needs to manage devices. Changes are made on network devices when running discovery, when adding a device to inventory, or when assigning a device to a site.
To view the configuration that is pushed to the device, go to and from the Focus drop-down list, choose Provision. In the Provision Status column, click See Details.
Note |
When Cisco DNA Center configures or updates devices, the transactions are captured in the audit logs, which you can use to track changes and troubleshoot issues. |
The following device settings are enabled as part of device controllability:
Device Discovery
SNMP Credentials
NETCONF Credentials
Adding Devices to Inventory
Cisco TrustSec (CTS) Credentials
Note |
Cisco TrustSec (CTS) Credentials are pushed during inventory only if the Global site is configured with Cisco ISE as AAA. Otherwise, CTS is pushed to devices during "Assign to Site" when the site is configured with Cisco ISE as AAA. |
Assigning Devices to a Site
Controller Certificates
Note |
For Cisco IOS devices, we recommend that you configure the time zone from the device UI console to prevent any issues in the processing of PKCS certificate expiry time. |
SNMP Trap Server Definitions
Syslog Server Definitions
NetFlow Server Definitions
Wireless Service Assurance (WSA)
IPDT Enablement
Device controllability is enabled by default. If you do not want device controllability enabled, disable it manually. For more information, see Configure Device Controllability.
When device controllability is disabled, Cisco DNA Center does not configure any of the preceding credentials or features on devices while running discovery or when the devices are assigned to a site.
The following circumstances dictate whether or not device controllability configures network settings on devices:
Device Discovery: If SNMP and NETCONF credentials are not already present on a device, these settings are configured during the discovery process.
Device in Inventory: After a successful initial inventory collection, IPDT is configured on the devices.
In earlier releases, the following IPDT commands were configured:
ip device tracking
ip device tracking probe delay 60
ip device tracking probe use-sviFor each interface:
interface $physicalInterface
ip device tracking maximum 65535In the current release, the following IPDT commands are configured for any newly discovered device:
device-tracking tracking
device-tracking policy IPDT_POLICY
tracking enableFor each interface:
interface $physicalInterface
device-tracking attach-policy IPDT_POLICYDevice in Global Site: When you successfully add, import, or discover a device, Cisco DNA Center places the device in the Managed state and assigns it to the Global site by default. Even if you have defined SNMP server, Syslog server, and NetFlow collector settings for the Global site, Cisco DNA Center does not change these settings on the device.
Device Moved to Site: If you move a device from the Global site to a new site that has SNMP server, Syslog server, and NetFlow collector settings configured, Cisco DNA Center changes these settings on the device to the settings configured for the new site.
Device Removed from Site: If you remove a device from a site, Cisco DNA Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device.
Device Deleted from Cisco DNA Center: If you delete a device from Cisco DNA Center and check the Configuration Clean-up check box, the SNMP server, Syslog server, and NetFlow collector settings are removed from the device.
Device Moved from Site to Site: If you move a device—for example, from Site A to Site B—Cisco DNA Center replaces the SNMP server, Syslog server, and NetFlow collector settings on the device with the settings assigned to Site B.
Update Site Telemetry Changes: The changes made to any settings that are under the scope of device controllability are applied to the network devices during device provisioning or when the Update Telemetry Settings action is performed.
When device controllability is enabled, if Cisco DNA Center can't connect to the device through the user-provided SNMP credentials and collect device information, Cisco DNA Center pushes the user-provided SNMP credentials to the device. For SNMPv3, the user is created under the default group.
Note |
For Cisco AireOS devices, the user-provided SNMPv3 passphrase must contain from 12 to 31 characters. |
Device controllability aids deployment of the required network settings that Cisco DNA Center needs to manage devices.
Note |
If you disable device controllability, none of the credentials or features described in the Device Controllability page will be configured on the devices during discovery or at runtime. |
Device controllability is enabled by default. To manually disable device controllability, do the following:
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Uncheck the Enable Device Controllability check box. |
|
Step 3 |
Click Save. |
You must accept the end-user license agreement (EULA) before downloading software or provisioning a device.
Note |
If you have not yet configured cisco.com credentials, you are prompted to configure them in the Device EULA Acceptance window before proceeding. |
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click the Cisco End User License Agreement link and read the EULA. |
|
Step 3 |
Check the I have read and accept the Device EULA check box. |
|
Step 4 |
Click Save. |
You can configure retry and timeout values for SNMP.
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Configure the following fields:
|
|
Step 3 |
Click Save. |
|
Step 4 |
(Optional) To return to the default settings, click Reset and Save. |
When Internet Control Message Protocol (ICMP) ping is enabled and there are unreachable access points in FlexConnect mode, Cisco DNA Center uses ICMP to ping these access points every 5 minutes to enhance reachability.
The following procedure describes how to enable an ICMP ping.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Check the Enable ICMP ping for unreachable access points in FlexConnect mode check box. |
|
Step 3 |
Click Save. |
Cisco DNA Center allows you to use the site assigned during the PnP claim as the AP location for PnP onboarding. If you check the Configure AP Location check box, Cisco DNA Center configures the assigned site as the AP location for PnP onboarding. If you uncheck this check box, use the Configure Access Points workflow to configure the AP location for PnP onboarding. For more information, see "AP Configuration in Cisco DNA Center" in the Cisco DNA Center User Guide.
Note |
These settings aren’t applicable during the day-n operations. To configure the AP location for day-n operations, you can use the Configure Access Points workflow. |
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Check the Configure AP Location check box. |
|
Step 3 |
Click Save. |
An image distribution server helps in the storage and distribution of software images. You can configure up to three external image distribution servers to distribute software images. You can also set up one or more protocols for the newly added image distribution servers.
For information about the supported servers, see the Server Requirements for Automation Data Backup section in the “Backup Server Requirements” topic in the Cisco DNA Center Administrator Guide.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
In the Image Distribution Servers window, click Servers. The table displays details about the host, username, SFTP, SCP, and connectivity of image distribution servers. |
||
|
Step 3 |
Click Add to add a new image distribution server. The Add a New Image Distribution Server slide-in pane is displayed. |
||
|
Step 4 |
Configure the following image distribution server settings:
|
||
|
Step 5 |
Click Save. |
||
|
Step 6 |
Because some legacy wireless controller software versions support only weak ciphers (such as SHA1-based ciphers) for SFTP, Cisco DNA Center should enable SFTP compatibility mode for SFTP connections from wireless controllers for software image management and wireless assurance. You can temporarily enable support for weak ciphers on the Cisco DNA Center SFTP server for up to 90 days. To allow weak ciphers:
|
||
|
Step 7 |
(Optional) To edit the settings, click the Edit icon next to the corresponding image distribution server, make the required changes, and click Save. |
||
|
Step 8 |
(Optional) To delete an image distribution server, click the Delete icon next to the corresponding image distribution server and click Delete. |
The following procedure describes how to enable authorization on a device.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
From the Device Settings drop-down list, choose PnP Device Authorization.
|
||
|
Step 3 |
Check the Device Authorization check box to enable authorization on the device. |
||
|
Step 4 |
Click Save. |
Cisco DNA Center allows you to create custom prompts for the username and password. You can configure the devices in your network to use custom prompts and collect information about the devices.
|
Step 1 |
From the top-left corner, click the menu icon and choose . The Device Prompts window opens. |
||
|
Step 2 |
Click Create Custom Prompt. The Create Custom Prompt slide-in pane opens. |
||
|
Step 3 |
To create custom prompts for the username, do the following:
|
||
|
Step 4 |
To create custom prompts for the password, do the following:
|
||
|
Step 5 |
Drag and drop the custom prompts in the order that you want.
|
||
|
Step 6 |
Click the edit icon to edit a custom prompt. |
||
|
Step 7 |
Click the delete icon to delete a custom prompt.
|
Cisco DNA Center performs periodic backup of your device running configuration. You can choose the day and time for the backup and the total number of config drifts that can be saved per device.
Note |
|
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
In the Configuration Archive window, click the Internal tab. |
||
|
Step 3 |
Click the Number of config drift per device drop-down list and choose the number of config drifts to save per device. You can save 7–50 config drifts per device. The total config drifts to save include all the labeled configs for the device.
|
||
|
Step 4 |
Choose the backup day and time. The selected backup date and time is based on the time zone of the Cisco DNA Center cluster deployed for your network. |
||
|
Step 5 |
Click Save. After the backup is scheduled, you can view it in the activity center. |
||
|
Step 6 |
Click the External tab to configure an external server for archiving the device configuration. For more information, see Configure an External Server for Archiving Device Configuration. |
You can configure an external SFTP server for archiving the running configuration of devices.
Confirm that SSH, SFTP, and SCP are enabled on the external server.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
In the Configuration Archive window, click the External tab. |
||
|
Step 3 |
Click Add to add an External Repository.
|
||
|
Step 4 |
In the Add New External Repository slide-in pane, complete the following details: |
||
|
Step 5 |
Click Save. |
||
|
Step 6 |
To edit the SFTP server details, click the edit button under the Action column. |
||
|
Step 7 |
To remove the SFTP server, click the delete button under the Action column. |
Integrity Verification (IV) monitors key device data for unexpected changes or invalid values that indicate possible compromise, if any, of the device. The objective is to minimize the impact of a compromise by substantially reducing the time to detect unauthorized changes to a Cisco device.
Note |
For this release, IV runs integrity verification checks on software images that are uploaded into Cisco DNA Center. To run these checks, the IV service needs the Known Good Value (KGV) file to be uploaded. |
To provide security integrity, Cisco devices must be verified as running authentic and valid software. Currently, Cisco devices have no point of reference to determine whether they are running authentic Cisco software. IV uses a system to compare the collected image integrity data with the KGV for Cisco software.
Cisco produces and publishes a KGV data file that contains KGVs for many of its products. This KGV file is in standard JSON format, is signed by Cisco, and is bundled with other files into a single KGV file that can be retrieved from the Cisco website. The KGV file is posted at:
https://tools.cisco.com/cscrdr/security/center/files/trust/Cisco_KnownGoodValues.tar
The KGV file is imported into IV and used to verify integrity measurements obtained from the network devices.
Note |
Device integrity measurements are made available to and used entirely within the IV. Connectivity between IV and cisco.com is not required. The KGV file can be air-gap transferred into a protected environment and loaded into the IV. |
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
Review the current KGV file information:
|
||
|
Step 3 |
To import the KGV file, perform one of the following steps:
|
||
|
Step 4 |
If you clicked Import Latest from Cisco, a connection is made to cisco.com and the latest KGV file is automatically imported to Cisco DNA Center.
|
||
|
Step 5 |
If you clicked Import New from Local, the Import KGV window appears. |
||
|
Step 6 |
Perform one of the following procedures to import locally:
|
||
|
Step 7 |
Click Import. The KGV file is imported into Cisco DNA Center. |
||
|
Step 8 |
After the import is finished, verify the current KGV file information in the GUI to ensure that it has been updated. IV automatically downloads the latest KGV file from cisco.com to your system 7 days after Cisco DNA Center is deployed. The auto downloads continue every 7 days. You can also download the KGV file manually to your local system and then import it to Cisco DNA Center. For example, if a new KGV file is available on a Friday and the auto download is every 7 days (on a Monday), you can download it manually. The following KGV auto download information is displayed:
|
After importing the latest KGV file, choose to view the integrity of the imported images.
Note |
The effect of importing a KGV file can be seen in the Image Repository window, if the images that are already imported have an Unable to verify status (physical or virtual). Additionally, future image imports, if any, will also refer to the newly uploaded KGV for verification. |
You can configure Cisco DNA Center to communicate with an external IP address manager (IPAM). When you use Cisco DNA Center to create, reserve, or delete any IP address pool, Cisco DNA Center conveys this information to your external IPAM.
Confirm that your external IP address manager is set up and functional.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
In the Server Name field, enter the name of the IPAM server. |
||
|
Step 3 |
In the Server URL field, enter the URL or IP address of the IPAM server. A warning icon and message appear, indicating that the certificate is not trusted for this server. To import the trust certificate directly from the IPAM, follow these steps: |
||
|
Step 4 |
In the Username and Password fields, enter the IPAM credentials. |
||
|
Step 5 |
From the Provider drop-down list, choose a provider.
|
||
|
Step 6 |
From the View drop-down list, choose a default IPAM network view. If you only have one view configured, only default appears in the drop-down list. The network view is created in the IPAM and is used as a container for IP address pools. |
||
|
Step 7 |
Click Save. |
Go to to verify that the certificate has been successfully added.
Note |
In trusted certificates, the certificate is referenced as a third-party trusted certificate. |
Go to and verify the information to ensure that your external IP address manager configuration succeeded.
Cisco DNA Center provides Webex meeting session information for client 360.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click Authenticate to Webex. |
|
Step 3 |
In the Cisco Webex pop-up window, enter the email address and click Sign In. |
|
Step 4 |
Enter the password and click Sign In. Webex authentication is completed successfully. |
|
Step 5 |
Under Default Email Domain for Webex Meetings Sign-In, enter the Webex user’s email domain and click Save. The Webex domain is organization-wide, and all users who use the domain can host or attend meetings. |
|
Step 6 |
(Optional) Under Authentication Token, click Delete to delete Webex authentication. |
Once activated, Cisco DNA Center provides call quality metrics information for Application 360 and Client 360 dashboards.
You must have a Microsoft Teams account with admin privileges.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
From the Region drop-down list, choose the desired region. |
|
Step 3 |
Click the |
|
Step 4 |
Click Activate. You are redirected to the Cisco DNA - Cloud window. |
|
Step 5 |
In the Cisco DNA - Cloud window, do the following: |
Use this procedure to activate, deactivate, or check the status of MS-Teams integration on the devices through the Cisco DNA - Cloud service.
You must have a Microsoft Teams account with admin privileges.
|
Step 1 |
Log in to Cisco DNA - Cloud with your cisco.com credentials. If you do not have cisco.com credentials, you can create them. |
|
Step 2 |
From the top-left corner, click the menu icon and choose Applications and Products. |
|
Step 3 |
From the Region drop-down list, choose the desired region. |
|
Step 4 |
Click the |
|
Step 5 |
In the AppX MS-Teams tile, click Activate. For details, see Configure an AppX MS-Teams Integration. |
|
Step 6 |
After the product is activated, click Exit. |
|
Step 7 |
You are redirected to the Applications window. |
|
Step 8 |
Click the AppX MS-Team tile to view the details in the App 360 window. |
|
Step 9 |
(Optional) To activate products from the App 360 window, do the following: |
|
Step 10 |
(Optional) To deactivate the product, do the following:
|
|
Step 11 |
(Optional) To disconnect the product from AppX MS-Teams application, do the following: |
You can configure Cisco DNA Center to communicate with an external ThousandEyes API agent to enable ThousandEyes integration using an authentication token. After integration, Cisco DNA Center provides ThousandEyes agent test data in the Application Health dashboard.
For Thousandeyes integration to work, upon deploying Thousandeyes agent on the device you must set the agent hostname similar to the Device Name in the Provision > Network Devices > Inventory table.
Ensure that you have deployed the ThousandEyes agent through application hosting, which supports Cisco Catalyst 9300 and 9400 Series switches.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
In the Insert new token here field, enter the authentication token.
|
||
|
Step 3 |
Click Save. |
||
|
Step 4 |
(Optional) Click Delete to delete the OAuth Bearer Token. |
To assist in troubleshooting service issues, you can change the logging level for the Cisco DNA Center services.
A logging level determines the amount of data that is captured in the log files. Each logging level is cumulative; that is, each level contains all the data generated by the specified level and higher levels, if any. For example, setting the logging level to Info also captures Warn and Error logs. We recommend that you adjust the logging level to assist in troubleshooting issues by capturing more data. For example, by adjusting the logging level, you can capture more data to review in a root cause analysis or RCA support file.
The default logging level for services is informational (Info). You can change the logging level from informational to a different logging level (Debug or Trace) to capture more information.
 Caution |
Due to the type of information that might be disclosed, logs collected at the Debug level or higher should have restricted access. |
Note |
Log files are created and stored in a centralized location on your Cisco DNA Center host for display in the GUI. From this location, Cisco DNA Center can query and display logs in the GUI (). Logs are available to query for only the last 2 days. Logs that are older than 2 days are purged automatically from this location. |
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.
|
Step 1 |
From the top-left corner, click the menu icon and choose . The Debugging Logs window is displayed. |
|
Step 2 |
From the Service drop-down list, choose a service to adjust its logging level. The Service drop-down list displays the services that are currently configured and running on Cisco DNA Center. |
|
Step 3 |
Enter the Logger Name. This is an advanced feature that has been added to control which software components emit messages into the logging framework. Use this feature with care. Misuse of this feature can result in loss of information needed for technical support purposes. Log messages will be written only for the loggers (packages) specified here. By default, the Logger Name includes packages that start with com.cisco. You can enter additional package names as comma-separated values. Do not remove the default values unless you are explicitly directed to do so. Use * to log all packages. |
|
Step 4 |
From the Logging Level drop-down list, choose the new logging level for the service. Cisco DNA Center supports the following logging levels in descending order of detail:
|
|
Step 5 |
From the Time Out field, choose the time period for the logging level. Configure logging-level time periods in increments of 15 minutes up to an unlimited time period. If you specify an unlimited time period, the default level of logging should be reset each time a troubleshooting activity is completed. |
|
Step 6 |
Review your selection and click Save. |
You can update the polling interval at the global level for all devices by choosing . Or, you can update the polling interval at the device level for a specific device by choosing Device Inventory. When you set the polling interval using the Network Resync Interval, that value takes precedence over the Device Inventory polling interval value.
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.
Make sure that you have devices in your inventory. If not, discover devices using the Discovery feature.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
In the Resync Interval field, enter a new time value (in minutes). |
|
Step 3 |
(Optional) Check the Override for all devices check box to override the existing configured polling interval for all devices. |
|
Step 4 |
Click Save. |
Audit logs capture information about the various applications running on Cisco DNA Center. Audit logs also capture information about device public key infrastructure (PKI) notifications. The information in these audit logs can be used to help in troubleshooting issues, if any, involving the applications or the device CA certificates.
Audit logs also record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system get logged in separate log files for auditing.
|
Step 1 |
From the top-left corner, click the menu icon and choose . The Audit Logs window opens, where you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Cisco DNA Center. |
||
|
Step 2 |
Click the timeline slider to specify the time range of data you want displayed on the window:
|
||
|
Step 3 |
Click the arrow next to an audit log to view the corresponding child audit logs. Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of additional child audit logs.
|
||
|
Step 4 |
(Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane, click Event ID > Copy Event ID to Clipboard. With the copied ID, you can use the API to retrieve the audit log message based on the event ID. The audit log displays the Description, User, Interface, and Destination of each policy in the right pane.
|
||
|
Step 5 |
(Optional) Click Filter to filter the log by User ID, Log ID, or Description. |
||
|
Step 6 |
Click Subscribe to subscribe to the audit log events. A list of syslog servers is displayed. |
||
|
Step 7 |
Check the syslog server check box that you want to subscribe to and click Save.
|
||
|
Step 8 |
In the right pane, use the Search field to search for specific text in the log message. |
||
|
Step 9 |
From the top-left corner, click the menu icon and choose to view the upcoming, in-progress, completed, and failed administrative tasks, such as operating system updates or device replacements. |
||
|
Step 10 |
From the top-left corner, click the menu icon and choose tab to view the in-progress, completed, and failed work items. |
Security Recommendation: We strongly encourage you to export audit logs from Cisco DNA Center to a remote syslog server in your network, for more secure and easier log monitoring.
You can export the audit logs from Cisco DNA Center to multiple syslog servers by subscribing to them.
Configure the syslog servers in the area.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click Subscribe. |
|
Step 3 |
Select the syslog servers that you want to subscribe to and click Save. |
|
Step 4 |
(Optional) To unsubscribe, deselect the syslog servers and click Save. |
With the Cisco DNA Center platform, you can use APIs to view audit logs in syslog servers. Using the Create Syslog Event Subscription API from the Developer Toolkit, create a syslog subscription for audit log events.
Whenever an audit log event occurs, the syslog server lists the audit log events.
The Visibility and Control of Configurations feature provides a solution to further secure your planned network configurations before deploying them on to your devices. With enhanced visibility, you can enforce the previewing of device configurations (CLI and NETCONF commands) before deploying them. Visibility is enabled by default. When visibility is enabled, you cannot deploy your device configurations until you review them. With enhanced control, you can send the planned network configurations to IT Service Management (ITSM) for approval. When control is enabled, you cannot deploy the configurations until an IT administrator approves them.
Note |
A workflow supports visibility and control if it displays the following banner message when you schedule the deployment of your task: This workflow supports enforcing network administrators and other users to preview configurations before deploying them on the network devices. To configure this setting, go to . |
Make sure that ITSM is enabled and configured in Cisco DNA Center so that you can enable ITSM Approval. For information about how to enable and configure ITSM, see “Configure the Cisco DNA Center Automation Events for ITSM (ServiceNow) Bundle” in the Cisco DNA Center ITSM Integration Guide.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click the Configuration Preview toggle button to enable or disable visibility. Enabling visibility means you must preview the device configurations before deploying them. Disabling visibility means you are not enforcing the previewing of device configurations before deploying them. When visibility is disabled, you can schedule and deploy the configurations with or without previewing them. |
|
Step 3 |
(Optional) Click the ITSM Approval toggle button to enable or disable control. Enabling control means you must submit the planned network configurations to an ITSM administrator for approval before deploying them. Disabling control means you are not requiring ITSM approval before the deployment of planned network configurations. When control is disabled, you can deploy the configurations without ITSM approval. |
You can view information about in-progress, completed, and failed tasks and work items running on Cisco DNA Center.
A task is an operation that you or the system scheduled, which can reoccur. If you have a task, this means that you have no corresponding work items to complete for it to deploy as scheduled.
VMware vSphere High Availability (HA) provides high availability for Cisco DNA Center on ESXi by linking the virtual machines and their hosts in the same vSphere cluster. vSphere HA requires shared storage to function. If a host failure occurs, the virtual machines restart on alternate hosts. vSphere HA responds to the failure based on its configuration, and vSphere HA detects the failure at the following levels:
Host level
Virtual machine (VM) level
Application level
In the current release, Cisco DNA Center only supports high availability for host-level failures.
To configure vSphere HA for host-level failures, complete the following procedure.
For the Cisco DNA Center virtual appliance to take over from the failed hosts, at least two hosts must have the unreserved CPU/Memory resources described in the Cisco DNA Center on ESXi Release Notes.
Note |
Enable HA Admission Control with the appropriate configuration to ensure that the Cisco DNA Center virtual appliance has sufficient resources to take over for the failed host. The configuration should allow the virtual appliance to be restarted on another host without any impact to the system. If the necessary resources are not reserved, the virtual appliance restarted on the failover host may fail due to resource shortage. |
|
Step 1 |
Log in to the vSphere Client. |
|
Step 2 |
Choose the appropriate Cisco DNA Center cluster in the device menu. |
|
Step 3 |
To configure the cluster, choose . |
|
Step 4 |
From the top-right corner, click Edit. |
|
Step 5 |
Click the toggle button to enable vSphere HA. |
|
Step 6 |
Choose Failures and responses and configure the following settings:
|
|
Step 7 |
Click OK. |
For the Cisco DNA Center on ESXi virtual appliance to have priority restart upon host failure, complete the following procedure.
|
Step 1 |
Log in to the vSphere Client. |
|
Step 2 |
Choose the appropriate Cisco DNA Center on ESXi cluster in the device menu. |
|
Step 3 |
To configure the cluster, choose . |
|
Step 4 |
In the Select a VM window, choose the deployed Cisco DNA Center on ESXi virtual machine. |
|
Step 5 |
Click OK. |
|
Step 6 |
In the Add VM Override window, go to and configure the following settings:
|
|
Step 7 |
Click FINISH. |
Cisco DNA Center on ESXi supports high availability through VMware vSphere HA functionality. For information about VMware vSphere's implementation and requirements for creating and using a vSphere HA cluster, see the following VMware vSphere Product Documentation:
In cases where firewalls or other rules exist between Cisco DNA Center and any third-party apps that need to reach the Cisco DNA Center platform, you must configure Integration Settings. These cases occur when the IP address of Cisco DNA Center is internally mapped to another IP address that connects to the internet or an external network.
Important |
After a backup and restore of Cisco DNA Center, you need to access the Integration Settings page and update (if necessary) the Callback URL Host Name or IP Address using this procedure. |
You have installed the Cisco DNA Center platform.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
Enter the Callback URL Host Name or IP Address that the third-party app needs to connect to when communicating with the Cisco DNA Center platform.
|
||
|
Step 3 |
Click Apply. |
You can set up a message that is displayed to all users after they log in to Cisco DNA Center.
Only a user with SUPER-ADMIN-ROLE or CUSTOM-ROLE with system management permissions can perform this procedure.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
In the Login Message text box, enter the message. |
|
Step 3 |
Click Save. The message appears below the Log In button on the Cisco DNA Center login page. Later, if you want to remove this message, do the following:
|
If Cisco DNA Center on ESXi has a proxy server configured as an intermediary between itself and the network devices that it manages, you must configure access to the proxy server.
Note |
Cisco DNA Center on ESXi does not support a proxy server that uses Windows New Technology LAN Manager (NTLM) authentication. |
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
From the System Configuration drop-down list, choose . |
||
|
Step 3 |
Enter the proxy server's URL address. |
||
|
Step 4 |
Enter the proxy server's port number.
|
||
|
Step 5 |
(Optional) If the proxy server requires authentication, click Update and enter the username and password for access to the proxy server. |
||
|
Step 6 |
Check the Validate Settings check box to have Cisco DNA Center on ESXi validate your proxy configuration settings when applying them. |
||
|
Step 7 |
Review your selections and click Save. To cancel your selection, click Reset. To delete an existing proxy configuration, click Delete. After configuring the proxy, you can view the configuration in the Proxy window.
|
Cisco DNA Center provides many security features for itself, for the hosts and network devices that it monitors and manages. You must clearly understand and configure the security features correctly. We strongly recommend that you follow these security recommendations:
Deploy Cisco DNA Center in a private internal network and behind a firewall that does not expose Cisco DNA Center to an untrusted network, such as the internet.
If you have separate management and enterprise networks, connect Cisco DNA Center's management and enterprise interfaces to your management and enterprise networks, respectively. Doing so ensures network isolation between the services used to administer and manage Cisco DNA Center and the services used to communicate with and manage your network devices.
If deploying Cisco DNA Center in a three-node cluster setup, verify that the cluster interfaces are connected in an isolated network.
Upgrade Cisco DNA Center with critical upgrades, including security patches, as soon as possible after a patch announcement. For more information, see the Cisco DNA Center Upgrade Guide.
Restrict the remote URLs accessed by Cisco DNA Center using an HTTPS proxy server. Cisco DNA Center is configured to access the internet to download software updates, licenses, and device software, as well as provide up-to-date map information, user feedback, and so on. Providing internet connections for these purposes is a mandatory requirement. However, provide connections securely through an HTTPS proxy server.
Restrict the ingress and egress management and enterprise network connections to and from Cisco DNA Center using a firewall, by only allowing known IP addresses and ranges and blocking network connections to unused ports.
Replace the self-signed server certificate from Cisco DNA Center with the certificate signed by your internal certificate authority (CA).
If possible in your network environment, disable SFTP Compatibility Mode. This mode allows legacy network devices to connect to Cisco DNA Center using older cipher suites.
Disable the browser-based appliance configuration wizard, which comes with a self-signed certificate.
In some network configurations, proxy gateways might exist between Cisco DNA Center and the remote network it manages (containing various network devices). Common ports, such as 80 and 443, pass through the gateway proxy in the DMZ, and for this reason, SSL sessions from the network devices meant for Cisco DNA Center terminate at the proxy gateway. Therefore, the network devices located within these remote networks can only communicate with Cisco DNA Center through the proxy gateway. For the network devices to establish secure and trusted connections with Cisco DNA Center, or, if present, a proxy gateway, the network devices should have their PKI trust stores appropriately provisioned with the relevant CA root certificates or the server’s own certificate under certain circumstances.
If such a proxy is in place during onboarding of devices through PnP Discovery/Services, we recommend that the proxy and the Cisco DNA Center server certificate be the same so that network devices can trust and authenticate Cisco DNA Center securely.
In network topologies where a proxy gateway is present between Cisco DNA Center and the remote network it manages, perform the following procedure to import a proxy gateway certificate in to Cisco DNA Center.
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.
You must use the proxy gateway's IP address to reach Cisco DNA Center and its services.
You should have the certificate file that is currently being used by the proxy gateway. The certificate file contents should consist of any of the following:
The proxy gateway’s certificate in PEM or DER format, with the certificate being self-signed.
The proxy gateway’s certificate in PEM or DER format, with the certificate being issued by a valid, well-known CA.
The proxy gateway's certificate and its chain in PEM or DER format.
The certificate used by the devices and the proxy gateway must be imported in to Cisco DNA Center by following this procedure.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
From the System Configuration drop-down list, choose . |
||
|
Step 3 |
In the Proxy Certificate window, view the current proxy gateway certificate data (if it exists).
|
||
|
Step 4 |
To add a proxy gateway certificate, drag and drop the self-signed or CA certificate into the Drag and Drop Here area.
|
||
|
Step 5 |
Click Save. |
||
|
Step 6 |
Refresh the Proxy Certificate window to view the updated proxy gateway certificate data. |
||
|
Step 7 |
Click the Enable button to enable the proxy gateway certificate functionality. If you click the Enable button, the controller returns the imported proxy gateway certificate when requested by a proxy gateway. If you don't click the Enable button, the controller returns its own self-signed or imported CA certificate to the proxy gateway. The Enable button is dimmed if the proxy gateway certificate functionality is used. |
If SSL decryption is enabled on the proxy server that is configured between Cisco DNA Center and the Cisco cloud from which it downloads software updates, ensure that the proxy is configured with a certificate that is issued from an official certificate authority. If you are using a private certificate, complete the following steps.
Note |
For added security, access to the root shell is disabled in Cisco DNA Center. With restricted shell, users can't access the underlying operating system and file system, which reduces operational risk. However, the commands in this section require that you contact the Cisco TAC to access the root shell temporarily. See About Restricted Shell. |
|
Step 1 |
Transfer your proxy server’s certificate (in .pem format) to a directory on the Cisco DNA Center server. |
|
Step 2 |
As a maglev user, SSH to the Cisco DNA Center server and enter the following command, where <directory> is the location of the certificate file and<proxy.pem> is your proxy server’s TLS/SSL certificate file: The command returns an output that is similar to the following: |
|
Step 3 |
In the command output, look for the line “1 added” and confirm that the number added is not zero. The number can be 1 or more than 1, based on the certificates in the chain. |
|
Step 4 |
Enter the following commands to restart docker and the catalog server: |
|
Step 5 |
Log in to Cisco DNA Center GUI and do the following:
|
Cisco DNA Center supports the Certificate Authority Management feature, which is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents that are called CAs. Cisco DNA Center uses the Certificate Authority Management feature to import, store, and manage X.509 certificates from your internal CA. The imported certificate becomes an identity certificate for Cisco DNA Center, and Cisco DNA Center presents this certificate to its clients for authentication. The clients are the northbound API applications and network devices.
You can import the following files (in either PEM or PKCS file format) using the Cisco DNA Center GUI:
X.509 certificate
Private key
Note |
For the private key, Cisco DNA Center supports the import of RSA keys. Keep the private key secure in your own key management system. The private key must have a minimum modulus size of 2048 bits. With Cisco DNA Center 2.3.4.x and earlier, do not import DSA, DH, ECDH, and ECDSA key types, because they are not supported. Cisco DNA Center 2.3.4.x and earlier does not support any form of ECDH and ECDSA, which includes any leaf certificate tied to the certificate chain. Cisco DNA Center 2.3.5 and later supports all key types. |
Prior to import, you must obtain a valid X.509 certificate and private key that is issued by your internal CA and the certificate must correspond to a private key in your possession. After import, the security functionality that is based on the X.509 certificate and private key is automatically activated. Cisco DNA Center presents the certificate to any device or application that requests it. Northbound API applications and network devices can use these credentials to establish a trust relationship with Cisco DNA Center.
Note |
We recommend that you do not use and import a self-signed certificate to Cisco DNA Center. We recommend that you import a valid X.509 certificate from your internal CA. Additionally, you must replace the self-signed certificate (installed in Cisco DNA Center by default) with a certificate that is signed by your internal CA for the Plug and Play functionality to work correctly. |
Cisco DNA Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values.
Cisco DNA Center is able to import certificates and private keys through its GUI. If subordinate certificates are involved in a certificate chain leading to the certificate that is to be imported into Cisco DNA Center (signed certificate), both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.
The following certificates should be pasted together into a single PEM file. Review the certificate subject name and issuer to ensure that the correct certificates are being imported and correct order is maintained. Ensure that all of the certificates in the chain are pasted together.
Signed Cisco DNA Center certificate: Its Subject field includes CN=<FQDN of Cisco DNA Center>, and the issuer has the CN of the issuing authority.
Note |
If you install a certificate signed by your internal certificate authority (CA), ensure that the certificate specifies all of the DNS names (including the Cisco DNA Center FQDN) that are used to access Cisco DNA Center in the alt_names section. For more information, see "Generate a Certificate Request Using Open SSL" in the Cisco DNA Center Security Best Practices Guide. |
Issuing (subordinate) CA certificate that issues the Cisco DNA Center certificate: Its Subject field has CN of the (subordinate) CA that issues the Cisco DNA Center certificate, and the issuer is that of the root CA.
Next issuing (root/subordinate CA) certificate that issues the subordinate CA certificate: Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, you must append the next issuer, and so on.
Cisco DNA Center supports the import and storage of an X.509 certificate and private key into Cisco DNA Center. After import, the certificate and private key can be used to create a secure and trusted environment between Cisco DNA Center, northbound API applications, and network devices.
You can import a certificate and a private key using the Certificates window in the GUI.
Obtain a valid X.509 certificate that is issued by your internal Certificate Authority. The certificate must correspond to a private key in your possession.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||||
|
Step 2 |
In the System tab, view the current certificate data. When you first view this window, the current certificate data that is displayed in the Cisco DNA Center self-signed certificate. The self-signed certificate's expiry is set for several years in the future.
The System tab displays the following fields:
|
||||
|
Step 3 |
In the System Certificates window, click Replace Certificate. Otherwise, the Download existing CSR link is displayed. You can download the existing CSR and submit it to your provider to generate your certificate. If you don't want to use the existing CSR, click Delete existing CSR, and then click Accept in the subsequent Confirmation window. You can now see the Generate New CSR link. |
||||
|
Step 4 |
Click the Generate New CSR link. |
||||
|
Step 5 |
In the Certificate Signing Request Generator window, provide information in the required fields. |
||||
|
Step 6 |
Click Generate New CSR. The generated new CSR is downloaded automatically. The Certificate Signing window shows the CSR properties and allows you to do the following:
|
||||
|
Step 7 |
Choose the file format type for the certificate that you are importing into Cisco DNA Center:
|
||||
|
Step 8 |
Confirm that the certificate issuer provides the certificate full chain (server and CA) in p7b. When in doubt, do the following to examine and assemble the chain: |
||||
|
Step 9 |
If the certificate issuer provides the certificate and its issuer CA chain in loose files, do the following: |
||||
|
Step 10 |
For a PEM file, perform the following tasks:
|
||||
|
Step 11 |
For a PKCS file, perform the following tasks:
|
||||
|
Step 12 |
Click Save.
|
||||
|
Step 13 |
Return to the Certificates window to view the updated certificate data. |
Cisco DNA Center uses the Simple Certificate Enrollment Protocol (SCEP) for enrollment and the provisioning of certificates to network devices. You can use your own SCEP broker and certificate service, or you can use an external SCEP broker. To set up an external SCEP broker, complete the following procedure:
Note |
For more information regarding SCEP, see Simple Certificate Enrollment Protocol Overview. |
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
In the Certificate Authority window, click the Use external SCEP broker radio button. |
||
|
Step 3 |
Use one of the following options to upload an external certificate:
|
||
|
Step 4 |
Click Upload. |
||
|
Step 5 |
By default, Manages Device Trustpoint is enabled, meaning Cisco DNA Center configures the sdn-network-infra-iwan trustpoint on the device. You must complete the following steps:
If Manages Device Trustpoint is disabled, for devices to send wired and wireless Assurance telemetry to Cisco DNA Center, you must manually configure the sdn-network-infra-iwan trustpoint on the device and then import a certificate. See Configure the Device Certificate Trustpoint. |
||
|
Step 6 |
Click Save. The external CA certificate is uploaded. If you want to replace the uploaded external certificate, click Replace Certificate and enter the required details. |
After uploading an external certificate, if you want to switch back to the internal certificate, do the following:
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
In the Certificate Authority window, click the Use Cisco DNA Center radio button. |
|
Step 3 |
In the Switching back to Internal Certificate Authority alert, click Apply. The Settings have been updated message appears. For more information, see Change the Role of the Certificate Authority from Root to Subordinate. |
Cisco DNA Center allows you to download the device certificates that are required to set up an external entity such as an AAA server or a Cisco ISE server to authenticate the devices.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click Download to export the device CA and add it as the trusted CA on the external entities. |
Certificate Management
You can view and manage certificates that are issued by Cisco DNA Center for managed devices to authenticate and identify the devices.
|
Step 1 |
From the top-left corner, click the menu icon and choose . The Device Certificate window shows the status of issued certificates in separate status tabs:
|
|
Step 2 |
You can filter the certificates, based on the Device Name and Issue To value. |
|
Step 3 |
If you want to revoke a valid certificate, do the following:
|
|
Step 4 |
If you want to delete an expired certificate, do the following:
|
|
Step 5 |
If you want to export the certificate details, click Export. The certificate details are exported in CSV format. |
Cisco DNA Center lets you change the certificate lifetime of network devices that the private (internal) Cisco DNA Center CA manages and monitors. The Cisco DNA Center default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the Cisco DNA Center GUI, network devices that subsequently request a certificate from Cisco DNA Center are assigned this lifetime value.
Note |
The device certificate lifetime value cannot exceed the CA certificate lifetime value. Also, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device gets a certificate lifetime value that is equal to the remaining CA certificate lifetime. |
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Review the device certificate and the current device certificate lifetime. |
|
Step 3 |
In the Device Certificate window, click Modify. |
|
Step 4 |
In the Device Certificate Lifetime dialog box, enter a new value, in days. |
|
Step 5 |
Click Save. |
The device CA, a private CA that is provided by Cisco DNA Center, manages the certificates and keys that are used to establish and secure server-client connections. To change the role of the device CA from a root CA to a subordinate CA, complete the following procedure.
You can change the role of the private (internal) Cisco DNA Center CA from a root CA to a subordinate CA using the Certificate Authority Management window in the GUI. When making this change, do the following:
If you intend to have Cisco DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept Cisco DNA Center as a subordinate CA.
As long as the subordinate CA is not fully configured, Cisco DNA Center continues to operate as an internal root CA.
You must generate a Certificate Signing Request file for Cisco DNA Center (as described in the following procedure) and have it manually signed by your external root CA.
Note |
Cisco DNA Center continues to run as an internal root CA during this time period. |
After the Certificate Signing Request is signed by the external root CA, this signed file must be imported back into Cisco DNA Center using the GUI (as described in the following procedure).
After the import, Cisco DNA Center initializes itself as the subordinate CA and provides all the existing functionalities of a subordinate CA.
If device controllability is enabled (which is the default) before the switchover from the internal root CA to the subordinate CA, the new device certificate is updated automatically.
The subordinate CA certificate lifetime, as displayed in the GUI, is just read from the certificate; it is not computed against the system time. Therefore, if you install a certificate with a lifespan of 1 year today and look at it in the GUI the same time next year, the GUI will still show that the certificate has a 1-year lifetime.
The subordinate CA certificate must be in PEM or DER format only.
The subordinate CA does not interact with the higher CAs; therefore, it is not aware of revocation, if any, of the certificates at a higher level. Because of this, any information about certificate revocation is also not communicated from the subordinate CA to the network devices. Because the subordinate CA does not have this information, all the network devices use only the subordinate CA as the Cisco Discovery Protocol (CDP) source.
You must have a copy of the root CA certificate.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click the CA Management tab. |
|
Step 3 |
Review the existing root or subordinate CA certificate configuration information from the GUI:
|
|
Step 4 |
In the CA Management tab, check the Sub CA Mode check box. |
|
Step 5 |
Click Next. |
|
Step 6 |
Review the warnings that are displayed: For example,
|
|
Step 7 |
Click OK to proceed. The Certificate Authority Management window displays the Import External Root CA Certificate field. |
|
Step 8 |
Drag and drop your root CA certificate into the Import External Root CA Certificate field and click Upload. The root CA certificate is uploaded into Cisco DNA Center and used to generate a Certificate Signing Request. After the upload process finishes, a |
|
Step 9 |
Click Next. Cisco DNA Center generates and displays the Certificate Signing Request. |
|
Step 10 |
View the Cisco DNA Center-generated Certificate Signing Request in the GUI and perform one of the following actions:
|
|
Step 11 |
Send the Certificate Signing Request file to your root CA. Your root CA will then return a subordinate CA file, which you must import back into Cisco DNA Center. |
|
Step 12 |
After receiving the subordinate CA file from your root CA, access the Cisco DNA Center GUI again and return to the Certificate Authority Management window. |
|
Step 13 |
Click the CA Management tab. |
|
Step 14 |
Click Yes for the Change CA mode button. After clicking Yes, the GUI view with the Certificate Signing Request is displayed. |
|
Step 15 |
Click Next. The Certificate Authority Management window displays the Import Sub CA Certificate field. |
|
Step 16 |
Drag and drop your subordinate CA certificate into the Import Sub CA Certificate field and click Apply. The subordinate CA certificate is uploaded into Cisco DNA Center. After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab. |
|
Step 17 |
Review the fields under the CA Management tab:
|
Cisco DNA Center lets you apply a subordinate certificate as a rollover subordinate CA when 70 percent of the existing subordinate CA lifetime has elapsed.
To initiate subordinate CA rollover provisioning, you must have changed the certificate authority role to subordinate CA mode. See Change the Role of the Certificate Authority from Root to Subordinate.
70 percent or more of the lifetime of the current subordinate CA certificate must have expired. When this occurs, Cisco DNA Center displays a Renew button under the CA Management tab.
You must have a signed copy of the rollover subordinate CA certificate.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click the CA Management tab. |
|
Step 3 |
Review the CA certificate configuration information:
|
|
Step 4 |
Click Renew. Cisco DNA Center uses the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request. |
|
Step 5 |
View the generated Certificate Signing Request in the GUI and perform one of the following actions:
|
|
Step 6 |
Send the Certificate Signing Request file to your root CA. Your root CA will then return a rollover subordinate CA file that you must import back into Cisco DNA Center. The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA who signed the subordinate CA you imported when you switched from RootCA mode to SubCA mode. |
|
Step 7 |
After receiving the rollover subordinate CA file from your root CA, return to the Certificate Authority Management window. |
|
Step 8 |
Click the CA Management tab. |
|
Step 9 |
Click Next in the GUI in which the Certificate Signing Request is displayed. The Certificate Authority Management window displays the Import Sub CA Certificate field. |
|
Step 10 |
Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Apply. The rollover subordinate CA certificate is uploaded into Cisco DNA Center. After the upload finishes, the GUI changes to disable the Renew button under the CA Management tab. |
If Manages Device Trustpoint is disabled in Cisco DNA Center, for devices to send wired and wireless Assurance telemetry to Cisco DNA Center, you must manually configure the sdn-network-infra-iwan trustpoint on the device and then import a certificate.
The following manual configuration is required to enroll from an external CA via SCEP.
|
Step 1 |
Enter the following commands: |
|
Step 2 |
(Optional, but recommended) Automatically renew the certificate and avoid certificate expiry: |
|
Step 3 |
(Optional) Specify the interface that is reachable to the enrollment URL. Otherwise, the default is the source interface of the http service. |
Cisco DNA Center uses a number of certificates, such as the ones generated by Kubernetes and the ones used by Kong and Credential Manager Services. These certificates are valid for one year, which starts as soon as you install your cluster. Cisco DNA Center automatically renews these certificates for another year before they are set to expire.
We recommend that you renew certificates before they expire, not after.
You can only renew certificates that are set to expire up to 100 days from now. This procedure does not do anything to certificates that will expire later than that.
The script refreshes only self-signed certificates, not third-party/certificate authority (CA)-signed certificates. For third-party/CA-signed certificates, the script updates the internal certificates used by Kubernetes and the Credential Manager.
For self-signed certificates, the renewal process does not require you to push certificates back out to devices, because the root CA is unchanged.
The term cluster applies to both single-node and three-node Cisco DNA Center setups.
|
Step 1 |
Ensure that each cluster node is healthy and not experiencing any issues. |
|
Step 2 |
To view a list of the certificates that are currently used by that node and their expiration date, enter the following command: |
|
Step 3 |
Renew the certificates that are set to expire soon by entering the following command: |
|
Step 4 |
Repeat the preceding steps for the other cluster nodes. |
|
Step 5 |
For utility help, enter: |
Cisco DNA Center contains a preinstalled Cisco trusted certificates bundle (Cisco Trusted External Root Bundle). Cisco DNA Center also supports the import and storage of an updated trusted certificates bundle from Cisco. The trusted certificates bundle is used by supported Cisco networking devices to establish a trust relationship with Cisco DNA Center and its applications.
Note |
The Cisco trusted certificates bundle is a file called ios.p7b that only supported Cisco devices can unbundle and use. This ios.p7b file contains root certificates of valid certificate authorities, including Cisco. This Cisco trusted certificates bundle is available on the Cisco cloud (Cisco InfoSec). The link is located at https://www.cisco.com/security/pki/. |
The trusted certificates bundle provides you with a safe and convenient way to use the same CA to manage all your network device certificates, as well as your Cisco DNA Center certificate. The trusted certificates bundle is used by Cisco DNA Center to validate its own certificate as well as a proxy gateway certificate (if any), to determine whether it is a valid CA-signed certificate. Additionally, the trusted certificates bundle is available for upload to Network PnP-enabled devices at the beginning of their PnP workflow so that they can trust Cisco DNA Center for subsequent HTTPS-based connections.
You import the Cisco trust bundle using the Trusted Certificates window in the GUI.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
In the Trusted Certificates window, click the Update button to initiate a new download and install of the trusted certificates bundle. The Update button becomes active only when an updated version of the ios.p7b file is available and internet access is available. After the new trusted certificates bundle is downloaded and installed on Cisco DNA Center, Cisco DNA Center makes this trusted certificates bundle available to supported Cisco devices for download. |
|
Step 3 |
If you want to import a new certificate file, click Import, choose a valid certificate file from your local system, and click Import in the Import Certificate window. |
|
Step 4 |
Click Export to export the certificate details in CSV format. |
For added security, access to the root shell is disabled. With restricted shell, users can't access the underlying operating system and file system, which reduces operational risk.
Restricted shell is enabled for security purposes. However, if you want to access the root shell temporarily, you must contact the Cisco TAC for assistance.
If necessary, you can use the following restricted list of commands:
icon, search by name, and locate $ help
Help:
cat concatenate and print files in restricted mode
clear clear the terminal screen
date display the current time in the given FORMAT, or set the system date
debug enable console debug logs
df file system information
dmesg print or control the kernel ring buffer.
du summarize disk usage of the set of FILEs, recursively for directories.
free quick summary of memory usage
history enable shell commands history
htop interactive process viewer.
ip print routing, network devices, interfaces and tunnels.
kubectl Interact with Kubernetes Cluster in a restricted manner.
last show a listing of last logged in users.
ls restricted file system view chrooted to maglev Home
lscpu print information about the CPU architecture.
magctl tool to manage a Maglev deployment
maglev-config tool to configure a Maglev deployment
manufacture_check tool to perform manufacturing checks
netstat print networking information.
nslookup query Internet name servers interactively.
ntpq standard NTP query program.
ping send ICMP ECHO_REQUEST to network hosts.
ps check status of active processes in the system
rca root cause analysis collection utilities
reboot Reboot the machine
rm delete files in restricted mode
route print the IP routing table.
runonce Execute runonce scripts
scp restricted secure copy
sftp secure file transfer
shutdown Shutdown the machine
ssh OpenSSH SSH client.
tail Print the last 10 lines of each FILE to standard output
top display sorted list of system processes
traceroute print the route packets trace to network host.
uname print system information.
uptime tell how long the system has been running.
vi text editor
w show who is logged on and what they are doing.Telemetry data is collected by default in Cisco DNA Center, but you can opt out of some data collection. The data collection is designed to help the development of product features and address any operational issues, providing greater value and return on investment (ROI). Cisco collects the following categories of data: Cisco.com ID, System, Feature Usage, Network Device Inventory, and License Entitlement. See the Cisco DNA Center Data Sheet for a more expansive list of data that we collect. To opt out of some of data collection, contact your Cisco account representative and the Cisco Technical Assistance Center (TAC).
From the top-left corner, click the menu icon and choose . You can review the license agreement, the privacy statement, and the privacy data sheet from the Telemetry Collection window.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
To review the agreement for Telemetry Collection, click End User License Agreement. |
|
Step 3 |
(Optional) To disable Telemetry Collection, uncheck the Telemetry Collection check box and click Update. |
Cisco DNA Center supports Cisco vEdge deployment by using integrated vManage setups. You can save the vManage details from the Settings window before provisioning any vEdge topologies.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Configure the vManage Properties:
|
|
Step 3 |
To upload the vManage certificate, click Select a file from your computer. |
|
Step 4 |
Click Save. |
You can configure the account lockout policy to manage user login attempts, account lockout period, and number of login retries.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
Click the Enforce Account Lockout toggle button so that you see a check mark. |
||
|
Step 3 |
Enter values for the following Enforce Account Lockout parameters:
|
||
|
Step 4 |
Choose the Idle Session Timeout value from the drop-down list. |
||
|
Step 5 |
Click Save. If you leave the session idle, a Session Timeout dialog box appears five minutes before the session timeout. Click Stay signed in if you want to continue the session. You can click Sign out to end the session immediately. |
You can configure the password expiration policy to manage the following:
Password expiration frequency.
Number of days that users are notified before their password expires.
Grace period.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
Click the Enforce Password Expiry toggle button so that you see a check mark. |
||
|
Step 3 |
Enter values for the following Enforce Password Expiry parameters:
|
||
|
Step 4 |
Click Save to set the password expiry settings. |
IP access control allows you to control the access to Cisco DNA Center based on the IP address of the host or network. Cisco DNA Center provides the following options for IP access control:
Allow all IP addresses to access Cisco DNA Center. By default, all IP addresses can access Cisco DNA Center.
Allow only selected IP addresses to access Cisco DNA Center.
To configure IP access control and allow only selected IP addresses to access Cisco DNA Center, perform the following steps:
Ensure that you have SUPER-ADMIN-ROLE permissions.
Add the Cisco DNA Center services subnet, cluster service subnet, and cluster interface subnet to the list of allowed subnets.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
||
|
Step 2 |
Click the Allow only listed IP addresses to connect radio button. |
||
|
Step 3 |
Click Add IP List. |
||
|
Step 4 |
In the IP Address field of the Add IP slide-in pane, enter your IPv4 address.
|
||
|
Step 5 |
In the Subnet Mask field, enter the subnet mask. The valid range for subnet mask is from 0 through 32. |
||
|
Step 6 |
Click Save. |
To add more IP addresses to the IP access list, perform the following steps.
Ensure that you enable IP access control. For more information, see Enable IP Access Control.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click Add. |
|
Step 3 |
In the IP Address field of the Add IP slide-in pane, enter the IPv4 address of the host or network. |
|
Step 4 |
In the Subnet Mask field, enter the subnet mask. 
|
|
Step 5 |
Click Save. |
To delete an IP address from the IP access list and disable its access to Cisco DNA Center, perform the following steps.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
In the Action column, click the Delete icon for the corresponding IP address. |
|
Step 3 |
Click Delete. |
Ensure that you have SUPER-ADMIN-ROLE permissions.
|
Step 1 |
From the top-left corner, click the menu icon and choose . |
|
Step 2 |
Click the Allow all IP addresses to connect radio button. |
Feedback