Clear visibility of device compliance is vital for network operations. One of the greatest challenges, though, is to agree upon the definition of compliance, since different environments have different requirements. The aim of this blog is to share the current compliance capabilities in Cisco DNA Center that can help network administrators keep the infrastructure secure and consistent.
The current version of Cisco DNA Center looks at device compliance from five different lenses in a non-SD-Access network: startup vs. running-config, network profiles, application visibility, software image, and critical security advisories.
Startup vs Running Configuration
Have you ever configured a device and forgotten to save the running configuration, only to have the device reboot unexpectedly? The result could be catastrophic, leading to numerous issues in the network. Although the preferred method for device configuration is through Cisco DNA Center, manual changes are still permitted. To avoid inconsistencies between startup and running configurations, Cisco DNA Center provides a compliance check that flags any devices whose startup and running configurations don’t match.
In the screenshot below, we see how Cisco DNA Center provides a visualization of the differences between the running and startup configuration. In this example, the network administrator manually added a description to an interface and forgot to save the new configuration. Cisco DNA Center also provides a way to remediate this problem with a “Sync Device Config” button, which saves the running-config into the startup-config.
One of Cisco DNA Center’s greatest values is the automation it brings by leveraging Intent-Based Networking (IBN). One of the constructs that Cisco DNA Center uses to implement IBN is network profiles. Network profiles contain different aspects of intent-based networking, including wireless and model-based configuration (for wireless devices) and templates (for all devices). Through compliance checks, Cisco DNA Center can flag any configuration deviation from these constructs.
Let’s say that we have a simple template in Cisco DNA Center pushing a “vlan” configuration to a port:
TBRANCH-C9200L-2#show run int gig 1/0/7
Building configuration...

Current configuration : 344 bytes
!
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
end
In this example, we will assume that someone manually removed the “vlan” configuration that had been pushed by Cisco DNA Center templates:
TBRANCH-C9200L-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no switchport access vlan 419
TBRANCH-C9200L-2(config-if)#
This action will trigger a “Network Profile” compliance violation as seen in the screenshots below:
Cisco DNA Center clearly identifies the template that has been modified on the device and the exact lines of configuration that have been removed:
Cisco DNA Center also leverages Intent-Based Networking (IBN) to provision devices for application visibility through CBAR and NBAR. If there are any changes to this intent, the devices will be marked as non-compliant for “Application Visibility” as seen in the example below.
The device has CBAR (Controller Based Application Recognition) enabled via DNA Center:
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
end
The configuration is then manually removed from the device:
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no ip nbar protocol-discovery
TBRANCH-C9200L-2(config-if)#
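The two drift cases above (the template’s vlan line and the NBAR protocol-discovery line removed by hand) can be reproduced offline with a small intent-versus-running-config check; this is an added example, not Cisco DNA Center code. The intent table, check names and the constructed config strings are assumptions built from the interface shown on this page.

```python
"""Flag template-pushed interface lines that are missing from a running-config."""
from typing import Dict, List

# Constructed sample: the interface as pushed by the template (from this page),
# then the same interface after the two manual 'no ...' commands shown above.
PUSHED_CONFIG = """\
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
end
"""
DRIFTED_CONFIG = (PUSHED_CONFIG
                  .replace(" switchport access vlan 419\n", "")
                  .replace(" ip nbar protocol-discovery\n", ""))

# Assumed intent: the lines each compliance check expects under the interface.
INTENT = {
    "Network Profile": ["switchport access vlan 419", "switchport mode access"],
    "Application Visibility": ["ip nbar protocol-discovery"],
}


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Map each 'interface X' stanza to its indented sub-commands."""
    interfaces: Dict[str, List[str]] = {}
    current = None
    for line in config.splitlines():
        if line.startswith("interface "):
            current = line.split(" ", 1)[1].strip()
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None  # 'end', '!' or a top-level command closes the stanza
    return interfaces


def check_compliance(config: str, interface: str, intent=INTENT) -> Dict[str, List[str]]:
    """Per check, return the intended lines absent from the interface (empty list = compliant)."""
    present = set(parse_interfaces(config).get(interface, []))
    return {name: [l for l in lines if l not in present] for name, lines in intent.items()}


if __name__ == "__main__":
    for label, cfg in (("pushed", PUSHED_CONFIG), ("drifted", DRIFTED_CONFIG)):
        print(label, check_compliance(cfg, "GigabitEthernet1/0/7"))
```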
Software Image
Cisco DNA Center uses the concept of a “Golden Image” to enforce image consistency within a site. When devices run images different from the “Golden Image”, this triggers the “Software Image” compliance violation as seen in the screenshots below:
Critical Security Advisories
Devices with critical security vulnerabilities will also trigger a compliance check as shown in the screenshots below:
Our next blog will cover aspects of Cisco DNA Center and configuration management.