Cisco Digital Network Architecture Center Administrator Guide, Release 1.2.5

Transcription

1 Cisco Digital Network Architecture Center Administrator Guide, Release First Published: Last Modified: Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA USA Tel: NETS (6387) Fax:

2 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: go trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) 2018 Cisco Systems, Inc. All rights reserved.

3 CONTENTS CHAPTER 1 New and Changed Information 1 New and Changed Information 1 CHAPTER 2 Get Started with Cisco DNA Center 3 About Cisco DNA Center 3 Log In 3 Log In for the First Time as a Network Administrator 4 Default Home Page 5 Use Global Search 8 Where to Start 9 CHAPTER 3 Configure System Settings 11 About System Settings 11 View the Overview in System 360 View the Services in System About Cisco DNA Center and Cisco ISE Integration 14 Configure Authentication and Policy Servers 16 Configure Cisco Credentials 17 Device Controllability 18 Configure Device Controllability 19 Integrity Verification 20 Upload the KGV File 20 Configure an IP Address Manager 22 Configure Debugging Logs 23 Configure the Network Resync Interval 24 View Audit Logs 24 iii

4 Contents Configure the Proxy 26 Configure Security for Cisco DNA Center 26 Enable TLS and RC4-SHA 27 Configure Proxy Certificate 28 Certificate and Private Key Support 29 Certificate Chain Support 30 Configure a Certificate 31 Certificate Management 32 Configure Device Certificate Lifetime 32 Change the Role of the PKI Certificate from Root to Subordinate 33 Provision a Rollover SubCA Certificate 35 Configure Trustpool 37 Configure SFTP Server 37 Configure SNMP Properties 38 About Telemetry Collection 39 Configure Telemetry Collection 39 Configure vmanage Properties 39 CHAPTER 4 Manage High Availability 41 Multi-Host Configurations for High Availability 41 Multi-Host Deployment Overview 42 Clustering and Database Replication 42 Security Replication 42 Multi-Host Synchronization 43 Multi-Host Upgrade 43 Split Brain and Network Partition 43 Recover Failed Hosts in a Cluster 44 Remove the Assurance Seed Node 44 Add the Assurance Seed Node 45 CHAPTER 5 Manage Applications 47 Application Management 47 Downloading and Updating System Updates 48 Downloading and Installing Packages and Updates 48 iv

5 Contents Uninstalling Packages 49 CHAPTER 6 Manage Users 51 About User Profiles 51 About User Roles 51 Create Local Users 52 Edit Local Users 52 Delete Local Users 53 Change Your Own User Password 53 Reset Forgotten Password 53 Display Role-Based Access Control Statistics 54 Configure External Authentication 54 Display External Users 56 CHAPTER 7 Manage Licenses 57 License Manager Overview 57 Integration with Cisco Smart Accounts 61 Set Up License Manager 61 Visualize License Usage and Expiration 62 View License Details 62 Change License Level 63 Export License Information 64 Auto Registration of Smart License Enabled Device 64 Day 0 Configuration for Smart License Enabled Device 65 Apply Specific License Reservation or Permanent License Reservation to Devices 65 Cancel SLR or PLR Applied to Devices 66 CHAPTER 8 Backup and Restore 67 About Backup and Restore 67 Automation Backup Server Requirements 68 Assurance Backup Server Requirements 69 Example of NFS Server Configuration 69 Configure Backup Servers 70 Back Up Data Now 71 v

6 Contents Schedule Data Backups 73 Restore Data from Backups 74 vi

7 New and Changed Information CHAPTER 1 This chapter provides release-specific information for each new and changed feature. New and Changed Information, on page 1 New and Changed Information This table summarizes the new and changed features in Cisco DNA Center, Release and tells you where they are documented. Table 1: New and Changed Features for Cisco DNA Center, Release Feature Backup and Restore Smart License Specific License Reservation (SLR) and Permanent License Reservation (PLR) Description You can now back up Assurance data from the GUI, like you can with Automation data. You can enable auto registration of Smart License (SL)-enabled devices. After auto registration is enabled, any SL-enabled devices added to Cisco DNA Center are automatically registered to the chosen virtual account. You can now apply SLR or PLR to devices in a highly secured network. Where Documented Backup and Restore, on page 67 Manage Licenses, on page 57 Manage Licenses, on page 57 1

8 New and Changed Information New and Changed Information 2

9 CHAPTER 2 Get Started with Cisco DNA Center About Cisco DNA Center About Cisco DNA Center, on page 3 Log In, on page 3 Log In for the First Time as a Network Administrator, on page 4 Default Home Page, on page 5 Use Global Search, on page 8 Where to Start, on page 9 Cisco Digital Network Architecture (DNA) offers centralized, intuitive management that makes it fast and easy to design, provision, and apply policies across your network environment. The Cisco DNA Center GUI provides end-to-end network visibility and uses network insights to optimize network performance and deliver the best user and application experience. Cisco DNA Center allows you to: Move faster: Provision thousands of devices across your enterprise network. Act fast with centralized management and automate device deployment. Lower costs: Reduce errors with automation. Policy-driven deployment and onboarding deliver better uptime and improved security. Reduce risk: Predict problems early. Use actionable insights for optimal performance of your network, devices, and applications. Log In Access Cisco DNA Center by entering its network IP address in your browser. For compatible browsers, see the Cisco DNA Center Release s for the version of Cisco DNA Center that you are using currently. This IP address connects to the external network and is configured during the Cisco DNA Center installation. For more information about installing and configuring Cisco DNA Center, see the Cisco Digital Network Architecture Center Installation Guide. You should continuously use Cisco DNA Center to remain logged in. If you are inactive for too long, Cisco DNA Center logs you out of your session automatically. 3

10 Log In for the First Time as a Network Administrator Get Started with Cisco DNA Center Step 1 Enter an address in your web browser's address field in the following format. Here server-ip is the IP address (or the hostname) of the server on which you have installed Cisco DNA Center: Example: Depending on your network configuration, you may have to update your browser to trust the Cisco DNA Center server security certificate. Doing so will help ensure the security of the connection between your client and Cisco DNA Center. Enter the Cisco DNA Center username and password assigned to you by the system administrator. Cisco DNA Center displays its home page. If your user ID has the NETWORK-ADMIN-ROLE and no other user with the same role has logged in before, you will see a first-time setup wizard instead of the home page. For details, see Log In for the First Time as a Network Administrator, on page 4. To log out, click the Gear icon at the top-right corner and click Sign Out. Log In for the First Time as a Network Administrator If your user ID has the NETWORK-ADMIN-ROLE assigned, and no other user with the same role has logged in before, you will see a "Getting Started" wizard instead of the home page dashboard the first time you log in to Cisco DNA Center. The wizard is a quick way to get immediate value from Cisco DNA Center. It consists of a few screens that collect information needed to discover and monitor the condition of your network devices, and then help you visualize your network's overall health using the Cisco DNA Center home page dashboard. You can perform all of the same tasks the wizard does using other Cisco DNA Center features. Using the wizard does not prevent you from using those features. You can choose to skip the wizard entirely at any point and it will not be shown again for you. However, Cisco DNA Center will continue to display the wizard at login to any user with the same role until one such user completes the wizard steps. After that, Cisco DNA Center never displays the wizard again. Before you begin You need to have the following information to complete the wizard: The IP addresses of your SYSLOG and SNMP servers The IP address and port of your Netflow server For discovery: The IP address to start from (if choosing CDP discovery) or the starting and ending IP addresses (if choosing Range discovery) Optional: Your preferred management IP address Device CLI credentials, including the Enable password SNMP v2c credentials, including the read community string 4

11 Get Started with Cisco DNA Center Default Home Page Step 1 If you have not already done so, log in to Cisco DNA Center normally, as explained in Log In, on page 3. With the wizard displayed, click Get Started. In the fields on the following screens, enter the information listed in "Before You Begin" above. Click Save & Next to continue, Back to return to the previous screen and revise your entries, or Skip to cancel the wizard and display the Cisco DNA Center home page. Step 4 When you are finished, click Begin Discovery. Cisco DNA Center displays the home page, which slowly fills with network health information as discovery completes. Default Home Page After you log in, Cisco DNA Center displays its home page. The home page has three main areas: Network Snapshot, Network Configuration, and Tools. The Network Snapshot area includes: Sites: Provides the number of sites discovered on your network along with the number of DNS and NTP servers. Clicking Add Sites takes you to the Add Site page. Network Devices: Provides the number of network devices discovered on your network along with the number of unclaimed, unprovisioned, and unreachable devices count. Clicking Find New Devices takes you to the New Discovery page. Profiles: Provides the number of profiles discovered on your network. Clicking Add New Profiles takes you to the Network Profiles page. Images: Provides the number of images discovered on your network along with the number of untagged and unverified images. Clicking Import Images/SMUs takes you to the Image Repository page. Licensed Devices: Provides the number of devices that have a Cisco DNA Center license along with the number of switches, routers, and access points. Clicking Manage Licenses takes you to the License Management page. The Network Configuration area includes: Design: Create the structure and framework of your network, including the physical topology, network settings, and device type profiles that you can apply to devices throughout your network. Policy: Create policies that reflect your organization's business intent for a particular aspect of the network, such as network access. Cisco DNA Center takes the information collected in a policy and translates it into network-specific and device-specific configurations required by the different types, makes, models, operating systems, roles, and resource constraints of your network devices. Provision: Prepare and configure devices, including adding devices to sites, assigning devices to the Cisco DNA Center inventory, deploying the required settings and policies, creating fabric domains, and adding devices to the fabric. Assurance: Provide proactive and predictive actionable insights about the performance and health of the network infrastructure, applications, and end-user clients. 5

12 Default Home Page Get Started with Cisco DNA Center Tools: Use the Tools area to configure and manage your network. Figure 1: Home Page Different Views of Home Page: Getting Started When you log in to Cisco DNA Center for the first time, or when there are no devices in the system, you see the following message. Click Discover to discover new devices in your network. Day 0 Home Page If you skipped getting started, or when there are no devices in the system, you see the following home page. 6

13 Get Started with Cisco DNA Center Default Home Page When discovery is in progress, you see a progress message with a link to the Discovery window. When there are devices in the system, you see a network snapshot of discovered devices. Click any icons in the main areas to launch the corresponding application or tool. In addition to the Network Snapshot, Network Configuration, and Tool icons, you can click any icons at the top-right corner of the home page to perform important common tasks: Software Updates: See a list of available software updates. Click the Go to Software Updates link to view Platform and App updates. Search icon: Search for devices, users, hosts, and other items, anywhere they are stored in the Cisco DNA Center database. For tips on using Search, see Use Global Search, on page 8. Applications icon: Return to the Cisco DNA Center home page from any other page and access the applications and tools. You can do the same thing by clicking the Cisco DNA Center logo in the top-left corner of the home page. Settings icon: View audit logs, configure Cisco DNA Center system settings, see the Cisco DNA Center version you are using, and log out. Notifications icon: See recently scheduled tasks and other notifications. Finally, you can click the following icons, which appear at the right side of every page in Cisco DNA Center: Feedback icon: Submit your comments and suggestions to Cisco's Cisco DNA Center product team. Help icon: Launch Cisco DNA Center's context-sensitive online help in a separate tab in your browser. If you are new to Cisco DNA Center, see Where to Start, on page 9 for tips and suggestions on how to begin. 7

14 Use Global Search Get Started with Cisco DNA Center By default, the login name you provided is displayed in the Welcome text. To change the name, click the name link; for example, admin. You are taken to Users > User Management, where you can edit the display name. Use Global Search Use the global Search function to find items in the following categories anywhere in Cisco DNA Center: Activities: Search for Cisco DNA Center menu items, workflows, and features by name. Applications: Search for them by name. Application Groups: Search for them by name. Hosts and Endpoints: Search for them by name, IP address, or MAC address. IP Pools: Search for them by name or IP address. Network Devices: Search for them by name, IP address, serial number, software version, platform, product family, or MAC address. Sites: Search for them by name. Users: Search for them by username. Case-insensitivity and substring search are not supported for usernames. Other items, as new versions of Cisco DNA Center are released. To start a global Search, click the Figure 2: Global Search Icon icon in the top-right corner of any Cisco DNA Center page. When you click the icon, Cisco DNA Center displays a pop-up global search window, with a Search field where you can begin entering identifying information about the item you are looking for. You can enter all or part of the target item's name, address, serial number, or other identifying information. The Search field is case-insensitive and can contain any character or combination of characters. As you begin entering your search string, Cisco DNA Center displays a list of possible search targets that match your entry. If more than one category of item matches your search string, Cisco DNA Center sorts them by category, with a maximum of five items in each category. The first item in the first category is selected automatically, and summary information for that item appears in the summary panel on the right. You can scroll the list as needed, and click any of the suggested search targets to see information for that item in the summary panel. If there are more than five items in a category, click View All next to the category name in the list. To return to the categorized list from the complete list of search targets, click Go Back. As you add more characters to the search string, global Search automatically narrows the displayed list of categories and items. 8

15 Get Started with Cisco DNA Center Where to Start The summary panel includes links to more information. The link varies as appropriate for each category and item. For example, with Activities, the summary panel displays links to menu items and workflows elsewhere in the Cisco DNA Center system. For Applications, there is the Application 360 view. You will see links to Client 360 and Topology views for hosts and endpoints, and links to Device 360 and Topology views for network devices. Click the link to see the appropriate menu item, workflow, or detail view. When you are finished, click to close the window. Global search can display a maximum of 500 results at a time. Where to Start To start using Cisco DNA Center, you must first configure the Cisco DNA Center settings so that the server can communicate outside the network. After you configure the Cisco DNA Center settings, your current environment determines how you start using Cisco DNA Center: Existing infrastructure: If you have an existing infrastructure (brownfield deployment), start by running Discovery. After you run Discovery, all your devices are displayed on the Inventory window. For information about running Discovery, see the Cisco Digital Network Architecture Center User Guide. New or nonexisting infrastructure: If you have no existing infrastructure and are starting from scratch, (greenfield deployment), create a network hierarchy. For information about creating a network hierarchy, see the Cisco Digital Network Architecture Center User Guide. 9

16 Where to Start Get Started with Cisco DNA Center 10

17 CHAPTER 3 Configure System Settings About System Settings, on page 11 View the Overview in System 360, on page 11 View the Services in System 360, on page 13 About Cisco DNA Center and Cisco ISE Integration, on page 14 Configure Authentication and Policy Servers, on page 16 Configure Cisco Credentials, on page 17 Device Controllability, on page 18 Integrity Verification, on page 20 Configure an IP Address Manager, on page 22 Configure Debugging Logs, on page 23 Configure the Network Resync Interval, on page 24 View Audit Logs, on page 24 Configure the Proxy, on page 26 Configure Security for Cisco DNA Center, on page 26 Configure SFTP Server, on page 37 Configure SNMP Properties, on page 38 About Telemetry Collection, on page 39 Configure vmanage Properties, on page 39 About System Settings To start using Cisco DNA Center, you must first configure the system settings so that the server can communicate outside the network, ensure secure communications, authenticate users, and perform other key tasks. Use the procedures described in this chapter to configure the system settings. View the Overview in System 360 The System 360 Overview tab provides at-a-glance information about Cisco DNA Center. Step 1 Click and select System Settings. The System 360 and Overview tab should display by default. If not, click System 360 > Overview. 11

18 View the Overview in System 360 Configure System Settings Review the following displayed data metrics: Hosts Displays information about the Cisco DNA Center host or hosts. The information that is displayed includes the IP address of the hosts and detailed data about services running on the host(s). Click in the Services field and a side panel opens. The side panel displays the following information: Name Service name Status Status of service Version Version of service Modified Date and time of last update Logs Click the icon to open and view service logs in Kibana. Kibana is an open-source analytics and visualization platform. You can troubleshoot issues with the host by reviewing the service logs. For information about Kibana, see Grafana icon Click the icon to open and view service monitoring data in Grafana. Grafana is an open-source metric analytics and visualization suite. You can troubleshoot issues with the host by reviewing the service monitoring data. For information about Grafana, see Important Three hosts are required for high availability to work in Cisco DNA Center. External Network Services Displays information about external network services used by Cisco DNA Center. The information displayed includes the following: IP Address Manager Displays IP address manager configuration data. Click the Configure Settings link to configure the IP Address Manager. Cisco ISE Displays Cisco ISE configuration data. Click the Configure Settings link to configure Cisco DNA Center for integration with Cisco ISE. Tools Provides a drop-down list that helps you access the following tools: Monitoring This helps you access multiple dashboards of Cisco DNA Center components using Grafana, which is an open-source metric analytics and visualization suite. Use the Monitoring tool to review and analyze key Cisco DNA Center metrics, such as memory and CPU usage. For information about Grafana, see In a multi-host Cisco DNA Center environment, expect duplication in the Grafana data due to the multiple hosts. Log Explorer This helps you access detailed logs of Cisco DNA Center activity using Kibana, which is an open-source analytics and visualization platform designed to work with Elasticsearch. Use the Log Explorer tool to review detailed activity logs. For information about Kibana, see Workflow This helps you access Workflow Visualizer, which provides detailed graphical representations of Cisco DNA Center tasks, including Success, Failure, Pending status markings. Use the Workflow tool to determine the location of a failure in a Cisco DNA Center task. 12

19 Configure System Settings View the Services in System 360 The Monitoring and Log Explorer data accessible from the Tools drop-down list is the same as data accessible from the Hosts > Services side panel; although, the data is presented differently when accessed through the Services side panel. When troubleshooting by a specific application and known service, you may wish to view the data from the Services side panel. View the Services in System 360 The System 360 Services tab provides detailed information about the AppStacks and services running on Cisco DNA Center. You can use this tab to assist in troubleshooting issues with specific applications and/or services. For example, if you are having issues with Cisco DNA Assurance, you can open and view monitoring data and logs for the ndp AppStack and its component services. Step 1 Click and choose System Settings. The System 360 and Overview tab should display by default. If not, click System 360 > Overview. Click the Services tab. The following windows open: AppStack list appears on the left side panel (including maglev-system, fusion, and so on). A Grafana display window appears to the right of the side panel. An Appstack is defined as a loosely coupled, but closely related multi-tenant network of services and applications. A service in this environment is a horizontally scalable application that adds instances of itself when demand increases, and frees instances of itself when demand decreases. Step 4 Click the arrow (>) next to one of the displayed AppStacks. AppStack and Services links appear directly below the AppStack name. Click AppStack > Monitoring. The Grafana window at the right displays the AppStack monitoring information: CPU usage Memory usage Network usage File system usage Depending on the selected service, some of the preceding data may or may not be displayed. Step 5 Step 6 Click the arrow (>) next to Services. The list of services in that AppStack appears. Click one of the services in the list by clicking the arrow (>) next to the name. 13

20 About Cisco DNA Center and Cisco ISE Integration Configure System Settings The following links appear: Monitoring Log Explorer Step 7 Click Monitoring. Monitoring helps you access multiple dashboards of Cisco DNA Center components using Grafana, which is an open-source metric analytics and visualization suite. Use the Monitoring tool to review and analyze key Cisco DNA Center metrics, such as memory and CPU usage. For information about Grafana, see In a multi-host Cisco DNA Center environment, expect duplication in the Grafana data due to the multiple hosts. Step 8 Click Log Explorer. Log Explorer helps you access detailed logs of Cisco DNA Center activity using Kibana, which is an open-source analytics and visualization platform designed to work with Elasticsearch. Use the Log Explorer tool to review detailed activity logs. For information about Kibana, see About Cisco DNA Center and Cisco ISE Integration Cisco ISE has three different use cases with Cisco DNA Center: 1. Cisco ISE can be used as an AAA server for user, device, and client authentication. If you are not using access control policies or if you are not using Cisco ISE as an AAA server for device authentication, you do not need to install and configure Cisco ISE. 2. Access control policies use Cisco ISE to enforce access control. Before you can create and use access control policies, you need to integrate Cisco DNA Center and Cisco ISE. The process involves installing and configuring Cisco ISE with specific services and configuring Cisco ISE settings in Cisco DNA Center. For more information about installing and configuring Cisco ISE with Cisco DNA Center, see the Cisco Digital Network Architecture Center Installation Guide. 3. If your network uses Cisco ISE for user authentication, you can configure Cisco DNA Center Assurance for Cisco ISE integration. This integration allows you to see more information about wired clients, such as the username and operating system, in Cisco DNA Center Assurance. For more information, see "Cisco DNA Center Assurance and Cisco ISE Integration" in the Cisco DNA Assurance User Guide. After Cisco ISE has successfully registered and its trust established with Cisco DNA Center, Cisco DNA Center shares information with Cisco ISE. Cisco DNA Center devices that are assigned to a site that is configured with Cisco ISE as its AAA server have their inventory data propagated to Cisco ISE. Additionally, any updates on these Cisco DNA Center devices (for example, device credentials) in Cisco DNA Center also updates Cisco ISE with the changes. If a Cisco DNA Center device associated to a site with Cisco ISE as its AAA server is not propagated to Cisco ISE as expected, Cisco DNA Center automatically retries after waiting for a specific time interval. This subsequent attempt occurs when the initial Cisco DNA Center device push to Cisco ISE fails due to any networking issue, Cisco ISE downtime, or any other auto correctable errors. Cisco DNA Center attempts to establish eventual consistency with Cisco ISE by retrying to add the device or update its data to Cisco ISE. 14

21 Configure System Settings About Cisco DNA Center and Cisco ISE Integration However, a retry is not attempted if the failure to propagate the device or device data to Cisco ISE is due to a rejection from Cisco ISE itself, as a input validation error. Similarly, if you change the RADIUS shared secret for Cisco ISE, Cisco ISE updates Cisco DNA Center with the changes. However, Cisco ISE does not share existing device information with Cisco DNA Center. The only way for Cisco DNA Center to know about the devices in Cisco ISE is if the devices have the same name in Cisco DNA Center; Cisco DNA Center and Cisco ISE uniquely identify devices for this integration through the device's hostname variable. The process that propagates Cisco DNA Center inventory devices to Cisco ISE and updates the changes to it are all captured in the Cisco DNA Center audit logs. If there are any issues in the Cisco DNA Center-to-Cisco ISE workflow, view the audit logs in the Cisco DNA Center GUI for information. Cisco DNA Center integrates with the primary Administration ISE node. When you access Cisco ISE from Cisco DNA Center, you connect with this node. Cisco DNA Center polls Cisco ISE every 15 minutes. If the ISE server is down, the System 360 window ( > System Settings > System 360) shows the Cisco ISE server as red (unreachable). When the Cisco ISE server is unreachable, Cisco DNA Center increases polling to 15 seconds, then doubles the polling time to 30 seconds, 1 minute, 2 minutes, 4 minutes, and so on, until it reaches the maximum polling time of 15 minutes. Cisco DNA Center continues to poll every 15 minutes for 3 days. If Cisco DNA Center has not regained connectivity, it stops polling, and updates the Cisco ISE server status to Untrusted. If this happens, you will need to reestablish trust between Cisco DNA Center and the Cisco ISE server. Review the following additional requirements and recommendations to verify Cisco DNA Center and Cisco ISE integration: Cisco DNA Center and Cisco ISE integration is not supported over a proxy server. If you have Cisco ISE configured with a proxy server in your network, configure Cisco DNA Center such that it does not use the proxy server; it can do this by bypassing the proxy server's IP address. Cisco DNA Center and Cisco ISE integration is not currently supported through a Cisco DNA Center virtual IP address (VIP). If you are using an enterprise CA-issued certificate for Cisco DNA Center, make sure the Cisco DNA Center certificate includes the IP addresses of all interfaces on the Cisco DNA Center in the Subject Alternative Name (SAN) extension. If Cisco DNA Center is a three-node cluster, the IP addresses of all interfaces from all three nodes must be included in the SAN extension of the Cisco DNA Center certificate. Cisco DNA Center needs access to both the Cisco ISE CLI (through an Ethernet routing switch) and GUI (through an SSH connection). Because you can define only one set of Cisco ISE credentials in Cisco DNA Center, make sure these credentials are the same for both the Cisco ISE GUI and CLI user accounts. Disable password expiry for the Admin user in Cisco ISE. Alternatively, make sure that you update the password before it expires. For more information, see the Cisco Identity Services Engine Administrator Guide. 15

22 Configure Authentication and Policy Servers Configure System Settings Configure Authentication and Policy Servers Cisco DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE. Before you begin If you are using Cisco ISE to perform both policy and AAA functions, make sure that Cisco DNA Center and Cisco ISE are integrated as described in the Cisco Digital Network Architecture Center Installation Guide. If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do the following: Register Cisco DNA Center with the AAA server, including defining the shared-secret on both the AAA server and Cisco DNA Center. Define an attribute name for Cisco DNA Center on the AAA server. For a Cisco DNA Center multi-host cluster configuration, define all individual host IP addresses and the virtual IP address for the multi-host cluster on the AAA server. Step 1 From the Cisco DNA Center home page, click and then choose System Settings > Settings > Authentication and Policy Servers. Click. Configure the primary AAA server by providing the following information: Server IP Address IP address of the AAA server. Shared Secret Key for device authentications. The shared secret can be up to 128 characters in length. Step 4 To configure a AAA server (not Cisco ISE), leave the Cisco ISE Server button in the Off position and proceed to the next step. To configure a Cisco ISE server, click the Cisco ISE server button to the On position and enter information in the following fields: Cisco ISE Setting that indicates whether the server is a Cisco ISE server. Click the Cisco ISE setting to enable Cisco ISE. Username Name that is used to log in to the Cisco ISE command-line interface (CLI). This user must be a Super Admin. Password Password for the Cisco ISE CLI username. FQDN Fully qualified domain name (FQDN) of the Cisco ISE server. We recommend that you copy the FQDN that is defined in Cisco ISE (Administration > Deployment > Deployment Nodes > List) and paste it directly into this field. The FQDN that you enter must match the FQDN, Common Name (CN), or Subject Alternative Name (SAN) defined in the Cisco ISE certificate. 16

23 Configure System Settings Configure Cisco Credentials The FQDN consists of two parts, a hostname and the domain name, in the following format: hostname.domainname.com. For example, the FQDN for a Cisco ISE server might be ise.cisco.com. Subscriber Name Unique text string that identifies a pxgrid client registering for Cisco ISE pxgrid services, for example dnac. The subscriber name is used during Cisco DNA Center-to-Cisco ISE integration. SSH Key Diffie-Hellman-Group14-SHA1 SSH key used to connect and authenticate with Cisco ISE. Virtual IP Address(es) Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses. Step 5 Click View Advanced Settings and configure the settings: Protocol TACACS or RADIUS. Radius is the default. You can only choose one option. The option that is dimmed is the chosen option. To select the other option, you need to choose it and then manually deselect the other option. Step 6 Authentication Port Port used to relay authentication messages to the AAA server. The default is UDP port Accounting Port Port used to relay important events to the AAA server. The information in these events is used for security and billing purposes. The default UDP port is Retries Number of times that Cisco DNA Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 1. Timeout The length of time that device waits for the AAA server to respond before abandoning the attempt to connect. Click Add. Step 7 To add a secondary server, repeat through Step 6. Configure Cisco Credentials You can configure Cisco credentials for Cisco DNA Center. Cisco credentials are the username and password that you use to log into the Cisco website to access restricted locations as either a Cisco customer or partner. Additionally, you can also link your Cisco credentials to your Smart Account. The Cisco credentials configured for Cisco DNA Center using this procedure are used for software image and update downloads. The Cisco credentials are also encrypted by this process for security purposes. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page

24 Device Controllability Configure System Settings Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > Cisco Credentials. Enter your Cisco username and password. If your Cisco credentials are different from your Smart Account credentials, you are prompted to link your Cisco credentials to your Smart Account, click Use different credentials. For more information, see Integration with Cisco Smart Accounts, on page 61. Step 4 Step 5 Enter your Smart Account username and password. Click Reset. Device Controllability Device Controllability is a system-level process on Cisco DNA Center that enforces state synchronization for some device-layer features. Its purpose is to aid in the deployment of network settings that Cisco DNA Center needs to manage devices. Changes are made on network devices when running Discovery, when adding a device to Inventory, or when assigning a device to a site. Device Controllability is also a run-time condition. Therefore, if you change any of the settings that are under the scope of this process, Cisco DNA Center updates these settings on the network devices immediately. If a device is not configured with network settings, but its configuration is saved to the site that the device is associated with and device controllability is enabled, then Cisco DNA Center automatically tries to push the configuration to the device. This only occurs when the initial device configuration fails due to a network issue or when Cisco DNA Center is momentarily unreachable. Cisco DNA Center attempts to establish eventual consistency by retrying to configure the network settings on the device. However, an attempt to retry does not occur if the failure to push the configuration to the device is because of a programming error on Cisco DNA Center itself. When Cisco DNA Center configures or updates devices, the transactions are captured in the Cisco DNA Center audit logs. You can use the audit logs to track changes and troubleshoot issues. For more information about the Cisco DNA Center audit logs, see View Audit Logs, on page 24. The following device settings are within the scope of Device Controllability: SNMP credentials NETCONF credentials Cisco TrustSec (CTS) credentials IPDT and IPSG enablement Controller certificates SNMP trap server definitions Syslog server definitions 18

25 Configure System Settings Configure Device Controllability Netflow collector definitions Device controllability is enabled by default. If you do not want Device Controllability enabled, disable it manually. For more information, see Configure Device Controllability, on page 19. When Device Controllability is disabled, Cisco DNA Center does not configure any of the credentials or features listed above on devices while running Discovery or at run-time. Additionally, if Device Controllability is disabled and the devices are assigned to different sites and applied with new network settings, then once Device Controllability is enabled, none of these existing network settings are pushed to the devices. At the time of the network settings creation on the site, if Device Controllability is enabled then the associated devices are configured accordingly. The following circumstances dictate whether or not Device Controllability configures network settings on devices: Device Discovery If SNMP and NETCONF credentials are not already present on a device, these settings are configured during the Discovery process. Device in Inventory After a successful initial inventory collection, IPDT, IPSG, and controller certificates are configured on devices. Device in Global Site When you successfully add, import, or discover a device, Cisco DNA Center places the device in the Managed state and assigns it to the Global site by default. Even if you have defined SNMP server, Syslog server, and NetFlow collector settings for the Global site, Cisco DNA Center does not change these settings on the device. Device Moved to Site If you move a device from the Global site to a new site that has SNMP server, Syslog server, and NetFlow collector settings configured, Cisco DNA Center changes these settings on the device to the settings configured for the new site. Device Removed from Site If you remove a device from a site, Cisco DNA Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device. Device Deleted from Cisco DNA Center If you delete a device from Cisco DNA Center, then Cisco DNA Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device. Device Moved from Site to Site If you move a device, for example, from Site A to Site B, Cisco DNA Center replaces the SNMP server, Syslog server, and NetFlow collector settings on the device, with the settings assigned to Site B. Configure Device Controllability Device Controllability is enabled by default. If you do not want Device Controllability enabled, disable it manually. For more information, see Device Controllability, on page 18. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > Device Controllability. 19

26 Integrity Verification Configure System Settings Click Enable Device Control. Integrity Verification Integrity Verification (IV) monitors key device data for unexpected changes or invalid values that indicate possible compromise, if any, of the device. The objective is to minimize the impact of a compromise by substantially reducing the time-to-detect unauthorized changes to a Cisco device. For this release, IV runs integrity verification checks on software images that are uploaded into Cisco DNA Center. In order to run these checks, the IV service needs the Known Good Value or KGV file to be uploaded. For information on how to upload the KGV file, see Upload the KGV File, on page 20. Upload the KGV File In order to provide security integrity, Cisco devices must be verified as running authentic and valid software. Currently, Cisco devices have no point of reference to determine whether they are running authentic Cisco software. IV uses a system to compare the collected image integrity data with KGV for Cisco software. Cisco produces and publishes a KGV data file that contains KGVs for many of its products. This KGV file is in standard JSON format, is signed by Cisco, and is bundled with other files into a single KGV file that can be retrieved from the Cisco website. The KGV file is posted at: The KGV file will be automatically downloaded to your system every 7 days. You can still download it manually to your local system and then upload to Cisco DNA Center. For example, if the new KGV file is available on a Friday and the auto download is every 7 days (on a Monday), you can click to download it manually. The KGV file is uploaded into IV and used to verify integrity measurements obtained from the network devices. Device integrity measurements are made available to and used entirely within the IV. Connectivity between IV and Cisco.com is not required. The KGV file can be air-gap transferred into a protected environment and loaded into the IV. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page

27 Configure System Settings Upload the KGV File Step 1 From the Cisco DNA Center home page, click the gear icon ( ), and choose System Settings > Settings > Integrity Verification. Review the current KGV file information: File Name Name of KGV tar file Uploaded by Cisco DNA Center user who uploaded the KGV file Uploaded time Time at which the KGV file was uploaded to Cisco DNA Center Uploaded mode Local or remote upload mode Records (processed) Records processed File Hash File hash for KGV file Published Publication date of KGV file Step 4 Step 5 Step 6 Step 7 Step 8 To update the KGV file, perform one of the following steps: Click Upload New from Local to upload a KGV file locally. Click Upload Latest from Cisco to upload a KGV file from Cisco.com. The Upload Latest from Cisco option does not require a firewall setup. However, if a firewall is already set up, only connections to must be open. If you clicked Upload Latest from Cisco, a connection is made to Cisco.com and the latest KGV file is automatically uploaded to Cisco DNA Center. A secure connection to is made using the certificates added to Cisco DNA Center and its proxy (if one was configured during the first-time setup). If you clicked Upload New from Local, the Upload KGV window appears. Perform one of the following procedures to import locally: Drag and drop a local KGV file into the Upload KGV field. Click Click here to select a KGV file from your computer to select a KGV file from a folder on your computer. Click the Latest KGV file link and download the latest KGV file before dragging and dropping it into the Upload KGV field. Click Upload. The KGV file is then uploaded into the Cisco DNA Center. After the upload is finished, verify the current KGV file information in the UI to ensure that it has been updated. What to do next After uploading the latest KGV file, choose Design > Image Repository to view the integrity of the imported images. 21

28 Configure an IP Address Manager Configure System Settings The effect of uploading a KGV file can be seen in the Image Repository window, if the images that are already imported have an -Unable to verify- status (physical or virtual). Additionally, future image imports, if any, will also refer to the newly uploaded KGV for verification. Configure an IP Address Manager You can configure Cisco DNA Center to communicate with an external IP address manager. When you use Cisco DNA Center to create, reserve, or delete any IP address pool, Cisco DNA Center conveys this information to your external IP address manager. Similarly, if you use an external IP address manager to create, reserve, or delete any IP address pool, that information is communicated to Cisco DNA Center. This way, Cisco DNA Center and the external IP address manager remain in synch and no conflicting IP address pools are created. Before you begin You should have an external IP address manager already set up and functional. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > IP Address Manager. In the IP Address Manager section, enter the required information in the following fields: Server Name Name of server. Server URL IP address of server. Username Required username for server access. Password Required password for server access. Provider Choose a provider from the drop-down list. If you choose BlueCat as your provider, ensure that your user has been granted API access in the BlueCat Address Manager. See your BlueCat documentation for information about configuring API access for your user or users. View Choose a view from the drop-down list. If you only have one view configured, only default appears in the drop-down list. Click Apply to apply and save your settings. What to do next Click the System 360 tab and verify the information to ensure that your external IP address manager configuration was successful. 22

29 Configure System Settings Configure Debugging Logs Configure Debugging Logs To assist in troubleshooting service issues, you can change the logging level for the Cisco DNA Center services by using the Debugging Logs window in the GUI. A logging level determines the amount of data that is captured in the log files. Each logging level is cumulative, that is, each level contains all the data generated by the specified level and higher levels, if any. For example, setting the logging level to Info also captures Warn and Error logs. We recommend that you adjust the logging level to assist in troubleshooting issues by capturing more data. For example, by adjusting the logging level, you can capture more data to review in a root cause analysis or RCA support file. The default logging level for services is informational (Info). You can change the logging level from informational (Info) to a different logging level (Debug or Trace) to capture more information. Caution Due to the type of information that might be disclosed, logs collected at the Debug level or higher should have restricted access. The log files are created and stored in a centralized location on your Cisco DNA Center host. From this location, the Cisco DNA Center can query and display them in the GUI. The total compressed size of the log files is 2 GB. If the log files that are created are in excess of 2 GB, the pre-existing log files are overwritten with the newer log files. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Step 1 From the Cisco DNA Center home page, click the gear icon ( ), and choose System Settings > Settings > Debugging Logs. The Debugging Logs window containing the following fields is displayed: Services Logging Level Timeout In the Debugging Logs window, choose a service from the Services drop-down list to adjust its logging level. The Services drop-down list displays the services that are currently configured and running on the Cisco DNA Center. In the Debugging Logs window, choose the new logging level for the service from the Logging Level drop-down list. The following logging levels are supported on the Cisco DNA Center; they are listed below in descending order of detail: Trace Trace messages 23

30 Configure the Network Resync Interval Configure System Settings Debug Debugging messages Info Normal, but significant condition messages Warn Warning condition messages Error Error condition messages Step 4 Step 5 In the Debugging Logs window, choose the time period for the logging level from the Timeout field for logging-level adjustment. Configure logging-level time periods in increments of 15 minutes up to an unlimited time period. If an unlimited time period is configured, the default level of logging should be reset each time a troubleshooting activity is completed. Review your selection and click Apply. To cancel your selection, click Cancel. The logging level for the specified service is set. Configure the Network Resync Interval You can update the polling interval at the global level for all devices by choosing Settings > Network Resync Interval, or, at the device level for a specific device by choosing Device Inventory. When you set the polling interval using the Network Resync Interval, that value takes precedence over the Device Inventory polling interval value. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Make sure that you have devices in your inventory. If not, discover devices using the Discovery function. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > Network Resync Interval. Step 4 In the Polling Interval field, enter a new time value (in minutes). Click Yes Override for all devices to override the existing configured polling interval for all devices. Click Save to apply and save your new settings. View Audit Logs Audit logs capture information about the various applications running on Cisco DNA Center. Additionally, audit logs also capture information about device PKI notifications. The information in these audit logs can 24

31 Configure System Settings View Audit Logs be used to assist in troubleshooting issues, if any, involving the applications or the device public key infrastructure (PKI) certificates. You can view audit logs using the Audit Logs window in the GUI. The Cisco DNA Center also supports the export of audit logs to a local system. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and choose Audit Logs. The Audit Logs window appears. In the Audit Logs window, you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Cisco DNA Center. The following information is displayed for each policy: Description Application or policy audit log description Site Name of the site for the specific audit log Device Device or devices for the audit log Requestor User requesting an audit log Source Source of an audit log Created On Date on which the application or policy audit log was created. Click the plus icon (+) next to an audit log to view the corresponding child audit logs. Each audit log can be a parent to several child audit logs. By clicking this plus icon, you can view a series of additional child audit logs. An audit log captures data about a task performed by the Cisco DNA Center. Child audit logs are subtasks to a task performed by the Cisco DNA Center. Filter the audit logs by clicking the Filter icon, entering a specific parameter, and then clicking Apply. You can filter audit logs by using the following parameters: Description Site Device Requestor Source Start Date End Date Step 4 Step 5 (Optional) Click the dual arrow icon to refresh the data displayed in the window. The data displayed in the window is refreshed with the latest audit log data. (Optional) Click the download icon to download a local copy of the audit log in.csv file format. 25

32 Configure the Proxy Configure System Settings A.csv file containing audit log data is downloaded locally to your system. You can use the.csv file for additional review of the audit log or archive it as a record of activity on the Cisco DNA Center. What to do next Proceed to review additional log files, if any, using the Cisco DNA Center's GUI, or download individual audit logs as.csv files for further review or archiving purposes. Configure the Proxy If Cisco DNA Center has a proxy server configured as an intermediary between itself and the network devices it manages and/or the Cisco cloud from which it downloads software updates, then you need to configure access to the proxy server(s). You configure access using the Proxy Config window in the Cisco DNA Center GUI. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Step 1 From the Cisco DNA Center home page, click the gear icon ( ), and then choose System Settings > Settings > Proxy Config. Enter the proxy server's URL address. Enter the proxy server's port number. For HTTP, the port number is usually 80. Step 4 Step 5 Step 6 (Optional) If the proxy server requires authentication, then enter the username and password for access to the proxy server. Check the Validate Settings box to have Cisco DNA Center validate your proxy configuration settings when applying them. Review your selection and click Apply. To cancel your selection, click Reset. To delete an existing proxy configuration, click Delete. After configuring the proxy, you are able to view the configuration in the Proxy Config window. Configure Security for Cisco DNA Center Cisco DNA Center provides many security features for itself, as well as for the hosts and network devices that it monitors and manages. We strongly suggest that the following security recommendations be followed: Deploy Cisco DNA Center behind a firewall that does not expose the management ports to an untrusted network, such as the Internet. 26

33 Configure System Settings Enable TLS and RC4-SHA Enable RC4-SHA (only if TLS 1.0 is being used) for the Cisco DNA Center HTTPS servers. Both TLS and RC4-SHA are disabled by default. Enable these security features using the CLI. For additional information about this procedure, see Enable TLS and RC4-SHA, on page 27. Configure a proxy gateway between Cisco DNA Center and the network devices it monitors and manages. For additional information about this procedure, see Configure Proxy Certificate, on page 28. Replace the self-signed server certificate from Cisco DNA Center with one signed by a well-known Certificate Authority. For additional information about this procedure, see Certificate and Private Key Support, on page 29. When using the Cisco DNA Center discovery functionality, use SNMPv3 with authentication and privacy enabled for the network devices. For additional information about this procedure, refer to the SNMP configuration procedures in the Cisco Digital Network Architecture Center User Guide. Enable TLS and RC4-SHA Northbound REST API requests from the external network to the Cisco DNA Center (from northbound REST API- based apps, browsers, and network devices connecting to the Cisco DNA Center using HTTPS) are made secure using the Transport Layer Security protocol (TLS). RH4-SHA is a stream cipher that is also used to secure the Cisco DNA Center. Enable TLS and RC4-SHA for the Cisco DNA Center by logging into the appliance and using the CLI. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. You must have Maglev SSH access privileges to perform this procedure. Important This security feature applies to port 443 on the Cisco DNA Center. Performing this procedure may disable traffic on the port to the Cisco DNA Center infrastructure for a few seconds. For this reason, you should configure TLS infrequently and only during off-peak hours or during a maintenance period. Step 1 Using a Secure Shell (SSH) client, log into the Cisco DNA Center appliance with the IP address that you specified using the configuration wizard. The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network. When prompted, enter your username and password for SSH access. Enter the following command to enable TLS on the cluster: $ magctl service tls_version --tls-v1=enable kong Enabling TLSv1 is recommended only for legacy devices Do you want to continue? [y/n]: y deployment "kong" patched 27

34 Configure Proxy Certificate Configure System Settings Step 4 Enter the following command to enable RC4 on the cluster: $ magctl service ciphers --ciphers-rc4=enable kong Enabling RC4-SHA cipher will have security risk Do you want to continue? [y/n]:y deployment "kong" patched Step 5 Enter the following command at the prompt to confirm that TLS and RC4-SHA are configured: $ magctl service display kong containers: - env: - name: TLS_V1 value: enabled - name: RC4_CIPHERS value: enable If RC4 and TLS_V1 are set respectively, they will be listed in the env: of the magctl service display kong command. If these values are not set, they will not appear in the env:. Step 6 Log out of the Cisco DNA Center appliance. Configure Proxy Certificate In some network configurations, proxy gateways might exist between Cisco DNA Center and the remote network it manages (containing various network devices). Common ports, such as 80 and 443, pass through the gateway proxy in the DMZ, and for this reason, SSL sessions from the network devices meant for the Cisco DNA Center terminate at the proxy gateway. Therefore, the network devices located within these remote networks can only communicate with the Cisco DNA Center through the proxy gateway. For the network devices to establish secure and trusted connections with the Cisco DNA Center, or, if present, a proxy gateway, the network devices should have their PKI trust stores appropriately provisioned with the relevant CA root certificates or the server s own certificate under certain circumstances. In network topologies where a proxy gateway is present between Cisco DNA Center and the remote network it manages, perform the procedure described below to import a proxy gateway certificate into Cisco DNA Center. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Additionally, in your network, an HTTP proxy gateway exists between Cisco DNA Center and the remote network it manages (containing various network devices). These network devices use the proxy gateway's IP address to reach Cisco DNA Center and its services. You should have the certificate file that is currently being used by the proxy gateway. The certificate file contents should consist of any of the following: The proxy gateway s certificate in PEM or DER format, with the certificate being self-signed. 28

35 Configure System Settings Certificate and Private Key Support The proxy gateway s certificate in PEM or DER format, with the certificate being issued by a valid, well-known CA. The proxy gateway's certificate and its chain in PEM or DER format. The certificate used by the devices and the proxy gateway must be imported into the Cisco DNA Center by following this procedure. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > Proxy Certificate. In the Proxy Certificate window, view the current proxy gateway certificate data (if it exists). The Expiration Date and Time is displayed as a Greenwich Mean Time (GMT) value. A system notification will appear in the Cisco DNA Center's GUI 2 months before the date and time at which the certificate expires. Step 4 Step 5 To add a proxy gateway certificate, drag and drop the self-signed or CA certificate into the Drag n' Drop a File Here area. Click Save. Only PEM or DER files (public-key cryptography standard file formats) can be imported into the Cisco DNA Center using this area. Additionally, private keys are neither required nor uploaded into the Cisco DNA Center for this procedure. Refresh the Proxy Certificate window to view the updated proxy gateway certificate data. The information displayed in the Proxy Certificate window should have changed to reflect the new certificate name, issuer, and certificate authority. Certificate and Private Key Support Cisco DNA Center supports a PKI Certificate Management feature that is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called certificate authorities (CAs). The Cisco DNA Center uses the PKI Certificate Management feature to import, store, and manage an X.509 certificate from well-known CAs. The imported certificate becomes an identity certificate for the Cisco DNA Center, and the Cisco DNA Center presents this certificate to its clients for authentication. The clients are the NB API applications and network devices. The Cisco DNA Center can import the following files (in either PEM or PKCS file format) using the Cisco DNA Center's GUI: X.509 certificate Private key For the private key, Cisco DNA Center supports the import of RSA keys. You should not import DSA, DH, ECDH, and ECDSA key types; since they are not supported. You should also keep the private key secure in your own key management system. 29

36 Certificate Chain Support Configure System Settings Prior to import, you must obtain a valid X.509 certificate and private key from a well-known CA or create your own self-signed certificate. After import, the security functionality based upon the X.509 certificate and private key is automatically activated. The Cisco DNA Center presents the certificate to any device or application that requests them. Both the northbound API applications and network devices can use these credentials to establish a trust relationship with the Cisco DNA Center. We recommend that you do not use and import a self-signed certificate into the Cisco DNA Center. We recommend that you import a valid X.509 certificate from a well-known CA. Additionally, you must replace the self-signed certificate (installed in the Cisco DNA Center by default) with a certificate that is signed by a well-known CA for the Network PnP functionality to work properly. The Cisco DNA Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values. If the external IP address changes for your Cisco DNA Center for any reason, reimport a new certificate with the changed or new IP address. Certificate Chain Support Cisco DNA Center is able to import certificates and private keys through its GUI. If there are subordinate certificates involved in a certificate chain leading to the certificate that is to be imported into Cisco DNA Center (signed certificate), then both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification. The certificates listed below should be pasted together into a single PEM file. Review the certificate subject name and issuer to ensure that the correct certificates are being imported and proper order is maintained. Ensure that all of the certificates in the chain are pasted together. Signed Cisco DNA Center Certificate: Its Subject field includes CN=<name or IP address of Cisco DNA Center>, and that the Issuer has the CN of the issuing authority. Issuing (Subordinate) CA Certificate that issues the Cisco DNA Center certificate: Its Subject field has CN of the (Subordinate) CA that issues the Cisco DNA Center certificate, and that the Issuer is that of the root CA. Next Issuing (Root/Subordinate CA) Certificate that issues the Subordinate CA certificate Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, then you need to append the next issuer and so on. The PEM file should have multiple certificates, as shown in the example below: -----BEGIN CERTIFICATE----- MIIDxzCCAq+gAwIBAgIUKRRFiJcFgjV0KDE5iRQYADJyUnMwDQYJKoZIhvcNAQEL : HZSwUQaYJWXMwbW8X5VA93tLUPDgT2xFYpGmJU4zNgjEZ7LLsojQSkZaWcss+BL/ d8s7y1eqe58ojjo= -----END CERTIFICATE BEGIN CERTIFICATE

37 Configure System Settings Configure a Certificate Configure a Certificate MIIDrzCCApegAwIBAgIGCEkx9EqbMA0GCSqGSIb3DQEBCwUAMIGIMS0wKwYDVQQD : MwazjpSIRVMezXIUn7PXwm6BnUX2TSCDAevrCLovwpewnwA= -----END CERTIFICATE----- The Cisco DNA Center supports the import and storing of an X.509 certificate and private key into the Cisco DNA Center. After import, the certificate and private key can be used to create a secure and trusted environment between the Cisco DNA Center, NB API applications, and network devices. You can import a certificate and private key using the Certificate window in the GUI. Important The Cisco DNA Center does not interact with any external CA directly; therefore, it does not check any Certificate Revocation Lists and does not know its server certificate has been revoked by an external CA., also, that the Cisco DNA Center does not automatically update its server certificate. Replacement of an expired or revoked server certificate requires explicit action on the part of a SUPER-ADMIN-ROLE user. Although the Cisco DNA Center has no direct means of discovering the revocation of its server certificate by an external CA, it does notify the admin about the expiry of its server certificate as well as about the self-signed key being operational. Before you begin You must have an X.509 certificate and private key from a well-known CA for importing. Step 1 From the Cisco DNA Center home page, click and choose System Settings > Settings > Certificate. In the Certificate window, view the current certificate data. When you first view this window, the current certificate data that is displayed is the Cisco DNA Center's self-signed certificate. The self-signed certificate's expiry is set for several years in the future. The Expiration Date and Time is displayed as a Greenwich Mean Time (GMT) value. A system notification will appear in the Cisco DNA Center's GUI 2 months before the expiration date and time of the certificate. The additional displayed fields in the Certificate window include: Current Certificate Name Name of the current certificate. Issuer Name of the entity that has signed and issued the certificate. Certificate Authority Either self-signed or name of the CA. Expires On Expiry date of the certificate. To replace the current certificate, click the Replace Certificate button. The following new fields appear: Certificate Fields to enter certificate data Private Key Fields to enter private key data Step 4 In the Certificate field, choose the file format type for the certificate that you are importing into Cisco DNA Center: 31

38 Certificate Management Configure System Settings PEM Privacy-enhanced mail file format PKCS Public-key cryptography standard file format Step 5 If you choose PEM, perform the following tasks: For the Certificate field, import the PEM file by dragging and dropping this file into the Drag n' Drop a File Here field. A PEM file must have a valid PEM format extension (.pem,.cert,.crt). The maximum file size for the certificate is 10 KB. For the Private Key field, import the private key by dragging and dropping this file into the Drag n' Drop a File Here field. Choose the encryption option from the Encrypted drop-down list for the private key. If you chose encryption, enter the passphrase for the private key in the Passphrase field. Private keys must have a valid private key format extension (.pem or.key). Step 6 If you choose PKCS, perform the following tasks: For the Certificate field, import the PKCS file by dragging and dropping this file into the Drag n' Drop a File Here field. A PKCS file must have a valid PKCS format extension (.pfx,.p12). The maximum file size for the certificate is 10 KB. For the Certificate field, enter the passphrase for the certificate using the Passphrase field. For PKCS, the imported certificate also requires a passphrase. For the Private Key field, choose the encryption option for the private key using the drop-down list. For the Private Key field, if encryption is chosen, enter the passphrase for the private key in the Passphrase field. Step 7 Step 8 Click the Upload/Activate button. Return to the Certificate window to view the updated certificate data. The information displayed in the Certificate window should have changed to reflect the new certificate name, issuer, and certificate authority. Certificate Management Configure Device Certificate Lifetime Cisco DNA Center enables users to change the certificate lifetime of network devices that are managed and monitored by the private (internal) Cisco DNA Center's CA. The Cisco DNA Center's default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the Cisco DNA Center's GUI, network devices that subsequently request a certificate from the Cisco DNA Center are assigned this lifetime value. 32

39 Configure System Settings Change the Role of the PKI Certificate from Root to Subordinate The device certificate lifetime value cannot exceed the CA certificate lifetime value. Additionally, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device will get a certificate lifetime value equal to the remaining CA certificate lifetime. You can change the device certificate lifetime using the PKI Certificate Management window in the GUI. Step 1 From the Cisco DNA Center home page, click and choose System Settings > Settings > PKI Certificate Management. Click the Device Certificate tab. Review the device certificate and the current device certificate lifetime. Step 4 In the Device Certificate Lifetime field, enter a new value, in days. Step 5 Click the Apply button. Step 6 (Optional) Refresh the PKI Certificate Management window to confirm the new device certificate lifetime value. Change the Role of the PKI Certificate from Root to Subordinate Cisco DNA Center permits users to change the role of the Device PKI CA from a root CA to a subordinate CA. When changing the private Cisco DNA Center's CA from a root CA to a subordinate CA, note the following: If you intend to have the Cisco DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept the Cisco DNA Center as a subordinate CA. As long as the subordinate CA is not fully configured, the Cisco DNA Center will continue to operate as an internal root CA. You will have to generate a Certificate Signing Request (CSR) file for the Cisco DNA Center (as described in this procedure) and have it manually signed by your external root CA. The Cisco DNA Center will continue to run as an internal root CA during this time period. After the CSR is signed by the external root CA, this signed file must be imported back into the Cisco DNA Center using the GUI (as described below, in this procedure). After the import, the Cisco DNA Center will initialize itself as the subordinate CA and provide all the existing functionalities of a subordinate CA. The switchover from internal root CA to subordinate CA used by managed devices is not automatically supported; therefore, it is assumed that no devices have been configured with the internal root CA as yet. In case any devices are configured, it is the responsibility of the network administrator to manually revoke the existing device ID certificates before switching to the subordinate CA. 33

40 Change the Role of the PKI Certificate from Root to Subordinate Configure System Settings The subordinate CA certificate lifetime, as displayed in the GUI, is just read from the certificate; it is not computed against the system time. So, if you install a certificate with a lifespan of 1 year today and look at it in the GUI next July, the GUI will still show that the certificate has a 1-year lifetime. The subordinate CA certificate must be in PEM or DER format only. The subordinate CA does not interact with the higher CAs; therefore, it will not be aware of a revocation, if any, of the certificates at a higher level. Due to this, any information about certificate revocation will also not be communicated from the subordinate CA to the network devices. Since the subordinate CA does not have this information, all the network devices will only use the subordinate CA as the CDP source. You can change the role of the private (internal) Cisco DNA Center's CA from a root CA to a subordinate CA using the PKI Certificate Management window in the GUI. Before you begin You must have a copy of the root CA certificate to which you will subordinate the private (internal) Cisco DNA Center's PKI certificate. Step 1 From the Cisco DNA Center home page, click and choose System Settings > Settings > PKI Certificate Management. Click the CA Management tab. Review the existing root or subordinate CA certificate configuration information from the GUI: Root CA Certificate Displays current root CA certificate (either external or internal). Root CA Certificate Lifetime Displays the current lifetime value of the current root CA certificate, in days. Current CA Mode Displays the current CA mode (root CA or subordinate CA). Change to Sub CA mode Enables change from a root CA to subordinate CA. Step 4 Step 5 Step 6 In the CA Management tab, for Change to Sub CA mode click Yes. In the CA Management tab, click Next. Review the Root CA to Sub CA warnings that appear: Changing from root CA to subordinate CA is a process that cannot be reversed. You must ensure that no network devices have been enrolled or issued a certificate in root CA mode. Any network devices accidentally enrolled in root CA mode must be revoked before changing from root CA to subordinate CA. Network devices must come online only after this subordinate CA configuration process is finished. Step 7 Step 8 Click OK to proceed. The PKI Certificate Management window changes and displays an Import External Root CA Certificate field. Drag and drop your root CA certificate into the Import External Root CA Certificate field and click Upload. The root CA certificate will then be uploaded into the Cisco DNA Center and used to generate a Certificate Signing Request (CSR). When the upload process is finished a Certificate Uploaded Successfully message appears. 34

41 Configure System Settings Provision a Rollover SubCA Certificate Step 9 Step 10 After the upload process is finished and the success message appears, click Next to proceed. The Cisco DNA Center generates and displays the CSR. View the Cisco DNA Center-generated Certificate Signing Request (CSR) in the GUI and perform one of the following actions: Click the Download link to download a local copy of the CSR file. You can then attach this CSR file to an to send to your root CA. Click the Copy to the Clipboard link to copy the CSR file's content. You can then paste this CSR content to an or include it as an attachment to an and send to your root CA. Step 11 Step 12 Step 13 Step 14 Step 15 Step 16 Step 17 Send the CSR file to your root CA. You must send the CSR file to your root CA. Your root CA will then return a subordinate CA file that you must import back into the Cisco DNA Center. After receiving the subordinate CA file from your root CA, access the Cisco DNA Center's GUI again and return to the PKI Certificate Management window. Click the CA Management tab. Click Yes for the Change CA mode button in the CA Management tab. After clicking Yes, the GUI view with the CSR is displayed. Click Next in the GUI view with the CSR being displayed. The PKI Certificate Management window changes and displays an Import Sub CA Certificate field. Drag and drop your subordinate CA certificate into the Import Sub CA Certificate field and click Apply. The subordinate CA certificate will then be uploaded into the Cisco DNA Center. After the upload finishes, the GUI window displays the subordinate CA mode in the CA Management tab. Review the fields in the CA Management tab: Sub CA Certificate Displays current subordinate CA certificate. External Root CA Certificate Displays Root CA certificate. Sub CA Certificate Lifetime Displays the lifetime value of the subordinate CA certificate, in days. Current CA Mode Displays SubCA mode. Provision a Rollover SubCA Certificate Cisco DNA Center permits the user to apply a subordinate certificate as a rollover sub CA when 70 percent of the existing subordinate CA's lifetime has elapsed. 35

42 Provision a Rollover SubCA Certificate Configure System Settings Before you begin To initiate subordinate CA rollover provisioning, you must have already changed the PKI certificate role to subordinate CA mode. For details on how to change to subordinate CA mode, see Change the Role of the PKI Certificate from Root to Subordinate, on page 33. Seventy percent or more of the lifetime of the current subordinate CA certificate must have expired. Cisco DNA Center indicates when this has happened by displaying a Renew button on the CA Management tab. You must have a signed copy of the rollover subordinate CA PKI certificate. Step 1 From the Cisco DNA Center home page, click and then choose System Settings > Settings > PKI Certificate Management. Click the CA Management tab. Review the CA certificate configuration information from the GUI. Sub CA Certificate External Root CA Certificate Sub CA Certificate Lifetime Current CA Mode Displays the current subordinate CA certificate. Displays the Root CA certificate. Displays the lifetime value of the current subordinate CA certificate in days. Displays SubCA mode. Step 4 Step 5 Click Renew. The Cisco DNA Center will then use the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request (CSR). View the generated CSR in the GUI and perform one of the following actions: Click the Download link to download a local copy of the CSR file. You can then attach this CSR file to an to send to your root CA. Click the Copy to the Clipboard link to copy the CSR file's content. You can then paste this CSR content to an or attachment to an and send to your root CA. Step 6 Step 7 Step 8 Step 9 Step 10 Send the CSR file to your root CA. You must send the CSR file to your root CA. Your root CA will then return to you a rollover subordinate CA file that you must import back into the Cisco DNA Center. The CSR for the SubCA rollover must be signed by the same rootca who signed the SubCA you imported when you switched from RootCA to SubCA mode. After receiving the rollover subordinate CA file from your root CA, return to the PKI Certificate Management window. Click the CA Management tab. Click Next in the GUI view with the CSR being displayed. The PKI Certificate Management window changes and displays an Import Sub CA Certificate field. Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Apply. 36

43 Configure System Settings Configure Trustpool The rollover subordinate CA certificate will then be uploaded into the Cisco DNA Center. After the upload finishes, the GUI window changes to disable the Renew button in the CA Management tab. Configure Trustpool Cisco DNA Center contains a pre-installed Cisco trustpool bundle (Cisco Trusted External Root Bundle). Cisco DNA Center also supports the import and storage of an updated trustpool bundle from Cisco. The trustpool bundle is used by supported Cisco networking devices to establish a trust relationship with the Cisco DNA Center and its applications. The Cisco trustpool bundle is a file called ios.p7b that only supported Cisco devices can unbundle and use. This ios.p7b file contains root certificates of valid certificate authorities including Cisco itself. This Cisco trustpool bundle is available on the Cisco cloud (Cisco InfoSec). The link is located at: security/pki/ The trustpool bundle provides you with a safe and convenient way to use the same CA to manage all your network device certificates, as well as your Cisco DNA Center certificate. The trustpool bundle is used by the Cisco DNA Center to validate its own certificate as well as a proxy gateway certificate (if any), to determine whether it is valid CA signed certificate or not. Additionally, the trustpool bundle is available to be uploaded to the Network PnP enabled devices at the beginning of their PnP workflow so that they can trust the Cisco DNA Center for subsequent HTTPS-based connections. You import the Cisco trust bundle using the Trustpool window in the GUI. Step 1 From the Cisco DNA Center home page, click and then choose System Settings > Settings > Trustpool. In the Trustpool window, view the Update button. The Update button in the Cisco DNA Center's Trustpool window becomes active when an updated version of ios.p7b file is available and Internet access is available. The Update button remains inactive if there is no Internet access or if there is no updated version of the ios.p7b file. Click the Update button to initiate a new download and install of the trustpool bundle. After the new trustpool bundle is downloaded and installed on the Cisco DNA Center, the Cisco DNA Center then makes this trustpool bundle available to the supported Cisco devices to download. Configure SFTP Server You can configure Cisco DNA Center to upload files needed for an image upgrade (SWIM) to a remote SFTP server. You configure Cisco DNA Center using the SFTP GUI window. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > SFTP. 37

44 Configure SNMP Properties Configure System Settings Configure the SFTP settings as follows: Host IP address of the SFTP server. Username Name that is used to log into the SFTP server. Password Password that is used to log into the SFTP server. Port Port that is used to log into the SFTP server. Root Location Enter the location of the SFTP root directory. Step 4 Click Apply. Review the new SFTP settings in the SFTP window. Configure SNMP Properties You can configure retry and timeout values for SNMP. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > SNMP Properties. Configure the following fields: Table 2: SNMP Properties Field Retries Timeout (in Seconds) Description Number of attempts allowed to connect to the device. Valid values are from 1 to 3. The default is 3. Number of seconds Cisco DNA Center waits for when trying to establish a connection with a device before timing out. Valid values are from 1 to 300 seconds in intervals of 5 seconds. The default is 5 seconds. Click Apply. To return to the default settings, click Revert to Defaults. 38

45 Configure System Settings About Telemetry Collection About Telemetry Collection Cisco DNA Center collects information about user's experience with Cisco DNA Center and securely transfers it to the Cisco Clean Access Agent (CAA) infrastructure at Cisco. This information is collected for the following reasons: To proactively identify issues, if any, with Cisco DNA Center. To better understand the Cisco DNA Center features that are most frequently used. To improve and enhance the overall user experience. Telemetry collection is enabled by default, but you can disable it if you want to opt out. Configure Telemetry Collection Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > Telemetry Collection. Telemetry collection is enabled by default. (Optional) To review the agreement for telemetry collection, click End User License Agreement. (Optional) To disable telemetry collection, uncheck the Telemetry Collection check box and click Update. Configure vmanage Properties Cisco DNA Center supports Cisco's vedge deployment by using integrated vmanage setups. You can save the vmanage details from the Settings page before provisioning any vedge topologies. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > vmanage Properties. Configure the vmanage Properties: Host Name/IP Address: IP address of vmanage. User ID: Name that is used to log in to vmanage. Password: Password that is used to log in to vmanage. Port Number: Port that is used to log in to vmanage. vbond Host Name/IP Address: IP address of vbond. Organization Name: Name of the organization. To upload the vmanage certificate, click Choose file. 39

46 Configure vmanage Properties Configure System Settings Step 4 Click Apply. 40

47 CHAPTER 4 Manage High Availability Multi-Host Configurations for High Availability, on page 41 Multi-Host Deployment Overview, on page 42 Clustering and Database Replication, on page 42 Security Replication, on page 42 Multi-Host Synchronization, on page 43 Multi-Host Upgrade, on page 43 Split Brain and Network Partition, on page 43 Recover Failed Hosts in a Cluster, on page 44 Multi-Host Configurations for High Availability Cisco DNA Center supports a single host or three host cluster configuration. Cisco DNA Center does not support a cluster with more than three hosts. For example, a multi-host cluster with five or seven hosts is not currently supported. The three host cluster provides both software and hardware high availability. The single host cluster only provides software high availability; it does not provide hardware high availability. For this reason, we strongly recommend that for a multi-host configuration three hosts be used. A hardware failure occurs when the appliance itself malfunctions or fails. A software failure occurs when a service on a host fails. Software high availability involves the ability of the services on the host or hosts to be restarted and respun. For example, on a single host, if a service fails then that service is respun on that host. In a three host cluster, if a service fails on one host, then that service is either re-spun on that one host or on one of the other two remaining hosts. When setting up a three host cluster, you should never set up the hosts to span a LAN across slow links. This may impact the recovery time if a service fails on one of the hosts. Additionally, when configuring a three host cluster, all of the hosts in that cluster must reside in the same subnet. Failure tolerance for a three host cluster is designed to handle single host failure. In other words, Cisco DNA Center tries to provide high availability across specific services even if a single host fails. If two hosts fail near-simultaneously, data loss may occur and is not a supported scenario. 41

48 Multi-Host Deployment Overview Manage High Availability Multi-Host Deployment Overview Deploying Cisco DNA Center in multi-host mode for High Availability involves the following procedures: 1. Configure Cisco DNA Center as a single host on the appliance using the Cisco DNA Center single host configuration wizard. For information about this procedure, see the Cisco Digital Network Architecture Center Installation Guide. 2. Configure Cisco DNA Center using the Cisco DNA Center second host configuration wizard with changes required for the second cluster in the configuration. For information about this procedure, see the Cisco Digital Network Architecture Center Installation Guide. 3. Configure Cisco DNA Center using the Cisco DNA Center third host configuration wizard with changes required for third cluster in the configuration. For information about this procedure, see the Cisco Digital Network Architecture Center Installation Guide. 4. Enable high availability for Cisco DNA Center. In the Systems 360 Overview tab, click on Enable Service Distribution. After you click Enable Service Distribution using the GUI, Cisco DNA Center enters into maintenance mode. In maintenance mode, Cisco DNA Center will be unavailable until the process completes. You should take this into account when scheduling a high availability deployment. Cisco DNA Center goes into maintenance mode when you restore the database, perform a system upgrade (not a package upgrade), and enable a service redistribution to support high availability in System Settings > System 360 > Overview (as described above). To enable external authentication with a AAA server in a multi-host environment, you must configure all individual Cisco DNA Center host IP addresses and the Virtual IP address for the multi-host cluster on the AAA server. Clustering and Database Replication Security Replication Cisco DNA Center provides a mechanism for distributing processing and database replication among multiple hosts. Clustering provides both a sharing of resources and features, as well as enabling high availability and scalability. In a multi-host environment, the security features of a single host are replicated among the other two hosts,including any X.509 certificates or trustpools. Once you join a host to another host or to a cluster, the Cisco DNA Center credentials are shared and become the same as that of the host you are joining or the pre-existing cluster. Cisco DNA Center credentials are cluster-wide (across hosts) and not per-host. 42

49 Manage High Availability Multi-Host Synchronization Multi-Host Synchronization Whenever there is a configuration change on one of the hosts, Maglev synchronizes the change with the other two hosts. The supported types of synchronization include: Database Synchronization includes any database updates related to the configuration, performance, and monitoring data. File Synchronization includes any changes to the configuration files. Multi-Host Upgrade In a multi-host cluster, you can trigger an upgrade of the whole cluster from the Cisco DNA Center GUI (the GUI represents the entire cluster and not just a single host). An upgrade triggered from the GUI automatically upgrades all the hosts in the cluster. After you initiate a system upgrade (not a package upgrade) Cisco DNA Center goes into maintenance mode. In maintenance mode, Cisco DNA Center will be unavailable until the upgrade process completes. You should take this into account when scheduling a Cisco DNA Center system upgrade. Once the system upgrade does complete, you can verify its success in the GUI by accessing System Settings > Software Updates > Updates and checking the installed version. Split Brain and Network Partition When Cisco DNA Center is configured as a multi-host cluster, a private network connection is set up between the hosts. This private network connection is used by each host to monitor the health and status of the other cluster hosts. A split brain occurs when there is a temporary failure of the network connection between the hosts, for example, due to any of the following occurrences: Physical disconnection of the network connection from a host Loss of power to one or more hosts Cisco Cisco DNA Center appliance failure During a split brain occurrence, situations can arise where each separate host is sending commands to a given network device without any coordination with the other hosts, and the results can be problematic. To correct for a split brain event, when the private network connection fails between one of the hosts, the other two hosts create a quorum and establish a network partition between themselves and the failed host with the following results: The split brain or network partition scenarios are be handled by ensuring quorum (majority reads and rights) to the database. The side of the partition with the "minority" stops operating, since it is be unable to perform quorum (majority reads and rights) to the database. 43

50 Recover Failed Hosts in a Cluster Manage High Availability The side of the partition with the "majority" continues to operate, since they are *able* to perform quorum (majority reads and rights) to the database. Recover Failed Hosts in a Cluster If a host fails within a multi-host cluster configuration, the time for the cluster to recover is usually 20 minutes. In a multi-host cluster with three hosts, if a single host (host A) is removed from the cluster for any reason, and the second host (host B) fails, then the last host (host C) will also immediately fail. To remove the failed node (host), log into the healthy node and execute the following CLI: maglev node remove. This will remove the faulty node (host) from the cluster. To add back the removed node, you must reinstall it using the Configuration Wizard's Add to cluster option. For information about using the Configuration Wizard, see Cisco Digital Network Architecture Center Installation Guide. After adding the node (host) back to the cluster, log into the node and execute the following CLI: maglev service nodescale refresh to enable high availability. In certain circumstances, you may have only two operational hosts within a multi-host cluster (three hosts). For example, when in the process of setting up a multi-host cluster, you may have only two hosts set up before configuring the third, or a single host may fail in your existing multi-host cluster. In these cases, the following functionality is unsupported for a multi-host cluster (three hosts) consisting of only two operational hosts: Upgrading the software version Installing the applications Restoring a backup file Restarting the cluster Removing an active host, when there is an already a faulty host that exists and there is no reachability (IP connectivity) to the multi-host cluster Important The above functionality is only supported on a multi-host cluster that consists of three hosts. Simultaneous removal of two hosts from a multi-host cluster (three hosts) at once or a simultaneous addition of two hosts to a multi-host cluster (three hosts) at once is not supported. Cisco DNA Center does not support shutting down two hosts in a three-host cluster running a High Availability (HA) configuration. Only a single host at a time can be shut down and restarted when performing maintenance or troubleshooting in a three-host cluster with HA. Remove the Assurance Seed Node An Assurance seed node is the node that is hosting the Assurance elastic search service. If an Assurance seed node fails, you must remove it so that you can replace it with a working node. Removing the Assurance seed node takes about 30 minutes. 44

51 Manage High Availability Add the Assurance Seed Node Minimize the time between removing the failed node and adding the new node to the cluster. When you remove an Assurance seed node, the existing Assurance data is lost, but the remaining nodes begin gathering new Assurance data. However, this data is lost as soon as the new Assurance seed node is added and begins gathering data. Before you begin Make sure that you: Have a backup of the Assurance data. Unfortunately, if you are performing this procedure due to a node failure, you will not be able to create a backup now. Instead, you must rely on backups that you have been routinely creating. Have allocated at least 30 minutes to perform this procedure. Step 1 Step 4 Step 5 Step 6 Shut down the node that you want to remove. The shutdown process takes about 10 minutes. Enter the following command to verify that the node is down: magctl node display The node status should be NOT_READY. Check the appstack status: magctl appstack status The pods for the node that was shut down should show NODE LOST or Pending as their status. Log in to one of the nodes that you are not removing (a non-seed node): maglev login -u admin -p admin-password -c nodeip:443 Remove the failed seed node from the cluster: maglev node remove nodeip The node removal process takes about 30 minutes to complete. Check that all services are running on the remaining two nodes: magctl node display magctl appstack status Add the Assurance Seed Node After removing the failed Assurance seed node, you can add the new node to the cluster. Before you begin Make sure that you: 45

52 Add the Assurance Seed Node Manage High Availability Removed the failed Assurance seed node. For information, see Remove the Assurance Seed Node, on page 44. Have allocated at least 30 minutes to perform this procedure. Step 1 On the new node, install the same software version that the other nodes in the cluster are running. During the installation, chose the Join an Existing Cluster option and enter the required configuration information using the Config wizard. For information, see the Cisco Digital Network Architecture Center Installation Guide. After the installation is complete, enter the following command: magctl node display The new node should show the Ready status. From the new node, do the following: a) Enter the following command: maglev node allow nodeip b) Redistribute services to the new node: maglev service nodescale refresh c) Verify that services have been redistributed: magctl appstack status The new node should show a Running status. Step 4 Restore the backup of Assurance data, if you have one. For information, see Restore Data from Backups, on page 74. As soon as the old data is restored, the new node begins gathering new data, and any data that the remaining nodes gathered while the new node was offline is lost. 46

53 CHAPTER 5 Manage Applications Application Management, on page 47 Downloading and Updating System Updates, on page 48 Downloading and Installing Packages and Updates, on page 48 Uninstalling Packages, on page 49 Application Management Cisco DNA Center provides many of its functions as individual applications, packaged separately from the Cisco DNA Center's core infrastructure. This permits you to install and run the applications that you want to and uninstall those you are not using, depending upon your preferences. However, be aware that application packages are not backward compatible. For example, if you are running base system version 1.2.0, you cannot install the SD Access application version You must first upgrade the base system version to and then install or upgrade the SD Access application to The number and type of application packages you see displayed in the Software Updates tab will vary, depending on the release version of Cisco DNA Center you have deployed at the moment, and your Cisco DNA Center licensing level (for example, Essentials or Advantage). All application packages available to you will be displayed, whether they are currently installed or not. Some applications are so basic, they are required on nearly every Cisco DNA Center deployment. To get a dialog box description of any package and whether it is required or not, hover your mouse cursor over that package's name in the Updates tab. Each Cisco DNA Center application package consists of service bundles, meta data files, and scripts. Important All application management procedures should be performed using the Cisco DNA Center GUI. Although you are able to perform many of these same procedures using the CLI (after logging into the shell), this is not recommended. In particular, if you use the CLI to deploy or upgrade packages, you must ensure that no deploy or upgrade command is issued unless the results of the "maglev package status" command show all packages as either NOT_DEPLOYED, DEPLOYED, or DEPLOYMENT_ERROR. Any other state indicates activity in progress, and parallel deployments or upgrades are not supported. 47

54 Downloading and Updating System Updates Manage Applications Downloading and Updating System Updates You can perform application management procedures from the Software Updates window, including downloading and installing system updates. Before you begin Only a user with SUPER-ADMIN-ROLE permissions may perform this procedure. For more information, see About User Roles, on page 51. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Software Updates. Alternately, click the cloud icon and click the Go to Software Updates link. Review the Software Updates window that now appears. The Software Updates window consists of the following two side tabs: Updates Shows the platform and the application updates. The Platform Update shows the system version that is installed and the system updates that are available and have been downloaded from the Cisco cloud. The App Updates shows the available applications that can be downloaded and installed from Cisco cloud, size of the application and the appropriate action (Download, Install, or Update). You can hover your mouse cursor over the package to view the available application version and a basic description about the application. Installed Apps Shows the application packages that are currently installed. Important Once you launch the Software Updates page, a connectivity check is performed and the status is displayed. If there is any connectivity issue, the Software Updates page will not show the new updates. If a system update appears in the Software Update page, click Update to update the Cisco DNA Center. Downloading and Installing Packages and Updates Cisco DNA Center treats individual applications as separate from the core infrastructure. Specifically, individual packages for applications can be installed to run on the Cisco DNA Center. You can perform the application management procedures from the Software Updates tab. Packages for applications may take time to install and deploy. Therefore, install the packages during a maintenance period for your network. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page

55 Manage Applications Uninstalling Packages Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Software Updates. Alternately, click the cloud icon and click the Go to Software Updates link. Review the Software Updates window that now appears. The Software Updates window consists of the following two side tabs: Updates Shows the platform and the application updates. The Platform Update shows the system version that is installed and the system updates that are available and have been downloaded from the Cisco cloud. The App Updates shows the available applications that can be downloaded and installed from Cisco cloud, size of the application and the appropriate action (Download, Install, or Update). You can hover your mouse cursor over the package to view the available application version and a basic description about the application. Installed Apps Shows the application packages that are currently installed. Important Once you launch the Software Updates page, a connectivity check is performed and the status is displayed. If there is any connectivity issue, the Software Updates page will not show the new updates. Download the applications by doing one of the following: To download all applications at once, click Download All at the top of the App Updates field. To download a specific application group, click Download All next to that group. To download a specific application, click Download next to that application. Step 4 Update the applications by doing one of the following: To update all applications at once, click Update All at the top of the App Updates field. To update a specific application group, click Update All next to that group. To update a specific application, click Update next to that application. Step 5 Ensure that each application has been updated by reviewing its version in the Installed Apps page. The application versions should be updated in this page. There may be some new application packages that were not part of your previous Cisco DNA Center configuration, and for this reason have not been installed by this procedure (for example, the Test Support package listed on this page). Uninstalling Packages Cisco DNA Center treats individual applications as separate from the core infrastructure. Specifically, individual packages for the applications can be installed and uninstalled on the Cisco DNA Center. You can perform the application management procedures from the Software Updates window in the Cisco DNA Center GUI. 49

56 Uninstalling Packages Manage Applications Only packages for applications that are not system critical can be uninstalled and will display an Uninstall option. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Software Updates. Alternately, click the cloud icon and click the Go to Software Updates link. Click the Installed Apps side tab to view the installed applications. Click Uninstall corresponding to the package you want to remove from Cisco DNA Center. You cannot uninstall multiple packages simultaneously. Once the package is uninstalled, it get removed from the Installed Apps page. 50

57 CHAPTER 6 Manage Users About User Profiles, on page 51 About User Roles, on page 51 Create Local Users, on page 52 Edit Local Users, on page 52 Delete Local Users, on page 53 Change Your Own User Password, on page 53 Reset Forgotten Password, on page 53 Display Role-Based Access Control Statistics, on page 54 Configure External Authentication, on page 54 Display External Users, on page 56 About User Profiles A user profile defines a user's login, password, and role (permissions). You can configure both internal and external user profiles for any user. Internal user profiles reside in Cisco DNA Center and external user profiles reside on an external AAA server. One default user profile with SUPER-ADMIN-ROLE permissions is created when you install Cisco DNA Center. About User Roles Users are assigned user roles that specify the functions that they are permitted to perform: Administrator (SUPER-ADMIN-ROLE) Users with this role have full access to all of the Cisco DNA Center functions. They can create other user profiles with various roles, including those with the SUPER-ADMIN-ROLE. Although administrators cannot directly change another user's password in the user interface, they can delete and recreate a user with new password. For security reasons, passwords are not displayed to any user, not even those with administrator privileges. 51

58 Create Local Users Manage Users Network Administrator (NETWORK-ADMIN-ROLE) Users with this role have full access to all of the network-related Cisco DNA Center functions. They do not have access to system-related functions, such as App Management, Users (except for changing their own passwords), and Backup and Restore. Observer (OBSERVER-ROLE) Users with this role have view-only access to the Cisco DNA Center functions. Users with an observer role cannot access any functions that configure or control Cisco DNA Center or the devices it manages. A fourth default role, called TELEMETRY-ADMIN-ROLE, also exists, but this role is not accessible from the user interface and is only used for system-level functions within Cisco DNA Center. Create Local Users You can create a user and assign it one of the following user roles: SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE, or OBSERVER-ROLE. For more information, see About User Roles, on page 51. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Step 1 From the Cisco DNA Center home page, click > System Settings > Users > User Management. Click. Step 4 Enter a username for the new user. From the Role drop-down list, choose one of the following roles: SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE, or OBSERVER-ROLE. Although the TELEMETRY-ADMIN-ROLE appears as an option, it is not available for use, so you cannot choose this role. Step 5 Step 6 Enter a password and confirm it. Click Save. Edit Local Users You can change only the user role. The username or password cannot be changed. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page

59 Manage Users Delete Local Users Step 1 Click > System Settings > Users > User Management. Step 4 Step 5 Click the radio button next to the user that you want to modify. Click Edit. From the Role drop-down list, choose a new role: SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE, or OBSERVER-ROLE. Click Save. Delete Local Users Only an administrator with SUPER-ADMIN-ROLE permissions may delete a user. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Step 1 From the Cisco DNA Center home page, click > System Settings > Users > User Management. Select the radio button next to the user that you want to delete. Click Delete. Step 4 Click OK. Change Your Own User Password Only you can change the password that you enter to log in to Cisco DNA Center. Even a user with administrator privileges cannot change another user's password. If an administrator needs to change another user's password, they need to delete and readd the user with a new password. Step 1 From the Cisco DNA Center home page, click > System Settings > Users. Click Change Password. Enter information in the required fields and click Update. Reset Forgotten Password If you have forgotten your password, you can reset your password through CLI. Follow the below steps to reset your password: 53

60 Display Role-Based Access Control Statistics Manage Users Step 1 Check if the user is created in the system using the below command: magctl user display <username> This command will return the tenant-name which can be used to reset the password. The sample output will be: User admin present in tenant TNT0 (where TNT0 is the tenant-name) Enter the tenant-name in the below command to reset the password. magctl user password update <username> <tenant-name> You will be prompted to enter a new password. Step 4 Enter a new password. You will be prompted to re-enter the new password to confirm. Enter the new password. The password is reset and you can login to Cisco DNA Center using the new password. Display Role-Based Access Control Statistics You can display statistics that show how many users of each user role exist. You can also drill down to view a list of users who have the selected role. Step 1 From the Cisco DNA Center home page, click > System Settings > Users > Role Based Access Control. Click See details to display a list of users with the selected role. Configure External Authentication If you are using an external server for authentication and authorization of external users, you need to enable external authentication in Cisco DNA Center. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. You must configure at least one authentication server. Step 1 From the Cisco DNA Center home page, click > System Settings > Users > External Authentication. To enable external authentication on Cisco DNA Center, select the Enable External User checkbox. (Optional) Configure the AAA attribute. For most cases, the default AAA attribute setting (Cisco-AVPair) is sufficient, as long as you have set the Cisco DNA Center user profile on the AAA server with cisco-av-pair as the AAA attribute. You only need to change the default 54

61 Manage Users Configure External Authentication setting in Cisco DNA Center if you have a different value set in the Cisco DNA Center user profile on the AAA server. For example, you might manually define the AAA attribute as Cisco-AVPair=Role=SUPER-ADMIN-ROLE. a) In the AAA Attribute field, leave the default value of Cisco-AVPair or enter the new AAA attribute value. b) Click Update. Step 4 (Optional) Configure the AAA server(s). You need to configure these settings only if the order (primary/secondary) or the AAA servers that you configured in System Settings > Settings > Authentication and Policy Servers need to be different. a) From the Primary AAA Server IP Address drop-down field, choose an IP address of one of the preconfigured AAA servers. b) From the Secondary AAA Server IP Address drop-down field, choose an IP address of one of the preconfigured AAA servers. c) (Optional) If you are using a Cisco ISE server, you can update the settings, if necessary. Table 3: Cisco ISE Server Settings Name Shared Secret Username Password FQDN Description Key for device authentications. The shared secret can be up to 128 characters in length. Name that is used to log in to the Cisco ISE command-line interface (CLI). Password for the Cisco ISE CLI username. Fully qualified domain name (FQDN) of the Cisco ISE server. The FQDN consists of two parts, a hostname and the domain name, in the following format: hostname.domainname.com. For example, the FQDN for a Cisco ISE server might be ise.cisco.com. Subscriber Name SSH Key Virtual IP Address(es) A unique text string, for example dnac, that is used during Cisco DNA Center to Cisco ISE integration to setup a new pxgrid client in Cisco ISE. Diffie-Hellman-Group14-SHA1 SSH key used to connect and authenticate with Cisco ISE. Virtual IP Address(es) Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses. d) (Optional) To update advanced settings, click View Advanced Settings and update the settings, if necessary. Table 4: AAA Server Advanced Settings Name Protocol Authentication Port Accounting Port Description TACACS or RADIUS Port used to relay authentication messages to the AAA server. The default is UDP port Port used to relay important events to the AAA server. The information in these events is used for security and billing purposes. The default UDP port is

62 Display External Users Manage Users Name Retries Timeout Description Number of times that Cisco DNA Center attempts to connect with Cisco ISE before abandoning the attempt to connect. The default number of attempts is 1. The length of time that Cisco DNA Center waits for Cisco ISE to respond before abandoning the attempt to connect. e) Click Update. Display External Users You can view a list of external users who have logged in through Radius/TACACS for the first time. The information that is displayed includes their user names and roles. Step 1 From the Cisco DNA Center home page, click > System Settings > Users > External Authentication. Scroll to the bottom of the window. The External Users area lists the external users. 56

63 CHAPTER 7 Manage Licenses This chapter contains the following topics: License Manager Overview, on page 57 Integration with Cisco Smart Accounts, on page 61 Set Up License Manager, on page 61 Visualize License Usage and Expiration, on page 62 View License Details, on page 62 Change License Level, on page 63 Export License Information, on page 64 Auto Registration of Smart License Enabled Device, on page 64 Day 0 Configuration for Smart License Enabled Device, on page 65 Apply Specific License Reservation or Permanent License Reservation to Devices, on page 65 Cancel SLR or PLR Applied to Devices, on page 66 License Manager Overview The Cisco DNA Center License Manager feature helps you visualize and manage all of your Cisco product licenses, including Smart Account licenses. From the Cisco DNA Center Home Page, select License Manager from the Tools tiles. The License Management page contains tabs with the following information: Switches Shows purchased and in-use information for all switches. Routers Shows purchased and in-use license information all routers. Access Points Shows purchased and in-use license information for all wireless controllers and access points. ISE Shows purchased and in-use license information for devices managed by Cisco Identity Services Engine (ISE). All Licenses Shows comprehensive details for all types of licenses for all Cisco devices. To manage licenses, you can use the controls shown above the table listings in each tab. License Management Controls describes each of the controls. Please note that not all controls are shown in all tabs. 57

64 License Manager Overview Manage Licenses Table 5: License Management Controls Control Filter Change DNA License Change Virtual Account Manage Smart License > Register Manage Smart License > Deregister Manage License Reservation > Enable License Reservation Manage License Reservation > Cancel/Return License Reservation Manage License Reservation > Factory License Reservation Recent Tasks Description Click Filter to specify one or more filter values and then click Apply. You can apply multiple filters. To remove a filter, click the x icon next to the corresponding filter value. Select one or more licenses and click Actions > Change DNA License to change the level of a selected Cisco DNA Center license to Essential or Advantage. You can also use this control to remove a Cisco DNA Center license. For more information, see Change License Level, on page 63. Select one or more licenses and click Actions > Change Virtual Account to specify the Virtual Account used to manage these licenses. Select one or more Smart License enabled devices and click Actions > Manage Smart License > Register to register the Smart License enabled devices. Select one or more Smart License enabled devices and click Actions > Manage Smart License > Deregister to unregister the Smart License enabled devices. Choose the device for which you want to apply Specific License Reservation (SLR) or Permanent License Reservation (PLR), and click Actions > Manage License Reservation > Enable License Reservation. Choose the device and click Actions > Manage License Reservation > Cancel/Return License Reservation to cancel or return the Specific License Reservation or Permanent License Reservation applied to the device. Choose the device and click Actions > Manage License Reservation > Factory License Reservation to enable the factory installed Specific License Reservation (SLR) on to the device. Click Recent Tasks to see a list of All 50 of the most recently performed Cisco DNA Center tasks. Use the drop-down at the top of the list to narrow the list to show only those tasks that ended in Success or Failure, those that are still In Progress. 58

65 Manage Licenses License Manager Overview Control Refresh Export Find Show entries Description Click this control to refresh the window. Click to export the list of displayed licenses as a CSV file. For more information, see Export License Information, on page 64. Enter a search term in the Find field to find all licenses in the list that have that term in any column. Use the asterisk (*) character as a wildcard anywhere in the search string. Select the total number of entries to show in each page of the table. The Licenses table displays the information shown for each device. All of the columns support sorting. Click the column header to sort the rows in ascending order. Click the column header again to sort the rows in descending order. Not all columns are used in every tab. Additionally, some of the columns are hidden in the default column view setting, which can be customized by clicking the More icon ( ) at the right end of the column headings. Table 6: License Usage Information Column Device Type: Device Series Device Type: Total Devices Purchased Licenses: DNA Purchased Licenses: Network/Legacy Used Licenses: DNA Used Licenses: Network/Legacy Feature Licenses (applicable only for Routers) Description Name of the device product series (for example: Catalyst 3850 Series Ethernet Stackable Switch). Click this link to view the license details window. For more information, see View License Details, on page 62. The total number of devices in this product series that are under active management by Cisco DNA Center. The total number of purchased Cisco DNA Center subscription licenses for the devices in this product series. The total number of purchased Network (or Legacy) perpetual licenses for the devices in this product series. The total number of Cisco DNA Center subscription licenses applied to the devices in this product series. The total number of Network perpetual licenses for the devices in this product series. The number of licenses purchased for specific features like security, AVC and so on. 59

66 License Manager Overview Manage Licenses Table 7: All Licenses Information Column Device Name Device Family IP Address Device Series DNA Level DNA License Expiry License Mode Network License Virtual Account Site Registration Status Authorization Status Reservation Status Last Updated Time MAC Address DNA Term DNA Days to Expiry Software Version Description Name of the device. Click this link to view the license details window. For more information, see View License Details, on page 62 The category of device as defined by Cisco DNA Center (for example: Switches and Hubs). IP address of the device. The full name of the Cisco product series to which the listed device belongs (for example: Cisco Catalyst 3850 Series Ethernet Stackable Switch). The Cisco DNA Center license level. The date the Cisco DNA Center license expires. The Cisco DNA Center license mode. The type network license. The name of the Cisco Virtual Account managing the license for this device. The Cisco DNA Center site where the device is located. The registration status of the device. The authorization status of the device. The reservation status of the devices. Last time this entry in the table was updated/ The MAC address of the licensed device. The total term during which the Cisco DNA Center subscription license is in effect. The number of days remaining until the Cisco DNA Center license term expires. The version of the network operating system currently running on the device. 60

67 Manage Licenses Integration with Cisco Smart Accounts Integration with Cisco Smart Accounts Cisco DNA Center supports Cisco Smart Accounts, an online Cisco service that provides simplified, flexible, automated software- and device-license purchasing, deployment, and management across your organization. If you already have a Cisco Smart Account, you can use Cisco DNA Center to: Track your license consumption and expiration. Apply and activate new licenses, without intervention. Promote each device's license level from Essentials to Advantage (or vice versa) and reboot the device with the newly changed level of feature licensing. Identify and re-apply unused licenses. Retire unused licenses. You can accomplish this automatically, without leaving Cisco DNA Center. For more on the service itself, see Cisco Smart Accounts on Cisco.com. For more on setting up your Cisco Smart Account for use with Cisco DNA Center, see Set Up License Manager, on page 61. Set Up License Manager You must set up access to your Cisco Smart Account before you can use the Cisco DNA Center License Manager tools. Before you begin You will need to: Make sure you have SUPER-ADMIN-ROLE permissions and the appropriate RBAC scope to perform this procedure. For information about the user permissions required to perform tasks using the Cisco DNA Center, see the chapter, Managing Users and Roles, in this guide. Collect the Cisco user ID and password for your Smart Account. If you have one or more Smart Accounts: Select the smart Account that you want to use with Cisco DNA Center, and collect that account's user ID and password. Step 1 Log on using a Cisco DNA Center system administrator user name and password. Click, then select System Settings > Settings > Cisco Credentials. Step 4 Under Cisco.com Credentials, enter the username and password for your Smart Account. To access your Smart Account using a virtual or subordinate Smart Account name and password, under Link Your Smart Account, choose: Use Cisco.com user ID if your Cisco.com and Smart Account credentials are the same. Use different credentials if your Cisco.com and Smart Account credentials are different, and then enter your Smart Account credentials. 61

68 Visualize License Usage and Expiration Manage Licenses Step 5 Step 6 Click View all virtual accounts to view all virtual Smart License Accounts. When you are finished, click Apply. Visualize License Usage and Expiration Cisco DNA Center can display graphical representations of your purchased DNA licenses, how many of them are in use (that is, assigned to devices), and their duration. Step 1 Step 4 From the Cisco DNA Center Home page, select License Manager from the Tools tiles. Select the type of device category whose license usage you want to see: Switches, Routers, Access Points, ISE, or All Licenses. The License Usage graphs at the top of the window display the aggregate number of purchased DNA licenses and the number of those licenses currently in use for the device category you selected. The graphs also indicate the proportion of Essentials versus Advantage licenses within each total. Under the graphs, the License Usage table gives subtotals for used and unused licenses, listed alphabetically by product family name. To see detailed comparisons for a particular product family, click on the name of the product family given in the Device Series column in the table. Cisco DNA Center displays a window giving details for the product family you selected. To see a graphical representation of license duration, scroll down to the License Timeline section of the window. The timeline graph for each product family is a visual representation of when the DNA licenses in the configured Smart Account will expire for that product family. View License Details There are many ways to find and view license details in Cisco DNA Center. For example, you can click on the license usage and term graphs displayed in the Switches, Routers, Access Points, ISE, or All Licenses tabs in the License Manager window. Each of these will display popups with aggregated facts about licenses for each of these product families. The simplest method for getting the most comprehensive license details for a single device is to use the License Manager's All Licenses table, as explained in the following steps. Step 1 Select Tools > License Manager > All Licenses. The License Manager window displays a table listing all of your discovered devices and their licenses. Information in the table includes only basic device and license information, such as device type, license expiration dates, and so on. Scroll through the table to find the device whose license details you want to see. If you are having trouble finding the device you want, you can: 62

69 Manage Licenses Change License Level Filter: Click and then enter your filter criteria in the appropriate field (for example: enter all or part of the device name in the Device Name field). You may enter filter criteria in multiple fields. When you click Apply, the table displays only the rows displaying information that matches your filter criteria. Find: Click in the Find field and enter the text you want to find in any of the table columns. When your press Enter, the table scrolls to the first row with text matching your entry in the Find field. Customize: Click and select the columns you want displayed in the table. For example: Deselect Device Model or select Days to Expiry. When you click Apply, the table displays only the columns you selected. When you have found the device you want, click the Device Name link in the row for that device. Cisco DNA Center displays a popup License Details window giving complete license details for the device you selected. The Actions displays actions that can be performed on the device or its licenses. When you are finished, click to close the License Details window. Change License Level You can upgrade or downgrade the feature level of your device licenses. You can do this with DNA (subscription) licenses. Your feature level choices are either the basic Essentials level or the comprehensive Advantage level. ( that Network license conversion is available for products in the Cisco Catalyst 9000 device family only and Network license conversion is handled implicitly when DNA license level is changed.) Whenever you change a device's license level, Cisco DNA Center automatically downloads and applies your licenses behind the scenes, using your Smart Account. As applying a license level change requires a device reboot, License Manager will prompt you to confirm that you want to reboot the device as soon as the license level change is complete. You can choose not to reboot with the license change, but you will need to schedule the reboot at a later time, or your license level change will not be applied. Step 1 Step 4 Step 5 Select Tools > Licenses > All Licenses The License Manager window displays a table listing all of your discovered devices and their licenses. Use Find or scroll through the table to find the devices whose license level you want to change. If you are having trouble finding the device you want, or want to select multiple devices, follow the tips in the related topic, View License Details, on page 62, to change the table to display just the devices you want. Click the checkbox next to each device for which you want to change the license level link, then click Actions > Change DNA License. Cisco DNA Center displays a Change License Level window appropriate for the license type you want to change. Click the license level you want for these devices: Essentials or Advantage If you would like to remove the license from the device, select Remove. Click Next to continue. Cisco DNA Center asks if you want the change to be applied right away or at a later time. You must also choose whether you want to reboot the device as soon as its license status is updated. To continue: 63

70 Export License Information Manage Licenses If you are not ready to make the change: Click Back to change your License Level selection, or click window and cancel the change. to close the If you are ready to make the change immediately: Click Now, then click Confirm. The device using this license will reboot as soon as the change is applied. If you want the change to be applied later: Click Later, enter a name for the scheduled task, and specify the date and time when you want the change to be applied. If you want the change to take place as scheduled in the time zone of the site where the device is located, select Site Settings. When you are finished specifying the schedule parameters, click Confirm. Export License Information You can quickly export license information from Cisco DNA Center to backup PDF or Microsoft Excel files. These license backup files are intended to assist your organization's accounting and reporting needs. Step 1 Step 4 Step 5 Step 6 Select Tools > License Manager. Select All Licenses. Cisco DNA Center displays a list of all your currently assigned licenses. Click Export. Cisco DNA Center displays the Export Licenses window. Select the destination file format. (Optional) Click on the checkboxes next to each type of license information you want to exclude or include in the export. Click the checkbox at the bottom if you want to save your choices as the default for later exports. When you are finished, click Export and specify the location and file name for the exported license file. Then click OK to complete the export. Auto Registration of Smart License Enabled Device You can enable auto registration of Smart License (SL) enabled devices. Once auto registration is enabled, any SL enabled devices added to Cisco DNA Center will get auto registered to the chosen virtual account. To enable auto registration of SL enabled devices, do the following: Step 1 Log on using a Cisco DNA Center system administrator user name and password. Click, then select System Settings > Settings > Cisco Credentials. Under Link your Smart Account, check the Auto register Smart License Enabled device checkbox. Step 4 Choose a virtual account. Step 5 Click Apply. 64

71 Manage Licenses Day 0 Configuration for Smart License Enabled Device Day 0 Configuration for Smart License Enabled Device The devices that are already added to Cisco DNA Center before enabling auto registration will not get auto registered. The smart license enabled devices that are not registered can be viewed in the All Licenses page. Step 1 Select Tools > Licenses > All Licenses. The License Manager window displays a banner message with the number of SL enabled devices that are not auto registered and a table listing all of your discovered devices and their licensesa link to set up Auto Registration. Alternatively, you can filter the unregistered devices by using the Registration Status column. Step 4 Choose the SL enabled devices that you want to register and click Actions > Manage Smart License > Register. Choose the virtual account and click Continue. To register the devices, do any of the following as required: a) If you want to register the devices immediately, choose Now and click Confirm. b) If you want to register the devices later, choose Later, and specify the date and time when you want to register the device. When you are finished specifying the schedule parameters, click Confirm. Apply Specific License Reservation or Permanent License Reservation to Devices Smart Licensing requires a smart device instance to regularly sync with Cisco Smart Software Management (CSSM) so that the latest license status is refreshed and compliance reported. Some customers have devices that are within highly secured networks with limited internet access. In these types of networks, devices cannot regularly sync with CSSM and show out of compliance. To support these customer environments, Specific License Reservation (SLR) and Permanent License Reservation (PLR) have been introduced. The License Manager enables Cisco DNA Center customers to securely reserve licenses from CSSM using an API-based workflow. In Cisco DNA Center, it requires a one-time connectivity to CSSM in the staging environment. Then the devices never need to connect to Cisco in SLR or PLR mode. If no connectivity to CSSM or staging is possible, you can resort to the manual SLR/PLR workflow available in CSSM. SLR lets you install a node-locked license file (SLR authorization code) on a product instance. This license file enables individual (specific) licenses (entitlement tags). PLR lets you install an authorization code that enables all licensed features on the product. Both SLR and PLR require pre-approval at the Smart Account level. Contact licensing@cisco.com for support. To enable SLR or PLR, do the following: Step 1 Choose Tools > Licenses > All Licenses. Choose the devices for which you want to apply SLR or PLR, and click Actions > Manage License Reservation > Enable License Reservation. 65

72 Cancel SLR or PLR Applied to Devices Manage Licenses Step 4 Step 5 Step 6 Step 7 Choose Specific License Reservation (SLR) or Permanent License Reservation (PLR) and click Continue to obtain the request codes for the selected devices. After the request codes are generated for the selected devices, click Continue. Choose a virtual account from where you want to reserve licenses and click Continue to generate the authorization codes for the selected devices. After the authorization codes are generated, do any of the following: To apply SLR immediately, choose the devices and click Continue. To apply SLR at a later time, click Apply Later. Click Confirm to apply SLR/PLR to the selected device. You can now view the updated status of the devices under Reservation Status on the All Licenses page. Cancel SLR or PLR Applied to Devices If you want to cancel or return the SLR or PLR applied to the device, do the following: Step 1 Select Tools > Licenses > All Licenses. Choose the device and click Actions > Manage License Reservation > Cancel/Return License Reservation. Click Cancel to return the licenses. You can now view the updated status of the devices under Reservation Status on All Licenses page. 66

73 CHAPTER 8 Backup and Restore About Backup and Restore, on page 67 Automation Backup Server Requirements, on page 68 Assurance Backup Server Requirements, on page 69 Example of NFS Server Configuration, on page 69 Configure Backup Servers, on page 70 Back Up Data Now, on page 71 Schedule Data Backups, on page 73 Restore Data from Backups, on page 74 About Backup and Restore You can use the backup and restore functions for the following purposes: To create backup files for disaster recovery for the appliance To create backup files to restore to a different appliance (if required for your network configuration) Backup Before Release 1.2.5, you could only back up Automation data through the GUI. If you needed a backup of Assurance data, you had to use the CLI. Beginning with Release 1.2.5, you can back up both Automation and Assurance data using the GUI. The procedures for performing a backup using the CLI are no longer included in this document. You can back up Automation data only or both Automation and Assurance data. The Automation data consists of Cisco DNA Center databases, credentials, file systems, and files. The Automation backup is a full backup. The Assurance data consists of network assurance and analytics data. The first backup of Assurance data is a full backup. After that, backups are incremental. 67

74 Automation Backup Server Requirements Backup and Restore Important Do not modify the backup files. If you do, you might not be able to restore the backup files to Cisco DNA Center. Cisco DNA Center creates the backup files and posts them to a remote server. Each backup is uniquely stored using the UUID as the directory name. For information about the remote server requirements, see Automation Backup Server Requirements, on page 68 and Assurance Backup Server Requirements, on page 69. Only a single backup can be performed at a time. Performing multiple backups at once is not supported. While a backup is being performed, you cannot delete any files that have been uploaded to the file service, and any changes that you make to files might not be captured by the backup process. When performing a backup, we recommend the following: Perform a daily backup to maintain a current version of your database and files. Perform a backup after making any changes to your configuration; for example, when changing or creating a new policy on a device. Only perform a backup during a low impact or maintenance time period. You can schedule weekly backups on a specific day of the week and time. Restore You restore the backup files from the remote server using Cisco DNA Center. When you restore the backup files, Cisco DNA Center removes and replaces the existing database and files with the backup database and files. While a restore is being performed, Cisco DNA Center is unavailable. You cannot take a backup from one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken. To view the current applications and versions on Cisco DNA Center, choose > System Settings > App Management. You can restore a backup to a Cisco DNA Center appliance with a different IP address. This situation could happen if the IP address is changed on Cisco DNA Center and you need to restore from an older system. Automation Backup Server Requirements The server that stores Automation data backups must meet the following requirements: Must use SSH (port22)/rsync. Cisco DNA Center does not support using FTP (port 21) when performing a backup. Running Red Hat Enterprise Linux 6 or greater, or any of its derivatives such as CentOS, Ubuntu or greater and its derivatives (Mint), or any other modern Linux operating system. Linux rsync utility must be installed. The destination folder for the backup should be owned by the backup user or the backup user should have read-write permissions for the user's group. For example, assuming the backup user is 'backup' and 68

75 Backup and Restore Assurance Backup Server Requirements user's group is 'staff ', then the following sample outputs show the required permissions for the backup directory: Example 1: Backup directory is owned by 'backup' user: $ ls -l /srv/ drwxr-xr-x 4 backup root 4096 Apr 10 15:57 dnac Example 2: 'backup' user's group has required permissions: $ ls -l /srv/ drwxrwxr-x. 7 root staff 4096 Jul dnac SFTP sub-system must be enabled. The following line needs to be uncommented and present in the SSHD configuration: Subsystem sftp /usr/libexec/openssh/sftp-server The file where you need to uncomment the above line is generally located in: /etc/ssh/sshd_config Assurance Backup Server Requirements The server that you use to back up Assurance data must meet the following requirements: Run one of the following operating systems: Ubuntu 16 Ubuntu Linux CentOS 7 Support NFS v4 and NFS v3. (To verify this support, from the server, enter nfsstat -s.) Have read and write permissions on the NFS export directory. Have a stable network connection between Cisco DNA Center and the NFS server. Have sufficient network speed between Cisco DNA Center and the NFS server. Example of NFS Server Configuration The remote share for backing up an Assurance database (NDP) must be an NFS share. If you need to configure an NFS server, use the following procedure (Ubuntu distribution) as an example. Step 1 Run the sudo apt-get update command to access and update the advanced packaging tool (APT) for the NFS server. For example, enter a command similar to the following: $ sudo apt-get update Run the sudo apt-get install command to install the advanced packaging tool for NFS. 69

76 Configure Backup Servers Backup and Restore For example, enter a command similar to the following: $ sudo apt-get install -y nfs-kernel-server Step 4 Step 5 Step 6 Step 7 Run the sudo mkdir -p command to create nested directories for the NFS server. For example, enter a command similar to the following: $ sudo mkdir -p /var/nfsshare/ Run the sudo chown nobody:nogroup command to change the ownership of the group to nobody and nogroup. For example, enter a command similar to the following: $ sudo chown nobody:nogroup /var/nfsshare Run the sudo vi /etc/exports command to add the following line to the end of /etc/exports: $ sudo vi /etc/exports /var/nfsshare *(rw,all_squash,sync,no_subtree_check) Run the sudo exportfs -a command to export the file systems for the NFS server. For example, enter a command similar to the following: $ sudo exportfs -a Run the sudo systemctl start nfs-server command to restart the NFS server. For example, enter a command similar to the following: $ sudo systemctl start nfs-server Step 8 Enter the following command to set the permission on the NSF directory to 777: chmod 777 -R <your_nfs_directory> What to do next After you configure an NFS share, back up the Cisco DNA Center Assurance data or schedule a backup for a later time. For information, see Back Up Data Now, on page 71 or Schedule Data Backups, on page 73. Configure Backup Servers If you plan to back up only the Automation data, you need to configure the DNAC Core System server. If you plan to back up both the Automation and Assurance data, you need to configure the DNAC Core System backup server and the Network Data Platform backup server. This procedure shows you how to set up both servers. Before you begin Make sure the following requirements have been met: Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page

77 Backup and Restore Back Up Data Now The server that you plan to use for Automation data backups must meet the requirements described in Automation Backup Server Requirements, on page 68. The server that you plan to use for Assurance data backups must meet the requirements described in Assurance Backup Server Requirements, on page 69. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Backup & Restore > Configure. To configure the DNAC Core System backup server, do the following: a) Define the following settings: Table 8: DNAC Core System Backup Server Field SSH IP Address SSH Port Server Path Username Password Encryption Passphrase Description IP address of the remote server that you can SSH into. Port address of the remote server that you can SSH into. Path to the folder on the server where the backup files are saved. Username used to protect the encrypted backup. Password used to protect the encrypted backup. Passphrase used to encrypt the security-sensitive components of the backup. These security-sensitive components include certificates and credentials. This is a required passphrase that you will be prompted for and that must be entered when restoring the backup files. Without this passphrase, backup files are not restored. b) Click Apply. To configure the Network Data Platform backup server, click Network Data Platform and define the following settings: Table 9: Network Data Platform Backup Server Field Host Server Path Description IP address or host name of the remote server that you can SSH into. Path to the folder on the server where the backup files are saved. Step 4 Click Apply. Back Up Data Now You can choose to back up one of the following data sets: Automation data only. 71

78 Back Up Data Now Backup and Restore Both Automation and Assurance data. When you perform a backup, Cisco DNA Center copies and exports the data to the location on the remote server that you configured. Data is backed up using SSH/Rsync. Cisco DNA Center does not support using FTP (port 21) when performing a backup. Before you begin Make sure the following requirements have been met: Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Backup servers meet the requirements described in Automation Backup Server Requirements, on page 68. Backup servers have been configured in Cisco DNA Center. For information, see Configure Backup Servers, on page 70. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Backup & Restore > Backups. If you have not yet configured a backup server, Cisco DNA Center requires that you configure one before proceeding. Click Configure your backups and see Configure Backup Servers, on page 70 for information. Step 4 Step 5 Step 6 Click Add. The Create Backup pane appears. In the Backup Name field, enter a unique name for the backup. Click Create now to perform the backup immediately. Define the scope of the backup: Click DNA Center (All data) to back up the Automation and Assurance data. Click DNA Center (without Assurance data) to back up only the Automation data. Click Create. During the backup process, Cisco DNA Center creates the backup database and files. The backup files are saved to the specified location on the remote server. You are not limited to a single set of backup files, but can create multiple backup files that are identified with their unique names. You receive a Backup done! notification when the process is finished. If the backup process fails, there is no impact to the appliance or its database. Cisco DNA Center displays an error message stating the cause of the backup failure. The most common reason for a failed backup is insufficient disk space. If your backup process fails, make sure that there is sufficient disk space on the remote server and attempt another backup. 72

79 Backup and Restore Schedule Data Backups Schedule Data Backups You can schedule recurring backups and define the day of the week and the time of day when they will occur. Before you begin Make sure the following requirements have been met: Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. Backup servers meet the requirements described in Automation Backup Server Requirements, on page 68. Backup servers have been configured in Cisco DNA Center. For information, see Configure Backup Servers, on page 70. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Backup & Restore > Schedule. The Schedule window appears. Step 4 Step 5 Step 6 Step 7 Click Add. The Create Backup pane appears. In the Backup Name field, enter a unique name for the backup. Click Schedule later. In the Schedule field, choose the day of the week and time of day when you want the backup to occur. Define the scope of the backup: Click DNA Center (All data) to back up the Automation and Assurance data. Click DNA Center (without Assurance data) to back up only the Automation data. Click Schedule. During the backup process, Cisco DNA Center creates the backup database and files. The backup files are saved to the specified location on the remote server. You are not limited to a single set of backup files, but can create multiple backup files that are identified with their unique names. You receive a Backup done! notification when the process is finished. If the backup process fails, there is no impact to the appliance or its database. Cisco DNA Center displays an error message stating the cause of the backup failure. The most common reason for a failed backup is insufficient disk space. If your backup process fails, make sure that there is sufficient disk space on the remote server and attempt another backup. 73

80 Restore Data from Backups Backup and Restore Restore Data from Backups When you restore data from a backup file, Cisco DNA Center removes and replaces the existing database and files with the backup database and files. The data that is restored depends on what is on the backup: Automation data backup Cisco DNA Center restores the full Automation data. Automation and Assurance data backup Cisco DNA Center restores the full Automation data and the Assurance data as far back as the date that you choose. Caution The Cisco DNA Center restore process only restores the database and files. The restore process does not restore your network state and any changes made since the last backup, including any new or updated network policies, passwords, certificates, or trustpool bundles. You cannot do a backup from one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken. To view the current apps and versions, choose > System Settings > App Management. Before you begin Make sure the following requirements have been met: Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 51. You have backups from which to restore data. When you restore data, Cisco DNA Center enters maintenance mode and is unavailable until the restore process is done. Make sure you restore data at a time when Cisco DNA Center can be unavailable. Step 1 From the Cisco DNA Center home page, click the gear icon ( ) and then choose System Settings > Backup & Restore. The Backup & Restore window displays the following tabs: Backups, Schedule, and Activity. If you already successfully created a backup on a remote server, it appears in the Backups tab. In the Backup Name column, locate the backup that you want to restore. In the Actions column, choose Restore. The Cisco DNA Center restore process restores the database and files. The restore process does not restore your network state and any changes made since the last backup, including any new network policies that have been created, any new or updated passwords, or any new or updated certificates and trustpool bundles. During a restore, the backup files remove and replace the current database. 74