Cisco Digital Network Architecture Center Administrator Guide, Release 1.2

Transcription

1 Cisco Digital Network Architecture Center Administrator Guide, Release 1.2 First Published: Last Modified: Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA USA Tel: NETS (6387) Fax:

2 THE SPECIFICATIONS AND INFORMATION REGARDING THE PRODUCTS IN THIS MANUAL ARE SUBJECT TO CHANGE WITHOUT NOTICE. ALL STATEMENTS, INFORMATION, AND RECOMMENDATIONS IN THIS MANUAL ARE BELIEVED TO BE ACCURATE BUT ARE PRESENTED WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED. USERS MUST TAKE FULL RESPONSIBILITY FOR THEIR APPLICATION OF ANY PRODUCTS. THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY. The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB's public domain version of the UNIX operating system. All rights reserved. Copyright 1981, Regents of the University of California. NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED AS IS" WITH ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING, USAGE, OR TRADE PRACTICE. IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING, WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R) 2018 Cisco Systems, Inc. All rights reserved.

3 CONTENTS CHAPTER 1 Get Started with Cisco DNA Center 1 About Cisco DNA Center 1 Log In 1 Log In for the First Time as a Network Administrator 2 Default Home Page 3 Use Global Search 5 Where to Start 6 CHAPTER 2 Configure System Settings 7 About System Settings 7 View the Overview in System 360 View the Services in System About DNA Center and Cisco ISE Integration 10 Configure Authentication and Policy Servers 11 Configure Cisco Credentials 13 Device Controllability 13 Configure Device Controllability 15 Integrity Verification 15 Upload the KGV File 15 Configure an IP Address Manager 17 Configure Debugging Logs 18 Configure the Network Resync Interval 19 View Audit Logs 20 Configure the Proxy 21 Configure Security for Cisco DNA Center 22 Enable TLS and RC4-SHA 22 iii

4 Contents Configure Proxy Certificate 23 Certificate and Private Key Support 24 Certificate Chain Support 25 Configure a Certificate 26 Certificate Management 28 Configure Device Certificate Lifetime 28 Change the Role of the PKI Certificate from Root to Subordinate 28 Provision a Rollover SubCA Certificate 30 Configure Trustpool 32 Configure SFTP Server 32 Configure SNMP Properties 33 About Telemetry Collection 33 Configure Telemetry Collection 34 Configure vmanage Properties 34 CHAPTER 3 Manage High Availability 37 Multi-Host Configurations for High Availability 37 Multi-Host Deployment Overview 38 Clustering and Database Replication 38 Security Replication 38 Multi-Host Synchronization 39 Multi-Host Upgrade 39 Split Brain and Network Partition 39 Recover Failed Hosts in a Cluster 40 CHAPTER 4 Manage Applications 41 Application Management 41 Downloading and Updating System Updates 42 Downloading and Installing Packages and Updates 42 Uninstalling Packages 43 CHAPTER 5 Manage Users 45 About User Profiles 45 About User Roles 45 iv

5 Contents Create Local Users 46 Edit Local Users 46 Delete Local Users 47 Change Your Own User Password 47 Reset Forgotten Password 47 Display Role-Based Access Control Statistics 48 Configure External Authentication 48 Display External Users 50 CHAPTER 6 Manage Licenses 51 License Manager Overview 51 Integration with Cisco Smart Accounts 54 Set Up License Manager 55 Visualize License Usage and Expiration 55 View License Details 56 Change License Level 57 Export License Information 58 CHAPTER 7 Backup and Restore 59 About Backup and Restore 59 Backup Server Requirements 60 Supported Backup and Restore Procedures 61 Back Up Automation Data Using the GUI 62 Restore Automation Data Using the GUI 64 Schedule a Backup of Automation Data Using the GUI 65 Back Up Automation Data Using the CLI 66 Restore Automation Data Using the CLI 67 Configure an NFS Server 68 Back Up Assurance Data Using the CLI 69 Restore Assurance Data Using the CLI 70 v

6 Contents vi

7 CHAPTER 1 Get Started with Cisco DNA Center About Cisco DNA Center, on page 1 Log In, on page 1 Log In for the First Time as a Network Administrator, on page 2 Default Home Page, on page 3 Use Global Search, on page 5 Where to Start, on page 6 About Cisco DNA Center Cisco Digital Network Architecture (DNA) offers centralized, intuitive management that makes it fast and easy to design, provision, and apply policies across your network environment. The DNA Center GUI provides end-to-end network visibility and uses network insights to optimize network performance and deliver the best user and application experience. DNA Center allows you to: Move faster Provision thousands of devices across your enterprise network. Act fast with centralized management, and automate device deployment. Lower costs Reduce errors with automation. Policy-driven deployment and onboarding deliver better uptime and improved security. Reduce risk Predict problems early. Use actionable insights for optimal performance of your network, devices, and applications. Log In Access DNA Center by entering its network IP address in your browser. This IP address connects to the external network and is configured during the DNA Center installation. For more information about installing and configuring DNA Center, see the Cisco Digital Network Architecture Center Installation Guide. You should continuously use DNA Center to remain logged in. If you are inactive for too long, DNA Center logs you out of your session automatically. Step 1 Enter an address in your web browser's address field in the following format. Here server-ip is the IP address (or the hostname) of the server on which you have installed DNA Center: 1

8 Log In for the First Time as a Network Administrator Get Started with Cisco DNA Center Example: Depending on your network configuration, you may have to update your browser to trust the DNA Center server security certificate. Doing so will help ensure the security of the connection between your client and DNA Center. Step 2 Enter the DNA Center username and password assigned to you by the system administrator. DNA Center displays its Home page. If your user ID has the NETWORK-ADMIN-ROLE and no other user with the same role has logged in before, you will see a first-time setup wizard instead of the Home page. For details, see Log In for the First Time as a Network Administrator, on page 2. Step 3 To log out, click the Gear icon at the top-right corner and click Sign Out. Log In for the First Time as a Network Administrator If your user ID has the NETWORK-ADMIN-ROLE assigned, and no other user with the same role has logged in before, you will see a "Getting Started" wizard instead of the Home dashboard the first time you log in to DNA Center. The wizard is a quick way to get immediate value from DNA Center. It consists of a few screens that collect information needed to discover and monitor the condition of your network devices, and then help you visualize your network's overall health using the DNA Center Assurance dashboard. You can perform all of the same tasks the wizard does using other DNA Center features. Using the wizard will not prevent you from using those features. You can choose to skip the wizard entirely at any point and it will not be shown again for you. However, DNA Center will continue to display the wizard at login to any user with the same role until one such user completes the wizard steps. After that, DNA Center never displays the wizard again. Before you begin You will need to have the following information to complete the wizard: The IP addresses of your SYSLOG and SNMP servers. The IP address and port of your Netflow server. For discovery: The IP address to start from (if choosing CDP discovery) or the starting and ending IP addresses (if choosing Range discovery). Optional: Your preferred management IP address. Device CLI credentials, including the Enable password SNMP v2c credentials, including the read community string Step 1 If you have not already done so. Log in to DNA Center normally, as explained in Log In, on page 1. Step 2 With the wizard displayed, click Get Started. Step 3 In the fields on the following screens, enter the information listed in "Before You Begin", above. 2

9 Get Started with Cisco DNA Center Default Home Page Click Save & Next to continue, Back to return to the previous screen and revise your entries, or Skip to cancel the wizard and display the DNA Center Home page. Step 4 When you are finished, click Begin Discovery. DNA Center displays the Assurance dashboard, which will slowly fill with network health information as discovery completes. Default Home Page After you log in to DNA Center, you are taken to the DNA Center home page, which is divided into two main areas Applications and Tools: The Applications area include: Design Create the structure and framework of your network, including the physical topology, network settings, and device type profiles that you can apply to devices throughout your network. Policy Create policies that reflect your organization's business intent for a particular aspect of the network, such as network access. DNA Center takes the information collected in a policy and translates it into network-specific and device-specific configurations required by the different types, makes, models, operating systems, roles, and resource constraints of your network devices. Provision Prepare and configure devices, including adding devices to sites, assigning devices to the DNA Center inventory, deploying the required settings and policies, creating fabric domains, and adding devices to the fabric. Assurance Provides proactive and predictive actionable insights about the performance and health of the network infrastructure, applications, and end-user clients. Tools Use the Tools area to help you configure and manage your network. 3

10 Default Home Page Get Started with Cisco DNA Center Figure 1: DNA Center Home Page Click any of the icons in the two main areas to launch the corresponding application or tool. In addition to the Application and Tool icons, you can click any of the icons at the top-right corner of the home page to perform important common tasks: Search icon Lets you search for devices, users, hosts, and other items, anywhere they are stored in the DNA Center database. For tips on using Search, see Use Global Search, on page 5. Applications icon Lets you return to the DNA Center home page from any other page and access the applications and tools. You can do the same thing by clicking on the Cisco DNA Center logo in the upper-left corner of the home page. Settings icon Lets you view audit logs, configure DNA Center system settings, see the DNA Center version you are using, and log out. Notifications icon Lets you see recently scheduled tasks and other notifications. Finally, you can click the following icons, which appear at the right side of every page in DNA Center: Feedback icon Lets you submit your comments and suggestions to Cisco's DNA Center product team. 4

11 Get Started with Cisco DNA Center Use Global Search Help icon Launches DNA Center's context-sensitive online help in a separate tab in your browser. If you are new to DNA Center, see Where to Start, on page 6 for tips and suggestions on how to begin using it. Use Global Search Use the global Search function to find items in the following categories anywhere in DNA Center: Activities: Search for DNA Center menu items, workflows and features by name. Applications: Search for them by name. Application Groups: Search for them by name. Hosts and Endpoints: Search for them by name, IP address, or MAC address. IP Pools: Search for them by name or IP address. Network Devices: Search for them by name, IP address, serial number, software version, platform, product family, or MAC address. Sites: Search for them by name. Users: Search for them by user name. Please note that case-insensitivity and substring search are not supported for user names in this release. Other items, as new versions of DNA Center are released. To start a global Search, click the Figure 2: Global Search Icon icon in the upper-right corner of any DNA Center page. When you click the icon, DNA Center displays a popup global search window, with a search field where you can begin entering identifying information about the item you are looking for. You can enter all or part of the target item's name, address, serial number, or other identifying information in the search field. The Search field is case-insensitive and can contain any character or combination of characters. As you begin entering your search string, DNA Center displays a list of possible search targets that match your entry, in whole or in part. If more than one category of item matches your search string, DNA Center sorts them by category, with a maximum of five items in each category.the first item in the first category is selected automatically, and summary information for that item appears in the summary panel to the right. You can scroll the list as needed, and click on any of the suggested search targets to see information for that item in the summary panel. If there are more than five items in a category, click View All next to the category name in the list. When you want to return to the categorized list from the complete list of search targets, click Go Back. As you add more characters to the search string, global search will automatically narrow the displayed list of categories and items. 5

12 Where to Start Get Started with Cisco DNA Center The summary panel includes links to more information. The link will vary as appropriate for each category and item. For example: With Activities, the summary panel shows you links to menu items and workflows elsewhere in the DNA Center system. For Applications, there is the Application 360 view. You will see links to Client 360 and Topology views for Hosts/Endpoints, and links to Device 360 and Topology views for Network Devices. Click on the link to see the appropriate menu item, workflow, or detail view. When you are finished, click to close the global search window. Global search can display a maximum of 500 results at one time. Where to Start To start using DNA Center, you must first configure the DNA Center settings so that the server can communicate outside the network. After you configure the DNA Center settings, your current environment determines how you start using DNA Center: Existing infrastructure If you have an existing infrastructure (brownfield deployment), start by running Discovery. After running Discovery, all your devices are displayed on the Inventory window. For information about running Discovery, see the Cisco Digital Network Architecture Center User Guide. New or nonexisting infrastructure If you have no existing infrastructure and are starting from scratch, (green field deployment), create a network hierarchy. For information about creating a network hierarchy, see the Cisco Digital Network Architecture Center User Guide. 6

13 CHAPTER 2 Configure System Settings About System Settings, on page 7 View the Overview in System 360, on page 7 View the Services in System 360, on page 9 About DNA Center and Cisco ISE Integration, on page 10 Configure Authentication and Policy Servers, on page 11 Configure Cisco Credentials, on page 13 Device Controllability, on page 13 Integrity Verification, on page 15 Configure an IP Address Manager, on page 17 Configure Debugging Logs, on page 18 Configure the Network Resync Interval, on page 19 View Audit Logs, on page 20 Configure the Proxy, on page 21 Configure Security for Cisco DNA Center, on page 22 Configure SFTP Server, on page 32 Configure SNMP Properties, on page 33 About Telemetry Collection, on page 33 Configure vmanage Properties, on page 34 About System Settings To start using DNA Center, you must first configure the system settings so that the server can communicate outside the network, ensure secure communications, authenticate users, and perform other key tasks. Use the procedures described in this chapter to configure the system settings. View the Overview in System 360 The System 360 Overview tab provides at-a-glance information about DNA Center. Step 1 Click and select System Settings. The System 360 and Overview tab should display by default. If not, click System 360 > Overview. 7

14 View the Overview in System 360 Configure System Settings Step 2 Review the following displayed data metrics: Hosts Displays information about the DNA Center host or hosts. The information that is displayed includes the IP address of the hosts and detailed data about services running on the host(s). Click in the Services field and a side panel opens. The side panel displays the following information: Name Service name Status Status of service Version Version of service Modified Date and time of last update Logs Click the icon to open and view service logs in Kibana. Kibana is an open-source analytics and visualization platform. You can troubleshoot issues with the host by reviewing the service logs. For information about Kibana, see Grafana icon Click the icon to open and view service monitoring data in Grafana. Grafana is an open-source metric analytics and visualization suite. You can troubleshoot issues with the host by reviewing the service monitoring data. For information about Grafana, see Important Three hosts are required for high availability to work in DNA Center. External Network Services Displays information about external network services used by DNA Center. The information displayed includes the following: IP Address Manager Displays IP address manager configuration data. Click the Configure Settings link to configure the IP Address Manager. Cisco ISE Displays Cisco ISE configuration data. Click the Configure Settings link to configure DNA Center for integration with Cisco ISE. Tools Provides a drop-down list that helps you access the following tools: Monitoring This helps you access multiple dashboards of DNA Center components using Grafana, which is an open-source metric analytics and visualization suite. Use the Monitoring tool to review and analyze key DNA Center metrics, such as memory and CPU usage. For information about Grafana, see In a multi-host DNA Center environment, expect duplication in the Grafana data due to the multiple hosts. Log Explorer This helps you access detailed logs of DNA Center activity using Kibana, which is an open-source analytics and visualization platform designed to work with Elasticsearch. Use the Log Explorer tool to review detailed activity logs. For information about Kibana, see Workflow This helps you access Workflow Visualizer, which provides detailed graphical representations of DNA Center tasks, including Success, Failure, Pending status markings. Use the Workflow tool to determine the location of a failure in a DNA Center task. 8

15 Configure System Settings View the Services in System 360 The Monitoring and Log Explorer data accessible from the Tools drop-down list is the same as data accessible from the Hosts > Services side panel; although, the data is presented differently when accessed through the Services side panel. When troubleshooting by a specific application and known service, you may wish to view the data from the Services side panel. View the Services in System 360 The System 360 Services tab provides detailed information about the AppStacks and services running on DNA Center. You can use this tab to assist in troubleshooting issues with specific applications and/or services. For example, if you are having issues with Assurance, you can open and view monitoring data and logs for the ndp AppStack and its component services. Step 1 Click and select System Settings. The System 360 and Overview tab should display by default. If not, click System 360 > Overview. Step 2 Click the Services tab. The following windows open: AppStack list appears on the left side panel (including maglev-system, fusion, etc.) A Grafana display window appears to the right of the side panel. An Appstack is defined as a loosely coupled, but closely related multi-tenant network of services and applications. A service in this environment is a horizontally scalable application that adds instances of itself when demand increases, and frees instances of itself when demand decreases. Step 3 Step 4 Click the arrow (>) next to one of the displayed AppStacks. An AppStack and Services link appear directly below the AppStack name. Click AppStack > Monitoring. The Grafana window at the right displays the AppStack monitoring information: CPU usage Memory usage Network usage File system usage Depending upon the selected service, some of the above data may or may not be displayed. Step 5 Step 6 Click the arrow (>) next to Services. The list of services in that AppStack appears. Click one of the services in the list by clicking on the arrow (>) next to the name. 9

16 About DNA Center and Cisco ISE Integration Configure System Settings The following links appear: Monitoring Log Explorer Step 7 Click on Monitoring. Monitoring helps you access multiple dashboards of DNA Center components using Grafana, which is an open-source metric analytics and visualization suite. Use the Monitoring tool to review and analyze key DNA Center metrics, such as memory and CPU usage. For information about Grafana, see In a multi-host DNA Center environment, expect duplication in the Grafana data due to the multiple hosts. Step 8 Click on Log Explorer. Log Explorer helps you access detailed logs of DNA Center activity using Kibana, which is an open-source analytics and visualization platform designed to work with Elasticsearch. Use the Log Explorer tool to review detailed activity logs. For information about Kibana, see Step 9 Proceed to view another AppStack and/or service or exist Services by clicking another GUI option in DNA Center. About DNA Center and Cisco ISE Integration Cisco ISE has two different use cases in DNA Center. Cisco ISE can be used as a AAA server for user, device, and client authentication or it can be used with an access control policy to enforce access control. If you are not using access control policies or if you are not using Cisco ISE as a AAA server for device authentication, you do not need to install and configure Cisco ISE. For more information about using Cisco ISE for device authentication, see the Cisco Digital Network Architecture Center User Guide. Before you can create and use access control policies, you need to configure DNA Center and Cisco ISE to integrate with one another. The process involves installing and configuring Cisco ISE with specific services and configuring Cisco ISE settings in DNA Center. For more information about installing and configuring Cisco ISE with DNA Center, see the Cisco Digital Network Architecture Center Installation Guide. After Cisco ISE has successfully registered and its trust established with DNA Center, DNA Center shares information with Cisco ISE. DNA Center devices that are assigned to a site which is configured with Cisco ISE as its AAA server have their inventory data propagated to Cisco ISE. Additionally, any updates on these DNA Center devices (for example, device credentials) in DNA Center also updates Cisco ISE with the changes. If a DNA Center device associated to a site with Cisco ISE as its AAA server is not propagated to Cisco ISE as expected, then DNA Center automatically retries after waiting for a specific time interval. This subsequent attempt occurs when the initial DNA Center device push to Cisco ISE fails due to any networking issue, Cisco ISE downtime, or any other auto correctable errors. DNA Center attempts to establish eventual consistency with Cisco ISE by retrying to add the device or update its data to Cisco ISE. However, a retry is not attempted if the failure to propagate the device or device data to Cisco ISE is due to a rejection from Cisco ISE itself, as a input validation error. Similarly, if you change the RADIUS shared secret for Cisco ISE, Cisco ISE updates DNA Center with the changes. However, Cisco ISE does not share existing device information with DNA Center. The only way for DNA Center to know about the devices in Cisco ISE is if the devices have the same name in DNA Center; 10

17 Configure System Settings Configure Authentication and Policy Servers DNA Center and Cisco ISE uniquely identify devices for this integration through the device's host name variable. The process that propagates DNA Center inventory devices to Cisco ISE and updates the changes to it are all captured in the DNA Center audit logs. If there are any issues in the DNA Center to Cisco ISE workflow, then access and view the audit logs in the DNA Center GUI for information. DNA Center integrates with the primary Administration ISE node. When you access Cisco ISE from DNA Center, you connect with this node. DNA Center polls Cisco ISE every 15 minutes. If the ISE server is down, the System 360 window ( > System Settings > System 360) shows the Cisco ISE server as red, which means the Cisco ISE server is unreachable. When the Cisco ISE server is unreachable, DNA Center increases polling to 15 seconds, then doubles the polling time to 30 seconds, 1 minute, 2 minutes, 4 minutes, and so on, until it reaches the maximum polling time of 15 minutes. DNA Center continues to poll every 15 minutes for 3 days. If DNA Center has not regained connectivity, it stops polling, and updates the Cisco ISE server status to Untrusted. If this happens, you will need to reestablish trust between DNA Center and the Cisco ISE server. Review the following additional requirements and recommendations to verify DNA Center and Cisco ISE integration: DNA Center and Cisco ISE integration is not supported over a proxy server. If you have Cisco ISE configured with a proxy server in your network, then configure DNA Center such that it does not use the proxy server; it can do this by bypassing the proxy server's IP address. Although DNA Center and Cisco ISE integration is not supported through a virtual IP (VIP) address, as long as the VIP address is configured in DNA Center and in the certificate SAN field, the DNA Center-to-Cisco ISE integration works successfully. Ensure that both DNA Center CLI and GUI passwords match those on Cisco ISE. Disable password expiry for the Admin user on Cisco ISE. Alternatively, make sure that you update the password before it expires. Configure Authentication and Policy Servers DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE. Before you begin If you are using Cisco ISE to perform both policy and AAA functions, make sure that DNA Center and Cisco ISE are integrated as described in the Cisco Digital Network Architecture Center Installation Guide. If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do the following: 11

18 Configure Authentication and Policy Servers Configure System Settings Register DNA Center with the AAA server, including defining the shared-secret on both the AAA server and DNA Center. Define an attribute name for DNA Center on the AAA server. For a DNA Center multi-host cluster configuration, define all individual host IP addresses and the virtual IP address for the multi-host cluster on the AAA server. Step 1 From the DNA Center home page, click and then choose System Settings > Settings > Authentication and Policy Servers. Step 2 Click. Step 3 Configure the primary AAA server by providing the following information: Server IP Address IP address of the AAA server. Shared Secret Key for device authentications. The shared secret can be up to 128 characters in length. Step 4 To configure a AAA server (not Cisco ISE), leave the Cisco ISE Server button in the Off position and proceed to the next step. To configure a Cisco ISE server, click the Cisco ISE server button to the On position and enter information in the following fields: Cisco ISE Setting that indicates whether the server is a Cisco ISE server. Click the Cisco ISE setting to enable Cisco ISE. Username Name that is used to log in to the Cisco ISE command-line interface (CLI). Password Password for the Cisco ISE CLI username. FQDN Fully qualified domain name (FQDN) of the Cisco ISE server. The FQDN consists of two parts, a hostname and the domain name, in the following format: hostname.domainname.com. For example, the FQDN for a Cisco ISE server might be ise.cisco.com. Subscriber Name A unique text string, for example dnac, that is used during DNA Center to Cisco ISE integration to setup a new pxgrid client in Cisco ISE. SSH Key Diffie-Hellman-Group14-SHA1 SSH key used to connect and authenticate with Cisco ISE. Virtual IP Address(es) Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter multiple Virtual IP addresses. Step 5 Click View Advanced Settings and configure the settings: Protocol TACACS or RADIUS. Radius is the default. You can only choose one option. The option that is dimmed is the chosen option. To select the other option, you need to choose it and then manually deselect the other option. Authentication Port Port used to relay authentication messages to the AAA server. The default is UDP port

19 Configure System Settings Configure Cisco Credentials Step 6 Accounting Port Port used to relay important events to the AAA server. The information in these events is used for security and billing purposes. The default UDP port is Retries Number of times that DNA Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 1. Timeout The length of time that device waits for the AAA server to respond before abandoning the attempt to connect. Click Add. Step 7 To add a secondary server, repeat Step 2 through Step 6. Configure Cisco Credentials You can configure Cisco credentials for DNA Center. Cisco credentials are the username and password that you use to log into the Cisco website to access restricted locations as either a Cisco customer or partner. Additionally, you can also link your Cisco credentials to your Smart Account. The Cisco credentials configured for DNA Center using this procedure are used for software image and update downloads. The Cisco credentials are also encrypted by this process for security purposes. Before you begin Only a user with SUPER-ADMIN-ROLE or NETWORK-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > Cisco Credentials. Step 2 Step 3 Enter your Cisco username and password. If your Cisco credentials are different from your Smart Account credentials, you are prompted to link your Cisco credentials to your Smart Account, click Use different credentials. For more information, see Integration with Cisco Smart Accounts, on page 54. Step 4 Step 5 Enter your Smart Account username and password. Click Reset. Device Controllability Device Controllability is a system-level process on DNA Center that enforces state synchronization for some device-layer features. Its purpose is to aid in the deployment of network settings that DNA Center needs to manage devices. Changes are made on network devices when running Discovery, when adding a device to Inventory, or when assigning a device to a site. Device Controllability is also a run-time condition. Therefore, 13

20 Device Controllability Configure System Settings if you change any of the settings that are under the scope of this process, DNA Center updates these settings on the network devices immediately. If a device is not configured with network settings, but its configuration is saved to the site that the device is associated with and device controllability is enabled, then DNA Center automatically tries to push the configuration to the device. This only occurs when the initial device configuration fails due to a network issue or when DNA Center is momentarily unreachable. DNA Center attempts to establish eventual consistency by retrying to configure the network settings on the device. However, an attempt to retry does not occur if the failure to push the configuration to the device is because of a programming error on DNA Center itself. When DNA Center configures or updates devices, the transactions are captured in the DNA Center audit logs. You can use the audit logs to track changes and troubleshoot issues. For more information about the DNA Center audit logs, see View Audit Logs, on page 20. The following device settings are within the scope of Device Controllability: SNMP credentials NETCONF credentials Cisco TrustSec (CTS) credentials IPDT and IPSG enablement Controller certificates SNMP trap server definitions Syslog server definitions Netflow collector definitions Device controllability is enabled by default. If you do not want Device Controllability enabled, disable it manually. For more information, see Configure Device Controllability, on page 15. When Device Controllability is disabled, DNA Center does not configure any of the credentials or features listed above on devices while running Discovery or at run-time. Additionally, if Device Controllability is disabled and the devices are assigned to different sites and applied with new network settings, then once Device Controllability is enabled, none of these existing network settings are pushed to the devices. At the time of the network settings creation on the site, if Device Controllability is enabled then the associated devices are configured accordingly. The following circumstances dictate whether or not Device Controllability configures network settings on devices: Device Discovery If SNMP and NETCONF credentials are not already present on a device, these settings are configured during the Discovery process. Device in Inventory After a successful initial inventory collection, IPDT, IPSG, and controller certificates are configured on devices. Device in Global Site When you successfully add, import, or discover a device, DNA Center places the device in the Managed state and assigns it to the Global site by default. Even if you have defined SNMP server, Syslog server, and NetFlow collector settings for the Global site, DNA Center does not change these settings on the device. 14

21 Configure System Settings Configure Device Controllability Device Moved to Site If you move a device from the Global site to a new site that has SNMP server, Syslog server, and NetFlow collector settings configured, DNA Center changes these settings on the device to the settings configured for the new site. Device Removed from Site If you remove a device from a site, DNA Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device. Device Deleted from DNA Center If you delete a device from DNA Center, then DNA Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device. Device Moved from Site to Site If you move a device, for example, from Site A to Site B, DNA Center replaces the SNMP server, Syslog server, and NetFlow collector settings on the device, with the settings assigned to Site B. Configure Device Controllability Device Controllability is enabled by default. If you do not want Device Controllability enabled, disable it manually. For more information, see Device Controllability, on page 13. Before you begin Only a user with SUPER-ADMIN-ROLE or NETWORK-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > Device Controllability. Step 2 Click Enable Device Control. Integrity Verification Integrity Verification (IV) monitors key device data for unexpected changes or invalid values that indicate possible compromise, if any, of the device. The objective is to minimize the impact of a compromise by substantially reducing the time-to-detect unauthorized changes to a Cisco device. For this release, IV runs integrity verification checks on software images that are uploaded into DNA Center. In order to run these checks, the IV service needs the Known Good Value or KGV file to be uploaded. For information on how to upload the KGV file, see Upload the KGV File, on page 15. Upload the KGV File In order to provide security integrity, Cisco devices must be verified as running authentic and valid software. Currently, Cisco devices have no point of reference to determine whether they are running authentic Cisco software. IV uses a system to compare the collected image integrity data with KGV for Cisco software. 15

22 Upload the KGV File Configure System Settings Cisco produces and publishes a KGV data file that contains KGVs for many of its products. This KGV file is in standard JSON format, is signed by Cisco, and is bundled with other files into a single KGV file that can be retrieved from the Cisco website. The KGV file is posted at: The KGV file is uploaded into IV and used to verify integrity measurements obtained from the network devices. Device integrity measurements are made available to and used entirely within the IV. Connectivity between IV and Cisco.com is not required. The KGV file can be air-gap transferred into a protected environment and loaded into the IV. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ), and choose System Settings > Settings > Integrity Verification. Step 2 Review the current KGV file information: File Name Name of KGV tar file Uploaded by DNA Center user who uploaded the KGV file Uploaded time Time at which the KGV file was uploaded to DNA Center Uploaded mode Local or remote upload mode Records (processed) Records processed File Hash File hash for KGV file Published Publication date of KGV file Step 3 Step 4 Step 5 Step 6 To update the KGV file, perform one of the following steps: Click Upload New from Local to upload a KGV file locally. Click Upload Latest from Cisco to upload a KGV file from Cisco.com. The Upload Latest from Cisco option does not require a firewall setup. However, if a firewall is already set up, only connections to must be open. If you clicked Upload Latest from Cisco, a connection is made to Cisco.com and the latest KGV file is automatically uploaded to DNA Center. A secure connection to is made using the certificates added to DNA Center and its proxy (if one was configured during the first-time setup). If you clicked Upload New from Local, the Upload KGV window appears. Perform one of the following procedures to import locally: 16

23 Configure System Settings Configure an IP Address Manager Drag and drop a local KGV file into the Upload KGV field. Click Click here to select a KGV file from your computer to select a KGV file from a folder on your computer. Click the Latest KGV file link and download the latest KGV file before dragging and dropping it into the Upload KGV field. Step 7 Click Upload. The KGV file is then uploaded into the DNA Center. Step 8 After the upload is finished, verify the current KGV file information in the UI to ensure that it has been updated. What to do next After uploading the latest KGV file, choose Design > Image Repository to view the integrity of the imported images. The effect of uploading a KGV file can be seen in the Image Repository window, if the images that are already imported have an -Unable to verify- status (physical or virtual). Additionally, future image imports, if any, will also refer to the newly uploaded KGV for verification. Configure an IP Address Manager You can configure DNA Center to communicate with an external IP address manager. When you use DNA Center to create, reserve, or delete any IP address pool, DNA Center conveys this information to your external IP address manager. Similarly, if you use an external IP address manager to create, reserve, or delete any IP address pool, that information is communicated to DNA Center. This way, DNA Center and the external IP address manager remain in synch and no conflicting IP address pools are created. Before you begin You should have an external IP address manager already set up and functional. Step 1 From the DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > IP Address Manager. Step 2 In the IP Address Manager section, enter the required information in the following fields: Server Name Name of server. Server URL IP address of server. Username Required username for server access. Password Required password for server access. Provider Choose a provider from the drop-down list. If you choose BlueCat as your provider, ensure that your user has been granted API access in the BlueCat Address Manager. See your BlueCat documentation for information about configuring API access for your user or users. 17

24 Configure Debugging Logs Configure System Settings View Choose a view from the drop-down list. If you only have one view configured, only default appears in the drop-down list. Step 3 Click Apply to apply and save your settings. What to do next Click the System 360 tab and verify the information to ensure that your external IP address manager configuration was successful. Configure Debugging Logs To assist in troubleshooting service issues, you can change the logging level for the DNA Center services by using the Debugging Logs window in the GUI. A logging level determines the amount of data that is captured in the log files. Each logging level is cumulative, that is, each level contains all the data generated by the specified level and higher levels, if any. For example, setting the logging level to Info also captures Warn and Error logs. We recommend that you adjust the logging level to assist in troubleshooting issues by capturing more data. For example, by adjusting the logging level, you can capture more data to review in a root cause analysis or RCA support file. The default logging level for services is informational (Info). You can change the logging level from informational (Info) to a different logging level (Debug or Trace) to capture more information. Caution Due to the type of information that might be disclosed, logs collected at the Debug level or higher should have restricted access. The log files are created and stored in a centralized location on your DNA Center host. From this location, the DNA Center can query and display them in the GUI. The total compressed size of the log files is 2 GB. If the log files that are created are in excess of 2 GB, the pre-existing log files are overwritten with the newer log files. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ), and choose System Settings > Settings > Debugging Logs. The Debugging Logs window containing the following fields is displayed: Services Logging Level Timeout 18

25 Configure System Settings Configure the Network Resync Interval Step 2 Step 3 In the Debugging Logs window, choose a service from the Services drop-down list to adjust its logging level. The Services drop-down list displays the services that are currently configured and running on the DNA Center. In the Debugging Logs window, choose the new logging level for the service from the Logging Level drop-down list. The following logging levels are supported on the DNA Center; they are listed below in descending order of detail: Trace Trace messages Debug Debugging messages Info Normal, but significant condition messages Warn Warning condition messages Error Error condition messages Step 4 Step 5 In the Debugging Logs window, choose the time period for the logging level from the Timeout field for logging-level adjustment. Configure logging-level time periods in increments of 15 minutes up to an unlimited time period. If an unlimited time period is configured, the default level of logging should be reset each time a troubleshooting activity is completed. Review your selection and click Apply. To cancel your selection, click Cancel. The logging level for the specified service is set. Configure the Network Resync Interval You can update the polling interval at the global level for all devices by choosing Settings > Network Resync Interval, or, at the device level for a specific device by choosing Device Inventory. When you set the polling interval using the Network Resync Interval, that value takes precedence over the Device Inventory polling interval value. Before you begin Only a user with SUPER-ADMIN-ROLE or NETWORK-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Make sure that you have devices in your inventory. If not, discover devices using the Discovery function. Step 1 From the DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > Network Resync Interval. Step 2 Step 3 In the Polling Interval field, enter a new time value (in minutes). Click Yes Override for all devices to override the existing configured polling interval for all devices. 19

26 View Audit Logs Configure System Settings Step 4 Click Save to apply and save your new settings. View Audit Logs Audit logs capture information about the various applications running on DNA Center. Additionally, audit logs also capture information about device PKI notifications. The information in these audit logs can be used to assist in troubleshooting issues, if any, involving the applications or the device public key infrastructure (PKI) certificates. You can view audit logs using the Audit Logs window in the GUI. The DNA Center also supports the export of audit logs to a local system. Step 1 From the DNA Center home page, click the gear icon ( ) and choose Audit Logs. The Audit Logs window appears. In the Audit Logs window, you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on DNA Center. The following information is displayed for each policy: Description Application or policy audit log description Site Name of the site for the specific audit log Device Device or devices for the audit log Requestor User requesting an audit log Source Source of an audit log Created On Date on which the application or policy audit log was created. Step 2 Step 3 Click the plus icon (+) next to an audit log to view the corresponding child audit logs. Each audit log can be a parent to several child audit logs. By clicking this plus icon, you can view a series of additional child audit logs. An audit log captures data about a task performed by the DNA Center. Child audit logs are subtasks to a task performed by the DNA Center. Filter the audit logs by clicking the Filter icon, entering a specific parameter, and then clicking Apply. You can filter audit logs by using the following parameters: Description Site Device Requestor Source Start Date 20

27 Configure System Settings Configure the Proxy End Date Step 4 Step 5 (Optional) Click the dual arrow icon to refresh the data displayed in the window. The data displayed in the window is refreshed with the latest audit log data. (Optional) Click the download icon to download a local copy of the audit log in.csv file format. A.csv file containing audit log data is downloaded locally to your system. You can use the.csv file for additional review of the audit log or archive it as a record of activity on the DNA Center. What to do next Proceed to review additional log files, if any, using the DNA Center's GUI, or download individual audit logs as.csv files for further review or archiving purposes. Configure the Proxy If DNA Center has a proxy server configured as an intermediary between itself and the network devices it manages and/or the Cisco cloud from which it downloads software updates, then you need to configure access to the proxy server(s). You configure access using the Proxy Config window in the DNA Center GUI. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ), and then choose System Settings > Settings > Proxy Config. Step 2 Enter the proxy server's URL address. Step 3 Enter the proxy server's port number. For HTTP, the port number is usually 80. Step 4 Step 5 Step 6 (Optional) If the proxy server requires authentication, then enter the username and password for access to the proxy server. Check the Validate Settings box to have DNA Center validate your proxy configuration settings when applying them. Review your selection and click Apply. To cancel your selection, click Reset. To delete an existing proxy configuration, click Delete. After configuring the proxy, you are able to view the configuration in the Proxy Config window. 21

28 Configure Security for Cisco DNA Center Configure System Settings Configure Security for Cisco DNA Center The DNA Center provides many security features for itself, as well as the hosts and network devices that it monitors and manages. We strongly suggest that the following security recommendations be followed: Deploy DNA Center behind a firewall that does not expose the management ports to an untrusted network, such as the Internet. Enable RC4-SHA (only if TLS 1.0 is being used) for the DNA Center HTTPS servers. Both TLS and RC4-SHA are disabled by default. Enable these security features using the CLI. For additional information about this procedure, see Enable TLS and RC4-SHA, on page 22. Configure a proxy gateway between DNA Center and the network devices it monitors and manages. For additional information about this procedure, see Configure Proxy Certificate, on page 23. Replace the self-signed server certificate from DNA Center with one signed by a well-known Certificate Authority. For additional information about this procedure, see Certificate and Private Key Support, on page 24. When using the DNA Center discovery functionality, use SNMPv3 with authentication and privacy enabled for the network devices. For additional information about this procedure, refer to the SNMP configuration procedures in the Cisco Digital Network Architecture Center User Guide. Enable TLS and RC4-SHA Northbound REST API requests from the external network to the DNA Center (from northbound REST APIbased apps, browsers, and network devices connecting to the DNA Center using HTTPS) are made secure using the Transport Layer Security protocol (TLS). RH4-SHA is a stream cipher that is also used to secure the DNA Center. Enable TLS and RC4-SHA for the DNA Center by logging into the appliance and using the CLI. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. You must have Maglev SSH access privileges to perform this procedure. Important This security feature applies to port 443 on the DNA Center. Performing this procedure may disable traffic on the port to the DNA Center infrastructure for a few seconds. For this reason, you should configure TLS infrequently and only during off-peak hours or during a maintenance period. Step 1 Using a Secure Shell (SSH) client, log into the DNA Center appliance with the IP address that you specified using the configuration wizard. The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network. 22

29 Configure System Settings Configure Proxy Certificate Step 2 Step 3 When prompted, enter your username and password for SSH access. Enter the following command to enable TLS on the cluster: $ magctl service tls_version --tls-v1=enable kong Enabling TLSv1 is recommended only for legacy devices Do you want to continue? [y/n]: y deployment "kong" patched Step 4 Enter the following command to enable RC4 on the cluster: $ magctl service ciphers --ciphers-rc4=enable kong Enabling RC4-SHA cipher will have security risk Do you want to continue? [y/n]:y deployment "kong" patched Step 5 Enter the following command at the prompt to confirm that TLS and RC4-SHA are configured: $ magctl service display kong containers: - env: - name: TLS_V1 value: enabled - name: RC4_CIPHERS value: enable If RC4 and TLS_V1 are set respectively, they will be listed in the env: of the magctl service display kong command. If these values are not set, they will not appear in the env:. Step 6 Log out of the DNA Center appliance. Configure Proxy Certificate In some network configurations, proxy gateways might exist between DNA Center and the remote network it manages (containing various network devices). Common ports, such as 80 and 443, pass through the gateway proxy in the DMZ, and for this reason, SSL sessions from the network devices meant for the DNA Center terminate at the proxy gateway. Therefore, the network devices located within these remote networks can only communicate with the DNA Center through the proxy gateway. For the network devices to establish secure and trusted connections with the DNA Center, or, if present, a proxy gateway, the network devices should have their PKI trust stores appropriately provisioned with the relevant CA root certificates or the server s own certificate under certain circumstances. In network topologies where a proxy gateway is present between DNA Center and the remote network it manages, perform the procedure described below to import a proxy gateway certificate into DNA Center. Before you begin Only a user with SUPER-ADMIN-ROLE or NETWORK-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page

30 Certificate and Private Key Support Configure System Settings Additionally, in your network, an HTTP proxy gateway exists between DNA Center and the remote network it manages (containing various network devices). These network devices use the proxy gateway's IP address to reach DNA Center and its services. You should have the certificate file that is currently being used by the proxy gateway. The certificate file contents should consist of any of the following: The proxy gateway s certificate in PEM or DER format, with the certificate being self-signed. The proxy gateway s certificate in PEM or DER format, with the certificate being issued by a valid, well-known CA. The proxy gateway's certificate and its chain in PEM or DER format. The certificate used by the devices and the proxy gateway must be imported into the DNA Center by following this procedure. Step 1 From the DNA Center home page, click the gear icon ( ) and choose System Settings > Settings > Proxy Certificate. Step 2 In the Proxy Certificate window, view the current proxy gateway certificate data (if it exists). The Expiration Date and Time is displayed as a Greenwich Mean Time (GMT) value. A system notification will appear in the DNA Center's GUI 2 months before the date and time at which the certificate expires. Step 3 Step 4 Step 5 To add a proxy gateway certificate, drag and drop the self-signed or CA certificate into the Drag n' Drop a File Here area. Click Save. Only PEM or DER files (public-key cryptography standard file formats) can be imported into the DNA Center using this area. Additionally, private keys are neither required nor uploaded into the DNA Center for this procedure. Refresh the Proxy Certificate window to view the updated proxy gateway certificate data. The information displayed in the Proxy Certificate window should have changed to reflect the new certificate name, issuer, and certificate authority. Certificate and Private Key Support DNA Center supports a PKI Certificate Management feature that is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents called certificate authorities (CAs). The DNA Center uses the PKI Certificate Management feature to import, store, and manage an X.509 certificate from well-known CAs. The imported certificate becomes an identity certificate for the DNA Center, and the DNA Center presents this certificate to its clients for authentication. The clients are the NB API applications and network devices. The DNA Center can import the following files (in either PEM or PKCS file format) using the DNA Center's GUI: X.509 certificate Private key 24

31 Configure System Settings Certificate Chain Support For the private key, DNA Center supports the import of RSA keys. You should not import DSA, DH, ECDH, and ECDSA key types; since they are not supported. You should also keep the private key secure in your own key management system. Prior to import, you must obtain a valid X.509 certificate and private key from a well-known CA or create your own self-signed certificate. After import, the security functionality based upon the X.509 certificate and private key is automatically activated. The DNA Center presents the certificate to any device or application that requests them. Both the northbound API applications and network devices can use these credentials to establish a trust relationship with the DNA Center. We recommend that you do not use and import a self-signed certificate into the DNA Center. We recommend that you import a valid X.509 certificate from a well-known CA. Additionally, you must replace the self-signed certificate (installed in the DNA Center by default) with a certificate that is signed by a well-known CA for the Network PnP functionality to work properly. The DNA Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values. If the external IP address changes for your DNA Center for any reason, reimport a new certificate with the changed or new IP address. Certificate Chain Support DNA Center is able to import certificates and private keys through its GUI. If there are subordinate certificates involved in a certificate chain leading to the certificate that is to be imported into DNA Center (signed certificate), then both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification. The certificates listed below should be pasted together into a single PEM file. Review the certificate subject name and issuer to ensure that the correct certificates are being imported and proper order is maintained. Ensure that all of the certificates in the chain are pasted together. Signed DNA Center Certificate: Its Subject field includes CN=<name or IP address of DNA Center>, and that the Issuer has the CN of the issuing authority. Issuing (Subordinate) CA Certificate that issues the DNA Center certificate: Its Subject field has CN of the (Subordinate) CA that issues the DNA Center certificate, and that the Issuer is that of the root CA. Next Issuing (Root/Subordinate CA) Certificate that issues the Subordinate CA certificate Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, then you need to append the next issuer and so on. The PEM file should have multiple certificates, as shown in the example below: -----BEGIN CERTIFICATE

32 Configure a Certificate Configure System Settings Configure a Certificate MIIDxzCCAq+gAwIBAgIUKRRFiJcFgjV0KDE5iRQYADJyUnMwDQYJKoZIhvcNAQEL : HZSwUQaYJWXMwbW8X5VA93tLUPDgT2xFYpGmJU4zNgjEZ7LLsojQSkZaWcss+BL/ d8s7y1eqe58ojjo= -----END CERTIFICATE BEGIN CERTIFICATE----- MIIDrzCCApegAwIBAgIGCEkx9EqbMA0GCSqGSIb3DQEBCwUAMIGIMS0wKwYDVQQD : MwazjpSIRVMezXIUn7PXwm6BnUX2TSCDAevrCLovwpewnwA= -----END CERTIFICATE----- The DNA Center supports the import and storing of an X.509 certificate and private key into the DNA Center. After import, the certificate and private key can be used to create a secure and trusted environment between the DNA Center, NB API applications, and network devices. You can import a certificate and private key using the Certificate window in the GUI. Important The DNA Center does not interact with any external CA directly; therefore, it does not check any Certificate Revocation Lists and does not know its server certificate has been revoked by an external CA., also, that the DNA Center does not automatically update its server certificate. Replacement of an expired or revoked server certificate requires explicit action on the part of a SUPER-ADMIN-ROLE user. Although the DNA Center has no direct means of discovering the revocation of its server certificate by an external CA, it does notify the admin about the expiry of its server certificate as well as about the self-signed key being operational. Before you begin You must have an X.509 certificate and private key from a well-known CA for importing. Step 1 From the DNA Center home page, click and choose System Settings > Settings > Certificate. Step 2 In the Certificate window, view the current certificate data. When you first view this window, the current certificate data that is displayed is the DNA Center's self-signed certificate. The self-signed certificate's expiry is set for several years in the future. The Expiration Date and Time is displayed as a Greenwich Mean Time (GMT) value. A system notification will appear in the DNA Center's GUI 2 months before the expiration date and time of the certificate. The additional displayed fields in the Certificate window include: Current Certificate Name Name of the current certificate. Issuer Name of the entity that has signed and issued the certificate. Certificate Authority Either self-signed or name of the CA. Expires On Expiry date of the certificate. Step 3 To replace the current certificate, click the Replace Certificate button. The following new fields appear: Certificate Fields to enter certificate data 26

33 Configure System Settings Configure a Certificate Private Key Fields to enter private key data Step 4 In the Certificate field, choose the file format type for the certificate that you are importing into DNA Center: PEM Privacy-enhanced mail file format PKCS Public-key cryptography standard file format Step 5 If you choose PEM, perform the following tasks: For the Certificate field, import the PEM file by dragging and dropping this file into the Drag n' Drop a File Here field. A PEM file must have a valid PEM format extension (.pem,.cert,.crt). The maximum file size for the certificate is 10 KB. For the Private Key field, import the private key by dragging and dropping this file into the Drag n' Drop a File Here field. Choose the encryption option from the Encrypted drop-down list for the private key. If you chose encryption, enter the passphrase for the private key in the Passphrase field. Private keys must have a valid private key format extension (.pem or.key). Step 6 If you choose PKCS, perform the following tasks: For the Certificate field, import the PKCS file by dragging and dropping this file into the Drag n' Drop a File Here field. A PKCS file must have a valid PKCS format extension (.pfx,.p12). The maximum file size for the certificate is 10 KB. For the Certificate field, enter the passphrase for the certificate using the Passphrase field. For PKCS, the imported certificate also requires a passphrase. For the Private Key field, choose the encryption option for the private key using the drop-down list. For the Private Key field, if encryption is chosen, enter the passphrase for the private key in the Passphrase field. Step 7 Step 8 Click the Upload/Activate button. Return to the Certificate window to view the updated certificate data. The information displayed in the Certificate window should have changed to reflect the new certificate name, issuer, and certificate authority. 27

34 Certificate Management Configure System Settings Certificate Management Configure Device Certificate Lifetime DNA Center enables users to change the certificate lifetime of network devices that are managed and monitored by the private (internal) DNA Center's CA. The DNA Center's default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the DNA Center's GUI, network devices that subsequently request a certificate from the DNA Center are assigned this lifetime value. The device certificate lifetime value cannot exceed the CA certificate lifetime value. Additionally, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device will get a certificate lifetime value equal to the remaining CA certificate lifetime. You can change the device certificate lifetime using the PKI Certificate Management window in the GUI. Step 1 From the DNA Center home page, click and choose System Settings > Settings > PKI Certificate Management. Step 2 Click the Device Certificate tab. Step 3 Review the device certificate and the current device certificate lifetime. Step 4 In the Device Certificate Lifetime field, enter a new value, in days. Step 5 Click the Apply button. Step 6 (Optional) Refresh the PKI Certificate Management window to confirm the new device certificate lifetime value. Change the Role of the PKI Certificate from Root to Subordinate DNA Center permits users to change the role of the Device PKI CA from a root CA to a subordinate CA. When changing the private DNA Center's CA from a root CA to a subordinate CA, note the following: If you intend to have the DNA Center act as a subordinate CA, it is assumed that you already have a root CA, for example, Microsoft CA, and you are willing to accept the DNA Center as a subordinate CA. As long as the subordinate CA is not fully configured, the DNA Center will continue to operate as an internal root CA. You will have to generate a Certificate Signing Request (CSR) file for the DNA Center (as described in this procedure) and have it manually signed by your external root CA. The DNA Center will continue to run as an internal root CA during this time period. After the CSR is signed by the external root CA, this signed file must be imported back into the DNA Center using the GUI (as described below, in this procedure). After the import, the DNA Center will initialize itself as the subordinate CA and provide all the existing functionalities of a subordinate CA. 28

35 Configure System Settings Change the Role of the PKI Certificate from Root to Subordinate The switchover from internal root CA to subordinate CA used by managed devices is not automatically supported; therefore, it is assumed that no devices have been configured with the internal root CA as yet. In case any devices are configured, it is the responsibility of the network administrator to manually revoke the existing device ID certificates before switching to the subordinate CA. The subordinate CA certificate lifetime, as displayed in the GUI, is just read from the certificate; it is not computed against the system time. So, if you install a certificate with a lifespan of 1 year today and look at it in the GUI next July, the GUI will still show that the certificate has a 1-year lifetime. The subordinate CA certificate must be in PEM or DER format only. The subordinate CA does not interact with the higher CAs; therefore, it will not be aware of a revocation, if any, of the certificates at a higher level. Due to this, any information about certificate revocation will also not be communicated from the subordinate CA to the network devices. Since the subordinate CA does not have this information, all the network devices will only use the subordinate CA as the CDP source. You can change the role of the private (internal) DNA Center's CA from a root CA to a subordinate CA using the PKI Certificate Management window in the GUI. Before you begin You must have a copy of the root CA certificate to which you will subordinate the private (internal) DNA Center's PKI certificate. Step 1 From the DNA Center home page, click and choose System Settings > Settings > PKI Certificate Management. Step 2 Click the CA Management tab. Step 3 Review the existing root or subordinate CA certificate configuration information from the GUI: Root CA Certificate Displays current root CA certificate (either external or internal). Root CA Certificate Lifetime Displays the current lifetime value of the current root CA certificate, in days. Current CA Mode Displays the current CA mode (root CA or subordinate CA). Change to Sub CA mode Enables change from a root CA to subordinate CA. Step 4 Step 5 Step 6 In the CA Management tab, for Change to Sub CA mode click Yes. In the CA Management tab, click Next. Review the Root CA to Sub CA warnings that appear: Changing from root CA to subordinate CA is a process that cannot be reversed. You must ensure that no network devices have been enrolled or issued a certificate in root CA mode. Any network devices accidentally enrolled in root CA mode must be revoked before changing from root CA to subordinate CA. Network devices must come online only after this subordinate CA configuration process is finished. Step 7 Step 8 Click OK to proceed. The PKI Certificate Management window changes and displays an Import External Root CA Certificate field. Drag and drop your root CA certificate into the Import External Root CA Certificate field and click Upload. 29

36 Provision a Rollover SubCA Certificate Configure System Settings The root CA certificate will then be uploaded into the DNA Center and used to generate a Certificate Signing Request (CSR). When the upload process is finished a Certificate Uploaded Successfully message appears. Step 9 Step 10 After the upload process is finished and the success message appears, click Next to proceed. The DNA Center generates and displays the CSR. View the DNA Center-generated Certificate Signing Request (CSR) in the GUI and perform one of the following actions: Click the Download link to download a local copy of the CSR file. You can then attach this CSR file to an to send to your root CA. Click the Copy to the Clipboard link to copy the CSR file's content. You can then paste this CSR content to an or include it as an attachment to an and send to your root CA. Step 11 Step 12 Step 13 Step 14 Step 15 Step 16 Step 17 Send the CSR file to your root CA. You must send the CSR file to your root CA. Your root CA will then return a subordinate CA file that you must import back into the DNA Center. After receiving the subordinate CA file from your root CA, access the DNA Center's GUI again and return to the PKI Certificate Management window. Click the CA Management tab. Click Yes for the Change CA mode button in the CA Management tab. After clicking Yes, the GUI view with the CSR is displayed. Click Next in the GUI view with the CSR being displayed. The PKI Certificate Management window changes and displays an Import Sub CA Certificate field. Drag and drop your subordinate CA certificate into the Import Sub CA Certificate field and click Apply. The subordinate CA certificate will then be uploaded into the DNA Center. After the upload finishes, the GUI window displays the subordinate CA mode in the CA Management tab. Review the fields in the CA Management tab: Sub CA Certificate Displays current subordinate CA certificate. External Root CA Certificate Displays Root CA certificate. Sub CA Certificate Lifetime Displays the lifetime value of the subordinate CA certificate, in days. Current CA Mode Displays SubCA mode. Provision a Rollover SubCA Certificate DNA Center permits the user to apply a subordinate certificate as a rollover sub CA when 70 percent of the existing subordinate CA's lifetime has elapsed. 30

37 Configure System Settings Provision a Rollover SubCA Certificate Before you begin To initiate subordinate CA rollover provisioning, you must have already changed the PKI certificate role to subordinate CA mode. For details on how to change to subordinate CA mode, see Change the Role of the PKI Certificate from Root to Subordinate, on page 28. Seventy percent or more of the lifetime of the current subordinate CA certificate must have expired. DNA Center indicates when this has happened by displaying a Renew button on the CA Management tab. You must have a signed copy of the rollover subordinate CA PKI certificate. Step 1 From the DNA Center home page, click and then choose System Settings > Settings > PKI Certificate Management. Step 2 Click the CA Management tab. Step 3 Review the CA certificate configuration information from the GUI. Sub CA Certificate External Root CA Certificate Sub CA Certificate Lifetime Current CA Mode Displays the current subordinate CA certificate. Displays the Root CA certificate. Displays the lifetime value of the current subordinate CA certificate in days. Displays SubCA mode. Step 4 Step 5 Click Renew. The DNA Center will then use the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request (CSR). View the generated CSR in the GUI and perform one of the following actions: Click the Download link to download a local copy of the CSR file. You can then attach this CSR file to an to send to your root CA. Click the Copy to the Clipboard link to copy the CSR file's content. You can then paste this CSR content to an or attachment to an and send to your root CA. Step 6 Step 7 Step 8 Step 9 Step 10 Send the CSR file to your root CA. You must send the CSR file to your root CA. Your root CA will then return to you a rollover subordinate CA file that you must import back into the DNA Center. The CSR for the SubCA rollover must be signed by the same rootca who signed the SubCA you imported when you switched from RootCA to SubCA mode. After receiving the rollover subordinate CA file from your root CA, return to the PKI Certificate Management window. Click the CA Management tab. Click Next in the GUI view with the CSR being displayed. The PKI Certificate Management window changes and displays an Import Sub CA Certificate field. Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Apply. The rollover subordinate CA certificate will then be uploaded into the DNA Center. 31

38 Configure Trustpool Configure System Settings After the upload finishes, the GUI window changes to disable the Renew button in the CA Management tab. Configure Trustpool DNA Center contains a pre-installed Cisco trustpool bundle (Cisco Trusted External Root Bundle). DNA Center also supports the import and storage of an updated trustpool bundle from Cisco. The trustpool bundle is used by supported Cisco networking devices to establish a trust relationship with the DNA Center and its applications. The Cisco trustpool bundle is a file called ios.p7b that only supported Cisco devices can unbundle and use. This ios.p7b file contains root certificates of valid certificate authorities including Cisco itself. This Cisco trustpool bundle is available on the Cisco cloud (Cisco InfoSec). The link is located at: security/pki/ The trustpool bundle provides you with a safe and convenient way to use the same CA to manage all your network device certificates, as well as your DNA Center certificate. The trustpool bundle is used by the DNA Center to validate its own certificate as well as a proxy gateway certificate (if any), to determine whether it is valid CA signed certificate or not. Additionally, the trustpool bundle is available to be uploaded to the Network PnP enabled devices at the beginning of their PnP workflow so that they can trust the DNA Center for subsequent HTTPS-based connections. You import the Cisco trust bundle using the Trustpool window in the GUI. Step 1 From the DNA Center home page, click and then choose System Settings > Settings > Trustpool. Step 2 In the Trustpool window, view the Update button. The Update button in the DNA Center's Trustpool window becomes active when an updated version of ios.p7b file is available and Internet access is available. The Update button remains inactive if there is no Internet access or if there is no updated version of the ios.p7b file. Step 3 Click the Update button to initiate a new download and install of the trustpool bundle. After the new trustpool bundle is downloaded and installed on the DNA Center, the DNA Center then makes this trustpool bundle available to the supported Cisco devices to download. Configure SFTP Server You can configure DNA Center to upload files needed for an image upgrade (SWIM) to a remote SFTP server. You configure DNA Center using the SFTP GUI window. Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > SFTP. Step 2 Configure the SFTP settings as follows: 32

39 Configure System Settings Configure SNMP Properties Host IP address of the SFTP server. Username Name that is used to log into the SFTP server. Password Password that is used to log into the SFTP server. Port Port that is used to log into the SFTP server. Root Location Enter the location of the SFTP root directory. Step 3 Step 4 Click Apply. Review the new SFTP settings in the SFTP window. Configure SNMP Properties You can configure retry and timeout values for SNMP. Before you begin Only a user with SUPER-ADMIN-ROLE or NETWORK-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > SNMP Properties.. Step 2 Configure the following fields: Table 1: SNMP Properties Field Retries Timeout (in Seconds) Description Number of attempts to connect to the device. Valid values are from 1 to 3. The default is 3. Number of seconds DNA Center waits when trying to establish a connection with a device before timing out. Valid values are from 1 to 300 seconds in intervals of 5 seconds. The default is 5 seconds. Step 3 Click Apply. To return to the default settings, click Revert to Defaults. About Telemetry Collection DNA Center collects information about user's experience with DNA Center and securely transfers it to the Cisco Clean Access Agent (CAA) infrastructure at Cisco. This information is collected for the following reasons: 33

40 Configure Telemetry Collection Configure System Settings To proactively identify issues, if any, with DNA Center. To better understand the DNA Center features that are most frequently used. To improve and enhance the overall user experience. Telemetry collection is enabled by default, but you can disable it if you want to opt out. Configure Telemetry Collection Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > Telemetry Collection. Telemetry collection is enabled by default. Step 2 Step 3 (Optional) To review the agreement for telemetry collection, click End User License Agreement. (Optional) To disable telemetry collection, uncheck the Telemetry Collection check box and click Update. Configure vmanage Properties DNA Center supports Cisco's vedge deployment by using integrated vmanage setups. You can save the vmanage details from DNA center Settings page, before provisioning any vedge topologies. SUMMARY STEPS 1. From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > vmanage Properties. 2. Configure the vmanage Properties as follows: 3. To upload the vmanage certificate click Choose file. 4. Click Apply. DETAILED STEPS Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Settings > vmanage Properties. Step 2 Configure the vmanage Properties as follows: Host Name / IP Address - IP address of vmanage. User ID - Name that is used to log into vmanager. Password - Password that is used to log into vmanage. Port Number - Port that is used to log into vmanage. vbond Host Name/IP Address - IP address of vbond. 34

41 Configure System Settings Configure vmanage Properties Organization Name - Name of the organization. Step 3 Step 4 To upload the vmanage certificate click Choose file. Click Apply. 35

42 Configure vmanage Properties Configure System Settings 36

43 CHAPTER 3 Manage High Availability Multi-Host Configurations for High Availability, on page 37 Multi-Host Deployment Overview, on page 38 Clustering and Database Replication, on page 38 Security Replication, on page 38 Multi-Host Synchronization, on page 39 Multi-Host Upgrade, on page 39 Split Brain and Network Partition, on page 39 Recover Failed Hosts in a Cluster, on page 40 Multi-Host Configurations for High Availability DNA Center supports a single host or three host cluster configuration. DNA Center does not support a cluster with more than three hosts. For example, a multi-host cluster with five or seven hosts is not currently supported. The three host cluster provides both software and hardware high availability. The single host cluster only provides software high availability; it does not provide hardware high availability. For this reason, we strongly recommend that for a multi-host configuration three hosts be used. A hardware failure occurs when the appliance itself malfunctions or fails. A software failure occurs when a service on a host fails. Software high availability involves the ability of the services on the host or hosts to be restarted and respun. For example, on a single host, if a service fails then that service is respun on that host. In a three host cluster, if a service fails on one host, then that service is either re-spun on that one host or on one of the other two remaining hosts. When setting up a three host cluster, you should never set up the hosts to span a LAN across slow links. This may impact the recovery time if a service fails on one of the hosts. Additionally, when configuring a three host cluster, all of the hosts in that cluster must reside in the same subnet. Failure tolerance for a three host cluster is designed to handle single host failure. In other words, DNA Center tries to provide high availability across specific services even if a single host fails. If two hosts fail near-simultaneously, data loss may occur and is not a supported scenario. 37

44 Multi-Host Deployment Overview Manage High Availability Multi-Host Deployment Overview Deploying DNA Center in multi-host mode for High Availability involves the following procedures: 1. Configure DNA Center as a single host on the appliance using the DNA Center single host configuration wizard. For information about this procedure, see the Cisco Digital Network Architecture Center Installation Guide. 2. Configure DNA Center using the DNA Center second host configuration wizard with changes required for the second cluster in the configuration. For information about this procedure, see the Cisco Digital Network Architecture Center Installation Guide. 3. Configure DNA Center using the DNA Center third host configuration wizard with changes required for third cluster in the configuration. For information about this procedure, see the Cisco Digital Network Architecture Center Installation Guide. 4. Enable high availability for DNA Center. In the Systems 360 Overview tab, click on Enable Service Distribution. After you click Enable Service Distribution using the GUI, DNA Center enters into maintenance mode. In maintenance mode, DNA Center will be unavailable until the process completes. You should take this into account when scheduling a high availability deployment. DNA Center goes into maintenance mode when you restore the database, perform a system upgrade (not a package upgrade), and enable a service redistribution to support high availability in System Settings > System 360 > Overview (as described above). To enable external authentication with a AAA server in a multi-host environment, you must configure all individual DNA Center host IP addresses and the Virtual IP address for the multi-host cluster on the AAA server. Clustering and Database Replication Security Replication DNA Center provides a mechanism for distributing processing and database replication among multiple hosts. Clustering provides both a sharing of resources and features, as well as enabling high availability and scalability. In a multi-host environment, the security features of a single host are replicated among the other two hosts,including any X.509 certificates or trustpools. Once you join a host to another host or to a cluster, the DNA Center credentials are shared and become the same as that of the host you are joining or the pre-existing cluster. DNA Center credentials are cluster-wide (across hosts) and not per-host. 38

45 Manage High Availability Multi-Host Synchronization Multi-Host Synchronization Whenever there is a configuration change on one of the hosts, Maglev synchronizes the change with the other two hosts. The supported types of synchronization include: Database Synchronization includes any database updates related to the configuration, performance, and monitoring data. File Synchronization includes any changes to the configuration files. Multi-Host Upgrade In a multi-host cluster, you can trigger an upgrade of the whole cluster from the DNA Center GUI (the GUI represents the entire cluster and not just a single host). An upgrade triggered from the GUI automatically upgrades all the hosts in the cluster. After you initiate a system upgrade (not a package upgrade) DNA Center goes into maintenance mode. In maintenance mode, DNA Center will be unavailable until the upgrade process completes. You should take this into account when scheduling a DNA Center system upgrade. Once the system upgrade does complete, you can verify its success in the GUI by accessing System Settings > Software Updates > Updates and checking the installed version. Split Brain and Network Partition When DNA Center is configured as a multi-host cluster, a private network connection is set up between the hosts. This private network connection is used by each host to monitor the health and status of the other cluster hosts. A split brain occurs when there is a temporary failure of the network connection between the hosts, for example, due to any of the following occurrences: Physical disconnection of the network connection from a host Loss of power to one or more hosts Cisco DNA Center appliance failure During a split brain occurrence, situations can arise where each separate host is sending commands to a given network device without any coordination with the other hosts, and the results can be problematic. To correct for a split brain event, when the private network connection fails between one of the hosts, the other two hosts create a quorum and establish a network partition between themselves and the failed host with the following results: The split brain or network partition scenarios are be handled by ensuring quorum (majority reads and rights) to the database. The side of the partition with the "minority" stops operating, since it is be unable to perform quorum (majority reads and rights) to the database. 39

46 Recover Failed Hosts in a Cluster Manage High Availability The side of the partition with the "majority" continues to operate, since they are *able* to perform quorum (majority reads and rights) to the database. Recover Failed Hosts in a Cluster If a host fails within a multi-host cluster configuration, the time for the cluster to recover is usually 20 minutes. In a multi-host cluster with three hosts, if a single host (host A) is removed from the cluster for any reason, and the second host (host B) fails, then the last host (host C) will also immediately fail. To remove the failed node (host), log into the healthy node and execute the following CLI: maglev node remove. This will remove the faulty node (host) from the cluster. To add back the removed node, you must reinstall it using the Configuration Wizard's Add to cluster option. For information about using the Configuration Wizard, see Cisco Digital Network Architecture Center Installation Guide. After adding the node (host) back to the cluster, log into the node and execute the following CLI: maglev service nodescale refresh to enable high availability. In certain circumstances, you may have only two operational hosts within a multi-host cluster (three hosts). For example, when in the process of setting up a multi-host cluster, you may have only two hosts set up before configuring the third, or a single host may fail in your existing multi-host cluster. In these cases, the following functionality is unsupported for a multi-host cluster (three hosts) consisting of only two operational hosts: Upgrading the software version Installing the applications Restoring a backup file Restarting the cluster Removing an active host, when there is an already a faulty host that exists and there is no reachability (IP connectivity) to the multi-host cluster Important The above functionality is only supported on a multi-host cluster that consists of three hosts. Simultaneous removal of two hosts from a multi-host cluster (three hosts) at once or a simultaneous addition of two hosts to a multi-host cluster (three hosts) at once is not supported. DNA Center does not support shutting down two hosts in a three-host cluster running a High Availability (HA) configuration. Only a single host at a time can be shut down and restarted when performing maintenance or troubleshooting in a three-host cluster with HA. 40

47 CHAPTER 4 Manage Applications Application Management, on page 41 Downloading and Updating System Updates, on page 42 Downloading and Installing Packages and Updates, on page 42 Uninstalling Packages, on page 43 Application Management DNA Center provides many of its functions as individual applications, packaged separately from the DNA Center's core infrastructure. This permits you to install and run the applications that you want to and uninstall those you are not using, depending upon your preferences. However, be aware that application packages are not backward compatible. For example, if you are running base system version 1.2.0, you cannot install the SD Access application version You must first upgrade the base system version to and then install or upgrade the SD Access application to The number and type of application packages you see displayed in the Software Updates tab will vary, depending on the release version of DNA Center you have deployed at the moment, and your DNA Center licensing level (for example, DNA Essentials or DNA Advantage). All application packages available to you will be displayed, whether they are currently installed or not. Some applications are so basic, they are required on nearly every DNA Center deployment. To get a dialog box description of any package and whether it is required or not, hover your mouse cursor over that package's name in the Updates tab. Each DNA Center application package consists of service bundles, meta data files, and scripts. Important All application management procedures should be performed using the DNA Center GUI. Although you are able to perform many of these same procedures using the CLI (after logging into the shell), this is not recommended. In particular, if you use the CLI to deploy or upgrade packages, you must ensure that no deploy or upgrade command is issued unless the results of the "maglev package status" command show all packages as either NOT_DEPLOYED, DEPLOYED or DEPLOYMENT_ERROR. Any other state indicates activity in progress, and parallel deployments or upgrades are not supported. 41

48 Downloading and Updating System Updates Manage Applications Downloading and Updating System Updates You can perform application management procedures from the Software Updates window, including downloading and installing system updates. Before you begin Only a user with SUPER-ADMIN-ROLE permissions may perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Software Updates. Alternately, click the cloud icon and click the Go to Software Updates link. Step 2 Review the Software Updates window that now appears. The Software Updates window consists of the following two side tabs: Updates Shows the platform and the application updates. The Platform Update shows the system version that is installed and the system updates that are available and have been downloaded from the Cisco cloud. The App Updates shows the available applications that can be downloaded and installed from Cisco cloud, size of the application and the appropriate action (Download, Install, or Update). You can hover your mouse cursor over the package to view the available application version and a basic description about the application. Installed Apps Shows the application packages that are currently installed. Important Once you launch the Software Updates page, a connectivity check is performed and the status is displayed. If there is any connectivity issue, the Software Updates page will not show the new updates. Step 3 If a system update appears in the Software Update page, click Update to update the DNA Center. Downloading and Installing Packages and Updates DNA Center treats individual applications as separate from the core infrastructure. Specifically, individual packages for applications can be installed to run on the DNA Center. You can perform the application management procedures from the Software Updates tab. Packages for applications may take time to install and deploy. Therefore, install the packages during a maintenance period for your network. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page

49 Manage Applications Uninstalling Packages Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Software Updates. Alternately, click the cloud icon and click the Go to Software Updates link. Step 2 Review the Software Updates window that now appears. The Software Updates window consists of the following two side tabs: Updates Shows the platform and the application updates. The Platform Update shows the system version that is installed and the system updates that are available and have been downloaded from the Cisco cloud. The App Updates shows the available applications that can be downloaded and installed from Cisco cloud, size of the application and the appropriate action (Download, Install, or Update). You can hover your mouse cursor over the package to view the available application version and a basic description about the application. Installed Apps Shows the application packages that are currently installed. Important Once you launch the Software Updates page, a connectivity check is performed and the status is displayed. If there is any connectivity issue, the Software Updates page will not show the new updates. Step 3 Step 4 To install the package, do the following actions as required: a) Click Download from the Actions drop-down list corresponding to the package name if the package does not exist in DNA Center. b) Click Install from the Actions drop-down list corresponding to the package name after the package is downloaded. c) Click Update from the Actionsdrop-down list corresponding to the package name if you want to update the existing package to the latest version available on Cisco cloud. Proceed to click any other packages that require the same type of action (download, install, update, or uninstall). You can create a work flow for several packages that require the same action. You cannot create a work flow that consists of different actions; for example, download and install. To download and install different packages with different statuses, you need to click all packages that require a download and then perform the package downloads. After this activity (action) is completed, then click all the packages that require an installation and proceed with the package installations. Packages are not installed in the order you selected. Packages are installed in the appropriate order as required by the DNA Center. Uninstalling Packages DNA Center treats individual applications as separate from the core infrastructure. Specifically, individual packages for the applications can be installed and uninstalled on the DNA Center. You can perform the application management procedures from the Software Updates window in the DNA Center GUI. Only packages for applications that are not system critical can be uninstalled and will display an Uninstall option. 43

50 Uninstalling Packages Manage Applications Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Software Updates. Alternately, click the cloud icon and click the Go to Software Updates link. Step 2 Step 3 Click the Installed Apps side tab to view the installed applications. Click Uninstall corresponding to the package you want to remove from DNA Center. You cannot uninstall multiple packages simultaneously. Once the package is uninstalled, it get removed from the Installed Apps page. 44

51 CHAPTER 5 Manage Users About User Profiles, on page 45 About User Roles, on page 45 Create Local Users, on page 46 Edit Local Users, on page 46 Delete Local Users, on page 47 Change Your Own User Password, on page 47 Reset Forgotten Password, on page 47 Display Role-Based Access Control Statistics, on page 48 Configure External Authentication, on page 48 Display External Users, on page 50 About User Profiles A user profile defines a user's login, password, and role (permissions). You can configure both internal and external user profiles for any user. Internal user profiles reside in DNA Center and external user profiles reside on an external AAA server. One default user profile with SUPER-ADMIN-ROLE permissions is created when you install DNA Center. About User Roles Users are assigned user roles that specify the functions that they are permitted to perform: Administrator (SUPER-ADMIN-ROLE) Users with this role have full access to all of the DNA Center functions. They can create other user profiles with various roles, including those with the SUPER-ADMIN-ROLE. Although administrators cannot directly change another user's password in the user interface, they can delete and recreate a user with new password. For security reasons, passwords are not displayed to any user, not even those with administrator privileges. 45

52 Create Local Users Manage Users Network Administrator (NETWORK-ADMIN-ROLE) Users with this role have full access to all of the network-related DNA Center functions. They do not have access to system-related functions, such as App Management, Users (except for changing their own passwords), and Backup and Restore. Observer (OBSERVER-ROLE) Users with this role have view-only access to the DNA Center functions. Users with an observer role cannot access any functions that configure or control DNA Center or the devices it manages. A fourth default role, called TELEMETRY-ADMIN-ROLE, also exists, but this role is not accessible from the user interface and is only used for system-level functions within DNA Center. Create Local Users You can create a user and assign it one of the following user roles: SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE, or OBSERVER-ROLE. For more information, see About User Roles, on page 45. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click > System Settings > Users > User Management. Step 2 Click. Step 3 Step 4 Enter a username for the new user. From the Role drop-down list, choose one of the following roles: SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE, or OBSERVER-ROLE. Although the TELEMETRY-ADMIN-ROLE appears as an option, it is not available for use, so you cannot choose this role. Step 5 Step 6 Enter a password and confirm it. Click Save. Edit Local Users You can change only the user role. The username or password cannot be changed. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page

53 Manage Users Delete Local Users Step 1 Click > System Settings > Users > User Management. Step 2 Step 3 Step 4 Step 5 Click the radio button next to the user that you want to modify. Click Edit. From the Role drop-down list, choose a new role: SUPER-ADMIN-ROLE, NETWORK-ADMIN-ROLE, or OBSERVER-ROLE. Click Save. Delete Local Users Only an administrator with SUPER-ADMIN-ROLE permissions may delete a user. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click > System Settings > Users > User Management. Step 2 Select the radio button next to the user that you want to delete. Step 3 Click Delete. Step 4 Click OK. Change Your Own User Password Only you can change the password that you enter to log in to DNA Center. Even a user with administrator privileges cannot change another user's password. If an administrator needs to change another user's password, they need to delete and readd the user with a new password. Step 1 From the DNA Center home page, click > System Settings > Users. Step 2 Click Change Password. Step 3 Enter information in the required fields and click Update. Reset Forgotten Password If you have forgotten your password, you can reset your password through CLI. Follow the below steps to reset your password: 47

54 Display Role-Based Access Control Statistics Manage Users Step 1 Check if the user is created in the system using the below command: magctl user display <username> This command will return the tenant-name which can be used to reset the password. The sample output will be: User admin present in tenant TNT0 (where TNT0 is the tenant-name) Step 2 Enter the tenant-name in the below command to reset the password. magctl user password update <username> <tenant-name> You will be prompted to enter a new password. Step 3 Step 4 Enter a new password. You will be prompted to re-enter the new password to confirm. Enter the new password. The password is reset and you can login to DNA Center using the new password. What to do next Display Role-Based Access Control Statistics You can display statistics that show how many users of each user role exist. You can also drill down to view a list of users who have the selected role. Step 1 From the DNA Center home page, click > System Settings > Users > Role Based Access Control. Step 2 Click See details to display a list of users with the selected role. Configure External Authentication If you are using an external server for authentication and authorization of external users, you need to enable external authentication in DNA Center. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. You must configure at least one authentication server. Step 1 From the DNA Center home page, click > System Settings > Users > External Authentication. Step 2 To enable external authentication on DNA Center, select the Enable External User checkbox. Step 3 (Optional) Configure the AAA attribute. 48

55 Manage Users Configure External Authentication For most cases, the default AAA attribute setting (Cisco-AVPair) is sufficient, as long as you have set the DNA Center user profile on the AAA server with cisco-av-pair as the AAA attribute. You only need to change the default setting in DNA Center if you have a different value set in the DNA Center user profile on the AAA server. For example, you might manually define the AAA attribute as Cisco-AVPair=Role=SUPER-ADMIN-ROLE. a) In the AAA Attribute field, leave the default value of Cisco-AVPair or enter the new AAA attribute value. b) Click Update. Step 4 (Optional) Configure the AAA server(s). You need to configure these settings only if the order (primary/secondary) or the AAA servers that you configured in System Settings > Settings > Authentication and Policy Servers need to be different. a) From the Primary AAA Server IP Address drop-down field, choose an IP address of one of the preconfigured AAA servers. b) From the Secondary AAA Server IP Address drop-down field, choose an IP address of one of the preconfigured AAA servers. c) (Optional) If you are using a Cisco ISE server, you can update the settings, if necessary. Table 2: Cisco ISE Server Settings Name Shared Secret Username Password FQDN Description Key for device authentications. The shared secret can be up to 128 characters in length. Name that is used to log in to the Cisco ISE command-line interface (CLI). Password for the Cisco ISE CLI username. Fully qualified domain name (FQDN) of the Cisco ISE server. The FQDN consists of two parts, a hostname and the domain name, in the following format: hostname.domainname.com. For example, the FQDN for a Cisco ISE server might be ise.cisco.com. Subscriber Name SSH Key Virtual IP Address(es) A unique text string, for example dnac, that is used during DNA Center to Cisco ISE integration to setup a new pxgrid client in Cisco ISE. Diffie-Hellman-Group14-SHA1 SSH key used to connect and authenticate with Cisco ISE. Virtual IP Address(es) Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses. d) (Optional) To update advanced settings, click View Advanced Settings and update the settings, if necessary. Table 3: AAA Server Advanced Settings Name Protocol Authentication Port Description TACACS or RADIUS Port used to relay authentication messages to the AAA server. The default is UDP port

56 Display External Users Manage Users Name Accounting Port Retries Timeout Description Port used to relay important events to the AAA server. The information in these events is used for security and billing purposes. The default UDP port is Number of times that DNA Center attempts to connect with Cisco ISE before abandoning the attempt to connect. The default number of attempts is 1. The length of time that DNA Center waits for Cisco ISE to respond before abandoning the attempt to connect. e) Click Update. Display External Users You can view a list of external users who have logged in through Radius/TACACS for the first time. The information that is displayed includes their user names and roles. Step 1 From the DNA Center home page, click > System Settings > Users > External Authentication. Step 2 Scroll to the bottom of the window. The External Users area lists the external users. 50

57 CHAPTER 6 Manage Licenses This chapter contains the following topics: License Manager Overview, on page 51 Integration with Cisco Smart Accounts, on page 54 Set Up License Manager, on page 55 Visualize License Usage and Expiration, on page 55 View License Details, on page 56 Change License Level, on page 57 Export License Information, on page 58 License Manager Overview The Cisco DNA Center License Manager feature helps you visualize and manage all of your Cisco product licenses, including Smart Account licenses. From the Cisco DNA Center Home Page, select License Manager from the Tools tiles. The License Management page contains tabs with the following information: Switches Shows purchased and in-use information for all switches. Routers Shows purchased and in-use license information all routers. Access Points Shows purchased and in-use license information for all wireless controllers and access points. ISE Shows purchased and in-use license information for devices managed by Cisco Identity Services Engine (ISE). All Licenses Shows comprehensive details for all types of licenses for all Cisco devices. To manage licenses, you can use the controls shown above the table listings in each tab. License Management Controls describes each of the controls. Please note that not all controls are shown in all tabs. 51

58 License Manager Overview Manage Licenses Table 4: License Management Controls Control Filter Change Network License Change DNA License Change License Mode Change Virtual Account Recent Tasks Refresh Export Find Description Click Filter to specify one or more filter values and then click Apply. Use the asterisk (*) character as a wildcard anywhere in the string. You can apply multiple filters. To remove a filter, click the x icon next to the corresponding filter value. Select one or more licenses and click Actions > Change Network License to convert a network license into a Cisco DNA Center license. that this kind of license conversion is available for Catalyst 9000 devices only. For more information, see Change License Level, on page 57. Select one or more licenses and click Actions > Change DNA License to change the level of a selected Cisco DNA Center license to Essential or Advantage. You can also use this control to remove a Cisco DNA Center license. For more information, see Change License Level, on page 57. Select one or more devices and click Actions > Change License Mode to change the license mode. License mode conversion is applicable only for CAT 9k devices with version 16.7 or above. If you attempt to change the license mode for any other device, a warning message will be displayed. Select one or more licenses and click Actions > Change Virtual Account to specify the Virtual Account used to manage these licenses. Click Recent Tasks to see a list of All 50 of the most recently performed DNA Center tasks. Use the drop-down at the top of the list to narrow the list to show only those tasks that ended in Success or Failure, those that are still In Progress. Click this control to refresh the window. Click to export the list of displayed licenses as a CSV file. For more information, see Export License Information, on page 58. Enter a search term in the Find field to find all licenses in the list that have that term in any column. Use the asterisk (*) character as a wildcard anywhere in the search string. 52

59 Manage Licenses License Manager Overview Control Show entries Description Select the total number of entries to show in each page of the table. The Licenses table displays the information shown for each device. All of the columns support sorting. Click the column header to sort the rows in ascending order. Click the column header again to sort the rows in descending order. Not all columns are used in every tab. Additionally, some of the columns are hidden in the default column view setting, which can be customized by clicking the More icon ( ) at the right end of the column headings. Table 5: License Usage Information Column Device Type: Device Series Device Type: Total Devices Purchased Licenses: DNA Purchased Licenses: Network/Legacy Used Licenses: DNA Used Licenses: Network/Legacy Description Name of the device product series (for example: Catalyst 3850 Series Ethernet Stackable Switch). Click this link to view the license details window. For more information, see View License Details, on page 56. The total number of devices in this product series that are under active management by DNA Center. The total number of purchased Cisco DNA Center subscription licenses for the devices in this product series. The total number of purchased Network (or Legacy) perpetual licenses for the devices in this product series. The total number of Cisco DNA Center subscription licenses applied to the devices in this product series. The total number of Network perpetual licenses for the devices in this product series. Table 6: All Licenses Information Column Device Name Device Series Number Description Name of the device. Click this link to view the license details window. For more information, see View License Details, on page 56 The full name of the Cisco product series to which the listed device belongs (for example: Cisco Catalyst 3850 Series Ethernet Stackable Switch). 53

60 Integration with Cisco Smart Accounts Manage Licenses Column Device Type DNA Level DNA License Expiry License Mode Network License Virtual Account Site Last Updated Time MAC Address DNA Term DNA Days to Expiry Software Version Description The category of device as defined by DNA Center (for example: Switches and Hubs). The DNA Center license level. The date the DNA Center license expires. The DNA Center license mode. The type network license. The name of the Cisco Virtual Account managing the license for this device. The DNA Center site where the device is located. Last time this entry in the table was updated/ The MAC address of the licensed device. The total term during which the Cisco DNA Center subscription license is in effect. The number of days remaining until the Cisco DNA Center license term expires. The version of the network operating system currently running on the device. Integration with Cisco Smart Accounts Cisco DNA Center supports Cisco Smart Accounts, an online Cisco service that provides simplified, flexible, automated software- and device-license purchasing, deployment, and management across your organization. If you already have a Cisco Smart Account, you can use DNA Center to: Track your license consumption and expiration. Apply and activate new licenses, without intervention. Promote each device's license level from Essentials to Advantage (or vice versa) and reboot the device with the newly changed level of feature licensing. Identify and re-apply unused licenses. Retire unused licenses. You can accomplish this automatically, without leaving DNA Center. For more on the service itself, see Cisco Smart Accounts on Cisco.com. For more on setting up your Cisco Smart Account for use with DNA Center, see Set Up License Manager, on page

61 Manage Licenses Set Up License Manager Set Up License Manager You must set up access to your Cisco Smart Account before you can use the DNA Center License Manager tools. Before you begin You will need to: Make sure you have SUPER-ADMIN-ROLE permissions and the appropriate RBAC scope to perform this procedure. For information about the user permissions required to perform tasks using the DNA Center, see the chapter, Managing Users and Roles, in this guide. Collect the Cisco user ID and password for your Smart Account. If you have one or more Smart Accounts: Select the smart Account that you want to use with DNA Center, and collect that account's user ID and password. Step 1 Log on using a DNA Center system administrator user name and password. Step 2 Click, then select System Settings > Settings > Cisco Credentials. Step 3 Step 4 Under Cisco.com Credentials, enter the username and password for your Smart Account. To access your Smart Account using a virtual or subordinate Smart Account name and password, under Link Your Smart Account, choose: Use Cisco.com user ID if your Cisco.com and Smart Account credentials are the same. Use different credentials if your Cisco.com and Smart Account credentials are different, and then enter your Smart Account credentials. Step 5 Step 6 Click View all virtual accounts to view all virtual Smart License Accounts. When you are finished, click Apply. Visualize License Usage and Expiration DNA Center can display graphical representations of your purchased DNA licenses, how many of them are in use (that is, assigned to devices), and their duration. Step 1 Step 2 From the DNA Center Home page, select License Manager from the Tools tiles. Select the type of device category whose license usage you want to see: Switches, Routers, Access Points, ISE, or All Licenses. The License Usage graphs at the top of the window display the aggregate number of purchased DNA licenses and the number of those licenses currently in use for the device category you selected. The graphs also indicate the proportion of Essentials versus Advantage licenses within each total. 55

62 View License Details Manage Licenses Under the graphs, the License Usage table gives subtotals for used and unused licenses, listed alphabetically by product family name. Step 3 Step 4 To see detailed comparisons for a particular product family, click on the name of the product family given in the Device Series column in the table. DNA Center displays a window giving details for the product family you selected. To see a graphical representation of license duration, scroll down to the License Timeline section of the window. The timeline graph for each product family is a visual representation of when the DNA licenses in the configured Smart Account will expire for that product family. View License Details There are many ways to find and view license details in DNA Center. For example, you can click on the license usage and term graphs displayed in the Switches, Routers, Access Points, ISE, or All Licenses tabs in the License Manager window. Each of these will display popups with aggregated facts about licenses for each of these product families. The simplest method for getting the most comprehensive license details for a single device is to use the License Manager's All Licenses table, as explained in the following steps. Step 1 Step 2 Select Tools > License Manager > All Licenses. The License Manager window displays a table listing all of your discovered devices and their licenses. Information in the table includes only basic device and license information, such as device type, license expiration dates, and so on. Scroll through the table to find the device whose license details you want to see. If you are having trouble finding the device you want, you can: Filter: Click and then enter your filter criteria in the appropriate field (for example: enter all or part of the device name in the Device Name field). You may enter filter criteria in multiple fields. When you click Apply, the table displays only the rows displaying information that matches your filter criteria. Find: Click in the Find field and enter the text you want to find in any of the table columns. When your press Enter, the table scrolls to the first row with text matching your entry in the Find field. Customize: Click and select the columns you want displayed in the table. For example: Deselect Device Model or select Days to Expiry. When you click Apply, the table displays only the columns you selected. Step 3 When you have found the device you want, click the Device Name link in the row for that device. DNA Center displays a popup License Details window giving complete license details for the device you selected. The Actions displays actions that can be performed on the device or its licenses. When you are finished, click to close the License Details window. 56

63 Manage Licenses Change License Level Change License Level You can upgrade or downgrade the feature level of your device licenses. You can do this with both your Network (perpetual) and DNA (subscription) licenses. In both cases, your feature level choices are either the basic Essentials level or the comprehensive Advantage level. ( that Network license conversion is available for products in the Cisco Catalyst 9000 device family only.) Whenever you change a device's license level, DNA Center automatically purchases, downloads and applies your licenses behind the scenes, using your Smart Account. As applying a license level change requires a device reboot, License Manager will prompt you to confirm that you want to reboot the device as soon as the license level change is complete. You can choose not to reboot with the license change, but you will need to remember to schedule the reboot at a later time, or your license level change will not be applied. Step 1 Step 2 Step 3 Select Tools > Licenses > All Licenses The License Manager window displays a table listing all of your discovered devices and their licenses. Use Find or scroll through the table to find the devices whose license level you want to change. If you are having trouble finding the device you want, or want to select multiple devices, follow the tips in the related topic, View License Details, on page 56, to change the table to display just the devices you want. Click the checkbox next to each device for which you want to change the license level link, then: If the license is a Network license, click Actions > Change Network License. If the license is a subscription DNA license, click Actions > Change DNA License. DNA Center displays a Change License Level window appropriate for the license type you want to change. Step 4 Step 5 Click the license level you want for these devices: Essentials or Advantage If you would like to remove the license from the device, select Remove. Click Next to continue. DNA Center asks if you want the change to be applied right away or at a later time. You must also choose whether you want to reboot the device as soon as its license status is updated. To continue: If you are not ready to make the change: Click Back to change your License Level selection, or click window and cancel the change. to close the If you are ready to make the change immediately: Click Now, then click Confirm. The device using this license will reboot as soon as the change is applied. If you want the change to be applied later: Click Later, enter a name for the scheduled task, and specify the date and time when you want the change to be applied. If you want the change to take place as scheduled in the time zone of the site where the device is located, select Site Settings. When you are finished specifying the schedule parameters, click Confirm. 57

64 Export License Information Manage Licenses Export License Information You can quickly export license information from DNA Center to backup PDF or Microsoft Excel files. These license backup files are intended to assist your organization's accounting and reporting needs. Step 1 Step 2 Step 3 Step 4 Step 5 Step 6 Select Tools > License Manager. Select All Licenses. DNA Center displays a list of all your currently assigned licenses. Click Export. DNA Center displays the Export Licenses window. Select the destination file format. (Optional) Click on the checkboxes next to each type of license information you want to exclude or include in the export. Click the checkbox at the bottom if you want to save your choices as the default for later exports. When you are finished, click Export and specify the location and file name for the exported license file. Then click OK to complete the export. 58

65 CHAPTER 7 Backup and Restore About Backup and Restore, on page 59 Supported Backup and Restore Procedures, on page 61 Back Up Automation Data Using the GUI, on page 62 Restore Automation Data Using the GUI, on page 64 Schedule a Backup of Automation Data Using the GUI, on page 65 Back Up Automation Data Using the CLI, on page 66 Restore Automation Data Using the CLI, on page 67 Configure an NFS Server, on page 68 Back Up Assurance Data Using the CLI, on page 69 Restore Assurance Data Using the CLI, on page 70 About Backup and Restore The backup and restore procedures for DNA Center can be used for the following purposes: To create backup files for disaster recovery for the appliance To create backup files to restore to a different appliance (if required for your network configuration) Backup When you perform a backup, DNA Center creates a copy of the following files and exports the files to a specific location on a remote server: DNA Center databases DNA Center credentials DNA Center file system and files Important The backup files should not be modified by the user. The backup files are created and posted to a remote server. You are able to restore the backup files from the remote server using DNA Center. For information about the remote server requirements, see Backup Server Requirements, on page

66 Backup Server Requirements Backup and Restore DNA Center does not support using FTP (port 21) when performing a backup. Use SSH (port22)/rsync when backing up the DNA Center. Only a single backup can be performed at a time. Performing multiple backups at once are not permitted. Additionally, only a full backup is supported. Other types of backups (for example, incremental backups) are not supported. While a backup is being performed, you will be unable to delete any files that have been uploaded to the file service and any changes that you make to files might not be captured by the backup process. When performing a backup, we recommend the following: Perform a backup everyday to maintain a current version of your database and files. Perform a backup after making any changes to your configuration. For example, when changing or creating a new policy on a device. Only perform a backup during a low impact or maintenance time period. You are able to schedule or automate a backup for a specific date and time using the DNA Center's GUI. For information about this procedure, see Schedule a Backup of Automation Data Using the GUI, on page 65. Each backup is uniquely stored using the UUID as directory name. Restore When you restore the backup files, DNA Center removes and replaces the existing database and files with the backup files. You restore the backup files from the remote server. When a restore is being performed, DNA Center is unavailable. You cannot take a backup from one version of DNA Center and restore it to another version of DNA Center. You can only restore a backup to an appliance that is running the same DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken. To view the current applications and versions on DNA Center, click, then System Settings, then App Management. You can restore a backup to a DNA Center system with a different IP address. This could happen if for any reason the IP address is changed on DNA Center and you need to backup from an older system. Backup Server Requirements The following are the requirements for the backup server: Running Red Hat Enterprise Linux 6 or greater, or any of its derivatives such as CentOS, Ubuntu or greater and its derivatives (Mint), or any other modern Linux operating system. Linux rsync utility must be installed. The destination folder for the backup should be owned by the backup user or the backup user should have read-write permissions for the user's group. For example, assuming the backup user is 'backup' and 60

67 Backup and Restore Supported Backup and Restore Procedures user's group is 'staff ', then the following sample outputs show the required permissions for the backup directory: Example 1: Backup directory is owned by 'backup' user: $ ls -l /srv/ drwxr-xr-x 4 backup root 4096 Apr 10 15:57 dnac Example 2: 'backup' user's group has required permissions: $ ls -l /srv/ drwxrwxr-x. 7 root staff 4096 Jul dnac Ensure that the SFTP sub-system is enabled. The following line needs to be uncommented and present in the SSHD configuration: Subsystem sftp /usr/libexec/openssh/sftp-server The file where you need to uncomment the above line is generally located in: /etc/ssh/sshd_config Supported Backup and Restore Procedures For this release, you can backup and restore the Automation data using either the DNA Center GUI or by running the CLI commands on the appliance. To backup and restore the Assurance data, you can only run the CLI commands on the appliance. Automation data consists of system and network automation configuration data. Assurance data consists of network assurance and analytics data. For a complete backup and restore (both Automation and Assurance data) use one of the following two supported procedure sets: GUI and CLI Supported Procedures 1. Backup the Automation data using the DNA Center GUI. See Back Up Automation Data Using the GUI, on page Backup the Assurance data using the CLI commands. See Back Up Assurance Data Using the CLI, on page Restore the Automation data using the DNA Center GUI. See Restore Automation Data Using the GUI, on page Restore the Assurance data using the CLI commands. See Restore Assurance Data Using the CLI, on page 70. CLI Only Supported Procedures 1. Backup the Automation data using the CLI commands. See Back Up Automation Data Using the CLI, on page Backup the Assurance data using the CLI commands. 61

68 Back Up Automation Data Using the GUI Backup and Restore See Back Up Assurance Data Using the CLI, on page Restore the Automation data using the CLI commands. See Restore Automation Data Using the CLI, on page Restore the Assurance data using the CLI commands. See Restore Assurance Data Using the CLI, on page 70. Important When restoring a backup on a completely new cluster, you must first restore the Automation data before restoring the Assurance data. Restoring a backup to the same preexisting cluster does not require that this specific procedural order be followed. Back Up Automation Data Using the GUI You can back up and restore the DNA Center Automation database and files. When you perform a backup, DNA Center copies and exports the database and files to a location on a remote server that you configure. When you restore the backup files, DNA Center removes and replaces the existing database and files with the backup files. For more information, see About Backup and Restore, on page 59. Data is backed up using SSH/Rsync. DNA Center does not support using FTP (port 21) when performing a backup. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Ensure that you have set up your backup server and have met all of the requirements. For information, see Backup Server Requirements, on page 60. Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Backup & Restore. The Backup & Restore window appears consisting of three tabs: Backups, Schedule, and Activity. The first time you access this window, the Set up backup server field also appears. Step 2 Step 3 Click Configure in this field. The Remote Backup Server side panel appears. Configure the remote backup server for the DNA Center backups. Enter configuration values for the remote backup server. SSH IP Address SSH Port IP address of the remote server that you can SSH into. Port address of the remote server that you can SSH into. 62

69 Backup and Restore Back Up Automation Data Using the GUI Server Path Username Password Encryption Passphrase Path to folder on the server where the backup files will be sent to and saved. Username used to protect the encrypted backup. Password used to protect the encrypted backup. This passphrase encrypts the security-sensitive components of the backup. These security-sensitive components include both certificates and credentials. This is a required passphrase that you will be prompted for and that must be entered when restoring the backup files. Without this passphrase, backup files will not be restored. Step 4 Step 5 Step 6 Click Apply to save the Remote Backup Server configuration. Other options are Cancel to cancel this configuration or Remove to remove an earlier remote backup server configuration. Click Create New Backup. To view the backup's progress, click the Activity tab and review the Status column. During the backup process, DNA Center creates the backup database and files. The backup files are saved to the specified location on the remote server. You are not limited to a single set of backup files, but can create multiple backup files that are identified with their unique names. You receive a Backup done! notification when the back up process is finished. If the back up process fails, there is no impact to the appliance or its database. DNA Center displays an error message stating the cause of the backup failure. The most common reason for a failed backup is insufficient disk space. If your backup process fails, make sure that there is sufficient disk space on the remote server and attempt another backup. (Optional) Verify the final backup status in the Backup & Restore window (Backups tab). The following information is displayed: Date Local date and time of the backup or restore. Backup Name Name of the file that was backed up or restored. File Size Size of the file that was backed up or restored. Status Success or failure status of the operation. Place your cursor over the failure status to display additional details about the failure. Operation Type of operation, either backup or restore. Action Possible actions to take with the backup files. For example, restore the DNA Center with the backup files or proceed to delete the backup files. Step 7 (Optional) To download a.csv file of what is displayed in this window for your records, click Export.. 63

70 Restore Automation Data Using the GUI Backup and Restore What to do next When necessary and at the appropriate time, you can restore the backup file to DNA Center by clicking the Restore link in the Backups tab for the backup. You can also schedule a future backup using the configuration options displayed in the Schedule tab. For information about this procedure, see Schedule a Backup of Automation Data Using the GUI, on page 65. Restore Automation Data Using the GUI You can restore DNA Center Automation database from the backup files on the remote server that you configured. When you restore from the backup files located on the remote server, DNA Center removes and replaces the existing database and files. For more information, see About Backup and Restore, on page 59. Caution The DNA Center restore process only restores the database and files. The restore process does not restore your network state and any changes made since the last back up, including any new network policies that have been created, any new or updated passwords, or any new or updated certificates and trustpool bundles. You cannot do a backup from one version of DNA Center and restore to another version of DNA Center. You can only restore a backup to an appliance that is running the same DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken. To view the current apps and versions, click, then System Settings, then App Management. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. After you initiate the restore process using the GUI, DNA Center enters into maintenance mode. In maintenance mode, DNA Center will be unavailable until the restore process completes. You should take this into account when scheduling a DNA Center restore. DNA Center goes into maintenance mode when you restore the database, perform a system upgrade (not a package upgrade), and enable a service redistribution to support high availability in System Settings > System 360 > Overview. Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Backup & Restore. The Backup & Restore window displays the following three tabs: Backups, Schedule, and Activity. The default tab that displays is Backups. If you have already successfully created a backup on a remote server, then it will display in the Backups tab. Step 2 Step 3 In the Backup Name column, locate the backup that you wish to restore. In the Actions column, select Restore. 64

71 Backup and Restore Schedule a Backup of Automation Data Using the GUI The DNA Center restore process restores the database and files. The restore process does not restore your network state and any changes made since the last backup, including any new network policies that have been created, any new or updated passwords, or any new or updated certificates and trustpool bundles. During a restore, the backup files remove and replace the current database. During the restore process, DNA Center goes into maintenance mode. Wait until DNA Center exists maintenance mode before proceeding. Step 4 Click the Backups tab to view the results for a successful restore process. Schedule a Backup of Automation Data Using the GUI You can schedule a backup of the DNA Center Automation database and files at a future date and time. You schedule this backup using the DNA Center GUI. Before you begin Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About User Roles, on page 45. Step 1 From the DNA Center home page, click the gear icon ( ) and then choose System Settings > Backup & Restore. The Backup & Restore window displays the following three tabs: Backups, Schedule, and Activity. The default tab that displays is Backups. Step 2 Step 3 Step 4 Step 5 Step 6 Step 7 Step 8 Step 9 Click the Schedule tab header. The Schedule window appears. Click + Add at the upper right of the Schedule tab. The Create Backup side panel appears. Enter a name for the backup file. Click the Schedule Later option. Enter the date for the scheduled backup or use the month icon to select a date. Enter a time for the scheduled backup including an AM or PM value. Click the Schedule button. Click the close icon at the upper right of the side panel to close the panel. After scheduling a future backup, the following information is displayed: Date Date of scheduled backup Backup Name Name of the backup Status Whether backup is scheduled or not Operation Backup operation 65

72 Back Up Automation Data Using the CLI Backup and Restore Scheduled Run Date and time of scheduled backup Action Option to delete scheduled backup With the current release, you can only configure one scheduled backup at a time. Not more than one scheduled backup is permitted. What to do next When necessary and at the appropriate time, you can restore the backup files to DNA Center. Back Up Automation Data Using the CLI You can back up and restore the DNA Center Automation database and files using the CLI. When you perform a backup, DNA Center copies and exports the database and files to a location on a remote server that you configure. When you restore the backup files, DNA Center removes and replaces the existing database and files with the backup files. For more information, see About Backup and Restore, on page 59. Data is backed up using SSH/Rsync. DNA Center does not support using FTP (port 21) when performing a backup. Before you begin Ensure that you have set up your backup server and have met all of the requirements. For information, see Backup Server Requirements, on page 60. Step 1 Step 2 Step 3 Using a Secure Shell (SSH) client, log into the DNA Center appliance, using the IP address of the OOB management network adapter, on port When prompted, enter your Linux username and password for SSH access. Use the maglev backup remote update command to configure the remote backup server details on your cluster. The command syntax is maglev backup remote update -s IP_of_remote_server -t port_number -d full_path_of_directory_of_remote_repository -u remote_server_username -p remote_server_password -r passphrase_of_backup For example, enter a command similar to the following: $ maglev backup remote update -s t 22 -d /home/maglev/test_system/116_bck -u maglev -p Cisco123 -r Maglev123 Step 4 Use the maglev backup remove verify command to verify the remote server settings. For example, enter a command similar to the following: $ maglev backup remote verify message: Remote server settings verified successfully. status: ok 66

73 Backup and Restore Restore Automation Data Using the CLI For other command options, use the following help command: $ maglev backup remote update --help Step 5 Step 6 Use the maglev backup create command to start the backup. For example, enter a command similar to the following: $ maglev backup create For other command options, use the following help command: $ maglev backup --help Use the maglev backup progress command to monitor the progress in creating the backup. For example, enter a command similar to the following: $ maglev backup progress For other command options, use the following help command: $ maglev backup --help What to do next When necessary and at the appropriate time, you can restore the backup file to DNA Center using the CLI. Restore Automation Data Using the CLI You can restore DNA Center Automation database from the backup files on the remote server that you configured. When you restore from the backup files located on the remote server, DNA Center removes and replaces the existing database and files. For more information, see About Backup and Restore, on page 59. Caution The DNA Center restore process only restores the database and files. The restore process does not restore your network state and any changes made since the last back up, including any new network policies that have been created, any new or updated passwords, or any new or updated certificates and trustpool bundles. You cannot do a backup from one version of DNA Center and restore to another version of DNA Center. You can only restore a backup to an appliance that is running the same DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken. To view the current apps and versions, click, then System Settings, then App Management. 67