Cisco DNA
First Published: 2018-10-01
Last Modified: 2019-01-15
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network
topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional
and coincidental.
© 2017–2019 Cisco Systems, Inc. All rights reserved.
Table 1: New and Changed Features for Cisco DNA Center, Release 1.2.5
• New Home Page: The Cisco DNA Center home page now includes a Network Snapshot section along with
Network Configuration and Tools sections. See Default Home Page, on page 5.
• Topology Enhancements: You can assign devices to specific sites using the topology map. You can unpin
devices in a group. You can export a snapshot of your topology layout in SVG or PDF format. Some
keyboard shortcuts are included. See Assign Devices to Sites, on page 94.
• Software Image Management: The upgrade readiness precheck now includes the device management status
and a file transfer check. Also, the Distribute and Activate processes are now separate processes. An
automatic flash cleanup process is included to create the space required for the image upgrade. See
Provision Software Images, on page 87.
• Fabric in a Box: You can now add the selected device as a control plane, a border node, and an edge
node. See Add Devices to a Fabric, on page 236.
• Layer 2 Selective Flooding: You can enable Layer 2 selective flooding for a segment when a Layer 2
extension is enabled for the same segment. See Associate Virtual Networks to the Fabric Domain, on
page 240.
• Server Connectivity: During host onboarding, you can designate a port on the edge device as the server
port during port assignment. See Configure Host Onboarding, on page 239.
• Layer 2 Border Handoff: Layer 2 handoff achieves Layer 2 connectivity between hosts in the fabric and
an external Layer 2 domain. See Add Device as a Border Node, on page 238.
Important Cisco DNA Assurance is an application that is available from Cisco DNA Center. From Cisco DNA Center,
Release 1.2.5, we are providing you with a separate user guide, which deals exclusively with Assurance. For
details, see the Cisco DNA Assurance User Guide.
Log In
Access Cisco DNA Center by entering its network IP address in your browser. For compatible browsers, see
the Cisco DNA Center Release Notes for the version of Cisco DNA Center that you are using currently. This
IP address connects to the external network and is configured during the Cisco DNA Center installation. For
more information about installing and configuring Cisco DNA Center, see the Cisco Digital Network
Architecture Center Installation Guide.
You should continuously use Cisco DNA Center to remain logged in. If you are inactive for too long, Cisco
DNA Center logs you out of your session automatically.
Procedure
Step 1 Enter an address in your web browser's address field in the following format. Here server-ip is the IP address
(or the hostname) of the server on which you have installed Cisco DNA Center:
https://server-ip
Example: https://192.0.2.1
Depending on your network configuration, you may have to update your browser to trust the Cisco DNA
Center server security certificate. Doing so will help ensure the security of the connection between your client
and Cisco DNA Center.
Step 2 Enter the Cisco DNA Center username and password assigned to you by the system administrator. Cisco DNA
Center displays its home page.
If your user ID has the NETWORK-ADMIN-ROLE and no other user with the same role has logged in before,
you will see a first-time setup wizard instead of the home page. For details, see Log In for the First Time as
a Network Administrator, on page 4.
Step 3 To log out, click the Gear icon at the top-right corner and click Sign Out.
Log In for the First Time as a Network Administrator
Procedure
Step 1 If you have not already done so, log in to Cisco DNA Center normally, as explained in Log In, on page 3.
Step 2 With the wizard displayed, click Get Started.
Step 3 In the fields on the following screens, enter the information listed in "Before You Begin" above.
Click Save & Next to continue, Back to return to the previous screen and revise your entries, or Skip to cancel
the wizard and display the Cisco DNA Center home page.
Step 4 When you are finished, click Begin Discovery. Cisco DNA Center displays the home page, which slowly
fills with network health information as discovery completes.
• Assurance: Provide proactive and predictive actionable insights about the performance and health of
the network infrastructure, applications, and end-user clients.
• Tools: Use the Tools area to configure and manage your network.
Figure 1: Home Page
When discovery is in progress, you see a progress message with a link to the Discovery window.
When there are devices in the system, you see a network snapshot of discovered devices.
Click any icons in the main areas to launch the corresponding application or tool.
In addition to the Network Snapshot, Network Configuration, and Tool icons, you can click any icons at
the top-right corner of the home page to perform important common tasks:
• Software Updates: See a list of available software updates. Click the Go to Software Updates link
to view Platform and App updates.
• Search icon: Search for devices, users, hosts, and other items, anywhere they are stored in the Cisco
DNA Center database. For tips on using Search, see Use Global Search, on page 8.
• Applications icon: Return to the Cisco DNA Center home page from any other page and access the
applications and tools. You can do the same thing by clicking the Cisco DNA Center logo in the top-left
corner of the home page.
• Settings icon: View audit logs, configure Cisco DNA Center system settings, see the Cisco DNA
Center version you are using, and log out.
Finally, you can click the following icons, which appear at the right side of every page in Cisco DNA Center:
• Feedback icon: Submit your comments and suggestions to Cisco's Cisco DNA Center
product team.
• Help icon: Launch Cisco DNA Center's context-sensitive online help in a separate tab in your browser.
If you are new to Cisco DNA Center, see Where to Start, on page 9 for tips and suggestions on how to begin.
Note By default, the login name you provided is displayed in the Welcome text. To change the name, click the
name link; for example, admin. You are taken to Users > User Management, where you can edit the display
name.
Use Global Search
To start a global Search, click the icon in the top-right corner of any Cisco DNA Center page.
Figure 2: Global Search Icon
When you click the icon, Cisco DNA Center displays a pop-up global search window, with a Search field
where you can begin entering identifying information about the item you are looking for.
You can enter all or part of the target item's name, address, serial number, or other identifying information.
The Search field is case-insensitive and can contain any character or combination of characters.
As you begin entering your search string, Cisco DNA Center displays a list of possible search targets that
match your entry. If more than one category of item matches your search string, Cisco DNA Center sorts them
by category, with a maximum of five items in each category. The first item in the first category is selected
automatically, and summary information for that item appears in the summary panel on the right.
You can scroll the list as needed, and click any of the suggested search targets to see information for that item
in the summary panel. If there are more than five items in a category, click View All next to the category
name in the list. To return to the categorized list from the complete list of search targets, click Go Back.
As you add more characters to the search string, global Search automatically narrows the displayed list of
categories and items.
The summary panel includes links to more information. The link varies as appropriate for each category and
item. For example, with Activities, the summary panel displays links to menu items and workflows elsewhere
in the Cisco DNA Center system. For Applications, there is the Application 360 view. You will see links to
Client 360 and Topology views for hosts and endpoints, and links to Device 360 and Topology views for
network devices. Click the link to see the appropriate menu item, workflow, or detail view.
Where to Start
To start using Cisco DNA Center, you must first configure the Cisco DNA Center settings so that the server
can communicate outside the network.
After you configure the Cisco DNA Center settings, your current environment determines how you start using
Cisco DNA Center:
• Existing infrastructure: If you have an existing infrastructure (brownfield deployment), start by running
Discovery. After you run Discovery, all your devices are displayed on the Inventory window. For
information about running Discovery, see Discover Your Network, on page 11.
• New or nonexisting infrastructure: If you have no existing infrastructure and are starting from scratch
(greenfield deployment), create a network hierarchy.
About Discovery
The Discovery feature scans the devices in your network and sends the list of discovered devices to Inventory.
The Discovery feature can also work with the Device Controllability feature to configure the required network
settings on devices, if these settings are not already present on the device. For more information about Device
Controllability, see the Cisco Digital Network Architecture Center Administrator Guide.
There are three ways for you to discover devices:
• Use Cisco Discovery Protocol (CDP) and provide a seed IP address.
• Specify a range of IP addresses. (A maximum range of 4096 devices is supported.)
• Use Link Layer Discovery Protocol (LLDP) and provide a seed IP address.
When configuring the Discovery criteria, remember that there are settings that you can use to help reduce the
amount of time it takes to discover your network:
• CDP Level and LLDP Level—If you use CDP or LLDP as the Discovery method, you can set the CDP
or LLDP level to indicate the number of hops from the seed device that you want to scan. The default,
level 16, might take a long time on a large network. So, if fewer devices have to be discovered, you can
set the level to a lower value.
• Subnet Filters—If you use an IP address range, you can specify devices in specific IP subnets for
Discovery to ignore.
• Preferred Management IP—Whether you use CDP, LLDP, or an IP address range, you can specify
whether you want Cisco DNA Center to add any of the device's IP addresses or only the device's loopback
address.
Note For Software-Defined Access (SD-Access) Fabric and Cisco DNA Assurance,
we recommend that you specify the device's loopback address.
Regardless of the method you use, you must be able to reach the device from Cisco DNA Center and configure
specific credentials and protocols in Cisco DNA Center to discover your devices. These credentials can be
configured and saved in the Design > Network Settings > Device Credentials window or on a per-job basis
in the Discovery window.
Note If a device uses a first hop resolution protocol like Hot Standby Router Protocol (HSRP) or Virtual Router
Redundancy Protocol (VRRP), the device might be discovered and added to the inventory with its floating
IP address. Later, if HSRP or VRRP fails, the IP address might be reassigned to a different device. This
situation can cause issues with the data that Cisco DNA Center retrieves for analysis.
Discovery Prerequisites
Before you run Discovery, complete the following minimum prerequisites:
• Understand what devices will be discovered by Cisco DNA Center by viewing the Cisco DNA Center
Supported Devices List.
• Ensure at least one SNMP credential is configured on your devices for use by Cisco DNA Center. At a
minimum, this can be an SNMP v2C read credential. For more information, see Discovery Credentials,
on page 12.
• Configure SSH credentials on the devices you want Cisco DNA Center to discover and manage. Cisco
DNA Center discovers and adds a device to its inventory if at least one of the following two criteria is
met:
• The account that is being used by Cisco DNA Center to SSH into your devices has privileged EXEC
mode (level 15).
• You configure the device’s enable password as part of the CLI credentials configured in the Discovery
job. For more information, see Discovery Configuration Guidelines and Limitations, on page 15.
Discovery Credentials
Discovery credentials are the CLI, SNMPv2c, SNMPv3, HTTP(S), and NETCONF configuration values for
the devices that you want to discover. You need to specify the credentials based on the types of devices you
are trying to discover:
• Standard Cisco devices—CLI and SNMP credentials.
• NFVIS devices—HTTP(S) credentials.
• Both standard and NFVIS devices—CLI, SNMP, and HTTP(S) credentials.
Because the various devices in a network can have different sets of credentials, you can configure multiple
sets of credentials in Cisco DNA Center. The Discovery process iterates through all sets of credentials that
are configured for the Discovery job until it finds a set that works for the device.
If you use the same credential values for the majority of devices in your network, you can configure and save
them to reuse in multiple Discovery jobs. To discover devices with unique credentials, you can add job-specific
Discovery credentials when you run Discovery jobs. You can define up to 5 saved and one job-specific
credential for each of the credential types.
For information on how to define Cisco ISE as a AAA server, see Add Cisco ISE or Other AAA Servers, on
page 144.
• If an ongoing Discovery polling cycle fails because of a device authentication failure, you can correct
the situation using one of the following options:
• Use the Discovery tool to:
• Stop or delete the current Discovery job and run a new Discovery job with job-specific
credentials that match the device's credential.
• Stop or delete the current Discovery job, edit the existing Discovery job, and rerun the Discovery
job.
• Deleting a global credential does not affect previously discovered devices. The status of the previously
discovered devices does not indicate an authentication failure. However, the next Discovery job that tries
to use the deleted credential will fail. The Discovery job will fail before it tries to contact any devices.
For example, 25 minutes after you delete the credential, Discovery jobs that use it will fail.
Preferred Management IP Address
If you choose to use a device's loopback IP address as the preferred management IP address, Cisco DNA
Center determines the preferred management IP address as follows:
• If the device has one loopback interface, Cisco DNA Center uses that loopback interface IP address.
• If the device has multiple loopback interfaces, Cisco DNA Center uses the loopback interface with the
highest IP address.
• If there are no loopback interfaces, Cisco DNA Center uses the Ethernet interface with the highest IP
address. (Subinterface IP addresses are not considered.)
• If there are no Ethernet interfaces, Cisco DNA Center uses the serial interface with the highest IP address.
After a device is discovered, you can update the management IP address from the Inventory window. For
more information, see Update Device Resync Interval, on page 77.
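The selection order listed above, written out as an added Python example (it is not Cisco code). The (name, address) input format, the IOS-style interface names, and the rule that a dot in an Ethernet interface name marks a subinterface are assumptions; the sample devices are constructed.

```python
import ipaddress

# Assumption: interfaces arrive as (name, ipv4) pairs using IOS-style names, and a
# dot in an Ethernet interface name marks a subinterface (GigabitEthernet0/0/1.100).


def _highest(pairs):
    """Return the numerically highest IPv4 address among (name, ip) pairs."""
    # Compare as integers: as plain strings, "10.9.0.1" sorts above "10.10.0.1".
    return str(max(ipaddress.IPv4Address(ip) for _, ip in pairs))


def preferred_management_ip(interfaces):
    """Apply the guide's fallback order: loopback, then Ethernet, then serial."""
    loopbacks = [p for p in interfaces if p[0].lower().startswith("loopback")]
    ethernets = [p for p in interfaces
                 if "ethernet" in p[0].lower() and "." not in p[0]]
    serials = [p for p in interfaces if p[0].lower().startswith("serial")]
    for group in (loopbacks, ethernets, serials):
        if group:
            return _highest(group)
    return None  # no candidate interface; the guide does not describe this case


# Constructed sample devices (documentation address ranges, not real hosts).
CORE_SWITCH = [
    ("Loopback0", "10.9.0.1"),
    ("Loopback1", "10.10.0.1"),
    ("GigabitEthernet0/0/1", "192.0.2.1"),      # higher address, but not a loopback
]
BRANCH_ROUTER = [
    ("GigabitEthernet0/0/0", "192.0.2.10"),
    ("GigabitEthernet0/0/1.100", "192.0.2.200"),  # subinterface: not considered
    ("Serial0/1/0", "198.51.100.1"),
]
WAN_ONLY = [
    ("Serial0/0/0", "198.51.100.5"),
    ("Serial0/0/1", "198.51.100.9"),
]

if __name__ == "__main__":
    for label, dev in (("core", CORE_SWITCH), ("branch", BRANCH_ROUTER), ("wan", WAN_ONLY)):
        print(label, preferred_management_ip(dev))
```

Running the same function over an inventory export before a Discovery job shows which address each device would be managed on when Use Loopback IP is chosen.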
Perform Discovery
Discover Your Network Using CDP
You can discover devices using Cisco Discovery Protocol (CDP), an IP address range, or LLDP. This procedure
shows you how to discover devices and hosts using CDP. For more information about the other discovery
methods, see Discover Your Network Using an IP Address Range, on page 21 and Discover Your Network
Using LLDP, on page 26.
Note • The Discovery function requires the correct SNMP Read Only (RO) community string. If an SNMP RO
community string is not provided, as a best effort, the Discovery function uses the default SNMP RO
community string, public.
• CLI credentials are not required to discover hosts; hosts are discovered through the network devices that
they are connected to.
Procedure
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 In the Discovery Name field, enter a name.
Step 3 Expand the IP Address/Ranges area if it is not already visible, and configure the following fields:
a) For Discovery Type, click CDP.
b) In the IP Address field, enter a seed IP address for Cisco DNA Center to start the Discovery scan.
c) (Optional) In the Subnet Filter field, enter an IP address or subnet to exclude from the Discovery scan.
You can enter addresses either as an individual IP address (x.x.x.x) or as a classless inter-domain routing
(CIDR) address (x.x.x.x/y), where x.x.x.x refers to the IP address and y refers to the subnet mask. The
subnet mask can be a value from 0 to 32.
d) Click .
Repeat Step c and Step d to exclude multiple subnets from the Discovery job.
e) (Optional) In the CDP Level field, enter the number of hops from the seed device that you want to scan.
Valid values are from 1 to 16. The default value is 16. For example, CDP level 3 means that CDP will
scan up to three hops from the seed device.
f) From the Preferred Management IP drop-down list, choose either None or Use Loopback.
Choose None to allow the device to use any of its IP addresses or choose Use Loopback IP to specify the
device's loopback interface IP address. If you choose Use Loopback IP and the device does not have a
loopback interface, Cisco DNA Center chooses a management IP address using the logic described in
Preferred Management IP Address, on page 14.
Note To use the loopback interface IP address as the preferred management IP address, make sure
that the CDP neighbor's IP address is reachable from Cisco DNA Center.
Step 4 Expand the Credentials area and configure the credentials that you want to use for the Discovery job.
Choose any of the global credentials that have already been created or configure your own Discovery credentials.
If you configure your own credentials, you can save them for only the current job by clicking Save or you
can save them for the current and future jobs by checking the Save as global settings check box and then
clicking Save.
a) Make sure that the global credentials that you want to use are selected. If you do not want to use a credential,
deselect it.
b) To add additional credentials, click Add Credentials.
c) To configure CLI credentials, configure the following fields:
Field Description
Note Passwords are encrypted for security reasons and are not displayed in
the configuration.
Field Description
Name/Description: Name or description of the SNMPv3 settings that you are adding.
Mode: Security level that an SNMP message requires. Choose one of the following modes:
• noAuthNoPriv—Does not provide authentication or encryption.
• AuthNoPriv—Provides authentication, but does not provide encryption.
• AuthPriv—Provides both authentication and encryption.
Auth Type: Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as the
authentication mode.) Choose one of the following authentication types:
• SHA—Authentication based on HMAC-SHA.
• MD5—Authentication based on HMAC-MD5.
Auth Password: SNMPv3 password used for gaining access to information from devices that use SNMPv3.
These passwords (or passphrases) must be at least 8 characters in length.
Note • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long.
Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure
these required minimum character lengths for passwords results in devices not being discovered,
monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in the configuration.
Privacy Type: Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose one of
the following privacy types:
• DES—DES 56-bit (DES-56) encryption in addition to authentication based on the CBC DES-56 standard.
• AES128—CBC mode AES for encryption.
• None—No privacy.
Privacy Password: SNMPv3 privacy password that is used to generate the secret key for encrypting
messages that are exchanged with devices that support DES or AES128 encryption. Passwords (or
passphrases) must be at least 8 characters long.
Note • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long.
Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure
these required minimum character lengths for passwords results in devices not being discovered,
monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in the configuration.
Field Description
Type: Specifies the kind of HTTPS credentials you are configuring. Valid types are Read or Write.
Note The password must contain at least one lower case, one upper case, one digit, and a special
character and must not contain < > @ ' , : ; ! or spaces. For security reasons, enter the password
again as confirmation. Passwords are encrypted for security reasons and are not displayed in the
configuration.
h) (Optional) If you have network devices with NETCONF enabled, click NETCONF and enter a port
number in the Port field.
Note For an Evolved Converged Access (eCA) switch, enter the port number 830. If NETCONF is
not already enabled on the devices, you can set up Device Controllability to configure NETCONF
for you. For more information about Device Controllability, see the Cisco Digital Network
Architecture Center Administrator Guide.
Step 5 (Optional) To configure the protocols to be used to connect with devices, expand the Advanced area and do
the following tasks:
a) Click the names of the protocols that you want to use. A green check mark indicates that the protocol is
selected.
Valid protocols are SSH (default) and Telnet.
b) Drag and drop the protocols in the order that you want them to be used.
Step 6 Click Start.
The Discoveries window displays the results of your scan.
The Discovery Details pane shows the status (active or inactive) and the Discovery configuration. The
Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices.
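A pre-flight check for the settings this procedure collects, written as an added example (it is not Cisco code and does not use a Cisco DNA Center API). It applies the limits stated in this guide and flags the weaker choices the procedure allows, such as the default public community string, Telnet, noAuthNoPriv, MD5 and DES. The dictionary layout and key names are hypothetical, the 4096 limit is read as addresses per range, and all sample values are constructed.

```python
import ipaddress

MAX_RANGE_ADDRESSES = 4096            # guide: "A maximum range of 4096 devices is supported."
SNMPV3_MODES = ("noAuthNoPriv", "AuthNoPriv", "AuthPriv")
HTTPS_FORBIDDEN = set("<>@',:;! ")    # characters the guide disallows in HTTP(S) passwords


def https_password_ok(password):
    """Guide rule: one lower, one upper, one digit, one special, no forbidden characters."""
    if any(c in HTTPS_FORBIDDEN for c in password):
        return False
    return (any(c.islower() for c in password) and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def check_snmpv3(cred, min_len=8):
    """Check one SNMPv3 credential; use min_len=12 where wireless controllers require it."""
    errors, warnings = [], []
    name, mode = cred.get("name", "?"), cred.get("mode")
    if mode not in SNMPV3_MODES:
        return [f"{name}: unknown mode {mode!r}"], warnings
    if mode == "noAuthNoPriv":
        return errors, [f"{name}: noAuthNoPriv provides no authentication or encryption"]
    auth = cred.get("auth_type")
    if auth not in ("SHA", "MD5"):
        errors.append(f"{name}: {mode} needs an auth type of SHA or MD5")
    elif auth == "MD5":
        warnings.append(f"{name}: HMAC-MD5 selected; SHA is available")
    if len(cred.get("auth_password", "")) < min_len:
        errors.append(f"{name}: auth password shorter than {min_len} characters")
    if mode == "AuthPriv":
        priv = cred.get("privacy_type")
        if priv not in ("AES128", "DES", "None"):
            errors.append(f"{name}: unknown privacy type {priv!r}")
        elif priv == "None":
            warnings.append(f"{name}: privacy type None leaves messages unencrypted")
        else:
            if priv == "DES":
                warnings.append(f"{name}: DES-56 privacy selected; AES128 is available")
            if len(cred.get("privacy_password", "")) < min_len:
                errors.append(f"{name}: privacy password shorter than {min_len} characters")
    return errors, warnings


def check_discovery_job(job):
    """Return (errors, warnings) for a discovery job held in a hypothetical dict layout."""
    errors, warnings = [], []
    if job.get("type") in ("CDP", "LLDP"):
        level = job.get("level", 16)                      # 16 is the guide's default
        if not 1 <= level <= 16:
            errors.append(f"{job['type']} level {level} is outside 1-16")
    elif job.get("type") == "Range":
        for first, last in job.get("ranges", []):
            try:
                count = int(ipaddress.IPv4Address(last)) - int(ipaddress.IPv4Address(first)) + 1
            except ValueError:
                errors.append(f"range {first}-{last}: not valid IPv4 addresses")
                continue
            if not 1 <= count <= MAX_RANGE_ADDRESSES:
                errors.append(f"range {first}-{last} covers {count} addresses")
    else:
        errors.append(f"unknown discovery type {job.get('type')!r}")
    for entry in job.get("subnet_filters", []):
        try:
            ipaddress.IPv4Network(entry, strict=False)    # accepts x.x.x.x and x.x.x.x/y
        except ValueError:
            errors.append(f"subnet filter {entry!r} is not an IP address or CIDR")
    community = job.get("snmp_ro_community")
    if not community or community == "public":
        warnings.append("SNMP RO community absent or 'public': the default string is in use")
    if "Telnet" in job.get("protocols", ["SSH"]):
        warnings.append("Telnet is enabled; it sends CLI credentials unencrypted")
    for cred in job.get("snmp_v3", []):
        e, w = check_snmpv3(cred, job.get("snmpv3_min_len", 8))
        errors += e
        warnings += w
    for cred in job.get("https", []):
        if not https_password_ok(cred.get("password", "")):
            errors.append(f"{cred.get('name', '?')}: HTTP(S) password breaks the guide's rule")
    return errors, warnings


# Constructed sample job: every name, address and password below is made up.
SAMPLE_JOB = {
    "type": "Range",
    "ranges": [("192.0.2.1", "192.0.2.254"), ("10.0.0.0", "10.0.31.255")],
    "subnet_filters": ["192.0.2.128/25", "192.0.2.300"],
    "protocols": ["SSH", "Telnet"],
    "snmp_v3": [
        {"name": "core", "mode": "AuthPriv", "auth_type": "SHA",
         "auth_password": "constructed-pass-1", "privacy_type": "AES128",
         "privacy_password": "constructed-pass-2"},
        {"name": "legacy", "mode": "AuthPriv", "auth_type": "MD5",
         "auth_password": "short", "privacy_type": "DES",
         "privacy_password": "also-constructed"},
    ],
    "https": [{"name": "nfvis-read", "type": "Read", "password": "Constructed#9"}],
}

if __name__ == "__main__":
    errs, warns = check_discovery_job(SAMPLE_JOB)
    print("\n".join(["ERRORS:"] + errs + ["WARNINGS:"] + warns))
```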
Discover Your Network Using an IP Address Range
Procedure
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 In the Discovery Name field, enter a name.
Step 3 Expand the IP Address/Ranges area, if it is not already visible, and configure the following fields:
a) For Discovery Type, click Range.
b) In the IP Ranges field, enter the beginning and ending IP addresses (IP address range) for Cisco DNA
Center to scan and click .
You can enter a single IP address range or multiple IP addresses for the discovery scan.
Note Cisco Wireless Controllers must be discovered using the Management IP address instead of the
Service Port IP address. If not, the related wireless controller 360 and AP 360 pages will not
display any data.
Step 4 Expand the Credentials area and configure the credentials that you want to use for the Discovery job.
Choose any of the global credentials that have already been created or configure your own Discovery credentials.
If you configure your own credentials, you can save them for only the current job by clicking Save, or you
can save them for the current and future jobs by checking the Save as global settings check box and then
clicking Save.
a) Make sure that the global credentials that you want to use are selected. If you do not want to use a credential,
deselect it.
b) To add additional credentials, click Add Credentials.
c) To configure CLI credentials, configure the following fields:
Field Description
Note Passwords are encrypted for security reasons and are not displayed in
the configuration.
Field Description
Name/Description: Name or description of the SNMPv3 settings that you are adding.
Mode: Security level that an SNMP message requires. Choose one of the following modes:
• noAuthNoPriv—Does not provide authentication or encryption.
• AuthNoPriv—Provides authentication, but does not provide encryption.
• AuthPriv—Provides both authentication and encryption.
Auth Type: Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as the
authentication mode.) Choose one of the following authentication types:
• SHA—Authentication based on HMAC-SHA.
• MD5—Authentication based on HMAC-MD5.
Auth Password: SNMPv3 password used for gaining access to information from devices that use SNMPv3.
These passwords (or passphrases) must be at least 8 characters in length.
Note • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long.
Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure
these required minimum character lengths for passwords results in devices not being discovered,
monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in the configuration.
Privacy Type: Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose one of
the following privacy types:
• DES—DES 56-bit (DES-56) encryption in addition to authentication based on the CBC DES-56 standard.
• AES128—CBC mode AES for encryption.
• None—No privacy.
Privacy Password: SNMPv3 privacy password that is used to generate the secret key for encrypting
messages that are exchanged with devices that support DES or AES128 encryption. Passwords (or
passphrases) must be at least 8 characters long.
Note • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long.
Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure
these required minimum character lengths for passwords results in devices not being discovered,
monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in the configuration.
Field Description
Type: Specifies the kind of HTTPS credentials you are configuring. Valid types are Read or Write.
Note The password must contain at least one lower case, one upper case, one digit, and a special
character and must not contain < > @ ' , : ; ! or spaces. For security reasons, enter the password
again as confirmation. Passwords are encrypted for security reasons and are not displayed in the
configuration.
h) (Optional) If you have network devices with NETCONF enabled, click NETCONF and enter a port
number in the Port field.
Note If NETCONF is not already enabled on the devices, you can set up Device Controllability to
configure NETCONF for you. For more information about Device Controllability, see the Cisco
Digital Network Architecture Center Administrator Guide.
Step 5 (Optional) To configure the protocols that are to be used to connect with devices, expand the Advanced area
and do the following tasks:
a) Click the protocols that you want to use. A green check mark indicates that the protocol is selected.
Valid protocols are SSH (default) and Telnet.
b) Drag and drop the protocols in the order that you want them to be used.
Step 6 Click Start.
Discover Your Network Using LLDP
Note • The Discovery function requires the correct SNMP Read Only (RO) community string. If an SNMP RO
community string is not provided, as a best effort, the Discovery function uses the default SNMP RO
community string, public.
• CLI credentials are not required to discover hosts; hosts are discovered through the network devices that
they are connected to.
Procedure
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 In the Discovery Name field, enter a name.
Step 3 Expand the IP Address/Range area if it is not already visible, and configure the following fields:
a) For Discovery Type, click LLDP.
b) In the IP Address field, enter a seed IP address for Cisco DNA Center to start the Discovery scan.
c) (Optional) In the Subnet Filter field, enter an IP address or subnet to exclude from the Discovery scan.
You can enter addresses either as an individual IP address (x.x.x.x) or as a classless inter-domain routing
(CIDR) address (x.x.x.x/y), where x.x.x.x refers to the IP address and y refers to the subnet mask. The
subnet mask can be a value from 0 to 32.
d) Click .
Repeat Step c and Step d to exclude multiple subnets from the Discovery job.
e) (Optional) In the LLDP Level field, enter the number of hops from the seed device that you want to scan.
Valid values are from 1 to 16. The default value is 16. For example, LLDP level 3 means that LLDP will
scan up to three hops from the seed device.
f) From the Preferred Management IP drop-down list, choose either None or Use Loopback.
Choose None to allow the device to use any of its IP addresses, or choose Use Loopback IP to specify the
device's loopback interface IP address. If you choose Use Loopback IP and the device does not have a
loopback interface, Cisco DNA Center chooses a management IP address using the logic described in
Preferred Management IP Address, on page 14.
Note To use the loopback interface IP address as the preferred management IP address, make sure
that the LLDP neighbor's IP address is reachable from Cisco DNA Center.
Step 4 Expand the Credentials area and configure the credentials that you want to use for the Discovery job.
Choose any of the global credentials that have already been created, or configure your own Discovery
credentials. If you configure the credentials, you can choose to save them for future jobs by checking the Save
as global settings check box.
a) Make sure that the global credentials that you want to use are selected. If you do not want to use a credential,
deselect it.
b) To add additional credentials, click Add Credentials.
c) For CLI credentials, configure the following fields:
Field Description
Note Passwords are encrypted for security reasons and are not displayed in
the configuration.
Field Description
Name/Description Name or description of the SNMPv3 settings that you are adding.
Mode Security level that an SNMP message requires. Choose one of the following modes:
• noAuthNoPriv—Does not provide authentication or encryption.
• AuthNoPriv—Provides authentication, but does not provide encryption.
• AuthPriv—Provides both authentication and encryption.
Auth Type Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv
as the authentication mode.) Choose one of the following authentication types:
• SHA—Authentication based on HMAC-SHA.
• MD5—Authentication based on HMAC-MD5.
Auth Password SNMPv3 password used for gaining access to information from devices that use
SNMPv3. These passwords (or passphrases) must be at least 8 characters in length.
Note • Some wireless controllers require that passwords (or passphrases)
be at least 12 characters long. Be sure to check the minimum
password requirements for your wireless controllers. Failure to
ensure these required minimum character lengths for passwords
results in devices not being discovered, monitored, or managed by
Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed
in the configuration.
Privacy Type Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose
one of the following privacy types:
• DES—DES 56-bit (DES-56) encryption in addition to authentication based
on the CBC DES-56 standard.
• AES128—CBC mode AES for encryption.
• None—No privacy.
Privacy Password SNMPv3 privacy password that is used to generate the secret key for encrypting
messages that are exchanged with devices that support DES or AES128 encryption.
Passwords (or passphrases) must be at least 8 characters long.
Note • Some wireless controllers require that passwords (or passphrases)
be at least 12 characters long. Be sure to check the minimum
password requirements for your wireless controllers. Failure to
ensure these required minimum character lengths for passwords
results in devices not being discovered, monitored, or managed by
Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed
in the configuration.
Field Description
Type Specifies the kind of HTTPS credentials you are configuring. Valid types are Read
or Write.
Note The password must contain at least one lower case, one upper case, one
digit, and a special character and must not contain < > @ ' , : ; ! or spaces.
For security reasons, enter the password again as confirmation. Passwords
are encrypted for security reasons and are not displayed in the
configuration.
Step 5 (Optional) To configure the protocols to be used to connect with devices, expand the Advanced area and do
the following tasks:
a) Click the names of the protocols that you want to use. A green check mark indicates that the protocol is
selected. Valid protocols are SSH (default) and Telnet.
b) Drag and drop the protocols in the order that you want them to be used.
Step 6 Click Start.
The Discoveries window displays the results of your scan.
The Discovery Details pane shows the status (active or inactive) and the Discovery configuration. The
Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices.
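The following Python check is an added example, not part of the Cisco guide or of any Cisco DNA Center API: it lints a planned Discovery job against the limits this procedure states (LLDP level, subnet filter syntax, password rules) and flags the weaker choices the procedure permits (Telnet, the default public community string, MD5, DES, no privacy). The dictionary keys, finding codes, and severity labels are assumptions made for illustration, and the sample job is constructed.

```python
import ipaddress
import string

# Limits come from the guide; field names, codes and severities are this example's own.
HTTPS_FORBIDDEN = set("<>@',:;! ")
# Assumption: "special character" means ASCII punctuation that is not forbidden.
HTTPS_SPECIAL = set(string.punctuation) - HTTPS_FORBIDDEN


def valid_subnet_filter(entry):
    """True for x.x.x.x or x.x.x.x/y with y from 0 to 32."""
    addr, slash, prefix = entry.partition("/")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    if not slash:
        return True
    return prefix.isascii() and prefix.isdigit() and int(prefix) <= 32


def https_password_problems(pw):
    """List which of the guide's HTTPS password rules a candidate breaks."""
    checks = [("no lowercase letter", str.islower), ("no uppercase letter", str.isupper),
              ("no digit", str.isdigit),
              ("no permitted special character", HTTPS_SPECIAL.__contains__)]
    problems = [msg for msg, ok in checks if not any(ok(c) for c in pw)]
    bad = sorted(set(pw) & HTTPS_FORBIDDEN)
    if bad:
        problems.append("forbidden character(s): " + " ".join(repr(c) for c in bad))
    return problems


def _length_findings(label, pw):
    if len(pw) < 8:
        return [("error", "PASSWORD_TOO_SHORT", f"{label} is under the 8-character minimum")]
    if len(pw) < 12:
        return [("note", "PASSWORD_UNDER_12",
                 f"{label} is under 12 characters; some wireless controllers need 12")]
    return []


def lint_snmpv3(cred):
    """Findings for one SNMPv3 credential using the guide's Mode/Auth/Privacy values."""
    out, mode, priv = [], cred["mode"], cred.get("privacy_type")
    if mode == "noAuthNoPriv":
        out.append(("risk", "SNMPV3_NO_AUTH", "no authentication and no encryption"))
    if mode in ("AuthNoPriv", "AuthPriv"):
        if cred.get("auth_type") == "MD5":
            out.append(("risk", "SNMPV3_MD5", "HMAC-MD5 chosen where SHA is offered"))
        out += _length_findings("auth password", cred.get("auth_password", ""))
    if mode == "AuthNoPriv" or (mode == "AuthPriv" and priv == "None"):
        out.append(("risk", "SNMPV3_NO_PRIVACY", "SNMP payloads are sent unencrypted"))
    if mode == "AuthPriv" and priv in ("DES", "AES128"):
        if priv == "DES":
            out.append(("risk", "SNMPV3_DES", "56-bit DES chosen where AES128 is offered"))
        out += _length_findings("privacy password", cred.get("privacy_password", ""))
    return out


def lint_discovery_job(job):
    """Return (severity, code, message) findings for one planned Discovery job."""
    out = []
    level = job.get("lldp_level", 16)            # guide default is 16
    if not 1 <= level <= 16:
        out.append(("error", "LLDP_LEVEL_RANGE", f"LLDP level {level} is outside 1-16"))
    for entry in job.get("subnet_filters", []):
        if not valid_subnet_filter(entry):
            out.append(("error", "SUBNET_FILTER_INVALID", f"bad subnet filter {entry!r}"))
    order = job.get("protocol_order", ["SSH"])   # SSH is the guide's default
    if "Telnet" in order:
        out.append(("risk", "TELNET_ENABLED", "Telnet sends CLI credentials in cleartext"))
        if "SSH" not in order or order.index("Telnet") < order.index("SSH"):
            out.append(("risk", "TELNET_PREFERRED", "Telnet is tried before SSH"))
    if job.get("snmp_ro_community") in (None, "", "public"):
        out.append(("risk", "SNMP_DEFAULT_COMMUNITY",
                    "Discovery will use the default RO community string, public"))
    if "snmpv3" in job:
        out += lint_snmpv3(job["snmpv3"])
    problems = https_password_problems(job["https_password"]) if "https_password" in job else []
    if problems:
        out.append(("error", "HTTPS_PASSWORD_RULES", "; ".join(problems)))
    return out


SAMPLE_JOB = {  # constructed sample, not exported from any product
    "lldp_level": 20,
    "subnet_filters": ["10.10.0.0/16", "192.168.1.0/33"],
    "protocol_order": ["Telnet", "SSH"],
    "snmp_ro_community": None,
    "snmpv3": {"mode": "AuthPriv", "auth_type": "MD5", "auth_password": "s3cretpw",
               "privacy_type": "DES", "privacy_password": "short"},
    "https_password": "Passw0rd!",
}

if __name__ == "__main__":
    for severity, code, message in lint_discovery_job(SAMPLE_JOB):
        print(f"{severity:5} {code:24} {message}")
```

Findings marked error break a limit the guide states; risk and note findings are settings the guide allows but that a reviewer would normally question before the job is started.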
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 To stop an active Discovery job, perform these steps:
a) From the Discoveries pane, select the corresponding Discovery job.
b) Click Stop.
Step 3 To restart an inactive Discovery job, perform these steps:
a) From the Discoveries pane, select the corresponding Discovery job.
b) Click Start.
Procedure
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 From the Discoveries pane, select the Discovery job.
Step 3 Click Edit.
Step 4 Depending on the Discovery type, you can change the type of Discovery job, except for the following fields:
• CDP—Discovery name, Discovery type, IP address. For more information about the fields you can
change, see Discover Your Network Using CDP, on page 15.
• IP Range—Discovery name, Discovery type, IP address range (although you can add additional IP
address ranges). For more information about the fields you can change, see Discover Your Network
Using an IP Address Range, on page 21.
• LLDP—Discovery name, Discovery type, IP address. For more information about the fields you can
change, see Discover Your Network Using LLDP, on page 26.
Procedure
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 From the Discoveries pane, select the Discovery job.
Step 3 Click Edit.
Step 4 Expand the Credentials area.
Step 5 Deselect the credentials that you do not want to use.
Step 6 Configure the credentials that you want to use:
a) Click Add Credentials.
b) To configure CLI credentials, configure the following fields:
Field Description
Note Passwords are encrypted for security reasons and are not displayed in
the configuration.
Field Description
Name/Description Name or description of the SNMPv3 settings that you are adding.
Mode Security level that an SNMP message requires. Choose one of the following modes:
• noAuthNoPriv—Does not provide authentication or encryption.
• AuthNoPriv—Provides authentication, but does not provide encryption.
• AuthPriv—Provides both authentication and encryption.
Auth Type Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv
as the authentication mode.) Choose one of the following authentication types:
• SHA—Authentication based on HMAC-SHA.
• MD5—Authentication based on HMAC-MD5.
Auth Password SNMPv3 password used for gaining access to information from devices that use
SNMPv3. These passwords (or passphrases) must be at least 8 characters in length.
Note • Some wireless controllers require that passwords (or passphrases)
be at least 12 characters long. Be sure to check the minimum
password requirements for your wireless controllers. Failure to
ensure these required minimum character lengths for passwords
results in devices not being discovered, monitored, or managed by
Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed
in the configuration.
Privacy Type Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose
one of the following privacy types:
• DES—DES 56-bit (DES-56) encryption in addition to authentication based
on the CBC DES-56 standard.
• AES128—CBC mode AES for encryption.
• None—No privacy.
Privacy Password SNMPv3 privacy password that is used to generate the secret key for encrypting
messages that are exchanged with devices that support DES or AES128 encryption.
Passwords (or passphrases) must be at least 8 characters long.
Note • Some wireless controllers require that passwords (or passphrases)
be at least 12 characters long. Be sure to check the minimum
password requirements for your wireless controllers. Failure to
ensure these required minimum character lengths for passwords
results in devices not being discovered, monitored, or managed by
Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed
in the configuration.
Procedure
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 From the Discoveries pane, select the Discovery job.
Step 3 Click Clone.
Cisco DNA Center creates a copy of the Discovery job, named Copy of Discovery_Job.
Procedure
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 From the Discoveries pane, select the Discovery job that you want to delete.
Step 3 Click Delete.
Step 4 Click OK to confirm.
Procedure
Step 1 From the Cisco DNA Center home page, click Discovery.
Step 2 From the Discoveries pane, select the Discovery job. Alternatively, use the Search function to find a Discovery
job by device IP address or name.
Step 3 Click the down arrow next to one of the following areas for more information:
• Discovery Details—Displays the parameters that were used to run the Discovery job. Parameters include
attributes such as the CDP or LLDP level, IP address range, and protocol order.
• Credentials—Provides the names of the credentials that were used.
• History—Lists each Discovery job that was run, including the status (completed or in progress), the time
it was run, its duration, and whether any devices were discovered. You can click View to display discovery
information per device, such as the status of the device and which device credentials were successful.
Use the Filter function to display devices by any combination of IP addresses or ICMP, CLI, HTTPS,
or NETCONF values.
For more information on typical use cases and workflows, see Network Plug and Play Use Cases, on page
39.
To access the Network Plug and Play application after it is installed, from the Cisco DNA Center home
page, click the Network Plug and Play tool. Table 20: Network Plug and Play Dashboard Elements, on page
38 describes the elements in the Network Plug and Play dashboard.
Element Description
Add images, or Manage x images Shows the number of software images that are
available in the Cisco DNA Center image repository,
or shows Add, if there are none. Click the link to go
to the image repository. For more information, see
Manage Software Images, on page 83.
Add templates, or Manage x templates Shows the number of configuration templates that are
available in the Cisco DNA Center template editor,
or shows Add, if there are none. Click the link to go
to the template editor. For more information, see
Create Templates to Automate Device Configuration
Changes, on page 149.
Add workflows, or Manage x workflows Shows the number of Network Plug and Play
workflows that are defined, or shows Add, if there
are none. Click the link to go to the Workflows tab.
For more information, see Workflows Overview, on
page 47.
Manage Smart Account Sync Click Manage to go to Settings > Smart Accounts
to manage Smart Account synchronization. For more
information, see Manage Cisco Smart Accounts, on
page 55.
x devices are in error state Click the number to go to the Devices tab that is
filtered on devices in the Error state.
x planned devices not called in Click the number to go to the Devices tab that is
filtered on devices in the Planned state and that have
not been contacted.
x devices have been provisioned Click the number to go to the Devices tab that is
filtered on devices in the Provisioned state.
Element Description
Devices States chart Pie chart showing the number of devices in each of
the following states:
• Error—Device had an error and could not be
provisioned.
• Unclaimed—Device has not been assigned a
workflow.
• Planned—Device is added to Network Plug and
Play and has been assigned a workflow, but has
not yet contacted the server.
• Provisioned—Device is successfully onboarded
and added to inventory.
Device Sources chart Pie chart showing the number of devices from each
of the following sources:
• User—Devices added by a user.
• Network—Devices that appeared on the network
and were not added by a user.
• SmartAccount—Devices added through
synchronization with a Cisco Smart Account.
• Migrated—Devices that were migrated from
Cisco DNA Center 1.1.
Planned Provisioning
An administrator can plan the provisioning of a new site or other group of network devices as follows:
1. Upload software images to be deployed to devices. See Import Software Images, on page 85.
2. Define configuration templates or files to be applied to devices. See Create Templates to Automate Device
Configuration Changes, on page 149.
3. Create a workflow for the different types of devices to be deployed. See Create or Edit a Workflow, on
page 49.
4. Add details about planned devices one at a time or in bulk with a CSV file. See Add or Edit a Device, on
page 43 or Add Devices in Bulk, on page 44.
5. Devices boot up and are automatically provisioned according to their workflows.
Unclaimed Provisioning
If a new network device is added to the network before it can be planned, it is labeled as an unclaimed device.
An administrator can claim it by assigning it a workflow, or by directly provisioning it with a software image
and a configuration template, as follows:
1. Find the device on the unclaimed devices list. See View Devices, on page 43.
2. Claim the device by assigning a workflow or by directly assigning a software image and configuration
template. See Claim a Device, on page 45.
Note When provisioning Cisco Firepower Threat Defense Virtual through the NFV provisioning flow, the default
credential username is retained and the password is updated based on the settings in the credential profile
assigned to the site in Network Settings.
To manage devices, you can use the controls above the device list, shown in Table 21: Device Controls, on
page 41.
Note Not all options are available under each device tab. For example, the Edit and Claim options are available
only from the All Devices and Unclaimed tabs. Additionally, some of the options are available from the
device details window that opens when you click a device name.
Control Description
Edit Select one device and click Edit to edit the device.
For more information, see Add or Edit a Device, on
page 43.
Find Enter a search term in the Find field to find all the
devices that have that term in a column. Use the
asterisk (*) character as a wildcard anywhere in the
search string.
The Device table displays the information shown in Table 22: Device Information, on page 42 for each device.
All of the columns support sorting. Click the column header to sort the rows in ascending order. Click the
column header again to sort the rows in descending order.
Note Not all columns are used in each device tab. Additionally, some of the columns are hidden in the default
column view setting, which can be customized by clicking on the 3 dots ( ) at the right end of the column
headings.
Column Description
Name Name of the device. Click this link to open the device
details window. For more information, see View
Devices, on page 43. A stack icon indicates a switch
stack.
Last Contact Last date and time the device contacted Network Plug
and Play.
Added On Date and time when the device was added to Network
Plug and Play.
View Devices
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Click the Devices tab.
The All Devices tab lists all of the devices. You can use the Filter or Find option to find a device, or click
the Unclaimed, Provisioned, or Errors tab to see specific types of devices.
Step 4 Click the Details, History, Workflow, and Stack tabs to view the different types of information for the device.
Some tabs have additional links that you can click for more information.
The Stack tab appears only for a switch stack device.
Step 5 Click the following actions at the top of the dialog box to perform specific tasks on the device. Available
actions depend on the device state.
• Refresh—Refreshes the device state information.
• Claim—Claims the device. See Claim a Device, on page 45.
• Edit—Edits the device. See Add or Edit a Device, on page 43.
• Reset—Resets the device. See Delete or Reset a Device, on page 47.
• Delete—Deletes the device. See Delete or Reset a Device, on page 47.
Field Description
Serial Number Device serial number (read only if you are editing a
device).
Field Description
SUDI Serial Numbers Devices that support SUDI have two serial numbers:
the chassis serial number and the SUDI serial number
(called the License SN on the device label). Enter one
or more comma-separated SUDI serial numbers in
this field when adding a device that uses SUDI
authentication. This field appears only if Enable
SUDI Authorization is checked.
This Device Represents a Stack Device represents a stack (this item is read only if you
are editing a device). Applicable only for supported
stackable switches that are being planned.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Click the Devices tab.
The All Devices tab lists all of the devices. You can use the Filter or Find option to find a device, or click
the Unclaimed tab to see only the unclaimed devices.
Step 4 Set the fields as needed, referring to Table 23: Device Fields, on page 43 for more information.
Step 5 Save the settings by doing one of the following:
• If you are adding a device and will claim it later, click Add Device.
• If you are adding a device and want to claim it by assigning a workflow to it, click Add + Claim. For
more information, see Claim a Device, on page 45.
• If you are editing a device, click Edit Device.
Note If you add a device that already exists in Network Plug and Play, there is no change to the existing device.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Click the Devices tab.
Step 3 Click Add.
The Add Devices dialog is displayed.
Step 9 Check the box next to each device to import, or click the check box at the top to select all devices.
Step 10 Add the devices by doing one of the following:
• To add the devices and claim them later, click Add Devices.
• To add the devices and claim them by assigning one workflow to the whole group, click Add + Claim.
For more information, see Claim a Device, on page 45.
Claim a Device
Claiming a device assigns a provisioning workflow to it. If you claim a device that has not yet booted for the
first time, then you are planning the device so that it is automatically provisioned when it boots.
This procedure shows how to claim a device from the Devices tab. Alternatively, you can claim a device from
the device details window by clicking Claim.
• Optionally, define one or more workflows that you want to use to provision devices. For more information,
see Create or Edit a Workflow, on page 49.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Click the Devices tab.
The All Devices tab lists all of the devices. You can use the Filter or Find option to find a device, or click
the Unclaimed tab to see only the unclaimed devices.
Step 6 (Optional) From the Workflow drop-down list, choose a workflow to assign to the devices.
Skip to Step 9 if you selected a workflow, or continue with Step 7 if you want to directly assign a software
image or configuration.
Step 7 (Optional) In the Image area, choose a software image to apply to the devices, by doing one of the following:
• Click Image and choose an image that has been uploaded to the Cisco DNA Center image repository.
After you choose an image, you can view details about it by clicking Image Details.
• Click Import Image to open the Cisco DNA Center image repository in a new tab and import an image.
After you import an image, you can view details about it by clicking Image Details.
• Click URL and specify a TFTP or USB source from which the device can download the software image.
Step 8 (Optional) In the Configuration area, choose a configuration file or template to apply to the devices, by doing
one of the following:
• Click File and choose a configuration file that has been previously imported. After you choose a file,
you can view it by clicking View File.
• Click Import File and import a configuration file. After you import a file, you can view it by clicking
View File.
• Click Template and choose a template project and template that has been previously defined in the Cisco
DNA Center Template Editor tool. After you choose a template, you can view it by clicking View
Template.
• Click URL and specify a TFTP or USB source from which the device can download the configuration
file.
Step 9 If a configuration template is part of the selected workflow or was chosen directly, specify the values for the
parameters that were defined in the template.
A row for each device is displayed in a table and template parameter names are shown as column names.
Enter the values for each parameter in the fields for each device. A red asterisk indicates required fields.
Step 10 (Optional) Click Add Workflow if you want to add a new workflow.
For more information, see Create or Edit a Workflow, on page 49.
Step 11 Click Claim to claim the devices and start the provisioning process.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Click the Devices tab.
The All Devices tab lists all of the devices. You can use the Filter or Find option to find a device, or click
the Unclaimed, Provisioned, or Errors tab to see specific types of devices.
Step 3 Check the check box next to one or more devices that you want to delete or reset.
Step 4 Click Delete or Reset.
A confirmation dialog box is displayed.
Step 5 If you are resetting a device, choose one of the following workflow options:
• Reset and keep current workflow—Current workflow remains and device goes to Planned state.
• Reset and remove current workflow—Workflow is removed and device goes to Unclaimed state.
Control Description
Find Enter a search term in the Find field to find all the
workflows that have that term in a column. Use the
asterisk (*) character as a wildcard anywhere in the
search string.
The Workflows table displays the fields shown in Table 25: Workflows Information, on page 48 for each
workflow. The Workflow column supports sorting. Click the column header to sort the rows in ascending
order. Click the column header again to sort the rows in descending order.
Note Some of the columns are hidden in the default column view setting, which can be customized by clicking the
3 dots ( ) at the right end of the column headings.
Column Description
Modified Date and time when the workflow was last modified.
View a Workflow
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Click the Workflows tab.
The Workflows tab lists all of the workflows. You can use the Filter or Find option to find a workflow.
Step 4 Click the arrow next to a task to expand the task and display the details.
Step 5 Click the Devices tab to see the devices that are using the workflow.
Step 6 Click the following actions at the top of the dialog to perform specific tasks on the workflow.
• Clone—Clones the workflow. See Clone a Workflow, on page 52.
• Edit—Edits the workflow. See Create or Edit a Workflow, on page 49.
• Delete—Deletes the workflow. See Delete a Workflow, on page 54.
Field Description
Tasks > Renumber Stack Renumbers a switch stack. A user is asked during the claim process to set
the device that is at the top of the stack. This task applies only to the Cisco
Catalyst 3650, 3850, and 9000 Series switches that support stacking, and only
if they use the following stack-cabling scheme:
Figure 3: Stack Cabling Required for Renumbering
Tasks > Stack License Specifies a switch stack license level. A user is asked during the claim process
to specify the license level of the stack. Applies only to the Cisco Catalyst
3650, 3850, and 9000 Series switches that support stacking.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Click Workflows.
Step 3 You can add or edit a workflow:
• To add a new workflow, click Add.
• To edit an existing workflow, click the radio button next to the workflow name and click Edit.
Step 4 Set the fields as needed by referring to Table 26: Workflow Fields, on page 49.
Step 5 By default, Image and Configuration tasks are included in a new workflow. If you do not need a task, you
can delete it by clicking the trash can icon next to the task.
Step 6 Click New Task and optionally add one or more additional tasks to the workflow.
Step 7 To change the order of tasks in the workflow, click the up or down arrow icons next to a task to adjust its
order.
Step 8 Click Add to create the new workflow or Update to save an edited workflow.
Clone a Workflow
Cloning a workflow makes a copy of it and allows you to change the copy.
This procedure shows how to clone a workflow from the Workflows tab. Alternately, you can clone a workflow
from the workflow details pane by clicking Clone.
Field Description
Tasks > Renumber Stack Renumbers a switch stack. A user is asked during the claim process to set
the device that is at the top of the stack. This task applies only to the Cisco
Catalyst 3650, 3850, and 9000 Series switches that support stacking, and only
if they use the following stack-cabling scheme:
Figure 4: Stack Cabling Required for Renumbering
Tasks > Stack License Specifies a switch stack license level. A user is asked during the claim process
to specify the license level of the stack. Applies only to the Cisco Catalyst
3650, 3850, and 9000 Series switches that support stacking.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Click the Workflows tab.
The Workflows tab lists all of the workflows. You can use the Filter or Find option to find a workflow.
Delete a Workflow
You cannot delete a workflow that has devices assigned to it. You must first assign those devices to a different
workflow before deleting it.
Procedure
Step 1 From the Cisco DNA Center home page, click Network Plug and Play.
Step 2 Click Workflows.
Step 3 Click the radio button next to the workflow name and click Delete.
Step 4 Click Delete in the confirmation dialog.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Choose Settings > EULA Acceptance.
Step 3 To read the EULA, click the End User License Agreement link.
Step 4 Check the Accept EULA check box.
Step 5 Click Apply.
Field Description
Use as Default Controller Profile Check this check box to register this Cisco DNA
Center controller as the default controller in the Cisco
Plug and Play Connect cloud portal.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Choose Settings > Smart Accounts.
The table lists all of the registered virtual account profiles.
Step 4 Set the fields as needed by referring to Table 28: Virtual Account Fields, on page 56.
Step 5 Save the settings by doing one of the following:
• If you are registering a new virtual account profile, click Register.
• If you are editing a virtual account profile, click Change.
What to do next
Synchronize the device inventory from Cisco Plug and Play Connect to Network Plug and Play. For more
information, see View, Synchronize, and Deregister Smart Accounts, on page 57.
Control Description
Edit Profile Select a virtual account profile and click Edit Profile
to edit it. For more information, see Register or Edit
a Virtual Account, on page 55.
Find Enter a search term in the Find field to find all virtual
account profiles that have that term in a column. Use
the asterisk (*) character as a wildcard anywhere in
the search string.
The Virtual Accounts table displays the information shown in Table 30: Virtual Accounts Information, on
page 57 for each profile.
Column Description
Last Sync Time Last time the device inventory from the virtual account
was synchronized with Network Plug and Play.
Procedure
Step 1 From the Cisco DNA Center home page, choose Network Plug and Play.
Step 2 Choose Settings > Smart Accounts.
Step 3 Click the name of a virtual account profile to display detailed information.
Step 4 Click Sync to synchronize the device inventory from Cisco Plug and Play Connect in this virtual account to
Network Plug and Play.
Step 5 To remove this virtual account profile, click Deregister.
Step 6 In the confirmation dialog box, click Deregister.
What to do next
Claim the newly synchronized devices by assigning a workflow, or by directly assigning a software image
and configuration template. For more information, see Claim a Device, on page 45.
About Inventory
The Inventory function retrieves details about devices, such as host IP addresses, MAC addresses, and network
attachment points, and saves them in its database.
The Inventory feature can also work with the Device Controllability feature to configure the required network
settings on devices, if these settings are not already present on the device. For more information about Device
Controllability, see the Cisco Digital Network Architecture Center Administrator Guide.
Inventory uses the following protocols, as required:
• Link Layer Discovery Protocol (LLDP).
• IP Device Tracking (IPDT) or Switch Integrated Security Features (SISF). (IPDT or SISF must be enabled
on the device.)
• LLDP Media End-point Discovery. (This protocol is used to discover IP phones and some servers.)
• Network Configuration Protocol (NETCONF). For a list of devices, see Discovery Prerequisites, on page
12.
After the initial discovery, Cisco DNA Center maintains the inventory by polling the devices at regular
intervals. The default and minimum interval is every 25 minutes. However, you can change this interval up
to 24 hours, as required for your network environment. For more information, see Update Device Resync
Interval, on page 77. Polling occurs for each device, link, host, and interface. Only the devices that have been
active for less than a day are displayed. This prevents stale device data, if any, from being displayed. On
average, polling 500 devices takes approximately 20 minutes.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Table 31: Inventory, on page 61 describes the information that is available.
Column Description
Uptime Period of time that the device has been up and running.
Device Role Role assigned to each discovered device during the scan process. The
device role is used to identify and group devices according to their
responsibilities and placement within the network. If Cisco DNA Center
is unable to determine a device role, it sets the device role to Unknown.
Note If you manually change the device role, the assignment remains
static. Cisco DNA Center does not update the device role even
if it detects a change during a subsequent device
resynchronization.
If required, you can use the drop-down list in this column to change the
assigned device role. The following device roles are available:
• Unknown
• Access
• Core
• Distribution
• Border Router
Site The site to which the device is assigned. For more information, see About
Network Hierarchy, on page 98.
Last Updated Most recent date and time that Cisco DNA Center scanned the device and
updated the database with new information about the device.
Device Family Group of related devices, such as routers, switches and hubs, or wireless
controllers.
Device Series Series number of the device, for example, Cisco Catalyst 4500 Series
Switches.
Resync Interval The polling interval for the device. This interval can be set globally in
Settings or for a specific device in Inventory. For more information, see
the Cisco Digital Network Architecture Center Administrator Guide.
Last Sync Status Status of the last Discovery scan for the device:
• Managed—Device is in a fully managed state.
• Partial Collection Failure—Device is in a partially collected state
and not all the inventory information has been collected. Move the
cursor over the Information (i) icon to display additional information
about the failure.
• Unreachable—Device cannot be reached and no inventory
information was collected due to device connectivity issues. This
condition occurs when periodic collection takes place.
• Wrong Credentials—If device credentials are changed after adding
the device to the inventory, this condition is noted.
• In Progress—Inventory collection is occurring.
Step 2 (Optional) To change the layout, click and choose one of the following layouts, or customize your own
layout:
• Status—Layout shows the Device Name, IP Address, Reachability Status, Uptime, Last Updated
Time, Poller Time, and Last Inventory Collection Status.
• Hardware—Layout shows the Device Name, IP Address, MAC Address, IOS/Firmware, Platform,
Serial Number, Last Inventory Collection Status, Config, and Device Family.
• Tagging—Layout shows the Device Name, IP Address, MAC Address, Config, Device Role, Location,
and Device Tag.
Note For a complete list of supported devices, see the Cisco Digital Network Architecture Center Supported Devices
document.
• Network Devices—Supported network devices include Cisco routers, switches, and wireless devices
such as wireless controllers (WLCs) and access points (APs).
• Compute Devices—Supported compute devices include the Cisco Unified Computing System (UCS),
devices running Cisco Enterprise Network Functions Virtualization Infrastructure Software (NFVIS),
and other data center devices.
• Meraki Dashboard—Dashboard to the Cisco cloud management platform for managing Cisco Meraki
products.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Click Add.
The Add Device dialog box is displayed.
Field Description
Note Passwords are encrypted for security reasons and are not displayed in the
configuration.
Field Description
Name/Description Name or description of the SNMPv3 settings that you are adding.
Mode Security level that an SNMP message requires. Choose one of the following modes:
• noAuthNoPriv—Does not provide authentication or encryption.
• AuthNoPriv—Provides authentication, but does not provide encryption.
• AuthPriv—Provides both authentication and encryption.
Auth Type Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as
the authentication mode.) Choose one of the following authentication types:
• SHA—Authentication based on HMAC-SHA.
• MD5—Authentication based on HMAC-MD5.
Auth Password SNMPv3 password used for gaining access to information from devices that use
SNMPv3. These passwords (or passphrases) must be at least 8 characters in length.
Note • Some wireless controllers require that passwords (or passphrases) be
at least 12 characters long. Be sure to check the minimum password
requirements for your wireless controllers. Failure to ensure these
required minimum character lengths for passwords results in devices
not being discovered, monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in
the configuration.
Privacy Type Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose
one of the following privacy types:
• DES—DES 56-bit (DES-56) encryption in addition to authentication based on
the CBC DES-56 standard.
• AES128—CBC mode AES for encryption.
• None—No privacy.
Privacy Password SNMPv3 privacy password that is used to generate the secret key for encrypting
messages that are exchanged with devices that support DES or AES128 encryption.
Passwords (or passphrases) must be at least 8 characters long.
Note • Some wireless controllers require that passwords (or passphrases) be
at least 12 characters long. Be sure to check the minimum password
requirements for your wireless controllers. Failure to ensure these
required minimum character lengths for passwords results in devices
not being discovered, monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in
the configuration.
Step 7 Expand the SNMP RETRIES AND TIMEOUT area, if it is not already expanded, and configure the following
fields.
Field Description
Retries Number of attempts allowed to connect to the device. Valid values are from 1 to 3. The
default is 3.
Timeout (in Seconds) Number of seconds Cisco DNA Center waits when trying to establish a connection
with a device before timing out. Valid values are from 1 to 300 seconds in intervals of
5 seconds. The default is 5 seconds.
Step 8 Expand the CLI area, if it is not already expanded, and configure the following fields:
Field Description
Step 9 Expand the NETCONF area, if it is not already expanded, and configure the Port field.
NETCONF requires that you configure SSH as the CLI protocol and define the SSH credentials.
Related Topics
Types of Devices in the Cisco DNA Center Inventory, on page 64
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Select the network devices that you want to update.
Step 3 From the Actions drop-down list, choose Update Credentials.
Step 4 From the Type drop-down field, select Network Device if it is not already selected.
Step 5 Expand the SNMP area, if it is not already expanded.
Step 6 From the Version field, choose the SNMP version (V2C or V3).
Note Because both the SNMP and CLI credentials are updated together, we recommend that you provide
both credentials. If you provide only SNMP credentials, Cisco DNA Center saves only the SNMP
credentials, and the CLI credentials are not updated.
Step 7 Depending on whether you choose V2C or V3, enter information in the remaining fields, which are
described in the following tables.
Field Description
Note Passwords are encrypted for security reasons and are not displayed in the
configuration.
Field Description
Name/Description Name or description of the SNMPv3 settings that you are adding.
Mode Security level that an SNMP message requires. Choose one of the following modes:
• noAuthNoPriv—Does not provide authentication or encryption.
• AuthNoPriv—Provides authentication, but does not provide encryption.
• AuthPriv—Provides both authentication and encryption.
Auth Type Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as
the authentication mode.) Choose one of the following authentication types:
• SHA—Authentication based on HMAC-SHA.
• MD5—Authentication based on HMAC-MD5.
Auth Password SNMPv3 password used for gaining access to information from devices that use
SNMPv3. These passwords (or passphrases) must be at least 8 characters in length.
Note • Some wireless controllers require that passwords (or passphrases) be
at least 12 characters long. Be sure to check the minimum password
requirements for your wireless controllers. Failure to ensure these
required minimum character lengths for passwords results in devices
not being discovered, monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in
the configuration.
Privacy Type Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose
one of the following privacy types:
• DES—DES 56-bit (DES-56) encryption in addition to authentication based on
the CBC DES-56 standard.
• AES128—CBC mode AES for encryption.
• None—No privacy.
Privacy Password SNMPv3 privacy password that is used to generate the secret key for encrypting
messages that are exchanged with devices that support DES or AES128 encryption.
Passwords (or passphrases) must be at least 8 characters long.
Note • Some wireless controllers require that passwords (or passphrases) be
at least 12 characters long. Be sure to check the minimum password
requirements for your wireless controllers. Failure to ensure these
required minimum character lengths for passwords results in devices
not being discovered, monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in
the configuration.
Step 8 Expand the SNMP RETRIES AND TIMEOUT area, if it is not already expanded, and complete the following
fields:
Field Description
Retries Number of attempts allowed to connect to the device. Valid values are from 1 to 3. The
default is 3.
Timeout (in Seconds) Number of seconds Cisco DNA Center waits when trying to establish a connection
with a device before timing out. Valid values are from 1 to 300 seconds in intervals of
5 seconds. The default is 5 seconds.
Step 9 Expand the CLI area, if it is not already expanded, and complete the following fields:
Note Both the SNMP and CLI credentials are updated together, so you need to provide both credentials.
If you provide only SNMP credentials, Cisco DNA Center saves only the SNMP credentials. The
CLI credentials are not updated.
Field Description
Step 10 Expand the NETCONF area, if it is not already expanded, and configure the Port field.
NETCONF requires that you configure SSH as the CLI protocol and define the SSH credentials.
Related Topics
Types of Devices in the Cisco DNA Center Inventory, on page 64
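The SNMPv3 field rules from the Add Device and Update Credentials tables above (which fields each Mode enables, and the 8- and 12-character password minimums) can be checked before credentials are entered, since a profile that breaks them leaves devices undiscovered. The following Python check is an added example, not Cisco DNA Center code; the Snmpv3Profile record, the wlc_12_char_minimum flag, the finding codes and the sample profiles are hypothetical, and the warn-level findings are added hardening judgement rather than rules from the tables.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

MODES = ("noAuthNoPriv", "AuthNoPriv", "AuthPriv")
AUTH_TYPES = ("SHA", "MD5")
PRIVACY_TYPES = ("DES", "AES128", "None")
MIN_LEN = 8        # minimum the tables give for both passwords
MIN_LEN_WLC = 12   # minimum the tables give for some wireless controllers
Finding = Tuple[str, str, str]  # (severity, code, message)


@dataclass
class Snmpv3Profile:
    """Hypothetical record holding the SNMPv3 fields of the dialog."""
    name: str
    mode: str
    auth_type: Optional[str] = None
    auth_password: Optional[str] = None
    privacy_type: Optional[str] = None
    privacy_password: Optional[str] = None
    wlc_12_char_minimum: bool = False  # assumption: set by the operator per target


def check_secret(label: str, code: str, value: Optional[str],
                 minimum: int, out: List[Finding]) -> None:
    """Record a finding if a required password is absent or too short."""
    if not value:
        out.append(("error", code + "_MISSING", label + " is required"))
    elif len(value) < minimum:
        out.append(("error", code + "_SHORT",
                    "%s has %d characters, minimum is %d" % (label, len(value), minimum)))


def audit_profile(p: Snmpv3Profile) -> List[Finding]:
    """Apply the field rules from the tables, then the added hardening notes."""
    if p.mode not in MODES:
        return [("error", "MODE_INVALID", "unknown mode %r" % p.mode)]
    out: List[Finding] = []
    minimum = MIN_LEN_WLC if p.wlc_12_char_minimum else MIN_LEN
    uses_auth = p.mode in ("AuthNoPriv", "AuthPriv")
    uses_priv = p.mode == "AuthPriv"

    # Auth Type and Auth Password are enabled only for AuthNoPriv and AuthPriv.
    if uses_auth:
        if p.auth_type not in AUTH_TYPES:
            out.append(("error", "AUTH_TYPE_INVALID", "Auth Type must be SHA or MD5"))
        check_secret("Auth Password", "AUTH_PW", p.auth_password, minimum, out)
    elif p.auth_type or p.auth_password:
        out.append(("error", "AUTH_FIELDS_UNUSED", "auth fields are disabled in noAuthNoPriv"))

    # Privacy Type and Privacy Password are enabled only for AuthPriv.
    if uses_priv:
        if p.privacy_type not in PRIVACY_TYPES:
            out.append(("error", "PRIV_TYPE_INVALID", "Privacy Type must be DES, AES128 or None"))
        elif p.privacy_type == "None":
            out.append(("warn", "PRIV_NONE", "AuthPriv selected but Privacy Type is None"))
        else:
            check_secret("Privacy Password", "PRIV_PW", p.privacy_password, minimum, out)
    elif p.privacy_type not in (None, "None") or p.privacy_password:
        out.append(("error", "PRIV_FIELDS_UNUSED", "privacy fields are enabled only in AuthPriv"))

    # Hardening notes: added judgement, not rules stated in the tables.
    if p.mode == "noAuthNoPriv":
        out.append(("warn", "NO_AUTH_NO_PRIV", "no authentication or encryption"))
    if p.mode == "AuthNoPriv":
        out.append(("warn", "NO_ENCRYPTION", "messages are authenticated but not encrypted"))
    if uses_auth and p.auth_type == "MD5":
        out.append(("warn", "AUTH_MD5", "HMAC-MD5 selected; SHA is the other option offered"))
    if uses_priv and p.privacy_type == "DES":
        out.append(("warn", "PRIV_DES", "56-bit DES selected; AES128 is the other cipher offered"))
    if uses_priv and p.auth_password and p.auth_password == p.privacy_password:
        out.append(("warn", "PW_REUSED", "Auth and Privacy passwords are identical"))
    return out


def finding_codes(p: Snmpv3Profile) -> List[str]:
    """Sorted finding codes only, convenient for reports and comparisons."""
    return sorted(code for _sev, code, _msg in audit_profile(p))


# Constructed sample profiles; the passwords are placeholders, not real secrets.
SAMPLE_PROFILES = [
    Snmpv3Profile("campus-default", "AuthPriv", "SHA", "constructed-auth-01",
                  "AES128", "constructed-priv-01"),
    Snmpv3Profile("legacy", "AuthPriv", "MD5", "short7!", "DES", "short7!"),
    Snmpv3Profile("wlc", "AuthPriv", "SHA", "tenchars10", "AES128", "tenchars11",
                  wlc_12_char_minimum=True),
    Snmpv3Profile("open", "noAuthNoPriv"),
    Snmpv3Profile("mismatch", "AuthNoPriv", "SHA", "constructed-auth-02",
                  "AES128", "constructed-priv-02"),
]

if __name__ == "__main__":
    for profile in SAMPLE_PROFILES:
        findings = audit_profile(profile)
        print(profile.name, "OK" if not findings else "")
        for severity, code, message in findings:
            print("  [%s] %s: %s" % (severity, code, message))
```

Error-level findings correspond to combinations the dialog would reject or that the tables say stop discovery; warn-level findings are choices the dialog accepts.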
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Click Add.
The Add Device dialog box is displayed.
Related Topics
Types of Devices in the Cisco DNA Center Inventory, on page 64
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Select the devices that you want to update.
Step 3 From the Actions drop-down list, choose Update Credentials.
Step 4 From the Type drop-down list, choose Compute Device.
Step 5 Expand the HTTP(S) area, if it is not already expanded.
Step 6 In the Username and Password fields, enter the username and password.
Related Topics
Types of Devices in the Cisco DNA Center Inventory, on page 64
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Click Add.
Step 3 In the Add Device dialog box, from the Type drop-down list, choose Meraki Dashboard.
Step 4 Expand the HTTP(S) area, if it is not already expanded.
Step 5 In the API Key / Password field, enter the API key and password credentials used to access the Meraki
dashboard.
Cisco DNA Center collects inventory data from the Meraki Dashboard and displays the information.
Related Topics
Types of Devices in the Cisco DNA Center Inventory, on page 64
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Select the devices that you want to update.
Step 3 From the Actions drop-down list, choose Update Credentials.
Step 4 From the Type drop-down list, choose Meraki Dashboard.
Step 5 Expand the HTTP(S) area, if it is not already expanded.
Step 6 In the API Key / Password field, enter the API key and password credentials used to access the Meraki
dashboard.
Related Topics
Types of Devices in the Cisco DNA Center Inventory, on page 64
Filter Devices
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Click Filters.
The following filters are displayed:
• Device Name
• IP Address
• MAC Address
• Reachability Status
• IOS/Firmware
• Platform
• Serial Number
• Up Time
• Last Updated Time
• Resync Interval
• Last Inventory Collection Status
• Device Role
• Location
• Device Family
• Device Series
Step 3 Enter the appropriate value in the selected filter field. For example, for the Device Name filter, enter the name
of a device.
Cisco DNA Center presents you with auto-complete values as you enter values in the other fields. Choose
one of the suggested values or finish entering the desired value.
You can also use a wildcard (asterisk) with these filters. For example, you can enter values with an asterisk
at the beginning, end, or in the middle of a string value.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Click and choose one of the following layout presets:
• Status—Displays general device status information, including Up Time, Update Frequency, and
Number of Updates.
• Hardware—Displays hardware information, including IOS/firmware, Serial Number, and Device
Role.
• Tagging—Displays tagging information, including Device Role, Location, and Tag.
Step 3 To customize your layout, select the columns that you want to display.
A blue check mark next to a column means that the column is displayed in the table.
map in the Topology tool. The top tier is the internet. The devices underneath are assigned one of the following
roles:
Tier 3 Core
Tier 4 Distribution
Tier 5 Access
Tier 6 Unknown
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Locate the device whose role you want to change and choose a new role from the Device Role drop-down
list. Valid choices are Unknown, Access, Core, Distribution, or Border Router.
Note If you manually change the device role, the assignment remains static. Cisco DNA Center does not
update the device role even if it detects a change during a subsequent device resynchronization.
Note You cannot update more than one device at a time. Also, you cannot update a Meraki device's management
IP address.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Select the devices that you want to update.
Step 3 From the Actions drop-down list, choose Update Management IP.
The Update Management IP dialog box is displayed.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Select the devices that you want to update.
Step 3 From the Actions drop-down list, choose Update Resync Interval.
The Update Resync Interval dialog box is displayed.
Step 4 In Select Resync Option, click the radio button that corresponds to the type of resynchronization option you
want to configure for the device. Valid choices are Custom, Global, and Disable.
Step 5 If you chose Custom, in the Resync Interval (in Mins) field, enter the time interval (in minutes) between
successive polling cycles. Valid values are from 25 to 1440 minutes (24 hours).
Step 6 Click Update.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Select the devices that you want to gather information about.
Step 3 From the Actions drop-down list, choose Resync.
Step 4 Confirm the action by clicking OK.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Check the check box next to the device or devices that you want to delete.
Note You can select multiple devices by checking additional check boxes, or you can select all the devices
by checking the check box at the top of the list.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Select the devices that you want to run commands on.
Step 3 From the Actions drop-down list, choose Launch Command Runner.
For information about the commands that you can run and how to run them, see Run Diagnostic Commands
on Devices, on page 161.
Note You must also provide values for the fields that correspond to the protocol you specify. For example, if you
specify SNMPv3, you must specify values for the SNMPv3 fields in the sample CSV file such as the SNMPv3
username and authorization password.
For partial inventory collection in Cisco DNA Center, you must provide the following values in the CSV file:
• Device IP address
• SNMP version
• SNMP read-only community strings
• SNMP write community strings
• SNMP retry value
• SNMP timeout value
For full inventory collection in Cisco DNA Center, you must provide the following values in the CSV file:
• Device IP address
• SNMP version
• SNMP read-only community strings
Procedure
Step 1 From the Cisco DNA Center Home page, click Inventory.
Step 2 Click Import Device(s) to import all of the devices from the CSV file into Inventory.
Step 3 Drag and drop the CSV file into the boxed area in the Bulk Import dialog box or click the dotted-line boxed
area and browse to the CSV file.
Step 4 In the Export Device dialog box, enter a password that will be used to encrypt the exported CSV file. (Users
will need to supply this password to open the exported file.)
Step 5 Click Import.
Caution Handle the CSV file with care because it contains sensitive information about the exported devices. Ensure
that only users with special privileges perform a device export.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 To export configuration information about only certain devices, check the check box next to the devices that
you want to include. To include all the devices, check the check box at the top of the device list.
Step 3 Click Export.
The Export dialog box appears.
Step 4 Check the check boxes next to the data that you want to include in the CSV file.
Step 5 Click Export.
Note Depending on your browser configuration, you can save or open the compressed file.
Caution Handle the CSV file with care because it lists all of the credentials for the exported devices. Ensure that only
users with special privileges perform a device export.
Procedure
Step 1 From the Cisco DNA Center home page, click Inventory.
Step 2 Check the check box next to the devices that you want to include in the CSV file. To include all the devices,
select the checkbox at the top of the list.
Step 3 Click Export to export the device credentials.
The Export dialog box appears.
Before using Image Repository features, you must enable Transport Layer Security protocol (TLS) on older
devices such as Catalyst 3K, 4K, and 6K. After any system upgrade, you must re-enable TLS. For
more information, see “Configure Security for Cisco DNA Center” in the Cisco Digital Network Architecture
Center Administrator Guide.
On the Image Repository window, a message displays if the Integrity Verification application cannot verify
the selected software image using the current KGV file. For more information about the Integrity Verification
application and importing KGV files, see the Cisco Digital Network Architecture Center Administrator Guide.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Image Repository. Alternatively, in Cisco DNA
Center, click Image Repository.
The software images are organized and displayed based on the device type. By default, software images for
physical devices are displayed. You can toggle to the Virtual tab to view software images for virtual devices.
Step 2 In the Image Name column, click the downward arrow to view all the software images for the specified device
type family. The Using Image column indicates how many devices are using the specific image shown in the
Image Name field. Click the number link to view the devices that are using the image.
Step 3 In the Version column, click the Add On link to view the applicable SMUs and sub-packages for the base
image. Sub-packages are the additional features that can be added to the existing base image. The sub-package
version that is the same as the image family and the base image version is displayed here.
Note If you tag any SMU as golden, it will be automatically activated when the base image is installed.
You cannot tag a sub-package as golden.
Step 4 In the Device Role column, select a device role for which you want to indicate this is a "golden" software
image. For more information, see About Golden Software Images, on page 86 and Create Golden Software
Images, on page 86.
Procedure
Step 1 From the Cisco DNA Center home page, choose > System Settings > Settings > Cisco Credentials and
verify that you have entered the correct credentials to connect to Cisco.com.
Step 2 Choose Design > Image Repository, or click Image Repository from the Cisco DNA Center home page.
Cisco DNA Center displays the Cisco-recommended software images according to device type.
Step 3 Designate the recommended image as golden. See Create Golden Software Images, on page 86 for more
information.
After you designate the Cisco-recommended image as golden, Cisco DNA Center automatically downloads
the image from cisco.com.
Step 4 Push the recommended software image to the devices in your network. See Provision Software Images, on
page 87 for more information.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Image Repository or click Image Repository.
Step 2 Click Import Image/SMU.
Step 3 Click Choose File to navigate to a software image or software image update stored locally or Enter image
URL to specify an HTTP or FTP source from which to import the software image or software image update.
Step 4 If the image you are importing is for a third-party (not Cisco) vendor, select Third Party under Source. Then
select an Application Type, describe the device Family, and identify the Vendor.
Step 5 Click Import.
A window displays the progress of the import.
Step 6 Click Show Tasks to verify that the image was imported successfully.
If you imported a SMU, Cisco DNA Center automatically applies the SMU to the correct software image,
and an Add-On link appears below the corresponding software image.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Image Repository or click Image Repository.
Step 2 In the Image Name column, find the software image that is in Install Mode.
Step 3 Click Import to upload the binary software image file for the image that is in Install Mode.
Step 4 Click Choose File to navigate to a software image stored locally or Enter image URL to specify an HTTP
or FTP source from which to import the software image.
Step 5 Click Import.
A window displays the progress of the import.
Step 6 Click Show Tasks and verify that the software image you imported is green, indicating it has been successfully
imported and added to the Cisco DNA Center repository.
Step 7 Click Refresh.
The Image Repository window refreshes. Cisco DNA Center displays the software image, and the Golden
Image and Device Role columns are no longer greyed out.
What to do next
• Create Golden Software Images, on page 86
• Provision Software Images, on page 87
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Image Repository or click Image Repository.
Step 2 From the Family column, select a device family for which you want to specify a golden image.
Step 3 From the Image Name column, select the software image that you want to specify as golden.
Step 4 In the Device Role column, select a device role for which you want to specify a golden software image. Even
if you have devices from the same device family, you can specify a different golden software image for each
device role. You can select a device role for physical images only, not virtual images.
If the software image you specified as golden is not already uploaded into the Cisco DNA Center repository,
this process might take some time to complete. Under the Action column on the Image Repository page, if
the trash can icon is greyed out, the image is not yet uploaded to the Cisco DNA Center repository. Cisco
DNA Center must first upload the software image to its repository, and then it can mark the image as golden.
If the software image is already uploaded to the Cisco DNA Center repository, indicated by the active trash
can icon in the Action column, then the process to specify a golden image completes faster.
Procedure
Step 1 From the Cisco DNA Center home page, click Provision.
Step 2 Select the device whose image you want to upgrade.
Note If the pre-checks are successful for a device, the Outdated link in the OS Image column will have
a green tick mark. If any of the upgrade readiness pre-checks fail for a device, the Outdated link
will have a red into mark, and you cannot update the OS image for that device. Click on the Outdated
link and correct any errors before proceeding further.
See List of Device Upgrade Readiness Prechecks, on page 88 for the list of pre-checks.
Step 3 From the Actions drop-down list, choose Update OS Image and do the following.
a) Distribute: Click Now to start the distribution immediately or click Later if you want to schedule the
distribution at a specific time.
Note If the image is already distributed for the selected device, the Distribute process will be skipped
and you will only be able to Activate the image.
b) Click Next.
c) Activate: Click Now to start the activation immediately or click Later if you want to schedule the activation
at a specific time.
Note You can skip this step if you want to perform only the distribution process for now.
d) (Optional) Select the Schedule Activation after Distribution is completed checkbox as required.
e) Confirm: Click Confirm to confirm the update.
You can check the status of the update in the OS Update Status column. If this column is not displayed, click
and choose OS Update Status.
Step 4 (Optional) Click Upgrade Status to view the progress of the image upgrade.
Note If you have a device between Cisco DNA Center and another fabric device, such as an edge router,
the software update process might fail if the in-between device reloads while the software image is
being provisioned to the other device.
Precheck Description
Device management status Checks if the device is successfully managed in Cisco DNA Center.
File transfer check Checks if the device is reachable through SCP and HTTPS. If there is a connectivity problem, see Troubleshooting SCP and HTTPS Connectivity.
NTP clock check Compares device time and Cisco DNA Center time to ensure successful Cisco DNA Center certificate installation.
Flash check Verifies if there is enough disk space for the update. If there is not enough disk space, a warning or error message is returned. For information about the supported devices for Auto Flash cleanup and how files are deleted, see Auto Flash Cleanup.
Crypto TLS check Checks whether the device supports TLS 1.2.
Startup config check Checks whether the startup configuration exists for this device.
Procedure
Step 1 To verify that the device time is in sync with the Cisco DNA Center time zone, enter the show clock command.
For example:
ASR1001-X-149#show clock
Note A running image version later than 16.x supports TLS 1.2.
Step 3 To verify that the device is configured with "crypto key generate rsa modulus 1024," enter:
show crypto key mypubkey rsa
If the device is not configured with the crypto key, enter the following command to configure it:
config t
crypto key generate rsa
Step 4 To verify that the device is configured with an IP domain name, enter:
sh running-config | sec ip domain
For example:
ip domain name Cisco.com
Step 5 To validate the HTTPS communication between the device and Cisco DNA Center, enter:
copy https://10.104.240.95/core/img/cisco-bridge.png flash:cisco-bridge.png
Procedure
Step 1 For SCP connectivity, first verify that SSH is configured by using the following command:
Show run | inc ssh
For example:
ASR1001-X-149#show running-config | sec ssh
If SSH is not configured, use the following commands to configure SSH on the device:
line vty 0 15
transport input all
ip ssh source-interface GigabitEthernet1/1
Step 2 To enable SSH version 2 on the device, run the following command:
ip ssh version 2
Step 3 Next, verify that SCP is configured on the device by using the following command:
show run | inc scp
For example:
ASR1001-X-149#show running-config | sec scp
Step 4 If SCP is not configured, use the following command to configure SCP on the device:
Config t
ip scp server enable
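The SSH, SCP and domain-name prerequisites from the two troubleshooting procedures above can be checked offline against a saved running configuration. This Python audit is an added example, not Cisco tooling; the finding codes and both sample configurations are constructed, and the Telnet finding is an added hardening note, since transport input all also admits Telnet.

```python
import re
from typing import Dict, List


def parse_sections(config: str) -> Dict[str, List[str]]:
    """Map each top-level configuration line to its indented child lines."""
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and "!" separators carry no settings
        if line[0].isspace():
            if current is not None:
                sections[current].append(line.strip())
        else:
            current = line
            sections.setdefault(current, [])
    return sections


def audit_config(config: str) -> List[str]:
    """Return finding codes for prerequisites missing from a running-config."""
    sections = parse_sections(config)
    findings: List[str] = []
    # Both spellings are accepted; the hyphenated form is the older syntax.
    if not any(re.match(r"ip domain[ -]name \S+", top) for top in sections):
        findings.append("NO_IP_DOMAIN_NAME")
    if "ip ssh version 2" not in sections:
        findings.append("SSH_V2_NOT_SET")
    if "ip scp server enable" not in sections:
        findings.append("SCP_SERVER_DISABLED")
    vty_lines = [top for top in sections if top.startswith("line vty")]
    if not vty_lines:
        findings.append("NO_VTY_LINES")
    for header in vty_lines:
        transports = set()
        for child in sections[header]:
            if child.startswith("transport input"):
                transports.update(child.split()[2:])
        # Only an explicit setting is trusted; an absent line is reported too.
        if not transports & {"ssh", "all"}:
            findings.append("VTY_NO_SSH_INPUT:" + header)
        if transports & {"telnet", "all"}:
            findings.append("VTY_ALLOWS_TELNET:" + header)
    return findings


# Constructed sample: the settings the procedures above tell you to configure.
PAGE_STYLE_CONFIG = """\
hostname ASR1001-X-149
!
ip domain name Cisco.com
ip ssh version 2
ip ssh source-interface GigabitEthernet1/1
ip scp server enable
!
line vty 0 15
 transport input all
"""

# Same configuration with the vty lines restricted to SSH.
SSH_ONLY_CONFIG = PAGE_STYLE_CONFIG.replace("transport input all",
                                            "transport input ssh")

# Constructed sample: a device that would fail the file transfer check.
BARE_CONFIG = """\
hostname lab-sw-01
!
line vty 0 4
 transport input telnet
line vty 5 15
 login local
"""

if __name__ == "__main__":
    for label, cfg in (("page-style", PAGE_STYLE_CONFIG),
                       ("ssh-only", SSH_ONLY_CONFIG),
                       ("bare", BARE_CONFIG)):
        print(label, audit_config(cfg) or "ready")
```

The RSA key pair from Step 3 does not appear in the running configuration, so it still has to be confirmed on the device with show crypto key mypubkey rsa.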
Note Auto flash cleanup is supported on Cisco Catalyst 9300, 9400, and 9500 switches.
• For devices that do not support auto flash cleanup, the flash check fails with an error message. You
can delete files from device flash to create required space before starting the image upgrade.
About Topology
The Topology window displays a graphical view of your network. Using the Discovery settings that you have
configured, Cisco DNA Center discovers the devices in your network and assigns a device role to them. Based
on the device role assigned during discovery (or changed in Device Inventory), Cisco DNA Center creates a
physical topology map with detailed device-level data.
Using the topology map, you can do the following:
• Display the topology of a selected area, site, building, or floor.
• Display detailed device information.
• Display detailed link information.
• Filter devices based on a specific Layer 2 VLAN.
• Filter devices based on a Layer 3 protocol (such as Intermediate System - Intermediate System [IS-IS],
Open Shortest Path First [OSPF], Enhanced Interior Gateway Routing Protocol [EIGRP], or static routing).
• Filter devices with Virtual Routing and Forwarding (VRF) capability.
• Pin devices to the topology map.
• Save a topology map layout.
• Open a topology map layout.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Step 2 In the tree view menu, select the area, site, building, or floor that you are interested in.
Note Clicking the icon in the bottom right corner will open a legend that shows you the available shortcut
keys for the topology maps.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Step 2 Click Filter.
Step 3 Do one of the following:
• From the VLAN drop-down list, choose the VLAN that you want to view.
• From the Routing drop-down list, choose the protocol that interests you.
• From the VRF drop-down list, choose the VRF that you want to view.
Note The device information that is accessible in the Topology window is also accessible in the Device Inventory
window.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Step 2 In the tree view menu, select the area, site, building, or floor that you are interested in.
Step 3 In the topology area, hover your mouse over the device or device group that interests you.
Note A device group is labeled with the number and types of devices it contains.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Step 2 In the tree view menu, select the area, site, building, or floor that you are interested in.
Step 3 Hover your mouse over the link that interests you.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Step 2 Do one of the following:
• To pin a device, click the device group, and in the dialog box, click the pin icon to the left of the device
name.
• To pin all the devices, click the device group, and, in the dialog box, click Pin All.
Note Double click the group to unpin the devices in the group.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Step 2 Click Unassigned Devices in the left pane. All the unassigned devices will be displayed in the topology area.
Step 3 Click the device for which you want to assign a site. Device details will be displayed in a popup. In the Assign
devices to: section, click on choose the location drop-down list to select a location.
Step 4 (Optional) Uncheck the Auto-assign unclaimed downstream devices checkbox, if you want to assign the
site only for the selected device and not for the connected (downstream) devices.
Step 5 Click Assign.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Step 2 Click View Options.
Step 3 In the Enter View Title field, enter a name for your customized map.
Step 4 Click Save.
Step 5 (Optional) To set your customized map as the default, click Make Default.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Step 2 Click View Options.
Step 3 Click the name of the map that you want to display.
Procedure
Step 1 From the Cisco DNA Center home page, click Topology.
Procedure
Step 1 Create your network hierarchy. For more information, see Create a Site in a Network Hierarchy, on page 98.
Step 2 Define global network settings. For more information, see About Global Network Settings, on page 131.
Step 3 Define network profiles.
You can:
• Create a new network hierarchy. See Create a Site in a Network Hierarchy, on page 98.
• Upload an existing network hierarchy from Cisco Prime Infrastructure. See Upload an Existing Site
Hierarchy, on page 99.
You can add more sites, buildings, and areas to your network hierarchy. You must create at least one site
before you can use the provision features.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
A world map is displayed.
Step 2 On the Network Hierarchy window, click + Add Site, or click the gear icon next to the parent site in the
left pane, and then select the appropriate option.
Step 3 You can also upload an existing hierarchy. For more information, see Upload an Existing Site Hierarchy, on
page 99.
Step 4 Enter a name for the site, and select a parent Node. By default, Global is the parent node.
Step 5 Click Add.
The site is created under the parent node in the left menu.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy, and then click Import >
Import Sites.
Step 2 Drag and drop your CSV file, or navigate to where your CSV file is located, then click Import to import the
Cisco Prime Infrastructure Groups CSV file.
If you do not have an existing CSV file, click Download Template to download a CSV file that you can edit
and upload.
Step 3 To import the Cisco Prime Infrastructure maps tar.gz archive file, click Import > Map Import.
Step 4 Drag and drop the map archive file into the boxed area in the Import Site Hierarchy Archive dialog box,
or click the click to select link and browse to the archive file.
Step 5 Click Save to upload the file.
The Import Preview window appears, which shows the imported file.
Procedure
Step 1 From the Cisco Prime Infrastructure user interface, choose Maps > Wireless Maps > Site Maps (New).
Step 2 From the Export drop-down list, choose Map Archive.
The Export Map Archive wizard opens.
Step 3 On the Select Sites window, configure the following. You can either select map information or calibration
information to be included in the maps archive.
• Map Information—Click the On or Off button to include map information in the archive.
• Calibration Information—To export calibration information, click the On or Off button. Click the
Calibration Information for selected maps or the All Calibration Information radio button. If you
select Calibration Information for selected maps, the calibration information for the selected site maps
is exported. If you select All Calibration Information, the calibration information for the selected map,
along with additional calibration information that is available in the system, is also exported.
• In the Sites left pane, check one or more check boxes of the site, campus, building floor, or outdoor area
that you want to export. Check the Select All check box to export all the maps.
Step 4 Click Generate Map Archive. The message Exporting data is in progress is displayed.
A tar file is created and is saved to your local machine.
Step 5 Click Done.
Procedure
To search the tree hierarchy, go to the Find Hierarchy search field in the left pane and enter either the partial
or full name of the site, building, or floor that you are searching for. The tree hierarchy is filtered based on
the text you enter in the search field.
Edit Sites
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, navigate to the corresponding site that you want to edit.
Step 3 Click the gear icon next to the site and select Edit Site.
Delete Sites
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, navigate to the site that you want to delete.
Step 3 Click the gear icon next to the corresponding site and select Delete Site.
Step 4 Confirm the deletion.
Add Buildings
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
A world map is displayed.
Step 2 On the Network Hierarchy window, click + Add Site, or click the gear icon next to the parent site in the
left pane and select Add Building.
Step 3 You can also upload an existing hierarchy. See Upload an Existing Site Hierarchy, on page 99.
Step 4 Enter a name for the building.
Step 5 In the Address text field, enter an address. If you are connected to the Internet, as you enter the address, the
Design Application narrows down the known addresses to the one you enter. When you see that the correct
address appears in the window, select it. When you select a known address, the Longitude and Latitude
coordinates fields are automatically populated.
Step 6 Click Add.
The building that you created is added under the parent site in the left menu.
Step 7 To add another area or building, in the hierarchy frame, click the gear icon next to an existing area or
building that you want to be the parent node.
Edit a Building
Procedure
Step 3 Click the gear icon next to the building and select Edit Building.
Step 4 Make the necessary changes in the Edit Building window, and click Update.
Delete Buildings
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, navigate to the building that you want to delete.
Step 3 Click the gear icon next to the building and select Delete Building.
Step 4 Confirm the deletion.
Note Deleting a building deletes all its container maps. APs from the deleted maps are moved to
Unassigned state.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 Expand the Global site and the previously created area to see all the previously created buildings.
Step 3 Click the gear icon next to the building to which you want to add a floor, and then click Add Floor.
Step 4 Enter a name for the floor. The floor name has a 21-character limit. The floor name must start with a letter or
a hyphen (-) and the string following the first character can include one or more of the following:
• Upper or lower case letters or both
• Numbers
• Underscores (_)
• Hyphens (-)
• Periods (.)
• Spaces ( )
Step 5 Define the type of floor by choosing the Radio Frequency (RF) model from the Type (RF Model) drop-down
list: Indoor High Ceiling, Outdoor Open Space, Drywall Office Only, and Cubes And Walled Offices.
This defines whether the floor is an open space or a drywall office, and so on. Based on the RF model selected, the
wireless signal strength and the heatmap distribution are calculated.
Step 6 You can drag a floor plan on to the map or upload a file. Cisco DNA Center supports the following file types:
.jpg, .gif, .png, .dxf, and .dwg.
After you import a map, make sure that you mark the Overlay Visibility as On (Floor > View Option >
Overlays). By default, overlays are not displayed after you import a map.
Figure 5: Example of a Floor Plan
Edit a Floor
After you add a floor, you can edit the floor map so that it contains obstacles, areas, and APs on the floor.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 Expand the network hierarchy to find the floor that you want to edit, or enter the floor name in the Search
Hierarchy text field in the left pane.
Step 3 Make the necessary changes in the Edit Floor dialog window, and click Update.
• Click the icon at the top-right corner of the floor map window to:
• Export a floor plan as a PDF.
• Click the icon at the bottom-right of the floor map window to zoom in on a location. The zooming
levels depend upon the resolution of an image. A high-resolution image might provide more zoom levels.
Each zoom level comprises a different style map shown at different scales, each one showing the
corresponding details. Some maps are of the same style, but at a smaller or larger scale.
AP Mode: L Local, F FlexConnect, B Bridge
Health Score: Good Health, Fair Health, Poor Health
AP Status: Covered by sensor, Se Sensor, M Monitor 5 GHz, R Rogue Detector, ... Other
Radio Status: Ok, Minor Fault, Down, Admin Disable
Icons: Access Points, Sensor, Markers, Rx Neighbors Line
2.4 GHz
5 GHz
• Sensors
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, select the floor.
Step 3 Click Edit, which is located above the floor plan in the middle pane.
Step 4 In the Floor Elements panel, next to Access Points, click Add.
Access points that are not assigned to any floors appear in the list.
Step 5 On the Add APs window, check the check boxes of the access points to select APs in bulk, and click Add
Selected. Alternatively, click Add adjacent to an access point.
Note You can search for access points using the search option available. Use the Filter field to search
for access points using the AP name, MAC address, model, or Cisco Wireless Controller. The search
is case-insensitive. The search results appear in a table. Click Add to add one or more of these APs
to the floor area.
Step 6 Close the Add APs window after assigning APs to the floor area.
Step 7 Newly added APs appear on the top-right corner of the floor map.
Step 8 In the Floor Elements pane, next to Access Points, click Position to position the APs correctly on the map.
• To position the APs, click an AP and drag and drop it to the appropriate location on the floor map.
Alternatively you can update the x and y coordinates and AP Height in the Selected AP Details window.
When you drag an access point on the map, its horizontal (x) and vertical (y) position appears in the text
field. When selected, the access point details are displayed in the right pane. The Selected AP Details
window displays the following:
• Position by 3 points—You can draw 3 points on the floor map and position APs using the points
created. To do this:
1. Click Position by 3 points.
2. To define the points, click anywhere on the floor map to start drawing the first point. Click again
to finish drawing a point. A dialog box appears to set the distance to first point. Enter the distance,
in meters, and click Set Distance.
3. Define the second and third points similarly, and click Save.
• Position by 2 Walls—You can define 2 walls on the floor map and position APs between the defined
walls. This helps you to understand the AP position between the two walls.
1. Click Position by 2 walls.
2. To define the first wall, click anywhere on the floor map to start drawing the line. Click again
to finish drawing a line. A dialog box appears to set the distance to the first wall. Enter the
distance in meters and click Set Distance.
3. Define the second wall similarly and click Save.
The AP is placed automatically as per the defined distance between the walls.
Step 9 After you have completed placing and adjusting access points, click Save.
Heatmap is generated based on the new position of the AP.
If a Cisco Connected Mobile Experiences (CMX) is synchronized with Cisco DNA Center, then you can view
the location of clients on the heatmap. See Create Cisco CMX Settings, on page 128.
Step 10 In the Floor Elements panel, next to Access Points, click Delete.
The Delete APs window appears, which lists all the assigned and placed access points.
Step 11 Check the check boxes next to the access points that you want to delete, and click Delete Selected.
• To delete all the access points, click Select All, and click Delete Selected.
• To delete an access point from the floor, click the Delete icon.
• Use Quick Filter and search using the AP name, MAC address, Model, or Controller. The search is
case-insensitive. The search result appears in the table. Click the Delete icon to delete the APs from the
floor area.
• Click the Rx Neighbors radio button to view the immediate Rx neighbors for the selected AP on the
map with a connecting line. The floor map also shows whether the AP is associated or not along with
the AP name.
• Click Device 360 to get a 360° view of a specific network element (router, switch, AP, or Cisco Wireless
Controller). See the Monitor and Troubleshoot the Health of a Device topic in the Cisco DNA Assurance
User Guide.
Note For Device 360 to open, you must have the Assurance application installed.
Note Make sure you have a Cisco AP 1800S sensor in your inventory. The Cisco AP 1800S sensor needs to be
provisioned using Plug and Play (PnP) for it to show up in the Inventory. See the Provision the Wireless Cisco
Aironet 1800s Active Sensor topic in the Cisco DNA Assurance User Guide.
Note Sensor Device—A dedicated AP 1800S sensor. The AP 1800S sensor gets
bootstrapped using PnP. After it obtains Assurance server reachability details, it
directly communicates with the Assurance server.
• On-Demand Sensor—An AP is temporarily converted into a sensor to run tests. After the tests are
complete, the sensor changes back into AP mode.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, select the floor.
Step 3 Click Edit, which is located above the floor plan.
Step 4 In the Floor Elements panel, next to Sensors, click Add.
Step 5 On the Add Sensors window, check the check boxes of the sensors that you want to add. Alternatively, click
Add next to the sensor row to add sensors.
Note You can search for specific sensors using the search option. Use the Filter field and search using
the Name, MAC address, or Model of a sensor. The search is case-insensitive. The search results are
displayed in the table. Click Add to add one or more of these sensors to the floor area.
Step 6 Close the Add Sensors window after assigning sensors to the floor map.
Step 7 Newly added sensors appear on the top-right corner of the floor map.
Step 8 To position the sensors correctly, in the Floor Elements pane, next to Sensors, click Position to place them
correctly on the map.
Step 9 After you have completed placing and adjusting sensors, click Save.
Step 10 To delete a sensor, in the Floor Elements pane, next to Sensors, click Delete.
The Delete Sensors window appears, which lists all the assigned and placed sensors.
Step 11 Select the check boxes of the sensors that you want to delete, and click Delete Selected.
• To delete all the sensors, click Select All, and click Delete Selected.
• To delete a sensor from the floor, click the Delete icon next to that sensor.
• Use Quick Filter and search using the Name, MAC address, or Model. The search is case-insensitive.
The search results are displayed in a table. Click the Delete icon to delete one or more of these sensors from
the floor area.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, select the floor.
Step 3 Click Edit, which is located above the floor plan in the middle pane.
Step 4 In the Overlays panel, next to Coverage Areas, click Add.
The Coverage creation dialog-box appears.
Step 5 To draw a coverage area, from the Type drop-down list, choose Coverage Area.
1. Enter the name of the area you are defining, and click Add Coverage. The coverage area must be a
polygon with at least 3 vertices.
2. Move the drawing tool to the area you want to outline.
3. Click the tool to start and stop a line.
4. After you have outlined the area, double-click the area, which results in the area getting highlighted.
Note The outlined area must be a closed object for it to be highlighted on the map.
Step 6 To draw a polygon-shaped area, from the Type drop-down list, choose Perimeter.
1. Enter the name of the area you are defining, and click Ok.
Step 7 To edit a coverage area, in the Overlays panel, next to Coverage Areas, click Edit.
The available coverage areas are highlighted on the map.
Step 8 Make the changes and click Save.
Step 9 To delete a coverage area, in the Overlays panel, next to Coverage Areas, click Delete.
The available coverage areas are highlighted on the map.
Step 10 Hover your cursor over the coverage area and click to delete.
Step 11 Click Save after the deletion.
Create Obstacles
You can create obstacles so that they can be considered while computing Radio Frequency (RF) prediction
heatmaps for access points.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, select the floor.
Step 3 Click Edit, which is located above the floor plan in the middle pane.
Step 4 In the Overlays panel, next to Obstacles, click Add.
Step 5 In the Obstacle Creation dialog box, choose an obstacle type from the Obstacle Type drop-down list. The
type of obstacles that you can create are Thick Wall, Light Wall, Heavy Door, Light Door, Cubicle, and
Glass.
The estimated signal loss for the obstacle type you selected is automatically populated. The signal loss is used
to calculate RF signal strength near these objects.
Step 6 Click Add Obstacle.
Step 7 Move the drawing tool to the area where you want to create an obstacle.
Step 8 Click the drawing tool to start and stop a line.
Step 9 After you have outlined the area, double-click the area, which results in the area getting highlighted.
Step 10 Click Done in the Obstacle Creation window that appears.
Step 11 Click Save to save the obstacle on the floor map.
Step 12 To edit an obstacle, in the Overlays panel, next to Obstacles, click Edit.
All the available obstacles are highlighted on the map.
Step 15 Hover your cursor over the obstacle and click to delete.
Step 16 Click Save.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, select the floor.
Step 3 In the Overlays panel, next to Location Regions, click Add.
Step 4 In the Location Region Creation dialog window, from the Inclusion Type drop-down list, choose an option.
Step 5 Click Add Location Region.
A drawing icon appears to outline the inclusion area.
Step 6 To begin defining the inclusion area, move the drawing tool to a starting point on the map and click once.
Step 7 Move the cursor along the boundary of the area you want to include and click to end a border line.
Click again to define the next boundary line.
Step 8 Repeat Step 7 until the area is outlined and then double-click the drawing icon.
A solid aqua line defines the inclusion area.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, select the floor.
Step 3 Click Edit, which is located above the floor plan in the middle pane.
Step 4 In the Overlays panel, next to Location Regions, click Add.
Step 5 In the Location Region Creation window, from the Exclusion Type drop-down list, choose a value.
Step 6 Click Location Region.
A drawing icon appears to outline the exclusion area.
Step 7 To begin defining the exclusion area, move the drawing icon to a starting point on the map and click once.
Step 8 Move the drawing icon along the boundary of the area you want to exclude.
Click once to start a boundary line, and click again to end the boundary line.
Step 9 Repeat Step 8 until the area is outlined and then double-click the drawing icon. The defined exclusion area is
shaded in purple when the area is fully defined.
Step 10 To define more exclusion regions, repeat Step 5 to Step 9.
Step 11 When all the exclusion areas are defined, click Save.
Procedure
Procedure
Rail Creation
You can define a rail line on a floor that represents a conveyor belt. Also, you can define an area around the
rail area known as the snap-width to further assist location calculations. This represents the area in which you
expect clients to appear. Any client located within the snap-width area is plotted on the rail line (majority) or
outside of the snap-width area (minority).
The snap-width area is defined in feet or meters (user-defined) and represents the distance that is monitored
on either side (east and west or north and south) of the rail.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 2 In the left pane, select the floor.
Step 3 Click Edit, which is located above the floor plan in the middle pane.
Step 4 In the Overlays panel, next to Rails, click Add.
Step 5 Enter a snap-width (feet or meters) for the rail and then click Add Rail.
A drawing icon appears.
Step 6 Click the drawing icon at the starting point of the rail line. Click again when you want to stop drawing the
line or change the direction of the line.
Step 7 Click the drawing icon twice when the rail line is drawn on the floor map. The rail line appears on the map
and is bordered on either side by the defined snap-width region.
Step 8 Click Save.
Step 9 In the Overlays panel, next to Rails, click Edit.
The available rails are highlighted on the map.
Step 12 Hover your cursor over the rail line that you want to delete, and click to delete.
Step 13 Click Save.
Place Markers
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Hierarchy.
Step 5 Enter the name for the markers, and then click Add Marker.
Step 6 Click the drawing icon and place the marker on the map.
Step 7 Click Save.
Step 8 In the Overlays panel, next to Markers, click Edit.
The available markers are highlighted on the map.
Step 11 Hover your cursor on the marker that you want to delete, and click to delete.
Step 12 Click Save.
• Coverage Holes—Percentage of clients whose signal has become weaker until the client lost its
connection. It shows Unavailable for access points that are not connected and MonitorOnly for
access points that are in monitor-only mode.
• TX Power—Current Cisco Radio transmit power level (with 1 being high) or Unavailable (if the
access point is not connected). If you change the radio band, the information on the map changes
accordingly.
The power levels differ depending on the type of access point. The 1000 series APs accept a value
between 1 and 5, the 1230 access points accept a value between 1 and 7, and the 1240 and 1100
series access points accept a value between 1 and 8.
• Channel and Tx Power—Channel and transmit power level (or Unavailable if the access point is
not connected).
• Utilization—Percentage of bandwidth used by the associated client devices (including receiving,
transmitting, and channel utilization). Displays Unavailable for disassociated access points and
MonitorOnly for access points in monitor-only mode.
• Tx Utilization—Transmitted (Tx) utilization for the specified interface.
• Rx Utilization—Received (Rx) utilization for the specified interface.
• Ch Utilization—Channel utilization for the specified access point.
• Assoc. Clients—Total number of clients associated.
• Dual-Band Radios—Identifies and marks the XOR dual-band radios on the Cisco Aironet 2800
and 3800 Series Access Points.
• Health Score—AP health score.
• Issue Count
• Coverage Issues
• AP Down Issues
• Heatmap Type—A heatmap is a graphical representation of Radio Frequency (RF) wireless data where
the values taken by a variable are represented on maps as colors. The current heatmap is computed based
on the RSSI prediction model, antenna orientation, and AP transmit power. From the Heatmap Type
drop-down list, select the heatmap type: None or Coverage.
• None
• Coverage—If you have monitor mode access points on the floor plan, you can select coverage
heatmap. A coverage heatmap excludes monitor mode access points.
• Heatmap Opacity (%)—Drag the slider between 0 and 100 to set the heatmap opacity.
• RSSI Cut off (dBm)—Drag the slider to set the RSSI cutoff level. The RSSI cutoff ranges from -60
dBm to -90 dBm.
• Map Opacity (%)—Drag the slider to set the map opacity.
The AP details are reflected on the map immediately. Hover your cursor over the AP icon on the map to view
AP details and RX neighbor information.
Data Filtering
Filtering Access Points Data
Click Access Point under the Filters panel in the right pane. The filtering options for access points include
the following:
• Choose the radio type from the drop-down list, located above the floor map in the middle pane: 2.4 GHz,
5 GHz, or 2.4 GHz & 5 GHz.
• Click + Add Rule to add a query:
• Choose the access point identifier you want to view on the map: Name, MAC Address, Tx Power,
Channel, Avg Air Quality, Min. Air Quality, Controller IP, Coverage Holes, Tx Utilization, Rx
Utilization, Profiles, CleanAir Status, Associated Clients, Dual-Band Radios, Radio, or Bridge
Group Name.
• Choose the parameter by which you want to filter access points.
• Enter the specific filter criteria in the text box for the applicable parameters, and click Go. The
search results appear in a tabular format.
• Click Apply Filters to List to view the filter results on the map. To view a particular access point
on the map, check the check box of the access point in the table that is displayed, and click Show
Selected on Maps.
When you hover your cursor over a search result in the table, the location of the AP is indicated
by a line on the map.
When you hover your cursor over a search result in the table, the location of the sensor is indicated
by a line on the map.
Note Creating wireless interfaces and wireless radio frequency is applicable only for nonfabric deployments.
Creating the wireless sensor device profile is applicable only for the AP 1800S sensor device.
The following sections provide information about how to define global wireless network settings:
• Create SSIDs for an Enterprise Wireless Network, on page 119
• Create SSIDs for a Guest Wireless Network, on page 121
• Create a Wireless Interface, on page 124
• Create a Wireless Radio Frequency Profile, on page 124
• Create a Wireless Sensor Device Profile, on page 127
Note All SSIDs are created at the Global level. The site, building, and floor inherit settings from the Global level.
Procedure
• 5 GHz only—The WLAN is created for 5 GHz and band select is disabled.
• Check the Fast Transition check box to enable 802.11r protocol. You can select Enable or Disable
mode. By default, it is in Adaptive mode.
• Under the Level of Security area, select the encryption and authentication type for this network. The
security options are:
• WPA2 Enterprise—Provides a higher level of security using Extensible Authentication Protocol
(EAP) (802.1x) to authenticate and authorize network users with a remote RADIUS server.
• WPA2 Personal—Provides good security using a passphrase or a preshared key (PSK). Allows
anyone with the passkey to access the wireless network. If you select WPA2 Personal, enter the
passphrase in the Passphrase text box.
Note You can override a preshared key (PSK) at the site, building, or floor level. If you override
a PSK at the building level, the subsequent floor inherits the new settings. For more
information, see Preshared Key Override, on page 121.
• Open—Provides no security. Allows any device to access the wireless network without any
authentication.
Step 3 Click Next. The Wireless Profiles window is displayed. You can associate this SSID with the corresponding
wireless profile.
Step 4 In the Wireless Profiles window, click +Add to create a new wireless profile.
Step 5 Configure the following in the Create a Wireless Profile window:
• Enter the profile name in the Wireless Profile Name text box.
• Specify whether the SSID is Fabric or Non-Fabric by selecting Yes or No. If you select No, configure
the following parameters:
• From the Select Interface drop-down list, select the interface. This is the VLAN ID that is associated
with the wireless interface.
• Check the Flex Connect check box to enable FlexConnect mode. This is a Flex Group profile, where
the traffic is switched locally, except for traffic that has specific rules. Based on the following
configurations, the profile is applied to a site and a flex group is created internally.
• To assign this profile to a site, enter the full or partial name of the site in the Site Selector text box.
The available sites are auto populated and you can select the site you want from the drop-down list.
Step 6 Click Add. The created profile appears in the Wireless Profiles page.
Step 7 To associate the SSID to wireless profile, do the following:
• On the Wireless Profile page, check the Profile Name check box(es) to associate the SSID you created
in Step 2.
• Click Finish.
What to do next
1. Perform discovery of devices. You can discover devices using CDP or using an IP address range. For
more information, see Discover Your Network Using CDP, on page 15 and Discover Your Network
Using an IP Address Range, on page 21.
2. Automatically add and onboard new devices with Network Plug and Play.
3. Configure policies for your network. See Configure Policies, on page 167.
4. Add a Cisco Wireless Controller to a site. See Add Devices to Sites, on page 219.
5. Provision the Cisco Wireless Controller and Cisco APs. See Provision a Cisco Wireless Controller, on
page 222 and Provision a Cisco AP—Day 1 AP Provisioning, on page 224.
6. Add the Cisco Wireless Controller to a fabric domain. See Add Devices to a Fabric, on page 236.
7. Configure settings for the various kinds of devices ("hosts") that can access the fabric domain. See
Configure Host Onboarding.
Procedure
Step 5 To reset the PSK override, check the check box of the PSK SSID on the site, building, or floor and click
Delete. The PSK is reset to the global passphrase value.
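The PSK override behavior described above, modeled as an added Python example (not Cisco DNA Center code or its API): it resolves which passphrase is in effect at each site, building, or floor, so you can see which locations a passphrase rotation touches and which SSIDs admit devices without authentication. The class names, the sample hierarchy, the passphrases, and the nearest-ancestor lookup used for nested overrides are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

GLOBAL = "Global"  # root of the hierarchy; all SSIDs are created at this level


@dataclass
class Ssid:
    name: str
    security: str                      # "WPA2 Enterprise", "WPA2 Personal" or "Open"
    passphrase: Optional[str] = None   # global passphrase (WPA2 Personal only)


@dataclass
class Node:                            # hypothetical stand-in for a site, building or floor
    name: str
    parent: Optional[str]              # None only for Global
    psk_override: Dict[str, str] = field(default_factory=dict)  # SSID name -> passphrase


class Hierarchy:
    def __init__(self, ssids: List[Ssid]):
        self.ssids = {s.name: s for s in ssids}
        self.nodes = {GLOBAL: Node(GLOBAL, None)}

    def add(self, name: str, parent: str = GLOBAL) -> None:
        if parent not in self.nodes:
            raise KeyError(f"unknown parent {parent!r}")
        self.nodes[name] = Node(name, parent)

    def override_psk(self, node: str, ssid: str, passphrase: str) -> None:
        """Set a PSK override at a site, building or floor."""
        if self.ssids[ssid].security != "WPA2 Personal":
            raise ValueError(f"{ssid} has no PSK to override")
        # IEEE 802.11 limits a WPA2 passphrase to 8..63 characters (not stated on the page).
        if not 8 <= len(passphrase) <= 63:
            raise ValueError("WPA2 passphrase must be 8 to 63 characters")
        self.nodes[node].psk_override[ssid] = passphrase

    def reset_psk(self, node: str, ssid: str) -> None:
        """Delete the override; the node falls back to what it inherits."""
        self.nodes[node].psk_override.pop(ssid, None)

    def effective_psk(self, node: str, ssid: str) -> Tuple[Optional[str], str]:
        """Return (passphrase, node where it is defined) for one location."""
        cur: Optional[str] = node
        while cur is not None:
            n = self.nodes[cur]
            if ssid in n.psk_override:
                return n.psk_override[ssid], cur
            cur = n.parent             # assumption: nearest ancestor override wins
        return self.ssids[ssid].passphrase, GLOBAL

    def rotation_scope(self, ssid: str) -> Dict[str, List[str]]:
        """Group locations by the node whose passphrase they actually use."""
        scope: Dict[str, List[str]] = {}
        for name in self.nodes:
            _, source = self.effective_psk(name, ssid)
            scope.setdefault(source, []).append(name)
        return scope

    def audit(self) -> List[Tuple[str, str]]:
        """Report SSIDs that rely on a shared secret or on no authentication."""
        findings = []
        for s in self.ssids.values():
            if s.security == "Open":
                findings.append((s.name, "no authentication: any device can join"))
            elif s.security == "WPA2 Personal":
                sources = sorted(self.rotation_scope(s.name))
                findings.append((s.name, "shared passphrase defined at: " + ", ".join(sources)))
        return findings


def build_sample() -> Hierarchy:
    """Constructed sample data: names and passphrases are placeholders."""
    h = Hierarchy([
        Ssid("corp-dot1x", "WPA2 Enterprise"),
        Ssid("corp-psk", "WPA2 Personal", "constructed-global-psk"),
        Ssid("lobby-open", "Open"),
    ])
    h.add("San-Jose")
    h.add("Bldg-A", "San-Jose")
    h.add("Floor-1", "Bldg-A")
    h.add("Bldg-B", "San-Jose")
    h.add("Floor-2", "Bldg-B")
    h.override_psk("Bldg-A", "corp-psk", "constructed-bldg-a-psk")
    return h


if __name__ == "__main__":
    sample = build_sample()
    for source, members in sample.rotation_scope("corp-psk").items():
        print(f"passphrase defined at {source}: used by {', '.join(members)}")
    for ssid_name, finding in sample.audit():
        print(f"{ssid_name}: {finding}")
```

Rotating the global passphrase alone leaves every location under an override on its old key, which is why the scope is grouped by the node that defines the passphrase.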
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Wireless.
Step 2 Under Guest Wireless, click +Add to create new SSIDs.
The Create a Guest Wireless Network window is displayed.
Step 3 In the Wireless Network Name (SSID) text box, enter a unique name for the guest SSID that you are creating.
Step 4 Under Level of Security, select the encryption and authentication type for this guest network: Web Auth
or Open.
Note For an External Web Authentication (EWA), select Web Auth as the Level of Security and External
Authentication as the Authentication Server.
Note For a Central Web Authentication (CWA), select Web Auth as the Level of Security and ISE
Authentication as the Authentication Server.
Step 5 The Web Auth encryption and authentication type provides a higher level of Layer 3 security.
Step 6 The Open encryption and authentication type provides no security. It allows any device to connect to the
wireless network without any authentication.
Step 7 If you choose Web Auth, you must configure the authentication server: ISE Authentication or External
Authentication.
• If you choose External Authentication, enter the redirect URL in the Web Auth URL text box.
• If you choose ISE Authentication, select the type of portal you want to create from the drop-down list:
• Self Registered—The guests are redirected to the Self-Registered Guest portal to register by providing
information to automatically create an account.
• HotSpot—The guests can access the network without providing any credentials.
Step 8 To redirect the guests after successful authentication, select from the drop-down list:
• Success Page—The guests are redirected to an Authentication Success window.
• Original URL—The guests are redirected to the URL they had originally requested.
• Custom URL—The guests are redirected to the custom URL that is specified here. Enter a redirect URL
in the Redirect URL text box.
Now that you have created an SSID, you must associate it with a wireless profile. This profile helps you to
construct a topology, which is used to deploy devices on a site.
Step 10 If you do not have an existing wireless profile, in the Wireless Profiles window, click +Add to create a new
wireless profile.
Step 11 Enter a profile name in the Wireless Profile Name text box.
Step 12 Specify whether the SSID is fabric or not by clicking the Yes or No radio button next to Fabric.
A fabric SSID is a wireless network that is part of Software-Defined Access (SD-Access). SD-Access is a
solution that automates and simplifies configuration, policy, and troubleshooting of wired and wireless
networks. A fabric SSID requires SD-Access. A non-fabric SSID is a traditional wireless network that
does not require SD-Access.
Step 13 If you want the guest SSID to be a guest anchor, click the Yes or No radio button next to Do you need a
Guest Anchor for this guest SSID.
Step 14 If you want your guest SSID to be a guest anchor, select Yes.
Step 15 If you select No, then enable the FlexConnect mode by checking the Flex Connect Local Switching check
box.
The selection of FlexConnect mode switches the traffic locally. Based on your configuration, the profile is
applied to a site and a flex group is created internally.
Step 16 From the Select Interface drop-down list, select the interface or click + create a new wireless interface to
create a new wireless interface.
This is the VLAN ID that is associated with the wireless interface.
Step 17 To assign this profile to a site, enter the full or partial name of the site in the Site Selector text box.
The available sites are auto populated and you can select the site that you want from the drop-down list.
Step 19 To associate the SSID to a wireless profile, in the Wireless Profiles window, configure the following.
Step 20 Check the Profile Name check box to associate the SSID.
Step 21 Click Next.
The Portal Customization window appears, where you can assign the SSID to a guest portal.
Step 22 In the Portal Customization window, click + Add to create the guest portal.
The Portal Builder window appears.
Step 23 Expand Page Content in the left menu to include various variables.
Step 24 Drag and drop variables into the portal template window and edit them.
• The list of variables for the Login page are: Access Code, Header Text, AUP, and Text Fields.
• The list of variables for the Registration page are: First Name, Last Name, Phone Number, Company,
Sms Provider, Person being visited, Reason for a visit, Header text, User Name, Email Address,
and AUP.
• The list of variables for the Registration Success page are: Account Created and Header texts.
• The variable for the Success page is: Text fields.
Step 25 To customize the default color scheme in the portal, expand Color in the left menu and change the color.
Step 26 To customize the font, expand Font in the left menu and change the font.
Step 27 Click Save.
The created portal appears in the Portal Customization window.
Step 28 Under Portals, click the radio button next to the corresponding Portal Name to assign the SSID to that guest
portal.
Step 29 Click Finish.
What to do next
1. Perform discovery of devices. You can discover devices using CDP or an IP address range. See Discover
Your Network Using CDP, on page 15 and Discover Your Network Using an IP Address Range, on page
21.
2. Automatically add and onboard new devices with Network Plug and Play. See About Network Plug and
Play, on page 37.
3. Configure policies for your network. See Configure Policies, on page 167.
4. Add a Cisco Wireless Controller to a site. See Add Devices to Sites, on page 219.
5. Provision Cisco Wireless Controller and Cisco APs. See Provision a Cisco Wireless Controller, on page
222 and Provision a Cisco AP—Day 1 AP Provisioning, on page 224.
6. Add the Cisco Wireless Controller to a fabric domain. See Add Devices to a Fabric, on page 236.
7. Configure settings for the various kinds of devices (hosts) that can access the fabric domain. See Configure
Host Onboarding.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Wireless.
Step 2 Under Wireless Interfaces, click +Add.
The New Interfaces window appears.
Step 3 In the Interfaces Name text box, enter the dynamic interface name.
Step 4 (Optional) In the VLAN ID text box, enter the VLAN ID for the interface. The valid range is from 0 to 4094.
Step 5 Click Ok.
The new interface appears under Wireless Interfaces.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Wireless.
Step 2 Under Wireless Radio Frequency Profile, click +Add RF.
The Wireless Radio Frequency window appears.
Step 3 In the Profile Name text box, enter the RF profile name.
Step 4 Use the On/Off button to select the radio band: 2.4 GHz or 5 GHz. If you have disabled one of the radios,
the base radio of the AP that you are going to configure this AP profile into will be disabled.
Step 5 Configure the following for the 2.4 GHz radio type:
• From the Parent Profile drop-down list, choose High, Medium (Typical), Low, or Custom. (The Data
Rate and Tx Configuration fields change depending on the parent profile selected. For example, if you
select High, it populates the profile configurations available in the device for 2.4 GHz. If you change
any settings in the populated Data Rate and Tx Configuration, the Parent Profile automatically changes
to Custom.) Note that a new RF profile is created only for the selected custom profiles.
Note Low, Medium (Typical), and High are the pre-canned RF profiles. If you select any of the
pre-canned RF profiles, the respective RF profiles that already exist on the device are used and
a new RF profile is not created on Cisco DNA Center.
• DCA dynamically manages channel assignment for an RF group and evaluates the assignments on a per
AP radio basis.
• Check the Select All check box to select DCA channels 1, 6, and 11. Alternatively, check the
individual check boxes adjacent to the channel numbers.
• Click Show Advanced to select the DCA channel numbers under the Advanced Options. Check
the Select All check box to select DCA channels that are under Advanced Options, or check the
check box adjacent to the individual channel numbers. The channel numbers that are available for B
profile are 2, 3, 4, 5, 7, 8, 9, 10, 12, 13, and 14.
Note You need to configure these channels globally on Cisco Wireless Controller.
• Use the Data Rate slider to set the rates at which data can be transmitted between an access point and
a client. The available data rates are 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, and 54.
• Under Tx Power Configuration, you can set the power level and power threshold for an AP.
• Power Level—To determine whether the power of an AP needs to be reduced or not. Reducing the
power of an AP helps mitigate co-channel interference with another AP on the same channel or in
close proximity. Use the Power Level slider to set the minimum and maximum power level. The
range is -10 to 30 dBm and the default is -10 dBm.
• Power Threshold—It is the cutoff signal level used by Radio Resource Management (RRM) to
determine whether to reduce the power of an AP or not. Use the Power Threshold slider to increase
and decrease the power value which causes the AP to operate at higher or lower transmit power
rates. The range is -50 dBm to 80 dBm and the default threshold is -70 dBm.
• RX SOP—Receiver Start of Packet Detection Threshold (RX SOP) determines the Wi-Fi signal
level in dBm at which an AP's radio demodulates and decodes a packet. From the RX SOP drop-down
list, choose High, Medium, Low, or Auto threshold values for each 802.11 band.
• From the Channel Width drop-down list, choose one of the channel bandwidth options: Best, 20 MHz,
40 MHz, 80 MHz, or 160 MHz.
• Set the DCA Channel to manage channel assignments:
Note You must configure the DCA channels globally on Cisco Wireless Controller.
• UNII-1 36-48—The channels available for UNII-1 band are: 36, 40, 44, and 48. Check the UNII-1
36-48 check box to include all channels or check the check box of the channels to select them
individually.
• UNII-2 52-144—The channels available for UNII-2 band are: 52, 56, 60, 64, 100, 104, 108, 112,
116, 120, 124, 128, 132, 136, 140, and 144. Check the UNII-2 52-144 check box to include all
channels or check the check box of the channels to select them individually.
• UNII-3 149-165—The channels available for UNII-3 band are: 149, 153, 157, 161, and 165. Check
the UNII-3 149-165 check box to include all channels or check the check box of the channels to
select them individually.
• Use the Data Rate slider to set the rates at which data can be transmitted between an access point and
a client. The available data rates are 6, 9, 12, 18, 24, 36, 48, and 54.
• Under Tx Power Configuration, you can set the power level and power threshold for an AP.
• Power Level—To determine whether the power of an AP needs to be reduced or not. Reducing the
power of an AP helps mitigate co-channel interference with another AP on the same channel or in
close proximity. Use the Power Level slider to set the minimum and maximum power level. The
range is -10 to 30 dBm and the default is -10 dBm.
• Power Threshold—It is the cutoff signal level used by Radio Resource Management (RRM) to
determine whether to reduce the power of an AP or not. Use the Power Threshold slider to increase
and decrease the power value which causes the AP to operate at higher or lower transmit power
rates. The range is -50 dBm to 80 dBm and the default threshold is -70 dBm.
• RX SOP—Receiver Start of Packet Detection Threshold (RX SOP) determines the Wi-Fi signal
level in dBm at which an AP's radio demodulates and decodes a packet. From the RX SOP drop-down
list, choose High, Medium, Low, or Auto threshold values for each 802.11 band.
Step 8 To mark a profile as a default RF profile, check the Profile Name check box and click Mark Default.
Procedure
Note To provision the Cisco Aironet 1800s Active Sensor with wired connection, enter any proxy name
and SSID (for example wired_xyz), and in the Level of Security area, choose Open.
Procedure
Step 4 In the IP Address field, enter the valid IP address of the CMX web UI.
Step 5 In the User Name and Password fields, enter the CMX web UI user name and password credentials.
Step 6 In the Admin User and Admin Password fields, enter the CMX admin user name and password credentials.
Note Make sure that CMX is reachable.
Step 8 If the CMX was down at the time you made changes, then you must synchronize manually. To do that, on
the Network Hierarchy page, click the gear icon next to the building or floor on which you made the changes
in the left tree pane, and then select Sync with CMX to push the changes manually.
If Clients Do Not Appear on the Cisco DNA Center Floor Map
• Check if the Cisco Wireless Controller on the particular floor is configured with CMX and is active.
• Check if the CMX UI shows clients on the floor map.
• Use the Cisco DNA Center Maps API to list the clients on the floor:
curl -k -u <user>:<password> -X GET /api/v1/dna-maps-service/domains/<floor group id>/clients?associated=true
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Wireless.
Step 2 In the left pane, choose Global if you are configuring native VLAN at the global level.
Step 3 Under Native VLAN, enter a value for the VLAN ID in the VLAN text box. The valid range is from 1 to
4094.
Step 4 Click Save.
Step 5 Configure the SSID and create a wireless network profile. Make sure that the FlexConnect Local Switching
check box on the Design > Network Settings > Wireless page is enabled. For more information, see the
Create SSIDs for an Enterprise Wireless Network, on page 119 and Create SSIDs for a Guest Wireless Network,
on page 121.
Step 6 For the saved VLAN ID to get configured on the wireless controller, you must provision the wireless controller
on the Provision page. For more information, see Provision a Cisco Wireless Controller, on page 222.
Step 7 After provisioning the wireless controller, you must provision the AP that is associated with the controller.
For more information, see Provision a Cisco AP—Day 1 AP Provisioning, on page 224.
Step 8 To override the native VLAN at the site, building, or floor level, in the left tree view menu, select the site,
building, or floor.
Step 9 Under Native VLAN, enter a value for the VLAN ID.
Step 10 Reprovision the wireless controllers and the associated access point.
Procedure
• Select L2 or L3 services.
• If you select L2, select the Type from the drop-down list, enter the VLAN ID/Allowed VLAN and the
Description.
• If you select L3, select the Protocol Routing from the drop-down list and enter the Protocol Qualifier.
• Click Next.
What to do next
1. Add Cisco WLC to a site. See Add Devices to Sites, on page 219.
2. Unclaimed Provisioning. See Network Plug and Play Use Cases, on page 39.
• Global settings—Settings defined here affect your entire network and include settings for servers such
as NTP, Syslog, SNMP Trap, NetFlow Collector, and so on, IP address pools, and device credential
profiles.
• Site settings—Settings defined here override global settings and can include settings for servers, IP address
pools, and device credential profiles.
Note Changes in network settings that are being used by the active fabric are not supported. These network settings
include site hierarchy, renaming IP pools, and a few other features.
Note Certain network settings can be configured on devices automatically using the Device Controllability feature.
When Cisco DNA Center configures or updates devices, the transactions are captured in the Cisco DNA
Center audit logs. You can use the audit logs to help you track changes and troubleshoot issues. For more
information about Device Controllability and Audit Logs, see the Cisco Digital Network Architecture Center
Administrator Guide.
You can define the following global network settings by choosing Design > Network Settings > Network.
• Network servers, such as AAA, DHCP, and DNS—For more information, see Configure Global Network
Servers, on page 143.
• Device credentials, such as CLI, SNMP, and HTTP(S)—For more information, see Configure Global
CLI Credentials, on page 134, Configure Global SNMPv2c Credentials, on page 136, Configure Global
SNMPv3 Credentials, on page 137, and Configure Global HTTPS Credentials, on page 138.
• IP address pools—For more information, see Configure IP Address Pools, on page 142.
• Wireless settings, such as SSIDs, wireless interfaces, and wireless radio frequency profiles—For more
information, see Configure Global Wireless Settings, on page 119.
CLI Credentials
You need to configure the CLI credentials of your network devices in Cisco DNA Center before you can run
a Discovery job.
These credentials are used by Cisco DNA Center to log in to the CLI of a network device. Cisco DNA Center
uses these credentials to discover and gather information about network devices. During the discovery process,
Cisco DNA Center logs in to the network devices using their CLI usernames and passwords and runs show
commands to gather device status and configuration information, and clear commands and other commands
to perform actions that are not saved in a device's configuration.
Note In Cisco DNA Center's implementation, only the username is provided in cleartext.
SNMPv2c Credentials
Simple Network Management Protocol (SNMP) is an application-layer protocol that provides a message
format for communication between SNMP managers and agents. SNMP provides a standardized framework
and a common language to monitor and manage network devices.
SNMPv2c is the community string-based administrative framework for SNMPv2. SNMPv2c does not provide
authentication or encryption (noAuthNoPriv level of security). Instead, it uses a community string as a type
of password that is typically provided in cleartext.
Note In Cisco DNA Center's implementation, SNMP community strings are not provided in cleartext for security
reasons.
You need to configure the SNMPv2c community string values before you can discover your network devices
using the Discovery function. The SNMPv2c community string values that you configure must match the
SNMPv2c values that have been configured on your network devices. You can configure up to five read
community strings and five write community strings in Cisco DNA Center.
If you are using SNMPv2 in your network, specify both the Read Only (RO) and Read Write (RW) community
string values to achieve the best outcome. If you cannot specify both, we recommend that you specify the RO
value. If you do not specify the RO value, Cisco DNA Center attempts to discover devices using the default
RO community string, public. If you specify only the RW value, Discovery uses the RW value as the RO
value.
SNMPv3 Credentials
The SNMPv3 values that you configure to use Discovery must match the SNMPv3 values that have been
configured on your network devices. You can configure up to five SNMPv3 values.
The security features provided in SNMPv3 are as follows:
• Message integrity—Ensures that a packet has not been tampered with in transit.
• Authentication—Determines if a message is from a valid source.
• Encryption—Scrambles a packet's contents to prevent it from being seen by unauthorized sources.
SNMPv3 provides for both security models and security levels. A security model is an authentication strategy
that is set up for a user and a user's role. A security level is the permitted level of security within a security
model. A combination of a security model and a security level determines which security mechanism is
employed when handling an SNMP packet.
The security level determines if an SNMP message needs to be protected from disclosure and if the message
needs to be authenticated. The various security levels that exist within a security model are as follows:
The following table describes the security model and level combinations:
HTTPS Credentials
HTTPS is a secure version of HTTP that is based on a special PKI certificate store. In Cisco DNA Center,
HTTPS is used to discover Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS)
devices only.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Device Credentials.
Step 2 With the Global site selected, in the CLI Credentials area, click Add.
Step 3 Enter information in the following fields:
Field Description
Step 5 If you are changing existing credentials, you are prompted to update the new credentials on devices now or
schedule the update for a later time.
• To update the new credentials now, click the Now radio button and click Apply.
• To schedule the update for a later time, click the Later radio button, define the date and time of the
update and click Apply.
Note Use the Time Zone check box to indicate whether you want the update to happen according
to the site time zone or according to a specified time zone.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Device Credentials.
Step 2 With the Global site selected, in the SNMP Credentials area, click Add.
Step 3 For the Type, click SNMP v2c and enter the following information:
Field Description
Note Passwords are encrypted for security reasons and are not displayed in the
configuration.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Device Credentials.
Step 2 With the Global site selected, in the SNMP Credentials area, click Add.
Step 3 For the Type, click SNMP v3 and enter the following information:
Field Description
Name/Description Name or description of the SNMPv3 settings that you are adding.
Mode Security level that an SNMP message requires. Choose one of the following modes:
• noAuthNoPriv—Does not provide authentication or encryption.
• AuthNoPriv—Provides authentication, but does not provide encryption.
• AuthPriv—Provides both authentication and encryption.
Auth Type Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as
the authentication mode.) Choose one of the following authentication types:
• SHA—Authentication based on HMAC-SHA.
• MD5—Authentication based on HMAC-MD5.
Auth Password SNMPv3 password used for gaining access to information from devices that use
SNMPv3. These passwords (or passphrases) must be at least 8 characters in length.
Note • Some wireless controllers require that passwords (or passphrases) be
at least 12 characters long. Be sure to check the minimum password
requirements for your wireless controllers. Failure to ensure these
required minimum character lengths for passwords results in devices
not being discovered, monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in
the configuration.
Privacy Type Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose
one of the following privacy types:
• DES—DES 56-bit (DES-56) encryption in addition to authentication based on
the CBC DES-56 standard.
• AES128—CBC mode AES for encryption.
• None—No privacy.
Privacy Password SNMPv3 privacy password that is used to generate the secret key for encrypting
messages that are exchanged with devices that support DES or AES128 encryption.
Passwords (or passphrases) must be at least 8 characters long.
Note • Some wireless controllers require that passwords (or passphrases) be
at least 12 characters long. Be sure to check the minimum password
requirements for your wireless controllers. Failure to ensure these
required minimum character lengths for passwords results in devices
not being discovered, monitored, or managed by Cisco DNA Center.
• Passwords are encrypted for security reasons and are not displayed in
the configuration.
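The SNMPv2c fallback rules and the SNMPv3 field rules described above can be checked before credentials are saved. The following Python is an added example, not Cisco DNA Center code: the class, function names, and finding labels are hypothetical, the sample passwords are constructed, and the warnings on MD5, DES, and unencrypted modes are this example's own judgement rather than product behaviour.

```python
"""Lint SNMP discovery credentials against the rules stated in this guide."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MIN_LEN = 8              # guide: passwords must be at least 8 characters
MIN_LEN_STRICT_WLC = 12  # guide: some wireless controllers require at least 12


@dataclass
class Snmpv3Credential:
    """Field names mirror the SNMPv3 table; the class itself is hypothetical."""
    name: str
    mode: str                               # noAuthNoPriv | AuthNoPriv | AuthPriv
    auth_type: Optional[str] = None         # SHA | MD5
    auth_password: Optional[str] = None
    privacy_type: Optional[str] = None      # DES | AES128 | None
    privacy_password: Optional[str] = None


def effective_ro_community(ro: Optional[str], rw: Optional[str]) -> Tuple[str, str]:
    """Return the read community Discovery ends up using, and why."""
    if ro:
        return ro, "configured RO value"
    if rw:
        return rw, "RW value used as RO"
    return "public", "default RO community string"


def lint_snmpv2c(ro: Optional[str], rw: Optional[str]) -> List[str]:
    findings: List[str] = []
    community, source = effective_ro_community(ro, rw)
    if source == "RW value used as RO":
        findings.append("WARN rw-as-ro: Discovery reads with the write community")
    if community == "public":
        findings.append(f"WARN public-community: Discovery reads with 'public' ({source})")
    return findings


def lint_snmpv3(cred: Snmpv3Credential, strict_wlc: bool = False) -> List[str]:
    """strict_wlc=True applies the 12-character minimum some controllers need."""
    min_len = MIN_LEN_STRICT_WLC if strict_wlc else MIN_LEN
    if cred.mode not in ("noAuthNoPriv", "AuthNoPriv", "AuthPriv"):
        return [f"ERROR bad-mode: unknown mode {cred.mode!r}"]
    if cred.mode == "noAuthNoPriv":
        return ["WARN no-auth: noAuthNoPriv provides no authentication or encryption"]

    findings: List[str] = []
    # Auth Type and Auth Password apply to AuthNoPriv and AuthPriv.
    if cred.auth_type not in ("SHA", "MD5"):
        findings.append("ERROR bad-auth-type: choose SHA or MD5")
    elif cred.auth_type == "MD5":
        findings.append("WARN weak-auth: HMAC-MD5 selected, prefer SHA where supported")
    if len(cred.auth_password or "") < min_len:
        findings.append(f"ERROR auth-password-short: need at least {min_len} characters")

    if cred.mode == "AuthNoPriv":
        findings.append("WARN no-priv: AuthNoPriv does not encrypt SNMP messages")
        return findings

    # Privacy Type and Privacy Password apply to AuthPriv only.
    if cred.privacy_type not in ("DES", "AES128", "None"):
        findings.append("ERROR bad-privacy-type: choose DES, AES128, or None")
    elif cred.privacy_type == "None":
        findings.append("WARN no-priv: AuthPriv with privacy type None gives no privacy")
    else:
        if cred.privacy_type == "DES":
            findings.append("WARN weak-priv: DES-56 selected, prefer AES128 where supported")
        if len(cred.privacy_password or "") < min_len:
            findings.append(f"ERROR priv-password-short: need at least {min_len} characters")
    return findings


if __name__ == "__main__":
    # Constructed sample credentials, not real secrets.
    legacy = Snmpv3Credential("legacy-wlc", "AuthPriv", "MD5", "abcd1234", "DES", "abcd1234")
    for line in lint_snmpv3(legacy, strict_wlc=True) + lint_snmpv2c(None, None):
        print(line)
```

An ERROR finding corresponds to a condition the guide says leaves devices undiscovered or unmanaged; a WARN finding is a hardening hint only.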
Step 1 From the Cisco DNA Center Home page, select Design > Network Settings > Device Credentials.
Step 2 With the Global site selected, in the HTTPS Credentials area, click Add.
Step 3 Enter the following information:
Field Description
Type Specifies the kind of HTTPS credentials you are configuring. Valid types are Read or
Write.
Note The password must contain at least one lower case, one upper case, one
digit, and a special character and must not contain < > @ ' , : ; ! or spaces.
For security reasons, enter the password again as confirmation. Passwords
are encrypted for security reasons and are not displayed in the configuration.
Guidelines and Limitations for Editing Global Device Credentials
The following are guidelines and limitations for editing existing global device credentials:
• When you edit global device credentials and then apply those changes, there are some device types for
which Cisco DNA Center does not support this operation. For a list of devices on which you can apply
edited global device credentials, click the Learn More link on the top of any Edit window from Design
> Network Settings > Device Credentials.
• Cisco DNA Center uses the following process when you edit, save, and then apply a global device
credential:
1. Cisco DNA Center pushes the credential to the device.
2. After successfully pushing the credential to the device, Cisco DNA Center confirms it can reach the
device using the new credential.
Note If this step fails, Inventory uses the old credentials to manage the device even
though Cisco DNA Center pushed the new credentials to the device. In this case,
the Provision > Devices > Inventory screen might indicate that the device is
Unmanaged if you updated an existing credential.
3. After successfully reaching the device using the new credential, the Cisco DNA Center Inventory
starts managing the device using the new credential.
• Sites can contain devices that use SNMPv2c and SNMPv3 credentials. When you edit and save global
SNMPv2c or SNMPv3 credentials, Cisco DNA Center pushes those changes to devices and enables that
credential. For example, if you have a device that uses SNMPv2c, but you edit and save the SNMPv3
global credential, Cisco DNA Center pushes the new SNMPv3 credential to all devices in the associated
site and enables it, meaning that all devices will be managed using SNMPv3, even the devices that
previously had SNMPv2c enabled.
• To avoid any possible disruptions, modify the User Name when you edit CLI Credentials. This creates
a new CLI credential and leaves any existing CLI credentials unchanged.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Device Credentials.
Step 2 With the Global site selected, select the device credential you want to change, then under the Actions column
on the right, click Edit.
Note When you edit global device credentials and then apply those changes, there are some device types
for which Cisco DNA Center does not support this operation. For a list of devices on which you
can apply edited global device credentials, click the Learn More link on the top of any Edit window
from Design > Network Settings > Device Credentials.
A status message appears indicating whether the device credential change was successful or if it failed.
Step 5 To view the status of the credential change, from the Cisco DNA Center home page, choose Provision >
Devices > Inventory.
The Credential Status column displays one of the following statuses:
• Success—Cisco DNA Center successfully applied the credential change.
• Failed—Cisco DNA Center was unable to apply the credential change. Hover your cursor over the icon
to display additional information about which credential change failed and why.
• Not Applicable—The credential is not applicable to the device type.
If you edited and saved more than one credential (for example, CLI, SNMP, and HTTPS), the Credential
Status column displays Failed if Cisco DNA Center was unable to apply any of the credentials. Hover your
cursor over the icon to display additional information about which credential change failed.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Device Credentials.
Step 2 Select a site from the hierarchy in the left pane.
Step 3 Select the credential you want to associate with the selected site, then click Save.
A success message appears at the bottom of the screen indicating the device credential was successfully
associated with the site.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > IP Address Pools.
Step 2 Click Add IP Pool and complete the required fields. If you have configured Cisco DNA Center to communicate
with an external IP address manager, you cannot create an IP pool that overlaps an existing IP address pool
in the external IP address manager.
Step 3 Click Overlapping to specify overlapping IP address pool groups, which allow different address spaces
to use the same IP addresses concurrently.
Step 4 Click Save.
Note When you edit an IP address pool and make DHCP changes, you do not need to reprovision devices
using that IP address pool.
Note The IP address pools cannot have subpools and cannot have any assigned IP addresses from the IP address
pool.
You must configure Cisco DNA Center to communicate with an external IP Address Manager. For more
information, see the Cisco Digital Network Architecture Center Administrator Guide.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > IP Address Pools.
Procedure
Step 1 From the Cisco DNA Center home page, select Design > Network Settings > SP Profiles.
Step 2 In the QoS area, click Add.
Step 3 In the Profile Name field, enter a name for the SP profile.
Step 4 From the WAN Provider drop-down list, choose a service provider.
Step 5 From the Model drop-down list, choose one of four class models: 4 class, 5 class, 6 class, and 8 class.
For a description of these classes, see Service Provider Profiles, on page 185.
Note You can override global network settings on a site by defining site-specific settings.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Network.
Step 2 In the DHCP Server field, enter the IP address of a DHCP server.
Note You must define at least one DHCP server in order to create IP address pools.
Step 3 In the DNS Server field, enter the domain name of a DNS server.
Note You must define at least one DNS server in order to create IP address pools.
Step 4 (Optional) You can enter Syslog, SNMP Trap, and NetFlow Collector server information. Click Add Servers
to add an NTP server.
Step 5 Click Save.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Network.
Step 2 Click Add Servers to add a AAA server.
Step 3 In the Add Servers window, check the AAA check box, and click OK.
Step 4 You can set the AAA server for network users or client/endpoint users or both.
Step 5 Check the Network and/or Client/Endpoint check boxes and configure servers and protocols for AAA server.
• Choose the Servers for authentication and authorization: ISE or Non-ISE.
• If you select ISE, configure the following:
Note AAA settings for a physical and managed site for a particular WLC should match, otherwise
the provisioning will fail.
From the Network drop-down list, select the IP address of the ISE server. The Network drop-down
list contains all the IP addresses of the Cisco ISE servers that are registered in System Settings on
the Cisco DNA Center Home page. Selecting an ISE IP populates primary and additional IP address
drop-down lists with Policy Service Nodes (PSN) IP addresses for the selected ISE. You can either
enter an IP address for the AAA server or select the PSN IP address from the IP Address (Primary)
and IP Address (Additional) drop-down lists.
• Note TACACS protocol is supported only for network users. If TACACS is selected for
clients/endpoint users, provisioning will fail.
Configuring Cisco Wireless Controller High Availability from Cisco DNA Center
Procedure
Step 1 From the Cisco DNA Center home page, choose Provision > Devices.
Step 2 Click WLC-1 to configure the device as a primary controller.
Step 3 Click the High Availability tab.
Step 4 Choose the Select Secondary WLC drop-down list.
Step 5 Enter the Redundancy Management IP and Peer Redundancy Management IP addresses in the respective
text boxes.
Note The IP addresses used for redundancy management IP and peer redundancy management IP should
be configured in the same subnet as the management interface of the Cisco Wireless Controller.
Ensure that these IP addresses are unused IP addresses within that subnet range.
• The management port of the active wireless controller is shared by both the active and standby wireless
controllers and points to the active wireless controller. The user interface, Telnet, and SSH do not work
on the standby wireless controller. You can use the console and service port interface to control the
standby wireless controller.
3. The management port of the active wireless controller is shared by both the controllers and points
to the active controller. The user interface, Telnet, and SSH on the standby wireless controller do not work.
You can use the console and service port interface to control the standby wireless controller.
Following are the commands that are sent to wireless controller 2 from the Cisco DNA Center:
• config interface address redundancy-management 198.51.100.yy peer-redundancy-management
198.51.100.xx
• config redundancy unit secondary
• config port adminmode all enable
• config redundancy mode sso
Use the following commands to verify the high availability configurations from the wireless controller:
• Run the config redundancy mode sso command to check the HA-related details.
• Run the show redundancy summary command to check the configured interfaces.
Create Projects
A project is a logical grouping of a set of templates.
Procedure
Step 1 From the Cisco DNA Center home page, choose Tools > Template Editor.
Step 2 In the left pane, click > Create Project.
Step 3 In the Add New Project window that is displayed, enter a name, description, and tags for the project in the
respective text boxes.
Step 4 Click Add to add the project.
The created project appears in the left pane.
What to do next
1. Create templates. See Create a Regular Template, on page 150.
Create Templates
Cisco DNA Center provides the following types of configuration templates. CLI templates allow you to choose
the elements in the configurations. Cisco DNA Center provides variables that you can replace with actual
values and logic statements.
• Regular templates
• Composite templates
• Make sure that you have Cisco WLC in your inventory. If not, discover Cisco WLC using the Discovery
function. For more information, see About Discovery, on page 11.
• Make sure that Cisco WLC is added to a site. For more information, see Add Devices to Sites, on page
219.
Procedure
Step 1 From the Cisco DNA Center home page, choose Tools > Template Editor.
Step 2 In the tree pane, select the project under which you are creating templates, and click the gear icon > Add
Templates or click > Add Templates located at the top of the left pane.
Step 3 In the Add New Template window that is displayed, click the Regular Template radio button.
Step 4 In the Name text box, enter a unique name for the template.
Step 5 In the Project Name text box, enter a unique name for the project.
The text box is enabled if you are navigating from the > Add Templates path. The text box is disabled if
you select a project, and click the gear icon > Add Templates in the tree pane.
Step 6 In the Description text box, enter a description for the template.
Step 7 In the Tags text box, enter an intuitive name to tag the templates. Tagging a configuration template helps
you to:
• Search a template using the tag name in the search field.
• Use the tagged template as a reference to configure more devices.
Step 8 If you are creating a template that applies only to a particular device type, from the Device Type drop-down
list, choose the device. The device types are displayed depending on your selection in the Device Type
drop-down list.
Step 9 From the Software Type drop-down list, choose the software type. You can select the specific software type
such as IOS-XE, IOS-XR, or NX-OS if there are commands specific to these software types. If you select the
software type as IOS, then the commands are applicable to all software types including IOS-XE, IOS-XR,
and NX-OS. This is used at the provisioning time to check whether the selected device is conforming to the
selection in the template.
Step 10 In the Software Version text box, enter the software version. During provisioning, Cisco DNA Center
checks whether the selected device has a software version similar to the one specified in the template. If there is
a mismatch, then the provision skips the template.
Step 11 Click Add to add the template. The template is created and is listed in the tree view menu under the project
you selected.
Step 12 You can edit the template content by selecting the template that you created in the left menu. To edit the
template content, see Edit Templates, on page 154.
Step 13 The Template Editor window opens where you can enter content for the template.
Step 14 To validate the template, from the Actions drop-down list, choose Check for errors.
The Cisco DNA Center checks for these errors and reports them:
• Velocity syntax error
• Conflicts with blacklisted commands
Step 15 To save the template content, from the Actions drop-down list, choose Save. You can use the Velocity
Template Language (VTL) to write the content in the template. For more information about using VTL, see
http://velocity.apache.org/engine/devel/vtl-reference.html.
After saving the template, Cisco DNA Center checks for any errors in the template. If there are any Velocity
syntax errors, then the template content is not saved and all the input variables that are defined in the template
are automatically identified during the save process. The local variables (variables that are used in for loops,
assigned through a set, and so on) are ignored.
Step 16 To commit the template, from the Actions drop-down list, choose Commit. You can see only the committed
templates in the network profile section.
,
at the top-right corner of the page to enter additional information to variables in the template.
What to do next
1. Edit templates. For more information about editing templates, see Edit Templates, on page 154.
2. Assign templates to profiles. For more information on assigning templates to profiles, see Create and
Associate Templates to Wireless Profiles, on page 158.
Blacklisted Commands
The blacklisted commands are the ones which are added to the blacklisted category. You can use these
commands only through the Cisco DNA Center applications. If you use blacklisted commands in your templates,
it shows a warning in the template that it may potentially conflict with some of the Cisco DNA Center
provisioning applications.
Use this query to find out the blacklisted commands which are part of the Cisco DNA Center: select commands
from cliconfigtree where sdnconfig_id in (select id from SDNConfig where classname like
'SPFServiceConfig').
Sample Templates
Configure Hostname
hostname $name
Configure Interface
interface $interfaceName
description $description
Procedure
Step 1 From the Cisco DNA Center home page, choose Tools > Template Editor.
Step 2 In the left pane, select the project under which you are creating the templates. Click the gear icon > Add
Templates or click > Add Templates located at the top of the left pane.
Step 3 In the Add New Template window that is displayed, click the Composite Template radio button to create
composite sequential templates.
Step 4 In the Name text box, enter a unique name for the template.
Step 5 In the Project Name text box, enter a unique name for the project.
The text box is enabled if you are navigating from the > Add Templates path. The text box is disabled if
you select a project, and click the gear icon > Add Templates in the tree pane.
Step 6 Enter a description for the template in the Description text box.
Step 7 Enter an intuitive name to tag the templates in the Tags text box. Tagging a configuration template helps you
to:
• Search a template using the tag name in the search field.
• Use the tagged template as a reference to configure more devices.
Step 8 If you are creating a template that applies only to a particular device type, from the Device Type drop-down
list, choose a device. The device types are displayed depending on what you select in the Device Type
drop-down list.
Step 9 From the Software Type drop-down list, choose the software type. You can select the specific software type
such as IOS-XE, IOS-XR, or NX-OS if there are commands specific to these software types. If you select the
software type as IOS, then the commands are applicable to all software types including IOS-XE, IOS-XR,
and NX-OS. This is used at the provisioning time to check whether the selected device is conforming to the
selection in the template.
Step 10 Enter the software version in the Software Version text box. During provisioning, Cisco DNA Center
checks whether the selected device has a software version similar to the one specified in the template. If there is
a mismatch, then the provision skips the template.
Step 11 Click Add. The composite template is created and is listed in the left menu under the project you selected.
Step 12 Click the composite template that you created in the tree view pane.
Step 13 The Template Editor window opens where you can drag and drop templates from the tree view pane to create
a sequence. The templates are deployed based on the order in which they are sequenced. You can change the
order of templates in the Template Editor window.
Note You can drag and drop those templates that have the same device type, software type, and software
version as that of the composite template.
Step 14 To abort the deployment process upon failure of the first template, select the first template in the Template
Editor window and check the Abort sequence on targets if deployment fails checkbox.
Step 15 From the Actions drop-down list, choose Commit to commit the template content.
What to do next
1. Assign templates to profiles. See Create and Associate Templates to Wireless Profiles, on page 158.
Edit Templates
After creating a template, you can edit the template to add content to it.
Procedure
Step 1 From the Cisco DNA Center home page, choose Tools > Template Editor.
Step 2 Select the template that you want to edit in the left tree pane.
The Template Editor window appears in the right pane.
Step 3 In the Template Editor window, enter the template content. You can have a template with a single-line
configuration or a multi-select configuration.
Note Velocity template framework restricts the use of variables starting with a number. Hence, you must
ensure that the variable name starts with a letter and not with a number.
Step 4 Validate the template by selecting Check for errors from the Actions drop-down list.
Cisco DNA Center checks for these errors and reports them:
• Velocity syntax error
• Conflicts with blacklisted commands
,
which is located in the top-right corner to bind variables in the template to network settings.
• Select the variables in the Input Form pane and click the Required check box to bind variables to the
network settings.
• From the Display drop-down list, choose the type of UI widget you want to create at the time of
provisioning: Text Field, Single Select, or Multi Select.
• To bind variables to network settings, select each variable in the Input Form, and check the Bind to
Source check box under Content in the right pane.
• Choose the Source, Entity, and Attributes from the respective drop-down lists.
• For the source type CommonSettings, you can choose one of these entities: dhcp.server,
syslog.server, snmp.trap.receiver, ntp.server, timezone.site, device.banner, dns.server,
netflow.collector.
• For the source type NetworkProfile, you can choose the entity type as SSID. The SSID entity that
is populated is defined under the Design > Network Profile page. The binding generates a
user-friendly SSID name, which is a combination of SSID name, site, and SSID category. From the
Attributes drop-down list, select the attribute for SSID:wlanid. This attribute is used during the
advanced CLI configurations at the time of template provisioning.
• For the source type Inventory, you can choose one of these entities: Device or Interface. For the
entity type Device and Interface the Attribute drop-down list shows the device or interface attributes.
• For the source type Inventory, you can choose one of these entities: Device, Interface, APGroup,
or FlexGroup. For the entity type Device and Interface the Attribute drop-down list shows the
device or interface attributes. The variable resolves to the APGroup and FlexGroup name that is
configured on the device to which the template is applied.
After binding variables to a common setting, when you assign templates to a wireless profile and provision
the template, the network settings that you have defined under Network Settings > Network
appear in the drop-down list. You must define these attributes under Network Settings > Network at
the time of designing your network.
Step 6 From the Actions drop-down list, choose Save to save the template content.
Step 7 From the Actions drop-down list, choose Commit to commit the template content.
What to do next
1. Assign templates to profiles and provision the template. See Create and Associate Templates to Wireless
Profiles, on page 158.
Template Simulation
The interactive template simulation allows you to simulate the CLI generation of templates by specifying test
data for variables before sending them to devices. You can save the test simulation results and use them in
the future if required.
Procedure
,
which is located in the top-right corner to run simulation on commands.
• From the Actions drop-down list, choose New Simulation. In the New Simulation window, enter a
name for the simulation, and click Submit.
• In the Simulation Input form, complete the required fields, and click Run. The results are displayed in
the Template Preview window.
Step 1 Select the template in the left tree pane. The template window opens.
Step 2 Click the Form Editor icon that is located in the top-right corner to add additional metadata to the template
variables. All the variables that are identified in the template are displayed. You can configure the following
metadata:
• Check the Required check box if this is a required variable during the provisioning. All the variables
by default are marked as Required, which means you must enter the value for this variable at the time
of provisioning. If the parameter is not marked as Required and if you do not pass any value to the
parameter, then it results in substituting with an empty string at run time. A missing variable value can produce
a command that is not syntactically correct and fails. If you want to make an entire command optional
based on a variable not marked as Required, then you should use an if-else block in the template.
• Enter the field name in the Field Name text box. This is the label that is used for the UI widget of each
variable during the provisioning.
• Enter the tooltip text that is displayed for each variable in the Tooltip text box.
• Enter the default value in the Default Value text box. This value appears during the provisioning as the
default value.
• Enter any instructional text in the Instructional Text text box. Instructional text appears within the UI
widget (for example, Enter the hostname here). The text within the widget is cleared when the user
clicks the widget to enter any text.
• Choose the data type from the Data Type drop-down list: String, Integer, IP Address, or Mac Address.
• Choose the type of UI widget you want to create at the time of provisioning from the Display Type
drop-down list: Text Field, Single Select, or Multi Select.
• Enter the number of characters that are allowed in the Maximum Characters text box. This is applicable
only for string data type.
Step 3 After configuring additional metadata information, from the Actions drop-down list, choose Save.
Step 4 After saving the template, you must version the template. You must version the template every time you make
changes to the template. To do that, from the Actions drop-down list, choose Commit. The Commit window
appears. You can enter a commit note in the Commit Note text box. However, the version numbers are
automatically generated by the system.
Step 5 To view the history, from the Actions drop-down list, select Show History to view previously created and
versioned templates. A pop-up window appears.
• Click View in the pop-up window to see the content of the old version.
• Click Edit in the pop-up window to edit the template.
Step 6 To view the old versions, from the Actions drop-down list, select
Variable Binding
While creating a template, it is possible to specify variables that are contextually substituted. Many of these
variables are available in the drop-down list in the template editor. In Cisco DNA Center Release 1.1, you
had to manually enter values for every variable that is defined in the template.
From Release 1.2 onwards, template editor provides an option to bind or use variables in the template with
the source object values either while editing or through the input form enhancements. For example, DHCP
server, DNS server, Syslog server, and so on.
The pre-defined object values can be one of the following:
• Inventory
• Device object
• Interface object
• Common Settings—Settings available under the Design > Network Settings > Network page. The
common settings variable binding resolves values that are based on the site to which the device belongs.
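The variable rules described above (input variables are identified at save time while #set and loop variables are ignored, names must start with a letter, and a variable not marked Required resolves to an empty string) can be checked before a template is committed. The following Python linter is an added example, not Cisco DNA Center code; lint_template, the one-directive-per-line assumption, the #if guard heuristic and the sample template are constructed for illustration.

```python
import re

_NAME = r"[A-Za-z][A-Za-z0-9_]*"
_REF = re.compile(r"\$!?\{?(" + _NAME + r")")       # $x, ${x}, $!x, $x.attr -> "x"
_DIGIT_REF = re.compile(r"\$!?\{?(\d\w*)")          # $1abc: not a valid variable
_DIRECTIVE = re.compile(r"#(if|elseif|else|end|set|foreach)\b")
_ASSIGN = re.compile(r"#(?:set|foreach)\s*\(\s*\$!?\{?(" + _NAME + r")")
BUILTINS = {"foreach", "velocityCount"}             # loop helpers Velocity provides

# Constructed sample template (not taken from the guide).
SAMPLE = """\
hostname $name
#set($mgmtVlan = 10)
#foreach($intf in $interfaces)
interface $intf
 description $description
#if($voiceVlan)
 switchport voice vlan $voiceVlan
#end
 switchport access vlan $mgmtVlan
#end
ntp server $1stNtp
"""


def lint_template(text, optional=()):
    """Return (input_variables, findings); findings are (line_number, message)."""
    optional = set(optional)
    local_vars = set(BUILTINS)
    inputs, findings, stack = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        for bad in _DIGIT_REF.findall(line):
            findings.append((lineno, "$%s starts with a digit" % bad))
        directive = _DIRECTIVE.match(line)
        kind = directive.group(1) if directive else None
        assigned = _ASSIGN.match(line)
        if assigned:                       # #set target or #foreach loop variable
            local_vars.add(assigned.group(1))
        refs = [r for r in _REF.findall(line) if r not in local_vars]
        for ref in refs:
            if ref not in inputs:
                inputs.append(ref)
        if kind == "if":
            stack.append(set(refs))        # variables tested by this #if
        elif kind == "foreach":
            stack.append(set())
        elif kind == "elseif" and stack:
            stack[-1] = set(refs)
        elif kind == "else" and stack:
            stack[-1] = set()              # the test failed in this branch
        elif kind == "end":
            if stack:
                stack.pop()
            else:
                findings.append((lineno, "#end without an open block"))
        if kind is None:                   # a line that is sent to the device
            guarded = set().union(*stack)
            for ref in refs:
                if ref in optional and ref not in guarded:
                    findings.append(
                        (lineno, "optional $%s used outside an #if that tests it" % ref))
    if stack:
        findings.append((0, "%d block(s) never closed with #end" % len(stack)))
    return inputs, findings


if __name__ == "__main__":
    variables, issues = lint_template(SAMPLE, optional={"description", "voiceVlan"})
    print("input variables:", variables)
    for lineno, message in issues:
        print("line %d: %s" % (lineno, message))
```

Pass as optional the variables whose Required check box is cleared in the Form Editor; each finding names the template line that would be sent with an empty value.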
Special Keywords
All commands executed through templates are always in the config t mode. Therefore, you do not have to
specify the enable or config t commands explicitly in the template.
Interactive Commands
Specify #INTERACTIVE if you want to execute a command where user input is required.
An interactive command contains the input that must be entered following the execution of a command. To
enter an interactive command in the CLI Content area, use the following syntax:
CLI Command<IQ>interactive question 1 <R> command response 1 <IQ>interactive question 2<R>command response 2
Where <IQ> and <R> tags are case-sensitive and must be entered in uppercase.
#INTERACTIVE
crypto key generate rsa general-keys <IQ>yes/no<R> no
#ENDS_INTERACTIVE
Note In response to the interactive command question after providing a response, if the newline character is not
required, you must enter the <SF> tag. Include one space before the <SF> tag. When you enter the <SF> tag,
the </SF> tag pops up automatically. You can delete the </SF> tag because it is not needed.
For example:
#INTERACTIVE
config advanced timers ap-fast-heartbeat local enable 20 <SF><IQ>Apply(y/n)?<R>y
#ENDS_INTERACTIVE
#MODE_ENABLE
#INTERACTIVE
mkdir <IQ>Create directory<R>xyz
#ENDS_INTERACTIVE
#MODE_END_ENABLE
Multiline Commands
If you want multiple lines in the CLI template to wrap, use the MLTCMD tags. Otherwise, the command is
sent line by line to the device. To enter multiline commands in the CLI Content area, use the following syntax:
<MLTCMD>first line of multiline command
second line of multiline command
...
...
last line of multiline command</MLTCMD>
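Because an #INTERACTIVE block answers device prompts on the operator's behalf, it helps to list those answers when a template is reviewed before commit. The following Python parser is an added example, not Cisco DNA Center code: it reads the #INTERACTIVE, #MODE_ENABLE and MLTCMD syntax shown above and reports each pre-answered prompt. The function names, the "config" and "enable" labels (the latter only marks lines inside the #MODE_ENABLE block from the guide's example) and the sample are constructed.

```python
import re

_CASED_TAG = re.compile(r"<(?:IQ|R)>", re.IGNORECASE)
_SF = re.compile(r"\s*</?SF>")

# Constructed sample: the guide's own example lines plus a banner and one
# deliberately wrong lowercase tag on the last line.
SAMPLE = """\
#INTERACTIVE
crypto key generate rsa general-keys <IQ>yes/no<R> no
config advanced timers ap-fast-heartbeat local enable 20 <SF><IQ>Apply(y/n)?<R>y
#ENDS_INTERACTIVE
#MODE_ENABLE
#INTERACTIVE
mkdir <IQ>Create directory<R>xyz
#ENDS_INTERACTIVE
#MODE_END_ENABLE
<MLTCMD>banner motd ^
Authorized use only
^</MLTCMD>
mkdir <iq>Create directory<R>abc
"""


def _interactive(line, mode):
    no_newline = bool(_SF.search(line))     # <SF>: no newline after the response
    command, *parts = _SF.sub("", line).split("<IQ>")
    prompts = []
    for part in parts:
        question, _, response = part.partition("<R>")
        prompts.append((question.strip(), response.strip()))
    return {"kind": "interactive", "mode": mode, "command": command.strip(),
            "prompts": prompts, "no_newline": no_newline}


def parse_template(text):
    """Return (steps, problems) for the special keywords in a CLI template."""
    steps, problems = [], []
    mode, interactive, multiline = "config", False, None
    lineno = 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        for tag in _CASED_TAG.findall(line):
            if tag != tag.upper():          # <IQ> and <R> are case-sensitive
                problems.append((lineno, "%s must be uppercase" % tag))
        if multiline is not None:           # inside <MLTCMD> ... </MLTCMD>
            multiline.append(line.replace("</MLTCMD>", ""))
            if "</MLTCMD>" in line:
                steps.append({"kind": "multiline", "mode": mode, "lines": multiline})
                multiline = None
            continue
        line = line.strip()
        if not line:
            continue
        if line == "#INTERACTIVE":
            interactive = True
        elif line == "#ENDS_INTERACTIVE":
            interactive = False
        elif line == "#MODE_ENABLE":
            mode = "enable"
        elif line == "#MODE_END_ENABLE":
            mode = "config"
        elif line.startswith("<MLTCMD>"):
            body = line[len("<MLTCMD>"):]
            if "</MLTCMD>" in body:
                steps.append({"kind": "multiline", "mode": mode,
                              "lines": [body.replace("</MLTCMD>", "")]})
            else:
                multiline = [body]
        elif "<IQ>" in line:
            if not interactive:
                problems.append((lineno, "<IQ> outside #INTERACTIVE block"))
            steps.append(_interactive(line, mode))
        else:
            steps.append({"kind": "command", "mode": mode, "text": line})
    if interactive:
        problems.append((lineno, "#INTERACTIVE without #ENDS_INTERACTIVE"))
    if multiline is not None:
        problems.append((lineno, "<MLTCMD> without </MLTCMD>"))
    return steps, problems


def auto_answers(steps):
    """List every prompt the template answers on the operator's behalf."""
    return [(s["mode"], s["command"], q, r)
            for s in steps if s["kind"] == "interactive"
            for q, r in s["prompts"]]


if __name__ == "__main__":
    parsed, issues = parse_template(SAMPLE)
    for row in auto_answers(parsed):
        print("auto-answer:", row)
    for lineno, message in issues:
        print("line %d: %s" % (lineno, message))
```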
Procedure
Step 1 Choose Design > Network Profiles, and click Add Profile.
There are three types of profiles available:
• Routing & NFV—Select this to create a routing and NFV profile. See Routing &NFC for more
information.
• Switching—Select this to create a switching profile.
• Enter the Profile Name.
• Click +Add and select the device type and template from the Device Type and Template drop-down
lists.
Note If you do not see the template that you need, create a new template in Template Editor as
described in Create a Regular Template, on page 150.
• Click Save.
• Wireless—Select this to create a wireless profile. Before assigning wireless network profile to a template,
ensure that you have created wireless SSIDs.
• Enter the Profile Name.
• Click + Add SSID. The SSIDs that were created under Network Settings > Wireless are
populated.
• Under Attach Template(s) area, select the template you want to provision from the Template
drop-down list.
• Click Save to save the profile.
• Click Next.
• The Advanced Configuration window appears. The templates associated with the site through the
network profile appear in the advanced configuration.
• Use the Find feature to quickly search for the device by entering the device name or expand the
templates folder and select the template in the left pane. In the right pane, select values for those
attributes which are bound to source from the drop-down lists.
• To export the template variables into a CSV file while deploying the template, click Export in the
right pane. You can use the CSV file to make necessary changes in the variable configuration and
import it into DNA Center at a later time by clicking Import in the right pane.
• Click Next to deploy the template. You are prompted to deploy the template now or to schedule it to a
later time.
• To deploy the template now, click the Now radio button and click Apply. To schedule the template
deployment for a later date and time, click the Later radio button and define the date and time of the
deployment.
The Status column in the Device Inventory window shows SUCCESS after a successful deployment.
Procedure
Step 1 From the Cisco DNA Center home page, click Command Runner in Tools.
The Command Runner window appears.
Step 2 From the Select one or more device(s) drop-down list, choose a device or devices on which to run diagnostic
CLI commands.
A Device List with your selection appears.
Step 3 Either select another device to add to the list or click your selected device or devices to close them.
Note Although the device list displays everything available in inventory, Command Runner is not supported
for wireless access points and Cisco Meraki devices. If you choose an access point device or Cisco
Meraki device, a warning message appears, stating that no commands will be executed on them.
Step 4 In the Add a Command field, enter a CLI command and click Add.
Step 5 Click Run Command(s).
If successful, a Command(s) executed successfully message appears.
Step 6 Click the command displayed underneath the device to view the command output.
The complete command output is then displayed in the Command Runner window.
Step 7 Click Copy CLI to copy the command output to your clipboard so that you can paste it to a text file, if
necessary.
Step 8 Click Previous Page to return to the previous window.
Note If necessary, click the x symbol next to a device name to remove the device from the device list.
Similarly, click the x symbol next to a command to remove the command from the command list.
About Telemetry
The Telemetry tool allows you to configure and apply profiles on devices for monitoring and assessing their
health.
Note By default, the Disable-Telemetry profile is configured by Network Data Platform (NDP) on all the interfaces
on all the capable devices.
Procedure
Step 1 From the Cisco DNA Center home page, choose Telemetry from the Tools area.
The Telemetry window appears.
Step 2 Click the Site View tab and check to see if network devices are listed in this window.
Note After configuring telemetry profiles, you will have to return to this window and apply the telemetry
profiles to your devices.
What to do next
Proceed to apply the telemetry profile or profiles to your network devices. Use the Telemetry Site View
options and fields to accomplish this task.
Procedure
Step 1 From the Cisco DNA Center home page, choose Telemetry from the Tools area.
The Telemetry window appears.
Step 4 Check the check box next to the Device Name of a device to add a telemetry profile to that device.
Step 5 From the Actions drop-down list, choose a telemetry profile.
Step 6 From the Show drop-down list, choose the telemetry profile that you applied in Step 5.
The device should appear in the filtered list, along with any other devices that have also been configured with
the same telemetry profile.
What to do next
Access the Cisco DNA Assurance application and review both Assurance Health and Assurance Issues to
check the health of your network devices.
Policy Overview
Cisco DNA Center enables you to create policies that reflect your organization's business intent for a particular
aspect of the network, such as network access. Cisco DNA Center takes the information collected in a policy
and translates it into network-specific and device-specific configurations required by the different types,
makes, models, operating systems, roles, and resource constraints of your network devices.
Using Cisco DNA Center, you can create virtual networks, access control policies, and traffic copy policies.
Policy Dashboard
The Policy Dashboard window shows the number of virtual networks, group-based access control policies,
IP-based access control policies, traffic copy policies, scalable groups, and IP network groups that you have
created. In addition, it shows the number of policies that have failed to deploy.
The Policy Dashboard window provides a list of policies and the following information about each policy:
• Policy Name—Name of policy.
• Policy Type—Type of policy. Valid types are Access Control and Traffic Copy.
• Policy Version—Iteration of policy. Each time a policy is changed and saved, it is incremented by one
version. For example, when you create a policy and save, the policy is at Version 1. If you change the
policy and save it again, the version of the policy is incremented to Version 2.
• Modified By—User who modified the particular version of a policy.
• Description—Word or phrase that identifies a policy.
Note Cisco DNA Center does not support access control policies with logging as an action. Therefore, Cisco ISE
does not propagate any such policies to Cisco DNA Center.
Depending on your organization's configuration and its access requirements and restrictions, you can segregate
the scalable groups into different virtual networks to provide further segmentation.
A group-based access control policy has two main components:
• Scalable Groups—Scalable groups comprise a grouping of users, end-point devices, or resources that
share the same access control requirements. These groups (known in Cisco ISE as security groups) are
defined in Cisco ISE. A scalable group may have as few as one item (one user, one end-point device, or
one resource) in it.
• Access Contract—An access contract is a common building block that is used in both group-based and
IP-based access control policies. It defines the rules that make up the access control policies. These rules
specify the actions (permit or deny) performed when traffic matches a specific port or protocol and the
implicit actions (permit or deny) performed when no other rules match.
Before you can create group-based access control policies, make sure that Cisco ISE is integrated with Cisco
DNA Center. Verify that the scalable groups have been propagated to Cisco DNA Center from Cisco ISE.
To do this, from the Cisco DNA Center home page, choose Policy > Group-Based Access Control > Scalable
Groups. You should see scalable groups populated under the Scalable Groups tab. If you do not see any
scalable groups, verify if Cisco ISE is integrated correctly. For more information, see the Cisco Digital Network
Architecture Center Installation Guide.
After you create a group-based access control policy, Cisco DNA Center translates the policy into an SGACL,
which is ultimately deployed on a device.
The following sample procedure describes the process of authentication and access control that a user
experiences after logging in to the network:
1. A user connects to a port on a switch and provides credentials.
2. The switch contacts Cisco ISE.
3. Cisco ISE authenticates the user and downloads the SGACLs to the port to which the user is connected.
4. The user is granted or denied access to specific users or devices (servers) based on the access granted in
the SGACLs.
Procedure
Step 1 (Optional) Create virtual networks. Depending on your organization's configuration and its access requirements
and restrictions, you can segregate your groups into different virtual networks to provide further segmentation.
For more information, see Create a Virtual Network, on page 217.
Step 2 (Optional) Create scalable groups. After you integrate Cisco DNA Center with Cisco ISE, the scalable groups
that exist in Cisco ISE are propagated to Cisco DNA Center. If a scalable group that you need does not exist,
you can create it in Cisco ISE.
For more information, see Create a Group-Based Scalable Group, on page 169.
Step 3 Create an access control contract. A contract defines a set of rules that dictate the action (allow or deny) that
network devices perform based on the traffic matching particular protocols or ports.
For more information, see Create a Group-Based Access Control Contract, on page 170.
Step 4 Create a group-based access control policy. The access control policy defines the access control contract that
governs traffic between source and destination scalable groups.
For information, see Create a Group-Based Access Control Policy, on page 171.
Note You cannot edit or delete scalable groups from Cisco DNA Center; you need to perform these tasks from
Cisco ISE. After you delete a scalable group from Cisco ISE, the scalable group name is not removed from
the Cisco DNA Center policy dashboard. Instead, the Cisco DNA Center policy dashboard displays the scalable
group in red text to indicate that it has been deleted.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Group-Based Access Control > Scalable Groups.
All of the scalable groups that have been created in Cisco ISE are displayed.
Step 3 In Cisco ISE, create scalable groups (called security groups in Cisco ISE).
For more information, see the Cisco Identity Services Engine Administrator Guide.
Step 1 From the Cisco DNA Center home page, choose Policy > Group-Based Access Control > Access Contract.
Step 2 Click Add Contract.
Step 3 In the dialog box, enter a name and description for the contract.
Step 4 From the Implicit Action drop-down list, choose either Deny or Permit.
Step 5 From the Action drop-down list in the table, choose either Deny or Permit.
Step 6 From the Port/Protocol drop-down list, choose a port or protocol.
a) If Cisco DNA Center does not have the port or protocol that you need, click Add Port/Protocol to create
your own.
b) In the Name field, enter a name for the port or protocol.
c) From the Protocol drop-down list, choose UDP, TCP, or TCP/UDP as the protocol.
d) In the Port Range field, enter the port range.
e) If you want Cisco DNA Center to configure the port or protocol as defined, and not report any conflicts,
check the Ignore Conflict check box.
Step 7 (Optional) To include more rules in your contract, click Add and repeat Step 5 and Step 6.
Step 8 Click Save.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Group-Based Access Control > Access Contracts.
Step 2 Check the check box next to the contract that you want to edit or delete, and do one of the following tasks:
• To make changes to the contract, click Edit, make the changes, and click Save. For field definitions,
see Create a Group-Based Access Control Contract, on page 170.
Note If you make changes to a contract that is used in a policy, you need to deploy the modified
policy by choosing Policy > Group-Based Access Control > Group-Based Access Control
Policies, checking the check box next to the policy name, and clicking Deploy.
Step 1 From the Cisco DNA Center home page, choose Policy > Group-Based Access Control > Group-Based
Access Control Policies.
Step 2 Click Add Policy. The Add Policy dialog box is displayed.
Step 3 In the Policy Name field, enter the name of the policy. The name can be up to 255 alphanumeric characters
in length, including hyphens (-) and underscore (_) characters.
Step 4 In the Description field, enter a word or phrase that identifies the policy.
Step 5 In the Contract field, click Add Contract.
The Contract field has rules that govern the network interaction between the source and destination scalable
groups.
Step 6 In the dialog box, click the radio button next to the contract that you want to use.
Step 7 Alternatively, you can select the permit (permit all traffic) or deny (deny all traffic) contract.
Step 8 Check the Enable Policy check box if the policy is not active.
If you uncheck the Enable Policy check box, the policy is disabled and it is saved only to Cisco DNA Center.
The policy is not synchronized with Cisco ISE or deployed in the network.
Step 9 Check the Enable Bi-directional check box to enable the contract for traffic flowing in both directions (from
the source to the destination and from the destination to the source).
If you want the traffic to flow only from the source to the destination, uncheck the Enable Bi-directional
check box.
Step 10 To define the source scalable groups, drag and drop the scalable groups from the Available Security Groups
area to the Source Scalable Groups area.
Step 11 To define the destination scalable groups, drag and drop the scalable groups from the Available Security
Groups area to the Destination Scalable Groups area.
Step 12 Click Save.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Group-Based Access Control > Group-Based
Access Control Policies.
Step 2 Check the check box next to the policy that you want to edit or delete.
Step 3 Do one of the following tasks:
• To make changes, click Edit, make the changes, and click Save. For field definitions, see Create a
Group-Based Access Control Policy, on page 171.
Note If you make changes to the policy, deploy the modified policy by checking the check box next
to the policy name, and clicking Deploy.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Group-Based Access Control > Group-Based
Access Control.
Step 2 Locate the policy that you want to deploy.
Step 3 Check the check box next to the policy.
Step 4 Click Deploy.
You are prompted to deploy your policy immediately or to schedule it for a later time.
Note The site time zone setting is not supported for scheduling application policy deployments.
Note Editing an IP network group on the Policy > IP Based Access Control window
is possible without Cisco ISE. But the creation of IP network groups from the IP
Based Access Control window requires Cisco ISE.
• Make sure you have defined the following global network settings and provisioned the device:
• Network servers, such as AAA, DHCP, and DNS Servers—(See Configure Global Network Servers,
on page 143.)
• Device credentials such as CLI, SNMP, HTTP, and HTTPS credentials—(See About Global Device
Credentials, on page 134.)
• IP address pools—(See Configure IP Address Pools, on page 142.)
• Wireless settings such as SSIDs, wireless interfaces, and wireless radio frequency profiles—(See Configure
Global Wireless Settings, on page 119.)
• Provision devices—(See Provisioning, on page 219.)
Procedure
Step 3 Create an IP-based access control policy. The access control policy defines the access control contract that
governs traffic between the source and destination IP network groups.
For more information, see Create an IP-Based Access Control Policy, on page 176.
Note You can override global network settings on a site by defining site-specific settings.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > Network.
Step 2 In the DHCP Server field, enter the IP address of a DHCP server.
Note You must define at least one DHCP server in order to create IP address pools.
Step 3 In the DNS Server field, enter the domain name of a DNS server.
Note You must define at least one DNS server in order to create IP address pools.
Step 4 (Optional) You can enter Syslog, SNMP Trap, and NetFlow Collector server information. Click Add Servers
to add an NTP server.
Step 5 Click Save.
Step 1 From the Cisco DNA Center home page, choose Policy > IP Based Access Control > IP Network Groups.
Step 2 Click Add Groups.
Step 3 In the Name field, enter a name for the IP network group.
Step 4 In the Description field, enter a word or phrase that describes the IP network group.
Step 5 In the IP Address or IP/CIDR field, enter the IP addresses that make up the IP network group.
Step 6 Click Save.
Step 1 From the Cisco DNA Center home page, choose Policy > IP Based Access Control > IP Network Groups.
Step 2 In the IP Network Groups table, check the check box next to the group that you want to edit or delete.
Step 3 Do one of the following tasks:
• To make changes to the group, click Edit. For field definitions, see Create an IP Network Group, on
page 175.
• To delete the group, click Delete and then click Yes to confirm.
Step 1 From the Cisco DNA Center home page, choose Policy > IP Based Access Control > Access Contract.
Step 2 Click Add Contract.
Step 3 In the dialog box, enter a name and description for the contract.
Step 4 From the Implicit Action drop-down list, choose either Deny or Permit.
Step 5 From the Action drop-down list in the table, choose either Deny or Permit.
Step 6 From the Port/Protocol drop-down list, choose a port or protocol.
a) If Cisco DNA Center does not have the port or protocol that you need, click Add Port/Protocol to create
your own.
b) In the Name field, enter a name for the port or protocol.
c) From the Protocol drop-down list, choose UDP, TCP, or TCP/UDP as the protocol.
d) In the Port Range field, enter the port range.
e) If you want Cisco DNA Center to configure the port or protocol as defined, and not report any conflicts,
check the Ignore Conflict check box.
Step 7 (Optional) To include more rules in your contract, click Add and repeat Step 5 and Step 6.
Step 8 Click Save.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > IP-Based Access Control > Access Contract.
Step 2 Check the check box next to the contract that you want to edit or delete and do one of the following tasks:
• To make changes to the contract, click Edit, make the changes, and click Save. For field definitions,
see Create an IP-Based Access Control Contract, on page 175.
Note If you make changes to a contract that is used in a policy, you need to deploy the modified
policy by choosing Policy > IP-Based Access Control > IP-Based Access Control Policies,
checking the check box next to the policy name, and clicking Deploy.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > IP Based Access Control > IP Based Access
Control Policies.
Step 2 Click Add Policy.
Step 3 Complete the following fields:
Field Description
SSID Lists FlexConnect SSIDs and non-FlexConnect SSIDs that were created during
the design of SSIDs. If the selected SSID is configured in a FlexConnect mode,
then the access policy is configured in FlexConnect mode. Otherwise, it will be
configured in a regular way.
Note If an SSID is part of one policy, that SSID will not be available for
another policy.
A valid site-SSID combination is required for policy deployment. You
will not be able to deploy a policy if the selected SSID is not
provisioned under any devices.
Site Scope Sites to which a policy is applied. If you configure a wired policy, the policy is
applied to all wired devices in the site scope. Likewise, if you configure a wireless
policy for a selected service set identifier (SSID), the policy is applied to all of
the wireless devices with the SSID defined in the scope. For more information,
see Site Scope, on page 180.
Source Origin of the traffic that is affected by the contract. From the SearchSource
drop-down list, choose an IP network group. If the IP network that you want is
not available, click +Group to create one.
Contract Rules that govern the network interaction between the source and destination in
an ACL. Click Add Contract to define the contract for the policy. In the dialog
box, click the radio button next to the contract that you want to use. Alternatively,
you can select the permit (permit all traffic) or deny (deny all traffic) contract.
Destination Target of the traffic that is affected by the contract. From the SearchDestination
drop-down list, choose an IP network group. If the IP network that you want is
not available, click +Create IP Network Group to create one.
Direction Configures the relationship of the traffic flow between the source and destination.
To enable the contract for traffic flowing from the source to the destination, select
One-Way. To enable the contract for traffic flowing in both directions (from the
source to the destination and from the destination to the source), select
Bi-directional.
Step 6 (Optional) To reorder the sequence of the rules, drag and drop a rule in the order you want.
Step 7 Click Deploy.
The success message "IP-Based Access Control Policy has been created and deployed successfully"
is displayed. Depending on the SSID selected, either a FlexConnect policy or a standard policy is created with
different levels of mapping information and deployed. The Status of the policy is shown as DEPLOYED.
A wireless icon next to the Policy Name shows that the deployed access policy is a wireless policy.
Note If you edit a policy, the policy's state changes to MODIFIED on the IP Based Access Control Policies
window. A modified policy is considered to be stale because it is inconsistent with the policy that was deployed
in the network. To resolve this situation, you need to redeploy the policy to the network.
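How a deployed contract treats a given flow depends on the order of its rules and on the implicit action. The following Python model is an added example, not Cisco DNA Center code; it assumes first-match rule evaluation, that the implicit action applies to traffic that no rule matches, and that a bidirectional policy applies the same rules to the destination port in both directions. The addresses, groups, and rules are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "PERMIT" or "DENY", as in the Action drop-down list
    protocol: str  # "TCP", "UDP" or "TCP/UDP"
    low: int       # first port of the port range
    high: int      # last port of the port range (inclusive)

    def protocols(self):
        return set(self.protocol.split("/"))

    def matches(self, protocol, port):
        return protocol in self.protocols() and self.low <= port <= self.high


@dataclass(frozen=True)
class Contract:
    implicit_action: str  # applied when no rule matches (assumed semantics)
    rules: tuple          # ordered; the sequence decides which rule wins


@dataclass(frozen=True)
class Policy:
    source: tuple         # IP network group: IP or IP/CIDR entries
    destination: tuple    # IP network group: IP or IP/CIDR entries
    contract: Contract
    bidirectional: bool = False


def in_group(ip, group):
    """True if ip falls inside any entry of an IP network group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(entry, strict=False) for entry in group)


def evaluate(policy, src_ip, dst_ip, protocol, dst_port):
    """Return PERMIT, DENY, or NOT_IN_SCOPE for one flow (assumed first-match model)."""
    forward = in_group(src_ip, policy.source) and in_group(dst_ip, policy.destination)
    reverse = (policy.bidirectional
               and in_group(src_ip, policy.destination)
               and in_group(dst_ip, policy.source))
    if not (forward or reverse):
        return "NOT_IN_SCOPE"
    for rule in policy.contract.rules:
        if rule.matches(protocol, dst_port):
            return rule.action
    return policy.contract.implicit_action


def shadowed_rules(contract):
    """List (rule position, position of the earlier rule that covers it), 1-based.

    A rule is shadowed when an earlier rule matches every protocol and port it
    matches, so it can never decide a flow until the rules are reordered.
    """
    findings = []
    for j, later in enumerate(contract.rules):
        for i, earlier in enumerate(contract.rules[:j]):
            if (later.protocols() <= earlier.protocols()
                    and earlier.low <= later.low and later.high <= earlier.high):
                findings.append((j + 1, i + 1))
                break
    return findings


# Constructed sample data (not taken from the guide).
SOURCE_GROUP = ("10.10.1.0/24",)
DEST_GROUP = ("10.20.0.10", "10.20.5.0/28")
CONTRACT = Contract("DENY", (
    Rule("PERMIT", "TCP", 22, 22),
    Rule("DENY", "TCP/UDP", 1, 1023),
    Rule("PERMIT", "UDP", 53, 53),  # never reached: rule 2 already covers UDP 53
))
ONE_WAY = Policy(SOURCE_GROUP, DEST_GROUP, CONTRACT)
BIDIRECTIONAL = Policy(SOURCE_GROUP, DEST_GROUP, CONTRACT, bidirectional=True)

if __name__ == "__main__":
    flows = [
        (ONE_WAY, "10.10.1.5", "10.20.0.10", "TCP", 22),
        (ONE_WAY, "10.10.1.5", "10.20.5.3", "UDP", 53),
        (ONE_WAY, "10.10.1.5", "10.20.0.10", "TCP", 3389),
        (ONE_WAY, "10.20.0.10", "10.10.1.5", "TCP", 22),
        (BIDIRECTIONAL, "10.20.0.10", "10.10.1.5", "TCP", 22),
    ]
    for policy, src, dst, proto, port in flows:
        print(src, "->", dst, proto, port, evaluate(policy, src, dst, proto, port))
    print("shadowed rules:", shadowed_rules(CONTRACT))
```

Running the shadow check before clicking Deploy shows which rules need to be dragged to a different position for the contract to behave as intended.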
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > IP Based Access Control > IP Based Access
Control Policies.
Step 2 Check the check box next to the policy that you want to edit or delete and do one of the following tasks:
• To make changes, click Edit. When you are done, click Save. For field definitions, see Create an IP-Based
Access Control Policy, on page 176.
• To delete the policy, click Delete.
Step 3 If you make changes to the policy, deploy the modified policy by checking the check box next to the policy
name and clicking Deploy.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > IP Based Access Control > IP Based Access
Control Policy.
Step 2 Locate the policy that you want to deploy.
Step 3 Check the check box next to the policy.
Step 4 Click Deploy.
You are prompted to deploy your policy immediately or to schedule it for a later time.
• To schedule the policy deployment for a later date and time, click the Schedule Later radio button and
define the date and time of the deployment.
Note The site time zone setting is not supported for scheduling application policy deployments.
Application Policies
Quality of Service (QoS) refers to the ability of a network to provide preferential or deferential service to
selected network traffic. By configuring QoS, you can ensure that network traffic is handled in such a way
that makes the most efficient use of network resources while still adhering to the objectives of the business,
such as guaranteeing that voice quality meets enterprise standards, or ensuring a high Quality of Experience
(QoE) for video.
You can configure QoS in your network using application policies in Cisco DNA Center. Application policies
comprise these basic parameters:
• Application Sets—Sets of applications with similar network traffic needs. Each application set is assigned
a business relevance group (business relevant, default, or business irrelevant) that defines the priority of
its traffic. QoS parameters in each of the three groups are defined based on Cisco Validated Design
(CVD). You can modify some of these parameters to more closely align with your objectives. For more
information, see Applications and Application Sets, on page 180.
• Site Scope—Sites to which an application policy is applied. If you configure a wired policy, the policy
is applied to all the wired devices in the site scope. Likewise, if you configure a wireless policy for a
selected service set identifier (SSID), the policy is applied to all of the wireless devices with the SSID
defined in the scope. For more information, see Site Scope, on page 180.
Cisco DNA Center takes all of these parameters and translates them into the proper device CLI commands.
When you deploy the policy, Cisco DNA Center configures these commands on the devices defined in the
site scope.
Note Cisco DNA Center configures QoS policies on devices based on the QoS feature set available on the device.
For more information about a device’s QoS implementation, see the corresponding device's product
documentation.
http://www.ciscopress.com/store/end-to-end-qos-network-design-quality-of-service-for-9781587143694. For
additional information, see the following Cisco documentation:
• Cisco Validated Designs
• Enterprise Medianet Quality of Service Design 4.0
• Medianet Campus QoS Design 4.0
• Medianet WAN Aggregation QoS Design 4.0
Site Scope
A site scope defines the sites to which an application policy is applied. When defining a policy, you configure
whether a policy is for wired or wireless devices. You also configure a site scope. If you configure a wired
policy, the policy is applied to all the wired devices in the site scope. Likewise, if you configure a wireless
policy for a selected service set identifier (SSID), the policy is applied to all of the wireless devices in the site
scope with the SSID defined in the scope.
This allows you to make tradeoffs as necessary to compensate for differences in the behaviors between wired
and wireless network segments. For example, wireless networks typically have lower bandwidth, lower speed,
and increased packet loss in comparison to wired networks. Individual wireless segments may exhibit further
variation due to local conditions of RF interference, congestion, and other factors, such as the varying
capabilities of network devices. The ability to apply per-segment policies to individual wireless segments
enables the adjustment of traffic-handling rules to ensure that the highest-priority traffic is least affected by
degradation of the wireless network.
Business-Relevance Groups
A business-relevance group classifies a given application set according to how relevant it is to your business
and operations.
The business-relevance groups are business relevant, default, and business irrelevant, and they essentially
map to three types of traffic: high priority, neutral, and low priority.
• Business Relevant—(High-priority traffic) The applications in this group directly contribute to
organizational objectives and, as such, may include a variety of applications, including voice, video,
streaming and collaborative multimedia applications, database applications, enterprise resource
applications, email, file-transfers, content distribution, and so on. Applications designated as
business-relevant are treated according to industry best-practice recommendations, as prescribed in
Internet Engineering Task Force (IETF) RFC 4594.
• Default—(Neutral traffic) This group is intended for applications that may or may not be business-relevant.
For example, generic HTTP/HTTPS traffic may contribute to organizational objectives at times, while
at other times such traffic may not. You may not have insight into the purpose of some applications (for
instance, legacy applications or even newly deployed applications), so the traffic flows for these
applications should be treated with the Default Forwarding service, as described in IETF RFC 2747 and
4594.
• Business Irrelevant—(Low-priority traffic) This group is intended for applications that have been
identified to have no contribution towards achieving organizational objectives. They are primarily
consumer- and/or entertainment-oriented in nature. We recommend that this type of traffic be treated as
a "Scavenger" service, as described in IETF RFC 3662 and 4594.
Applications are grouped into application sets and sorted into business-relevance groups. You can include an
application set in a policy as-is, or you can modify it to meet the needs of your business objectives and your
network configuration.
For example, YouTube is a member of the consumer-media application set, which is business-irrelevant (by
default), because most customers typically classify this application this way. However, this classification may
not be true for all companies; for example, some businesses may be using YouTube for training purposes.
In such cases, an administrator can move the YouTube application into the streaming-video application set,
which is business relevant by default.
Setting up this relationship allows you to configure specific service levels for traffic matching this scenario.
Relevant | VoIP1 | Expedited Forwarding (EF) | Priority Queuing (PQ) | VoIP telephony (bearer-only) traffic, for example, Cisco IP phones.
| Signaling | CS3 | BW Queue and DSCP | Control-plane traffic for the IP voice and video telephony infrastructure.
Custom Applications
Custom applications are applications that you add to Cisco DNA Center. An orange bar is displayed next to
custom applications to distinguish them from the standard NBAR2 applications and application sets. For wired
devices, you can define applications based on server name, IP address and port, or URL. You cannot define
custom applications for wireless devices.
When you define an application according to its IP address and port, you can also define a DSCP value and
port classification.
To simplify the configuration process, you can define an application based on another application that has
similar traffic and service-level requirements. Cisco DNA Center copies the other application's traffic class
settings to the application that you are defining.
Cisco DNA Center does not configure ACLs for port numbers 80, 443, and 8080 even if they are defined as
part of a custom application. If the custom application has a transport IP defined, Cisco DNA Center configures
the application on the devices.
Note For a custom application to be programmed on devices when a policy is deployed, you must assign the custom
application to one of the application sets defined in the policy.
Favorite Applications
Cisco DNA Center allows you to flag applications that you want to configure on devices before all other
applications, except custom applications. Flagging an application as a favorite helps to ensure that the QoS
policies for your favorite applications get configured on devices. For more information, see Processing Order
for Devices with Limited Resources, on page 188.
Although there is no limit to the number of applications that you can mark as favorite, designating only a
small number of favorite applications, for example, less than 25, helps to ensure that these applications are
treated correctly from a business-relevance perspective in deployments with network devices that have limited
ternary content addressable memory (TCAM).
Favorite applications can belong to any business-relevance group or traffic class and are configured
system-wide, not on a per-policy basis. For example, if you flag the Cisco Jabber video application as a
favorite, the application is flagged as a favorite in all policies.
Keep in mind that not only can business-relevant applications be flagged as favorites, even business irrelevant
applications can be flagged as such. For example, if an administrator notices a lot of unwanted Netflix traffic
on the network, the administrator might choose to flag Netflix as a favorite application (despite it being assigned
as business irrelevant). In this case, Netflix will be programmed into the device policies before other
business-irrelevant applications, ensuring that the business intent of controlling this application is realized.
Voice EF Yes 10 —
Default 0 — — 31
Voice EF Yes 10 —
Video AF41 — — 34
Voice EF Yes 10 —
Default 0 — — 30
Network-Control Management CS6 — — 5
Scavenger CS1 — — 1
Voice EF Yes 10 —
Default 0 — — 25
Queuing Profiles
Queuing profiles allow you to define an interface's bandwidth allocation based on the interface speed and the
traffic class.
Note Queuing profiles do not apply to WAN-facing interfaces that are connected to a service provider profile.
If the speed of an interface falls between two interface speeds, Cisco DNA Center treats the interface at the
lower interface speed.
Note Cisco DNA Center attempts to detect the operational speed of the interface in order to apply the correct policy.
However, if a switch port is administratively down, Cisco DNA Center cannot detect the speed. In this case,
Cisco DNA Center uses the interface's supported speed.
You define a queuing policy as part of an application policy. When you deploy the application policy, the
devices in the sites that are selected in the site scope are configured with the assigned LAN queuing policy.
If no LAN queuing policy is assigned, the application policy uses the default CVD queuing policy.
If you change the queuing policy in an application policy that has already been deployed, the policy becomes
stale, and you need to redeploy the policy for the changes to be configured on the devices.
Note the following additional guidelines and limitations of queuing policies:
• You cannot delete a LAN queuing profile if it is used in a policy.
• If you update a queuing profile that is associated with a policy, the policy is marked as stale. You need
to redeploy the policy to provision the latest changes.
• Traffic class queuing customization does not affect interfaces on Cisco service provider switches and
routers. You should continue to configure these interfaces without using Cisco DNA Center.
Voice 10%
Network control 3%
Signaling 2%
OAM 2%
Bulk Data 4%
Scavenger 1%
1. Rank—Number assigned to custom and favorite applications, but not to existing, default NBAR
applications. The lower the rank number, the higher the priority. For example, an application with rank
1 has a higher priority than an application with rank 2, and so on. Having no rank is the lowest priority.
2. Traffic Class—Priority based on the following order: Signaling, Bulk Data, Network Control, Operations
Administration Management (Ops Admin Mgmt), Transactional Data, Scavenger, Multimedia Streaming,
Multimedia Conferencing, Real Time Interactive, Broadcast Video, and VoIP Telephony.
3. Popularity—Number (1–10) that is based on CVD criteria. The popularity number cannot be changed.
An application with a popularity of 10 has a higher priority than an application with a popularity of 9,
and so on.
4. Alphabetization—If two or more applications have the same rank and popularity number, they are sorted
alphabetically by the application’s name, and assigned a priority accordingly.
For example, let us assume that you define a policy that has the following applications:
• Custom application, custom_realtime, which has been assigned rank 1 and popularity 10 by default.
• Custom application, custom_salesforce, which has been assigned rank 1 and popularity 10 by default.
• Application named corba-iiop, which is in the transactional data traffic class, and you have designated
as a favorite, giving that application a ranking of 10,000 and popularity of 9 (based on CVD).
• Application named gss-http, which is in the Ops Admin Mgmt traffic class, and you have designated as
a favorite, giving that application a ranking of 10,000 and popularity of 10 (based on CVD).
• All other, default NBAR applications, which have no rank, but will be processed according to their traffic
class and default popularity (based on CVD).
According to the prioritization rules, the applications are configured on the device in this order:
1. Custom application, custom_realtime
2. Custom application, custom_salesforce
Custom applications are given highest priority. Given that the custom_salesforce and custom_realtime
applications have the same rank and popularity, they are sorted alphabetically, custom_realtime before
custom_salesforce.
5. All other, default NBAR applications
All other applications are next and are prioritized according to traffic class and then popularity, with
the applications having the same popularity being alphabetized according to the application’s name.
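The four criteria above can be written as one sort key and applied to the applications in this example. The following Python code is an added example, not Cisco DNA Center code: the traffic class given to the two custom applications, the two unranked NBAR entries (sip and ftp) with their popularity values, and the one-entry-per-application capacity model are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Traffic-class precedence in the order listed on this page (first = processed first).
TRAFFIC_CLASS_ORDER = [
    "SIGNALING", "BULK_DATA", "NETWORK_CONTROL", "OPS_ADMIN_MGMT",
    "TRANSACTIONAL_DATA", "SCAVENGER", "MULTIMEDIA_STREAMING",
    "MULTIMEDIA_CONFERENCING", "REAL_TIME_INTERACTIVE",
    "BROADCAST_VIDEO", "VOIP_TELEPHONY",
]


@dataclass(frozen=True)
class App:
    name: str
    traffic_class: str
    popularity: int              # 1-10, fixed by CVD criteria
    rank: Optional[int] = None   # None = default NBAR application (no rank)


def sort_key(app):
    """Rank, then traffic class, then popularity, then name."""
    if app.traffic_class not in TRAFFIC_CLASS_ORDER:
        raise ValueError(f"unknown traffic class: {app.traffic_class}")
    if not 1 <= app.popularity <= 10:
        raise ValueError(f"popularity out of range for {app.name}")
    unranked = app.rank is None          # having no rank is the lowest priority
    return (
        unranked,
        0 if unranked else app.rank,     # lower rank number = higher priority
        TRAFFIC_CLASS_ORDER.index(app.traffic_class),
        -app.popularity,                 # popularity 10 beats popularity 9
        app.name.lower(),                # final tie-break: alphabetical
    )


def processing_order(apps):
    """Names of the applications in the order they are configured on a device."""
    return [a.name for a in sorted(apps, key=sort_key)]


def split_by_capacity(apps, capacity):
    """Split the ordered list into (programmed, skipped) for a device that can
    hold only `capacity` applications (assumed: one entry per application)."""
    ordered = processing_order(apps)
    return ordered[:capacity], ordered[capacity:]


# Applications from the example on this page. Values marked "assumed" or
# "constructed" are not stated in the guide.
EXAMPLE_APPS = [
    App("corba-iiop", "TRANSACTIONAL_DATA", popularity=9, rank=10000),
    App("ftp", "BULK_DATA", popularity=8),                 # constructed NBAR default
    App("custom_salesforce", "TRANSACTIONAL_DATA", 10, rank=1),  # class assumed
    App("gss-http", "OPS_ADMIN_MGMT", popularity=10, rank=10000),
    App("sip", "SIGNALING", popularity=9),                 # constructed NBAR default
    App("custom_realtime", "TRANSACTIONAL_DATA", 10, rank=1),    # class assumed
]

if __name__ == "__main__":
    for position, name in enumerate(processing_order(EXAMPLE_APPS), start=1):
        print(position, name)
    programmed, skipped = split_by_capacity(EXAMPLE_APPS, capacity=4)
    print("programmed:", programmed)
    print("skipped:", skipped)
```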
Policy Drafts
When you create a policy, you can save it as a draft without having to deploy it. Saving it as a draft allows
you to open the policy later and make changes to it. You can also make changes to a deployed policy, and save
it as a draft.
Note After you save or deploy a policy, you cannot change its name.
Draft policies and deployed policies are related to one another, but they have their own versioning, as follows:
When you save a policy as a draft, Cisco DNA Center appends the policy name with (Draft), and increments
the version number. When you deploy a policy, Cisco DNA Center increments the version number of the
deployed policy.
For example, as shown in the figure below, you create a policy named testPolicy1 and save it as a draft. The
policy is saved as testPolicy1 (Draft), version number 1. You make a change to the draft and save it again.
The policy has the same name, testPolicy1 (Draft), but its version number is incremented to 2.
You decide you like the policy, and you deploy it to the network. The policy is deployed with the name
testPolicy1 and its version number is 1. You make a change to the deployed policy and save it as a draft. The
draft policy, testPolicy1 (Draft) is incremented to version number 3. When you ultimately deploy that version,
testPolicy1 is incremented to version 2.
Any time you modify and save either a draft policy or a deployed policy, the draft policy version number is
incremented. Similarly, any time you deploy either a draft policy or a modified deployed policy, the deployed
policy version is incremented.
Just as with deployed policies, you can display the history of draft policies and roll them back to previous
versions.
For more information about viewing the history of policy versions and rolling back to a previous version, see
Policy Versioning, on page 192.
Policy Preview
Before you deploy a policy, you can generate the CLI that will be applied to a device.
The Preview operation generates the CLI commands for a policy, compares them with the CLI commands in
the running configuration on the device, and returns only the remaining CLI commands that are required to
configure the policy on the device.
After reviewing the preview output, you can deploy the policy to all of the devices in the scope, or you can
continue to make changes to the policy.
Policy Precheck
When you create an application policy, you can verify if it will be supported on the devices in the site scope
before you deploy it. The precheck function verifies if the device type, model, line cards, and software images
support the application policy that you created. If any of these components are not supported, Cisco DNA
Center reports a failure for the device. Cisco DNA Center also provides possible ways to correct the failures.
If these remedies do not fix the failure, you can remove the device from the site scope.
If you deploy the application policy as-is, the policy will fail to deploy on the devices that reported a failure
during the precheck process. To avoid the failure, you can remove the device from the site scope or update
the device components to a level that the application policy supports. For a list of supported devices, see the
Cisco Digital Network Architecture Center Supported Devices document.
Policy Scheduling
After you create or change a policy, you can deploy or redeploy the policy to the devices associated with it.
You can deploy or redeploy a policy immediately or at a specific date and time, for example, on a weekend
during off-peak hours. You can schedule a policy deployment for wired or wireless devices.
After you have scheduled a policy to be deployed, the policy and site scope are locked. You can view the
policy, but you cannot edit it. If you change your mind about deploying the policy, you can cancel it.
Note When the scheduled event occurs, the policy is validated against the various policy components, for example,
applications, application sets, and queuing profiles. If this validation fails, the policy changes are lost.
Policy Versioning
Policy versioning allows you to do the following tasks:
• Compare a previous version to the current (latest) one to see the differences.
• Display previous versions of a policy and select a version to reapply to the devices in a site scope.
Editing one version of a policy does not affect other versions of that policy or the components of the policy,
such as the application sets that the policy manages. For example, deleting an application set from a policy
does not delete the application set from Cisco DNA Center, other versions of that policy, or even other policies.
Because policies and application sets exist independent of each other, it is possible to have a policy version
that contains application sets that no longer exist. If you attempt to deploy or roll back to an older version of
a policy that references an application set that no longer exists, an error occurs.
Note Policy versioning does not capture changes to applications (such as rank, port, and protocol), application set
members, LAN queuing profiles, and sites.
Note Because the Modular QoS CLI policies are not deleted from the device, if you remove these policies, you will
not be able to restore them using the Cisco DNA Center original policy restore feature.
When you restore the original policy configuration onto a device, Cisco DNA Center removes the existing
policy configuration that you deployed and reverts to the original configuration that was on the device.
Any Modular QoS CLI policy configurations that existed before you deployed application policies are reattached
to the interfaces. However, queuing policies, such as multilayer switching (MLS) configurations, are not
restored; instead, the devices retain the MLS configurations that were last applied through Cisco DNA Center.
After you restore the original policy configuration to the device, the policy that is stored in Cisco DNA Center
is deleted.
Note the following additional guidelines and limitations for this feature:
• If the first attempt to deploy a policy to a device fails, Cisco DNA Center automatically attempts to
restore the original policy configurations onto the devices.
• If a device is removed from an application policy after that policy has been applied to the device, the
policy remains on the device. Cisco DNA Center does not automatically delete the policy or restore the
QoS configuration on the device to its original (pre-Cisco DNA Center) configuration.
a second device has the same WLAN, but it is configured as a fabric SSID. When you perform a
Learn Config, only one SSID name is learned. The other SSID name from the other device is
discarded. This behavior can cause conflicts especially if the second device supports only fabric
SSID names, but Cisco DNA Center is trying to perform operations on the device with non-fabric
SSID names.
• IPACL Policy—When deploying an IPACL policy, Cisco DNA Center randomly applies the policy
to only one of the duplicate SSIDs. In addition, scenarios involving Flex Connect are also impacted.
• Cisco DNA Center does not recommend out-of-band (OOB) changes to device configurations. If you
make OOB changes, the policy in Cisco DNA Center and the one configured on the device become
inconsistent. The two policies remain inconsistent until you deploy the policy from Cisco DNA Center
to the device again.
• The QoS trust functionality cannot be changed.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Applications.
Step 2 Use the Search, Show, or View By fields to locate the application that you want to change.
Step 3 Click the application name.
Step 4 In the dialog box, change one or both settings:
• Traffic Class—Choose a traffic class from the drop-down list. Valid traffic classes are
BROADCAST_VIDEO, BULK_DATA, MULTIMEDIA_CONFERENCING,
MULTIMEDIA_STREAMING, NETWORK_CONTROL, OPS_ADMIN_MGMT,
REAL_TIME_INTERACTIVE, SIGNALING, TRANSACTIONAL_DATA, VOIP_TELEPHONY.
• Application Set—Choose an application set from the drop-down list. Valid application sets are
authentication-services, backup-and-storage, collaboration-apps, consumer-browsing,
consumer-file-sharing, consumer-gaming, consumer-media, consumer-misc, consumer-social-networking,
database-apps, desktop-virtualization, email, enterprise-ipc, file-sharing, generic-browsing, generic-media,
generic-misc, generic-tunneling, intranet-apps, naming-services, network-control, network-management,
remote-access, saas-apps, signaling, software-development-tools, software-updates, streaming-media.
Procedure
Step 1 From the Cisco DNA Center home page, click Policy > Application > Applications.
Step 2 Click Add Application.
Step 3 In the dialog box, complete the following fields:
Field Description
Application name Name of the custom application. The name can contain up to 24 alphanumeric
characters, including underscores and hyphens. The underscore and hyphen
characters are the only special characters allowed in the application name.
Type Method by which users access the application. Choose Server Name for
applications that are accessible through a server.
Similar To Application with the similar traffic-handling requirements. Click the radio-button
to select this option, then select an application from the drop-down field. Cisco
DNA Center copies the other application's traffic class to the application that you
are defining.
Traffic Class Traffic class to which the application belongs. Valid values are BULK_DATA,
TRANSACTIONAL_DATA, OPS_ADMIN_MGMT, NETWORK_CONTROL,
VOIP_TELEPHONY, MULTIMEDIA_CONFERENCING,
MULTIMEDIA_STREAMING, BROADCAST_VIDEO,
REAL_TIME_INTERACTIVE, and SIGNALING.
Application Set Application set that you want the application to reside. Valid application sets are
authentication-services, backup-and-storage, collaboration-apps,
consumer-browsing, consumer-file-sharing, consumer-gaming, consumer-media,
consumer-misc, consumer-social-networking, database-apps,
desktop-virtualization, email, enterprise-ipc, file-sharing, generic-browsing,
generic-media, generic-misc, generic-tunneling, intranet-apps, naming-services,
network-control, network-management, remote-access, saas-apps, signaling,
software-development-tools, software-updates, streaming-media.
Procedure
Step 1 From the Cisco DNA Center home page, click Policy > Application > Applications.
Step 2 Click Add Application.
Step 3 In the dialog box, provide the necessary information in the following fields:
Field: Description
Application name: Name of the custom application. The name can contain up to 24 alphanumeric
    characters, including underscores and hyphens. The underscore and hyphen characters are the
    only special characters allowed in the application name.
Type: Method by which users access the application. Choose Server IP/Port for applications that
    are accessible through an IP address and port.
DSCP: Differentiated Services Code Point (DSCP) value. Check the DSCP check box and define a
    DSCP value. If you do not define a value, the default value is Best Effort. Best-effort
    service is essentially the default behavior of the network device without any QoS.
IP/Port Classifiers: Classification of traffic based on IP address, protocol, and port number.
    Check the IP/Port Classifiers check box to define the IP address or subnet, protocol, and
    port or port range for an application. Valid protocols are IP, TCP, UDP, and TCP/UDP. If you
    select the IP protocol, you do not define a port number or range.
    Click to add more classifiers.
Similar To: Application with similar traffic-handling requirements. Click the radio button to
    select this option, then select an application from the drop-down field. Cisco DNA Center
    copies the other application's traffic class to the application that you are defining.
Traffic Class: Traffic class to which the application belongs. Valid values are BULK_DATA,
    TRANSACTIONAL_DATA, OPS_ADMIN_MGMT, NETWORK_CONTROL, VOIP_TELEPHONY,
    MULTIMEDIA_CONFERENCING, MULTIMEDIA_STREAMING, BROADCAST_VIDEO, REAL_TIME_INTERACTIVE,
    and SIGNALING.
Application Set: Application set in which you want the application to reside. Valid application
    sets are authentication-services, backup-and-storage, collaboration-apps, consumer-browsing,
    consumer-file-sharing, consumer-gaming, consumer-media, consumer-misc,
    consumer-social-networking, database-apps, desktop-virtualization, email, enterprise-ipc,
    file-sharing, generic-browsing, generic-media, generic-misc, generic-tunneling, intranet-apps,
    naming-services, network-control, network-management, remote-access, saas-apps, signaling,
    software-development-tools, software-updates, streaming-media.
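The field rules listed above (name length and characters, type, traffic class, application set, DSCP, and IP/Port classifiers) can be checked before a definition is entered in the dialog box. The following Python check is an added example, not part of Cisco DNA Center or of this guide; the dictionary keys and both sample applications are constructed for illustration, and the DSCP bound of 0 to 63 is the range this guide gives for DSCP values.

```python
import ipaddress
import re

# Allowed values copied from the field descriptions in this guide.
TRAFFIC_CLASSES = {
    "BROADCAST_VIDEO", "BULK_DATA", "MULTIMEDIA_CONFERENCING",
    "MULTIMEDIA_STREAMING", "NETWORK_CONTROL", "OPS_ADMIN_MGMT",
    "REAL_TIME_INTERACTIVE", "SIGNALING", "TRANSACTIONAL_DATA",
    "VOIP_TELEPHONY",
}
APPLICATION_SETS = set("""
    authentication-services backup-and-storage collaboration-apps
    consumer-browsing consumer-file-sharing consumer-gaming consumer-media
    consumer-misc consumer-social-networking database-apps
    desktop-virtualization email enterprise-ipc file-sharing generic-browsing
    generic-media generic-misc generic-tunneling intranet-apps naming-services
    network-control network-management remote-access saas-apps signaling
    software-development-tools software-updates streaming-media
""".split())
APP_TYPES = {"Server Name", "Server IP/Port", "URL"}
PROTOCOLS = {"IP", "TCP", "UDP", "TCP/UDP"}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,24}")


def parse_ports(text):
    """Return (low, high) for '443' or '8000-8100'; raise ValueError otherwise."""
    parts = str(text).split("-")
    if len(parts) not in (1, 2):
        raise ValueError(f"not a port or port range: {text!r}")
    low, high = int(parts[0]), int(parts[-1])
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"port range out of order or out of bounds: {text!r}")
    return low, high


def check_classifier(index, classifier):
    """Check one IP/Port classifier; return a list of (field, problem) tuples."""
    where = f"classifiers[{index}]"
    problems = []
    try:
        ipaddress.ip_network(classifier.get("ip", ""), strict=False)
    except ValueError:
        problems.append((where, "ip is not a valid address or subnet"))
    protocol, ports = classifier.get("protocol"), classifier.get("ports")
    if protocol not in PROTOCOLS:
        problems.append((where, f"protocol must be one of {sorted(PROTOCOLS)}"))
    elif protocol == "IP" and ports is not None:
        problems.append((where, "the IP protocol takes no port or port range"))
    elif ports is not None:
        try:
            parse_ports(ports)
        except ValueError:
            problems.append((where, f"bad port or port range: {ports!r}"))
    return problems


def validate_application(app, custom_sets=()):
    """Return every rule violation in a custom application definition."""
    problems = []
    if not NAME_RE.fullmatch(str(app.get("name", ""))):
        problems.append(("name", "1-24 characters: letters, digits, '_' and '-'"))
    if app.get("type") not in APP_TYPES:
        problems.append(("type", f"must be one of {sorted(APP_TYPES)}"))
    traffic_class = app.get("traffic_class")
    if traffic_class is None and not app.get("similar_to"):
        problems.append(("traffic_class", "set a traffic class or Similar To"))
    elif traffic_class is not None and traffic_class not in TRAFFIC_CLASSES:
        problems.append(("traffic_class", f"unknown value {traffic_class!r}"))
    # custom_sets: names of application sets created by the administrator.
    if app.get("application_set") not in APPLICATION_SETS | set(custom_sets):
        problems.append(("application_set", "unknown application set"))
    if app.get("type") == "Server IP/Port":
        dscp = app.get("dscp")  # None means the default, Best Effort
        if dscp is not None and not (isinstance(dscp, int) and 0 <= dscp <= 63):
            problems.append(("dscp", "must be an integer from 0 to 63"))
        for index, classifier in enumerate(app.get("classifiers", [])):
            problems.extend(check_classifier(index, classifier))
    return problems


# Constructed sample definitions (hypothetical applications and addresses).
SAMPLE_OK = {
    "name": "hvac-telemetry_01", "type": "Server IP/Port",
    "traffic_class": "TRANSACTIONAL_DATA", "application_set": "intranet-apps",
    "dscp": 18,
    "classifiers": [{"ip": "10.20.30.0/24", "protocol": "TCP", "ports": "8000-8100"},
                    {"ip": "10.20.31.5", "protocol": "IP"}],
}
SAMPLE_BAD = {
    "name": "billing portal (prod) frontend v2", "type": "Server IP/Port",
    "traffic_class": "TRANSACTIONAL", "application_set": "intranet-apps",
    "dscp": 64,
    "classifiers": [{"ip": "10.20.30.0/24", "protocol": "IP", "ports": "443"},
                    {"ip": "10.20.30.300", "protocol": "TCP", "ports": "9000-8000"}],
}

if __name__ == "__main__":
    for field, problem in validate_application(SAMPLE_BAD):
        print(f"{field}: {problem}")
```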
Procedure
Step 1 From the Cisco DNA Center home page, click Policy > Application > Applications.
Step 2 Click Add Application. The dialog box is displayed.
Field: Description
Application name: Name of the custom application. The name can contain up to 24 alphanumeric
    characters, including underscores and hyphens. The underscore and hyphen characters are the
    only special characters allowed in the application name.
Type: Method by which users access the application. Choose URL for applications that are
    accessible through a URL.
Similar To: Application with similar traffic-handling requirements. Click the radio button to
    select this option, then select an application from the drop-down field. Cisco DNA Center
    copies the other application's traffic class to the application that you are defining.
Traffic Class: Traffic class to which the application belongs. Valid values are BULK_DATA,
    TRANSACTIONAL_DATA, OPS_ADMIN_MGMT, NETWORK_CONTROL, VOIP_TELEPHONY,
    MULTIMEDIA_CONFERENCING, MULTIMEDIA_STREAMING, BROADCAST_VIDEO, REAL_TIME_INTERACTIVE,
    and SIGNALING.
Application Set: Application set in which you want the application to reside. Valid application
    sets are authentication-services, backup-and-storage, collaboration-apps, consumer-browsing,
    consumer-file-sharing, consumer-gaming, consumer-media, consumer-misc,
    consumer-social-networking, database-apps, desktop-virtualization, email, enterprise-ipc,
    file-sharing, generic-browsing, generic-media, generic-misc, generic-tunneling, intranet-apps,
    naming-services, network-control, network-management, remote-access, saas-apps, signaling,
    software-development-tools, software-updates, streaming-media.
Note You cannot delete a custom application that is directly referenced by an application policy. Application policies
typically reference application sets and not individual applications. However, if a policy has special definitions
for an application (such as a consumer or producer assignment or bidirectional bandwidth provisioning), the
policy has a direct reference to the application. As such, you must remove the special definitions or remove
the reference to the application entirely before you can delete the application.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Applications.
Step 2 Use the Search, Show, or View By fields to locate the application that you want to change.
Step 3 To edit the application:
a) Click the application name and make the required changes. For information about the fields, see Create
a Server Name-Based Custom Application, on page 195, Create an IP Address and Port-Based Custom
Application, on page 195, or Create a URL-Based Custom Application, on page 197.
b) Click OK.
Step 4 To delete the application: Click in the application box and then click OK to confirm.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Sets.
Step 2 Use the Search, Show, or View By fields to locate the applications or application sets that you want to change.
Step 3 Click the down arrow to display the applications in the set. Use the scroll bar to view all of the applications.
Step 4 Drag and drop applications from one application set to another.
Note You can select, drag, and drop multiple applications at a time.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Sets.
Step 2 Click Add Application Set.
Step 3 In the dialog box, enter a name for the new application set.
Cisco DNA Center creates the new application set; however, it will have no applications in it.
Note You cannot delete a custom application set that is referenced by an application policy. You must remove the
application set from the policy before you delete the application set.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Sets.
Step 2 Use the Search, Show, or View By fields to locate the application set that you want to change.
Step 3 Do one of the following:
• To edit the application set, drag and drop applications into or out of the application set. Click OK to
confirm each change.
• To delete the application set, click in the application set box and then click OK to confirm.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Applications.
Step 2 Locate the application that you want to mark as a favorite.
Step 3 Click .
Prerequisites
To configure Application policies, make sure that you address the following requirements:
• Cisco DNA Center supports most Cisco LAN, WAN, and WLAN devices. To verify whether the
devices and software versions in your network are supported, see Cisco Digital Network Architecture
Center Supported Devices.
• Make sure that your Cisco network devices, such as the ISR-G2, the ASR 1000, and Wireless LAN
Controller, have the AVC (Application Visibility and Control) feature license installed. For information,
see the NBAR2 (Next Generation NBAR) Protocol Pack FAQ.
• For Cisco DNA Center to identify the WAN interfaces that need policies, you must specify the interface
type (WAN), and optionally, its subline rate and service-provider Class-of-Service model. For more
information, see Assign a Service Provider Profile to a WAN Interface, on page 211.
• Verify that the device roles that were assigned to devices during the Discovery process are appropriate
for your network. If necessary, change the device roles that are not appropriate. For more information,
see Change Device Role (Inventory), on page 75.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Click Add Policy.
Step 3 In the Application Policy Name field, enter a name for the policy.
Step 4 Click either the Wired or Wireless radio button.
Step 5 Click Site Scope and check the check box next to the sites where you want to deploy the policy.
Note For policies of wired devices, you cannot select a site that is already assigned to another policy. For
policies of wireless devices, you cannot select a site that is already assigned to another policy with
the same SSID.
Step 6 For policies of wired devices, you can exclude devices or specific interfaces from being configured with the
policy:
a) From the Site Scope pane, click next to the site you are interested in.
A list of devices in the selected scope is displayed.
b) Locate the device that you want to exclude and click the toggle button in the corresponding Policy
Exclusions column.
c) To exclude specific interfaces, click Exclude Interfaces and .
d) From the list of interfaces, click the toggle button in the Exclude from Policy column next to the interfaces
that you want to exclude.
e) Click < Back to Devices in Site-Name.
f) Click < Back to Site Scope.
Step 7 For WAN devices, you can configure specific interfaces:
a) From the Site Scope pane, click next to the site you are interested in.
b) From the list of devices in the site, click Configure in the SP Profile Settings column next to the device
you are interested in.
Note This option is only available for routers.
c) In the WAN Interface column, from the Select Interface drop-down list, choose an interface.
d) In the Role column, from the Select Role drop-down list, choose a role according to the type of interface
you are configuring:
• Physical interface—Choose WAN. This role is the only valid role for a physical interface.
• Tunnel interface—Choose either DMVPN Branch or DMVPN Hub. If you choose DMVPN Hub,
you can also define the bandwidth to its corresponding branches.
Note Make sure that the tunnel interfaces have been created on the devices before deploying
these policy settings.
e) In the Service Provider Profile column, from the Select Profile drop-down list, choose an SP profile.
f) (Optional) If necessary, in the Sub-Line Rate (Mbps) column, enter the upstream bandwidth that the
interface requires.
g) (Optional) To configure additional WAN interfaces, click + and repeat Step c through Step f.
h) Click Save.
Step 12 (Optional) Customize applications by creating consumers and assigning them to applications, or by marking
an application as bidirectional:
a) Expand the application group.
b) Click the gear icon next to the application that you are interested in.
c) From the Traffic Direction field, click the Unidirectional or Bi-directional radio button.
d) To choose an existing consumer, click the Consumer field and choose the consumer that you want to
configure. To create a new consumer, click + Add Consumer and define the Consumer Name, IP/Subnet,
Protocol, and Port/Range.
e) Click OK.
Step 13 Configure host tracking. Click the Host Tracking toggle button to turn host tracking on or off.
When deploying an application policy, Cisco DNA Center automatically applies ACL entries to the switches
to which collaboration end points (such as Telepresence units or Cisco phones) are connected.
The access control entry (ACE) matches the voice and video traffic generated by the collaboration end point,
ensuring that the voice and video traffic is correctly marked.
When host tracking is turned on, Cisco DNA Center tracks the connectivity of the collaboration end points
within the site scope and automatically reconfigures the ACL entries when the collaboration end points
connect to the network or move from one interface to another.
When host tracking is turned off, Cisco DNA Center does not automatically deploy policies to the devices
when a collaboration end point moves or connects to a new interface. Instead, you need to redeploy the policy
for the ACLs to be configured correctly for the collaboration end points.
Step 14 (Optional) Preview the CLI commands that will be sent to devices. For more information, see Preview an
Application Policy, on page 207.
Step 15 (Optional) Precheck the devices on which you plan to deploy the policy. For more information, see Precheck
an Application Policy, on page 208.
Step 16 Do one of the following tasks:
• Save the policy as a draft by clicking Save Draft. For more information, see Policy Drafts, on page 190.
• Deploy the policy by clicking Deploy. You can deploy the policy now or schedule it for a later time.
To deploy the policy now, click the Now radio button and click Apply.
To schedule the policy deployment for a later date and time, click the Later radio button and define the
date and time of the deployment. For more information, see Policy Scheduling, on page 192.
Note Site time zone setting is not supported for scheduling application policy deployments.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Sort the policies by name, or filter them by name, status, or queuing profile.
Step 3 View the list of policies and the following information about each:
• Policy Name—Name of the policy.
• Version—Iteration of the policy. Each time a policy is deployed or saved as a draft, it is incremented
by one version. For example, when you create a policy and deploy it, the policy is at version 1. If you
change the policy and deploy it again, the version of the policy is incremented to version 2. For more
information, see Policy Drafts, on page 190 and Policy Versioning, on page 192.
• Policy Status—State of the policy.
• Deployment Status—State of the last deployment (per device). Presents a summary of the following:
• Devices that were successfully provisioned.
• Devices that failed to be provisioned.
• Devices that were not provisioned due to the deployment being aborted.
Clicking the state of the last deployment displays the Policy Deployment window, which provides a
filterable list of devices on which the policy is deployed. For each device, the following information is
displayed:
• Device details (name, site, type, role, and IP address)
• Success deployment status. Clicking the gear icon next to the status displays the details of the
effective marking policy that was deployed to the device. For devices that have limited TCAM
resources or an old NBAR protocol pack, only a subset of the applications that are included in the
policy can be provisioned, and they are shown in the view.
• Failure status shows the reason for the failure.
• Scope—Number of sites (not devices) that are assigned to the policy. For policies of wireless devices,
the name of the SSID to which the policy applies is included.
• LAN Queuing Profile—Name of the LAN queuing profile that is assigned to the policy.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Use the Filter field to locate the policy that you want to edit.
Step 3 Click the radio button next to the corresponding policy.
Step 4 From the Actions drop-down list, choose Edit.
Step 5 Make changes to the application policy, as needed. For information about the application policy settings, see
Create an Application Policy, on page 200.
Step 6 Do one of the following tasks:
• Save the policy as a draft by clicking Save Draft. For more information, see Policy Drafts, on page 190.
• Deploy the policy by clicking Deploy. You can deploy the policy now or schedule it for a later time.
To deploy the policy now, click the Run Now radio button and click Apply.
To schedule policy deployment for a later date and time, click the Schedule Later radio button and
define the date and time of the deployment. For more information, see Policy Scheduling, on page 192.
Note Site time zone setting is not supported for scheduling application policy deployments.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Create, edit, or clone a policy. For more information, see Create an Application Policy, Edit an
Application Policy, or Clone an Application Policy.
Step 3 Click Save Draft.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Use the Filter field to locate the policy that you want to deploy.
Step 3 Click the radio button next to the policy that you want to deploy.
Step 4 From the Actions drop-down list, choose Deploy.
You are prompted to deploy your policy now or to schedule it for a later time.
Procedure
During a policy deployment, click Abort to cancel the policy configuration process.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Use the Filter field to locate the policy that you want to delete.
Step 3 Click the radio button next to the policy that you want to delete.
Step 4 From the Actions drop-down list, choose Delete.
Step 5 To confirm the deletion, click Ok. Otherwise, click Cancel.
Step 6 When the deletion confirmation message appears, click Ok again.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Use the Filter field to locate the policy that you want to clone.
Step 3 Click the radio button next to the policy that you want to clone.
Step 4 From the Actions drop-down list, choose Clone.
Step 5 Configure the application policy, as needed. For information about the application policy settings, see Create
an Application Policy, on page 200.
Step 6 Do one of the following tasks:
• Save the policy as a draft by clicking Save Draft. For more information, see Policy Drafts, on page 190.
• Deploy the policy by clicking Deploy. You can deploy the policy now or schedule it for a later time.
To deploy the policy now, click the Run Now radio button and click Apply.
To schedule the policy deployment for a later date and time, click the Schedule Later radio button and
define the date and time of the deployment. For more information, see Policy Scheduling, on page 192.
Note Site time zone setting is not supported for scheduling application policy deployments.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Use the Filter field to locate the policy that you want to reset.
Step 3 Click the radio button next to the policy.
Step 4 From the Actions drop-down list, choose Restore.
Step 5 Click OK to confirm the change or Cancel to abort it.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Use the Filter field to locate the policy that you want to reset.
Step 3 Click the radio button next to the policy.
Step 4 From the Actions drop-down list, choose Edit.
Step 5 Click Reset to Cisco Validated Design.
Step 6 Click OK to confirm the change or Cancel to abort it.
Step 7 Do one of the following tasks:
• To save a draft of the policy, click Save Draft.
• To deploy the policy, click Deploy.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Create or edit a policy, as described in Create an Application Policy, on page 200 or Edit an Application Policy,
on page 204.
Step 3 Before deploying the policy, click Preview.
A list of the devices in the scope appears.
Step 4 Click Generate next to the device that you are interested in.
Step 5 Click View to view the CLIs or copy them to the clipboard.
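The CLI copied from the Preview window gives a baseline for detecting the out-of-band inconsistency that this guide warns about: compare it with the running configuration collected from the device and report QoS lines that are missing or unexpected. The following Python comparison is an added example, not Cisco DNA Center code; both configuration texts are constructed samples and do not reproduce the CLI that Cisco DNA Center generates.

```python
# Configuration sections treated as QoS policy when looking for unexpected lines.
QOS_HEADERS = ("class-map ", "policy-map ")

# Constructed sample: CLI as it might be copied from the Preview window.
INTENDED = """
class-map match-any DEMO-VOICE
 match protocol rtp
class-map match-any DEMO-BULK
 match protocol ftp
policy-map DEMO-MARKING
 class DEMO-VOICE
  set dscp ef
 class DEMO-BULK
  set dscp af11
interface GigabitEthernet1/0/1
 service-policy input DEMO-MARKING
"""

# Constructed sample: running configuration after an out-of-band edit.
RUNNING = """
hostname demo-switch
!
class-map match-any DEMO-VOICE
 match protocol rtp
class-map match-any DEMO-BULK
 match protocol ftp
 match protocol http
policy-map DEMO-MARKING
 class DEMO-VOICE
  set dscp ef
 class DEMO-BULK
  set dscp ef
interface GigabitEthernet1/0/1
 description uplink
 service-policy input DEMO-MARKING
interface GigabitEthernet1/0/2
 description printer
"""


def parse_config(text):
    """Turn indented CLI into a set of paths, e.g. (policy-map, class, set)."""
    paths, stack = set(), []
    for raw in text.splitlines():
        line = " ".join(raw.split())          # normalise inner whitespace
        if not line or line.startswith("!"):  # skip blanks and separators
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        while stack and stack[-1][0] >= indent:
            stack.pop()                       # leave finished sub-sections
        stack.append((indent, line))
        paths.add(tuple(entry[1] for entry in stack))
    return paths


def in_qos_scope(path):
    """True for class-map/policy-map content and service-policy attachments."""
    return path[0].startswith(QOS_HEADERS) or path[-1].startswith("service-policy ")


def find_drift(intended_text, running_text):
    """Compare the previewed CLI with the device's running configuration."""
    intended = parse_config(intended_text)
    running = parse_config(running_text)
    return {
        # Lines the policy should have configured but the device lacks.
        "missing": sorted(intended - running),
        # QoS lines on the device that the policy never asked for.
        "unexpected": sorted(p for p in running - intended if in_qos_scope(p)),
    }


if __name__ == "__main__":
    for kind, paths in find_drift(INTENDED, RUNNING).items():
        for path in paths:
            print(f"{kind}: {' > '.join(path)}")
```

Any reported line means the device no longer matches the policy; as the guide states, the two remain inconsistent until the policy is deployed from Cisco DNA Center again.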
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Create or edit a policy, as described in Create an Application Policy, on page 200 or Edit an Application Policy,
on page 204.
Step 3 Before deploying the policy, click Preview.
A list of the devices within the scope appears.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Click the radio button next to the policy that interests you.
Step 3 From the Actions drop-down list, choose History.
Step 4 From the Policy History dialog box, you can do the following:
• To compare a version with the current version, click Difference next to the version that interests you.
• To roll back to a previous version of the policy, click Rollback next to the version that you want to roll
back to.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Click the radio button next to the policy that interests you.
Step 3 From the Actions drop-down list, choose Show History.
Previous versions of the selected policy are listed in descending order, with the newest version (highest
number) at the top of the list and the oldest version (lowest number) at the bottom.
Step 4 (Optional) To view the differences between the selected version and the latest version of a policy, click
Difference in the View column.
Step 5 When you determine the policy version that you want to roll back to, click Rollback for that policy version.
Note If the selected site scope changed between policy versions, rollback is not done on the current (latest)
selected site. Only the policy content is rolled back.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Queuing Profile.
Step 2 Click Add Profile.
Step 3 In the Profile Name field, enter a name for the profile.
Step 4 Configure the bandwidth for each traffic class by using the slider, clicking the plus (+) or minus (-) sign, or
entering a specific number in the field.
The number indicates the percentage of the total interface bandwidth that will be dedicated to the selected
application class. Because the total bandwidth equals 100, adding bandwidth to one application class subtracts
bandwidth from another application class.
An open lock icon indicates that you can edit the bandwidth for the application class. A closed lock indicates
that you cannot edit it.
If you make a mistake, you can return to the CVD settings by clicking Reset to Cisco Validated Design.
The graph in the middle helps you visualize the amount of bandwidth that you are setting for each application
class.
Step 5 (For advanced users) To customize the DSCP code points that Cisco DNA Center uses for each of the traffic
classes, from the Show drop-down list, choose DSCP Values and configure the value for each application
class by entering a specific number in the field.
To customize the DSCP code points required within an SP cloud, configure an SP profile.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Queuing Profile.
Step 2 From the Queuing Profile pane, click the radio button next to the queuing profile that you want to edit or
delete.
Step 3 Do one of the following tasks:
• To edit the profile, change the field values, except the profile name, and click Save. For information
about the fields, see Create a Queuing Profile, on page 209.
• To delete the profile, click Delete.
Note You cannot delete a queuing profile if it is referenced in an application policy.
Note After creating your custom SP profile, configure the WAN interfaces with the SP profile. For information,
see Configure Service Provider Profiles on WAN Interfaces.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Use the Filter field to locate the policy that you want to change.
Step 3 Select the radio button next to the policy.
Step 4 From the Actions drop-down list, choose Edit.
Step 5 Click SP Profiles and select an SP profile.
Step 6 You can modify the information in the following fields:
• DSCP—Differentiated Services Code Point (DSCP) value. Valid values are from 0 to 63.
• Expedited Forwarding (EF)
• Class Selector (CS)—CS1, CS2, CS3, CS4, CS5, CS6
• Assured Forwarding—AF11, AF21, AF41
• Default Forwarding (DF)
For more information about these DSCP values, see Marking, Queuing, and Dropping Treatments, on
page 182.
• SP Bandwidth %—Percentage of bandwidth allocated to a specific class of service.
• Queuing Bandwidth %—Percentage of bandwidth allocated to each of the traffic classes. You can
make one of the following changes:
• To customize the queuing bandwidth, unlock the bandwidth settings by clicking the lock icon and
adjust the bandwidth percentages.
• To calculate the queuing bandwidth automatically from the SP bandwidth, lock the queuing bandwidth
settings by clicking the lock icon and then clicking OK to confirm. By default, Cisco DNA Center
automatically distributes the queuing bandwidth percentage such that the sum of the queuing
bandwidth for all of the traffic classes in an SP class aligns with the SP bandwidth percentage of
that class.
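When the queuing bandwidth is unlocked and edited by hand, the alignment described above can be checked offline: sum the queuing percentages of the traffic classes in each SP class and compare the sum with that class's SP bandwidth. The following Python check is an added example, not Cisco DNA Center code; the SP class names, the bandwidth values and the traffic-class membership are constructed, and the `rebalance` function uses proportional scaling with largest-remainder rounding as one possible way to restore alignment, not the method Cisco DNA Center uses.

```python
# Constructed SP profile: class names, SP bandwidth percentages and traffic-class
# membership are sample values for this example, not taken from the guide.
SP_PROFILE = {
    "voice": {"sp_bandwidth": 10, "traffic_classes": ["VOIP_TELEPHONY"]},
    "video": {"sp_bandwidth": 44, "traffic_classes": [
        "MULTIMEDIA_CONFERENCING", "MULTIMEDIA_STREAMING",
        "BROADCAST_VIDEO", "REAL_TIME_INTERACTIVE"]},
    "critical-data": {"sp_bandwidth": 25, "traffic_classes": [
        "NETWORK_CONTROL", "SIGNALING", "OPS_ADMIN_MGMT", "TRANSACTIONAL_DATA"]},
    "default": {"sp_bandwidth": 21, "traffic_classes": ["BULK_DATA"]},
}

# Constructed queuing bandwidth percentages, as if edited with the lock open.
CUSTOM_QUEUING = {
    "VOIP_TELEPHONY": 10,
    "MULTIMEDIA_CONFERENCING": 15, "MULTIMEDIA_STREAMING": 10,
    "BROADCAST_VIDEO": 10, "REAL_TIME_INTERACTIVE": 15,
    "NETWORK_CONTROL": 3, "SIGNALING": 2, "OPS_ADMIN_MGMT": 4,
    "TRANSACTIONAL_DATA": 10,
    "BULK_DATA": 21,
}


def misaligned_classes(sp_profile, queuing):
    """Return {sp_class: (queuing_sum, sp_bandwidth)} where the two differ."""
    result = {}
    for name, spec in sp_profile.items():
        queuing_sum = sum(queuing[tc] for tc in spec["traffic_classes"])
        if queuing_sum != spec["sp_bandwidth"]:
            result[name] = (queuing_sum, spec["sp_bandwidth"])
    return result


def rebalance(sp_profile, queuing):
    """Scale each SP class's queuing shares so they sum to its SP bandwidth.

    Shares keep their current proportions; whole percentage points left over
    after rounding down go to the largest remainders (ties broken by name).
    """
    result = {}
    for spec in sp_profile.values():
        members, target = spec["traffic_classes"], spec["sp_bandwidth"]
        weights = [queuing[tc] for tc in members]
        total = sum(weights)
        if total == 0:  # nothing to scale: split the class evenly
            weights, total = [1] * len(members), len(members)
        shares = [divmod(target * weight, total) for weight in weights]
        leftover = target - sum(whole for whole, _ in shares)
        order = sorted(range(len(members)),
                       key=lambda i: (-shares[i][1], members[i]))
        bumped = set(order[:leftover])
        for i, traffic_class in enumerate(members):
            result[traffic_class] = shares[i][0] + (1 if i in bumped else 0)
    return result


if __name__ == "__main__":
    print("total queuing bandwidth:", sum(CUSTOM_QUEUING.values()))
    print("misaligned SP classes:", misaligned_classes(SP_PROFILE, CUSTOM_QUEUING))
    print("rebalanced:", rebalance(SP_PROFILE, CUSTOM_QUEUING))
```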
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Application > Application Policies.
Step 2 Use the Filter field to locate the policy that you want to edit.
Step 3 Click the radio button next to the policy.
Step 4 From the Actions drop-down list, choose Edit.
Step 5 From the Site Scope pane, click the gear icon next to the site you are interested in.
Step 6 Click Configure in the SP Profile Settings column for the device you are interested in.
Step 7 In the WAN Interface column, from the Select Interface drop-down list, choose an interface.
Step 8 In the Role column, from the Select Role drop-down list, choose a role according to the type of interface you
are configuring:
• Physical interface—Choose WAN. This role is the only valid role for a physical interface.
• Tunnel interface—Choose either DMVPN Branch or DMVPN Hub. If you choose DMVPN Hub,
you can also define the bandwidth to its corresponding branches.
Note Make sure that the tunnel interfaces have been created on the devices before deploying these
policy settings.
Step 9 In the Service Provider Profile column, click the Select Profile drop-down field and choose an SP profile.
Step 10 If necessary, in the Sub-Line Rate (Mbps) column, enter the upstream bandwidth that the interface requires.
Step 11 To configure additional WAN interfaces, click + and repeat Step 7 through Step 10.
Step 12 Click Save.
Step 13 Click < Back to Site Scope.
Step 14 Click OK.
Step 15 Click Deploy.
You are prompted to deploy your policy now or to schedule it for a later time.
To configure ERSPAN using Cisco DNA Center, create a traffic copy policy that defines the source and
destination of the traffic flow that you want to copy. You can also define a traffic copy contract that specifies
the device and interface where the copy of the traffic is sent.
Note Because traffic copy policies can contain either scalable groups or IP network groups, throughout this guide,
we use the term groups to refer to both scalable groups and IP network groups, unless specified otherwise.
Note At the destination, we recommend that you use a network analyzer, such as a
Switch Probe device, or other Remote Monitoring (RMON) probe, to perform
traffic analysis.
The interface must be an Ethernet, Fast Ethernet, Gigabit Ethernet, or 10-Gigabit Ethernet interface.
When configured as a destination, the interface can receive only the copied traffic. The
interface can no longer receive any other type of traffic, and it cannot forward any traffic except that
required by the traffic copy feature. You can configure trunk interfaces as destinations. This
configuration allows the interfaces to transmit encapsulated traffic.
Note There can be only one traffic copy destination per traffic copy contract.
• Cisco DNA Center does not show a status message to indicate that a traffic copy policy has been changed
and is no longer consistent with the one that is deployed in the network. However, if you know that a
traffic copy policy has changed since it was deployed, you can redeploy the policy.
• You cannot configure a management interface as a source group or traffic copy destination.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Traffic Copy > Traffic Copy Destination.
Step 2 Enter a name and description for the traffic copy destination.
Step 3 Select the device and one or more ports.
Step 4 Click Save.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Traffic Copy > Traffic Copy Destination.
Step 2 Check the check box next to the destination that you want to edit or delete.
Step 3 Do one of the following:
• To make changes, click Edit, make the necessary changes, and click Save.
• To delete the destination, click Delete.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Traffic Copy > Traffic Copy Contracts.
Step 2 Click Add.
Step 3 In the dialog box, enter a name and description for the contract.
Step 4 From the Copy Destination drop-down list, choose a copy destination.
Note You can have only one destination per traffic copy contract.
If no copy destinations are available for you to choose, you can create one. For more information, see Create
a Traffic Copy Destination, on page 214.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Traffic Copy > Traffic Copy Contracts.
Step 2 Check the check box next to the contract that you want to edit or delete.
Step 3 Do one of the following:
• To make changes, click Edit, make the necessary changes, and click Save.
• To delete the contract, click Delete.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Traffic Copy > Traffic Copy Policies.
Step 2 Click Add Policy.
Step 3 In the Policy Name field, enter a name.
Step 4 In the Description field, enter a word or a phrase that identifies the policy.
Step 5 In the Contract field, click Add Contract.
Step 6 Click the radio button next to the contract that you want to use and then click Save.
Step 7 Drag and drop groups from the Available Groups area to the Source area.
Step 8 Drag and drop groups from the Available Groups area to the Destination area.
Step 9 Click Save.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Traffic Copy > Traffic Copy Policies.
Step 2 Check the check box next to the policy that you want to edit or delete.
Step 3 Do one of the following:
• To make changes, click Edit, make the necessary changes, and click Save.
• To delete the policy, click Delete.
Virtual Networks
Virtual networks are isolated routing and switching environments. You can use virtual networks to segment
your physical network into multiple logical networks.
Only the assigned user groups are allowed to enter a virtual network. Within a virtual network, users and
devices can communicate with each other unless explicitly blocked by an access policy. Users across different
virtual networks cannot communicate with each other. However, an exception policy can be created to allow
some users to communicate across different virtual networks.
A typical use case is building management, where the user community needs to be segmented from building
systems, such as lighting; heating, ventilation, and air conditioning (HVAC) systems; and security systems.
In this case, you segment the user community and the building systems into two or more virtual networks to
block unauthorized access of the building systems.
A virtual network may span across multiple site locations and across network domains (wireless, campus,
and WAN).
By default, Cisco DNA Center has a single virtual network, and all users and endpoints belong to this virtual
network. If Cisco DNA Center is integrated with Cisco Identity Services Engine (ISE), the default virtual
network is populated with user groups and endpoints from Cisco ISE.
In Cisco DNA Center, the concept of virtual network is common across wireless, campus, and WAN networks.
When a virtual network is created, it can be associated with sites that have any combination of wireless, wired,
or WAN deployments. For example, if a site has a campus fabric deployed, which includes wireless and wired
devices, the virtual network creation process triggers the creation of the Service Set Identifier (SSID) and
Virtual Routing and Forwarding (VRF) in the campus fabric. If the site also has WAN fabric deployed, the
VRF extends from the campus to WAN as well.
During site design and initial configuration, you can add wireless devices, wired switches, and WAN routers
to the site. Cisco DNA Center detects that the virtual network and the associated policies have been created
for the site, and applies them to the different devices.
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Virtual Network.
Step 2 Click and enter the following information:
• Guest Virtual Network: Devices that are configured with special rules, which allow guests limited
access. Check this check box to configure the virtual network as a guest network. You can create
only one guest virtual network.
• Available Groups: Scalable groups that you can choose to include in the virtual network. Drag
and drop groups from the Available Groups area to the Groups in the Virtual Network area.
• Groups in the Virtual Network: Scalable groups that are in the virtual network. Drag and drop
groups from the Available Groups area to the Groups in the Virtual Network area.
Related Topics
Edit or Delete a Virtual Network, on page 218
Guidelines and Limitations for Virtual Networks, on page 217
Virtual Networks, on page 216
Procedure
Step 1 From the Cisco DNA Center home page, choose Policy > Virtual Network.
Step 2 Do one of the following tasks:
• To edit the virtual network, click the name of the virtual network from the left navigation pane and modify
the information in the following table, except the virtual network name:
• Guest Virtual Network: Devices that are configured with special rules, which allow guests limited
access. Check this check box to configure the virtual network as a guest network. You can create
only one guest virtual network.
• Available Groups: Scalable groups that you can choose to include in the virtual network. Drag
and drop groups from the Available Groups area to the Groups in the Virtual Network area.
• Groups in the Virtual Network: Scalable groups that are in the virtual network. Drag and drop
groups from the Available Groups area to the Groups in the Virtual Network area.
Provisioning
After you have configured the policies for your network in Cisco DNA Center, you can provision your devices.
In this stage, you deploy the policies across your devices.
There are three aspects to provisioning devices:
• Assign devices to the inventory and deploy the required settings and policies.
• Add devices to sites.
• Create fabric domains and add devices to the fabric.
Step 1 From the Cisco DNA Center home page, click Provision. The Inventory page displays device information
gathered during the discovery process.
Step 2 Check the check boxes next to the devices that you want to associate to a site.
Tag Devices
A device tag allows you to group devices based on an attribute or a rule. A single device can have multiple
tags; similarly, a single tag can be applied to multiple devices.
You can add tags to or remove tags from devices in the Provision window.
Procedure
Step 1 From the Cisco DNA Center home page, click Provision. The Device Inventory page displays device
information gathered during the discovery process.
Step 2 Check the check box next to the device(s) for which you want to apply a tag, then click Tag Device.
Step 3 Enter a tag name in the Tag Name field.
• If you are creating a new tag, click Create New Tag. You can also create a new tag with a rule. See Tag
Devices Using Rules, on page 220 for more information.
• If you are using an existing tag, select the tag from the list, then click Apply.
A tag icon and the tag name(s) appear under the device name(s) for which you applied the tag(s).
Procedure
Step 1 From the Cisco DNA Center home page, click Provision. The Device Inventory page displays device
information gathered during the discovery process.
Step 2 Check the check box next to the device(s) for which you want to apply a tag, then click Tag Device.
Step 3 Enter a tag name in the Tag Name field, then click Create New Tag with Rule.
The Create New Tag window appears.
The Manually Added field under Total Devices Tagged Count indicates the number of devices you selected
in Step 2.
Step 4 Click Add Condition, then complete the required fields for the rule.
The Matching Devices number automatically changes to indicate how many devices match this condition.
You have two options for creating additional conditions:
• And conditions—Click the Add Condition link. And appears above the condition.
• Or conditions—Click the add icon (+) next to an existing condition. Or appears next to the condition.
You can add as many conditions as needed. As you make changes to the rule, the Matching Devices count
changes to reflect how many devices in the inventory match the rule you specified. You can click on the device
number to view the devices that match the rule.
Step 5 Click Save to save your tag with the defined rule.
A tag icon and the tag name(s) appear under the device name(s) for which you applied the tag(s).
As devices are added to the inventory, if they match the rules you defined, the tag is automatically applied to
the devices.
Procedure
Step 1 From the Cisco DNA Center home page, click Provision. The Device Inventory page displays device
information gathered during the discovery process.
In the Device Name column, you can see any previously created device tags listed under the device names.
Step 3 Hover your cursor over the tag you want to edit, then click the pencil icon next to the tag name.
Alternatively, you can select Tag Device > View All Tags, then click the pencil icon next to the tag you want
to edit.
Step 4 Make changes to the tag, then click Save to save your changes.
Provisioning Devices
Provision a Cisco Wireless Controller
Before you begin
• Make sure that you have defined the following global network settings before provisioning a Cisco
Wireless Controller:
• Network servers, such as AAA, DHCP, and DNS. For more information, see Configure Global
Network Servers, on page 143.
• Device credentials, such as CLI, SNMP, HTTP, and HTTPS. For more information, see Configure
Global CLI Credentials, on page 134, Configure Global SNMPv2c Credentials, on page 136, Configure
Global SNMPv3 Credentials, on page 137, and Configure Global HTTPS Credentials, on page 138.
• IP address pools. For more information, see Configure IP Address Pools, on page 142.
• Wireless settings, such as SSIDs, wireless interfaces, and wireless radio frequency profiles. For
more information, see Configure Global Wireless Settings, on page 119.
• Make sure that you have a wireless controller in your inventory. If not, discover the device using the
Discovery feature. For more information, see Discover Your Network, on page 11.
• Make sure that the wireless controller is added to a site. For more information, see Add Devices to Sites,
on page 219.
Procedure
Step 1 From the Cisco DNA Center home page, choose Provision > Devices.
The Device Inventory window appears.
Step 3 Check the check box next to the controller device name that you want to provision.
Step 4 From the Action drop-down list, choose Provision.
Step 5 In the Assign Site window, assign a site for the controller.
Step 6 In the Find Site field, enter the name of the site to which you want to associate the controller. To assign
multiple controllers to the same site, check the All Same Site check box.
Step 7 Click Next.
The Configuration window appears.
Step 8 Choose a role for the wireless controller: Active Main WLC or Guest Anchor.
Step 9 In the Managed AP Locations field, enter the AP locations managed by the controller. Here you have the
option to change, remove, or reassign the site.
Inheritance of managed AP locations lets you automatically choose a site along with the buildings and floors
under that particular site. One site can be managed by only one wireless controller.
Step 10 If you have selected the WLC Role as Active Main WLC, under Interface and VLAN Configuration, click
+ Add and configure the interface and the VLAN.
The Configure Interface and VLAN window appears.
Step 11 From the Interface Name drop-down list, choose the interface name.
Step 12 In the VLAN ID text box, enter a value for the VLAN ID.
Step 13 In the Interface IP Address text box, enter the interface IP address.
Step 14 In the Interface Net Mask (in bits) text box, enter the interface net mask details.
Step 15 In the Gateway IP Address text box, enter the gateway IP address.
Step 16 In the LAG/Port Number field, enter the LAG or the port number.
Step 17 Click OK.
Step 18 For a guest anchor wireless controller, you can change the VLAN ID configuration by changing the VLAN
ID under Assign Guest SSIDs to DMZ site.
Step 19 Click Next.
Step 20 The Summary window displays the following information:
• System Details
• Global Setting
• SSID
• Managed Sites
• Interfaces
• Configure the DHCP server with Option #43 or Option #60. These are the IP addresses of the Cisco
DNA Center Plug and Play (PnP) server. This helps the AP to contact the Plug and Play server to download
configurations. For more information, see About Global Network Settings, on page 131.
• The APs should be in the factory reset state without any wireless controller configurations.
Procedure
Step 1 The AP that is connected to a switch contacts the DHCP server and then connects to a Plug and Play server.
Step 2 The DHCP server allocates an IP address with Option #43, which is the IP address of the Cisco DNA Center
Plug and Play server.
Step 3 The AP starts the Plug and Play agent and contacts the Plug and Play server.
Step 4 From the Provision > Unclaimed Devices tab, find the AP.
The Device Status shows as Unclaimed.
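Because the AP trusts whatever Plug and Play server address Option #43 hands it, the DHCP scopes are worth checking before onboarding. The following is an added example, not part of the Cisco guide: it parses the ASCII form of the PnP Option 43 string and reports scopes that do not point at the intended server. The sub-option meanings (5A1N/5A1D header, B, I, J, K) follow Cisco's Network PnP DHCP documentation rather than this page, and the scope names and addresses are constructed samples.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ADDR_TYPES = {"1": "hostname", "2": "ipv4"}   # B sub-option: address type
TRANSPORTS = {"4": "http", "5": "https"}      # K sub-option: transport
DEFAULT_PORTS = {"http": 80, "https": 443}    # used when J is absent


@dataclass
class PnpOption43:
    debug: bool
    addr_type: str
    server: str
    transport: str
    port: int


def parse_pnp_option43(value: str) -> PnpOption43:
    """Parse the ASCII form of a PnP Option 43 string, e.g. 5A1N;B2;K4;I<addr>;J<port>."""
    parts = [p.strip() for p in value.strip().strip('"').split(";") if p.strip()]
    if not parts or parts[0] not in ("5A1N", "5A1D"):
        raise ValueError("header must be 5A1N or 5A1D")
    fields = {}
    for part in parts[1:]:
        key, val = part[0].upper(), part[1:]
        if key in fields:
            raise ValueError(f"sub-option {key} given twice")
        fields[key] = val
    if not fields.get("I"):
        raise ValueError("sub-option I (server address) is missing")
    addr_type = ADDR_TYPES.get(fields.get("B", "2"))
    transport = TRANSPORTS.get(fields.get("K", "4"))
    if addr_type is None or transport is None:
        raise ValueError("unsupported B or K value")
    if addr_type == "ipv4":
        ipaddress.IPv4Address(fields["I"])  # raises ValueError if malformed
    port = int(fields.get("J", DEFAULT_PORTS[transport]))
    if not 1 <= port <= 65535:
        raise ValueError("port out of range")
    return PnpOption43(parts[0] == "5A1D", addr_type, fields["I"], transport, port)


def audit_scopes(scopes: dict, expected_server: str, require_https: bool = False) -> dict:
    """Return {scope name: [findings]} for every scope that needs attention."""
    report = {}
    for name, raw in scopes.items():
        try:
            opt = parse_pnp_option43(raw)
        except ValueError as exc:
            report[name] = [f"malformed Option 43: {exc}"]
            continue
        findings = []
        if opt.server != expected_server:
            findings.append(f"points at {opt.server}, expected {expected_server}")
        if require_https and opt.transport != "https":
            findings.append("transport is HTTP, HTTPS required")
        if opt.port != DEFAULT_PORTS[opt.transport]:
            findings.append(f"non-default port {opt.port} for {opt.transport}")
        if opt.debug:
            findings.append("PnP debug flag (5A1D) left enabled")
        if findings:
            report[name] = findings
    return report


# Constructed sample: Option 43 values as exported from three DHCP scopes.
SAMPLE_SCOPES = {
    "floor1-aps": "5A1N;B2;K4;I192.0.2.10;J80",
    "floor2-aps": "5A1D;B2;K4;I198.51.100.7;J80",
    "lab-aps": "5A1N;B2;K4;J80",
}

if __name__ == "__main__":
    for scope, findings in audit_scopes(SAMPLE_SCOPES, "192.0.2.10").items():
        print(scope, "->", "; ".join(findings))
```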
Procedure
Step 1 From the Cisco DNA Center home page, choose Provision > Devices.
Step 3 Check the check box next to the AP device name that you want to provision.
Step 4 From the Action drop-down list, choose Provision.
The Assign Site window appears.
Step 8 By default, the customer RF profile that you marked as default under Network Settings > Wireless > Wireless
Radio Frequency Profile is chosen in the RF Profile drop-down list. You can change the default RF Profile
value for an AP by selecting a value from the RF Profile drop-down list. The options are High, Typical, and
Low. The AP group is created based on the RF profile selected.
Step 9 Click Deploy to provision the AP.
You are prompted with a message stating that creation or modification of an AP group is in progress.
Note After completion, the devices are rebooted.
Procedure
Step 1 From the Cisco DNA Center home page, choose Provision > Devices.
The Device Inventory window appears.
Step 3 Click Filter and enter the appropriate values in the selected filter field. For example, for the Device Name
filter, enter the name of the device.
The data that is displayed in the Devices table is automatically updated according to your filter selection.
Step 4 Check the check box adjacent to the controller device name that you want to provision.
Step 5 From the Action drop-down list, choose Learn Device Config.
The Assign Site window appears.
Step 12 For an SSID with a preshared key (PSK), enter the passphrase key.
Step 13 Click Discarded Config in the left pane.
The right pane lists the conflicting or the existing configurations on Cisco DNA Center. The discarded
configuration entries are categorized as:
• Duplicate design entity
• Unknown device configuration for Radio Policy
Step 16 Choose Design > Network Profiles to assign a site to the network profile.
Step 17 In the Network Profiles window, click Assign Site to add sites to the selected profile.
Step 18 In the Add Sites to Profile window, choose a site from the drop-down list, and click Save.
Step 19 Click the Provision tab.
Step 20 Click Filter and enter the appropriate values in the selected filter field.
The data that is displayed in the Devices table is automatically updated according to your filter selection.
Step 21 Check the check box adjacent to the controller device name that you want to provision.
Step 22 From the Action drop-down list, choose Provision.
Step 23 Review the details in the Assign Site window, and click Next.
The Configurations window appears.
Step 24 Under Interface and VLAN Configuration, click +Add to configure interface and VLAN details.
Step 25 In the Configure Interface and VLAN window, configure the required fields, and click OK.
Step 26 Click Next.
Step 27 The Summary window displays the following information:
• Device Details
• Network Settings
• SSID
• Managed Sites
• Interfaces
Procedure
Step 1 Design a network hierarchy, with sites, buildings, floors, and so on. For more information, see Create a Site
in a Network Hierarchy, on page 98, Add Buildings, on page 101, and Add a Floor to a Building, on page 102.
Step 2 Configure network servers, such as AAA, DHCP, and DNS servers. For more information, see Configure
Global Network Servers, on page 143 and Add Cisco ISE or Other AAA Servers, on page 144.
Step 3 Create SSIDs for a guest wireless network with external web authentication and central web authentication
with Cisco ISE. For more information, see Create SSIDs for a Guest Wireless Network, on page 121.
Step 4 Discover the wireless controller using the Cisco Discovery Protocol (CDP) or an IP address range and ensure
that the devices are in the Inventory window and in the Managed state. For more information, see About
Discovery, on page 11.
Step 5 Provision a foreign wireless controller as the active main wireless controller. See Provision a Cisco Wireless
Controller, on page 222.
Step 6 Choose the role for the wireless controller as guest anchor and provision the guest anchor controllers. For
more information, see Provision a Cisco Wireless Controller, on page 222.
Step 7 Configure device credentials, such as CLI, SNMP, HTTP, and HTTPS. See Configure Global CLI Credentials,
on page 134, Configure Global SNMPv2c Credentials, on page 136, Configure Global SNMPv3 Credentials,
on page 137, and Configure Global HTTPS Credentials, on page 138.
Procedure
Step 1 From the Cisco DNA Center home page, choose Provision > Devices.
The Device Inventory window appears.
Step 3 Check the check box next to the sensor device that you want to provision.
Three tabs appear above the list of unclaimed devices.
Step 5 From the Choose a floor drop-down list, choose the floor where the sensor device is located.
Step 6 From the Sensor Select SSID Profile drop-down list, choose the profile name to associate to the sensor device.
Step 7 Click Assign.
Provisioning starts, and the sensor device appears in the device inventory.
If the provisioning succeeds, the Provision Status column in the Device Inventory window shows Success.
• Make sure that you have at least one device in your inventory. If not, discover devices using the Discovery
function.
Procedure
Step 1 Reserve an IP address pool for the site that you will be provisioning.
Note The size of the LAN automation IP address pool must be at least 25 bits of netmask in size or larger.
a) From the Cisco DNA Center home page, choose Design > Network Settings > IP Address Pools.
b) From the Network Hierarchy pane, select a site.
c) Click Reserve IP Pool and complete the following fields to reserve all or part of an available global IP
address pool for the specific site:
• IP Pool Name—Unique name for the reserved IP address pool.
• Type—Type of IP address pool. For LAN automation, choose LAN.
• Global IP Pool—IP address pool from which you want to reserve all or part of the IP addresses.
• CIDR Notation/No. of IP Addresses—IP subnet and mask address used to reserve all or part of the
global IP address pool or the number of IP addresses you want to reserve.
• Gateway IP Address—Gateway IP address.
• DHCP Servers—DHCP server(s) IP address(es).
d) Click Reserve.
Step 2 Discover and provision devices.
a) From the Cisco DNA Center home page, choose Provision > Devices > Inventory.
All the discovered devices are displayed.
b) Click the Topology View icon.
c) Right-click one of the discovered devices and choose Discover and Provision New Devices.
d) From the LAN Automation dialog box, complete the following fields:
• Site—Site ID and associated settings that Cisco DNA Center uses for LAN automation.
You can make different site selections for seed and discovered devices. LAN automation provides
flexibility in site selection for seeds and discovered devices, which can belong to different sites.
• Primary Device—IP address of the device that Cisco DNA Center uses as the starting point to
discover and provision new devices.
• Peer Device—IP address of the peer device.
• Choose Primary Device Ports—Ports to be used to discover and provision new devices.
• IP Pool—IP address pool that was reserved for LAN automation. (See Step 1.)
• ISIS Password—A user-provided IS-IS password for when LAN automation starts. If the password
already exists on the seed device, it is reused and is not overwritten. If no user-provided password
is entered and there is no existing IS-IS password on the device, the static IS-IS password 'cisco' is
configured.
• Enable Multicast—LAN automation creates a multicast tree from seed devices as RPs and discovered
devices as subscribers.
• Device Name Prefix—Text that describes the devices being provisioned. As Cisco DNA Center
provisions each device, it names the device with the text that you provide and adds a unique number
to the end. For example, if you enter Access as the name prefix, as each device is provisioned, it is
named Access-1, Access-2, Access-3, and so on.
• Hostname Map File—Configures user-provided names for discovery devices using a CSV file that
contains a mapping between serial numbers and hostnames. If the discovery device is a stack, all
serial numbers of the stack are provided in the CSV file.
e) Click Start.
Cisco DNA Center begins to discover and provision the new devices.
b) After all devices have been discovered, added to Inventory, and are in Managed state, click Stop in the
LAN Automation Status dialog box.
The LAN automation process is complete, and the new devices are added to the Device Inventory.
What to do next
To review the LAN automation configurations, from the Cisco DNA Center home page, choose Network
Plug and Play > Configurations.
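When reviewing those configurations, one item to look for is the IS-IS password fallback described under ISIS Password in Step 2. The following is an added example, not Cisco's code: it scans saved device configurations for IS-IS password statements and lists devices still using the static value. It assumes the password appears through the standard IOS commands domain-password, area-password, or isis password (which of these LAN automation writes is not stated on this page), and the configurations shown are constructed samples.

```python
import re

# Static value the guide says is configured when no IS-IS password is supplied.
DEFAULT_ISIS_PASSWORD = "cisco"

# Password-bearing IS-IS commands, keyed by the kind of section they appear in.
PASSWORD_COMMANDS = {
    "router": re.compile(r"^(domain-password|area-password)\s+(\S+)"),
    "interface": re.compile(r"^(isis password)\s+(\S+)"),
}


def iter_sections(config):
    """Yield (header, [child lines]) for each top-level block of an IOS-style config."""
    header, body = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.strip() == "!":
            continue
        if not raw[0].isspace():          # unindented line starts a new block
            if header is not None:
                yield header, body
            header, body = raw.strip(), []
        elif header is not None:          # indented line belongs to the current block
            body.append(raw.strip())
    if header is not None:
        yield header, body


def audit_isis_passwords(hostname, config):
    """Return one finding per IS-IS password statement found in the configuration."""
    findings = []
    for header, body in iter_sections(config):
        if header.startswith("router isis"):
            pattern = PASSWORD_COMMANDS["router"]
        elif header.startswith("interface "):
            pattern = PASSWORD_COMMANDS["interface"]
        else:
            continue
        for line in body:
            match = pattern.match(line)
            if match:
                findings.append({
                    "device": hostname,
                    "section": header,
                    "command": match.group(1),
                    "is_default": match.group(2) == DEFAULT_ISIS_PASSWORD,
                })
    return findings


def devices_with_default(configs):
    """Return the sorted hostnames whose configuration uses the static password."""
    return sorted(
        host for host, cfg in configs.items()
        if any(f["is_default"] for f in audit_isis_passwords(host, cfg))
    )


# Constructed sample configurations (not captured from real devices).
SAMPLE_CONFIGS = {
    "Access-1": """\
hostname Access-1
!
interface GigabitEthernet1/0/1
 ip router isis
!
router isis
 net 49.0000.0100.0400.1001.00
 domain-password cisco
 metric-style wide
!
""",
    "Access-2": """\
hostname Access-2
!
interface GigabitEthernet1/0/1
 ip router isis
 isis password Constructed-Sample-1
!
router isis
 net 49.0000.0100.0400.1002.00
 domain-password Constructed-Sample-2
!
""",
}

if __name__ == "__main__":
    print("Devices using the static IS-IS password:", devices_with_default(SAMPLE_CONFIGS))
```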
Cisco DNA Center configures the DHCP server on the primary device. Because Cisco DNA Center understands
that the discovered device is connected to both the primary and peer devices, it configures two Layer 3
point-to-point connections when the LAN automation task is stopped. One connection is established between
the discovered device and the primary device; the other connection is established between the discovered
device and the peer device.
Note If the link between the primary and the peer device is not configured before the LAN automation job is
executed, you must select the interface of the primary device that connects to the peer device as part of the
LAN automation configuration in Cisco DNA Center.
For the preceding topology, Cisco DNA Center configures the following links:
• A point-to-point Layer 3 routed connection from Discovered device 1 to Primary device
• A point-to-point Layer 3 routed connection from Discovered device 1 to Peer device
• A point-to-point Layer 3 routed connection from Discovered device 1 to Discovered device 2
Consider the scenario where a device—named Discovered device 3—is directly connected below Discovered
device 2. The connection between Discovered device 2 and Discovered device 3 is not configured as part of
the LAN automation job, because it is more than two hops away from Primary device.
Procedure
Step 1 From the Cisco DNA Center home page, choose Provision > Devices.
Step 2 Click the Inventory tab.
All discovered devices are displayed.
Step 3 Click LAN Auto Status.
Procedure
Step 1 From the Cisco DNA Center home page, choose Provision > Devices.
The Device Inventory window appears.
Step 2 Click the Inventory tab, which lists all discovered and provisioned devices.
Step 3 Check the check box next to the device that you want to delete.
Note APs are deleted only when the controller to which they are connected is deleted.
A fabric domain can consist of one or more fabric sites and a transit site. Multiple fabric sites are connected to
each other using a transit site.
There are two types of transit sites:
• SD-Access transit: Enables a native SD-Access (LISP, VXLAN, CTS) fabric, with a domain-wide control
plane node for intersite communication.
• IP-based transit: Leverages a traditional IP-based (VRF-LITE, MPLS) network, which requires remapping
of VRFs and SGTs between sites.
Transit Sites
A transit site is a site that connects two or more fabric sites with each other or connects the fabric site with
external networks (Internet, data center, and so on). There are two types of transit networks:
• IP transit: Used in a regular IP network to connect to an external network or to connect two or more
fabric sites.
• SDA transit: Used in LISP/VxLAN encapsulation to connect two fabric sites. The SDA transit area may
be defined as a portion of the fabric that has its own Control Plane Nodes and Border Nodes, but does not
have Edge Nodes.
Using SDA transit, an end-to-end policy plane is maintained using SGT group tags.
Procedure
Step 1 From the Cisco DNA Center home page, click Provision.
Step 2 Click the Fabric tab.
Step 3 Click the Add Fabric Domain or Transit tab.
Step 4 Choose Add Transit from the pop-up.
Step 5 Enter a transit name for the network.
Step 6 Choose IP-Based as the transit type.
The routing protocol is set to BGP by default.
Step 7 Enter the autonomous system number (ASN) for the transit network.
Procedure
Step 1 From the Cisco DNA Center home page, click Provision.
Step 2 Click the Fabric tab.
Step 3 Click the Add Fabric Domain or Transit tab.
Step 4 Choose Add Transit from the pop-up.
Step 5 Enter a transit name for the network.
Step 6 Choose SD-Access as the transit type.
Step 7 Enter the Site for the Transit Control Plane for the transit network. Choose at least one transit
map server.
Step 8 Enter the Transit Control Plane for the transit network.
Step 9 Repeat Step 7 and Step 8 for all map servers that you want to add.
Step 10 Click Save.
What to do next
After you create an SDA transit, go to the fabric site and connect the sites to which you want to connect the
SDA transit. Go to Provision > Fabric > Fabric Site. Choose the fabric site that you created. Click Fabric
Site > Border > Edit Border > Transit. From the drop-down, point to your SDA transit site and click Add.
Procedure
Step 1 From the Cisco DNA Center home page, click Provision.
Step 2 Click the Fabric tab.
Step 3 Click the Add Fabric Domain or Transit tab.
Step 4 Choose Add Fabric from the pop-up.
Step 5 Enter a fabric name.
Step 6 Choose one fabric site.
Step 7 Click Add.
Note It is optional to designate the devices in a fabric domain as control plane nodes or border nodes. You may
have devices that do not play these roles. However, every fabric domain must have at least one control plane
node device and one border node device. In the current release for wired fabric, you can add up to six control
plane nodes for redundancy.
There are three steps to add and configure devices to a fabric domain:
1. Select the devices.
2. Specify devices to act as control plane nodes.
3. Specify devices to act as border nodes.
Procedure
Step 1 From the Cisco DNA Center home page, click Provision. The screen displays all provisioned fabric domains.
Step 2 From the list of fabric domains, choose a fabric. The screen displays all devices in the network that have been
inventoried. You can view devices in the topology view or list view. In the topology view, any device that is
added to the fabric is shown in blue.
Step 3 Click a device and choose one of the options displayed.
• Add as CP+Border+Edge: Add the selected device as a control plane and a border node and an edge node.
• Add as CP: Add a core or distribution device as a control plane node. This allows the fabric
access device to communicate with the control plane device.
• Add as Border: Add a core device as a border node. This allows the fabric access device to
communicate with the fabric border device.
• Add as CP+Border: Add the selected device as a control plane and a border node.
Procedure
Step 1 From the Cisco DNA Center home page, click Provision.
A list of all provisioned fabric domains is shown.
Step 2 From the list of fabric domains, choose a fabric. The window displays all devices in the network that have
been inventoried. You can view the devices in the topology view or list view. In the topology view, any device
that is added to the fabric is shown in blue.
Step 3 Click a device and choose one of the options:
• Add as CP+Border+Edge: Add the selected device as a control plane and a border node and an edge
node.
• Add as Border: Add a core device as a border node. This allows the fabric access device to communicate
with the fabric border device.
• Add as CP+Border: Add the selected device as a control plane and a border node.
Step 4 A pop-up window appears with the name of the device that you want to add.
a) From the Border to field, click one of the radio buttons:
• Rest of Company (Internal): Designate the device as a border for IP routes inside your company.
A border exports fabric routes and imports outside routes.
• Outside World (External): Designate the device as a default border for IP routes outside your
company. A border exports fabric routes only.
• Anywhere (Internal & External): Designate the device as a border for both internal and external
IP routes. A border exports fabric routes and imports outside routes, except default-route.
Choose External Interface from the drop-down list. Enter the Remote AS Number. Check the
Virtual Network from the list. This virtual network should be advertised by the border to the remote
peer. You can select one, multiple, or all virtual networks. Click Save.
Step 5 Click Layer 2. You will see a table of the virtual networks and the number of pools in each virtual network.
Click one of the virtual networks.
If a check box in the virtual network list is not clickable, it indicates that the segments under the virtual network
have been handed off to an external VLAN.
After you select a virtual network, the list of IP address pools present in the virtual network appears. A list
of interfaces through which you can connect non-fabric devices is displayed.
Enter the External VLAN into which the fabric must be extended. A virtual network can only be handed off
on a single interface. The same virtual network cannot be handed off via multiple interfaces.
Click Save.
Procedure
• No Authentication
• Open Authentication: A host is allowed network access without having to go through 802.1X
authentication.
Procedure
Step 3 Click Update to save the settings. The settings you specify here will be deployed to all devices on the network.
Step 4 After all the virtual networks have been configured, click Save.
Note The settings you make here for the ports override the general settings you made for the device in the Virtual
Networks section.
Procedure
Step 1 From the Select Fabric Device section, choose the access device that you want to configure.
The ports available on the device are displayed.
Step 2 Choose the ports on the device and specify the allowed IP address pool, the groups that have been provisioned,
the voice or data pool, and the authentication type for the port.
Step 3 Click Save.
Multicast Overview
Multicast traffic is forwarded in different ways:
• Through shared trees by using a rendezvous point. PIM SM is used in this case.
• Through shortest path trees (SPT). PIM source-specific multicast (SSM) uses only SPT. PIM SM switches
to SPT after the source is known on the edge router that the receiver is connected to.
Procedure
Step 1 From the Cisco DNA Center home page, choose Design > Network Settings > IP Address Pools.
A list of all IP address pools is displayed.
Step 2 Click Add and specify the multicast addresses to form the pool:
• IP Pool Name: Enter a name for the multicast IP address pool.
• Subnet/Mask: Enter the subnet IP address and subnet mask for the multicast pool.
• Gateway IP Address: Enter the IP address of the gateway.
Procedure
Step 1 From the Cisco DNA Center home page, click the Provision tab.
By default, the Devices window is shown.
Step 2 Click the Fabric tab.
A list of fabric domains is shown.
Step 3 Choose a fabric. The Fabric - Devices window appears, showing all the devices in the network. Any device
that is added to the fabric is highlighted in blue.
Step 4 Click the fabric device that you want to add as a rendezvous point, and choose Enable Rendezvous Point.
Step 5 Cisco DNA Center displays a list of virtual networks in the pop-up window. Expand Virtual Networks and
choose an IP multicast pool by clicking the Plus button. Click Next.
Note Only a single IP address pool is currently supported for each virtual network for multicast.
To enable multicast in multiple virtual networks, you must create multiple multicast IP address
pools.
Procedure
Step 1 From the Cisco DNA Center home page, click the Provision tab.
By default, the Devices window is shown.
Step 2 Click the Fabric tab.
A list of fabric domains is shown.
Step 3 Choose a fabric. The Fabric - Devices window appears, showing all devices in the network.
Virtual networks that are enabled for IP multicast are marked with an M.
Procedure
Step 1 From the Cisco DNA Center home page, click the Provision tab.
By default, the Devices window is shown.
Step 2 Click the Fabric tab.
A list of fabric domains is shown.
Step 3 Choose a fabric. The Fabric - Devices window appears, showing all devices in the network. Any device that
is added to the fabric is highlighted in blue.
Step 4 Click the device that you want to add as a redundant RP and choose Enable Rendezvous Point.
Cisco DNA Center displays the list of virtual networks.
Step 5 Expand the Virtual Networks for which you want to add a redundant RP. A multicast IP address pool should
be prepopulated. Click Next.
Step 6 Associate the virtual networks and click Enable.
Step 7 Click Save on the main screen. Apply the changes.
Procedure
Step 1 From the Cisco DNA Center home page, click the gear icon and then choose System Settings > Data
Platform.
Step 2 Click Analytics Ops Center.
A list of applications is displayed. For example, Assurance and Pegasus.
Step 3 Click the application name for which you want to view metrics, for example, Assurance.
A graphical representation of all the existing collectors and pipelines in the application appears. CPU or
throughput values corresponding to each pipeline are also provided.
The current health status of each component is indicated by its color:
• Red—indicates an error.
• Yellow—indicates a warning.
• Grey—indicates normal operation.
Step 5 To view additional details to help you troubleshoot an issue and determine the cause of an error or warning,
click a Collector Name.
A side bar appears with the following tabs:
• Metrics—Provides a selection of available metrics gathered during the last 30 minutes. It displays
summary information indicating the component status, start and stop time, and exceptions if errors have
occurred. You can also select a different time interval.
• Grafana—Displays a dashboard associated with the respective component for deeper debugging.
Step 6 To view whether data is flowing through a specific pipeline, click on a pipeline stream.
A sidebar appears with graphs. The graphs display whether the application is receiving data from the underlying
pipelines. The graph information is based on the time interval you select from the drop-down list in the sidebar.
Options are Last 30 Min, Last Hour, Last 2 Hours, and Last 6 Hours. Default is Last 30 Min.
Step 7 If a pipeline is not flowing at normal levels, hover your cursor over the stream to display the lag metrics.
Step 8 To view detailed information for a specific pipeline, click a Pipeline Name.
The appropriate Pipeline page displays with the following tabs:
Note Make sure to click the Exceptions tab to determine if any exceptions have occurred in the pipeline.
Under normal working conditions, this tab displays null.
Step 9 To change the metrics you want displayed in the Analytics Ops Center page, click Key Metrics, select up to
two metrics, and then click Apply.
By default, Cisco DNA Center displays CPU and Throughput metrics.
Procedure
Step 1 From the Cisco DNA Center home page, click the gear icon and choose System Settings > Data Platform.
Step 2 Click Collectors. The colored dot next to each collector indicates its overall status.
Step 3 To view additional details, click a collector name.
The appropriate Collector page displays. By default, Cisco DNA Center displays the Current Configurations
list.
When you check the Anonymize check box, the user ID in the Client Health window appears
scrambled.
Procedure
Step 1 From the Cisco DNA Center home page, click the gear icon and then choose System Settings > Data
Platform.
Step 2 Click Store Settings.
Step 3 To view a list of historical purge jobs that have completed, click Data Purge Schedule.
The History table lists the name of the purge job, the result, time, and other data. You can sort, filter, and
export data in the table.
Step 4 To view or modify the current data retention and purge settings, click Data Retention & Purge Configuration.
Click the data for which you want to view or modify data retention and purge configuration settings:
• Time Series Document Store—Settings for all time-based data.
• Trigger Store—Storage space dedicated to issues detected by various data analysis algorithms.
• Time Series Graph Store—Settings for all time-based graphical data.
Procedure
Step 1 From the Cisco DNA Center home page, click the gear icon and choose System Settings > Data Platform.
Step 2 Click Pipelines.
Step 3 To view whether the application is receiving data from the underlying pipelines, click a pipeline name.
The appropriate Pipeline page displays with the following tabs:
Note Make sure to click the Exceptions tab to determine if any exceptions have occurred in the pipeline.
Under normal working conditions, this tab displays null.