Clear visibility of device compliance is key for network operations. One of the biggest challenges though is to agree upon the definition of compliance since different environments have different requirements. The purpose of this blog is to share the current compliance capabilities in Cisco DNA Center that will help network administrators to keep the infrastructure safe and consistent.
The current version of Cisco DNA Center looks at device compliance from five different lenses in a non-SD-Access network: startup vs. running-config, network profiles, application visibility, software image, and critical security advisories.
Startup vs Running Configuration
Have you ever configured a device and forgotten to save the running configuration, only to have the device reboot unexpectedly? The result can be catastrophic, causing numerous issues in the network. Even though the preferred method for device configuration is through Cisco DNA Center, manual changes are still permitted. To avoid inconsistencies between startup and running configurations, Cisco DNA Center provides a compliance check that flags any device whose startup and running configurations do not match.
In the snapshot below, we see how Cisco DNA Center visualizes the differences between the running and startup configuration. In this example, the network administrator manually added a description to an interface and forgot to save the new configuration. Cisco DNA Center also provides a way to remediate this problem with a “Synch Device Config” button, which saves the running-config to the startup-config.
Network Profiles
One of Cisco DNA Center’s greatest values is the automation it brings by leveraging Intent-Based Networking (IBN). One of the constructs that Cisco DNA Center uses to implement IBN is network profiles. Network profiles contain different aspects of intent-based networking, including wireless and model-based configuration (for wireless devices) and templates (for all devices). Via compliance checks, Cisco DNA Center can flag any configuration deviation from these constructs.
Let’s say that we have a simple template in Cisco DNA Center pushing a “vlan” configuration to a port:
TBRANCH-C9200L-2#show run int gig 1/0/7
Building configuration...

Current configuration : 344 bytes
!
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
end
In this example, we will assume that someone manually removed the “vlan” configuration that was pushed by the Cisco DNA Center template:
TBRANCH-C9200L-2#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no switchport access vlan 419
TBRANCH-C9200L-2(config-if)#
This action will trigger a “Network Profile” compliance violation as seen in the snapshots below:
Cisco DNA Center clearly identifies the template that has been changed on the device and the specific lines of configuration that have been removed:
Application Visibility
Cisco DNA Center also leverages Intent-Based Networking (IBN) to provision devices for application visibility through CBAR and NBAR. If there are any changes to this intent, the devices will be marked as non-compliant for “Application Visibility”, as seen in the example below.
The device has CBAR (Controller Based Application Recognition) enabled via DNA Center:
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
end
The configuration is then manually removed from the device:
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no ip nbar protocol-discovery
TBRANCH-C9200L-2(config-if)#
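The three checks above (startup vs. running-config, template drift in a network profile, and the removed CBAR intent) all reduce to the same question: which configuration lines does one side carry that the other no longer does? The following Python script is an added example, not Cisco DNA Center code, that re-creates those checks offline over IOS-XE configuration text. The startup and running configs are constructed from the Gi1/0/7 interface shown in this post (with both manual removals applied to the running-config), and the template and CBAR intent dictionaries are assumptions standing in for what DNA Center would have pushed.

```python
"""Offline re-creation of three Cisco DNA Center compliance lenses (added example):
startup vs. running-config, network-profile template drift, and application
visibility (CBAR/NBAR) intent drift. Not DNA Center's own code."""
import re
from typing import Dict, List, Tuple

# A pasted CLI capture contains prompts and banners that are not configuration.
PROMPT_RE = re.compile(r"^\S+[#>]")           # e.g. "TBRANCH-C9200L-2#show run ..."
SKIP_PREFIXES = ("Building configuration", "Current configuration")

# Constructed sample: the interface as DNA Center provisioned and saved it.
STARTUP_CONFIG = """\
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
end
"""

# Constructed sample: running-config after the two manual "no" commands in the post.
RUNNING_CONFIG = """\
TBRANCH-C9200L-2#show run int gig 1/0/7
Building configuration...

Current configuration : 299 bytes
!
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
end
"""

# Assumed stand-ins for the DNA Center template and the CBAR intent on this port.
LAN_PORT_TEMPLATE = {
    "interface GigabitEthernet1/0/7": [
        "description Description pushed by DNAC Template -- lan",
        "switchport access vlan 419",
        "switchport mode access",
    ]
}
APP_VISIBILITY_INTENT = {"interface GigabitEthernet1/0/7": ["ip nbar protocol-discovery"]}


def parse_sections(config_text: str) -> Dict[str, List[str]]:
    """Split IOS-style config into {section header: [child lines]}.

    Unindented lines open a section; indented lines belong to the most recent
    section. Prompts, banners, comment lines and the 'end' marker are ignored.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!") or raw.startswith(SKIP_PREFIXES):
            continue
        if PROMPT_RE.match(raw) or raw.strip() == "end":
            continue
        if raw[0] != " ":
            current = raw.strip()
            sections.setdefault(current, [])
        elif current is not None:
            sections[current].append(raw.strip())
    return sections


def config_diff(startup_text: str, running_text: str) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """Return (only_in_startup, only_in_running) as sorted (section, line) pairs.

    A section header is represented as (header, "") so that an entirely missing
    interface block or global command is reported too, not just child lines.
    """
    def flatten(sections: Dict[str, List[str]]) -> set:
        pairs = set()
        for header, lines in sections.items():
            pairs.add((header, ""))
            pairs.update((header, line) for line in lines)
        return pairs

    startup = flatten(parse_sections(startup_text))
    running = flatten(parse_sections(running_text))
    return sorted(startup - running), sorted(running - startup)


def startup_running_compliant(startup_text: str, running_text: str) -> bool:
    """True when the two configs carry exactly the same lines (the first lens)."""
    only_startup, only_running = config_diff(startup_text, running_text)
    return not only_startup and not only_running


def template_violations(template: Dict[str, List[str]], running_text: str) -> List[Tuple[str, str]]:
    """Lines the template expects under each section that the running-config lacks.

    Serves the network-profile and application-visibility lenses alike: the
    'template' is just the set of lines the controller intends to be present.
    """
    running = parse_sections(running_text)
    missing: List[Tuple[str, str]] = []
    for header, expected in template.items():
        if header not in running:
            missing.append((header, ""))          # whole block gone
        present = set(running.get(header, []))
        missing.extend((header, line) for line in expected if line not in present)
    return missing


if __name__ == "__main__":
    only_startup, only_running = config_diff(STARTUP_CONFIG, RUNNING_CONFIG)
    print("Startup vs running compliant:", startup_running_compliant(STARTUP_CONFIG, RUNNING_CONFIG))
    print("Only in startup-config:", only_startup)
    print("Only in running-config:", only_running)
    print("Network profile violations:", template_violations(LAN_PORT_TEMPLATE, RUNNING_CONFIG))
    print("Application visibility violations:", template_violations(APP_VISIBILITY_INTENT, RUNNING_CONFIG))
```

Run with the constructed samples, the first lens reports the two lines that exist only in startup-config, the template check names `switchport access vlan 419` as the line missing from the network profile, and the CBAR check names `ip nbar protocol-discovery`; feeding the same text to both sides reports everything compliant. The parser deliberately skips the prompt, banner and byte-count lines so that a raw `show run` paste can be compared directly, and it reports a missing section header separately so that a deleted interface block is not silently treated as "no drift".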
Software Image
Cisco DNA Center uses the concept of a “Golden Image” to keep software images consistent within a site. When a device runs an image other than the Golden Image, Cisco DNA Center triggers the “Software Image” compliance violation, as seen in the snapshots below:
Critical Security Advisories
Devices affected by critical security vulnerabilities will also be flagged by the compliance check, as shown in the snapshots below:
Our next blog will cover Cisco DNA Center and configuration management.