Compliant or not? Cisco DNA Center will help you figure this out.

By Researcher, August 5, 2022, in Networking


Clear visibility of device compliance is key for network operations. One of the biggest challenges, though, is agreeing on a definition of compliance, since different environments have different requirements. The purpose of this blog is to share the current compliance capabilities in Cisco DNA Center that help network administrators keep the infrastructure safe and consistent.

The current version of Cisco DNA Center looks at device compliance through five different lenses in a non-SD-Access network: startup vs. running-config, network profiles, application visibility, software image, and critical security advisories.

Figure 1: Compliance Types

Startup vs Running Configuration

Have you ever configured a device and forgotten to save the running configuration, only to have the device reboot unexpectedly? The result can be catastrophic and lead to numerous issues in the network. Even though the preferred method for device configuration is through Cisco DNA Center, manual changes are still permitted. To avoid inconsistencies between startup and running configurations, Cisco DNA Center provides a compliance check that flags any device whose startup and running configurations don't match.

In the snapshot below, we see how Cisco DNA Center visualizes the differences between the running and startup configuration. In this example, the network administrator manually added a description to an interface and forgot to save the new configuration. Cisco DNA Center also provides a way to remediate this problem with a "Synch Device Config" button, which saves the running-config into the startup-config.

Figure 2: Config Differences and Remediation option

Network Profiles

One of Cisco DNA Center’s greatest values is the automation it brings by leveraging Intent-Based Networking (IBN). One of the constructs that Cisco DNA Center uses to implement IBN is network profiles. Network profiles contain different aspects of intent-based networking including wireless and model-based configuration (for wireless devices) and templates (for all devices). Via compliance checks, Cisco DNA Center can flag any configuration deviation from these constructs.

Let's say that we have a simple template in Cisco DNA Center pushing a "vlan" configuration to a port:

TBRANCH-C9200L-2#show run int gig 1/0/7
Building configuration...

Current configuration : 344 bytes
!
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
end

In this example, we will assume that someone manually removed the "vlan" configuration that had been pushed by the Cisco DNA Center template:

TBRANCH-C9200L-2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no switchport access vlan 419
TBRANCH-C9200L-2(config-if)#

This action will trigger a “Network Profile” compliance violation as seen in the snapshots below:

Figure 3: Network Profile Compliance Violation

Cisco DNA Center clearly identifies the template that has been changed on the device and the specific lines of configuration that have been removed:

Figure 4: CLI commands from Template not present in the config

Application Visibility

Cisco DNA Center also leverages Intent-Based Networking (IBN) to provision devices for application visibility through CBAR and NBAR. If there are any changes to this intent, the devices will be marked as non-compliant for "Application Visibility", as seen in the example below.

The device has CBAR (Controller Based Application Recognition) enabled via Cisco DNA Center:

interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
end

The configuration is then manually removed from the device:

TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no ip nbar protocol-discovery
TBRANCH-C9200L-2(config-if)#

Figure 5: Application Visibility Compliance Violation

Figure 6: Configuration removed for this interface
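The three checks above (startup vs. running, template lines missing from the port, and the NBAR line removed) all reduce to comparing per-interface command sets. The following is an added example, not code from the post or from Cisco DNA Center: it parses IOS-style config text into interface blocks, reports unsaved startup/running differences, and lists template commands that have been stripped from a port. The sample configs and TEMPLATE_LINES are constructed to mirror the interface shown in the post.

```python
import re

# Constructed samples modelled on the post's interface: startup holds what DNA
# Center pushed; running has the post's manual edits (unsaved description, VLAN gone).
STARTUP_CONFIG = """\
interface GigabitEthernet1/0/7
 switchport access vlan 419
 switchport mode access
 ip nbar protocol-discovery
!
"""
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template -- lan
 switchport mode access
 ip nbar protocol-discovery
!
"""
TEMPLATE_LINES = ["switchport access vlan 419", "switchport mode access"]  # hypothetical intent


def parse_interfaces(config):
    """Split IOS-style config text into {interface name: [sub-commands]}."""
    blocks = {}
    current = None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            blocks[current] = []
        elif line.startswith(" ") and current:
            blocks[current].append(line.strip())
        else:
            current = None  # '!' or a top-level command ends the block
    return blocks


def unsaved_changes(startup, running):
    """Per-interface lines that differ between startup and running config."""
    s, r = parse_interfaces(startup), parse_interfaces(running)
    diff = {}
    for name in sorted(set(s) | set(r)):
        added = [c for c in r.get(name, []) if c not in s.get(name, [])]
        removed = [c for c in s.get(name, []) if c not in r.get(name, [])]
        if added or removed:
            diff[name] = {"added": added, "removed": removed}
    return diff


def missing_template_lines(running, interface, template):
    """Template commands the running config no longer carries on that port."""
    present = parse_interfaces(running).get(interface, [])
    return [cmd for cmd in template if cmd not in present]
```

Feeding real `show startup-config` / `show running-config` output into these functions gives the same two answers the post's screenshots show: which lines are unsaved, and which intent lines a manual edit removed.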

Software Image

Cisco DNA Center uses the concept of a "Golden Image" to keep software images consistent within a site. When a device runs an image different from the Golden Image, it triggers the "Software Image" compliance violation, as seen in the snapshots below:

Figure 7: Software Compliance Violation

Figure 8: Device Image different from Golden Image

Critical Security Advisories

Devices affected by critical security advisories will also be flagged by a compliance check, as shown in the snapshots below:

Figure 9: Critical Security Advisories Compliance Violation

Figure 10: Detailed list of security advisories

Our next blog will cover aspects of Cisco DNA Center and configuration management. Stay tuned!
