Physical Address

304 North Cardinal St.
Dorchester Center, MA 02124

Compliant or not? Cisco DNA Heart will allow you to determine this out.

[ad_1]

Clear visibility of system compliance is essential for community operations. One of many largest challenges although is to agree upon the definition of compliance since totally different environments have totally different necessities. The aim of this weblog is to share the present compliance capabilities in Cisco DNA Heart that may assist community directors to maintain the infrastructure secure and constant.

The present model of Cisco DNA Heart, appears at system compliance from 5 totally different lenses in a non-SD-Entry community: startup vs. running-config, community profiles, software visibility, software program picture, and important safety advisories.

Compliance Types
Determine 1: Compliance Sorts

Startup vs Working Configuration

Have you ever ever configured a tool and forgotten to avoid wasting the working configuration solely to have the system reboot unexpectedly?  The results of this might be catastrophic leading to quite a few points within the community. Although the popular technique for system configuration is thru Cisco DNA Heart, handbook adjustments are nonetheless permitted. To keep away from inconsistencies between startup and working configurations, Cisco DNA Heart offers a compliance verify by flagging any gadgets which have a startup and working configurations that don’t match.

Within the snapshot beneath, we see how Cisco DNA Heart offers visualization of the variations between the working and startup configuration.  On this instance, the community administrator manually added an outline to an interface and forgot to avoid wasting the brand new configuration. Cisco DNA Heart additionally offers a solution to remediate this drawback with a button to “Synch Machine Config” which saves the running-config into startup-config.

Config Differences and Remediation option
Determine 2: Config Variations and Remediation choice

Community Profiles

One in all Cisco DNA Heart’s biggest values is the automation it brings by leveraging Intent-Based mostly Networking (IBN). One of many constructs that Cisco DNA Heart makes use of to implement IBN is community profiles. Community profiles comprise totally different points of intent-based networking together with wi-fi and model-based configuration (for wi-fi gadgets) and templates (for all gadgets). By way of compliance checks, Cisco DNA Heart can flag any configuration deviation from these constructs.

Let’s say that we’ve got a easy template in Cisco DNA Heart pushing a “vlan” configuration to a port:

TBRANCH-C9200L-2#present run int gig 1/0/7
Constructing configuration...

Present configuration : 344 bytes
!
interface GigabitEthernet1/0/7
description Description pushed by DNAC Template -- lan
switchport entry vlan 419
switchport mode entry
device-tracking attach-policy IPDT_POLICY
ip stream monitor dnacmonitor enter
ip stream monitor dnacmonitor output
service-policy enter DNA-MARKING_IN
service-policy output DNA-dscp#APIC_QOS_Q_OUT
finish

On this instance, we’ll assume that somebody manually eliminated the “vlan” configuration that has been pushed by Cisco DNA Heart templates:

TBRANCH-C9200L-2#conf t
Enter configuration instructions, one per line. Finish with CNTL/Z.
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no switchport entry vlan 419
TBRANCH-C9200L-2(config-if)#

This motion will set off a “Community Profile” compliance violation as seen within the snapshots beneath:

Network Profile Compliance Violation
Determine 3: Community Profile Compliance Violation

Cisco DNA Heart clearly identifies the template that has been modified within the system and the particular traces of configuration which were eliminated:

CLI commands from Template not present in the config
Determine 4: CLI instructions from Template not current within the config

Software Visibility

Cisco DNA Heart additionally leverages Intent-Based mostly Networking (IBN) to provision gadgets for visibility of functions by CBAR and NBAR.  If there are any adjustments to this intent, the gadgets will probably be marked as non-compliant for “Software Visibility” as seen within the instance beneath.

The system has CBAR (Controller Based mostly Software Recognition) enabled by way of DNA Heart:

interface GigabitEthernet1/0/7
description Description pushed by DNAC Template -- lan
switchport entry vlan 419
switchport mode entry
device-tracking attach-policy IPDT_POLICY
ip stream monitor dnacmonitor enter
ip stream monitor dnacmonitor output
service-policy enter DNA-MARKING_IN
service-policy output DNA-dscp#APIC_QOS_Q_OUT
ip nbar protocol-discovery
finish

Configuration is manually faraway from the system:

TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no ip nbar protocol-discovery
TBRANCH-C9200L-2(config-if)#

 

Application Visibility Compliance Violation
Determine 5: Software Visibility Compliance Violation

 

Configuration removed for this interface
Determine 6: Configuration eliminated for this interface

Software program Picture

Cisco DNA Heart makes use of the idea of “Golden Picture” to help picture consistency inside a website. When gadgets have photos totally different from “Golden Picture”, it’ll set off the “Software program Picture” compliance violation as seen within the snapshots beneath:

Software Compliance Violation
Determine 7: Software program Compliance Violation

 

Device Image different from Golden Image
Determine 8: Machine Picture totally different from Golden Picture

Vital Safety Advisories

Gadgets with essential safety vulnerabilities can even set off a compliance verify as proven within the snapshots beneath:

Critical Security Advisories Compliance Violation
Determine 9: Vital Safety Advisories Compliance Violation

 

Detailed list of security advisories
Determine 10: Detailed listing of safety advisories

 

Our subsequent weblog will probably be protecting points of Cisco DNA Heart and configuration administration.
Keep tuned!

Share:

[ad_2]

Leave a Reply