Clear visibility of device compliance is essential for network operations. One of the biggest challenges, though, is agreeing on the definition of compliance, since different environments have different requirements. The aim of this blog is to share the current compliance capabilities in Cisco DNA Center that can help network administrators keep the infrastructure secure and consistent.
The current version of Cisco DNA Center looks at device compliance from five different lenses in a non-SD-Access network: startup vs. running-config, network profiles, application visibility, software image, and critical security advisories.
Figure 1: Compliance Types
Startup vs Running Configuration
Have you ever configured a device and forgotten to save the running configuration, only to have the device reboot unexpectedly? The result could be catastrophic, leading to numerous issues in the network. Although the preferred method for device configuration is through Cisco DNA Center, manual changes are still permitted. To avoid inconsistencies between startup and running configurations, Cisco DNA Center provides a compliance check that flags any devices whose startup and running configurations do not match.
In the snapshot below, we see how Cisco DNA Center visualizes the differences between the running and startup configuration. In this example, the network administrator manually added a description to an interface and forgot to save the new configuration. Cisco DNA Center also provides a way to remediate this problem with a “Sync Device Config” button, which saves the running-config into the startup-config.
Figure 2: Config Differences and Remediation option
Network Profiles
One of Cisco DNA Center’s greatest values is the automation it brings by leveraging Intent-Based Networking (IBN). One of the constructs that Cisco DNA Center uses to implement IBN is network profiles. Network profiles contain different elements of intent-based networking, including wireless and model-based configuration (for wireless devices) and templates (for all devices). Via compliance checks, Cisco DNA Center can flag any configuration deviation from these constructs.
Let’s say that we have a simple template in Cisco DNA Center pushing a “vlan” configuration to a port:
TBRANCH-C9200L-2#show run int gig 1/0/7
Building configuration...
Current configuration : 344 bytes
!
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template — lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
end
In this example, we will assume that someone manually removed the “vlan” configuration that had been pushed by a Cisco DNA Center template:
TBRANCH-C9200L-2#conf t
Enter configuration commands, one per line. End with CNTL/Z.
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no switchport access vlan 419
TBRANCH-C9200L-2(config-if)#
This action will trigger a “Network Profile” compliance violation, as seen in the snapshots below:
Figure 3: Network Profile Compliance Violation
Cisco DNA Center clearly identifies the template that has been modified on the device and the exact lines of configuration that have been removed:
Figure 4: CLI commands from Template not present in the config
Application Visibility
Cisco DNA Center also leverages Intent-Based Networking (IBN) to provision devices for application visibility through CBAR and NBAR. If there are any changes to this intent, the devices will be marked as non-compliant for “Application Visibility”, as seen in the example below.
The device has CBAR (Controller Based Application Recognition) enabled via DNA Center:
interface GigabitEthernet1/0/7
 description Description pushed by DNAC Template — lan
 switchport access vlan 419
 switchport mode access
 device-tracking attach-policy IPDT_POLICY
 ip flow monitor dnacmonitor input
 ip flow monitor dnacmonitor output
 service-policy input DNA-MARKING_IN
 service-policy output DNA-dscp#APIC_QOS_Q_OUT
 ip nbar protocol-discovery
end
The configuration is then manually removed from the device:
TBRANCH-C9200L-2(config)#int gig 1/0/7
TBRANCH-C9200L-2(config-if)#no ip nbar protocol-discovery
TBRANCH-C9200L-2(config-if)#
Figure 5: Application Visibility Compliance Violation
Figure 6: Configuration removed for this interface
Software Image
Cisco DNA Center uses the concept of a “Golden Image” to support image consistency within a site. When devices run images different from the “Golden Image”, it will trigger the “Software Image” compliance violation, as seen in the snapshots below:
Figure 7: Software Compliance Violation
Figure 8: Device Image different from Golden Image
Critical Security Advisories
Devices with critical security vulnerabilities will also trigger a compliance violation, as shown in the snapshots below:
Figure 9: Critical Security Advisories Compliance Violation
Figure 10: Detailed list of security advisories
Our next blog will cover aspects of Cisco DNA Center and configuration management. Stay tuned!