Explore Cisco
How to Buy

Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco DNA Center 2.3.3.0

Data Sheet

Available Languages

Download Options

  • PDF
    (1.3 MB)
    View with Adobe Reader on a variety of devices
Updated:August 3, 2022

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

Available Languages

Download Options

  • PDF
    (1.3 MB)
    View with Adobe Reader on a variety of devices
Updated:August 3, 2022
 

 

Introduction

Cisco DNA Center is a powerful network controller and management dashboard that lets you take charge of your network, optimize your Cisco investment, and lower your IT spending. Cisco DNA Center provides a single dashboard for every fundamental management task to simplify running your network. With this platform, IT can respond to changes and challenges faster and more intelligently.

      Design: Design your network using intuitive workflows, starting with locations where your network devices will be deployed. Users of Cisco Prime® Infrastructure and the Cisco® Application Policy Infrastructure Controller Enterprise Module (APIC-EM) can simply import existing network designs and device images into Cisco DNA Center.

      Policy: Define user and device profiles that facilitate highly secure access and network segmentation based on business needs. Application policies allow your business-critical applications to provide a consistent level of performance regardless of network congestion.

      Provision:Use policy-based automation to deliver services to the network based on business priority and to simplify device deployment. Zero-touch device provisioning and software image management features reduce device installation or upgrade time from hours to minutes and bring new remote offices online with plug-and-play ease from an off-the-shelf Cisco device. Additionally, the Cisco Secure Network Analytics (formerly Stealthwatch®) service provisions network elements to send NetFlow and Encrypted Traffic Analytics (ETA) to the analytics service.

      Assurance: Enable every point on the network to become a sensor, sending continuous streaming telemetry on application performance and user connectivity in real time. This, coupled with automatic path-trace visibility and guided remediation, means network issues are resolved in minutes — before they become problems. Automated NetFlow switch configuration for Cisco Secure Network Analytics provides detection and mitigation of threats, even when they are hidden in encrypted traffic.

      Platform: An open and extensible platform allows third-party applications and processes to exchange data and intelligence with Cisco DNA Center. This improves IT operations by automating workflow processes based on network intelligence coming from Cisco DNA Center.

Cisco DNA Center

Figure 1.            

Cisco DNA Center

Cisco DNA Center is a centralized intent-based network management system to bring all this functionality into an integrated controller and present it through a single pane of glass.

How Cisco DNA Center works

Figure 2.            

How Cisco DNA Center works

Licensing

Cisco DNA Center is a software solution that resides on the Cisco DNA Center appliance. The solution receives data in the form of streaming telemetry from every device (switch, router, access point, and wireless access controller) on the network. This data provides Cisco DNA Center with the real-time information it needs for the many functions it performs. For a device to be authorized to send data to Cisco DNA Center, that device must be included in your company’s Cisco DNA software license subscription. Cisco encourages customers to purchase complete Cisco DNA Center functionality through a Cisco DNA Advantage license subscription. Limited Cisco DNA Center functionality is also available through a Cisco DNA Essentials license subscription. Wireless, switching, and SD-WAN and routing subscriptions are available for 3- and 5-year terms; wireless and switching are also available in a 7-year term. All Cisco DNA software license subscription options include embedded Cisco SWSS (software support and downloads).

The links below open matrices detailing the main features included in each respective suite.

Switching feature matrix

Wireless feature matrix

SD-WAN and routing matrix

In addition to the Cisco DNA licenses, the Cisco DNA Expansion Pack is a flexible way to purchase Cisco Identity Services Engine (ISE), Cisco DNA Spaces, Cisco Secure Network Analytics (previously, Stealthwatch), Cisco ThousandEyes®, and other licenses, appliances, and services in one convenient bundle. Enhance your Cisco networking solutions such as SD-Access, Cisco Zero Trust solutions, Encrypted Traffic Analytics (ETA), location analytics, and assurance. You can add the pack to your Cisco DNA software licenses and choose the license count that fits your needs.

Introduction to Smart Licensing

Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure – you control what users can access. With Smart Licensing you get:

      Easy activation: Smart Licensing establishes a pool of software licenses that can be used across the entire organization—no more Product Activation Keys (PAKs).

      Unified management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco products and services in an easy-to-use portal, so you always know what you have and what you are using.

      License flexibility: Your software is not node-locked to your hardware, so you can easily use and transfer licenses as needed.

To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).

For a more detailed overview of Cisco Licensing, go to cisco.com/go/licensingguide.

New features

Cisco DNA Center’s latest release, 2.3.3.0, helps customers with innovations in network configuration, change management, and the ability to monitor ThousandEyes’ test results directly in Cisco DNA Center. Customers can automate time-consuming RF tuning using our AI-enhanced radio resource management (RRM) for wireless networks. Customers will enjoy enhanced security through detection of unauthorized open ports and weak credentials, and through Cisco DNA Center’s integration with Cisco’s Talos® IP reputation engine.

Key deliverables of Cisco DNA Center 2.3.3.0 are:

AIOps: AI-driven insights

AI-enhanced radio resource management simulator

Recent advances in Cisco DNA Center’s AI-enhanced radio resource management (RRM) have leveraged AI/ML to create a deep understanding of unique wireless environments and make configuration recommendations that improve the performance, coverage, and capacity of the Wi-Fi network.

In this release, we have added a new AI RRM simulator that enables the network operator to get a preview of the impact of RRM changes. When Cisco DNA Center recommends RRM setting changes, or when the network administrator plans changes to settings such as channel, channel width, and power, the network administrator will be able to:

      Simulate how the RF environment will respond to recommended changes

      Analyze the impact of potential changes during a particular time interval

      View the proposed changes measured in quantified statistics, including RRM health, co-channel interference and utilization, and RRM changes

Planned for version 2.3.3.2

Global assurance event viewer

Network devices can generate huge volumes of data from events related to the network infrastructure and the users on the network. Because of the amount of data, it can be a challenge for network administrators to correlate all the events to understand which ones are relevant.

The new global assurance event viewer gives the network administrator a consolidated view of events from all the devices, where they can search and filter on the events that are most important to address. The event viewer allows the user to:

      Troubleshoot network issues and quickly get to root causes

      Identify the most important range of time to focus on

      Correlate events that happen across multiple devices or users

      Isolate events on specific devices

Intel connectivity analytics

When troubleshooting wireless client problems, IT engineers have long faced challenges because different devices have different hardware, software, and drivers. This variability can lead to devices making different roaming decisions in various RF scenarios. Troubleshooting a user’s device and attempting to reproduce a problem has been time-consuming, inefficient, and sometimes not possible.

Cisco continues to expand its partnership with Intel® to exclusively provide granular, driver-level insights from wireless clients using the latest Intel chipsets and drivers without the need for installing client-side agents. So now network administrators can easily see important troubleshooting data from the client’s point of view, including device details such as OS and driver versions and RF statistics such as those regarding radios seen and their signals.

Using device-behavior insights into such things as roaming and disconnect problems and errors, the network administrator can now get to the bottom of wireless client issues, making them more efficient and enabling them to close tickets faster.

To provide insights into the security and performance impacts of unauthorized access points, this new feature set also provides visibility into a device’s attempts to connect to rogue and neighbor basic service set identifiers (BSSIDs).

Cisco DNA Spaces client location in 3D maps

The Cisco Wireless 3D Analyzer has revolutionized how wireless network administrators view and interact with the wireless network in their physical spaces. 3D views have redefined wireless network planning and deployment and have given users a new level of coverage validation, ensuring that the actual coverage meets the designed specifications and enhances user experience.

Starting with this release, Cisco DNA Center is expanding on its 3D troubleshooting capabilities using connectivity with Cisco DNA Spaces to provide client location on 3D map views. Granular visibility into the wireless coverage where the users are helps administrators correlate the user location and experience. Workflows to the Client 360 page provide a deeper level of wireless-client troubleshooting capabilities.

RF penetration from two floors away in 3D maps

The signal from an access point covers more than just the floor that the access point is deployed on. Sometimes the closest access point to a user is on a floor above or below. In this version of Cisco DNA Center, 3D maps can show the wireless coverage from access points on adjacent floors above and below, extending up to two levels, giving the administrator a better understanding of coverage.

Cisco DNA Center Insights

Cisco DNA Center can now send monthly emails to all users of the system, presenting users with personalized information about their network and curated content from Cisco. Users can opt in to:

      Monitor deployment progress with information about newly onboarded devices

      Track operational efficiency with a summary of issues resolved

      Check security compliance with Software Image Management updates

      Keep informed of upcoming Cisco events

      Stay on top of new Cisco product releases

      Improve IT success with insights into new product capabilities

Intelligent capture enhancements

When a Cisco DNA Center user wants to take an intelligent packet capture, they want the data to be available as quickly as possible, and without unnecessary burden on the network. In this version, when the network administrator runs a full, partial, or scheduled capture, they will be able to choose which Wireless LAN Controllers (WLCs) to run a capture on. The capture will be run just on the specified WLCs, reducing load on the network and generating the capture much more quickly than previously possible.

NetOps with Cisco DNA automation

Access-point provisioning enhancements

Network administrators who need to broadcast separate SSIDs on different sections of a floor can now easily do it without breaking the AP group into multiple floors. To do this, they can add access points to AP zones, which are logical groups comprising device tags, SSIDs, and RF profiles in a wireless network profile.

Additionally, customers can now create custom policy tag names to be used during AP provisioning instead of Cisco DNA Center autogenerating them. Combining custom policy tags with AP zone allows customers to broadcast different SSIDs on the same floor, removing the complexity of creating multiple floors.

6Ghz manual radio configuration override

For cases when users want to override Radio Resource Management (RRM) configuration on 6Ghz radios, users can now manually configure those settings, which include administrative status, channel, and power.

Reduced maintenance window for software image upgrades

When IT does upgrades of network infrastructure at scale, they want network downtime to be minimal. Cisco DNA Center 2.3.3.0 helps by separating the phases of the upgrade process that affect the network from those that do not. In the new release, the user can distribute the files to all the target devices while they are still running and perform the image activation later.

Additionally, this release makes managing and troubleshooting upgrades faster and easier with step-by-step details of both the distribution and activation phases as they happen. Now the user has detailed information on the entire upgrade process as it happens.

Enhanced UDN administration and troubleshooting

With Cisco DNA Center 2.3.3.0, we are now expanding the reach of Cisco’s User Defined Network (UDN) solution by launching UDN Cloud in Germany and Singapore. This offers global customers increased flexibility and scale, along with improved data resiliency, compliance, and security.

Additionally, we have added new capabilities to the UDN Cloud portal such as:

      Endpoint management: Allowing network administrators to add, remove, or move end user devices to UDN rooms as required

      Summary page view: Allowing network administrators to have a bird’s-eye view where UDN is deployed, including a summary of UDN-enabled SSIDs, endpoint counts, and UDN-enabled RLAN ports

      UDN room limit: Allowing network administrators to restrict the number of devices in a UDN room and limit the devices a user can register within a UDN room, thus reducing unwanted costs of deploying unlimited numbers of devices

This helps network administrators to improve UDN administration and troubleshooting.

Enhanced “learn device configuration” workflow

This release makes it easier than ever to onboard wireless network devices without risking changes to the device’s existing configuration. A new guided workflow learns the intent of the configuration from WLCs and access points, and creates reusable wireless design elements such as SSIDs, RF profiles, advanced model configuration templates, and CLI templates. It also learns policy tags, AAA override VLAN details, remote teleworker details, and mesh settings.

As the network scales to support more sites and users, the network operator can reuse the learned configuration policies to provision new wireless devices with speed and consistency.

Flexible AP refresh workflow

A refresh of a large-scale wireless network can be time-consuming and labor intensive. Cisco DNA Center’s AP refresh workflow is designed to guide customers through the process and is adding two new features to further improve IT’s operational efficiency during a wireless network refresh.

First, the user can now refresh access points even if they haven’t been provisioned by Cisco DNA Center. This expands the scope of the devices that are eligible to be refreshed.

Additionally, the new access points can now join any WLC, rather than having the restriction of needing to join the same WLC as the previous access points.

SecOps: zero-trust workplace

Detect connections to low-reputation sites through Talos

Endpoints that attempt to access weak, compromised, or malicious sites pose a significant security risk. Now, Cisco DNA Center connects with the Talos IP and Domain Reputation Center to detect when endpoints attempt to access sites with an untrusted reputation. When these threats are detected, the network administrator can then remediate manually or automatically, reducing the risk.

Extended node onboarding with Cisco DNA Essentials license

Customers want to migrate their access layer to a fabric without additional licensing expenses. In previous versions of Cisco DNA Center, it was not possible to integrate existing layer 2 switching networks into a fabric with previous versions of Cisco DNA Essentials licenses in previous versions. Now customers can onboard new or existing Layer- 2 switches with Cisco DNA Essentials licenses into an SD-Access fabric, maintaining the switches’ existing network blueprint at the access layer.

IP-based endpoint classification

Malicious actors that can spoof MAC addresses to avoid detection are a dangerous threat. Taking action against them without also affecting the spoofed device can be especially challenging. Now, the network operator can define policy based on both the MAC address and the NAD IP, enhancing security and keeping IT-sanctioned devices operating normally.

DevOps: innovation and integration

Cisco DNA Center dashboard for Splunk Enterprise

The Cisco DNA Center dashboard application for Splunk Enterprise integrates with Cisco DNA Center to offer a single view of network status, client health, application visibility, and more. This offers customers an easy way to get started integrating Cisco DNA Center and Splunk. It also gives users a way to view long-term network trends.

The Cisco DNA Center Dashboard application will be available soon for download on Splunkbase.

SD access APIs

Running Cisco DNA Center in headless mode allows enterprises to use APIs to scale and automate various Cisco DNA Center functions. New APIs include managing port operations like clear MAC addresses, supporting get-and-post operations, and adding support for start, stop, and status operations for LAN automation. These APIs save time for developers and enterprises by reducing the dependence on the GUI to perform repetitive network functions.

Enhancements to rogue access point APIs

Developers can now use APIs to edit MAC addresses on the allowed list so they can control which nearby access points are considered friendly. Also, a new API allows applications to get threat types and threat levels defined by aWIPS, Cisco’s Adaptive Wireless Intrusion Prevention System.

Cisco DNA Platform

FIPS support

When data is shared using weak or deprecated ciphers, that data is at risk of being decrypted by malicious actors. This version of Cisco DNA Center introduces support for FIPS 140-2-compliant cryptography modules, ensuring that only strong NIST-approved ciphers are used, and enabling deployment in security-conscious verticals such as public sector, finance, and healthcare.

During installation, the administrator can choose to enable FIPS, which will ensure only NIST-approved ciphers are used for data encryption.

Automation features

Table 1.        Cisco DNA Automation features and benefits

Feature

Description and benefits

Network discovery

Automatically discovers and maps network devices to a physical topology with detailed device-level data. The discovery function uses the following protocols and methods to retrieve device information, such as IP addresses, neighboring devices, and hosts connected to the device:

  Cisco Discovery Protocol
  Link Layer Discovery Protocol (LLDP) for endpoints
  IP Device Tracking (IPDT) and Address Resolution Protocol (ARP) entries for host discovery
  LLDP Media Endpoint Discovery (LLDP-MED) for discovering IP phones and some servers
  Simple Network Management Protocol (SNMP) versions 2 and 3

Inventory

Retrieves and saves details, such as host IP addresses, MAC addresses, and network attachment points, about devices in its database. After the initial discovery, Cisco DNA Center periodically scans the network to create a “single source of truth” for IT. This inventory includes all network devices, along with an abstraction for the entire enterprise network. It keeps an updated inventory of devices and software images on that device for version control and provides data to applications (such as Software Image Management [SWIM] and Cisco EasyQoS) so that the correct device and image version are used. It allows applications to be device independent, so configuration differences between devices are not a problem.

Network design and profile-based management

Allows you to manage your network in a hierarchical fashion by letting you add areas and buildings on a geospatial map. You can start by defining your sites, then add buildings to sites and add floors with detailed floor plans to the buildings. Cisco DNA Center lets the user define profiles, which consist of common network settings such as device credentials, DHCP, DNS server, AAA server, IP address pool, etc. Wireless settings such as SSIDs and RF profiles can be created globally and customized at site levels. These profiles form the basis for network automation. Network profiles can be created for Cisco Network Function Virtualization Infrastructure Software (NFVIS), routing, firewall (including Cisco Adaptive Security Appliance [ASA]), switching, and wireless.

Cisco Network Plug and Play (PnP)

Allows off-the-shelf Cisco devices to be provisioned simply by connecting them to the network. Cisco Network PnP provides a secure, scalable, seamless, and unified zero-touch-deployment experience for customers across Cisco's entire enterprise network portfolio of wired and wireless devices. Deploy new devices in minutes, without onsite support visits. Eliminate repetitive tasks and eliminate staging. Network PnP reduces the burden on enterprises by greatly simplifying the deployment process for new devices, which can significantly lower Operating Expenditures (OpEx) as well. For more details, refer to the solution guide for the Network Plug and Play application: https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Plug-and-Play/solution/guidexml/b_pnp-solution-guide.html

Software Image Management (SWIM)

Manages software upgrades and controls the consistency of image versions and configurations across your network. Speeds and simplifies the deployment of new software images and patches. Pre- and post-checks help ensure no adverse effects from an upgrade. This is an easy way to build a central repository of software images and apply them to devices. Administrators can mark software images as golden for a device family, allowing them to upgrade devices to the software image and patch versions that are in compliance with the golden versions defined in the repository. Patches are supported in Cisco DNA Center from intent to pre- and post-checks in the same way that we manage regular images. It also tracks when software maintenance updates, subpackages, ROM Monitor, AP Service Pack, and AP Device Pack upgrades are applied to the base image.

Network compliance audit and remediation

Network compliance audit feature allows network operators to quickly assess the devices that don’t adhere to corporate standards. The network compliance remediation feature allows network operators to automatically sync running (production) configurations with startup configurations for all the network elements. Network operators can select one or many devices, view and validate the change, select and sync those devices, and remediate them to maintain compliance. These two features reduce human involvement and error and helps ensure that the network is running the intended configuration standards.

Device tagging

An administrator can tag network devices in order to associate devices that share a common attribute. For example, you can create a tag and use it to group devices based on a platform ID, Cisco IOS® release, or location. Allows for grouping of devices based on specialized needs.

Configuration drift visibility

Allows network operators to compare any two device configuration versions in a very visual manner. Having different versions of a device configuration available allows for accurate accountability of every configuration change.

Device replacement and RMA workflows

Workflow templates allow for the replacement (RMA) of switches, routers, and access points. Includes restoration of Cisco IOS Software, configurations, and licenses. Also completes device replacement in operational systems such as Cisco ISE, certificate servers, and Cisco DNA Center inventory. Saves time and retains existing setup, licenses, and KPI trends.

Branch deployment automation

Simplified workflows for physical and virtual branch automation; day-0 router, and NFV design. Onboard WAN devices and services through these easy steps:

1.     Configure network settings, service provider, and IP pools.

2.     Design a router or virtual profile.

3.     Assign to sites and provision network devices.

Wireless automation

Intent-based workflows for simplified wireless deployment and automation:

  Network profiles: a profile is a container of wireless properties that can represent single or multiple sites
  Simplified SSID creation
  Advanced RF support for wireless networks
  A single workflow to enable Cisco FlexConnect ® or centralized wireless deployment
  PnP provisioning for APs
  IP Access Control List (ACL) support
  Access and access control policy for SD-Access Wireless only

Cisco StackWise® Virtual support

Base automation (inventory, discovery, SWIM, topology, and template programmer) and assurance support for Cisco Catalyst 9500 and 9400 Series StackWise Virtual switches. StackWise Virtual technology on the Cisco Catalyst 9000 platform allows the clustering of two physical switches together into a single logical entity, resulting in enhancements in all areas of network design, including high availability, scalability, management, and maintenance. Customers can now use Cisco DNA Center to manage the StackWise Virtual device, along with monitoring the health and status of StackWise Virtual ports and links.

Policy creation

Allows the creation of policies based on business intent for a particular part of the network. Users can be assigned policies for the services they consume, and these policies follow them throughout the network. Policies are translated by Cisco DNA Center into network-specific and device-specific configurations that can be adjusted dynamically based on network conditions. Of foundational importance for intent-based networking, policies define the business intent that is desired and allow the network to guarantee services.

Application policy creation

Allows policies to be assigned to applications based on business relevance. These applications can then be attached to sites (locations) where the policy should be applied. This feature allows business-critical applications to have greater QoS priority in the sites where their use is relevant. It is important for mission-critical applications such as machine-to-machine control in manufacturing or life-saving devices in healthcare, as well as for business-critical applications such as video in customer experience centers or voice in support sites.

Rogue Management and aWIPS

Supports the detection of rogue and Cisco Adaptive Wireless Intrusion Prevention System (aWIPS) threats on your network from within Cisco DNA Center. The Rogue and aWIPS Dashboard provides detailed threat analysis and a global view of all rogue access points detected in the network, with insight into the highest priority threats so that they can be quickly identified. The Threat 360 view on this dashboard provides further details on any specific threat. This includes a map view for quick location, and all affected clients.

Meraki® discovery and integration

Provides for the discovery of all Meraki devices in the network and integrates them into the Cisco DNA Center dashboard. It provides for a single pane of glass for both Cisco and Meraki devices.

Meraki wireless provisioning

Provision SSIDs in Meraki APs through Cisco DNA Center. This feature allows Meraki access points to be assigned SSIDs through Cisco DNA Center, without having to open the Meraki dashboard application.

Cisco Umbrella® integration

Allows Cisco Umbrella to be deployed across sites and SSIDs from within the Cisco DNA Center dashboard. Cisco Umbrella provides DNS-layer security and is one of the quickest and most effective ways to improve your security stack. Read the blog: https://blogs.cisco.com/networking/cisco-dna-center-and-cisco-umbrella-automate-your-journey-towards-dns-security.

Assurance features

Table 2.        Cisco DNA Assurance features and benefits

Feature

Description and benefits

Network and Client Health dashboards

Assurance dashboards that give a high-level overview of the health of every network device and client on the network, wired and wireless. They provide the top 10 global issues and allow the administrator to expand views by geographical site, device list, client list, or topology. Any poorly connected devices or communication issues are highlighted, with suggested remediation. Users can customize how the health score is computed.

Application Health dashboard

Provides a general overview of the health of all applications on the network. Includes a special section on applications that have been tagged as business relevant. Business-relevant application issues are highlighted, with suggested remediation for any anomalies.

ThousandEyes integration

Cisco ThousandEyes agents can be installed on all supported switches through a GUI-based installation process in Cisco DNA Center. The application resides on the switch’s flash storage, providing significant time and cost savings to deploy ThousandEyes. Data from the ThousandEyes agents is used by Cisco DNA Center to provide visibility into application performance and help the administrator pinpoint problem domains.

Webex integration

The Webex integration shows a consolidated view of quality metrics for audio, video, and shared components and provides administrators with a single pane of glass for troubleshooting Webex performance. Network operators can quickly identify and resolve issues in Cisco DNA Center without having to switch between multiple interfaces.

Cisco AI Network Analytics

Using AI and machine learning, Cisco AI Network Analytics drives intelligence in the network, empowering administrators to improve performance and issue resolution accurately and effectively. We are taking network analytics to a new level where noise and false positives are significantly reduced and enabling customers to very accurately identify issues, trends, anomalies, and root causes.

Intelligent issue detection and analysis

  AI-driven personalized baselining: No two networks are the same. AI-driven technologies can learn the user trends, services, and application metrics that are specific to your network. Cisco DNA Assurance can then create a customized performance curve for analytical decisions. The AI-driven baseline for the performance parameters that are unique to your network is constantly adapted as your network grows and changes. From there, the AI-driven analytics engine (both on premises and in the Cisco cloud) can make accurate decisions for what is normal and what is not, based on this personalized baseline.
  AI-driven anomaly detection: This capability surfaces any deviation from our AI-created personalized baseline for this network, allowing Cisco DNA Center to make sense of all the network data. The system can accurately detect performance issues and ignore unusual but harmless network anomalies. This reduces noise while accurately identifying anomalies that have the greatest impact on your network. AI-driven predictive analytics and proactive insights allow users to anticipate and prevent failures. The machine learning engine can predict increases in Wi-Fi interference, onboarding delays, office traffic load, etc. This is because, in IP networks, a problematic event is often preceded by a benign event or series of events. By learning how series of events are correlated to one another, predictive analytics can help network administrators anticipate the unexpected.
  AI-driven accelerated remediation: Cisco AI Network Analytics provides accelerated remediation through machine learning, which identifies the most critical variables related to the root cause of a given problem. This helps users detect issues and vulnerabilities, perform complex root cause analysis (using a Machine Reasoning Engine; see below), and execute corrective actions faster than ever. In coming releases, we will enable machine reasoning to execute the logical troubleshooting steps that an engineer would perform in order to resolve a problem. Both of these capabilities accelerate remediation, making your team more precise in problem solving and more productive overall.

Machine Reasoning Engine (MRE)

Defines the next intelligence evolution and helps in complex workflows where the result of one action determines the next. It closely resembles how human beings themselves reason things out and accomplish multistep tasks. An example where Cisco DNA Center uses MRE is to find and fix potentially crippling routing loops that require a careful analysis spanning multiple devices. This allows your new IT team members to accomplish complex tasks instead of escalating them, and saves time for your more seasoned IT team members by automating tedious workflows. For more information, read the blog: https://blogs.cisco.com/networking/machine-reasoning-is-the-new-ai-ml-technology-that-will-save-you-time-and-facilitate-offsite-netops.

Wireless 3D Analyzer

The Wireless 3D Analyzer provides granular analysis of millions of spatial RF data points and the ability to visualize wireless coverage. Network operators can identify the areas most affected by RF strengths, view client locations, simulate different RF environments, and conduct spatial planning and prediction of the interior environment. After loading basic architectural structural information, network operators can enter a virtual office space and move an access point or create an imaginary wall and see the resulting impact on Wi-Fi signal propagation. The Wireless 3D Analyzer helps network operators maximize WLAN performance and identify trouble spots and WLAN design issues faster.

Wireless Network Services Analytics

View Authentication, Authorization, and Accounting (AAA) and Dynamic Host Configuration Protocol (DHCP) services for wireless devices across Cisco and all third-party servers in a global comprehensive view. This release also integrates Cisco AAA servers’ (Identity Services Engine, or ISE) AI-based root cause analysis. These new features provide a snapshot of the overall health of these critical services all in one place, highlighting the worst-performing service server, site-level impact, and scope of end-user impact. This helps network operators reduce overall issue-ticket resolution time and leads to lower ticket volume.

Global assurance event viewer

The global assurance event viewer gives the network administrator a consolidated view of events from all devices, where they can search and filter on the events that are most important to address. The event view allows the user to identify, correlate, and troubleshoot network issues and quickly get to the root cause.

Power over Ethernet analytics

Provides visibility into the power loads that a switch is experiencing. Endpoint devices that are pulling too much power, as well as switches that are approaching overload, are flagged. Granular visibility shows the available power on any switch for quick installation of IoT endpoint devices.

Path Trace

Allows the operator to visualize the path of an application or service from the client through all devices and to the server. A common, and critical, troubleshooting task that normally requires 6 to 10 minutes is displayed instantly upon clicking a client or application. Troubleshoots issues along the network path.

  Run a path trace from source to destination to quickly get key performance statistics for each device along the network path.
  Identify ACLs that may be blocking or affecting the traffic flow.

True Trace

Captures live traffic on devices for path analysis. Cisco DNA Center’s True Trace extends the current path trace capability and provides KPIs for each hop, granular reasons for path degradation, and downloadable packet capture files. These deep insights enable faster troubleshooting in enterprise deployments and lead to operational savings.

Application QoS (Quality of Service) support for industrial switches

Authors and pushes QoS policies to Cisco Catalyst IE3300 and IE3400 Rugged Series Switches from Cisco DNA Center’s Application QoS. Applies default QoS trust settings as well as queuing settings based on Cisco Validated Designs, or writes a custom QoS policy for these devices. This removes the complexity of pushing a QoS policy and helps organizations ensure a good experience for end users in industrial environments.

Wi-Fi 6 Readiness dashboard

Prepares your network for the new Wi-Fi standard, verifying your hardware and configuration compatibility and checking your capacity readiness. This visibility will speed your upgrade and help ensure that you are upgrading the neediest locations first. After upgrading, advanced wireless analytics will indicate performance and capacity gains as a result of the Wi-Fi 6 deployment.

Included are features that check network devices for support of critical Wi-Fi 6 requirements (IPv6, wireless controller software versions, switch support, etc.) and look for software or hardware that is not compatible. It categorizes wireless clients by Wi-Fi version (protocol) and indicates areas where upgrade is most urgent. Shows wireless system performance following upgrade.

The Wi-Fi 6 Readiness dashboard allows customers to visualize two main aspects. First, it shows the readiness of their network with respect to Wi-Fi 6 across several different sites and locations. Key aspects of the readiness assessment include how many Wi Fi 6-capable clients are seen in the network, whether the user has the right AP model to support Wi-Fi 6, whether the APs and Wireless LAN controllers (WLCs) are running the right OS version, whether the Wi-Fi 6 configuration is enabled, etc. Second, the dashboard allows the user to visualize the benefits of the Wi-Fi 6 network in terms of higher capacity, superior connectivity, and lower latencies on Cisco DNA Analytics and Assurance. After upgrading, advanced wireless analytics indicate performance and capacity gains as a result of the Wi-Fi 6 deployment. For more information, see https://blogs.cisco.com/networking/cisco-dna-your-fastest-route-to-wi-fi-6.

Device 360 and Client 360

Provide assurance and overall health of devices, including parameters such as memory or CPU utilization, uplink availability, and other KPIs to help operators be more proactive and enable them to predict future issues. Device 360 and Client 360 can take you to different timeframes and associated issues that affect the device or client. They also provide suggested remediation, resolved issue lists, and historical data to help troubleshoot issues.

Application Experience

Tracks performance of predefined “critical business applications.” Shows user experience and performance metrics. Provides specialized rapid troubleshooting per application and per client. Enables unparalleled visibility and performance control over the applications that are critical to your core business, on a per-user basis. Multimedia monitoring uses Perfmon processing for Real-Time Protocol (RTP) streams, allowing teams to verify the quality of critical real-time applications such as multimedia. URL monitoring provides visibility into cloud-based (URL-based) applications so that their performance is optimized. Application Experience provides users the performance they need on the applications that are key to their company role.

Reporting

Derive insights into your network and its operations by creating reports. Cisco DNA Center offers a set of pre-canned reports that can be generated in several formats and have flexible scheduling and configuration options to customize for your operational needs. Supported use cases include:

  Capacity planning: Understand how devices in your network are being utilized.
  Change of pattern: Track how usage pattern trends change on the network. Usage pattern trends may include clients, devices, bands, or applications.
  Operational reporting: Review reports about network operations, such as upgrade completions or provisioning failures.
  Network health: Determine the overall health of your network through reports.

Wireless Sensor dashboard

Shows overall tests, connectivity statistics, and top wireless issues discovered by Cisco Aironet® Active Sensors. Includes test results for DHCP, DNS, host reachability, RADIUS, email, Microsoft Exchange Server, web, FTP, and a complete IP SLA for data throughput speed, latency, jitter, and packet loss. Provides guided remediation for any test failures.

Streaming telemetry

Enables network devices to send near-real-time telemetry information to Cisco DNA Center. The data can be used to optimize networks, locate where problems occur, and investigate issues in a collaborative manner. Telemetry data (events, KPIs) can be exported and surfaced through event-driven notifications.

Traffic Telemetry Appliance

This hardware solution collects networking data, processes it, and provides streaming telemetry to Cisco DNA Center. This can be useful in areas of your network where you do not have devices that support the types of telemetry that you need to collect from the local network, including NetFlow, Application Visibility and Control (AVC), Network-Based Application Recognition (NBAR), NBAR2, etc. This appliance can also perform Deep Packet Inspection (DPI) on network traffic in order to support Cisco AI Endpoint Analytics. This is a strong solution for areas with only Layer-2 network devices or for branch offices with third-party switches that do not support transmission of real-time telemetry. For more information, see the data sheet: https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/dna-traffic-telemetry-appliances/datasheet-c78-744352.html.

Network time travel

Allows the operator to see device or client performance in a timeline view to understand the network state when an issue occurred. Allows an operator to go back in time up to 14 days and see the cause of a network issue, instead of trying to re-create the issue in a lab.

  Rewind time to when the issue occurred
  See a history of critical events
  View all the information on the user or network device changes to the selected time

On-device analytics

Assurance and analytics are performed on the Cisco switch, router, or wireless controller where the anomaly was discovered. Critical metrics can be identified and immediately acted on before an incident occurs. KPIs that are core to business operations can be maintained in real time, and close to the users that rely on them.

Wi-Fi client analytics for Apple iOS clients

A joint development with Apple, Wi-Fi client analytics offers Cisco DNA Assurance insights into the performance and experience of iOS clients (iPhone/iPad) on the wireless network. Allows the administrator to view wireless performance from the perspective of the client.

  Supports per-device-group policies and analytics

    Client details, such as iPhone model and iOS information

  Provides insights into the client’s view of the network

    Basic service set identifier (BSSID)

    Received signal strength indicator (RSSI)

    Channel number

  Provides clarity regarding the reliability of connectivity

    Client reasons, such as error codes for last disconnection

Samsung client analytics

Gets client device profile information (model, OS version and sales code) and more than 20 onboarding error states from the client. Cisco's partnership with Samsung allows a Cisco network to get the client’s point of view of the network — what access points it sees, the reasons for disconnections, and the current state of the user experience — provided through Cisco DNA Assurance.

Intel connectivity analytics

Cisco continues to expand its partnership with Intel to exclusively provide granular, driver-level insights from wireless clients using the latest Intel chipsets and drivers without the need for installing client-side agents. So now network administrators can easily see important troubleshooting data from the client’s point of view, including device details such as OS and driver versions and RF statistics such as the number of radios seen and their signals.

Using device-behavior insights into such things as roaming and disconnect problems and errors, the network administrator can now get to the bottom of wireless client issues, making them more efficient and enabling them to close tickets faster.

This feature set also provides visibility into a device’s attempts to connect to rogue and neighbor BSSIDs

Intelligent Capture

Provides support for a direct communication link between Cisco DNA Center and APs, so that each of the APs can communicate with Cisco DNA Center directly. Using this channel, Cisco DNA Center can receive packet capture data, AP and client statistics, and spectrum data. With the direct communication link between Cisco DNA Center and APs, Cisco Intelligent Capture allows you access to data from APs that is not available from the wireless controllers.

ServiceNow and IT Service Management (ITSM) closed loop integration

Cisco DNA Center can now auto-resolve open ticket numbers in ServiceNow and other ITSM platforms. When Cisco DNA Assurance detects that a fault has been resolved, it will check for an ITSM ticket number. If one exists, it will send a ticket status change with the ticket number to the ITSM system, which will automatically close the open ticket in that system.

SD-Access features

Table 3.        SD-Access features and benefits

Feature

Description

Enhanced visibility into endpoints and traffic patterns

The Endpoint Analytics application in Cisco DNA Center identifies and classifies endpoint devices on a campus network with the use of AI/ML. Through the use of various profiling methods, including Deep Packet Inspection (DPI), it establishes visibility into what is on the network so that new endpoints can be authenticated and assigned an appropriate policy for network usage, security, and segmentation.

Group-based policy analytics simplify the delivery of segmentation policies. It uses analytical models to visualize the activity between endpoint profiles, scalable groups, and host groups in order to verify that the network policies are optimizing performance and security. The feature provides a way for users and endpoints to be identified and categorized, and for granular access privileges to be provided to the resources that each endpoint requires, while segmenting them from everything else.

Granular multilevel segmentation

SD-Access, through Cisco DNA Center, creates virtual overlays over the underlying physical infrastructure and segments the network without regard to its topology. SD-Access also segments at a micro level by enforcing group-based policies through the network infrastructure. The resulting granular segmentation controls traffic flows without using complex firewalls and Access Control Lists (ACLs), which can be difficult and costly to maintain.

Benefits of fabric infrastructure optimizations:

  Automates VRF configurations (lines of business, departments, etc.) and create overlay virtual networks
  Onboards users with 802.1X, MAB, Active Directory, and static authentication. With an option to move users in a critical VLAN during the unavailability of ISE.
  Includes a resilient control-plane architecture using LISP pub/sub that allows for dynamic path optimization toward available internet services. It simplifies fabric site design, routing convergence, and troubleshooting tasks.
  Simplifies network operations with a standard, error-free underlay network using LAN automation
  Uses Encrypted Traffic Analytics (ETA) to further enhance analysis of traffic through AVC and NetFlow

Ease of migration to SD-Access fabric:

  Layer-2 handoff at border is a key capability, allowing hosts in an SD-Access fabric to communicate with the traditional network at Layer 2.
  Fabric provides support for end hosts that require Layer-2 flooding; for example, building management systems, audio-visual equipment, etc.
  SD-Access introduces the support of existing access VLANs, allowing users to retain their existing access VLAN IDs when creating macro segments in the fabric. Customers can retain existing access VLAN IDs when connecting directly to the SD-Access fabric edge to simplify and speed up their SD-Access segmentation journey.
  Macrosegmentation without ISE capability is suited for deployments that have fabric at the distribution layer connecting downstream to an external Layer-2 switching domain. Customers can deploy an automated network fabric and use macrosegmentation with virtual networks without ISE.

Deployment flexibility with SD-Access fabric:

  SD-Access offers a distributed campus design with automated intersite connectivity with end-to-end policy and segmentation.
  Fabric in a Box allows the border node, control plane node, and edge node to run on the same fabric node, simplifying fabric deployment for a small site or a branch.
  SD-Access extended nodes extend the enterprise network by providing connectivity to non-carpeted spaces of an enterprise. This allows network connectivity and management of IoT devices and the deployment of traditional enterprise end devices in outdoor and non-carpeted environments, such as distribution centers, warehouses, or campus parking lots.
  SD-Access fabric offers two options for integrating wireless access:

    SD-Access Wireless using a VXLAN distributed data plane and a centralized control plane provides a consistent fabric experience and policy simplification for wired and wireless access.

    Over the top involves running a traditional Cisco Unified Wireless Network architecture with Control and Provisioning of Wireless Access Points (CAPWAPs) on top of a fabric wired network. This is a possible migration step to full SD-Access wireless implementation.

  Multisite remote border feature allows users to segregate untrusted traffic from various fabric sites to a firewall at the DMZ.
  Fabric zone features allow administrators to control the provisioning of IP subnets on select fabric edge nodes for better site scalability and security.
  SD-Access supports IPv4 as well as IPv6 endpoints.
  Cisco SD-Access offers support for the Cisco Wide Area Bonjour application, allowing users to discover and use shared services with minimal intervention and configuration.
  Secure network device onboarding of Catalyst 9000 extended nodes using 802.1X-based authentication and authorization.

Simplified fabric operations:

SD-Access Assurance allows users to detect, diagnose, and troubleshoot fabric issues in real time with minimized downtime and a better experience. The newly introduced SD-Access Assurance landing page contains overall fabric health for each fabric site deployed. KPIs configured on the fabric nodes provide insights for faster issue identification and suggested actions to remediate issues. KPIs are organized into categories to quickly triage control plane, infrastructure, and connectivity issues.

  Fabric control plane provides reachability checks between the fabric edge/border and the fabric control plane node.
  Fabric infrastructure validates the AAA server status from the fabric edge and policy extended nodes to the Identity Services Engine (ISE).
  Fabric connectivity provides reachability checks from the edge to the fabric border, and control-plane and port- channel connectivity checks between the fabric edge and the extended nodes.
  Support for ThousandEyes Agent on Catalyst 9000 switches operating in an SD-Access Fabric role. This provides the ability to run tests that provide performance metrics and end-to-end visibility.

Fabric UX2.0 provides administrators with an enhanced experience in the user interface that integrates simplicity, flexibility, and a rich, intuitive context.

Continuous verification of trust

Trust Analytics is an aggregation of various inputs and sources into a single, comprehensive, flexible trust score. Trust Analytics detects traffic from endpoints that are exhibiting unusual behavior. When anomalies in the network are detected, Trust Analytics lowers the trust score for the endpoint to limit or completely deny access to the network through integration with ISE. The feature expedites the detection and containment of untrustworthy endpoints that could lead to a security breach.

System and platform capabilities

Table 4.        Cisco DNA Center system capabilities

Feature

Description and benefits

Role-Based Access Control (RBAC)

Allows users to be mapped to one of the four predefined roles. The role determines what types of operations a user can perform within the system.

Backup and restore

Supports complete backup and restore of the entire database for added protection.

ISE integration

Integrates with ISE through pxGrid or API for fabric overlay support.

Workflows

Cisco DNA Center workflows are step-by-step guides through particular tasks; for example, “Create a role,” “Refresh AP,” etc. Workflows can be paused and revisited through the “in-progress” library on the workflow homepage. The workflow homepage can be found by clicking the menu icon on the GUI and clicking on “Workflows.” The home page will have a library of workflows along with in-progress workflows.

Activity center

The activity center is a centralized space to find audit logs and scheduled tasks. Audit logs record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system are logged in separate log files for auditing. The Scheduled Tasks tab allows you to view upcoming, in-progress, completed, and failed administrative tasks, such as OS updates or device replacements.

FIPS 140-2 support

Cisco DNA Center includes support for FIPS-140-2-compliant cryptography modules, ensuring that only strong NIST-approved ciphers are used, and enabling deployment in security-conscious verticals such as public sector, finance, and healthcare. During installation, the administrator can choose to enable FIPS, which will ensure only NIST-approved ciphers are used for data encryption.

Table 5.        Cisco DNA Center platform capabilities

Feature

Description and benefits

Northbound REST APIs

The Cisco DNA Center platform supports Representational State Transfer (REST) APIs at the northbound layer for programmability. The Cisco DNA Center API provides support for the following features:

  Discovery, device inventory, and network topology
  SWIM, Plug and Play (PnP), wireless, SD-Access, and application policy
  Template programmer and command runner
  Assurance: site, device, and client health-monitoring and path tracing
  NFV provisioning
  Configuring event management notifications through APIs

IT Service Management (ITSM) integration

Minimizes the need for handoffs, deduplicates issues, and optimizes processes for proactive insights and faster remediation. Out-of-the-box integration exists with ServiceNow. The generic APIs exposed by the Cisco DNA Center platform enable partners and developers to integrate with any ITSM system.

IP Address Management (IPAM) integration

Allows for a seamless import of IP pools for Cisco DNA Center workflows from external IPAM systems and the synchronization of IP pool and subpool usage information between the two systems. Out-of-the-box integration exists with Infoblox and BlueCat. The Cisco DNA Center platform provides generic APIs to integrate with any IPAM system.

Events and notifications

The Cisco DNA Center platform webhooks allow third-party applications to receive notifications and listen to any events detected by Cisco DNA Assurance, automation, and other task-based operational workflows.

Table 6.        Correlated insights

Category

Insights

Wireless issues

Client onboarding

  Association failures
  Authentication failures
  IP address failures
  Client exclusion
  Excessive onboarding time
  Excessive authentication time
  Excessive IP addressing time
  AAA, DHCP reachability

Client experience

  Throughput analysis
  Roaming pattern analysis
  Sticky client
  Slow roaming
  Excessive roaming
  RF, roaming pattern
  Dual-band clients prefer 2.4 GHz
  Excessive interference
  Apple iOS client disconnect

Network coverage and capacity

  Coverage hole
  AP license utilization
  Client capacity
  Radio utilization

Network device monitoring

  Availability
  Crash, AP join failure
  High availability
  CPU, memory
  Flapping AP, hung radio
  Power supply failures

Sensor issues

Sensor onboarding

  Association failures
  Authentication failures
  IP address failures
  Sensor exclusion
  Excessive onboarding time
  Excessive authentication time
  Excessive IP addressing time
  AAA, DHCP reachability

Sensor experience

  Throughput analysis
  Outlook web response time
  Web server response time
  SSH server response time
  Mail server response time
  FTP server response time
  Excessive radio interference

Routing issues

Router health

  High CPU
  High memory

Routing technologies

  BGP AS mismatch, flap
  OSPF adjacency failure
  Enhanced Interior Gateway Routing Protocol (EIGRP) adjacency failure

Connectivity

  Interface high utilization
  LAN connectivity down/flap
  IP SLA to SP gateway connectivity

Switching issues (nonfabric)

Client onboarding

  Client or device DHCP
  Client or device DNS
  Client authentication or authorization

Switch

  CPU, memory, temperature
  Modules
  Power over Ethernet (PoE) power
  Ternary Content-Addressable Memory (TCAM) table

SD-Access issues

Border and edge reachability

  Control plane reachability
  Edge reachability
  Border reachability
  Routing protocol
  MAP server

Data plane

  Border and edge connectivity
  Border node health
  Access node health
  Network services DHCP, DNS, AAA

Policy plane

  ISE or pxGrid connectivity
  Border node policy
  Edge node policy

Client onboarding

  Client or device DHCP
  Client or device DNS
  Client authentication or authorization

Switch

  CPU, memory, temperature
  Modules
  PoE power
  TCAM table

SD-Access requirements

Maximum latency supported, roundtrip time

Figure 3.            

Maximum latency supported, roundtrip time

SD-Access platform scale

The following tables outline the Cisco SD-Access platform scale. The limits in this section are not necessarily dependent on Cisco DNA Center, but rather the model of device and its capacity design.

Table 7.        Cisco SD-Access control plane node scale

Cisco SD-Access control plane node scale

Family

Cisco Catalyst

ASR 1000, 4000 Series ISR

ASR 1000 4000 Series ISR

CSR

Device

3850

9300/X/L

9400 Sup-XL/Y

9500

9500H

9600

6800

8 GB RAM

16 GB RAM

1000v

Endpoints

3000

16,000

80,000

80,000

150,000

150,000

50,000

100,000

200,000

200,000

The control-plane scale does not depend on Ternary Content-Addressable Memory (TCAM); it only consumes memory.

Table 8.        Cisco SD-Access border node scale

Cisco SD-Access border node scale

Family

Cisco Catalyst

Cisco Nexus®1

ASR 1000, 4000 Series ISR

ASR 1000, 4000 Series ISR

Device

3850

9300/L

9400 Sup-XL/Y

SD-Access sdm template

9500

SD-Access sdm template

9500H

9600

6840/ 6880LE

6880XL

7700

8 GB RAM

16 GB RAM

Virtual networks2

64

256

256

256

256

256

128

128

128

128

128

IPv4 routes

8000

8000

64,000

64,000

48,000

48,000

60,000

450,000

500,000

1,000,000

4,000,000

Fabric host entries3 (host /32 or /128)

16,000

16,000

70,000

70,000

150,000

150,000

180,000

450,000

32,000

1,000,000

4,000,000

IPv4: SGT bindings

12,000

10,000

40,000

40,000

40,000

200,000

256,000

256,000

200,000

750,000

750,000

SGT/DGT policies

4000

8000

8000

8000

16,000

32,000

30,000

30,000

16,000

64,000

64,000

SG-ACEs (contract actions)

1500

5000

18,000

18,000

13,000

27,000

12,000

30,000

128,000

64,000

64,000

1 Cisco Nexus 7700 Series Switch can be an external border only.
2 Virtual network scale also depends on the Cisco DNA Center platform VN scale. See Table 7 for SD-Access scale.
3 If an endpoint has multiple IPv4 or IPv6 addresses, then each address will be counted as an individual entry.

Fabric host entries include access points and classic and policy-extended nodes.

Additional border node scale considerations:

/32 (IPv4) or /128 (IPv6) entries are used when the border node forwards traffic from outside the fabric to a host in the fabric.

For all switches except Cisco Catalyst 9500 Series High Performance Switches and Cisco Catalyst 9600 Series Switches:

      IPv4 uses one TCAM entry (fabric host entries) for every IPv4 IP address.

      IPv6 uses two TCAM entry (fabric host entries) for every IPv6 IP address.

For the Cisco Catalyst 9500 Series High Performance Switches and Cisco Catalyst 9600 Series Switches:

      IPv4 uses one TCAM entry (fabric host entries) for every IPv4 IP address.

      IPv6 uses one TCAM entry (fabric host entries) for every IPv6 IP address.

Table 9.        Cisco SD-Access Layer-2 handoff border node scale considerations

Cisco SD-Access Layer-2 handoff border node scale considerations

Family

Cisco Catalyst

Nexus

ASR 1000, 4000 Series ISR

ASR 1000, 4000 Series ISR

Device

3850

9300/L

9400

9500

9500H

9600

6800

7700

8 GB RAM

16 GB RAM

Endpoints

Supported

8000

16,000

16,000

32,000

32,000

Supported

NOT supported

NOT supported

NOT supported

These numbers are the sum of the total numbers of endpoints both inside and outside the fabric site when the site has a border node with a Layer-2 handoff.

A maximum of 6000 hosts can be connected outside the fabric for all platforms that support Layer-2 border handoff.

The border node with a Layer-2 handoff contains a combination of local and remote LISP entries.

Local entries = LISP database

Remote entries = LISP map-cache

Example:

The Cisco Catalyst 9300 Series Switches supports 8000 total entries.

If the fabric site has 6000 endpoints (map-cache), then only 2000 endpoints (database) can be in the traditional network beyond the Layer-2 handoff.

Table 10.     Cisco SD-Access edge node scale

Cisco SD-Access edge node scale

Family

Cisco Catalyst

Device

3650

3850

9200-L

9200

9200 Enhanced VNs

9300/L

4500

9400

9500/H

Virtual networks

64

64

11

42

323

256

64

256

256

Endpoints

2000

4000

2000

4000

4000

6000

4000

6000

6000

IPv4: SGT bindings

12,000

12,000

8000

10,000

10,000

10,000

128,000

40,000

40,000

SGT/DGT policies

4000

4000

2000

2000

2000

8000

2000

8000

8000

SG-ACEs (contract actions)

1350

1350

1,000

1000

1000

5000

64,000

18,000

18,000

1 9200-L = One (1) user-defined VN (VRF)
2 9200 = Four (4) user-defined VNs (VRFs)
3 9200 “Enhanced VN” SKUs = Thirty-two (32) user-defined VNs (VRFs)
Additional notes:
INFRA_VN is not a VRF definition. It is associated with the global routing table.
DEFAULT_VN is not user-defined; it is automatically created in Cisco DNA Center. It is present for historical (backward-compatibility) reasons; its use is neither necessary nor recommended.
DEFAULT_VN, if used in host onboarding, is provisioned as a VRF definition and counts as a “user-defined VN.”

Table 11.     Cisco SD-Access WLC scale

Cisco SD-Access WLC scale

Device

Number of access points

Number of clients

Aironet 3504

150

3000

Aironet 5520

1500

20,000

Aironet 8540

6000

40,000

Catalyst 9800-L

250

5000

Catalyst 9800-40

2000

32,000

Catalyst 9800-80

6000

64,000

Catalyst 9800-CL (4 CPU / 8 GB RAM)

1000

10,000

Catalyst 9800-CL (6 CPU / 16 GB RAM)

3000

32,000

Catalyst 9800-CL (10 CPU / 32 GB RAM)

6000

64,000

Table 12.     Cisco SD-Access wireless edge node scale for directly connected access points and endpoints

Cisco SD-Access wireless edge node scale for directly connected access points and endpoints

Family

Cisco Catalyst

Device

9200-L

92001

9300-L1

Access points

Not supported

25

50

Wireless endpoints

Not supported

500

1000

1 A single switch and a switch stack have the same scale.

The switches listed above have a limit on the number of access tunnels that can be created on them. An access tunnel is created between the fabric edge node and a fabric-mode AP that is either directly attached or attached through a directly-connect extended node.

Table 13.     Cisco SD-Access embedded wireless controller scale

Cisco SD-Access embedded wireless controller scale

Family

Cisco Catalyst

Device

9200/L

9300-L

9300 standalone

9300 stack

9400

9500/H

Access points

Not supported

50

100

200

200

200

Wireless endpoints

Not supported

1000

2000

4000

4000

4000

The embedded wireless scale is the same irrespective of the role of the device (edge, Fabric in a Box, border, or control plane).

Meraki integration

For existing Meraki branch customers who want to explore using Cisco DNA Center and Cisco Catalyst 9000 switches, or for customers with mixed environments, Cisco DNA Center now offers a single management pane of glass. This is an API-driven dashboard integration that supports all existing Meraki hardware and software at no additional license cost.

Meraki and Cisco DNA Center integration

Figure 4.            

Meraki and Cisco DNA Center integration

Features and benefits of Meraki integration:

      Single dashboard inventory across all platforms (Meraki, Cisco Catalyst, Cisco Integrated Services Routers [ISRs], and Aironet)

      Up-or-down status of all devices in a single platform

      Use existing Meraki API keys; no additional license required

      Combined topology mapping of hybrid environments

      Ability to assign SSIDs to Meraki access points from within Cisco DNA Center

Appliance scale

This new, second-generation (Gen2) of the Cisco DNA Center appliance is available in three form factors and comes with the Cisco DNA Center image preloaded on it and ready for installation. Notice that the entry-level Gen2 appliance (DN2-HW-APL) has the same size, performance, and capacity specifications as the first-generation (Gen1) Cisco DNA Center appliance (DN1-HW-APL). The reason for the change is to put all three Gen2 appliances on the newer Cisco UCS® M5 series of servers. If you currently have a Gen1 appliance (based on the Cisco UCS M4 series), there is no need to upgrade, and there is no advantage to upgrading, since both Gen1 and Gen2 entry appliances are based on the same 44-core processing units, have the same performance specifications, and support the same capacity of devices, sites, IP-pools, etc. Customers looking for greater performance, in order to support more capacity, are advised to upgrade to the 56-core “midsize” Gen2 appliance (DN2-HW-APL-L) or the 112-core “large” Gen2 appliance (DN2-HW-APL-XL). Also note that the appliance DN1-HW-APL is currently end of life (no longer being sold) and software maintenance will end in June 2022.

Table 14 captures the scale information for Cisco DNA Center 2.3.3.0.

Table 14.     Scale and hardware specifications

 

Scale and Hardware Specifications

Scale and Hardware Specifications

Scale and Hardware Specifications

 

 

DN2-HW-APL*

DN2-HW-APL-L

DN2-HW-APL-XL

Hardware description

Cisco UCS C220 M5

Rack Server

44 cores

Cisco UCS C220 M5

Rack Server

56 cores

Cisco UCS C480 M5

Rack Server

112 cores

Cisco DNA Center system scale

Number of devices1
(switch, router, wireless controller)

1000

2000

50005

Number of wireless access points

4000

6000

13,0005

Number of wireless sensors

600

800

1600

Number of concurrent endpoints

25,000

40,000

100,0005

Number of transient endpoints
(over 14-day period)

75,000

120,000

250,0005

Ratio of endpoints: wired wireless

Any

Any

Any

Any

Any

Any

Number of elements in hierarchy / on single site (inclusive of areas, buildings, and floors)

500

1000

4000

Number of wireless controllers

500

1000

2000

Number of ports2

48,000

192,000

480,0005

API rate limit

50 APIs/min

50 APIs/min

50 APIs/min

NetFlow

30,000 flows/sec

48,000 flows/sec

120,000 flows/sec5

Cisco DNA Center SD-Access scale

Number of fabric domains

10

20

20

Number of fabric sites

500

1000

2000

Cisco DNA Center per-fabric site scale

Number of virtual networks

64/site

64/site

256/site

Fabric devices per fabric site3

500/site

600/site

1200/site

Number of scalable groups

4000

4000

4000

Number of access contracts

500

500

500

Number of group-based policies

25,000

25,000

25,000

Number of IP pools per site4

100

300

1000

Notes:
* Capacity for the older DN1-HW-APL is identical to the DN2-HW-APL.
1 A switch stack of any number of switches counts as a single device.
A StackWise Virtual pair is counted as a single device.
A Virtual Switching System (VSS) pair is counted as a single device.
A WLC HA SSO pair is counted as a single device.
2 Includes all physical ports except the console ports.
Includes Redundancy Ports (RPs) on WLCs.
3 Cisco DNA Center supports 13,000 access points, but Cisco SD-Access supports 12,000 access points.
4 If any Cisco DNA Center scale parameter (for example, endpoints) maxes out in a single-fabric site, then the deployment cannot be further scaled with additional fabric sites. Cisco DNA Center Release 1.3.1.0 and later versions support tracking up to only 1.2 million separate interfaces on the managed devices. Interfaces include physical and virtual interfaces such as Switched Virtual Interfaces (SVIs), loopbacks, dot1Q, tunnels, LISP, and so on.
A single site can max out the IP pools supported.
5 For 3 Node DN2-HW-APL-XL Release 2.2.3 or later, capacity is increased as follows:
Device support increased to 8000.
AP Support increased to 16,000.
Number of concurrent endpoints increased to 300,000.
Number of transient endpoints increased to 750,000.
Total port support is 2,000,000 – of which 768,000 is physical and 1,232,000 is logical ports.
Flows/sec is increased to 250,000/sec.

Appliance specifications

The Cisco DNA Center appliance is available in three form factors and comes with the Cisco DNA Center image preloaded on it and ready for installation. For more detailed information on these Cisco UCS appliances, click on the data sheet link beside each hardware series in Table 15.

Table 15.     Physical specifications

Physical specifications

DN2-HW-APL and DN2-HW-APL-L

DN2-HW-APL-XL

Part number for ordering

DN2-HW-APL and DN2-HW-APL-L

DN2-HW-APL-XL

Hardware series

UCSC-C220-M5SX (data sheet)

UCSC-C480-M5 (data sheet)

Power supply

Dual 770W AC

Hot-pluggable, redundant 1600W AC

Physical dimensions
(H x W x D)

Height: 1.7 in. (4.32 cm)

Width: 16.89 in. (43.0 cm); including handles:18.98 in. (48.2 cm)

Depth: 29.8 in. (75.6 cm); including handles: 30.98 in. (78.7 cm)

Height: 6.9 in. (17.6 cm)

Width: 19 in. (48.3 cm)

Depth including handles and power supplies: 32.7 in. (83.0 cm)

Temperature: operating

1° to 95°F (5° to 35°C)

Derate the maximum temperature by 1°C per every 1000 ft. (305 m) of altitude above sea level.

1° to 95°F (5° to 35°C)

Derate the maximum temperature by 1°C per every 1000 ft. (305 m) of altitude above sea level.

Temperature: nonoperating

-40° to 149°F (–40° to 65°C)

-40° to 149°F (–40° to 65°C)

Humidity: operating

10% to 90%, noncondensing at 82°F (28°C)

10% to 90%, noncondensing at 82°F (28°C)

Humidity: nonoperating

5% to 93% at 82°F (28°C)

5% to 93% at 82°F (28°C)

Altitude: operating

0 to 3000 m (0 to 10,000 ft)

0 to 3000 m (0 to 10,000 ft)

Altitude: nonoperating

0 to 12,192 m (0 to 40,000 ft)

0 to 12,192 m (0 to 40,000 ft)

Network and management I/O

Supported connectors:

One 1 Gigabit Ethernet dedicated management port

Two 1 Gigabit BASE-T Ethernet LAN ports

One RS-232 serial port (RJ-45 connector)

One 15-pin VGA2 connector

Two USB 3.0 connectors

One front-panel KVM connector that is used with a KVM cable, which provides two USB 2.0s, one VGA, and one serial (DB-9) connector

Supported connectors:

One 1 Gigabit Ethernet dedicated management port

Two 1 Gigabit BASE-T Ethernet LAN ports

One RS-232 serial port (RJ-45 connector)

One 15-pin VGA2 connector

Three USB 3.0 connectors

One front-panel KVM connector that is used with a KVM cable, which provides two USB 2.0s, one VGA, and one serial (DB-9) connector

Regulatory standards compliance: Safety and EMC

Regulatory compliance

Products should comply with CE Markings according to directives 2004/108/EC and 2006/95/EC

Safety

NEBS

  UL 60950-1 Second Edition
  CAN/CSA-C22.2 No. 60950-1 Second Edition
  EN 60950-1 Second Edition
  IEC 60950-1 Second Edition
  AS/NZS 60950-1
  GB4943

EMC: Emissions

  47CFR Part 15 (CFR 47) Class A
  AS/NZS CISPR22 Class A
  CISPR22 Class A
  EN55022 Class A
  ICES003 Class A
  VCCI Class A
  EN61000-3-2
  EN61000-3-3
  KN22 Class A
  CNS13438 Class A

EMC: Immunity

  EN55024
  CISPR24
  EN300386
  KN35 KN24

Fabric VN scale

Table 16 captures the fabric VN limits for devices in the fabric when deploying Cisco DNA Center Release 2.3.3.0.

Table 16.     Fabric VN limits (The current maximum VRF validation is based on a lower limit of 1 and an upper limit of 128, even if the device can support more than 128.)

Device series

Max VRFs

Cisco Catalyst 3650 Series Switches

64

Cisco Catalyst 3850 Series Switches

64

Cisco Catalyst 4500 Series Switches

64

Cisco Catalyst 6800 Series Switches

1000 (128)

Cisco Catalyst 6500 Series Switches

1000 (128)

Data center switches (Cisco Nexus 7000 Series Switches)

4000 (128)

Cisco Cloud Services Router 1000V Series

4000 (128)

Cisco ASR 1000 Series Aggregation Services Routers

4000 (128)

Cisco 4000 Series Integrated Services Routers

4000 (128)

Cisco 4400 Series Integrated Services Routers

4000 (128)

Cisco 4200 Series Integrated Services Routers

4000 (128)

Cisco 4300 Series Integrated Services Routers

4000 (128)

Cisco Catalyst 9300 / 9300X Series Switches

256

Cisco Catalyst 9300 L Series Switches

256

Cisco Catalyst 9500 Series Switches

256

Cisco Catalyst 9500H Series Switches

256

Cisco Catalyst 9400 Series Switches

256

Cisco Catalyst 9200-L Switch Stack

1

Cisco Catalyst 9200 Switch Stack

4

Cisco Catalyst 9200-24PB Switch

32

Cisco Catalyst 9200-48PB Switch

32

Cisco Catalyst 9600 Series Switches

256

Roles and privileges

Table 17.     Role-based access control

Role

Privilege

Network-Admin-Role

Users with this role have full access to all of the network-related Cisco DNA Center functions. They do not have access to system-related functions, such as application management, users (except for changing their own passwords), and backup and restore.

Observer-Role

Users with this role have view-only access to all Cisco DNA Center functions.

Telemetry-Admin-Role

Users with this role have the ability to perform system-level functions within Cisco DNA Center.

Super-Admin-Role

Users with this role have full access to all of the Cisco DNA Center functions. They can create other user profiles with various roles, including those with the Super-Admin-Role.

Compatibility Matrix

Cisco DNA Center provides coverage for Cisco enterprise switching, routing, and mobility products. For a complete list of Cisco products supported, please see our compatibility matrix, which is updated regularly.

Cisco DNA Center compatibility matrix: https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/dnac_compatibility_matrix/index.html

Cisco SD-Access compatibility matrix: https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/sda_compatibility_matrix/index.html

Cisco environmental sustainability

Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the “Environment Sustainability” section of Cisco’s Corporate Social Responsibility (CSR) Report.

Reference links to information about key environmental sustainability topics (mentioned in the “Environment Sustainability” section of the CSR Report) are provided in the following table.

Links to information about key environmental sustainability topics

Sustainability topic

Reference

Information on product material content laws and regulations

Materials

Information on electronic waste laws and regulations, including products, batteries, and packaging

WEEE compliance

Reference links to product-specific environmental sustainability information that is mentioned in relevant sections of this data sheet are provided in Table 18:

Table 18.     Links to product-specific environmental sustainability information

Sustainability topic

Reference

General

Product compliance

Safety and compliance information

Power

Power supply

Power supplies and typical and maximum power specifications

Material

Dimensions

Physical dimensions

Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.

Product usage telemetry

Product usage telemetry provides valuable information about the status and capabilities of the Cisco DNA Center appliance. Cisco DNA Center is configured to automatically connect and transmit product usage data to Cisco. Product usage telemetry is used by Cisco to improve appliance lifecycle management for IT teams who have deployed Cisco DNA. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory report of license entitlement and upcoming renewals.

All product usage telemetry data is transmitted to Cisco through an encrypted channel. The categories of data collected in the product usage telemetry are the Cisco.com ID, system telemetry, feature usage telemetry and network device (for example, switch or router) inventory, and license entitlement. The collection of product usage telemetry will be enabled by default and cannot be disabled from the product. Customers may contact the Cisco Technical Assistance Center (TAC) for changes in collection settings.

For detailed product usage telemetry information collected, please see Table 19.

Table 19.     Cisco DNA Center product usage telemetry usage and benefits*

Category

Data elements

Purpose of collection

Cisco.com

  Cisco.com user ID

Identify customer account

System

  Deployment information (Cisco DNA Center appliance serial number, Cisco DNA Center appliance platform, Cisco DNA Center appliance machine ID)
  Connectivity with Cisco DNA Center
  Operational metrics (CPU, memory, file system, uptime) for pods
  Signed End-User License Agreement (EULA) flag
  Application stack and packages deployed

Identify potential issues in customers’ environments to prevent problems and improve the product

Feature usage

  Customer dwell time in application UI pages
  Site_member_details – name of site, instance UUID of device, support level of device, device family, and host name
  Assurance usage: number of sites, area, building, floor, wireless LAN controller (WLC), switch, Access Point (AP), number of clients (wired and wireless) and health score, sensor counts, sensor tests count, AI network analytics configuration flag, AP count with RF stats enabled, number of anomaly captures enabled, number of data packet captures enabled, and network telemetry max input rate (NetFlow, syslogs, traps)
  SD-Access usage: number of fabrics created, number of fabric domains per domain type, number of devices per fabric role by site, number of edge nodes and of border nodes and of control-plane nodes by device type, number of clients on fabric, number of access contracts, number of scalable group tags, number of virtual networks by site, number of IP pools, number of SSIDs, Cisco ISE version and status, number of group-based policies, number of access policy contracts, number of Cisco ACI ® scalable groups, number of APs and WLCs in fabric, number of each transit type, number of rogue AP/client messages, number of fabric sites by authentication mode, and number of ports by static port assignment
  Automation usage: number of devices provisioned using PnP, number of PnP devices by source, number of golden images and image repository details, number of successful/failed image activations and/or distributions, number of SMU images by type, number of application policies created and/or deployed, number of favorite applications, number of custom applications (sets), number of consumer applications, number of queueing profiles, number of excluded devices, number of devices in each policy, number of draft policies, number of policies using nondefault queueing profiles, device controllability check, site area/building/floor counts, number of SSA enablement/disablement tasks by status, number of SSA precheck failures by type and successes/failures per device family, Cisco Secure Network Analytics registration status, number of devices by SSA-enabled status, number of devices with security advisory match, number of security advisory scans, vManage integration status, MRE root cause analysis count and duration, number of MRE user feedbacks, number of devices with CVSS scores, number of devices by replacement status, WAB SDG node count, number of onboarding templates created and provisioned successfully on devices, number of devices with templates applied, and number of network profiles by site and namespace
  Cisco DNA Center as a Platform usage: number of event subscriptions by state, DaaS-runtime usage

Facilitate customer adoption and customer value

Network device inventory and license entitlement

  Network device inventory (serial number, software version, platform ID, and reachability errors). Number of devices per device support level, number of devices per device role, number of port types per device type, IDP instances enabled, number of devices by Ethernet channel control method, number of devices by acltype associated site information, uptime in days by device type, host count by device type, and number of devices by configuration type
  License entitlement information (network device type, Cisco Smart Software Manager registration status, Cisco DNA Center subscription level, hardware support contract coverage, and number of days until license expires)

Assist customers in tracking and maintaining license entitlement and renewals

For information on Cisco DNA Center privacy, please refer to Cisco’s Personal Data Privacy.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital® makes it easier to get the right technology to achieve your objectives, enable business transformation, and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services, and complementary third-party equipment in easy, predictable payments. Learn more.

For more information

See how Cisco DNA Center helps you move faster, lower costs, and reduce risk: https://cisco.com/go/dnacenter.

 

 

 

Learn more

Join us for a live demo of Cisco DNA Center capabilities and ask questions of Cisco experts. See examples of software image management, network and client health, and proactive troubleshooting.