Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account
Data Sheet

Available Languages

Download Options

  • PDF
    (810.5 KB)
    View with Adobe Reader on a variety of devices
Updated:September 16, 2019

Available Languages

Download Options

  • PDF
    (810.5 KB)
    View with Adobe Reader on a variety of devices
Updated:September 16, 2019


Improving your network from a single control and command center

Cisco DNA Center is the foundational controller and analytics platform at the heart of Cisco’s intent-based network for large and midsize organizations. Cisco DNA Center provides a single dashboard for every fundamental management task to simplify running your network. With this platform, IT can respond to changes and challenges faster and more intelligently.

     Design: Design your network using intuitive workflows, starting with locations where your network devices will be deployed. Users of Cisco Prime® Infrastructure and the Cisco Application Policy Infrastructure Controller Enterprise Module (APIC-EM) can simply import existing network designs and device images into Cisco DNA Center.

     Policy: Define user and device profiles that facilitate highly secure access and network segmentation based on business needs. Application policies allow your business-critical applications to provide a consistent level of performance regardless of network congestion.

     Provision: Use policy-based automation to deliver services to the network based on business priority and to simplify device deployment. Zero-touch device provisioning and software image management features reduce device installation or upgrade time from hours to minutes and bring new remote offices online with plug-and-play ease from an off-the-shelf Cisco® device. Additionally, the Stealthwatch Security Analytics service provisions network elements to send netflow and Encrypted Traffic Analytics to Stealthwatch.

     Assurance: Cisco DNA Assurance enables every point on the network to become a sensor, sending continuous streaming telemetry on application performance and user connectivity in real time. This, coupled with automatic path trace visibility and guided remediation, means network issues are resolved in minutes—before they become problems. Integration with Cisco Stealthwatch® security provides detection and mitigation of threats, even when they are hidden in encrypted traffic.

     Platform: An open and extensible platform allows third-party applications and processes to exchange data and intelligence with Cisco DNA Center. This improves IT operations by automating workflow processes based on network intelligence coming from Cisco DNA Center.


Figure 1.           

Cisco DNA Center

Cisco DNA Center is at the heart of the Cisco Digital Network Architecture, or Cisco DNA (https://www.cisco.com/go/dna), and is the only centralized intent-based network management system to bring all this functionality into an integrated controller and present it through a single pane of glass.


Figure 2.           

How Cisco DNA Center Works

Licensing Cisco DNA Center

Cisco DNA Center is a software solution that resides on the Cisco DNA Center appliance. The solution receives data in the form of streaming telemetry from every device (switch, router, access point, and wireless access controller) on the network. This data provides Cisco DNA Center with the real-time information it needs for the many functions it performs. For a device to be authorized to send data to Cisco DNA Center, that device must be included in your company’s Cisco DNA Software license subscription. These subscriptions are available for 3-, 5-, or 7-year terms. Cisco allows customers to purchase complete Cisco DNA Center functionality through a Cisco DNA Advantage license subscription or limited functionality through a Cisco DNA Essentials license subscription. Customers may also benefit from Cisco’s all-in-one software license, Cisco DNA Premier (formerly Cisco ONE). The Cisco DNA Premier license includes all Cisco DNA Advantage benefits plus the Cisco Identity Services Engine (ISE) for user identity policy and Cisco Stealthwatch for advanced security and Encrypted Traffic Analytics (ETA). All Cisco DNA Software license subscription options include Cisco SWSS (software support and downloads). The table below shows the main features included with the Cisco DNA Essentials, Cisco DNA Advantage, and Cisco DNA Premier licenses.

Table 1.             Cisco DNA Center Licensing Overview

Cisco DNA Essentials
Basic monitoring and automation

Cisco DNA Advantage
All Cisco DNA Essentials features plus

Cisco DNA Premier
All Cisco DNA Advantage features plus

Overall health dashboard

Time travel (14 days)

Cisco Stealthwatch with ETA

Network health dashboard

Cisco AI Network Analytics

Cisco ISE Base (identity policy)

Client health dashboard

360-degree health scores

Cisco ISE Plus (identity policy)

Application health dashboard

360-degree device view


Predefined reports

Apple iOS insights


Custom threshold KPIs

Active sensor tests



Wireless location heat maps



Guided remediation



Custom reports


Software image management (SWIM)

Third-party integrations


Network Plug and Play provisioning

Application policy


Network Functions Virtualization (NFV) provisioning

Software Maintenance Upgrade (SMU) patching


Cisco Virtual Network Functions (VNF)

Software-Defined Access


New features for Cisco DNA Center

Cisco DNA Center release is a major upgrade with the inclusion of Cisco AI Network Analytics, uses machine learning to improve user experience and reduce troubleshooting. Group-based policy for configuring and managing secure groups and user policies, support for third party NPS and better security, are highlights of the many new features in this release.

The main deliverables of Cisco DNA Center are: 

     Cisco AI Network Analytics: Cisco’s Intent-Based Networking just got smarter with Cisco AI Network Analytics, the cloud-based and on-premesis analytics engine that implements machine learning to improve user experience, and reduce time spent troubleshooting.  This is done through:

    Personalized baselining: Intelligently define personalized ”network normal” using unified global telemetry collected.

    Intelligent data analysis: Increase signal to noise, reduce false positives, and accurately identify trends and root causes.

    Accelerated remediation: Create automated resolution options for IT to act
on based on machine reasoning algorithms.

     Group-based policy is a major new capability in Cisco DNA Center for configuring, viewing and editing groups and policies. Through logical matrix interface, administrators can manage user access controls and segmentation using scalable groups, instead of IP address or VLANs. IT teams can create and manage “Secure Group Tags” (SGTs) from within Cisco DNA Center without having to open ISE (Cisco Identity Services Engine) or other network policy servers.

     AI-Analytics Security Advisories uses a Cisco Machine Reasoning Engine (MRE) to identify potential vulnerabilities in the network.  The Machine Reasoning Engine can be dynamically updated from the Machine Reasoning Knowledge Base to identify new security issues. Cisco DNA Center supported switches and routers can be scanned to identify software images that have a security advisory or security advisories. Identifying security advisories is a very time consuming task that can be automated through this advanced MRE technology.

     Support for third party network policy servers (NPS) has been a request from our users, and in release it is here. Now Cisco DNA Center can integrate with your third party NPS, or Cisco ISE–the choice is yours. 

     Automation of Netflow and ETA configuration for Stealthwatch: Subscribers to Cisco Stealthwatch and ETA (Encrypted Traffic Analytics) have requested a simpler way to configure the Netflow settings that are required for telemetry transmission to the Stealwatch flow collectors. With release, IT administrators can configure Netflow and ETA on select switches and routers in their network. This feature saves customers hours of configuration.

Multiple ISE (Cisco Identity Services Engine) systems to a single DNA Center server. This feature allows multiple ISE systems to control policies and user access through a single Cisco DNA Center applicance.

Below is a more complete list of the major upgrades in Cisco DNA Center

Table 2.             Cisco DNA Center new features for release


Description and benefits

Analytics and Assurance

Cisco AI Network Analytics

Using AI and Machine Learning Cisco AI Network Analytics drives intelligence in the network, empowering administrators to accurately and effectively improve performance and issue resolution. We are taking network analytics to a new level where noise and false positives are significantly reduced when enabling customers to very accurately identify issues, trends, anomalies, and root causes.
Intelligent issue detection and analysis

  AI-driven personalized baselining: No two networks are the same. AI-driven technologies can learn the user trends, services, and application metrics that are specific to your network. Cisco DNA Assurance can then create a customized performance curve for analytical decisions. The AI-driven baseline for the performance parameters that are unique to your network is constantly adapted as your network grows and changes. From there, the AI-driven analytics engine (both on premises and in the Cisco cloud) can make accurate decisions for what is normal and what is not, based on this personalized baseline.
  AI-driven anomaly detection: Surfaces any deviation from our AI-created personalized baseline for this network. This allows Cisco DNA Center to make sense of all the network data. The system can accurately detect performance issues and ignore unusual, but harmless, network anomalies. This reduces noise while accurately identifying anomalies that have the greatest impact on your network. AI-driven predictive analytics and proactive insights allow users to anticipate and prevent failures. Here, the machine learning engine can predict increases in Wi-Fi interference, onboarding delays, office traffic load, etc. This is because, in IP networks, a problematic event is often proceeded by a benign event or series of events. By learning how series of events are correlated to one another, predictive analytics can help network administrators anticipate the unexpected.
  AI-driven accelerated remediation: Cisco AI Network Analytics provides accelerated remediation through machine learning, which identifies the most critical variables related to the root cause of a given problem. This helps users detect issues and vulnerabilities, perform complex root cause analysis, and execute corrective actions faster than ever. In coming releases, we will enable machine reasoning to execute the logical troubleshooting steps that an engineer would perform in order to resolve a problem. Both of these capabilities accelerate remediation making your team more precise in problem solving and more productive overall.

Extended Application Visibility to switch and Wireless Controllers

Application visibility allows Cisco DNA Assurance to monitor a user’s application usage, even from a switch or wireless controller. By using switches and wireless controllers, DNAC customers will have a complete view of application visibility across the campus network infrastructure.

Machine Reasoning (MRE)

The addition of an intelligent machine reasoning engine allows for further intelligence in Cisco DNA Center. Included is the ability to discover layer-2 spanning tree loops in your non-fabric (legacy L2) network. Additionally, the MRE will scan current switch inventory for outdated images, PSIRT alerts, and suspicious configurations. These abilities are outlined further below under “AI-Analytics Security Advisories.”


Device replacement and RMA workflows

Workfolw templates allows for the replacement (RMA) of a switch and router. Includes restoration of IOS, configuration and license. Also completes device replacement in operational systems such as Cisco ISE, Certificate Servers, and Cisco DNA Center inventory. Saves time and retains existing setup, licenses, and KPI trends.

PMP Bulk Update (Day 0)

Simplified workflows for updating device images and configurations via easy Day-0 steps.

Multiple ISE support

Ability to support multiple Cisco ISE systems to single Cisco DNA Center Appliance. Allows for multiple policy servers for applications such as employee network access vs guest network access.

Fog Director

Ability to manage and view Cisco industrial devices via connection with Cisco Fog Director. Fog Director delivers the capability to manage large-scale production deployments of IOx-enabled fog applications.


Group-Based Policy

A major new capability in Cisco DNA Center for configuring, viewing and editing groups and policies. Through logical matrix interface, administrators can manage user access controls and segmentation using scalable groups, instead of IP address or VLANs. IT teams can create and manage “Secure Group Tags” (SGTs) from within Cisco DNA Center without having to open ISE (Cisco Identity Services Engine) or other network policy servers. Scale for group-based policy is as follows:

  Up to 4,000 scalable groups
  Up to 500 access contracts
  Up to 25,000 policies

3rd party NPS

Support for third party network policy servers (NPS) has been a request from our users, and in release it is here. Now Cisco DNA Center can integrate with your third party NPS, or Cisco ISE – the choice is yours.

AI-Analytics Security Advisories

This feature uses the Machine Reasoning Engine (MRE) to identify potential vulnerabilities in the network.  The Machine Reasoning Engine can be dynamically updated from the Machine Reasoning Knowledge Base to identify new security issues. Cisco DNA Center supported switches and routers can be scanned to identify software images that have a security advisory or security advisories. Identifying security advisories is a very time consuming task that can be automated through the advanced MRE technology.

Netflow Automation for ETA support

In order for Stealthwatch to be able to detect malware in encrypted traffic (ETA) network devices must be configured to send Netflow and ETA to Cisco Stealthwatch. This new Cisco DNA Center feature allowsusers to configure select switches and routers to send data to Stealthwatch by using the Stealthwatch Security Analytics service. The service also allows users to configure select switches to send Netflow to Stealthwatch for devices that do not support ETA.

Product usage telemetry

Product usage telemetry provides valuable information about the status and capabilities of the Cisco DNA Center appliance. Cisco DNA Center is configured to automatically connect and transmit product usage data to Cisco. Product usage telemetry is used by Cisco to improve appliance lifecycle management for IT teams who have deployed Cisco DNA. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory report of license entitlement and upcoming renewals.

All product usage telemetry data is transmitted to Cisco through an encrypted channel. The data is only accessible to authorized Cisco personnel. The categories of data collected in the product usage telemetry are the cisco.com ID, system telemetry, feature usage telemetry and network device (for example, switcher, router) inventory and license entitlement. Users may opt out of the collection of Product Usage Telemetry data collection by turning this feature off in the “Cisco DNA Center Settings” menu.

For detailed product usage telemetry information collected, please see Table 3. Please note, while some data collection is optional, few operational metrics are mandatorily collected. For details on data collected mandatorily, please see Table 4.

Table 3.             Cisco DNA Center product usage telemetry usage and benefits*


Data elements

Purpose of collection


  CCO User ID

Identify Customer Account


  Deployment information (Cisco DNA Center appliance serial number, Cisco DNA Center appliance platform, Cisco DNA Center appliance machine ID)
  Connectivity with Cisco DNA Center
  Operational Metrics – (cpu, memory, filesystem, uptime) for pods
  Signed EULA Flag
  Application stack and packages deployed

Identify potential issues in customers’ environments to prevent problems and improve the product

Feature Usage

  Dwell time in applications UI Pages
  Assurance Usage: Count of Site, Area, Building, Floor, WLC, Switch, AP, Number of Clients (Wired and Wireless) and Health Score, Sensor Counts, Sensor Tests Count
  SDA Usage: Number of Fabrics Created, Number of Edge Nodes, Border Nodes, Control Plane Nodes, Count of Clients on Fabric, Number of Access Contracts, Number of Scalable Group Tags, Count of Virtual Networks, Count of IP Pools, Count of SSIDs
  Automation Usage: Number of devices provisioned using PNP, Number of Golden Images and Image Repo details, Number of Application Policies Created/Deployed, # Favorite Apps, # Custom Apps (set), # Consumer Apps, # Queueing Profiles, # Excluded Devices, # Devices in each policy, # Draft Policies, # Policies using non-default queueing profile

Facilitate customer adoption and customer value

Network Device Inventory and License Entitlement

  Network device inventory (serial number, software version, platform ID, reachability errors)
  License entitlement information (network device type, IP address of network device, Cisco Smart Software Manager registration status, Cisco DNA Center subscription level, hardware support contract coverage, number of days until license expires)

Assist customers in tracking and maintaining license entitlement and renewals

Table 4.             Mandatory Telemetry Data collected


Data elements

Purpose of collection


  Cisco DNA Center Deployment information (Appliance serial number, Appliance platform information, Appliance machine ID, Cisco DNA Center Software Packages Version, First Connection Time, Deployment Mode)
  Operations metrics of Pods (CPU, Disk, Memory, Filesystem, Uptime)
  Scale (Count of number of client devices in the network)
  CCO ID of Super Admin

Required product usage telemetry data is the minimum data necessary to help keep Cisco DNA Center secure, up-to-date, and performing as expected.

For information on Cisco DNA Center Privacy, please refer to Cisco’s Personal Data Privacy page: https://www.cisco.com/c/en/us/about/trust-center/data-privacy.html#~privacydatadocs

Cisco DNA Center feature descriptions

Cisco DNA Assurance detailed feature description

Table 5.             Cisco DNA Assurance features and benefits


Description and benefits

Overall health dashboard

The main Assurance dashboard, which gives a high-level overview of the health of every network device and client on the network, wired and wireless, Cisco and Meraki®. Provides the top 10 global issues and allows administrator to expand views by geographical site, device list, client list, or topology.

Network health dashboard

General overview of the operational status of every network device connected to Cisco DNA Center. Any poorly connected devices or communication issues will be highlighted, with suggested remediation.

Client health dashboard

General overview of the operational status of every client connected to Cisco DNA Center. Any poorly connected clients or communication issues will be highlighted, with suggested remediation.

Application health dashboard

General overview of the health of all applications on the network. Includes a special section on applications that have been tagged as business relevant. Business-relevant application issues are highlighted, with suggested remediation for any anomalies.

Wireless sensor dashboard

Overview of all Aironet Active Sensors on the network. Shows overall tests, connectivity statistics, and top wireless issues discovered by sensors. Includes test results for Received Signal Strength Indicator (RSSI), Signal-to-Noise Ratio (SNR), Dynamic Host Configuration Protocol (DHCP), DNS, host reachability, RADIUS, email, Exchange server, web, FTP, and a complete IP SLA for data throughput speed, latency, jitter, and packet loss. Guided remediation for any test failures.

Streaming telemetry

Enables network devices to send near-real-time telemetry information to Cisco DNA Center, reducing delays in data collection. Some of the other benefits of streaming telemetry include:

  Low and quantifiable CPU overhead
  Optimized data export (key performance indicators [KPI], events)
  Event-driven notifications

Device 360 and Client 360

An Assurance feature allowing viewing of device or client connectivity from any angle or context. Included are information on topology, throughput, and latency from different times and applications. Gives a detailed view of any device or client performance over time and from any application context. Provides for very granular troubleshooting in seconds.

  History of performance for each user device
  Proactive identification of any issues affecting the user experience
  Connectivity graph with health score of all devices on the path
  Application experience
  Device KPIs

Path trace

Allows the operator to visualize the path of an application or service from the client through all devices and to the server. A common, and critical, troubleshooting task that normally requires 6 to 10 minutes is displayed instantly upon clicking on a client or application. Troubleshoots issues along the network path.

  Run a path trace from source to destination to quickly get key performance statistics for each device along the network path
  Identify Access Control Lists (ACLs) that may be blocking or affecting the traffic flow

Network time travel

Allows the operator to see device or client performance in a timeline view to understand the network state when an issue occurred. Allows an operator to go back in time up to 14 days and see the cause of a network issue, instead of trying to re-create the
issue in a lab.

  Rewind time to when the issue occurred
  History shows critical events
  All the information on the user or network device changes to the selected time

On-device analytics

Assurance and analytics are performed on a Cisco switch, router, or wireless controller where the anomaly was discovered. Critical metrics can be identified and immediately acted on before an incident occurs. KPIs that are core to business operations can be maintained in real time, and close to the users that rely on them.

Wi-Fi Analytics for Apple iOS clients

A joint development with Apple, Wi-Fi Analytics for Apple iOS offers Cisco DNA Assurance insights into the performance and experience of iOS clients (iPhone/iPad) on the wireless network. It allows the administrator to view wireless performance from the perspective of the iOS client.

  Supports per-device-group policies and analytics

     Client details, such as iPhone model and iOS information

  Provides insights into the client’s view of the network

     Basic Service Set Identifier (BSSID)


     Channel number

  Provides clarity regarding the reliability of connectivity

     Client reasons, such as error codes for last disconnection

Application experience

Tracks performance of predefined “critical business applications.” Shows user experience and performance metrics. Provides specialized rapid troubleshooting per application and per client. Provides unparalleled visibility and performance control over the applications that are critical to your core business, on a per-user basis. Allows users the performance they need on the applications key to their company role.

Proactive network insights

Network insights for issues affecting performance, reliability, or security. Detailed drill-downs to identify impacts quickly. Guided remediation to resolve issue.

Application policy support for SDA

This feature extends application policy to an SDA overlay network. Packets are classified and marked on the underlay and copied to the overlay within an SDA network.  Application policy works seamlessly on switches that are part of the SDA fabric.

Intelligent Capture

Intelligent Capture uses network sensors within the Aironet Active Sensor and the Aironet 4800 AP to provide advanced troubleshooting for wireless issues. Includes anomaly-based packet captures, on-demand RF scanning, real-time client location, and Wi-Fi application analytics. Offers a high level of wireless service guarantee based on detailed and proactive analysis of wireless performance per access point or per Wi-Fi client. Allows system administrators to prepare for special events, VIP visits, or simply to troubleshoot a stubborn wireless issue.

Media application monitoring

Ability to monitor using Perfmon processing for real-time protocol (RTP) streams. This allows teams to verify the quality of critical real-time applications.

URL monitoring

Allows Cisco DNA Assurance to have visibility into cloud-based (URL-based) applications and their performance and feeds information into Cisco DNA Center’s “Application Experience” feature so that cloud-based application performance is optimized. 

Cisco AI Network Analytics

Using AI and machine learning, Cisco AI Network Analytics drives intelligence in the network, empowering administrators to accurately and effectively improve performance and issue resolution. We are taking network analytics to a new level where noise and false positives are significantly reduced when enabling customers to accurately identify issues, trends, anomalies, and root causes.

AI-driven baselining (on-premises)

A set of ML features that enable network administrators to accurately identify, understand, and troubleshoot the most important issues in their network. This feature runs on the AI/ML engine that is located on the Cisco DNA Center appliance on site.

List of correlated insights

Table 6.            Correlated insights



Wireless issues

Client onboarding

  Association failures
  Authentication failures
  IP address failures
  Client exclusion
  Excessive onboarding time
  Excessive authentication time
  Excessive IP addressing time
  AAA, DHCP reachability

Client experience

  Throughput analysis
  Roaming pattern analysis
  Sticky client
  Slow roaming
  Excessive roaming
  RF, roaming pattern
  Dual-band clients prefer 2.4 GHz
  Excessive interference
  Apple iOS client disconnect

Network coverage and capacity

  Coverage hole
  AP license utilization
  Client capacity
  Radio utilization

Network device monitoring

  Crash, AP join failure
  High availability
  CPU, memory
  Flapping AP, hung radio
  Power supply failures

Sensor issues

Sensor onboarding

  Association failures
  Authentication failures
  IP address failures
  Sensor exclusion
  Excessive onboarding time
  Excessive authentication time
  Excessive IP addressing time
  AAA, DHCP reachability

Sensor experience

  Throughput analysis
  Outlook web response time
  Web server response time
  SSH server response time
  Mail server response time
  FTP server response time
  Excessive radio interference

Routing issues

Router health

  High CPU
  High memory

Routing technologies

  BGP AS mismatch, flap
  OSPF adjacency failure
  Enhanced Interior Gateway Routing Protocol (EIGRP) adjacency failure


  Interface high utilization
  LAN connectivity down/flap
  IP SLA to SP gateway connectivity

Switching issues (non fabric)

Client onboarding

  Client or device DHCP
  Client or device DNS
  Client authentication or authorization


  CPU, memory, temperature
  Line card
  Power over Ethernet (PoE) power
  Ternary Content-Addressable Memory (TCAM) table

SD-Access issues

Border and edge reachability

  Control plane reachability
  Edge reachability
  Border reachability
  Routing protocol
  MAP server

Data plane

  Border and edge connectivity
  Border node health
  Access node health
  Network services DHCP, DNS, AAA

Policy plane

  ISE or pxGrid connectivity
  Border node policy
  Edge node policy

Client onboarding

  Client or device DHCP
  Client or device DNS
  Client authentication or authorization


  CPU, memory, temperature
  Line card
  PoE power
  TCAM table

Cisco DNA Automation detailed feature description

Table 7.             Cisco DNA Automation features and benefits


Description and benefits

Network discovery

Automatically discovers and maps network devices to a physical topology with detailed device-level data. The discovery function uses the following protocols and methods to retrieve device information, such as IP addresses, neighboring devices, and hosts connected to the device:

  Cisco Discovery Protocol
  Link Layer Discovery Protocol (LLDP) for endpoints
  IP Device Tracking (IPDT) and ARP entries for host discovery
  LLDP Media Endpoint Discovery (LLDP-MED) for discovering IP phones and some servers
  Simple Network Management Protocol (SNMP) versions 2 and 3

Network Information Database (NIDB)

Periodically scans the network to create a “single source of truth” for IT. This inventory includes all network devices, along with an abstraction for the entire enterprise network. It keeps an updated inventory of devices and software images on that device for version control. The NIDB provides data to applications (such as SWIM, and EasyQoS) so that the correct device and image version are used. It allows applications to be device independent, so configuration differences between devices aren’t a problem.

Meraki discovery and integration

Provides for the discovery of all Meraki devices on the network and integrates them into the Cisco DNA Center dashboard. It provides for a single pane of glass for both Cisco and Meraki devices.

Network design and profile-based management

Allows you to manage your network in a hierarchical fashion by letting you add areas and buildings on a geospatial map. You can start by defining your sites, then add buildings to sites, and finally add floors with detailed floor plans to the buildings. Cisco DNA Center lets the user define profiles, which consist of common network settings such as device credentials, DHCP, DNS server, AAA server, IP address pool, etc., Wireless settings such as SSIDs and RF profiles can be created globally and customized at site levels. These profiles form the basis for network automation.

Network Plug and Play (PnP)

Zero-touch provisioning for new device installation. Allows off-the-shelf Cisco devices to be provisioned simply by connecting them to the network. Cisco Network PnP provides a highly secure, scalable, seamless, and unified zero-touch-deployment experience for customers across Cisco's entire enterprise network portfolio of wired and wireless devices. Deploy new devices in minutes, and without onsite support visits. Eliminate repetitive tasks and eliminate staging. Network PnP reduces the burden on enterprises by greatly simplifying the deployment process for new devices, which can significantly lower Operating Expenditures (OpEx) as well. For more details, refer to the data sheet for the Network Plug and Play application.


Software Image Management (SWIM)

Manages software upgrades and controls the consistency of image versions and configurations across your network. Speeds and simplifies the deployment of new software images and patches. Pre- and post-checks help ensure no adverse effects from an upgrade. This is an easy to way to build a central repository of software images and apply them to devices. Administrators can mark software images as golden for a device family, allowing them to upgrade devices to the software image and patch versions that are in compliance with the golden versions defined in the repository.

  Golden images: Intent-based network upgrades allow for image standardization, much desired by network administrators
  Pre- and post-checks allow network administrators more control over and visibility into network upgrades
  Patches are supported in Cisco DNA Center from intent to pre- and post-checks in the same way that we manage regular images

ROMMon support for SWIM

The SWIM ROMMon upgrade feature optimizes already scheduled downtime by allowing users to join ROMMon upgrades with regular upgrades. The ROMMon feature in SWIM eases the task of upgrading ROMMon images on supported Cisco devices.

SMU patching

Provides patching for Software Maintenance Upgrade (SMU) recommendations and reduces the effort required to manually search for, identify, and analyze SMUs that are needed for a device. Cisco DNA Center automatically provides SMU management for multiple Cisco IOS® XR platforms and releases. Automates the patching process and allows most bug fixes to be patched with minimal network disruption.

Branch deployment automation

Simplified workflows for physical and virtual branch automation; day-0 router/NFV design. Onboard WAN devices and services via easy steps:

1. Configure network settings, service provider, and IP pools

2. Design a router or virtual profile

3. Assign to sites and provision network devices

Enterprise Network Functions Virtualization (ENFV) automation

Facilitates branch virtualization on any hardware device, Cisco or third-party. Saves time in setting up network virtual services. Supports existing branch migration without hardware upgrade. This feature includes full NFV management.

Wireless automation

Intent-based workflows for simplified wireless deployment and automation

  Network profiles: A container of wireless properties that can represent single or multiple sites
  Simplified guest and SSID creation
  Advanced RF support for wireless networks
  A single workflow to enable flex or centralized wireless deployment
  PnP provisioning for APs
  IP ACL support
  Access and access control policy for SD-Access Wireless only

Device tagging

An administrator can tag network devices in order to associate devices that share a common attribute. For example, you can create a tag and use it to group devices based upon a platform ID, Cisco IOS release, or location. Allows for grouping of devices based on specialized needs.

Policy creation

Allows the creation of policies based on business intent for a particular part of the network. Users can be assigned policies for the services that they consume, and these policies follow them throughout the network. Policies are translated by Cisco DNA Center into network-specific and device-specific configurations that can be adjusted dynamically based on network conditions. Of foundational importance for intent-based networking, policies define the business intent that is desired and allow the network to guarantee services.

Application policy creation

Allows policies to be assigned to applications based on business relevance. These applications can then be attached to sites (locations) where the policy should be applied. This feature allows business-critical applications to have greater QoS priority in the sites where their use is relevant. It is important for mission-critical applications such as machine-to-machine control in manufacturing or life-saving devices in healthcare, as well as for business-critical applications such as video in customer experience centers or voice in support sites.

Cisco Software-Defined Access (SD-Access) key features

Table 8.            SD-Access features and description



Fabric infrastructure

  Automated external connectivity handoff using Virtual Routing and Forwarding Lite (VRF-Lite), and BGP Ethernet VPN (BGP-EVPN)
  FiaB w/o control plane
  Bonjour support for cisco SDA

Fabric assurance

  KPIs, 360-degree views for client, AP, wireless controller (WLC), and switch 

      Underlay and overlay correlation

      Device health: Fabric border and edge, CPU, memory, temperature, line cards, modules, stacking, PoE power, TCAM

      Data plane connectivity: Reachability to fabric border, edge, control plane, and DHCP, DNS, and AAA

      Policy: Fabric border and edge policy, ISE and pxGrid connectivity

      Client onboarding: Client and device DHCP and DNS, client authentication and authorization

Fabric wireless

  Wireless guest with ISE (Central Web Authentication) 
  Wireless guest support on separate guest border and control plane and wireless guest support as separate Virtual Network (VN) on enterprise border and control plane
  Same SSID for traditional and fabric on same WLC (mixed mode)
  WLC Stateful Switchover (SSO)
  Wireless multicast
  Multiple virtual networks for guest
  Embedded wireless support on fabric edge
  Guest web passthrough
  Sleeping client timeout


  Pre-check and post-check workflow validations
  ISE Primary Administration Node (PAN) High Availability (HA) support (includes pxGrid, Monitoring and Troubleshooting [M&T])
  Distributed ISE Policy Service Node (PSN) support (two per site)
  Same ISE instance for fabric and traditional (brownfield) deployments
  Cisco Secure Access Control System (ACS) and ISE for TACACS+ authentication of network devices
  HA support for Cisco DNA Center
  Policy-protected Command-Line Interface (CLI) configuration
  Software image and patch management
  License management
  Backup and restore
  Task scheduler
  Group-Based Access Control Policies

Distributed campus

  Automated intersite connectivity
  End-to-end policy and segmentation

Fabric infrastructure optimizations

  Device sensor for host onboarding
  Server connectivity for fabric edge
  Support for up to six control plane nodes
  LAN automation hardening
  Cisco DNA Center template-based configurations in fabric deployments for key use cases
  Border handoff enhancements: 4-byte ASN support
  Two Fiab in a site is supported without embedded wireless
  Lan Automation support for Nexus 9500 as intermediate node but not as seed

Simplified migrations

  Layer 2 handoff at border: Common subnet inside and outside fabric for SD-Access migration in brownfield network
  Layer 2 flooding: Fabric support for end hosts that require Layer 2 flooding, for example, building management systems, audio-visual equipment, etc.
  Catalyst 9500H series support for  Layer 2 handoff

SD-Access Extension for IoT

Automation functionality is extended to the fabric edge to support IoT deployments where "extended node" devices are outside the "carpeted network." Allows greater functionality to wired and wireless devices in applications such as industrial process control, digital cities, oilfields, mining, and outdoor video surveillance.

IPv6 endpoint support

This feature introduces the capability to support IPv6 wired and wireless endpoints that are dual stacked.

For more details on Software-Defined Access, visit SD-Access solution on Cisco.com.

Cisco DNA Center system capabilities

Table 9.            System capabilities


Description and benefits

Role-Based Access Control (RBAC)

Allows users to be mapped to one of the four predefined roles. The role determines what types of operations a user can perform within the system.

Backup and restore

Supports complete backup and restore of the entire database for added protection.

ISE integration

Integrates with ISE through pxGrid or API for fabric overlay support.

Cisco DNA Center platform capabilities

Table 10.          Platform capabilities


Description and benefits

Northbound REST APIs

The Cisco DNA Center platform supports Representational State Transfer (REST) APIs at the northbound layer for programmability. The Cisco DNA Center API provides support for the following features:

  Discovery, device inventory, network topology
  SWIM, Plug and Play (PnP)
  Template programmer, command runner
  Assurance: Site, device, and client health monitoring, path trace
  NFV provisioning

IT Service Management (ITSM) integration

The ITSM integration minimizes the need for handoffs, deduplicates issues, and optimizes processes for proactive insights and faster remediation. Out-of-the-box integration exists with ServiceNow. The generic APIs exposed by the Cisco DNA Center platform enable partners and developers to integrate with any ITSM system.

IP Address Management (IPAM) integration

This integration allows for a seamless import of IP pools for Cisco DNA Center workflows from external IPAM systems and the synchronization of IP pool and subpool usage information between the two systems. Out-of-the-box integration exists with Infoblox and Bluecat. The Cisco DNA Center platform provides generic APIs to integrate with any IPAM system.

Events and notifications

The Cisco DNA Center platform webhooks allow third-party applications to receive notifications and listen to any events detected by Cisco DNA Assurance, Automation, and other task-based operational workflows.

Multivendor SDK

The Cisco DNA Center Multivendor Device Pack SDK allows partners to add support for managing third-party devices directly via Cisco DNA Center.

Meraki visibility in Cisco DNA Center

For existing Meraki branch customers who want to explore using Cisco DNA Center and Cisco Catalyst® 9000 family switches, or for customers with mixed environments, Cisco DNA Center now offers a single management pane of glass. This is an API-driven dashboard integration that supports all existing Meraki hardware and software at no additional license cost.


Figure 3.           

Meraki and Cisco DNA Center Integration

Features and benefits

     Single dashboard inventory across all platforms (Meraki, Cisco Catalyst, Cisco Integrated Services Routers [ISRs], Aironet®)

     Up-or-down status of all devices in a single platform

     Use existing Meraki API keys; no additional license required

     Combined topology mapping of hybrid environments

Cisco DNA Center appliance: scale and hardware specifications

This new second generation (Gen2) of Cisco DNA Center appliance is available in three form factors and comes with the Cisco DNA Center image preloaded on it and ready for installation. Notice that the entry level Gen2 appliance (DN2-HW-APL) has the same size, performance, and capacity specifications as the first generation (Gen1) Cisco DNA Center Appliance (DN1-HW-APL). The reason for the change is to put all three Gen2 appliances on the newer Cisco “M5 Series” UCS. If you currently have a Gen1 appliance (based on the “M4 Series” UCS), there is no need to upgrade, and there is no advantage to upgrading since both Gen1 and Gen2 entry appliances are based on 44 core processing units. Customers looking for greater performance, in order to support more capacity, are advised to upgrade to the 56 core “mid-size” Gen2 appliance (DN2-HW-APL-L) or the 112 core “large” Gen2 appliance (DN2-HW-APL-XL). Table 9 captures the scale information for Cisco DNA Center Release

Table 11.          Scale and hardware specifications









Hardware description

Cisco UCS C220 M5
Rack Server
44 cores

Cisco UCS C220 M5
Rack Server
56 cores

Cisco UCS C480 M5
Rack Server
112 cores

Cisco DNA Center System Scale

Number of devices

(switch, router, wireless controller)




Number of wireless access points




Number of concurrent endpoints




Number of transient endpoints

(over 14-day period)




Ratio of Endpoints:




Number of ports




Number of site elements




Number of wireless controllers




API rate limit

50 APIs/min

50 APIs/min

50 APIs/min

Cisco DNA Center SD-Access Scale

Number of fabric domains




Number of fabric sites




Number of access points




Cisco DNA Center per fabric site scale

Number of virtual networks




Fabric devices per fabric site




Cisco DNA Center appliance physical specifications

Cisco DNA Center appliance is available in three form factors and comes with the Cisco DNA Center image preloaded on it and ready for installation.

Table 12 shows the appliance specifications.

Table 12.          Physical specifications

Part number for ordering



Hardware series



Power supply

Dual 770W AC

Dual 1600W AC

Physical dimensions (H x W x D)

Height: 1.7 in. (4.32 cm)

Width: 16.89 in. (43.0 cm); including handles:18.98 in. (48.2 cm)

Depth: 29.8 in. (75.6 cm); including handles: 30.98 in. (78.7 cm)

Height: 6.9 in. (17.6 cm)

Width: 19 in. (48.3 cm)

Depth including handles and power supplies: 32.7 in. (83.0 cm)

Temperature: operating

1° to 95°F (5° to 35°C)

Derate the maximum temperature by 1°C per every 1000 ft. (305 m) of altitude above sea level.

1° to 95°F (5° to 35°C)

Derate the maximum temperature by 1°C per every 1000 ft. (305 m) of altitude above sea level.

Temperature: nonoperating

-40° to 149°F (–40° to 65°C)

-40° to 149°F (–40° to 65°C)

Humidity: operating

10% to 90%, noncondensing at 82°F (28°C)

10% to 90%, noncondensing at 82°F (28°C)

Humidity: nonoperating

5% to 93% at 82°F (28°C)

5% to 93% at 82°F (28°C)

Altitude: operating

0 to 3000 m (0 to 10,000 ft)

0 to 3000 m (0 to 10,000 ft)

Altitude: nonoperating

0 to 12,192 m (0 to 40,000 ft)

0 to 12,192 m (0 to 40,000 ft)

Network and management I/O

Supported connectors:

One 1 Gigabit Ethernet dedicated management port

Two 1 Gigabit BASE-T Ethernet LAN ports

One RS-232 serial port (RJ-45 connector)

One 15-pin VGA2 connector

Two USB 3.0 connectors

One front-panel KVM connector that is used with a KVM cable, which provides two USB 2.0, one VGA, and one serial (DB-9) connector

Supported connectors:

One 1 Gigabit Ethernet dedicated management port

Two 1 Gigabit BASE-T Ethernet LAN ports

One RS-232 serial port (RJ-45 connector)

One 15-pin VGA2 connector

Three USB 3.0 connectors

One front-panel KVM connector that is used with a KVM cable, which provides two USB 2.0, one VGA, and one serial (DB-9) connector

Cisco DNA Center device-aware fabric VN limit (Fabric VN Scale)

Table 13 captures the fabric VN limits for devices in the fabric when deploying Cisco DNA Center Release 1.3.

Table 13.       Fabric VN limits (the current maximum VRF validation is based on a lower limit of 1 and an upper limit of 128, even if the device can support more than 128)

Device series

Max VRFs

Cisco Catalyst 3650 Series Switches


Cisco Catalyst 3850 Series Switches


Cisco Catalyst 4500 Series Switches


Cisco Catalyst 6800 Series Switches

1000 (128)

Cisco Catalyst 6500 Series Switches

1000 (128)

Data center switches (Cisco Nexus® 7000 Series Switches)

4000 (128)

Cisco Cloud Services Router 1000V Series

4000 (128)

Cisco ASR 1000 Series Aggregation Services Routers

4000 (128)

Cisco 4000 Series Integrated Services Routers

4000 (128)

Cisco 4400 Series Integrated Services Routers

4000 (128)

Cisco 4200 Series Integrated Services Routers

4000 (128)

Cisco 4300 Series Integrated Services Routers

4000 (128)

Cisco Catalyst 9300 Series Switches

256 (128)

Cisco Catalyst 9500 Series Switches

256 (128)

Cisco Catalyst 9500H Series Switches

256 (128)

Cisco Catalyst 9400 Series Switches

256 (128)

Cisco Catalyst 9200-L Series Switches


Cisco Catalyst 9200 Series Switches


Roles and privileges

Table 14.          Role-based access control




Users with this role have full access to all of the network-related Cisco DNA Center functions. They do not have access to system-related functions, such as application management, users (except for changing their own passwords), and backup and restore.


Users with this role have view-only access to all Cisco DNA Center functions.


Users with this role have the ability to perform system-level functions within Cisco DNA Center. 


Users with this role have full access to all of the Cisco DNA Center functions. They can create other user profiles with various roles, including those with the Super-Admin-Role.

Device support

Cisco DNA Center provides coverage for Cisco enterprise switching, routing, and mobility products. For a complete list of Cisco products supported, please download our support spreadsheet, which is reularly updated. https://www.cisco.com/c/en/us/products/cloud-systems-management/dna-center/datasheet-listing.html.

Cisco Capital

Flexible Payment Solutions to Help You Achieve Your Objectives

Cisco Capital® makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments.
Learn more.

For more information

See how Cisco DNA Center helps you move faster, lower costs, and reduce risk: https://cisco.com/go/dnacenter.

Learn more