Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco DNA Center Data Sheet

Data Sheet

Available Languages

Download Options

  • PDF
    (943.4 KB)
    View with Adobe Reader on a variety of devices
Updated:February 10, 2020

Available Languages

Download Options

  • PDF
    (943.4 KB)
    View with Adobe Reader on a variety of devices
Updated:February 10, 2020


Improving your network from a single control and command center

Cisco DNA Center is the foundational controller and analytics platform at the heart of Cisco’s intent-based network for large and midsize organizations. Cisco DNA Center provides a single dashboard for every fundamental management task to simplify running your network. With this platform, IT can respond to changes and challenges faster and more intelligently.

     Design: Design your network using intuitive workflows, starting with locations where your network devices will be deployed. Users of Cisco Prime® Infrastructure and the Cisco® Application Policy Infrastructure Controller Enterprise Module (APIC-EM) can simply import existing network designs and device images into Cisco DNA Center.

     Policy: Define user and device profiles that facilitate highly secure access and network segmentation based on business needs. Application policies allow your business-critical applications to provide a consistent level of performance regardless of network congestion.

     Provision: Use policy-based automation to deliver services to the network based on business priority and to simplify device deployment. Zero-touch device provisioning and software image management features reduce device installation or upgrade time from hours to minutes and bring new remote offices online with plug-and-play ease from an off-the-shelf Cisco device. Additionally, the Cisco Stealthwatch® Security Analytics service provisions network elements to send NetFlow and Encrypted Traffic Analytics to Stealthwatch.

     Assurance: Cisco DNA Assurance enables every point on the network to become a sensor, sending continuous streaming telemetry on application performance and user connectivity in real time. This, coupled with automatic path trace visibility and guided remediation, means network issues are resolved in minutes—before they become problems. Automated NetFlow switch configuration for Cisco Stealthwatch security provides detection and mitigation of threats, even when they are hidden in encrypted traffic.

     Platform: An open and extensible platform allows third-party applications and processes to exchange data and intelligence with Cisco DNA Center. This improves IT operations by automating workflow processes based on network intelligence coming from Cisco DNA Center.

Cisco DNA Center

Figure 1.               

Cisco DNA Center

Cisco DNA Center is at the heart of the Cisco Digital Network Architecture, or Cisco DNA (https://www.cisco.com/go/dna), and is the only centralized intent-based network management system to bring all this functionality into an integrated controller and present it through a single pane of glass.

How Cisco DNA Center Works

Figure 2.               

How Cisco DNA Center Works

Licensing Cisco DNA Center

Cisco DNA Center is a software solution that resides on the Cisco DNA Center appliance. The solution receives data in the form of streaming telemetry from every device (switch, router, access point, and wireless access controller) on the network. This data provides Cisco DNA Center with the real-time information it needs for the many functions it performs. For a device to be authorized to send data to Cisco DNA Center, that device must be included in your company’s Cisco DNA software license subscription. Cisco encourages customers to purchase complete Cisco DNA Center functionality through a Cisco DNA Advantage or Premier license subscription. Limited Cisco DNA Center functionality is also available through a Cisco DNA Essentials license subscription. Wireless, switching, and SD-WAN and routing subscriptions are available for 3- and 5-year terms; wireless and switching are also available in a 7-year term. All Cisco DNA software license subscription options include have embedded Cisco SWSS (software support and downloads).

The links below open feature matrices detailing the main features included with the Cisco DNA Essentials, Cisco DNA Advantage, and Cisco DNA Premier licenses in each respective suite.

Switching Feature Matrix

Wireless Feature Matrix

SD-WAN and Routing Matrix

New Features for Cisco DNA Center

Cisco DNA Center is the latest release, with new assurance, automation, and security capabilities, including Samsung client device analytics, new executive summary reports on network performance, wireless sensor enhancements, inventory insights, provisioning logs, APIC-EM migration tool, Cisco StackWise® Virtual support, ASA firewall configuration and management, as well as detection of rogue access points. Other minor enhancements are outlined in the Cisco DNA Center data sheet at cisco.com/go/dnacenter. 

The main new capabilities of Cisco DNA Center are: 

     Samsung client device analytics: Allows Samsung mobile clients (such as the Samsung Galaxy S10) to send alerts and error codes to Cisco DNA Center. Phase 1 of this capability, included in the release, provides basic Samsung device visibility, including hardware release and software version.

     Executive summary reports: Creates reports for various network performance and reliability metrics. Executive summary reports give your team a tool to demonstrate network performance and reliability metrics in a quick, visual presentation format to your executive team or other nontechnical stakeholders.

     Wireless sensor enhancements: Adds new features that increase the ease of use and reliability of wireless sensors and that facilitate remote site deployment. Wireless sensors are now easier to connect, are easier to use, and provide more options for testing wireless network performance.

     Inventory insights: Compares device images for consistency and security, locating inconsistent image versions and inconsistent switch configurations. This capability can save IT teams hours of time in manual consistency and quality control processes.

     APIC-EM migration: Provides a seamless path to Cisco DNA Center with support for all APIC-EM features and functionality. Customers using APIC-EM have a clear upgrade path to Cisco DNA Center with complete feature parity.

     StackWise Virtual support: Allows Cisco DNA Center to cluster switches together virtually for increased availability and performance. This allows the customer to add reliability and performance to bottleneck areas in their campus network by virtually stacking switch capacity.

     Provisioning logs: Logs in Cisco DNA Center show all device provisioning versions and the individual responsible. This provides insight into all network changes.

     Firewall support: Provides basic automation for Cisco ASA firewall provisioning, inventory, topology, software image management (SWIM), and configuration templates. This support provides the ability to remotely configure and provision Cisco firewalls running ASA software from within Cisco DNA Center.

     Rogue management: Detects unauthorized access points plugged into local switches or access points with same SSID that are not connected to the customer’s wired network. This capability provides increased security and control of wireless networks.

Below is a more complete list of the major upgrades in Cisco DNA Center

Table 1.           Cisco DNA Center New Features for Release


Description and benefits

Analytics and Assurance

Samsung client analytics phase 1

Client device profile information (model, OS version, sales code) and more than 20 onboarding error states from the client. Cisco's partnership with Samsung allows a Cisco network to get the client’s point of view of the network—what access points it sees, the reasons for disconnections, and the current state of the user experience—provided through Cisco DNA Assurance.

Wireless sensor advancements

Location-based test templates for running sensor tests, external WebAuth assessment for guest onboarding to Cisco Identity Services Engine (ISE), location-based sensor heatmap, Sensor 360 with AP neighbor map view, enhanced day-0 Cisco DNA Center discovery, and dedicated wireless backhaul

  Improved day-0 discovery of sensors with dedicated wireless backhaul and Secure Shell (SSH) support with Extensible Authentication Protocol – Transport Layer Security (EAP-TLS) support on wireless backhaul
  Customers have the ability to standardize on the proactive sensor tests that they want to run across hundreds of sites that are part of the enterprise in a consistent fashion by leveraging sensor test templates and flexible scheduling capabilities
  Sensors can now also simulate the guest onboarding experience in ISE
  Once the tests are set up, customers now have the ability to centrally monitor them from the newly built heatmap-based sensor dashboard that can help pinpoint sites having problem and then drill down to specific locations where more client onboarding is failing or where there is poor RF coverage, using location heatmaps and Sensor 360
  Enhancement to day-N sensor management use cases, including sensor status monitoring, SSH control with user name, LED flash control, name change with bulk change options, site hierarchy management, and support for bundle access for Cisco Technical Assistance Center (TAC) troubleshooting

Executive summary report

Weekly and daily report providing executives a summary of how their network is performing with insights into network devices, clients, and applications.

  View a summary of weekly and daily network and client health and application performance
  View the comparison and change against the previous period
  Analyze the number of network devices and clients seen on the network
  View the top client types seen on the network
  Analyze issue trends and top issues

Custom network health scores

Enables the customer to customize how the health score in Cisco DNA Assurance is computed. Customers really like the health score abstraction but have always asked for the ability to control how health scores are computed. We have given them that capability with this release.


Rogue management

Support for Cisco Catalyst® 9800 Series Wireless Controller rogue management within Cisco DNA Center. This extends the same capabilities to detect rogues that are supported on AireOS WLCs, including detection of honeypots and on-wire rogues, to the Cisco Catalyst 9800 Series.

StackWise Virtual support

Base automation (inventory, discovery, SWIM, topology, template programmer) and assurance support for Cisco Catalyst 9500 and 9400 Series StackWise Virtual switches. StackWise® Virtual technology on the Cisco Catalyst 9000 platform allows the clustering of two physical switches together into a single logical entity, resulting in enhancements in all areas of network design, including high availability, scalability, management, and maintenance. Customers can now use Cisco DNA Center to manage the StackWise Virtual device, along with monitoring the health and status of StackWise Virtual ports and links.

Device ID certificate provisioning during Plug and Play (PnP)

API support for provisioning of device ID certificate during Plug and Play device claim. With this feature the customer will be able to push the device ID certificate to the spoke routers during Plug and Play. Certificates for spoke routers need to be pushed as part of the day-0 configuration for a critical customer deployment so that when spokes come online after day-0 configuration and the certificate is applied to them, they can establish VPN (DMVPN) connectivity to hubs right away.

Meraki® wireless provisioning

Provision SSIDs in Meraki APs via Cisco DNA Center. This feature allows Meraki access points to be assigned SSIDs via Cisco DNA Center, without having to open the Meraki dashboard application.

Enterprise Network Functions Virtualization (ENFV): Advanced configuration mode

Provides advanced configurations for ENFV topologies and routing, such as switched port analyzer (SPAN) sessions, port mirroring, and packet capture. Integrates advanced configuration support for ENVF into Cisco DNA Center capabilities. This allows greater management of remote virtual servers via Cisco DNA Center.

Firewall (ASA) support

Base automation support (inventory, topology, SWIM, and configuration template) for ASA firewalls running ASA software.


Authentication enhancements

  Users can now change authentication mode from open to closed without having to remove the device from the fabric
  The site-specific authorization template will enable customers to have a unique template for each site and continue to have a global authorization template
  Critical VLAN will not be pushed by default via Cisco DNA Center templates.
  Seamless authorization changes will provide granularity and allow the user to make authentication changes without removing the device from the fabric
  Users can have different authentication templates based on the deployment model
  If the ISE goes down, the customer will have the flexibility to choose not to immediately move all the clients into a single critical VLAN/pool.

Cisco Software-Defined Access (SD-Access): Layer 2 intersite

Layer 2 sites can be connected via SD-Access transit; /32s are propagated to the transit control plane.  Previously, we could not use the same IP space across fabric sites. This use case is centered around sharing an IP subnet across multiple fabric-enabled sites and for allowing intersite communication for Layer 2 traffic over SD-Access transit.

Unique multicast group

For Layer 2 intersite, there will be a unique multicast group per site. The blast radius of Layer 2 flood is contained within this unique multicast group.

SD-Access: StackWise Virtual Link (SVL) border and edge

SVL support has been added on edge and border nodes. Base automation will discover manually configured SVL devices. The user can configure fabric roles such as edge/border or border + edge (B+E). SVL not only brings physical redundancy but also provides dual homing to the devices/servers connected to the border/edge.  With B+E (non-colocated) control plan users can connect servers at the border. 

Multicast enhancement for Cisco Vision: Custom source-specific multicast (SSM) and external rendezvous point (RP)

With external RP automation workflow and custom SSM range, users can now bring up devices that require custom SSM, such as Cisco Vision, into the SD-Access fabric. Sites such as convention centers and stadiums can automate their digital billboards. External RP support removes the need for a dedicated RP within each site.  This further reduces the TCO of a small site.

SD-Access: Extended node: 802.1X and MAC Authentication Bypass (MAB); multicast; authentication, authorization, and accounting (AAA); secure extended nodes

802.1X, MAB, AAA, multicast, and secure extended node support on extended nodes:

  Customers can onboard Internet of Things (IoT) devices, APs, and end devices with 802.1X and MAB authentication.
  Devices connected to extended nodes can join scalable groups for secure onboarding. This feature will add value for customers who want to leverage micro segmentation.
  Extended nodes will have multicast support. IoT devices such as surveillance devices can join multicast groups. The source and receiver can be hanging off of extended nodes. 

SD-Access: New devices (Shockley, Hyper-V-WLC, IW3700, Axel, Duplo)

Support for Shockley, Hyper-V-WLC, IW3700, Axel, and Duplo has been added to SD-Access.

Airgap support

Customers now have the ability to install or upgrade to the latest software versions in an airgap (when the appliance is not connected to the public network/Internet). This enables a customer to update/stay current with Cisco DNA Center versions while complying with their security policy.

Scale: Filtering for IP pools

Cisco DNA Center can enforce filtering for IP pools that were configured via third-party IP address management (IPAM) products. This capability provides increased IPAM Integration with Cisco DNA Center.

Product usage telemetry

Product usage telemetry provides valuable information about the status and capabilities of the Cisco DNA Center appliance. Cisco DNA Center is configured to automatically connect and transmit product usage data to Cisco. Product usage telemetry is used by Cisco to improve appliance lifecycle management for IT teams who have deployed Cisco DNA. Collecting this data helps the product teams serve customers better. This data and related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate discussions to gather additional value from new and existing features, and assist IT teams with inventory report of license entitlement and upcoming renewals.

All product usage telemetry data is transmitted to Cisco through an encrypted channel. The data is only accessible to authorized Cisco personnel. The categories of data collected in the product usage telemetry are the cisco.com ID, system telemetry, feature usage telemetry and network device (for example, switcher, router) inventory and license entitlement. Users may opt out of the collection of Product Usage Telemetry data collection by turning this feature off in the “Cisco DNA Center Settings” menu.

For detailed product usage telemetry information collected, please see Table 2. Please note, while some data collection is optional, few operational metrics are mandatorily collected. For details on data collected mandatorily, please see Table 3.

Table 2.           Cisco DNA Center Product Usage Telemetry Usage and Benefits*


Data elements

Purpose of collection


  Cisco.com user ID

Identify Customer Account


  Deployment information (Cisco DNA Center appliance serial number, Cisco DNA Center appliance platform, Cisco DNA Center appliance machine ID)
  Connectivity with Cisco DNA Center
  Operational Metrics – (CPU, memory, filesystem, uptime) for pods
  Signed EULA Flag
  Application stack and packages deployed

Identify potential issues in customers’ environments to prevent problems and improve the product

Feature usage

  Dwell time in applications UI pages
  Assurance usage: Count of site, area, building, floor, WLC, switch, AP, number of clients (wired and wireless) and health score, sensor counts, sensor tests count
  SD-Access usage: Number of fabrics created, number of edge nodes, border nodes, control plane nodes, count of clients on fabric, number of access contracts, number of scalable group tags (SGTs), count of virtual networks, count of IP pools, count of SSIDs
  Automation usage: Number of devices provisioned using PnP, number of golden images and image repo details, number of application policies created/deployed, # favorite apps, # custom apps (set), # consumer apps, # queueing profiles, # excluded devices, # devices in each policy, # draft policies, # policies using nondefault queueing profile

Facilitate customer adoption and customer value

Network device inventory and license entitlement

  Network device inventory (serial number, software version, platform ID, reachability errors)
  License entitlement information (network device type, IP address of network device, Cisco Smart Software Manager registration status, Cisco DNA Center subscription level, hardware support contract coverage, number of days until license expires)

Assist customers in tracking and maintaining license entitlement and renewals

Table 3.           Mandatory Telemetry Data Collected


Data elements

Purpose of collection


  Cisco DNA Center deployment information (Appliance serial number, Appliance platform information, Appliance machine ID, Cisco DNA Center Software Packages Version, First Connection Time, Deployment Mode)
  Operations metrics of Pods (CPU, Disk, Memory, Filesystem, Uptime)
  Scale (Count of number of client devices in the network)
  Cisco.com ID of Super Admin

Required product usage telemetry data is the minimum data necessary to help keep Cisco DNA Center secure, up-to-date, and performing as expected.

For information on Cisco DNA Center privacy, please refer to Cisco’s Personal Data Privacy page:


Cisco DNA Center Feature Descriptions

Cisco DNA Assurance Detailed Feature Description

Table 4.           Cisco DNA Assurance Features and Benefits


Description and benefits

Overall health dashboard

The main Assurance dashboard, which gives a high-level overview of the health of every network device and client on the network, wired and wireless. Provides the top 10 global issues and allows administrator to expand views by geographical site, device list, client list, or topology.

Network health dashboard

General overview of the operational status of every network device managed through Cisco DNA Center. Any poorly connected devices or communication issues will be highlighted, with suggested remediation.

Client health dashboard

General overview of the operational status of every client connected to the network and managed through Cisco DNA Center. Any poorly connected clients or communication issues will be highlighted, with suggested remediation.

Application health dashboard

General overview of the health of all applications on the network. Includes a special section on applications that have been tagged as business relevant. Business-relevant application issues are highlighted, with suggested remediation for any anomalies.

Wireless sensor dashboard

Overview of tests that have been run using Cisco Aironet® Active Sensors. Shows overall tests, connectivity statistics, and top wireless issues discovered by sensors. Includes test results for Dynamic Host Configuration Protocol (DHCP), DNS, host reachability, RADIUS, email, Exchange server, web, FTP, and a complete IP SLA for data throughput speed, latency, jitter, and packet loss. Guided remediation for any test failures.

Streaming telemetry

Enables network devices to send near-real-time telemetry information to Cisco DNA Center, reducing delays in data collection. Some of the other benefits of streaming telemetry include:

  Low and quantifiable CPU overhead
  Optimized data export (key performance indicators [KPI], events)
  Event-driven notifications

Device 360 and Client 360

An Assurance feature allowing viewing and troubleshooting device or client from any angle or context. Included are information on health trends, topology, application experience and KPIs.

Path trace

Allows the operator to visualize the path of an application or service from the client through all devices and to the server. A common, and critical, troubleshooting task that normally requires 6 to 10 minutes is displayed instantly upon clicking on a client or application. Troubleshoots issues along the network path.

  Run a path trace from source to destination to quickly get key performance statistics for each device along the network path
  Identify access control lists (ACLs) that may be blocking or affecting the traffic flow

Network time travel

Allows the operator to see device or client performance in a timeline view to understand the network state when an issue occurred. Allows an operator to go back in time up to 14 days and see the cause of a network issue, instead of trying to re-create the issue in a lab.

  Rewind time to when the issue occurred
  History shows critical events
  All the information on the user or network device changes to the selected time

On-device analytics

Assurance and analytics are performed on a Cisco switch, router, or wireless controller where the anomaly was discovered. Critical metrics can be identified and immediately acted on before an incident occurs. KPIs that are core to business operations can be maintained in real time, and close to the users that rely on them.

Cisco AI Network Analytics

Using AI and machine learning, Cisco AI Network Analytics drives intelligence in the network, empowering administrators to accurately and effectively improve performance and issue resolution. We are taking network analytics to a new level where noise and false positives are significantly reduced when enabling customers to very accurately identify issues, trends, anomalies, and root causes.

Intelligent issue detection and analysis

  AI-driven personalized baselining: No two networks are the same. AI-driven technologies can learn the user trends, services, and application metrics that are specific to your network. Cisco DNA Assurance can then create a customized performance curve for analytical decisions. The AI-driven baseline for the performance parameters that are unique to your network is constantly adapted as your network grows and changes. From there, the AI-driven analytics engine (both on premises and in the Cisco cloud) can make accurate decisions for what is normal and what is not, based on this personalized baseline.
  AI-driven anomaly detection: This capability surfaces any deviation from our AI-created personalized baseline for this network, allowing Cisco DNA Center to make sense of all the network data. The system can accurately detect performance issues and ignore unusual but harmless network anomalies. This reduces noise while accurately identifying anomalies that have the greatest impact on your network. AI-driven predictive analytics and proactive insights allow users to anticipate and prevent failures. Here, the machine learning engine can predict increases in Wi-Fi interference, onboarding delays, office traffic load, etc. This is because, in IP networks, a problematic event is often preceded by a benign event or series of events. By learning how series of events are correlated to one another, predictive analytics can help network administrators anticipate the unexpected.
  AI-driven accelerated remediation: Cisco AI Network Analytics provides accelerated remediation through machine learning, which identifies the most critical variables related to the root cause of a given problem. This helps users detect issues and vulnerabilities, perform complex root cause analysis (using a machine reasoning engine), and execute corrective actions faster than ever. In coming releases, we will enable machine reasoning to execute the logical troubleshooting steps that an engineer would perform in order to resolve a problem. Both of these capabilities accelerate remediation, making your team more precise in problem solving and more productive overall.
  The addition of an intelligent machine reasoning engine (MRE) allows for further intelligence in Cisco DNA Center. Included is the ability to discover Layer 2 spanning tree loops in your non-fabric (legacy Layer 2) network. Additionally, the MRE will scan current switch inventory for outdated images, PSIRT alerts, and suspicious configurations. These abilities are outlined further below under “AI Analytics Security Advisories.”

Extended application visibility to switch and wireless controllers

Application visibility allows Cisco DNA Assurance to monitor a user’s application usage, even from a switch or wireless controller. By using switches and wireless controllers, Cisco DNA Center customers will have a complete view of application visibility across the campus network infrastructure.

Wi-Fi Analytics for Apple iOS clients

A joint development with Apple, Wi-Fi Analytics for Apple iOS offers Cisco DNA Assurance insights into the performance and experience of iOS clients (iPhone/iPad) on the wireless network. It allows the administrator to view wireless performance from the perspective of the iOS client.

  Supports per-device-group policies and analytics

      Client details, such as iPhone model and iOS information

  Provides insights into the client’s view of the network

      Basic Service Set Identifier (BSSID)

      Received Signal Strength Indicator (RSSI)

      Channel number

  Provides clarity regarding the reliability of connectivity

      Client reasons, such as error codes for last disconnection

Application experience

Tracks performance of predefined “critical business applications.” Shows user experience and performance metrics. Provides specialized rapid troubleshooting per application and per client. Provides unparalleled visibility and performance control over the applications that are critical to your core business, on a per-user basis. Multimedia monitoring uses Perfmon processing for Real-Time Protocol (RTP) streams, allowing teams to verify the quality of critical real-time applications such as multimedia. URL monitoring provides visibility into cloud-based (URL-based) applications so that their performance is optimized. Application experience provides users the performance they need on the applications key to their company role.

Intelligent Capture

Intelligent Capture uses network sensors within the Aironet Active Sensor and the Aironet 4800 AP to provide advanced troubleshooting for wireless issues. It includes anomaly-based packet captures, on-demand RF scanning, real-time client location, and Wi-Fi application analytics. This feature offers a high level of wireless service guarantee based on detailed and proactive analysis of wireless performance per access point or per Wi-Fi client. It allows system administrators to prepare for special events or VIP visits, or simply to troubleshoot a stubborn wireless issue.

List of correlated insights

Table 5.           Correlated insights



Wireless issues

Client onboarding

  Association failures
  Authentication failures
  IP address failures
  Client exclusion
  Excessive onboarding time
  Excessive authentication time
  Excessive IP addressing time
  AAA, DHCP reachability

Client experience

  Throughput analysis
  Roaming pattern analysis
  Sticky client
  Slow roaming
  Excessive roaming
  RF, roaming pattern
  Dual-band clients prefer 2.4 GHz
  Excessive interference
  Apple iOS client disconnect

Network coverage and capacity

  Coverage hole
  AP license utilization
  Client capacity
  Radio utilization

Network device monitoring

  Crash, AP join failure
  High availability
  CPU, memory
  Flapping AP, hung radio
  Power supply failures

Sensor issues

Sensor onboarding

  Association failures
  Authentication failures
  IP address failures
  Sensor exclusion
  Excessive onboarding time
  Excessive authentication time
  Excessive IP addressing time
  AAA, DHCP reachability

Sensor experience

  Throughput analysis
  Outlook web response time
  Web server response time
  SSH server response time
  Mail server response time
  FTP server response time
  Excessive radio interference

Routing issues

Router health

  High CPU
  High memory

Routing technologies

  BGP AS mismatch, flap
  OSPF adjacency failure
  Enhanced Interior Gateway Routing Protocol (EIGRP) adjacency failure


  Interface high utilization
  LAN connectivity down/flap
  IP SLA to SP gateway connectivity

Switching issues (non fabric)

Client onboarding

  Client or device DHCP
  Client or device DNS
  Client authentication or authorization


  CPU, memory, temperature
  Line card
  Power over Ethernet (PoE) power
  Ternary Content-Addressable Memory (TCAM) table

SD-Access issues

Border and edge reachability

  Control plane reachability
  Edge reachability
  Border reachability
  Routing protocol
  MAP server

Data plane

  Border and edge connectivity
  Border node health
  Access node health
  Network services DHCP, DNS, AAA

Policy plane

  ISE or pxGrid connectivity
  Border node policy
  Edge node policy

Client onboarding

  Client or device DHCP
  Client or device DNS
  Client authentication or authorization


  CPU, memory, temperature
  Line card
  PoE power
  TCAM table

Cisco DNA Automation detailed feature description

Table 6.           Cisco DNA Automation features and benefits


Description and benefits

Network discovery

Automatically discovers and maps network devices to a physical topology with detailed device-level data. The discovery function uses the following protocols and methods to retrieve device information, such as IP addresses, neighboring devices, and hosts connected to the device:

  Cisco Discovery Protocol
  Link Layer Discovery Protocol (LLDP) for endpoints
  IP Device Tracking (IPDT) and ARP entries for host discovery
  LLDP Media Endpoint Discovery (LLDP-MED) for discovering IP phones and some servers
  Simple Network Management Protocol (SNMP) versions 2 and 3

Network Information Database (NIDB)

Periodically scans the network to create a “single source of truth” for IT. This inventory includes all network devices, along with an abstraction for the entire enterprise network. It keeps an updated inventory of devices and software images on that device for version control. The NIDB provides data to applications (such as SWIM, and EasyQoS) so that the correct device and image version are used. It allows applications to be device independent, so configuration differences between devices aren’t a problem.

Meraki discovery and integration

Provides for the discovery of all Meraki devices on the network and integrates them into the Cisco DNA Center dashboard. It provides for a single pane of glass for both Cisco and Meraki devices.

Network design and profile-based management

Allows you to manage your network in a hierarchical fashion by letting you add areas and buildings on a geospatial map. You can start by defining your sites, then add buildings to sites, and finally add floors with detailed floor plans to the buildings. Cisco DNA Center lets the user define profiles, which consist of common network settings such as device credentials, DHCP, DNS server, AAA server, IP address pool, etc., Wireless settings such as SSIDs and RF profiles can be created globally and customized at site levels. These profiles form the basis for network automation.

Network Plug and Play (PnP)

Zero-touch provisioning for new device installation. Allows off-the-shelf Cisco devices to be provisioned simply by connecting them to the network. Cisco Network PnP provides a highly secure, scalable, seamless, and unified zero-touch-deployment experience for customers across Cisco's entire enterprise network portfolio of wired and wireless devices. Deploy new devices in minutes, and without onsite support visits. Eliminate repetitive tasks and eliminate staging. Network PnP reduces the burden on enterprises by greatly simplifying the deployment process for new devices, which can significantly lower Operating Expenditures (OpEx) as well. For more details, refer to the data sheet for the Network Plug and Play application.


Software image management (SWIM)

Manages software upgrades and controls the consistency of image versions and configurations across your network. Speeds and simplifies the deployment of new software images and patches. Pre- and post-checks help ensure no adverse effects from an upgrade. This is an easy to way to build a central repository of software images and apply them to devices. Administrators can mark software images as golden for a device family, allowing them to upgrade devices to the software image and patch versions that are in compliance with the golden versions defined in the repository.

  Golden images: Intent-based network upgrades allow for image standardization, much desired by network administrators
  Pre- and post-checks allow network administrators more control over and visibility into network upgrades

Patches are supported in Cisco DNA Center from intent to pre- and post-checks in the same way that we manage regular images

ROMMon support for SWIM

The SWIM ROMMon upgrade feature optimizes already scheduled downtime by allowing users to join ROMMon upgrades with regular upgrades. The ROMMon feature in SWIM eases the task of upgrading ROMMon images on supported Cisco devices.

Device replacement and RMA workflows

Workflow templates allow for the replacement (RMA) of a switch and router. Includes restoration of IOS, configuration and license. Also completes device replacement in operational systems such as Cisco ISE, Certificate Servers, and Cisco DNA Center inventory. Saves time and retains existing setup, licenses, and KPI trends.

PMP Bulk Update (Day 0)

Simplified workflows for updating device images and configurations via easy Day-0 steps.

Fog Director

Ability to manage and view Cisco industrial devices via connection with Cisco Fog Director. Fog Director delivers the capability to manage large-scale production deployments of Cisco IOx-enabled fog applications.

SMU patching

Provides patching for Software Maintenance Upgrade (SMU) recommendations and reduces the effort required to manually search for, identify, and analyze SMUs that are needed for a device. Cisco DNA Center automatically provides SMU management for multiple Cisco IOS® XR platforms and releases. Automates the patching process and allows most bug fixes to be patched with minimal network disruption.

Branch deployment automation

Simplified workflows for physical and virtual branch automation; day-0 router/NFV design. Onboard WAN devices and services via easy steps:

1. Configure network settings, service provider, and IP pools

2. Design a router or virtual profile

3. Assign to sites and provision network devices

Enterprise Network Functions Virtualization (ENFV) automation

Facilitates branch virtualization on any hardware device, Cisco or third-party. Saves time in setting up network virtual services. Supports existing branch migration without hardware upgrade. This feature includes full NFV management.

Wireless automation

Intent-based workflows for simplified wireless deployment and automation

  Network profiles: A container of wireless properties that can represent single or multiple sites
  Simplified guest and SSID creation
  Advanced RF support for wireless networks
  A single workflow to enable flex or centralized wireless deployment
  PnP provisioning for APs
  IP ACL support
  Access and access control policy for SD-Access Wireless only

Device tagging

An administrator can tag network devices in order to associate devices that share a common attribute. For example, you can create a tag and use it to group devices based upon a platform ID, Cisco IOS release, or location. Allows for grouping of devices based on specialized needs.

Policy creation

Allows the creation of policies based on business intent for a particular part of the network. Users can be assigned policies for the services that they consume, and these policies follow them throughout the network. Policies are translated by Cisco DNA Center into network-specific and device-specific configurations that can be adjusted dynamically based on network conditions. Of foundational importance for intent-based networking, policies define the business intent that is desired and allow the network to guarantee services.

Application policy creation

Allows policies to be assigned to applications based on business relevance. These applications can then be attached to sites (locations) where the policy should be applied. This feature allows business-critical applications to have greater QoS priority in the sites where their use is relevant. It is important for mission-critical applications such as machine-to-machine control in manufacturing or life-saving devices in healthcare, as well as for business-critical applications such as video in customer experience centers or voice in support sites.

Cisco Software-Defined Access (SD-Access) Key Features

Table 7.           SD-Access Features and Description



Fabric infrastructure

  Automated external connectivity handoff using Virtual Routing and Forwarding Lite (VRF-Lite), and BGP Ethernet VPN (BGP-EVPN)
  Fabric in a box without control plane
  Bonjour support for Cisco SD-Access

Fabric assurance

  KPIs, 360-degree views for client, AP, Wireless Controller (WLC), and switch 

      Underlay and overlay correlation

      Device health: Fabric border and edge, CPU, memory, temperature, line cards, modules, stacking, PoE power, TCAM

      Data plane connectivity: Reachability to fabric border, edge, control plane, and DHCP, DNS, and AAA

      Policy: Fabric border and edge policy, ISE and pxGrid connectivity

      Client onboarding: Client and device DHCP and DNS, client authentication and authorization

Fabric wireless

  Wireless guest with ISE (Central Web Authentication) 
  Wireless guest support on separate guest border and control plane and wireless guest support as separate Virtual Network (VN) on enterprise border and control plane
  Same SSID for traditional and fabric on same WLC (mixed mode)
  WLC Stateful Switchover (SSO)
  Wireless multicast
  Multiple virtual networks for guest
  Embedded wireless support on fabric edge
  Guest web passthrough
  Sleeping client timeout


  Pre-check and post-check workflow validations
  ISE Primary Administration Node (PAN) High Availability (HA) support (includes pxGrid, Monitoring and Troubleshooting [M&T])
  Distributed ISE Policy Service Node (PSN) support (two per site)
  Same ISE instance for fabric and traditional (brownfield) deployments
  Cisco Secure Access Control System (ACS) and ISE for TACACS+ authentication of network devices
  HA support for Cisco DNA Center
  Policy-protected Command-Line Interface (CLI) configuration
  Software image and patch management
  License management
  Backup and restore
  Task scheduler
  Group-Based Access Control Policies

Distributed campus

  Automated intersite connectivity
  End-to-end policy and segmentation

Fabric infrastructure optimizations

  Device sensor for host onboarding
  Server connectivity for fabric edge
  Support for up to six control plane nodes
  LAN automation hardening
  Cisco DNA Center template-based configurations in fabric deployments for key use cases
  Border handoff enhancements: 4-byte ASN support
  Two fabrics in a box at a site are supported without embedded wireless
  Lan Automation support for Nexus 9500 as intermediate node but not as seed

Simplified migrations

  Layer 2 handoff at border: Common subnet inside and outside fabric for SD-Access migration in brownfield network
  Layer 2 flooding: Fabric support for end hosts that require Layer 2 flooding, for example, building management systems, audio-visual equipment, etc.
  Catalyst 9500H series support for  Layer 2 handoff

SD-Access extension for IoT

Automation functionality is extended to the fabric edge to support IoT deployments where "extended node" devices are outside the "carpeted network." Allows greater functionality to wired and wireless devices in applications such as industrial process control, digital cities, oilfields, mining, and outdoor video surveillance. 

IPv6 endpoint support

This feature introduces the capability to support IPv6 wired and wireless endpoints that are dual stacked.

Group-based policy

A major new capability in Cisco DNA Center for configuring, viewing, and editing groups and policies. Through a logical matrix interface, administrators can manage user access controls and segmentation using scalable groups, instead of IP address or VLANs. IT teams can create and manage SGTs from within Cisco DNA Center without having to open ISE or other network policy servers. Scale for group-based policy is as follows:

  Up to 4000 scalable groups
  Up to 500 access contracts
  Up to 25,000 policies

Third-party NPS

Support for third-party Network Policy Servers (NPS) has been a request from our users, and now it is here. Cisco DNA Center can now integrate with your third-party NPS, or Cisco ISE – the choice is yours.

AI-Analytics security advisories

This feature uses the Machine Reasoning Engine (MRE) to identify potential vulnerabilities in the network.  The MRE can be dynamically updated from the Machine Reasoning Knowledge Base to identify new security issues. Cisco DNA Center supported switches and routers can be scanned to identify software images that have a security advisory or security advisories. Identifying security advisories is a very time-consuming task that can be automated through the advanced MRE technology.

NetFlow automation for Encrypted Traffic Analytics (ETA) support

In order for Stealthwatch to be able to detect malware in encrypted traffic, network devices must be configured to send NetFlow and encrypted traffic to Stealthwatch. This new Cisco DNA Center feature allows users to configure select switches and routers to send data to Stealthwatch by using the Stealthwatch Security Analytics service. The service also allows users to configure select switches to send NetFlow to Stealthwatch for devices that do not support ETA.

For more details on Software-Defined Access, visit SD-Access solution on Cisco.com.

Cisco DNA Center system capabilities

Table 8.           System capabilities


Description and benefits

Role-Based Access Control (RBAC)

Allows users to be mapped to one of the four predefined roles. The role determines what types of operations a user can perform within the system.

Backup and restore

Supports complete backup and restore of the entire database for added protection.

ISE integration

Integrates with ISE through pxGrid or API for fabric overlay support.

Cisco DNA Center platform capabilities

Table 9.           Platform capabilities


Description and benefits

Northbound REST APIs

The Cisco DNA Center platform supports Representational State Transfer (REST) APIs at the northbound layer for programmability. The Cisco DNA Center API provides support for the following features:

  Discovery, device inventory, network topology
  SWIM, Plug and Play (PnP)
  Template programmer, command runner
  Assurance: Site, device, and client health monitoring, path trace
  NFV provisioning

IT Service Management (ITSM) integration

The ITSM integration minimizes the need for handoffs, deduplicates issues, and optimizes processes for proactive insights and faster remediation. Out-of-the-box integration exists with ServiceNow. The generic APIs exposed by the Cisco DNA Center platform enable partners and developers to integrate with any ITSM system.

IP Address Management (IPAM) integration

This integration allows for a seamless import of IP pools for Cisco DNA Center workflows from external IPAM systems and the synchronization of IP pool and subpool usage information between the two systems. Out-of-the-box integration exists with Infoblox and Bluecat. The Cisco DNA Center platform provides generic APIs to integrate with any IPAM system.

Events and notifications

The Cisco DNA Center platform webhooks allow third-party applications to receive notifications and listen to any events detected by Cisco DNA Assurance, Automation, and other task-based operational workflows.

Multivendor SDK

The Cisco DNA Center Multivendor Device Pack SDK allows partners to add support for managing third-party devices directly via Cisco DNA Center.

Meraki Visibility in Cisco DNA Center

For existing Meraki branch customers who want to explore using Cisco DNA Center and Cisco Catalyst® 9000 family switches, or for customers with mixed environments, Cisco DNA Center now offers a single management pane of glass. This is an API-driven dashboard integration that supports all existing Meraki hardware and software at no additional license cost.

Meraki and Cisco DNA Center Integration

Figure 3.               

Meraki and Cisco DNA Center Integration

Features and benefits

     Single dashboard inventory across all platforms (Meraki, Cisco Catalyst, Cisco Integrated Services Routers [ISRs], Aironet®)

     Up-or-down status of all devices in a single platform

     Use existing Meraki API keys; no additional license required

     Combined topology mapping of hybrid environments

     Ability to assign SSIDs to Meraki access points from within Cisco DNA Center ( version and newer)

Cisco DNA Center Appliance: Scale and Hardware Specifications

This new second generation (Gen2) of the Cisco DNA Center appliance is available in three form factors and comes with the Cisco DNA Center image preloaded on it and ready for installation. Notice that the entry-level Gen2 appliance (DN2-HW-APL) has the same size, performance, and capacity specifications as the first-generation (Gen1) Cisco DNA Center appliance (DN1-HW-APL). The reason for the change is to put all three Gen2 appliances on the newer Cisco UCS® M5 Series. If you currently have a Gen1 appliance (based on the Cisco UCS M4 Series), there is no need to upgrade, and there is no advantage to upgrading, since both Gen1 and Gen2 entry appliances are based on 44 core processing units. Customers looking for greater performance, in order to support more capacity, are advised to upgrade to the 56-core “midsize” Gen2 appliance (DN2-HW-APL-L) or the 112-core “large” Gen2 appliance (DN2-HW-APL-XL). Table 10 captures the scale information for Cisco DNA Center Release

Table 10.       Scale and Hardware Specifications


Scale and Hardware Specifications

Scale and Hardware Specifications

Scale and Hardware Specifications

DN2-HW-APL-L (mid-size)

DN2-HW-APL (entry)

DN2-HW-APL-L (mid-size)

DN2-HW-APL-XL (large)

Hardware description

Cisco UCS C220 M5

Rack Server

44 cores

Cisco UCS C220 M5

Rack Server

56 cores

Cisco UCS C480 M5

Rack Server

112 cores

Cisco DNA Center system scale

Number of devices

(switch, router, wireless controller)




Number of wireless access points




Number of wireless sensors




Number of concurrent endpoints




Number of transient endpoints

(over 14-day period)




Ratio of endpoints: Wired








Number of ports




Number of site elements




Number of wireless controllers




API rate limit

50 APIs/min

50 APIs/min

50 APIs/min

Cisco DNA Center SD-Access scale

Number of fabric domains




Number of fabric sites




Number of access points




Cisco DNA Center per fabric site scale

Number of virtual networks




Fabric devices per fabric site




Cisco DNA Center Appliance Physical Specifications

Cisco DNA Center appliance is available in three form factors and comes with the Cisco DNA Center image preloaded on it and ready for installation.

Table 11 shows the appliance specifications.

Table 11.             Physical specifications

Part number for ordering



Hardware series



Power supply

Dual 770W AC

Hot-pluggable, redundant 1600W AC

Physical dimensions (H x W x D)

Height: 1.7 in. (4.32 cm)

Width: 16.89 in. (43.0 cm); including handles:18.98 in. (48.2 cm)

Depth: 29.8 in. (75.6 cm); including handles: 30.98 in. (78.7 cm)

Height: 6.9 in. (17.6 cm)

Width: 19 in. (48.3 cm)

Depth including handles and power supplies: 32.7 in. (83.0 cm)

Temperature: operating

1° to 95°F (5° to 35°C)

Derate the maximum temperature by 1°C per every 1000 ft. (305 m) of altitude above sea level.

1° to 95°F (5° to 35°C)

Derate the maximum temperature by 1°C per every 1000 ft. (305 m) of altitude above sea level.

Temperature: nonoperating

-40° to 149°F (–40° to 65°C)

-40° to 149°F (–40° to 65°C)

Humidity: operating

10% to 90%, noncondensing at 82°F (28°C)

10% to 90%, noncondensing at 82°F (28°C)

Humidity: nonoperating

5% to 93% at 82°F (28°C)

5% to 93% at 82°F (28°C)

Altitude: operating

0 to 3000 m (0 to 10,000 ft)

0 to 3000 m (0 to 10,000 ft)

Altitude: nonoperating

0 to 12,192 m (0 to 40,000 ft)

0 to 12,192 m (0 to 40,000 ft)

Network and management I/O

Supported connectors:

One 1 Gigabit Ethernet dedicated management port

Two 1 Gigabit BASE-T Ethernet LAN ports

One RS-232 serial port (RJ-45 connector)

One 15-pin VGA2 connector

Two USB 3.0 connectors

One front-panel KVM connector that is used with a KVM cable, which provides two USB 2.0, one VGA, and one serial (DB-9) connector

Supported connectors:

One 1 Gigabit Ethernet dedicated management port

Two 1 Gigabit BASE-T Ethernet LAN ports

One RS-232 serial port (RJ-45 connector)

One 15-pin VGA2 connector

Three USB 3.0 connectors

One front-panel KVM connector that is used with a KVM cable, which provides two USB 2.0, one VGA, and one serial (DB-9) connector

Cisco DNA Center Device-Aware Fabric VN Limit (Fabric VN Scale)

Table 12 captures the fabric VN limits for devices in the fabric when deploying Cisco DNA Center Release 1.3.

Table 12.       Fabric VN Limits (the current maximum VRF validation is based on a lower limit of 1 and an upper limit of 128, even if the device can support more than 128)

Device series

Max VRFs

Cisco Catalyst 3650 Series Switches


Cisco Catalyst 3850 Series Switches


Cisco Catalyst 4500 Series Switches


Cisco Catalyst 6800 Series Switches

1000 (128)

Cisco Catalyst 6500 Series Switches

1000 (128)

Data center switches (Cisco Nexus® 7000 Series Switches)

4000 (128)

Cisco Cloud Services Router 1000V Series

4000 (128)

Cisco ASR 1000 Series Aggregation Services Routers

4000 (128)

Cisco 4000 Series Integrated Services Routers

4000 (128)

Cisco 4400 Series Integrated Services Routers

4000 (128)

Cisco 4200 Series Integrated Services Routers

4000 (128)

Cisco 4300 Series Integrated Services Routers

4000 (128)

Cisco Catalyst 9300 Series Switches

256 (128)

Cisco Catalyst 9500 Series Switches

256 (128)

Cisco Catalyst 9500H Series Switches

256 (128)

Cisco Catalyst 9400 Series Switches

256 (128)

Cisco Catalyst 9200-L Series Switches


Cisco Catalyst 9200 Series Switches


Roles and privileges

Table 13.       Role-based access control




Users with this role have full access to all of the network-related Cisco DNA Center functions. They do not have access to system-related functions, such as application management, users (except for changing their own passwords), and backup and restore.


Users with this role have view-only access to all Cisco DNA Center functions.


Users with this role have the ability to perform system-level functions within Cisco DNA Center. 


Users with this role have full access to all of the Cisco DNA Center functions. They can create other user profiles with various roles, including those with the Super-Admin-Role.

Device support

Cisco DNA Center provides coverage for Cisco enterprise switching, routing, and mobility products. For a complete list of Cisco products supported, please download our support spreadsheet, which is
regularly updated.


Cisco environmental sustainability

Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions, operations, and extended operations or supply chain is provided in the “Environment Sustainability” section of Cisco’s Corporate Social Responsibility (CSR) Report.

Reference links to information about key environmental sustainability topics (mentioned in the “Environment Sustainability” section of the CSR Report) are provided in the following table:

Sustainability topic


Information on product material content laws and regulations


Information on electronic waste laws and regulations, including products, batteries, and packaging

WEEE compliance

Cisco makes the packaging data available for informational purposes only. It may not reflect the most current legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to date. This information is subject to change without notice.

Cisco Capital

Flexible Payment Solutions to Help You Achieve Your Objectives

Cisco Capital® makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

For more information

See how Cisco DNA Center helps you move faster, lower costs, and reduce risk: https://cisco.com/go/dnacenter.

Learn more