Set Up Crosswork Network Controller

Use the following topics to set up, configure, and access Crosswork Network Controller after installation.

Core features in Crosswork Network Controller

Familiarize yourself with the fundamental features essential for understanding and using Cisco Crosswork Network Controller.

Table 1. Core features in Crosswork Network Controller

Feature

Description

User roles

Use role-based access control to allow each user to access only the software functions needed for their job duties. New users start with full administrative privileges. To grant only the necessary privileges, create user roles and assign the appropriate roles to each user profile.

User accounts

Create separate accounts for each user to maintain a detailed audit record of user activity. Prepare a list of users, decide on usernames and temporary passwords, and create user profiles for each account. You can use TACACS+, LDAP, or RADIUS servers to centrally manage user roles and accounts. For more details, see User authentication systems .

Device-access groups

Device-access Groups (DAGs) are groups of devices that define device access for users. Users associated with DAGs can make configuration changes and provision services on devices within those groups. When creating a user, assign at least one DAG and a role to the user. For more details, see Manage Device Access Groups.

Credential profiles

For the Crosswork Network Controller to access a device or interact with a provider, it must present credentials. Instead of entering credentials each time, you can create credential profiles to securely store this information. The platform supports unique credentials for each access protocol and allows bundling multiple protocols and their corresponding credentials into a single profile. Devices using the same credentials can share a credential profile. For example, if all routers in a particular building share a single SSH user ID and password, you can create one credential profile for Crosswork Network Controller to manage them.

Before creating a credential profile, gather the access credentials and supported protocols needed to monitor and manage your devices. These credentials include user IDs, passwords, SNMPv2 read and write community strings, and SNMPv3 authentication and privilege types. For other providers (NSO, SR-PCE, Storage, Alert, and WAE), you always need user IDs, passwords, and connection protocols. Use this information to create credential profiles.

Tags

Tags are simple text strings that you can attach to devices to help group them. The Crosswork Network Controller includes a short list of pre-made tags for grouping network devices. You can also create your own tags to identify, find, and group devices for various purposes.

Plan a preliminary list of custom tags to create when setting up the system. Use these tags to group your devices when you first onboard them. You can always add more tags later, so a complete list is not necessary at the start. Add all planned tags before they are needed. If any tags are missing, add them manually at that time. For more details, see Manage tags.

Providers

Crosswork Network Controller applications rely on external services like Cisco Crosswork Network Services Orchestrator (NSO) or SR-PCE for tasks such as configuration changes and segment routing path computation. To manage access and reuse information between Crosswork Network Controller applications, configure a provider (for example, NSO or SR-PCE) for each external service. The provider family determines both the type of service supplied to Crosswork Network Controller and the unique parameters required for configuration. The parameters needed to configure a provider depend on the type of Crosswork Network Controller application used. It is important to review and gather each application's requirements before configuring a provider. For more information, see Providers and Provider families.

The main providers used with Crosswork Network Controller are:

  • Cisco Crosswork Network Services Orchestrator (NSO) is used by many Crosswork Network Controller applications to make changes to device configurations and provision services on devices. To add NSO as a provider, you need the IP address and credentials used for communication. For more details, see Cisco NSO providers.

    Note

     

    Additional steps are required when using NSO in LSA mode. For more details on these steps, see NSO layered service architecture (LSA) deployment.

  • If you plan to use Crosswork Optimization Engine, at least one Cisco SR-PCE provider must be defined to discover devices and distribute policy configurations to devices. Additional SR-PCEs can be used for more complex network topologies and redundancy. You can manually add devices to the system or auto-onboard them using SR-PCE discovery. Decide on your process for deployment and configuration before making configuration changes.

Devices

You can onboard devices using the UI, a CSV file, an API, SR-PCE discovery, or zero-touch provisioning. The onboarding method determines the type of information needed to configure a device in Crosswork Network Controller. Also, Crosswork Network Controller can forward device configuration to NSO, which may affect how you provision an NSO provider. For more information, see Add and Configure Devices.

Note

 

For information on device configuration, device monitoring, and device management workflows, see the Crosswork Network Controller 7.2 Device Lifecycle Management guide.

External data destinations

Crosswork Network Controller functions as the controller for the Crosswork Data Gateway. Operators planning to have Crosswork Data Gateway forward data to other data destinations must understand the format required by those destinations and other connection requirements.

Labels

If you plan to use Change Automation, labels are used to restrict which users can execute a playbook. For example, you may allow lower-level operators to run check playbooks but use labels to prevent them from running more complex or impactful playbooks that make changes to network device configurations.

KPI profile

If you plan to use Crosswork Health Insights, use KPI (Key Performance Indicator) profiles to monitor network health. You can establish unique performance criteria based on how a device or devices are used in the network. KPIs can be grouped to form a KPI Profile. It is helpful to have a clear idea of the data you plan to monitor and the performance targets you want to establish as you set up Health Insights.

Device monitoring samples

If you plan to install the Crosswork Service Health application, you should review the provided samples to determine if they are adequate for monitoring devices in your network.

Note that you can capture the devices, credential profiles, tags, and providers lists in spreadsheet form, convert the spreadsheet to CSV format, and then upload them in bulk to the Crosswork Network Controller application using the Import feature. You can access CSV templates for each of these lists by clicking the Import icon in the corresponding places in the user interface. Select the Download template link when prompted to choose an export destination path and filename.

Tasks to complete for initial setup

This topic guides you through preparing the system for use when deploying Crosswork Network Controller, whether as a cluster or a single VM.

This table lists the topics to refer to for assistance when performing each of the following tasks. If you have completed the recommended planning steps outlined in the Core features in Crosswork Network Controller, you should have all the information required to complete each step in this workflow.


Note

This workflow assumes that you have already installed Crosswork Network Controller based on the instructions in the latest version of the Cisco Crosswork Network Controller 7.2 Installation Guide .

Table 2. Tasks to complete to get started with Crosswork Network Controller
Step Action

1. Ensure that your devices are configured properly for communication and telemetry.

Refer to the guidelines and sample configurations in Configuration prerequisites for new devices.

2. Create user accounts and user roles.

Follow the steps in Manage Users and Create User Roles.

3. Create credential profiles.

Follow the steps in Manage credential profiles.

4. Add the provider(s).

Follow the steps in Providers and Add a provider.

Note

 

In case of the single VM deployment of Crosswork Network Controller Advantage tier, the embedded NSO provider is already added and configured during the deployment.

5. Validate communications with the provider(s).

Check on the provider's reachability using the steps in Get provider details.

6. Import or create tags.

To import them: Import tags.

To create them: Create tags.

7. Onboard your devices.

See Add and Configure Devices.

For more information, see the Cisco Crosswork Network Controller 7.2 Device Lifecycle Management guide.

8. Setup Crosswork Data Gateway

For cluster deployment, follow the steps in Crosswork Data Gateway setup, management, and troubleshooting.

For single VM deployment, follow the steps in Embedded Collectors in single VM deployments.

9. Validate Crosswork Network Controller communications with devices.

Review the Devices window. All the devices you have onboarded should be reachable.

Click Details icon to investigate any device whose Reachability State is marked as Unreachable icon (unreachable), Degraded icon (degraded), or Reachability Unknown icon (unknown).

For more information, see the Cisco Crosswork Network Controller 7.2 Device Lifecycle Management guide.

10. (Optional) Enable source IP for auditing.

If you want to log the user's IP address for auditing and accounting, see Configure AAA settings.

11. (Optional) Create additional user accounts and user roles.

Follow the steps in Manage Users and Create User Roles.

12. (Optional) Import or create additional credential profiles and providers.

To import providers: Import providers.

To add providers: Add a provider.

13. (Optional) Group your devices logically as per your requirement.

Follow the steps in Use Device Groups to Filter your Topology Map.

14. (Optional) Set display preferences for your topology.

Follow the steps in Upload internal map files for offline use and Show Link Health by Color.

Log in to Crosswork Network Controller

Access the Crosswork Network Controller and manage your account session securely and efficiently.

Crosswork Network Controller provides a browser-based user interface. Security and usability features such as session lockouts, color themes, and password management ensure robust user experience.


Attention

The number of unsuccessful login attempts and lockout timing is set by an administrator in Local Password Policy. For details on lockout settings, see Configure AAA settings.

Before you begin

  • Use a supported browser version. See the Compatibility Information section in the Release Notes for Crosswork Network Controller, Release 7.2.0.

  • Obtain your login credentials. The default administrator username is admin, and the default password is admin. For security reasons, change the password during installation verification.

  • The login page is inaccessible if the Central Authentication Service (CAS) pod is restarting or not running.

Procedure

Step 1

Log in

  1. Open a supported web browser.

  2. Enter one of the following URLs to access the Crosswork Network Controller:

    • For IPv4: https://<Crosswork Management Network Virtual IP (IPv4)>:30603/

    • For IPv6: https://[<Crosswork Management Network Virtual IP (IPv6)>]:30603/

    Note

     

    IPv6 addresses must be enclosed in brackets.

  3. If accessing for the first time, your browser may display a warning that the site is untrusted.

    Follow prompts to add a security exception and download the self-signed certificate, after which future logins are trusted.

  4. The login window appears. Enter your username and password.

    Note

     

    • The administrator account (admin) is created at installation. Its password must be changed during installation verification.

    • Cisco strongly recommends keeping default administrator credentials secure. Do not use the default admin account for routine logins; instead, create user roles with required privileges and assign users accordingly. At least one user should have the admin role.

  5. Click Login.

    Note

     

    Be aware: Repeated unsuccessful login attempts result in account lockout, as configured by your administrator in the Local password policy. After account lockout, wait until the configured time elapses, then log in with valid credentials. For more information, refer to Configure AAA settings.

Step 2

Change password

  1. At any time after logging in, click the User Account icon icon in the top right corner of the main window.

  2. Select Change password.

  3. In the dialog box, enter your current password and new password.

  4. Click Change password to confirm the update.

Note

 

If you need to update the HTTPS (UI admin login) password for the cluster:

  • Update the HTTPS (UI admin login) password at the cluster level, ensuring that the new password applies to the entire cluster rather than to individual nodes.

  • After you update the HTTPS password at the cluster level, immediately update the same password in the geo inventory to maintain consistency and ensure proper authentication across the system.

Step 3

Set color theme

  1. Click the User Account icon icon in the top right corner.

  2. Choose either Classic light or Classic dark from the color theme options.

    Note

     

    By default, Classic light is selected.

Step 4

Log out

  1. Click the User Account icon icon in the top right corner.

  2. Select Logout.

    • If you have multiple sessions open from the same client (across multiple browser tabs/windows) and log out or terminate a session in one tab/window, only the tab/window where logout was performed displays the logout screen.

    • All other tabs/windows show the error message: “Your session has ended. Log into the system again to continue.”
You have securely logged in to Crosswork Network Controller, managed your credentials, customized your color theme, and logged out. All personal session data is protected and terminated as required.

What to do next

If you changed your password, ensure you remember your new credentials. After logging out, close all browser tabs or windows to fully terminate access.