Compliance Audit for Network Devices

Compliance overview

Compliance helps identify deviations from intent and out-of-band changes in the network, that is, configuration that may have been injected or reconfigured outside Catalyst Center without the original intent content being changed.

A network administrator can conveniently identify devices in Catalyst Center that do not meet compliance requirements for the different aspects of compliance, such as software images, PSIRT, network profiles, and so on.

Compliance checks can be automated or run on demand.

  • Automated compliance check: Uses the latest data collected from devices in Catalyst Center. This compliance check listens to the traps and notifications from various services, such as inventory and SWIM, to assess data.

  • Manual compliance check: Lets you manually trigger the compliance in Catalyst Center.

  • Scheduled compliance check: A scheduled compliance job runs every day at 11:00 pm and triggers the compliance check for devices on which the compliance check was not run in the past seven days.

Types of compliance

Each compliance type is described below with its compliance check and the compliance statuses it can report.

Startup versus Running Configuration

This compliance check helps in identifying whether the startup and running configurations of a device are in sync. If the startup and running configurations of a device are out of sync, compliance is triggered and a detailed report of the out-of-band changes is displayed. The compliance for startup vs. running configurations is triggered within 2 minutes of any out-of-band changes.

Note

Catalyst Center must be configured as a syslog server in the Design > Network Settings > Telemetry > Syslogs window for syslog-based collection to work.

  • Noncompliant: The startup and running configurations are not the same. In the detailed view, the system shows the differences between the startup and running configurations, or between the running and the previous running configuration.

  • Compliant: The startup and running configurations are the same.

  • NA (Not Applicable): The device, such as AireOS, is not supported for this compliance type.

Software Image

This compliance check helps a network administrator to see if the tagged golden image in Catalyst Center is running on the device. It shows the difference between the golden image and the running image for a device. When there is a change in the software image, the compliance check is triggered immediately without any delay.

  • Noncompliant: The device is not running the tagged golden image of the device family.

  • Compliant: The device is running the tagged golden image of the device family.

  • NA (Not Applicable): The golden image is not available for the selected device family.

For Fabric Devices:

  • Noncompliant: The device is not running the tagged golden image of the device family, or the current software image version is not compatible with the network device.

    See the Cisco SD-Access Compatibility Matrix for the supported and recommended software image versions for your device.

  • Compliant: The device is running the tagged golden image of the device family, or the current software image version is compatible with the device.

  • NA (Not Applicable): The golden image is not available for the selected device family, or the device is not added to a fabric site.

For Cisco Switch Stacks: Catalyst Center allows the network administrator to check if the tagged golden image is running on the primary switch and members of switch stacks.

  • Noncompliant: The tagged golden image is not running on the primary switch and member switches.

    Also, the device will be noncompliant if golden tagging is not applicable for the device and the member switches are not running the same image version as the primary switch.

  • Compliant: The tagged golden image is running on the primary switch and member switches.

    Also, the device will be compliant if no golden tagging is applicable for the device and the member switches are running on the same image version as that of the primary switch.

  • NA (Not Applicable): The golden image is not applicable for the device, and the device is not a stacked switch.

Critical Security (PSIRT)

This compliance check enables a network administrator to check whether the network devices are running without critical security vulnerabilities.

  • Noncompliant: The device has critical advisories. A detailed report displays further information about them.

  • Compliant: There are no critical vulnerabilities in the device.

  • NA (Not Applicable): The security advisory scan has not been done by the network administrator in Catalyst Center, or the device is not supported.

Network Profile

Catalyst Center allows you to define the intent configuration using network profiles and push the intent to the device. If any violations are found at any time due to out-of-band or any other changes, this check identifies, assesses, and flags them. The violations are shown to the user under Network Profiles in the compliance summary window.

Note

Network profile compliance is applicable for routers, switches, and wireless controllers.

  • Noncompliant: The device is not running the intent configuration of the profile.

  • Compliant: While applying a network profile to the device, the device configurations that are pushed through Catalyst Center are actively running on the device.

  • Error: The compliance could not compute the status because of an underlying error. For details, see the error log.

Fabric (SDA)

This feature is in beta.

Fabric compliance helps to identify fabric intent violations, such as any out-of-band changes for fabric-related configurations.

The fabric compliance status does not participate in determining the overall compliance status of the device, as the feature is in the beta stage.

  • Noncompliant: The device is not running the intent configuration.

  • Compliant: The device is running the intent configuration.

SD-Access Unsupported Configuration

This feature is in beta.

This compliance check enables you to identify unsupported SD-Access configurations. When a device is added to a fabric site, the compliance check is triggered immediately.

To view the unsupported SD-Access configurations on a noncompliant device, click Unsupported Configuration. Under the Unsupported Configuration area, unsupported SD-Access configurations are highlighted in red.

Note

For devices that are not added to a fabric site, this compliance check is not used.

  • Noncompliant: The device is running some configurations that are not supported for SD-Access.

  • Compliant: The device is running the configurations that are supported for SD-Access.

Application Visibility

Catalyst Center allows you to create an application visibility intent and provision it to a device through CBAR and NBAR. If there is an intent violation on the device, this check identifies, assesses, and shows the violation as compliant or noncompliant under the Application Visibility window.

The automatic compliance checks are scheduled to run 5 hours after traps are received.

  • Noncompliant: The CBAR/NBAR configuration is not running on the device.

  • Compliant: The intent configuration of CBAR/NBAR is running on the device.

Model Config

This compliance check enables the network administrator to check any mismatch from the designed intent of Model Config. The mismatch is shown under Network Profile in the Compliance Summary window.

  • Noncompliant: There is a mismatch in the actual and intended value of the attributes in Model Config.

  • Compliant: The attributes in Model Config match the intended value.

CLI Template

Catalyst Center allows the network administrator to compare the CLI template with the running configuration of the device. The mismatch in the configuration is flagged. This mismatch is shown under Network Profile in the Compliance Summary window.

To view the flagged CLI commands:

  1. Click the Network Profile tile.

  2. From the CLI Deviations area, choose the CLI template for which you want to view the mismatch.

  3. The CLI commands are displayed in the Realize Template area, and the flagged commands are highlighted in red.

    Note

    Click the View CLI Template Best Practices link to view some of the best practices that must be used in a CLI template to minimize compliance issues.

The running configuration for CLI template compliance is taken from the latest archive that is available for the device. Event-based archive takes at least 2 minutes to update after traps are received. For accurate results, we recommend that you wait at least 2 minutes before running compliance manually after a configuration change.

Catalyst Center must be configured as a syslog server in the Design > Network Settings > Telemetry > Syslogs window for syslog-based collection to work.

Note

There are some limitations in CLI template compliance. See Limitations in CLI template compliance.

  • Noncompliant: There is a mismatch between the CLI template and the running configuration of the device.

  • Compliant: There is no mismatch between the CLI template and the running configuration of the device.

EoX - End of Life

Catalyst Center allows you to check the compliance status for the hardware, software, and module of EoX devices. You can check the EoX compliance status from the Compliance Summary > EoX - End of Life tile.

You can also view the EoX status of devices from the Inventory window, under the EoX Status column.

Note

To enable access to the EoX feature, authorize the CX Cloud Consent to Connect agreement through the Catalyst Center dashboard.

  • Noncompliant: The device is noncompliant if the last date of support has ended.

  • Compliant: The device is compliant if enough time remains until the last date of support.

  • Compliant with Warning: The device is compliant with warning if the last date of support is nearing.

Network Settings

Catalyst Center allows you to define the intent configuration using network settings and to push the intent to the device. If any violations are found at any time due to out-of-band or any other changes, the compliance check identifies, assesses, and flags them.

You can view the violations under Network settings in the Compliance Summary window.

Note

After a UI upgrade, compliance for network settings is triggered after 6 hours.

  • Noncompliant: The device is not running the intent configuration.

  • Compliant: The intent configuration that was pushed is actively running on the device.

  • NA (Not Applicable): The device is not configured with network settings, or the device is not assigned to the site.

Cisco Umbrella

Catalyst Center allows you to identify deviations from the intent Cisco Umbrella configuration that Catalyst Center pushed to the device. If any violations are found, the compliance check identifies, assesses, and flags them.

You can view the violations under Workflow in the Compliance Summary window.

Note

The Cisco Umbrella compliance check is applicable for switches or Cisco Embedded Wireless Controllers. Ensure that the device provisioning is completed.

Also, Cisco Umbrella must be provisioned on the devices. For more information, see Provision Cisco Umbrella on network devices.

  • Noncompliant: The device is not running the intent configuration.

  • Compliant: The intent configuration that was pushed is actively running on the device.

  • NA (Not Applicable): Cisco Umbrella is not configured for the device.

View compliance summary

The inventory page shows an aggregated status of compliance for each device.

Procedure


Step 1

From the main menu, choose Provision > Inventory.

The compliance column shows the aggregated compliance status of each device.

Step 2

Click the compliance status to launch the compliance summary window, which shows the compliance checks that apply to the chosen device:

  • Startup versus Running Configuration

    Catalyst Center allows you to view the details of the out-of-band configuration changes for Startup versus Running Configuration. Hover the cursor over the bubble in the Change History area to view the details.

    This image shows the Startup vs Running Configuration view.

    These details are for out-of-band changes:

    • Lines Added, Removed, Modified: Shows the number of lines that were added, removed, or modified.

    • Triggered By: Displays the configuration change event. For information on events, see Configuration Drift of a Device.

    • Terminal Name, Login IP, Username: Displays the user's terminal name, login IP, and username.

    • Config Method, Timestamp: Displays the configuration method and timestamp of the change done.

      Note

      If the Config Method is memory, it indicates that the device self-generated the configuration.

  • Software Image

  • Critical Security Vulnerability

  • Network Profile

  • Network Settings

  • Fabric

  • SD-Access Unsupported Configuration

  • Application Visibility

  • EoX - End of Life

  • Cisco Umbrella

Note

Network Settings, Network Profile, Fabric, SD-Access Unsupported Configuration, and Application Visibility are optional and display only if the device is provisioned with the required data.
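The Triggered By, Terminal Name, Login IP, Username, Config Method, and Timestamp details listed above correspond to the fields carried by a Cisco IOS configuration-change syslog message, which is one of the sources Catalyst Center listens to when it is configured as a syslog server. The following Python is an added example, not code from the Cisco documentation or from Catalyst Center: it extracts those fields from constructed sample lines and marks a "memory" config method as self-generated, as the note above describes. The `%SYS-5-CONFIG_I` message text is the standard IOS form; the `<timestamp> <hostname> <message>` layout of the sample lines is an assumed relay format.

```python
"""Extract Startup vs Running change-event fields from IOS config-change
syslog messages. Added example; sample lines are constructed."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable, Optional

# Standard IOS message: '%SYS-5-CONFIG_I: Configured from <method> by <user> [on <tty> (<ip>)]'
CONFIG_I = re.compile(
    r"%SYS-5-CONFIG_I: Configured from (?P<method>\S+) by (?P<user>\S+)"
    r"(?: on (?P<tty>\S+) \((?P<ip>[^)]+)\))?$"
)

# Constructed sample lines in an assumed '<timestamp> <hostname> <message>' relay layout.
SAMPLE_SYSLOG = [
    "2024-05-01T10:15:02Z edge-sw-1 %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.0.0.5)",
    "2024-05-01T10:20:44Z edge-sw-1 %SYS-5-CONFIG_I: Configured from memory by console",
    "2024-05-01T10:21:00Z edge-sw-1 %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan111, changed state to up",
    "2024-05-01T10:22:10Z core-rtr-2 %SYS-5-CONFIG_I: Configured from memory by console",
]


@dataclass
class ConfigChange:
    timestamp: str
    host: str
    config_method: str
    username: str
    terminal: Optional[str]
    login_ip: Optional[str]

    @property
    def self_generated(self) -> bool:
        # A 'memory' method means the device loaded its own stored configuration
        # (for example at boot) rather than an operator editing it.
        return self.config_method == "memory"


def parse_config_change(line: str) -> Optional[ConfigChange]:
    """Return the change event in a syslog line, or None if the line is not a CONFIG_I message."""
    try:
        timestamp, host, message = line.split(" ", 2)
    except ValueError:
        return None
    match = CONFIG_I.search(message)
    if match is None:
        return None
    return ConfigChange(timestamp, host, match["method"], match["user"], match["tty"], match["ip"])


def config_change_events(lines: Iterable[str]) -> list[ConfigChange]:
    """All configuration-change events found in the given syslog lines, in order."""
    return [event for event in map(parse_config_change, lines) if event is not None]


def hosts_needing_recheck(lines: Iterable[str]) -> list[str]:
    """Hosts with an operator-driven change, i.e. candidates for a startup vs running
    comparison once the configuration archive has caught up (the page recommends
    waiting about 2 minutes after the trap). Self-generated events are skipped."""
    hosts: list[str] = []
    for event in config_change_events(lines):
        if not event.self_generated and event.host not in hosts:
            hosts.append(event.host)
    return hosts


if __name__ == "__main__":
    for event in config_change_events(SAMPLE_SYSLOG):
        print(event, "self-generated" if event.self_generated else "operator change")
    print("recheck:", hosts_needing_recheck(SAMPLE_SYSLOG))
```

Only the CONFIG_I message is parsed here; other change sources that Catalyst Center may use (inventory resync, traps) are not modelled.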

Manual compliance run

You can trigger a compliance check manually in Catalyst Center.

Procedure


Step 1

From the main menu, choose Provision > Inventory.

Step 2

To run a bulk compliance check:

  1. Choose all the applicable devices.

  2. From the Actions drop-down list, choose Compliance > Run Compliance.

Step 3

To run a per-device compliance check:

  1. Choose the devices for which you want to run the compliance check.

  2. From the Actions drop-down list, choose Compliance > Run Compliance.

  3. Alternatively, click the compliance column (if available) and then click Run Compliance.

Step 4

To view the latest compliance status of a device:

  1. Choose the device and resynchronize its inventory information. See Resynchronize device information.

  2. From the Actions drop-down list, choose Compliance > Run Compliance.

Note

  • A compliance run cannot be triggered for unreachable or unsupported devices.

  • If compliance is not run manually for a device, the compliance check is automatically scheduled to run after a certain period of time, which depends on the type of compliance.

  • CLI Template Compliance compares the realized templates against the running configuration of the device. The running configuration is taken from the latest archive that is available for the device.

  • Event-based archive takes at least 2 minutes to update after traps are received. For accurate results, we recommend that you wait for at least 2 minutes before running compliance manually after a configuration change.

  • Catalyst Center must be configured as a syslog server in the Design > Network Settings > Telemetry > Syslogs window for syslog-based collection to work.


Generate a Compliance Audit Report for network devices

Catalyst Center allows you to retrieve a consolidated Compliance Audit Report that shows the compliance status of individual network devices. With this report, you can get complete visibility of your network.

For more information, see "Run a Compliance Report" in the Cisco Catalyst Center Platform User Guide.

Acknowledge compliance violations

Catalyst Center lets you acknowledge less-important compliance violations of a device and opt those violations out of the compliance status calculation. If required, you can also opt a violation back in to the compliance status calculation.

Procedure


Step 1

From the main menu, choose Provision > Inventory.

Step 2

Click the device name to open a dialog box that provides high-level information for that device. Click the View Device Details link in the dialog box.

The device details window opens.

Step 3

In the left pane, choose Compliance > Summary.

Step 4

In the Compliance Summary window, click the compliance tile for which you want to acknowledge the violations.

You can view the following information in the Open Violations and Acknowledged Violations tables:

  • Model Name

  • Attribute

  • Status: This column shows one of the status states:

    • Added: The attribute is added in the device.

    • Changed: The intent value does not match the device value.

    • Removed: The intent is removed from the device.

  • Intended Value: Shows the intended value as configured by Catalyst Center.

  • Actual Value: Shows the value currently configured on the device.

  • Action: Shows the Acknowledge link for open violations and the Move to Open Violations link for acknowledged violations.

To opt a violation out of the compliance status calculation:

  1. Click the Open Violations tab.

  2. Choose the violation and click Acknowledge in the Actions column.

  3. To acknowledge the violations in bulk, check the check box at the top of the table, or choose multiple violations and click Acknowledge.

  4. In the confirmation window, click Confirm.

    The violation is moved to the Acknowledged Violations tab.

To opt a violation back in to the compliance status calculation:

  1. Click the Acknowledged Violations tab.

  2. Choose the violation and click Move to Open Violations in the Actions column.

  3. To move the violations in bulk, check the check box at the top of the table, or choose multiple violations and click Move to Open Violations.

  4. In the confirmation window, click Confirm.

    The violation is moved to the Open Violations tab.

Step 5

To see a list of attributes that you opted out of the compliance status calculation, click the View Preference for Acknowledged Violations link in the Compliance Summary window.

Step 6

In the Acknowledge Violation Preferences slide-in pane, opt an attribute back in to the compliance status calculation:

  1. Choose the attribute and click Unlist in the Actions column.

  2. For bulk selection, check the check box at the top of the table, or choose multiple violations and click Unlist.

The Models tab shows attributes that are acknowledged for Model Config, Routing, Wireless, Application Visibility, or Fabric. Acknowledged templates are shown under the Templates tab.

Note

  • In the Acknowledge Violation Preferences window, a model with an empty (-) attribute means that the entire model, including its child attributes, is acknowledged.

  • When a violation with the status Added or Removed is acknowledged, Catalyst Center automatically acknowledges similar attributes and their child attributes.

  • An acknowledged child attribute cannot be moved to open violations while a similar violation with the status Added or Removed overrides it.


Synchronize startup and running configurations of a device

When there is a mismatch in the startup and running configurations of a device, you can do a remediation synchronization to match the configurations.

Procedure


Step 1

From the main menu, choose Provision > Inventory.

Step 2

To do a bulk remediation:

  1. Choose all the applicable devices.

  2. From the Actions drop-down list, choose Compliance > Write Running Config to Startup Config.

To do a per-device remediation:

  1. Choose the devices for which you want to do a remediation synchronization.

  2. From the Actions drop-down list, choose Compliance > Write Running Config to Startup Config.

    Alternatively, click the link under the Compliance column and then choose Compliance Summary > Startup vs Running Configuration > Sync Device Config.

Step 3

To view the remedial status of the device:

  1. From the main menu, choose Provision > Inventory.

  2. From the Actions drop-down list, choose Compliance > Check Startup Config Write Status.


Fix compliance violations

Catalyst Center allows you to maintain a compliant network by providing an automated fix for device compliance violations. Any deviation from the intent in the device that is identified in the Catalyst Center compliance check is fixed with this procedure.

Procedure


Step 1

From the main menu, choose Provision > Inventory.

The compliance column shows the aggregated compliance status of each device.

Step 2

Click the compliance status to launch the Compliance Summary window.

Step 3

Click the Fix All Configuration Compliance Issues link at the top of the window.

The Fix Configuration Compliance Issues slide-in pane is displayed.

Note

The link for fixing compliance violations is visible only if a supported category has violations. Otherwise, the link is not shown.

Step 4

In the Fix Configuration Compliance Issues slide-in pane, do these steps:

  1. In the Summary of Issues to be Fixed area, review the compliance violations for the network devices. The Issues Identified column lists the aggregated count of open and acknowledged violations. Click Schedule the Fix.

  2. Schedule the task for deployment.

    Depending on Visibility and Control of Configurations settings, you can either:

Step 5

On the Tasks window, monitor the task deployment.

Note

  • Routing, Wireless Controller HA Remediation, Software Image, Security Advisories, and Workflow-related compliance issues are not addressed in this fix. You can address these separately by using the actions in their respective sections.

  • CLI template compliance has some limitations, because of which some CLI templates may remain noncompliant. For more information, see Limitations in CLI template compliance.

  • In Catalyst Center Release 2.3.7 and later, the intent is updated on Catalyst Center instead of pushing the configuration directly to the device for these changes:

    • For IPDT, if protocol endpoint is discovered.

    • For SNMP trap configuration, if SNMP user group change is detected from the system.

    IPDT configuration is pushed directly to the device for any device role change.


Compliance behavior after device upgrade

  • A compliance check for all applicable devices (devices for which compliance never ran in the system) is triggered after a successful device upgrade.

  • Compliance calculates and shows the status of the devices in the inventory, except for the Startup vs Running type.

  • After the upgrade, the Startup vs Running tile shows as NA with the text "Configuration data is not available."

  • One day after a successful upgrade, a one-time scheduler runs and makes configuration data available for the devices. The Startup vs Running tile then starts showing the correct status (Compliant/Noncompliant) and detailed data.

  • If any traps are received, the config archive service collects configuration data and the compliance check runs again.


Note

In the upgrade setup, ignore any compliance mismatch for the Flex Profile interface. For the interface name, 1 maps to management.


Limitations in CLI template compliance

Catalyst Center allows you to compare a CLI template with the running configuration of the device, so as to identify any mismatch from the intent. Comparator engine limitations include:

  • The CLI Template comparator supports the use of uppercase letters for variables and values. However, you must avoid using uppercase letters for command keywords.

  • The CLI Template comparator supports the use of aliases.

  • Avoid using abbreviated or shorthand commands, which are flagged as noncompliant.

  • If a command is missing and it is at the section level, the section-level commands succeeding the missing command are also flagged. To avoid this problem, use indentation.

    For example, this CLI Template comparator output shows commands without indentation:

    Realized template:
    #interface Vlan111
    #description SVI interface kan-111
    #ip address 111.2.3.4 255.255.255.0
    #ip helper-address 7.7.7.8
    #no mop enabled
    #no mop sysid
    #!

    Running configuration:
    #interface Vlan111
    # description SVI interface kan-111
    # ip address 111.2.3.4 255.255.255.0
    # ip helper-address 7.7.7.7
    # ip helper-address 7.7.7.8
    # no mop enabled
    # no mop sysid
    #!

    Output: These commands are marked as missing:
     # ip helper-address 7.7.7.7
     # ip helper-address 7.7.7.8
     # no mop enabled
     # no mop sysid

    This CLI Template comparator output shows commands with indentation:

    Realized template:
    #interface Vlan111
    # description SVI interface kan-111
    # ip address 111.2.3.4 255.255.255.0
    # ip helper-address 7.7.7.8
    # no mop enabled
    # no mop sysid
    #!

    Running configuration:
    #interface Vlan111
    # description SVI interface kan-111
    # ip address 111.2.3.4 255.255.255.0
    # ip helper-address 7.7.7.7
    # ip helper-address 7.7.7.8
    # no mop enabled
    # no mop sysid
    #!

    Output: The comparator flags only the missing command:
     #ip helper-address 7.7.7.7

  • Interactive and enable mode commands are not compared for compliance. You can use an alternative form of interactive commands by mentioning all the options and values with the commands.

    For example, if the template code is as follows, where #ENABLE and #INTERACTIVE mode command are given together, the commands are not compared.

    #MODE_ENABLE
     #INTERACTIVE
        mkdir <IQ>Create directory<R>xyz
     #ENDS_INTERACTIVE
     #MODE_END_ENABLE
    #end
  • Avoid using ranges in commands, which are flagged by the comparator. Ranges must be used in expanded form.

  • Overriding commands within the same template are flagged. You can avoid mismatch by enclosing the commands within ignore - compliance syntax, as shown in this example.

    Realized template:
    #no banner motd #Welcome to Cisco .:|:.#
    #banner motd #Welcome to Cisco .:|:.#

    Running configuration:
    #banner motd ^CWelcome to Cisco .:|:.^C

    Output:
    • This command is flagged as missing:

       no banner motd #Welcome to Cisco .:|:.#

    • This command is also marked as missing, because the running command is already compared with the preceding command.

       banner motd #Welcome to Cisco .:|:.#

    To avoid mismatch:

    Realized template:
    #! @start-ignore-compliance
     #no banner motd #Welcome to Cisco .:|:#
    #! @end-ignore-compliance
    #banner motd #Welcome to Cisco .:|:.#

    Running configuration:
    #banner motd ^CWelcome to Cisco .:|:.^C

    Output:

    There is no mismatch, because the command enclosed in the syntax is not compared.

  • For later releases of Cisco IOS XE, some default commands are shown only when the show run all command is issued, instead of the show run command. Therefore, these commands do not appear in the running configuration and are flagged as noncompliant.

    Note

    To exclude these default commands from the compliance check, open a support case with the Cisco Technical Assistance Center (TAC).


  • Password-bearing commands are flagged by the comparator, because they are stored in encrypted form on the device.


Note

You can avoid a mismatch for password-bearing commands and some default commands by enclosing the commands in this syntax:

! @start-ignore-compliance
! @end-ignore-compliance

Then, reprovision the template for the changes to appear.


To avoid a mismatch between the CLI template and the running configuration of the device, we recommend that you use commands similar to the running configuration.
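The indentation and ignore-compliance limitations above come down to how a comparator attributes template lines to configuration sections. The Python below is an added, deliberately simplified model written for this page; it is not the Catalyst Center comparator and does not reproduce its exact output. It groups commands by section using indentation, honours the `! @start-ignore-compliance` / `! @end-ignore-compliance` markers, and reports both template commands missing from the device and device commands inside a templated section that the template does not contain. The running configuration, the two interface templates, and the password-bearing `username` line (with placeholder secret and hash values) are constructed from the examples above.

```python
"""Section-aware comparison of a rendered CLI template against a running
configuration. Simplified illustrative model, not the Catalyst Center engine."""
from __future__ import annotations

IGNORE_START = "! @start-ignore-compliance"
IGNORE_END = "! @end-ignore-compliance"

# Constructed running configuration: the interface example from this page plus a
# local user whose secret the device stores hashed (placeholder hash, not real).
RUNNING_CONFIG = """\
hostname edge-sw-1
username netops privilege 15 secret 9 $9$PLACEHOLDERHASH
!
interface Vlan111
 description SVI interface kan-111
 ip address 111.2.3.4 255.255.255.0
 ip helper-address 7.7.7.7
 ip helper-address 7.7.7.8
 no mop enabled
 no mop sysid
!
"""

# Section commands written without indentation (first table above).
TEMPLATE_FLAT = """\
interface Vlan111
description SVI interface kan-111
ip address 111.2.3.4 255.255.255.0
ip helper-address 7.7.7.8
no mop enabled
no mop sysid
!
"""

# The same intent with indentation (second table above).
TEMPLATE_INDENTED = """\
interface Vlan111
 description SVI interface kan-111
 ip address 111.2.3.4 255.255.255.0
 ip helper-address 7.7.7.8
 no mop enabled
 no mop sysid
!
"""

# Password-bearing command wrapped in the ignore-compliance markers (placeholder secret).
TEMPLATE_WITH_SECRET = TEMPLATE_INDENTED + """\
! @start-ignore-compliance
username netops privilege 15 secret PLACEHOLDER_PLAINTEXT
! @end-ignore-compliance
"""


def parse_sections(text: str, honor_ignore_markers: bool = False) -> dict[str, list[str]]:
    """Group commands by their enclosing section.

    An unindented line is a section header (or a global command) and becomes a
    key; indented lines attach to the most recent header. Lines starting with
    '!' are IOS comments and are skipped, except that the ignore markers, when
    honored, suppress everything between them.
    """
    sections: dict[str, list[str]] = {}
    current = ""
    ignoring = False
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped:
            continue
        if honor_ignore_markers and stripped == IGNORE_START:
            ignoring = True
            continue
        if honor_ignore_markers and stripped == IGNORE_END:
            ignoring = False
            continue
        if ignoring or stripped.startswith("!"):
            continue
        if raw[0].isspace():
            sections.setdefault(current, []).append(stripped)
        else:
            current = stripped
            sections.setdefault(current, [])
    return sections


def compare(template: str, running: str, honor_ignore_markers: bool = True) -> dict[str, list[str]]:
    """Report template commands absent from the device ('missing') and device
    commands inside a templated section that the template lacks ('unexpected').
    Global commands the template does not mention are never reported, because a
    real running configuration carries far more of them than one template manages."""
    want = parse_sections(template, honor_ignore_markers)
    have = parse_sections(running)
    missing: list[str] = []
    unexpected: list[str] = []
    for section, cmds in want.items():
        if section not in have:
            missing.append(section)
            missing.extend(f"{section} > {c}" for c in cmds)
            continue
        missing.extend(f"{section} > {c}" for c in cmds if c not in have[section])
        if section:
            unexpected.extend(f"{section} > {c}" for c in have[section] if c not in cmds)
    return {"missing": missing, "unexpected": unexpected}


if __name__ == "__main__":
    for name, tpl in [("flat", TEMPLATE_FLAT), ("indented", TEMPLATE_INDENTED),
                      ("secret", TEMPLATE_WITH_SECRET)]:
        print(name, compare(tpl, RUNNING_CONFIG))
```

With the flat template every line after `interface Vlan111` is read as a global command, so all of them are reported missing and the whole interface section on the device looks unexpected; with indentation only the extra `ip helper-address 7.7.7.7` on the device stands out, and the wrapped `username` line is skipped entirely, which is the effect the ignore-compliance syntax is meant to give.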