Set Up Cisco DNA Center to Use Assurance

Before you begin using the Assurance application, you must configure Assurance. This chapter provides the basic tasks you must do to set up Assurance. Use this chapter in conjunction with the Cisco Digital Network Architecture Center User Guide.

Limitations and Restrictions

Assurance is not supported over NATed connections to managed devices.

Basic Setup Workflow

Before you begin using the Assurance application, you must set up Cisco DNA Center to use Assurance.

See the following illustration and the procedure that follows to understand the basic workflow.

Figure 1. Basic Workflow for Setting Up Cisco DNA Center to Use Assurance

Before you begin

See Limitations and Restrictions.

Procedure


Step 1

Install Cisco DNA Center.

See the Cisco DNA Center Installation Guide.

Step 2

Do the following in any order:

Step 3

Make sure that the devices appear in the device Inventory.

See Display Information About Your Inventory.

Note 

You must wait for all the devices to get into a Managed state.

Step 4

Add devices to sites.

See Add a Device to a Site.

Step 5

If you are adding APs, we recommend that you assign and position them on a floor map.

See Add, Position, and Delete APs.

Step 6

If your network uses Cisco Identity Services Engine for user authentication, you can configure Assurance for Cisco ISE integration. This enables you to see more information about wired clients, such as the username and operating system, in Assurance.

See About Cisco ISE Configuration for Cisco DNA Center.

Step 7

Configure the syslog, SNMP traps, and NetFlow Collector servers using Telemetry.

See Configure Syslog, SNMP Traps, NetFlow Collector Servers, and Wired Client Data Collection Using Telemetry.

Step 8

(Recommended) To view AI-driven issues and gain network insights, configure Cisco AI Network Analytics data collection.

See Configure Cisco AI Network Analytics Data Collection.

Step 9

(Recommended) To have access to the latest Machine Reasoning workflows, update the Machine Reasoning Knowledge Base.

See Update the Machine Reasoning Knowledge Base.

Step 10

Start using the Assurance application.


Discover Devices

The Discovery feature scans the devices in your network and sends the list of discovered devices to Inventory.

About Discovery

The Discovery feature scans the devices in your network and sends the list of discovered devices to Inventory.

The Discovery feature can also work with the Device Controllability feature to configure the required network settings on devices if these settings are not already present.

There are three ways for you to discover devices:

  • Use Cisco Discovery Protocol (CDP) and provide a seed IP address.

  • Specify a range of IP addresses. (A maximum range of 4096 devices is supported.)

  • Use Link Layer Discovery Protocol (LLDP) and provide a seed IP address.

When configuring the Discovery criteria, remember that there are settings that you can use to help reduce the amount of time it takes to discover your network:

  • CDP Level and LLDP Level: If you use CDP or LLDP as the Discovery method, you can set the CDP or LLDP level to indicate the number of hops from the seed device that you want to scan. The default, level 16, might take a long time on a large network. So, if fewer devices have to be discovered, you can set the level to a lower value.

  • Subnet Filters: If you use an IP address range, you can specify devices in specific IP subnets for Discovery to ignore.

  • Preferred Management IP: Whether you use CDP, LLDP, or an IP address range, you can specify whether you want Cisco DNA Center to add any of the device's IP addresses or only the device's loopback address.


    Note

    For Cisco SD-Access Fabric and Cisco DNA Assurance, we recommend that you specify the device's loopback address.


Regardless of the method you use, you must be able to reach the device from Cisco DNA Center and configure specific credentials and protocols in Cisco DNA Center to discover your devices. These credentials can be configured and saved in the Design > Network Settings > Device Credentials window or on a per-job basis in the Discovery window.


Note

If a device uses a first hop resolution protocol like Hot Standby Router Protocol (HSRP) or Virtual Router Redundancy Protocol (VRRP), the device might be discovered and added to the inventory with its floating IP address. Later, if HSRP or VRRP fails, the IP address might be reassigned to a different device. This situation can cause issues with the data that Cisco DNA Center retrieves for analysis.


Discovery Prerequisites

Before you run Discovery, complete the following minimum prerequisites:

  • Understand what devices will be discovered by Cisco DNA Center by viewing the Supported Devices List.

  • Understand that the preferred network latency between Cisco DNA Center and devices is 100 ms. (The maximum latency is 200 ms.)

  • Ensure at least one SNMP credential is configured on your devices for use by Cisco DNA Center. At a minimum, this can be an SNMPv2C read credential.

  • Configure SSH credentials on the devices you want Cisco DNA Center to discover and manage. Cisco DNA Center discovers and adds a device to its inventory if at least one of the following criteria is met:

    • The account that is being used by Cisco DNA Center to SSH into your devices has privileged EXEC mode (level 15).

    • You configure the device’s enable password as part of the CLI credentials configured in the Discovery job. For more information, see Discovery Configuration Guidelines and Limitations.

Preferred Management IP Address

When Cisco DNA Center discovers a device, it uses one of the device's IP addresses as the preferred management IP address. The IP address can be that of a built-in management interface of the device, another physical interface, or a logical interface such as Loopback0. You can configure Cisco DNA Center to use the device's loopback IP address as the preferred management IP address, provided the IP address is reachable from Cisco DNA Center.

When you choose Use Loopback IP as the preferred management IP address, Cisco DNA Center determines the preferred management IP address as follows:

  • If the device has one loopback interface, Cisco DNA Center uses that loopback interface IP address.

  • If the device has multiple loopback interfaces, Cisco DNA Center uses the loopback interface with the highest IP address.

  • If there are no loopback interfaces, Cisco DNA Center uses the Ethernet interface with the highest IP address. (Subinterface IP addresses are not considered.)

  • If there are no Ethernet interfaces, Cisco DNA Center uses the serial interface with the highest IP address.

After a device is discovered, you can update the management IP address from the Inventory window.
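The selection order above can be checked against an interface list before a Discovery job is run. The following Python sketch is an added example, not Cisco code: the IOS-style interface name patterns, the function names, and the sample inventory are assumptions constructed for illustration, and interface types other than loopback, Ethernet, and serial are ignored.

```python
import ipaddress
import re

# Assumed IOS-style interface names. Subinterfaces such as
# "GigabitEthernet0/2.100" match none of these patterns, so their
# addresses are never considered.
_KINDS = (
    ("loopback", re.compile(r"^Loopback\d+$", re.I)),
    ("ethernet", re.compile(r"^[A-Za-z]*Ethernet\d+(?:/\d+)*$", re.I)),
    ("serial", re.compile(r"^Serial\d+(?:/\d+)*$", re.I)),
)


def classify(name):
    """Return 'loopback', 'ethernet', 'serial', or None for anything else."""
    for kind, pattern in _KINDS:
        if pattern.match(name):
            return kind
    return None


def select_management_ip(interfaces):
    """Apply the Use Loopback IP order to (interface_name, ipv4) pairs.

    Returns (kind, ip) for the chosen address, or (None, None) when the
    device has no loopback, Ethernet, or serial address at all.
    """
    by_kind = {"loopback": [], "ethernet": [], "serial": []}
    for name, ip in interfaces:
        kind = classify(name)
        if kind and ip:
            # Compare as addresses, not strings: 10.255.0.10 > 10.255.0.9.
            by_kind[kind].append(ipaddress.IPv4Address(ip))
    for kind in ("loopback", "ethernet", "serial"):
        if by_kind[kind]:
            return kind, str(max(by_kind[kind]))
    return None, None


def fallback_report(inventory):
    """Devices for which Use Loopback IP would not land on a loopback."""
    report = {}
    for hostname, interfaces in inventory.items():
        kind, ip = select_management_ip(interfaces)
        if kind != "loopback":
            report[hostname] = (kind, ip)
    return report


# Constructed sample data, not taken from a real network.
SAMPLE_INVENTORY = {
    "core-1": [("Loopback0", "10.255.0.9"), ("Loopback1", "10.255.0.10"),
               ("GigabitEthernet0/1", "192.168.1.1")],
    "access-7": [("GigabitEthernet0/1", "10.1.1.1"),
                 ("GigabitEthernet0/2.100", "10.9.9.9"),
                 ("Serial0/0/0", "172.16.0.1")],
    "wan-2": [("Serial0/0/0", "172.16.0.5"), ("Serial0/0/1", "172.16.0.9")],
}

if __name__ == "__main__":
    for host, ifaces in SAMPLE_INVENTORY.items():
        print(host, select_management_ip(ifaces))
    print("fallbacks:", fallback_report(SAMPLE_INVENTORY))
```

Devices listed by `fallback_report` are the ones to review before discovery, because their management address will be a physical interface rather than the loopback address recommended for Cisco SD-Access Fabric and Cisco DNA Assurance.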

Discovery Configuration Guidelines and Limitations

The following are the guidelines and limitations for Cisco DNA Center to discover your Cisco Catalyst 3000 Series Switches and Catalyst 6000 Series Switches:

  • Configure the CLI username and password with privileged EXEC mode (level 15). This is the same CLI username and password that you configure in Cisco DNA Center for the Discovery function. Cisco DNA Center requires the highest access level to the device.

  • Explicitly specify the transport protocols allowed on individual interfaces for both incoming and outgoing connections. Use the transport input and transport output commands for this configuration. For information about these commands, see the command reference document for the specific device type.

  • Do not change the default login method for a device's console port and the VTY lines. If a device is already configured with a AAA (TACACS) login, make sure that the CLI credential defined in Cisco DNA Center is the same as the TACACS credential defined in the TACACS server.

  • Cisco Wireless Controllers must be discovered using the Management IP address instead of the Service Port IP address. If not, the related wireless controller 360 and AP 360 pages will not display any data.

Discover Your Network Using CDP

You can discover devices using Cisco Discovery Protocol (CDP), an IP address range, or LLDP. This procedure shows you how to discover devices and hosts using CDP. For more information about the other discovery methods, see Discover Your Network Using an IP Address Range and Discover Your Network Using LLDP.


Note

  • The Discovery function requires the correct SNMP Read Only (RO) community string. If an SNMP RO community string is not provided, as a best effort, the Discovery function uses the default SNMP RO community string, public.

  • CLI credentials are not required to discover hosts; hosts are discovered through the network devices to which they are connected.


Before you begin

  • Enable CDP on your network devices.

  • Configure your network devices, as described in Discovery Prerequisites.

  • Configure your network device's host IP address as the client IP address. (A host is an end-user device, such as a laptop computer or mobile device.)

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Tools > Discovery.

The Discovery window appears with dashlets.

Step 2

Click Add Discovery.

The New Discovery window appears.

Step 3

In the Discovery Name field, enter a name.

Step 4

Expand the IP Address/Range area if it is not already visible, and configure the following fields:

  1. For Discovery Type, click CDP.

  2. In the IP Address field, enter a seed IP address for Cisco DNA Center to start the Discovery scan.

  3. (Optional) In the Subnet Filter field, enter an IP address or subnet to exclude from the Discovery scan.

    You can enter addresses either as an individual IP address (x.x.x.x) or as a classless inter-domain routing (CIDR) address (x.x.x.x/y), where x.x.x.x refers to the IP address and y refers to the subnet mask. The subnet mask can be a value from 0 to 32.

  4. Click +.

    Repeat substeps 3 and 4 to exclude multiple subnets from the Discovery job.

  5. (Optional) In the CDP Level field, enter the number of hops from the seed device that you want to scan.

    Valid values are from 1 to 16. The default value is 16. For example, CDP level 3 means that CDP will scan up to three hops from the seed device.

  6. For Preferred Management IP, choose one of the following options:

    • None: Allows the device to use any of its IP addresses.

    • Use Loopback IP: Specify the device's loopback interface IP address.

      Note 

      If you choose Use Loopback IP and the device does not have a loopback interface, Cisco DNA Center chooses a management IP address using the logic described in Preferred Management IP Address.

      Note 

      To use the loopback interface IP address as the preferred management IP address, make sure that the CDP neighbor's IP address is reachable from Cisco DNA Center.

Step 5

Expand the Credentials area and configure the credentials that you want to use for the Discovery job.

Choose any of the global credentials that have already been created or configure your own Discovery credentials. If you configure your own credentials, you can save them only for the current job by clicking Save or you can save them for the current and future jobs by checking the Save as global settings check box and then clicking Save.

  1. Make sure that the global credentials that you want to use are selected. If you do not want to use a credential, deselect it.

  2. To add additional credentials, click Add Credentials.

  3. To configure CLI credentials, configure the following fields:

    Table 1. CLI Credentials

    Field

    Description

    Name/Description

    Name or phrase that describes the CLI credentials.

    Username

    Name that is used to log in to the CLI of the devices in your network.

    Password

    Password that is used to log in to the CLI of the devices in your network.

    For security reasons, re-enter the password as confirmation.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

    Enable Password

    Password used to move to a higher privilege level in the CLI. Configure this password only if your network devices require it.

    For security reasons, re-enter the enable password.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

  4. Click SNMP v2c and configure the following fields:

    Table 2. SNMPv2c Credentials

    Field

    Description

    Read

    • Name/Description: Name or description of the SNMPv2c settings that you are adding.

    • Read Community: Read-only community string password used only to view SNMP information on the device.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

    Write

    • Name/Description: Name or description of the SNMPv2c settings that you are adding.

    • Write Community: Write community string used to make changes to the SNMP information on the device.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

  5. (Optional) Click SNMP v3 and configure the following fields:

    Table 3. SNMPv3 Credentials

    Field

    Description

    Name/Description

    Name or description of the SNMPv3 settings that you are adding.

    Username

    Name associated with the SNMPv3 settings.

    Mode

    Security level that an SNMP message requires. Choose one of the following modes:

    • noAuthNoPriv: Does not provide authentication or encryption.

    • AuthNoPriv: Provides authentication, but does not provide encryption.

    • AuthPriv: Provides both authentication and encryption.

    Auth Type

    Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as the authentication mode.) Choose one of the following authentication types:

    • SHA: Authentication based on HMAC-SHA.

    • MD5: Authentication based on HMAC-MD5.

    Auth Password

    SNMPv3 password used for gaining access to information from devices that use SNMPv3. These passwords (or passphrases) must be at least eight characters in length.

    Note 
    • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

    • Passwords are encrypted for security reasons and are not displayed in the configuration.

    Privacy Type

    Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose one of the following privacy types:

    • DES: DES 56-bit (DES-56) encryption in addition to authentication based on the CBC DES-56 standard.

    • AES128: CBC mode AES for encryption.

    • None: No privacy.

    Note 

    DES encryption is being deprecated and will be removed in a future release.

    Privacy Password

    SNMPv3 privacy password that is used to generate the secret key for encrypting messages that are exchanged with devices that support DES or AES128 encryption. Passwords (or passphrases) must be at least eight characters long.

    Note 
    • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

    • Passwords are encrypted for security reasons and are not displayed in the configuration.

  6. (Optional) Click SNMP PROPERTIES and configure the following fields:

    Table 4. SNMP Properties

    Field

    Description

    Retries

    Number of times Cisco DNA Center tries to communicate with network devices using SNMP.

    Timeout

    Number of seconds between retries.

  7. (Optional) Click HTTP(S) and configure the following fields:

    Table 5. HTTP(S) Credentials

    Field

    Description

    Type

    Specifies the kind of HTTPS credentials you are configuring. Valid types are Read or Write.

    Read

    You can configure up to 10 HTTPS read credentials:

    • Name/Description: Name or description of the HTTPS credentials that you are adding.

    • Username: Name used to authenticate the HTTPS connection.

    • Password: Password used to authenticate the HTTPS connection. Passwords are encrypted for security and are not displayed in the configuration.

    • Port: Number of the TCP/UDP port used for HTTPS traffic. The default is port number 443 (the well-known port for HTTPS).

    The password must contain from 7 to 128 characters, including at least one:

    • Lowercase letter (a - z)

    • Uppercase letter (A - Z)

    • Number (0 - 9)

    • Special character: # _ * ? –

    The password cannot contain spaces or angle brackets (< >). Note that some Cisco IOS XE devices do not allow a question mark (?).

    Write

    You can configure up to 10 HTTPS write credentials:

    • Name/Description: Name or description of the HTTPS credentials that you are adding.

    • Username: Name used to authenticate the HTTPS connection.

    • Password: Password used to authenticate the HTTPS connection. Passwords are encrypted for security and are not displayed in the configuration.

    • Port: Number of the TCP/UDP port used for HTTPS traffic. The default is port number 443 (the well-known port for HTTPS).

    The password must contain from 7 to 128 characters, including at least one:

    • Lowercase letter (a - z)

    • Uppercase letter (A - Z)

    • Number (0 - 9)

    • Special character: # _ * ? –

    The password cannot contain spaces or angle brackets (< >). Note that some Cisco IOS XE devices do not allow a question mark (?).

  8. (Optional) If you have network devices with NETCONF enabled, click NETCONF and enter a port number in the Port field.

    Note 

    You must enable NETCONF and set the port to 830 to discover Cisco Catalyst 9800 Series Wireless Controller devices. NETCONF provides a mechanism to install, manipulate, and delete configurations of network devices. NETCONF will be disabled if you select Telnet in the Advanced area.

Step 6

To configure the protocols to be used to connect with devices, expand the Advanced area and do the following tasks:

  1. Click the names of the protocols that you want to use. A green check mark indicates that the protocol is selected.

    Valid protocols are SSH (default) and Telnet.

  2. Drag and drop the protocols in the order that you want them to be used.

Step 7

Click Discover and select whether to run the discovery now or schedule the discovery for a later time.

  • To run the discovery now, click the Now radio button and click Start.
  • To schedule the discovery for a later time, click the Later radio button, define the date and time, and click Start.

Click the notifications icon to view the scheduled discovery tasks. Click Edit to edit the discovery task before the discovery starts. Click Cancel to cancel the scheduled discovery job before it starts.

The Discoveries window displays the results of your scan.

The Discovery Details pane shows the status (active or inactive) and the Discovery configuration. The Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices.
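The credential and protocol constraints stated in Steps 5 and 6 can be checked before the values are entered in the GUI. The following Python sketch is an added example, not Cisco code and not the Cisco DNA Center API: the dictionary layout, key names, function names, and sample values are assumptions constructed for illustration.

```python
import re

# Special characters the page allows in HTTPS passwords. The page prints the
# dash as an en dash, so both "-" and "\u2013" are accepted (assumption).
HTTPS_SPECIALS = set("#_*?-\u2013")


def check_https_password(pw):
    """Return the HTTPS password rules from the page that pw violates."""
    problems = []
    if not 7 <= len(pw) <= 128:
        problems.append("length must be 7 to 128 characters")
    for pattern, message in ((r"[a-z]", "needs a lowercase letter"),
                             (r"[A-Z]", "needs an uppercase letter"),
                             (r"[0-9]", "needs a number")):
        if not re.search(pattern, pw):
            problems.append(message)
    if not any(c in HTTPS_SPECIALS for c in pw):
        problems.append("needs a special character")
    if any(c in " <>" for c in pw):
        problems.append("spaces and angle brackets are not allowed")
    return problems


def check_snmpv3(v3, wireless):
    """Findings for one SNMPv3 credential; wireless applies the 12-character note."""
    findings, mode, secrets = [], v3.get("mode"), []
    if mode == "noAuthNoPriv":
        findings.append(("warn", "SNMPv3 noAuthNoPriv: no authentication or encryption"))
    elif mode == "AuthNoPriv":
        findings.append(("warn", "SNMPv3 AuthNoPriv: no encryption"))
    if mode in ("AuthNoPriv", "AuthPriv"):
        secrets.append(("auth", v3.get("auth_password", "")))
    if mode == "AuthPriv":
        privacy = v3.get("privacy_type")
        if privacy == "DES":
            findings.append(("warn", "SNMPv3 DES privacy is being deprecated"))
        if privacy in ("DES", "AES128"):
            secrets.append(("privacy", v3.get("privacy_password", "")))
        else:
            findings.append(("warn", "SNMPv3 AuthPriv without a privacy type: no encryption"))
    for label, secret in secrets:
        if len(secret) < 8:
            findings.append(("error", f"SNMPv3 {label} password shorter than 8 characters"))
        elif wireless and len(secret) < 12:
            findings.append(("warn", f"SNMPv3 {label} password under 12 characters; "
                                     "some wireless controllers require 12"))
    return findings


def lint_discovery_job(job):
    """Return (severity, message) findings for a planned Discovery job."""
    findings = []
    protocols = job.get("protocols", ["SSH"])
    community = job.get("snmp_v2c", {}).get("read_community")
    v3 = job.get("snmp_v3")
    if not community and not v3:
        findings.append(("warn", "no SNMP RO community: Discovery falls back to 'public'"))
    elif community == "public":
        findings.append(("warn", "SNMP RO community is the default string 'public'"))
    if v3:
        findings += check_snmpv3(v3, job.get("has_wireless_controllers", False))
    if "Telnet" in protocols:
        findings.append(("warn", "Telnet selected: CLI credentials cross the network in cleartext"))
        if job.get("netconf_port"):
            findings.append(("warn", "NETCONF will be disabled because Telnet is selected"))
    if job.get("has_catalyst_9800") and (job.get("netconf_port") != 830 or "Telnet" in protocols):
        findings.append(("error", "Catalyst 9800 discovery needs NETCONF enabled on port 830"))
    for cred in job.get("https", []):
        for problem in check_https_password(cred["password"]):
            findings.append(("error", f"HTTPS credential {cred['name']!r}: {problem}"))
    return findings


# Constructed sample jobs; every credential value is a made-up placeholder.
WEAK_JOB = {
    "protocols": ["Telnet", "SSH"], "netconf_port": 830,
    "has_catalyst_9800": True, "has_wireless_controllers": True,
    "snmp_v2c": {"read_community": "public"},
    "snmp_v3": {"mode": "AuthPriv", "auth_type": "MD5", "auth_password": "short1",
                "privacy_type": "DES", "privacy_password": "tencharsxx"},
    "https": [{"name": "wlc-read", "password": "nouppercase1#"}],
}
HARDENED_JOB = {
    "protocols": ["SSH"], "netconf_port": 830,
    "has_catalyst_9800": True, "has_wireless_controllers": True,
    "snmp_v3": {"mode": "AuthPriv", "auth_type": "SHA",
                "auth_password": "constructed-auth-pass",
                "privacy_type": "AES128", "privacy_password": "constructed-priv-pass"},
    "https": [{"name": "wlc-read", "password": "Constructed#Pass1"}],
}

if __name__ == "__main__":
    for severity, message in lint_discovery_job(WEAK_JOB):
        print(f"{severity:5} {message}")
    print("hardened job findings:", lint_discovery_job(HARDENED_JOB))
```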


Discover Your Network Using an IP Address Range

You can discover devices using an IP address range, CDP, or LLDP. This procedure shows you how to discover devices and hosts using an IP address range. For more information about the other Discovery methods, see Discover Your Network Using CDP and Discover Your Network Using LLDP.

Before you begin

Your devices must have the required device configurations, as described in Discovery Prerequisites.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Tools > Discovery.

The Discovery window appears with dashlets.

Step 2

Click Add Discovery.

The New Discovery window appears.

Step 3

In the Discovery Name field, enter a name.

Step 4

Expand the IP Address/Ranges area, if it is not already visible, and configure the following fields:

  1. For Discovery Type, click IP Address/Range.

  2. In the From and To fields, enter the beginning and ending IP addresses (IP address range) for Cisco DNA Center to scan, and click +.

    You can enter a single IP address range or multiple IP addresses for the discovery scan.

    Note 

    Cisco Wireless Controllers must be discovered using the management IP address instead of the service port IP address. If not, the related wireless controller 360 and AP 360 pages will not display any data.

  3. (Optional) Repeat substep 2 to enter additional IP address ranges.

  4. (Optional) In the Subnet Filter field, enter an IP address/range or subnet to exclude from the Discovery scan. You can enter addresses either as an individual IP address (x.x.x.x) or as a classless inter-domain routing (CIDR) address (x.x.x.x/y), where x.x.x.x refers to the IP address and y refers to the subnet mask. The subnet mask can be a value from 0 to 32.

  5. For Preferred Management IP Address, choose one of the following options:

    • None: Allows the device to use any of its IP addresses.

    • Use Loopback IP: Specify the device's loopback interface IP address.

      Note 

      If you choose Use Loopback IP and the device does not have a loopback interface, Cisco DNA Center chooses a management IP address using the logic described in Preferred Management IP Address.

Step 5

Expand the Credentials area and configure the credentials that you want to use for the Discovery job.

Choose any of the global credentials that have already been created or configure your own Discovery credentials. If you configure your own credentials, you can save them for only the current job by clicking Save, or you can save them for the current and future jobs by checking the Save as global settings check box and then clicking Save.

  1. Make sure that the global credentials that you want to use are selected. If you do not want to use a credential, deselect it.

  2. To add additional credentials, click Add Credentials.

  3. To configure CLI credentials, configure the following fields:

    Table 6. CLI Credentials

    Field

    Description

    Name/Description

    Name or phrase that describes the CLI credentials.

    Username

    Name that is used to log in to the CLI of the devices in your network.

    Password

    Password that is used to log in to the CLI of the devices in your network.

    For security reasons, re-enter the password as confirmation.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

    Enable Password

    Password used to move to a higher privilege level in the CLI. Configure this password only if your network devices require it.

    For security reasons, re-enter the enable password.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

  4. Click SNMP v2c and configure the following fields:

    Table 7. SNMPv2c Credentials

    Field

    Description

    Read

    • Name/Description: Name or description of the SNMPv2c settings that you are adding.

    • Read Community: Read-only community string password used only to view SNMP information on the device.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

    Write

    • Name/Description: Name or description of the SNMPv2c settings that you are adding.

    • Write Community: Write community string used to make changes to the SNMP information on the device.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

  5. (Optional) Click SNMP v3 and configure the following fields:

    Table 8. SNMPv3 Credentials

    Field

    Description

    Name/Description

    Name or description of the SNMPv3 settings that you are adding.

    Username

    Name associated with the SNMPv3 settings.

    Mode

    Security level that an SNMP message requires. Choose one of the following modes:

    • noAuthNoPriv: Does not provide authentication or encryption.

    • AuthNoPriv: Provides authentication, but does not provide encryption.

    • AuthPriv: Provides both authentication and encryption.

    Auth Type

    Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as the authentication mode.) Choose one of the following authentication types:

    • SHA: Authentication based on HMAC-SHA.

    • MD5: Authentication based on HMAC-MD5.

    Auth Password

    SNMPv3 password used for gaining access to information from devices that use SNMPv3. These passwords (or passphrases) must be at least eight characters in length.

    Note 
    • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

    • Passwords are encrypted for security reasons and are not displayed in the configuration.

    Privacy Type

    Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose one of the following privacy types:

    • DES: DES 56-bit (DES-56) encryption in addition to authentication based on the CBC DES-56 standard.

    • AES128: CBC mode AES for encryption.

    • None: No privacy.

    Note 

    DES encryption is being deprecated and will be removed in a future release.

    Privacy Password

    SNMPv3 privacy password that is used to generate the secret key for encrypting messages that are exchanged with devices that support DES or AES128 encryption. Passwords (or passphrases) must be at least eight characters long.

    Note 
    • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

    • Passwords are encrypted for security reasons and are not displayed in the configuration.

  6. (Optional) Click SNMP PROPERTIES and configure the following fields:

    Table 9. SNMP Properties

    Field

    Description

    Retries

    Number of times Cisco DNA Center tries to communicate with network devices using SNMP.

    Timeout

    Number of seconds between retries.

  7. (Optional) Click HTTP(S) and configure the following fields:

    Table 10. HTTP(S) Credentials

    Field

    Description

    Type

    Specifies the kind of HTTPS credentials you are configuring. Valid types are Read or Write.

    Read

    You can configure up to 10 HTTPS read credentials:

    • Name/Description: Name or description of the HTTPS credentials that you are adding.

    • Username: Name used to authenticate the HTTPS connection.

    • Password: Password used to authenticate the HTTPS connection. Passwords are encrypted for security and are not displayed in the configuration.

    • Port: Number of the TCP/UDP port used for HTTPS traffic. The default is port number 443 (the well-known port for HTTPS).

    The password must contain from 7 to 128 characters, including at least one:

    • Lowercase letter (a - z)

    • Uppercase letter (A - Z)

    • Number (0 - 9)

    • Special character: # _ * ? –

    The password cannot contain spaces or angle brackets (< >). Note that some Cisco IOS XE devices do not allow a question mark (?).

    Write

    You can configure up to 10 HTTPS write credentials:

    • Name/Description: Name or description of the HTTPS credentials that you are adding.

    • Username: Name used to authenticate the HTTPS connection.

    • Password: Password used to authenticate the HTTPS connection. Passwords are encrypted for security and are not displayed in the configuration.

    • Port: Number of the TCP/UDP port used for HTTPS traffic. The default is port number 443 (the well-known port for HTTPS).

    The password must contain from 7 to 128 characters, including at least one:

    • Lowercase letter (a - z)

    • Uppercase letter (A - Z)

    • Number (0 - 9)

    • Special character: # _ * ? –

    The password cannot contain spaces or angle brackets (< >). Note that some Cisco IOS XE devices do not allow a question mark (?).

  8. (Optional) If you have network devices with NETCONF enabled, click NETCONF and enter a port number in the Port field.

    Note 

    You must enable NETCONF and set the port to 830 to discover Cisco Catalyst 9800 Series Wireless Controller devices. NETCONF provides a mechanism to install, manipulate, and delete configurations of network devices.

Step 6

(Optional) To configure the protocols that are to be used to connect with devices, expand the Advanced area and do the following tasks:

  1. Click the protocols that you want to use. A green check mark indicates that the protocol is selected.

    Valid protocols are SSH (default) and Telnet.

  2. Drag and drop the protocols in the order that you want them to be used.

Step 7

Click Discover and select whether to run the discovery now or schedule the discovery for a later time.

  • To run the discovery now, click the Now radio button and click Start.
  • To schedule the discovery for a later time, click the Later radio button, define the date and time, and click Start.

Click the notifications icon to view the scheduled discovery tasks. Click Edit to edit the discovery task before the discovery starts. Click Cancel if you want to cancel the scheduled discovery job before it starts.

The Discoveries window displays the results of your scan.

The Discovery Details pane shows the status (active or inactive) and the Discovery configuration. The Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices.
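The From and To range and the Subnet Filter entries from Step 4 can be sized before the job is created. The following Python sketch is an added example, not Cisco code: the function names and sample addresses are constructed, and it assumes that the 4096 limit applies to the number of addresses between From and To before filters are subtracted.

```python
import ipaddress

MAX_RANGE = 4096  # limit stated on the page for an IP address range


def parse_subnet_filter(text):
    """Parse x.x.x.x or x.x.x.x/y (y from 0 to 32) into an IPv4 network."""
    text = text.strip()
    if "/" not in text:
        text += "/32"
    # strict=False lets "10.1.1.7/24" stand for the 10.1.1.0/24 subnet.
    # A mask outside 0 to 32 raises ValueError.
    return ipaddress.IPv4Network(text, strict=False)


def plan_range(start, end, filters=()):
    """Summarise what a From/To range plus subnet filters would scan.

    Returns a dict with the range size, the number of addresses removed by
    the filters, whether the range fits the limit, and any filters that do
    not touch the range at all (usually a typo in the filter).
    """
    first = int(ipaddress.IPv4Address(start))
    last = int(ipaddress.IPv4Address(end))
    if last < first:
        raise ValueError("To address is lower than From address")
    size = last - first + 1

    # Collapse overlapping or nested filters so no address is counted twice.
    # Adjacent filters may be reported back as one merged network.
    nets = ipaddress.collapse_addresses(parse_subnet_filter(f) for f in filters)

    excluded, unused = 0, []
    for net in nets:
        lo = max(first, int(net.network_address))
        hi = min(last, int(net.broadcast_address))
        if hi < lo:
            unused.append(str(net))
        else:
            excluded += hi - lo + 1
    return {
        "size": size,
        "excluded": excluded,
        "scanned": size - excluded,
        "within_limit": size <= MAX_RANGE,
        "unused_filters": unused,
    }


if __name__ == "__main__":
    # Constructed sample input, not taken from a real network.
    plan = plan_range("10.0.0.1", "10.0.15.254",
                      ["10.0.3.0/24", "10.0.3.128/25", "192.168.1.1"])
    for key, value in plan.items():
        print(f"{key}: {value}")
```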


Discover Your Network Using LLDP

You can discover devices using Link Layer Discovery Protocol (LLDP), CDP, or an IP address range. This procedure shows you how to discover devices and hosts using LLDP. For more information about the other discovery methods, see Discover Your Network Using CDP and Discover Your Network Using an IP Address Range.


Note

  • The Discovery function requires the correct SNMP Read Only (RO) community string. If an SNMP RO community string is not provided, as a best effort, the Discovery function uses the default SNMP RO community string, public.

  • CLI credentials are not required to discover hosts; hosts are discovered through the network devices to which they are connected.


Before you begin

  • Enable LLDP on your network devices.

  • Configure your network devices, as described in Discovery Prerequisites.

  • Configure your network device's host IP address as the client IP address. (A host is an end-user device, such as a laptop computer or mobile device.)

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Tools > Discovery.

The Discovery window appears with dashlets.

Step 2

Click Add Discovery.

The New Discovery window appears.

Step 3

In the Discovery Name field, enter a name.

Step 4

Expand the IP Address/Range area and configure the following fields:

  1. For Discovery Type, click LLDP.

  2. In the IP Address field, enter a seed IP address for Cisco DNA Center to start the Discovery scan.

  3. (Optional) In the Subnet Filter field, enter an IP address or subnet to exclude from the Discovery scan.

    You can enter addresses either as an individual IP address (x.x.x.x) or as a classless inter-domain routing (CIDR) address (x.x.x.x/y), where x.x.x.x refers to the IP address and y refers to the subnet mask. The subnet mask can be a value from 0 to 32.

  4. Click +.

    Repeat substeps 3 and 4 to exclude multiple subnets from the Discovery job.

  5. (Optional) In the LLDP Level field, enter the number of hops from the seed device that you want to scan.

    Valid values are from 1 to 16. The default value is 16. For example, LLDP level 3 means that LLDP will scan up to three hops from the seed device.

  6. For Preferred Management IP, choose one of the following options:

    • None: Allows the device to use any of its IP addresses.

    • Use Loopback IP: Specify the device's loopback interface IP address.

      Note 

      If you choose this option and the device does not have a loopback interface, Cisco DNA Center chooses a management IP address using the logic described in Preferred Management IP Address.

      Note 

      To use the loopback interface IP address as the preferred management IP address, make sure that the LLDP neighbor's IP address is reachable from Cisco DNA Center.

Step 5

Expand the Credentials area and configure the credentials that you want to use for the Discovery job.

Choose any of the global credentials that have already been created, or configure your own Discovery credentials. If you configure the credentials, you can choose to save them for future jobs by checking the Save as global settings check box.

  1. Make sure that the global credentials that you want to use are selected. If you do not want to use a credential, deselect it.

  2. To add additional credentials, click Add Credentials.

  3. For CLI credentials, configure the following fields:

    Table 11. CLI Credentials

    Field

    Description

    Name/Description

    Name or phrase that describes the CLI credentials.

    Username

    Name that is used to log in to the CLI of the devices in your network.

    Password

    Password that is used to log in to the CLI of the devices in your network.

    For security reasons, re-enter the password as confirmation.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

    Enable Password

    Password used to move to a higher privilege level in the CLI. Configure this password only if your network devices require it.

    For security reasons, re-enter the enable password.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

  4. Click SNMP v2c and configure the following fields:

    Table 12. SNMPv2c Credentials

    Field

    Description

    Read

    • Name/Description: Name or description of the SNMPv2c settings that you are adding.

    • Read Community: Read-only community string password used only to view SNMP information on the device.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

    Write

    • Name/Description: Name or description of the SNMPv2c settings that you are adding.

    • Write Community: Write community string used to make changes to the SNMP information on the device.

    Note 

    Passwords are encrypted for security reasons and are not displayed in the configuration.

  5. (Optional) Click SNMP v3 and configure the following fields:

    Table 13. SNMPv3 Credentials

    Field

    Description

    Name/Description

    Name or description of the SNMPv3 settings that you are adding.

    Username

    Name associated with the SNMPv3 settings.

    Mode

    Security level that an SNMP message requires. Choose one of the following modes:

    • noAuthNoPriv: Does not provide authentication or encryption.

    • AuthNoPriv: Provides authentication, but does not provide encryption.

    • AuthPriv: Provides both authentication and encryption.

    Auth Type

    Authentication type to be used. (Enabled if you select AuthPriv or AuthNoPriv as the authentication mode.) Choose one of the following authentication types:

    • SHA: Authentication based on HMAC-SHA.

    • MD5: Authentication based on HMAC-MD5.

    Auth Password

    SNMPv3 password used for gaining access to information from devices that use SNMPv3. These passwords (or passphrases) must be at least eight characters in length.

    Note 
    • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

    • Passwords are encrypted for security reasons and are not displayed in the configuration.

    Privacy Type

    Privacy type. (Enabled if you select AuthPriv as the authentication mode.) Choose one of the following privacy types:

    • DES: DES 56-bit (DES-56) encryption in addition to authentication based on the CBC DES-56 standard.

    • AES128: CBC mode AES for encryption.

    • None: No privacy.

    Note 

    DES encryption is being deprecated and will be removed in a future release.

    Privacy Password

    SNMPv3 privacy password that is used to generate the secret key for encrypting messages that are exchanged with devices that support DES or AES128 encryption. Passwords (or passphrases) must be at least eight characters long.

    Note 
    • Some wireless controllers require that passwords (or passphrases) be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.

    • Passwords are encrypted for security reasons and are not displayed in the configuration.

  6. (Optional) Click SNMP PROPERTIES and configure the following fields:

    Table 14. SNMP Properties

    Field

    Description

    Retries

    Number of times Cisco DNA Center tries to communicate with network devices using SNMP.

    Timeout

    Number of seconds between retries.

  7. (Optional) Click HTTP(S) and configure the following fields:

    Table 15. HTTP(S) Credentials

    Field

    Description

    Type

    Specifies the kind of HTTPS credentials you are configuring. Valid types are Read or Write.

    Read

    You can configure up to 10 HTTPS read credentials:

    • Name/Description: Name or description of the HTTPS credentials that you are adding.

    • Username: Name used to authenticate the HTTPS connection.

    • Password: Password used to authenticate the HTTPS connection. Passwords are encrypted for security and are not displayed in the configuration.

    • Port: Number of the TCP/UDP port used for HTTPS traffic. The default is port number 443 (the well-known port for HTTPS).

    The password must contain from 7 to 128 characters, including at least one:

    • Lowercase letter (a - z)

    • Uppercase letter (A - Z)

    • Number (0 - 9)

    • Special character: # _ * ? –

    The password cannot contain spaces or angle brackets (< >). Note that some Cisco IOS XE devices do not allow a question mark (?).

    Write

    You can configure up to 10 HTTPS write credentials:

    • Name/Description: Name or description of the HTTPS credentials that you are adding.

    • Username: Name used to authenticate the HTTPS connection.

    • Password: Password used to authenticate the HTTPS connection. Passwords are encrypted for security and are not displayed in the configuration.

    • Port: Number of the TCP/UDP port used for HTTPS traffic. The default is port number 443 (the well-known port for HTTPS).

    The password must contain from 7 to 128 characters, including at least one:

    • Lowercase letter (a - z)

    • Uppercase letter (A - Z)

    • Number (0 - 9)

    • Special character: # _ * ? –

    The password cannot contain spaces or angle brackets (< >). Note that some Cisco IOS XE devices do not allow a question mark (?).

Step 6

(Optional) To configure the protocols to be used to connect with devices, expand the Advanced area and do the following tasks:

  1. Click the names of the protocols that you want to use. A green check mark indicates that the protocol is selected. Valid protocols are SSH (default) and Telnet.

  2. Drag and drop the protocols in the order that you want them to be used.

Step 7

Click Discover and select whether to run the discovery now or schedule the discovery for a later time.

  • To run the discovery now, click the Now radio button and click Start.
  • To schedule the discovery for a later time, click the Later radio button, define the date and time, and click Start.

Click the notifications icon to view the scheduled discovery tasks. Click Edit to edit the discovery task before the discovery starts. Click Cancel if you want to cancel the scheduled discovery job before it starts.

The Discoveries window displays the results of your scan.

The Discovery Details pane shows the status (active or inactive) and the Discovery configuration. The Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices.
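
The values entered in Steps 4 through 6 can be checked before the job is started. The following Python example is added here and is not Cisco code: it audits a planned Discovery job against the limits stated in this procedure and flags settings that are accepted but weak (the default public community, noAuthNoPriv, MD5, DES, Telnet). The dictionary keys, the min_snmpv3_len parameter, and the sample job are constructed for illustration and are not Cisco DNA Center API names.

```python
import ipaddress

# Key names are hypothetical: they mirror the GUI labels on this page and are
# not Cisco DNA Center API parameters.
HTTPS_SPECIALS = "#_*?-\u2013"  # assumption: the listed dash may be "-" or an en dash

def valid_subnet_filter(entry):
    """True for x.x.x.x or x.x.x.x/y with y from 0 to 32."""
    addr, slash, prefix = entry.partition("/")
    try:
        ipaddress.IPv4Address(addr)
    except ValueError:
        return False
    return not slash or (prefix.isascii() and prefix.isdigit() and int(prefix) <= 32)

def check_https_password(pw):
    """Return the HTTP(S) password rules that pw violates."""
    problems = []
    if not 7 <= len(pw) <= 128:
        problems.append("length must be 7 to 128 characters")
    if not any("a" <= c <= "z" for c in pw):
        problems.append("needs a lowercase letter (a-z)")
    if not any("A" <= c <= "Z" for c in pw):
        problems.append("needs an uppercase letter (A-Z)")
    if not any("0" <= c <= "9" for c in pw):
        problems.append("needs a number (0-9)")
    if not any(c in HTTPS_SPECIALS for c in pw):
        problems.append("needs a special character (# _ * ? -)")
    if any(c in " <>" for c in pw):
        problems.append("must not contain spaces or angle brackets")
    return problems

def audit_discovery(job, min_snmpv3_len=8):
    """Return (errors, warnings): values the page rejects, and accepted but weak ones.

    Use min_snmpv3_len=12 when wireless controllers that require it are in scope.
    """
    errors, warnings = [], []
    level = job.get("lldp_level", 16)  # default LLDP level is 16
    if not 1 <= level <= 16:
        errors.append(f"LLDP level {level} is outside 1 to 16")
    for entry in job.get("subnet_filters", []):
        if not valid_subnet_filter(entry):
            errors.append(f"subnet filter {entry!r} is not x.x.x.x or x.x.x.x/y")

    community = job.get("snmp_v2c_read_community")
    if not community:
        warnings.append("no SNMP RO community: Discovery falls back to 'public'")
    elif community == "public":
        warnings.append("SNMP RO community is the default 'public'")

    v3 = job.get("snmp_v3") or {}
    mode = v3.get("mode")
    if mode == "noAuthNoPriv":
        warnings.append("SNMPv3 noAuthNoPriv: no authentication or encryption")
    elif mode == "AuthNoPriv":
        warnings.append("SNMPv3 AuthNoPriv: messages are not encrypted")
    if mode in ("AuthNoPriv", "AuthPriv"):
        if len(v3.get("auth_password", "")) < min_snmpv3_len:
            errors.append(f"SNMPv3 auth password under {min_snmpv3_len} characters")
        if v3.get("auth_type") == "MD5":
            warnings.append("SNMPv3 auth type is MD5; SHA is also offered")
    if mode == "AuthPriv":
        privacy = v3.get("privacy_type")
        if privacy == "None":
            warnings.append("SNMPv3 privacy type None: messages are not encrypted")
        elif len(v3.get("privacy_password", "")) < min_snmpv3_len:
            errors.append(f"SNMPv3 privacy password under {min_snmpv3_len} characters")
        if privacy == "DES":
            warnings.append("SNMPv3 DES privacy is being deprecated")

    for cred in job.get("https_credentials", []):
        label = f"HTTPS credential {cred['name']!r}"
        errors += [f"{label}: {p}" for p in check_https_password(cred["password"])]
        if "?" in cred["password"]:
            warnings.append(f"{label}: some Cisco IOS XE devices do not allow '?'")

    order = job.get("protocol_order", ["SSH"])  # SSH is the default protocol
    if "Telnet" in order:
        how = "tried first" if order[0] == "Telnet" else "enabled as a fallback"
        warnings.append(f"Telnet is {how}; it sends the CLI login unencrypted")
    return errors, warnings

# Constructed sample job, not taken from a real deployment.
SAMPLE_JOB = {
    "lldp_level": 3,
    "subnet_filters": ["10.20.0.0/16", "192.0.2.7", "10.30.0.0/40"],
    "snmp_v2c_read_community": "",
    "snmp_v3": {"mode": "AuthPriv", "auth_type": "MD5",
                "auth_password": "example-auth-1",
                "privacy_type": "DES", "privacy_password": "short"},
    "https_credentials": [{"name": "ro-api", "password": "Example_pw?1"}],
    "protocol_order": ["Telnet", "SSH"],
}

if __name__ == "__main__":
    found_errors, found_warnings = audit_discovery(SAMPLE_JOB)
    for line in found_errors:
        print("ERROR  ", line)
    for line in found_warnings:
        print("WARNING", line)
```

Errors are values this procedure states are invalid; warnings are settings the GUI accepts but that leave discovery traffic or credentials weakly protected.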


Manage Discovery Jobs

Stop and Start a Discovery Job

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Tools > Discovery.

The Discovery window appears with dashlets.
Step 2

Click View All Discoveries.

Step 3

To stop an active Discovery job, perform these steps:

  1. From the Discoveries pane, select the corresponding job.

  2. Click Stop.

Step 4

To restart an inactive Discovery job, perform these steps:

  1. From the Discoveries pane, select the corresponding job.

  2. Click Re-discover to restart the selected job.


Clone a Discovery Job

You can clone a Discovery job and retain all of the information defined for that job.

Before you begin

You should have run at least one Discovery job.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Tools > Discovery.

The Discovery window appears with dashlets.
Step 2

Click View All Discoveries.

Step 3

From the Discoveries pane, select the Discovery job.

Step 4

Click Copy & Edit.

Cisco DNA Center creates a copy of the Discovery job, named Copy of Discovery_Job.

Step 5

(Optional) Change the name of the Discovery job.

Step 6

Define or update the parameters for the new Discovery job.


Delete a Discovery Job

You can delete a Discovery job whether it is active or inactive.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Tools > Discovery.

The Discovery window appears with dashlets.
Step 2

Click View All Discoveries.

Step 3

From the Discoveries pane, select the Discovery job that you want to delete.

Step 4

Click Delete.

Step 5

Click OK to confirm.


View Discovery Job Information

You can view information about a Discovery job, such as the settings and credentials that were used. You also can view the historical information about each Discovery job that was run, including information about the specific devices that were discovered or that failed to be discovered.

Before you begin

Run at least one Discovery job.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Tools > Discovery.

The Discovery window appears with dashlets.
Step 2

Click View All Discoveries.

Step 3

From the Discoveries pane, select the Discovery job. Alternatively, use the Search function to find a Discovery job by device IP address or name.

Step 4

Click the down arrow next to one of the following areas for more information:

  • Discovery Details: Displays the parameters that were used to run the Discovery job. Parameters include attributes such as the CDP or LLDP level, IP address range, and protocol order.

  • Credentials: Provides the names of the credentials that were used.

  • History: Lists each Discovery job that was run, including the time when the job started, and whether any devices were discovered.

    To successfully discover embedded wireless controllers, the NETCONF port must be configured. If the NETCONF port is not configured, wireless data is not collected.

    Use the Filter function to display devices by any combination of IP addresses or ICMP, CLI, HTTPS, or NETCONF values.


Design Network Hierarchy

You can create a network hierarchy that represents your network's geographical locations. Your network hierarchy can contain sites, which contain buildings and areas.

Design a New Network Infrastructure

The Design area is where you create the structure and framework of your network, including the physical topology, network settings, and device type profiles that you can apply to devices throughout your network. Use the Design workflow if you do not already have an existing infrastructure. If you have an existing infrastructure, use the Discovery feature. For more information, see About Discovery.

You can perform these tasks in the Design area:

Procedure


Step 1

Create your network hierarchy.

Step 2

Define global network settings.

Step 3

Define network profiles.


About Network Hierarchy

You can create a network hierarchy that represents your network's geographical locations. Your network hierarchy can contain sites, which in turn contain buildings and areas. You can create site and building IDs to easily identify where to apply design settings or configurations later. By default, there is one site called Global.

The network hierarchy has a predetermined hierarchy:

  • Areas or sites, such as the United States, do not have a physical address. You can think of areas as the largest element. Areas can contain buildings and subareas. For example, an area called United States can contain a subarea called California, and the subarea California can contain a subarea called San Jose.

  • Buildings have a physical address and contain floors and floor plans. When you create a building, you must specify a physical address and latitude and longitude coordinates. Buildings cannot contain areas. By creating buildings, you can apply settings to a specific area.

  • Floors are within buildings and consist of cubicles, walled offices, wiring closets, and so on. You can add floors only to buildings.

The following is a list of tasks that you can perform:

Guidelines for Image Files to Use in Maps

  • Use a graphical application that can save the map image files to any of these formats: .jpg, .gif, .png, .dxf, and .dwg.

  • Ensure that the dimension of an image is larger than the combined dimension of all the buildings and outside areas that you plan to add to the campus map.

  • Map image files can be of any size. Cisco DNA Center imports the original image to its database at a full definition, but during display, it automatically resizes the image to fit the workspace.

  • Obtain the horizontal and vertical dimensions of the site in feet or meters before importing. This helps you to specify these dimensions during map import.

Create a Site in a Network Hierarchy

Cisco DNA Center allows you to easily define physical sites and then specify common resources for those sites. The Design area uses a hierarchical format for intuitive use, while eliminating the need to redefine the same resource in multiple places when provisioning devices. By default, there is one site called Global. You can add more sites, buildings, and areas to your network hierarchy. You must create at least one site before you can use the provision features.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

A world map is displayed in the right pane.

Step 2

In the Network Hierarchy window, click + Add Site > Add Area or click the gear icon next to the parent site in the left pane, and then click Add Area.

Step 3

Enter a name for the site in the Area Name field.

Step 4

From the Parent drop-down list, choose a parent node.

By default, Global is the parent node.

Step 5

Click Add.

The site is created under the parent node in the left pane.

You can also upload an existing hierarchy. For more information, see Upload an Existing Site Hierarchy.


Add Buildings

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

A world map is displayed in the right pane.

Step 2

In the Network Hierarchy window, click +Add Site > Add Building, or click the gear icon next to the parent site in the left pane and select Add Building.

You can also upload an existing hierarchy.

Step 3

In the Building Name field, enter a name for the building.

Step 4

From the Parent drop-down list, choose a parent node.

By default, Global is the parent node.

Step 5

In the Address field, enter an address. If you are connected to the Internet, as you enter the address, the Design Application narrows down the known addresses to the one you enter. The user can move the marker to change the position on the map. When you see that the correct address appears in the window, select it. When you select a known address, the Longitude and Latitude coordinates fields are automatically populated.

Step 6

Click Add.

The building that you created is added under the parent site in the left menu.

Step 7

To add another area or building, in the hierarchy frame, click the gear icon next to an existing area or building that you want to be the parent node.


Add a Floor to a Building

After you add a building, create floors and upload a floor map.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

Expand the Global site and the previously created area to see all the previously created buildings.

Step 3

Click the gear icon next to the building to which you want to add a floor, and then click Add Floor.

Step 4

Enter a name for the floor. The floor name has a 21-character limit. The floor name must start with a letter or a hyphen (-) and the string following the first character can include one or more of the following:

  • Upper or lower case letters or both

  • Numbers

  • Underscores (_)

  • Hyphens (-)

  • Periods (.)

  • Spaces ( )

Step 5

Define the type of floor by choosing the Radio Frequency (RF) model from the Type (RF Model) drop-down list: Indoor High Ceiling, Outdoor Open Space, Drywall Office Only, and Cubes And Walled Offices. This defines whether the floor is an open space, a drywall office, and so on. Based on the RF model selected, the wireless signal strength and the distribution of the heatmap are calculated.

Step 6

You can drag a floor plan on to the map or upload a file. Cisco DNA Center supports the following file types: .jpg, .gif, .png, .dxf, and .dwg.

After you import a map, make sure that you mark the Overlay Visibility as On (Floor > View Option > Overlays). By default, overlays are not displayed after you import a map.

Figure 2. Example of a Floor Plan
Step 7

Click Add.


Manage Network Hierarchy

Upload an Existing Site Hierarchy

You can upload a CSV file or a map archive file that contains an existing network hierarchy. For example, you can upload a CSV file with location information that you exported from Cisco Prime Infrastructure. For more information, see Export Maps Archive on how to export maps from Cisco Prime Infrastructure.


Note

Before importing a map archive file into Cisco DNA Center, make sure that devices such as Cisco Wireless Controllers and their associated APs are discovered and listed on the Cisco DNA Center inventory page.


Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy, and then click Import > Import Sites.

A world map is displayed in the right pane.

Step 2

Drag and drop your CSV file, or navigate to where your CSV file is located, then click Import to import the Cisco Prime Infrastructure Groups CSV file.

If you do not have an existing CSV file, click Download Template to download a CSV file that you can edit and upload.

Step 3

To import the Cisco Prime Infrastructure maps tar.gz archive file, click Import > Map Import.

Step 4

Drag and drop the map archive file into the boxed area in the Import Site Hierarchy Archive dialog box, or click the click to select link and browse to the archive file.

Step 5

Click Save to upload the file.

The Import Preview window appears, which shows the imported file.


Export Maps Archive

You can export maps archive files from Cisco Prime Infrastructure and import them into Cisco DNA Center.
Procedure

Step 1

From the Cisco Prime Infrastructure user interface, choose Maps > Wireless Maps > Site Maps (New).

Step 2

From the Export drop-down list, choose Map Archive.

Step 3

On the Select Sites window, configure the following. You can either select map information or calibration information to be included in the maps archive.

  • Map Information—Click the On or Off button to include map information in the archive.

  • Calibration Information—To export calibration information, click the On or Off button. Click the Calibration Information for selected maps or the All Calibration Information radio button. If you select Calibration Information for selected maps, the calibration information for the selected site maps is exported. If you select All Calibration Information, the calibration information for the selected map, along with additional calibration information that is available in the system, is also exported.

  • In the Sites left pane, check one or more check boxes of the site, campus, building floor, or outdoor area that you want to export. Check the Select All check box to export all the maps.

Step 4

Click Generate Map Archive. A message Exporting data is in progress is displayed.

A tar file is created and is saved to your local machine.
Step 5

Click Done.


Search the Network Hierarchy

You can search the network hierarchy to quickly find a site, building, or area. This is particularly helpful after you have added many sites, areas, or buildings.

Procedure


To search the tree hierarchy, go to the Find Hierarchy search field in the left pane and enter either the partial or full name of the site, building, or floor that you are searching for. The tree hierarchy is filtered based on the text you enter in the search field.


Edit Sites

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, navigate to the corresponding site that you want to edit.

Step 3

Click the gear icon next to the site and select Edit Site.

Step 4

Make the necessary changes, and click Update.


Delete Sites

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, navigate to the site that you want to delete.

Step 3

Click the gear icon next to the corresponding site and select Delete Site.

Step 4

Confirm the deletion.


Edit a Building

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left tree pane, navigate to the building that you want to edit.

Step 3

Click the gear icon next to the building and select Edit Building.

Step 4

Make the necessary changes in the Edit Building window, and click Update.


Delete a Building

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, navigate to the building that you want to delete.

Step 3

Click the gear icon next to the building and select Delete Building.

Step 4

Confirm the deletion.

Note 

Deleting a building deletes all its container maps. APs from the deleted maps are moved to Unassigned state.


Edit a Floor

After you add a floor, you can edit the floor map so that it contains obstacles, areas, and APs on the floor.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

Expand the network hierarchy to find the floor that you want to edit, or enter the floor name in the Search Hierarchy text field in the left pane.

Step 3

Make the necessary changes in the Edit Floor dialog window, and click Update.


Monitor a Floor Map

The floor view navigation pane provides access to multiple map functions like:

  • Use the Find feature located at the top-right corner of the floor map window to find specific floor elements such as APs, sensors, clients, and so on. The elements that match the search criteria are displayed on the floor map along with a table in the right pane. When you hover your mouse over the table, it points to the search element on the floor map with a connecting line.

  • Click the icon at the top-right corner of the floor map window to:

    • Export a floor plan as a PDF.

    • Measure the distance on the floor map.

    • Set the scale to modify the floor dimensions.

  • Click the icon at the bottom-right of the floor map window to zoom in on a location. The zooming levels depend upon the resolution of an image. A high-resolution image might provide more zoom levels. Each zoom level comprises a different style map shown at different scales, each one showing the corresponding details. Some maps are of the same style, but at a smaller or larger scale.

  • Click the icon to see a map with fewer details.

  • Click the icon to view the map icon legend.

Edit Floor Elements and Overlays

Using the Edit option available on the floor area, you can:

  • Add, position, and delete the following floor elements:

    • Access Points

    • Sensors

  • Add, edit, and delete the following overlay objects:

    • Coverage Areas

    • Obstacles

    • Location Regions

    • Rails

    • Markers

    • GPS Markers

Guidelines for Placing Access Points

Follow these guidelines while placing APs on the floor map:

  • Place APs along the periphery of coverage areas to keep devices close to the exterior of rooms and buildings. APs placed in the center of these coverage areas provide good data on devices that would otherwise appear equidistant from all other APs.

  • Location accuracy can be improved by increasing overall AP density and moving APs close to the perimeter of the coverage area.

  • In long and narrow coverage areas, avoid placing APs in a straight line. Stagger them so that each AP is more likely to provide a unique snapshot of the device location.

  • Although the design provides enough AP density for high-bandwidth applications, location suffers because each AP view of a single device is not varied enough. Therefore, location is difficult to determine. Move the APs to the perimeter of the coverage area and stagger them. Each has a greater likelihood of offering a distinctly different view of the device, resulting in higher location accuracy.

  • For optimal heatmap visibility on floor maps, configure the AP height to approximately 10 feet (3 meters) or lower.

Add, Position, and Delete APs

Cisco DNA Center computes heatmaps for the entire map that show the relative intensity of the Radio Frequency (RF) signals in the coverage area. The heatmap is only an approximation of the actual RF signal intensity because it does not consider the attenuation of various building materials, such as drywall or metal objects, nor does it display the effects of RF signals bouncing off obstructions.

Make sure that you have Cisco APs in your inventory. If not, discover APs using the Discovery feature. See About Discovery.

Cisco DNA Center supports the following 802.11ax APs:

  • Cisco Catalyst 9120 Access Points

  • Cisco Catalyst 9117 Access Points

  • Cisco Catalyst 9115 Access Points

  • Cisco Catalyst 9100 Access Points

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, select the floor.

Step 3

Click Edit, which is located above the floor plan in the middle pane.

Step 4

In the Floor Elements panel, next to Access Points, click Add.

Access points that are not assigned to any floors appear in the list.

Step 5

On the Add APs window, check the check boxes of the access points to select the APs in bulk, and click Add Selected. Alternatively, click Add next to an access point.

Note 

You can search for access points using the search option available. Use the Filter field to search for access points using the AP name, MAC address, model, or Cisco Wireless Controller. The search is case-insensitive. The search results appear in a table. Click Add to add one or more of these APs to the floor area.

Step 6

Close the Add APs window after assigning APs to the floor area.

Step 7

Newly added APs appear on the top-right corner of the floor map.

Step 8

In the Floor Elements pane, next to Access Points, click Position to position the APs correctly on the map.

  • To position the APs, click an AP and drag and drop it to the appropriate location on the floor map. Alternatively, you can update the x and y coordinates and AP Height in the Selected AP Details window. When you drag an access point on the map, its horizontal (x) and vertical (y) position appears in the text field. When selected, the access point details are displayed in the right pane. The Selected AP Details window displays the following:

    • Position by 3 points: You can draw three points on the floor map and position APs using the points created. To do this:

      1. Click Position by 3 points.

      2. To define the points, click anywhere on the floor map to start drawing the first point. Click again to finish drawing a point. A dialog box appears to set the distance to first point. Enter the distance, in meters, and click Set Distance.

      3. Define the second and third points similarly, and click Save.

    • Position by 2 Walls: You can define two walls on the floor map and position APs between the defined walls. This helps you to understand the AP position between the two walls.

      1. Click Position by 2 walls.

      2. To define the first wall, click anywhere on the floor map to start drawing the line. Click again to finish drawing a line. A dialog box appears to set the distance to the first wall. Enter the distance in meters and click Set Distance.

      3. Define the second wall similarly and click Save.

        The AP is placed automatically as per the defined distance between the walls.

    • AP Name: Shows the AP name.

    • AP Model: Indicates the AP model for the selected access point.

    • MAC Address: Displays the MAC address.

    • x: Indicates the horizontal span of the map, in feet.

    • y: Indicates the vertical span of the map, in feet.

    • AP Height: Indicates the height of the access point.

    • Protocol: Protocol for this access point: 802.11a/n/ac, 802.11b/g/n (for Hyper Location APs), or 802.11a/b/g/n.

    • Antenna: Antenna type for this access point.

      Note 

      For external APs, you must select an antenna, or the AP will not be present in the map.

    • Antenna Image: Shows the AP image.

    • Antenna Orientation: Indicates the Azimuth and the Elevation orientations, in degrees.

    • Azimuth: This option does not appear for omnidirectional antennas because their pattern is nondirectional in azimuth.

      The azimuth is the angle of the antenna measured relative to the x axis. The azimuth range is 0 to 360. In Cisco DNA Center, north is 0 or 360 degrees; east is 90 degrees.

Step 9

After you have completed placing and adjusting access points, click Save.

The heatmap is generated based on the new position of the AP.

If Cisco Connected Mobile Experiences (CMX) is synchronized with Cisco DNA Center, you can view the location of clients on the heatmap. See Create Cisco CMX Settings.

Step 10

In the Floor Elements panel, next to Access Points, click Delete.

The Delete APs window appears, listing all the assigned and placed access points.
Step 11

Check the check boxes next to the access points that you want to delete, and click Delete Selected.

  • To delete all the access points, click Select All and then Delete Selected.

  • To delete an access point from the floor, click the Delete icon.

  • Use Quick Filter and search using the AP name, MAC address, model, or controller. The search is case-insensitive. The search result appears in the table. Click the Delete icon to delete the APs from the floor area.


Quick View of APs

Hover your cursor over the AP icon on the floor map to view AP details, Rx neighbor information, client information, and Device 360 information.

  • Click Info to view the following AP details:

    • Associated: Indicates whether an AP is associated or not.

    • Name: AP name.

    • MAC Address: MAC address of the AP.

    • Model: AP model number.

    • Admin/Mode: Administration status of the AP mode.

    • Type: Radio type.

    • OP/Admin: Operational status and AP mode.

    • Channel: Channel number of the AP.

    • Antenna: Antenna name.

    • Azimuth: Direction of the antenna.

  • Click the Rx Neighbors radio button to view the immediate Rx neighbors for the selected AP on the map with a connecting line. The floor map also shows whether the AP is associated or not along with the AP name.

  • Click Device 360 to get a 360° view of a specific network element (router, switch, AP, or Cisco wireless controller). See the Monitor and Troubleshoot the Health of a Device topic in the Cisco DNA Assurance User Guide.


    Note

    For Device 360 to open, you must have the Assurance application installed.


Add, Position, and Delete Sensors


Note

Make sure you have the Cisco AP 1800S sensor in your inventory. The Cisco Aironet 1800s Active Sensor must be provisioned using Plug and Play for it to show up in the Inventory. See the Provision the Wireless Cisco Aironet 1800s Active Sensor topic in the Cisco DNA Assurance User Guide.


A sensor device is a dedicated AP 1800s sensor. The Cisco Aironet 1800s Active Sensor gets bootstrapped using PnP. After it obtains the Assurance server reachability details, it directly communicates with the Assurance server.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, select the floor.

Step 3

Click Edit, which is located above the floor plan.

Step 4

In the Floor Elements panel, next to Sensors, click Add.

Step 5

On the Add Sensors window, check the check boxes of the sensors that you want to add. Alternatively, click Add next to the sensor row to add sensors.

Note 

You can search for specific sensors using the search option. Use the Filter field and search using the name, MAC address, or model of a sensor. The search is case-insensitive. The search results are displayed in the table. Click Add to add one or more of these sensors to the floor area.

Step 6

Close the Add Sensors window after assigning sensors to the floor map.

Newly added sensors appear on the top-right corner of the floor map.

Step 7

To position the sensors, in the Floor Elements pane, next to Sensors, click Position and place them on the map.

Step 8

After you have completed placing and adjusting sensors, click Save.

Step 9

To delete a sensor, in the Floor Elements pane, next to Sensors, click Delete.

The Delete Sensors window lists all the assigned and placed sensors.

Step 10

Check the check boxes of the sensors that you want to delete, and click Delete Selected.

  • To delete all the sensors, click Select All, and click Delete Selected.

  • To delete a sensor from the floor, click the Delete icon next to that sensor.

  • Use Quick Filter and search using the name, MAC address, or model. The search is case-insensitive. The search results are displayed in a table. Click the Delete icon to delete one or more sensors from the floor area.


Add Coverage Areas

By default, any floor area or outside area defined as part of a building map is considered a wireless coverage area.

If you have a building that is nonrectangular or you want to mark a nonrectangular area within a floor, you can use the map editor to draw a coverage area or a polygon-shaped area.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, select the floor.

Step 3

Click Edit, which is located above the floor plan in the middle pane.

Step 4

In the Overlays panel, next to Coverage Areas, click Add.

The Coverage creation dialog box appears.

Step 5

To draw a coverage area, from the Type drop-down list, choose Coverage Area.

  1. Enter the name of the area you are defining, and click Add Coverage. The coverage area must be a polygon with at least 3 vertices.

  2. Move the drawing tool to the area you want to outline.

  3. Click the tool to start and stop a line.

  4. After you have outlined the area, double-click the area, which results in the area getting highlighted.

    Note 

    The outlined area must be a closed object for it to be highlighted on the map.

Step 6

To draw a polygon-shaped area, from the Type drop-down list, choose Perimeter.

  1. Enter the name of the area you are defining, and click Ok.

  2. Move the drawing tool to the area you want to outline.

    • Click the tool to start and stop a line.

    • After you have outlined the area, double-click the area, which results in the area getting highlighted on the page.

Step 7

To edit a coverage area, in the Overlays panel, next to Coverage Areas, click Edit.

The available coverage areas are highlighted on the map.

Step 8

Make the changes, and click Save.

Step 9

To delete a coverage area, in the Overlays panel, next to Coverage Areas, click Delete.

The available coverage areas are highlighted on the map.

Step 10

Hover your cursor over the coverage area, and click Delete.

Step 11

Click Save after the deletion.


Create Obstacles

You can create obstacles so that they can be considered while computing Radio Frequency (RF) prediction heatmaps for access points.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, select the floor.

Step 3

Click Edit, which is located above the floor plan in the middle pane.

Step 4

In the Overlays panel, next to Obstacles, click Add.

Step 5

In the Obstacle Creation dialog box, choose an obstacle type from the Obstacle Type drop-down list. The types of obstacles that you can create are Thick Wall, Light Wall, Heavy Door, Light Door, Cubicle, and Glass.

The estimated signal loss for the obstacle type you selected is automatically populated. The signal loss is used to calculate RF signal strength near these objects.

Step 6

Click Add Obstacle.

Step 7

Move the drawing tool to the area where you want to create an obstacle.

Step 8

Click the drawing tool to start and stop a line.

Step 9

After you have outlined the area, double-click the area to highlight it.

Step 10

In the Obstacle Creation window, click Done.

Step 11

Click Save to save the obstacle on the floor map.

Step 12

To edit an obstacle, in the Overlays panel, next to Obstacles, click Edit.

All the available obstacles are highlighted on the map.

Step 13

Click Save after the changes.

Step 14

To delete an obstacle, in the Overlays panel, next to Obstacles, click Delete.

All the available obstacles are highlighted on the map.

Step 15

Hover your cursor over the obstacle and click to delete.

Step 16

Click Save.


Location Region Creation

You can create inclusion and exclusion areas to further refine location calculations on a floor. You can define the areas that are included (inclusion areas) in the calculations and those areas that are not included (exclusion areas). For example, you might want to exclude areas such as an atrium or stairwell within a building, but include a work area, such as cubicles, labs, or manufacturing floors.

Guidelines for Placing Inclusion and Exclusion Areas on a Floor Map
  • Inclusion and exclusion areas can be any polygon-shaped area and must have at least 3 points.

  • You can only define 1 inclusion region on a floor. By default, an inclusion region is defined for each floor area when it is created. The inclusion region is indicated by a solid aqua line, and generally outlines the entire floor area.

  • You can define multiple exclusion regions on a floor area.

Define an Inclusion Region on a Floor
Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, select the floor.

Step 3

In the Overlays panel, next to Location Regions, click Add.

Step 4

In the Location Region Creation dialog window, from the Inclusion Type drop-down list, choose an option.

Step 5

Click Add Location Region.

A drawing icon appears to outline the inclusion area.

Step 6

To begin defining the inclusion area, move the drawing tool to a starting point on the map and click once.

Step 7

Move the cursor along the boundary of the area you want to include and click to end a border line.

Click again to define the next boundary line.

Step 8

Repeat Step 7 until the area is outlined and then double-click the drawing icon.

A solid aqua line defines the inclusion area.

Step 9

Click Save.


Define an Exclusion Region on a Floor

To further refine location calculations on a floor, you can define areas that are excluded (exclusion areas) in the calculations. For example, you might want to exclude areas such as an atrium or stairwell within a building. As a rule, exclusion areas are defined within the borders of an inclusion area.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, select the floor.

Step 3

Click Edit, which is located above the floor plan in the middle pane.

Step 4

In the Overlays panel, next to Location Regions, click Add.

Step 5

In the Location Region Creation window, from the Exclusion Type drop-down list, choose a value.

Step 6

Click Location Region.

A drawing icon appears to outline the exclusion area.

Step 7

To begin defining the exclusion area, move the drawing icon to a starting point on the map and click once.

Step 8

Move the drawing icon along the boundary of the area that you want to exclude.

Click once to start a boundary line, and click again to end the boundary line.

Step 9

Repeat the preceding step until the area is outlined and then double-click the drawing icon. The defined exclusion area is shaded in purple when the area is fully defined.

Step 10

To define more exclusion regions, repeat Step 5 to Step 9.

Step 11

When all the exclusion areas are defined, click Save.
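The guidelines for inclusion and exclusion areas above, expressed as geometry in an added example (not Cisco DNA Center code, and not a description of how the product computes location): it checks a set of regions against the guidelines and decides whether a coordinate falls in an area that counts. Region names, coordinates (in feet) and function names are constructed for illustration.

```python
def polygon_area(poly):
    """Absolute area by the shoelace formula; 0 means a degenerate outline."""
    total = 0.0
    for i, (x1, y1) in enumerate(poly):
        x2, y2 = poly[(i + 1) % len(poly)]
        total += x1 * y2 - x2 * y1
    return abs(total) / 2.0


def point_in_polygon(point, poly):
    """Ray casting: count polygon edges crossed by a ray going right."""
    x, y = point
    inside = False
    for i, (x1, y1) in enumerate(poly):
        x2, y2 = poly[(i + 1) % len(poly)]
        if (y1 > y) != (y2 > y):  # edge straddles the ray's height
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def validate_regions(inclusions, exclusions):
    """Return a list of guideline violations (empty list means none found)."""
    problems = []
    # Guideline: only 1 inclusion region per floor.
    if len(inclusions) != 1:
        problems.append(
            f"expected exactly 1 inclusion region, found {len(inclusions)}")
    # Guideline: every region is a polygon with at least 3 points.
    for name, poly in {**inclusions, **exclusions}.items():
        if len(poly) < 3:
            problems.append(f"{name}: needs at least 3 points, has {len(poly)}")
        elif polygon_area(poly) == 0:
            problems.append(f"{name}: points are collinear, no enclosed area")
    # Rule: exclusion areas sit within the inclusion area. Checking the
    # vertices is a necessary condition, not a full containment proof.
    if len(inclusions) == 1:
        boundary = next(iter(inclusions.values()))
        if len(boundary) >= 3:
            for name, poly in exclusions.items():
                outside = [p for p in poly
                           if not point_in_polygon(p, boundary)]
                if outside:
                    problems.append(
                        f"{name}: {len(outside)} point(s) outside the "
                        "inclusion region")
    return problems


def counts_toward_location(point, inclusion, exclusions):
    """True when the point is inside the inclusion area and no exclusion."""
    if not point_in_polygon(point, inclusion):
        return False
    return not any(point_in_polygon(point, poly)
                   for poly in exclusions.values())


# Constructed sample: an L-shaped floor with two excluded areas.
FLOOR = {"Floor 1": [(0, 0), (100, 0), (100, 60), (40, 60), (40, 100), (0, 100)]}
EXCLUSIONS = {
    "Atrium": [(10, 10), (30, 10), (30, 30), (10, 30)],
    "Stairwell": [(80, 40), (95, 40), (95, 55), (80, 55)],
}
# Constructed bad input: one region leaves the floor, one has only 2 points.
BAD_EXCLUSIONS = {
    "Dock": [(90, 50), (110, 50), (110, 70), (90, 70)],
    "Line": [(5, 5), (6, 6)],
}

if __name__ == "__main__":
    print(validate_regions(FLOOR, EXCLUSIONS))
    print(validate_regions(FLOOR, BAD_EXCLUSIONS))
    for pt in [(50, 20), (20, 20), (70, 80)]:
        print(pt, counts_toward_location(pt, FLOOR["Floor 1"], EXCLUSIONS))
```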


Edit Location Regions
Procedure

Step 1

In the Overlays panel, next to Location Regions, click Edit.

The available location regions are highlighted on the map.

Step 2

Make the necessary changes, and click Save.


Delete Location Regions
Procedure

Step 1

In the Overlays panel, next to Location Regions, click Delete.

The available location regions are highlighted on the map.

Step 2

Hover your cursor over the region that you want to delete, and click Delete.

Step 3

Click Save.


Create a Rail

You can define a rail line on a floor that represents a conveyor belt. Also, you can define an area around the rail area known as the snap-width to further assist location calculations. This represents the area in which you expect clients to appear. Any client located within the snap-width area is plotted on the rail line (majority) or outside of the snap-width area (minority).

The snap-width area is defined in feet or meters (user-defined) and represents the distance that is monitored on either side (east and west or north and south) of the rail.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, select the floor.

Step 3

Click Edit, which is located above the floor plan in the middle pane.

Step 4

In the Overlays panel, next to Rails, click Add.

Step 5

Enter a snap-width (feet or meters) for the rail, and click Add Rail.

A drawing icon appears.

Step 6

Click the drawing icon at the starting point of the rail line. Click again when you want to stop drawing the line or change the direction of the line.

Step 7

Click the drawing icon twice when the rail line is drawn on the floor map. The rail line appears on the map and is bordered on either side by the defined snap-width region.

Step 8

Click Save.

Step 9

In the Overlays panel, next to Rails, click Edit.

The available rails are highlighted on the map.

Step 10

Make changes, and click Save.

Step 11

In the Overlays panel, next to Rails, click Delete.

All the available rail lines are highlighted on the map.

Step 12

Hover your cursor over the rail line that you want to delete, and click Delete.

Step 13

Click Save.


Place Markers

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Hierarchy.

Step 2

In the left pane, select the floor.

Step 3

Click Edit, which is located above the floor plan in the middle pane.

Step 4

In the Overlays panel, next to Markers, click Add.

A drawing icon appears.

Step 5

Enter the name for the markers, and then click Add Marker.

Step 6

Click the drawing icon and place the marker on the map.

Step 7

Click Save.

Step 8

In the Overlays panel, next to Markers, click Edit.

The available markers are highlighted on the map.

Step 9

Make changes, and click Save.

Step 10

In the Overlays panel, next to Markers, click Delete.

All the available markers are highlighted on the map.

Step 11

Hover your cursor over the marker that you want to delete, and click Delete.

Step 12

Click Save.


Floor View Options

Click View Options, which is located above the floor plan in the middle pane. The floor map appears along with these panels in the right pane: Access Points, Sensor, Overlay Objects, Map Properties, and Global Map Properties.

You can modify the appearance of the floor map by selecting or unselecting various parameters. For example, if you want to view only the access point information on the floor map, check the Access Point check box. You can expand each panel to configure various settings available for each floor element.

View Options for Access Points

Click the On/Off button next to Access Points to view access points on the map. Expand the Access Points panel to configure these settings:

  • Display Label—From the drop-down list, choose a text label that you want to view on the floor map for the AP. The available display labels are:

    • None—No labels are displayed for the selected access point.

    • Name—AP name.

    • AP MAC Address—AP MAC address.

    • Controller IP—IP address of Cisco Wireless Controller to which the access point is connected.

    • Radio MAC Address—Radio MAC address.

    • IP Address

    • Channel—Cisco Radio channel number or Unavailable (if the access point is not connected).

    • Coverage Holes—Percentage of clients whose signal has become weaker until the client lost its connection. It shows Unavailable for access points that are not connected and MonitorOnly for access points that are in monitor-only mode.

    • TX Power—Current Cisco Radio transmit power level (with 1 being high) or Unavailable (if the access point is not connected). If you change the radio band, the information on the map changes accordingly.

      The power levels differ depending on the type of access point. The 1000 series APs accept a value between 1 and 5, the 1230 access points accept a value between 1 and 7, and the 1240 and 1100 series access points accept a value between 1 and 8.

    • Channel and Tx Power—Channel and transmit power level (or Unavailable if the access point is not connected).

    • Utilization—Percentage of bandwidth used by the associated client devices (including receiving, transmitting, and channel utilization). Displays Unavailable for disassociated access points and MonitorOnly for access points in monitor-only mode.

    • Tx Utilization—Transmitted (Tx) utilization for the specified interface.

    • Rx Utilization—Received (Rx) utilization for the specified interface.

    • Ch Utilization—Channel utilization for the specified access point.

    • Assoc. Clients—Total number of clients associated.

    • Dual-Band Radios—Identifies and marks the XOR dual-band radios on the Cisco Aironet 2800 and 3800 Series Access Points.

    • Health Score—AP health score.

    • Issue Count

    • Coverage Issues

    • AP Down Issues

  • Heatmap Type—A heatmap is a graphical representation of Radio Frequency (RF) wireless data in which the values taken by a variable are represented on the map as colors. The current heatmap is computed based on the RSSI prediction model, antenna orientation, and AP transmit power. From the Heatmap Type drop-down list, select the heatmap type: None, AP RSSI, Client Density, IDS, Planned Heatmap, or Coverage.

    • None

    • AP RSSI—Shows the coverage heatmap which identifies the strength of wireless signal in the specific band.

      • RSSI Cut off (dBm)—Drag the slider to set the RSSI cutoff level. The RSSI cutoff ranges from -60 dBm to -90 dBm.

      • Heatmap Opacity (%)—Drag the slider between 0 and 100 to set the heatmap opacity.

      • Heatmap Color Scheme—Shows the green color as good heatmap coverage and red color as poor heatmap coverage.

    • Client Density—Shows the client density of associated clients.

      • Map Opacity (%)—Drag the slider to set the map opacity.

    • IDS—IDS heatmap shows the monitor mode access point coverage provided to the wireless clients on a floor map.

    • Planned Heatmap—A planned heatmap is a hypothetical heatmap which shows the possible coverage of planned access points on a floor map.

    • Coverage—If you have monitor mode access points on the floor plan, you can select coverage heatmap. A coverage heatmap excludes monitor mode access points.

The AP details are reflected on the map immediately. Hover your cursor over the AP icon on the map to view AP details, RX neighbors details, client details, and switch information.

View Options for Sensors

Click the Sensors button to view sensors on the map. Expand the Sensors panel to configure these settings:

  • Display Label: From the drop-down list, choose a text label that you want to view on the floor map for the selected access point. The available display labels are:

    • None

    • Name: Sensor name.

    • Sensor MAC Address: Sensor MAC address.

View Options for Overlay Objects

Expand the Overlay Objects panel to configure these settings. Use the On/Off buttons to view these overlay objects on the map.

  • Coverage Areas

  • Location Regions

  • Obstacles

  • Rails

  • Markers

Configure Map Properties

Expand the Map Properties panel to configure:

  • Auto Refresh—Provides an interval drop-down list to set how often you want to refresh maps data from the database. From the Auto Refresh drop-down list, set the time intervals: None, 1 min, 2 mins, 5 mins, or 15 mins.

Configure Global Map Properties

Expand the Global Map Properties panel to configure:

  • Unit of Measure—From the drop-down list, set the dimension measurements for maps to either Feet or Meters.

Data Filtering

Filter Access Point Data

Click Access Point under the Filters panel in the right pane.

  • Choose the radio type from the drop-down list, located above the floor map in the middle pane: 2.4 GHz, 5 GHz, or 2.4 GHz & 5 GHz.

  • Click + Add Rule to add a query:

    • Choose the access point identifier you want to view on the map.

    • Choose the parameter by which you want to filter access points.

    • Enter the specific filter criteria in the text box for the applicable parameters, and click Go. The search results appear in a tabular format.

    • Click Apply Filters to List to view the filter results on the map. To view a particular access point on the map, check the check box of the access point in the table that is displayed, and click Show Selected on Maps.

When you hover your mouse cursor over the search result in the table, the location of the AP is marked by a line on the map.

Filter Sensor Data

Click Sensor under the Filters panel in the right pane.

  • Choose the radio type from the drop-down list, located above the floor map in the middle pane: 2.4 GHz, 5 GHz, or 2.4 GHz & 5 GHz.

  • Click + Add Rule to add a query:

    • Choose the sensor identifier you want to view on the map: Name and MAC Address.

    • Choose the parameter by which you want to filter sensors.

    • Enter the specific filter criteria in the text box for the applicable parameters, and click Go. The search results appear in a tabular format.

    • Click Apply Filters to List to view the filter results on the map. To view a particular sensor on the map, check the check box of the sensor in the table that is displayed, and click Show Selected on Maps.

When you hover your mouse cursor over the search result in the table, the location of the sensor is marked by a line on the map.

Manage Inventory

About Inventory

The Inventory function retrieves details about devices, such as host IP addresses, MAC addresses, and network attachment points, and saves them in its database.

The Inventory feature can also work with the Device Controllability feature to configure the required network settings on devices, if these settings are not already present on the device.

Inventory uses the following protocols, as required:

  • Link Layer Discovery Protocol (LLDP).

  • IP Device Tracking (IPDT) or Switch Integrated Security Features (SISF). (IPDT or SISF must be enabled on the device.)

  • LLDP Media End-point Discovery. (This protocol is used to discover IP phones and some servers.)

  • Network Configuration Protocol (NETCONF). For a list of devices, see Discovery Prerequisites.

After the initial discovery, Cisco DNA Center maintains the inventory by polling the devices at regular intervals. The default interval is every six hours. However, you can change this interval up to 24 hours, as required for your network environment. For more information, see Update the Device Polling Interval. Also, a configuration change in the device triggers an SNMP trap, which in turn triggers device resynchronization. Polling occurs for each device, link, host, and interface. Only the devices that have been active for less than one day are displayed. This prevents stale device data, if any, from being displayed. On average, polling 500 devices takes approximately 20 minutes.

Update the Device Polling Interval

You can update the polling interval at the global level for all devices by choosing System > Settings > Network Resync Interval or at the device level for a specific device by choosing Device Inventory. When you set the polling interval using the Network Resync Interval, that value takes precedence over the Device Inventory polling interval value.

If you do not want a device to be polled, you can disable polling.

Before you begin

Make sure that you have devices in your inventory. If not, discover devices using the Discovery feature.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Provision > Devices > Inventory.

Step 2

Select the devices that you want to update.

Step 3

Click Update Polling Interval.

Step 4

From the Update Resync Interval dialog box, in the Status field, click Enabled to turn on polling or click Disabled to turn off polling.

Step 5

In the Polling Time field, enter the time interval (in minutes) between successive polling cycles. Valid values are from 25 to 1440 minutes (24 hours).

Note 

The device-specific polling time supersedes the global polling time. If you set the device-specific polling time and then change the global polling time, Cisco DNA Center continues to use the device-specific polling time.

Step 6

Click Update.


Display Information About Your Inventory

The Inventory table displays information for each discovered device. Click the column header to sort the rows in ascending order. Click the column header again to sort the rows in descending order.

To select which columns to show or hide in the table, click . Note that the column selection does not persist across sessions.

Before you begin

Make sure that you have devices in your inventory. If not, discover devices using the Discovery feature.

Procedure


In the Cisco DNA Center GUI, click the Menu icon and choose Provision > Inventory.

The Inventory window displays the device information gathered during the discovery process. The following table describes the information that is available.
Table 16. Inventory
Column Description

Device Name

Name of the device.

Click the device name to view the following device details:

  • Details: Displays details such as device name, reachability status, Manageability status, IP address, device model, role, uptime, site, and so on.

  • View Assurance 360: Displays 360 window. For 360 to open, you must have installed the Assurance application.

  • Interfaces

    • Ethernet Ports (For all devices): Displays the operational status and admin status of the ethernet ports. Click the info icon to view the status legend.

      The Ports table displays the operational status, admin status, type, VLAN, MAC address, PoE status, speed, and MTU. You can click the Search or Filter option to view the details of the desired ports.

    • VLANs (Only for Switches and hubs): The VLAN table displays the VLAN ID, operational status, admin status, VLAN type, and IP address. You can click the Search or Filter option to view the details of the desired VLAN.

    • Virtual Ports (Only for wireless devices, controllers, and routers): The ports table displays the operational status, admin status, type, MAC address, PoE status, speed, and MTU. You can click the Search or Filter option to view the details of the desired ports.

  • Hardware and Software: Displays the hardware and software details of the device.

  • Configuration: Displays detailed configuration information similar to what is displayed in the output of the show running-config command.

    This feature is not supported for access points (APs) and wireless controllers. Therefore, configuration data is not returned for these device types.

  • Power: Displays power budgeted, power consumed, and power remaining details of the device. The Power Supplies table shows the operational status, serial number, and vendor equipment type details.

  • Fans: Displays the operational status, serial number, and vendor equipment type of fans.

  • Wireless Info: Displays the primary and secondary managed locations.

  • Mobility: Displays the mobility group name, RF group name, virtual IP, and mobility MAC address.

Note

A device name that is displayed in red means that inventory has not polled the device and updated its information for more than 30 minutes.

IP Address

IP address of the device.

Support Type

Shows the device support level as follows:

  • Supported: The device pack is tested for all applications on Cisco DNA Center. You can open a service request if any of the Cisco DNA Center functionalities for these devices do not work.

  • Unsupported: All remaining Cisco and third party devices which are not tested and certified on Cisco DNA Center. You may try out various functionalities on Cisco DNA Center for these devices as best effort. However, we do not expect you to raise a service request or a bug if Cisco DNA Center features do not work as expected.

  • Third Party: Device pack is built by customers/business partners and has gone through the certification process. Third party devices will support base automation capabilities such as Discovery, Inventory, Topology, and so on. Cisco TAC will provide an initial level of support for these devices. However, if there is a problem with the device pack, you must reach out to the business partner for a fix.

Reachability

The following is a list of the various statuses:

  • Reachable: The device is reachable by Cisco DNA Center using SNMP, HTTP(S), and Netconf poll mechanisms.

  • Ping Reachable: The device is reachable by Cisco DNA Center using ICMP polling mechanism and not reachable using SNMP, HTTP(S), and Netconf poll mechanisms.

  • Unreachable: The device is not reachable using SNMP, HTTP(S), Netconf, and ICMP poll mechanisms.

Manageability

Shows the device status as follows:

  • Managed with green tick icon: Device is reachable and is fully managed.

  • Managed with orange error icon: Device is managed with some error, such as unreachable, authentication failure, missing Netconf ports, internal error, and so on. You can hover the mouse over the error message to view more details about the error and the impacted applications.

  • Unmanaged: Device cannot be reached and no inventory information was collected due to device connectivity issues.

MAC Address

MAC address of the device.

Image Version

Cisco IOS software that is currently running on the device.

Platform

Cisco product part number.

Serial Number

Cisco device serial number.

Uptime

Period of time that the device has been up and running.

Device Role

Role assigned to each discovered device during the scan process. The device role is used to identify and group devices according to their responsibilities and placement within the network. If Cisco DNA Center is unable to determine a device role, it sets the device role to Unknown.

Note 

If you manually change the device role, the assignment remains static. Cisco DNA Center does not update the device role even if it detects a change during a subsequent device resynchronization.

If required, you can use the drop-down list in this column to change the assigned device role. The following device roles are available:

  • Unknown

  • Access

  • Core

  • Distribution

  • Border Router

Site

The site to which the device is assigned. Click Assign if the device is not assigned to any site. Click Choose a Site, select a site from the hierarchy, and then click Save. For more information, see About Network Hierarchy.

Last Updated

Most recent date and time that Cisco DNA Center scanned the device and updated the database with new information about the device.

Device Family

Group of related devices, such as routers, switches, hubs, or wireless controllers.

Device Series

Series number of the device; for example, Cisco Catalyst 4500 Series Switches.

Resync Interval

The polling interval for the device. This interval can be set globally in Settings or for a specific device in Inventory. For more information, see Cisco DNA Center Administrator Guide.

Last Sync Status

Status of the last Discovery scan for the device:

  • Managed: Device is in a fully managed state.

  • Partial Collection Failure: Device is in a partial collected state and not all the inventory information has been collected. Move the cursor over the Information (i) icon to display additional information about the failure.

  • Unreachable: Device cannot be reached and no inventory information was collected due to device connectivity issues. This condition occurs when periodic collection takes place.

  • Wrong Credentials: If device credentials are changed after adding the device to the inventory, this condition is noted.

  • In Progress: Inventory collection is occurring.
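An added example, not Cisco DNA Center code: it triages rows of an inventory export using the Reachability and Last Sync Status values and the 25 to 1440 minute polling range documented on this page, so that devices the platform cannot fully see stand out. The CSV layout, the timestamp format, the "Disabled" marker and the rule that a device is overdue once its last update is older than its resync interval are assumptions of this example.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export. Column names follow the Inventory table above;
# the CSV layout, timestamp format and "Disabled" marker are assumptions.
SAMPLE_CSV = """\
Device Name,Reachability,Last Sync Status,Site,Resync Interval,Last Updated
core-sw-01,Reachable,Managed,Global/HQ/Floor1,360,2024-05-01 11:30:00
edge-rtr-02,Ping Reachable,Partial Collection Failure,Global/HQ/Floor1,360,2024-05-01 09:00:00
lab-sw-03,Unreachable,Unreachable,,360,2024-04-29 08:00:00
wlc-04,Reachable,Wrong Credentials,Global/HQ/Floor2,20,2024-05-01 11:50:00
acc-sw-05,Reachable,Managed,Global/HQ/Floor2,1440,2024-04-30 06:00:00
ap-06,Reachable,Managed,Global/HQ/Floor2,Disabled,2024-05-01 11:00:00
"""
SAMPLE_NOW = datetime(2024, 5, 1, 12, 0, 0)  # constructed "current time"

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
MIN_INTERVAL, MAX_INTERVAL = 25, 1440  # valid polling time, in minutes

# Status values taken from the Reachability and Last Sync Status rows.
REACHABILITY_GAPS = {
    "Ping Reachable": "answers ICMP only; SNMP, HTTP(S) and NETCONF polls fail",
    "Unreachable": "no response to SNMP, HTTP(S), NETCONF or ICMP polls",
}
SYNC_GAPS = {
    "Partial Collection Failure": "inventory only partially collected",
    "Unreachable": "last collection failed because the device was unreachable",
    "Wrong Credentials": "stored credentials no longer match the device",
}


def audit_row(row, now):
    """Return the list of visibility findings for one inventory row."""
    findings = []
    reach = row["Reachability"].strip()
    if reach in REACHABILITY_GAPS:
        findings.append(REACHABILITY_GAPS[reach])
    sync = row["Last Sync Status"].strip()
    if sync in SYNC_GAPS:
        findings.append(SYNC_GAPS[sync])
    if not row["Site"].strip():
        findings.append("not assigned to a site")

    interval_text = row["Resync Interval"].strip()
    if not interval_text.isdigit():
        # Polling can be turned off per device; its data then only ages.
        findings.append("polling disabled for this device")
        return findings
    interval = int(interval_text)
    if not MIN_INTERVAL <= interval <= MAX_INTERVAL:
        findings.append(
            f"resync interval {interval} min is outside "
            f"{MIN_INTERVAL}-{MAX_INTERVAL} min")
    age = now - datetime.strptime(row["Last Updated"].strip(), TS_FORMAT)
    if age > timedelta(minutes=interval):
        findings.append(f"last update {age} ago exceeds the resync interval")
    return findings


def audit(csv_text, now):
    """Map device name to findings, listing only devices that have any."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = audit_row(row, now)
        if findings:
            report[row["Device Name"].strip()] = findings
    return report


if __name__ == "__main__":
    for device, findings in audit(SAMPLE_CSV, SAMPLE_NOW).items():
        print(device)
        for finding in findings:
            print("  -", finding)
```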


Delete a Network Device

You can delete devices from the Cisco DNA Center database, as long as they have not already been added to a site.

Before you begin

You must have administrator (ROLE_ADMIN) permissions and access to all devices (RBAC Scope set to ALL) to perform this procedure.

Make sure that you have devices in your inventory. If not, discover devices using the Discovery feature.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Provision > Inventory.

The Inventory window displays the device information gathered during the Discovery process.
Step 2

Check the check box next to the device or devices that you want to delete.

Note 

You can select multiple devices by checking additional check boxes, or you can select all the devices by checking the check box at the top of the list.

Step 3

From the Actions drop-down list, choose Inventory > Delete Device.

Step 4

In the Warning window, check the Config Clean-Up check box to remove the network settings and telemetry configuration from the selected device.

Step 5

Confirm the action by clicking OK.


Add a Device to a Site

Adding devices to a site configures Cisco DNA Center as the syslog and SNMP trap server, enables Syslog Level 2, and configures global telemetry settings.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Provision > Inventory.

The Inventory window displays the device information gathered during the Discovery process.
Step 2

Check the check box for the devices that you want to assign to a site.

Step 3

From the Actions menu, choose Provision > Assign Device to Site.

The Assign Device to Site slide-in pane appears.
Step 4

In the Assign Device to Site slide-in pane, click the link next to the icon for the device.

The Choose a floor slide-in pane appears.
Step 5

In the Choose a floor slide-in pane, select the floor to assign to the device.

Step 6

Click Save.

Step 7

(Optional) If you selected multiple devices to add to the same location, you can check the Apply to All check box for the first device to assign its location to the rest of the devices.

Step 8

Click Assign.

Step 9

When assigning devices to a site, if Device Controllability is enabled, a workflow is automatically triggered to push the device configuration from the site to the devices.

From the Focus drop-down list, choose Provision and click See Details in the Provision Status column. The configuration that is pushed to the device is shown in a separate window if you enabled Device Controllability.

About Cisco ISE Configuration for Cisco DNA Center

If your network uses Cisco ISE for user authentication, you can configure Cisco DNA Center for Cisco ISE integration. This enables you to see more information about wired clients, such as the username and operating system.

Cisco ISE configuration is centralized within NCP (Network Control Platform), which enables you to configure Cisco ISE at one GUI location. The workflow for configuring Cisco ISE is as follows:

  1. In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > External Services > Authentication and Policy Servers, and enter the Cisco ISE server details.

  2. After the Cisco ISE server is successfully added, NCP establishes a connection with NDP (Network Data Platform) and sends the details of the pxGrid nodes, keystore, and truststore files.

  3. NDP uses the configuration received from NCP to establish a pxGrid session.

  4. NCP automatically detects pxGrid node failovers and persona moves, and communicates them to NDP.

  5. If there are ISE deployment changes, NDP starts a new pxGrid session with a new pxGrid ACTIVE node.

Configure Authentication and Policy Servers

Cisco DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.

Before you begin

  • If you are using Cisco ISE to perform both policy and AAA functions, make sure that Cisco DNA Center and Cisco ISE are integrated.

  • If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do the following:

    • Register Cisco DNA Center with the AAA server, including defining the shared secret on both the AAA server and Cisco DNA Center.

    • Define an attribute name for Cisco DNA Center on the AAA server.

    • For a Cisco DNA Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.

  • Before you configure Cisco ISE, confirm that:

    1. You deployed Cisco ISE 2.3 or later in your network. If you have a multihost Cisco ISE deployment, integrate with the Cisco ISE admin node.

    2. SSH is enabled on the Cisco ISE node.

    3. The pxGrid service is enabled on the Cisco ISE host with which you plan to integrate Cisco DNA Center, and the ERS service is enabled for read/write operations.


      Note

      Cisco ISE 2.4 and later supports pxGrid 2.0 and pxGrid 1.0. Although pxGrid 2.0 allows up to four pxGrid nodes in the Cisco ISE deployment, Cisco DNA Center does not currently support more than two pxGrid nodes.


    4. The Cisco ISE GUI and Cisco ISE shell usernames and passwords are the same.

    5. There is no proxy configured between Cisco DNA Center and Cisco ISE. If a proxy server is configured on Cisco ISE, the Cisco DNA Center IP address must bypass that proxy server.

    6. There is no firewall between Cisco DNA Center and Cisco ISE. If there is a firewall, open the communication between Cisco DNA Center and Cisco ISE.

    7. A ping between Cisco DNA Center and Cisco ISE succeeds with both the IP address and hostname.

    8. The Cisco ISE admin node certificate contains the Cisco ISE IP address or FQDN in either the certificate subject name or the SAN.

    9. If a third-party certificate is used, the certificate includes all IP addresses in the SAN field.

    10. The pxGrid approval is set for automatic or manual approval in Cisco ISE to enable the pxGrid connection in Cisco DNA Center.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings > External Services > Authentication and Policy Servers.

Step 2

Click Add.

Step 3

Configure the primary AAA server by providing the following information:

  • Server IP Address: IP address of the AAA server.

  • Shared Secret: Key for device authentications. The shared secret can contain up to 128 characters.

Step 4

To configure a AAA server (not Cisco ISE), leave the Cisco ISE Server toggle set to Off and proceed to the next step.

To configure a Cisco ISE server, set the Cisco ISE server toggle to On and enter information in the following fields:

  • Username: Name that is used to log in to the Cisco ISE CLI.

    Note 

    This user must be a Super Admin.

  • Password: Password for the Cisco ISE CLI username.

  • FQDN: Fully qualified domain name (FQDN) of the Cisco ISE server.

    Note 
    • We recommend that you copy the FQDN that is defined in Cisco ISE (Administration > Deployment > Deployment Nodes > List) and paste it directly into this field.

    • The FQDN that you enter must match the FQDN, Common Name (CN), or Subject Alternative Name (SAN) defined in the Cisco ISE certificate.

    The FQDN consists of two parts, a hostname and the domain name, in the following format:

    hostname.domainname.com

    Example: The FQDN for a Cisco ISE server can be ise.cisco.com.

  • SSH Key:

    The SSH key is a Diffie-Hellman crypto key in base64-encoded format. This key provides security for SSH connections to the Cisco ISE Administration console. You can retrieve the key with the Cisco ISE CLI commands show crypto authorized_keys and show crypto host_keys.

  • Virtual IP Address(es): Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses.

Note 

After the required information is provided, Cisco ISE is integrated with Cisco DNA Center in two phases. It takes several minutes for the integration to complete. The phase-wise integration status is shown in the Authentication and Policy Servers page and System 360 page as follows:

Cisco ISE server registration phase:

  • Authentication and Policy Servers page: "In Progress"

  • System 360 page: "Primary Available"

pxGrid subscriptions registration phase:

  • Authentication and Policy Servers page: "Active"

  • System 360 page: "Primary Available" and "PXGRID Available"

If the status of the configured Cisco ISE server is "FAILED" due to a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.

Step 5

Click View Advanced Settings and configure the settings:

  • Protocol: TACACS and RADIUS (the default). You can select both protocols.

    Attention 

    If you do not enable TACACS for a Cisco ISE server here, you cannot configure the Cisco ISE server as a TACACS server under Design > Network Settings > Network when configuring a AAA server for network device authentication.

  • Authentication Port: Port used to relay authentication messages to the AAA server. The default is UDP port 1812.

  • Accounting Port: Port used to relay important events to the AAA server. The information in these events is used for security and billing purposes. The default UDP port is 1813.

  • Port: Port used by TACACS. The default port is 49.

  • Retries: Number of times that Cisco DNA Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 3.

  • Timeout: Length of time the device waits for the AAA server to respond before abandoning the attempt to connect. The default timeout is 4 seconds.

Step 6

Click Add.

Step 7

To add a secondary server, repeat the preceding steps.
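
The certificate prerequisites in Before you begin (items 8 and 9) and the FQDN note in Step 4 can be checked before you click Add. The following Python check is an added example, not Cisco code; the function names and the sample certificate are constructed, and it assumes the Cisco ISE admin certificate has already been parsed into the dict shape that Python's ssl.SSLSocket.getpeercert() returns.

```python
import ipaddress

# Constructed sample in the dict shape that ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "subject": ((("organizationName", "Example Corp"),),
                (("commonName", "ise.example.com"),)),
    "subjectAltName": (("DNS", "ise.example.com"),
                       ("IP Address", "192.0.2.10")),
}


def _as_ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def cert_names(cert):
    """Split a parsed certificate into (subject CNs, DNS SANs, IP SANs)."""
    cns = {value.lower().rstrip(".")
           for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"}
    dns, ips = set(), set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.add(value.lower().rstrip("."))
        elif kind == "IP Address" and _as_ip(value) is not None:
            ips.add(_as_ip(value))
    return cns, dns, ips


def check_ise_certificate(cert, fqdn, node_ips, third_party=False):
    """Return a list of findings; an empty list means every check passed.

    fqdn        -- value you plan to enter in the FQDN field (Step 4)
    node_ips    -- Cisco ISE IP addresses, supplied by the operator (assumption)
    third_party -- True if the certificate was issued by a third-party CA
    """
    findings = []
    cns, dns, san_ips = cert_names(cert)
    fqdn = fqdn.lower().rstrip(".")
    wanted = {ipaddress.ip_address(ip) for ip in node_ips}

    # Step 4 note: the FQDN must match the CN or a SAN entry. Comparison is
    # exact and case-insensitive; wildcard entries are not expanded here.
    fqdn_ok = fqdn in cns | dns
    if not fqdn_ok:
        findings.append(f"FQDN {fqdn} does not match the certificate CN or SAN")

    # Prerequisite 8: the IP address or FQDN is in the subject name or the SAN.
    cn_ips = {_as_ip(cn) for cn in cns} - {None}
    if not fqdn_ok and not wanted & (san_ips | cn_ips):
        findings.append("neither the ISE IP address nor the FQDN is in the "
                        "subject name or SAN")

    # Prerequisite 9: a third-party certificate lists every IP address in the SAN.
    if third_party:
        for ip in sorted(wanted - san_ips, key=str):
            findings.append(f"IP address {ip} is missing from the SAN field")
    return findings
```

Note that ssl.SSLSocket.getpeercert() returns a populated dict only when the peer certificate was validated, so the Cisco ISE certificate chain must be trusted on the machine that runs the check.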


Configure Syslog, SNMP Traps, NetFlow Collector Servers, and Wired Client Data Collection Using Telemetry

With Cisco DNA Center, you can configure global network settings when devices are assigned to a specific site. Telemetry polls network devices and collects telemetry data according to the settings in the SNMP server, the syslog server, the NetFlow Collector, or the wired client.

Before you begin

Create a site and assign a device to the site. See Create a Site in a Network Hierarchy.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Design > Network Settings > Telemetry.

Step 2

Expand the SNMP Traps area if it is not visible and do one of the following:

  1. Check the Cisco DNA Center as SNMP trap server check box.

  2. Check the Add an external SNMP trap server check box and enter the IP address of the external SNMP trap server.

    The selected server collects SNMP traps and messages from the network devices.

Step 3

Expand the Syslogs area if it is not visible and do one of the following:

  1. Check the Use Cisco DNA Center as syslog server check box.

  2. Check the Add an external syslog server check box and enter the IP address of the external syslog server.

Step 4

Expand the NetFlow area if it is not visible and do one of the following:

  1. Check the Use Cisco DNA Center as NetFlow collector server check box.

    The NetFlow configuration on the device interfaces is completed only when you enable application telemetry on the device. Select the NetFlow collector at the site level to configure the NetFlow destination server to the device.
  2. Check the Add an external NetFlow collector server check box and enter the IP address and port number of the NetFlow Collector server.

    The selected server is the destination server for NetFlow export from the network devices. If the NetFlow Collector is not selected, the application telemetry enablement will not work.

Step 5

Expand the Wired Client Data Collection area and check the Monitor wired clients check box.

This selection turns on IP Device Tracking (IPDT) on the access devices of the site.

By default, IPDT is disabled for the site.

Step 6

Click Save.


Configure Cisco AI Network Analytics Data Collection

Use this procedure to enable Cisco AI Network Analytics to export network event data from wireless controllers as well as the site hierarchy to the Cisco DNA Center.

Before you begin

  • Make sure that you have the Cisco DNA Advantage software license for Cisco DNA Center. The AI Network Analytics application is part of the Cisco DNA Advantage software license.

  • Make sure that you have downloaded and installed the AI Network Analytics application. See the "Download and Install Packages and Updates" topic in the Cisco Digital Network Architecture Center Administrator Guide.

  • Make sure that your network or HTTP proxy is configured to allow outbound HTTPS (TCP 443) access to the following cloud hosts:

    • api.use1.prd.kairos.ciscolabs.com (US East Region)

    • api.euc1.prd.kairos.ciscolabs.com (EU Central Region)

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings.

Step 2

Scroll down to External Services and choose Cisco AI Analytics.

The AI Network Analytics window appears.
Step 3

Do one of the following:

  • If you have an earlier version of Cisco AI Network Analytics installed in your appliance, do the following:
    1. Click Recover from a config file.

      The Restore AI Network Analytics window appears.

    2. Drag-and-drop the configuration files in the area provided or choose the files from your file system.

    3. Click Restore.

      Cisco AI Network Analytics might take a few minutes to restore, and then the Success dialog box appears.
  • If this is the first time you are configuring Cisco AI Network Analytics, do the following:
    1. Click Configure.

    2. In the Where should we securely store your data? area, choose the location to store your data. Options are: Europe (Germany) or US East (North Virginia).

      The system starts testing cloud connectivity as indicated by the Testing cloud connectivity... tab. After cloud connectivity testing completes, the Testing cloud connectivity... tab changes to Cloud connection verified.

    3. Click Next.

      The terms and conditions window appears.

    4. Click the Accept Cisco Universal Cloud Agreement check box to agree to the terms and conditions, and then click Enable.

      Cisco AI Network Analytics might take a few minutes to enable, and then the Success dialog box appears.
Step 4

In the Success dialog box, click Okay.

The AI Network Analytics window appears, and the Cloud Connection area displays .
Step 5

(Recommended) In the AI Network Analytics window, click Download Configuration file.


Disable Cisco AI Network Analytics Data Collection

To disable Cisco AI Network Analytics data collection, you must turn off (disable) the connection to the Cisco AI Network Analytics cloud service. This will disable all of the Cisco AI Network Analytics-related features, such as AI-Driven Issues, Network Heatmap, Site Comparison, and Peer Comparison.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings.

Step 2

Scroll down to External Services and choose Cisco AI Analytics.

The AI Network Analytics window appears.
Step 3

In the Cloud Connection area, click the button to off, such that appears.

Step 4

Click Update.

Step 5

To delete your network data from the Cisco AI Network Analytics cloud, contact the Cisco Technical Response Center (TAC) and open a support request.

Step 6

(Optional) If you have misplaced your previous configuration, click Download configuration file.


Update the Machine Reasoning Knowledge Base

Machine Reasoning knowledge packs are step-by-step workflows that are used by the Machine Reasoning Engine (MRE) to identify security issues and improve automated root cause analysis. These knowledge packs are continuously updated as more information is received. The Machine Reasoning Knowledge Base is a repository of these knowledge packs (workflows). To have access to the latest knowledge packs, you can either configure Cisco DNA Center to automatically update the Machine Reasoning Knowledge Base on a daily basis, or you can perform a manual update.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose System > Settings.

Step 2

Scroll down to External Services and choose Machine Reasoning Knowledge Base.

The Machine Reasoning Knowledge Base window shows the following information:
  • INSTALLED: Shows the installed version and installation date of the Machine Reasoning Knowledge Base package.

When there is a new update to the Machine Reasoning Knowledge Base, the AVAILABLE UPDATE area appears in the Machine Reasoning Knowledge Base window, which provides the Version and Details about the update.

  • AUTO UPDATE: Automatically updates the Machine Reasoning Knowledge Base in Cisco DNA Center on a daily basis.

Step 3

(Recommended) Check the AUTO UPDATE check box to automatically update the Machine Reasoning Knowledge Base.

The Next Attempt area shows the date and time of the next update.

You can perform an automatic update only if Cisco DNA Center is successfully connected to the Machine Reasoning Engine in the cloud.

Step 4

To manually update the Machine Reasoning Knowledge Base in Cisco DNA Center, do one of the following:

  • Under AVAILABLE UPDATES, click Update. A Success pop-up window appears with the status of the update.
  • Manually download the Machine Reasoning Knowledge Base to your local machine and import it to Cisco DNA Center. Do the following:
    1. Click Download.

      The Opening mre_workflow_signed dialog box appears.

    2. Open or save the downloaded file to the desired location in your local machine, and then click OK.

    3. Click Import to import the downloaded Machine Reasoning Knowledge Base from your local machine to Cisco DNA Center.


Enable Localization

You can view the Cisco DNA Center GUI screens in English (the default), Chinese, Japanese, or Korean.

To change the default language, perform the following task:

Procedure


Step 1

In your browser, change the locale to one of the supported languages: Chinese, Japanese, or Korean.

  • From Google Chrome, do the following:

    1. Click the icon in the top-right corner, and then choose Settings.

    2. Scroll down and click Advanced.

    3. From the Languages > Language drop-down list, choose Add languages.

      The Add languages pop-up window appears.

    4. Choose Chinese, Japanese, or Korean, and then click Add.

  • From Mozilla Firefox, do the following:
    1. Click the icon in the top-right corner, and then choose Options.

    2. From the Language and Appearance > Language area, choose Search for more languages.

      The Firefox Language Settings pop-up window appears.

    3. From the Select a language to add drop-down list, choose Chinese, Japanese, or Korean.

    4. Click Ok.

Step 2

Log in to Cisco DNA Center.

The GUI screens are shown in the selected language.

Figure 3. Example Localized Login Screen

Role-Based Access Control Support for Assurance

Assurance supports role-based access control (RBAC), which enables a user with SUPER-ADMIN-ROLE privileges to define custom roles that permit or restrict user access to certain Assurance features.

For more information, see the "Manage Users" chapter in the Cisco DNA Center Administrator Guide.

Use this procedure to define a custom role and then assign a user to that role.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure.

Procedure


Step 1

Define a custom role.

  1. In the Cisco DNA Center GUI, click the Menu icon and choose System > Users and Roles > Role Based Access Control.

  2. Click + Create New Role.

    The Create a Role window appears. After you create the new role, you are asked to assign users to the new role.

  3. Click Let's Do it.

    If you want to skip this screen in the future, check the Don't show this to me again check box.

    The Create a New Role window appears.
  4. Enter a name for the role and then click Next.

    The Define the Access window appears with a list of options.
  5. Click > next to Assurance to expand it.

    The following options appear, which allow you to set Deny, Read (the default), or Write permissions for the new role.

    • Monitor and Troubleshooting: Allows you to monitor your network using the following dashboards: Health, Issues, and Sensors. It also allows you to analyze trends and gain insights, and troubleshoot using the 360° views and issue details.

      If you set the permission level to Deny, the user to whom you assign this role cannot view any of the Assurance features.

    • Monitoring Settings: Allows you to manage data retention and health settings.

      You must have System permissions to manage data retention settings.

    • Troubleshooting Tools: Allows you to create and schedule sensor tests and manage Intelligent Capture settings.

  6. Click Next.

    The Summary window appears.
  7. Review the summary. If the information is correct, click Create Role. Otherwise, click Edit and make the appropriate changes.

    The Done, Role-Name window appears.
Step 2

To assign a user to the custom role you just created, click Add Users.

The User Management > Internal Users window appears, which allows you to assign the custom role to an existing user or to a new user.

  • To assign the custom role to an existing user, do the following:
    1. In the Internal Users window, click the radio button next to the user to whom you want to assign the custom role, and then click Edit.

      The Update Internal User slide-in pane appears.

    2. From the Role List drop-down list, choose the custom role, and then click Save.

  • To assign the custom role to a new user, do the following:
    1. Click + Add, located on the top-right corner.

      The Create Internal User slide-in pane appears.

    2. Enter the first name, last name, and username in the fields provided.

    3. From the Role List drop-down list, choose the custom role to assign to the new user.

    4. Enter the password and then confirm it.

    5. Click Save.

Step 3

If you are an existing user who was logged in when the administrator was making changes to your access permissions, you must log out of Cisco DNA Center and then log back in for the new permission settings to take effect.