Discover Your Network

About Discovery

Discovery and Device Inventory function as one service. The process of finding network devices is known as Discovery. The Discovery function scans the devices in your network and sends the list of discovered devices to Device Inventory. Device Inventory retrieves and saves the details about the devices in its database. Device Inventory refreshes every 25 minutes for each device. (At any given time, Device Inventory may be refreshing data for several devices at a time.)

There are two methods for discovering devices:

  • Using CDP and providing a seed IP address.

  • Specifying a range of IP addresses (maximum of 4096 devices).

Regardless of the method you use, you must be able to reach (ping) the device from DNA Center, and you need to configure specific credentials and protocols in DNA Center to discover your devices. These credentials can be configured globally in the Device Credentials page or on a per-job basis on the Discovery page. (Credentials configured in Discovery may be saved to use later as global credentials.)

  • CLI credentials

  • Simple Network Management Protocol (SNMPv2c or SNMPv3) credentials

  • HTTPS credentials (These credentials are required only for discovering devices running Cisco Network Function Virtualization Infrastructure Software (NFVIS).)

  • SSH/Telnet protocol

Because the various devices in a network can have different sets of credentials, you can configure multiple sets of credentials in DNA Center. The discovery process iterates through all of the sets of credentials until it finds a set that works for the device.

For discovery, one set of CLI credentials and one set of SNMP credentials (SNMPv2c Read, SNMPv2c Write, or SNMPv3) is mandatory. If valid sets of credentials are provided for both SSH and Telnet, SSH credentials will be picked because SSH is more advanced than Telnet. If all three sets of valid SNMP credentials are provided, SNMPv3 will be picked because it's the most advanced protocol of the three.

After discovering devices, Device Inventory retrieves the details about the devices, such as host IP addresses, MAC addresses, and network attachment points, using one of the following protocols, as required:

  • Link Layer Discovery Protocol (LLDP)

  • IP Device Tracking (IPDT) (IPDT is enabled automatically for the network fabric during provisioning.)

  • LLDP Media Endpoint Discovery (LLDP-MED) (This protocol is used to discover IP phones and some servers.)

  • Network Configuration Protocol (NETCONF) (Only required for devices running NFVIS.)

For information about configuration requirements for specific device types, see Discovery Prerequisites.

Discovery Credentials

Discovery credentials are the CLI, SNMPv2c, SNMPv3, and HTTP configuration values for the devices that you want to discover. You need to specify the credentials based on the types of devices you are trying to discover:

  • Standard Cisco devices—CLI and SNMP credentials.

  • NFVIS devices—HTTP credentials.

  • Both standard and NFVIS devices—CLI, SNMP, and HTTP credentials

If you use the same credential values for the majority of devices in your network, you can configure and save them as global discovery credentials, which you can reuse in multiple discovery jobs. To discover devices with unique credentials, you can add job-specific discovery credentials when you run Discovery. You can define up to five global and one job-specific credential for each of the credential types (CLI, SNMPv2c, SNMPv3, and HTTP).


Note


If you use Cisco ISE for the DNA Center access policy feature, make sure that the device credentials that you use for discovery are also configured as the device credentials used by Cisco ISE. For more information, see Device Inventory and Cisco ISE Authentication.


Discovery Credentials Guidelines and Limitations

The following are guidelines and limitations for the DNA Center discovery credentials:

  • If you change a device's credential after successfully discovering the device, subsequent polling cycles for that device fail. To correct this situation, use one of the following options:

    • Use the Discovery tool to:

      • Run a new discovery job with job-specific credentials that match the device's new credential.

      • Edit the existing discovery job and re-run the Discovery.

    • Use the Design tool to:

      • Create a new global credential and run a new discovery job using the correct global credential.

      • Edit an existing global credential and re-run the discovery job.

  • If an ongoing discovery polling cycle fails due to a device authentication failure, you can correct the situation using one of the following options:

    • Use the Discovery tool to:

      • Stop or delete the current discovery job and run a new discovery job with job-specific credentials that match the device's credential.

      • Stop or delete the current discovery job, edit the existing discovery job, and re-run the Discovery.

    • Use the Design tool to:

      • Create a new global credential and run a new discovery job using the correct global credential.

      • Edit an existing global credential and re-run the discovery job.

  • Deleting a global credential does not affect previously discovered devices. The status of the previously discovered devices does not indicate an authentication failure. However, the next discovery that tries to use the deleted credential will fail. The discovery will fail before it tries to contact any devices. For example, 25 minutes after you delete the credential, discovery jobs that use it will fail.

  • DNA Center provides a REST API that allows an external application to retrieve a list of the managed network devices and synchronize its own managed inventory with the devices that have been discovered by DNA Center.

Discovery Credentials Example

Assume that a network of 200 devices, which form a Cisco Discovery Protocol (CDP) neighborhood (neighboring devices discovered using CDP), exists. In this network, 190 devices share a global credential (Credential-0) and the remaining devices each have their own unique credential (Credential-1 through Credential-10).

To discover all of the devices in this network using DNA Center, you would perform the following tasks:

Procedure
    Step 1   Configure the CLI global credentials as Credential-0.
    Step 2   Configure the SNMP (v2c or v3) global credentials.
    Step 3   Run a discovery job using one of the 190 device IP addresses (190 devices that share the global credentials) and the global Credential-0.
    Step 4   Run 10 separate discovery jobs for each of the remaining 10 devices using the appropriate job-specific credentials, for example, Credential-1, Credential-2, Credential-3, and so on.
    Step 5   Review the results in the Device Inventory window.

    Preferred Management IP Address

    DNA Center can use another interface's IP address as the preferred management IP address. DNA Center chooses the preferred management IP address as follows:

    1. If the device has one loopback interface, DNA Center uses that loopback interface IP address.

    2. If the device has multiple loopback interfaces, DNA Center uses the loopback interface with the highest IP address.

    3. If there are no loopback interfaces, DNA Center uses the Ethernet interface with the highest IP address. (Subinterface IP addresses are not considered.)

    4. If there are no Ethernet interfaces, DNA Center uses the serial interface with the highest IP address.
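The selection order above, as an added example (not DNA Center's code). The function names and the interface-name matching are assumptions; addresses are compared numerically, so 10.0.0.10 ranks above 10.0.0.9.

```python
import ipaddress

# Selection order from the list above: loopback, then Ethernet, then serial.
KIND_ORDER = ("loopback", "ethernet", "serial")

# Constructed sample: (interface name, IPv4 address) pairs for one device.
SAMPLE_INTERFACES = [
    ("Loopback0", "10.0.0.9"),
    ("Loopback1", "10.0.0.10"),
    ("GigabitEthernet0/0", "192.168.1.1"),
    ("GigabitEthernet0/1.100", "192.168.200.1"),
    ("Serial0/0/0", "203.0.113.5"),
]


def interface_kind(name):
    """Classify an interface by its name (name patterns are assumptions)."""
    lowered = name.lower()
    if lowered.startswith("loopback"):
        return "loopback"
    if "ethernet" in lowered:
        # Rule 3: subinterface IP addresses are not considered.
        return None if "." in lowered else "ethernet"
    if lowered.startswith("serial"):
        return "serial"
    return None


def preferred_management_ip(interfaces):
    """Return the preferred management IP as a string, or None."""
    buckets = {kind: [] for kind in KIND_ORDER}
    for name, ip in interfaces:
        kind = interface_kind(name)
        if kind:
            buckets[kind].append(ipaddress.ip_address(ip))
    for kind in KIND_ORDER:
        if buckets[kind]:
            # Numeric comparison, not string comparison.
            return str(max(buckets[kind]))
    return None


if __name__ == "__main__":
    print(preferred_management_ip(SAMPLE_INTERFACES))
```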

    Discovery Prerequisites

    Make the following configuration changes on these platforms for the Discovery tool to work properly.

    Table 1 Required Platform Configurations

    Feature: Discovery (device inventory collection)

    Platform:

    • Cisco ASR 9000 Series Aggregation Services Routers

    • Cisco Catalyst 3000 Series Switches

    • Cisco Catalyst 6000 Series Switches

    • Cisco Wireless LAN Controllers

      • Cisco Series 3504 WLC

      • Cisco Series 5508/5520 WLC

      • Cisco Series 8510/8540 WLC

    • Other Cisco devices that require NETCONF support for their device pack.

    Required Configuration: Configure NETCONF on these platforms. For information, see NETCONF Configuration.

    Feature: Discovery (device inventory collection)

    Platform:

    • Cisco ASR 9000 routers

    • Cisco Catalyst 3000 and 6000 series switches

    Feature: Discovery (host inventory collection)

    Platform: Devices connected to hosts using SNMP.

    Required Configuration: Configure SNMP traps on these devices. For information, see SNMP Trap Configuration.

    Platform: Devices connected to hosts using Switch Integrated Security Features based IP device tracking.

    Required Configuration: Enable SISF-based IP device-tracking for these devices. For information, see IP Device-Tracking Configuration.

    NETCONF Configuration

    Enable the NETCONF protocol for the Cisco ASR 9000 Series Aggregation Services Routers or other Cisco devices that require NETCONF support for their device pack. If NETCONF is not enabled, the inventory collection process will be incomplete for that device.


    Note


    Although NETCONF typically runs over SSH or on its own port, with DNA Center, NETCONF is run over a CLI session.


    For specific information about enabling NETCONF on your Cisco device, refer to that device’s configuration guide. The following is an example of a typical configuration sequence on a terminal to enable NETCONF on a Cisco device:

    #ssh server v2
    #netconf agent tty
    #!
    #xml agent tty
    #!
    #commit
    #end
    #crypto key generate rsa

    Note


    The RSA key needs to be generated to succeed with SSH. Therefore, run the crypto key generate rsa command in EXEC mode at the end of the configuration sequence if it has not already been done.


    SNMP Trap Configuration

    DNA Center uses SNMP traps (notifications) to capture a device's interface status and a host's MAC address, IP address, type, and so on. If you have Device Controllability enabled, DNA Center configures these SNMP traps for you. Otherwise, you need to enable SNMP traps and configure DNA Center's server IP address as the SNMP server. For more information about Device Controllability, see Device Controllability.

    Enter the following commands in order, according to the type of device that you are configuring.

    Cisco IOS Commands

    snmp-server enable traps snmp linkdown linkup
    snmp-server host IP_address version 2c public

    Cisco Nexus Commands

    snmp-server enable traps snmp linkdown linkup
    snmp-server host IP_address version 2c public

    Cisco Wireless Controller Commands

    config trapflags client enhanced-802.11-associate enable
    config trapflags client enhanced-802.11-deauthenticate enable
    config trapflags client enhanced-authentication enable
    config trapflags client enhanced-802.11-stats enable

    Note


    Be sure to configure DNA Center's server IP address as the SNMP trap destination.


    IP Device-Tracking Configuration

    IP Device Tracking (IPDT) is one of the protocols that DNA Center uses during the discovery process to retrieve host inventory information, such as host IP addresses, MAC addresses, and network attachment points. If you have device controllability enabled, you do not need to configure IPDT manually on your devices. As part of the device controllability function, DNA Center configures IPDT or Switch Integrated Security Features (SISF) IPDT on the device based on the device type and image version that is running. If device controllability is disabled, you need to manually enable IPDT on your devices and interfaces. For more information about device controllability, see Device Controllability. For more information about whether IPDT is supported and enabled on your devices, see the configuration guide for the specific device type.

    Discovery Configuration Guidelines and Limitations

    The following are guidelines and limitations for DNA Center to discover your Cisco Catalyst 3000 Series Switch, Catalyst 6000 Series Switches, and Cisco ASR 9000 Series Aggregation Services Routers:

    • Configure the CLI username and password with privileged EXEC mode (level 15). This is the same CLI username and password that you configure in DNA Center for the Discovery function. DNA Center requires the highest access level to the device.

    • Explicitly specify the transport protocols allowed on individual lines for both incoming and outgoing connections. This configuration is achieved using the transport input and transport output commands. For information about these commands, see the command reference for the specific device type.

    • Do not use the aaa new-model command to change the default login methods for the console port and VTY lines. DNA Center cannot discover devices that have this login method.
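A pre-discovery check of a device's running configuration against the guidelines above and the SNMP trap commands shown earlier, as an added example (not Cisco's code). The function names, the account name dnac and the sample configuration are constructed; checking only VTY lines is an assumption.

```python
import re

# Constructed sample running-config; names and addresses are placeholders.
SAMPLE_CONFIG = """\
username dnac privilege 15 secret 9 $constructed$
snmp-server community public RO
snmp-server enable traps snmp linkdown linkup
snmp-server host 192.0.2.10 version 2c public
line con 0
line vty 0 4
 transport input telnet ssh
line vty 5 15
 transport input ssh
 transport output ssh
"""


def parse_lines(config):
    """Group indented sub-commands under their 'line ...' parent."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        elif raw.startswith(" ") and current:
            blocks[current].append(raw.strip())
        else:
            current = None
    return blocks


def audit(config, discovery_user):
    """Return a list of findings for one device configuration."""
    findings = []
    # Guideline: the discovery CLI account needs privilege level 15.
    m = re.search(rf"^username {re.escape(discovery_user)}\b(.*)$", config, re.M)
    if not m or "privilege 15" not in m.group(1):
        findings.append(f"user {discovery_user}: not privilege 15")
    # Guideline: transport input and output must be explicit on each line.
    # Telnet is flagged because it carries the level-15 login in clear text.
    for name, cmds in parse_lines(config).items():
        if not name.startswith("line vty"):
            continue
        for direction in ("input", "output"):
            words = [c.split()[2:] for c in cmds
                     if c.startswith(f"transport {direction}")]
            if not words:
                findings.append(f"{name}: transport {direction} not set")
            elif {"telnet", "all"} & set(words[0]):
                findings.append(f"{name}: transport {direction} allows Telnet")
    # SNMPv2c sends the community string unencrypted, and 'public' is the
    # default that Discovery falls back to when no RO community is given.
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["snmp-server", "community"] and t[2:3] == ["public"]:
            findings.append("snmp community 'public' configured")
        if t[:2] == ["snmp-server", "host"] and "2c" in t and t[-1] == "public":
            findings.append(f"trap host {t[2]}: v2c with community 'public'")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, "dnac"):
        print(finding)
```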

    Perform Discovery

    Discover Your Network Using CDP

    You can discover devices using Cisco Discovery Protocol (CDP) or an IP address range. This procedure shows you how to discover devices and hosts using CDP. For information about discovering devices using an IP address range, see Discover Your Network Using an IP Address Range.
    Before You Begin

    • Enable CDP on your network devices.

    • Configure your network devices as described in Discovery Prerequisites.

    • Configure your network device's host IP address as the client IP address.

    Procedure
      Step 1   From the DNA Center home page, click Discovery.
      Step 2   Enter a name in the Discovery Name field.
      Step 3   Expand the IP Ranges area, if it is not already visible, and configure the following fields:
      1. For Type, click CDP.
      2. In the IP Address field, enter a seed IP address for the DNA Center to use to start the discovery scan.
      3. Optional: In the Subnet Filter field, enter an IP address or subnet to exclude from the discovery scan and click .

        You can enter the address as an individual IP address (x.x.x.x) or as a classless inter-domain routing (CIDR) address (x.x.x.x/y) where x.x.x.x refers to the IP address and y refers to the subnet mask. The subnet mask can be a value from 0 to 32.

        Repeat this step to exclude multiple subnets from the discovery job.

      4. Optional: In the CDP Level field, enter the number of hops from the seed device that you want to scan.

        Valid values are from 1 to 16. The default value is 16. For example, CDP level 3 means that CDP will scan up to three hops from the seed device.

      5. In the Preferred Management IP field, click the drop-down list to select either None or Use Loopback.

        Select None to use the device's IP address or Use Loopback IP to use the device's loopback interface IP address as its management IP address. If you choose Use Loopback IP and the device does not have a loopback interface, DNA Center chooses a management IP address using the logic described in Preferred Management IP Address.

        Note   

        To use the loopback interface IP address as the preferred management IP address, make sure that the CDP neighbor's IP address is reachable from DNA Center.

      Step 4   Expand the Credentials area and configure the credentials that you want to use for the discovery job.

      Choose any of the global credentials that have already been created or configure your own discovery credentials. If you configure the credentials, you can choose to save them for future jobs by clicking the Save as global settings check box.

      1. Make sure that the global credentials that you want to use are checked. If you do not want to use a credential, remove it by clicking the check mark.
      2. To add additional credentials, click Add Credentials, configure the fields, and click Add. For information about these fields, see the following sections:
        Note   
        • The Discovery function requires the correct SNMP Read Only (RO) community string. If an SNMP RO community string is not provided, as a best effort, the Discovery function uses the default SNMP RO community string, public.

        • With the Device Controllability option enabled, DNA Center configures devices that do not have SNMP credentials with the SNMP credentials set in DNA Center.

        • CLI credentials are not required to discover hosts; hosts are discovered through the network devices that they are connected to.

      Step 5   (Optional)  To configure the protocols to be used to connect with devices, expand the Advanced area and do the following tasks:
      1. Click the names of the protocols that you want to use. A green check mark indicates that the protocol is selected.

        Valid protocols are SSH (default) and Telnet.

      2. Drag and drop the protocols in the order that you want them to be used.
      Step 6   Click Start.

      The Discoveries window displays the results of your scan.

      The Discovery Details pane shows the status (active or inactive) and the discovery configuration. The Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices for the selected discovery.


      Discover Your Network Using an IP Address Range

      You can discover devices using Cisco Discovery Protocol (CDP) or an IP address range. This procedure shows you how to discover devices and hosts using an IP address range. For information about discovering devices using CDP, see Discover Your Network Using CDP.
      Before You Begin

      Your devices must have the required device configurations, as described in Discovery Prerequisites.

      Procedure
        Step 1   From the DNA Center Home page, click Discovery.
        Step 2   Enter a name in the Discovery Name field.
        Step 3   Expand the IP Ranges area, if it is not already visible, and configure the following fields:
        1. For Type, click Range.
        2. In the IP Ranges field, enter the beginning and ending IP addresses (IP address range) for DNA Center to scan and click .

          You can enter a single IP address range or multiple IP addresses for the discovery scan.

        3. Optional: Repeat the previous substep to enter additional IP address ranges.
        4. From the Preferred Management IP drop-down list, choose either None or Use Loopback.

          Select None to use the device's IP address or Use Loopback IP to use the device's loopback interface IP address as its management IP address. If you choose Use Loopback IP and the device does not have a loopback interface, DNA Center chooses a management IP address using the logic described in Preferred Management IP Address.

        Step 4   Expand the Credentials area and configure the credentials that you want to use for the discovery job.

        Choose any of the global credentials that have already been created or configure your own discovery credentials. If you configure the credentials, you can choose to save them for future jobs by clicking the Save as global settings check box.

        1. Make sure that the global credentials that you want to use are checked. If you do not want to use a credential, remove it by clicking the check mark.
        2. To add additional credentials, click Add Credentials, configure the fields, and click Save. For information about these fields, see the following sections:
          Note   
          • The Discovery function requires the correct SNMP Read Only (RO) community string. If an SNMP RO community string is not provided, as a best effort, the Discovery function uses the default SNMP RO community string, public.

          • With the Device Controllability option enabled, DNA Center configures devices that do not have SNMP credentials with the SNMP credentials set in DNA Center.

          • CLI credentials are not required to discover hosts; hosts are discovered through the network devices that they are connected to.

        Step 5   (Optional)  To configure the protocols that are to be used to connect with devices, expand the Advanced area and do the following tasks:
        1. Click the protocols that you want to use. A green check mark indicates that the protocol is selected.

          Valid protocols are SSH (default) and Telnet.

        2. Drag and drop the protocols in the order that you want them to be used.
        Step 6   Click Start.

        The Discoveries window displays the results of your scan.

        The Discovery Details pane shows the status (active or inactive) and the discovery configuration. The Discovery Devices pane displays the host names, IP addresses, and status of the discovered devices for the selected discovery.


        Manage Discovery Jobs

        Stop and Start a Discovery Job

        Procedure
          Step 1   From the DNA Center home page, click Discovery.
          Step 2   To stop an active discovery job, perform these steps:
          1. From the Discoveries pane, select the corresponding discovery job.
          2. Click Stop.
          Step 3   To restart an inactive discovery job, perform these steps:
          1. From the Discoveries pane, select the corresponding discovery job.
          2. Click Start.

          Clone a Discovery Job

          You can clone a discovery job and retain all of the information defined for the job.

          Before You Begin

          You have run at least one discovery job.

          Procedure
            Step 1   From the DNA Center home page, click the Discovery tool.
            Step 2   From the Discoveries pane, select the discovery job.
            Step 3   Click Clone.

            DNA Center creates a copy of the discovery job, named Copy of Discovery_Job.

            Step 4   (Optional)  Change the name of the discovery job.
            Step 5   Define or update the parameters for the new discovery job.

            Delete a Discovery Job

            You can delete a discovery job whether it is active or inactive.
            Before You Begin

            You have run at least one discovery job.

            Procedure
              Step 1   From the DNA Center home page, select the Discovery tool.
              Step 2   From the Discoveries pane, select the discovery job that you want to delete.
              Step 3   Click Delete.
              Step 4   Click OK to confirm.