Release Notes for Cisco Digital Network Architecture Center, Release 1.2.5

We are very pleased to announce the availability of Cisco DNA Center, Release 1.2.5 with several new product innovations for Cisco DNA Assurance and SD-Access solutions coupled with user experience enhancements that significantly accelerate the intent-based networking journey for our customers and partners. Release 1.2.5 contains new features, a new home page design, along with serviceability, installation, migration, and platform stability improvements. This release also completes the general availability of Cisco DNA Center platform that was announced at Cisco Live U.S.

Cisco DNA Center, Release 1.2.5 is now the recommended release for all customers who are ready to move from laboratory trials into a production environment, customers who are already in production, or new customers who are just starting on the intent-based networking journey with Cisco DNA Center.

Change History

The following table lists changes to this document since its initial release.

Table 1. Document Change History

Date

Change

Location

2019-07-19

Clarified that you can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

Limitations and Restrictions

2018-10-01

Initial release.

Guidance for New and Existing Deployments

  • New customers: Go directly to Cisco DNA Center 1.2.5 via the cloud update.

  • Existing production deployment customers (both SD-Access and Assurance) on 1.2.x: Go directly to Cisco DNA Center 1.2.5 via the cloud update.

  • Earlier production deployments (both SD-Access and Assurance) on Cisco DNA Center 1.1.x: Go to Cisco DNA Center 1.2.5 after an assessment of your migration requirements with the Cisco TAC. This is to ensure a smooth migration given the number of changes from 1.1.x to 1.2.x. Note that with upgrade capability enhancements in the 1.2.x release, cloud updates are the consistent path forward and do not require Cisco TAC assistance even for major upgrades.

Getting TAC Assistance

Use this link to open a TAC case. Choose the following when opening a TAC case:

  • Technology: Cisco DNA - Software-Defined Access

  • Subtechnology: Cisco DNA Center Appliance (SD-Access)

  • Problem Code: Install, uninstall, or upgrade

Summary Guidance Table

Customer Scenario

Current Version

Guidance for Update

New SDA or Assurance deployment

Not applicable

Move to 1.2.5 via the cloud update

SDA or Assurance deployments already in production

1.2.x

Move to 1.2.5 via the cloud update

SDA or Assurance deployments already in production

1.1.x

Contact the TAC for assistance to migrate to 1.2.5


Note

We recommend that all customer deployments on releases earlier than 1.1.5 (SDA or non-SDA) upgrade first to Cisco DNA Center 1.1.8, and then choose one of the paths above. Contact the TAC if you are on a Cisco DNA Center release earlier than 1.1.8.


Compatible Browsers

The Cisco DNA Center web interface is compatible with the following HTTPS-enabled browsers:

  • Google Chrome: version 62.0 or later

  • Mozilla Firefox: version 54.0 or later

We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.

What's New in Cisco DNA Center, Release 1.2.5

Cisco DNA Center, Release 1.2.5 resolves several pre-existing issues and is designed to enhance your product's performance and stability.

Table 2. Updated Packages and Versions in This Release

Update Type

Package Name

Version

System Updates

System

1.1.0.638

Package Updates

Application Policy

2.1.23.170130

Assurance - Base

1.2.5.92

Assurance - Sensor

1.2.5.88

Automation - Base

2.1.23.60287

Automation - Intelligent Capture

2.1.23.60287

Automation - Sensor

2.1.23.60287

Command Runner

2.1.23.60287

Device Onboarding

2.1.23.60289

Device Onboarding UI

2.1.23.60287

Cisco DNA Center Platform

1.0.3.2

Cisco DNA Center UI

1.2.0.43

Image Management

2.1.23.60287

NCP - Base

2.1.23.60287

NCP - Services

2.1.19.60287

Network Controller Platform

2.1.23.60291 (Updated on 2018-10-12. The originally released package version was 2.1.23.60287.)

Network Data Platform - Base Analytics

1.1.7.577

Network Data Platform - Core

1.1.7.695

Network Data Platform - Manager

1.1.7.631

Path Trace

2.1.23.60287

SD Access

2.1.23.60287

New Features and Enhancements

Home Page

The Cisco DNA Center home page now includes a Network Snapshot section along with Network Configuration and Tools sections.

Smart License

You can enable auto registration of Smart License (SL)-enabled devices. After auto registration is enabled, any SL-enabled device added to Cisco DNA Center are automatically registered to the chosen virtual account.

Specific License Reservation and Permanent License Reservation

You can now apply Specific License Reservation (SLR) or Permanent License Reservation (PLR) to devices in a highly secured network.

Topology

You can assign devices to specific sites using the topology map. You can unpin devices in a group. You can export a snapshot of your topology layout in SVG or PDF format. Some keyboard shortcuts are included.

Software Image Management

The upgrade readiness precheck now includes the device management status and a file transfer check. Also, the Distribute and Activate processes are now separate processes. An automatic flash cleanup process is included to create the space required for the image upgrade.

Network Plug and Play

Stack provisioning is supported on Cisco Catalyst 2960-X and 2960-XR Series switches.

Cisco DNA Center Platform

Cisco DNA Center now provides an extensible platform that Cisco customers and partners can use to create value-added applications that can be built on top of its native capabilities. For information about Cisco DNA Center platform and how to deploy and use its features within your network, see the Release Notes for Cisco DNA Center Platform.

ENFV

You can define a custom network as access or trunk. You can connect your custom network to the LAN, WAN, or none. You can configure a system-defined network (such as LAN-net, WAN-net, Mgmt-net, or Service-net) as access.

The Uptime column in the provisioning inventory page is populated for all NFVIS devices.

You can provision ENCS 5000 series routers by configuring and adding a management port on Cisco DNA Center if the WAN port state is down.

What's New in Cisco DNA Center Wireless

  • Native VLAN: Native VLAN carries the management traffic between access points and Cisco Wireless Controllers. With this feature, you can now configure a VLAN for a site through Cisco DNA Center. You can configure a native VLAN at the global level and override at the site, building, or floor level.

  • Provision of Cisco Mobility Express APs: With Cisco DNA Center, you can now add and provision the Cisco Mobility Express APs in the network.

  • Supported Cisco Wireless Controller Software Release and Access Points

    • Cisco DNA Center 1.2.5 is compatible with Cisco Wireless Controller Release 8.8.

    • Cisco DNA Center 1.2.5 supports Cisco Aironet 4800 Access Points.

    • Cisco DNA Center 1.2.5 supports Cisco Aironet 1540 and Cisco Aironet 1560 Access Points.

What's New in Cisco DNA Assurance


Important

Cisco DNA Assurance is an application that is available from Cisco DNA Center. From Release 1.2.5 onward, we are providing you with a separate user guide, which deals exclusively with Assurance. For details, see the Cisco DNA Assurance User Guide.


The following table summarizes the new and changed Assurance features.

Table 3. GUI Enhancements and Features in Assurance, Release 1.2.5

GUI Enhancements

Features

Network health enhancements

Total APs up and down

Top N APs by client count

Top N APs with high interference

Device 360 enhancements

AP 360

Client count chart per radio or AP over a selected time period

Link errors chart per interface

Ignore radios in monitor mode for health scores

Router 360

Application Experience category in Router 360 window

Switches

Near real-time update based on link down traps

Insights—Fabric wireless controller node failed to reach Control Plane server

Client health enhancements

Client health summary with new analytics charts

Timeline slider with healthy client percentage chart

Client 360 enhancements

Near real-time update (onboarding events and new clients)

Low health score indicated when you hover your cursor over the charts

Application health enhancements

Application usage and view details in side bar

Timeline slider with health score trend line chart

Site filter support

Application Experience 360 enhancements

Exporter level breakdown

Path trace enhancements

Matched ACLs in a specific traffic flow are displayed in the path trace

Path trace on Layer 3 port channel is supported

Path trace on Switch Virtual Interface (SVI) associated with a port channel is supported

Sensor enhancements

IPSLA test

Speed test

Floor reassignment for Cisco Aironet 1800s Active Sensors

Workflow serviceability improvements

Intelligent Capture support

Real-time analytics

Real-time and automated wireless client troubleshooting

RF and spectrum analysis for AP(s)

Note 

Intelligent Capture is only available with Cisco Wireless Controller Release 8.8 MR1.

Issues enhancements

Issue Catalog—Time selection slider and table with list of device or site information

Priority tags on every issue

Issue insights

Time mismatch between Cisco Wireless Controller and Cisco DNA Center

AP noise and interference analytics for client timeout issues

Global client issues display top OS, device type, and location

Client data sets and reports

The following client data sets and reports are available after you deploy the Cisco DNA Center platform application:

Client summary

Top 10 locations by client count

Client detail

What's New in SD-Access

The following table lists the new software features in SD-Access 1.2.5.

Table 4. New Software Features in SDA Release 1.2.5

Feature

Description

Platforms and Images Supported

SDA for distributed campus (multisite SDA transit FCS) deployments

This feature enables inter-site communication for consistent, end-to-end automation and policy, ensuring that an operator’s intent is deployed across the metro network.

The functionalities that this feature delivers are:

  • Build policy once and replicate it to multiple sites without compromising resiliency.

  • Improve site survivability and availability with multiple control planes and borders per fabric site.

  • Avoid traffic backhauling to the headquarters to reach external domains.

A fabric site is an independent fabric area with a unique set of network devices: control plane, border, edge, Cisco Wireless Controller, and Identity Services Engine (ISE) Policy Service Node (PSN).

Different levels of redundancy and scale can be designed per site by including local resources, such as DHCP, Authentication, Authorization, and Accounting (AAA), DNS, Internet, and so on.

A fabric site may cover a single physical location, multiple locations, or just a subset of a location.

Single location -> Branch, campus, or metro campus

Multiple locations -> Metro campus + multiple branch

Subset of a location -> Building or area within a campus

Multiple fabric sites can be connected to each other using a transit site, resulting in a fabric domain.

There are two types of transit:

SD-Access transit: Enables a native SD-Access (LISP, VXLAN, Cisco TrustSec) fabric, with a domain-wide control plane node for inter-site communication.

IP-based transit: Leverages a traditional IP-based (VRF-lite, MPLS) network, which requires remapping of virtual route forwarding instances (VRFs) and Scalable Group Tags (SGTs) between sites.

Fabric-in-a-box

  • Targeted for smaller sites in a distributed campus that may have up to 100 users in a particular location.

  • Customers with limited hardware requirements can now deploy a single platform to act as an edge, border, and control plane node in a branch environment.

This feature allows the border node, edge node and control plane node functions to operate on the same fabric device. You can use Catalyst 9300 (single or stacked), or Catalyst 9400 (Supervisor-1XL) , or Catalyst 9500 as a fabric-in-a-box.

The topology supported for a fabric-in-a-box is limited to a single device. Additional fabric edge switches cannot be connected to this fabric-in-a-box device.

Layer 2 (selective) flooding

In releases earlier than SDA 1.2.5, the fabric by default suppresses broadcast traffic to avoid unnecessary flooding.

Selective Flooding enables flooding of broadcast and link-local multicast required by card readers, door knobs, and sensors for their operation.

This use case is relevant for silent hosts that require ARP traffic to be flooded in the network.

This feature is enabled on an IP subnet or VLAN basis and each VLAN in the fabric is mapped to an underlay multicast group where the traffic is flooded.

The functionalities that this feature delivers are:

  • Efficient replication of frames at an egress point close to the multicast group receivers.

  • Support for multiple source multicast stream applications by optimal pruning of multicast trees on transit nodes in the network.

  • Multicast global transport that enables a source feed from outside the fabric to reach a set of fabric hosts, all belonging to the same Virtual Network (VRF) or different VRFs.

  • Multicast receivers can be spread across multiple policy groups (SGTs).

Layer 2 border handoff

This functionality enables host communication between a VxLAN-based fabric and a traditional VLAN switch port or trunk port connected to an enterprise network.

This functionality enables the following:

  • Migration of traditional (brownfield) networks to SD-Access fabric.

  • No downtime during migration because the same subnets remain extended across fabric and external network.

Note 

For the Layer 2 border handoff, the default gateway must be on the border for the Layer 2 gateway.

  • Cisco Catalyst 3000 Series Switch - IOS XE 16.9.1s

  • Cisco Catalyst 9000 Series Switch - IOS XE 16.9.1s

    Note 

    Layer 2 border handoff is not supported on Cisco Catalyst 9500 High Performance Series Switches.

Port assignment for server connectivity

Cisco DNA Center 1.2.5 allows you to assign a fabric edge switch port as a trunk to facilitate server connectivity.

Host onboarding enhancement: VLAN name customization

Cisco DNA Center assigns a default VLAN name for every IP subnet in the fabric and based on it, associated policy sets are configured on ISE. You can now change the default VLAN name that is assigned to an IP subnet, so you can relate to the name and reuse it across sites.

Template-based configurations

Using the template-based configuration, approved SDA configurations can be manually pushed through template configuration via Cisco DNA Center.

The following configurations are supported:

  • Switch Hardening

    • CoPP, SSH ACL, Line VTY, BPDU Guard, Root Guard

  • Border Handoff

    • Port channel for Border handoff

    • iBGP, OSPF

  • Transparent Firewall at Border

  • MTU – Variable MTU values through template config (TCP MSS)

  • Services

    • FNF Templates (App Assurance): Edge configuration of FNF, AVC with NBAR2

    • ETA Templates

  • Multi-ISE for Guest Wireless

  • SGT Inline tagging and propagation at border node (bidirectionally)

  • Multicast RP outside fabric

  • Device profiler or sensor SXP to Border

Control plane scale up to six nodes

You can use six control plane nodes in a given fabric, which enhances resiliency in the networks.

Global settings enhancements

The following are the enhancements with respect to changes in global settings in Cisco DNA Center:

  • Changes in global settings like in DHCP do not require fabric reprovisioning.

    Ease-of-use in Cisco DNA Center workflow.

  • Site-level changes in settings require reprovisioning of the fabric.

Catalyst 9300 stack as border node, and a control plane node

Cisco Catalyst 9300 stack can be used as a border node and a control plane node in SD-Access.

Cisco Catalyst 9300 Series Stack - IOS XE 16.9.1s

The following table lists the new hardware introduced in SD-Access 1.2.5.

Table 5. New Hardware in SDA Release 1.2.5

Device Role

Product Family

Part Number

Description

Fabric wireless node

Wave 2 access points

AIR-AP4800-x-K9

4800 Series access points

Dual-band, controller-based 802.11a/b/g/n/ac

AIR-AP15621-x-K9

1560 Series access points

Dual-band 802.11a/g/n/ac, Wave 2, internal semi-omni antennas

AIR-AP1562D-x-K9

1560 Series access points

Dual-band 802.11a/g/n/ac, Wave 2, internal directional antennas

AIR-AP1562E-x-K9

1560 Series access points

Dual-band 802.11a/g/n/ac, Wave 2, external antennas

AIR-AP1542I-x-K9

1540 Series access point

Dual-band 802.11a/g/n/ac, Wave 2, internal omni antennas

AIR-AP1542D-x-K9

Dual-band 802.11a/g/n/ac, Wave 2, internal directional antennas

Fabric border and control node

Cisco Catalyst 9400 Series

C9404R / C9407R / C9410R with Supervisor:

C9400-SUP-1XL-Y

C9400 Supervisor 1XL Module with 25G uplinks

Beta Features

The following features in this release are in beta or are being released as an engineering field trial (EFT):

  • High Availability

  • SD-Access Extension for IoT

  • Network Plug and Play application

  • Intelligent Capture support

  • Skype for Business Application Experience

IP Address and FQDN Firewall Requirements

To determine the IP addresses and fully qualified domain names (FQDNs) that must be made accessible to Cisco DNA Center through any existing network firewall, see "Required Internet URLs and FQDNs" in the Cisco Digital Network Architecture Center Installation Guide.

Border Node Requirements on Cisco Nexus 7700 Series Switches

To configure a Cisco Nexus 7700 Series Switch as a border, ensure that the following actions are performed:

  • A valid MPLS_PKG license is installed on the switch.

  • The install feature-set fabric and install feature-set mpls commands are enabled in the Admin VDC or in the default VDC if Admin VDC is not present.


Note

Only Cisco Nexus 7700 Series Switch with M3 line card supports the border role.


Installing Cisco DNA Center

You install Cisco DNA Center as a dedicated physical appliance purchased from Cisco with the Cisco DNA Center ISO image preinstalled. Refer to the Cisco Digital Network Architecture Center Installation Guide for information about installation and deployment procedures.


Note

The following applications are not installed on Cisco DNA Center by default. If you purchased any of these applications, you must manually download and install the packages separately.

  • Cisco Software-Defined Access (sd-access)

  • Assurance - Sensor

  • Automation - Sensor

  • Application Policy

  • Cisco Plug and Play (device-onboarding-ui)


For more information about downloading and installing a package, see the "Manage Applications" chapter in the Cisco Digital Network Architecture Center Administrator Guide.

Prerequisites for Upgrading to Cisco DNA Center, Release 1.2.5

You must perform the system updates first when you are migrating to this version. Do not attempt to either download or install package updates until all system updates have been installed. Failure to download and install system updates first can cause problems with package updates.


Note

You cannot upgrade the packages individually. You must follow all the steps in this procedure.

Before you upgrade, make sure the cluster link interface is connected to a switch port and is in the UP state.


Review the following list of prerequisites and perform the following procedures before upgrading your installed instance of Cisco DNA Center:

  • Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see the Cisco Digital Network Architecture Center Administrator Guide.

  • You can upgrade to this Cisco DNA Center release from the following releases only:

    • Cisco DNA Center 1.2.4 (September 10, 2018)

    • Cisco DNA Center 1.2.3 (August 10, 2018)

    • Cisco DNA Center 1.2.2 (July 12, 2018)

    • Cisco DNA Center 1.2.1 (June 15, 2018)

    • Cisco DNA Center 1.2 (June 5, 2018)

    • Cisco DNA Center 1.1.8 (July 17, 2018)

    • Cisco DNA Center 1.1.7 (June 9, 2018)

    • Cisco DNA Center 1.1.6 (May 18, 2018)


    Important

    You must contact the Cisco TAC for help with upgrading to Cisco DNA Center 1.2.5.

    Note

    Do not perform any activities on the cluster until after both the system (platform) and application updates are complete. After the system update is installed, the GUI displays "complete." Before you choose Download All, you must ensure all services are up and running, which might take 10 to 15 minutes after the system upgrade has completed. Before choosing the Download All option, run the following command and make sure no results are returned:

    magctl appstack status | grep 0/


  • Create a backup of your Cisco DNA Center database. For information about backing up and restoring Cisco DNA Center, see the Cisco Digital Network Architecture Center Administrator Guide.

  • If you have a firewall, make sure you allow Cisco DNA Center to access the following location for all system and package downloads: https://www.ciscoconnectdna.com:443. To ensure that you have cloud connectivity to AWS, log in to the cluster and run the following CLI command: maglev catalog settings validate. For more information, see the Cisco Digital Network Architecture Center Installation Guide.

  • Have the username and password for at least one cisco.com user account. You might be prompted, once, for the account credentials during package installations. This can be any valid cisco.com user account.

  • Allocate the appropriate time for the upgrade process. Upgrading from Cisco DNA Center 1.2.x can take approximately 3 hours to complete. If you are upgrading from Cisco DNA Center 1.1.x, you can expect the upgrade to take considerably longer.

  • We strongly recommend that you do not use Cisco DNA Center or any of its applications or tools when it is in the process of being upgraded.

  • Before you upgrade, make sure that there are no packages with the status installing or downloading. The packages displayed should have a status of running.

    • For upgrades from Cisco DNA Center 1.1.6, 1.1.7, or 1.1.8, check the > System Settings > App Management > Packages & Updates page for package status.

    • For upgrades from Cisco DNA Center 1.2, 1.2.1, 1.2.2, 1.2.3, or 1.2.4, check the > System Settings > Software Updates > Updates page for package status.

  • If the Cisco DNA Center download, update, or install procedures fail for any reason, always retry the procedure a second time using the GUI. If the procedure fails a second time, contact Cisco TAC for support.

In a multihost cluster, you can trigger an upgrade of the entire cluster from the Cisco DNA Center GUI (the GUI represents the entire cluster and not just a single host). An upgrade triggered from the GUI automatically upgrades all hosts in the cluster.


Note

If you upgrade a three-node Cisco DNA Center cluster from any version of 1.2.x, the application upgrade will fail its dependency checks. To upgrade a three-node (multihost) cluster, Service Distribution (or HA) must be enabled. Be aware that Service Distribution (or HA) for a three-node cluster is a beta feature and is not recommended for use in production deployments. You must contact the Cisco TAC for help with upgrading a three-node cluster.


Upgrading from Release 1.1.6, 1.1.7, or 1.1.8 to Release 1.2.5

Procedure


Step 1

From the Cisco DNA Center home page, choose > System Settings > App Management.

A Cisco DNA Center 1.2.5 is Here! banner appears at the top of the App Management page with a Switch Now button.

The App Management page also displays the following side tabs:

  • Packages & Updates: Shows the packages currently installed and updates available for installation from the Cisco cloud.

  • System Updates: Shows the System updates currently installed and updates available for installation from the Cisco cloud.

Step 2

Click Switch Now in the banner.

Step 3

At the prompt, click OK to proceed with the upgrade.

Clicking OK changes the release train in the back end. The message "Connecting to... 1.2.5 cloud catalog" with a progress bar appears.

Wait for approximately 90 seconds for the progress bar to finish and the updated system version to display. Refresh the page if the new system version does not appear.

Step 4

After the release train change finishes, review the System Updates page.

The following information is displayed:

  • Package: System package

  • Status: Running

  • Installed Version: Current system package installed

  • Available Update: System package available for installation

Step 5

Click Install in the Available Update column.

During the install process, the following GUI changes are made:

  • App Management tab: Changes to the Software Updates tab

  • System Updates side panel: Changes to the Updates side panel

  • Packages & Updates side panel: Changes to the Installed Apps side panel

Step 6

After the system installation is finished and is in Running state, refresh the page.

A new Updates page displays the following information:

  • Platform Update: Displays the updated system version with a statement that the system is currently up to date. Additionally, a green check mark indicates a successful system upgrade.

  • Apps Updates: Displays groupings of applications with their current file size and version.

Note 
After performing system updates, clear the browser cache and log in to Cisco DNA Center 1.2.5 again.
Step 7

At the top of the Apps Updates field, click the Download All button.

After clicking this button, all the application upgrade packages are downloaded.

Note 

There are additional Download All buttons for different application groups (for example, Core, Automation, and Assurance). These buttons are dimmed and disabled. You need to only click the Download All button at the top of the page.

Step 8

After all of the application packages have been downloaded, click the Update All button at the top of the Apps Updates field.

After clicking this button, all of the applications are subsequently updated.

Note 

There are additional Update All buttons for different application groups (for example, Core, Automation, and Assurance). These buttons are dimmed and disabled. You need to only click the Update All button at the top of the page.

Step 9

Ensure that each application has been updated by reviewing its version in the Installed Apps page.

The application versions should be updated in this page.

Note 

There may be some new application packages that were not part of your previous Cisco DNA Center configuration, and for this reason have not been installed by this procedure (for example, the Test Support package listed on this page).


Upgrading from Release 1.2, 1.2.1, 1.2.2, 1.2.3, or 1.2.4 to Release 1.2.5

Procedure


Step 1

From the Cisco DNA Center home page, choose > System Settings > Software Updates.

A Cisco DNA Center 1.2.5 is Here! banner appears at the top of the Software Updates page with a Switch Now button.

Step 2

Click Switch Now in the banner.

Step 3

At the prompt, click OK to proceed with the upgrade.

Step 4

If a system update appears on the Software Updates page, click Update.

Step 5

Download the applications by doing one of the following:

  • To download all applications at once, click Download All at the top of the Application Updates field.

  • To download a specific application group, click Download All next to that group.

  • To download a specific application, click Download next to that application.

Step 6

Update the applications by doing one of the following:

  • To update all applications at once, click Update All at the top of the Application Updates field.

  • To update a specific application group, click Update All next to that group.

  • To update a specific application, click Update next to that application.

Step 7

Ensure that each application has been updated by reviewing its version on the Installed Apps page.

The application versions should be updated on this page.

Note 

There may be some new application packages that were not part of your previous Cisco DNA Center configuration, and for this reason have not been installed by this procedure (for example, the Test Support package listed on this page).


Recover from Premature Package Downloads

Successful migration to this release requires that you install all system updates before downloading or installing package updates. Due to dependencies among the updates, failure to observe this rule can make it impossible to install both system updates and package updates. Problem indicators include messages that a system update has failed and package update downloads that never exit the "Downloading" state.

As an admin user with Maglev SSH access privileges, complete the following steps to recover and install the system update.

Procedure


Step 1

Using an SSH client, log in to the Cisco DNA Center appliance using the IP address of the out-of-band management network adapter, on port 2222. Use the maglev login command and log in with an admin username and password (which is the same login used for the admin user on the Cisco DNA Center GUI).

Step 2

At the command line, delete all prematurely downloaded package updates by entering the following command:

for pkg in $(maglev package status -o json | jq -r '.[] | select(.available!="-") | [ .name,.available | tostring ] | join (":")'); do maglev catalog package delete $pkg 2>/dev/null; done
Important 

You must enter the preceding command as one line.

Step 3

Trigger the downloaded system update from the Cisco DNA Center GUI.

Step 4

After the system update installs successfully, download and install the package updates.


CMX Support

Cisco DNA Center supports the following CMX versions:

  • CMX 10.4.1

  • CMX 10.5.0

Before adding a CMX instance to Cisco DNA Center Network Settings, you must complete the following steps:

Procedure


Step 1

SSH to CMX using a cmxadmin account.

ssh -l cmxadmin (cmx-ip-address)
Step 2

Start the API server.

# cmxos apiserver start
Step 3

Create an API server user for Cisco DNA Center.

cmxos apiserver user add --user admin --password
Use the same password as the CMX web admin user password.

Network Plug and Play Considerations

Network Plug and Play Support

The Network Plug and Play application is not installed in Cisco DNA Center by default. You must download and install the package named Device Onboarding UI, and then you can find the application in the Tools section. For more information about installing a package, see the chapter "Manage Applications" in the Cisco Digital Network Architecture Center Administrator Guide.

General Feature Support

Network Plug and Play supports the following features, depending on the Cisco IOS software release on the device:

  • AAA device credential support: The AAA credentials are passed to the device securely and the password is not logged. This feature allows provisioning a device with a configuration that contains aaa authorization commands. This feature requires software release IOS 15.2(6)E1, IOS 15.6(3)M1, IOS XE 16.3.2, or IOS XE 16.4 or later on the device.

  • Image install and upgrade for Cisco Catalyst 9300 Series, Catalyst 9400 Series, Catalyst 9500 Series, Catalyst 3650 Series, and Catalyst 3850 Series switches is supported only when the switch is booted in Install mode. (Image install and upgrade is not supported for switches booted in Bundle mode.)

SUDI Support

The Secure Unique Device Identifier (SUDI) feature that allows secure device authentication is available on the following platforms:

  • Cisco routers:

    • Cisco ISR 1100 Series with software release 16.6.2

    • Cisco ISR 4000 Series with software release 3.16.1 or later, except for the ISR 4221, which requires release 16.4.1 or later

    • Cisco ASR 1000 Series (except for the ASR 1002-x) with software release 16.6.1

  • Cisco switches:

    • Cisco Catalyst 3850 Series with software releases 3.6.3E or 16.1.2E or later

    • Cisco Catalyst 3650 Series and 4500 Series with Supervisor 7-E/8-E, with software releases 3.6.3E, 3.7.3E, or 16.1.2E or later

    • Cisco Catalyst 4500 Series with Supervisor 8L-E with software releases 3.8.1E or later

    • Cisco Catalyst 4500 Series with Supervisor 9-E with software release 3.10.0E or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

  • NFVIS platforms:

    • Cisco ENCS 5400 Series with software release 3.7.1 or later

    • Cisco ENCS 5104 with software release 3.7.1 or later


Note

Devices that support SUDI have two serial numbers: the chassis serial number and the SUDI serial number (called the License SN on the device label). You must enter the SUDI serial number in the Serial Number field when adding a device that uses SUDI authentication. The following device models have a SUDI serial number that is different from the chassis serial number:

  • Cisco routers: ISR 43xx, ISR 44xx, ASR1001-X/HX, ASR1002-HX

  • Cisco switches: Catalyst 4500 Series with Supervisor 8-E/8L-E/9-E, Catalyst 9400 Series


Management Interface VRF Support

Network Plug and Play operates over the device management interface on the following platforms:

  • Cisco routers:

    • Cisco ASR 1000 Series with software release 16.3.2 or later

    • Cisco ISR 4000 Series with software release 16.3.2 or later

  • Cisco switches:

    • Catalyst 3650 Series and 3850 Series with software release 16.6.1 or later

    • Cisco Catalyst 9300 Series with software release 16.6.1 or later

    • Cisco Catalyst 9400 Series with software release 16.6.1 or later

    • Cisco Catalyst 9500 Series with software release 16.6.1 or later

4G Interface Support

Network Plug and Play operates over a 4G network interface module on the following Cisco routers:

  • Cisco 1100 Series ISR with software release 16.6.2 or later

Configuring Server Identity

To ensure successful Cisco DNA Center discovery by Cisco devices running newer IOS releases, the server SSL certificate offered by Cisco DNA Center during the SSL handshake must contain an appropriate Subject Alternate Name (SAN) value, so that the Cisco Plug and Play IOS Agent can verify the server identity. This may require the administrator to upload a new server SSL certificate, which has the appropriate SAN values, to Cisco DNA Center.

This requirement applies to devices running the following Cisco IOS releases:

  • Cisco IOS Release 15.2(6)E2 and later

  • Cisco IOS Release 15.6(3)M4 and later

  • Cisco IOS Release 15.7(3)M2 and later

  • Cisco IOS XE Denali 16.3.6 and later

  • Cisco IOS XE Everest 16.5.3 and later

  • Cisco IOS Everest 16.6.3 and later

  • All Cisco IOS releases from 16.7.1 and later

The value of the SAN field in the Cisco DNA Center certificate must be set according to the type of discovery being used by devices, as follows:

  • For DHCP option-43/option-17 discovery using an explicit IPv4 or IPv6 address, set the SAN field to the specific IPv4/IPv6 address of Cisco DNA Center.

  • For DHCP option-43/option-17 discovery using a hostname, set the SAN field to the Cisco DNA Center hostname.

  • For DNS discovery, set the SAN field to the plug and play hostname, in the format pnpserver.domain.

  • For Cisco Plug and Play Connect cloud portal discovery, set the SAN field to the Cisco DNA Center IP address, if the IP address is used in the Plug and Play Connect profile. If the profile uses the Cisco DNA Center hostname, then the SAN field must be set to the fully qualified domain name (FQDN) of the controller.

If the Cisco DNA Center IP address that is used in the Plug and Play profile is a public IP address that is assigned by a NAT router, then this public IP address must be included in the SAN field of the server certificate.

If an HTTP proxy server is used between the devices and Cisco DNA Center, ensure that the proxy certificate has the same SAN fields with the appropriate IP address or hostname.

We recommend that you include multiple SAN values in the certificate, in case discovery methods vary. For example, you can include both the Cisco DNA Center FQDN and IP address (or NAT IP address) in the SAN field. If you do include both, set the FQDN as the first SAN value, followed by the IP address.

If the SAN field in the Cisco DNA Center certificate does not contain the appropriate value, the device cannot successfully complete the plug and play process.


Note

The Cisco Plug and Play IOS Agent checks only the certificate SAN field for the server identity. It does not check the common name (CN) field.


Important Notes

Update Telemetry Profiles to Use a New Cluster Virtual IP Address

If you are using the Cisco DNA Center Telemetry tool to monitor device data, and you need to change the Cisco DNA Center cluster virtual IP address (VIP), complete the following steps to change the VIP and to ensure that node telemetry data is sent to the new VIP.

Before you begin

You need the following:

  • Determine whether the version of Cisco DNA Center you are using is in the 1.1.x or 1.2.x release train. You can check this by logging in to the Cisco DNA Center web interface, choosing > About, and checking the Cisco DNA Center version number. For example, if the version you are using begins with "1.1," it is in the 1.1.x release train.

  • SSH client software.

  • The IP address that was configured for the 10 GB interface facing the enterprise network on the Cisco DNA Center master node. To identify this port, see the rear-panel figure in "Front and Rear Panels" in the Cisco Digital Network Architecture Center Installation Guide. You log in to the appliance at this address, on port 2222.

  • The Linux username (maglev) and password configured on the master node.

  • The cluster VIP that you want to assign. The cluster VIP must conform to the requirements explained in the "Required IP Addresses and Subnets" topic in the 1.2 version of the Cisco Digital Network Architecture Center Installation Guide.

Procedure


Step 1

Access the Cisco DNA Center GUI and use the Cisco DNA Center Telemetry tool to push the Disabled profile to all nodes, as follows:

  1. From the Cisco DNA Center home page, click Telemetry in Tools.

  2. Click the Site View tab.

  3. In the Site View table in this tab, choose all the sites and devices currently being monitored.

  4. Click the Actions button and choose the Disable Telemetry profile from the drop-down list.

  5. Wait for the Site View table to show that telemetry has been disabled for the selected sites and devices.

Step 2

Use the appliance Configuration wizard to change the cluster VIP, as follows:

  1. Using an SSH client, log in to the OOB management port of the Cisco DNA Center master node. Be sure to log in on port 2222.

  2. When prompted, enter the Linux username and password.

  3. Enter the following command to access the Configuration wizard on the master node:

    
    $ sudo maglev-config update
    
    

    If prompted for the Linux password, enter it again.

  4. Click [Next] until the screen prompting you for the cluster virtual IP appears. Enter the new cluster VIP, then click [Next] to proceed through the remaining screens of the Configuration wizard.

  5. When you reach the final screen, a message appears stating that the Configuration wizard is ready to apply your changes. Click [proceed] to apply the cluster VIP change.

    At the end of the configuration process, a CONFIGURATION SUCCEEDED! message appears and the SSH prompt reappears.

Step 3

Restart the necessary Cisco DNA Center services by entering the following series of commands at the SSH prompt. Use the commands for the release train appropriate for your Cisco DNA Center version.

For versions of Cisco DNA Center in the 1.1.x release train (versions 1.1.1 and later, up to but not including 1.2.0), enter the following series of commands:
magctl service restart -d netflow-go
magctl service restart -d syslog
magctl service restart -d trap
magctl service restart -d wirelesscollector
For Cisco DNA Center in the 1.2.x release train (versions 1.2.0 and later), enter the following series of commands:
magctl service restart -d collector-netflow
magctl service restart -d collector-syslog
magctl service restart -d collector-trap
magctl service restart -d wirelesscollector
Step 4

Wait for all services to restart. You can monitor the progress of the restarts by entering the following command, substituting service names as needed for the release train appropriate for your Cisco DNA Center version. For example, if you are using a version of Cisco DNA Center in the 1.2.x release train, enter the following command:

magctl appstack status | grep -i -e collector-netflow -e collector-syslog -e collector-trap -e wirelesscollector

When all necessary services are running, you see command output similar to the following, with a "Running" status for each service that has restarted successfully:

assurance-backend   wirelesscollector-111222333-bc99s   1/1       Running   0    25d       10.60.3.55     172.19.53.99
ndp                          collector-netflow-444555666-lxvlx   1/1       Running   0     1d       172.19.53.99   172.19.53.99
ndp                          collector-syslog-777888999-r0rr1    1/1       Running   0    25d       172.19.53.99   172.19.53.99
ndp                          collector-trap-000111222-3ppllm     1/1       Running   0    25d       172.19.53.99   172.19.53.99
 
Step 5

Access the Cisco DNA Center GUI and use the Cisco DNA Center Telemetry tool to push the Optimal Visibility profile to all nodes, as you did in Step 1.


Troubleshooting WAAS Central Manager Access

If you update a non-default WAAS Central Manager (WCM) username (which doesn't have permission to access the WCM GUI) and then later receive an access error when you try to cross-launch WCM from Cisco DNA Center, you need to redo the role for that username as shown in the following steps.

Procedure


Step 1

Launch the WCM GUI by entering https://wcm_ip_address:8443 and enter the admin user credentials.

Step 2

Choose Admin > AAA > Users.

Step 3

Select the username that you recently modified, then navigate to Role Management.

Step 4

Assign the role that has access for the GUI.

This gives the correct access permissions to the user and allows you to cross-launch WAAS Central Manager from Cisco DNA Center.


Bugs

Open Bugs

The following table lists the open bugs for Cisco DNA Center for this release.

Table 6. Open Bugs

Bug Identifier

Headline

CSCvh98064

Provisioning a new device to the same site used in a policy gives no notification for policy redeployment.

CSCvh98080

If the SSID used in a policy is switched to fabric and a device is reprovisioned, the status becomes 0/0 devices.

CSCvi92534

Learning config for a WLAN controller that has multiple WLANs with same name causes implications on application policy.

CSCvj15985

There is a need to reboot Cisco vEDGE/ISRv router if any updates are made on the VNIC.

CSCvj34839

In Appx 360 page, time-series health plot on the chart is not visible.

CSCvj41522

PNP CSV with 25 APs fails.

CSCvj43440

After upgrading the Assurance package, the wireless/wired clients are recognized differently. Therefore, if you query for a count with a time range that encompasses the Upgrade time stamp, the same clients are represented/counted twice.

CSCvj44491

Mobility express controller upgrade fails with an SFTP error.

CSCvj68716

The SWIM readiness check does not complete and keeps rechecking for more than 10 minutes.

CSCvj99964

Reprovisioning on changing management network to LAN network in switch configuration must be supported.

CSCvk33113

Editing the global PSK SSID does not change the override PSK SSID after reprovisioning the wireless controller.

CSCvk42460

NCP package upgrade fails while upgrading from 1.1.8 to 1.2.3.

CSCvk73751

Issues with Find option in APIs page under Developer Toolkit.

CSCvm03144

App relevancy applied in Application policy is not reflected in Assurance.

CSCvm09710

An invalid character in the configuration on plug-and-play fails with a timeout.

CSCvm09564

The 24-hour bar on the Sensor Management page has a grayed-out section on the far right (for the most recent interval). The sensor results are grayed-out even for tests that passed.

CSCvm14997

Image copy fails to use SFTP for Mobility Express.

CSCvm18457

Wireless pipeline lag fluctuates the client number in the client health page.

CSCvm21352

Global VLANs of E NCS 54xx switch are not configured.

CSCvm29623

Top N Apps by client count chart shows no data; API returns null values.

CSCvm35571

Top AP Up/Down donut chart does not populate.

CSCvm37603

Site prefixes are not seen in the local control plane in a fabric-in-a-box scenario.

CSCvm38028

Upgrading from 1.2.3 or 1.2.4 to 1.2.5 fails if both IWAN and SDA are installed in 1.2.3 or 1.2.4.

CSCvm38125

Fabric-in-a-box with SDA transit creates /32 entries in the transit control plane.

CSCvm38169

Cisco Wireless Controller 5508 image upgrade fails with golden tag and wireless controller bundle error.

CSCvm40832

Cannot enable L2 handoff if the border has SDA transit connected.

CSCvm42415

Assurance should display clients from trunk port.

CSCvm46121

Catalyst 6500/Catalyst 6800 15.5(1)SY2 image does not encode DHCP option 82 in the DHCP discover packet.

CSCvm47215

Mobility Express shows as null on provisioning page after successful Mobility Express plug-and-play claim.

CSCvm51415

Push 'advertisement-interval 0' during border automation.

CSCvm53278

Cisco DNA Center with IWAN: A hub provisioning failure occurs when adding a day-N MTT link to the border router.

CSCvm53612

Cisco Wireless Controller provision and add to fabric succeeds, but wireless controller shows fabric as disabled.

CSCvm53779

AP is shown as 'unmonitor' under its domain and shown as 'monitor' under all domains.

CSCvm54948

After the Mobility Express controller is onboarded to Cisco DNA Center, Cisco DNA Center provisions the Mobility Express with IP addresses from the IP pool and the site username and password. The Mobility Express stays in "Cannot Sync" state and does not change to "Manage" state.

CSCvm55331

Cannot delete the seed device, even though network orchestration is complete.

CSCvm55403

Cisco DNA Center with IWAN: A partial collection failure occurs on the hub border router if a day-n WAN bandwidth change is made.

CSCvm55555

Nexus 7000 border post-provision check fails with "Error while getting polled data from device."

CSCvm57129

Extended node C3560CX, post-provision check fails.

CSCvm57225

From the Design/Provision > Assurance page, the 24-hour duration option is unavailable.

CSCvm58872

Multicast traffic does not work on SDA in-box with SDA transit.

CSCvm58967

LAN automation is stuck in unclaimed with Catalyst 6000 as a seed device.

CSCvm59016

Device tracking policy is not removed on L2 border trunk interface.

CSCvm59095

Recent tasks in image repository and device update status occasionally show no data.

CSCvm59169

AP-1800S image upgrade fails with Flash error when skip activate step selected.

CSCvm59209

Cisco DNA Center - Cisco Wireless Controller - ME AP does not send WSA due to a certificate issue.

CSCvm60582

SWIM: The Mobility Express upgrade succeeds but is reported as failed.

CSCvm64504

Client count doubled just before the system package upgrade.

CSCvm64749

Assurance doesn't show data under the Fabric Edge Assurance page.

CSCvm65767

Updating management IP for NFVIS goes to partial collection failure.

CSCvm68111

After upgrading from 1.2.4 to 1.2.5, the Cisco Aironet 1800s Active Sensor appears in the Inventory in Unclaimed state.

CSCvm70271

Cisco DNA Center pushes the wrong secret key to Cisco Identity Services Engine (ISE), and guest clients cannot join.

CSCvj75410

HA - Various changes relating to handling ES moving to a new node and support by services for result.

Resolved Bugs

The following table lists the resolved bugs for Cisco DNA Center for this release.

Table 7. Resolved Bugs

Bug Identifier

Headline

CSCvj10092

Top-level workflow steps time out if lower-level steps take longer than 30 minutes.

CSCvj59814

Disable IPv6 during installation, if not enabled in Maglev installation wizard.

CSCvj73255

Assurance UI fails to load due to error code "MAINTENANCE_SYSTEM_UPDATE_IN_PROGRESS."

CSCvk09815

Assurance cannot filter on the client MAC.

CSCvk26918

Application policy fails on Fabric Cisco Wireless Controller.

CSCvk31039

When editing the default profiles in the Telemetry application, the Save button does not appear.

CSCvk31042

When editing custom profiles in the Telemetry application, any previous settings do not appear.

CSCvk33192

Migrated from 1.1.6 to 1.2.3; after restoration, cannot create contracts.

CSCvk34607

Telemetry app sends the wrong IP for trap when no VIP is configured.

CSCvk36520

Upgrade from 1.2.1 to 1.2.2 fails with an exception in package: network-visibility.

CSCvk41167

Assurance: Client table returns inaccurate results for chosen wired/wireless filter.

CSCvk50743

Reprovisioning devices when the device sync status is "in progress" fails. Device sync status might remain "in progress" for up to 10 hours.

CSCvm29532

Limitation with port channel in a 9300 stack when ASR is used as fusion.

CSCvm31496

Image update: Golden image marking does not work for NFVIS devices and requires refresh after marking.

CSCvm31953

Template: cat4500-X VSS is set to the wrong device type.

CSCvm57070

Enabling external guest border with SDA in a box should not be allowed, and should generate an error in the UI.

CSCvm58678

Elastic wireless controller - Assurance page doesn't load when you navigate from Design/wireless UI.

CSCvm60765

L2 handoff fails on upgraded cluster with error code "InternalError."

CSCvm72025

After upgrading from Cisco DNA Center 1.1.8 to 1.2.5, managed devices might go into Partial Collection Failure status.

This problem is resolved by updating the Network Controller Platform package to version 2.1.23.60291.

Using the Bug Search Tool

Use the Bug Search tool to search for a specific bug or to search for all bugs in this release.

Procedure


Step 1

Point your browser to http://tools.cisco.com/bugsearch.

Step 2

At the Log In screen, enter your registered cisco.com username and password; then, click Log In. The Bug Search page opens.

If you do not have a cisco.com username and password, you can register for them at http://tools.cisco.com/RPF/register/register.do.

Step 3

To search for a specific bug, enter the bug ID in the Search For field and press Return.

Step 4

To search for bugs in the current release:

  1. In the Search For field, enter Cisco DNA Center and press Return. (Leave the other fields empty.)

  2. When the search results are displayed, use the filter tools to find the types of bugs you are looking for. You can search for bugs by modified date, status, severity, and so forth.

    To export the results to a spreadsheet, click the Export Results to Excel link.

Limitations and Restrictions

Backup and Restore Limitations

Backup and restore limitations and restrictions include:

  • You cannot take a backup from one version of Cisco DNA Center and restore it to another version of Cisco DNA Center. You can only restore a backup to an appliance that is running the same Cisco DNA Center software version, applications, and application versions as the appliance and applications from which the backup was taken. To view the current applications and versions on Cisco DNA Center, click > System Settings > App Management.

  • After performing a restore operation, update your integration of Cisco ISE with Cisco DNA Center. After a restore operation, Cisco ISE and Cisco DNA Center might not be in sync. To update your Cisco ISE integration with Cisco DNA Center, access Settings in the GUI, then open the Authentication and Policy Servers window and choose Edit for the server. Enter your Cisco ISE password to update.

  • After performing a restore operation, the configuration of devices in the network might not be in sync with the restored database. For this reason, you might need to manually revert the CLI commands pushed for authentication, authorization, and accounting (AAA) and configuration on the network devices. Refer to the individual network device documentation for information about the CLI commands to enter.

  • Re-enter the device credentials in the restored database. If you updated the site-level credentials before the database restore and the backup being restored does not have the credential change information, all devices go to partial-collection after restore. You then need to manually update the device credentials on the devices for synchronization with Cisco DNA Center or perform a rediscovery of those devices to learn the device credentials.

  • Perform AAA provisioning only after adjusting network device differential changes to the restored database. Otherwise, device lockouts might occur.

  • You can back up and restore Automation data only or both Automation and Assurance data. But you cannot use the GUI or the CLI to back up or restore only Assurance data.

HA Limitation

In this release, Cisco DNA Center only provides HA support for Automation functionality. HA for Assurance is not supported at this time.

Cisco ISE Integration Limitations

Cisco ISE integration limitations and restrictions include:

  • ECDSA keys are not supported as either SSH keys for Cisco ISE SSH access, nor in certificates in Cisco DNA Center and Cisco ISE.

  • Full certificate chains must be uploaded to Cisco DNA Center while replacing the existing certificate. If the Cisco DNA Center certificate is issued by a subCA of a rootCA, the certificate chain uploaded to Cisco DNA Center while replacing the Cisco DNA Center certificate must contain all three certificates.

  • Self-signed certificates applied on Cisco DNA Center must have the Basic Constraints extension with cA:TRUE (RFC5280 section-4.2.19).

  • The IP address or FQDN of both Cisco ISE and Cisco DNA Center must be present in either the Subject Name field or the Subject Alt Name field of the corresponding certificates.

  • If the certificate is replaced or renewed in either Cisco ISE or Cisco DNA Center, trust must be re-established.

  • Cisco DNA Center andCisco ISE IP/FQDN must be present in the proxy exceptions list if there is a web proxy between Cisco DNA Center and Cisco ISE.

  • Cisco DNA Center and Cisco ISE nodes cannot be behind a NAT device.

  • Cisco DNA Center does not detect pxGrid persona changes after trust establishment.

  • Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.

    Specifically, if the ISE Admin certificate is issued by CA server A, the ISE pxGrid certificate is issued by CA server B, and the pxGrid persona is running on a node other than ISE PPAN, the pxGrid session from Cisco DNA Center to Cisco ISE does not work.

Brownfield Feature-Related Limitations

Brownfield feature-related limitations include:

  • Cisco DNA Center cannot learn device credentials.

  • You must enter the preshared key (PSK) or shared secret for the AAA server as part of the import flow.

  • Details about DNS, WebAuth redirect URL, and syslog are not learned.

  • Cisco DNA Center can learn only one wireless controller at a time.

  • For site profile creation, only those AP groups with AP and SSID entries are considered.

  • Automatic site assignment is not possible.

  • SSIDs with an unsupported security type and radio policy are discarded.

  • For authentication and accounting servers, if the RADIUS server is present in the device, it is given first preference. If the RADIUS server is not present, the TACACS server is considered for design.

  • Cisco ISE server (AAA) configuration is not learned through brownfield provisioning.

  • The authentication and accounting servers must have the same IP addresses for them to be learned through brownfield provisioning.

  • When the same SSID is associated with different interfaces in different AP groups, during the provisioning, the newly created AP group with the SSID is associated with the same interface.

  • A wireless conflict is based on the SSID name only and does not consider other attributes.

Wireless Policy Limitation

Wireless policy limitation includes:

  • If the AP is migrated after the policy was created, you must manually edit the policy and point to an appropriate AP location before deploying the policy. Otherwise, an error message saying "Policy Deployment failed" is displayed.

Cisco Plug and Play Limitations

Plug and Play limitations and restrictions include:

  • Virtual Switching System (VSS) is not supported.

  • The Cisco Plug and Play Mobile app is not supported with Plug and Play in Cisco DNA Center.

  • The Stack License workflow task is supported for Cisco Catalyst 3650 and 3850 Series switches running IOS XE 16.7.1 and later.

  • The Plug and Play agent on the switch initiates on VLAN 1 by default. Most deployments recommend that VLAN 1 be disabled. If you do not want to use VLAN 1 when PnP starts, enter the following CLI command on the upstream device:

    pnp startup-vlan <vlan_number>

Service and Support

Related Documentation

The following publications are available for Cisco DNA Center.

For this type of information...

See this document...

Release information, including new features, system requirements, and open and resolved bugs.

Cisco DNA Center Release Notes

Installation and configuration of Cisco DNA Center, including post-installation tasks.

Cisco DNA Center Installation Guide

Use of the Cisco DNA Center GUI and its applications.

Cisco DNA Center User Guide

Configuration of user accounts, RBAC scope, security certificates, authentication and password policies, and global discovery settings.

Monitoring and managing Cisco DNA Center services.

Backup and restore.

Cisco DNA Center Administrator Guide

Supported devices, such as routers, switches, wireless access points, NFVIS platforms, and software releases.

Supported Devices

Use of the Cisco DNA Assurance GUI.

Cisco DNA Assurance User Guide

Licenses and notices for open source software used in Cisco DNA Assurance.

Open Source Used in Cisco DNA Assurance

Use of the Cisco DNA Center platform GUI and its applications.

Cisco DNA Center Platform User Guide

Cisco DNA Center platform release information, including new features, deployment, and open bugs.

Cisco DNA Center Platform Release Notes

Licenses and notices for open source software used in Cisco DNA Center platform.

Open Source Used in Cisco DNA Center Platform

Key features and scale numbers.

Cisco DNA Center Data Sheet

Obtaining Documentation and Submitting a Service Request

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information, see What’s New in Cisco Product Documentation.

You can also subscribe to the What’s New in Cisco Product Documentation RSS feed, which delivers lists and content of new and revised Cisco technical documentation directly to your desktop, using any RSS reader application. This RSS feed is a free service.