Compliance Audit for Network Devices

Compliance Overview

Compliance helps identify anomalies in the network, that is, changes that may have been injected or reconfigured through another source, such as out of band, without affecting the original content.

A network administrator can conveniently identify, in Cisco DNA Center, devices that do not meet the compliance requirements for the different aspects of compliance, such as Software Image, PSIRT, Network Profile, and so on.

A compliance check can be automated, manual, or scheduled.

  • Automated compliance check: Uses the latest data collected from devices in Cisco DNA Center. This compliance check listens to traps and notifications from various services, such as inventory and SWIM, to compute its data.

  • Manual compliance check: Enables a user to trigger the compliance check manually in Cisco DNA Center.

  • Scheduled compliance check: A scheduled compliance job runs every Saturday night at 11 pm. It runs for all devices with triggerFull=true, which means that all supported types of compliance, such as RUNNING_CONFIG, INTENT, IMAGE, PSIRT, and so on, are checked.

Manual Compliance Run

You can trigger a compliance check manually in Cisco DNA Center.

Procedure


Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Provision > Inventory.

Step 2

For a bulk compliance check, do the following:

  1. Choose all the applicable devices.

  2. From the Actions drop-down list, choose Compliance > Run Compliance.

Step 3

For a per-device compliance check, do the following:

  1. Choose the devices for which you want to run the compliance check.

  2. From the Actions drop-down list, choose Compliance > Run Compliance.

  3. Alternatively, click the Compliance column (if available) and then click Run Compliance.

Step 4

To view the latest compliance status of a device, do the following:

  1. Choose the device and resynchronize its inventory. See Resynchronize Device Information.

  2. From the Actions drop-down list, choose Compliance > Run Compliance.

Note 
  • A compliance run cannot be triggered for unreachable or unsupported devices.

  • If compliance is not run manually for a device, the compliance check is automatically scheduled to run after a certain period of time that depends on the type of compliance.


View Compliance Summary

The inventory page shows an aggregated status of compliance for each device.

Procedure

Step 1

In the Cisco DNA Center GUI, click the Menu icon and choose Provision > Inventory.

The compliance column shows the aggregated compliance status of each device.

Step 2

Click the compliance status to launch the compliance summary window, which shows the following compliance checks applicable for the selected device:

  • Startup versus Running Configuration

  • Software Image

  • Critical Security Vulnerability

  • Network Profile

  • Fabric

  • Application Visibility

Note 
  • Network Profile, Fabric, and Application Visibility are optional and are displayed only if the device is provisioned with the required data.

  • To debug compliance, collect the following information from the customer setup:

    1. A screenshot of the Compliance Summary and a screenshot of the tile showing the mismatches.

    2. The debugging log must include spf-service-manager-service. In the System Settings > Debugging Logs window, enable spf-service-manager-service in the Service drop-down list and set the Logger Name to com.cisco.dnac.compliance for spf-service-manager-service.


Types of Compliance

Each compliance type is listed below with the compliance check it performs and the compliance status values it can report.

Startup versus Running Configuration

This compliance check helps the network administrator see whether the startup and running configurations of a device are the same. Compliance identifies, computes, and shows a summarized as well as a detailed report of out-of-band changes in the running configuration. When the startup or running configuration of the device changes, the compliance check is automatically scheduled to run after a delay of five minutes.

  • Non-Compliant: The startup and running configurations are not the same. In the detail view, the system shows the differences between the startup and running configurations, or between the running and previous running configurations.

  • Compliant: The startup and running configurations are the same.

  • NA (Not Applicable): The device is not supported for this compliance type (for example, AireOS).
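The following added example (not Cisco DNA Center code) shows how the Startup versus Running Configuration check described above can be computed offline, and how per-type results can be rolled up into the single aggregated status shown in the Inventory compliance column. The sample configurations are constructed; the volatile-line filter and the "worst status wins" aggregation rule are assumptions, not documented Cisco DNA Center behavior.

```python
"""Startup vs Running compliance check and inventory roll-up (added example)."""
import difflib

# Device families the page reports as NA for this check (AireOS is named on the page).
UNSUPPORTED_FAMILIES = {"AireOS"}
# Comment lines that legitimately differ between startup and running on every device
# (assumption: a timestamp alone should not count as an out-of-band change).
VOLATILE_PREFIXES = ("! Last configuration change", "! NVRAM config last updated")


def normalize(config):
    """Drop blank lines and volatile comment lines before comparing."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.startswith(VOLATILE_PREFIXES)]


def startup_vs_running(startup, running, device_family):
    """Return (status, detail); detail lists the changed lines shown in the detail view."""
    if device_family in UNSUPPORTED_FAMILIES:
        return "NA", []
    diff = difflib.unified_diff(normalize(startup), normalize(running),
                                "startup-config", "running-config", n=0, lineterm="")
    # Keep only added/removed config lines; drop the file headers and @@ hunk markers.
    detail = [ln for ln in diff
              if ln.startswith(("+", "-")) and not ln.startswith(("+++", "---"))]
    return ("COMPLIANT" if not detail else "NON_COMPLIANT"), detail


def aggregate(per_type):
    """Roll per-type statuses up into one inventory-column status (worst wins; assumption)."""
    for status in ("ERROR", "NON_COMPLIANT", "COMPLIANT"):
        if status in per_type.values():
            return status
    return "NA"


# Constructed sample configs: same intent, but VTY access was widened out of band.
STARTUP = """! Last configuration change at 10:00:00 UTC Mon Jan 1 2024
hostname edge-sw1
!
interface GigabitEthernet1/0/1
 description uplink
 switchport mode trunk
!
line vty 0 4
 transport input ssh
"""
RUNNING = STARTUP.replace("10:00:00", "11:30:00").replace("input ssh", "input ssh telnet")

if __name__ == "__main__":
    status, detail = startup_vs_running(STARTUP, RUNNING, "Cisco Catalyst 9300")
    print(status, detail)
    print(aggregate({"RUNNING_CONFIG": status, "IMAGE": "COMPLIANT", "PSIRT": "NA"}))
```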

Software Image

This compliance check helps the network administrator see whether the golden image tagged in Cisco DNA Center is running on the device. It shows the difference between the golden image and the running image of a device. When the software image changes, the compliance check is triggered immediately, without any delay.

  • Non-Compliant: The device is not running the tagged golden image of the device family.

  • Compliant: The device is running the tagged golden image of the device family.

  • NA (Not Applicable): The golden image is not available for the selected device family.

Critical Security (PSIRT)

The PSIRT compliance check lets the network administrator check whether the network devices are running without any critical security vulnerabilities.

  • Non-Compliant: The device has critical advisories. A detailed report displays additional information.

  • Compliant: There are no critical vulnerabilities in the device.

  • NA (Not Applicable): The security advisory scan has not been run by the network administrator in Cisco DNA Center, or the device is not supported.

Network Profile

Cisco DNA Center allows you to define your intent configuration through a Network Profile and pushes it to the device through provisioning. The intent must be running on the device. If violations are found at any time because of out-of-band changes, compliance identifies, computes, and flags them. The violations are shown to the user under Network Profiles on the compliance summary page. The automatic compliance check is scheduled to run after a period of 5 hours.

  • Non-Compliant: The device is not running the intent configuration of the profile.

  • Compliant: The intent configurations are running on the device.

  • Error: Compliance could not compute the status because of an underlying error. For more details, refer to the error log.

Fabric (SDA Profile)

  • Non-Compliant: The device is not running the intent configuration.

  • Compliant: The device is running the intent configuration.

Application Visibility

Cisco DNA Center allows you to create an application visibility intent and provision it to devices through CBAR and NBAR. If the intent is not running on the devices, compliance identifies, computes, and shows the violation as compliant or non-compliant under Application Visibility. The automatic compliance check is scheduled to run after a period of 5 hours.

  • Non-Compliant: The CBAR/NBAR configuration is not running on the device.

  • Compliant: The intent configuration of CBAR/NBAR is running on the device.

Compliance Behavior After Upgrading from N-1/N-2

  • A compliance check for all applicable devices (devices for which compliance never ran in the system) is triggered after successful upgrade from N-1/N-2.

  • Compliance computes and shows the status of the devices in the inventory, except for the Startup vs Running type.

  • After upgrade, the Startup vs Running tile shows as NA with the text "Configuration data is not available."

  • One day after a successful upgrade, a one-time scheduler runs and makes configuration data available for the devices. The Startup vs Running tile then shows the correct status (Compliant/Non-Compliant) and detailed data.

  • If any traps are received, the config archive service collects configuration data and the compliance check runs again.


Note

In an upgraded setup, ignore any compliance mismatch for the Flex Profile interface. In the interface name, 1 maps to management.