Introduction

Cisco DNA Center is the foundational controller and analytics platform at the heart of Cisco’s intent-based network. Cisco DNA Center offers centralized, intuitive management that makes it fast and easy to design, provision, and apply policies across your network environment. The Cisco DNA Center GUI provides end-to-end network visibility and uses network insights to optimize network performance and deliver the best user and application experience.

Cisco DNA Center introduces support for offline software updates, allowing Cisco DNA Center appliances deployed in secure, air-gapped networks to be updated to the latest Cisco DNA Center software and application versions without having to access the Cisco Connected DNA Cloud.


Note

If you installed from an ISO image in an air-gapped environment, and you don’t need to update yet, you must still accept the end-user license agreement (EULA) as explained in this guide.


Fresh Install from the Cisco DNA Center ISO Image

Offline Install Workflow

An offline Cisco DNA Center installation involves the following steps:

  1. Download the image.

  2. Verify the downloaded file.

  3. Create a bootable USB drive.

  4. Install the Cisco DNA Center ISO image.

  5. Configure the Cisco DNA Center appliance.

  6. Complete the first-time setup.

  7. Accept the device EULA (1.3.3.6 and earlier).

  8. Accept the device EULA (1.3.3.7 and later).

  9. Install the applications.

Download the Image

You or your Cisco account representative must raise a TAC request. A TAC representative then gives you access and instructions for downloading the ISO file from a Cisco file server.

Procedure


Step 1

Log in to the Cisco file server, which is accessible via the internet.

Step 2

Download the Cisco DNA Center ISO image (.iso) from the location specified.

Step 3

Download the Cisco public key (cisco_image_verification_key.pub) for signature verification.

Step 4

Download the secure hash algorithm (SHA512) checksum file for the image.

Step 5

Download the binary image's signature file (.sig).


Verify the Downloaded File

Verify the integrity of the downloaded image using Cisco signature verification and the SHA512 checksum provided on the portal.

Procedure


Step 1

(Optional) Perform SHA verification to determine whether the ISO image is corrupted due to a partial download.

Depending on your OS, enter one of the following commands:

  • Linux:
    sha512sum Cisco-DNA-Center-image-filename
  • Mac:
    shasum -a 512 Cisco-DNA-Center-image-filename

Microsoft Windows does not include a built-in checksum utility, but you can install a utility from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=11533.

Compare the command output (or Microsoft Windows utility) to the SHA512 checksum file. If the command output does not match, download the ISO image again and enter the appropriate command a second time. If the output still does not match, contact Cisco support.

Step 2

Verify that the ISO image is genuine and from Cisco by verifying its signature:

openssl dgst -sha512 -verify cisco_image_verification_key.pub -signature signature-filename Cisco-DNA-Center-image-filename

This command works in both Mac and Linux environments. For Windows, you must download and install OpenSSL, if you haven’t done so already.

If the ISO image is genuine, entering this command displays a Verified OK message. If this message fails to appear, do not install the ISO image and contact Cisco support.


Install the Cisco DNA Center ISO Image

Procedure


Step 1

Connect the bootable USB drive with the Cisco DNA Center ISO image to the appliance.

Step 2

Log in to Cisco IMC and start a KVM session.

Step 3

Power on or power cycle the appliance:

  • If the appliance is not currently running, choose Power > Power On System.

  • If the appliance is already running, choose Power > Power Cycle System (cold boot).

Step 4

In the resulting pop-up window, click Yes to acknowledge that you are about to execute a server control action.

Step 5

When the Cisco logo appears, either press the F6 key or choose Macros > User Defined Macros > F6 from the KVM menu. The boot device selection menu appears.

Step 6

Select your USB drive and then press Enter.

Step 7

In the GNU GRUB bootloader window, select Manufacture Cisco DNA appliance and then press Enter.

Note 

The bootloader automatically boots the Maglev installer instead if you don't make a selection within 30 seconds.


Configure the Cisco DNA Center Appliance

When installation of the Cisco DNA Center ISO image completes, the installer reboots and opens the Maglev Configuration wizard's welcome screen. To configure your appliance for day-to-day use in your network, complete the steps described in one of the following sections:

Complete the First-Time Setup

Procedure


Step 1

After the Cisco DNA Center appliance reboot is completed, launch your browser.

Step 2

Enter the host IP address to access the Cisco DNA Center GUI, using HTTPS:// and the IP address of the Cisco DNA Center GUI that was displayed at the end of the configuration process.

After entering the IP address, one of the following messages appears (depending on your browser):

  • Google Chrome: Your connection is not private

  • Mozilla Firefox: Warning: Potential Security Risk Ahead

Step 3

Ignore the message and click Advanced. One of the following messages appears:

  • Google Chrome: This server could not prove that it is GUI-IP-address; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.

  • Mozilla Firefox: Someone could be trying to impersonate the site and you should not continue. Websites prove their identity via certificates. Firefox does not trust GUI-IP-address because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.

These messages appear because the controller uses a self-signed certificate. For information on how Cisco DNA Center uses certificates, see the "Certificate and Private Key Support" section in the Cisco DNA Center Administrator Guide.

Step 4

Ignore the message and do one of the following:

  • Google Chrome: Click the Proceed to <GUI-IP-address> (unsafe) link.

  • Mozilla Firefox: Click Accept the Risk and Continue.

The Cisco DNA Center Login window appears.

Step 5

In the Login window, enter the admin's username (admin) and password that you set when you configured Cisco DNA Center, then click Log In.

The Reset Login window appears.

Step 6

Enter the old password, enter and confirm a new password for the admin superuser, and then click Save.

The Enter Cisco.com ID window appears.

Step 7

(Skip this step) Enter the username and password for the cisco.com user, then click Next. If the cisco.com user login does not match any known Cisco Smart Account user login, the Smart Account window appears.

Step 8

(Skip this step) If the Smart Account window appears, enter the username and password for your organization's Smart Account, or click the corresponding link to open a new Smart Account. After you are finished, click Next.

The IP Address Manager window appears.

Step 9

If your organization uses an external IP address manager (IPAM), do the following and then click Next:

  • Enter your IPAM server's name and URL.

  • Enter the username and password required for server access.

  • Choose your IPAM provider (such as Infoblox).

  • Choose the specific view of IP addresses available in the IPAM server database that you want Cisco DNA Center to use.

The Enter Proxy Server window appears.

Step 10

Click Next.

The software EULA window appears.

Step 11

Click Next to accept the software End User License Agreement and continue.

The Ready to go! window appears.

Step 12

We recommend that you click the User Management link to display the User Management window. Then click Add to begin adding new Cisco DNA Center users. After you have entered the new user's name and password, and selected the user's role, click Save to create the new user. Repeat this as needed until you have added all the new users for your initial deployment. Be sure to create at least one user with the NETWORK-ADMIN-ROLE.


Accept the Device EULA (1.3.3.6 and Earlier)

Complete this procedure for Cisco DNA Center 1.3.3.6 and earlier releases. For 1.3.3.7 and later releases, skip this procedure and go directly to Accept the Device EULA (1.3.3.7 and Later).

Procedure


Step 1

As part of the files that you downloaded, there is a file (<release_name>_accept_device_eula) to accept the EULA offline. Locate and download this file, which is available as a separate download and can be installed in the same way as the bundle described previously.

Step 2

After downloading the file, enter the following command to make it executable:

chmod +x <release_name>_accept_device_eula

Step 3

Enter the following command to run the file:

sudo ./<release_name>_accept_device_eula -Y

The -Y argument indicates that you are accepting the Cisco DNA Center software license EULA.

Note

In the Cisco DNA Center GUI under Design > Image Repository, the image EULA is still shown as not accepted, but this is expected and has no functional impact.

Accept the Device EULA (1.3.3.7 and Later)

Complete this procedure only for Cisco DNA Center 1.3.3.7 and later releases.

Procedure


Step 1

Log in to the Cisco DNA Center cluster and change to the desired directory. For example:

$ cd /mnt/install-artifacts/eula
$ ls
finalize_offline_installation-1.3.0.147.bin

Step 2

Change the permissions:

$ sudo chmod 777 finalize_offline_installation-1.3.0.147.bin
[sudo] password for maglev:

Step 3

Enter the following command:

$ sudo ./finalize_offline_installation-1.3.0.147.bin -Y

The -Y argument indicates that you are accepting the Cisco DNA Center software license EULA.

Note 

In the Cisco DNA Center GUI under Design > Image Repository, the image EULA is still shown as not accepted, but this is expected and has no functional impact.


Install the Applications

After you complete the preceding tasks, the uber ISO has loaded a number of applications, which must now be installed.

Procedure


Step 1

In the Cisco DNA Center GUI, click the gear icon in the top-right corner.

Step 2

Choose System Settings > Software Updates.

Step 3

Click Install All.

Step 4

Click Continue.

Step 5

Click Continue.


Update from the Cisco DNA Center Binary Image

Prerequisites

Before upgrading your installed instance of Cisco DNA Center, review the following prerequisites:

  • Ensure that Cisco DNA Center does not have internet connectivity.

  • Only a user with SUPER-ADMIN-ROLE permissions can perform a Cisco DNA Center software update.

  • Create a backup of your Cisco DNA Center database. For instructions on creating a backup, see the Cisco DNA Center Administrator Guide.

  • Have the username and password for a cisco.com user account available for the download. This can be any valid cisco.com user account.

  • Allocate enough time for the upgrade process, which can take longer than 6 hours to complete.

  • We strongly recommend that you do not use Cisco DNA Center or any of its applications or tools while the upgrade is in process.

  • Confirm that the minimum disk requirements are met:

    • The / partition has at least 2 GB of free space.

    • The /data partition has at least 35 GB of free space and is not more than 70% full.

  • Use the df -h command to verify the disk space:

    $ df -h
    Filesystem                          Size  Used Avail Use% Mounted on
    udev                                126G     0  126G   0% /dev
    tmpfs                               26G   14M   26G   1% /run
    /dev/sdb2                           29G   23G  4.5G  84% /
    tmpfs                               126G     0  126G   0% /dev/shm
    tmpfs                               5.0M     0  5.0M   0% /run/lock
    tmpfs                               126G     0  126G   0% /sys/fs/cgroup
    /dev/sdb3                           29G   44M   27G   1% /install2
    /dev/sdb5                           374G   99G  256G  28% /data
    /dev/sdb4                           9.3G  601M  8.2G   7% /var
    /dev/sdc1                           420G  1.4G  397G   1% /data/maglev/srv/fusion
    /dev/sdc2                           1.4T   41G  1.3T   4% /data/maglev/srv/maglev-system
    /dev/sdd1                           3.5T  243M  3.3T   1% /data/maglev/srv/ndp
    glusterfs-server.maglev-…ault_vol   1.4T   54G  1.3T   5% /mnt/glusterfs/default_vol
    [Fri Jan 10 18:59:27 UTC] maglev@10.82.128.100 (maglev-master-10-82-128-100) /
    $

If you receive a storage validation failed error, contact the Cisco TAC.

If the Cisco DNA Center download, update, or install procedures fail for any reason, always retry the procedure a second time.

Offline Update Workflow

An offline Cisco DNA Center update involves the following steps:

  1. Raise a TAC request to get access to the image for the airgap/offline update.

  2. Download the Cisco DNA Center binary image from a Cisco file server (requires access to the internet).

  3. Verify the integrity of the downloaded image.

  4. Transfer the downloaded image to the Cisco DNA Center cluster in the secure, airgap environment.

  5. SSH to the Cisco DNA Center cluster and execute the binary.

  6. Log in to the Cisco DNA Center GUI and perform a system update and an applications update.

Download the Image

You or your Cisco account representative must raise a TAC request. A TAC representative then gives you access and instructions for downloading the binary file from a Cisco file server.

Procedure


Step 1

Log in to the Cisco file server, which is accessible via the internet.

Step 2

Download the image from the Cisco file server. This includes the secure hash algorithm (SHA512) checksum file for the image.


Verify the Downloaded File

Verify the integrity of the downloaded image using Cisco signature verification and the SHA512 checksum provided on the portal.

Procedure


Step 1

Perform SHA verification to determine whether the binary image is corrupted due to a partial download.

Depending on your OS, enter one of the following commands:

  • Linux:
    sha512sum Cisco-DNA-Center-image-filename
  • Mac:
    shasum -a 512 Cisco-DNA-Center-image-filename

Microsoft Windows does not include a built-in checksum utility, but you can install a utility from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=11533.

Step 2

Compare the command output (or Microsoft Windows utility) to the SHA512 checksum file. If the command output does not match, download the image again and enter the appropriate command a second time. If the output still does not match, contact Cisco support.


Transfer the File to Cisco DNA Center

Procedure


Step 1

Use a supported file transfer mechanism (SCP or SFTP) to transfer the downloaded image to the Cisco DNA Center cluster and the /data/tmp partition. When using USB, transfer the image to a terminal in the air-gapped network and then transfer the image to the Cisco DNA Center cluster and the /data/tmp partition (via SCP or SFTP).

Step 2

After transferring the image to the Cisco DNA Center cluster, perform SHA verification again to check if the file was corrupted in the process.
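The checks from the two "Verify the Downloaded File" procedures and the post-transfer re-check above, combined into one fail-closed script. This is an added example, not Cisco-supplied code: the function names are hypothetical, and it assumes the checksum file contains the digest as a standalone 128-character hex token (the page does not describe the file's format).

```shell
#!/bin/sh
# Added example (not from Cisco): fail-closed wrappers around the sha512sum /
# shasum and "openssl dgst -verify" commands shown in this guide.

# Print the lowercase SHA512 hex digest of a file (Linux or Mac tool).
sha512_of() {
    if command -v sha512sum >/dev/null 2>&1; then
        sha512sum "$1" | awk '{print tolower($1)}'
    else
        shasum -a 512 "$1" | awk '{print tolower($1)}'
    fi
}

# check_sha512 IMAGE CHECKSUM_FILE
# Assumption: the expected digest is the first 128-hex-character token in the file.
check_sha512() {
    [ -r "$1" ] && [ -r "$2" ] || { echo "missing image or checksum file" >&2; return 2; }
    expected=$(tr -s ' \t\r' '\n' < "$2" | grep -E -i -x '[0-9a-f]{128}' \
        | head -n 1 | tr 'A-F' 'a-f')
    [ -n "$expected" ] || { echo "no SHA512 digest found in $2" >&2; return 2; }
    actual=$(sha512_of "$1") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "SHA512 OK: $1"
    else
        echo "SHA512 MISMATCH: $1 (download or transfer the file again)" >&2
        return 1
    fi
}

# check_signature IMAGE PUBKEY SIGFILE
# Passes only if openssl exits 0 and prints exactly "Verified OK".
check_signature() {
    if out=$(openssl dgst -sha512 -verify "$2" -signature "$3" "$1" 2>/dev/null) \
        && [ "$out" = "Verified OK" ]; then
        echo "Signature OK: $1"
    else
        echo "SIGNATURE FAILED: $1 (do not install; contact Cisco support)" >&2
        return 1
    fi
}

# verify_image IMAGE CHECKSUM_FILE PUBKEY SIGFILE: both checks must pass.
verify_image() {
    check_sha512 "$1" "$2" && check_signature "$1" "$3" "$4"
}

# Stand-alone use: script.sh IMAGE CHECKSUM_FILE PUBKEY SIGFILE
if [ "$#" -eq 4 ]; then
    verify_image "$@" || exit 1
fi
```

A matching checksum only shows that the copy is intact relative to the checksum file; the signature check is what ties the image to the Cisco public key. After the transfer into the air-gapped network, `check_sha512` alone repeats the corruption check against the same checksum file.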


Considerations for a Three-Node Cluster

Procedure


Step 1

For a three-node Cisco DNA Center cluster, copy the bin file to the node where the catalogserver pod is running.

Step 2

To determine the IP address of the node where the catalog server is running, enter:

magctl service status catalogserver | grep Node:

For example, the output is similar to the following:

$ magctl service status catalogserver | grep Node:
Node: 192.192.192.72/192.192.192.72

[Thu Mar 19 22:59:48 UTC]maglev@192.192.192.68(maglev-master-192-192-192-68) ~
$

In this example, copy the bin file to the /data/tmp partition on 192.192.192.72.


Execute the Binary File

Procedure


Step 1

Use SSH to log in to the Cisco DNA Center cluster.

Step 2

Enter the following command to add execute permission:

chmod +x <uber-bin-file>
Step 3

Enter the following command to execute the binary file:

sudo ./<uber-bin-file>

The command has the following output:

$ sudo ./<bin-filename>.bin
[sudo] password for maglev:
=============================
Welcome to DNAC offline update
=============================
Please provide your credentials to get started
[administration] username: admin <Cisco DNA Center login/password combo>
[administration] password for admin: <Cisco DNA Center password>

Step 4

Executing the binary file updates the local catalog for the system and application packages. Locate the Installation SUCCESSFUL status message, which indicates that the bin file executed successfully.

You can track the current status of the process by tailing the log file <bin-filename>-install.log. If required, you can also verify the logs under /var/log/offlineupdates/.


Perform an Offline Update

Procedure


Step 1

After successful execution of the binary file, log in to the Cisco DNA Center cluster GUI and choose Settings > Software Updates > Updates.

Step 2

A system update appears on the Software Updates page. Click Update.

After a successful update, you see the following message:

Your system package is up to date. Proceed with Application updates.

Step 3

(Make sure your system is up to date before proceeding with this step). After all application packages are downloaded, at the top of the Application Updates area, click Update All.

The packages begin updating.

Step 4

Ensure that each application has been updated by reviewing its version in the Installed Apps page.


Update the Knowledge Pack for a PSIRT Scan

Offline Update of Knowledge Pack

An offline knowledge pack update involves the following steps:

  1. Download the knowledge pack file.

  2. Export the file to USB or other transferrable medium.

  3. Import the file to Cisco DNA Center on an air-gap device.

Export to USB or Other Transferrable Medium

Procedure


Step 1

Confirm that the file is in .tar.gz format.

Step 2

Transfer the downloaded file to USB (or other medium).


Import to Cisco DNA Center on an Air-Gap Device

Procedure


Step 1

Insert the USB into the device.

Step 2

From the Cisco DNA Center home page, click the gear icon and choose System Settings > Settings > Machine Reasoning.

Step 3

To import to Cisco DNA Center, click Import from local.

Step 4

Select the .tar.gz file from the USB to upload.

