Introduction
Cisco DNA Center is the foundational controller and analytics platform at the heart of Cisco’s intent-based network. Cisco DNA Center offers centralized, intuitive management that makes it fast and easy to design, provision, and apply policies across your network environment. The Cisco DNA Center GUI provides end-to-end network visibility and uses network insights to optimize network performance and deliver the best user and application experience.
Cisco DNA Center introduces support for offline software updates, allowing Cisco DNA Center appliances deployed in secure, air gapped networks to be updated to the latest Cisco DNA Center software and application versions, without having to access the Cisco Connected DNA Cloud.
![]() Note |
If you installed from an ISO image in an air-gapped environment, and you don’t need to update yet, you must still accept the end-user license agreement (EULA) as explained in this guide. |
Fresh Install from the Cisco DNA Center ISO Image
Offline Install Workflow
An offline Cisco DNA Center installation involves the following steps:
-
Download the image.
-
Verify the downloaded file.
-
Create a bootable USB drive.
-
Install the Cisco DNA Center ISO image.
-
Configure the Cisco DNA Center appliance.
-
Complete the first-time setup.
-
Accept the device EULA (1.3.3.6 and earlier).
-
Accept the device EULA (1.3.3.7 and later).
-
Install the applications.
Download the Image
You or your Cisco account representative must raise a TAC request. A TAC representative then gives you access and instructions for downloading the ISO file from a Cisco file server.
Procedure
Step 1 |
Log in to the Cisco file server, which is accessible via the internet. |
Step 2 |
Download the Cisco DNA Center ISO image (.iso) from the location specified. |
Step 3 |
Download the Cisco public key (cisco_image_verification_key.pub) for signature verification. |
Step 4 |
Download the secure hash algorithm (SHA512) checksum file for the image. |
Step 5 |
Download the binary image's signature file (.sig). |
Verify the Downloaded File
Verify the integrity of the downloaded image using Cisco signature verification and the SHA512 checksum provided on the portal.
Procedure
Step 1 |
(Optional) Perform SHA verification to determine whether the ISO image is corrupted due to a partial download. Depending on your OS, enter one of the following commands:
Microsoft Windows does not include a built-in checksum utility, but you can use the certutil tool:
For example:
On Windows, you can also use the Windows PowerShell to generate the digest. For example:
Compare the output of the command you run to the SHA512 checksum file that you downloaded. If the command output does not match, download the ISO image again and run the appropriate command a second time. If the output still does not match, contact Cisco support. |
Step 2 |
Verify that the ISO image is genuine and from Cisco by verifying its signature:
This command works in both Mac and Linux environments. For Windows, you must download and install OpenSSL, if you haven’t done so already. If the ISO image is genuine, entering this command displays a Verified OK message. If this message fails to appear, do not install the ISO image and contact Cisco support. |
Create a Bootable USB Drive
After confirming that you downloaded a Cisco ISO image, create a bootable USB drive that contains the Cisco DNA Center ISO image. For details, see the Cisco DNA Center Second-Generation Appliance Installation Guide.
Install the Cisco DNA Center ISO Image
Procedure
Step 1 |
Connect the bootable USB drive with the Cisco DNA Center ISO image to the appliance. |
||
Step 2 |
Log in to Cisco IMC and start a KVM session. |
||
Step 3 |
Power on or power cycle the appliance:
|
||
Step 4 |
In the resulting pop-up window, click Yes to acknowledge that you are about to execute a server control action. |
||
Step 5 |
When the Cisco logo appears, either press the F6 key or choose from the KVM menu. The boot device selection menu appears. |
||
Step 6 |
Select your USB drive and then press Enter. |
||
Step 7 |
Depending on your Cisco DNA Center release, do one of the following in the GNU GRUB bootloader window:
|
Configure the Cisco DNA Center Appliance
When installation of the Cisco DNA Center ISO image completes, the installer reboots and opens the Maglev Configuration wizard's welcome screen. To configure your appliance for day-to-day use in your network, complete the steps described in one of the following sections:
-
If you are using the Maglev Configuration wizard, see the "Configure the Appliance Using the Maglev Wizard" section in the Cisco DNA Center Second-Generation Appliance Installation Guide.
-
If you are using the browser-based configuration wizard to configure a 44- or 56-core appliance, see the "Configure the 44/56-Core Appliance Using the Browser-Based Wizard" section in the Cisco DNA Center Second-Generation Appliance Installation Guide.
-
If you are using the browser-based configuration wizard to configure a 112-core appliance, see the "Configure the 112-Core Appliance Using the Browser-Based Wizard" section in the Cisco DNA Center Second-Generation Appliance Installation Guide.
Complete the First-Time Setup
Procedure
Step 1 |
After the Cisco DNA Center appliance reboot is completed, launch your browser. |
Step 2 |
Enter the host IP address to access the Cisco DNA Center GUI, using HTTPS:// and the IP address of the Cisco DNA Center GUI that was displayed at the end of the configuration process. After entering the IP address, one of the following messages appears (depending on your browser):
|
Step 3 |
Ignore the message and click Advanced. One of the following messages appears:
These messages appear because the controller uses a self-signed certificate. For information on how Cisco DNA Center uses certificates, see the "Certificate and Private Key Support" section in the Cisco DNA Center Administrator Guide. |
Step 4 |
Ignore the message and do one of the following:
The Cisco DNA Center
Login window appears.
|
Step 5 |
In the Login window, enter the admin's username (admin) and password that you set when you configured Cisco DNA Center, then click Log In. The Reset Login window appears.
|
Step 6 |
Enter the old password, enter and confirm a new password for the admin superuser, and then click Save. The Enter Cisco.com ID window appears.
|
Step 7 |
(Skip this step) Enter the username and password for the cisco.com user, then click Next. If the cisco.com user login does not match any known Cisco Smart Account user login, the Smart Account window appears. |
Step 8 |
(Skip this step) If the Smart Account window appears, enter the username and password for your organization's Smart Account, or click the corresponding link to open a new Smart Account. After you are finished, click Next. The IP Address Manager window appears.
|
Step 9 |
If your organization uses an external IP address manager (IPAM), do the following and then click Next:
The Enter Proxy Server window appears.
|
Step 10 |
Click Next. The software EULA window appears.
|
Step 11 |
Click Next to accept the software End User License Agreement and continue. The Ready to go! window appears.
|
Step 12 |
We recommend that you click the User Management link to display the User Management window. Then click Add to begin adding new Cisco DNA Center users. After you have entered the new user's name and password, and selected the user's role, click Save to create the new user. Repeat this as needed until you have added all the new users for your initial deployment. Be sure to create at least one user with the NETWORK-ADMIN-ROLE. |
Accept the Device EULA (1.3.3.6 and Earlier)
Complete this procedure for Cisco DNA Center 1.3.3.6 and earlier releases. For 1.3.3.7 and later releases, skip this procedure and go directly to Accept the Device EULA (1.3.3.7 and Later).
Procedure
Step 1 |
As part of the files that you downloaded, there is a file (<release_name>_accept_device_eula) to accept the EULA offline. Locate and download this file, which is available as a separate download and can be installed in the same way as the bundle described previously. |
||
Step 2 |
After downloading the file, enter the following command to make it executable:
|
||
Step 3 |
Enter the following command to run the file:
The -Y argument indicates that you are accepting the Cisco DNA Center software license EULA.
![]() |
Accept the Device EULA (1.3.3.7 and Later)
Complete this procedure only for Cisco DNA Center 1.3.3.7 and later releases.
Procedure
Step 1 |
Log in to the Cisco DNA Center cluster and change directories to desired location. For example:
|
||
Step 2 |
Change the permissions:
|
||
Step 3 |
Enter the following command:
The -Y argument indicates that you are accepting the Cisco DNA Center software license EULA.
![]() |
Install the Applications
After completing the preceding tasks, the uber ISO has a number of applications that are loaded and must be installed.
Procedure
Step 1 |
In the Cisco DNA Center GUI, click the gear icon in the top-right corner. |
Step 2 |
Choose . |
Step 3 |
Click Install All. |
Step 4 |
Click Continue. |
Step 5 |
Click Continue. |
Update from the Cisco DNA Center Binary Image
Prerequisites
Before upgrading your installed instance of Cisco DNA Center, review the following prerequisites:
-
Ensure that Cisco DNA Center does not have internet connectivity.
-
Only a user with SUPER-ADMIN-ROLE permissions can perform a Cisco DNA Center software update.
-
Create a backup of your Cisco DNA Center database. For instructions on creating a backup, see the Cisco DNA Center Administrator Guide.
-
Have the username and password for a cisco.com user account available for the download. This can be any valid cisco.com user account.
-
Allocate enough time for the upgrade process, which can take longer than 6 hours to complete.
-
We strongly recommend that you do not use Cisco DNA Center or any of its applications or tools while the upgrade is in process.
-
Confirm that the minimum disk requirements are met:
-
The / partition has at least 2 GB of free space.
-
The /data partition has at least 35 GB of free space and is not more than 70% full.
-
-
Use the df -h command to verify the disk space:
$ df -h Filesystem Size Used Avail Use% Mounted on udev 126G 0 126G 0% /dev tmpfs 26G 14M 26G 1% /run /dev/sdb2 29G 23G 4.5G 84% / tmpfs 126G 0 126G 0% /dev/shm tmpfs 5.0M 0 5.0M 0% /run/lock tmpfs 126G 0 126G 0% /sys/fs/cgroup /dev/sdb3 29G 44M 27G 1% /install2 /dev/sdb5 374G 99G 256G 28% /data /dev/sdb4 9.3G 601M 8.2G 7% /var /dev/sdc1 420G 1.4G 397G 1% /data/maglev/srv/fusion /dev/sdc2 1.4T 41G 1.3T 4% /data/maglev/srv/maglev-system /dev/sdd1 3.5T 243M 3.3T 1% /data/maglev/srv/ndp glusterfs-server.maglev-…ault_vol 1.4T 54G 1.3T 5% /mnt/glusterfs/default_vol [Fri Jan 10 18:59:27 UTC] maglev@10.82.128.100 (maglev-master-10-82-128-100) / $
If you receive a storage validation failed error, contact the Cisco TAC.
If the Cisco DNA Center download, update, or install procedures fail for any reason, always retry the procedure a second time.
Offline Update Workflow
An offline Cisco DNA Center update involves the following steps:
-
Raise a TAC request to get access to the image for the airgap/offline update.
-
Download the Cisco DNA Center binary image from a Cisco file server (requires access to the internet).
-
Verify the integrity of the downloaded image.
-
Transfer the downloaded image to the Cisco DNA Center cluster in the secure, airgap environment.
-
SSH to the Cisco DNA Center cluster and execute the binary.
-
Log in to the Cisco DNA Center GUI and perform a system update and an applications update.

Download the Image
You or your Cisco account representative must raise a TAC request. A TAC representative then gives you access and instructions for downloading the binary file from a Cisco file server.
Procedure
Step 1 |
Log in to the Cisco file server, which is accessible via the internet. |
Step 2 |
Download the image from the Cisco file server. This includes the secure hash algorithm (SHA512) checksum file for the image. |
Verify the Downloaded File
Verify the integrity of the downloaded image using Cisco signature verification and the SHA512 checksum provided on the portal.
Procedure
Step 1 |
Perform SHA verification to determine whether the binary image is corrupted due to a partial download. Depending on your OS, enter one of the following commands:
Microsoft Windows does not include a built-in checksum utility, but you can install a utility from Microsoft at http://www.microsoft.com/en-us/download/details.aspx?id=11533. |
Step 2 |
Compare the command output (or Microsoft Windows utility) to the SHA512 checksum file. If the command output does not match, download the ISO image again and enter the appropriate command a second time. If the output still does not match, contact Cisco support. |
Transfer the File to Cisco DNA Center
Procedure
Step 1 |
Use a supported file transfer mechanism (SCP or SFTP) to transfer the downloaded image to the Cisco DNA Center cluster and the /data/tmp partition. When using USB, transfer the image to a terminal in the air-gapped network and then transfer the image to the Cisco DNA Center cluster and the /data/tmp partition (via SCP or SFTP). |
Step 2 |
After transferring the image to the Cisco DNA Center cluster, perform SHA verification again to check if the file was corrupted in the process. |
Considerations for a Three-Node Cluster
Procedure
Step 1 |
For a three-node Cisco DNA Center cluster, copy the bin file to the node where the catalogserver pod is running. |
Step 2 |
To determine the IP address of the node where the catalog server is running, enter:
For example, the output is similar to the following:
In this example, copy the bin file to the /data/tmp partition on 192.192.192.72. |
Execute the Binary File
Procedure
Step 1 |
Use SSH to log in to the Cisco DNA Center cluster. |
Step 2 |
Enter the following command to add execute permission:
|
Step 3 |
Enter the following command to execute the binary file:
The command has the following output:
|
Step 4 |
Executing the binary file updates the local catalog for the system and application packages. Locate the Installation SUCCESSFUL status message, which indicates that the bin file executed successfully. You can track the current status of the process by tailing the log file <bin-filename>-install.log. If required, you can also verify the logs under /var/log/offlineupdates/. ![]() |
Perform an Offline Update
Procedure
Step 1 |
After successful execution of the binary file, log in to the Cisco DNA Center cluster GUI and choose . |
Step 2 |
A system update appears on the Software Updates page. Click Update. ![]() After a successful update, you see the following message:
|
Step 3 |
(Make sure your system is up to date before proceeding with this step). After all application packages are downloaded, at the top of the Application Updates area, click Update All. ![]() The packages begin updating.
![]() |
Step 4 |
Ensure that each application has been updated by reviewing its version in the Installed Apps page. |
Update the Knowledge Pack for a PSIRT Scan
Offline Update of Knowledge Pack
An offline knowledge pack update involves the following steps:
-
Download the knowledge pack file.
-
Export the file to USB or other transferrable medium.
-
Import the file to Cisco DNA Center on an air-gap device.
Download the File
Procedure
Step 1 |
Confirm that you are using one of the recommended search engines: Chrome or Firefox. |
Step 2 |
Select the following link to begin downloading: |
Export to USB or Other Transferrable Medium
Procedure
Step 1 |
Confirm that the file is in .tar.gz format. |
Step 2 |
Transfer the downloaded file to USB (or other medium). |
Import to Cisco DNA Center on an Air-Gap Device
Procedure
Step 1 |
Insert the USB into the device. |
Step 2 |
From the Cisco DNA Center home page, click the gear icon and choose . |
Step 3 |
To import to Cisco DNA Center, click Import from local, shown as follows: ![]() |
Step 4 |
Select the .tar.gz file from the USB to upload. |
References
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)