Tuesday, September 27, 2022

Cisco DNA Center Planning and Deployment: What you need to know to make the jump to light speed, Part 2

Part 2 of the 2-part Cisco DNA Center Planning and Deployment


In my earlier blog titled Cisco DNA Center Planning and Deployment, Part 1 – What you need to know to make the jump to light speed, we discussed the configuration settings that are included under the Design Menu in Network Settings, Device Credentials, and Telemetry Settings in Cisco DNA Center. In Part Two, I’ll show you what configuration settings are needed to add devices when you Onboard with PnP, Run a Device Discovery, Add a Device to the Inventory, Claim a Device, and Provision a Device.

To capture and visualize the configuration changes made by Cisco DNA Center, I’ll use a testing and validation tool called Python Automated Test System (pyATS).

What is pyATS?

pyATS is a testing and validation framework that is platform and vendor agnostic and provides feature, solution, system sanity, and scale tests for network devices (routers, switches, access points, firewalls, etc.). In other words, you can use pyATS to test and validate changes on your network devices, whether they are configuration changes or changes in the state or operation of the device, and compare the results of each run to validate that things are what they are expected to be.

Further, pyATS can be integrated into your existing tooling and processes to provide the necessary testing and validation step in your Closed Loop Automations.

For this exercise, I’ll use two pyATS commands, “pyats learn config” and “pyats diff”, to collect and compare the pre/post configurations. As I said earlier, pyATS is powerful and can do much more than just collect and compare configuration files. I urge you to dig deeper into this very useful testing and validation tool.

Examples of the “pyats learn config” and “pyats diff” commands:

  • pyats learn config --testbed-file 29hw-testbed.yaml --devices 29hw-c9200l --output blog/c9200l-base-No-AAA
  • pyats diff blog/c9200l-base-No-AAA blog/c9200l-discovery --output blog/diff-c9200l-Discovery
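The same pre/post comparison done in plain Python, as an added example that is not from the original post and does not use pyATS itself: it normalizes two IOS-XE running-config snapshots, lists the added and removed lines the way “pyats diff” does, and flags the added global commands that match the Device Controllability items described later in the post. The two configs and the marker list are constructed placeholders, not the real captures.

```python
import difflib
# Constructed snapshots that mimic the post's Cat9200L base config and the
# config after Discovery (placeholders, not the real captures).
BASE_CONFIG = """!
hostname 29hw-c9200l
!
snmp-server community PLACEHOLDER_RO RO
!
line vty 0 4
 login local
 transport input ssh
!
end
"""
AFTER_DISCOVERY = BASE_CONFIG.replace(
    "!\nline vty 0 4",
    "!\ncrypto pki trustpoint TP-self-signed-PLACEHOLDER\n"
    " enrollment selfsigned\n"
    " revocation-check none\n"
    "!\nline vty 0 4",
).replace("!\nend", "!\nnetconf-yang\n!\nend")

# Global commands the post attributes to Device Controllability at Discovery
# or site assignment (my approximation of its list, not an official mapping).
CONTROLLABILITY_MARKERS = ("crypto pki trustpoint", "netconf-yang",
                           "snmp-server", "logging host", "flow exporter")

def normalize(config):
    """Drop IOS '!' separators and blank lines; keep indentation of sub-mode lines."""
    return [l.rstrip() for l in config.splitlines()
            if l.strip() and not l.startswith("!")]

def config_diff(before, after):
    """Return {'added': [...], 'removed': [...]} like a condensed pyats diff."""
    result = {"added": [], "removed": []}
    for line in difflib.unified_diff(normalize(before), normalize(after), lineterm="", n=0):
        if line.startswith(("+++", "---", "@@")):
            continue                      # skip the file and hunk headers
        if line.startswith("+"):
            result["added"].append(line[1:])
        elif line.startswith("-"):
            result["removed"].append(line[1:])
    return result

def controllability_changes(before, after):
    """Added global commands that match the Device Controllability markers."""
    return [l for l in config_diff(before, after)["added"]
            if l.startswith(CONTROLLABILITY_MARKERS)]

print(controllability_changes(BASE_CONFIG, AFTER_DISCOVERY))
```

Point the two snapshot strings at the files written by “pyats learn config” to run it against real captures.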

For more information on pyATS, check out these resources:

Python Automated Test Systems (pyATS) Overview

DevNet: Accelerating your DevOps with pyATS

Workflows and configuration change

We are going to look at the workflows and actions in Cisco DNA Center that will apply the configuration to your infrastructure. As described in Part 1, in the Base Automations these settings are driven by Device Controllability and configured in the Network Settings, Device Credentials, and Telemetry tabs. These settings will put configuration on your devices, but what will change will depend on what you may or may not already have configured.

I’ll first work with a fresh-out-of-the-box device with no configuration and work through the process of PnP, Claiming a device, and adding it to a site. This will give you an idea of how this process can improve your Day0 tasks of Onboarding devices and show you what configuration will be applied to your devices from the base automation and from custom configuration with Day0/DayN templates.

Then I’ll take you on the journey of adding brownfield devices to Cisco DNA Center through Discovery and Add Device into Inventory. To show you how this works, I’ll use two Brownfield use cases.

  1. Brownfield device with an existing configuration that conflicts with the settings in Network Settings
  2. Brownfield device without the configuration defined in Network Settings

A Note on Device Controllability

Device Controllability is a system-level process on Cisco DNA Center that enforces state synchronization for some device-layer features. Its purpose is to aid in deploying the required network settings that Cisco DNA Center needs to manage devices. Changes are made on network devices during discovery, when adding a device to Inventory, or when assigning a device to a site. If changes are made to any settings under the scope of this process, those changes are applied to the network devices during the Provision and Update Telemetry Settings operations, even when Device Controllability is disabled. The following device settings will be enabled as part of Device Controllability when devices are discovered:

  • SNMP Credentials
  • NETCONF Credentials

After discovery, devices will be added to the Inventory. The following device settings will be enabled when devices are added to the inventory:

  • Cisco TrustSec (CTS) Credentials

The following device settings will be enabled when devices are assigned to a site. Some of these settings can be defined at a site level under Design > Network Settings > Telemetry & Wireless.

  • IPDT Enablement
  • Controller Certificates
  • SNMP Trap Server Definitions
  • Syslog Server Definitions
  • NetFlow Server Definitions
  • Wireless Service Assurance (WSA)
  • Wireless Telemetry
  • AP Impersonation
  • DTLS Ciphersuite

If Device Controllability is disabled, Cisco DNA Center does not configure any of the credentials or settings mentioned above on devices during discovery, runtime, or site assignment.

***In short, you will significantly reduce the effectiveness of Cisco DNA Center and its ability to operate in its intended manner if you disable Device Controllability. So, unless you are 100% sure that is what you must do, DON’T DO IT!

Base Configuration

This is the base configuration that we will use for our testing.

Figure 1. Cat9200L base config

PnP – Device Onboarding

When you onboard a device with PnP, there are a few steps in the process: Claiming the device, adding it to a site, and optionally adding custom configuration through the use of Day0/DayN Configuration Templates. But the primary action of the PnP Claim process yields the configuration changes below, which, as a bare minimum, allow Cisco DNA Center to communicate with the device.

Figure 2. Configuration after PnP

Discovery – Brownfield device

In the image below, we can see the differences between the base config and the configuration that resulted from doing a discovery of our Catalyst 9200L switch. Since we had the CLI credential and SNMP RO Community already configured in our base configuration, Cisco DNA Center added a Self-Signed Certificate and TrustPoint, and configured netconf-yang.

Figure 3. Diff between base config and after Discovery

Assign a device to a site

Now that we have discovered our Catalyst 9200L, let’s add our device to a Site and observe what happens.

Figure 4. Cisco DNA Center assign the device to the site

Here we see that Add Site has changed the previous configuration from Device Discovery. The items are marked with --- for the Discovery configuration and +++ for the Add-Site configuration. Take notice of the changes to the Certificate, SNMP, SYSLOG, and Netconf-yang. To summarize, Cisco DNA Center added new certificates, SNMP settings, and SYSLOG settings, and Netconf-yang was removed from the new configuration after adding the device to the site. Not to worry, Netconf-yang gets reapplied later in Device Provisioning.

GIF 1. Diff Add to Site

Provision Device

For this exercise, I set the device back to the base configuration without AAA settings (above) to show what will change when Brownfield devices are provisioned.

The changes on the device are based on what was configured in the Design menu and on the Network, Device Credentials, and Telemetry tabs. As you can see, Provisioning the device adds a great deal of configuration.

Let’s look at the difference between the configuration we captured from the device in the c9200l-base-No-AAA state and the configuration after it was provisioned.

--- blog/c9200l-base-No-AAA/config_iosxe_29hw-c9200l_ops.txt
+++ blog/c9200l-provision/config_iosxe_29hw-c9200l_ops.txt

GIF 2. Diff base no AAA and Provision

NOTE: if the device had an AAA configuration and Cisco DNA Center was running 2.2.3.x and above, the device would have failed provisioning.

Enable Application Telemetry

After provisioning the device, Enabling Application Telemetry did not yield any configuration differences. So I’ll update the Telemetry setting and Force the Configuration Push.

Update Telemetry Settings with Force Configuration Push

Let’s see what happens when we Update the Telemetry Settings and Force a Configuration Push.

Diff between Provision and Telemetry with a Force Configuration Push

--- blog/c9200l-provision/config_iosxe_29hw-c9200l_ops.txt
+++ blog/c9200l-Telem-FC/config_iosxe_29hw-c9200l_ops.txt

As you can see, Cisco DNA Center added the Netflow configuration to the switch.

GIF 3. Diff Provision and Force Telemetry settings

Use Cases

Next, I’ll test two use cases showing you what happens when you have a brownfield configuration that conflicts with the settings in the Design Menu. This is not an exhaustive list of use cases, but they cover some common scenarios and will allow you to begin testing in your environment.

Use case #1 – AAA Server Configured in Cisco DNA Center and Brownfield AAA configuration (v2.2.3.5)

In this use case there is a brownfield AAA configuration on the switch and I have configured AAA settings for the site in Cisco DNA Center.

Figure 5. Cisco DNA Center Network settings with AAA

In this case, provisioning will fail due to conflicting configurations. This reiterates what I said in Part 1: “you must remember that the Base Automation and Network Settings are there to automate the configuration in the interest of Cisco DNA Center.”

Figure 6. Failed provisioning due to brownfield AAA configuration on the device

Use case #2 – Brownfield SNMP RO ACL and VTY ACL configured on the switch – Discovery/Add Device

If an entry for Cisco DNA Center is not present in the ACLs, then discovery or add device will fail. However, if there is an entry for Cisco DNA Center in the ACLs, then the device will be added to the inventory, and the ACL configuration will remain configured on the switch.

Here are the contents from the pyats learn of the base configuration with SNMP and VTY ACLs.

GIF 3. SNMP and VTY Access-class ACLs

This time I use egrep to search through the Post Provision configuration learned by pyats for ‘line vty’ and ‘snmp-server community’ along with -A to get 4 lines after the search strings. In the screen capture, you can see that the ACL configuration is still applied to the SNMP community and the vty access-class.

Figure 7. Cisco DNA Center did not remove the existing ACLs from the configuration
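A pre-check for use case #2, as an added example that is not part of the original post: it parses the named standard ACLs in a config snapshot, finds the ones bound to the SNMP RO community and to the VTY access-class, and reports whether the Cisco DNA Center address is permitted by each, so you can tell before running Discovery whether it would fail for this reason. The config, the ACL name and all addresses are constructed placeholders.

```python
import ipaddress
import re
# Constructed brownfield config (placeholders): one standard ACL bound both to
# the SNMP RO community and to the VTY access-class, as in use case #2.
SAMPLE_CONFIG = """ip access-list standard MGMT-ACL
 permit 192.0.2.0 0.0.0.255
 permit host 198.51.100.10
!
snmp-server community PLACEHOLDER_RO RO MGMT-ACL
!
line vty 0 4
 access-class MGMT-ACL in
"""
ENTRY = re.compile(r"\s+(permit|deny)\s+(?:host\s+)?(\S+)(?:\s+(\d\S*))?")

def to_network(addr, wildcard):
    """IOS wildcards are host masks, which ipaddress accepts directly after the slash."""
    if addr == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if wildcard in (None, "0.0.0.0"):           # 'host X' or a bare address
        return ipaddress.ip_network(addr + "/32")
    return ipaddress.ip_network(f"{addr}/{wildcard}", strict=False)

def parse_standard_acls(config):
    """Return {acl_name: [(action, ip_network), ...]} for named standard ACLs."""
    acls, current = {}, None
    for line in config.splitlines():
        if line.startswith("ip access-list standard "):
            current = line.split()[-1]
            acls[current] = []
        elif not line.startswith(" "):
            current = None                      # left the ACL sub-mode
        elif current and (m := ENTRY.match(line)):
            acls[current].append((m[1], to_network(m[2], m[3])))
    return acls

def acl_permits(entries, ip):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    addr = ipaddress.ip_address(ip)
    return next((action == "permit" for action, net in entries if addr in net), False)

def controller_allowed(config, controller_ip):
    """Per bound ACL (SNMP RO community, VTY access-class): is the controller permitted?"""
    acls = parse_standard_acls(config)
    bound = {
        "snmp_ro": re.search(r"^snmp-server community \S+ RO (\S+)", config, re.M),
        "vty": re.search(r"^line vty.*\n(?:[ \t].*\n)*?[ \t]+access-class (\S+) in", config, re.M),
    }
    return {role: acl_permits(acls.get(m[1], []), controller_ip) for role, m in bound.items() if m}
```

Running it with the controller address gives a per-ACL verdict, for example {'snmp_ro': True, 'vty': True} for an address inside 192.0.2.0/24 and all False for one outside it.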


Hopefully, you now have a better understanding of what changes the Base Automations in Cisco DNA Center will make to the configuration of your network devices, and when. Don’t just check the box in Cisco DNA Center or any other tool; really know what it does by thoroughly testing!

I want to hear from you. So leave a comment and let me know what you want to hear more about.

Dig in and see what else pyATS is capable of:

pyATS/Genie – Models, Parsers, Triggers, and Verifications.



