DNAC -SWIM functionality and port 80

sujanyakj
Spotlight

If we are using the SWIM functionality of the DNAC, should port 80 be allowed to cisco.com? Can't we fetch the image using port 443?

Also, as per the link below, the following communication with ISE is to be opened. Is it encrypted/secured communication?

 

| Port | Service Name | Purpose | Recommended Action |
|---|---|---|---|
| UDP 1645 or 1812 | RADIUS | Needed only if you are using external authentication with a RADIUS server. | Port must be open only if an external RADIUS server is used to authenticate user login to Cisco DNA Center. |
| TCP 5222, 8910 | Cisco ISE | Cisco DNA Center uses Cisco ISE XMP for PxGrid. | Port must be open for Cisco ISE. |
| TCP 9060 | Cisco ISE | Cisco DNA Center uses Cisco ISE ERS API traffic. | Port must be open for Cisco ISE. |

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html

 

1 Reply

Torbjørn
Spotlight

It specifies that port 80 is _one of the ways_ the DNAC is able to fetch images for SWIM. It is also able to use port 443 for this. For reference, see the SWIM URLs listed in this install & upgrade guide: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-3/install_guide/2ndgen/b_cisco_dna_center_install_guide_2_3_3_2ndGen/m_plan_deployment_2_3_3_2ndgen.html

For the remaining questions: RADIUS does not encrypt the entire payload, but it encrypts the credentials using a shared secret. ISE PxGrid XMP and ERS use TLS for traffic encryption.

Happy to help! Please mark as helpful/solution if applicable.
Get in touch: https://torbjorn.dev