Equivalent of Prime compliance policy and profile in DNA Center?

mat_rouch
Level 1

We are in the final stages of migrating our network device management from Prime to DNA Center.  I have found equivalent functions within DNAC for just about everything we did in Prime, with one big exception.  I was in the habit of using Prime's compliance policies/profiles to scan our network for devices with missing and/or outdated configuration and update it (or just notify me of things that were out of the ordinary so that I could inspect it).  These can be run on an arbitrary set of devices, or all devices in one location, or all devices of one model, etc.  I could build fairly complex policies that checked for all kinds of things.  Here's a simple example of one profile I created in Prime to confirm that auto qos is enabled on all access ports with a voice vlan:

1. For every interface on the device DO
2. if the interface configuration contains "switchport mode access" AND
3. The interface configuration contains "switchport voice vlan" THEN
4. raise a violation if the interface configuration does NOT contain "auto qos voip cisco-phone"

I do not see a direct equivalent in DNAC.  At least, not anything that is as flexible and customizable as what's in Prime.  I did find the DNAC network templates and profiles, but those seem much more limited in how they can be used.  Is there something else in DNAC I am missing?  Is there a document that might explain how to get equivalent functionality?


Thanks in advance,

-Mathew Rouch
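The Prime profile described in the post above (for every interface: if it is an access port with a voice VLAN, flag it when "auto qos voip cisco-phone" is missing) can be expressed as a small per-interface rule evaluator. The following Python is an added example for this thread, not code from Prime, DNA Center, or the poster; the running-config it parses is constructed, and the function names (`parse_interfaces`, `has_command`, `check_interface`, `find_violations`, `remediation_config`) are hypothetical. It generalizes the single rule slightly: any rule is "when all of these commands are present, this one must also be present", and it also emits the remediation snippet Prime would have pushed.

```python
"""Prime-style per-interface compliance check, reimplemented in Python.

Added example, not from the thread. Rule (from the original post):
for every interface, if its config contains "switchport mode access" AND
"switchport voice vlan", raise a violation when it lacks
"auto qos voip cisco-phone". The running-config below is constructed.
"""

SAMPLE_RUNNING_CONFIG = """\
hostname access-sw-01
!
interface GigabitEthernet1/0/1
 description Phone + PC (compliant)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 auto qos voip cisco-phone
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 description Phone + PC, auto qos missing (violation)
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
!
interface GigabitEthernet1/0/3
 description Printer, no voice vlan (rule does not apply)
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/48
 description Uplink (rule does not apply)
 switchport mode trunk
 switchport trunk allowed vlan 10,20,110
!
end
"""


def parse_interfaces(running_config):
    """Return {interface_name: [config lines]} from an IOS running-config.

    An interface stanza starts with 'interface <name>' at column 0 and
    holds the indented lines that follow it, up to the next unindented
    line or '!' separator.
    """
    interfaces = {}
    current = None
    for raw in running_config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif current is not None and raw.startswith(" "):
            interfaces[current].append(raw.strip())
        else:
            current = None
    return interfaces


def has_command(lines, command):
    """True if an interface line starts with `command` and is not negated.

    Matching on the start of the line (rather than a substring) keeps
    'no switchport voice vlan' from counting as a match, and treats
    'switchport voice vlan 110' as an instance of 'switchport voice vlan'.
    """
    return any(line == command or line.startswith(command + " ") for line in lines)


def check_interface(lines, when_all, require):
    """Generic form of the Prime rule: if every command in `when_all` is
    present on the interface, `require` must be present too. Returns True
    when compliant or when the rule does not apply to this interface."""
    if not all(has_command(lines, c) for c in when_all):
        return True
    return has_command(lines, require)


# The rule from the original post, in the generic form above.
VOICE_AUTOQOS_RULE = {
    "when_all": ["switchport mode access", "switchport voice vlan"],
    "require": "auto qos voip cisco-phone",
}


def find_violations(running_config, rule=VOICE_AUTOQOS_RULE):
    """Return the sorted names of interfaces that violate `rule`."""
    ifaces = parse_interfaces(running_config)
    return sorted(
        name for name, lines in ifaces.items()
        if not check_interface(lines, rule["when_all"], rule["require"])
    )


def remediation_config(running_config, rule=VOICE_AUTOQOS_RULE):
    """Build the IOS snippet that adds the missing command to each violator."""
    out = []
    for name in find_violations(running_config, rule):
        out.append(f"interface {name}")
        out.append(f" {rule['require']}")
    return "\n".join(out)


if __name__ == "__main__":
    print("Violations:", find_violations(SAMPLE_RUNNING_CONFIG))
    print(remediation_config(SAMPLE_RUNNING_CONFIG))
```

Two caveats a practitioner would want. The rule, as in the original profile, only fires on ports that carry an explicit "switchport mode access" line; a port that is access by platform default but never had the mode configured will not be evaluated, so decide whether that is the behaviour you want. And the match is against the running-config text only, so a device whose QoS is applied by a different mechanism (a service policy, or a port template pushed by ISE or autoconf) will still be reported unless you extend the rule.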


3 Replies

Preston Chilcote
Cisco Employee

Have you looked into CLI template compliance?  https://www.youtube.com/watch?v=stjPR5AHLhE

It sort of solves 2 problems in one.  Rather than using a tool to find which configs might be missing, and then going to correct those configs, DNA wants you to tell it what the config should be and push it to the device (this needs to be done for both greenfield and brownfield to take advantage of CLI Compliance).   After that provision is done, DNA will continue monitoring and flag any devices that have configurations that deviate from the desired template.


mat_rouch
Level 1

Yes, I have looked at those, and I am using DNAC compliance templates for certain things, but they are not always going to cover the cases that I run into. In the example cited in my original post, I want to ensure that all access ports that have a voice vlan defined also have auto qos cisco-phone enabled. However, I cannot write one static DNAC template to accomplish this, even at initial device deployment time, because different switches in our environment, even those of the same model, will have individual ports configured differently. Port gi1/0/48 might be an access port with a voice vlan on switch one, an access port with no voice vlan on switch 2, and a trunk port on switch 3. I only want to add auto qos in the first instance. And this needs to be evaluated for every port on the switch. Prime allowed me to build logic into the compliance profiles to accomplish that. Can equivalent logic be built into the DNAC compliance templates? I have not seen any examples of that anywhere. Please post a link to such an example, if you know of one.

-Mat


Preston Chilcote
Cisco Employee

You can use templates to do what you asked. When you provision the devices, you can have a multiselect variable to choose all of the interfaces that need to have the voice vlan, then the template will loop through that list of interfaces and generate a config with voice vlan and auto-qos. If you need to change one interface config later on, you will push the entire config again (that's how DNA day-N automation is designed), but IOS-XE doesn't care if you overwrite a config with what is already there, so it's a no-op for most of the config.

However, you are observing one of the ways that having non-standard configs across your access switches is such a pain to manage, especially if you think you'll be changing port configs a lot. I hope you'll consider attacking the problem in a different way. Lots of customers have moved in the direction of dot1x and ISE to have ISE just push the necessary configs based on what type of device gets plugged into the port. That way every access port config looks the same, making its config management and troubleshooting much easier. If you don't have ISE, you can still probably use the autoconf feature to create a config template that can get applied depending on whether an IP Phone or some other device type is detected. That will also make all of your access port configs identical. https://www.cisco.com/c/en/us/td/docs/ios-xml/ios/ibns/configuration/15-e/ibns-15-e-book/ibns-autoconf.html