07-14-2022 06:11 AM
Hi,
We've recently switched over to a different domain for both the ISE and DNA Center servers, which required some configuration steps, such as removing all statically assigned SGTs from ports in the Fabric and removing the integration between DNAC and ISE. Finally, we're now about to replace the DNAC self-signed certificate with a new self-signed cert for the new domain.
The Cisco DNA Center Security Best Practices Guide (https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/hardening_guide/b_dnac_security_best_practices_guide.html#d54e3970a1635) mentions that network operation will be disrupted during replacement of the certificate from self-signed to CA-signed. Does anyone know what form the disruption takes, and whether it will affect traffic of Virtual Networks on statically assigned ports in the Fabric when switching over to a new self-signed certificate?
Thanks in advance for any answers.
07-19-2022 06:12 AM
You really should not use self-signed certificates with DNAC.
I have changed the certificate on DNAC a couple of times and have not experienced any network downtime.
The certificate is used with ISE, and the pxGrid session with ISE will stop working, so you have to resync the session again.
The certificate is also used for the telemetry collection trust to the network devices, so that will most likely stop working. Depending on the version of DNAC you are using, DNAC will push the new CA trust to the network devices right away or at the next provisioning. Otherwise you can force it with the Telemetry -> Update: Force push button.
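Since the answer above explains that the DNAC system certificate is what ISE (pxGrid) and the telemetry-enrolled network devices trust, a practical pre-flight check before swapping it is to confirm the new certificate actually names the new FQDN and to record its SHA-256 fingerprint so you can verify the same cert is what the pxGrid peer and devices end up trusting after the resync or force push. The script below is an added example, not code from the original thread or from Cisco; it builds a throwaway self-signed certificate with the `cryptography` library (so it runs offline) and then runs the checks one would run against a real PEM exported from DNAC. The hostname `dnac.newdomain.example` is a constructed placeholder, and the expectation that the cert carries both the serverAuth and clientAuth EKUs is an assumption taken from the Cisco hardening guidance rather than from this page.

```python
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def make_self_signed(fqdn: str, days: int = 365) -> bytes:
    """Build a throwaway self-signed server/client cert for FQDN (constructed test input).

    Stands in for the PEM you would export from DNAC; the key is discarded on return.
    """
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, fqdn)])
    now = datetime.now(timezone.utc)
    cert = (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)  # self-signed: issuer == subject
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now - timedelta(minutes=5))
        .not_valid_after(now + timedelta(days=days))
        .add_extension(x509.SubjectAlternativeName([x509.DNSName(fqdn)]), critical=False)
        .add_extension(
            x509.ExtendedKeyUsage(
                [ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH]
            ),
            critical=False,
        )
        .sign(key, hashes.SHA256())
    )
    return cert.public_bytes(serialization.Encoding.PEM)


def check_cert(pem: bytes, expected_fqdn: str) -> dict:
    """Report the facts a DNAC operator wants before replacing the system certificate."""
    cert = x509.load_pem_x509_certificate(pem)

    # SAN is what TLS clients (ISE, devices) match against; CN alone is not enough.
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        dns_names = san.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns_names = []

    # Assumption: DNAC's system cert needs both serverAuth and clientAuth EKUs.
    try:
        eku = set(cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value)
    except x509.ExtensionNotFound:
        eku = set()
    has_both_eku = {ExtendedKeyUsageOID.SERVER_AUTH, ExtendedKeyUsageOID.CLIENT_AUTH} <= eku

    # Newer cryptography exposes *_utc properties; fall back to the naive ones (treated as UTC).
    not_after = getattr(cert, "not_valid_after_utc", None)
    if not_after is None:
        not_after = cert.not_valid_after.replace(tzinfo=timezone.utc)
    days_left = (not_after - datetime.now(timezone.utc)).days

    return {
        "subject": cert.subject.rfc4514_string(),
        "self_signed": cert.issuer == cert.subject,
        "san_dns_names": dns_names,
        "san_covers_fqdn": expected_fqdn.lower() in [n.lower() for n in dns_names],
        "has_server_and_client_auth": has_both_eku,
        "days_until_expiry": days_left,
        # Record this and compare it with what ISE/pxGrid and devices report after the swap.
        "sha256_fingerprint": cert.fingerprint(hashes.SHA256()).hex(),
    }


if __name__ == "__main__":
    new_fqdn = "dnac.newdomain.example"  # constructed placeholder for the new domain
    report = check_cert(make_self_signed(new_fqdn), new_fqdn)
    for k, v in report.items():
        print(f"{k}: {v}")
```

To use it against a real export, replace the `make_self_signed(...)` call with the PEM bytes read from the DNAC certificate file and set `expected_fqdn` to the DNAC FQDN in the new domain; a `san_covers_fqdn` of `False` means ISE and the devices will reject the cert even after a pxGrid resync or telemetry force push, and the printed fingerprint is what you compare on the peer side once trust has been re-established.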