Cisco DNA and templates/ip access-lists

trondaker
Beginner

Hi,


We have a problem with DNAC version 2.2.3.4 and the auth-templates and redirect ACLs for guest-networks. The following template is used for host-facing ports:


template DefaultWiredDot1xOpenAuth
dot1x pae authenticator
dot1x timeout supp-timeout 7
dot1x max-req 3

switchport voice vlan 2046
switchport mode access
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB


The voice-vlan in this template is causing all sorts of problems for video endpoints that care about CDP-announcements of a voice vlan. Now we can work around this with "no cdp enable" on the interfaces, but it should be possible to change this template. If we do this on a switch-by-switch basis, DNAC changes it back. Another example is the redirect-acl for guest-networks.


Extended IP access list DNAC_ACL_WEBAUTH_REDIRECT
1 deny udp host 192.168.194.198 eq bootps any eq bootpc
2 deny udp any eq bootpc host 192.168.194.198 eq bootps
3 deny ip host ISE-IP any
4 deny ip any host ISE-IP
5 permit tcp any range 0 65535 any eq www


In the above ACL, the actual guest-portal-ip isn't in the deny-section, which means when the client tries to connect to the portal for registration, that request gets redirected to the portal, and into an eternal loop we go. Adding the guest-ip section below fixes this:

Extended IP access list DNAC_ACL_WEBAUTH_REDIRECT
1 deny udp host 192.168.195.6 eq bootps any eq bootpc
2 deny udp any eq bootpc host 192.168.195.6 eq bootps
3 deny ip host ISE-IP any
4 deny ip any host ISE-IP
5 deny ip GUEST-PORTAL 0.0.255.255 any
6 deny ip any GUEST-PORTAL 0.0.255.255
7 deny udp any any eq domain
8 deny udp any eq domain any
30 permit ip any any


But again, DNAC comes to the "rescue" and removes those lines back to the original ACL. Question is, does anyone have a fix for this? Is there any way I can change the template/ACL without DNAC changing it back?


Version on the switches is 17.3.4 and DNAC 2.2.3.4.
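To make the redirect loop described above concrete, here is an added example (not from the thread or from Cisco): a small Python model of first-match evaluation of the two ACLs quoted in the post, where a permit hit in a redirect ACL means the flow is intercepted and sent to the portal. ISE-IP and GUEST-PORTAL are placeholders in the post, so the addresses used here are constructed stand-ins.

```python
import ipaddress
PORT_NAMES = {"bootps": 67, "bootpc": 68, "domain": 53, "www": 80}  # keywords used in the post's ACLs
ISE_IP, GUEST_PORTAL = "198.51.100.10", "203.0.0.0"  # constructed stand-ins for the post's placeholders

ORIGINAL_ACL = [  # the five entries DNAC pushes, as quoted in the post
    "1 deny udp host 192.168.194.198 eq bootps any eq bootpc",
    "2 deny udp any eq bootpc host 192.168.194.198 eq bootps",
    f"3 deny ip host {ISE_IP} any", f"4 deny ip any host {ISE_IP}",
    "5 permit tcp any range 0 65535 any eq www",
]
FIXED_ACL = ORIGINAL_ACL[:4] + [  # the poster's hand-edited version
    f"5 deny ip {GUEST_PORTAL} 0.0.255.255 any", f"6 deny ip any {GUEST_PORTAL} 0.0.255.255",
    "7 deny udp any any eq domain", "8 deny udp any eq domain any",
    "30 permit ip any any",
]
def _parse_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    netmask = ipaddress.IPv4Address(0xFFFFFFFF ^ int(ipaddress.IPv4Address(tokens[1])))  # invert wildcard
    return ipaddress.ip_network(f"{tokens[0]}/{netmask}", strict=False), tokens[2:]

def _parse_port(tokens):
    """Consume an optional 'eq X' / 'range A B'; return ((lo, hi), remaining tokens)."""
    if tokens[:1] == ["eq"]:
        port = PORT_NAMES.get(tokens[1]) or int(tokens[1])
        return (port, port), tokens[2:]
    if tokens[:1] == ["range"]:
        return (int(tokens[1]), int(tokens[2])), tokens[3:]
    return (0, 65535), tokens

def parse_acl(lines):
    """Yield (action, proto, src, sport, dst, dport) for 'show access-list' style entries."""
    for line in lines:
        action, proto, *tokens = line.split()[1:]  # drop the sequence number
        src, tokens = _parse_addr(tokens)
        sport, tokens = _parse_port(tokens)
        dst, tokens = _parse_addr(tokens)
        dport, _ = _parse_port(tokens)
        yield action, proto, src, sport, dst, dport

def is_redirected(acl_lines, proto, src, sport, dst, dport):
    """First-match evaluation: in a redirect ACL a 'permit' hit means the flow is intercepted."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, eproto, esrc, (slo, shi), edst, (dlo, dhi) in parse_acl(acl_lines):
        if eproto in ("ip", proto) and s in esrc and d in edst and slo <= sport <= shi and dlo <= dport <= dhi:
            return action == "permit"
    return False  # implicit deny at the end of the ACL: the flow is not redirected
```

With the original ACL, HTTP from a client to the portal itself hits entry 5 and is redirected back to the portal; with the added deny for the portal range the same flow falls through to deny and reaches the portal directly.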

7 REPLIES

Flavio Miranda
Advisor

Hi

Are you saying that your DNAC is actively configuring your devices? If I get in this situation I simply shut it down immediately.

You should take a look in "device controllability":

"When device controllability is disabled, Cisco DNA Center does not configure any of the preceding credentials or features on devices while running discovery or when the devices are assigned to a site. However, the telemetry settings and related configuration are pushed when the device is provisioned or when the Update Telemetry Settings action is performed from Provision > Inventory > Actions. At the time of the network settings creation on the site, if device controllability is enabled, the associated devices are configured accordingly."


In my case, Controllability is Off and I never had a problem with configuration being changed by DNAC against my will.

Actually, I faced a problem once when I had just finished upgrading a cluster and it configured some devices. Cisco is investigating this as it is not an expected behavior.


If you put a config "hardening" in a device, it must remain there until you ask to change it; otherwise, what is it good for?


Exactly, what is it good for? DNAC checking if a device is compliant with some pre-defined config would be good if you could create a config from DNAC that you wanted it to check against, but when you can't create a full template for it to enforce, what is the point? DNAC removes all changes to ACLs and templates so far. The only thing it hasn't changed back is disabling CDP on an interface. I'll try disabling Device controllability.

cjcanno
Cisco Employee

Hmm, I'm a little confused. Are you modifying the device config locally then re-provisioning the device for DNAC to revert changes? Or are the changes just automagically reverting? DNAC shouldn't be modifying any config on the device without your input.

Yes, magically disappearing. The only two examples I have are the ones listed in the OP, but the access-lists are now, as we speak, reverted to just the original 5 lines created by DNA. The changes I made to make the guest-portal actually work are gone.

DNAC should not change configuration on a device unless someone provisions the device. We had the same issue with the Redirect ACL, and had to create a template to overwrite the one DNAC creates on every provision.