DNA Center Provisioning and Disabling Telnet

David Parker · ‎08-02-2019

We are in the process of rolling out a network upgrade using Cisco DNA Center. All of our switches are either Catalyst 9300 or 9500 series switches. We've noticed that after provisioning the devices that DNA Center leaves telnet access enabled on the vty lines. I don't want anyone to even accidentally connect to a device using telnet. I wish to require ssh. How do I make this the default for DNA Center deployment?

Mike.Cifelli · ‎08-05-2019

Best bet is to create a template via template editor to harden your devices. Then create a network profile with a Day-N-Template and assign your template to the respective Device Types. Then upon provisioning a device under advanced configuration you will be able to assign your changes and properly configure your VTY lines as you wish. Good luck & HTH!

Freerk Terpstra · ‎08-06-2019

This is indeed the current workaround. Be aware that when you provision a device for a second time with the same revision of the linked template, the template won't be pushed again (CSCvq22396). In this case that would mean that the VTY settings are back to DNA's defaults.

Track enhancement CSCvq28740 for the real fix, hopefully they will include VTY and SNMP ACLs as part of this enhancement as well.

Please rate useful posts... :-)

David Parker · ‎08-07-2019

Thanks for the feedback. I spoke with our implementation engineer. He confirmed that the BU is aware of the issue and will address this in a future update.

anantsiv · ‎08-26-2019

You can work on template editor and to create and template . Go through the process of provisioning your devices and make sure you configure the VTY lines using the tools and this will help .