Cannot do ACL or VTY config via Template Hub with SD-A?

bfbcnet
Level 1

Hi,

As part of our SD-Access rollout, we wanted to keep some functionality we had on our legacy Cisco network, where access to the management interfaces of our Fabric switches is locked down to certain remote addresses and the address of DNA-C. Thought a template would be a good idea to apply such CLI config to all our switches. Unfortunately, it looks like there is a conflict when applying ACL config or config on the VTYs via Template Hub.

When you hover over the exclamation marks you get the error message, 'This command is reserved to be by Cisco DNA Centre'

So it looks like you cannot apply any extra ACL config over what DNA applies as part of the SD-A fabric setup. Is there any documentation about these conflicts so I know to avoid them in the future, and is there another way to achieve what I am after? A setting in the fabric area or something in model config editor?

Kind of missing being able to just bang the CLI config in, in this case...

 

Accepted Solutions

Boort
Level 1

You can just push it without issues. It's not an error message, just a warning that you are applying CLIs to something that DNA Center interacts with during network intent.

As for your other questions, this is the golden rule I follow when creating templates for anything SDA.

If DNA Center pushes the config, don't remove or modify it. However, you can in most cases add to it. For example, BGP on SDA border nodes: adding soft reconfiguration and session passwords is totally fine on DNA Center provisioned BGP peers, whereas modifying the peer IP will cause a conflict with the intent module.

3 Replies

UPD. We use another form of standard ACL. The UI shows the same conflict, but we ignore it.

Stuff works well.

bfbcnet
Level 1

Thanks both for sharing your experience. Since there is hardly any documentation on this, I was very nervous about proceeding with these settings due to the warning. It is one of the biggest issues I have had to wrap my head around with this SD-Access journey as far as what DNA-C can do / what you should leave it to do, without getting in its way and what it cannot do where you may need to intervene.