Thursday 13 October 2022

Cisco DNA Center and Device configuration management

In my conversations with customers and partners, there are two topics that are different but somewhat related: compliance and device configuration management. In my latest blog, “Compliant or not? Cisco DNA Center will help you figure this out”, we discussed compliance capabilities in Cisco DNA Center 2.3.3. In this blog, I will address device configuration management.

Let me start by saying that DNA Center always has the latest device configuration in its internal databases. This has always been the case. The configuration of a device is first collected and stored when the device is added to the inventory; it is then updated by periodic triggers as well as event-based triggers. Event-based triggers fire when there is a change in the configuration. DNA Center uses these up-to-date configurations for all its capabilities including, but not restricted to, assurance, device replacement, and compliance. Network administrators can also leverage these configurations, so in this blog we will explore different ways to access them.

Visualize Configuration in Inventory

For certain device types, like switches, DNA Center has the option to show and export the full device configuration. This gives the network administrator quick visibility into the configuration. For security reasons, sensitive data is masked, which means that this device config cannot be used directly to restore a device.

Figure 1: Configuration Visualization in Inventory: sensitive data is masked

Export the device configuration

Configuration archive is the DNA Center feature that allows network administrators to export raw configurations to an external server. Raw configurations are useful, for example, to restore a device.

Figure 2: Configuration Archive: exporting raw configurations to an external server

Device configuration backup can be scheduled with the desired recurrence and the configurations are sent to an external server. For each configuration backup, DNA Center creates a password-protected zip file. This zip file contains one directory per device and each directory contains three files: running-config, startup-config, and VLAN database.

Figure 3: Password-protected zip file

Figure 4: One directory per device containing running-config, startup-config and VLAN DB

APIs to retrieve device configuration

Another way to access the clear text device configurations is via APIs. The API available in Cisco DNA Center allows you to retrieve the raw startup config, running config, and VLAN DB in the form of a zip file, similar to the configuration archive capability.

API details:

POST /network-device-archive/cleartext
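As an added example (not code from the blog or from Cisco), the following Python script drives this export end to end with only the standard library, in the same way the configuration archive feature does it: obtain a token, request the archive, poll the task, and download the zip. It assumes the endpoint's full Intent API path /dna/intent/api/v1/network-device-archive/cleartext, the token endpoint /dna/system/api/v1/auth/token, a request body of deviceId (a list of inventory device UUIDs) and password (the zip password), and that the finished task's additionalStatusURL ends in the id of the file to download; credentials, the zip password and a CA bundle come from environment variables so nothing is hard-coded and the TLS certificate stays verified.

```python
import base64
import json
import os
import ssl
import time
import urllib.request

HOST = os.environ.get("DNAC_HOST", "dnac.example.com")  # assumed; also DNAC_USER, DNAC_PASS, DNAC_CA_BUNDLE, ZIP_PASSWORD

def build_export_body(device_ids, zip_password):
    # Body for the clear-text archive export: inventory device UUIDs plus the password for the zip.
    return {"deviceId": list(device_ids), "password": zip_password}

def file_id_from_task(task_json):
    # Assumption: once the task finishes, additionalStatusURL ends with the downloadable file id.
    resp = task_json.get("response", {})
    if resp.get("isError"):
        raise RuntimeError(resp.get("failureReason", "export task failed"))
    url = resp.get("additionalStatusURL")
    return url.rsplit("/", 1)[-1] if url else None

def call(method, path, ctx, token=None, body=None, extra=None):
    headers = {"Content-Type": "application/json", **(extra or {})}
    if token:
        headers["X-Auth-Token"] = token
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(f"https://{HOST}{path}", data=data, method=method, headers=headers)
    with urllib.request.urlopen(req, context=ctx) as r:  # certificate verified against ctx's CA bundle
        return r.read()

def export_archive(device_ids, out_path):
    ctx = ssl.create_default_context(cafile=os.environ.get("DNAC_CA_BUNDLE"))
    creds = base64.b64encode(f"{os.environ['DNAC_USER']}:{os.environ['DNAC_PASS']}".encode()).decode()
    token = json.loads(call("POST", "/dna/system/api/v1/auth/token", ctx,
                            extra={"Authorization": "Basic " + creds}))["Token"]
    body = build_export_body(device_ids, os.environ["ZIP_PASSWORD"])
    task_id = json.loads(call("POST", "/dna/intent/api/v1/network-device-archive/cleartext",
                              ctx, token, body))["response"]["taskId"]
    for _ in range(60):  # poll for up to ~5 minutes
        file_id = file_id_from_task(json.loads(call("GET", f"/dna/intent/api/v1/task/{task_id}", ctx, token)))
        if file_id:
            break
        time.sleep(5)
    else:
        raise TimeoutError("export task did not finish in time")
    blob = call("GET", f"/dna/intent/api/v1/file/{file_id}", ctx, token)
    # The archive holds clear-text configs, so create the file owner-readable only.
    with open(os.open(out_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600), "wb") as f:
        f.write(blob)
    return len(blob)
```

Call `export_archive(["<device-uuid>"], "dnac-configs.zip")` with the device UUIDs from the inventory; the returned value is the number of bytes written.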

Visualize Configuration Drifts

Arguably, I’m leaving the most interesting capability for last!

At the beginning of the blog, we mentioned that DNA Center stores the device configuration and updates it periodically and upon changes. Every time there is a change in the configuration, DNA Center stores and timestamps the new configuration, keeping a maximum of 50 such versions. We call these configurations config drifts. Moreover, DNA Center can show the differences between these stored configurations to help the network administrator identify any changes. For out-of-band changes, the Config Drift tool will also show the username of the person that made the change.

In the example below, we are comparing two configurations taken on September 2nd, 2022, one at 1:56pm and the other at 2:57pm. We can see in the latter that a “description” command was removed from “interface GigabitEthernet 1/0/10”. Once these changes in the running configuration are identified, the network administrator can take specific actions to remediate the issue. For example, the device can be re-provisioned.

Figure 5: Config Drift

We can also identify and label a specific configuration that we deem “standard”. That way, it will be easier to compare the current running configuration with the selected labeled configuration.

In the example below, we will first select the preferred configuration and name it with the label of our choice, in this case, “TBRANCH-Std-Config”:

Figure 6: Label Config

Once we label our standard configuration, we can then compare it to the current configuration. In this example, the current running configuration is identified as “September 2nd at 3:10pm”. In this case, the running configuration and the standard configuration match.

Figure 7: Comparing running-config to labeled config
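To show what the Config Drift comparison and the labeled-standard comparison above amount to, here is an added example (not code from the blog or from DNA Center) that performs the same two checks locally on exported configs: it splits an IOS-style config into parent/child sections so that a changed line is reported under the interface it belongs to, lists the drift between two snapshots, and tells whether a running config matches a config you have labeled as the standard. The two snapshots are constructed to mirror the blog's example, with the “description” line under GigabitEthernet1/0/10 missing from the later capture; hostnames and interface lines are made up.

```python
def parse_sections(config_text):
    """Split an IOS-style config into {parent command: [child commands]}.

    Indented lines belong to the most recent top-level line; comment lines ('!')
    and blank lines are ignored, as they carry no configuration.
    """
    sections, parent = {}, None
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and parent is not None:
            sections[parent].append(raw.strip())
        else:
            parent = raw.strip()
            sections.setdefault(parent, [])
    return sections

def config_drift(old_text, new_text):
    """Return [(section, '-' or '+', line)] for every line that differs between two snapshots."""
    old, new = parse_sections(old_text), parse_sections(new_text)
    changes = []
    for section in sorted(old.keys() | new.keys()):
        if section not in new or section not in old:  # whole block added or removed
            changes.append(("(global)", "-" if section in old else "+", section))
            continue
        changes += [(section, "-", l) for l in old[section] if l not in new[section]]
        changes += [(section, "+", l) for l in new[section] if l not in old[section]]
    return changes

def matches_standard(running_text, standard_text):
    """True when the running config shows no drift from the labeled standard config."""
    return not config_drift(standard_text, running_text)

# Constructed snapshots mirroring the blog's example: the 2:57pm capture lost the
# 'description' under interface GigabitEthernet1/0/10.
SNAPSHOT_0156PM = """\
hostname TBRANCH-SW1
!
interface GigabitEthernet1/0/10
 description Uplink to TBRANCH-RTR
 switchport mode trunk
!
interface GigabitEthernet1/0/11
 switchport access vlan 20
"""
SNAPSHOT_0257PM = SNAPSHOT_0156PM.replace(" description Uplink to TBRANCH-RTR\n", "")

if __name__ == "__main__":
    for section, sign, line in config_drift(SNAPSHOT_0156PM, SNAPSHOT_0257PM):
        print(f"{sign} [{section}] {line}")
```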
