
What’s New in Cisco DNA Center 2.2.3.x (Shockwave)

Aug 2021

Agenda

1 Key Highlights in Cisco DNAC 2.2.3.x
2 Business Outcomes and Use Cases
3 List of Features
4 Cisco DNA Automation Update
5 Cisco SD-Access Update
6 Cisco DNA Assurance Update
7 Cisco DNA Platform and APIs Update

© 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA Center
Command and control center for intent-based networking

• Automation (Net Ops): Automate provisioning, device updates, and device lifecycle management
• Analytics and Assurance (AI Ops): Improve network performance and spend less time troubleshooting with AI/ML and Machine Learning
• SDA - Security and Policy (Sec Ops): Identify and classify endpoints, create user and group policies and increase security threat protection

Cisco DNA Center Appliance
Physical and virtual infrastructure: Cisco and third party

What’s new in Cisco DNA Center, Release 2.2.3.x


• Webex Control Hub integration for Client 360
• AIOps – Trust Score Engine for Endpoint Analytics
• Wireless Maps – 3D Analyzer
• PoE Assurance & Analytics enhancements
• SDA Fabric Zones
• Prime Migration Features

Key Highlights in Cisco DNA Center 2.2.3.x (Shockwave)

Improve Performance
• Webex Control Hub integration with Client 360
• True trace enhancement for Path trace
• Network Services Troubleshooting
• 3D Analyzer
Faster and Accurate Isolation of Collab issues / App experience with several new innovations such as Webex integration, True trace and network Services Analytics. 3D Analyzer delivers 3D view of predictive coverage/SNR heatmap, co-channel interference and measured vs predicted RSSI including Simulations of “What if” scenarios.

Increase Scale
• 3X scale for clients
• Support for 4000 Site Elements
• SDA – Fabric Zones
Large scale deployments will now benefit from 3x scale for endpoints and 4000 site Elements. SDA Fabric Zones now allow better fabric site scaling/security with granular control of IP pool provisioning scope.

Drive Adoption
• Application QOS and RMA support for IOT switches
• Endpoint Analytics – Seamless ISE integration, NAT detection
• Wireless - Mesh Configuration support
Extend the power of Intelligent Automation and AI-Ops to IOT deployments with use cases such as App QOS, RMA increasing DNA Center adoption. Endpoint Analytics can now work in NAT’ed environments too.

Business Outcomes and Capabilities

New Capabilities in Cisco DNAC 2.2.3.x Enable IT Teams to Work Smarter and Faster

NetOps
• 3x Scale for Endpoints
• 4000 Site Elements
• License Manager enhancements
• App QOS and RMA support for IOT switches
• Template Editor enhancements
• Wireless automation - Mesh and RLAN support.
• PNP – 802.1x support for AP onboarding
• Prime Migration features

AIOps
• Wireless Maps - 3D Analyzer
• Network Heatmaps Export
• MRE – AAA Root cause analysis
• Endpoint Analytics – Seamless ISE integration, NAT detection, Posture & Authentication Trust score input
• Network Services Analytics
• Webex Control hub Integration - client 360
• True trace – Path trace enhancements with additional KPIs
• POE Assurance – new

SecOps
• Security Advisory support for cat9800
• Group based Access-control – Extend VN attribute propagation to Multi DNAC deployments
• Rogue/aWIPS – Support for adhoc Rogue detection, CTS/RTS Virtual Carrier Sense attack – aWIPS profile
• SDA Fabric Zones

DevOps
• Event Subscriptions for Rogue/aWIPS and License Out of Compliance
• Application QOS Intent API support
• New reports – AI endpoint Analytics, SDA reports, Client Trend, Access point KPI reports.

Drive Business Outcomes for IT with Cisco DNAC 2.2.3.x

NetOps: Increase Scale
• Business resiliency, continuity, and quick time to value
• Business Compliance of network with config policies
• Scalability

AIOps: Improve Performance
• Reduced Opex through faster Root Cause Analysis (RCA)
• IT visibility and observability

SecOps: Improve Security
• Automate enforcement of security policies on network infrastructure
• Automate end point visibility, classification, and grouping

DevOps: Improve Service Delivery
• Faster service delivery using API-based automation workflows
• Early issue detection and integration with 3rd party platforms through enhanced notification channels
• Compliance Reporting

Use Cases

Cisco DNA Center Use Cases and Capabilities

Category: Base Automation; Network Assurance; Software Defined Access (SD-Access)

Use Cases
1 Network Device Onboarding
2 Software Image Management
3 Network Assurance
4 Network Segmentation
5 Network Policy

Capabilities
1a Discovery, onboarding, and provisioning devices using Plug-n-Play
2a Upgrading and patching network device software images
3a Monitoring health scores (network, app, client etc.)
4a Configuring segmentation for users, guests and network devices
5a Configuring security policies and maintaining compliance
1b Managing network inventory and topology
2b Identifying security vulnerabilities
3b Troubleshooting and guided remediation
4b Configuring segmentation for IoT devices
5b Host onboarding and enforcing end-point authentication policies
c Applying configuration templates and network MACD
c Managing network analytics, gaining visibility
c Enabling unified NetOps and user mobility across wired and wireless

Capabilities enhanced in Cisco DNA Center release 2.2.3.x


Use Cases and capabilities supported in Cisco DNA Center Shockwave

Categories: Base Automation; Assurance; SD-Access

1 Network Device Onboarding
• PnP – Secure AP onboarding using 802.1x
• RMA Support for IE IOT Switches
• RMA – License update in CSSM
• Wireless automation - Mesh configuration and Remote-LAN support

2 Software Image Management
• ISSU Support for ASR1k
• SWIM protocol Preference for Image Distribution
• Compliance Automation - Remediation for Startup Vs Running config Compliance

3 Network Assurance
• RCA for AAA (MRE)
• Webex Control Hub integration with Client 360
• 3D Analyzer – Wireless maps
• True Trace enhancement to Path trace
• Network Services Analytics (DHCP, AAA)

4 Network Segmentation
• Fabric zones
• Multiple AAA Server for SSID
• LISP Pub Sub for Dynamic Default Border and Backup Internet

5 Network Policy
• NAT device detection, Concurrent MAC detection
• Seamless integration with ISE
• Per Policy Enforcement Stats
• Trust Score Engine
Cisco DNA Center Release 2.2.3.x Enhancements

Columns: Major Enhancements; Impacted Use Case; Impacted Capabilities; Description of new enhancements in DNAC, release 2.2.3.x

Automation, SWIM: Upgrading and patching network device software images
• Reduce downtime with the ISSU support for ASR 1K
• Protocol choices for Image distribution

Automation, Configuration Compliance: Start up Vs Running config Comparison
• Remediate Config differences using Bulk Sync between Startup & Running Configurations

Wireless Automation: Mesh support
• Mesh support added via Automation workflows
• RLAN config support

Network Assurance, AI Ops / POE analytics / Webex Control Hub Integration / Truetrace: Troubleshooting and guided remediation using Machine Reasoning; AI / ML powered Assurance and aWIPS
• AAA Failure Root cause Analysis
• Network Heatmap Export option
• POE port availability dashlet, Stack Power Supply details
• Troubleshoot Webex Audio, Video and sharing related issues via Webex control Hub integration
• True Trace Enhancements to Path trace with KPI Overlay

Network Assurance, Wireless Assurance / App Experience
• 3D Analyzer - Substantial addition/improvement in capabilities and user experience in heatmap/telemetry visualization, triaging of coverage problems, deployment planning and generating insight.
• SPAN/ERSPAN Automation workflows for Traffic Telemetry Appliance (TTA)

Network Policy / Network Segmentation, End Point Analytics: Gathering context and using it for access policies for endpoints and IOT dynamically using AI EPA; Endpoint profiling and Trust Analytics used in segmenting the network
• Introduces significant improvements such as Enhanced ISE integration. Trust Analytics has new features such as NAT detection, Concurrent MAC address detection, Detection of change in profile labels and Trust score Engine for Endpoints.

Network Policy, Group Analytics: Configuring security policies leveraging AI GPA recommendations
• New UI enhancements, Custom Policy view and Policy enforcement stats

List of features
(Automation/Assurance/SD-Access/Platform)

Summary of Features in Cisco DNAC Shockwave
• 2.2.3.x introduces 3x scale for Endpoints and 4000 Site element support for Large Enterprise deployments.
• Automation – SWIM protocol preferences, WLAN Mesh config support, New Events/Reporting, Compliance remediation. RMA and App QOS support extended to IOT 33xx switches.
• AIOps – Endpoint analytics now supports seamless ISE integration, Posture/Authentication Inputs to Trust score. Network Heatmaps can now be exported.
• AI Ops – Introducing industry first 3D Analyzer for Wireless maps which provides new capabilities and user experience for heatmap/telemetry visualization, triaging of coverage problems, deployment planning and generating insight.
• Assurance - POE analytics enhancements. Isolate Collab issues faster with Webex Control hub integration for Client 360 and Network Services Analytics to improve user Onboarding experience. True trace adds new KPIs and packet capture capabilities with Path trace.
• SDA – Fabric Zones support, new UX for Automation and Assurance. Also support for AAA per SSID with Embedded WLC in Fabric.
• SecOps – Security Advisory is now supported on 9800 WLC. Users can now subscribe to Rogue/aWIPS events in addition to consuming reports.
• AND several more Innovations that deliver on Intelligent Automation & AI enabled Assurance/Analytics.

Cisco SD-Access and Zero-trust 2.2.3.x Features

SD-Access
• LISP PubSub for Dynamic Default Border and Backup Internet
• SD-Access Fabric Zones
• Fabric UX 2.0 (Automation and Assurance)
• AAA Server Per SSID for Embedded Wireless

AI Endpoint Analytics
• Wired Concurrent MAC Address Detection
• NAT device detection
• Anomalous Change in Profile Label
• Posture & Authentication Trust Score Input
• Seamless Integration with ISE
• TTA appliance Southbound Subnet Configuration
• Endpoint Purge

Group Based Access Control
• New GBAC Dashboard
• Support for DNA Center System Certificate as PxGrid Client Certificate
• Extend VN attribute Propagation to Multi DNA Center Deployments

Cisco DNA Automation 2.2.3.x Features

Resource Lifecycle management

PNP / Device replacement (RMA) enhancements
• PNP – 802.1x for AP onboarding
• PNP user Authorization while Onboarding
• RMA retry, CSSM license update with RMA
• RMA support for IE IOT switches used as Extended nodes.

SWIM enhancements
• SWIM ISSU support for ASR1000
• Protocol selection for Image distribution
• SWIM – PSIRT Integration
• SWIM – Image/SMU recommendation for Security Advisory

Inventory
• Support for VLAN changes per interface
• Support to identify Port Channel interfaces and ports in Error Disabled state

Template Editor
• New Favorite devices list when creating a template
• Auto complete feature for System Variables
• Support to add custom tags to templates while creating Network profiles

Wireless Maps
• 3D Analyzer
• Neighbor Information displayed on Wireless Maps

Device Credential
• Creation of device credentials and applying to the sites at the site level view
• Support for AES 256 privacy type for SNMP v3 credentials

Wireless
• Mesh Configuration Support
• Support for Remote LAN configuration
• Bulk AP Rename – via AP config workflow
• Support for AAA override VLAN for Flexconnect SSID
• SSID Site Level Override for L2-Security Type
• Support for Overlapping IPs in Flex Deployments
• Update Called station-ID via Model Config
• Ability to Disable Random MAC Clients
• Radius Profiling Support
• Guest Anchor Support for both Guest and Enterprise SSID Types.
• Secure AP Onboarding – PnP

Security Integrations

Rogue Management/aWIPS
• Event Subscription for Rogue and aWIPS Threats
• Adhoc - Rogue Detection
• New aWIPS Signatures - CTS/RTS Virtual Carrier Sense Attack.

Security Advisories
• Support for C9800 WLC.

Config Compliance
• Config sync for Startup Vs Running config

Cisco DNA Assurance 2.2.3.x Features

Full Stack Health Visibility

Wireless Assurance
• 3D Maps
• Network Service Assurance – AAA and DHCP detailed dashlets

Application Health
• WebEx Integration in Client 360.

Wired Assurance
• PoE Port Availability
• PoE Power Allocation
• PoE information for Stack switches in switch 360
• TrueTrace – Enhanced PathTrace using Packet Captures

Wireless Sensors
• Ability to test WPA3 SSID
• Proxy support for Web Application Tests
• Subscribe to Sensor Issues

AI/ML & MRE
• Export option in Network Heatmaps

Prime Migration

Automation
Wired
• CLI Templates Migration from Prime to DNAC
Wireless
• Anchor configurations for Dot1x and other non layer 3 web policy SSIDs

Assurance
Wired
• Keep the AP last contact CDP neighbor info when it goes down
• Device CPU and Memory Utilization Report
• Emergency, Severe and Critical Syslogs in the Event viewer
Wireless
• Missing KPIs on AP 360: Multiple Channel, Configured Rate, Power Status, BSSID Info and others
• AP KPI Report (Traffic and Client Breakdown)
• Client Trend Report - Long Term report (90 days to 12 months)
• Neighbor information displayed on wireless maps with KPIs
• Critical KPIs on AP 360:
• Neighbor and Rogue AP view
• Client Distribution and Tx Power

Cisco DNA Center System 2.2.3.x Features

DR: Disaster Recovery for single and 3-node Cluster (1:1 and 3:3 DR)
• Support for 1:1 DR in (44C) appliance (DN1 & DN2)
• DR Cluster to work with up to 350 ms latency
• API support for DR monitoring
• Support for adding a separate certificate for DR (optional)
• RTO is optimized to 15 mins
• Reduction in Failure detection to 3 mins
• Upgrade enterprise VIP to DR VIP and configure a new enterprise VIP (brownfield DR support from 2.2.2.x)
• Simplify DR registration UI for improved usability

Scale: 3x Scale
• Supported only on 3-node DN2-HW-APL-XL
• 4K site elements
• 8K network devices
• 16K APs
• Support for 300K endpoints

License Management: License Manager
• Support multiple Smart Accounts in License Manager
• Subscribe to out of compliance alerts on a monthly basis
• Banner notification under settings page, license manager app and homepage widget will appear until compliance issue is fixed
• Only user with license manager privilege will see the notification
• Enhancement: FQDN support added for smart proxy, on-prem CSSM

Cisco DNA Center Platform 2.2.3.x

New Reports
• AI Endpoint Analytics – Endpoint profiling Report
• Client Trend report (Up to 12 months of data)
• Group communication Summary Reports
• Group Pair Communication Analytics Report
• Device Life Cycle Report
• AP KPI report
• AP traffic and Client Breakdown report

New Events
• Licenses Out of Compliance events
• Rogue/aWIPS Events

New APIs
• App QOS Intent APIs
• App Registry APIs

System Capabilities in 2.2.3.x

License Manager updates

Out of compliance warning when licenses have expired

❖ Informs user about out of compliance and user can generate report on non-compliant devices.

User License Upload Reports for SLP devices

❖ User can generate license upload reports for devices that are capable for Smart licensing using policy

FQDN support for Smart proxy, On-Prem CSSM

❖ User can configure OnPrem SSM and Smart Proxy connection modes with FQDN.

Disaster Recovery

• RTO/RPO 30 mins
• Replication Across L3 for System & Automation data
• IPSec Support between DR Pairs
• BGP Support for seamless DR VIP movement
• Latency Support between DR Pairs: 250ms RTT

DR | DN2-HW-APL (44C) | DN2-HW-APL-L (56C) | DN2-HW-APL-XL (112C)
1:1 + Witness Node | 2.2.2.x | 2.2.1.x | 2.2.1.x
3:3 + Witness Node | Future | 2.1.2.x | 2.1.2.x

Disaster Recovery Configuration
Integration with BGP routing protocol to advertise the location of DR VIP upon failover

Disaster Recovery Monitoring
Logical Topology after 1:1 DR configuration is successfully deployed

Disaster Recovery Event Timeline
Event Timeline capturing the various stages of DR events

Scale

DNAC 3X Scale Update
DNAC Releases
3X Performance Releases: DNAC 2.2.3.x
Scale Parameters 2X ON XL-3N

Software Defined Access

SD-Access Fabric Zones

Use Case
• Before 2.2.3.x, the provisioning scope of an IP Pool was the whole fabric site. For security and/or better fabric site scaling, some customers require granular control of IP Pool provisioning scope.

Details
• SD-Access Fabric Zones are child sites of a parent fabric site.
• Edge nodes (FE, EN, PEN) are added to Fabric Zones.
• L3VNs and IP pools are added and provisioned to one or more Fabric Zones.

Considerations
• L3VNs and IP Pools must be assigned to the parent fabric site before assigning to one or more Fabric Zone.
• Only edge nodes (FE, EN, PEN) can be provisioned to a Fabric Zone. Collocated fabric roles (e.g., FE+B, FE + Embedded WLC, etc.) cannot be provisioned to a Fabric Zone.
• EN/PEN must be in same Fabric Zone as parent FE.

Figure: FABRIC ZONE 1, FABRIC ZONE 2 and FABRIC ZONE 3 with VN GREY (192.168.10.0/24), VN RED (192.168.20.0/24), VN BLUE (192.168.30.0/24), VN YELLOW (192.168.40.0/24), VN GREEN (192.168.50.0/24) and VN PURPLE (192.168.60.0/24)

Fabric UX 2.0

Fabric UX 2.0: Automation
• Cisco DNA Center UI Workflow - Phase1

Use Case
• Administrators require an enhanced experience in the user interface that integrates simplicity, flexibility, and a rich, intuitive context.

Details
• Phase 1 of SD-Access UX 2.0 restructures, updates, and enhances workflows, views, and day-N management tasks for:
• Fabric sites
• Layer 3 VNs
• Layer 2 VNs
• IP Pools
• Fabric Zones

Considerations
• L3VN creation tasks must use the new workflow.
• Fabric site creation tasks must use the new workflow.
• Transit and Peer Network create

Figures: Fabric Site Visualization and Management; L3VN and IP pool Visualization and Management; New UX Workflows

Fabric UX 2.0: Assurance
• Cisco DNA Center UI Enhancements – Phase1

Use Case
• Customers require detailed SD-Access health and fabric-specific operational visibility to detect and troubleshoot issues.

Details
• Cisco DNA Center Assurance has a new SD-Access landing page that contains overall fabric health information across all fabric sites.
• New fabric Assurance sub-categories have been added across various components to quickly triage VN services, infrastructure and connectivity issues.
• New fabric attributes have been added to existing Assurance:
• Network device health.
• Client 360 (VN information).

Considerations
• Cisco DNA Center must discover fabric devices using NETCONF.

AAA Server Per SSID for
Embedded Wireless

Use Cases
• Certain Deployments may require RADIUS servers to be customized per SSID.
• The most common use case is a different set of AAA servers for Enterprise and Guest users and endpoints.

Feature Overview
• This feature was introduced in Cisco DNA Center version 2.2.2.x for AireOS and Catalyst 9800 Series Controllers
• The feature is supported for Cisco SD-Access Embedded Wireless on Catalyst 9000 Series Switches from Cisco DNA Center version 2.2.3.x
• Cisco DNA Center now allows up to six AAA servers per SSID.
• Both ISE PSN and regular AAA servers are supported with this feature.

Figure: SD-Access Fabric site with SSID1 (AAA-SVR1, AAA-SVR2), SSID2 (AAA-SVR3, AAA-SVR4, AAA-SVR5) and SSID3 (AAA-SVR6, AAA-SVR7)

Cisco DNA Center Automation
updates 2.2.3.x

Device Credentials

❖ Option to create credential using “Manage Credential” option under Global Hierarchy
❖ Option to assign the credentials to Global site or other sites
❖ Once Assigned, option to Apply the credentials to sites
❖ Now credentials can be created at the site level as well
❖ Credentials created at the site can be assigned to the site and applied to the devices
❖ New status field to show if the applied credentials are pushed successfully.

Device Credential - SNMPv3

❖ Support for AES 256 Privacy type included
❖ Retired - support for privacy type using DES

Inventory Updates

Inventory - Port/VLAN Changes

❖ New dropdown menu to make port level changes for VLAN
❖ Display Ether-channel configured on the device / Port Channel
❖ Display ports in error disabled state/errors exceeding threshold limit
❖ Options to choose which VLANs are displayed on the GUI with color representation
❖ Select an interface from the UI to make port level changes such as “Clear Mac Address” & “Bounce a interface”
❖ Options to edit a VLAN for a particular selected interface.
❖ Option to edit “Port Description”.

Inventory - Provisioning Focus - Configuration Difference

❖ Under the Provisioning Focus, we now have option to view the configuration difference between previous running config and the intent which was pushed by DNAC
❖ The config diff will take 5 mins to show after the intent is provisioned successfully

Template Editor

❖ Option to make a device type or device series as a Favorite for quicker reuse while creating a template
❖ Auto complete for System variables or user defined variables while creating template
❖ Option to simulate composite templates introduced to 2.2.3.x release
❖ Attaching a template to profile has new changes
❖ Based on device type, the templates are shown in the table below
❖ Option to select a template and apply custom tags to the templates has also been added.

Wireless Maps – 3D Analyzer

3D Analyzer Overview
• Easy steps to create high fidelity 3D space for a floor, including high ceiling environments.
• Predictive heatmap for RSSI, SNR and Channel interference.
• Three use-case based options for heatmap visualization: Point cloud, Isosurface and scanner.
• Intuitive 3D navigation tools: satellite view, first person view, drop in a pin, game console like movement in 3D space.
• Simulation capability to support what if scenarios and commit simulation results to production.
• Configurable insights on floor for coverage SLA, Voice readiness, Channel interference.

Screenshots:
• Floor Set up using CAD file
• RSSI heatmap - ISOSurface
• RSSI heatmap – Point cloud
• RSSI heatmap - Scanner
• SNR heatmap
• Interference heatmap
• Navigation – First person view
• Navigation – Drop a pin
• Navigation – Clip plane
• Navigation – Clip box
• Navigation – Insight view
• Insight – Configuration
• Insight – Voice coverage
• Insight - SLA

Wireless Maps

Neighbour information displayed on wireless maps

Compliance

Compliance – Startup vs Running Remediation

❖ Remediation for Start up vs Running Compliance.
❖ Provides option for single Device sync and for Bulk devices sync.

Application QOS

Application Policy Support for Industrial IoT Switches
Extend Application Policy support to customers' extended enterprise deployments in outdoor spaces, warehouses, and distribution centers.

▪ Extends Application QOS to the IE3300K and the IE3400K family IOT switches.
▪ ACL based Classification, Marking and Queueing support.

Customer Benefit
▪ Customers can automate QOS policy on parts of the networks running IoT at the edge
▪ Ability for customers to use Application QOS Policy on IoT switches can support growing IoT usage

API support for Application Policy
Enabling the flexibility and programmability to create policy in customer deployment

▪ Support the ability to create, retrieve, update and delete data related to the creation of application policy
▪ Customers can now deploy an application policy via API
▪ Supporting Cisco’s ability to be more open with APIs for customers looking to improve integration

Group-Based Access Control

New Group-Based Access Control Dashboard/Overview page

New dashboard:

❖ Groups for Analytics
❖ Policy Issue Indicators
❖ Most Active Policies
❖ Least Active Policies
❖ Active Scalable Groups

Extend VN Attribute Propagation for MDNAC Deployments

❖ When Virtual Networks are created/deleted on the Author Node, those additions/deletions are propagated to the Reader Nodes.

Endpoint Analytics
Trust Analytics

Wired Concurrent MAC Address Detection

Use Case
Multiple wired endpoints are connected (for example, on different switches or in different VLANs on the same switch) with the same MAC address. This may indicate duplicate MACs or MAC spoofing.

Feature
Detect concurrent instances of the same MAC address connected at the same time

Considerations
DNAC Version: 2.2.3 (Shockwave)
Catalyst 9K w/ IOS-XE: 17.6.1+
*Works on wired endpoints connected to CAT9k

Figure: EA and DCS, with two wired endpoints both using MAC 00:26:AB:7C:EC:40

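Added example (not Cisco's implementation and not part of the original deck): one way to express the concurrent-MAC check described above over access-session records, flagging a MAC only when two sessions overlap in time on a different switch or VLAN. The record fields, switch names and every session except the slide's MAC 00:26:AB:7C:EC:40 are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample sessions (hypothetical field names); end=None means still connected.
SESSIONS = [
    {"mac": "00:26:AB:7C:EC:40", "switch": "sw-a", "vlan": 10,
     "start": "2021-08-02T09:00:00", "end": None},
    {"mac": "0026.ab7c.ec40", "switch": "sw-b", "vlan": 10,      # same MAC, other switch
     "start": "2021-08-02T09:30:00", "end": None},
    {"mac": "00-26-AB-7C-EC-41", "switch": "sw-a", "vlan": 10,   # endpoint that moved:
     "start": "2021-08-02T09:00:00", "end": "2021-08-02T10:00:00"},
    {"mac": "00:26:ab:7c:ec:41", "switch": "sw-c", "vlan": 20,   # sessions do not overlap
     "start": "2021-08-02T10:05:00", "end": None},
    {"mac": "aa:bb:cc:00:00:01", "switch": "sw-a", "vlan": 10,
     "start": "2021-08-02T08:00:00", "end": None},
    {"mac": "AABB.CC00.0001", "switch": "sw-a", "vlan": 30,      # same switch, other VLAN
     "start": "2021-08-02T08:10:00", "end": "2021-08-02T08:20:00"},
]


def normalize_mac(raw):
    """Canonicalise colon, dash and dotted notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def _ts(value):
    # An open session has no end time yet; treat it as lasting forever.
    return datetime.fromisoformat(value) if value else datetime.max


def concurrent_macs(sessions):
    """Return (mac, first_attachment, second_attachment) for each overlapping pair.

    An attachment is (switch, vlan), matching the slide's wording: different
    switches, or different VLANs on the same switch.
    """
    by_mac = defaultdict(list)
    for s in sessions:
        by_mac[normalize_mac(s["mac"])].append(s)

    findings = []
    for mac, group in sorted(by_mac.items()):
        group.sort(key=lambda s: _ts(s["start"]))
        for i, a in enumerate(group):
            for b in group[i + 1:]:
                place_a = (a["switch"], a["vlan"])
                place_b = (b["switch"], b["vlan"])
                # group is sorted by start, so the pair overlaps when b starts before a ends
                if place_a != place_b and _ts(b["start"]) < _ts(a["end"]):
                    findings.append((mac, place_a, place_b))
    return findings


if __name__ == "__main__":
    for mac, first, second in concurrent_macs(SESSIONS):
        print(f"{mac}: concurrently on {first} and {second}")
```

Normalising the address first matters because the same MAC reaches a collector in several notations; the moved endpoint is not reported because its sessions never overlap.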
Detect NAT Devices

Use Case
Network Address Translation (NAT) devices are
providing unauthorized and unmanaged entry
points onto my network.

Feature
Detect NAT devices using the new NAT device
detection feature on Endpoint Analytics

Considerations
DNAC Version: 2.2.3 (Shockwave)
Catalyst 9K w/ IOS-XE: 17.6.1+

Anomalous change in profile label

Use Case
For a given MAC address, profile label changes based on endpoint attributes which may signal that MAC spoofing is occurring or the endpoint may be compromised.

Feature
Detect anomalous changes to the profile label while ignoring changes that are normal and expected to happen

Considerations
DNAC Version: 2.2.3 (Shockwave)
Catalyst 9K w/ IOS-XE: 17.6.1+

Multifactor Classification

Attribute | Time 1 | Time 2 | Time 3
MAC Address | 00:26:AB:7C:EC:40 | 00:26:AB:7C:EC:40 | 00:26:AB:7C:EC:40
Model | Ultima | Ultima | iPhone 12
Manufacturer | Globex | Globex | Apple
Operating System | MS Windows 7 | MS Windows 10 | MS Windows 10
Endpoint Type | CT Scanner | CT Scanner | Mobile Device

Figure: EA and DCS, with a Globex Ultima CT Scanner (Runs Windows 7)
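Added example (not Cisco's algorithm and not part of the original deck): the Multifactor Classification table above run through a simple rule that treats a same-family operating system upgrade as expected and a change of manufacturer, model or endpoint type as anomalous. Which attributes count as stable, and the function and field names, are assumptions of this example.

```python
import re

# Attributes assumed to stay fixed for one physical device (an assumption of this example).
IDENTITY_ATTRS = ("manufacturer", "model", "endpoint_type")

# The three observations from the slide's table for MAC 00:26:AB:7C:EC:40.
SNAPSHOTS = [
    {"time": "Time 1", "model": "Ultima", "manufacturer": "Globex",
     "os": "MS Windows 7", "endpoint_type": "CT Scanner"},
    {"time": "Time 2", "model": "Ultima", "manufacturer": "Globex",
     "os": "MS Windows 10", "endpoint_type": "CT Scanner"},
    {"time": "Time 3", "model": "iPhone 12", "manufacturer": "Apple",
     "os": "MS Windows 10", "endpoint_type": "Mobile Device"},
]


def os_family_version(os_name):
    """Split 'MS Windows 10' into ('ms windows', (10,)); no trailing version gives ()."""
    m = re.match(r"(.*?)\s*(\d+(?:\.\d+)*)?$", os_name.strip())
    family = m.group(1).lower()
    version = tuple(int(p) for p in m.group(2).split(".")) if m.group(2) else ()
    return family, version


def classify_changes(snapshots):
    """Compare consecutive snapshots of one MAC and label each change.

    expected  : only the OS version moved forward within the same OS family
    anomalous : an identity attribute changed, the OS family changed,
                or the OS version went backwards
    """
    findings = []
    for prev, cur in zip(snapshots, snapshots[1:]):
        changed = [a for a in IDENTITY_ATTRS if prev[a] != cur[a]]

        prev_family, prev_ver = os_family_version(prev["os"])
        cur_family, cur_ver = os_family_version(cur["os"])
        comparable = bool(prev_ver and cur_ver)
        if prev_family != cur_family or (comparable and cur_ver < prev_ver):
            changed.append("os")
        upgraded = prev_family == cur_family and comparable and cur_ver > prev_ver

        if changed:
            findings.append({"at": cur["time"], "verdict": "anomalous", "attrs": changed})
        elif upgraded:
            findings.append({"at": cur["time"], "verdict": "expected", "attrs": ["os"]})
    return findings


if __name__ == "__main__":
    for f in classify_changes(SNAPSHOTS):
        print(f["at"], f["verdict"], ", ".join(f["attrs"]))
```

On the slide's data the Windows 7 to Windows 10 step at Time 2 is reported as expected, while Time 3, where the same MAC presents as an Apple iPhone 12 mobile device, is reported as anomalous.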
Posture & Authentication Trust Score Input

Use Case
Authentication & Posture provide rich context
that is relevant to endpoint trust but are
currently not used in the trust score calculation.

Feature
Posture & Authentication data are now used
to evaluate the trust score of an endpoint.

Considerations
DNAC Version: 2.2.3 (Shockwave)
ISE Version: 2.4P11+, 2.6P5+ or 2.7P1+

Support for ISE generated Unique-Id

Use Case
In the latest versions of Android and iOS,
devices can use random MAC addresses, and
this may be turned on by default. Tracking
endpoints based on random MAC addresses
becomes very cumbersome.

Feature
Utilize ISE unique-IDs for endpoint
identification rather than MAC address.

Considerations
DNAC Version: 2.2.3 (Shockwave)
ISE Version: 2.4P11+, 2.6P5+ or 2.7P1+

Endpoint Purge
DNAC 2.2.3

Use Case
Old and unused endpoints are in my inventory
and causing my DNAC to approach scaling
challenges.

Feature
Purge out old endpoints using the endpoint
purge policy feature based on the endpoint
profile

Considerations
DNAC Version: 2.2.3 (Shockwave)

Roadmap

“Trust” based network access (DNAC 2.2.3)

Continuously monitor endpoint trust

Diagram labels: Threat Metrics; Vulnerability Status; Security Ecosystem;
Vulnerability Databases; Auth/Posture Metrics; Encrypted/Clear
communications; Profiling anomalies; Spoofing behavior; Machine Learning;
Endpoint Telemetry; Trust Score

Trust-based Policies
• 1-3 Deny Access
• 4-7 Limited Access
• 7-10 Full Access

Cisco DNAC & ISE Adaptive Control

Access Control and Threat Containment based on
continuous trust evaluation

Cisco DNA Center Assurance
updates 2.2.3.x

Network Services

Network Services - AAA

Quickly view AAA insights and
troubleshoot data within the AAA tab for
a selected period of time, and track:

• AAA Servers
• AAA Server Latency
• AAA Server Transactions
• AAA Transaction Failures %
• Top Sites by Transaction Failures
• Top Sites by Highest Latency
• AAA Servers

Network Services - AAA

Network Services – DHCP
View DHCP insights and troubleshoot data within the DHCP tab for a
selected period.

• DHCP Servers
• DHCP Server Latency
• DHCP Server Transactions
• DHCP Transaction Failures %
• Top Sites by Transaction Failures
• Top Sites by Highest Latency
Network Services - Overview

TrueTrace

TrueTrace
Enhanced Packet Capture that allows live traffic to be captured,
providing visibility into Network Topology, Security Policies, and
Performance Metrics to identify critical issues.

• Captures live traffic on devices in path for analysis


• KPIs such as packet loss are available at each hop
• Granular reason codes that explain degradation in the path
• Downloadable packet capture files

TrueTrace

From Device 360/Client 360 Page
Enable “Live Traffic”
Start Trace

TrueTrace (cont’d)

Prime Migration features

Run and Review PDART Report

Assess Prime Usage via PDART Tool

1 Software
• Prime Version – 3.5 or higher required for initiating migration.
• Recommended version - PI 3.9

2 Network Devices
• Identify network devices in the wired and wireless network
• Assess network device compatibility with DNAC

3 Use Cases
• Assess top Prime Infrastructure use cases.
• Surface any gaps – DNAC will prioritize them on the roadmap

4 Scale
• Assess scale of managed devices (wired network devices,
access points and clients)

Note: Does the customer have Cisco DNA Center?


Run Prime to DNAC Migration Tool

Cisco DNA Center Platform

API support for Application Policy
Enabling the flexibility and programmability to create policy in customer deployments

▪ Support the ability to create, retrieve, update and delete data
related to the creation of application policy

▪ Customers can now deploy an application policy via API

▪ Supporting Cisco’s ability to be more open with APIs for
customers looking to improve integration

New System APIs - Licenses

New Licensing Reports

New Report – Device Lifecycle information

New Reports – Group Communication summary

New Report - AI Endpoint Analytics
