Cisco DNA Center

This article describes the role and functions of Cisco DNA Center in the context of CCNA exam blueprint requirements.

Relevant CCNA exam topics are available here:

  • Explain the role and function of network components: Controllers (Cisco DNA Center and WLC*)
  • Compare traditional campus device management with Cisco DNA Center enabled device management

* Wireless LAN Controllers functions were discussed in the blog post dedicated to wireless devices, however, this article will use WLCs along with other types of controllers for comparison.

DNA Center Overview

Cisco DNA Center is a management software and a controller for SD-Access. At the time of the writing, it is available only as a hardware appliance. DNA Center is positioned in Cisco’s product line as the replacement for Cisco APIC-EM. It can also replace Cisco Prime Infrastructure.

There are 3 available options of hardware appliances to choose from:

  • DN2-HW-APL (C220 M5, 44 cores) – up to 1000 devices
  • DN2-HW-APL-L (C220 M5, 56 cores) – up to 2000 devices
  • DN2-HW-APL-XL (C480 M5, 112 cores) – up to 5000 devices

Cisco supports a single node deployment or a cluster of 3 appliances for high availability.

DNA Center can operate with 2 types of networks:

  • Traditional campus networks
  • SD-Access fabric

Traditional Networks

DNA Center can work with non-SD-Access networks similar to traditional network management software. Policy-driven automation is available in this mode, but it is optional. Assurance and analytics functionality can be opened with even only read-only access to the network and provide a safe way to get familiar and to evaluate DNA Center’s features.

SD-Access Fabric

Cisco introduced a new paradigm for medium- to large- size enterprise networks called intent-based networking. In this architecture, an administrator communicates intent to the controller or requesting “what” he wants to achieve. He doesn’t need to specify device-specific instructions (“how?”) for the changes to be applied. A controller accepts instructions from an administrator via GUI or from an application via API and then applies configuration to the devices it controls.

Software-Defined Access or SD-Access is an implementation of this paradigm. We’ve published an article called SD-Access Components and it explains functions of DNA Center only briefly; this blog post is expanding its coverage. SD-Access has multiple underlying protocols to provide scalable and flexible, but relatively complex virtualized network infrastructure. DNA Center is the key that hides the complexity by providing a level of abstraction that allows network operators to focus their attention on more high-level configuration concepts, such as policies.

Role in the network

In SD-Access fabric, DNA Center plays a more essential role compared to one in the non-SDA network. With SD-Access fabric, while the underlay network can be built manually, the overlay networks are created and operated via DNA Center. In the traditional network, an administrator can decide which tasks should be performed by DNA Center and which ones are to be done directly on the device.

DNA Center has ability to perform many tasks in the network lifecycle:

  • Day 0. Onboarding and discovery. During this stage DNA Center can be used for zero-touch provisioning (ZTP) with Plug and Play (PnP) protocol
  • Day 1. Provisioning. Policy-based templates can be defined and applied to multiple devices grouped into a hierarchy of sites
  • Day 2, N. Operation via policy configuration, monitoring, troubleshooting, and software patching. DNA Center has multiple features simplifying network operations tasks, including, Software and Image Management, zero-touch RMA

Controller operations

Management plane

A network controller can use many protocols to interact with the network devices and this communication is referred to as Southbound connectivity. DNA Center can use multiple management protocols, for example, CLI, Netconf or SNMP. To provide some comparison with other controllers – Cisco SD-WAN uses Netconf to push configuration from vManage to vEdge devices and Cisco WLC uses CAPWAP protocol to communicate with access points.

End devices, such as switches and routers run normal IOS-XE software. Their configuration mode can be accessed locally and changes pushed from DNA Center can be observed via a device’s configuration files.

Control plane

Cisco DNA Center in both modes of operations is distributed across switches, access points and routers. It keeps the network devices in charge of their control plane operation. The network will continue to function if the DNA Center appliance is not reachable. For example, it doesn’t participate in dynamic route propagation or reflection, as vSmarts in SD-WAN.

Data plane

Cisco DNA Center doesn’t perform transit data forwarding functions. In comparison, Cisco Wireless LAN Controller can switch traffic in certain deployment modes.

Features and Functions

DNA Center functions and features can be divided into 4 groups, as shown in Figure 1.

Figure 1. DNA Center Features and Functions
Figure 1. DNA Center Features and Functions


This group of features is responsible for performing operational and provisioning tasks without applying the configuration manually to the devices. Some of the examples are available below.

Network Design and Profiles

Logical separation of the network into a hierarchy of regions and sites. The profiles, which include common parameters, such as DNS, DHCP server details, are then associated with this logical containers, so all sites under them inherit the settings.

Software Image Management (SWIM)

This feature ensures that consistent software image versions are deployed to devices in the network. DNA Center performs checks prior and post-installation. For example, free space on the flash memory is one of such checks.

Network Plug and Play (PnP)

A very useful feature when the number of deployed devices is high. A device just needs to be plugged in and receive an IP address to receive its configuration automatically. To locate DNA Center several discovery methods are supported, such as using a DHCP option and a DNS name.

QoS Configuration Automation

One of the challenging aspects of the day-to-day operation of the network is QoS policy implementation. Applications on the network can change or new ones are added. If the network is managed manually, keeping configuration up-to-date with properly classified traffic and its preferred treatment can consume a lot of time. Different hardware QoS implementation on different models of devices further increases the complexity.

DNA Center provides an intuitive user interface that allows the administrator to select one of the pre-defined application templates and to choose if its business-relevant or not. Then scope, or which devices should have this policy, is selected and configuration is applied to the network.


Another function of a controller is to provide centralized monitoring. DNA Center component responsible for it is called DNA Assurance. It provides many unique features, such as the correlation of different types of information; focused 360 views for the network devices and clients; and retrospective view with Network time travel feature.


There are multiple dashboards available each focusing on different aspects of network health. Performance of business-relevant applications, clients and network devices is monitored and top issues are displayed.

Device 360, Client 360 and Network Time Travel

These features provide a device-centric view of a device or a client. It provides an administrator with ability to quickly access relevant to an endpoint or device information and its health score. For example, it simplifies troubleshooting when a user complains about application performance. By using the search function to quickly locate the user and his device, an administrator can identify if there are issues with the network reachability, such as poor RF signal or packet drops.

It also usually takes some time after an issue occurs and before an administrator starts working on the ticket. By that time, an alert can be cleared out making troubleshooting more difficult. Network Time Travel allows focusing the device view on a specific time in the past (up to 14 days) to see events and alerts that were active at that time.

Path Trace

Path Trace visually displays every device in the path between two IP addresses across the network. It can optionally include information about devices that can be blocking the traffic with access lists, as well as interface and QoS (Quality of Service) statistics.

AI Network Analytics

Analytics powered by Artificial Intelligence/Machine Learning algorithms helps to proactively identify issues. First, the network-specific baseline is gathered and learning occurs. This information is then used to evaluate anomalies to alert the administrator of a possible issue.


This group of functions is specific to SD-Access. Includes functions required to perform the SD-Access controller’s management features for fabric infrastructure and fabric wireless.

Fabric Assurance

DNA Center provides additional monitoring features for fabric, such as the correlation of fabric’s underlay and overlay, reachability between fabric edge, control and border nodes.

Group-based Policy Configuration

DNA Center integrates with Cisco ISE (Identity Service Engine) to enable the use of identity-based policies using Cisco TrustSec. Group-based Policy configuration allows an administrator to configure group and policy management from the user interface of the DNA Center, which then communicates with ISE and fabric.

The main purpose of this feature is to let network devices to infer user identity without relying on IP address or VLAN information mapping. For example, when a user or a device is authenticated with ISE, traffic from this device is marked with a special tag called SGT (Security/Scalable Group Tag). SD-Access places this tag into VXLAN header, so other devices can tell which user or group this datagram belongs to and use this information to apply security and QoS policies.


In the management plane section, we introduced the concept of Southbound protocols in Software Defined Networks, i.e. from the controller to end devices, such as switches and routers. Northbound protocols, as their name suggests are working in the opposite direction, and are responsible for communication from external services to the controller for 3rd party integration. Cisco DNA Center supports REST (Representational State Transfer) APIs for such integration.

Integration with Service Management Platforms

Cisco DNA Center can be integrated via API with Service Management Platforms. This integration provides the ability to interact with platforms such as ServiceNow. For example, the Software Imaging feature of the DNA Center can log a change request in ServiceNow and perform image push only once it is approved. Another use case can be automated ticket logging when DNA Center discovers an issue.

IPAM Integration

IP Address management provides centralized management of IP pool allocation. Integrating with such a system allows DNA Center to reserve pools for workflows.

Self-test questions

What are 2 types of networks that DNA Center can work with?
• Traditional networks as a management platform

• SD-Access fabric as a controller and a management platform
DNA Center supports Southbound and Northbound protocols. What are they?
• Southbound protocols are responsible for communication from a controller to managed devices

• Northbound protocols or APIs provide access to the controller from external systems