cisco-dna-center

Data sheet
Cisco public
Cisco DNA Center 2.3.5
© 2023 Cisco and/or its affiliates. All rights reserved. Page 1 of 32

Contents
Introduction 3
Licensing 5
Automation features 6
Assurance features 8
SD-Access features 12
System and platform capabilities 14
SD-Access requirements 18
SD-Access platform scale 18
Meraki integration 23
Appliance scale 24
Hardware appliance specifications 26
Virtual appliance requirements 28
Fabric VN scale 28
Roles and privileges 29
Compatibility matrix 29
Cisco environmental sustainability 30
Product usage telemetry 31
Cisco Capital 32
For more information 32

Introduction
Cisco DNA Center is a powerful network controller and management dashboard that lets you take charge of
your network, optimize your Cisco investment, and lower your IT spending. Cisco DNA Center provides a single
dashboard for every fundamental management task to simplify running your network. With this platform, IT can
respond to changes and challenges faster and more intelligently.
● Design: Design your network using intuitive workflows, starting with locations where your networ k
devices will be deployed. Users of Cisco Prime ® Infrastructure and the Cisco ® Application Policy
Infrastructure Controller Enterprise Module (APIC-EM) can simply import existing network designs and
device images into Cisco DNA Center.
● Policy: Define user and device profiles that facilitate highly secure access and network segmentation
based on business needs. Application policies allow your business-critical applications to provide a
consistent level of performance regardless of network congestion.
● Provision: Use policy-based automation to deliver services to the network based on business priority
and to simplify device deployment. Zero-touch device provisioning and software image management
features reduce device installation or upgrade time from hours to minutes and bring new remote offices
online with plug-and-play ease from an off-the-shelf Cisco device. Additionally, the Cisco Secure
Network Analytics (formerly Stealthwatch) service provisions network elements to send NetFlow and
Encrypted Traffic Analytics (ETA) to the analytics service.
● Assurance: Enable every point on the network to become a sensor, sending continuous streaming
telemetry on application performance and user connectivity in real time. This, coupled with automatic
path-trace visibility and guided remediation, means network issues are resolved in minutes — before they
become problems. Automated NetFlow switch configuration for Cisco Secure Network Analytics
provides detection and mitigation of threats, even when they are hidden in encrypted traffic.
● Platform: An open and extensible platform allows third-party applications and processes to exchange
data and intelligence with Cisco DNA Center. This improves IT operations by automating workflow
processes based on network intelligence coming from Cisco DNA Center.

Figure 1.
Cisco DNA Center
Cisco DNA Center is a centralized intent-based network management system to bring all this functionality into
an integrated controller and present it through a single pane of glass.
Figure 2.
How Cisco DNA Center works

Licensing
Cisco DNA Center is a software solution that offers flexible deployment options. It can be deployed either on
the Cisco DNA Center hardware appliance or as a virtual appliance on AWS. The solution receives telemetry
data from network devices including switches, routers, access points, and controllers. For a device to be
authorized to send data to Cisco DNA Center, that device must be included in your organization’s Cisco DNA
software license subscription. Cisco encourages customers to purchase complete Cisco DNA Center
functionality through a Cisco DNA Advantage license subscription. Limited Cisco DNA Center functionality is
also available through a Cisco DNA Essentials license subscription. Wireless, switching, and SD -WAN and
routing subscriptions are available for 3- and 5-year terms; wireless and switching are also available in a 7-
year term. All Cisco DNA software license subscription options include embedded Cisco software support and
downloads.
The links below open matrices detailing the main features included in each respective suite.
Switching feature matrix
Wireless feature matrix
SD-WAN and routing matrix
In addition to the Cisco DNA licenses, the Cisco DNA Expansion Pack is a flexible way to purchase Cisco
Identity Services Engine (ISE), Cisco Spaces, Cisco Secure Network Analytics (previously, Stealthwatch), Cisco
ThousandEyes®, and other licenses, appliances, and services in one convenient bundle. Enhance your Cisco
networking solutions such as SD-Access, Cisco Zero Trust solutions, Encrypted Traffic Analytics (ETA), location
analytics, and assurance. You can add the pack to your Cisco DNA software licenses and choose the license
count that fits your needs.
Introduction to Smart Licensing
Cisco Smart Licensing is a flexible licensing model that provides you with an easier, faster, and more consistent
way to purchase and manage software across the Cisco portfolio and across your organization. And it’s secure
– you control what users can access. With Smart Licensing you get:
● Easy activation: Smart Licensing establishes a pool of software licenses that can be used across the
entire organization—no more Product Activation Keys (PAKs).
● Unified management: My Cisco Entitlements (MCE) provides a complete view into all of your Cisco
products and services in an easy-to-use portal, so you always know what you have and what you are
using.
● License flexibility: Your software is not node-locked to your hardware, so you can easily use and
transfer licenses as needed.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).
For a more detailed overview of Cisco Licensing, go to cisco.com/go/licensingguide.

Automation features
Table 1. Cisco DNA Center Automation features and benefits
Feature Description and benefits
Network discovery Automatically discovers and maps network devices to a physical topology with detailed
device-level data. The discovery function uses the following protocols and methods to
retrieve device information, such as IP addresses, neighboring devices, and hosts
connected to the device:
● Cisco Discovery Protocol
● Link Layer Discovery Protocol (LLDP) for endpoints

● IP Device Tracking (IPDT) and Address Resolution Protocol (ARP) entries for host discovery
● LLDP Media Endpoint Discovery (LLDP-MED) for discovering IP phones and some servers
● Simple Network Management Protocol (SNMP) versions 2 and 3
Inventory Retrieves and saves details, such as host IP addresses, MAC addresses, and network
attachment points, about devices in its database. After the initial discovery, Cisco DNA
Center periodically scans the network to create a “single source of truth” for IT. This
inventory includes all network devices, along with an abstraction for the entire enterpri se
network. It keeps an updated inventory of devices and software images on that device for
version control and provides data to applications (such as Software Image Management
[SWIM] and Cisco EasyQoS) so that the correct device and image version are used . It
allows applications to be device independent, so configuration differences between
devices are not a problem.
Network design and profile- Allows you to manage your network in a hierarchical fashion by letting you add areas and
based management buildings on a geospatial map. You can start by defining your sites, then add buildings to
sites and add floors with detailed floor plans to the buildings. Cisco DNA Center lets the
user define profiles, which consist of common network settings such as dev ice credentials,
DHCP, DNS server, AAA server, IP address pool, etc. Wireless settings such as SSIDs and
RF profiles can be created globally and customized at site levels. These profiles form the
basis for network automation. Network profiles can be created for Cisco Network Function
Virtualization Infrastructure Software (NFVIS), routing, firewall (including Cisco Adaptive
Security Appliance [ASA]), switching, and wireless.
Cisco Network Plug and Allows off-the-shelf Cisco devices to be provisioned simply by connecting them to the
Play (PnP) network. Cisco Network PnP provides a secure, scalable, seamless, and unified zero -
touch-deployment experience for customers across Cisco's entire enterprise network
portfolio of wired and wireless devices. Deploy new devices in minutes, without onsite
support visits. Eliminate repetitive tasks and eliminate staging. Network PnP reduces the
burden on enterprises by greatly simplifying the deployment process for new devices,
which can significantly lower Operating Expenditures (OpEx) as well. For more details, refer
to the solution guide for the Network Plug and Play application:
https://www.cisco.com/c/en/us/td/docs/solutions/Enterprise/Plug-and-
Play/solution/guidexml/b_pnp-solution-guide.html
Software Image Manages software upgrades and controls the consistency of image versions and
Management (SWIM) configurations across your network. Speeds and simplifies the deployment of new software
images and patches. Pre- and post-checks help ensure no adverse effects from an
upgrade. This is an easy way to build a central repository of software images and apply
them to devices. Administrators can mark software images as golden for a device family,
allowing them to upgrade devices to the software image and patch versions that are in
compliance with the golden versions defined in the repository. Patches are supported in
Cisco DNA Center from intent to pre- and post-checks in the same way that we manage
regular images. It also tracks when software maintenance updates, subpackages, ROM
Monitor, AP Service Pack, and AP Device Pack upgrades are applied to the base image.

Network compliance audit Network compliance audit feature allows network operators to quickly assess the devices
and remediation that don’t adhere to corporate standards. The network compliance remediation feature
allows network operators to automatically sync running (production) configurations with
startup configurations for all the network elements. Network operators can select one or
many devices, view and validate the change, select and sync those devices, and remediate
them to maintain compliance. These two features reduce human involvement and error and
helps ensure that the network is running the intended configuration standards.
Device tagging An administrator can tag network devices in order to associate devices that share a
common attribute. For example, you can create a tag and use it to group devices based on
a platform ID, Cisco IOS release, or location. Allows for grouping of devices based on
specialized needs.
Configuration drift visibility Allows network operators to compare any two device configuration versions in a very visual
manner. Having different versions of a device configuration available allows for accurate
accountability of every configuration change.
Device replacement and Workflow templates allow for the replacement (RMA) of switches, routers, and access
RMA workflows points. Includes restoration of Cisco IOS Software, configurations, and licenses. Also
completes device replacement in operational systems such as Cisco ISE, certificate
servers, and Cisco DNA Center inventory. Saves time and retains existing setup, licenses,
and KPI trends.
Branch deployment Simplified workflows for physical and virtual branch automation; day -0 router, and NFV
automation design. Onboard WAN devices and services through these easy steps:
Configure network settings, service provider, and IP pools.
Design a router or virtual profile.
Assign to sites and provision network devices.
Wireless automation Intent-based workflows for simplified wireless deployment and automation:
● Network profiles: a profile is a container of wireless properties that can represent single or multiple
sites
● Simplified SSID creation
● Advanced RF support for wireless networks

● A single workflow to enable Cisco FlexConnect® or centralized wireless deployment
● PnP provisioning for APs

● IP Access Control List (ACL) support
● Access and access control policy for SD-Access Wireless only
Cisco StackWise ® Virtual Base automation (inventory, discovery, SWIM, topology, and template programmer) and
support assurance support for Cisco Catalyst ® 9500 and 9400 Series StackWise Virtual switches.
StackWise Virtual technology on the Cisco Catalyst 9000 platform allows the clustering of
two physical switches together into a single logical entity, resulting in enhancements in a ll
areas of network design, including high availability, scalability, management, and
maintenance. Customers can now use Cisco DNA Center to manage the StackWise Virtual
device, along with monitoring the health and status of StackWise Virtual ports and links.
Policy creation Allows the creation of policies based on business intent for a particular part of the network.
Users can be assigned policies for the services they consume, and these policies follow
them throughout the network. Policies are translated by Cisco DNA Center into network-
specific and device-specific configurations that can be adjusted dynamically based on
network conditions. Of foundational importance for intent -based networking, policies
define the business intent that is desired and allo w the network to guarantee services.

Application policy creation Allows policies to be assigned to applications based on business relevance. These
applications can then be attached to sites (locations) where the policy should be applied.
This feature allows business-critical applications to have greater QoS priority in the sites
where their use is relevant. It is important for mission-critical applications such as
machine-to-machine control in manufacturing or life-saving devices in healthcare, as well
as for business-critical applications such as video in customer experience centers or voice
in support sites.
Rogue management and Supports the detection of rogue and Cisco Adaptive Wireless Intrusion Prevention System
aWIPS (aWIPS) threats on your network from within Cisco DNA Center. The Rogue and aWIPS
Dashboard provides detailed threat analysis and a global view of all rogue access points
detected in the network, with insight into the highest priority threats so that they can be
quickly identified. The Threat 360 view on this dashboard provides further details on any
specific threat. This includes a map view for quick location, and all affected clients.
Meraki discovery and Provides for the discovery of all Meraki devices in the network and integrates them into the
integration Cisco DNA Center dashboard. It provides fo r a single pane of glass for both Cisco and
Meraki devices.
Meraki wireless provisioning Provision SSIDs in Meraki APs through Cisco DNA Center. This feature allows Meraki
access points to be assigned SSIDs through Cisco DNA Center, without having to open the
Meraki dashboard application.
Cisco Umbrella integration Allows Cisco Umbrella to be deployed across sites and SSIDs from within the Cisco DNA
Center dashboard. Cisco Umbrella provides DNS-layer security and is one of the quickest
and most effective ways to improve your security stack. Read the blog:
https://blogs.cisco.com/networking/cisco-dna-center-and-cisco-umbrella-automate-
your-journey-towards-dns-security.
Assurance features
Table 2. Cisco DNA Center Assurance features and benefits
Network and Client Health Assurance dashboards that give a high-level overview of the health of every network
dashboards device and client on the network, wired and wireless. They provide the top 10 global issues
and allow the administrator to expand views by geographical site, device list, client list, or
topology. Any poorly connected devices or communication issues are highlighted, with
suggested remediation. Users can customize how the health score is computed.
Application Health Provides a general overview of the health of all applications on the network. Incl udes a
dashboard special section on applications that have been tagged as business relevant. Business -
relevant application issues are highlighted, with suggested remediation for any anomalies.
ThousandEyes integration Cisco ThousandEyes agents can be installed on all supported switches through a GUI-
based installation process in Cisco DNA Center. The application resides on the switch’s
flash storage, providing significant time and cost savings to deploy ThousandEyes. Data
from the ThousandEyes agents is used by Cisco DNA Center to provide visibility into
application performance and help the administrator pinpoint problem domains.
Webex integration The Webex integration shows a consolidated view of quality metrics for audio, video, and
shared components and provides administrators with a single pane of glass for
troubleshooting Webex performance. Network operators can quickly identify and resolve
issues in Cisco DNA Center without having to switch between multiple interfaces.

Cisco AI Network Analytics Using AI and machine learning, Cisco AI Network Analytics drives intelligence in the
network, empowering administrators to improve performance and issue resolution
accurately and effectively. We are taking network analytics to a new level where noise and
false positives are significantly reduced and enabling customers to very accurately identify
issues, trends, anomalies, and root causes.
Intelligent issue detection and analysis
● AI-driven personalized baselining: No two networks are the same. AI -driven technologies can learn
the user trends, services, and application metrics that are specific to your network. Cisco DNA
Center Assurance can then create a customized performance curve for analytical decisions. The AI -
driven baseline for the performance parameters that are unique to your network is constantly
adapted as your network grows and changes. From there, the AI -driven analytics engine (both on
premises and in the Cisco cloud) can make accurate decisions for what is normal and what is not,
based on this personalized baseline.
● AI-driven anomaly detection: The system can accurately detect performance issues and ignore
unusual but harmless network anomalies. This reduces noise while accurately identifying anomalies
that have the greatest impact on your network. AI-driven predictive analytics and proactive insights
allow users to anticipate and prevent failures. The machine learning engine can predict increases in
Wi-Fi interference, onboarding delays, office traffic load, etc. This is because, in IP networks, a
problematic event is often preceded by a benign event or series of events. By learning how series
of events are correlated to one another, predictive analytics can help network administrators
anticipate the unexpected.
● AI-driven accelerated remediation: Cisco AI Network Analytics provides accelerated remediation
through machine learning, which identifies the most critical variables related to the root cause of a
given problem. This helps users detect issues and vulnerabilities, perform complex root cause
analysis (using a Machine Reasoning Engine; see below), and execute corrective actions faster than
ever. In coming releases, we will enable machine reasoning to execute the logical troubleshooting
steps that an engineer would perform in order to resolve a problem. Both of these capabilities
accelerate remediation, making your team more precise in problem solving and more productive
overall.
● AI-driven Site Analytics: Site Analytics helps IT teams proactively identify underlying issues that can
have a sitewide impact on user experience. It gives the network administrator a single view of
customizable KPIs to help them understand the health of devices, users, and applications.
Machine Reasoning Engine Defines the next intelligence evolution and helps in complex workflows where the result of
(MRE) one action determines the next. It closely resembles how human beings themselves reason
things out and accomplish multistep tasks. An example where Cisco DNA Center uses MRE
is to find and fix potentially crippling routing loops that require a careful analysis spanning
multiple devices. This allows your new IT team members to accomplish complex tasks
instead of escalating them, and saves time for your more seasoned IT team members by
automating tedious workflows. For more information, read the blog:
https://blogs.cisco.com/networking/machine-reasoning-is-the-new-ai-ml-technology-
that-will-save-you-time-and-facilitate-offsite-netops.
Wireless 3D Analyzer The Wireless 3D Analyzer provides granular analysis of millions of spatial RF data points
and the ability to visualize wireless coverage. Network operators can identify the areas
most affected by RF strengths, view client locations, simulate different RF environments,
and conduct spatial planning and prediction of the interior environment. After loading basic
architectural structural information, network operators can enter a virtual office space and
move an access point or create an imaginary wall and see the resulting impact on Wi -Fi
signal propagation. The Wireless 3D Analyzer helps network operators maximize WLAN
performance and identify trouble spots and WLAN design issues faster.
Wireless Network Services View Authentication, Authorization, and Accounting (AAA) and Dynamic Host Configuration
Analytics Protocol (DHCP) services for wireless devices across Cisco and all third -party servers in a
global comprehensive view. This capability includes the overall health of these critical
services all in one place, highlighting the worst -performing service server, site-level
impact, and scope of end-user impact. This helps network operators reduce overall issue-
ticket resolution time and leads to lower ticket volume.

Global assurance event The global assurance event viewer gives the network administrator a consolidated view of
viewer events from all devices, where they can search and filter on the events that are most
important to address. The event view allows the user to identify, correlate, and
troubleshoot network issues and quickly get to the root cause.
Power over Ethernet Provides visibility into the power loads that a switch is experiencing. Endpoint devices that
analytics are pulling too much power, as well as switches that are approaching overload, are
flagged. Granular visibility shows the available power on any switch for quick installation of
IoT endpoint devices.
Path Trace Allows the operator to visualize the path of an application or service from the client through
all devices and to the server. A common, and critical, troubleshooting task that normally
requires 6 to 10 minutes is displayed instantly upon clicking a client or application.
Troubleshoots issues along the network path.
● Run a path trace from source to destination to quickly get key performance statistics for each
device along the network path.
● Identify ACLs that may be blocking or affecting the traffic flow.
True Trace Captures live traffic on devices for path analysis. Cisco DNA Center’s True Trace extends
the current path trace capability and provides KPIs for each hop, granular reasons for path
degradation, and downloadable packet capture files. These deep insights enable faster
troubleshooting in enterprise deployments and lead to operational savings.
Application QoS (Quality of Authors and pushes QoS policies to Cisco Catalyst IE3300 and IE3400 Rugged Series
Service) support for Switches from Cisco DNA Center’s Application QoS. Applies default QoS trust settings as
industrial switches well as queuing settings based on Cisco Validated Designs, or writes a custom QoS policy
for these devices. This removes the complexity of pushing a QoS policy and helps
organizations ensure a good experience for end users in industrial environments.
Wi-Fi 6 Readiness Prepares your network for the new Wi-Fi standard, verifying your hardware and
dashboard configuration compatibility and checking your capacity readiness. This visibility will speed
your upgrade and help ensure that you are upgrading the neediest locations first. After
upgrading, advanced wireless analytics will indicate performance and capacity gains as a
result of the Wi-Fi 6 deployment.
It categorizes wireless clients by Wi-Fi version (protocol) and indicates areas where
upgrade is most urgent. Shows wireless system performance following upgrade.
The Wi-Fi 6 Readiness dashboard allows customers to visualize two main aspects. First, it
shows the readiness of their network with respect to Wi-Fi 6 across several different sites
and locations. Key aspects of the readiness assessment include how many Wi Fi 6 -capable
clients are seen in the network, whether the user has the right AP model to support Wi -Fi
6, whether the APs and Wireless LAN controllers (WLCs) are running the right OS version,
whether the Wi-Fi 6 configuration is enabled, etc. Second, the dashboard allows the user
to visualize the benefits of the Wi-Fi 6 network in terms of higher capacity, superior
connectivity, and lower latencies on Cisco DNA Center Analytics and Assurance. After
upgrading, advanced wireless analytics indicate performance and capacity gains as a result
of the Wi-Fi 6 deployment. For more information, see
https://blogs.cisco.com/networking/cisco-dna-your-fastest-route-to-wi-fi-6.
Device 360 and Client 360 Provide assurance and overall health of devices, including parameters such as memory or
CPU utilization, uplink availability, and other KPIs to help operators be more proactive and
enable them to predict future issues. Device 360 and Client 360 help you understand what
problems have happened, when and why they happened, and how much of an impact they
have. They also provide suggested remediation, resolved issue lists, and historical data to
help troubleshoot issues.

Application Experience Tracks performance of predefined “critical business appli cations.” Shows user experience
and performance metrics. Provides specialized rapid troubleshooting per application and
per client. Enables unparalleled visibility and performance control over the applications that
are critical to your core business, on a per-user basis. Multimedia monitoring uses Perfmon
processing for Real-Time Protocol (RTP) streams, allowing teams to verify the quality of
critical real-time applications such as multimedia. URL monitoring provides visibility into
cloud-based (URL-based) applications so that their performance is optimized. Application
Experience provides users the performance they need on the applications that are key to
their company role.
Reporting Derive insights into your network and its operations by creating report s. Cisco DNA Center
offers a set of pre-canned reports that can be generated in several formats and have
flexible scheduling and configuration options to customize for your operational needs.
Supported use cases include:
● Capacity planning: Understand how devices in your network are being utilized.
● Change of pattern: Track how usage pattern trends change on the network. Usage pattern trends
may include clients, devices, bands, or applications.
● Operational reporting: Review reports about network operations, such as upgrade completions or
provisioning failures.
● Network health: Determine the overall health of your network through reports.
Wireless Sensor dashboard Shows overall tests, connectivity statistics, and top wireless issues discovered by Cisco
Aironet Active Sensors. Includes test results for DHCP, DNS, host reachability, RADIUS,
email, Microsoft Exchange Server, web, FTP, and a complete IP SLA for data throughput
speed, latency, jitter, and packet loss. Provides guided remediation for any test failures .
Streaming telemetry Enables network devices to send near-real-time telemetry information to Cisco DNA
Center. The data can be used to optimize networks, locate where problems occur, and
investigate issues in a collaborative manner. Telemetry data (events, KPIs) can be exported
and surfaced through event-driven notifications.
Traffic Telemetry Appliance This hardware solution collects networking data, processes it, and provides streaming
telemetry to Cisco DNA Center. This can be useful in areas of your network where you do
not have devices that support the types of telemetry that you need to collect from the local
network, including NetFlow, Application Visibility and Control (AVC), Network -Based
Application Recognition (NBAR), NBAR2, etc. This appliance can also perform Deep Packet
Inspection (DPI) on network traffic in order to support Cisco AI Endpoint Analytics. This is a
strong solution for areas with only Layer-2 network devices or for branch offices with third-
party switches that do not support transmission of real -time telemetry. For more
information, see the data sheet: https://www.cisco.com/c/en/us/products/collateral/cloud-
systems-management/dna-traffic-telemetry-appliances/datasheet-c78-744352.html.
Network time travel Allows the operator to see device or client performance in a timeline view to understand
the network state when an issue occurred. Allows an operator to go back in time up to 14
days and see the cause of a network issue, instead of trying to re-create the issue in a lab.
● Rewind time to when the issue occurred
● See a history of critical events

● View all the information on the user or network device changes to the selected time

On-device analytics Assurance and analytics are performed on the Cisco switch, router, or wireless controller
where the anomaly was discovered. Critical metrics can be identified and immediately
acted on before an incident occurs. KPIs that are core to business operations can be
maintained in real time, and close to the users that rely on them.
Connectivity analytics for Detailed analytics and insights from the device’s point of view, without the need for
Apple iOS, Samsung and installing an agent on the device.
Intel devices
Intelligent Capture Provides support for a direct communication link between Cisco DNA Center and APs, so
that each of the APs can communicate with Cisco DNA Center directly. Using this channel,
Cisco DNA Center can receive packet capture data, AP and client statistics, and spectrum
data. With the direct communication link between Cisco DNA Center and APs, Cisco
Intelligent Capture allows you access to data from APs that is not available from the
wireless controllers.
ServiceNow and IT Service Cisco DNA Center can now auto-resolve open ticket numbers in ServiceNow and other
Management (ITSM) closed ITSM platforms. When Cisco DNA Center Assurance detects that a fault has been resolved,
loop integration it will check for an ITSM ticket number. If one exists, it will send a ticket status change with
the ticket number to the ITSM system, which will automatically close the open ticket in that
system.
SD-Access features
Table 3. SD-Access features and benefits
Feature Description
Enhanced visibility into The Endpoint Analytics application in Cisco DNA Center identifies and classifies endpoint
endpoints and traffic devices on a campus network with the use of AI/ML. Through the use of various profiling
patterns methods, including Deep Packet Inspection (DPI), it establishes visibility into what is on the
network so that new endpoints can be authenticated and assigned an appropriate policy for
network usage, security, and segmentation.
Group-based policy analytics simplify the delivery of segmentation policies . It uses analytical
models to visualize the activity between endpoint profiles, scalable groups, and host groups in
order to verify that the network policies are optimizing performance and security. The feature
provides a way for users and endpoints to be identified and categorized, and for granular
access privileges to be provided to the resources that each endpoint requires, while
segmenting them from everything else.
Granular multilevel SD-Access, through Cisco DNA Center, creates virtual overlays over the underlying physical
segmentation infrastructure and segments the network without regard to its topology. SD -Access also
segments at a micro level by enforcing group-based policies through the network
infrastructure. The resulting granular segmentation controls traffic flows without using
complex firewalls and Access Control Lists (ACLs), which can be difficult and costly to
maintain.
Benefits of fabric infrastructure optimizations:
● Automates VRF configurations (lines of business, departments, etc.) and create overlay virtual
networks
● Onboards users with 802.1X, MAB, Active Directory, and static authentication. With an option to move
users in a critical VLAN during the unavailability of ISE.
● Includes a resilient control-plane architecture using LISP pub/sub that allows for dynamic path
optimization toward available internet services. It simplifies fabric site design, routing convergence,
and troubleshooting tasks.
● Simplifies network operations with a standard, error -free underlay network using LAN automation
● Uses Encrypted Traffic Analytics (ETA) to further enhance analysis of traffic through AVC and NetFlow

Feature Description
Ease of migration to SD-Access fabric:

● Layer-2 handoff at border is a key capability, allowing hosts in an SD-Access fabric to communicate
with the traditional network at Layer 2.
● Fabric provides support for end hosts that require Layer -2 flooding; for example, building management
systems, audio-visual equipment, etc.
● SD-Access introduces the support of existing access VLANs, allowing users to retain their existing
access VLAN IDs when creating macro segments in the fabric. Customers can retain existing access
VLAN IDs when connecting directly to the SD-Access fabric edge to simplify and speed up their SD-
Access segmentation journey.
● Macrosegmentation without ISE capability is suited for deployments that have fabric at the distribution
layer connecting downstream to an external Layer -2 switching domain. Customers can deploy an
automated network fabric and use macrosegmentation with virtual networks without ISE.
Deployment flexibility with SD-Access fabric:

● SD-Access offers a distributed campus design with automated intersite connectivity with end-to-end
policy and segmentation.
● Fabric in a Box allows the border node, control plane node, and edge node to run on the same fabric
node, simplifying fabric deployment for a small site or a branch.
● SD-Access extended nodes extend the enterprise network by providing connectivity to non -carpeted
spaces of an enterprise. This allows network connectivity and management of IoT devices and the
deployment of traditional enterprise end devices in outdoor and non -carpeted environments, such as
distribution centers, warehouses, or campus parking lots.
● SD-Access fabric offers two options for integrating wireless access:
◦ SD-Access Wireless using a VXLAN distributed data plane and a centralized control plane provides
a consistent fabric experience and policy simplification for wired and wireless access.
◦ Over the top involves running a traditional Cisco Unified Wireless Networ k architecture with Control
and Provisioning of Wireless Access Points (CAPWAPs) on top of a fabric wired network. This is a
possible migration step to full SD-Access wireless implementation.
● Multisite remote border feature allows users to segregate untrusted traffic from various fabric sites to a
firewall at the DMZ.
● Fabric zone features allow administrators to control the provisioning of IP subnets on select fabric
edge nodes for better site scalability and security.
● SD-Access supports IPv4 as well as IPv6 endpoints.
● Cisco SD-Access offers support for the Cisco Wide Area Bonjour application, allowing users to
discover and use shared services with minimal intervention and configuration.
● Secure network device onboarding of Catalyst 9000 extended nodes using 802.1X-based
authentication and authorization.
Simplified fabric operations:

SD-Access Assurance allows users to detect, diagnose, and troubleshoot fabric issues in real
time with minimized downtime and a better experience. The newly introduced SD -Access
Assurance landing page contains overall fabric health for each fabric site deployed. KPIs
configured on the fabric nodes provide insights for faster issue identification and suggested
actions to remediate issues. KPIs are organized into categories to quickl y triage control plane,
infrastructure, and connectivity issues.
● Fabric control plane provides reachability checks between the fabric edge/border and the fabric
control plane node.
● Fabric infrastructure validates the AAA server status from the fabric edge and policy extended nodes
to the Identity Services Engine (ISE).
● Fabric connectivity provides reachability checks from the edge to the fabric border, and control-plane
and port- channel connectivity checks between the fabric edge and the extended nodes.
● Support for ThousandEyes Agent on Catalyst 9000 switches operating in an SD-Access Fabric role.
This provides the ability to run tests that provide performance metrics and end-to-end visibility.
Fabric UX2.0 provides administrators with an enhanced experience in the user interface that
integrates simplicity, flexibility, and a rich, intuitive context.

Feature Description
Continuous verification of Trust Analytics is an aggregation of various inputs and sources into a single, comprehensive,
trust flexible trust score. Trust Analytics detects traffic from endpoints that are exhibiting unusual
behavior. When anomalies in the network are detected, Trust Analy tics lowers the trust score
for the endpoint to limit or completely deny access to the network through integration with
ISE. The feature expedites the detection and containment of untrustworthy endpoints that
could lead to a security breach.
System and platform capabilities

Table 4. Cisco DNA Center system capabilities
Role-Based Access Allows users to be mapped to one of the four predefined roles. The role determines what
Control (RBAC) types of operations a user can perform within the system.
Backup and restore Supports complete backup and restore of the entire database for added protection.
ISE integration Integrates with ISE through pxGrid or API for fabric overlay support.
Workflows Cisco DNA Center workflows are step-by-step guides through particular tasks; for example,
“Create a role,” “Refresh AP,” etc. Workflows can be paused and revisited through the “in-
progress” library on the workflow homepage. The workflow homepage can be found by
clicking the menu icon on the GUI and clicking on “Workflows.” The home page will have a
library of workflows along with in-progress workflows.
Activity center The activity center is a centralized space to find audit logs and scheduled tasks. Audit logs
record system events that occurred, when and where they occurred, and which users
initiated them. With audit logging, configuration changes to the system are logged in separate
log files for auditing. The Scheduled Tasks tab allows you to view upcoming, in-progress,
completed, and failed administrative tasks, such as OS updates or device replacements.
FIPS 140-2 support Cisco DNA Center includes support for FIPS-140-2-compliant cryptography modules,
ensuring that only strong NIST-approved ciphers are used, and enabling deployment in
security-conscious verticals such as public sector, finance, and healthcare. During
installation, the administrator can choose to enable FIPS, which will ensure only NIST -
approved ciphers are used for data encryption.

Table 5. Cisco DNA Center platform capabilities
Northbound REST APIs The Cisco DNA Center platform supports Representational State Transfer (REST) APIs at the
northbound layer for programmability. The Cisco DNA Center API provides support for the
following features:
● Discovery, device inventory, and network topology
● SWIM, Plug and Play (PnP), wireless, SD-Access, and application policy
● Template programmer and command runner

● Assurance: site, device, and client health-monitoring and path tracing
● NFV provisioning
● Configuring event management notifications through APIs
IT Service Minimizes the need for handoffs, deduplicates issues, and optimizes processes for proactive
Management (ITSM) insights and faster remediation. Out-of-the-box integration exists with ServiceNow. The generic
integration APIs exposed by the Cisco DNA Center platform enable partners and developers to integrate
with any ITSM system.
IP Address Allows for a seamless import of IP pools for Cisco DNA Center workflows from external IPAM
Management (IPAM) systems and the synchronization of IP pool and subpool usage information between the two
integration systems. Out-of-the-box integration exists with Infoblox and BlueCat. The Cisco DNA Center
platform provides generic APIs to integrate with any IPAM system.
Events and The Cisco DNA Center platform webhooks allow third-party applications to receive notifications
notifications and listen to any events detected by Cisco DNA Center Assurance, automation, and other task-
based operational workflows.
Table 6. Correlated insights
Category Insights
Wireless insights Client onboarding

an analysis
● Association failures
● Authentication failures
● IP address failures
● Client exclusion
● Excessive onboarding time
● Excessive authentication time
● Excessive IP addressing time
● AAA, DHCP reachability
Client experience
● Throughput analysis
● Roaming pattern analysis
● Sticky client
● Slow roaming
● Excessive roaming
● RF, roaming pattern
● Dual-band clients prefer 2.4 GHz
● Excessive interference
● Apple iOS client disconnect
Network coverage and capacity

Category Insights
● Coverage hole
● AP license utilization
● Client capacity
● Radio utilization
Network device monitoring

● Availability
● Crash, AP join failure
● High availability
● CPU, memory
● Flapping AP, hung radio
● Power supply failures
Sensor issues Sensor onboarding

● Association failures
● Authentication failures
● IP address failures
● Sensor exclusion
● Excessive onboarding time

● Excessive authentication time
● Excessive IP addressing time

● AAA, DHCP reachability
Sensor experience
● Throughput analysis
● Outlook web response time

● Web server response time
● SSH server response time

● Mail server response time
● FTP server response time

● Excessive radio interference
Routing issues Router health

● High CPU
● High memory
Routing technologies
● BGP AS mismatch, flap
● OSPF adjacency failure
● Enhanced Interior Gateway Routing Protocol (EIGRP) adjacency failure
Connectivity
● Interface high utilization
● LAN connectivity down/flap
● IP SLA to SP gateway connectivity

Category Insights
Switching issues Client onboarding

(nonfabric)
● Client or device DHCP
● Client or device DNS

● Client authentication or authorization
Switch
● CPU, memory, temperature
● Modules
● Power over Ethernet (PoE) power
● Ternary Content-Addressable Memory (TCAM) table
SD-Access issues Border and edge reachability

● Control plane reachability
● Edge reachability
● Border reachability
● Routing protocol
● MAP server
Data plane
● Border and edge connectivity
● Border node health

● Access node health
● Network services DHCP, DNS, AAA
Policy plane
● ISE or pxGrid connectivity
● Border node policy
● Edge node policy
Client onboarding
● Client or device DHCP
● Client or device DNS
● Client authentication or authorization
Switch
● CPU, memory, temperature
● Modules
● PoE power
● TCAM table

SD-Access requirements
Figure 3.
Maximum latency supported, roundtrip time. Latency Requirements and Round-Trip Time (RTT): The latency between the
DNA Center appliance and a managed device should be ~100 milliseconds RTT or less. Longer execution times could be
experienced for certain events after 100 milliseconds, such as Invent ory Collection, Fabric Provisioning, and Image Update
(SWIM). Cisco does not support a Round-Trip Time (RTT) of more than 200 milliseconds.
SD-Access platform scale

The following tables outline the Cisco SD-Access platform scale. The limits in this section are not necessarily
dependent on Cisco DNA Center, but rather the model of device and its capacity design.
Table 7. Cisco SD-Access control plane node scale
Cisco SD-Access control plane node scale
Family Cisco Catalyst ASR ASR CSR

1000, 1000
4000 4000
Series Series
ISR ISR
Device 3850 6800 9300/L 9300X 9400 9400X 9500 9500X 9500H 9600 9600X 8 GB 16 GB 1000v
Sup- RAM RAM
XL/Y
Endpoints 3000 50,000 16,000 32,000 80,000 112,000 80,000 1,000,000 150,000 150,000 1,000,000 100,000 200,000 200,000
The control-plane scale does not depend on Ternary Content-Addressable Memory (TCAM); it only consumes
memory.

Table 8. Cisco SD-Access border node scale
Cisco SD-Access border node scale
Family Cisco Catalyst Cisco ASR ASR

Nexus1 1000, 1000,
4000 4000
Series Series
ISR ISR
Device 3850 6840/ 6880XL 9300/L 9300X 9400 9400X 9500 9500H 9500X 9600 9600X 7700 8 GB RAM 16 GB
6880LE Sup- RAM
XL/Y SD-
Access
SD- sdm
Access template
sdm
template
Virtual 64 128 128 256 256 256 1000 256 256 1000 256 1000 128 128 128
networks2
IPv4 8000 60,000 450,000 8000 32,000 64,000 96,000 64,000 48,000 512,000 48,000 512,000 500,000 1,000,000 4,000,000
routes
Fabric 16,000 180,000 450,000 16,000 32,000 70,000 96,000 70,000 150,000 512,000 150,000 512,000 32,000 1,000,000 4,000,000
host
entries3
(host /32
or /128)
IPv4: SGT 12,000 256,000 256,000 10,000 32,000 40,000 109,000 40,000 40,000 200,000 200,000 200,000 200,000 750,000 750,000
bindings
SGT/DGT 4000 30,000 30,000 8000 7400 8000 32,000 8000 16,000 32,000 32,000 32,000 16,000 64,000 64,000
policies
SG-ACEs 1500 12,000 30,000 5000 4800 18,000 16,000 18,000 13,000 4000 27,000 4000 128,000 64,000 64,000
(contract
actions)
1
Cisco Nexus 7700 Series Switch can be an external border only.
2
Virtual network scale also depends on the Cisco DNA Center platform VN scale. See Table 7 for SD-Access scale.
3
If an endpoint has multiple IPv4 or IPv6 addresses, then eac h address will be counted as an individual entry.
Fabric host entries include access points and classic and policy -extended nodes.
Additional border node scale considerations:
/32 (IPv4) or /128 (IPv6) entries are used when the border node forwards traffic from outside the fabric to a
host in the fabric.
For all switches except Cisco Catalyst 9500 Series High Performance Switches and Cisco Catalyst 9600 Series
Switches:
● IPv4 uses one TCAM entry (fabric host entries) for every IPv4 IP address.
● IPv6 uses two TCAM entry (fabric host entries) for every IPv6 IP address.

For the Cisco Catalyst 9500 Series High Performance Switches and Cisco Catalyst 9600 Series Switches:
Table 9. Cisco SD-Access Layer-2 handoff border node scale considerations
Cisco SD-Access Layer-2 handoff border node scale considerations
Family Cisco Catalyst Nexus ASR ASR

1000, 1000,
4000 4000
Series Series
ISR ISR
Device 3850 6800 9300/L 9300X 9400 9400X 9500 9500H 9500X 9600 9600X 7700 8 GB 16 GB
RAM RAM
Endpoints Supported Supported 8,000 32,000 16,000 100,000 16,000 32,000 256,000 32,000 256,000 NOT NOT NOT
supported supported supported
These numbers are the sum of the total numbers of endpoints both inside and outside the fabric site when the
site has a border node with a Layer-2 handoff.
A maximum of 6000 hosts can be connected outside the fabric for all platforms that support Layer -2 border
handoff.
The border node with a Layer-2 handoff contains a combination of local and remote LISP entries.
Local entries = LISP database
Remote entries = LISP map-cache
Example:
The Cisco Catalyst 9300 Series Switches supports 8000 total entries.
If the fabric site has 6000 endpoints (map-cache), then only 2000 endpoints (database) can be in the traditional
network beyond the Layer-2 handoff.

Table 10. Cisco SD-Access edge node scale
Cisco SD-Access edge node scale
Family Cisco Catalyst Cisco Catalyst
Device 3650 3850 4500 9200CX 9200- 9200 9200 9300/L 9300X 9400 9400X 9500/H
L Enhanced
VNs
Virtual 64 64 64 16 11 42 32 3 256 256 256 1000 256

networks
Endpoints 2000 4000 4000 4000 2000 4000 4000 6000 18,000 6000 70,000 6000
IPv4: SGT 12,000 12,000 128,000 10,000 8000 10,000 10,000 10,000 32,000 40,000 109,000 40,000
bindings
SGT/DGT 4000 4000 2000 2000 2000 2000 2000 8000 7400 8000 32,000 8000
policies
SG-ACEs 1350 1350 64,000 1200 1,000 1000 1000 5000 4800 18,000 16,000 18,000
(contract
actions)
1
9200-L = One (1) user-defined VN (VRF)
2
9200 = Four (4) user-defined VNs (VRFs)
3
9200 “Enhanced VN” SKUs = Thirty-two (32) user-defined VNs (VRFs)
Additional notes:
INFRA_VN is not a VRF definition. It is associated with the global routing table.
DEFAULT_VN is not user-defined; it is automatically created in Cisco DNA Center. It is present for historical (backward-compatibility)
reasons; its use is neither necessary nor recommended.
DEFAULT_VN, if used in host onboarding, is provisioned as a VRF definition and counts as a “user -defined VN.”

Table 11. Cisco SD-Access WLC scale
Cisco SD-Access WLC scale
Device Number of access points Number of clients
Aironet 3504 150 3000
Aironet 5520 1500 20,000
Aironet 8540 6000 40,000
Catalyst 9800-L 250 5000
Catalyst 9800-40 2000 32,000
Catalyst 9800-80 6000 64,000
Catalyst 9800-CL (4 CPU/8 GB RAM) 1000 10,000
Table 12. Cisco SD-Access wireless edge node scale for directly connected access points and endpoints
Cisco SD-Access wireless edge node scale for directly connected access points and endpoints
Family Cisco Catalyst
Device 9200-L 9200 1 9300-L 1
Access points Not supported 25 50
Wireless endpoints Not supported 500 1000
1
A single switch and a switch stack have the same scale.
The switches listed above have a limit on the number of access tunnels that can be created on them. An access
tunnel is created between the fabric edge node and a fabric-mode AP that is either directly attached or
attached through a directly-connect extended node.
Table 13. Cisco SD-Access embedded wireless controller scale
Cisco SD-Access embedded wireless controller scale
Family Cisco Catalyst
Device 9200/L 9300-L 9300 9400 9500/H
Access points Not supported 50 200 200 200
Wireless endpoints Not supported 1000 4000 4000 4000

The embedded wireless scale is the same irrespective of the role of the device (edge, Fabric in a Box, border,
or control plane).
Meraki integration
For existing Meraki branch customers who want to explore using Cisco DNA Center and Cisco Catalyst 9000
switches, or for customers with mixed environments, Cisco DNA Center now offers a single management pane
of glass. This is an API-driven dashboard integration that supports all existing Meraki hardware and software at
no additional license cost.
Figure 4.
Meraki and Cisco DNA Center integration
Features and benefits of Meraki integration:

● Single dashboard inventory across all platforms (Meraki, Cisco Catalyst, Cisco Integrated Services
Routers [ISRs], and Aironet)
● Up-or-down status of all devices in a single platform
● Use existing Meraki API keys; no additional license required
● Combined topology mapping of hybrid environments
● Ability to assign SSIDs to Meraki access points from within Cisco DNA Center

Appliance scale
Cisco DNA Center offers flexible deployment options. It can be deployed on a hardware appliance or as a
virtual appliance on AWS.
The second-generation (Gen2) of the Cisco DNA Center appliance is available in three form factors and comes
with the Cisco DNA Center image preloaded on it and ready for installation.
Tables 14 and 15 capture the scale information for Cisco DNA Center when deployed on physical appliances.
Table 14. Scale and hardware specifications
SKU DN-SW-APL DN2-HW-APL DN2-HW-APL-L DN2-HW-APL-XL
Description Cisco DNA Cisco UCS C220 M5 Cisco UCS C220 Cisco UCS C480 M5
Center Virtual M5
Appliance Rack Server Rack Server
Rack Server
44 cores 112 cores
56 cores
Cisco DNA Center system scale
Devices1 (switch, router, 1000 1000 2000 5000

wireless controller) (non-fabric)
Devices1 (switch, router, 2000 2000 4000 8000

wireless controller) (fabric)
Wireless access points (non- 4000 4000 6000 13,000

fabric)
Wireless access points (fabric) 3000 3000 4000 10,000
Wireless sensors 600 600 800 1600
Concurrent endpoints 25,000 25,000 40,000 100,000
Transient endpoints 75,000 75,000 120,000 250,000

(over 14-day period)
Ratio of endpoints to wired Any Any Any Any

wireless
Any Any Any Any
Site elements 2500 2500 5000 10,000
Wireless controllers 500 500 1000 2000
Ports2 48,000 48,000 192,000 768,000
API rate limit 50 APIs/min 50 APIs/min 50 APIs/min 50 APIs/min
NetFlow flows/sec 30,000 30,000 48,000 120,000
Concurrent software image 100 100 100 100

updates

SKU DN-SW-APL DN2-HW-APL DN2-HW-APL-L DN2-HW-APL-XL
Description Cisco DNA Cisco UCS C220 M5 Cisco UCS C220 Cisco UCS C480 M5
Center Virtual M5
Appliance Rack Server Rack Server
Rack Server
44 cores 112 cores
56 cores
Cisco DNA Center SD-Access

scale
Devices1 2000 2000 4000 8000

(switch, router, wireless
controller)
Wireless access points 3000 3000 4000 10,000
Fabric domains 10 10 20 20
Fabric sites 500 500 1000 2000
Cisco DNA Center Scale per Fabric Site
Layer 3 Virtual Networks 64/site 64/site 128/site 256/site
Fabric devices 500/site 500/site 600/site 1200/site
Scalable groups 4000 4000 4000 4000
Access contracts 500 500 500 500
Group-based policies 25,000 25,000 25,000 25,000
IP pools3,4,5 100 6 100 6 300 7 1000 8
Layer 2 Virtual Networks3,4,5 100 6 100 6 300 7 1000 8
Note:
1
Switch stacks, StackWise Virtual pairs, VSS pairs, and WLC HA SSO pairs each count as a single device.
2
Includes all physical ports except the console ports. Includes redundancy ports (RPs) on WLCs.
3
Adding additional Fabric Sites to a SD-Access deployment does not increase any Cisco DNA Center system scale parameter . For
example, 1000 concurrent endpoints spread over 10 Fabric Sites and 1000 concurrent endpoints in a single Fabric Site both contribute
equally to system scale.
4
Cisco DNA Center supports a maximum of 1.5 million separate interfaces on managed devices. Interfaces include both physical and virtual
interfaces such as Switched Virtual Interfaces (SVIs), loopbacks, tunnels, LISP, and so on.
5
A Layer 2 Virtual Network is a Layer 2 segment in SD-Access with no Anycast Gateway in the Fabric Site; a Layer 2 Virtual Network does
not use an IP pool.
6
Per Fabric Site, the sum of IP pools plus Layer 2 Virtual Networks must not exceed 200.
7
8

Table 15. Scale for 3-node DN2-HW-APL-XL cluster
Description Supported scale
Devices 10,000
(switch, router, wireless controller)
Wireless access points 25,000
Concurrent endpoints 300,000
Transient endpoints 750,000

(over 14-day period)
NetFlow 250,000 flows/sec
Hardware appliance specifications

The Cisco DNA Center appliance is available in three form factors and comes with the Cisco DNA Center image
preloaded on it and ready for installation. For more detailed information on these Cisco UCS appliances, click
on the data sheet link beside each hardware series in Table 16.
Table 16. Physical specifications
Physical specifications DN2-HW-APL and DN2-HW-APL-L DN2-HW-APL-XL
Part number for ordering DN2-HW-APL and DN2-HW-APL-L DN2-HW-APL-XL
Hardware series UCSC-C220-M5SX (data sheet) UCSC-C480-M5 (data sheet)
Power supply Dual 770W AC Hot-pluggable, redundant 1600W AC
Physical dimensions Height: 1.7 in. (4.32 cm) Height: 6.9 in. (17.6 cm)
(H x W x D)
Width: 16.89 in. (43.0 cm); including Width: 19 in. (48.3 cm)
handles:18.98 in. (48.2 cm)
Depth including handles and power
Depth: 29.8 in. (75.6 cm); including supplies: 32.7 in. (83.0 cm)
handles: 30.98 in. (78.7 cm)
Temperature: operating 1° to 95°F (5° to 35°C) 1° to 95°F (5° to 35°C)

Derate the maximum temperature by 1°C Derate the maximum temperature by 1°C
per every 1000 ft. (305 m) of altitude per every 1000 ft. (305 m) of altitude
above sea level. above sea level.
Temperature: nonoperating -40° to 149°F (–40° to 65°C) -40° to 149°F (–40° to 65°C)
Humidity: operating 10% to 90%, noncondensing at 82°F 10% to 90%, noncondensing at 82°F
(28°C) (28°C)
Humidity: nonoperating 5% to 93% at 82°F (28°C) 5% to 93% at 82°F (28°C)
Altitude: operating 0 to 3000 m (0 to 10,000 ft) 0 to 3000 m (0 to 10,000 ft)
Altitude: nonoperating 0 to 12,192 m (0 to 40,000 ft) 0 to 12,192 m (0 to 40,000 ft)

Physical specifications DN2-HW-APL and DN2-HW-APL-L DN2-HW-APL-XL
Network and management I/O Supported connectors: Supported connectors:

One 1 Gigabit Ethernet dedicated One 1 Gigabit Ethernet dedicated
management port management port
Two 1 Gigabit BASE-T Ethernet LAN ports Two 1 Gigabit BASE-T Ethernet LAN ports
One RS-232 serial port (RJ-45 connector) One RS-232 serial port (RJ-45 connector)
One 15-pin VGA2 connector One 15-pin VGA2 connector

Two USB 3.0 connectors Three USB 3.0 connectors
One front-panel KVM connector that is One front-panel KVM connector that is
used with a KVM cable, which provides used with a KVM cable, which provides
two USB 2.0s, one VGA, and one serial two USB 2.0s, one VGA, and one serial
(DB-9) connector (DB-9) connector
Regulatory standards compliance: Safety and EMC
Regulatory compliance Products should comply with CE Markings according to directives 2004/108/EC and
2006/95/EC
Safety NEBS
● UL 60950-1 Second Edition
● CAN/CSA-C22.2 No. 60950-1 Second Edition
● EN 60950-1 Second Edition

● IEC 60950-1 Second Edition
● AS/NZS 60950-1
● GB4943
EMC: Emissions ● 47CFR Part 15 (CFR 47) Class A
● AS/NZS CISPR22 Class A

● CISPR22 Class A
● EN55022 Class A
● ICES003 Class A
● VCCI Class A
● EN61000-3-2
● EN61000-3-3
● KN22 Class A
● CNS13438 Class A
EMC: Immunity ● EN55024
● CISPR24
● EN300386
● KN35 KN24

Virtual appliance requirements
Cisco DNA Center can be deployed as a virtual appliance on AWS. For the system requirements, see Table 17.
Table 17. Virtual appliance requirements
Specification Requirement
Instance type r5a.8xlarge
Cores 32vCPU
RAM 256 GB
Storage 4 TB
Storage type GP3 EBS
Fabric VN scale
Table 18 captures the fabric VN limits for devices in the fabric when deploying Cisco DNA Center Release
2.3.4.
Table 18. Fabric VN limits (The current maximum VRF validation is based on a lower limit of 1 and an upper limit of 128,
even if the device can support more than 128.)
Device series Max VRFs
Cisco Catalyst 3650 Series Switches 64
Cisco Catalyst 6800 Series Switches 1000 (128)
Cisco Catalyst 6500 Series Switches 1000 (128)
Data center switches (Cisco Nexus 7000 Series Switches) 4000 (128)
Cisco Cloud Services Router 1000V Series 4000 (128)
Cisco ASR 1000 Series Aggregation Services Routers 4000 (128)
Cisco 4000 Series Integrated Services Routers 4000 (128)
Cisco Catalyst 9300/9300X Series Switches 256
Cisco Catalyst 9300 L Series Switches 256

Device series Max VRFs
Cisco Catalyst 9500H Series Switches 256
Cisco Catalyst 9200-L Switch Stack 1
Cisco Catalyst 9200 Switch Stack 4
Cisco Catalyst 9200-24PB Switch 32
Cisco Catalyst 9200-48PB Switch 32
Roles and privileges

Table 19. Role-based access control
Role Privilege
Network-Admin-Role Users with this role have full access to all of the network-related Cisco DNA Center functions.
They do not have access to system-related functions, such as application management, users
(except for changing their own passwords), and backup and restore.
Observer-Role Users with this role have view-only access to all Cisco DNA Center functions.
Telemetry-Admin-Role Users with this role have the ability to perform system -level functions within Cisco DNA Center.
Super-Admin-Role Users with this role have full access to all of the Cisco DNA Center funct ions. They can create
other user profiles with various roles, including those with the Super-Admin-Role.
Compatibility matrix
Cisco DNA Center provides coverage for Cisco enterprise switching, routing, and mobility products. For a
complete list of Cisco products supported, please see our compatibility matrix, which is updated regularly.
Cisco DNA Center compatibility matrix:
https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/dnac_compatibility_matrix/index.html
Cisco SD-Access compatibility matrix:

https://www.cisco.com/c/dam/en/us/td/docs/Website/enterprise/sda_compatibility_matrix/index.html

Cisco environmental sustainability
Information about Cisco’s environmental sustainability policies and initiatives for our products, solutions,
operations, and extended operations or supply chain is provided in the “Environment Sustainability ” section of
Cisco’s Corporate Social Responsibility (CSR) Report.
Reference links to information about key environmental sustainability topics (mentioned in the “Environment
Sustainability” section of the CSR Report) are provided in the following table.
Table 20. Links to information about key environmental sustainability topics
Sustainability topic Reference
Information on product material content laws and regulations Materials
Information on electronic waste laws and regulations, including products, batteries, and packaging WEEE compliance
Reference links to product-specific environmental sustainability information that is mentioned in relevant

sections of this data sheet are provided in Table 21:
Table 21. Links to product-specific environmental sustainability information
Sustainability topic Reference
General
Product compliance Safety and compliance information
Power
Power supply Power supplies and typical and maximum power specifications
Material
Dimensions Physical dimensions
Cisco makes the packaging data available for informational purposes only. It may not reflect the most current
legal developments, and Cisco does not represent, warrant, or guarantee that it is complete, accurate, or up to
date. This information is subject to change without notice.

Product usage telemetry
Product usage telemetry provides valuable information about the status and capabilities of the Cisco DNA
Center appliance. Cisco DNA Center is configured to automatically connect and transmit product usage data to
Cisco. Product usage telemetry is used by Cisco to improve appliance lifecycle management for IT teams who
have deployed Cisco DNA. Collecting this data helps the product teams serve customers better. This data and
related insights enable Cisco to proactively identify potential issues, improve services and support, facilitate
discussions to gather additional value from new and existing fe atures, and assist IT teams with inventory report
of license entitlement and upcoming renewals.
All product usage telemetry data is transmitted to Cisco through an encrypted channel. The categories of data
collected in the product usage telemetry are the Cisco.com ID, system telemetry, feature usage telemetry and
network device (for example, switch or router) inventory, and license entitlement. The collection of product
usage telemetry will be enabled by default and cannot be disabled from the product. Customers may contact
the Cisco Technical Assistance Center (TAC) for changes in collection settings.
For detailed product usage telemetry information collected, please see Table 22.
Table 22. Cisco DNA Center product usage telemetry usage and benefits *
Category Data elements Purpose of collection
Cisco.com ● Cisco.com user ID Identify customer

account
System ● Deployment information (Cisco DNA Center appliance serial number, Cisco DNA Identify potential issues
Center appliance platform, Cisco DNA Center appliance machine ID) in customers’
● Connectivity with Cisco DNA Center environments to
prevent problems and
● Operational metrics (CPU, memory, file system, uptime) for pods
improve the product
● Signed End-User License Agreement (EULA) flag
● Application stack and packages deployed
Feature usage ● Customer dwell time in application UI pages Facilitate customer

● Site_member_details: Name of site, instance UUID of device, support level of adoption and customer
device, device family, and host name value
● Assurance usage: number of sites, area, building, floor, wireless LAN controller
(WLC), switch, Access Point (AP), number of clients (wired and wireless) and health
score, sensor counts, sensor tests count, AI network analytics configuration flag, AP
count with RF stats enabled, number of anomaly captures enabled, number of data
packet captures enabled, and network telemetry max input rate (NetFlow, syslogs,
traps)
● SD-Access usage: number of fabrics created, number of fabric domains per domain
type, number of devices per fabric role by site, number of edge nodes and of border
nodes and of control-plane nodes by device type, number of clients on fabric,
number of access contracts, number of scalable group tags, number of virtual
networks by site, number of IP pools, number of SSIDs, Cisco ISE version and
status, number of group-based policies, number of access policy contracts, number
of Cisco ACI scalable groups, number of APs and WLCs in fabric, number of each
transit type, number of rogue AP/client messages, number of fabric sites by
authentication mode, and number of ports by static port assignment
● Automation usage: number of devices provisioned using PnP, number of PnP
devices by source, number of golden images and image repository details, number
of successful/failed image activations and/or distributions, number of SMU images
by type, number of application policies created and/or deployed, number of favorite
applications, number of custom applications (sets), number of consumer
applications, number of queueing profiles, number of excluded devices, number of
devices in each policy, number of draft policies, number of policies using nondefault
queueing profiles, device controllability check, site area/building/floor counts,
number of SSA enablement/disablement tasks by status, number of SSA precheck
failures by type and successes/failures per device family, Cisco Secure Network

Category Data elements Purpose of collection
Analytics registration status, number of devices by SSA-enabled status, number of
devices with security advisory match, number of security advisory scans, vManage
integration status, MRE root cause analysis count and duration, number of MRE user
feedbacks, number of devices with CVSS scores, number of devices by
replacement status, WAB SDG node count, number of onboarding templates
created and provisioned successfully on devices, number of devices with templates
applied, and number of network profiles by site and namespace
● Cisco DNA Center as a Platform usage: number of event subscriptions by state,
DaaS-runtime usage
Network device ● Network device inventory (serial number, software version, platform ID, and Assist customers in
inventory and reachability errors). Number of devices per device support level, number of devices tracking and
per device role, number of port types per device type, IDP instances enabled,
license maintaining license
number of devices by Ethernet channel control method, number of devices by
entitlement acltype associated site information, uptime in days by device type, host count by
entitlement and
device type, and number of devices by configuration type renewals
● License entitlement information (network device type, Cisco Smart Software
Manager registration status, Cisco DNA Center subscription level, hardware support
contract coverage, and number of days until license expires)
For information on Cisco DNA Center privacy, please refer to Cisco’s Personal Data Privacy.
Cisco Capital
Flexible payment solutions to help you achieve your objectives
Cisco Capital® makes it easier to get the right technology to achieve your objectives, enable business
transformation, and help you stay competitive. We can help you reduce the total cost of ownership,
conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can
help you acquire hardware, software, services, and complementary third -party equipment in easy,
predictable payments. Learn more.
For more information

See how Cisco DNA Center helps you move faster, lower costs, and reduce risk:
https://cisco.com/go/dnacenter.
Printed in USA C78-739686-24 07/23

cisco-dna-center

Uploaded by

Copyright:

Available Formats

cisco-dna-center

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

cisco-dna-center

Uploaded by

Copyright:

Available Formats

Data sheet

Cisco DNA Center 2.3.5

© 2023 Cisco and/or its affiliates. All rights reserved. Page 1 of 32

© 2023 Cisco and/or its affiliates. All rights reserved. Page 2 of 32

© 2023 Cisco and/or its affiliates. All rights reserved. Page 3 of 32

© 2023 Cisco and/or its affiliates. All rights reserved. Page 4 of 32

Switching feature matrix

Wireless feature matrix

SD-WAN and routing matrix

For a more detailed overview of Cisco Licensing, go to cisco.com/go/licensingguide.

© 2023 Cisco and/or its affiliates. All rights reserved. Page 5 of 32

Feature Description and benefits

● Link Layer Discovery Protocol (LLDP) for endpoints

© 2023 Cisco and/or its affiliates. All rights reserved. Page 6 of 32

● Advanced RF support for wireless networks

● PnP provisioning for APs

● Access and access control policy for SD-Access Wireless only

© 2023 Cisco and/or its affiliates. All rights reserved. Page 7 of 32

Feature Description and benefits

© 2023 Cisco and/or its affiliates. All rights reserved. Page 8 of 32

© 2023 Cisco and/or its affiliates. All rights reserved. Page 9 of 32

© 2023 Cisco and/or its affiliates. All rights reserved. Page 10 of 32

● See a history of critical events

© 2023 Cisco and/or its affiliates. All rights reserved. Page 11 of 32

© 2023 Cisco and/or its affiliates. All rights reserved. Page 12 of 32

Ease of migration to SD-Access fabric:

Deployment flexibility with SD-Access fabric:

Simplified fabric operations:

© 2023 Cisco and/or its affiliates. All rights reserved. Page 13 of 32

System and platform capabilities

Feature Description and benefits

© 2023 Cisco and/or its affiliates. All rights reserved. Page 14 of 32

Feature Description and benefits

● Template programmer and command runner

Table 6. Correlated insights

Wireless insights Client onboarding

Network coverage and capacity

© 2023 Cisco and/or its affiliates. All rights reserved. Page 15 of 32

Network device monitoring

Sensor issues Sensor onboarding

● Excessive onboarding time

● Excessive IP addressing time

● Outlook web response time

● SSH server response time

● FTP server response time

Routing issues Router health

● IP SLA to SP gateway connectivity

© 2023 Cisco and/or its affiliates. All rights reserved. Page 16 of 32

Switching issues Client onboarding

● Client or device DNS

● Ternary Content-Addressable Memory (TCAM) table

SD-Access issues Border and edge reachability

● Border node health

● Network services DHCP, DNS, AAA

● Edge node policy

● Client authentication or authorization

© 2023 Cisco and/or its affiliates. All rights reserved. Page 17 of 32

SD-Access platform scale

Table 7. Cisco SD-Access control plane node scale

Cisco SD-Access control plane node scale