CCNA 200-301 | Chapter 100 of 260 | Objective 6.2

Cisco DNA Center

Cisco DNA Center is the cornerstone of intent-based networking and network automation in the modern enterprise. For the CCNA 200-301 exam, understanding DNA Center is critical because it represents how Cisco is shifting from CLI-based management to centralized, software-driven control. This chapter covers exam objective 6.2 (Automation – Cisco DNA Center) and will prepare you to answer questions about its architecture, features, deployment models, and integration with other automation tools. In real network engineering, DNA Center is becoming the standard for managing campus networks, so knowing its capabilities is essential for any network professional.

Updated May 31, 2026

The Air Traffic Control System

Imagine a busy international airport with dozens of flights arriving and departing every hour. Before air traffic control (ATC) was centralized, each pilot had to communicate with individual ground crews and make decisions based on local information, leading to inefficiencies and near-misses. Now, ATC has a single radar screen showing every aircraft's position, speed, altitude, and flight plan. Controllers can see the big picture, predict conflicts, and issue commands that ensure safe and efficient operations.

Cisco DNA Center is like that ATC system for your network. Instead of logging into each switch or router individually (like each pilot talking to a local tower), DNA Center provides a centralized dashboard that discovers all network devices, collects their configurations and operational data, and displays them on a map or topology view. It continuously monitors network health, traffic flows, and device status, just as radar tracks aircraft. When a new policy is needed (e.g., 'guest users should only access the internet'), DNA Center translates that high-level intent into device-specific configurations and pushes them out, like ATC issuing a new flight path to all affected aircraft. If a device fails or a link becomes congested, DNA Center alerts the administrator and can even suggest or automate remediation, similar to how ATC reroutes planes around a storm. Without DNA Center, managing a large network is like running an airport without radar – chaotic and error-prone.

How It Actually Works

What is Cisco DNA Center?

Cisco DNA Center (formerly APIC-EM) is the management and automation platform for Cisco's Digital Network Architecture (DNA). It provides a single pane of glass for designing, provisioning, configuring, and monitoring campus networks. DNA Center operates on the principle of intent-based networking: you define what you want (the 'intent'), and the system figures out how to implement it across the network devices.

DNA Center is not just a GUI for CLI commands; it uses a model-driven approach, interacting with devices via APIs (NETCONF, RESTCONF) and protocols like SNMP, SSH, and CLI. It can manage both traditional IOS/IOS-XE devices and newer platforms that support full programmability.

Architecture and Components

DNA Center has a two-tier architecture:
- DNA Center Appliance: The physical or virtual server that runs the DNA Center software. It provides the GUI, REST APIs, and backend services (inventory, automation, assurance, etc.).
- DNA Center Controllers (optional): In larger deployments, additional appliances can be added for scale and redundancy.

Key components within DNA Center:
- Design: Create network hierarchies (sites, buildings, floors), network profiles, and device templates.
- Policy: Define access policies (e.g., segmentation, QoS) that are enforced across the network.
- Provision: Automate device onboarding, software image updates, and configuration deployment.
- Assurance: Monitor network health, client experience, and proactively detect issues using telemetry and analytics.
- Platform: Provides APIs for integration with external systems (ITSM, IPAM, etc.).

How DNA Center Discovers and Manages Devices

Discovery is the first step. DNA Center uses a seed IP address and credentials (SNMP, SSH, CLI) to discover devices. It then learns the network topology via CDP/LLDP and builds an inventory. The discovery process typically uses:
- SNMP: To read device information (sysName, sysDescr, interfaces, etc.) and topology.
- SSH/CLI: To execute show commands for more detailed data (e.g., running config, VLANs).
- NETCONF: If supported, for model-driven data retrieval.

After discovery, DNA Center continuously updates the inventory via periodic polling or event-driven notifications (e.g., SNMP traps, syslog).

Intent-Based Networking Workflow

The typical workflow in DNA Center follows these steps:
1. Design: Create a site hierarchy (e.g., Campus > Building > Floor) and define network settings (SSIDs, VLANs, IP pools).
2. Profile: Create device profiles that define roles (e.g., access switch, distribution switch) and associated configurations.
3. Provision: Assign devices to sites and profiles. DNA Center generates the final configuration and pushes it to the device.
4. Assurance: Monitor the network to verify that the intent is being met. If not, alerts are generated.

Key Features for the CCNA Exam

Plug and Play (PnP): Zero-touch provisioning of new switches and routers. A new device boots up, contacts DNA Center (via DHCP option 43 or DNS), downloads its configuration, and becomes operational without manual intervention.

SD-Access: Software-Defined Access is a major DNA Center feature that enables fabric-based segmentation and automation. However, for CCNA, you only need to know that DNA Center is the controller for SD-Access.

Cisco DNA Assurance: Uses telemetry from devices and clients to compute a 'health score' for the network, devices, and clients. It can pinpoint issues like high latency, packet loss, or poor RF conditions.

Network Data Platform (NDP): The big data engine behind Assurance, collecting streaming telemetry from devices.

Deployment Models

DNA Center can be deployed in three ways:
- On-Premises: The appliance is installed in your data center. You manage it entirely.
- Cloud: DNA Center is hosted in Cisco's cloud. (Less common for campus, more for SD-WAN.)
- Hybrid: Some functions on-prem, some in cloud.

For CCNA, focus on on-premises deployment, as it's the most common for campus networks.

Interaction with Other Protocols

NETCONF/YANG: DNA Center uses NETCONF to push configurations to devices that support it. YANG models define the data structures.

RESTCONF: A RESTful alternative to NETCONF, using HTTP/HTTPS.

SNMP: Used for legacy device monitoring and discovery.

DHCP: For PnP, DHCP option 43 points the new device to the DNA Center.

DNS: For PnP, a DNS query for 'pnpserver' can also direct devices to DNA Center.

Verification Commands

While DNA Center is GUI-centric, you can verify its operation from the appliance CLI (via SSH to the DNA Center appliance) and from managed devices:

From DNA Center CLI:

maglev shell
show status

From a managed switch (to verify connectivity to DNA Center):

show ip http server status
show netconf-yang sessions

Example output:

Switch# show netconf-yang sessions

RPC ID    Session ID    Transport    Username    Source Host        Login Time
--------- ------------- ------------ ----------- ------------------ -------------------
12345     678           netconf      admin       10.10.10.1         2023-08-15T10:30:00
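A review of that session table from the device side, as an added example that is not part of the original page: it parses output in the column layout shown above and flags NETCONF sessions that do not come from the controller or do not use the approved account. The extra rows, the allow-lists and the function names are constructed assumptions.

```python
# Added example: audit "show netconf-yang sessions" output in the page's layout.
import ipaddress
from collections import namedtuple

Session = namedtuple(
    "Session", "rpc_id session_id transport username source login_time")

# Constructed sample: the first row is the page's own, the other two are made up.
SAMPLE_OUTPUT = """\
Switch# show netconf-yang sessions

RPC ID    Session ID    Transport    Username    Source Host        Login Time
--------- ------------- ------------ ----------- ------------------ -------------------
12345     678           netconf      admin       10.10.10.1         2023-08-15T10:30:00
12346     679           netconf      admin       192.0.2.50         2023-08-15T11:02:17
12347     680           netconf      netops      10.10.10.1         2023-08-15T11:05:40
"""


def parse_netconf_sessions(output):
    """Return one Session per data row found below the dashed separator."""
    sessions, in_table = [], False
    for line in output.splitlines():
        stripped = line.strip()
        if stripped.startswith("---"):
            in_table = True
            continue
        parts = stripped.split()
        if in_table and len(parts) == 6:  # skip blanks, prompts, short rows
            sessions.append(Session(*parts))
    return sessions


def unexpected_sessions(sessions, controllers, service_accounts):
    """Return (session, reasons) for sessions outside the allow-lists."""
    allowed = {ipaddress.ip_address(c) for c in controllers}
    flagged = []
    for s in sessions:
        reasons = []
        try:
            known_source = ipaddress.ip_address(s.source) in allowed
        except ValueError:  # a hostname or garbage in the Source Host column
            known_source = False
        if not known_source:
            reasons.append("source host is not a known controller")
        if s.username not in service_accounts:
            reasons.append("username is not an approved service account")
        if reasons:
            flagged.append((s, reasons))
    return flagged


if __name__ == "__main__":
    rows = parse_netconf_sessions(SAMPLE_OUTPUT)
    for session, reasons in unexpected_sessions(rows, ["10.10.10.1"], {"admin"}):
        print(session.session_id, session.source, session.username, reasons)
```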

How it Works at the Packet Level (PnP Example)

1. A new switch boots up with factory default config.

2. It sends a DHCP request. The DHCP server offers an IP and option 43 with the DNA Center IP.

3. The switch sends a PnP discovery message to DNA Center via HTTPS (TCP port 443).

4. DNA Center authenticates the switch (based on serial number or certificate) and assigns a site/profile.

5. DNA Center sends the configuration (as a CLI template or NETCONF payload) to the switch.

6. The switch applies the config and becomes operational.
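Because step 2 is where a new device learns which controller to trust, the option 43 value in each DHCP scope is worth auditing. The check below is an added example, not part of the original page: it assumes the ASCII option 43 layout Cisco documents for PnP (a leading 5A1N field, B2 for an IPv4 address, K4 for HTTP or K5 for HTTPS, I for the server address, J for the port), and the scope names, addresses and function names are constructed.

```python
# Added example (not from the original page): audit a PnP DHCP option 43 value.
import ipaddress

TRANSPORTS = {"K4": "http", "K5": "https"}
ADDR_TYPES = {"B1": "hostname", "B2": "ipv4", "B3": "ipv6"}


def parse_pnp_option43(value):
    """Split a PnP option 43 ASCII string into its subfields."""
    fields = [f.strip() for f in value.strip().strip('"').split(";") if f.strip()]
    if not fields or not fields[0].startswith("5A"):
        raise ValueError("not a PnP option 43 string (expected a leading 5A field)")
    parsed = {"addr_type": None, "transport": None, "server": None, "port": None}
    for field in fields[1:]:
        if field in ADDR_TYPES:
            parsed["addr_type"] = ADDR_TYPES[field]
        elif field in TRANSPORTS:
            parsed["transport"] = TRANSPORTS[field]
        elif field.startswith("I"):
            parsed["server"] = field[1:]
        elif field.startswith("J"):
            parsed["port"] = int(field[1:])  # raises ValueError if not numeric
    return parsed


def same_host(a, b):
    """Compare as IP addresses; fall back to case-insensitive names."""
    try:
        return ipaddress.ip_address(a) == ipaddress.ip_address(b)
    except ValueError:
        return a.lower() == b.lower()


def check_pnp_option43(value, expected_controller, expected_port=443):
    """Return findings; an empty list means the scope matches policy."""
    try:
        p = parse_pnp_option43(value)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    if p["server"] is None:
        findings.append("no controller address (I field)")
    elif not same_host(p["server"], expected_controller):
        findings.append(f"points to {p['server']}, expected {expected_controller}")
    if p["transport"] != "https":
        findings.append("transport is not HTTPS (K5)")
    if p["port"] != expected_port:
        findings.append(f"port is {p['port']}, expected {expected_port}")
    return findings


# Constructed sample scopes; 10.10.10.1 stands in for the DNA Center address.
SAMPLE_SCOPES = {
    "vlan10": "5A1N;B2;K5;I10.10.10.1;J443",
    "vlan20": "5A1N;B2;K4;I10.10.10.1;J80",
    "vlan30": "5A1N;B2;K5;I10.10.20.5;J443",
}

if __name__ == "__main__":
    for scope, value in SAMPLE_SCOPES.items():
        print(scope, check_pnp_option43(value, "10.10.10.1") or "OK")
```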

Key Defaults and Timers

PnP discovery retry interval: 5 minutes (default)

PnP timeout: 30 minutes (after which the switch falls back to local config)

DNA Center polls devices every 5 minutes for health data (configurable)

Assurance data retention: 30 days (default)

Walk-Through

1. Deploy DNA Center Appliance

First, install the DNA Center appliance (physical or virtual). For the exam, know that the physical appliance comes in three sizes: small (up to 500 devices), medium (up to 1000 devices), and large (up to 3000 devices). The virtual appliance runs on VMware ESXi. After installation, access the GUI via HTTPS using the appliance's IP address. The initial setup wizard will ask for basic network settings (IP, subnet, gateway, DNS). You also configure the admin password and optionally integrate with AAA (RADIUS/TACACS+). This step is typically done once and sets the foundation for all subsequent management.

2. Configure Network Settings and Discovery

In the DNA Center GUI, navigate to Design > Network Settings. Here you define global settings like DNS, NTP, DHCP, and SNMP credentials. Next, go to Discovery and create a new discovery job. Provide a seed IP address (e.g., the management IP of your core switch), SNMP read/write community strings (or SNMPv3 credentials), and CLI credentials (SSH username/password). Discovery uses SNMP to find the seed device and then uses CDP/LLDP to discover neighbors recursively. The process can take minutes to hours depending on network size. After discovery, devices appear in Inventory with their status (Managed, Unmanaged, etc.).

3. Design Site Hierarchy and Profiles

Go to Design > Network Hierarchy. Create a site hierarchy that matches your physical network (e.g., Corporate > Building A > Floor 1). Then, under Design > Network Profiles, create device profiles. For example, an 'Access Switch' profile might include VLANs, spanning-tree settings, and port configurations. Profiles can be assigned to specific sites. Also, define IP address pools (under Design > IP Address Management) that will be used for device management or user subnets. This step is critical because it translates your network design into a structured model that DNA Center can use for provisioning.

4. Provision Devices with Configuration

Navigate to Provision > Inventory. Select a device and click 'Assign to Site' to map it to a location in your hierarchy. Then, 'Apply Profile' to push the appropriate configuration. DNA Center generates a configuration based on the profile and site settings, then deploys it to the device via NETCONF or CLI. You can schedule the deployment for a maintenance window. During deployment, DNA Center shows a progress bar and logs any errors. After successful deployment, the device's status changes to 'Managed'. You can also use 'Plug and Play' for zero-touch provisioning of new devices.

5. Monitor with Assurance

Go to Assurance > Dashboard. Here you see overall network health (0-10 scale), client health, and device health. Click on a device to see detailed metrics: CPU, memory, interface errors, etc. Assurance uses streaming telemetry from devices (via NETCONF or SNMP) to compute health scores. You can set thresholds for alerts (e.g., interface utilization > 80%). Assurance also provides 'Client 360' view to troubleshoot a specific client's connectivity issues. This step is where DNA Center proves its value in proactive monitoring and fault isolation.

6. Integrate with External Systems

DNA Center has a rich set of REST APIs. Go to Platform > Developer Toolkit to explore API documentation. You can use APIs to automate tasks like adding devices, retrieving health data, or triggering actions. Integration with IT Service Management (ITSM) tools like ServiceNow allows DNA Center to create tickets automatically when issues are detected. Also, you can integrate with IP Address Management (IPAM) systems like Infoblox to sync IP pools. For the exam, know that DNA Center supports northbound REST APIs and southbound NETCONF/RESTCONF/SNMP.

What This Looks Like on the Job

In a typical enterprise campus with thousands of users, managing network devices manually is impractical. For example, a university with 500 access switches spread across 50 buildings would require a team of engineers spending weeks to upgrade IOS images or reconfigure VLANs. With DNA Center, the network team can create a single 'Access Switch' profile and apply it to all switches in a building. A simple change to the profile (e.g., adding a new voice VLAN) can be pushed to hundreds of switches in minutes during a maintenance window.

Another scenario: A hospital needs to enforce strict segmentation between IoT medical devices and the main patient network. Using DNA Center's Policy feature, the administrator defines a macro-level policy: 'All IoT devices must be in VLAN 100 and cannot communicate with the data center.' DNA Center translates this into device-specific ACLs and VLAN configurations and deploys them consistently across all access switches. This ensures compliance without per-switch CLI changes.

A common pitfall: An engineer configures a device profile with incorrect SNMP community strings. When DNA Center tries to provision, it fails because it cannot authenticate to the device. The engineer then spends hours troubleshooting, only to realize the credentials were wrong. DNA Center does not validate credentials until deployment time, so always double-check credentials in the profile.

Performance considerations: DNA Center appliances have device limits. Exceeding the limit can cause slow GUI response and missed polls. Also, Assurance requires significant storage for telemetry data (default retention 30 days). In large networks, consider using the medium or large appliance and archiving older data to external storage.

How CCNA 200-301 Actually Tests This

The CCNA 200-301 exam objective 6.2 (Automation – Cisco DNA Center) focuses on understanding the purpose, architecture, and key features of DNA Center, not hands-on configuration. Expect questions about:

What DNA Center is and its role in intent-based networking.

The difference between traditional network management and DNA Center.

Key features: Plug and Play, Assurance, SD-Access (conceptual).

How DNA Center communicates with devices (NETCONF, RESTCONF, SNMP, SSH).

The deployment models (on-prem, cloud, hybrid).

Common wrong answers:
1. 'DNA Center replaces the CLI entirely' – No, DNA Center uses APIs and CLI under the hood; CLI is still available for direct access.
2. 'DNA Center only works with SD-Access' – No, it can manage traditional networks as well.
3. 'DNA Center is a cloud-only solution' – No, it can be deployed on-premises.
4. 'Plug and Play requires manual configuration of each new device' – No, PnP automates the entire provisioning.

Specific values: Know that PnP uses DHCP option 43 or DNS to direct devices to DNA Center. The default polling interval for Assurance is 5 minutes. Data retention is 30 days.

Elimination strategy for scenario questions: If a question asks about automating device provisioning, look for answers that mention 'Plug and Play' or 'zero-touch'. If it's about monitoring, look for 'Assurance' or 'health scores'. If it's about policy, look for 'intent-based' or 'SD-Access'.

Key Takeaways

DNA Center is the management platform for Cisco's intent-based networking, providing centralized design, policy, provision, and assurance.

It communicates with devices via NETCONF, RESTCONF, SNMP, and SSH; northbound APIs are RESTful.

Plug and Play (PnP) automates zero-touch provisioning using DHCP option 43 or DNS to locate DNA Center.

Assurance uses streaming telemetry to compute health scores (0-10) for network, devices, and clients.

DNA Center can be deployed on-premises (physical or virtual) or in the cloud; on-prem is common for campus.

Key features for CCNA: PnP, Assurance, SD-Access (conceptual), and network discovery via SNMP/CDP/LLDP.

Default polling interval for assurance data is 5 minutes; data retention is 30 days.

DNA Center does not replace CLI; it uses automation to reduce manual CLI tasks.

Easy to Mix Up

These come up on the exam all the time. Here's how to tell them apart.

Traditional CLI Management

Requires manual SSH/telnet to each device

Configuration changes are error-prone and time-consuming

Monitoring is reactive (SNMP traps, syslog)

Scaling to hundreds of devices is difficult

No centralized policy enforcement

DNA Center Management

Centralized GUI and API-based management

Automated configuration deployment via profiles and templates

Proactive monitoring with health scores and telemetry

Designed for large-scale networks (up to 3000 devices per appliance)

Intent-based policy: define what you want, not how to do it

Watch Out for These

Mistake

DNA Center is only for SD-Access networks.

Correct

DNA Center can manage both traditional (non-fabric) networks and SD-Access fabric networks. It is a general-purpose management platform.

Cisco markets DNA Center heavily with SD-Access, leading candidates to think it's exclusive to that technology.

Mistake

DNA Center replaces the need for SSH and CLI access to devices.

Correct

DNA Center uses APIs and CLI under the hood, but administrators can still SSH into devices directly for troubleshooting. DNA Center is not a replacement for CLI access.

The term 'automation' suggests that manual access is obsolete, but in practice, CLI is still used for break-fix scenarios.

Mistake

Plug and Play requires a dedicated server for DHCP.

Correct

PnP works with any standard DHCP server that supports option 43. The DHCP server does not need to be a Cisco appliance.

Candidates may think PnP requires a Cisco-specific infrastructure, but it uses standard DHCP extensions.

Mistake

DNA Center Assurance requires all devices to be part of an SD-Access fabric.

Correct

Assurance works with any device that supports telemetry (via NETCONF or SNMP), even in traditional networks.

Assurance is often associated with SD-Access, but it is a separate feature that can be used independently.

Frequently Asked Questions

What is the difference between DNA Center and Cisco Prime Infrastructure?

Cisco Prime Infrastructure is an older network management platform focused on monitoring and basic configuration management. DNA Center is the next-generation platform that adds intent-based networking, automation, assurance, and SD-Access capabilities. DNA Center has a more modern architecture with REST APIs, model-driven configuration, and streaming telemetry. Cisco has announced end-of-sale for Prime Infrastructure, and DNA Center is its successor. For the CCNA exam, know that DNA Center is the current standard.

Can DNA Center manage devices from other vendors?

No, DNA Center is designed to manage Cisco devices exclusively. It uses Cisco-specific features like CDP, Cisco-specific YANG models, and Cisco IOS commands. It cannot manage switches or routers from other vendors. In a multivendor environment, you would need a separate management platform for non-Cisco devices. The CCNA exam focuses on Cisco-only networks, so this is not a major concern.

What is the role of the DNA Center appliance in SD-Access?

In SD-Access, DNA Center serves as the controller that defines the fabric, policies, and automation. It communicates with the fabric edge nodes, control plane nodes, and border nodes to set up VXLAN tunnels, LISP mappings, and group-based policies. Without DNA Center, SD-Access cannot function. For the CCNA, you only need a high-level understanding that DNA Center is the brain of SD-Access.

Does DNA Center require a license?

Yes, DNA Center requires a subscription license. There are different tiers: DNA Essentials (basic automation and assurance) and DNA Advantage (advanced features like SD-Access and advanced assurance). Devices must have the appropriate DNA license to be managed. For the CCNA exam, you should know that licensing is required, but you don't need to memorize license types.

How does DNA Center ensure high availability?

DNA Center supports high availability through a cluster of appliances (active/standby or active/active). The cluster shares a virtual IP address and synchronizes data. If the active node fails, the standby takes over. Additionally, DNA Center can be backed up to an external server. For the exam, know that HA is supported but details are not required.

What is the difference between DNA Center and Cisco Catalyst Center?

Cisco Catalyst Center is the new name for DNA Center as of 2023. The product is the same; only the branding changed to align with the Catalyst switching family. For the CCNA exam, the term 'DNA Center' is still used in the objectives, but you may see 'Catalyst Center' in newer materials. They are synonymous.

Can I use DNA Center to manage routers and wireless controllers?

Yes, DNA Center can manage Cisco routers (ISR, ASR) and wireless LAN controllers (WLCs) in addition to switches. For wireless, DNA Center can configure SSIDs, RF profiles, and AP join settings. However, some advanced wireless features may still require direct WLC access. The CCNA exam expects you to know that DNA Center manages the entire campus network, including wired and wireless.
