Automation & Programmability Intermediate

Cisco DNA Center / Catalyst Center

Cisco's centralized network controller for enterprise campus + branch. What it does (assurance, automation, SD-Access), how it sits relative to traditional CLI, and what a CCNA candidate needs to recognize.

TL;DR

Cisco DNA Center (rebranded Catalyst Center in 2024) is the central appliance that controls, automates, and monitors a campus network — switches, routers, APs, ISE.
Three pillars: **Automation** (push config, swap devices, ZTP), **Assurance** (telemetry, AI insights, root-cause), **SD-Access** (intent-based segmentation with fabrics, VNs, SGTs).
Drives the network via REST APIs and templates rather than per-device CLI — but you can still SSH to any device if you need to.

Mental model

Traditional campus operations: every switch, router, AP, and ISE node is configured individually via CLI. Adding a new site? Forty CLI sessions. Pushing a new VLAN to 200 access switches? A scripted CLI loop you hope works.

Cisco’s bet with DNA Center (and the broader Cisco Catalyst Center brand from 2024) is that a single appliance can:

Discover and inventory every device on the network.
Push intent (templates + policies) to all of them centrally.
Continuously collect telemetry (streaming, not SNMP) and reason about it with built-in AI.
Onboard new devices with zero-touch via Plug-and-Play.
Define network behavior as policy instead of per-port commands (SD-Access).

It’s the same SDN pattern as in SDN Controllers, targeted at the campus/branch instead of the WAN.

What runs DNA Center

A physical or virtual appliance running on Cisco hardware (DN2 series — basically a beefy UCS server preinstalled). Several SKUs based on scale:

DN2-HW-APL — small (small campus)
DN2-HW-APL-L — medium
DN2-HW-APL-XL — large
Cluster of 3 for HA and scale

The appliance hosts a containerized stack — microservices for inventory, telemetry ingestion, policy engine, assurance correlation, GUI, REST API. You don’t manage the containers; you just use the GUI and APIs.

The three pillars

1. Automation

Day-1 / day-2 config push from a central place:

Discovery — find every device by IP range, CDP, LLDP. Build an inventory.
Templates — Jinja2-style config templates with variables. Push to many devices at once.
Plug-and-Play — ship a switch unconfigured. It boots, calls home to DNAC, gets its config and IOS image, joins the fabric.
Software Image Management (SWIM) — schedule IOS upgrades across the fleet. Pre-checks, post-checks, rollback if something fails.
Compliance — defines a “golden config.” Continuously checks every device against it; flags drift.
Workflows — orchestrated multi-step changes (e.g., “decommission this switch” = drain traffic + reroute + power-down).

2. Assurance

Continuous telemetry plus AI-driven correlation. Where traditional NMS shows you SNMP graphs, Assurance answers questions like:

“Why did user X’s Wi-Fi performance drop at 14:32?” → root cause: AP firmware bug + 5 GHz channel interference.
“Which clients have intermittent connectivity?” → list with auto-grouping by symptom.
“Health of the network right now?” → composite health score 0-10 per category.

Behind it:

Streaming telemetry (gRPC, NETCONF subscriptions — see NETCONF & YANG) from devices every few seconds.
AI/ML correlation — pattern detection across thousands of metrics, looking for anomalies and known signatures.
Path trace — visualize the actual path traffic takes between two endpoints, with per-hop stats.
Sensor data — APs and Catalyst 9000 switches can act as wireless/wired test probes (synthetic transactions).

3. SD-Access

The “intent-based networking” piece. Instead of configuring VLANs, ACLs, and trunks per switch, you define:

Virtual Networks (VNs) — analogous to VRFs.
Scalable Group Tags (SGTs) — security groups assigned per user/device at login.
Group-Based Access Control (GBAC) policy — “Employees can talk to Servers; Contractors cannot.”

DNAC translates that intent into LISP/VXLAN/BGP-EVPN config on the underlying fabric and pushes it. End users never see the underlying complexity.

The fabric uses VXLAN for encapsulation, LISP for endpoint mapping, CTS / TrustSec / SGT for identity-based security. CCNA scope is “recognize and describe” — full SD-Access implementation is CCNP / CCIE territory.

CCNA-level depth

For the CCNA 200-301 exam, you should know:

What DNA Center is — controller for campus / branch.
The three pillars — automation, assurance, SD-Access.
Where it sits in the architecture diagram — north of the network (between admins and devices). Talks south to devices via NETCONF/RESTCONF/SSH; talks north to humans and external systems via REST API.
Compared to traditional management — replaces per-device CLI with centralized intent + automation.
Compared to SD-WAN’s vManage — different product, same SDN architecture pattern. DNAC = campus. vManage = WAN.

You won’t be configuring SD-Access fabrics on the CCNA exam.

The northbound API

Everything DNAC’s GUI does, you can do via REST:

# Get inventory
GET https://dnac.example.com/dna/intent/api/v1/network-device

# Push a config template
POST https://dnac.example.com/dna/intent/api/v1/template-programmer/template/version/deploy

# Run a path trace
POST https://dnac.example.com/dna/intent/api/v1/flow-analysis

The auth flow is token-based — login once, get a token, attach it to every subsequent call. Standard REST patterns (see REST APIs).

DevNet has a sandbox at sandboxdnac.cisco.com (free) — you can play with the API without buying hardware.

DNA Center vs Catalyst Center — the rebrand

In 2024, Cisco rebranded Cisco DNA Center → Cisco Catalyst Center. Same product, same APIs, new badge. Catalyst Center is part of the broader Catalyst portfolio (Catalyst switches, Catalyst APs, Catalyst Center, Catalyst SD-WAN).

For CCNA: know both names. Older study materials say DNA Center; new ones say Catalyst Center.

When DNAC is the right tool

Scenario	DNAC fit
Single small campus, 5 switches	Overkill. Stick with CLI.
50+ branches, lots of churn	Strong fit — automation pays for itself fast.
Compliance-heavy environment	Strong fit — continuous compliance + audit reports.
You want SD-Access (intent-based segmentation)	DNAC is the only way to deploy it.
Multi-vendor environment (Cisco + Juniper + Arista)	Limited — DNAC manages Cisco well, others poorly. Look at multi-vendor tools.
Just want a faster NMS	DNAC isn’t a drop-in NMS replacement — it’s a controller. Heavier than PRTG.

Common mistakes

Assuming DNAC manages SD-WAN. It doesn’t. SD-WAN is a separate product (vManage / Catalyst SD-WAN). They integrate but they’re not the same controller.
Bypassing DNAC by CLI. If you SSH into a switch DNAC manages and change config, DNAC sees the drift on next scan and either restores intent or alerts. Either way, it’s the wrong way to work — use DNAC’s interface or accept the drift cost.
Underestimating discovery sizing. Inventory of a large network = lots of streaming telemetry. Spec the appliance for what you actually have, not what you wish you had.
Buying SD-Access without ISE. SD-Access policy enforcement requires ISE (Identity Services Engine) for SGT assignment. They’re sold together for a reason.
Confusing Catalyst Center with Meraki Dashboard. Meraki is a separate cloud-managed product line — different controller, different hardware, different SKU. Cisco sells both; pick one, don’t try to mix.
Mistaking telemetry for monitoring. Assurance gives you insights, not raw graphs. If your team only wants “is the switch up?” SNMP polling, DNAC is overkill — buy a simpler NMS.

Lab to try tonight

Reserve a DNAC sandbox on Cisco DevNet (developer.cisco.com → Sandboxes → DNA Center Always-On). Free, no Cisco account needed.
Log into the GUI. Look at the inventory page — see the pre-loaded sample devices.
Open the topology view. Note how DNAC discovers physical connections via CDP/LLDP.
Try a path trace from one client to another. Inspect the per-hop stats.

Hit the REST API:

POST /dna/system/api/v1/auth/token   (with HTTP basic auth)
GET  /dna/intent/api/v1/network-device  (with X-Auth-Token header)

Compare the JSON response to what you saw in the GUI — same data, different surface.
Bonus: explore the Assurance dashboards. Click into a “client health issue” and walk the AI-suggested root cause.

Cheat strip

Concept	Plain English
DNA Center / Catalyst Center	Cisco’s central controller for campus + branch networks
Three pillars	Automation, Assurance, SD-Access
Automation	Templates, PnP, SWIM, compliance — push config from one place
Assurance	Streaming telemetry + AI = root-cause analysis
SD-Access	Intent-based segmentation using VXLAN + LISP + SGT
Virtual Network (VN)	Like a VRF — isolated routing instance
SGT	Scalable Group Tag — identity-based segmentation. Pairs with ISE
Northbound API	REST — call DNAC from outside
Southbound	NETCONF / RESTCONF / SSH — DNAC to devices
vManage	DNAC’s WAN cousin — separate product for SD-WAN
CCNA depth	Recognize the product, three pillars, where it sits. No config.
DevNet sandbox	Free, always-on DNAC for practice

← Previous topic

MPLS Basics

Multi-Protocol Label Switching demystified — labels instead of IP lookups, label distribution (LDP), the P/PE/CE model, MPLS L3VPN, and why MPLS still dominates the WAN backbone.

Next topic →

VRF Basics — Virtual Routing and Forwarding

How a router can pretend to be multiple separate routers with isolated routing tables — VRF-lite vs MPLS-VPN VRFs, RDs/RTs, and the use cases (multi-tenant, management plane, lab isolation).

Master this on a real network

Want this drilled into reflex?

1:1 weekly sessions, live feedback on your labs, and US interview prep — built around the CCNP® exam blueprint. Free first session. No card on file until you decide.

Claim my free session →

One topic per email, every fortnight

VLANs, OSPF, ACLs, subnetting, automation — written like this. Unsubscribe in one click.

We respect your inbox. One email per week, max. Unsubscribe any time.