Lab 8 - Service Operations

The information in this section is provided for reference only: the configuration pages mentioned are visible in the lab setup, but the actual operations (e.g., cloud activation, config restore, etc.) cannot be performed on the lab system.

More information can be found in the Cisco DNA Assurance User Guide (Release 2.3.5).

Prerequisites

Deploy the following packages, in the order listed, to enable Smart Grouping and Spoofing Detection; both features are part of the AI Endpoint Analytics application.

  1. Application Registry
  2. Application Policy
  3. Application Visibility Service
  4. AI Endpoint Analytics

Cloud activation

The Cisco AI Analytics feature set is not enabled by default on a Cisco Catalyst Center appliance, because exporting data to the cloud platform and processing it there requires the user's explicit consent.

Make sure to review the Cisco Catalyst Center Privacy Data Sheet prior to the activation.

The one-click activation is managed via the Cisco AI Analytics Settings page:

  • Go to: Menu > System > Settings > External Services > Cisco AI Analytics
  • Click on the Configure button and follow the instructions:

Cisco AI Analytics Settings Page

During the cloud onboarding, the user has to select the region where the data will be exported and processed. The choice should take proximity and data regulations into account; the available options are:

  • Europe (Germany)
  • US East (N. Virginia)

Alternatively, a previously backed up configuration file can be restored, using the Recover from a config file option.

Configuration

The Cisco AI Analytics configuration consists of details such as:

  • the Deployment ID (or Customer ID):
    Along with the cloud region selected during the registration process, it uniquely identifies the deployment in the cloud.
  • the certificate used to authenticate the communication with the cloud endpoint.
  • the anonymization key used to encrypt (and decrypt) the PII fields of the exported data.

Note

When a TAC case is opened for support on any of the Cisco AI Analytics features, it's important to provide the Deployment ID and the cloud region information, so that TAC and the Cisco Engineering team can identify the setup and verify the status of data ingestion and processing from the cloud side. However, the certificate and anonymization keys are confidential information that should be private to the customer and must not be shared with anyone, including Cisco TAC.

Config backup and restore

The Cisco AI Analytics configuration is backed up as part of the Cisco Catalyst Center appliance-wide backup.

The certificate used to authenticate the cloud access is automatically refreshed every 12 months. For that reason, and to ensure that the config can be restored on a new Cisco Catalyst Center in case of an appliance reinstallation or replacement (independently from a full system restore), it's highly recommended to periodically back up the configuration file directly from the settings page:

  • Go to: Menu > System > Settings > External Services > Cisco AI Analytics
  • Click on Download configuration file

Cisco AI Analytics - Download Config

Note

The configuration file is intended to be used on a single Cisco Catalyst Center appliance at any given point in time. If the same config is used on more than one appliance, the exported data from all appliances will be merged in the cloud, which may cause data inconsistencies. If this happens, the UI will show a warning notification; to resolve the issue, remove the configuration from all the Cisco Catalyst Center appliances except one. If you need to use the Cisco AI Analytics features on more than one Cisco Catalyst Center appliance, register a dedicated Deployment ID on each appliance.

Data privacy and security considerations

The Cisco AI Analytics solution was designed with data privacy and security in mind.

On top of applying industry best practices for authentication of the cloud service and data encryption in transit and at rest, all the Personally Identifiable Information (PII) included in the exported telemetry data goes through an additional layer of security: it is encrypted with a deterministic AES-based algorithm before being exported to the cloud, using an encryption key that is generated on the on-prem appliance during the onboarding process and never exported to the cloud.

This means that details such as usernames, IP and MAC addresses, and device and location names are available in the cloud platform only in their anonymized version; only the users of the on-prem appliance can access their cleartext values (decrypted on the fly by the agent, just before being displayed on the UI).
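The following is an added example, not Cisco's code and not part of the original guide, showing what deterministic encryption of a PII field looks like: the same value always maps to the same token, and only the key holder can reverse it. It assumes an SIV-style construction (HMAC-SHA256 synthetic IV plus AES-CTR), since the guide does not name the actual AES mode; the function names, keys and MAC address are constructed for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Assumption: SIV-style stand-in (HMAC-SHA256 synthetic IV + AES-CTR); not the product's code.
// siv derives the IV from the plaintext itself, which makes encryption repeatable.
func siv(macKey, pt []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(pt)
	return m.Sum(nil)[:aes.BlockSize]
}

// Hide deterministically encrypts one PII field: equal inputs give equal tokens.
func Hide(block cipher.Block, macKey []byte, field string) string {
	iv := siv(macKey, []byte(field))
	ct := make([]byte, len(field))
	cipher.NewCTR(block, iv).XORKeyStream(ct, []byte(field))
	return hex.EncodeToString(append(iv, ct...))
}

// Reveal decrypts a token with the on-prem keys and rejects modified tokens.
func Reveal(block cipher.Block, macKey []byte, token string) (string, error) {
	raw, err := hex.DecodeString(token)
	if err != nil || len(raw) < aes.BlockSize {
		return "", fmt.Errorf("malformed token")
	}
	iv, pt := raw[:aes.BlockSize], make([]byte, len(raw)-aes.BlockSize)
	cipher.NewCTR(block, iv).XORKeyStream(pt, raw[aes.BlockSize:])
	if !hmac.Equal(iv, siv(macKey, pt)) {
		return "", fmt.Errorf("token failed integrity check")
	}
	return string(pt), nil
}

func main() {
	// Constructed demo keys; the real key is generated on the appliance at onboarding.
	block, _ := aes.NewCipher([]byte("demo-enc-key-0123456789abcdef!!!"))
	macKey := []byte("demo-mac-key-0123456789abcdef!!!")
	tok := Hide(block, macKey, "00:11:22:33:44:55") // constructed MAC address
	fmt.Println(tok, tok == Hide(block, macKey, "00:11:22:33:44:55"))
	fmt.Println(Reveal(block, macKey, tok))
}
```

Because equal inputs yield equal tokens, the cloud side can still count and correlate per-endpoint records without the key. The same property means token equality is visible to anyone holding the exported data, which is the usual trade-off of deterministic encryption.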

The only exception is the export of Syslog messages as part of the new Event Analytics feature: by default the message text is not exported, and only upon user consent is it exported in cleartext.

More information on data privacy and security can be found in the Cisco Catalyst Center Privacy Data Sheet.

Note

The details about Cisco AI Analytics features in the Cisco Catalyst Center Privacy Data Sheet can be found in Addendum 1 and Addendum 2.