Troubleshooting Cisco DNA SD-Access from API and Maglev
Parthiv Shah, Technical Leader, Escalation
Akshay Manchanda, Technical Leader, TAC
BRKARC-2016
#CLUS
Agenda
• Cisco DNA Architecture Overview
• Maglev Based Troubleshooting
• Installation/Services Debugging
• Log Collection
• ISE and DNA-Centre Integration
• Device Discovery/Provisioning
#CLUS BRKARC-2016 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Objectives and Assumptions
Objectives
After completing this module you will:
• Understand the Basic DNA Architecture Overview
• Understand Cisco DNAC Maglev Based Troubleshooting
• Understand Cisco DNAC API Based Troubleshooting
Assumptions
The audience must be familiar with:
• APIC-EM and PKI
• Routing/Switching and the Cisco fabric architecture
Note: this session does not cover Cisco Fabric or ISE troubleshooting.
Cisco DNA Architecture Overview
The Cisco DNA Center Appliance
Fully Integrated Automation & Assurance
• Centralized Deployment - Cloud Tethered
• Built-In Telemetry Collectors (FNF, SNMP, Syslog, etc)
• Built-In Contextual Connectors (ISE/pxGrid, IPAM, etc)
• Multi-Node High Availability (3 Node, Automation)
• RBAC, Backup & Restore, Scheduler, APIs
Cisco DNA Center Platform: DN2-HW-APL, 1RU server (small form factor)
• UCS 220 M5S: 64-bit x86
• vCPU: 44 core (2.2GHz) / 56C / 112C
• RAM: 256GB DDR4
• Control Disks: 2 x 480GB SSD RAID1
• System Disks: 6 x 1.9TB SSD M-RAID
• Network: 2 x 10GE SFP+
• Power: 2 x 770W AC PSU
DNAC 1.2 Scale, per node:
• 5,000 Nodes (1K Devices + 4K APs)
• 25,000 Clients (Concurrent Hosts)
DNAC 1.3 Scale, per node:
• Please refer to the DNAC 1.3 Data Sheet
Cisco SD-Access – Key Components (diagram)
• Cisco DNA Center: Automation (NCP, Network Control Platform) and Assurance (NDP, Network Data Platform), both exposed through APIs
• Cisco ISE (Identity Services Engine): Identity and Policy, integrated with Cisco DNA Center over APIs
• Protocols between the controllers and the fabric: NETCONF, SNMP, SSH (automation); HTTPS, NetFlow, Syslog (assurance telemetry); AAA, RADIUS, EAPoL (identity)
Cisco DNA Center and ISE integration – Identity and Policy Automation (diagram)
• Cisco DNA Center hosts the Campus Fabric Management and Policy Authoring workflows
• Cisco DNA Center integrates with Cisco Identity Services Engine over pxGrid and REST APIs
Cisco DNA Center and ISE integration – ISE node roles in SD-Access (diagram): Admin/Operate, Config Sync, Context, Things
Cisco DNA Center Solution Basic Pre-requisite
• Hardware
• Supported Cisco DNA Center Appliance (DN2-HW-APL / DN2-HW-APL-L / DN2-HW-APL-XL)
• Supported switch/router/WLC/AP models
• Software
• Check each platform for the recommended IOS-XE software version
• Check License for planned platforms
• Recommended ISE and Cisco DNA Center software
• Underlay/Overlay
• IP address plan for Cisco DNA Center and ISE
• Check for underlay network / routing configured correctly and devices are reachable
• Reachability to Internet – Direct or Proxy connection
• Access to an NTP server
• Make sure the Cisco DNA Center appliance clock is close to real time (check via CIMC)
Cisco DNA Center Troubleshooting
Cisco DNA Center SD-Access 4 Step Workflow (diagram)
Cisco DNA Center – Maglev Logical Architecture (diagram)
App Stack 1 ... App Stack N run on top of the Maglev Services, which run on top of an IaaS layer (Baremetal, ESXi, AWS, OpenStack etc)
Cisco SD-Access (Fusion) Package Services
• apic-em-event-service: trap events and host discovery; SNMP traps are handled here
• apic-em-inventory-manager-service: provides communication between the inventory and discovery services
• apic-em-jboss-ejbca: certificate authority; enables the controller to act as a certificate authority on the DNAC
• apic-em-network-programmer-service: configures devices; critical service to check during provisioning
• apic-em-pki-broker-service: PKI certificate authority
• command-runner-service: responsible for Command Runner related tasks
• ipam-service: IP Address manager
• network-orchestration-service: critical during provisioning orchestration
• orchestration-engine-service: orchestration service
• pnp-service: PnP tasks
• policy-analysis-service: policy related
• policy-manager-service: policy related
• postgres: core database management system
Most Commonly Used Maglev CLI

$ maglev
Usage: maglev [OPTIONS] COMMAND [ARGS]...
Tool to manage a Maglev deployment
Options:
--version            Show the version and exit.
-d, --debug          Enable debug logging
-c, --context TEXT   Override default CLI context
--help               Show this message and exit.
Commands:
backup                 Cluster backup operations
catalog                Catalog Server-related management operations
completion             Install shell completion
context                Command line context-related operations
cronjob                Cluster cronjob operations
job                    Cluster job operations
login                  Log into the specified CLUSTER
logout                 Log out of the cluster
maintenance            Cluster maintenance mode operations
managed_service        Managed-Service related runtime operations
node                   Node management operations
package                Package-related runtime operations
restore                Cluster restore operations
service                Service-related runtime operations
system                 System-related management operations
system_update_addon    System update related runtime operations
system_update_package  System update related runtime operations

$ magctl
Usage: magctl [OPTIONS] COMMAND [ARGS]...
Tool to manage a Maglev deployment
Options:
--version     Show the version and exit.
-d, --debug   Enable debug logging
--help        Show this message and exit.
Commands:
api         API related operations
appstack    AppStack related operations
completion  Install shell completion
disk        Disk related operations
glusterfs   GlusterFS related operations
iam         Identitymgmt related operations
job         Job related operations
logs        Log related operations
maglev      Maglev related commands
node        Node related operations
service     Service related operations
tenant      Tenant related operations
token       Token related operations
user        User related operations
workflow    Workflow related operations
Bring-up Issues
Cisco DNA Center Services are not coming up
Have patience: bring-up takes 120 to 180 minutes.
Install Failure
If you are unable to run maglev/magctl commands after install:
• Check the RAID configuration and the install error messages
• USB 3.0 is recommended for installation
• Avoid KVM, USB 2.0 or NFS mount methods for installation
• Use a Windows 10 or Linux/Mac based system to burn the ISO image
• Check for Error or Exception in the following log files:
  • /var/log/syslog
  • /var/log/maglev_config_wizard.log
Package Status – GUI / CLI
How to check package status from the GUI:
• System Settings > App Management > Packages & Updates
• System Settings > Software Updates > Installed Apps
How to check package status from the CLI:
• maglev package status
In either view, look for any package whose status is not "DEPLOYED" or that shows "Failed".
Verify H/W profile complies with requirements (screenshot): the result should show SUCCESS.
Troubleshooting – Kubernetes & Docker
Package Update
Package Update Troubleshooting
2-Step Update Process – System Update and Application Package Update
Fail to download packages:
• Check connectivity to the Internet
• Internet connectivity is mandatory during the update download
Fail to install packages:
• Internet connectivity is mandatory during the install
• Check whether any failure is displayed in the GUI
• Check the status from the CLI for any error
Package Update Ordering:
https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-1/rn_release_1_1_2_2/b_dnac_release_notes_1_1_2_2.html#task_nj3_nww_qcb
Proxy Setting Check (screenshot): if a proxy server is configured, check the proxy server settings; also check the parent catalog server and repository settings.
System Update Check (screenshot)
maglev system_updater update_info
Displays the current and new version and the progress percentage; on failure, the failure output is shown here.
Package Deploy Failure and Recovery

$ maglev package status
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]
NAME                DEPLOYED      AVAILABLE   STATUS
-----------------------------------------------------------------------------------
network-visibility  2.1.1.60067   -           UPGRADE_ERROR - maglev_workflow.workflow.exceptions.TaskCallableExecutionError: (1516326117.1073043, 1516327147.0490577, 'TimeoutError', 'Timeout of 1020 seconds has expired while watching for k8s changes for apic-em-jboss-ejbca ')

Find the fully qualified package name:
$ maglev catalog package display network-visibility | grep fq
fqn: network-visibility:2.1.1.60067

Undeploy the failed package (caution: do not use this casually, as undeploy can be destructive and can lose the package's database):
$ maglev package undeploy network-visibility
Undeploying packages 'network-visibility:2.1.1.60067'
Package will start getting undeployed momentarily

Once the above steps complete, go to the GUI, download the package again and install it, or use "maglev package deploy <package>".
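The "check for any status not DEPLOYED" step above is easy to do by eye for one package and tedious for fifty. The following is an added example (not code from the deck or from Cisco) that parses the column-aligned "maglev package status" table, flags installed packages whose status is not DEPLOYED, produces the name:version form that "maglev package undeploy"/"deploy" expect, and, for the timeout error shown on the slide, pulls out the Kubernetes resource that never converged so you know what to inspect next. The sample table is constructed: only the network-visibility row and its error text come from the slide; the other package names and versions are made up.

```python
import re
from dataclasses import dataclass

# Constructed sample of "maglev package status" output, modelled on the failed
# upgrade shown above. Only network-visibility and its error text come from the
# slide; the other package names and versions are made up for illustration.
SAMPLE_STATUS = """\
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]

NAME                  DEPLOYED      AVAILABLE     STATUS
-----------------------------------------------------------------------------------
application-policy    2.1.1.60067   -             DEPLOYED
base-provision-core   2.1.1.60067   2.1.1.60100   DEPLOYED
network-visibility    2.1.1.60067   -             UPGRADE_ERROR - maglev_workflow.workflow.exceptions.TaskCallableExecutionError: (1516326117.1073043, 1516327147.0490577, 'TimeoutError', 'Timeout of 1020 seconds has expired while watching for k8s changes for apic-em-jboss-ejbca ')
sd-access             -             2.1.1.60067   NOT_DEPLOYED
"""


@dataclass(frozen=True)
class PackageRow:
    name: str
    deployed: str   # version currently deployed, or "-" if the package is not installed
    available: str  # newer version offered by the catalog, or "-"
    status: str     # DEPLOYED, NOT_DEPLOYED, or an error status such as UPGRADE_ERROR ...


def parse_package_status(text):
    """Split the column-aligned table into rows. Columns are separated by two or
    more spaces; the STATUS column may carry a long error message containing
    single spaces, so the split is capped at four fields."""
    rows = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith(("NAME", "---", "maglev-")):
            continue  # header, separator, or the cluster-context banner
        parts = re.split(r"\s{2,}", stripped, maxsplit=3)
        if len(parts) == 4:
            rows.append(PackageRow(*parts))
    return rows


def failed_packages(rows):
    """Installed packages whose status is anything other than DEPLOYED.
    Packages that were never deployed (DEPLOYED == '-') are not failures."""
    return [r for r in rows if r.deployed != "-" and r.status != "DEPLOYED"]


def fqn(row):
    """The name:version form that 'maglev package undeploy' / 'deploy' take."""
    return f"{row.name}:{row.deployed}"


def blocking_k8s_resource(status):
    """For the timeout error on the slide, pull out the k8s resource that never
    reached the expected state, i.e. what to inspect next with kubectl/magctl."""
    m = re.search(r"watching for k8s changes for (\S+)", status)
    return m.group(1) if m else None


if __name__ == "__main__":
    for row in failed_packages(parse_package_status(SAMPLE_STATUS)):
        print(f"{fqn(row)}: {row.status.split(' - ')[0]} "
              f"(stuck on {blocking_k8s_resource(row.status)})")
```

Pipe the real output in with "maglev package status | python3 check_packages.py" adapted to read stdin, or paste it into SAMPLE_STATUS. The parser deliberately ignores packages that were never deployed, so a freshly downloaded package that has not been installed yet does not show up as a failure.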
High Availability
High Availability (HA) Overview
• Minimize downtime for the Cisco DNAC cluster
• An HA cluster consists of multiple nodes that communicate and share/replicate information to ensure high system availability, reliability, and scalability
• Cisco DNAC HA is limited to 3 nodes (active/active)
• Can handle a maximum of one node failure
• Components scaled as part of HA:
  • Managed Service Addons: RabbitMQ, Kong, Cassandra DB, Mongo DB, Postgres DB, GlusterFS, Elasticsearch, Minio
  • Maglev Core Service Addons: Maglevserver, Identity Management, agent, fluent-es, keepalived, platform-ui
  • K8S Components: kube-apiserver, etcd, calico, kube-controller-manager, kube-dns, kube-proxy, kube-scheduler
Creation of 3 node cluster
Redistribute services through System 360 enables the cluster to act as a single unit
Install Initial Cisco DNA Center Node (diagram): the seed node runs Kong, CatalogServer, MaglevServer, DockerRegistry, WorkflowServer and WorkflowWorker.
Install Additional Cisco DNA Center Nodes (diagram): each added node brings up its own CatalogServer, MaglevServer, DockerRegistry, WorkflowServer and WorkflowWorker.
Distribute Services (diagram): Fusion Services and NDP Services are distributed across all three nodes.
Bringing up Cisco DNA Center 3 node cluster
• Always ensure the seed Cisco DNA Center node is up and running before adding other cluster nodes
• After forming the cluster, make sure that all the nodes are in READY state when you run 'kubectl get nodes' from the CLI
• Enabling HA should only be done after confirming that the 3-node cluster is successfully formed and operational with the full stack deployed
• DO NOT try to add two nodes in parallel, i.e. add nodes sequentially
Cisco DNA Center settings after second node install (screenshot)
Cisco DNA Center settings after third node install (screenshot)
Enable Service Distribution (screenshot)
Check services on each node (screenshot)
Automation Behavior on node failure (diagram: three nodes, Switch 1 / Switch 2 / Switch 3, before and after a failure)
• Node failure restore (RMA) requires re-distribution of services (about 25 minutes; can be a planned outage)
• Link failure: no significant delay in redistribution of services when the link comes back up
UI Notification on HA failure (screenshot)
Node Failure UI Notifications (screenshots)
Service Failure UI Notifications (screenshots)
Cluster Link Failure Notifications (screenshot)
Cluster Link Came Up (screenshots)
Network Link failure: no impact, but no notifications
Remove a node from the cluster (RMA use case)
• If one of the nodes in the cluster is in a failed state and is not recovering after several hours, remove it from the cluster by running: $ maglev node remove <node_ip>
HA Commands Cheat Sheet
HA commands:
• maglev service nodescale status
• maglev service nodescale refresh
• maglev service nodescale progress
• maglev service nodescale history
Check that all 3 nodes are available:
• maglev node remove <node_ip>
• maglev node allow <node_ip>
• maglev cluster node display
Collecting Logs
UI Debugging from Browser
Use the browser's debugging mode (developer tools) to find API or GUI related errors.
Firebug is another tool for debugging:
• Install the Firebug add-on in the Firefox browser
• Enable the Firebug add-on
• Launch Firebug and go to Console
• Run the task; it captures detailed API information and the related operations
Live Log - Service (screenshot of the service log files)
Check Service Log in GUI: click on the Kibana icon (screenshot)
Cisco DNA Center's Monitoring Dashboard (screenshot)
Monitoring Cisco DNA Center Memory, CPU & Bandwidth (screenshot)
Check Service Log using Log Explorer: log messages (screenshot)
Changing Cisco DNA Center Logging Levels
How to Change the Logging Level
• Navigate to the Settings page: System Settings > Settings > Debugging Levels
• Select the service of interest
• Select the new logging level
• Set the duration Cisco DNA Center should keep this logging level change
• Intervals: 15 / 30 / 60 minutes or forever
Required information to report an issue
• RCA file
• SSH to the server using the maglev user: ssh -p 2222 maglev@<dnacenter_ip_address>
• Run rca
• The generated file can be copied using scp/sftp from the /data/rca directory

Sample session:
[Sun Feb 11 14:26:00 UTC] maglev@10.90.14.247 (maglev-master-1)
$ rca
===============================================================
Verifying ssh/sudo access
===============================================================
[sudo] password for maglev: <passwd>
Done
mkdir: created directory '/data/rca'
changed ownership of '/data/rca' from root:root to maglev:maglev
Integrating ISE
Cisco DNA Center – ISE Integration
Administration > pxGrid Services
• The pxGrid service must be enabled on ISE.
• SSH must be enabled on ISE.
• Superadmin credentials are used for trust establishment over SSH/ERS. By default the ISE Super Admin has ERS credentials.
• The ISE CLI and UI user accounts must use the same username and password.
• The ISE admin certificate must contain the ISE IP or FQDN in either the subject name or the SAN.
• The DNAC system certificate must contain the DNAC IP or FQDN in either the subject name or the SAN.
• The pxGrid node must be reachable on the eth0 IP of ISE from DNAC.
• Bypass the proxy for DNAC on the ISE server.
Cisco DNA Center – ISE Integration Workflow
Trust Status on Cisco DNA Center
• AAA server status (Settings – Auth/Policy Server): INIT, INPROGRESS, ACTIVE, FAILED, RBAC_FAILURE
• Identity source status (under System 360): Available/Unavailable (pxGrid state), TRUSTED/UNTRUSTED
Troubleshooting ISE - Cisco DNA Center Integration
Example Error:
2017-08-01 05:24:36,794 | ERROR | pool-1-thread-1 | identity-manager-pxGrid-service |
c.c.e.i.u.pxGridConfigurationUtils | An error occurred while retrieving pxGrid endpoint
certificate. Request: PUT https://bldg24-ise1.cisco.com:9060/ers/config/endpointcert/
certRequest HTTP/1.1, Response: HttpResponseProxy{HTTP/1.1 500 Internal Server Error
[Cache-Control: no-cache, no-store, must-revalidate, Expires: Thu, 01 Jan 1970 00:00:00 GMT,
Set-Cookie: JSESSIONIDSSO=9698CC02E88780EC4415A6DE80C37355; Path=/; Secure; HttpOnly, Set-
Cookie: APPSESSIONID=03A609099AD604812984C6DF27CF7A19; Path=/ers; Secure; HttpOnly, Pragma:
no-cache, Date: Tue, 01 Aug 2017 05:24:36 GMT, Content-Type: application/json;charset=utf-8,
Content-Length: 421, Connection: close, Server: ] ResponseEntityProxy{[Content-Type:
application/json;charset=utf-8,Content-Length: 421,Chunked: false]}} |
Troubleshooting ISE - Cisco DNA Center Integration
How to capture the ISE log bundle:
• Go to Operations > Download Logs
• Select the ISE server
• Select any additional logs to be captured
• Select encryption and create the bundle
• Download the bundle
Discovery Issues
Step 1: Verify all devices are green after Discovery (screenshot)
Step 2: Check that all devices are in Managed state (screenshot)
New Configuration after Discovery
FE250#show archive config differences flash:underlay system:running-config
!Contextual Config Diffs:
+device-tracking tracking
+device-tracking policy IPDT_MAX_10
+limit address-count 10
+no protocol udp
+tracking enable
Troubleshooting – Discovery/Inventory
• Check IP address reachability from DNAC to the device
• Check the username/password configuration in Settings
• Check whether the telnet/ssh option is properly selected
• Check using manual telnet/ssh to the device from DNAC or any other client
• Check that the SNMP community configuration matches on the switch and DNA-C
• The Discovery view provides additional information
Provisioning Issues
Verifying Config Push
• While Cisco DNA Center is evolving to use NETCONF and YANG APIs, at this
time it pushes most configuration by SSH.
• Exact configuration commands can be seen via show history all
FE2050#show history all
CMD: 'enable' 13:29:55 UTC Tue Jan 16 2018
CMD: 'terminal length 0' 13:29:55 UTC Tue Jan 16 2018
CMD: 'terminal width 0' 13:29:55 UTC Tue Jan 16 2018
CMD: 'show running-config' 13:29:55 UTC Tue Jan 16 2018
CMD: 'config t' 13:29:56 UTC Tue Jan 16 2018
CMD: 'no ip domain-lookup' 13:29:56 UTC Tue Jan 16 2018
CMD: 'no ip access-list extended DNA Center_ACL_WEBAUTH_REDIRECT' 13:29:57 UTC Tue Jan 16 2018
*Jan 16 13:29:57.023: %DMI-5-SYNC_NEEDED: Switch 1 R0/0: syncfd: Configuration change requiring
running configuration sync detected - 'no ip access-list extended DNA
Center_ACL_WEBAUTH_REDIRECT'. The running configuration will be synchronized to the NETCONF
running data store.
CMD: 'ip tacacs source-interface Loopback0' 13:29:57 UTC Tue Jan 16 2018
CMD: 'ip radius source-interface Loopback0' 13:29:57 UTC Tue Jan 16 2018
CMD: 'cts role-based enforcement vlan-list 1022' 13:29:57 UTC Tue Jan 16 2018
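Because the configuration is pushed over an interactive SSH session, "show history all" is the device-side record of exactly what the DNA Center service account typed, and it doubles as an audit trail. The following is an added example (not code from the deck or from Cisco) that parses that history, separates exec commands from the ones entered in configure mode, and compares the configuration lines actually recorded by the device with the lines you expected DNA Center to push. The sample history is the slide's own excerpt, copied verbatim including the interleaved %DMI-5-SYNC_NEEDED syslog line; the "expected" set in the usage is made up.

```python
import re
from dataclasses import dataclass

# Constructed sample: the 'show history all' excerpt from the slide above, copied
# verbatim (including the interleaved %DMI-5-SYNC_NEEDED syslog line).
SAMPLE_HISTORY = """\
FE2050#show history all
CMD: 'enable' 13:29:55 UTC Tue Jan 16 2018
CMD: 'terminal length 0' 13:29:55 UTC Tue Jan 16 2018
CMD: 'terminal width 0' 13:29:55 UTC Tue Jan 16 2018
CMD: 'show running-config' 13:29:55 UTC Tue Jan 16 2018
CMD: 'config t' 13:29:56 UTC Tue Jan 16 2018
CMD: 'no ip domain-lookup' 13:29:56 UTC Tue Jan 16 2018
CMD: 'no ip access-list extended DNA Center_ACL_WEBAUTH_REDIRECT' 13:29:57 UTC Tue Jan 16 2018
*Jan 16 13:29:57.023: %DMI-5-SYNC_NEEDED: Switch 1 R0/0: syncfd: Configuration change requiring running configuration sync detected - 'no ip access-list extended DNA Center_ACL_WEBAUTH_REDIRECT'. The running configuration will be synchronized to the NETCONF running data store.
CMD: 'ip tacacs source-interface Loopback0' 13:29:57 UTC Tue Jan 16 2018
CMD: 'ip radius source-interface Loopback0' 13:29:57 UTC Tue Jan 16 2018
CMD: 'cts role-based enforcement vlan-list 1022' 13:29:57 UTC Tue Jan 16 2018
"""

# CMD: '<command>' HH:MM:SS <timezone and date>; the greedy group backtracks to
# the last quote that is followed by a timestamp, so quotes inside commands are safe.
_CMD_RX = re.compile(r"^CMD: '(?P<cmd>.*)' (?P<time>\d{2}:\d{2}:\d{2}) (?P<date>.+)$")
_ENTER_CONFIG = ("config t", "conf t", "configure terminal")


@dataclass(frozen=True)
class HistoryEntry:
    command: str
    timestamp: str   # e.g. "13:29:55 UTC Tue Jan 16 2018"
    in_config: bool  # True when the command was entered in configure mode


def parse_history(text):
    """Parse the CMD lines; the prompt line and any interleaved syslog are skipped.
    Commands after 'config t' are marked as configuration until an 'end'."""
    entries = []
    in_config = False
    for line in text.splitlines():
        m = _CMD_RX.match(line)
        if not m:
            continue
        cmd = m.group("cmd").strip()
        stamp = f"{m.group('time')} {m.group('date')}"
        if cmd in _ENTER_CONFIG:
            in_config = True
            entries.append(HistoryEntry(cmd, stamp, False))
            continue
        entries.append(HistoryEntry(cmd, stamp, in_config))
        if in_config and cmd == "end":
            in_config = False
    return entries


def config_commands(entries):
    """Only the lines entered in configure mode, in the order they were typed."""
    return [e.command for e in entries if e.in_config]


def verify_push(text, expected):
    """Compare the lines DNA Center was expected to push with what the device
    recorded. Returns (found, missing) as sets of command strings."""
    pushed = set(config_commands(parse_history(text)))
    expected = set(expected)
    return pushed & expected, expected - pushed


if __name__ == "__main__":
    # Hypothetical expectation list, for illustration only.
    found, missing = verify_push(SAMPLE_HISTORY, {
        "ip radius source-interface Loopback0",
        "ip tacacs source-interface Loopback0",
        "aaa new-model",
    })
    print("pushed as expected:", sorted(found))
    print("not seen in history:", sorted(missing))
```

The "missing" set is what to chase in the network-programmer service logs; a command that appears in the history but not in the running configuration points at the device rejecting it, which the next slides cover.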
AAA Configuration
The AAA server (ISE) is now used to authenticate device logins:
FE2050#show running-config | sec aaa
aaa new-model
aaa group server radius dnac-group
 server name dnac-radius_172.26.204.121
 ip radius source-interface Loopback0
aaa authentication login default group dnac-group local
aaa authentication enable default enable
aaa authentication dot1x default group dnac-group
aaa authorization exec default group dnac-group local
aaa authorization network default group dnac-group
aaa authorization network dnac-cts-list group dnac-group
aaa accounting dot1x default start-stop group dnac-group
Global Cisco TrustSec (CTS) Configurations
ISE and 'Network Device' Transact Securely Using PAC keys
• The switch authenticates with Cisco ISE to build a secure EAP-FAST channel over RADIUS. The PAC (Protected Access Credential) keys pushed by ISE are then used by the switch to talk to ISE securely, for example to download the environmental data and the TrustSec egress policy.
Switch# cts credential id <device_id> password <cts_password>
bldg24-edge-3650-1#show cts pacs
  AID: 5079AA777CC3205E5D951003981CBF95
  PAC-Info:
    PAC-type = Cisco Trustsec
    AID: 5079AA777CC3205E5D951003981CBF95
    I-ID: FDO1947Q1F1
    A-ID-Info: Identity Services Engine
    Credential Lifetime: 15:30:58 PST Mon May 28 2018
  PAC-Opaque:
    000200B800010211000400105079AA777CC3205E5D951003981CBF950006009C0003
    0100C25BAEC6DC8B90034431914E48C335DC000000135A95A90900093A8087E1E4
    7B8EA12456005D6E38C41F69C19F86B884B370177982EB65469F1E5F6B2B6D96B7
    1C99DA19B240FE080757F8F8BBD543AE830A5959EA4A999C310CE1FEC427213AA
    552406796C8DDDA695DBCF08FB3473249DCC025598D27CD280E4D01E7877F14C6
    F211CC3BAB5E3B836A6B42A9C5EE4E0E6F997549D10561
  Refresh timer is set for 11w3d
Environmental Data
Switch# show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Infra_SGT
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.1.1.222, port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
  Status = DEAD
  auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Infra_SGT
  10-00:Employee_FullAccess
  20-00:Employee_BYOD
  30-00:Contractors
  100-00:PCI_Devices
  110-00:Web_Servers
  120-00:Mail_Servers
  255-00:Unregist_Dev_SGT
Environment Data Lifetime = 86400 secs
Last update time = 21:57:24 UTC Thu Feb 4 2016
Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
Note the ISE server Status = DEAD in this output: the environment data is currently COMPLETE from the last successful download, but the next refresh will fail until the RADIUS server is marked alive again.
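The environment-data output above is long enough that the one line that matters (the RADIUS server marked DEAD under an otherwise healthy COMPLETE state) is easy to miss. The following is an added example (not code from the deck or from Cisco) that parses "show cts environment-data" into the fields a troubleshooter cares about (state, last status, each server with its status, the SGT name table, and the time until the data expires) and turns them into findings. The sample output is the slide's own, reproduced as a constructed string; the finding wording and the ALIVE/DEAD status values are the IOS ones.

```python
import re

# Constructed sample: the 'show cts environment-data' output from the slide above,
# with the RADIUS server marked DEAD exactly as shown there.
SAMPLE_ENV = """\
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Infra_SGT
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.1.1.222, port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
  Status = DEAD
  auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Multicast Group SGT Table:
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Infra_SGT
  10-00:Employee_FullAccess
  20-00:Employee_BYOD
  30-00:Contractors
  100-00:PCI_Devices
  110-00:Web_Servers
  120-00:Mail_Servers
  255-00:Unregist_Dev_SGT
Environment Data Lifetime = 86400 secs
Last update time = 21:57:24 UTC Thu Feb 4 2016
Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
"""

_SERVER_RX = re.compile(r"^\*?Server: (?P<ip>[\d.]+), port (?P<port>\d+), A-ID (?P<aid>\w+)")
_SGT_RX = re.compile(r"^(?P<tag>\d+)-(?P<gen>\d+):(?P<name>\S+)$")   # e.g. 100-00:PCI_Devices
_EXPIRES_RX = re.compile(r"^Env-data expires in (\d+):(\d+):(\d+):(\d+)")  # dd:hr:mm:sec


def parse_cts_env(text):
    """Extract state, last status, the AAA server list with per-server status,
    the SGT name table and the seconds until the environment data expires."""
    env = {"state": None, "last_status": None, "servers": [], "sgts": {}, "expires_in_s": None}
    current_server = None
    in_sgt_table = False
    for raw in text.splitlines():
        line = raw.strip()
        if in_sgt_table:
            m = _SGT_RX.match(line)
            if m:
                env["sgts"][int(m.group("tag"))] = m.group("name")
                continue
            in_sgt_table = False  # first non-SGT line ends the table
        if line.startswith("Current state ="):
            env["state"] = line.split("=", 1)[1].strip()
        elif line.startswith("Last status ="):
            env["last_status"] = line.split("=", 1)[1].strip()
        elif line.startswith("Status =") and current_server is not None:
            current_server["status"] = line.split("=", 1)[1].strip()  # ALIVE or DEAD
        elif line.startswith("Security Group Name Table:"):
            in_sgt_table = True
        else:
            m = _SERVER_RX.match(line)
            if m:
                current_server = {"ip": m.group("ip"), "port": int(m.group("port")),
                                  "aid": m.group("aid"), "status": None}
                env["servers"].append(current_server)
                continue
            m = _EXPIRES_RX.match(line)
            if m:
                d, h, mi, s = (int(x) for x in m.groups())
                env["expires_in_s"] = d * 86400 + h * 3600 + mi * 60 + s
    return env


def cts_findings(env):
    """Human-readable problems; an empty list means the device looks healthy."""
    findings = []
    if env["state"] != "COMPLETE":
        findings.append(f"environment data state is {env['state']}, not COMPLETE")
    if env["last_status"] != "Successful":
        findings.append(f"last environment data download was not successful: {env['last_status']}")
    if not env["servers"]:
        findings.append("no CTS AAA server installed in the server list")
    for srv in env["servers"]:
        if srv["status"] != "ALIVE":
            findings.append(f"AAA server {srv['ip']}:{srv['port']} is {srv['status']}; "
                            f"the refresh due in {env['expires_in_s']}s will fail unless it recovers")
    if not env["sgts"]:
        findings.append("Security Group Name Table is empty; no SGTs learned from ISE")
    return findings


if __name__ == "__main__":
    for finding in cts_findings(parse_cts_env(SAMPLE_ENV)) or ["no problems found"]:
        print(finding)
```

Run it against the slide's output and the only finding is the DEAD server; run it against a device whose state is not COMPLETE or whose SGT table is empty and the other checks fire. Feeding it "show cts environment-data" from every fabric edge via Command Runner is a quick way to find the one switch whose CTS credential or RADIUS reachability is broken.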
If CTS is not Configured, Verify the Device is a NAD (screenshot)
Configuration Issues: configuration not pushed to the network device; check the device state (screenshot)
Example error returned by the device:
% 10.9.3.0 overlaps with Vlan12
Fix the configuration on the device, for example:
(config)#no vrf definition Campus
Loopback 0 (only required for manual underlay configuration; if you are using the Automated Underlay, skip this step)
interface Loopback0
 ip address <>
 ip router isis
SD-Access Fabric Provisioning
Fabric Edge Configuration:
• LISP configuration
• VRF/VLAN configuration
• SVI configuration
• Interface configuration
SDA Provisioning – Workflow
Start provisioning from the UI. Services involved: SPF Service, Orchestration Engine, SPF Device Messaging, Network Programmer (NP).
1. Validate-Cfs-Step: validate whether this config is consistent and conflict free
2. Process-Cfs-Step: persist the data and take a snapshot for all namespaces in a single transaction
3. Target-Resolver-Cfs-Step: determine the list of devices this config should go to
4. Translate-Cfs-Step: per device, convert the config to the config that needs to go to the device
5. Deploy-Rfs-Task: convert the config to a Bulk Provisioning Message and send it to NP
6. Rfs-Status-Updater-Task: update the device config status based on the response from NP
7. Rfs-Merge-Step (Complete): update the task with an aggregate merged message
SDA Provisioning – Task Status Check (screenshot): click on View Target Device List, click on Show Task Status, then check the status.
Closed Authentication Configuration
IBNS 2.0 Template:
template DefaultWiredDot1xClosedAuth
 dot1x pae authenticator
 switchport access vlan 2047
 switchport mode access
 switchport voice vlan 4000
 dot1x max-reauth-req 3
 mab
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_ D
Interface Configuration:
FE2051#show run int gi 1/0/1
 switchport mode access
 device-tracking attach-policy IPDT_MAX_10
 authentication timer reauthenticate server
 dot1x timeout tx-period 7
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast
Troubleshooting – Device / Fabric Provision Issues
Services involved:
• orchestration-engine-service
• spf-service-manager-service
• spf-device-manager-service
• apic-em-network-programmer-service
Cisco SD-Access Fabric Troubleshooting – DHCP
DHCP Packet Flow in Campus Fabric (diagram: DHCP client, fabric edge FE1, border BDR, DHCP server)
1. The DHCP client generates a DHCP request and broadcasts it on the network.
2. The FE uses DHCP snooping to add its RLOC as the remote ID in Option 82 and sets giaddr to the Anycast SVI. Using DHCP relay, the request is forwarded to the Border.
3. The DHCP server replies with an offer to the Anycast SVI.
4. The Border uses the remote ID in Option 82 to forward the packet to the originating FE.
5. The FE installs the DHCP binding and forwards the reply to the client.
DHCP Binding on Fabric Edge
Received DHCP Discover
015016: *Feb 26 00:07:35.296: DHCP_SNOOPING: received new DHCP packet from input interface
(GigabitEthernet4/0/3)
015017: *Feb 26 00:07:35.296: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER,
input interface: Gi4/0/3, MAC da: ffff.ffff.ffff, MAC sa: 00ea.bd9b.2db8, IP da: 255.255.255.255, IP
sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0,
DHCP chaddr: 00ea.bd9b.2db8, efp_id: 374734848, vlan_id: 1022
Option 82 decoding: circuit ID 0x03 0xFE = 0x3FE = VLAN ID 1022; 0x04 = module 4, 0x03 = port 3. Remote ID: RLOC IP 192.168.3.98 (LISP instance-id 4099).
Continue with Option 82
015026: *Feb 26 00:07:35.297: DHCPD: Reload workspace interface Vlan1022 tableid 2.
015027: *Feb 26 00:07:35.297: DHCPD: tableid for 1.1.2.1 on Vlan1022 is 2
015028: *Feb 26 00:07:35.297: DHCPD: client's VPN is Campus.
015029: *Feb 26 00:07:35.297: DHCPD: No option 125
015030: *Feb 26 00:07:35.297: DHCPD: Option 125 not present in the msg.
015031: *Feb 26 00:07:35.297: DHCPD: Option 125 not present in the msg.
015032: *Feb 26 00:07:35.297: DHCPD: Sending notification of DISCOVER:
015033: *Feb 26 00:07:35.297: DHCPD: htype 1 chaddr 00ea.bd9b.2db8
015034: *Feb 26 00:07:35.297: DHCPD: circuit id 000403fe0403
015035: *Feb 26 00:07:35.297: DHCPD: table id 2
015036: *Feb 26 00:07:35.297: DHCPD: interface = Vlan1022
015037: *Feb 26 00:07:35.297: DHCPD: class id 4d53465420352e30
Circuit ID 000403fe0403: 0x03 0xFE = 0x3FE = VLAN ID 1022; 0x04 = module 4, 0x03 = port 3. Table id 2 = VRF Campus.
Forwarding ACK
015089: *Feb 26 00:07:35.302: DHCPD: Reload workspace interface LISP0.4099 tableid 2.
015090: *Feb 26 00:07:35.302: DHCPD: tableid for 1.1.7.4 on LISP0.4099 is 2
015091: *Feb 26 00:07:35.302: DHCPD: client's VPN is .
015092: *Feb 26 00:07:35.302: DHCPD: No option 125
015093: *Feb 26 00:07:35.302: DHCPD: forwarding BOOTREPLY to client 00ea.bd9b.2db8.
015094: *Feb 26 00:07:35.302: DHCPD: Forwarding reply on numbered intf
015095: *Feb 26 00:07:35.302: DHCPD: Option 125 not present in the msg.
015096: *Feb 26 00:07:35.302: DHCPD: Clearing unwanted ARP entries for multiple helpers
015097: *Feb 26 00:07:35.303: DHCPD: src nbma addr as zero
015098: *Feb 26 00:07:35.303: DHCPD: creating ARP entry (1.1.2.13, 00ea.bd9b.2db8, vrf Campus).
015099: *Feb 26 00:07:35.303: DHCPD: egress Interfce Vlan1022
015100: *Feb 26 00:07:35.303: DHCPD: unicasting BOOTREPLY to client 00ea.bd9b.2db8 (1.1.2.13).
015101: *Feb 26 00:07:35.303: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan1022)
015102: *Feb 26 00:07:35.303: No rate limit check because pak is routed by this box
015103: *Feb 26 00:07:35.304: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl1022, MAC da: 00ea.bd9b.2db8, MAC sa: 0000.0c9f.f45d, IP da: 1.1.2.13, IP sa: 1.1.2.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 1.1.2.13, DHCP siaddr: 0.0.0.0, DHCP giaddr: 1.1.2.1, DHCP chaddr: 00ea.bd9b.2db8, efp_id: 374734848, vlan_id: 1022
Client Adding to Device Tracking
015104: *Feb 26 00:07:35.304: DHCP_SNOOPING: binary dump of option 82, length: 22 data:
0x52 0x14 0x1 0x6 0x0 0x4 0x3 0xFE 0x4 0x3 0x2 0xA 0x3 0x8 0x0 0x10 0x3 0x1 0xC0 0xA8 0x3 0x62
015105: *Feb 26 00:07:35.304: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x3 0xFE 0x4 0x3
015106: *Feb 26 00:07:35.304: DHCP_SNOOPING: binary dump of extracted remote id, length: 12 data:
0x2 0xA 0x3 0x8 0x0 0x10 0x3 0x1 0xC0 0xA8 0x3 0x62
015107: *Feb 26 00:07:35.304: actual_fmt_cid OPT82_FMT_CID_VLAN_MOD_PORT_INTF global_opt82_fmt_rid OPT82_FMT_RID_DEFAULT_GLOBAL global_opt82_fmt_cid OPT82_FMT_CID_DEFAULT_GLOBAL cid: sub_option_length 6
015108: *Feb 26 00:07:35.304: DHCP_SNOOPING: opt82 data indicates local packet
015109: *Feb 26 00:07:35.304: DHCP_SNOOPING: opt82 data indicates local packet
015117: *Feb 26 00:07:35.405: DHCP_SNOOPING: add binding on port GigabitEthernet4/0/3 ckt_id 0 GigabitEthernet4/0/3
015118: *Feb 26 00:07:35.405: DHCP_SNOOPING: added entry to table (index 1125)
015119: *Feb 26 00:07:35.405: DHCP_SNOOPING: dump binding entry: Mac=00:EA:BD:9B:2D:B8 Ip=1.1.2.13 Lease=21600 Type=dhcp-snooping Vlan=1022 If=GigabitEthernet4/0/3
015120: *Feb 26 00:07:35.406: No entry found for mac(00ea.bd9b.2db8) vlan(1022) GigabitEthernet4/0/3
015121: *Feb 26 00:07:35.406: host tracking not found for update add dynamic (1.1.2.13, 0.0.0.0, 00ea.bd9b.2db8) vlan(1022)
(Callout: client added to device tracking)
015122: *Feb 26 00:07:35.406: DHCP_SNOOPING: remove relay information option.
015123: *Feb 26 00:07:35.406: platform lookup dest vlan for input_if: Vlan1022, is NOT tunnel, if_output: Vlan1022, if_output->vlan_id: 1022, pak->vlan_id: 1022
015124: *Feb 26 00:07:35.406: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet4/0/3.
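As an added example (not code from the deck), a small Python decoder for the Option 82 bytes in the DHCP_SNOOPING dump above, walking the circuit-id and remote-id sub-options the way the slide callouts decode them (0x3FE = VLAN 1022, module 4, port 3, LISP instance-id 4099, RLOC 192.168.3.98). The 3-byte instance-id, the 0x01 address-family byte before the RLOC, and the "local packet" comparison against the FE's own RLOC are my reading of the dumped bytes, not documented fields, and the dump string is copied from the debug as constructed input.

```python
# Added example, not from the Cisco Live deck. Decodes the Option 82 layout seen in the
# fabric-edge DHCP_SNOOPING dump:
#   circuit-id  = 01 06 | 00 04 | VLAN(2) MODULE(1) PORT(1)        (slide callouts)
#   remote-id   = 02 0A | 03 08 | LISP IID(3) AFI(1) RLOC IPv4(4)  (layout assumed)
from dataclasses import dataclass
import ipaddress

# Constructed input: the "binary dump of option 82" line from the debug above.
OPT82_DUMP = ("0x52 0x14 0x1 0x6 0x0 0x4 0x3 0xFE 0x4 0x3 "
              "0x2 0xA 0x3 0x8 0x0 0x10 0x3 0x1 0xC0 0xA8 0x3 0x62")


@dataclass
class Option82:
    vlan: int
    module: int
    port: int
    instance_id: int   # LISP instance-id carried in the remote-id
    rloc: str          # RLOC of the fabric edge that relayed the request


def parse_dump(text: str) -> bytes:
    """Turn the debug's '0x52 0x14 ...' tokens into raw bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def _suboptions(payload: bytes):
    """Walk the TLV sub-options (type, length, value) inside Option 82."""
    i = 0
    while i + 2 <= len(payload):
        typ, ln = payload[i], payload[i + 1]
        value = payload[i + 2:i + 2 + ln]
        if len(value) != ln:
            raise ValueError("truncated sub-option")
        yield typ, value
        i += 2 + ln


def parse_option82(raw: bytes) -> Option82:
    """Decode option 82 (code 0x52) as dumped by the fabric edge."""
    if len(raw) < 2 or raw[0] != 82:
        raise ValueError("not a DHCP option 82")
    if raw[1] != len(raw) - 2:
        raise ValueError("option length does not match the dump")
    fields = {}
    for typ, val in _suboptions(raw[2:]):
        if typ == 1:    # circuit-id, Cisco vlan-mod-port format: 00 04 vlan(2) mod port
            if val[:2] != b"\x00\x04" or len(val) != 6:
                raise ValueError("unexpected circuit-id format")
            fields.update(vlan=int.from_bytes(val[2:4], "big"),
                          module=val[4], port=val[5])
        elif typ == 2:  # remote-id: 03 08 iid(3) afi(1) rloc(4)  (assumed layout)
            if val[:2] != b"\x03\x08" or len(val) != 10:
                raise ValueError("unexpected remote-id format")
            if val[5] != 1:
                raise ValueError("only an IPv4 RLOC is handled here")
            fields.update(instance_id=int.from_bytes(val[2:5], "big"),
                          rloc=str(ipaddress.IPv4Address(val[6:10])))
    if len(fields) != 5:
        raise ValueError("missing circuit-id or remote-id sub-option")
    return Option82(**fields)


def is_local_packet(opt: Option82, own_rloc: str) -> bool:
    """My reading of 'opt82 data indicates local packet': the reply carries the
    RLOC this edge inserted on the way out, so the binding belongs to this box."""
    return opt.rloc == own_rloc


if __name__ == "__main__":
    decoded = parse_option82(parse_dump(OPT82_DUMP))
    print(decoded)  # vlan=1022, module=4, port=3, instance_id=4099, rloc='192.168.3.98'
```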
Available APIs and DNA Platform Troubleshooting
What is an API (Application Programmable Interface)?
What is a Representational State Transfer (RESTful) API?
(Figure: Application A and Application B exchanging GET, POST, PUT and DELETE requests.)
Different Ways for Consuming APIs
Method 1: DNA Center Platform as a Service
Enable the REST API bundle from DNA-Center
(Callout: enable the REST API bundle to start REST calls)
Access the API’s from the Developer Toolkit
List of available API’s
Discovery API Call from DNAC Platform
(Callouts: "Get Discovery by Index Range"; "Make a REST call from the DNA GUI itself")
Discovery API Call from DNAC Platform (Cont)
(Callout: you can also do Discovery by ID)
{
  "response": [
    {
      "name": "C9800-CL",
      "discoveryType": "Range",
      "ipAddressList": "10.122.145.235-10.122.145.235",
      "deviceIds": "36f02621-5b65-4c15-8374-8f9e5b1e72ee",
      "userNameList": "admin",
      "passwordList": "NO!$DATA!$",
      "ipFilterList": "",
      "enablePasswordList": "NO!$DATA!$",
      "snmpRoCommunity": "",
      "protocolOrder": "ssh",
      "discoveryCondition": "Complete",
      "discoveryStatus": "Inactive",
      "timeOut": 5,
      "numDevices": 1,
      "retryCount": 3,
      "isAutoCdp": false,
      "globalCredentialIdList": [
        "c39a97e7-54c1-4a4a-a9d8-15d0ec142f30",
        "47658146-ed68-4208-b208-bb01060236b2"
      ],
      "preferredMgmtIPMethod": "None",
      "netconfPort": "830",
      "id": "133"
    }
  ],
  "version": "1.0"
}
Method 2
Get Device Provisioning Config
Part 2 - Find the Provisioning Config Status based on Device-ID and the flag IsLatest: true
Method 3:
{
"Token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJzdWIiOiI1YjhlZmE4OGZjNGE5YjAwODlkZmM3ZDIiLCJhdXRoU291cmNlIjoiaW50ZXJuYWwiLCJ0ZW5hbnROYW1lIjoiVE5UMCIsInJvbG
VzIjpbIjViOGVmYTg2ZmM0YTliMDA4OWRmYzdkMSJdLCJ0ZW5hbnRJZCI6IjViOGVmYTg1ZmM0YTliMDA4OWRmYzdjZiIsImV4cCI6MTU1NzE3NDYwMywidXNlcm5 hbWUiOiJhZG1pbiJ9.JlkLC2ig-
DCdkqFEQ1wQjow4eaoYqi_ApfbEl8aMIhY"
}
Getting All VLAN ID’s in the Fabric and Underlay
https://<DNAC IP/FQDN>/dna/intent/api/v1/topology/vlan/vlan-names
Find the GET Request for pulling the Templates
Run the GET template API from the DNA Center
Running a GET to Cisco DNA Center
Verify the template from Cisco DNA Center
Getting the details of a template using API GET
Creating a project using API
Creating a project using API
If successful, you’ll see a task ID, a URL and a version number in the response.
Project created in Cisco DNA Center
The project is created. You can check the template-programmer logs to see how it was created.
Defining and running the API POST for a template
Defining and running the API POST for a template
Verifying template under the defined project
How DNA Center Uses APIs Internally
Kong is the backend API Server for DNA Center
(Figure: Inventory, SPF Service and Topology Service reached through the Kong Service.)
Check the API’s currently used by individual services
$ magctl appstack status | grep kong
Using Chrome Developer Tools to Troubleshoot Issues
Launching Developer Tools on a Browser
Network API calls on Developer Tools
Checking a Specific API Call from Developer Tools
Saving the API requests for a particular session
Understanding Certificates and Common Issues hit due to Improper Certificates
Operations on DNA Center that make use of Certificates
Understanding the Key Fields of a Certificate
Understanding the Chain of Trust in Certificates
Verifying Certificate from Cisco DNA Center GUI
(Screenshots: Step-1, Step-2 and Step-3 of the GUI certificate view, with the numbered click sequence.)
How to Revert to Self Signed Certificate on DNA Center
cd /home/maglev
vi register.conf
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = IN
ST = MH
L = Mumbai
O = CUSTOMER
OU = MyDivision
CN = DOMAIN
[v3_req]
basicConstraints = critical, CA:TRUE
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
IP.1 = X.X.X.X
IP.2 = 172.20
<esc>
:wq
1. Generate the certificate (the file given to -config must be the one edited above):
sudo openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout key.pem -out cert.pem -config request.conf -extensions 'v3_req'
2. Verification of the IPs in the certificate:
openssl x509 -inform pem -text -noout -in cert.pem
Download the cert.pem and key.pem file from DNA Center and upload on the DNA Center
Upload the Certificate on the DNA Center
Post Certificate Change Checks
Pushing the New DNA Center Certificate on WLC
• Log in to the DNA Center via SSH on Port 2222
(Cisco Controller) >show network assurance summary
Validate DNA-Center Networking
Check the IP addresses assigned to DNA-Center and the Virtual IP addresses
$ ip a | grep enp
Check the Intra-Cluster link details
etcdctl get /maglev/config/node-<DNAC IP address>/network| python -mjson.tool
Validate High Availability and Cluster Health for Cisco DNA Center
$ etcdctl get /maglev/node_scale/status
Completed
$ etcdctl cluster-health
member 93186661b8b32a0 is healthy: got healthy result from http://10.1.1.4:2379
member 1141887decc0d774 is healthy: got healthy result from http://10.1.1.2:2379
member a76429d777a6ffeb is healthy: got healthy result from http://10.1.1.1:2379
cluster is healthy
Provisioning Operations Stuck for a Long Time
Firstly, be patient.
Make sure the SPF and Programmer services are running.
Check for queued messages in the RabbitMQ
$ magctl service exec rabbitmq-0 "rabbitmqctl list_queues"
Critical Check Points and Known Issues for DNAC-ISE Integration
Three Step Integration of ISE with DNA Center
1. For SD-Access capabilities, ISE needs to have ISE Base and ISE Plus License installed.
2. Make sure all required Ports are opened as per this guide:
   https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/1-2/install/b_dnac_install_1_2/b_dnac_install_1_2_chapter_0101.html?bookSearch=true#reference_wtq_lkk_tdb
3. Compatibility matrix:
   https://www.cisco.com/c/en/us/solutions/enterprise-networks/software-defined-access/compatibility-matrix.html
4. The ISE CLI and GUI user accounts must use the same user name and password.
5. The DNA Center certificate should have all physical IPs and Virtual IPs in the SAN field of the certificate.
6. The ISE admin certificate must contain the ISE IP address or fully-qualified domain name (FQDN) in either the certificate subject name or the SAN.
7. DNA Center and Cisco ISE IP/FQDN must be present in the proxy exceptions list if there is a web-proxy between Cisco ISE and DNA Center.
8. DNA Center and Cisco ISE nodes cannot be behind a NAT device.
9. Cisco DNA Center and Cisco ISE cannot integrate if the ISE Admin and ISE pxGrid certificates are issued by different enterprise certificate authorities.
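An added check (not from the deck, and not a DNA Center tool) that turns the certificate verification step of the self-signed certificate slide and points 5 and 6 of this list into something testable: it parses the text printed by the slide's `openssl x509 -inform pem -text -noout -in cert.pem` command and reports which node IPs or VIPs are missing from the SAN, and whether an ISE admin certificate names the ISE IP/FQDN in the subject CN or SAN. The sample certificate text is constructed; the node addresses 10.1.1.1/2/4 are the ones in the etcdctl cluster-health output earlier, the VIP 10.1.1.10 and the hostnames are made up, and `cert_text_from_file` assumes `openssl` is on the PATH.

```python
# Added example, not from the Cisco Live deck. Checks SAN / CN coverage of a certificate
# against the DNAC-ISE integration prerequisites (slide: points 5 and 6).
import ipaddress
import re
import subprocess

# Constructed, abridged `openssl x509 -text -noout` output: three node IPs, no VIP.
SAMPLE_CERT_TEXT = """\
Certificate:
    Data:
        Subject: C = IN, ST = MH, L = Mumbai, O = CUSTOMER, OU = MyDivision, CN = dnac.example.test
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.1.1.1, IP Address:10.1.1.2, IP Address:10.1.1.4, DNS:dnac.example.test
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""


def parse_san(text: str):
    """Return (ip_set, dns_set) from the 'Subject Alternative Name' block."""
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if not m:
        return set(), set()
    ips, names = set(), set()
    for entry in m.group(1).split(","):
        kind, _, value = entry.strip().partition(":")
        if kind == "IP Address":
            ips.add(str(ipaddress.ip_address(value)))  # normalised form for comparison
        elif kind == "DNS":
            names.add(value.lower())
    return ips, names


def subject_cn(text: str):
    """CN from the Subject line (None if absent)."""
    m = re.search(r"^\s*Subject:.*?\bCN\s*=\s*([^,\n]+)", text, re.M)
    return m.group(1).strip().lower() if m else None


def missing_san_ips(text: str, required_ips) -> list:
    """Point 5: physical node IPs and VIPs that are NOT in the SAN (empty list = OK)."""
    present, _ = parse_san(text)
    return sorted(ip for ip in required_ips
                  if str(ipaddress.ip_address(ip)) not in present)


def ise_identity_ok(text: str, ise_ip: str, ise_fqdn: str) -> bool:
    """Point 6: the ISE admin cert must name the ISE IP or FQDN in the CN or the SAN."""
    ips, names = parse_san(text)
    cn = subject_cn(text)
    return (ise_ip in ips or ise_fqdn.lower() in names
            or cn in (ise_ip, ise_fqdn.lower()))


def cert_text_from_file(path: str) -> str:
    """Run the slide's verification command on a PEM file (requires openssl)."""
    return subprocess.run(
        ["openssl", "x509", "-inform", "pem", "-text", "-noout", "-in", path],
        check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    nodes = ["10.1.1.1", "10.1.1.2", "10.1.1.4"]   # from the cluster-health output
    vip = "10.1.1.10"                              # constructed VIP
    print("missing from SAN:", missing_san_ips(SAMPLE_CERT_TEXT, nodes + [vip]))
```

Run it against a real export with `missing_san_ips(cert_text_from_file("cert.pem"), node_ips + vips)`; anything in the returned list has to be added to `[alt_names]` before re-uploading.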
Three Step Integration of ISE with DNA Center
Make Sure NTP is in sync on both DNA and ISE
The certificate download process will fail if the times are not in sync on DNA Center and ISE.
Please make sure NTP is in sync on both ISE and DNA Center before integrating ISE and DNA Center.
ISE CLI/GUI Password Change OR pxGrid Certificate Expired/Replaced
1. Change the password here if the password on the ISE side has changed.
2. Even if there is only a certificate change, we can just update the password on this same page and it will re-exchange the changed certificate.
Pulling Client and Inventory Health Reports from Cisco DNA Center
Navigate to Data and Reporting Page
Sample Report for Inventory
Sample Report for Client Health
API Documentation
https://developer.cisco.com/dnacenter/
https://developer.cisco.com/site/dna-center-rest-api/
Complete your online session evaluation
• Please complete your session survey after each session. Your feedback is very important.
• Complete a minimum of 4 session surveys and the Overall Conference survey (starting on Thursday) to receive your Cisco Live water bottle.
• All surveys can be taken in the Cisco Live Mobile App or by logging in to the Session Catalog on ciscolive.cisco.com/us.
Cisco Live sessions will be available for viewing on demand after the event at ciscolive.cisco.com.
Continue your education
• Demos in the Cisco campus
• Walk-in labs
NDA Roadmap Sessions at Cisco Live
NETWORKING ROADMAPS | SESSION ID | DAY / TIME
Roadmap: SD-WAN and Routing | CCP-1200 | Mon 8:30 – 10:00
Customer Connection Member Exclusive
Join Cisco’s online user group to …
• Connect online with 29,000 peers and Cisco experts in private community forums
• Give feedback to Cisco product teams
• Product enhancement ideas
• Early adopter trials
• User experience insights
Join at the Customer Connection Booth (in the Cisco Showcase)
Member Perks at Cisco Live
• Attend NDA Roadmap Sessions
• Customer Connection Jacket
• Member Lounge
Join online: www.cisco.com/go/ccp
Thank you
Additional Slides for Reference
Locator/ID Separation Protocol (LISP) Internet Groper – “lig”
FE1#lig 18.18.18.18 instance-id 4099
Mapping information for EID 18.18.18.18 from 172.16.1.2 with RTT 7 msecs
18.18.18.18/32, uptime: 00:00:00, expires: 23:59:59, via map-reply, complete
Locator Uptime State Pri/Wgt
10.2.120.4 00:00:00 up 10/10
SD-Access Data Plane Troubleshooting
Package Update – GUI v/s CLI
How to get the GUI name from the CLI:
maglev catalog package display base-provision-core | grep display

$ maglev catalog package display
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]
NAME                  VERSION       STATE    INFO
--------------------------------------------------------------------
application-policy    2.1.1.170016  READY
assurance             1.0.5.583     READY
automation-core       2.1.1.60067   READY
base-provision-core   2.1.1.60067   READY
command-runner        2.1.1.60067   READY
device-onboarding     2.1.1.60067   READY
image-management      2.1.1.60067   READY
ncp-system            2.1.1.60067   READY
ndp-base-analytics    1.0.7.823     PARTIAL  Package needs to be pulled/downloaded
ndp-platform          1.0.7.724     PARTIAL  Package needs to be pulled/downloaded
ndp-ui                1.0.7.919     PARTIAL  Package needs to be pulled/downloaded
network-visibility    2.1.1.60067   READY
path-trace            2.1.1.60067   READY
sd-access             2.1.1.60067   READY
sensor-assurance      1.0.5.301     PARTIAL  Package needs to be pulled/downloaded
sensor-automation     2.1.1.60067   READY
system                1.0.4.661     PARTIAL  Package needs to be pulled/downloaded

$ maglev catalog package display automation-core | grep display
displayName: NCP - Services
[Fri Jan 19 00:25:39 UTC] maglev@172.27.255.230 (maglev-master-1) ~
$ maglev catalog package display base-provision-core | grep display
displayName: Automation - Base

$ maglev catalog package status network-visibility
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]
KIND                RESOURCE                                                                   STATE  MESSAGE
-------------------------------------------------------------------------------------------------------
Package             network-visibility:2.1.3.60048                                             READY
Plugin              fusion/cli-template/devicecontrollability-cli-template-plugin:7.7.3.60048  READY
Plugin              fusion/cli-template/perfmon-cli-template-plugin:7.7.3.60048                READY
Plugin              fusion/cli-template/wlc-dynamic-qos-cli-template-plugin:7.7.3.60048        READY
.
.
.
ServiceBundle       fusion/apic-em-event-service:7.1.3.60048                                   READY
ServiceBundle       fusion/apic-em-inventory-manager-service:7.1.3.60048                       READY
ServiceBundle       fusion/apic-em-jboss-ejbca:7.1.3.60048                                     READY
.
.
.
ServiceBundleGroup  fusion/apicem-core:2.1.3.60048                                             READY
ServiceBundleGroup  fusion/dna-maps:2.1.3.60048                                                READY
ServiceBundleGroup  maglev-system/apicem-core-ui:2.1.3.60048                                   READY
ServiceBundleGroup  maglev-system/dna-maps-ui:2.1.3.60048                                      READY
(Callout: the STATE of every resource needs to be READY)
Package Update (Continued)
$ maglev catalog package display network-visibility
_capabilityStatus:
  modified: 1513910885.2623622
_dependsOn:
  capabilities:                      # Package Dependencies
  - level: 1
    name: ncp:platform-base
  - level: 1
    name: maglev:platform
_id: 5a39e478378cef79fe8ec4c4
_provides:
  capabilities:                      # Package Capabilities
  - level: 1
    minLevel: 0
    name: ncp:service-provisioning-support
  - level: 1
    minLevel: 0
    name: ncp:device-on-demand-read
  - level: 1
    minLevel: 0
    name: ncp:device-inventory
  - level: 1
    minLevel: 0
    name: ncp:platform-common
  - level: 1
    minLevel: 0
    name: ncp:floor-maps
  - level: 1
    minLevel: 0
    name: ncp:device-model-config
  - level: 1
    minLevel: 0
    name: ncp:device-templating
_pullStatus: {}
abstract: A fundamental building block for all DNA Center Applications.
description: 'A fundamental building block for DNA Automation, Network Controller
  Platform (NCP) offers capabilities such as such as Discovery, Inventory,
  Topology, Site and Grouping services, Site Profiles, etc. DNA Center
  Applications will leverage these capabilities to interact with devices on
  the network, to provision, apply policies, or query the network.
  '
displayName: Network Controller Platform    # Display name as shown in GUI
fqn: network-visibility:2.1.1.60067
info: ''
kind: Package
manifestVersion: v1
name: network-visibility
requiresPull: false
serviceGroups:
- fusion/apicem-core:2.1.1.60067
- fusion/dna-maps:2.1.1.60067
- maglev-system/apicem-core-ui:2.1.1.60067
- maglev-system/dna-maps-ui:2.1.1.60067
state: READY
status:
  state: READY
tenantId: SYS0
version: 2.1.1.60067
Package Deploy Failure and Recovery
Failure scenario
Cisco DNA Center Services not coming up
How to Check Service Status from GUI
System Settings > System360: Services
https://<dnacenter_ip>/dna/systemSettings
Cisco DNA Center Services not coming up
How to Check Service Status from CLI
• SSH to Cisco DNA Center server
• Check for Service Instance status using “magctl appstack status <service>”
• Various States – Running, Terminating, Unresponsive, Error, crashdump, stopped
$ magctl appstack status fusion
NAME READY STATUS RESTARTS AGE IP NODE
apic-em-event-service-1698386882-cxvkb 1/1 Running 0 1d 10.10.243.107 192.168.240.11
apic-em-inventory-manager-service-3938287905-2ghz4 1/1 Running 0 1d 10.10.243.70 192.168.240.11
apic-em-jboss-ejbca-2091556107-t632h 1/1 Running 0 1d 10.10.243.105 192.168.240.11
apic-em-network-programmer-service-1178764915-blkpg 1/1 Running 0 1d 10.10.243.90 192.168.240.11
apic-em-pki-broker-service-4242378431-08dzw 1/1 Running 0 1d 10.10.243.111 192.168.240.11
app-policy-provisioning-service-1453250883-n3pkw 1/1 Running 0 1d 10.10.243.74 192.168.240.11
...
Cisco DNA Center Services not coming up
Check Cisco DNA Center server resources
• Check CPU usage: “top”
• Check disk throughput: “iostat”
Assurance Behavior on node failure
Assurance is impacted if Cisco DNAC1 fails – no impact if any other node fails.
To restore assurance, the failed node must be removed from the cluster and assurance restarted on another active node.
Failure of the Assurance-enabled node will result in loss of assurance data.
Assurance Services Failure UI Notifications
Graceful node power cycle in cluster
Clustering Capabilities
Failover:
• Stateful set services get replicated onto all the master nodes to enable stateful failover of requests in the event that the processes servicing these requests fail.
• This is achieved by the anti-node affinity configured for the services that are being scaled.
Load Balancing:
• With a load-balancing mechanism in place, requests are distributed across the nodes. If any of the instances fail, requests to the failed instance can be sent to the surviving instances (e.g. Kong HA provides load balancing capability as part of HA).
Rebalancing of services:
• Services get rebalanced onto the number of nodes available (3 in our case) instead of running only on one node.