DNA Center Wireless Assurance BRKEWN-2034

BRKEWN-2034
Cisco DNA Wireless

Assurance
Isolate problems for faster troubleshooting
Minse Kim, TME

Cisco DNA Wireless
Assurance Overview
Cisco DNA Center
Central network management system
Cisco DNA Center
Policy Provision Design Assurance
Complete network Analytics for assurance

Cisco DNA Center Appliance management system • Verify intent of network settings
• Single pane of glass for all devices • Proactively resolve issues
• End-to-end health information in real time • Reduce time spent troubleshooting
• Granular visibility
• Simplified workflows
Physical and virtual infrastructure Automation for provisioning Platform for extensibility
• Zero-touch deployment • Integrate APIs with third-party solutions
• Device lifecycle management • Integrate and customize ServiceNow
Cisco and third party • Policy enforcement • Evolve operational tools and processes
BRKEWN-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco DNA Assurance
From network data to business insights
Network telemetry Complex event Correlated Suggested

contextual data processing insights remediation
Traceroute
Complex
Syslog NetFlow correlation Clients Baseline
AAA Router DHCP

Metadata
Telnet Wireless CLI extraction
DNS
OID IPSLA Ping
MIB Steam
SNMP IPAM
Processing Application Network
AppD
CMX
Everything as a sensor Over 150 actionable insights

Clients | Applications | Wireless | Switching | Routing
Cisco DNA Assurance Architecture
Customer Datacenter Cloud Based
ML Engine)
Cisco DNA Center Assurance UI
Insights
Feedback
Cisco DNA
Automation Cisco DNA Data
Cisco DNA
Assurance Cloud Analytics
Network
Control Network Data Platform
Platform
ssh/NETCONF
Protocols & APIs (WSA, gRPC, SNMP, NetFlow, Syslog, Location, NETCONF, CLI, ...)
CMX
DHC
P
WAN
Network Control Points

Office Site Network Services DC Metrics, Events, Config, ...
Customer Control, Notifications, ...
Network
Wireless Assurance Enablement
Internet Edge
Internet
Assurance
Enabled
WAN Edge
ACI Fabric
WAN
Shared
Services Core
Distribution
WAN Sites
Access
Fabric Campus site Non Fabric Campus Large Medium Small
Enable Assurance across all deployments © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Wireless Assurance Feature by Deployment
model
Network Client Health Client Issue Sensor Intelligent
Health 360 Capture
Local Mode
● ● ● ● ● ●
FlexConnect
(Central Auth) ● ● ● ● ● ●
LocalAuth,
LocalDHCP ● ● ○* ○* ● ●
Mobility Express
● ● ● ● ● ●
Catalyst 9800
(Overlay, Fabric) ● ● ● ● ● ●
*In FlexConnect LocalAuth/DHCP/Assoc mode, Event Viewer and Onboarding Widget, Onboarding Issue has limited
visibility
Wireless Assurance AP Feature Matrix
802.11n AP1800 AP2800/ AP4800

Wave-1 AP 3800
Health, Issue ● ● ● ●
DNA Widget X ● ● ●
AP as a Sensor X ● ● ●
IP SLA Responder X ● ● ●
Intelligent Capture X X ● ●
Intelligent Capture w/ Full Packet
Capture
X X X ●
Key Use Cases
Overall
Client Device Wireless Application
Health
Health Health Sensor Health
Dashboard
Use Case: Use Case: Use Case Use Case: Use Case:
Executive Dashboard Client Onboarding (wireless): SLA Monitoring Application
Network Experience Experience
Topics Covered: Topics Covered: Topics Covered:
Topics Covered: Topics Covered:
• Overall Health • Client Health • Day 0 Setup
Dashboard Dashboard • Network Health • Manage 18+ • Application
• Client 360 Dashboard tests Health
• Device 360 • Sensor Dashboard
Use Case: Dashboard • App 360
Level 1 Issue Use Case (wired):
Analysis and Ticket Network Experience
management
Topics Covered:
Topics Covered:
• Network Health
• Global Issues Dashboard
• Service Now • Issues with
Integration Suggested
Actions
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public
Streaming Telemetry
for Wireless Analytics
Streaming Telemetry
Export enriched, consistent and concise data with context from

network devices for a better user and operator experience
Periodic or Structured Scalable Reduced CPU

On-Change Data Load
*Available with 16.10.1s
Purpose-Built for Cisco DNA Assurance and Cisco DNAC 1.2.8 or later
Wireless Streaming Telemetry Architecture

Cisco DNA Center
gRPC/Protobuf https/JWT TLS/TDL AP WSA/JWT
AP2/3/4800K ME, WLC3504/5520/8540 Catalyst 9800 Series Active Sensor AP1800S
• HTTP 2.0/gRPC based • Supported from AireOS 8.5 • KPI Parity with AireOS • HTTPS for Automation and
• Anomaly Event, RF Stat, • Real-Time client event • Immediate Event Update reporting
PCAP, Spectrum • Embedded Wireless in • PnP-based Provisioning
• Scheduled and Automated Cat9300 • Fully Managed by DNAC
AireOS WLC Provisioning troubleshooting
• Streaming Telemetry Failure -WLC shows “partial collection failure” in Last
Sync Status
• Check following items,
1. Check if WLC has right SNMP Read Only community name
2. Check if Cisco DNAC has right WLC Credential
3. Check if WLC Network Assurance is properly “Externalizing Data”
4. Check if WLC has right time(NTP or manual)
5. Check if WLC properly subscribed necessary channels from WLC GUI,
[MANAGEMENT] [Cloud Services] [Telemetry] [Network Assurance] [Server] [Advanced
Configuration]
BRKEWN-2034 © 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 14
Wireless Assurance with
Catalyst 9800
Cisco DNA Center automatically turns on streaming
telemetry when Catalyst 9800 is added to inventory
• Cisco DNAC pushes automated scripts to enable telemetry

1. Install DNAC Certificate for https setup with Cisco DNAC
2. Configure and Enable streaming telemetry (TDL) using NETCONF to Cisco DNAC
1 Download
3
NA Cert
Streaming Telemetry
Automation (NETCONF)
2 data (TDL) using TLS
Script to enable WSA
Data flow between Catalyst 9800 and Cisco
DNAC
Cisco DNAC
Binary TDL to java TDL
objects + map to NDP Assurance
Schema kafka pipeline
NCP
IOS-XE collector (TLS server)
Assurance-backend
• Subscribe using
NETCONF based
automation Export subscribed data in
• Setup PKI/SSL for • Binary TDL encoding
export • Native TDL model
• Over TLS (not https)
TLS client on devices
Catalyst 9800
Catalyst 9300 w/ Embedded Wireless
Wireless Assurance provide feature Parity
between AireOS and IOS-XE based Controller
Cisco DNA Center

• Design, Provision, Automate
• Health, Issue, Sensor
Policy Automation Assurance • Intelligent Capture
• Apple iOS WiFi Analytics
AireOS 8.5 or 8.8+ Catalyst 16.10.1 or later

Use JWT – JSON Web Token Use TDL - Binary encoded, model-based JSON
Wireless Network
Troubleshooting
Zoom Into most problematic location from global
view
Geomap View
Location List view
• Site by Site Navigation
• Top-N based on Network Health
Latest or Trend view per Network device type
• Router, Switch (Core, Distribution, Access), Wireless Controller, Access Point
• Network health = % of all good (healthy) devices from total devices
• Health Score assignment is Based on the Cisco Best Practice KPI threshold value
Actionable Dashboard - Drill-down by KPIs
• Breakdown of Device Health per type, with latest or trend view
Network Device Health

based on KPIs Intuitive Drill-down workflow
Network Health Score Details
• Health Score = Single KPI that indicate network device and link condition
• Calculated per every 5 min, with 15 min window.
Device KPI Data Plane KPI

• CPU • Uplink Status (Switch)
• Link Error (Switch, AP, WLC)
• Memory
• Noise, Air Quality, Interference,
• Free MBuf
Radio Utilization (AP)
• Free Timer
• Packet Pools, WQE Pools
(WLC)
• Network health = % of all good (healthy) devices from total devices
• Device score is chosen from lowest Device KPI type
• Health Score assignment is Based on the Cisco Best Practice KPI threshold value
Network Device Table – Health Drill Down view
• Table-based workflow filter, Export, search, sort

• Device Model, Device Reachability, OS Version, Address,
Device 360 – Device Event Logs in Network Time
Travel view and Event Viewer
Device 360 – Enhanced Neighbor Topology
• Neighboring Interface number

• Port Type (e.g. Trunk or Access)
Device 360 – Interface Table
• Per Interface
detail
• Port Type Filter
• Speed
• Duplex
• VLAN
• Type
• Interface ID
• Admin Status
Client Health Dashboard
Client Health Summary Workflow
• All Client or breakdown of the client health site
score for Wired and Wireless clients
• last 5min view is provided across all widgets
• Trendline health summary chart for the 24 hrs.

view
• From this page, we can navigate to:
• The individual site specific Client summary page
• Network Time Travel using 24 hours Client Health
Trend
• Enhanced Client List View
4 Level Wi-Fi connection quality indicator =
Wireless Health Score
• Based on Client connection status & RF quality
• Calculated per every 5 min, using client RSSI and SNR from WLC
– Connected, (Both RSSI and SNR are above threshold)
7 – Connected, (One of RSSI or SNR is below threshold)
4 – Connected, (Both RSSI and SNR are below threshold)
1 – Connected, Failed to Onboarding
– Inactive or Newly connected Client
Bad < -72 dBm RSSI < Good
Bad < -9 dB SNR < Good

Client Health Analytics Charts
• Available Client Analytics

• Drill-Down Workflow
• Wireless Client Onboard Time
• Drill-down Detail
• Roaming Time
• Mid level, Top N view
• Common LATEST / TREND View on Every Dashlet
• Network Time Travel for trend view
• Connectivity RSSI / SNR chart
Client Health Drill Down – OnBoarding
• Break down view of Assoc. time,

AAA time, DHCP time,
• Per Server View on AAA & DHCP
• Mid-level drill down view
• Select any sub-section will show

client lists in selected category
• Display Applied Filter on top of list
• Show Onboarding performance of

each client
Roaming Times
• Overall Roaming
Performance
• Fast Roam: <150msec
• Slow Roam: Above >3sec
• Narrow Down Roaming

Problems into
• Top Area
• Top OS Type
• Top APs
Client Table and Health Hover
• Connection Status and

type icon
• Usage
• Sort
• Health detail view
• Range-based Filter
• Export
Troubleshooting Wi-Fi
- Onboarding
Client 360
• Shows Details on specific client
• Timeseries metric chart of the client

health score
• Individual Client issues
• Onboarding Event Viewer 215 Kbps
• Application Experience
• Using Router – App Health derived from
Network Delay, App Delay, Packet Loss
• Path Trace Tool for Troubleshooting
• RF and Usage Details
Client 360 – Event Viewer
• Client Onboarding State Analytics
• Always On for All of Clients
• Capture Onboarding Failure,
Roaming Failure, De-
authentication from AP or Client
• Each Events are aggregated per
onboarding session, provide
session details
• Provide Onboarding delay and
duration per each step
Wireless Client Troubleshooting Start and Stop Full Packet
Capture for AP4800
Network Time Travel

Time Travel Navigation
button
36
Real-time Client location

Client
10.10.1.25
Map with trail of movement

0
Event
Viewer All or
Failed Onboard Packet
Onboard stage identifier Download
Auto Event Onboard Packet
Packet
Analyzer Onboarding
De-authentication
Packet
Session
Interpacket Gap (ms)
RSSI Chart per Packet bar chart
Real-Time Client location Tracking
• Client location movement trail

• Color coded by client RF stat.
• Real Time location Update
• Push Update from CMX
• Real-Time or Historical Client location
• Requires CMX 10.5
RF Metric Good (Green) Fair (Orange) Poor (Red)

RSSI > -69 dBm -69 dBm to -71dBm < -71 dBm
SNR > 25 dBm 10dB to 25dB <10dB
Data Rate MCS3,4,5,6,7,11,12,13, MCS1,2,9,10,17,18 MCS0,8,16 - BPSK
14,15,19,20,21,22,23 - QPSK
Throughput > 10 Kbps 2 ~ 10 Kbps < 1Kbps
Packet Retry 1 or less 2 3 or above
Drill down from Client Event to Packets
1 Click Onboarding Event in the left pane

Check timestamp “8:12:33.893 PM”
Data Packet captured at “8:12:33.794pm”

2
when client moved to RUN Status
WLC Event and AP PCAP gets correlated based on time window

Auto Packet Analyzer Download
Onboard Packet (*.PCA)
using Browser
Green color packet RED color packet

- 802.11 Auth. - Deauthentication
- Assoc. - Disassociation
- EAP (802.1x)
- DHCP
- Data (ARP,DNS,ICMP) Line chart
logarithmic For RSSI per Packet
Time scale
First packet Origination of Packets Bar Chart Display Last packet

Timestamp Inter-packet delay up to 80 packets Timestamp
Zoom into Client Wi-Fi Onboarding failure
1 Click KeyExchange Failure

Check timestamp “3:18:52.074 PM” 2 3 consecutive
AP to Client EAP Packets
Client De-authentication Event Drill-down
1 Click Client Deauthenticated Event

On “3:18:52.074 PM”
De-authentication Packet
from AP to client 2
on “3:18:54.183 pm”
Zoom into Client Wi-Fi Onboarding failure
Confirm EAP Key packet

3 Download Onboard
4 Packet
from Wireshark
Troubleshooting Wi-Fi
- RF Interference
Mitigation
Real Time Client RF monitoring
Live On/Off Button
ECG-like Client RF Chart

w/ 5 sec frequency
Type of Real Time Client RF Chart - RSSI/SNR, Rx/Tx Data Rate, Tx/Rx Pkt Count, Tx Pkt Retry
Client RF stat is different feature from Onboarding PCAP but scheduled parallelly with same duration
Monitoring AP RF Insight
• Accessible from AP360 page after AP

Radio / WLAN Statistics is turned on
• Advanced AP RF Analysis w/ High Density
telemetry (30 sec. interval).
o Channel Utilization per traffic type
o Channel Utilization per SSID
o Frame Count per type (Management, Data
Frame)
o Frame Re-transmission count
o Tx Power and SNR
o Multicast/Broadcast Chart
Real Time Spectrum Analyzers
• Persistent FFT
• Swept Spectrogram
• Interferers with
impacted BW
• Available on
AP2800/3800/4800
APs
• Support
Local/FlexConnect and
Monitor mode AP
Wireless Client
Troubleshooting - Demo
Wireless Issue analysis
DNA-C Wireless Assurance
From Network Data to Business Insights
Unified Network Telemetry Correlation Issues Guided Remediation
Auto Fix It - Future
Contextual Data Complex Event Processing Insights - Now
Clients Baseline
INSI GHTS
Application Network
 66 Wireless Actionable Insights

Client Client RF App Experience Network Device
Onboarding Experience - Throughput analysis - CPU, Mem utilization
- Association failures - Sticky client, Ping - App Performance – - Crash, AP Join
pong Packet Loss, Latency Failure, Flapping AP
- Authentication
failures - Coverage Hole and Jitter - Power supply failure
- IP address failures - Client Capacity - DNS Issues - Radio Utilization
Individual Issues can be escalated to global issue
if impact is significant
Issue Network Clients Application Sensor

Category
Per-entity Device 360 AP Issue Per-Client Per-App n/a
Issue Client 360 Device level
App 360
Global Overview WLC Issue Multiple (+5%) Not More than
Issue Health Routing Issue Clients having Available 2 sensors
Issue Page Infrastructure same issue failed for
Link Down from same floor same
reason
Wireless Client Issues Notification
DNA to generate
Client Issue
Onboarding Issue
- Slow, Onboarding/Roaming Failure
Connected Issue – Coverage, Sticky WSA Events
iOS Client Issues – based on

iOS Disconnect Reason
Sensor Issue – Multiple Sensor Test Failures
• DNAC to correlated, aggregate Client Events from AP& WLC and generate issue
• Issue can be reported to ServiceNow using Native Integration
Wireless Device (WLC & AP) – Issues
DNA to generate
Edge Analytics
AP/WLC Issue
Notification
API
AP, WLC Events
• Smart Edge Analytics can trigger AP Anomaly Event (Beacon Miss, Beacon Recovered) w/ PCAP
• DNAC to correlated, aggregate Device Events from AP& WLC and generate issue
• Suggested Action with possible CLI auto-run for further verification

Issue Customization
Issue Grouping
Enable Intelligent
Capture
Intelligent Capture ~ Key Use-Cases
VIP Assurance
RF Scanner
Automated PCAP*
On-Demand PCAP (of Onboarding Frames)
Made for DNA On Demand AP/Client Monitor
Spectrum Analysis
Automated AP Radio Anomalies*

*Roadmap
Intelligent Capture
Architecture Fast Path for Data RSSI, Hyperlocation
CMX
NMSP for Probe-based Location
Real-Time Location Update
Fast Path Automation for AP/WLC
CAPWAP TLV Automation
HTTPS/JWT
CAPWAP
AP Data (Client & AP Stats) WLC RT stats (client, AP, AAA, etc) DNA Center
Events: onboarding, RRM, etc up to 2 sec.
gRPC, TCP 32656 (PCAP, Anomaly Events, Real Time AP and Client RF Stats) up to 5 sec.
• AP data exported directly to northbound system using gRPC (HTTP 2.0)

• Real time Client RF stats and AP stats (programmable up to 5 sec).
• Anomalies-based PCAP, Anomaly Events, Spectrum Data
• WLC data export types using JWT – Client Event from real time filtered channel
Intelligent Capture
Automated Stitching from Multiple APs Capture
• Multiple APs tracking clients during packet capture
2.4GHz / 6 Ch • Single PCAP generated upon

00111101 Multiple AP roaming scenarios
Roam • Zero Packet Loss during Client Roam
5 GHz / 36 Ch
11111001 • Auto Decrypted Data Packet
DNA Center
• Capture Across AP, across Floor
Roam 00111101
11111001
00000111
• Pre-Scheduled Packet Capture
00000111
5 GHz / 161 Ch
• Automated Packet Capture
Intelligent Capture
Three Configuration Step
Prerequisite Day-1 Config

• DNAC 1.2.8 or later 1. Add WLC to DNAC
(Discovery or Inventory)
• WLC w/ AireOS 8.8.111.0
2. (Optional) Hyperlocation
• AP2800/3800/4800
3. (Optional) Add CMX and
vNAM to DNAC
Cisco DNAC automate all of necessary configs in WLC and AP
Intelligent Capture config on AireOS 8.8
Automated via DNA Assurance
Complicated, error-prone
Intent-based, DNA Automation
Device-level Config
Intelligent Capture Workflow - Step 1
Device Preparation
Cisco DNAC 1.2.10 – Intelligent Capture
New* Push-based
gRPC/gNMI WSA/JWT Location Update
AP2/3/4800K ME, WLC3504/5520/8540 CMX
• Upgrade to 8.8.111.0 • AireOS 8.8.111.0 • HTTPS for Automation and

• AP shall be reachable to • Intelligent Capture reporting
DNAC via https (port:32626) Control Plane • PnP-based Provisioning
• Filtered Channel • Fully Managed by DNAC
Enabling Intelligent Capture
1 Select [Assurance] [Manage][Scheduled Capture]
2 Select Global Auto-Capture Settings
DNAC 1.2.x Intelligent Capture uses manual activation

Consider it as WiFi Troubleshooting Session
Enabling Intelligent Capture (Cont’d)
• Toggle AP RF Stat
• Provides real-time RF stats from AP
3
Select Configure Intelligent
Location 4 Capture per AP
Scheduled On-Boarding Packet Capture
On-boarding capture can be configured
for Up to 16 clients per DNAC
DNAC
AP2800/3800/4800
AP sends packets only for the following On-Boarding
and roaming protocols:
802.11 AUTH, ASSOC, EAP, DHCP, DNS, ARP,
ICMP, 802.11k, 11v, Action Frames
DNA-C correlates the Events to Packets

and lets you download the PCAPS for
the specific events
Scheduling Onboard Packet Capture
1 Note Device Identify of 2 Schedule specific Onboard Packet Capture for specific clients
troubleshooting target device
1. Select Location
2. Run now or
scheduled
3. Up to 8 hours
4. Enter UserID(802.1x Login ID) or hostname or MAC Address,

in FULL text and enter
BRKEWN-2034
4. Click [Save] to initiate command
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 67
Under the hood Onboard Packet Capture
All APs
Converted into
global command
Drill-down Onboard Failure debugging session
1 Confirm current/past Onboard Packet Capture session 2 Select Troubleshooting client
3 Select [Intelligent Capture] under Client 360
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 69
CMX integration CMX
Notify
NMSP Subscribe
Fast Path
WLC DNA-C
AP
• Client updates sent via existing methods using NMSP or Fast Path
• DNAC to subscribe/register for location updates for one or list of clients
• Push-based Client location update from CMX to DNAC
• Enable Hyperlocation support for NTP enforcement
Real-Time Application Analysis using AP4800
Full Packet Capture
Data Center
• vNAM can be deployed as
Out-of-Band Deployment
Packet Capture
• vNAM is consumer of DNA-C using PCAP
• Packet capture from AP4800
vNAM DNA-C • On-Demand Packet Analysis
WLC • Deployment Agnostics – works on
vNAM retrieve packet
Central, FlexConnect or Fabric mode
capture from DNA-C
• Use-Cases
• RTP (VoIP) analysis
• TCP Analysis
• Real Client Traffic Analysis
AP4800 AP4800 AP4800 • Raw Packet Analysis
• Advantages
• Single Node deployment
WAN Branch/FlexConnect
• Remote node Analysis
• Zero User Throughput Impact
AP4800
AP4800 Full Packet Capture create two PCAP
files per single capture
• Concurrent, Dual PCAP File capture
• Wireless PCAP
• Wired PCAP
7c468520795e_80211_1530109006495976.pcap 7c468520795e_ethernet_1530109005954280.pcap
MAC Address media type

Real Time Application Analytics
Enabled by vNAM-DNAC Integration
• Application Analysis through Full

PCAP Analysis
• Application Identification
• Identify WMM (L2), DSCP(L4)
Marking of each App
• Packet Loss
• Wireless Delay
• RTP Jitter
BRKEWN-2034
Supported on AP 4800 using 3rd Radio
73
vNAM Integration(step1)
vNAM Config
1. data-port 1 ip-address <open IP
address in subnet> Assign an IP
address to data-port 1
Prerequisite 2. cdb-export collector 1 ip-address
<IP of DNAC>
1. NAM 6.4(1) on Appliance or VM
3. Time / sync ntp <NTP server IP>
2. DNAC 1.2.5
3. WLC w/ AireOS 8.8.111.0
4. AP4800
vNAM Integration from DNAC Enable DNA Agent Export
Enter DNA Agent (NAM)

From DNAC [System Settings] [Data Platform] [Collectors] [GRPC COLLECTOR] IP Address
Enter Config Name

& Save config
Click (+) Add
Available Packet Type per Capture
PCAP Type How to Media Type Captured Protocol Features Supported
trigger AP and
capture
method
Onboard On-demand • Wireless 802.11 mgmt. • Auto Packet Analyzer AP2800/380
PCAP or PCAP (Auth, Assoc) • Downloadable from anywhere 0/4800 –
Scheduled Data – (802.1x/EAP, using Web browser Inline-based
or DHCP, DNS, ARP, • Automated Onboard Failure Packet
automated ICMP), PCAP up to 100 packet per capture
Roaming – 802.11k, session
802.11v • Data Packet auto decryption
Block Ack
Full PCAP On-demand • Wireless • 802.11 with Radio • Application Analyzer, AP4800 – 3rd
PCAP Header • Wireless Delay, Wireless Radio w/
• Wired (Mgmt, Control, Packet Loss Chart Self-Sniffing
PCAP Data Frame) • Jitter chart using RTP (Wired & feature
• 802.3 with Wireless)
Ethernet Header • Data Packet auto decryption
Intelligent Capture Operation and Scale
DataType Operation Scale
Single Client Device
Full Packet Capture On-Demand
(1 client at any point in time on DNA Assurance)
Client RF stats Scheduled

Up to 16 Clients
Client Onboarding Events (WLC) Always On
Partial PCAP (Mgmt., DHCP/ICMP,
Scheduled Up to 16 Clients
EAP, etc.)
AP RF Stats, Via Config option APs at any point in time on DNA Assurance for 4000
Other AP Stats ( On/Off ) AP deployment
Client RF Stats Scheduled Up to 16 Client
Spectogram View On-Demand Only during client browser is opened
Client Location Update Always On For All Clients (using CMX)
Intelligent Capture FAQ
• Bandwidth Consumption modeling – Intelligent Capture is essentially On-
demand, scheduling-based feature
• BW consumption only occurs when each feature get turned on
• Partial Packet Capture
• Spectrum
• On-Demand Full Packet Capture : Client BW consumption x 2 (wired, wireless)
• Catalyst 9800 platform Intelligent Capture support – scheduled on 16.12.1
Client Insights using
Wireless Sensor
Two Formfactors, Two Difference Purposes
Clients Baseline
Aironet 1800S Active Sensor AP as a Sensor

(1800/2800/3800/4800)
Client Wireless Network & Service

Performance Test Application
Availability Test
Network
• Desktop mount • Ceiling or Wall Mount

• Client Wi-Fi Performance • Larger coverage than
(2x2 with 2 SS) actual client
• Multiple powering options • Use regular AP runs as
Sensor mode
Onboarding & Configure Tests Global Issue Dynamic Sensor

SLA Dashboard
Services Tests Remotely Creation Test Trigger
Test Your Network Anywhere at Any time at Real-world Client Level
Sensor Dashboard
• Sensor Test Result Dashboard
• Top N Location, Top N APs by failure
• Sensor Test Performance
• Common filter set as Client Health Page
• Network Time Travel Navigation up to 7 Days
• Customizable Dashlet
Sensor Test result drill down
RF Stat. during Active Sensor Testing Test Failure reason code

- RSSI, SNR, Data Rates, Pkt Loss
Schedule Sensor Testing: Step1
Create Sensor-Driven Test
[ASSURANCE] [Manage][Sensor-Driven Tests]
Step1. Create Sensor-Driven Test
Step2. Add Test – Schedule, SSID selection

SSID and Security settings are
auto-learned from WLC config
Sensor Feature Matrix
Test AP1800s AP1800 AP2800/38 Wave-1 &

Series 00/4800 11n AP
Wireless Provisioning Yes n/a n/a n/a
Network & Application Yes n/a n/a Infra AP only

Test
IP SLA sender Sensor and Sensor and Not
responder responder supported
Speed test Yes Yes Yes Infra AP only
Note: Sensor is dedicated to Wireless client mode. No AP service available when it’s on AP-as-a-Sensor
Schedule Sensor Testing: Step2
Select tests and Assign Sensor
Setp3. Select Tests
Sensor – Target AP Threshold
RSSI Threshold: -35 ~ -90 dBm
Target AP # : 1 ~ 5
Step 4.
Select Test Sensor
Proactive Wireless
Testing Sensor - Demo
How to setup
Sensor
Sensor Workflow
Day-0 Day-1 Day-2
SensorProvisioning
Sensor Provisioning Sensor Test Config Sensor
Sensor Upgrade
Upgrade
- Sensor Profile creation - Select Onboard SSID - Upgrade using DNAC
- DNAC Discovery - Network Test - Upgrade using CLI
- Claim - Performance Test
- Map Placement (Speed Test, SLA)
- Application Connectivity
Day-N Sensor Dashboard
DNAC Discovery from
Sensor
Two types of Sensor, Two types of discovery
path to DNAC
AP1800/
WLC
AP2K/3K/4800*
WSA Channel
DNAC
Learn DNAC IP address

AP1800S via DHCP Option 43 or DNS
Dedicate Sensor discover DNA Center via DHCP
Option 43 or DNS Hostname
AP1/2/3/4800
WLC
https (JWT)
DNA Center
1. Configure DHCP Option 43 with following string

value in ascii.
5A1N;B2;K4;I192.168.2.206;J80
2 5A1N - Specifies DHCP option for plug and play
B2 - IP address type (IPv4) [ B1 - Hostname / B2 -
IPv4]
K4 - HTTP (default) [4- HTTP/ 5-HTTPS]
Learn DNAC IP address I<IP Address> - PNP Server IP Address (in this
AP1800S 1 case DNA-C IP Address)
via DHCP Option 43 DHCP Server J80 - (Port to connect to DNAC, 80 for HTTP and
or DNS hostname, ”PNPSERVER” 443 for HTTPS)
DNAC Discovery using
DHCP/DNS Server
From DHCP Server From DNS Server
• If Option 43 field is already
used for other purpose, Use
conditional Option 43 using
VCI string. AP1800S’s VCI
string is “Cisco AP c1800”
OR
• Alternatively, DNAC IP
Address can be manually
provision from CLI Console
(AIR-CONSADPT=)
# config dot11 sensor pnp ip
Create Option 43 <xxx.xxx.xxx.xxx>
“5A1N;B2;K4;I10.13.1.100;J80" Create entry “PNPSERVER”
10.13.1.100 – DNAC IP Address and assign DNAC IP Address
BRKEWN-2034
Create Backhaul SSID Profile for Sensor
1. Create Wireless SSID Settings for Sensor Test report 2. Create Wireless SSID for Sensor
[DESIGN] [Network Settings][Sensor Settings]
Configure dedicate Wireless SSID for AP1800s Wireless backhaul channel

This settings is for Sensor, not to the WLC.
Sensor Provisioning
Step 0
Before Claim Sensor, Let’s change sensor name
[Provision][Devices][Plug and Play]

3. Change Device Name
1. Select Unclaimed Sensor
4. Click [Edit Device
2. Under [Action] Select [Edit]
Sensor Name change can be done on Unclaimed condition
Step 1
Assign Sensor Provision profile to Sensors
[PROVISION] [Devices][Unclaimed Devices]
1
1.
1 Go to [Provision] Menu then
2 2.
2 Go to [Plug and Play], confirm newly discovered
AP1800S, appeared as “UNCLAIMED” Status
3.
3 Select newly discovered AP1800
4 4 Click [Actions] [Claim]
New AP1800S sensor will appear once Sensor discovers DNAC via
DHCP Option 43 or DNS Host name “PNPSERVER”
Step 2
AP1800S Sensor Provisioning
Assign Sensor Provision profile to Sensors
Assign Sensor Backhaul SSID

Even if Sensor has wired backhaul
Assign Location “Site / Bld. / Flr.”
Step 3
AP1800S Sensor Provisioning
Place Sensor to actual sensor location
[DESIGN] [Network Hierarchy]
One device is pending for placement
Assign Location “Site/Bld/Flr.”
Note: Once AP1800S provisioned and assigned to floor, Admin need to place
Sensor to actual location on the map using DESIGN module
Sensor using Wireless
Backhaul
Step1. On WLC
Create Wireless Provisioning SSID for AP1800S
• Off-the-self AP1800s sensor can connect
wirelessly using “CiscoSensorProvision”
SSID
• Hidden SSID
• WLC Internal AAA – EAP-TLS
Trigger
following
changes
Step.1 Enable Wireless Provisioning

Step2. From WLC
Setup Backhaul SSID Configuration
• Assign one of WLC SSID as “Sensor SSID”. This will be used by a sensor to connect
DNAC and communicate over the air.
• Sensor SSID will be used to push sensor-test config, receive test results to the
DNAC
Ensure that the SSID name and security matches an existing WLAN in the WLC
Sensor-Driven Test
Config
Convert AP as a Sensor using DNAC automation
1 ssh
WLC
DNA Center
2
AP1/2/3/4800
AP as a Sensor
• If admin select regular AP, AP mode will be

converted into AP-as-a-Sensor mode.
• AP-as-a-Sensor will not be converted back unless
associated sensor test gets deleted
Sensor-Test config gets downloaded to each
type of sensor
WLC
DNA Center
AP1/2/3/4800
AP as a Sensor
# show dot11 sensor test config - This shows

the configuration that the Sensor has received
1a. Sensor HTTP heartbeat per every min. from the DNAC thru the WLC.
1b. DNAC send ACK with test config version
AP1800S 1c. Sensor detects new test config version
Dedicate Sensor 1d. Sensor request download new test config
Sensor use HTTPS to DNAC for sensor programming and reporting
Sensor-Test result traverse directly to DNAC
WLC
DNA Center
Wired PoE
AP1800S
Dedicate Sensor AP1/2/3/4800
Sensor Test result is directly reported to DNAC using Wireless Backhaul SSID or
Wired Backhaul. Make sure Sensor can directly communicate to DNAC
Sensor Software
Upgrade
10 Step Sensor Image Upgrade through DNAC
Prep - Image Management Upgrade from PROVISION
5 Select Upgrade Target Sensor
1 Download Image from CCO
6 Action > Update OS Image

2 Import image into DNAC
7 [Distribute] select “Now”
3 Tag New sensor image as Golden Image
8 [OS Update] Select “Schedule Activation after
4 Click [Update Device] Distribution is completed”
9 “Confirm” Upgrade
10 Wait for SWIM to complete upgrade
Or using Console cable

# archive download-sw /reload tftp://192.168.0.1/SW1800-SENSOR-K9-8-7-258-
0.tar.gz
Conclusion
Cisco DNA Wireless Assurance
Active Sensor Wi-Fi iOS Streaming Network Time

Testing Analytics Telemetry Travel
Intelligent Capture Intelligent Capture Actionable Guided

Auto PCAPs Forensics Insights Remediation
Aironet Active Sensor

Aironet 2800,3800, 4800
with proactive wireless
AP with Intelligent Capture
network test
Cisco Webex Teams
Questions?
Use Cisco Webex Teams (formerly Cisco Spark)
to chat with the speaker after the session
How
1 Find this session in the Cisco Events Mobile App
2 Click “Join the Discussion”
3 Install Webex Teams or go directly to the team space
4 Enter messages/questions in the team space
cs.co/ciscolivebot#BRKXXX-xxxx
Complete your online
session survey
• Please complete your Online Session
Survey after each session
• Complete 4 Session Surveys & the Overall
Conference Survey (available from
Thursday) to receive your Cisco Live T-
shirt
• All surveys can be completed via the Cisco
Events Mobile App or the Communication
Stations
Don’t forget: Cisco Live sessions will be available for viewing

on demand after the event at ciscolive.cisco.com
Continue Your Education
Demos in Meet the Related

Walk-in
the Cisco engineer sessions
self-paced
Showcase labs 1:1
meetings
Thank you
Backup
DNAC Setup
DNA center assurance and automation
Install  Discover  Assure
If sites have been
These tasks run in the background
created already, you can Run discovery
skip to run discovery and (ping sweep or CDP)
add devices to sites
Automatically push device

Set up manageability config
Install DNAC device credentials Inventory collection from DNAC
in DNAC Assess telemetry
quotient to adjust
Create site hierarchy

(area, building, floor, and
maps*) Assign devices to
(*maps come later) site/building/floor
Device ready for

Assurance
DNA Assurance - Getting Started Workflow
Network Network Ready for

DNA Center
Device Design & DNA
Install
Discovery Provision Assurance !
On-Premise CDP Create Network

Single Node IP Address Range Hierarchy (Sites)
Cloud Tethered Assign Device to

for App Updates Sites
Provision
Telemetry
Configuration
Getting Started Workflow – Network Discovery
Getting Started Workflow – Assign Device to Sites
Min SW and HW Requirements for DNA
Assurance
• Controllers supported:
• DNA Optimized Infrastructure: CT 3504, 5520 and 8540, ME (production beta)
• APs Supported
• DNA Optimized Infrastructure: Wave 2 APs (1810, 1815, 1830, 1850, 2800, 3800, 4800, 1540, 1560)
• Other APs supported: Wave 1 APs (1700, 2700, 3700) and 11n APs (700, 1600, 2600, 3500 and 3600)
• Sensor Support1:
• AP as a Sensor - AP 1800, 2800, 3800, 4800 2
• Dedicated Sensor - AP 1800S
• SDA is only supported on Wave 1 and Wave 2 APs
• Recommended Software Releases:

• WLC, ME: 8.5.140, 8.8.111
• ME: 8.8.100
• Sensor AP1800S: 8.8.258
Wireless Assurance
Troubleshooting
General Troubleshooting
• Make sure NTP is configured across all components
• Make sure that all devices on the DNAC inventory page are Reachable and
Managed. If any device is not Reachable and Managed, then select the
device(s) and use the Actions => Resync to establish the connection.
• Make sure that all devices on Assurance => Health => Network are in an
assigned location. If any device is not assigned to a location, then go to
the Provision page, select the device(s) and use the Actions => Assign
Device to Site action to assign the device(s) to a site/location.
• Using the WLC GUI, check page Advanced => Management > User
Sessions to make sure there are less than 4 user sessions. If there are
more, then delete oldest sessions until there are less than 4.
Catalyst 9800 Provisioning in Cisco DNAC
• Discovery – Ensure NETCONF is enabled on the device and device version
is 16.10 and above. Also ensure that NETCONF with port is selected during
discovery via DNAC UI
• After successful discovery and device going to be managed state,
following subscriptions are pushed
• Network Assurance Cert
• Network Assurance Config enablement including url, icap port
• Telemetry Subscriptions
• DNAC-CA and sdn-network-infra-iwan trustpoints
Catalyst 9800 Wireless Streaming Telemetry
subscription
• On change and periodic subscriptions
• On change – immediately on any change in any of the table fields
• Periodic – predefined intervals
• Sample On-change • Sample Periodic subscription:

subscription: telemetry ietf subscription 3111
telemetry ietf subscription 3012 encoding encode-tdl
encoding encode-tdl filter tdl-uri

/services;serviceName=Catalyst
filter tdl-uri 9800_oper/traffic_stats
/services;serviceName=Catalyst
9800_oper/dot11_oper_data source-address 10.195.153.74
source-address 10.195.153.74 stream native
stream native update-policy periodic 9000

receiver ip address 10.195.165.40 25103
update-policy on-change
protocol tls-native profile sdn-network-
receiver ip address 10.195.165.40 25103 infra-iwan
protocol tls-native profile sdn-network-
infra-iwan
Intelligent Capture Troubleshooting
General troubleshooting steps
• show icap global all - verify config from WLC
• show icap summary – Validate port 32626 setup, If not, run config icap
server port 32626
• show ap icap subscription and show ap icap packets on AP to verify that
settings are set and that packets are being sent to the DNAC, respectively.
• Log into the DNAC CLI and do the following:
• Run magctl service attach nsa-webapp
• Change directory to /var/tmp/airsense where you will find the directories below.
Verify they contain current PCAP files:
• airscanRadioPacketCapture which contains full packet capture files
• servingRadioPacketCapture which contains partial packet capture files
• ilmEventPacketCapture which contains anomaly packet files
Check gRPC activities from DNAC
• Settings Gear => System Settings => Data Platform => Analytics Ops
Center => Assurance => gRPC collector
AP debug (1/2)
• show ap icap telemetry: configs that is pushed to gRPC regarding to stats
enable/disable and frequencies.
• debug grpc server <debug/ info… >: to set the debugging level of grpc-server
• show grpc server log: to show the logs of grpc-server
• debug trace kernel level <detail/warning… >: this turns on aptrace logging on
console
• debug trace user level <detail/warning…>: this turns on anomaly-detection engine
logging to be saved to /var/log/aptraced.log
AP debug (2/2)
• show ap icap anomaly-detection: configs of anomaly-detection, type of packets
analytics engine received, counters for events generated, and memory usage for
queued events
• show ap icap config <connection …>: ap saved config history for anomaly-detection,
connection, … etc
• show ap icap connection: configs of gRPC server and port, JWT and stream status,
timestamps for last success/failure, counters for attempts/ failures.
• show ap icap packets: counters for everything that is sent over gRPC, eg., partial
packet capture count, radio stats count… etc
• show ap icap subscription: configs that is pushed to gRPC server on AP, eg., Full-
packet-trace enable/ disable, Partial-packet-trace MAC filters… etc
Sensor Troubleshooting Commands
• CLI Commands for troubleshooting. These are to be ran from the sensor AP console
(telnet/ssh)
#config dot11 sensor pnp ip [DNAC_IP Address] – Manually provision DNAC IP
Address to Sensor
#clear dot11 sensor – Reset Sensor config to default
#show dot11 sensor heartbeat status - A heartbeat between DNAC and the sensor
occurs every 60 seconds. Run this command to see the status and last success time of the
heartbeat – If fail confirm connectivity to DNAC
#show dot11 sensor test result -This shows the results of the test that the sensor has
ran. These results flow directly to the DNAC and do not go thru the WLC
Sensor Troubleshooting Commands
#show dot11 sensor test config - This shows the configuration that the
Sensor has received from the DNAC thru the WLC.
#show dot11 sensor synthetic work list - This shows details for each tests
that the sensor will execute
#show dot11 sensor stats - Look for “Total Test Cases Ran”, “Successful Test
Cases” and “Failed Test Cases”. This gives in indication of how many tests the sensor
has performed and the overall status of those tests. Note this also includes radio stats
and does show you if DNAC connectivity is enabled
#show dot11 sensor scan list - This shows the AP’s that the sensor can hear
and at what signal level. Only AP’s with RSSI of -75 or higher are tested against
#debug wsa debug - Use ‘term mon’ to view the full debug output from the wsa
debug
CMX Integration
CMX-DNA Center integration
• DNA Center 1.2.x • CMX 10.4.1.15 and above
• Add CMX On-Prem instance • Add WLC to CMX

• [DESIGN][Network Settings][Wireless] • [SYSTEM][Settings][Controller and
CMX Settings Maps Setup][Advanced]
• Type GUI (admin) and CLI (cmxadmin) • Add WLC through snmp RW
login credential
Client Location from DNA
• Multiple Client Location Tracking • Single Client Location Tracking
[DESIGN][Network Hierarchy] [Assurance][Client360][Intelligent
Capture]
Under Client360, Intelligent Capture

Under Design, Floor Map
DNA-CMX Integration Feature
Client Location
Playback
Client Location, Client

Density heatmap
Display Connected Client Client Detail

Health Score
• Display All of connected Clients locations

• Any Changes in Floor Map will be automatically sync’ed with CMX Map, vice versa
• Single floor map can support up to 200 APs in 1.2.8
2. Live Coverage
Real-Time Client location Tracking Hole Analysis
36
10.10.1.25
• Live Coverage Hole analysis that provides real-time client movement

over-layered with Client onboarding events and Client RF metrics
• Historical Client Location Playback feature on any given moment for
past 7 days

DNA Center Wireless Assurance BRKEWN-2034

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DNA Center Wireless Assurance BRKEWN-2034

Uploaded by

Copyright:

Available Formats

BRKEWN-2034

Cisco DNA Wireless

Minse Kim, TME

Cisco DNA Center

Policy Provision Design Assurance

Complete network Analytics for assurance

Network telemetry Complex event Correlated Suggested

AAA Router DHCP

Everything as a sensor Over 150 actionable insights

Network Control Points

Fabric Campus site Non Fabric Campus Large Medium Small

802.11n AP1800 AP2800/ AP4800

Export enriched, consistent and concise data with context from

Periodic or Structured Scalable Reduced CPU

Wireless Streaming Telemetry Architecture

gRPC/Protobuf https/JWT TLS/TDL AP WSA/JWT

AP2/3/4800K ME, WLC3504/5520/8540 Catalyst 9800 Series Active Sensor AP1800S

• Cisco DNAC pushes automated scripts to enable telemetry

TLS client on devices

Cisco DNA Center

AireOS 8.5 or 8.8+ Catalyst 16.10.1 or later

Location List view

• Site by Site Navigation

• Top-N based on Network Health

• Router, Switch (Core, Distribution, Access), Wireless Controller, Access Point

• Network health = % of all good (healthy) devices from total devices

Network Device Health

Device KPI Data Plane KPI

• Table-based workflow filter, Export, search, sort

• Neighboring Interface number

• Trendline health summary chart for the 24 hrs.

– Connected, (Both RSSI and SNR are above threshold)

7 – Connected, (One of RSSI or SNR is below threshold)

4 – Connected, (Both RSSI and SNR are below threshold)

1 – Connected, Failed to Onboarding

– Inactive or Newly connected Client

Bad < -72 dBm RSSI < Good

Bad < -9 dB SNR < Good

• Available Client Analytics

• Break down view of Assoc. time,

• Mid-level drill down view

• Select any sub-section will show

• Show Onboarding performance of

• Narrow Down Roaming

• Connection Status and

• Timeseries metric chart of the client

• Onboarding Event Viewer 215 Kbps

• RF and Usage Details

Network Time Travel

Real-time Client location

Map with trail of movement

• Client location movement trail

RF Metric Good (Green) Fair (Orange) Poor (Red)

1 Click Onboarding Event in the left pane

Data Packet captured at “8:12:33.794pm”

WLC Event and AP PCAP gets correlated based on time window

Green color packet RED color packet

First packet Origination of Packets Bar Chart Display Last packet

1 Click KeyExchange Failure

1 Click Client Deauthenticated Event

Confirm EAP Key packet

ECG-like Client RF Chart

• Accessible from AP360 page after AP

 66 Wireless Actionable Insights