#CiscoLive

7 habits for a successful Cisco DNA Center deployment

Adam Radford - Distinguished Architect - @adamradford123


Lila Rousseaux – Technical Solutions Architect - @lila_rousseaux
BRKEMT-2002

Agenda
• Habit #1 – Do the pre-work before installation
• Habit #2 – Understand what happens when adding a device in Cisco DNA Center
• Habit #3 – Change your operational model with SWIM & Advisory Tool
• Habit #4 – Know your Telemetry (PoE, Wi-Fi, Application Health and Visibility)
• Habit #5 – Enable AI/ML to make DNA Center Assurance smarter
• Habit #6 – Consider API’s for Automation, Integration and Innovation
• Habit #7 – Leverage AURA tool for health, scale & upgrade readiness checks
• Conclusion

#CiscoLive BRKEMT-2002 © 2021 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Habit #1 – Do the pre-work before installation
Pre-work Summary
1. Decide which DNAC interfaces will be used for the deployment
2. Define required DNAC IP addresses, subnets and routes
3. Define required passwords
4. Compile IP addresses and passwords for required network services (NTP, DNS, Proxy)
5. Allow access for required network ports and protocols

Installation Template - EXAMPLE
Field | Appliance #1 IP | Appliance #2 IP | Appliance #3 IP
Intra-Cluster IP | 172.25.216.12/24 | 172.25.216.13/24 | 172.25.216.14/24
Intra-cluster VIP | 172.25.216.11/24 | 172.25.216.11/24 | 172.25.216.11/24
Management (CIMC) IP | 172.24.250.71 | 172.24.250.72 | 172.24.250.73
DNAC Admin IP | 172.25.217.12/24 | 172.25.217.13/24 | 172.25.217.14/24
DNAC Admin VIP | 172.25.217.11/24 | 172.25.217.11/24 | 172.25.217.11/24
Cloud IP | NA | NA | NA
Cloud VIP | NA | NA | NA
Enterprise IP | 172.25.218.12/24 | 172.25.218.13/24 | 172.25.218.14/24
Enterprise VIP | 172.25.218.11/24 | 172.25.218.11/24 | 172.25.218.11/24
Default Gateway IP | 172.25.218.1/24 | 172.25.218.1/24 | 172.25.218.1/24
Hostname | BestDNAC-1 | BestDNAC-2 | BestDNAC-3
DNS #1 IP | 172.16.222.21 | 172.16.222.21 | 172.16.222.21
DNS #2 IP | 172.16.222.22 | 172.16.222.22 | 172.16.222.22
Static Route #1 IP | 172.25.217.0/24 - 172.25.217.1 | 172.25.217.0/24 - 172.25.217.1 | 172.25.217.0/24 - 172.25.217.1
Static Route #2 IP | NA | NA | NA
NTP #1 IP | 172.16.128.1 | 172.16.128.1 | 172.16.128.1
NTP #2 IP | 172.16.128.2 | 172.16.128.2 | 172.16.128.2
NTP #3 IP | | |
Proxy | | |
Proxy username/password | | |
Linux/Maglev password | M$glev1@3 | M$glev1@3 | M$glev1@3
Admin Password | Tempassword123 | Tempassword123 | Tempassword123

Installation Template - EXAMPLE (same template as above), with these callouts:
• Enterprise and Cluster interfaces are required
• CIMC is strongly recommended
• Cluster IP is the only IP address that can’t be changed after installation

Installation Template - EXAMPLE (same template as above), with these callouts:
• DNAC used to require two unique /21 subnets, not shared with Network, for inter-cluster communications
• From 2.1.1.x this requirement is removed, and the two /21 are not required. System now uses the 169.x.x.x address spaces within the cluster.

Installation Template - EXAMPLE (same template as above), with these callouts:
• The system can have a single default gateway
• For other interfaces, static routes are required

Installation Template - EXAMPLE (same template as above), with these callouts:
• NTP, DNS and proxy must be reachable from IP addresses used for DNAC, check firewall rules
• Prepare for Internet access for required resources

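A pre-install consistency check for the template and callouts above, as an added example (not Cisco tooling and not part of the original deck). The dictionary layout, the role names and the rule that each interface VIP must be an unused address in the nodes' subnet are assumptions of this sketch; the addresses are copied from the example template and the passwords are deliberately left out.

```python
import ipaddress

ROLES = ("cluster", "admin", "enterprise")   # interface names used in this sketch
REQUIRED = ("cluster", "enterprise")          # per the slide: both are required


def _node(n):
    # Constructed from the example template above; passwords are not modelled.
    return {"hostname": f"BestDNAC-{n}", "cimc": f"172.24.250.7{n}",
            "cluster": f"172.25.216.1{n + 1}/24",
            "admin": f"172.25.217.1{n + 1}/24",
            "enterprise": f"172.25.218.1{n + 1}/24"}


NODES = [_node(n) for n in (1, 2, 3)]
SHARED = {
    "vips": {"cluster": "172.25.216.11/24", "admin": "172.25.217.11/24",
             "enterprise": "172.25.218.11/24"},
    "default_gateway": "172.25.218.1",
    "static_routes": [("172.25.217.0/24", "172.25.217.1")],
    "dns": ["172.16.222.21", "172.16.222.22"],
    "ntp": ["172.16.128.1", "172.16.128.2"],
}


def validate_plan(nodes, shared):
    """Return (errors, warnings); an empty error list means the plan is consistent."""
    errors, warnings, nets = [], [], {}
    for role in ROLES:
        ifaces = [ipaddress.ip_interface(n[role]) for n in nodes if n.get(role)]
        if len(ifaces) < len(nodes):
            if role in REQUIRED or ifaces:
                errors.append(f"{role}: address missing on at least one node")
            continue
        if len({i.network for i in ifaces}) != 1:
            errors.append(f"{role}: nodes are not in one subnet")
            continue
        nets[role] = ifaces[0].network
        ips = [i.ip for i in ifaces]
        if len(set(ips)) != len(ips):
            errors.append(f"{role}: duplicate node address")
        vip = shared["vips"].get(role)
        if vip is None:
            errors.append(f"{role}: no VIP defined")
        else:
            vip = ipaddress.ip_interface(vip)
            if vip.network != nets[role] or vip.ip in ips:
                errors.append(f"{role}: VIP must be an unused address in {nets[role]}")
    # Single default gateway: it has to be on-link on exactly one interface.
    gw = ipaddress.ip_address(shared["default_gateway"])
    gw_roles = [r for r, net in nets.items() if gw in net]
    if len(gw_roles) != 1:
        errors.append(f"default gateway {gw} is not on-link on exactly one interface")
    # Other interfaces need static routes whose next hop is on-link.
    hops = [ipaddress.ip_address(hop) for _dest, hop in shared["static_routes"]]
    for hop in hops:
        if not any(hop in net for net in nets.values()):
            errors.append(f"static route next hop {hop} is not on-link")
    for role, net in nets.items():
        if role != "cluster" and role not in gw_roles and not any(h in net for h in hops):
            warnings.append(f"{role}: no static route; only on-link hosts are reachable")
    for svc in ("dns", "ntp"):
        if not shared.get(svc):
            errors.append(f"{svc}: at least one server is required")
    if any(not n.get("cimc") for n in nodes):
        warnings.append("CIMC address missing on a node (strongly recommended)")
    return errors, warnings


if __name__ == "__main__":
    print(validate_plan(NODES, SHARED))
```

Because the cluster IP cannot be changed after installation, an error reported for the cluster role is the one to resolve before the installer is started.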
Habit #2 – Understand what happens when adding a device in Cisco DNA Center
Device Controllability
Monitoring Settings Telemetry Trust

What happens when a C9K switch is added to Cisco DNA Center?

1. Push PKI, IPDT, HTTP Server, SNMP configuration, Netconf-yang, telemetry
2. SNMP Poll and CLI telemetry collection
3. Syslog, SNMP Trap, Streaming Telemetry

Example of configuration pushed by DNAC:

crypto pki trustpoint DNAC-CA
 enrollment mode ra
 enrollment terminal
 usage ssl-client
 revocation-check crl
crypto pki certificate chain DNAC-CA
 <snip>
 quit
device-tracking tracking
!
device-tracking policy IPDT_MAX_10
 limit address-count 10
 no protocol udp
 tracking enable
!
interface <ACCESS-INTERFACES>
 device-tracking attach-policy IPDT_MAX_10

ip http client source-interface Loopback0

snmp-server community <RO-COMMUNITY> RO
snmp-server community <RW-COMMUNITY> RW

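To review what the controller changed on a switch, the pushed items listed above can be checked against a saved running configuration. The following is an added example, not code from the deck or from Cisco; the sample configuration is constructed from the slide (interface names and community strings are placeholders), and treating "switchport mode access" as the marker of an access port is an assumption.

```python
import re

# Constructed sample based on the configuration shown on the slide.
SAMPLE_CONFIG = """\
crypto pki trustpoint DNAC-CA
 enrollment mode ra
 enrollment terminal
 usage ssl-client
 revocation-check crl
!
device-tracking policy IPDT_MAX_10
 limit address-count 10
 no protocol udp
 tracking enable
!
interface GigabitEthernet1/0/1
 switchport mode access
 device-tracking attach-policy IPDT_MAX_10
!
interface GigabitEthernet1/0/2
 switchport mode access
!
ip http client source-interface Loopback0
snmp-server community EXAMPLE-RO RO
snmp-server community EXAMPLE-RW RW
"""


def parse_blocks(config):
    """Map each top-level IOS line to the list of its indented child lines."""
    blocks, current = {}, None
    for line in config.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line[0] != " ":
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks


def audit(config):
    """Summarise the Device Controllability items from the slide found in config."""
    blocks = parse_blocks(config)
    trustpoint = blocks.get("crypto pki trustpoint DNAC-CA", [])
    policy = blocks.get("device-tracking policy IPDT_MAX_10", [])
    limit = [int(l.split()[-1]) for l in policy if l.startswith("limit address-count ")]
    unprotected = sorted(
        head.split(None, 1)[1] for head, kids in blocks.items()
        if head.startswith("interface ") and "switchport mode access" in kids
        and "device-tracking attach-policy IPDT_MAX_10" not in kids)
    snmp, source = {"RO": 0, "RW": 0}, None
    for head in blocks:
        m = re.match(r"snmp-server community \S+ (RO|RW)\b", head)
        if m:
            snmp[m.group(1)] += 1  # count only; never echo the community string
        if head.startswith("ip http client source-interface "):
            source = head.split()[-1]
    return {
        "trustpoint_revocation": [l.split(None, 1)[1] for l in trustpoint
                                  if l.startswith("revocation-check ")],
        "ipdt_limit": limit[0] if limit else None,
        "access_ports_without_ipdt": unprotected,
        "http_client_source": source,
        "snmp_communities": snmp,
    }


if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```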
What happens when an IOS-XE C9800 WLC is added to Cisco DNA Center?
• Cisco DNAC pushes automated scripts to enable telemetry
• Prerequisite – Enable Netconf-yang from Cat9800 CLI
• Install DNAC Certificate for https setup with Cisco DNAC
• Configure and Enable streaming telemetry (TDL) using NETCONF to Cisco DNAC

1. (config)#aaa authorization exec default local
   (config)#netconf-yang // Enable Netconf from WLC CLI
2. Download NA Cert
3. Automation (NETCONF) Script to enable WSA
4. Streaming Telemetry data (TDL) using TLS

Full device on-boarding process into DNA Center
Discovered → Added to Inventory → Assigned to Site → Enabled for Telemetry → Provisioned

Changes in the right direction: more visibility and control of required configuration

DNA Center 1.x
Device Added to DNA Center inventory, the following are configured:
• SNMP/CLI credentials
• Syslog to DNAC
• Traps to DNAC
• Netflow to DNAC
• IPDT for wired clients
• WSA/TDL for Wireless telemetry
• Cisco trustsec credentials
• Cisco controller certs

DNA Center 2.x
Device Added to DNA Center inventory, the following is configured:
• SNMP/CLI credentials
Adding device to a site (site level customization of what to enable):
• Syslog to DNAC
• Traps to DNAC
• Netflow to DNAC
• IPDT for wired clients (2.2.1)
• WSA/TDL for Wireless telemetry
• Cisco trustsec credentials
• Cisco controller certificates

• Device Controllability allows devices to interact with DNA Center efficiently
• Cisco DNA Center now provides comprehensive visibility into Device Controllability configurations
• Device Controllability is safe and easy to troubleshoot

Habit #3 – Change your operational model with SWIM & Advisory Tool

Leverage “Security Advisories” tool to uncover potential security vulnerabilities

“Security Advisories” tool supports the upgrade workflow

Leverage SWIM workflow to keep infrastructure updated

Define relevant pre & post checks

ISSU Supported Platforms on Cisco DNA Center
Platforms | Minimum Software version | Minimum DNAC version
Cat 9400s: C9404R, C9407R, C9410R | 17.6.1* | 2.2.1
Cat 9500s: C9500-12Q, C9500-24Q, C9500-40X, C9500-16X, C9500-32C, C9500-32QC, C9500-24Y4C, C9500-48Y4C | 17.6.1* | 2.2.1
Cat 9800 WLC | 17.3* | 2.1.2

Habit #4 – Know your Telemetry (PoE, Wi-Fi, Application Health and Visibility)

Wifi 6 Readiness Dashboard

Key Use Cases:
1. Understanding the Wi-Fi 6 Readiness of Clients & Network Infrastructure.
2. Visualizing the benefits of an existing Wi-Fi 6 Network.

Dashboard panels shown:
• Wi-Fi 6 readiness assessment for your network
• Version required for Wi-Fi 6 in the network
• Wi-Fi 6 clients associated with Wi-Fi 6 network
• Percentage of AP’s Wi-Fi 6 enabled
• Percentage of AP’s Wi-Fi 6 capable
• Wi-Fi version distribution

PoE Analytics

Key Use Cases:
1. Full Visibility on PoE infrastructure
2. Insights into IEEE Compliance and Perpetual PoE and End point distribution based on the IEEE power standard
3. Dedicated PoE Issue Types

Dashboard panels shown:
• Power consumption from the point of view of devices.
• View which devices are leveraging perpetual PoE, fast PoE, IEEE PoE, etc.
• Useful if a device is not getting the right kind of power
• Ports in faulty mode, power denied mode, error disabled mode or on/off
• Power consumption by each switch.
• Highlights switches experiencing high load

Application Visibility vs Application Experience

How Much = quantitative
• Supported on cat 9k
• 17.3.1 supported with ETA
• AirOS WLC
• 9800 WLC – flex

How Good = qualitative (health)
• Supported on routers IOS-XE
• 9800 WLC – local mode

DNA Center 2.1.2 supports auto interface/WLAN selection

Telemetry cheat sheet

How Much = quantitative
APV – application performance visibility
• Switches 16.10 or 17.3 for ETA+
• AireOS WLC 8.8.114 - central
• 9800 WLC 16.12.1 - central

How Good = qualitative (health)
APM – application performance monitor
• Routers. 17.3 optimized APM
• Appliance 17.3
• 9800 WLC 17.3 central (with DNAC 2.1.2)

#3 SWIM to do software upgrades

Habit #5 – Enable AI/ML to make DNA Center Assurance smarter

AI Driven Baseline Issues

Use case:
What is the expected KPI performance across AP’s and SSID’s? How can I effectively identify, isolate and mitigate deviations from the baseline performance?

Key Benefits:
• View Dynamic baselines and deviations for 12 (onboarding + throughput) KPI’s
• Accelerated troubleshooting with end-2-end workflow complete with impact and potential root cause details
• Active feedback loop (thumbs up/down) to integrate SME expertise to further refine baselines over period of time

AI Analytics – AP Family & Endpoint Comparison

Use case:
View and evaluate AP and client performance across different sites through dynamic performance clusters identified based on selected KPI

Key Benefits:
• Compare AP performance across traffic classes.
• Flexibility to compare both on-boarding and throughput KPI’s
• View and compare dynamic performance clusters for a selected KPI and AP families.
• View and compare onboarding KPIs for specific device types for days of a week.

Cisco AI Network Analytics Architecture
[Diagram labels: Network Infrastructure; WLC Controller; WSA; Cisco DNAC Appliance; Cisco DNA Center; Cloud Agent; Strong Anonymization; Anonymized Data; Privacy; Cisco AI Cloud; Anomalies and Insights]

AI Endpoint Analytics on Cisco DNA Center
Rapidly reducing the unknowns by aggregating data from different sources
[Diagram labels: Endpoint Profiling; ML Analytics; Data Aggregation; DPI-based Fingerprint/Behavior; Network Telemetry Probes; Easy Onboarding Tools; CMDB Connector]
CMDB: Configuration Management Database

Classification based on Deep Packet Inspection (DPI)

Multifactor classification
Endpoint type: CT scanner
Manufacturer: Globex Corp.
Model: DPI Ultima
Operating system: MS Windows 7

[Diagram labels: Deep packet inspection; EA; L7; L6; ML analytics; DICOM: GE CT540; Cisco® Catalyst® 9000 Series Switch - powered by NBAR; Probes; DHCP Class-ID: MSFT; CMDB connector: Globex Ultima CT scanner (Windows 7)]
Options to support non-Cisco devices available.

Reducing Unknowns with Machine Learning
[Diagram steps: ML groups endpoints; Creates rules; Admin labels endpoints; AI learns from new labels]
[Diagram labels: Device data lake; DPI; ML analytics; Endpoint Analytics; CMDB connector; Attribute A; Attribute B; Known; IPhones; Unknown; Cluster 1; Cluster 2; "These are Bosch Coffee Machines", New labels: Bosch = Coffee Machine; "These are Apple Watches.", New labels: Apple = Watch; legend: = done in cloud]

Habit #6 – Consider API’s for Automation, Integration and Innovation
GUI

API

Why API?

AUTOMATION INTEGRATION INNOVATION

SDK
>>> from dnacentersdk import DNACenterAPI
>>> api = DNACenterAPI()

Ansible

https://galaxy.ansible.com/cisco/dnac

GO

https://galaxy.ansible.com/cisco/dnac

Habit #7 – Leverage AURA tool for health, scale & upgrade readiness checks

AURA
Cisco DNA Center AURA (Audit & Upgrade Readiness Analyzer)
• AURA is a tool that covers health, scale & upgrade readiness checks across the DNAC Use Cases
• Simple & Straight Forward:
• Copy one executable file to the DNAC and execute it on the DNAC
• Using existing pre-installed libraries/software ONLY
• Only input required – DNA Center passwords
• Automatically generated PDF report & Zipped Log file that can be automatically uploaded to Cisco SR
• Not Intrusive – only DB reads, show commands and API calls
• Works with 1.2.8/10/12, 1.3.x, 2.1.x, 2.2.x & Fury
• Execution time: DNAC node <15mins. SDA=depends on scale (approx. 30min for 30 SDA Devices)

Focus Areas for Automation
• DNA Center Scale
• SDA Control & Security Audit
• DNA Center Infra Health
• SDA Device CLI Capture
• DNA Center Assurance
• WLC/eWLC Assurance
• Bugs Causing Upgrade Failures
• Upgrade Readiness
• PDF Generation (Open Source)
• SDA Compatibility Check
• DNAC-ISE Integration

Sample (32-page) report

Download from git

https://github.com/CiscoDevNet/DNAC-AURA

Conclusion
Summary
Strong foundation with pre-planning

Device Controllability to maximize value

Software Image management to keep up to date

Telemetry for network/application/user insights

AI/ML for AIops

API for automation/integration/innovation

AURA – Automated Upgrade Readiness Assessment (and operational health)

Thank you
