10 - Automation Lab
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
1 LAB PREPARATION 3
1.1 LAB TOPOLOGY 3
1.2 CONNECTION TO LAB 3
3 ISE INTEGRATION 5
4 DESIGN 9
4.1 NETWORK HIERARCHY 9
4.2 NETWORK SETTINGS 14
4.3 DEVICE CREDENTIALS 17
1 Lab Preparation
1.1 Lab Topology

Lab topology (figure): every pod shares the enterprise network and owns one set of pod devices.

Shared enterprise network:
- Cisco DNA Center: 192.168.40.91-100
- C9800-CL: 192.168.40.131-140
- ISE: 192.168.40.171-180

Per-pod devices (x is the pod number):
- WLC-PODx: WLC 3504, 10.10x.255.130
- RTR-PODx: Router (4331), Lo0 10.10x.255.1
- SW-BN-PODx: Cat 9300 core/distribution, Lo0 10.10x.255.2
- SW-EN1-PODx: Cat 3850 access and Cat 9300 access, Lo0 10.10x.255.3
- AP 2800 access points (three in the figure)
- IGP between the pod devices: ISIS

1.2 Connection to Lab

• server: primelab-us.cisco.com
• username: sevt
• password: sevt
2 Connect to Cisco DNA Center and ISE

Connect to Cisco DNA Center at:
https://192.168.40.9x
where x is your pod number (192.168.40.91-99 for POD 1 to 9; 192.168.40.100 for POD 10).

Use the following credentials to log in to Cisco DNA Center.
Username: admin
Password: Public123$

Open a separate tab and connect to ISE using the following link:
https://192.168.40.17x
where x is your pod number (192.168.40.171-179 for POD 1 to 9; 192.168.40.180 for POD 10).
Username: iseadmin
Password: Public123$
3 ISE Integration

In the lab, ISE is required and will be used for device access.

To save time in the lab, pxGrid has already been configured on ISE. The ISE-related steps below are for information only.

To integrate Cisco DNA Center and ISE, the following steps are needed.
• Copy the FQDN (you will need to enter it on the Cisco DNA Center settings page to configure the ISE integration).

In "Administration > pxGrid Services", you will see a "pxGrid connected" message at the bottom.
Note: if pxGrid was not enabled before, this can take a few minutes.
Next, still in "Administration > pxGrid Services", click on "Settings" and check "Automatically approve new certificate-based accounts".

Note what this setting does: ISE will approve any pxGrid client that presents a certificate issued by a CA it trusts, without an administrator reviewing the request. That is convenient in the lab; in a production deployment you would normally leave it off and approve the Cisco DNA Center client manually, so that no other host holding a trusted certificate can register itself as a pxGrid subscriber.

Go back to the Cisco DNA Center browser tab and go to "System Settings > Settings > Authentication and Policy Servers". Click on "Add".

Fill in the "Add AAA/ISE Server" form with the parameters below:
- ISE Server IP: 192.168.40.17x (for Pod 1-9) or 192.168.40.180 (Pod 10)
- Shared Secret: cisco
- CISCO ISE server: ON
- Username: iseadmin
- Password: Public123$
- FQDN: copy this from the ISE server (Administration > System > Deployment) and paste it here.
Be careful: it must match the FQDN configured in ISE, not what you find through DNS resolution!

Cisco DNA Center will now create the AAA server.

On the ISE side, at Administration > pxGrid Services, your Cisco DNA Center client should be approved automatically and come online shortly afterwards.

You can verify that Cisco DNA Center and ISE are integrated as shown below:
4 Design

4.1 Network Hierarchy

You will now create a new site with one building and one floor.

Select "Design".
Select "Add Area".
Fill in the fields shown and click on "Add".

Don't be too creative if you want to choose another location. The location is used to configure the country of the WLC, which must be consistent with the regulatory domain of the AP. If you choose a location outside North America, you can have issues with your AP.

Before adding the floor, download the floor map (Floox-298x164.jpg) from the box link below:
https://cisco.box.com/v/floorplan

Go back to the building "Whynot DNAC" and select "Add Floor".
Enter "DNAC Lab" in the "Floor Name" field and select "Cubes and Walled Offices" for "Type (RF Model)".
Upload the floor map (Floox-298x164.jpg) as "Floor Image", change the "Width" to "298" ft, then click "Add".

You should now have loaded the floor map.

Select the "HQ" site, then create a building called "BLDG5" with the address below:
325 E Tasman Drive, San Jose, CA 95134
4.2 Network Settings

Now you will define, in "Network Settings -> Network", the list of servers as well as some other settings that you will see configured on your devices when you provision them.

First, add AAA and NTP servers in the "Network Settings" tab, since they are not selected by default: click on "Design > Network Settings > Add Servers" and select "AAA" and "NTP".

Then fill in the settings:
- DHCP Server: 10.10x.50.2, where x is your pod number (10.110.50.2 for pod 10)
- Domain Name: sda.ciscous.com
- DNS Server: 192.168.40.1
- Syslog Server: select the checkbox "Cisco DNA Center as Syslog server"
- SNMP Server: select the checkbox "Cisco DNA Center as SNMP server"
- NTP: 10.0.255.3
- Time Zone: select "GMT"
- Message of the day: you can be creative here ...

Click on the "Whynot" site in the network hierarchy (left column); you should see that the settings are inherited from global (note that they can be overridden at site level).
4.3 Device Credentials

In this section, you will define the network credentials that you would like to use to access your devices.

Credentials are defined globally and are inherited by sites in the hierarchy. Multiple credentials can be defined, and it is possible to select which one will be used for each site.

Add the CLI credentials shown below and save. Don't worry about the warning regarding ISE, and try to figure out why you will not have such an issue.
Name/Description: admin
Username: admin
Password: cisco
Enable: cisco
Don't be creative with the username/password, as they have been preconfigured like this in the devices and in ISE.

Define SNMP credentials, both V2C Read (Name "ro", community "public") and V2C Write (Name "rw", community "private"), and click Save. Note that "public" and "private" are the well-known default communities and that SNMPv2c sends the community string in cleartext; the write community in particular lets anyone who sniffs or guesses it change the device configuration. This is acceptable only on the isolated lab network; elsewhere use unique communities or, preferably, SNMPv3 with authentication and privacy.

Make sure you have selected the checkbox for every credential that was defined:
• CLI
• SNMP READ
• SNMP WRITE

Warning: on the screenshot above, don't forget to click on the SNMP Write credential and select it.
You should see the Success message at the bottom once you click Save.
Day-0 switch onboarding workflow (figure):

Design Phase: Create Sites -> Define Network Settings -> Define Golden Image (Optional) -> Create Onboarding Templates (Optional) -> Define Network Profile -> Assign Network Profile to Sites
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

Step 1. Create Sites – Define where onboarding devices belong. (Already defined above in section 4.1)
Step 2. Define Network Settings – Define DHCP, DNS, AAA services, etc. for the site. (Already defined above in section 4.2)
Step 3. Define Golden Image – Define the golden image if the network admin wants devices to run a standardized software image (see section 5.2 below).
Step 4. Create Onboarding Templates – Create user-defined CLI templates to be used by PnP for day-0 onboarding (see section 5.3 below).
Step 5. Define Network Profile – Define a network profile that uses the onboarding templates defined in Step 4 (see section 5.4 below).
Step 6. Assign Network Profile to Site – Assign the network profile to the desired sites so that devices inherit it when claimed to those sites (see section 5.5 below).

Provision Phase: Plan for PnP Discovery -> Claim to Site via PnP -> Complete Profile Provisioning

Step 1. Plan for PnP Discovery – Plan DHCP option 43 or DNS for devices to discover Cisco DNA Center. For non-fabric onboarding, this is the one step outside Cisco DNA Center automation (see section 5.6 below).
Step 2. Claim to Site via PnP – After devices discover Cisco DNA Center successfully, they enter the "Unclaimed" state for the network admin to claim. When the network admin claims the devices, two parts of configuration are added in this step (see section 5.7 below):
• PnP Claim – Device credentials and the CLI template of the profile
• Add to Inventory – Configuration for "Device Controllability", if it is enabled.
Step 3. Complete Profile Provisioning – Up to this step, the configuration from the "Network Settings" page of Cisco DNA Center is still not provisioned. To complete profile provisioning, the network admin needs to provision the devices again after they are managed by Cisco DNA Center (see section 5.8 below).
In this section, we will use the Cat9300 switch to go through the day-0 onboarding workflow for switches via PnP.

5.1 Overview

The Cisco DNA Center onboarding workflow is designed to follow the principles of network IT operation from Design to Provisioning. At the core of this workflow is the site concept, as in the figure below.

So, what exactly is in a switching network profile? Refer to the picture below, taken from the PnP TDM deck for 1.2.8.

Switching network profile (figure):
- User-defined configuration: CLI templates
- System-generated configuration by Cisco DNA Center UI orchestration: Network Settings and Device Credentials
- Network Settings cover: AAA (RADIUS and TACACS), DHCP and DNS, Syslog, SNMP and NetFlow collector, NTP server, Message of the Day

For users, the switch configuration is the combination of what is generated by Cisco DNA Center and what is defined in CLI templates. Users should avoid configuration overlap where possible. In case of overlap, they can use a user-defined template to override what is generated by Cisco DNA Center.
5.2 Define Golden Image – Design Phase

In Cisco DNA Center, it is mandatory to mark an image as "Golden" for a device family before it can be used for upgrade. Otherwise, the image will not be available for upgrade even if it was imported successfully. Marking an image as "Golden" can be done at global or site level; the site-level option exists to allow overriding what is set at global level.

Please note that starting from the Cisco DNA Center 1.2.8 release, Software Image Management (SWIM) supports a new capability that allows users to assign an imported image to the desired device family manually, even if no devices of that family are in inventory yet. This feature was developed specifically to support device software upgrade during day-0 onboarding.

Let us first import the image. On the "Design" page, click on "Image Repository", then click on "Import".

You can import the 16.8.1a image for the Cat9300 from an FTP server located in the lab using this URL:
ftp://pi:cisco@192.168.40.11/cat9k_iosxe.16.08.01a.SPA.bin
Note that both the credentials in this URL and the image itself travel in cleartext over FTP; that is acceptable only on the isolated lab network. If you repeat this step outside the lab, verify the file's checksum against the one published on cisco.com before importing it.

After clicking the "Import" button, you will notice the Import Image message.
You can click on "Show Tasks", which displays the import status for this image in a sliding window below:

After a few minutes, if you click on the "Refresh" button again, you should see a green check mark indicating that the import succeeded, as below:

Then go back to "Image Repository" and click on the "Refresh" button; you should see a new category called "Imported Images" under the "Family" column. Click on the "Assign" button.

In the pop-up window, select the checkbox next to "Cisco Catalyst 9300 Switch" and click on "Assign".

Note: if you do not see any entry under the "Device Series" section, Cisco DNA Center has a connectivity issue with cisco.com and could not fetch the device family list. In that case, you can still choose "Switches and Hubs" under "Device Types", type the keyword "9300" in the search bar, select the checkbox next to "Cisco Catalyst 9300 Switch", and click on "Assign".
Now go back to the "Image Repository" page; you should see "Cisco Catalyst 9300 Switch" shown under Family.

Now you are ready to mark this image as "Golden" by clicking the star under the "Golden Image" column. You should see "ALL" under the "Device Role" column, meaning it is the standardized image version for all Catalyst 9300 switches regardless of device role.

Once you mark the image as Golden, you will see a Success message at the bottom, and the star turns gold.

5.3 Create Onboarding Templates – Design Phase

Before this exercise, go to the box folder for the switch template at the link below:
https://cisco.box.com/v/SWITCH-TEMPLATES
Locate the switch template named "SW-SJ-BN-PODx-template". You can download or open it. We will use it later in this section.

In this section, we will create an onboarding switch template in the "Template Editor", which will be used to create the switching network profile later.

In the top corner of the Cisco DNA Center page, click on the square dot icon and select "Template Editor".

In "Template Editor", you will see a new system default project named "Onboarding Configuration", which is designed to group all day-0 onboarding templates. Only templates in this project can be used for day-0 onboarding; templates under user-defined projects are used for day-2 provisioning. Click on "Add Template".
Now, copy and paste the content of the switch template file (SW-SJ-BN-PODx-template.txt) into this new template.

Please note that a string starting with $ is treated as a variable. To avoid ambiguity, ${var} can also be used. In this lab, the pod number is the only variable, for simplicity and demonstration.

Click on "Actions -> Save" to save the local copy of the template on Cisco DNA Center.

Click on "Form View" (icon on the right) to review the variable in this template, and change the following fields:
• "Field name" (Prompt): Enter your pod number
• "Data Type": Integer

Test your template with a simulation: enter a name for the simulation and your pod number, click "Run", and explore the result.
Finally, click on "Actions -> Commit" to commit this template so that it is available for a network profile to consume.

Note: the committed version of a template is read-only. If you want to make new changes, edit the local copy and commit it again. There is no limit on the number of committed versions, but only the latest committed version can be referenced by a network profile.
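The following is an added example, not code from the lab guide or from Cisco DNA Center. It is a local dry run of an onboarding template with the pod number as its only variable, equivalent to the Template Editor simulation above. Cisco DNA Center treats $name and ${name} as variables; Python's string.Template uses the same two spellings, which makes it a convenient stand-in. The example enforces the Integer data type set in Form View, rejects an undefined variable loudly instead of leaving it in the output, and handles the lab's addressing convention 10.10x.y.z, where pod 10 is 10.110.y.z (see the DHCP server in section 4.2): the second octet is 100 + pod, so a template that simply concatenates "10.10" and $pod produces an invalid address for pod 10. The template text and the derived ${octet} variable are constructed for this example and are not the lab's SW-SJ-BN-PODx-template.txt.

```python
"""Added example (not from the lab guide): dry-run an onboarding template
with the pod number as its only variable, the way the Template Editor
simulation does. The template text below is constructed for this example."""
from string import Template

MAX_POD = 10  # this lab has pods 1-10

# Constructed sample modelled on the lab's naming (SW-BN-PODx, Lo0 10.10x.255.2)
# and the "ip http client source-interface Loopback0" line the lab mentions.
# ${octet} is an assumed derived variable, not something the lab file defines.
SAMPLE_TEMPLATE = """\
hostname SW-BN-POD${pod}
!
interface Loopback0
 ip address 10.${octet}.255.2 255.255.255.255
!
ip http client source-interface Loopback0
"""


def pod_octet(pod: int) -> int:
    """Second octet of the lab's 10.10x.y.z scheme: pod 1 -> 101, pod 10 -> 110."""
    if isinstance(pod, bool) or not isinstance(pod, int) or not 1 <= pod <= MAX_POD:
        raise ValueError(f"pod must be an integer in 1..{MAX_POD}, got {pod!r}")
    return 100 + pod


def template_variables(text: str) -> set:
    """Names referenced as $name or ${name}, like the Form View variable list."""
    names = set()
    for match in Template.pattern.finditer(text):
        name = match.group("named") or match.group("braced")
        if name:
            names.add(name)
    return names


def render(template_text: str, pod) -> str:
    """Render template_text for one pod, validating the input before substitution.

    The Form View data type is Integer: a digit string such as "7" (what a
    form field returns) is accepted, anything else is refused rather than
    truncated or coerced.
    """
    if isinstance(pod, str) and pod.strip().isdigit():
        pod = int(pod.strip())
    if isinstance(pod, bool) or not isinstance(pod, int):
        raise ValueError(f"pod must be an integer, got {pod!r}")
    values = {"pod": pod, "octet": pod_octet(pod)}
    missing = template_variables(template_text) - set(values)
    if missing:
        raise KeyError(f"template references undefined variables: {sorted(missing)}")
    # substitute() rather than safe_substitute(): an unexpected placeholder must fail,
    # not be pushed to a switch as a literal "$name".
    return Template(template_text).substitute(values)


if __name__ == "__main__":
    print(render(SAMPLE_TEMPLATE, 10))
```

Run it with a pod number as the argument to render() to see the configuration that would be generated; passing 11, "abc" or a template with an unknown variable raises instead of producing a config with a bad address or an unexpanded placeholder.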
5.4 Define Network Profile – Design Phase

Now we are ready to define the switching network profile for Cat9300 switch onboarding.

Under the "Onboarding Template(s)" tab, click on "Add". Then select or search for "Cisco Catalyst 9300 Series Switches" for "Device Type" and the template "SW-BN-PODx" defined in the previous section.

Finally, click on "Save".

5.5 Assign Network Profile to Site – Design Phase

In the side panel "Add Sites to Profile", select the "Whynot" site and click on "Save".

5.6 Plan for PnP Discovery – Provision Phase

For devices to call home to the Plug and Play server in Cisco DNA Center, network admins need to prepare the DHCP/DNS service for PnP discovery. Please refer to the Solution Guide for Cisco Network Plug and Play for more details.

The figure below shows a Cisco IOS DHCP server configuration example for Plug and Play DHCP option 43, as configured on the upstream router in this lab (on POD1).
5.7 Claim to Site via PnP

Please note that at the first telnet prompt, enter the password from the "Line Password" column for your POD.

After connecting to the console of your switch, you can use the following script to reset the switch to factory default:
https://cisco.box.com/v/pnp-reset-sw-to-factory

Now you can relax for a few minutes. Monitor the console, but avoid touching the keyboard after the switch boots up, since any keystroke stops the PnP process. You should observe the PnP discovery completing successfully, like the figure below:
Once PnP discovery is successful, the Cat9300 switch will establish an HTTPS connection with Cisco DNA Center. Now go to the "Provision -> Devices -> Plug and Play" page and you should see the switch in the "Unclaimed" state.

Before you claim this switch, if you want to observe what Cisco DNA Center will configure, you can copy/paste the following EEM script into the switch console to capture it. It is safe to use the console now.

Now we are ready to claim this Cat9300 switch to the desired site. Select the switch and click on "Action -> Claim".
If the End User License Agreement (EULA) has not been accepted in the system settings of Cisco DNA Center, a pop-up window will prompt you to accept it. Go ahead, accept the EULA and click on "Apply".

Next, at "Site Assignment", select "Global/Whynot/Whynot DNAC" as the site and click on "Next".

On the "Configuration" page, you may see the warning message "Failed to retrieve device-specific production information...". This is because the exact device PID is not in the device family directory in Cisco DNA Center yet, while PnP is able to locate the parent device family, hence the warning. If the PID is found, the golden image is populated for you automatically.

So, ignore the warning message and select "16.8.1" as the "golden" image in the "Image" section if you want this switch to go through a software upgrade. In this lab, we will skip the image upgrade by selecting "Skip golden image upgrade" below.
On the "Advanced Configuration" page, select the switch you are about to provision, then input "x", where x is your POD ID, for the only variable in this template. Click on "Next".

Finally, on the "Summary" page, you can review the provisioning details. Explore this page to see what is shown in the different sections. In the "Day-0 Configuration Preview" section, Cisco DNA Center essentially generates configuration including device credentials and enabling SSH for later management. Some hidden commands are also documented for your reference, for switch provisioning in 1.2.10. Please refer to the link below for details:
https://cisco.box.com/v/SW-Day0-ConfigbyDNAC-PnP
In 1.3 releases, we will remove all hidden commands so that the configuration displayed in the UI matches the CLI configuration.

Click on "Template CLI Preview" to confirm the configuration. Click on "Claim" to claim the switch.

Please note the order of configuration: the configuration in "Day-0 Configuration Preview", generated by Cisco DNA Center, is pushed to the device first, followed by the user-defined CLI templates. You can verify this by monitoring the console.

After a few minutes, you should observe that the switch becomes "Provisioned".
Once the device is added to inventory, if "Device Controllability" is enabled, more configuration is added. You can observe this configuration via the switch console too. For a sample of the configuration added, please refer to the link below:
https://cisco.box.com/v/SW-Inventory-Controllability

A last tip: you will notice that the Loopback0 IP address of the switch automatically becomes its management IP in the figure below. That is because of the one-line command "ip http client source-interface Loopback0", which instructs the switch to use that interface's IP to call home for PnP over HTTP/HTTPS. The last call-home IP seen during PnP is handed off to inventory as the management IP of the device.
5.8 Complete Profile Provisioning

In this section, you will complete profile provisioning by pushing the configuration generated by Cisco DNA Center from the "Network Settings" page.

On the "Assign Site" page, since the site was already assigned during the PnP phase, simply click on "Next".

On the "Advanced Configuration" page, simply click on "Next".

On the "Summary" page, review the configuration in the "Network Settings" section and click on "Deploy".

In the sliding side panel, select "Now" to schedule this provisioning immediately and click on "Apply".

After that, simply monitor the switch console; you will see the configuration from the "Network Settings" page being pushed to the switch, as in the figure below:

Within a minute, the provisioning should complete successfully. Go back to "Provision -> Devices -> Inventory"; you should observe that "Provision Status" becomes "Success", as below:
You can click on "See Details" to take a deeper look at the provisioning details.

During this phase, Cisco DNA Center not only provisions the TACACS-related configuration to the device, but also creates the device entry under "Network Devices" in ISE as an AAA client, automatically through the API. Let us verify it by following the steps below on ISE:
You should see your switch added under "Network Devices" through the API.

In this section, we simply want to discover the existing devices in the "Whynot DNAC" site and assign them to it.

Select "Tools -> Discovery".
Discovery can be done through CDP, LLDP or an IP range. You will use CDP, with the newly claimed switch 10.10x.255.2 as the seed device (x is your pod number).
Name the discovery "PODx", where x is your POD number.
Select "CDP" and enter the IP address of your switch (10.10x.255.2).
Device Controllability is enabled by default (click "learn more" to understand what this option automatically configures on the devices).
Click on "Start".

You should successfully discover 4 devices, including the switch claimed in the previous section.
Ignore the two APs discovered, which will not be used in this lab.

Next, we will assign these discovered devices to the site "Whynot DNAC".
Go to "Provision -> Device Inventory", select all devices, then click "Actions -> Assign Device to Site".
Select the building "Whynot DNAC" for the router and click on the checkbox "Apply to All", which applies the site assignment to all applicable devices. Then click "Apply".

You will be returned to the "Provision -> Device Inventory" page, and the devices should be shown as assigned successfully, like below:
7.1 Overview

The Cat9800 is the next-generation wireless controller based on IOS-XE. Built on a modular operating system, it features open and programmable APIs that enable automation of your day-0 to day-N network operations. The config model of the Cat9800 is as below:

Cisco Catalyst 9800 config model (figure): access points are assigned tags. The Policy Tag maps WLANs to a Policy Profile, the Site Tag selects an AP Join Profile and a Flex Profile, and the RF Tag selects per-band RF Profiles (2.4 GHz and 5 GHz).

Similar to the AireOS WLC, the wireless network profile of the Cat9800 is the combination of what is generated by Cisco DNA Center and what is defined in CLI templates in Cisco DNA Center, as in the figure below. Please note that since Cat9800 PnP claim is not yet supported in the Cisco DNA Center 1.2.10 release, device credentials are not provisioned by Cisco DNA Center; they are used to match what is configured on the Cat9800 for discovery and management.

Wireless network profile (figure): Cisco DNA Center generated configuration, CLI templates and Device Credentials.

Day-0 Cat9800 wireless automation is essentially the same as AireOS WLC automation. It can be categorized into two major phases:

Design Phase:
Step 1. Create Sites – Define where devices belong.
Step 2. Define Network Settings – Define DHCP, DNS, AAA services, etc. for the site.
Step 3. Define Wireless Settings – Define SSIDs, wireless interfaces, RF profiles, etc.
Step 4. Create Templates – Create user-defined CLI templates for the wireless profile.
Step 5. Define Wireless Network Profile – Define a wireless network profile that uses the templates defined in Step 4.
Step 6. Assign Wireless Network Profile to Site – Assign the wireless network profile to the desired sites so that the Cat9800 WLC inherits it (configuration) when provisioned to those sites.

Day-0 Cat9800 Wireless Controller Provision Workflow (figure)

Provision Phase: Discover WLC -> Provision WLC to Site -> APs Discover Cisco DNA Center via PnP -> Provision APs to Site

Step 1. Discover Cat9800 WLC – Discover the Cat9800 WLC and add it to inventory.
Step 2. Provision Cat9800 WLC to Site – Provision the Cat9800 WLC to the site with the wireless profile defined in the design phase.
Step 3. APs Discover Cisco DNA Center via PnP – Plan DHCP option 43 or DNS for AP PnP discovery so that APs can discover Cisco DNA Center and become "Unclaimed".
Step 4. Provision APs to Site – Claim APs to the desired site.
In this section, you will complete day-0 automation to provision the Cat9800-CL wireless controller and AP to the sites via profile, based on the following FlexConnect architecture design:
• The Cat9800-CL is located in the "HQ -> BLDG5" site, which has an enterprise SSID named "DNAC-PODx".
• The FlexConnect AP is located at floor "Whynot DNAC -> DNAC Lab" of the remote site. Its native VLAN is 60, used for AP management. The SSID "DNAC-PODx" is locally switched to VLAN 50, named "Data-VLAN".

First, let us create the wireless interface to which the data traffic is locally switched at the remote site. Scroll down to the "Wireless Interfaces" section and click on "Add".
In the side panel, input "Data-VLAN" for "Interface Name" and "50" for "VLAN ID". Click on "Add" to add this new interface for the remote site.

You may notice this is the same process as creating a dynamic interface on an AireOS WLC. Here, however, it is used to define the locally-switched VLAN for the Flex AP on the Cat9800.

Next, we will define the native VLAN for the Flex AP. Scroll further down to the "Native VLAN" section, input "60" for "VLAN" and click on "Save". In this way, we define VLAN 60 as the native VLAN across sites, since it is defined at global level. Of course, you can override it at site level.

7.3 Create Wireless Profile and Assign Wireless Profile to Sites

Now let us create an Enterprise Wireless SSID and its associated wireless profile. At the same time, we assign this new wireless profile to the sites that the Cat9800 will manage.
Name it "DNAC-PODx", where x is your POD number. Keep the default values for the other fields and click on "Next".

Finally, click on "Finish".

7.4 Create Wireless Template

In this section, we will create a wireless template for the Cat9800-CL that enables wireless traps, so that the AP registration trap can be sent by the Cat9800-CL to Cisco DNA Center for seamless AP day-0 onboarding. Ideally, this would be done automatically by Cisco DNA Center during Cat9800-CL provisioning, but due to a known issue we use a template as a workaround.

First, create a project called "C9800-CL" and a template named "SNMP-Trap" under it. For the template "Device Type(s)", select as below:

Remember to Save and Commit this template so that it can be used by the network profile later.
7.5 Discover Cat9800-CL Wireless Controller

The Cat9800-CL virtual wireless controller for each POD is pre-configured with the minimum configuration shown below.

For the Cat9800-CL, the GigabitEthernet2 interface is the wireless management interface. Please refer to the Cisco Catalyst C9800-CL Wireless Controller Virtual Deployment Guide for details on the basic configuration.

Pod 1 – 192.168.40.131
Pod 2 – 192.168.40.132
...
Pod 10 – 192.168.40.140

At this point, please DO NOT connect to the Cat9800-CL via HTTPS: that would bring up the Cat9800 configuration wizard, since the country code is not set yet. In this exercise, we do not want to go through the configuration wizard to configure the Cat9800-CL.

Instead, SSH to your POD's Cat9800-CL (admin/cisco). After login, save the running configuration to a file called "pre-discovery" on flash, as below:
copy running-config flash:pre-discovery.cfg

Later, we will compare it with the post-discovery configuration to observe the configuration differences after a successful Cat9800-CL discovery.
In the "Credentials" section, click on "Add Credentials". In the sliding panel, click on the "NETCONF" tab, leave the port at the default "830", and click on "Save as global settings". Finally, click on "Save".

Wait a couple of minutes; the discovery should succeed, as below:

Now go back to the Cat9800-CL SSH session and type the following command to compare the pre-discovery and post-discovery configurations:
show archive config differences flash:pre-discovery.cfg system:running-config

In summary, the following configuration was added to the Cat9800-CL after discovery:

Now let us save the post-discovery C9800-CL configuration by typing the following command in the SSH session:
copy running-config flash:post-discovery.cfg

Go back to Cisco DNA Center, select "Provision", select your WLC and click on "Actions -> Provision".
On the "Assign Site" tab, select the building "Global/HQ/BLDG5" and click on "Next".

On the "Configuration" tab, add the site "Whynot DNAC" to "Managed AP Location(s)", which will include the floor "DNAC Lab" underneath it.

After that, you should see "3" for "Managing AP location(s)", which is the number of locations logically managed by this Cat9800-CL. The locally-switched VLAN "Data-VLAN" with VLAN ID "50" for the flex profile should be populated automatically. No changes are needed. Click on "Next".

Finally, on the "Summary" tab, review all the changes that will be applied, click "Now" and then "Apply".

You should now be brought back to the "Device Inventory" page of "Provisioning". You should observe changes in "Provision Status". You can monitor it by clicking the "Refresh" link.

It will take a couple of minutes to complete, and the WLC should be provisioned successfully.
Go back to the Cat9800-CL SSH session and compare the saved post-discovery configuration with the running configuration to see what provisioning added:
show archive config differences flash:post-discovery.cfg system:running-config
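The following is an added example, not from the lab guide: an offline equivalent of the "show archive config differences" check used after discovery (section 7.5) and after provisioning above, for the case where you have copied the saved .cfg files and the running configuration off the box (for example with SCP) and want to review, or archive for later audit, exactly what the controller pushed. It is section-aware, so a line added under one interface is not confused with the same line under another, and it ignores the header lines IOS-XE rewrites on every save (the "Building configuration", byte-count and "Last configuration change" lines), which would otherwise show up as noise. The two configurations embedded below are constructed for the example; the lines that differ are illustrative and are not a statement of what Cisco DNA Center actually adds on discovery.

```python
"""Added example (not from the lab guide): section-aware diff of two saved
IOS-XE configurations, ignoring the volatile header lines. The sample configs
below are constructed and do not reproduce what Cisco DNA Center pushes."""
import re

# Lines that change on every "show run"/save and carry no configuration.
VOLATILE = [
    re.compile(r"^Building configuration"),
    re.compile(r"^Current configuration\s*:"),
    re.compile(r"^! (Last configuration change|NVRAM config last updated|No configuration change)"),
]


def normalise(config_text: str) -> list:
    """Return (section, line) pairs; section is the enclosing top-level command
    (for example 'interface GigabitEthernet2') or None for top-level lines."""
    entries, section = [], None
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line == "!" or line == "end":
            continue
        if any(p.match(line) for p in VOLATILE):
            continue
        if line.startswith(" "):          # sub-command of the current section
            entries.append((section, line))
        else:                             # new top-level command
            section = line
            entries.append((None, line))
    return entries


def config_delta(before: str, after: str):
    """Return (added, removed) as lists of (section, line), in file order."""
    before_entries, after_entries = normalise(before), normalise(after)
    before_set, after_set = set(before_entries), set(after_entries)
    added = [e for e in after_entries if e not in before_set]
    removed = [e for e in before_entries if e not in after_set]
    return added, removed


def format_delta(added, removed) -> str:
    """Render the delta as +/- lines with their section, for review or a ticket."""
    out = []
    for sign, entries in (("+", added), ("-", removed)):
        for section, line in entries:
            where = f"{section} /" if section else ""
            out.append(f"{sign} {where}{line}")
    return "\n".join(out)


# Constructed "pre-discovery" and "post-discovery" snapshots (not real output).
PRE = """\
Building configuration...

Current configuration : 1234 bytes
!
! Last configuration change at 10:00:00 UTC Mon Jan 1 2018
!
hostname C9800-POD1
!
interface GigabitEthernet2
 ip address 192.168.40.131 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

POST = """\
Building configuration...

Current configuration : 1301 bytes
!
! Last configuration change at 10:25:00 UTC Mon Jan 1 2018
!
hostname C9800-POD1
!
ip name-server 192.168.40.1
!
netconf-yang
!
interface GigabitEthernet2
 description constructed example line
 ip address 192.168.40.131 255.255.255.0
!
line vty 0 4
 transport input ssh
!
end
"""

if __name__ == "__main__":
    print(format_delta(*config_delta(PRE, POST)))
```

Feed it the text of pre-discovery.cfg and post-discovery.cfg (or post-discovery.cfg and a fresh "show running-config") instead of the embedded samples; the header lines that differ between the two snapshots are dropped, and only the three constructed configuration lines are reported as added.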
Now you can go to the C9800-CL UI and review all the changes made by Cisco DNA Center (C9800-PODx is at 192.168.40.131-.140, admin/cisco).
Go to "Configuration -> Tags & Profiles -> WLANs"; you should see a new SSID created with a WLAN ID starting at "17". Please note that WLANs with an ID greater than 16 are not in the default AP group, which means that you need to put APs in a specific AP group to inherit this WLAN. Click on this SSID to review the changes if you like.
Go to "Configuration -> Tags & Profiles -> Policy"; you should see a new policy profile created too.
Click on this policy; you should see that "Central Switching" is not checked on the "General" tab, meaning traffic will be locally switched.
Click on the "Access Policies" tab; you should see "Data-VLAN" for "VLAN/VLAN Group", which is the locally-switched VLAN.

You can explore these changes further on the Cat9800-CL UI.

You can verify the corresponding configuration on the switch (SW-BN-PODx) by using "Command Runner" in Cisco DNA Center.
- Click on the first command "show running | sec pool AP"; you should see the CLI output in the right panel. The very first DHCP pool, for VLAN 60, includes option 43 for PnP discovery.
- Click on the second command "show run interface gig1/0/13"; you should see that interface gig1/0/13 is in trunk mode with native VLAN 60 for the FlexConnect AP. This interface is also in the "shutdown" state.

Now let us power on the AP connected to port gig1/0/13, which will obtain a DHCP IP address and option 43 from the VLAN 60 DHCP pool and discover Cisco DNA Center.
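The following is an added example, not code from the lab guide, Cisco IOS or Cisco DNA Center. It covers the DHCP-based PnP discovery planned for the switch in section 5.6 and used by the AP on the VLAN 60 pool above: it builds the option 43 ASCII string a Cisco IOS DHCP pool hands to a PnP client, parses one back into its fields with strict validation, and emits the pool configuration. The field codes (5A1N header, B2 = IPv4 address, K4/K5 = HTTP/HTTPS transport, I = server address, J = port, optional T = trust pool bundle URL and Z = NTP server) are those documented in the Cisco Network Plug and Play Solution Guide the lab refers to; the pool name, subnet and gateway in the usage call are assumptions. Two points worth keeping in mind: discovery via DHCP is not authenticated, so whoever controls the DHCP answer on the onboarding VLAN decides which PnP server a factory-default device contacts, and K4 means that first contact is plain HTTP (the device moves to HTTPS with Cisco DNA Center afterwards, as section 5.7 notes). Keep the onboarding VLAN isolated and watch it for rogue DHCP servers.

```python
"""Added example (not from the lab guide): build/parse the Cisco Plug and Play
DHCP option 43 string and emit the IOS DHCP pool that carries it."""
import ipaddress

PNP_HEADER = {"5A1N": False, "5A1D": True}  # 5A = PnP, 1 = version, N/D = debug off/on
ADDRESS_TYPES = {"1": "hostname", "2": "ipv4"}  # B field
TRANSPORTS = {"4": "http", "5": "https"}        # K field
OPTIONAL_FIELDS = {"T": "trustpool_url", "Z": "ntp_server"}


def build_pnp_option43(server: str, port: int = 80, https: bool = False) -> str:
    """Return the option 43 ASCII value pointing PnP clients at an IPv4 server."""
    address = ipaddress.IPv4Address(server)  # raises ValueError on a bad address
    if not 1 <= int(port) <= 65535:
        raise ValueError(f"port out of range: {port!r}")
    transport = "K5" if https else "K4"
    return f"5A1N;B2;{transport};I{address};J{int(port)}"


def parse_pnp_option43(value: str) -> dict:
    """Parse an option 43 string into its fields; raise ValueError on anything odd.

    The parser is deliberately strict: the string arrives over DHCP, an
    untrusted input, and a silently misparsed field would send a device to
    the wrong server.
    """
    fields = value.strip().split(";")
    if fields[0] not in PNP_HEADER:
        raise ValueError(f"not a PnP option 43 string: {value!r}")
    parsed = {"debug": PNP_HEADER[fields[0]]}
    for field in fields[1:]:
        if len(field) < 2:
            raise ValueError(f"malformed field {field!r}")
        code, data = field[0], field[1:]
        if code == "B":
            if data not in ADDRESS_TYPES:
                raise ValueError(f"unknown address type B{data}")
            parsed["address_type"] = ADDRESS_TYPES[data]
        elif code == "K":
            if data not in TRANSPORTS:
                raise ValueError(f"unknown transport K{data}")
            parsed["transport"] = TRANSPORTS[data]
        elif code == "I":
            parsed["server"] = data
        elif code == "J":
            if not data.isdigit() or not 1 <= int(data) <= 65535:
                raise ValueError(f"bad port J{data}")
            parsed["port"] = int(data)
        elif code in OPTIONAL_FIELDS:
            parsed[OPTIONAL_FIELDS[code]] = data
        else:
            raise ValueError(f"unknown field code {code!r}")
    for required in ("address_type", "transport", "server", "port"):
        if required not in parsed:
            raise ValueError(f"missing required field: {required}")
    if parsed["address_type"] == "ipv4":
        ipaddress.IPv4Address(parsed["server"])  # reject B2 with a non-address
    return parsed


def ios_pnp_dhcp_pool(pool_name: str, network: str, gateway: str, option43: str) -> str:
    """Render a Cisco IOS DHCP pool carrying option 43 (pool parameters are assumptions)."""
    net = ipaddress.IPv4Network(network, strict=True)
    if ipaddress.IPv4Address(gateway) not in net:
        raise ValueError("gateway is not inside the pool network")
    return "\n".join([
        f"ip dhcp pool {pool_name}",
        f" network {net.network_address} {net.netmask}",
        f" default-router {gateway}",
        f' option 43 ascii "{option43}"',
    ])


if __name__ == "__main__":
    # Pod 1 values from the lab: Cisco DNA Center 192.168.40.91, AP pool 10.101.60.0/24.
    # The pool name and the .1 gateway are assumed.
    opt = build_pnp_option43("192.168.40.91")
    print(ios_pnp_dhcp_pool("PNP-VLAN60", "10.101.60.0/24", "10.101.60.1", opt))
    print(parse_pnp_option43(opt))
```

Run it as a script to print the pool for pod 1; to check what a device on the onboarding VLAN is actually being told, paste the option 43 value from "show ip dhcp pool" or a packet capture into parse_pnp_option43() and confirm that the server it names is your Cisco DNA Center.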
Connect to the switch (SW-BN-PODx) and activate port gig1/0/13. The switch console information was given in a previous exercise, but you can refer to the table below for convenience.

After a few minutes, you should see the AP obtain a DHCP IP address in the appropriate pool (10.10x.60.0); verify with the "show ip dhcp binding" command:

Go back to Cisco DNA Center; you should see this AP become "Unclaimed" on the "Provision -> Plug and Play" page, as below:
7.8 Claim AP to Site

In this section, you will claim this AP to the floor "DNAC Lab".

On the "Site Assignment" tab, choose your floor "DNAC Lab" and click on "Next".

On the "Configuration" tab, choose "Typical" for "RF Profile" and click on "Next".

On the "Summary" tab, review the policy tag, site tag and RF tag assigned to this AP in the "Day-0 Configuration Preview" section. Click on "Claim".
AP will transition into “Onboarding” state and stay in this state for a few minutes. Behind
the scene, the AP is provisioned with primary WLC to join and Cisco DNA Center will also
provision policy, site and RF tags related to AP on C9800-CL wireless controller.
Moreover, from serviceability perspective, Cisco DNA Center will not change APs
“Onboarding” state until APs join desired wireless controller successfully.
Note: If the AP onboarding takes a long time (more than 10 minutes) and AP joined the WLC
as local mode already, pls. resync your WLC C9800 from your Provisioning page by selecting
Actions > Resync. That will add AP into DNA Center inventory and DNA center will go to
C9800 and change the AP mode to Flex.
If you like to check on AP joining status, you can log in your Cat9800-CL UI and check on
“Monitoring->AP Statistics->Join Statistics” as below while waiting:
Page 67 of 86
Once the AP joins the wireless controller successfully, AP join traps are sent to Cisco
DNA Center to report the event, which in turn changes the AP state to “Provisioned” on the
“Plug and Play” page.
Cisco DNA Center will also trigger a resync with the wireless controller to eventually add the
AP into inventory, as below:
If you monitor your Cat9800-CL closely, you may notice that the AP first joins the controller in
local mode. Then, after a few minutes, it changes to flex mode and reboots to finish the mode
change. Wait until the AP is in flex mode before proceeding.
You can also log in to the C9800-CL UI to review and verify these changes.
Go to “Configuration->Tags & Profiles->Flex” and click on the newly created flex profile; you
should see “Native VLAN” set to “60” under the “General” tab.
Click on the “VLAN” tab; you should see VLAN “Data-VLAN” with ID “50”.
Go to “Configuration->Tags & Profiles->Tags” and click on the newly created policy tag; you
should see the WLAN profile to policy profile mapping:
Click on the “Site” tab and the newly created site tag; you should see that the default AP join
profile is used and the flex profile created is selected. Also notice that “Enable Local Site” is
unchecked, meaning FlexConnect mode for APs associated with this site tag.
Click on the “RF” tab and the newly created RF tag “TYPICAL”; you can review the changes as below:
Click on this AP; you will see the policy, site and RF tags assigned to it in the “General” tab.
Click on the “High Availability” tab; you will observe that the primary controller name and IP are
configured.
7.9 Heat Map
Go back to “Design->Network Hierarchy” on Cisco DNA Center, go to your floor “DNAC Lab”
and click “Edit”, then “Access Points->Position”.
Drag and drop the APs anywhere you want on the map (see the other options: position by 3
points or by 2 walls) and choose antennas for 2.4 GHz and 5 GHz (choose “AIR-ANT2535SDW-R”;
most of the APs in the lab don’t have antennas).
Click on “Save” and the heatmap will be displayed.
8 Smart Licensing Integration
8.1 Overview
There are four options (listed below) for Cisco devices to perform smart licensing registration. In this
section, we will use Cisco DNA Center to orchestrate smart licensing registration for
managed Cisco devices via option 1 (direct cloud access). For direct cloud access registration,
Cisco devices need direct Internet access without an HTTP/HTTPS proxy so they can
register directly with Cisco Smart Software Manager (CSSM).
In this section, you will go through the smart licensing registration process with a Cat9300
switch.
In order to register devices with CSSM, users need to have cisco.com (CCO) credentials and
their organization needs to have a smart account with Cisco.
In this lab, the CCO credential was configured already, and the associated smart account “BU
Production Test” is shown accordingly. Please note that the Cisco DNA Center license
manager only supports a single smart account association per CCO account.
Click on “License”; you may notice that the “Auto register smart license enabled devices”
option is unchecked. It was configured that way on purpose for this lab, since we want to do
the smart licensing registration manually.
Next, go to “Tools->License Manager” and click on “All Licenses”; you will see the license status
of all devices in inventory. Out of the 5 devices, there should be two, SW-EN1-PODx and
C9800-PODx, eligible for smart licensing registration. The reason is that smart licensing is
only enabled by default from the 16.9.1 code onward for Cat9K.
First, SSH into SW-EN1-PODx (10.10x.255.3, admin/cisco/cisco) and enter the
following commands if you would like to monitor the changes made by Cisco DNA Center for smart
license registration:
term mon
conf t
event manager applet catchall
event cli pattern ".*" sync no skip no
action 1 syslog msg "$_cli_msg"
Now let us go ahead and register SW-EN1-PODx to CSSM manually. Select the device, then
click on “Action->Manage Smart License->Register”.
In the pop-up window, select the “EFT FIELD SEVT” virtual account to register this device to,
then click on “Continue”.
Go back to the SSH session to SW-EN1-PODx; you should see that a DNS server is configured and the
token ID from CSSM is pushed by Cisco DNA Center for smart licensing registration.
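The catchall applet configured earlier echoes every CLI line the switch executes, so the DNS server and token push described here can be audited after the fact. The following Python script is an added example, not part of the lab: it parses such syslog output (the sample lines, their timestamps, the name-server address and the token value are constructed, not captured from the lab), flags commands outside the expected registration workflow, and redacts the token argument, which the applet otherwise writes to syslog in clear.

```python
import re
from dataclasses import dataclass
# Constructed sample of what the "catchall" EEM applet from this lab echoes to the
# terminal (term mon) while Cisco DNA Center registers the switch. Timestamps,
# the DNS server address and the token value are illustrative assumptions.
SAMPLE_SYSLOG = """\
*Mar  1 10:12:01.123: %HA_EM-6-LOG: catchall: configure terminal
*Mar  1 10:12:01.456: %HA_EM-6-LOG: catchall: ip name-server 192.168.40.1
*Mar  1 10:12:02.001: %HA_EM-6-LOG: catchall: license smart register idtoken EXAMPLE-TOKEN-NOT-REAL
*Mar  1 10:12:02.500: %HA_EM-6-LOG: catchall: end
*Mar  1 10:12:03.000: %SYS-5-CONFIG_I: Configured from console by admin on vty0
"""

# Lines written by "action 1 syslog msg" of the applet named catchall.
CATCHALL_RE = re.compile(r"%HA_EM-6-LOG: catchall: (?P<cmd>.+)$")
# Commands the lab text says to expect from a DNA Center-driven registration.
EXPECTED_PREFIXES = ("ip name-server", "license smart register idtoken")
# The applet echoes the registration token in clear: drop the argument before
# the record is stored or shared.
SECRET_PREFIXES = ("license smart register idtoken",)
MODE_CHANGES = {"configure terminal", "conf t", "end", "exit"}

@dataclass
class CliEvent:
    command: str    # CLI line, with any secret argument redacted
    expected: bool  # part of the registration workflow described above
    redacted: bool  # True if a secret argument was removed

def redact(cmd):
    for prefix in SECRET_PREFIXES:
        if cmd.startswith(prefix):
            return prefix + " <redacted>", True
    return cmd, False

def parse_catchall(syslog_text):
    """Extract the commands the catchall applet logged, redacting secrets."""
    events = []
    for line in syslog_text.splitlines():
        m = CATCHALL_RE.search(line)
        if not m:
            continue  # other syslog messages (e.g. CONFIG_I) are not CLI echoes
        cmd = m.group("cmd").strip()
        safe_cmd, redacted = redact(cmd)
        events.append(CliEvent(safe_cmd, cmd.startswith(EXPECTED_PREFIXES), redacted))
    return events

def unexpected_commands(events):
    """Commands outside the expected workflow, ignoring mode changes."""
    return [e.command for e in events if not e.expected and e.command not in MODE_CHANGES]
```

Run parse_catchall over the captured terminal output; an empty result from unexpected_commands means only the DNS and registration commands were pushed.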
You can also check the license status by typing the following command:
Go to “License Manager->All Licenses” on Cisco DNA Center, refresh the page and click
on SW-EN1-PODx; you should see that this switch is registered to the virtual account “EFT FIELD
SEVT” with authorization status “Authorized”.
Now you can stop. Ask your proctor to log in to his smart account and virtual account to show
you that your switch is registered successfully on the “Smart Software Licensing” portal page
(CSSM) at software.cisco.com.
9 Software Image Management
Cisco DNA Center provides software image update features with interesting capabilities such as:
• Extensive pre-checks
• Concept of golden image
• SMU support
• Distribution and activation in separate jobs
Cisco DNA Center can host an image repository (you can also use an external repository).
Note: as the lab has been run several times, the device has probably already been upgraded. So, if your
device SW-EN1-PODx is running 16.09.02, you will upgrade it to 16.09.03, and if your device
is running 16.09.03, you will downgrade it to 16.09.02.
Depending on the running version of your switch, import the other image from an
FTP server located in the lab. For example, import the 16.09.03 image if your switch is running the
16.09.02 image, or vice versa.
Choose the appropriate image for your switch to populate into your image repository.
Use one of these URLs to obtain the image:
• ftp://pi:cisco@192.168.40.11/cat9k_iosxe.16.09.02.SPA.bin
• ftp://pi:cisco@192.168.40.11/cat9k_iosxe.16.09.03.SPA.bin
Click on “Import”.
In the pop-up window, paste the URL above into the “Enter image URL (http or ftp)” field and click
on “Import”.
Immediately after that, you should see a small text box in the right corner of your screen
indicating that the file transfer succeeded. Click on the “show tasks” hyperlink to check the image
import status.
In the “Recent Tasks” side panel, you should see that this image import is still in progress.
Wait until it completes.
Refresh the “Image Repository” page, find Cisco Catalyst 9300 Switch and expand the arrow. Scroll
down the list of images and you should find the newly imported image, in this case 16.09.02. Click
on the pen icon and select “Access” to mark it as the golden image for Catalyst 9300 switches in the
access role.
After that, you should see a golden star appear next to the “Access” role.
Why?
The reason is the difference in their device roles. The golden image is marked only for
Cat9300 in the access role. Thus, SW-EN1-PODx is shown as “Outdated” since it is in the access
role, but the other device SW-BN-PODx is not, since it is in the distribution role.
Next to the “Outdated” hyperlink you may see a green checkmark, meaning the upgrade
readiness pre-check passed on this device.
If you would like to see what pre-checks were done by Cisco DNA Center, click on “Outdated”.
You should see an example like below:
On the “Distribute” tab, select “Now” and click on “Next”. You may also notice the
message “Distribution for 1 device is already done”. That is because the image was saved
on the Cat9300 flash already in order to save lab exercise time. Cisco DNA Center detected this
image on flash and will skip the distribution task.
On the “Activate” tab, select “Now” and click on “Next” to trigger activation immediately. You
also have the option to schedule it at a different time.
Lastly, on the “Confirm” tab, review and click on “Confirm”.
You can check the image upgrade process by clicking on “Upgrade Status”.
You should see that the image upgrade for this device is in progress, like below:
At last, you should see the upgrade succeed for this device, as below:
END of LAB