DNA Center 1.2.10 - Automation Lab

Cisco DNA Center 1.2.
10 - Automation Lab
Enterprise SEVT – April 2019
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Page 1 of 86
1 LAB PREPARATION 3
1.1 LAB TOPOLOGY 3
1.2 CONNECTION TO LAB 3
2 CONNECT TO CISCO DNA CENTER AND ISE 4

2.1 CONNECT TO CISCO DNA CENTER 4
2.2 CONNECT TO ISE 4
3 ISE INTEGRATION 5
4 DESIGN 9
4.1 NETWORK HIERARCHY 9
4.2 NETWORK SETTINGS 14
4.3 DEVICE CREDENTIALS 17
5 DAY-0 SWITCH ONBOARDING VIA PNP 20

5.1 OVERVIEW 22
5.2 DEFINE GOLDEN IMAGE – DESIGN PHASE 23
5.3 CREATE ONBOARDING TEMPLATE – DESIGN PHASE 25
5.4 DEFINE NETWORK PROFILE – DESIGN PHASE 31
5.5 ASSIGN NETWORK PROFILE TO SITE – DESIGN PHASE 32
5.6 PLAN DHCP OPTION 43 OR DNS FOR PNP DISCOVERY – PROVISION PHASE 32
5.7 CLAIM TO SITE VIA PNP – PROVISION PHASE 33
5.8 COMPLETE PROFILE PROVISIONING – PROVISION PHASE 39
6 DISCOVERY AND ASSIGN DEVICES TO SITE 43
7 DAY-0 CAT9800 WIRELESS AUTOMATION 46

7.1 OVERVIEW 46
7.2 FLEX SPECIFIC DESIGN IN WIRELESS SETTINGS 48
7.3 CREATE AND WIRELESS PROFILE, AND ASSIGN WIRELESS PROFILE TO SITES 49
7.4 CAT9800-CL WIRELESS TEMPLATE 51
7.5 DISCOVER CAT9800-CL WIRELESS CONTROLLER 53
7.6 PROVISION WIRELESS CONTROLLER 56
7.7 AP DISCOVERS CISCO DNA CENTER VIA PNP 62
7.8 CLAIM AP TO SITE 65
7.9 HEAT MAP 72
8 SMART LICENSING INTEGRATION 74

8.1 OVERVIEW 74
8.2 PRE-REQUISITES- CISCO CREDENTIAL AND SMART ACCOUNT 74
9 SOFTWARE IMAGE MANAGEMENT 79

9.1 POPULATE SOFTWARE IMAGE REPOSITORY 79
9.2 MARK IMAGES AS GOLDEN 81
9.3 UPDATE OS OUTDATED DEVICES 82
Page 2 of 86
1 Lab Preparation
1.1 Lab Topology
Each student group shares the following network
DNAC: 192.168.40.91-100
C9800-CL: 192.168.40.131-140
Enterprise
Network
ISE: 192.168.40.171-180
WLC 3504:
WLC-PODx RTR-PODx : Router (4331)
10.10x.255.130 Lo0:10.10x.255.1
SW-BN-PODx
Cat 9300 Core/Distribution
Lo0: 10.10x.255.2
AP 2800
ISIS
SW-EN1-PODx SW-EN1-PODx
Cat 3850 Acces Cat 9300 Access
Lo0 10.10x.255.3 Lo0 10.10x.255.3
AP 2800
AP 2800
1.2 Connection to lab
To connect to the lab, use AnyConnect VPN client:
• server: primelab-us.cisco.com
• username: sevt
• password: sevt
Page 3 of 86
2 Connect to Cisco DNA Center and ISE
2.1 Connect to Cisco DNA Center

Launch the browser and connect to Cisco DNA Center using IP address.
https://192.168.40.9x
where x is your pod number (192.168.40.91-99 for POD 1 to 9; 192.168.40.100 for POD 10)
Use the following credentials to login to Cisco DNA Center.
Username: admin
Password: Public123$
2.2 Connect to ISE
Open a separate tab and connect to ISE using the following link:
https://192.168.40.17x
where x is your pod number (192.168.171-179 for POD 1 to 9; 192.168.40.180 for POD10)
Username/ Password to connect to ISE is given below:
Username: iseadmin
Password: Public123$
Page 4 of 86
3 ISE integration
In the lab, ISE is required and will be used for device access.
To save time in the lab, PxGrid has already been configured on ISE. The steps related to ISE
below are for information.
To integrate Cisco DNA Center and ISE the following steps are needed.
• You must first configure ISE to enable pxGrid

Go to “Administration > System > Deployment”, click your ISE node and check if the
pxGrid is enabled at the bottom. If not, enable it and then click Save.
• Copy the FQDN (you will need to give this in Cisco DNA Center settings page to
configure the ISE integration)
Page 5 of 86
In “Administration > pxGrid Services”, you will see pxGrid connected message at the
bottom.
Note: Please note if pxGrid was not enabled before, it can take a few minutes.
Page 6 of 86
Next, still in “Administration > PxGrid Services”, then click on the “Settings”, check
“Automatically approve new certificate-based accounts”.
Rest of the integration needs to be done on Cisco DNA Center.
Go back to the Cisco DNA Center browser and then go to “System Settings > Settings >
Authentication and Policy Servers”. Click on “Add”.
You need to fill the “Add AAA/ISE Server” form with the parameters below:
- ISE Server IP: 192.168.40.17x (for Pod 1-9) or 192.168.40.180 (Pod 10)
- Shared Secret: cisco
- CISCO ISE server: ON
- Username: iseadmin
- Password: Public123$
- FQDN: Copy this from ISE server (Administration > System > Deployment) and paste
it here.
Be careful, it must match the FQDN you have in ISE not what you can find in DNS
resolution!
- Subscriber name: DNACx, where x is your Pod number.

- Expand “Advanced Settings” and select TACACS option also along with the RADIUS.
- Click “Apply”
Page 7 of 86
Cisco DNA Center will now create the AAA server.
After a few minutes you should see
On ISE side, at Administration->PxGrid Services, your Cisco DNA Center client should be
approved automatically and become online later.
You can verify that Cisco DNA Center and ISE are integrated as below:
Page 8 of 86
4 Design
4.1 Network Hierarchy
You will create now a new site with one building and one floor
Select “Design”
Then “Network Hierarchy”, and click on “Add Site”
Page 9 of 86
Select Add Area
Enter the Site Name: “Whynot”
Select the Site and click on “Add Building”
Page 10 of 86
Fill in the followings and click on “Add”:
Building Name: “Whynot DNAC”

Address: Whynot Road, Laurel Hill, North Carolina
Select the address.
Don’t be too creative if you want to choose another location. The location is used to
configure the country of the WLC which must be consistent with the regulatory domain of
the AP. If you choose a location outside North America, you can have issue with your AP.
Before adding floor, let us download the floor map (Floox-298x164.jpg) from the box link
below:
Page 11 of 86
https://cisco.box.com/v/floorplan
Go back to the building Whynot DNAC and then select “Add Floor”
Enter “DNAC lab” in “Floor Name” field and select “Cubes and Walled Offices” for “Type (RF
Model)”.
Upload the floor map (Floox-298x164.jpg) for “Floor Image” and change the “Width” to
“298” ft, then click “Add”
Page 12 of 86
You should have loaded the floor map
Similarly, created a site called “HQ” below:
Select “HQ” site then create a building called “BLDG5” with this address below:
325 E Tasman Drive, San Jose, CA 95134
Page 13 of 86
4.2 Network Settings
Now you will define in “Network Settings -> Network”, the list of servers as well as some
other settings that you would see configured on your devices when you provision them.
First, add AAA and NTP servers in “Network Settings” tab since they are not selected by
default.
Click on “Design > Network Settings > Add Servers”, and select “AAA” and “NTP”
Then fill in the form as below:

Page 14 of 86
For AAA Server:
• Select both Network and Client/Endpoint
• Under “NETWORK” subsection, select ISE and TACACS then choose ISE server IP
address
• Under “CLIENT/ENDPOINT” subsection, select ISE and RADIUS then choose ISE server
IP address
For other fields, fill in as show below:
- DHCP Server: 10.10x.50.2, where x is your pod number (10.110.50.2 for pod 10)
- Domain Name: sda.ciscous.com
- DNS Server: 192.168.40.1
- Syslog Server: Select the checkbox “Cisco DNA Center as Syslog server”
- SNMP Server: Select the checkbox “Cisco DNA Center as SNMP server”
- NTP: 10.0.255.3
- Time Zone: select “GMT”
- Message of the day: you can be creative here …
Ensure you click “Save” button on “Network” tab before proceeding.
Page 15 of 86
Click on the “Whynot” Site in the network hierarchy (left column), you should see that
settings are inherited from global (note that they can be overridden at site level).
Page 16 of 86
4.3 Device Credentials
In this section, you will define the network credentials that you would like to use to access
your devices.
Credentials are defined globally and are inherited by sites in the hierarchy. Multiple
credentials can be defined and it’s possible to select which one will be used for each site.
Select “Design -> Network Settings -> Device Credentials”
Select “Global” in hierarchy and click on “Add” to add CLI credentials
Page 17 of 86
Add CLI credentials shown below and save. Don’t worry about the warning regarding ISE and
try to figure out why you will not have such issue.
Name/Description: admin
Username: admin
Password: cisco
Enable: cisco
Don’t be creative with username/password as they have been preconfigured like this in the
devices and in ISE
Page 18 of 86
Define SNMP credentials both V2C Read (Name ‘ro’ and community public) and V2C Write
(Name ‘rw’ and community private) and click Save.
(same remark as above, use exactly these credentials)
Make sure you have selected all the check box for all credentials that were defined:
• CLI
• SNMP READ
• SNMP WRITE
and click save.
Page 19 of 86
Warning: On the screen shot above, don’t forget to click on SNMP Write credential and
select it.
You should see the Success Message at the bottom once you click Save.
5 Day-0 Switch Onboarding via PnP

The workflow of switching day-0 onboarding is categorized into two major phases, Design
Device Onboarding
and Provision phase. Design Workflow
Switching/Routing
Design Phase:
There are 6 steps involved during the Design.
Create
Define Network Define Golden Onboarding Define Network Assign Network
Create Sites
Settings Image (Optional) Templates Profile Profile to Sites
(Optional)
Create Sites – Define where onboarding devices belong to. (Already defined
above in section 4.1)
© 2017 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Page 20 of 86
Define Network Settings – Define DHCP, DNS, AAA services and etc. for the site.
(Already defined above in section 4.2)
Define Golden image – Define the golden image if network admin wants devices
to run on a standardized software image (See section 5.2 below).
Create Onboarding Templates – Create user-defined CLI templates to be used by
PnP for day-0 onboarding (See section 5.3 below).
Define Network Profile – Define network profile that uses onboarding templates
defined in Step 4 (See section 5.4 below).
Step 6. Assign Network Profile to Site – Assign the network profile to the desired sites so
that device can inherit it when claimed to the sites (See section 5.5 below).
Provision Phase:
During provision phase, there are three steps involved:

Device Onboarding Provision Workflow
Switch
Step 2
Step 0 Step 1
Complete Profile
Plan for PnP Discovery Claim to Site via PnP
Provisioning
Plan DHCP Option 43 or DNS for What are Provisioned? What are Provisioned?
devices to discover Cisco DNA
Center • Part 1- PnP Claim • Network Settings of Profile
• Device Credentials of Profile
• CLI Template(s) of Profile
• Part 2- Add to Inventory
• Device Controllability if it is
enabled
Profile Profile
Plan for PnP Discovery – Plan DHCP option 43 or DNS for devices to discover Cisco
DNA Center. For non-fabric onboarding, this is the step outside of Cisco DNA
Center automation (See section 5.6 below).
Claim to Site via PnP – After devices discovers Cisco DNA Center successfully, they
will become “Unclaimed” state for network admin to claim. When network admin
claims the devices, there are two part of configurations are added in this step
(See section 5.7 below):
• PnP Claim – Device credentials and CLI template of profile
• Add to Inventory – Configuration of “Device Controllability” if it is
enabled.
Complete Profile Provisioning – Until this step, configuration in “Network
Settings” page of Cisco DNA Center is still not provision yet. To complete profile
provisioning, network admin needs to provision the devices again after devices
are managed by Cisco DNA Center (See section 5.8 below).
Page 21 of 86
In this section, we will use Cat9300 switch to go through day-0 onboarding workflow for
switches via PnP.
5.1 Overview
Cisco DNA Center onboarding workflow is designed to follow the principles of network IT
operation from Design to Provisioning. To the core of this workflow, it is all about the site
concept as figure below.
So, what is exactly in switching network profile? Refer to the picture below from PnP TDM
deck for 1.2.8.
Network Profile - Switching
CLI Templates
Device Credentials
User Defined
Configuration
System Generated Configuration by
Cisco DNA Center UI Orchestration
• Network Settings
• Device Credentials
Network Settings
• AAA (Radius and TACACS)
• DHCP and DNS
• Syslog, SNMP, and Netflow
Collector
• NTP Server
• Message of Day
For users, the configuration of switching is the combination of what is generated by Cisco
DNA Center and what is defined in CLI templates. Users should avoid the configuration
overlap is possible. In case of overlap, they can user user-defined template to override what
is generated by Cisco DNA Center.
Page 22 of 86
5.2 Define Golden Image – Design Phase
In Cisco DNA Center, it is mandatory to mark image as “Golden” for device family for
upgrade. Otherwise, the image will not be available for upgrade even if it is imported
successfully. Furthermore, marking it as “Golden” can be done at global or site levels. The
purpose to have this option at site level is to enable flexibility to override what is at global
level.
Please note that starting from Cisco DNA Center 1.2.8 release, Software Image Management
(SWIM) will support the new capability, which allows users to assign the imported image to
the desired device family manually even if the devices are not part of inventory yet. This new
feature is developed specifically to support devices software upgrade for day-0 onboarding.
Let us first import the image. On “Design” page, click on “Image Repository”, then click on
“Import”
You can import 16.8.1a image for Cat9300 from a ftp server located in the lab using this URL:
ftp://pi:cisco@192.168.40.11/cat9k_iosxe.16.08.01a.SPA.bin
After clicking “Import” button, you will notice the Import Image message.
Page 23 of 86
You can click on “Show Tasks” which will display importing status for this image in a sliding
window below:
After a few minutes, if you click on “Refresh” button again, it should see green checkbox to
indicate the import success as below:
Then go back to “Image Repository”, click on “Refresh” button, you show see a new category
called “Imported Images” under “Family” column. Click on “Assign” button
In pop-up window, select the checkbox next to “Cisco Catalyst 9300 Switch”, and click on
“Assign”
Note: if you do not see any entry under “Device Series” section, that means that Cisco DNA
Center has some connectivity issue with cisco.com for some reasons so it could not fetch
related device family list. In that case, you can still choose “Switches and Hubs” under
“Device Types”, then type in keyword “9300” in search bar, then select the checkbox next to
“Cisco Catalyst 9300 Switch”, and click on “Assign”
Page 24 of 86
Now go back to “Image Repository” page, you should see “Cisco Catalyst 9300 Switch” is
shown in Family.
Now you are ready to mark this device as “Golden” by click on star under “Golden Image”
column. You should see it will mark “ALL” under “Device Role” column, meaning it is the
standardized image version for all Catalyst 9300 switches regardless of device roles.
Once you mark the image as Golden, you will see a Success Message being shown at the
bottom and you can also see that the color of the star is now turned to Golden.
5.3 Create Onboarding Template
Before this exercise, let us go to box folder for switch template first as the link below:
Page 25 of 86
https://cisco.box.com/v/SWITCH-TEMPLATES
Locate the switch template named “SW-SJ-BN-PODx-template”. You can download or open
it. We will use it later in this section.
In this section, we will create an onboarding switch template in “Template Editor”, which
will be used to create switching network profile later.
On the top corner of Cisco DNA Center page, click on the square dot icon and select
“Template Editor”
In “Template Editor”, you will see a new system default project named “Onboarding
Configuration”, which is designed to group all day-0 onboarding templates. Only templates
in this project can be used for day-0 onboarding, while templates under user-defined
projects will be used for day-2 provisioning. Click on “Add Template”
Fill the form as below:

• Name: SW-BN-PODx, where x is your POD number
• Project Name should show Onboarding Configuration
• Device Type: Cisco Catalyst 9300 Series Switches. To select this device family, you
need to click on “Edit”, then type in “9300” in search field of next window and select
the checkbox next to “Cisco Catalyst 9300 Series Switches”.
• Software Type: IOS-XE
Click on “Add” button
Page 26 of 86
Now, copy and paste the content of the switch template file (SW-SJ-BN-PODx-template.txt)
into this new template.
Please note that a string starting with $ will be considered as a variable. To avoid confusion
${var} can also been used. In this lab, we just defined the pod number as only variable for
simplicity and demonstration.
Click on “Actions->Save” to save the local copy of template on Cisco DNA Center:
Page 27 of 86
Click on “Form View” to review the variable in this template (icon on right … see below):
Change the following fields:
• “Field name” (Prompt): Enter your pod number
• “Data Type”: Integer
Select Actions-> Save
Page 28 of 86
Test your template with a simulation
Create a simulation, then click New simulation
then
Enter a name for the simulation, your pod number and click run
Page 29 of 86
Explore the result
Page 30 of 86
Finally, click on “Actions->Commit” to commit this template so it can be available for
network profile to be consumed.
Note: The committed version of template is read-only. If there are new changes you want to
make, you can edit the local copy and commit it again. There is no limitation on the number
of committed versions, but only latest committed version can be referred by network profile
later.
You have this popup
5.4 Define Network Profile
Now, we are ready to define switching network profile for Cat9300 switch onboarding.
On “Design->Network Profile” page, click on “Add Profile->Switching”
Next, fill in “SW-BN” string for “Profile Name”.
Now under “Onboarding Template(s)” tab, click on Add. Then select or search “Cisco
Catalyst 9300 Series Switches” for “Device Type” and template “SW-BN-PODx” defined in
previous section.
Page 31 of 86
Finally, click on “Save”.
5.5 Assign Network Profile to Site
Back to “Network Profiles” page, click on “Assign Site”.
On the side panel for “Add Sites to Profile”, select “Whynot” site and click on “Save”.
Now, you complete all required steps during design phase.
5.6 Plan DHCP Option 43 or DNS for PnP Discovery
In order for devices to call home to plug and play server in Cisco DNA Center, network
admins need to prepare DHCP/DNS service for PnP discovery. Please refer to Solution Guide
for Cisco Network Plug and Play for more details.
In figure below, it is a Cisco IOS DHCP server configuration example for Plug and Play DHCP
Option 43, which is configured on upstream router in this lab (on POD1).
Page 32 of 86
5.7 Claim to Site via PnP
Now we are ready to claim switch to site via PnP.

But first, let us reset the switch, SW-BN-PODx, where x is you POD number, to factory
default. In order to do that, you need to connect to the console the switch by using telnet to
specific port for your POD. Please refer to the table below for login details:
POD Number Switch Terminal port Line Switch Credentials

server Password
1 SW-BN-POD1 192.168.195.1 2013 POD1 admin/cisco/cisco
Please note that at first prompt of telnet, input password in “Line Password” column for you
POD.
After connecting to the console of your switch, you can use the following script to reset the
switch to factory default.
https://cisco.box.com/v/pnp-reset-sw-to-factory
Now you can relax for a few minutes. Monitor the console but avoid touching keyboard after
switch boots up since that will stop PnP process. You should observe PnP discovery done
successfully like the figure below:
Page 33 of 86
Once PnP discovery is successful, the Cat9300 switch will establish HTTPs connection with
Cisco DNA Center. Now go to “Provision->Devices->Plug and Play” page and you should see
the switch becomes “Unclaimed”.
Before you claim this switch, if you want to observe what will be configured by Cisco DNA
Center, you can copy/paste the following EEM script in switch console to capture them. It is
safe to get into console now, J.
event manager applet catchall

event cli pattern ".*" sync no skip no
action 1 syslog msg "$_cli_msg"
Now, we are ready to claim this Cat9300 switch to desired site. Select the switch and click on
“Action->Claim”
Page 34 of 86
If End User License Agreement (EULA) is not accepted at system settings of Cisco DNA
center, there will be a pop-up window to prompt users to accept EULA. Go ahead and accept
and EULA and click on “Apply”
Next, at “Site Assignment”, select “Global/Whynot/Whynot DNAC” as the site and click on
“Next”
In “Configuration” page, you may see the warning message “Failed to retrieve device-
specific production information…..”. This is because the exact device PID is not device family
directory yet in Cisco DNA Center, but PnP is able to locate parent device family. Therefore,
the warning message is given. In case of PID is in found, golden image will be automatically
populated for you.
So, ignore the warning message, go ahead and select “16.8.1” as “golden” image in “Image”
section if you want this switch to go through software upgrade. In this lab, we will skip image
upgrade thus selecting “Skip golden image upgrade” below.
In section of “Template”, you can select onboarding template “SW-BN-PODx” defined

earlier. Notice that there is a small eye icon next to template for you to review the template.
Finally, click on “Next”.
Page 35 of 86
In “Advanced Configuration” page, select the switch you are about to provision, then input
“x”, x is your POD ID for the only variable in this template. Click on “Next”
Finally, in “Summary” page, you can review provisioning details. Explore on this page to see
what is shown in different section. In “Day-0 Configuration Preview” section, Cisco DNA
Center essentially generate configuration including device credentials and enabling SSH for
management later. There are also some hidden commands are documented here for your
reference for switching provisioning in 1.2.10. Please refer to the link below for details:
https://cisco.box.com/v/SW-Day0-ConfigbyDNAC-PnP
Page 36 of 86
In 1.3 releases, we will remove all hidden commands so that configuration displayed in UI
will match what is in CLI configuration.
Click on “Template CLI Preview” to confirm the configuration. Click on “Claim” to claim the
switch
Please note that in regard to the order of configurations, the configuration in “Day-0
Configuration Preview”, generated by Cisco DNA Center, will be pushed to device first,
followed by user-defined CLI templates. You can verify that by monitoring over the console.
After a few minutes, you should observe that the switch becomes “Provisioned”.
Once the switch becomes provisioned, click on “Provision->Devices->Inventory” and you

should see the switch is being added into inventory. Eventually, it will become “Managed”
state as below:
Page 37 of 86
Once the device is added into inventory, if “Device Controllability” is enabled, there will be
more configurations added. You can observe these configuration via switch console too
. For a sample configuration added, please refer to the link below:
https://cisco.box.com/v/SW-Inventory-Controllability
Last tip is that you will notice the loopback 0 IP address of switch becomes management IP
automatically in the figure below. That is because there is one-line command, “ip http client
source-interface Loopback0”, which instructs the switch to use that interface IP to call home
for PnP, based on HTTP/HTTPs. That last call-home IP during PnP will be handed off to
inventory for management IP of device.
Page 38 of 86
5.8 Complete Profile Provisioning
In this section, you will complete profile provisioning by pushing the configuration generated
by Cisco DNA Center in “Network Settings” page.
Select the switch and click on “Action->Provision”
In “Assign Site” page, since the site is already provisioned during PnP phase, simply click on
“Next”
In “Configuration” page, simply click on “Next”
Page 39 of 86
In “Advanced Configuration” page, simply click on “Next”
In “Summary” page, review the configuration in “Network Settings” section and click on
“Deploy”
Page 40 of 86
In the sliding side panel, select “Now” to schedule this provisioning immediately and click on
“Apply”
After that, simply monitor the switch console, you will notice configurations from “Network
Settings” page is pushed to the switch as figure below:
Page 41 of 86
Within a minute, the provisioning should be completed successfully. Go back to “Provision-
>Devices->Inventory”, you should observe “Provision Status” becomes “Success” as below:
You can click on See Details to take deeper look into the details of Provisioning.
During this phase, Cisco DNA Center not only provision TACACS related configuration to the
device, but also create the device entry in “Network Devices” as AAA client in ISE through
API automatically. Let us verify it following the steps below on ISE:
Logon to your POD ISE (credential: iseadmin/Public123$) and go to “Administration-

>Network Devices”
Page 42 of 86
You should see your switch was added under “Network Devices” through the API.
In Operations->TACACS->Live Logs, you should see the authentication/authorization events

from this switch.
6 Discovery and Assign Devices to Site
In this section, we simply want to discover the existing devices in “Whynot DNAC” site and
assign them to it.
Select “Tools->Discovery”
Discovery can be done through CDP, LLD or IP range. You will use CDP and the newly
claimed switch 10.10x.255.2 as seed device (x is your pod number).
Page 43 of 86
Name the discovery: PODx, where x is your POD number
Select “CDP” and give the IP address of your switch IP (10.10x.255.2)
Select “Use Loopback” as “Preferred Management IP”
Global Credentials for CLI, SNMP are automatically selected
Device Controllability is enabled by default (click learn more to understand what this option
will automatically configure on the devices)
Click on “Start”
You should discover successfully 4 devices, including new claimed switch in previous section.
Page 44 of 86
Ignore two APs discovered, which will not be used in this lab.
Next, we will assign these discovered devices to the site “Whynot DNAC”.
Go to “Provision->Device Inventory”, select all devices then click “Actions-> Assign Device
to Site”
Select the building “Whynot DNAC” for router and click on the checkbox “Apply to All”,
which apply the site assignment to all applicable devices. Then click “Apply”
Page 45 of 86
It will return to “Provision->Device Inventory” page and the devices should be shown
assigned successfully like below:
7 Day-0 Cat9800 Wireless Automation
7.1 Overview
Cat9800 is the next-generation wireless controller based on IOS-XE. Built on a modular
operating system, it features open and programmable APIs that enable automation of your
day-0 to day-N network operations. The config model of Cat9800 is as below:
Page 46 of 86
Cisco Catalyst 9800 Config Model
Access Points
Policy Tag RF Tag

RF
WLAN
Profile
Profile 2.4 GHz
RF
Policy
Profile 5
Profile
GHz
Defines the broadcast domain (list of Defines the RF properties

of the network
WLANs to be broadcasted) with the
properties of the respective SSIDs
Site Tag
AP Join
Profile
Flex
Profile
Defines the properties of the

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential central and the remote site APs
Similar to AireOS WLC, the wireless network profile of Cat9800 is the combination of what is
generated by Cisco DNA Center and what is defined in CLI templates in Cisco DNA Center as
figure below. Please note that given Cat9800 PnP claim is not supported yet in Cisco DNA
Center 1.2.10 release, device credentials are not provisioned by Cisco DNA Center, but used
to match what configured on Cat9800 for discovery and management.
Wireless Network Profile for Cat9800
System Generated Configuration by

Cisco DNA Center UI Orchestration
CLI Templates
• Network Settings
• Device Credentials
Network Settings • Wireless Settings
User Defined Configuration

Device Credentials
• CLI Templates
Wireless Settings
Day-0 Cat9800 Wireless Controller Design

Workflow © 2018 Cisco and/or its affiliates. All rights reserved. Cisco Confidential
Day-0 Cat9800 wireless automation is essentially the same as AireOS WLC automation. It can
be categorized into two major phases:
Design Phase:
Create Assign Wireless

Define Network Define Wireless Define Wireless
Create Sites Templates Network Profile
Settings Settings Network Profile
(Optional) to Sites
During Design Phase, there are 6 steps involved:
Page 47 of 86
Create Sites – Define where devices belong to
Define Network Settings – Define DHCP, DNS, AAA services and etc. for the site.
Define Wireless Settings – Define SSIDs, wireless interfaces, RF profiles and etc.
Create Templates – Create user-defined CLI templates for wireless profile.
Define Wireless Network Profile – Define wireless network profile that uses
templates defined in Step 4.
Assign Wireless Network Profile to Site – Assign the wireless network profile to
the desired sites so that Cat9800 WLC can inherit it (configuration) when
Day-0 Cat9800 Wireless Controller Provision
provisioned to the sites.
Workflow
Provision Phase:
APs Discover
Provision WLC Provision APs
Discover WLC Cisco DNA
to Site to Site
Center via PnP
Discover Cat9800 WLC – Discover Cat9800 WLC and add it into inventory
Provision Cat9800 WLC to Site – Provision Cat9800 WLC to the site with wireless
profile defined in design phase.
APs Discover Cisco DNA Center via PnP – Plan DHCP option 43 or DNS for AP PnP
discovery so that APs can discover Cisco DNA Center and become “Unclaimed”.
Provision APs to Site – Claim APs to desired site.
In this section, you will complete day-0 automation to provision Cat9800-CL wireless
controller and AP to the sites via profile, based on FlexConnect architecture design as
follows:
• Cat9800-CL is located in “HQ->BLDG 5” site, which has an enterprise SSID named
“DNAC-PODx”.
• FlexConnect AP is located at floor “Whynot DNAC->DNAC Lab” of remote site. Its
native VLAN is 60 for AP management. The SSID “DNAC-PODx” is locally switched to
VLAN 50, named “Data-VLAN”.
7.2 Flex Specific Design in Wireless Settings
Let us go through flex specific design in “Design->Network Settings->Wireless” in this

section for Cat9800.
First, let us create wireless interface to which the data traffic is locally switched at remote
site. Scroll down to section “Wireless Interfaces”, click on “Add”
Page 48 of 86
In side panel, input “Data-VLAN” for “Interface Name” and “50” for “VLAN ID”. Click on
“Add” to add this new interface for remote site.
You may notice this is the same process to create dynamic interface on AireOS WLC.
However, it is used here to define locally-switched VLAN for Flex AP in Cat9800.
Next, we will define native VLAN for Flex AP. Scroll further down to “Native VLAN” section,
input “60” for “VLAN” and click on “Save”. In this way, we define VLAN 60 as native VLAN
across sites since it is defined in global level. Of course, you can override it at site level.
7.3 Create and Wireless Profile, and Assign Wireless Profile to Sites
Now let us create an Enterprise Wireless SSID and its associated wireless profile. At the same
time, assign this new wireless profile to sites that Cat9800 will manage.
Page 49 of 86
Name it “DNAC-PODx”, where x is POD number. Keep default values for other fields and
click on “Next”
Fill in the followings in “Wireless Profiles” page:
- Wireless Profile : WPRF-PODx, where x is your POD number.

- Fabric : Select “No”
- Select Interface: Note you need to select “Flex Connect Local Switching” first. Then
go up to “Select Interface” and choose “Data-VLAN” from drop-down options. VLAN
ID “50” will be automatically populated for you in “Local to VLAN” field.
- Sites: Select the buildings “Whynot DNAC” and “HQ”
Page 50 of 86
Finally, click on “Finish”
7.4 Cat9800-CL Wireless Template
In this section, we will create wireless template for Cat9800-CL, which enables wireless traps
so that AP registration trap can be sent by Cat9800-CL to Cisco DNA Center for seamless
integration for AP day-0 onboarding. Ideally, this should be done automatically by Cisco DNA
Center during Cat9800-CL provisioning. But due to a known issue, we will use template as
workaround to accomplish this.
First, create a project called “C9800-CL” and a template named “SNMP-Trap” under it. For
template “Device Type(s)”, select as below:
Also select “IOS-XE” as “Software Type”.
In the template “SNMP-Trap”, type in the following command:
snmp-server enable traps wireless AP
The template should be like the figure below:
Page 51 of 86
Remember to Save and Commit for this template in order to be used by network profile
later.
Next, we will include this template in wireless network profile.
Go to “Design->Network Profiles”, click on “Edit” for wireless network profile “WPRF-

POD1”.
Click on “Add” in “Attach Template(s)” section, input the followings:

• Device Type: Select “Cisco Catalyst 9800 Wireless Controller for Cloud”
• Template: Select “SNMP-Trap”
Finally, click on “Save”.
Now we completed all required design work.
Page 52 of 86
7.5 Discover Cat9800-CL Wireless Controller
Cat9800-CL virtual wireless controller for each POD is pre-configured with minimum
configuration as below:
• SSH and NETCONF are enabled (Default)

• CLI Login Credential
• Wireless Management Interface:
For Cat9800-CL, Gigabit Ethernet 2 interface is wireless management interface. Please refer
to Cisco Catalyst C9800-CL Wireless Controller Virtual Deployment Guide for details on how
to configure basic configuration.
Cat9800-CL IP address for each POD is as follows
Pod 1 – 192.168.40.131
Pod 2 – 192.168.40.132
!
!
Pod 10 – 192.168.40.140
At this point, please DO NOT connect to Cat9800-CL via HTTPS, which will display Cat9800
configuration wizard since country code is not set yet. In this exercise, we do not want to go
through configuration wizard to configure Cat9800-CL.
Instead, SSH to your POD’s Cat9800-CL (admin/cisco). After login, save the running
configuration to a file called “pre-discovery” on flash as below:
copy running-config flash:pre-discovery.cfg
Later, we will use compare it with the post-discovery configuration to observe configuration
difference after successful Cat9800-CL discovery.
Go to “Tools->Discovery”, create a new discovery named “PODx-eWLC”, where x is your

POD number. Select “Range” as “Discovery Type” and input your POD’s Cat9800-CL IP in
“From” and “To” fields, e.g. 192.168.40.131 for POD1.
Page 53 of 86
At “Credentials” section, click on “Add Credentials”. In sliding panel, click on “NETCONF”
tab, leave the port as “830” by default and click on “Save as global settings”. Finally, click on
“Save”
After returning to new discovery page, click on “Start”
Page 54 of 86
Wait for a couple minutes, the discovery should be successful as below:
Now, go back to Cat9800-CL SSH session and type in the following command to compare
pre-discovery and post-discovery configurations.
show archive config differences flash:pre-discovery.cfg system:running-

config
The below is the sample screenshot of comparison result:
Page 55 of 86
In summary, the following configuration was added to Cat9800-CL after discovery:
• Install multiple certificates:

• Cisco DNA Center device certificate issuing ca, sd-network-infra-iwan
• Enroll device certificate of Cat9800 to sdn-network-infra-iwan
• Cisco DNA Center server certificate and its issuing ca certificate
• Cisco smart licensing agent root CA
• Generate self-signed certificate named “ewlc-tp1” for AP joining
• SNMP credentials
• DNS Server
• SSH/HTTP source interface from management SVI/IP
• Enable network assurance telemetry
Now let us save the post-discovery C9800-CL configuration by typing the following command
via SSH session.
copy running-config flash:post-discovery.cfg
7.6 Provision Wireless controller
Go to back to Cisco DNA Center, select “Provision” Select your WLC and Click on “Actions->
Provision”
Page 56 of 86
On “Assign Site” tab, select the Building “Global/HQ/BLDG5” and click on “Next”
On “Configuration” tab, add the site “Whynot DNAC” in the “Managed AP Location(s)”,
which will include the floor “DNAC Lab” underneath it.
Page 57 of 86
After that, you should see “3” for “Managing AP location(s)”, which is logically managed
locations by this Cat9800-CL. The locally-switched VLAN “Data-VLAN” with VLAN ID “50” for
flex profile should be automatically populated for you. No need to make changes. Click on
“Next”
On “Advanced Configuration” tab, click on “Ca9800-POD1” in “SNMP-Trap” section, which

will show “SNMP-Trap” is selected, but no variable in this template. Click on “Next”
Page 58 of 86
Finally, on “Summary” tab, review all changes that will be applied and click “Now” and
“Apply”
Now, you should be brought back to “Device Inventory Page” of “Provisioning”. You should
observe the changes on “Provision Status”. You can monitor it by hitting “Refresh” link.
It will take a couple of minutes to complete and WLC should be provisioned successfully.
Page 59 of 86
show archive config differences flash:post-discovery.cfg system:running-
config
After reviewing the difference, you can save configuration as below:

copy running-config flash:post-wlc-provision.cfg
Now, you can go to C9800-CL UI and review all the changes made by Cisco DNA Center.
(C9800-PODx is from 192.168.40.131-.140 admin/cisco)
Go to “Configuration->Tags & Profiles->WLANs”, you should see a new SSID created with
WLAN ID starting at “17”. Please note that any WLANs with ID number greater than 16 are
not in default AP group, which means that you need to put APs in a specified AP group to
inherit this WLAN. Click on this SSID to review the changes if you like.
Page 60 of 86
Go to “Configuration->Tags & Profiles->Policy”, you should see a new policy profile created
too.
Click on this policy, you show see “Central Switching” is not checked on “General” tab,
meaning traffic will be locally switching.
Click on “Access Policies” tab, you should see “Data-VLAN” for “VLAN/VLAN Group”, which
is the locally-switched VLAN.
Page 61 of 86
You can explore more these changes on Cat9800-CL UI.
7.7 AP Discovers Cisco DNA Center via PnP
In this section, you will first review two pieces of configurations:

• IOS DHCP server configuration example of option 43 for PnP discovery on the switch
(SW-BN-PODx)
• Switchport configuration on port G1/0/13 for FlexConnect AP
You can verify these configurations on the switch by using “Command Runner” in Cisco DNA
Center.
Go to “Tools->Inventory” on Cisco DNA Center. Click on your switch (SW-BN-PODx) and

select “Actions->Launch Command Runner”
Add these commands

- show running | sec pool AP
- show run interface gig1/0/13
And run these commands
Page 62 of 86
- Click on the first command “show running | sec pool AP”, you should see the CLI
output on right panel. The very first DHCP pool for VLAN 60 includes option 43 for
PNP discovery.
- Click on 2nd command “show run interface gig1/0/13”, you should see interface
gig1/0/13 is in trunk mode with native VLAN 60 for FlexConnect AP. This interface is
also in “shutdown” state.
Now let us power on this AP connected to port gig1/0/13, which will obtain DHCP IP and
option 43 from VLAN 60 IP DHCP pool and discover Cisco DNA Center.
Page 63 of 86
Connect to the switch (SW-BN-PODx) and activate port gig1/0/13. The switch console info is
given in previous exercise. But you can refer to the table below for convenience.
POD Number Switch Terminal port Line Switch Credentials

server Password
Please note that at first prompt of telnet, input password in “Line Password” column for you
POD.
After a few minutes , you should see the AP obtains a DHCP IP address in the appropriate
pool (10.10x.60.0) by typing “show ip dhcp binding” command to verify:
Go back to Cisco DNA Center, you should see this AP becomes “Unclaimed” on “Provision-
>Plug and Play” page as below:
Page 64 of 86
7.8 Claim AP to Site
In this section, you will claim this AP to site, floor “DNA Lab”.
Select the AP and click on “Action->Claim”
On “Site Assignment” tab, choose your floor “DNAC Lab” and click on “Next”
Page 65 of 86
On “Configuration” tab, choose “Typical” for “RF Profile” and click on “Next”
On “Advanced Configuration” tab, simply click on “Next”
On “Summary” tab, you will review policy tag, site tag, and RF tag assigned for this AP in
“Day-0 Configuration Preview” section. Click on “Claim”
Page 66 of 86
AP will transition into “Onboarding” state and stay in this state for a few minutes. Behind
the scene, the AP is provisioned with primary WLC to join and Cisco DNA Center will also
provision policy, site and RF tags related to AP on C9800-CL wireless controller.
Moreover, from serviceability perspective, Cisco DNA Center will not change APs
“Onboarding” state until APs join desired wireless controller successfully.
Note: If the AP onboarding takes a long time (more than 10 minutes) and AP joined the WLC
as local mode already, pls. resync your WLC C9800 from your Provisioning page by selecting
Actions > Resync. That will add AP into DNA Center inventory and DNA center will go to
C9800 and change the AP mode to Flex.
If you like to check on AP joining status, you can log in your Cat9800-CL UI and check on
“Monitoring->AP Statistics->Join Statistics” as below while waiting:
Page 67 of 86
Once APs join wireless controller successfully, there will be AP joining traps sent to Cisco
DNA Center to inform the event, which will in turn change AP state to “Provisioned” in “Plug
and Play” page.
Cisco DNA Center will also trigger resync with wireless controller to add AP into inventory
eventually as below:
Page 68 of 86
If you monitor your Cat9800-CL really closely, you may notice that AP first joins controller as
local mode. Then after a few minutes, it changes to flex mode and reboots to finish mode
change. Wait until AP becomes flex mode before proceed here.
Finally, let us review what is configured in summary:

• Flex Profile – Include native VLAN, locally-switched VLAN
• Site Tag - Include flex profile created.
• Policy Tag- Create mapping between SSID to policy.
• RF Tag – Create RF tag with RF profile defined
• Assign AP with site, policy and RF tags
You can use this command to review the changes as below:

show archive config differences flash:post-wlc-provision.cfg
system:running-config
You can also log in C9800-CL UI to review and verify these changes.
Go to “Configuration->Tags & Profiles->Flex”, click on newly created flex profile and you
should see “Native VLAN” is set to “60” under “General” tab.
Page 69 of 86
Click on “VLAN” tab, you should see VLAN “Data-VLAN” with ID “50”.
Go to “Configuration->Tags & Profiles->Tags”, click on the newly created policy tag, you
should see WLAN profile to policy profile mapping:
Click on “Site” tab and the newly created site tag, you should see default AP join profile is
used and flex profile created is selected. Also notice “Enable Local Site” is unchecked,
meaning flexconnect mode for APs associate to this site tag.
Page 70 of 86
Click on “RF” tab and the newly created RF tag “TYPICAL”, you can review changes as below:
Finally, go to “Configuration->Wireless->Access Points”, you should finally see AP joined as

“Flex” mode.
Click on this AP, you will see policy, site and RF tag assigned to it in “General” tab.
Click on “High Availability” tab, you will observe primary controller name and IP are
configured.
Page 71 of 86
7.9 Heat Map
Go back to “Design->Network Hierarchy” on Cisco DNA Center, go to your floor “DNAC Lab”
and click “Edit”, then “Access Points-> Position”
Drag and drop the APs anywhere you want on the map (see other options: position by 3
points or by 2 walls) and choose antennas for 2.4GHZ and 5GHZ (choose “AIR-ANT2535SDW-
R” , most of the APs in the lab don’t have antennas J )
Page 72 of 86
Click on “Save” and the heatmap will be displayed.
Page 73 of 86
8 Smart Licensing Integration
8.1 Overview
There are four options below for Cisco devices to do smart licensing registration. In this
section, we will use Cisco DNA Center to orchestrate smart licensing registration for
managed Cisco devices via option 1 (direct cloud access). For direct cloud access registration,
Cisco devices need to have direct Internet access without HTTP/HTTPs proxy so they can
register directly with Cisco Smart Software Management (CSSM).
In this section, you will go through smart licensing registration process with a Cat9300
switch.
8.2 Pre-requisites- Cisco Credential and Smart Account
In order to register devices with CSSM, users need to have cisco.com (CCO) credential and
their organization needs to have smart account with Cisco.
In this lab, CCO credential was configured already. The associated smart account “BU
Production Test” was shown accordingly. Please note that Cisco DNA Center licensing
manager only supports a single smart account association with CCO account.
Page 74 of 86
Click on “License”, you may notice that “Auto register smart license enabled devices”
option is unchecked. It was configured that way on purpose for this lab since we want to do
the smart licensing registration manually.
Next, go to “Tools->License Manager”, click on “All Licenses” and you will see all devices in
inventory license status. Out of 5 devices, there should be two devices, SW-EN1-PODx and
C9800-PODx, eligible for smart licensing registration. The reason is that smart licensing is
only enabled by default after 16.9.1 code for Cat9K.
Let us first SSH into the SW-EN1-PODx (10.10x.255.3, admin/cisco/cisco) and put in the
following commands if you like to monitor changes made by Cisco DNA Center for smart
license registration.
term mon
conf t
event manager applet catchall
event cli pattern ".*" sync no skip no
action 1 syslog msg "$_cli_msg"
Now let us go ahead and register SW-EN1-PODx to CSSM manually. Select the device then
click on “Action->Manage Smart License->Register”
Page 75 of 86
In the pop-up window, select “EFT FIELD SEVT” virtual account to register this device to,
then click on “Continue”
In background, Cisco DNA Center will execute two things:

1. Fetch token ID from CSSM for smart licensing registration via API
2. Push token ID and related smart licensing configuration to device for its registration
directly with CSSM.
In next page, select on “Now” and click on “Confirm”
Page 76 of 86
Go back to SSH session to SW-EN1-PODx, you should see DNS server is configured and token
ID from CSSM is pushed by Cisco DNA Center for smart licensing registration.
You can also check license status by typing the following command:
show license status
The output should be like this:
Page 77 of 86
Go to “License Manager->All Licenses” on Cisco DNA Center, after refreshing the page, click
on SW-EN1-PODx, you should see this switch is registered to virtual account “EFT FIELD
SEVT” with authorization status “Authorized”.
Now, you can stop. Ask your proctor to log in his smart account and virtual account to show
you that your switch is registered successfully in “Smart Software Licensing” portal page
(CSSM) in software.cisco.com.
Page 78 of 86
9 Software Image Management
DNA Center provides software image update features with interesting capabilities like
• Extensive pre-checks
• Concept of golden image
• SMU support
• Distribution and activation in separate jobs
Cisco DNA Center can host an image repository. (You can also use external repository).
9.1 Populate Software Image Repository
First, you will import software images.
Select “Tools->Image Repository”
Page 79 of 86
Note: as the lab run several times the device a probably already been upgraded. So, if your
device SW-EN1-PODx is running 16.09.02, you will upgrade it in 16.09.03, and if your device
is running 16.09.3, you will downgrade it in 16.09.02.
Depending on the running version of your switch, you can import the other image from an
ftp server located in the lab. For example, import 16.09.03 image if your switch is running in
16.09.02 image, or vice versa.
Choose the appropriate image for your switch to populate into your image repository:
Use one of these URLs to obtain image:
• ftp://pi:cisco@192.168.40.11/cat9k_iosxe.16.09.02.SPA.bin
• ftp://pi:cisco@192.168.40.11/cat9k_iosxe.16.09.03.SPA.bin
Click on “Import”
In the pop-up window, copy the URL above in “Enter image URL (http or ftp)” field and click
on “Import”
Immediately after that, you should see a small text box shown on right corner of your screen
to indicate file transferring success. Click on hyperlink on “show tasks” to check image
import status.
Page 80 of 86
In “Recent Tasks” side panel, you should see this image status is still in progress.
Until complete
9.2 Mark Images as Golden
Refresh “Image Repository” page, find Cisco Catalyst 9300 Switch and expand arrow. Scroll
down list of images and you should find newly imported image, in this case 16.09.02. Click
on pen icon and select “Access” to mark it golden image for Catalyst 9300 switches in access
role.
Page 81 of 86
After that, you should see golden star appears next to “Access” role.
9.3 Update OS outdated devices
Go to “Provision”. You should see one of Cat9300s with an OS image “Outdated”.
Why ?
The reason is because of difference in their device roles . The golden image is marked only for
Cat9300 with access role. Thus, SW-EN1-PODx is shown as “Outdated” since it is in access
role. But the other device SW-BN1-PODx is not since it is in distribution role.
You may see next to “Outdated” hyperlink, there is a green checkmark, meaning upgrade
readiness pre-check passed on this device.
Page 82 of 86
If you like to see what pre-checks have been done by Cisco DNA Center, click on “Outdated”.
You should see an example like below:
Close this window to return to “Provision” page
Select the switch (SW-EN1-PODx), and select “Actions-> Update OS image”
Page 83 of 86
At “Distribute” tab, select “Now” and click on “Next”. You may also notice that there is a
message “Distribution for 1 device is already done”. That is because the image was saved
on Cat9300 flash already in order to save lab exercise time. Cisco DNA Center detected this
image on flash and will skip distribution task.
At “Distribute” tab, select “Now” and click on “Next” to trigger activation immediately. You
have option to schedule it at different time.
Page 84 of 86
Lastly, at “Confirm” tab, review and click on “Confirm”
You can check the upgrade image process by click on “Upgrade Status”.
You should see image upgrade for this device is in progress like below:
Now you can relax, it is going to take a while….
At last, you should see upgrade success for this device as below:
Page 85 of 86
END of LAB
Page 86 of 86

DNA Center 1.2.10 - Automation Lab

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

DNA Center 1.2.10 - Automation Lab

Uploaded by

Copyright:

Available Formats

Cisco DNA Center 1.2.

Enterprise SEVT – April 2019

2 CONNECT TO CISCO DNA CENTER AND ISE 4

5 DAY-0 SWITCH ONBOARDING VIA PNP 20

6 DISCOVERY AND ASSIGN DEVICES TO SITE 43

7 DAY-0 CAT9800 WIRELESS AUTOMATION 46

8 SMART LICENSING INTEGRATION 74

9 SOFTWARE IMAGE MANAGEMENT 79

1.1 Lab Topology

Each student group shares the following network

1.2 Connection to lab

To connect to the lab, use AnyConnect VPN client:

2.1 Connect to Cisco DNA Center

2.2 Connect to ISE

Username/ Password to connect to ISE is given below:

• You must first configure ISE to enable pxGrid

Rest of the integration needs to be done on Cisco DNA Center.

- Subscriber name: DNACx, where x is your Pod number.

After a few minutes you should see

4.1 Network Hierarchy

Then “Network Hierarchy”, and click on “Add Site”

Enter the Site Name: “Whynot”

Select the Site and click on “Add Building”

Building Name: “Whynot DNAC”

Select the address.

Similarly, created a site called “HQ” below:

Then fill in the form as below:

For other fields, fill in as show below:

Ensure you click “Save” button on “Network” tab before proceeding.

Select “Design -> Network Settings -> Device Credentials”

Select “Global” in hierarchy and click on “Add” to add CLI credentials

(same remark as above, use exactly these credentials)

and click save.

5 Day-0 Switch Onboarding via PnP

There are 6 steps involved during the Design.

During provision phase, there are three steps involved:

Network Profile - Switching

5.3 Create Onboarding Template

Fill the form as below:

Click on “Add” button

Select Actions-> Save

Create a simulation, then click New simulation

You have this popup

5.4 Define Network Profile

On “Design->Network Profile” page, click on “Add Profile->Switching”

Next, fill in “SW-BN” string for “Profile Name”.

5.5 Assign Network Profile to Site

Back to “Network Profiles” page, click on “Assign Site”.

Now, you complete all required steps during design phase.

5.6 Plan DHCP Option 43 or DNS for PnP Discovery

Now we are ready to claim switch to site via PnP.

POD Number Switch Terminal port Line Switch Credentials

event manager applet catchall

In section of “Template”, you can select onboarding template “SW-BN-PODx” defined

Once the switch becomes provisioned, click on “Provision->Devices->Inventory” and you

Select the switch and click on “Action->Provision”

In “Configuration” page, simply click on “Next”

Logon to your POD ISE (credential: iseadmin/Public123$) and go to “Administration-

In Operations->TACACS->Live Logs, you should see the authentication/authorization events

6 Discovery and Assign Devices to Site

Select “Use Loopback” as “Preferred Management IP”

Global Credentials for CLI, SNMP are automatically selected

7 Day-0 Cat9800 Wireless Automation

Policy Tag RF Tag