Lab Guide

Deploying Cisco ENSDA

V2.0

V1.0
v1.0
 Content
Lab 0 The MIRA LAB Access ......................................................................................................4
Task 1 Lab Access ..................................................................................................................4
Task 2 Topology and Addressing...........................................................................................8
Topology ........................................................................................................................................ 8
Addressing ..................................................................................................................................... 9
Task 3 Correct Access to the remote Student PCs ..............................................................10
Initial setup for RDP..................................................................................................................... 10
Lab 1 Configure Initial Cisco ISE setup ....................................................................................11
Task 1 Configure ISE via Setup Wizard ................................................................................12
Task 2 Applying a patch ......................................................................................................19
Lab 2 Using DNA Center Design App ......................................................................................24
Task 1 Creating Sites and Buildings – Network Hierarchy ..................................................25
Task 2 Defining Shared Common Servers – Network Settings ...........................................33
Task 3 Network Settings – Device credentials ....................................................................37
Task 4 Network Settings – IP Address Pools .......................................................................39
Lab 3 Integration of the ISEv with the DNA Center ................................................................44
Task 1 Configure roles for ISE nodes...................................................................................45
Task 2 Add the ISE node to DNA Center as a AAA server ...................................................49
Verification ..........................................................................................................................53
Lab 4 Using DNA Center Policy App........................................................................................54
Task 1 SD-Access Scalable Group Tag Creation for User Groups........................................55
Task 2 SD-Access Network Segmentation – Virtual Networks and SGTs ...........................61
Task 3 Applying a Layer-3 Policy – Group Based Access Control ........................................68
Lab 5 Discovering the SD-Access Underlay ............................................................................76
Task 1 Discover the SDA Underlay ......................................................................................77
Task 2 Configure underlay switches using LAN Automation ..............................................97
Task 3 Provisioning the SD-Access underlay network ..................................................... 110
Task 4 Building an Overlay Network ................................................................................ 116
Task 5 Reserved IP Pools for Host Onboarding................................................................ 119
Lab 6 Configuring Transit Site and Fusion Router ............................................................... 128

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 1
Tel 902876701
 Task 1 Create an IP Transit Network................................................................................ 130
Task 2 Configuring Layer 3 Handoff ................................................................................. 133
Task 3 Verify Configurations pushed by DNAC to Border Router.................................... 144
Task 4 Configure Fusion Routers ..................................................................................... 159
Task 5 Verify Configurations on Fusion Router ............................................................... 164
Task 6 Verify Configurations on Border Switch ............................................................... 167
Lab 7 Enable Fabric Edge ports for Client Onboarding ....................................................... 170
Task 1 Host Onboarding ................................................................................................... 170
Task 2 Verify IP Connectivity for StudentPC and Server .................................................. 175
Lab 8 Integrating Wireless into SD-Access .......................................................................... 180
Task 1 Add the wireless controller into inventory ........................................................... 182
Task 2 Provision the WLC for SD-Access Wireless fabric integration .............................. 188
Task 3 Enable Onboarding of APs into the wireless fabric .............................................. 196
Task 4 Create IP Address Pool for Wireless SSIDs............................................................ 211
Task 5 Create SSIDs for an Enterprise Wireless Network ................................................ 216
Task 6 Assign IP Pools to wireless SSIDs .......................................................................... 223
Lab 9 Policy Access Group ................................................................................................... 233
Task 1 Configure Global and Site Network AAA Server ................................................... 233
Task 2 Create a user account in the ISE for Network Devices management ................... 237
Task 3 Create Users Identity Groups in ISE ...................................................................... 244
Task 4 Configurar Host Onboarding with Autenticacion Closed ..................................... 256
Task 5 Testing Connectivity with Authentication Closed ................................................ 259
Task 6 Apply a Layer-4 Custom Contract ......................................................................... 271
Lab 10 Assurance Application.............................................................................................. 278
Task 1 Monitor the Overall Health of your Lab ............................................................... 278
Task 2 Monitor the Health of Your Network ................................................................... 282
Task 3 Monitor the Health of a Client Device .................................................................. 289
Task 4 Trace the Path of a Device .................................................................................... 294
Lab 11 Cisco DNA Center Automation - Template Editor.................................................... 297
Task 1 Creating a configuration template ....................................................................... 297
Task 2 Assign Templates to Profiles ................................................................................. 303

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 2
Tel 902876701
 Task 3 Provisioning devices with Template ..................................................................... 306
Lab 12 DNA Center APIS & Postman ................................................................................... 314
Task 1 Rest Request and Postman setup ......................................................................... 317
Task 2 REST API calls ........................................................................................................ 320
Task 3 Script with Python................................................................................................. 340

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 3
Tel 902876701
 Lab 0 The MIRA LAB Access
Task 1 Lab Access
To access the lab, you can establish a VPN IPSEC session through Anyconnect.

1. Open in your browser (Updated Mozilla Firefox) the next url:

https:\\lab2.miratelecomunicacions.com, and enter the username and password
provided by your instructor, accept the Cisco VPN installation questions:

2. Select MIRASSL group and login with your credentials

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 4
Tel 902876701
 3. Anyconnect will be autoinstalled. If it fails, you can click the link below.
For Linux x64 must be installed xterm package

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 5
Tel 902876701
 4. Save and install

5. Open AnyConnect

6. Type lab.miratelecomunicacions.com and press Connect, then, select MIRASSL and

use your credentials

7. The credentials are the same for students and instructor

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 6
Tel 902876701
 8. Once logged, you should be able to access to Students PCs.

Note: Please, DO NOT upgrade any software on the remote Jumper (student PCs) such java,
browser or DNA Center or Swicthes.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 7
Tel 902876701
 Task 2 Topology and Addressing
The lab guide is based on the following topology. It utilizes a CAT 9300-24T for CP/Border
Node, another one CAT 9300-24T for Edge Node, a Catalyst 3850 as Gateway switch and NTP
server, and CAT 3850 as Distribution switch. Also an router ISR-2901 is used as Fusion Router,
a WLC 3504 and AP 3802 are available in the topology for Fabric Wireless.

At the level of virtual machines we have one ISEv for integration with DNA Center, a DNS
Server, a Jumper PC, one Windows PCs, and Ubuntu machine.

Topology

The figure illustrates the lab topology that is used throughout the labs in this course.

Note 1: This lab guide is using POD1 values as example, be carefully with the addressing if
different POD is used.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 8
Tel 902876701
 Addressing
The table below provides the access information for the devices within a given pod.

Network SubNet or IP mask Gateway

Enterprise 10.10.1#.0 /24 10.10.1#.254

Border-Handoff-POD1 10.129.0.0 /16 10.129.0.1
Border-Handoff-POD2 10.131.0.1 /16 10.131.0.1
Border-Handoff-POD3 10.133.0.2 /16 10.133.0.1

Underlay-POD1 10.128.0.0 /16 10.128.255.1

Underlay-POD2 10.130.0.1 /16 10.130.255.1
Underlay-POD3 10.132.0.2 /16 10.132.255.1

JumperPC 10.10.1#.10 /24 10.10.1#.254

ISEv 10.10.1#.100 /24 10.10.1#.254
DNS Server 10.10.1#.110 /24 10.10.1#.254
NTP Server 10.10.1#.254 /24
DHCP Server 99.#.#.# /28
WLC 10.10.1#.115 /24 10.10.1#.254

AP-POD1 172.16.63.0 /28 172.16.63.14

AP-POD2 172.16.73.0 /28 172.16.73.14
AP-POD3 172.16.83.0 /28 172.16.83.14

Student-POD1 172.16.61.0 /28 172.16.61.14

Student-POD2 172.16.71.0 /28 172.16.71.14
Student-POD3 172.16.81.0 /28 172.16.81.14

Server-POD1 172.16.62.0 /28 172.16.62.14

Server-POD2 172.16.72.0 /28 172.16.72.14
Server-POD3 172.16.82.0 /28 172.16.82.14

Note 2: During the development of the guide please do not make any type of update either
in the DNA Center or in the switches

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 9
Tel 902876701
 Task 3 Correct Access to the remote Student PCs

Initial setup for RDP

a. Set the Jumper (remote Student PC) IP address you want to access and click
on Connect. (please check which are the correct IP addresses for your POD,
we are using POD1’s IP addressing)

IP Addresses, where # is your POD number

Device IP Address Credentials

User: Win7
Jumper PC 10.10.1#.10 Password: NXos12345

b. Type the credentials (Win7/NXos12345) and hit OK.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 10
Tel 902876701
 Lab 1 Configure Initial Cisco ISE setup

Overview
We have an ISE virtual machine deployed off an ISO. While you can deploy via OVA
downloaded from the Cisco site, we recommend using the ISO download instead. The reason
being is that you can configure the virtual machine requirements prior to deploying it. In the
past, we have seen ISE slow down after deploying an OVA and then changing the resources
on it (add/remove RAM, vCPUs, etc). It's easier to set it up right and size it right prior to
installing it on that VM.

Topology

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 11
Tel 902876701
 IP Addresses and Credentials
Device IP Address Credentials
GUI: admin / NXos12345
DNAC 10.10.1#.200 CIMC: admin / 1234QWer

JumperPC 10.10.1#.10 RDP: Win7 /NXos12345

RDP: administrator /
DNS 10.10.1#.110 1234QWer

ISEv 10.10.1#.100 admin / 1234QWer

NTP –Gateway 10.10.1#.254 -----------------------

vSphere Client 192.168.100.33 dnac# / dnac#

# is the Pod number

Task 1 Configure ISE via Setup Wizard

During the setup, you need to provide the following information:
- Hostname
- IP Address of ISE and Netmask
- Default Gateway
- DNS Domain / Nameserver
- NTP Server - (At least one)
- Timezone
- Username - The default is admin. This is for the CLI login, not the GUI
- Password

After you enter this information, ISE will bring up the network interface, attempt to
contact the default gateway and name server and reboot if that is successful after setup
is complete.

Step 1 Connect via RDP on you Jumper PC 10.10.1#.10 with credentials: Win7 / NXos12345

Step 2 Open Vmware vsphere Client and introduce the IP: 192.168.100.33 with credentials
of your POD (dnac#/dnac#).

After login ignore the warning

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 12
Tel 902876701
 Step 3 Go to VM and Templates you should see your VMs

NOTE: In this document reference is made to the tasks for the POD1

Step 4 Open the context menu with the secondary button on the VM marked ISE-DNAC-
POD# choose Open Console and press Enter.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 13
Tel 902876701
 Step 5 On the console of the ISE node, at the login prompt, type setup, and then press Enter.

**********************************************

Please type ‘setup’ to configure the appliance

**********************************************

localhost login: setup

Step 6 Enter the platform configuration parameters.

Press ‘Ctrl-C’ to abort setup

Enter hostname[]: isev#

Enter IP address []: 10.10.1#.100

Enter IP netmask[]: 255.255.255.0

Enter IP default gateway[]: 10.10.1#.254

Enter default DNS domain[]: dnac#.local

Enter Primary nameserver[]: 10.10.1#.110

Add secondary nameserver? Y/N [N]: N

Enter NTP server[time.nist.gov]: 10.10.1#.254

Add another NTP server? Y/N [N]: N

Enter system timezone[UTC]: UTC

Enable SSH service? Y/N [N]: Y

Enter username[admin]: admin

Enter password: [1234QWer]

Enter password again: [1234QWer]

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 14
Tel 902876701
 Step 7 Once the installation is finished, on the console, we logged in with admin/1234QWer

Introduce the command “show application status ise” to see that all processes are running,
this command takes a few seconds to show the list.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 15
Tel 902876701
 The service Application Server corresponds to the interface of ISE, It can take up to 10
minutes to boot.

Step 8 While starts, we ejecute “show ntp”

We should see the asterisk on IP 10.10.11.254, if the virtual machine of ISEv just rebooted,
it may take a while to sync.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 16
Tel 902876701
 The hour should match with https://www.timeanddate.com/time/aboututc.html

Step 9 Check timestamp with show clock

Step 10 Verify the DNS with “nslookup dnac1.local”

Step 11 Open JumperPC via RDP 10.10.1#.10 (Win7/NXos12345)

Step 12 Open Mozilla and access to: https://isev#.dnac.local/ or https://10.10.1#.100 and
accept the certificate alerts.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 17
Tel 902876701
 Step 13 Login with the credentials admin/1234QWer

Close the different banners about license and wizard.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 18
Tel 902876701
 Step 14 Close the different banners about license and wizard.

Task 2 Applying a patch

Let's take advantage of the fact that we are doing the init and we will apply a patch to correct
possible bugs.

NOTE: This lab takes about 20 minutes to apply the patch, you can reprogram this lab before the
end of the class or for the last day.

Step 1 Open the browser and go to http://10.17.11.7/files/ and download the file ISE-
patchbundle-2.6.0.156-Patch3-19110111.SPA.x86_64.tar.gz

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 19
Tel 902876701
 1. Go to Administration > Maintenance > Patch Management

2. Click on Install
In Choose file and navigate to the Download folder and select the file ISE-patchbundle-
2.6.0.156-Patch3-19110111.SPA.x86_64.tar.gz

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 20
Tel 902876701
 After about 2 minutes you can validate that the patch has been installed in the ISE with DIR
command:

After a patch is applied to a node, it immediately reboots to complete the installation. You can
keep track of a node’s progress by logging into the CLI via SSH and executing the command
“show application status ise”.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 21
Tel 902876701
 3. After this it will restart to apply it. In the below output, The PAN was still initializing some
services. In this state, you can´t be able to login to the PAN GUI…must…find…patience!
4.

5. Once started, we log in and in the top gear o the right select About Identity Services Engine

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 22
Tel 902876701
 6. We observe for Installed Patches is 1

7. Close

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 23
Tel 902876701
 Lab 2 Using DNA Center Design App
Overview
 DNA Center provides a robust Design application to allow customers of every size and scale
to easily define their physical Sites and common resources. Using a hierarchical format that
is intuitive to use, the Design App removes the need to redefine the same resource such as
DHCP, DNS, and AAA Servers in multiple places when provisioning devices.

 The network hierarchy created in the Design Application should mimic the actual, physical
network hierarchy of your deployment.
 Using DNA Center, you will create a network hierarchy of areas that can contain additional
areas or buildings and floors within areas. Devices map into the buildings and floors for
service provisioning.

Topology

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 24
Tel 902876701
 IP Addresses and Credentials
Device IP Address Credentials
GUI: admin / NXos12345
DNAC 10.10.1#.200 CIMC: admin / 1234QWer

JumperPC 10.10.1#.10 RDP: Win7 /NXos12345

RDP: administrator /
DNS 10.10.1#.110 1234QWer

ISEv 10.10.1#.100 admin / 1234QWer

NTP –Gateway 10.10.1#.254 -----------------------

vSphere Client 192.168.100.33 dnac# / dnac#

# is the Pod number

Task 1 Creating Sites and Buildings – Network Hierarchy

In this task, you will design and deploy the following feature needed for the Automation of
the SD-Access Underlay network for your campus fabric:

 Build the network hierarchy based on the geographic locations for your SD-Access
Campus fabric in the Cisco DNA Center GUI.

Step 1 Begin by selecting the Design app to open it.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 25
Tel 902876701
 Once it is open, select Network Hierarchy

Step 2 Click the Add Site button to create a new site and the Area button should be selected.

POD Site Name Area Building Floor

1 Barcelona Montserrat Ambar Piso2
2 Madrid Fuenfria Cornalina Piso2
3 Sevilla Bonales Topacio Piso2

- Enter the Site Name as table above: Barcelona.

- Ensure the Parent is Global and click Add.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 26
Tel 902876701
 Note: Pay attention to the Parent for each of your entries to correctly design your network
hierarchy. We will create an area of Barcelona, a sub-area called Montserrat, a building called
Ambar, and floor 2 in the building (POD1 as example). The design App is used to create a
logical view of your physical network topology.

Step 3 Create another Site (Area) by clicking Barcelona, and clicking on then, select Add
Area.

Step 4 Name the Area: Montserrat

• The Area radio button should be selected.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 27
Tel 902876701
 • Ensure the Parent is Barcelona and click Add

Step 5 Click next to Barcelona to expand it.

Step 6 Click Montserrat, then click the gear next to Montserrat, and select Add
Building.

Note: When the network devices are provisioned later, they will be added to the building
Montserrat. DNAC must know where a device is physically located in the topology and
geographically in order to provision policy and fabric configurations.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 28
Tel 902876701
 Step 7 Name the building Ambar.

• Ensure the Parent is Montserrat.

Step 8 In the Address field, begin to type in Sant Cugat

As the address is entered, the Design App will narrow down the known addresses to the one
entered.

Step 9 When Sant Cugat appears in the window below, select it.

The benefit of selecting a known address is that the longitude and latitude coordinates are
automatically provided, as they are required.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 29
Tel 902876701
 Step 10 Once the address is selected, finish adding the building with the Add button.

Step 11 Expand Ambar with the button.

Step 12 Click Montserrat, and use the next to Ambar to add a building floor with the
Add Floor button.

Step 13 Use floor name Piso2 and these dimensions:

• Width – 300 feet

• Length – 100 feet

• Height – 15 feet

• Floor # – 1

and Click Add.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 30
Tel 902876701
 Step 14 Click on Floor Image and upload file from Desktop, Open and Updated

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 31
Tel 902876701
 Step 15 Once the floor is created, a floorplan can be added.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 32
Tel 902876701
 Task 2 Defining Shared Common Servers – Network Settings
You can create network settings that become the default for your entire network. There are
two primary areas for defining settings within your network:

• Global settings affect your entire network and can include settings for servers (such as NTP,
Syslog, SNMP Trap, NetFlow Collector, etc.), IP address pools, and device credential profiles.

• Site settings override Global settings and can include settings for servers, IP address pools,
and device credential profiles.

DNA Center allows saving common resources and settings with Design App’s Network
Settings sub-application (tab). As described earlier, this allows information pertaining to the
enterprise to be stored so it can be reused throughout DNA Center. The idea is to define
once and use many.

Step 1 Click on Desing > Network Settings > Network on the menu bar.

Step 2 Once opened, a list of server settings, which are typical in every network environment,
are shown.

SD-Access requires AAA, DHCP, and DNS servers to be configured.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 33
Tel 902876701
 Step 3 Under DHCP server, manually type in the address 99.#.#.#

Step 4 Under DNS server, use the domain name dnac#.local, and type in the address
10.10.1#.110

POD DHCP DNS DOMAIN NAME NTP

1 99.1.1.1 10.10.11.110 dnac1.local 10.10.11.254
2 99.2.2.2 10.10.12.110 dnac2.local 10.10.12.254
3 99.3.3.3 10.10.13.110 dnac3.local 10.10.13.254

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 34
Tel 902876701
 Step 5 Under Add Servers, select NTP Server and type in the address 10.10.1#.254

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 35
Tel 902876701
 Step 6 Click Save

Step 7 Click on Cisco DNA Center and review the results, you can see 1 DNS and 1 NTP
server

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 36
Tel 902876701
 Task 3 Network Settings – Device credentials
Device credentials refer to the CLI, Simple Network Management Protocol (SNMP), and
HTTPS credentials that are configured on network devices. DNA Center uses these
credentials to discover the devices in your network. In DNA Center, you can specify the
credentials that most of the devices use so that you do not have to enter them each time
you run a discovery job. These credentials are called global device credentials.

Use the table to populate the CLI and SNMPv2c Read and Write credentials.

Field Value
CLI Credentials Username dnac
Password NXos12345
Enable Password 1234QWer
SNMPv2c Read Name / Description publica
Read Community public
SNMPv2c Write Name / Description privada
Write Community private

Step 1 Go to DNA Center GUI and select Design > Network Settings > Device Credentials,
click on CLI

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 37
Tel 902876701
 Step 2 Select CLI and Click to Save

Step 3 Scroll down and Add SNMPv2c and in the Read and Write boxes add the data
according to the table above and give Save.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 38
Tel 902876701
 Note: These credentials have been preconfigured on the devices in the baseline configuration (Border
and Edge switch and Fusion Router).

Task 4 Network Settings – IP Address Pools

DNA Center supports both manually entering IP address allotments as well as integrating with
IPAM solutions, such as Infoblox, to learn of existing IP addresses already in use in the
network.

IP Address Pools required in the topology must be manually defined and configured. DNAC
does not provision the actual DHCP server, even if it is a Cisco device. It is simply setting aside
pools as a visual reference. These pools will be referenced later in the lab guide. These address
pools will be associated with VN (Virtual Networks/VRFs) during the Device On-Boarding
section.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 39
Tel 902876701
 POD1
IP Pool Name IP Subnet Mask Gateway DHCP Server DNS Server
Student_Pool 172.16.61.0 /24 172.16.61.1 99.1.1.1 10.10.11.110
Server_Pool 172.16.62.0 /24 172.16.62.1 99.1.1.1 10.10.11.110
AP_Global_Pool 172.16.63.0 /24 172.16.63.1 99.1.1.1 10.10.11.100

POD2
IP Pool Name IP Subnet Mask Gateway DHCP Server DNS Server
Student_Pool 172.16.71.0 /24 172.16.71.1 99.2.2.2 10.10.12.110
Server_Pool 172.16.72.0 /24 172.16.72.1 99.2.2.2 10.10.12.110
AP_Global_Pool 172.16.73.0 /24 172.16.73.1 99.2.2.2 10.10.12.110

POD3
IP Pool Name IP Subnet Mask Gateway DHCP Server DNS Server
Student_Pool 172.16.81.0 /24 172.16.81.1 99.3.3.3 10.10.13.110
Server_Pool 172.16.82.0 /24 172.16.82.1 99.3.3.3 10.10.13.110
AP_Global_Pool 172.16.83.0 /24 172.16.83.1 99.3.3.3 10.10.13.110

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 40
Tel 902876701
 Step 1 Select Design – Network Setting – Global and using the menu bar, select IP Address
Pools.

Step 2 Click on Add to open a dialog for creating new IP Pools.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 41
Tel 902876701
 Step 3 It is necessary to create a Global Address Pool so that later we can make the
automatic discovery of the devices that will make the fabric (CP / Border, Edge, WLC, etc.)
with the PnP protocol through the Provisioning service (LAN Automation).

PODs IP Pool Name IP Subnet Mask Gateway

1 Underlay-1 10.128.0.0 /16 10.128.255.254
2 Underlay-2 10.130.0.0 /16 10.130.255.254
3 Underlay-3 10.132.0.0 /16 10.132.255.254

Step 4 Click on Add to open a dialog for creating the Underlay-# IP Pools.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 42
Tel 902876701
 When completed, the DNA Center IP Address Pools for Global should look similar to the
page below:

Note: The name of the IP Address Pool is arbitrary. It simply needs to be a descriptive name
that indicates the purpose of that pool

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 43
Tel 902876701
 Lab 3 Integration of the ISEv with the DNA Center
Overview
This release of DNA Center provides a mechanism to create a trusted communications link
with Cisco Identity Services Engine (ISE) and permit the two applications to share data with
one another in a secure manner. Once ISE is registered with DNA Center, any device ISE
discovers, along with relevant configuration and other data, is pushed to DNA Center.

The Cisco Platform Exchange Grid (pxGrid) is a multivendor, cross-platform network system
that pulls together different parts of an IT infrastructure. Cisco pxGrid provides an API which
is secured via an SSL certificate system. DNA Center has automated the certificate process
to allow users to simply and easily integrate DNA Center to ISE in a secure manner.

In this Lab you will perform the following steps to integrate Cisco DNA Center with Cisco ISE:
 ISE server management IP address
 RADIUS server/ISE shared secret
 ISE user login credentials
 ISE FQDN name
 Subscriber/Client name for PxGrid services
 Inspect the Cisco ISE running configuration that must be enabled for successful ISE
integration with Cisco DNA Center.
 Verify that the Cisco DNA Center is integrated successfully with Cisco ISE.

Topology

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 44
Tel 902876701
 IP Addresses and Credentials
Device IP Address Credentials
GUI: admin / NXos12345
DNAC 10.10.1#.200 CIMC: admin / 1234QWer

JumperPC 10.10.1#.10 RDP: Win7 /NXos12345

RDP: administrator /
DNS 10.10.1#.110 1234QWer

ISEv 10.10.1#.100 admin / 1234QWer

Gateway / NTP 10.10.1#.254 -----------------------

vSphere Client 192.168.100.33 dnac# / dnac#

# is the Pod number

Task 1 Configure roles for ISE nodes

Step 1 On the ISE node, login using a web browser and the configured username and
password, and then accept any informational messages. From Jumper PC, open browser and
type: https://10.10.1#.100, username admin and password 1234QWer.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 45
Tel 902876701
 Step 2 Navigate to Administration > System > Deployment, and then click OK to the
informational message.

Step 3 Click on the ISEv# node hostname, and then under Role, click Make Primary.

Step 4 Select pxGrid, and then click Save

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 46
Tel 902876701
 Step 5 Navigate to Administration > System > Settings, on the left pane navigate to ERS
Settings, under ERS Setting for Primary Administration Node select Enable ERS for
Read/Write, accept any dialog box that appears, under ERS Setting for All Other Nodes select
Enable ERS for Read, under CRSF Check select Disable CSRF for ERS Request, and then click
Save. Accept any additional dialog box that appears.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 47
Tel 902876701
 At this point you can review in pxGrid Services the status of Pending.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 48
Tel 902876701
 Task 2 Add the ISE node to DNA Center as a AAA server

Step 1 In the Cisco DNA Center - System menu select Settings and click in External Services
and choose Authentication and Policy Servers.

Click Add

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 49
Tel 902876701
 Step 2 In the Add AAA/ISE SERVER display, enter the ISE node Server IP Address (example:
10.10.11.100 for POD1) and Shared Secret 1234QWer, toggle the Cisco ISE selector, enter
the ISE Username (example: admin), enter the ISE Password 1234Qwer, enter the ISE fully
qualified domain name for FQDN, enter Subscriber Name (example: isev#.dnac#.local), leave
the SSH Key blank, and then click Apply.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 50
Tel 902876701
 During communication establishment, status from DNA Center displays Creating AAA
server… and then Status displays INPROGRESS.

Step 3 Use the Refresh button until communication establishes with ISE and the server
displays ACTIVE status. If communication is not established, an error message displays with
information reported from ISE regarding the problem to be addressed before continuing.

Step 4 Log in to ISE, and then navigate to Administration > pxGrid Services.

The client named dnac# is now showing Pending in the Status column.

Step 5 Check the box next to dnac#, below the list click Approve, and then click Yes to
confirm.

Step 6 In case you did not see the pxgrid_client_######_dnac_ndp entry in the All Clients
table, then use the ssh [email protected]#.100 to ISE console and use the show application
status ise command to verify thet PxGrid services are running on ISE. If they are not running,

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 51
Tel 902876701
 restart the ISE services using the applications restart ise command or use reboot command
to reboot the ISE.

Note If ISE is integrated with DNA Center after scalable groups are already created in ISE, in addition
to the default groups available, any existing ISE groups are also visible by logging in to DNA Center
and navigating to Policy > Registry > Scalable Groups. Existing ISE policies are not migrated to DNA
Center.

Step 8 Return to DNA Center and verify that the System Settings shows the AAA/ISE Server
as Active.

Step 9 You can also see the communication status by navigating from the gear icon to
System Settings > System 360. Under External Network Services, the Cisco ISE server shows
in Available status. With communications established, DNA Center requests a pxGrid
session with ISE.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 52
Tel 902876701
 Verification
In the Task, you have verified that the Cisco DNA Center is successfully integrated with
Cisco ISE. You have verified following details:
Cisco ISE Integration STATUS shows ACTIVE in Cisco DNA Center.
Cisco ISE CLI configuration uses proper integration parameters.
Cisco ISE PxGrid Services are enabled in Cisco ISE GUI.
In Cisco ISE GUI, the PxGrid Services report that the Cisco DNA Center client (dnac#) is
Online.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 53
Tel 902876701
 Lab 4 Using DNA Center Policy App
Overview
SGTs can be carried throughout the network and are the basis for access policy enforcement
under Cisco DNA and Software-Defined Access. SGTs are carried through the network in the
VXLAN encapsulated header of a LISP data packet.

ISE, by default, creates several SGTs. A new SGT will be created as part of the lab to
demonstrate the pxGrid communication between DNAC and ISE. These steps are used to
show that an SGT defined in ISE will be shown and available for policy in DNAC.

Topology

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 54
Tel 902876701
 IP Addresses and Credentials
Device IP Address Credentials
GUI: admin / NXos12345
DNAC 10.10.1#.200 CIMC: admin / 1234QWer

JumperPC 10.10.1#.10 RDP: Win7 /NXos12345

RDP: administrator /
DNS 10.10.1#.110 1234QWer

ISEv 10.10.1#.100 admin / 1234QWer

Gateway / NTP 10.10.1#.254 -----------------------

vSphere Client 192.168.100.33 dnac# / dnac#

Border# Pod1: 10.129.255.253 dnac / NXos12345

Pod2: 10.131.255.253
Pod3: 10.133.255.253

Pod1: 10.10.11.3
Fusion-Router# Pod2: 10.10.12.3
Pod3: 10.10.13.3 dnac / NXos12345

# is the Pod number

Task 1 SD-Access Scalable Group Tag Creation for User Groups

Step 1 Use the main button to access the home page.

Step 2 Click Policy, select Group-Based Access Control

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 55
Tel 902876701
 You will also have the opportunity to migrate any ISE data policy to the DNA Center. Click on
Start migration.

Step 3 Then click in Scalable Groups page to shows all the SGTs pushed from ISE. A new
SGT (Group) will be Added to demonstrate the pxGrid communication between ISE and
DNAC. Click on Create Scalable Group.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 56
Tel 902876701
 Step 4 Give the new SGT (Security Group) a name of Students.
Step 5 Add a description SD-Access Student Group.
Step 6 Let the Tag Value by default.
Step 7 Click Save at the bottom of the page to save the new group.

You will see the new Scalable group is created and syncing to our ise server.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 57
Tel 902876701
 Note: If SGT Students exist, please delete

Step 8 We are going to check if the Scalable Group appears in our ise server, go to your ise
server assigned 10.10.1#.100 and log in.

Step 9 Log in Use the credentials admin/1234QWer.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 58
Tel 902876701
 Step 10 In the ISE tab home page click Work Centers and select TrustSec

Step 11 In TrustSec click on Security Groups, remember we can’t add or delete neither
modify groups from ise if we want to create or remove needs to be done on your DNA
Center.

Check that our Students Scalable group is showing.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 59
Tel 902876701
 Note: In DNA Center terminology, SGTs are referred to as Scalable Groups or Scalable
Group Tags. ISE uses the older term of Security Groups or Security Group Tags. Scalable
Group Tags and Security Group Tags are the same thing.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 60
Tel 902876701
 Task 2 SD-Access Network Segmentation – Virtual Networks and SGTs

The Policy app supports creating and managing Virtual Networks, Policy Administration and
Contracts, and supports Scalable Groups. Most deployments will want to set up their SD-
Access Policy (Virtual Networks and Contracts) before doing any SD-Access Provisioning. The
general order of operation is Design, Policy, and Provision, corresponding with the order of
the Apps seen on DNAC’s dashboard However, because it is a Lab and to be more illustrative
we prefer to make the Provision before.

In this section, the overlay network (which has not been created, yet) will be segmented
using the DNAC Policy app. This process virtualizes the overlay network into multiple self-
contained Virtual Networks (VRFs).

By default, any network device (or user) within a Virtual Network is permitted to
communicate with other device (or user) in the same Virtual Network.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 61
Tel 902876701
 To enable communication between different Virtual Networks, traffic must leave the
Fabric (Default) Border and then return, typically traversing a firewall or fusion router. This
is process is done through route leaking and multi-protocol BGP.

The later policy validation exercises will simulate deploying SD-Access in a Learning Center
setting. This allows the demonstration of SD-Access virtualization (VRFs) and segmentation
(SGTs) between well understood groups and entities such as Students, Employees, Guest and
Servers.

VRFs (VNs) are used to segment the network. SGTs are used to segment inside of VRFs
(Microsegmentation).

Step 1 Return to the Cisco DNAC Center, navigate to Policy -> Virtual Network.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 62
Tel 902876701
 Step 2 Select Default Virtual Network DEFAULT_VN and click on Scalable Group number. The
recently created SGT Students should appear.

Note: The Default Virtual Network has numerous SGT Groups, which were populated from
ISE when DNA Center was integrated with in previous steps. Ensure Students SGT appears in
the DEFAULT_VN to validate that the pxGrid connection between ISE and DNAC is
functioning correctly.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 63
Tel 902876701
 Step 3 Click on the Create Virtual Network to add a new Virtual Network. This will modify
the window layout so that a new Virtual Network can be defined.

Step 4 Give the Virtual Network the Network Name of Campus_VN and Save

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 64
Tel 902876701
 Step 5 Clik Add Scalable Group

Populate the newly created Virtual Network with Groups (SGTs).

This creates micro-segmentation inside of the VN (VRF). Select the following Scalable
Groups by clicking on them:

• Employees
• Production Servers
• Students

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 65
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 66
Tel 902876701
 Step 6 Click on to add another new Virtual Network named Guest_VN. Click on Guest
Virtual Network checkbox, and Save

Step 7 Add the following Groups Guests and Network_Services

Note: Guest Virtual Network—Devices that are configured with special rules, which allow
guests limited access, for example our Access Point to register with WLC. Click this check box
to configure the virtual network as a guest network. You can create only one guest virtual
network.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 67
Tel 902876701
 Task 3 Applying a Layer-3 Policy – Group Based Access Control

SD-Access Policy Administration

Once SD-Access has been segmented into Virtual Networks, security policies can be defined
to segment traffic inside of the VNs. DNA Center will allow the administrator to explicitly
deny or explicitly allow traffic between Groups (SGTs) within Virtual Networks. This policy is
created in DNAC, pushed to ISE, and then finally pushed down to the switches to enforce the
policy.

The following steps will show how SD-Access (Secure Fabric) will be provisioned to establish
security policies with just a few clicks within DNA Center. The security policies created in this
section are referred to as SGACL (Security Group ACLs) in ISE. They are also referred to as
Layer-3 Policies as they enforce traffic based on Layer-3 information.

Three policies will be created using the information in the table below will help demonstrate
the ease of creating (and enforcing) end-to-end policy in DNAC.

Note: The source tag only need to be selected a single time.

Table of SGACL

Name Source Scalable Destination Contract

Group Scalable Group
Employees Employees Students deny

Students Students Employees deny

Production_Servers

ProductionServers Production_Servers Students deny

Step 1 From the principal page to select Policy – Group-Based Access Control and click on

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 68
Tel 902876701
 If you find some previous policies, please delete them, selecting all and clicking on Actions –
Set Default Policy.

Accept Warning, click Yes

Step 3 Select Policies.

Click on Create Policies to add a new policy and select Source to Destination.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 69
Tel 902876701
 The Scalable Groups that were from ISE are displayed.

Step 4 The first policy denies traffic sourced by Employees and destined for Students. Select
Scalable Groups Employees and click Next.

Step 5 Select Students to the Destination and click Next.

Step 6 In Contract select deny IP and click Next.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 70
Tel 902876701
 Step 7 Confirm the policy is correct and then click on Save.

Step 8 The policy will be created, and the page will reload in a few seconds.

Step 9 Click on icon to see TrustSec Matrix Table and Click on Enter full screen

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 71
Tel 902876701
 Step 10 Click on Create Policies to add a second policy. Repeat the steps 3 to 10. This
policy denies traffic sourced by Students and destined for Employees and Production
Servers.

Name Source Scalable Destination Contract

Group Scalable Group
Employees Employees Students Deny_IP

Students Students Employees Deny_IP

Production_Servers

ProductionServers Production_Servers Students Deny_IP

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 72
Tel 902876701
 Step 11 Create a third Layer-3 Policy.

This policy denies traffic sourced by Production_Server and destined for Students.

Step 12 Click on once the page refreshes itself, the three created policies are
displayed.

Click on

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 73
Tel 902876701
 Step 13 We can also observe the SGTs in the ISE, in the main page we click on Administration
and select Trustsec.

Step 14 Select TrustSec - Matrix

Different views of the ISE TrustSec Matrix can be selected. You may need to use both
scrolls bars on the right of the screen to navigate the Matrix.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 74
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 75
Tel 902876701
 Lab 5 Discovering the SD-Access Underlay
Overview
Discovery and Device Inventory function as one service. The process of finding network
devices is known as Discovery. The Discovery function scans the devices in your network and
sends the list of discovered devices to Device Inventory.

Device Inventory retrieves and saves the details about the devices in its database. Device
Inventory refreshes every 25 minutes for each device. There are two methods for discovering
devices:

 Using CDP and providing a seed IP address.

 Specifying a range of IP addresses (maximum of 4096 devices)

IP Addresses and Credentials

Device IP Address Credentials
GUI: admin / NXos12345
DNAC 10.10.1#.200 CIMC: admin / 1234QWer

JumperPC 10.10.1#.10 RDP: Win7 /NXos12345

RDP: administrator /
DNS 10.10.1#.110 1234QWer

ISEv 10.10.1#.100 admin / 1234QWer

Gateway / NTP 10.10.1#.254 -----------------------

vSphere Client 192.168.100.33 dnac# / dnac#

Border# Pod1: 10.129.255.253 dnac / NXos12345

Pod2: 10.131.255.253 enable secret 1234QWer
Pod3: 10.133.255.253

Pod1: 10.10.11.3
Fusion-Router# Pod2: 10.10.12.3
Pod3: 10.10.13.3 dnac / NXos12345

# is the Pod number

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 76
Tel 902876701
 Topology

Task 1 Discover the SDA Underlay

You will use the Discovery Tool to add devices to Inventory. In DNA Center, the Discovery
tool is used to find existing underlay devices using CDP or IP address ranges. When defining
a discovery profile, users are able to leverage the credentials defined in the Design App.

Step 1 Before creating a Discovery profile and running it, take a moment to look at the
underlay configuration of the equipment. Specifically observe the Border and Fusion Router
devices which have been configured so that there is connectivity in the network segment so
that the discovery between the DNA Center and the Border (Seed switch) is successful.

The devices can be accessed from JumperPC by clicking the Putty icon on the desktop. An
entry will be available for each devices console access.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 77
Tel 902876701
 Device IP Address Credentials

Border# Pod1: 10.129.255.253 dnac / NXos12345

Pod2: 10.131.255.253
Pod3: 10.133.255.253

Note: If for some reason the serial ports (COM) are not correctly associated in the Putty,
please check in Control Panel - System - Device Manager what are the available serial ports
and associate in Terminal Putty to access the consoles devices.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 78
Tel 902876701
 Step 2 Use the following command to show the baseline configuration on each device.
The following configurations are of POD1

BORDER-POD1show running

hostname BORDER-POD1

enable secret 1234QWer

ip routing

ip name-server 10.10.11.110

ip domain name dnac1.local

username dnac privilege 15 password NXos12345

vtp mode transparent

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 79
Tel 902876701
 interface GigabitEthernet1/0/2

switchport mode trunk

shutdown

interface GigabitEthernet1/0/3

no switchport

ip address 10.129.255.253 255.255.252

ip route 0.0.0.0 0.0.0.0 10.129.255.254

ip ssh version 2

snmp-server community public RO

snmp-server community private RW

line vty 0 4

password 1234QWer

login local

BORDER-POD1#show ip int brief

Interface IP-Address OK? Method Status Protocol

Vlan1 unassigned YES manual up up

GigabitEthernet0/0 unassigned YES TFTP up up

GigabitEthernet1/0/1 unassigned YES unset up up

GigabitEthernet1/0/2 unassigned YES unset Admin down Admin down

GigabitEthernet1/0/3 10.129.255.253 YES manual up up

GigabitEthernet1/0/4 unassigned YES unset down down

GigabitEthernet1/0/5 unassigned YES unset down down

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 80
Tel 902876701
 Step 3 Verify connectivity by pinging defult Gateway 10.10.1#.254 represented by the
GW-SW and the DNA Center 10.10.1#.200.

BORDER-POD1#ping 10.10.11.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.11.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/4 ms

BORDER-POD1#ping 10.10.11.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.11.200, timeout is 2 seconds:

!!!!!

Step 4 Execute in Fusion-# the command show running-config and checking the following
baseline configuration.

FUSION-1#show running

hostname FUSION-1

enable secret 1234QWer

ip name-server 10.10.11.110

ip domain name dnac1.local

username dnac privilege 15 password NXos12345

ip dhcp excluded-address 172.16.63.1 172.16.63.4

ip dhcp excluded-address 172.16.61.1 172.16.61.4

ip dhcp excluded-address 172.16.62.1 172.16.62.4

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 81
Tel 902876701
 ip dhcp pool AP_Global_Pool

network 172.16.63.0 255.255.255.240

default-router 172.16.63.14

dns-server 10.10.11.110

domain-name dnac1.local

option 43 hex f104.0a0a.0b73

ip dhcp pool Student_Pool_Wired

network 172.16.61.0 255.255.255.240

default-router 172.16.61.14

dns-server 10.10.11.110

domain-name dnac1.local

ip dhcp pool Servers_Pool

network 172.16.62.0 255.255.255.240

default-router 172.16.62.1

dns-server 10.10.11.110

domain-name dnac1.local

interface Loopback99

ip address 99.1.1.1 255.255.255.255 please take note of the mask /24 o /32

description IP for protocol DHCP

interface GigabitEthernet0/0

no ip address

interface GigabitEthernet0/0.417

encapsulation dot1Q 417

ip address 10.10.11.3 255.255.255.0

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 82
Tel 902876701
 description Conexion to Network

interface GigabitEthernet0/1

ip address 10.129.255.254 255.255.255.252

description Conexion L3 to Border

ip route 0.0.0.0 0.0.0.0 10.10.11.254

line vty 0 4

password 1234QWer

login local

FUSION-1#show ip int brief

Interface IP-Address OK? Method Status Protocol

GigabitEthernet0/0 unassigned YES NVRAM up up

GigabitEthernet0/0.417 10.10.11.3 YES NVRAM up up

GigabitEthernet0/1 10.129.255.254 YES manual up up

Loopback99 99.1.1.1 YES manual up up

According to the topology in the Gi0/0.417 sub interface of the Fusion router, it is the
connection to the 10.10.1#.0/24 enterprise network through the GW-SW and the Gi0/1 port
to the L3 connection to the Border switch for discovery.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 83
Tel 902876701
 Step 5 Verify connectivity from the Fusion router to the default Gateway 10.10.1#.254
represented by the GW-SW and the DNA Center 10.10.1#.200.

FUSION-1#ping 10.10.11.254

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.11.254, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms

FUSION-1#ping 10.10.11.200

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.10.11.200, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 84
Tel 902876701
 Step 6 It is necessary to create a Reserved IP Address Pool so we can make the automatic
discovery of the devices that will make the fabric (Border, Edge, WLC, etc) with the PnP
protocol through the Provisioning service (LAN Automation).

PODs

IP Pool Name IP Subnet Mask Gateway

Underlay-Ambar 10.128.255.0 /24 10.128.255.1
Underlay-Cornalina 10.130.255.0 /24 10.130.255.1
Underlay-Bonales 10.132.255.0 /24 10.132.255.1

Go to Design – Network Setting – your Building – IP Address Pool Select, click Reserved IP
Pool

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 85
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 86
Tel 902876701
 Step 7 From Jumper PC enter via Putty to BORDER and Fusion Router and verify connectivity
with show ip route and show ip int brief

Step 8 Return to DNA Center in the browser. Click on the Discovery tool from the home page.

Step 9 Go to Cisco DNAC Center – Tools - Discovery from the home page

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 87
Tel 902876701
 Step 10 Click Add Discovery, this opens the New Discovery page.

Enter the Discovery Name as: BORDER-SEED

Discovery type: CDP

In the field IP address of switch Border#

Device IP Address

Border# Pod1: 10.129.255.253

Pod2: 10.131.255.253
Pod3: 10.133.255.253

CDP Level: 4

Prefered IP Management: none

Note: Outside of the lab, this IP address could be any L3 interface or Loopback on any switch
that DNA Center can access.

Normally you would sweep a large range of IP addresses that you have in your environment,
for lab you will discover a single device. Border Switch 9300 will have the role BORDER/CP
and Edge Switch have the role EDGE

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 88
Tel 902876701
 Step 11 Expand the Credentials section.

Step 12 Verify the Credentials added in the Lab 2 - Task 3

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 89
Tel 902876701
 Note: Remember these credentials have been preconfigured on the devices in the baseline
configuration.

Step 13 Scroll down the page and open the Advanced section.

Step 14 The final step is to verify SSH as a discovery. To do this, scroll down the page and
open the Advanced section. Ensure it has a blue check mark to it.

Step 15 To start the discovery process, click on Start in the upper right-hand corner.
Once the discovery starts, the page will present the devices and details as they are
discovered.

Note: Discovery may discover multiple devices per CDP, but by now only the Border switch
with the supplied credentials will be reachable successfully via CLI and SNMP. Full discovery
with this number of CDP hops may take up to ten minutes to complete.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 90
Tel 902876701
 During the Discovery process we can observe from the BORDER switch console how the
DNA Center performs several successful login through the CLI and SNMP, generate initial
configurations as well as generate and save the certificate.

You can find the differences between baseline file and the new configuration with the
following command:

BORDER-1

show archive config differences flash:BORDER1-INIT system:running-config

From version 1.3 you can go directly to Provision – Network Devices - Inventory, select the
BORDER Switch, click on Configuration and check the running-config

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 91
Tel 902876701
 Step 16 Click on Cisco DNA Center to return Home page and check Network Devices

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 92
Tel 902876701
 Step 17 Click on “1” and check that the Border switch has been added as Network Devices

Step 18 Verify that the Status of the Border Switch is Not Provisioned (Unassigned
Devices)

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 93
Tel 902876701
 Step 19 Select the Border Switch and Actions click Provision – Provision Device

Step 20 Choose your Building site/Floor and Next

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 94
Tel 902876701
 Step 21 Next leaving Advanced Configuration by default

Step 22 After giving Deploy and Apply, we can see how the Border switch has already been
assigned to the corresponding building.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 95
Tel 902876701
 Step 23 You can also click on BORDER-POD1 and see the information pertinent to the switch
in Compliant.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 96
Tel 902876701
 Task 2 Configure underlay switches using LAN Automation

Use this procedure if you are deploying LAN switches without existing configurations into
the underlay by using DNA Center’s LAN Automation capabilities. The device CLI and SNMP
credentials to be pushed by PnP, the network-reachable IP address pool used for
connectivity, and the seed devices (typically border switches) have been configured as part
of previous procedures.

Each seed device (BORDER) is expected to have an appropriate VTP mode and MTU
configuration (examples: vtp mode transparent, system mtu 9100). Ports on the seed device
connected to devices to be discovered must be in layer-2 mode (access port versus routed
port), and the seed device ports cannot be dedicated out-of-band (OOB) management ports.

The credentials supplied allow DNA Center and seed devices to work together to configure
the discovered devices and add them into managed inventory. Because all of the discovered
devices must be running the PnP agent with no previous configuration, any previously
configured switch to be used must be restored to a state where the PnP agent is running,
accomplished by using the following configuration mode and exec mode commands:

(config)#config-register 0x2102

(config)#crypto key zeroize

(config)#no crypto pki certificate pool

delete /force vlan.dat

delete /force nvram:*.cer

delete /force nvram:pnp*

delete /force flash:pnp*

delete /force stby-nvram:*.cer

delete /force stby-nvram:*.pnp*

!previous two lines only for HA systems

write erase

reload

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 97
Tel 902876701
 Do not save the configurations for the reload process. To prepare switch stacks for LAN
Automation, use the same restoration commands for each switch in the stack.

The IP pool used for LAN Automation should be sized significantly larger than the number of
devices to be discovered. The pool is divided in half, with one half used for VLAN 1 DHCP
services provided by the seed devices.

The second half of the pool is divided in half again, leaving a quarter of the total address
space for point-to-point link addressing, and a quarter for loopback addressing. Endpoints
should not be plugged into the switches, as they can exhaust the IP pool DHCP uses for PnP
provisioning.

Note: Addresses in the LAN Automation pool (Underlay-Building) need to be reachable by

DNA Center to successfully complete provisioning and must not be used anywhere else in
the network.

Step 1 Navigate to PROVISION > Network Devices > Inventory.

Select Border switch, click Actions - Provision drop-down, click LAN Automation on the right
in the LAN Automation slide-out, fill in all of the parameters for the supported seed device.
Select the interfaces connected to the devices to be discovered, and then click Start.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 98
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 99
Tel 902876701
 Step 2 Click Start

Step 3 Click LAN Auto Status to view progress. Do not click Stop in this step. Wait until all
devices show a state of Completed, and then proceed to the next verification step.
Prematurely stopping the PnP process will leave the discovery in a state needing manual
intervention for recovery.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 100
Tel 902876701
 Discovering devices an additional hop away from the seed can take significantly more time
to reach completion.

In Tab Summary you can see details about Discovery process

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 101
Tel 902876701
 Step 4 Click in Tab on Logs to see the events, refresh periodically

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 102
Tel 902876701
 After the devices discovered all reach Completed state, click Stop. LAN Automation tears
down all Layer 2 connectivity on VLAN 1 and the underlay IS-IS routing process is used for
reachability to the routed network, and devices are managed in the inventory.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 103
Tel 902876701
 Click Devices

During the LAN Automation process, we can observe from the BORDER and EDGE switch
console how the DNA Center performs several successful configurations.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 104
Tel 902876701
 BORDER
Aug 28 11:18:41.292: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

Aug 28 11:18:41.542: %CLNS-6-DFT_OPT: Protocol timers for fast convergence are Enabled.

Aug 28 11:18:42.186: %SYS-5-CONFIG_I: Configured from console by dnac on vty0 (10.10.13.200)

Aug 28 11:18:43.187: %SYS-5-CONFIG_I: Configured from console by dnac on vty0 (10.10.13.200)

Aug 28 11:18:43.952: DHCPDR: No form 1

Aug 28 11:18:43.991: %SYS-5-CONFIG_I: Configured from console by dnac on vty0 (10.10.13.200)

Aug 28 11:18:44.595: %BFD-6-BFD_IF_CONFIGURE: BFD-SYSLOG: bfd config apply, idb:Vlan1

Aug 28 11:18:44.640: %SYS-5-CONFIG_I: Configured from console by dnac on vty0 (10.10.13.200)

Aug 28 11:18:46.440: %LINK-3-UPDOWN: Interface Vlan1, changed state to up

Aug 28 11:18:47.441: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to up

Aug 28 11:22:50.365: %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_created, neigh 10.13

2.255.2 proc:ISIS, idb:Vlan1 handle:1 act

Aug 28 11:22:50.838: %BFDFSM-6-BFD_SESS_UP: BFD-SYSLOG: BFD session ld:1 handle:1 is going UP

Aug 28 11:22:51.358: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 0101.3225.5068 (Vlan1) Up, new adjacency

Aug 28 11:22:51.358: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 0101.3225.5068 (Vlan1) Up, new adjacency

Aug 28 11:30:36.926: %SYS-5-CONFIG_I: Configured from console by dnac on vty1 (10.10.13.200)

Aug 28 11:30:37.742: %BFDFSM-6-BFD_SESS_DOWN: BFD-SYSLOG: BFD session ld:1 handle:1,is going Down Reason:

ECHO FAILURE

Aug 28 11:30:37.742: %CLNS-5-ADJCHANGE: ISIS: Adjacency to Switch-10-132-255-68 (Vlan1) Do

wn, bfd neighbor down

Aug 28 11:30:37.742: %CLNS-5-ADJCHANGE: ISIS: Adjacency to Switch-10-132-255-68 (Vlan1) Do

wn, bfd neighbor down

Aug 28 11:30:37.827: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1,

changed state to down

Aug 28 11:30:38.827: %LINK-3-UPDOWN: Interface Vlan1, changed state to down

Aug 28 11:30:38.828: %BFD-6-BFD_SESS_DESTROYED: BFD-SYSLOG: bfd_session_destroyed, ld:1 n

eigh proc:ISIS, handle:1 act

Aug 28 11:30:38.839: %BFD-6-BFD_IF_CONFIGURE: BFD-SYSLOG: bfd config apply, idb:GigabitEthernet1/0/1

Aug 28 11:30:39.827: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan1, changed state to down

Aug 28 11:30:40.275: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to down

Aug 28 11:30:40.346: %SYS-5-CONFIG_I: Configured from console by on vty2 (EEM:_L3Applet_G

igabitEthernet1/0/1)

Aug 28 11:30:42.759: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, changed state to up

Aug 28 11:30:42.759: %IFDAMP-5-UPDOWN: interface GigabitEthernet1/0/1 update CLNS Routing

state to UP, interface is not suppressed

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 105
Tel 902876701
 Aug 28 11:30:42.760: %IFDAMP-5-UPDOWN: interface GigabitEthernet1/0/1 update IP Routing st
ate to UP, interface is not suppressed

Aug 28 11:30:42.785: %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_created, neigh 10.13

2.255.67 proc:ISIS, idb:GigabitEthernet1/0/1 handle:2 act

Aug 28 11:30:43.470: %SYS-5-CONFIG_I: Configured from console by dnac on vty1 (10.10.13.200)

Aug 28 11:30:43.759: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet1/0/1,

changed state to up

Aug 28 11:30:44.421: %BFDFSM-6-BFD_SESS_UP: BFD-SYSLOG: BFD session ld:2 handle:2 is going UP

Aug 28 11:30:44.423: %CLNS-5-ADJCHANGE: ISIS: Adjacency to Switch-10-132-255-68 (GigabitEt

hernet1/0/1) Up, new adjacency

Aug 28 11:30:46.111: %SYS-5-CONFIG_I: Configured from console by dnac on vty1 (10.10.13.200)

Aug 28 11:30:47.399: %BFD-6-BFD_SESS_DESTROYED: BFD-SYSLOG: bfd_session_destroyed, handle

:1 neigh proc:CEF, handle:1 act

EDGE

% Please answer 'yes' or 'no'.

Would you like to enter the initial configuration dialog? [yes/no]:

Press RETURN to get started!

*Aug 28 11:22:34.029: %PNP-6-PROFILE_CONFIG: PnP Discovery profile pnp-zero-touc

h configured

*Aug 28 11:22:34.368: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named TP-self-signed-

993705203 has been generated or imported

*Aug 28 11:22:34.369: %SSH-5-ENABLED: SSH 1.99 has been enabled

*Aug 28 11:22:34.440: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named TP-self-signed-993705203.server has been generated

or imported

*Aug 28 11:22:44.921: %PNP-6-PNP_DISCOVERY_DONE: PnP Discovery done successfully

*Aug 28 11:19:28.000: %SYS-6-CLOCKUPDATE: System clock has been updated from 11:
22:47 UTC Sat Aug 28 2021 to 11:19:28 UTC Sat Aug 28 2021, configured from console by vty0.

Aug 28 11:19:28.000: %PKI-6-AUTHORITATIVE_CLOCK: System clock has been set. PKI timers get initialized now.

Aug 28 11:19:28.685: %PKI-4-NOCONFIGAUTOSAVE: Configuration was modified. Issue "write memory" to save new IOS PKI
configuration

Aug 28 11:19:37.287: %AN-6-AN_ABORTED_BY_CONSOLE_INPUT: Autonomic disabled due to User intervention on console.

configure 'autonomic' to enable it.

%Error opening tftp://255.255.255.255/network-confg (Timed out)

%Error opening tftp://255.255.255.255/cisconet.cfg (Timed out)

Aug 28 11:21:02.140: %PNPA-DHCP Op-43 Msg: Op43 has 5A. It is for PnP

Aug 28 11:21:02.140: %PNPA-DHCP Op-43 Msg: After stripping extra characters in front of 5A, if any:
5A1D;B2;K4;I10.10.13.6;J80; op43_len: 27

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 106
Tel 902876701
 Aug 28 11:21:02.140: %PNPA-DHCP Op-43 Msg: _pdoon.2.ina=[Vlan1]

Aug 28 11:21:02.140: %PNPA-DHCP Op-43 Msg: _papdo.2.eRr.ena

Aug 28 11:21:02.140: %PNPA-DHCP Op-43 Msg: _pdoon.2.eRr.pdo=-1

%Error opening tftp://255.255.255.255/router-confg (Timed out)

%Error opening tftp://255.255.255.255/ciscortr.cfg (Timed out)

Aug 28 11:22:15.152: AUTOINSTALL: Tftp script execution not successful for Vl1.

000198: Aug 28 11:22:48.027: yang-infra: ERROR: Failed to create a new self-signed trustpoint

000199: Aug 28 11:22:48.027: yang-infra: netconf-yang server has been notified to start

000200: Aug 28 11:22:48.548: %CRYPTO_ENGINE-5-KEY_ADDITION: A key named dnac-sda has been generated or imported

000201: Aug 28 11:22:48.753: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up

000202: Aug 28 11:22:48.761: %CLNS-6-DFT_OPT: Protocol timers for fast convergence are Enabled.

000203: Aug 28 11:22:48.774: %BFD-6-BFD_IF_CONFIGURE: BFD-SYSLOG: bfd config apply, idb:Vlan1

000204: Aug 28 11:22:49.390: %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_created, neigh 10.132.255.1 proc:ISIS,

idb:Vlan1 handle:1 act

000205: Aug 28 11:22:50.256: %BFDFSM-6-BFD_SESS_UP: BFD-SYSLOG: BFD session ld:1 handle:1 is going UP

000206: Aug 28 11:22:50.383: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 0101.3225.5065 (Vlan1) Up, new adjacency

000207: Aug 28 11:22:50.785: %CLNS-5-ADJCHANGE: ISIS: Adjacency to 0101.3225.5065 (Vlan1) Up, new adjacency

000208: Aug 28 11:22:52.155: %PNPA-DHCP Op-43 Msg: Op43 has 5A. It is for PnP

000209: Aug 28 11:22:52.155: %PNPA-DHCP Op-43 Msg: After stripping extra characters in front of 5A, if any:
5A1D;B2;K4;I10.10.13.6;J80; op43_len: 27

000210: Aug 28 11:22:52.155: %PNPA-DHCP Op-43 Msg: _pdoon.3.ina=[Vlan1]

000211: Aug 28 11:22:52.155: %PNPA-DHCP Op-43 Msg: _papdo.3.eRr.ena

000212: Aug 28 11:22:52.155: %PNPA-DHCP Op-43 Msg: _pdoon.3.eRr.pdo=-1

000213: Aug 28 11:22:58.881: %HMANRP-6-EMP_NO_ELECTION_INFO: Could not elect active EMP switch, setting emp active
switch to 0: EMP_RELAY: Could not elect switch with mgmt port UP

000214: Aug 28 11:23:02.527: %ONEP_BASE-6-SS_ENABLED: ONEP: Service set Vty was enabled by Platform

000215: Aug 28 11:23:02.729: %ONEP_BASE-6-CONNECT: [Element]: ONEP session Application:com.cisco.syncfd Host:Switch-

10-132-255-68_1_RP_0 ID:3377 User:a has connected.

000216: Aug 28 11:23:04.930: %ONEP_BASE-6-CONNECT: [Element]: ONEP session Application:com.cisco.nesd Host:Switch-

10-132-255-68_1_RP_0 ID:7440 User:NETCONF has connected.

000217: Aug 28 11:23:13.381: %NDBMAN-5-ACTIVE: Switch 1 R0/0: ndbmand: All data providers active.

000218: Aug 28 11:23:18.243: %DMI-5-SYNC_START: Switch 1 R0/0: syncfd: External change to running configuration
detected. The running configuration will be synchronized to the NETCONF running data store.

000219: Aug 28 11:23:18.353: %DMI-5-NACM_INIT: Switch 1 R0/0: dmiauthd: NACM configuration has been set to its
initial configuration.

000220: Aug 28 11:23:18.389: %DMI-3-NETCONF_SSH_ERROR: Switch 1 R0/0: ncsshd_bp:NETCONF/SSH: error: Trustpoint does
not have a cert

000221: Aug 28 11:23:21.052: %DMI-5-SYNC_COMPLETE: Switch 1 R0/0: syncfd: The running configuration has been
synchronized to the NETCONF running data store.

000223: Aug 28 11:23:44.921: %SYS-5-CONFIG_I: Configured from console by dnac on vty2 (10.10.13.200)

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 107
Tel 902876701
 000224: Aug 28 11:23:44.922: %SYS-6-LOGGINGHOST_STARTSTOP: Logging to host 10.10.13.6 port 514 started - CLI
initiated

000225: Aug 28 11:23:45.593: %SYS-5-CONFIG_I: Configured from console by dnac on vty2 (10.10.13.200)

000226: Aug 28 11:23:46.215: %SYS-5-CONFIG_I: Configured from console by dnac on vty2 (10.10.13.200)

000227: Aug 28 11:23:46.847: %SYS-5-CONFIG_I: Configured from console by dnac on vty2 (10.10.13.200)

000229: Aug 28 11:23:51.330: %PKI-6-CA_CERT_INSTALL: A CA certificate has been installed under trustpoint : DNAC-CA

Issuer-name ou=Cisco DNA Center,o=Cisco Systems,cn=7138bc55-4167-3d20-6286-891daa9b0b0c

Subject-name ou=Cisco DNA Center,o=Cisco Systems,cn=7138bc55-4167-3d20-6286-891daa9b0b0c

Serial-number 00C48790CF64D1DE90

End-date : 10:28:48 UTC Feb 17 2023

000230: Aug 28 11:23:51.846: %SYS-5-CONFIG_I: Configured from console by dnac on vty2 (10.10.13.200)

000231: Aug 28 11:23:51.923: %DMI-5-SYNC_START: Switch 1 R0/0: syncfd: External change to running configuration
detected. The running configuration will be synchronized to the NETCONF running data store.

000232: Aug 28 11:23:54.148: %SYS-5-CONFIG_I: Configured from console by dnac on vty2 (10.10.13.200)

000233: Aug 28 11:23:54.818: %DMI-5-SYNC_COMPLETE: Switch 1 R0/0: syncfd: The running configuration has been
synchronized to the NETCONF running data store.

000234: Aug 28 11:23:59.142: %SYS-5-CONFIG_I: Configured from console by dnac on vty2 (10.10.13.200)

000235: Aug 28 11:23:59.254: %DMI-5-SYNC_START: Switch 1 R0/0: syncfd: External change to running configuration
detected. The running configuration will be synchronized to the NETCONF running data store.

000236: Aug 28 11:23:59.914: %SYS-5-CONFIG_I: Configured from console by dnac on vty2 (10.10.13.200)

000237: Aug 28 11:24:02.403: %DMI-5-SYNC_COMPLETE: Switch 1 R0/0: syncfd: The running configuration has been
synchronized to the NETCONF running data store.

000238: Aug 28 11:30:32.940: %DMI-5-SYNC_NEEDED: Switch 1 R0/0: syncfd: Configuration change requiring running
configuration sync detected - 'action 1.4 cli command "ip address 10.132.255.67 255.255.255.254"'. The running
configuration will be synchronized to the NETCONF running data store.

000239: Aug 28 11:30:34.059: %SYS-5-CONFIG_I: Configured from console by dnac on

vty0 (10.10.13.200)

000240: Aug 28 11:30:34.061: %DMI-5-SYNC_START: Switch 1 R0/0: syncfd: External

change to running configuration detected. The running configuration will be sync
hronized to the NETCONF running data store.

000241: Aug 28 11:30:35.432: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gig

abitEthernet1/0/1, changed state to down

000242: Aug 28 11:30:36.045: %BFD-6-BFD_IF_CONFIGURE: BFD-SYSLOG: bfd config app

ly, idb:GigabitEthernet1/0/1

000243: Aug 28 11:30:36.966: %BFDFSM-6-BFD_SESS_DOWN: BFD-SYSLOG: BFD session ld

:1 handle:1,is going Down Reason: ECHO FAILURE

000244: Aug 28 11:30:36.967: %CLNS-5-ADJCHANGE: ISIS: Adjacency to BORDER-POD3 (

Vlan1) Down, bfd neighbor down

000245: Aug 28 11:30:36.967: %CLNS-5-ADJCHANGE: ISIS: Adjacency to BORDER-POD3 (

Vlan1) Down, bfd neighbor down

000246: Aug 28 11:30:36.995: %DMI-5-SYNC_COMPLETE: Switch 1 R0/0: syncfd: The ru

nning configuration has been synchronized to the NETCONF running data store.

000247: Aug 28 11:30:37.440: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, cha

nged state to down

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 108
Tel 902876701
 000248: Aug 28 11:30:37.669: %SYS-5-CONFIG_I: Configured from console by on vty
3 (EEM:_L3Applet_GigabitEthernet1/0/1)

000249: Aug 28 11:30:42.194: %LINK-3-UPDOWN: Interface GigabitEthernet1/0/1, cha

nged state to up

000250: Aug 28 11:30:42.195: %IFDAMP-5-UPDOWN: interface GigabitEthernet1/0/1 up

date CLNS Routing state to UP, interface is not suppressed

000251: Aug 28 11:30:42.196: %IFDAMP-5-UPDOWN: interface GigabitEthernet1/0/1 up

date IP Routing state to UP, interface is not suppressed

000252: Aug 28 11:30:43.172: %BFD-6-BFD_SESS_CREATED: BFD-SYSLOG: bfd_session_cr

eated, neigh 10.132.255.66 proc:ISIS, idb:GigabitEthernet1/0/1 handle:2 act

000253: Aug 28 11:30:43.194: %LINEPROTO-5-UPDOWN: Line protocol on Interface Gig

abitEthernet1/0/1, changed state to up

000254: Aug 28 11:30:43.833: %BFDFSM-6-BFD_SESS_UP: BFD-SYSLOG: BFD session ld:2

handle:2 is going UP

000255: Aug 28 11:30:43.835: %CLNS-5-ADJCHANGE: ISIS: Adjacency to BORDER-POD3 (

GigabitEthernet1/0/1) Up, new adjacency

000256: Aug 28 11:30:44.220: %BFD-6-BFD_SESS_DESTROYED: BFD-SYSLOG: bfd_session_

destroyed, ld:1 neigh proc:ISIS, handle:1 act

000257: Aug 28 11:30:48.317: %DMI-5-SYNC_NEEDED: Switch 1 R0/0: syncfd: Configur

ation change requiring running configuration sync detected - 'no ip address '. T
he running configuration will be synchronized to the NETCONF running data store
.

000258: Aug 28 11:30:49.036: %SYS-5-CONFIG_I: Configured from console by dnac on

vty0 (10.10.13.200)

000259: Aug 28 11:30:49.037: %DMI-5-SYNC_START: Switch 1 R0/0: syncfd: External

change to running configuration detected. The running configuration will be sync
hronized to the NETCONF running data store.

000260: Aug 28 11:30:52.030: %DMI-5-SYNC_COMPLETE: Switch 1 R0/0: syncfd: The ru

nning configuration has been synchronized to the NETCONF running data store.

000261: Aug 28 11:30:52.451: %BFD-6-BFD_SESS_DESTROYED: BFD-SYSLOG: bfd_session_

destroyed, handle:1 neigh proc:CEF, handle:1 act

000262: Aug 28 11:31:19.230: %PNPA-DHCP Op-43 Msg: Op43 has 5A. It is for PnP

000263: Aug 28 11:31:19.230: %PNPA-DHCP Op-43 Msg: After stripping extra charact
ers in front of 5A, if any: 5A1D;B2;K4;I10.10.13.6;J80; op43_len: 27

000264: Aug 28 11:31:19.230: %PNPA-DHCP Op-43 Msg: _pdoon.4.ina=[Vlan1]

000265: Aug 28 11:31:19.230: %PNPA-DHCP Op-43 Msg: _papdo.4.eRr.ena

000266: Aug 28 11:31:19.230: %PNPA-DHCP Op-43 Msg: _pdoon.4.eRr.pdo=-1

User Access Verification

Username:

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 109
Tel 902876701
 Step 5 Check in Provision-Network Devices-Inventory there are one new device.

Task 3 Provisioning the SD-Access underlay network

Step 1 Assign the Border-Router Role to BORDER-POD1.dna1.local switch and new swith
appears as Access by default.

For Access switch we must execute the Provision as Provision Device

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 110
Tel 902876701
 Step 2 After assigning the roles and Provisioning, we click on Device Name to see some
parameters of the switches, the configuration and the status of their interfaces.

BORDER-POD3 (Details)

(Interfaces-Ethernet Ports)

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 111
Tel 902876701
 EDGE SWITCH (Details)

EDGE SWITCH (Interfaces-Ports)

Step 3 Now we can observe the network topology in the icon of Topology

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 112
Tel 902876701
 Step 4 Repeat the same procedure done to the Border Switch to add the Fusion Router
specifically through a new Discovery to the inventory, even though this router model 2901
that is not compatible to be part of the fabric however it is very useful to see it in our
Topology.

Note: Remember select ONLY Telnet in Fusion Router Discovery

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 113
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 114
Tel 902876701
 Once discovered assign the Site

Step 5 Assign Fusion Router as CORE and assign to your building site

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 115
Tel 902876701
 Task 4 Building an Overlay Network
In previous tasks, we added devices in Cisco DNA Center to build an underlay transport
automatically as (greenfield case), but we did not specify how an overlay network would
work. With wired automation, SD-Access creates an overlay network and defines the fabric
edge as well as control plane and border functions.

The Cisco DNA Center web interface made this possible with a simple five step process:

1.- Provision network devices. This was simply a matter of adding all previously defined
devices.

2.- Create a fabric domain. With SD-Access, the scope of a fabric domain can be arbitrarily
large or small. In our lab, we will define a new fabric called “FABRIC_POD#” and added all
previously defined devices to it using DNA Center’s Provision/Fabric module.

Importantly, this step creates a single logical fabric of multiple physical devices, while also
hiding the underlying mechanics (which can be quite complex) from network professionals.

3.- Define a Border node require explicit definition in SD-Access. This is as simple as clicking
on a previously defined Cisco Catalyst 9300 and designating it as a Border node.

4.- Define a Control Plane node. Similarly, in our lab we clicked on the same Catalyst 9300
Border switch and chose it to be the network’s Control Plane node.

5.- Define one or more Fabric Edge nodes. Clicking on the remaining switch in DNA Center
allowed us to designate them as Fabric Edge nodes.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 116
Tel 902876701
 Step 1 Go to Provision and select Fabric. After a momentary delay, you will be taken to a
new page for creating and managing SD-Access fabrics.

Step 2 Click on Add to create a new Fabric

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 117
Tel 902876701
 Step 3 Use the Fabric name “FABRIC_POD#” (# = Pod number), and then click Next

Step 4 Select Campus_VN, Guest_VN and INFRA_VN and Click Add.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 118
Tel 902876701
 Task 5 Reserved IP Pools for Host Onboarding
Host Onboarding is a number of different steps under the Provision – Fabric select your
building and click Host Onboarding tab of DNAC. It combines together all the previously
configured items completed during the Design Stage.

Once the overlay (LISP) is provisioned, the routers and switches need to be made aware of
the IP Address Pools. These pools enable hosts to communicate through the Fabric. This is
done by binding the Reserved IP Address Pools with the previously created VNs. This is how
LISP keeps track of hosts and their applicable VRFs, effectively segmenting the network. SGTs
further segments the VRFs.

Step 1 In the DNA Center tab home page click Design – Network Settings and select your
Building or Floor to create the Reserved IP Address Pool for Virtual Networks

Reserved IP Pools
POD1

Reserved IP Pool Name IP Subnet Mask Gateway DHCP DNS Server

Server
Student_Ambar 172.16.61.0 /28 172.16.61.14 99.1.1.1 10.10.11.110
Server_Ambar_P2 172.16.62.0 /28 172.16.62.14 99.1.1.1 10.10.11.110
AP_Ambar_P2 172.16.63.0 /28 172.16.63.14 99.1.1.1 10.10.11.110

POD2

Reserved IP Pool Name IP Subnet Mask Gateway DHCP DNS Server

Server
Student_Cornalina 172.16.71.0 /28 172.16.71.14 99.2.2.2 10.10.12.110
Server_ Cornalina _P2 172.16.72.0 /28 172.16.72.14 99.2.2.2 10.10.12.110
AP_ Cornalina _P2 172.16.73.0 /28 172.16.73.14 99.2.2.2 10.10.12.110

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 119
Tel 902876701
 POD3

Reserved IP Pool Name IP Subnet Mask Gateway DHCP DNS Server

Server
Student_Topacio 172.16.81.0 /28 172.16.81.14 99.3.3.3 10.10.13.110
Server_ Topacio _P2 172.16.82.0 /28 172.16.82.14 99.3.3.3 10.10.13.110
AP_ Topacio _P2 172.16.83.0 /28 172.16.83.14 99.3.3.3 10.10.13.110

Step 2 Click on Reserved IP Pool

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 120
Tel 902876701
 Step 3 Review the table of IP address Pool
Once the VNs are bound to the IP Address Pools, DNAC will push additional configuration to
the Edge Nodes. Each Edge Node will be provisioned with a SVI (Switched Virtual Interface)

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 121
Tel 902876701
 for each defined Virtual Network. The IP address of that SVI will be the Gateway defined in
the IP Address Pool in Design.

Step 4 Review DNAC configuration to Edge and Border switch

Step 5 Return the Cisco DNA Center and select Provision – Fabric and click in your
FABRIC_POD#

Step 6 Click on the Host Onboarding to start applying the IP pools for host devices.
This will utilize the IP Address Pools defined in the Design section.

Provisión – Fabric - FABRIC-POD#- your building - Host Onboarding

Step 7 Under Authentication Template select No Authentication and Apply

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 122
Tel 902876701
 Step 8 In Virtual Networks, Add Campus and Guest and click Update

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 123
Tel 902876701
 Step 9 Select Campus_VN, click Add

Step 9 Add Server_Topacio_P2 and Student_Topacio_Wired (example for POD3)

Step 10 Both need to be of data type Choose Data for the Traffic Type.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 124
Tel 902876701
 Click Deploy and Apply

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 125
Tel 902876701
 The final image of Campus_VN should look something like this

Note: Sometimes the Virtual Networks will be displayed in a different order. They should be
alphabetical, although may appear out of order in this early release. This is GUI display error
that does not impact the configuration or provisioning.

Step 11 The previously defined IP Address Pools from Design Section are listed.
These Address Pools must be assigned to (bound to) a VN (VRF) in order for the Host Tracking
Data Base (HTDB), Segmentation, and Anycast Gateways to work properly.

Step 12 Returns DNAC to the Host Onboarding page for the FABRIC-POD#.
Provision - Fabric – FABRIC-POD# - Host Onboarding
Notice that the Campus Virtual Network is now blue, indicating it has Address Pools
provisioned.

Step 13 Repeat these steps with the Virtual network Guest_VN.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 126
Tel 902876701
 Step 14 After applying the Address Pools to Virtual Networks, the resulting configuration is
queued to be pushed to the Edge nodes. The SVI (Anycast Gateway) will use the IP address
defined as the default gateway during the Design Section.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 127
Tel 902876701
 Lab 6 Configuring Transit Site and Fusion Router
Overview

Today the Dynamic Network Architecture Software Defined Access (DNA-SDA) solution
requires a fusion router to perform VRF route leaking between user VRFs and Shared-
Services, which may be in the Global routing table (GRT) or another VRF. Shared Services
may consist of DHCP, Domain Name System (DNS), Network Time Protocol (NTP), Wireless
LAN Controller (WLC), Identity Services Engine (ISE), DNAC components which must be made
available to other virtual networks (VN’s) in the Campus. Thus by creating Border Gateway
Protocol (BGP) peering’s from the Border Routers to the Fusion Routers, on the Fusion
Router the fabric VRF’s subnets which need access to these shared services will be leaked
into GRT, and vice-versa. Route maps can be used to help contain routing tables to subnets
specific to SDA Fabric.

Transit Sites

A transit site is a site that connects two or more fabric sites with each other or connects the
fabric site with external networks (Internet, data center, and so on). There are two types of
transit networks:

 IP transit: Used in a regular IP network to connect to an external network or to connect two

or more fabric sites.

 SDA transit: Used in LISP/VxLAN encapsulation to connect two fabric sites. The SDA transit
area may be defined as a portion of the fabric that has its own Control Plane Nodes, Border
Nodes, but does not have Edge Nodes.

Using SDA transit, an end-to-end policy plane is maintained using SGT group tags.

Border Switch

Connects to any “known” IP subnets attached to the outside network (e.g. DC, WLC, FW,
etc.)

• Exports all internal IP Pools to outside (as aggregate), using a traditional IP routing
protocol(s).

• Imports and registers (known) IP subnets from outside, into the Fabric Control Plane
System • Outside hand-off requires mapping the prefix context (VRF & SGT) from one
domain to another.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 128
Tel 902876701
 TOPOLOGY

IP Addresses and Credentials

Device IP Address Credentials
GUI: admin / NXos12345
DNAC 10.10.1#.200 CIMC: admin / 1234QWer

JumperPC 10.10.1#.10 RDP: Win7 /NXos12345

RDP: administrator /
DNS 10.10.1#.110 1234QWer

ISEv 10.10.1#.100 admin / 1234QWer

Gateway / NTP 10.10.1#.254 -----------------------

vSphere Client 192.168.100.33 dnac# / dnac#

Border# Pod1: 10.129.255.253 dnac / NXos12345

Pod2: 10.131.255.253
Pod3: 10.133.255.253

Pod1: 10.10.11.3
Fusion-Router# Pod2: 10.10.12.3
Pod3: 10.10.13.3 dnac / NXos12345

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 129
Tel 902876701
 Task 1 Create an IP Transit Network
During the task of assigning devices a role of Border Router into the Fabric is necessary and
a Layer 3 hand-off link.

To add a new IP transit network:

Step 1 From the Cisco DNA Center home page, click Provision.

Step 2 Click the Fabric tab.

Step 3 Click the Add Fabric Domain or Transit/Peer Network tab.

Step 4 Choose Add Transit from the pop-up.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 130
Tel 902876701
 Transit Name: EXTERNAL-TRANSIT

Routing Protocol: BGP

Autonomous System Number: 6550#

Transit Type: IP-Based

Step 5
Enter a transit name for the network.
Step 6 Choose IP-Based as the transit type.
The routing protocol is set to BGP by default.

Note: eBGP is preferred to break any loops caused by the bidirectional

advertisement (redistribution) of routes from the fabric to external domain (and
vice-versa), when using multiple Internal Borders for redundancy.

Cisco DNA Center only BGP is supported (for automated configuration). Any routing
protocol is supported if the configuration is going to be applied to the external
interface of the border manually. Select a number to be used as the local AS number.

Step 7
Enter the autonomous system number (ASN) for the transit network.

Step 8 Click Save

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 131
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 132
Tel 902876701
 Task 2 Configuring Layer 3 Handoff
Cisco DNA Center provides an automated Layer 3 handoff for the border configuration to
support carrying policy outside of the fabric. This configuration can be configured manually
if desired.
First, you need to configure an IP pool that will be used for configuring the IP addresses for
VRF-Lite. These IP addresses will be subnetted into multiple /30 networks, one for each VRF
that will be leaked. The external interface of the border(s) will be configured with this. The
other usable IP address in each subnet will need to be manually configured on the neighbor
interface on the next hop (Fusion Router).

To establish the Layer 3 connectivity between the Border Switch and the Fusion Router, we
need a network segment and define the trunk interface in the Border switch.

Step 1 Create the Global IP Pool for the Layer 3 Handoff in Design – Network Setting –
Global – IP address pool

Step 2 Fill the Global IP Pool with the following data and Save:

IP Pool Name: Border_Handoff

IP Subnet:

POD1: 10.129.0.0 /16, GW: 10.129.0.1

POD2: 10.131.0.0/16, GW: 10.131.0.1

POD3: 10.133.0.0/16, GW: 10.133.0.1

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 133
Tel 902876701
 Step 3 Create the Reserve IP Pool in Design – Network Setting click on your Building or Floor
(will depend on where the switches have been added) and click on IP address pool –
Reserved IP Pool

Step 4 Complete the Reserve IP Pool template with the following data according to your
pod and Save:

IP Pool Name: Border_Handoff_”your Building”

Type: LAN (must be LAN)

Global IP Pool: Border_Handoff

CIDR Notation:

POD1: 10.129.0.0 /24, GW: 10.129.0.1

POD2: 10.131.0.0/24, GW: 10.131.0.1

POD3: 10.133.0.0/24, GW: 10.133.0.1

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 134
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 135
Tel 902876701
 Step 5 In the Provision tab home page click Fabric – FABRIC_POD#

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 136
Tel 902876701
 Step 8 Select first the Edge switch click on it and Add to Fabric without Save.

Step 9 Now you can select BORDER switch click on it and select first CP Node and later
Border Node

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 137
Tel 902876701
 This will bring up a configuration box on the right side of the screen. Select the option that
suits the border’s neighbor based on the descriptions below.

Step 9 Click Enable Layer 3 Handoff

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 138
Tel 902876701
 Step 10 Fill template with the following values and Save:

Local Autonmous System: 6500# #= Your pod number

IP Address pool: Border_Handoff_X X= your building POD

TRANSIT: EXTERNAL-TRANSIT

Remote AS Number: 6550# #= Your pod number

Interface: Gi1/0/2

Virtual Network: Campus_VN, Guest_VN and INFRA_VN

Uncheck Do not import external routes

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 139
Tel 902876701
 Click Add

Select your IP Pool

Step 12 ADD

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 140
Tel 902876701
 Click on Deploy

Click Now and Apply

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 141
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 142
Tel 902876701
 Note: The remote AS number will need to be configured manually on the remote device as the
local AS number. This configuration is not automated on the remote device

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 143
Tel 902876701
 Task 3 Verify Configurations pushed by DNAC to Border Router

This Section covers verification of configuration on Border Routers related to BGP protocol,

Enter in BORDER switch and no shutdown interface Gi1/0/2 and verify is configured as
trunk and status UP

BORDER-PODX#show run int Gi1/0/2

interface GigabitEthernet1/0/2

switchport mode trunk

end

Verify the vlans numbers associated to Virtual Networks

BORDER-POD3#show vlan

VLAN Name Status Ports

---- -------------------------------- --------- -------------------------------

1 default active Gi1/0/4, Gi1/0/5, Gi1/0/6

Gi1/0/7, Gi1/0/8, Gi1/0/9

Gi1/0/10, Gi1/0/11, Gi1/0/12

Gi1/0/13, Gi1/0/14, Gi1/0/15

Gi1/0/16, Gi1/0/17, Gi1/0/18

Gi1/0/19, Gi1/0/20, Gi1/0/21

Gi1/0/22, Gi1/0/23, Gi1/0/24

Te1/1/1, Te1/1/2, Te1/1/3

Te1/1/4, Te1/1/5, Te1/1/6

Te1/1/7, Te1/1/8

3001 3001 active

3002 3002 active

3003 3003 active

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 144
Tel 902876701
 Note: Vlans numbers normally start at 3001 but may vary if there have been
errors in previous configurations and the Border switch has not been reset.

Verify Interfaces loopback associated to VRFs and routing process

BORDER-POD3# show run int loopback0

interface Loopback0

description Fabric Node Router IDsho

ip address 10.128.0.65 255.255.255.255

ip pim sparse-mode

ip router isis

clns mtu 1400

BORDER-POD3# show ip interface brief

Interface IP-Address OK? Method Status Protocol

Vlan1 unassigned YES NVRAM up up

Vlan3001 10.133.0.1 YES manual up up

Vlan3002 10.133.0.5 YES manual up up

Vlan3003 10.133.0.9 YES manual up up

GigabitEthernet0/0 unassigned YES NVRAM administratively down down

GigabitEthernet1/0/1 10.132.255.66 YES NVRAM up up

GigabitEthernet1/0/2 unassigned YES unset up up

GigabitEthernet1/0/3 10.133.255.253 YES NVRAM up up

GigabitEthernet1/0/4 unassigned YES unset down down

. .

. .

GigabitEthernet1/0/24 unassigned YES unset down down

GigabitEthernet1/1/1 unassigned YES unset down down

. .

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 145
Tel 902876701
 GigabitEthernet1/1/4 unassigned YES unset down down

Te1/1/1 unassigned YES unset down down

. .

Te1/1/8 unassigned YES unset down down

Fo1/1/1 unassigned YES unset down down

Fo1/1/2 unassigned YES unset down down

TwentyFiveGigE1/1/1 unassigned YES unset down down

TwentyFiveGigE1/1/2 unassigned YES unset down down

Ap1/0/1 unassigned YES unset up up

LISP0 unassigned YES unset up up

LISP0.4097 10.132.255.65 YES unset up up

LISP0.4099 172.16.82.14 YES unset up up

LISP0.4100 172.16.83.14 YES unset up up

Loopback0 10.132.255.65 YES NVRAM up up

Loopback1021 172.16.82.14 YES manual up up

Loopback1022 172.16.81.14 YES manual up up

Loopback1023 172.16.83.14 YES manual up up

BORDER-POD3#

BORDER-POD3#show run int lo 1021

interface Loopback1021

description Loopback Border

vrf forwarding Campus_VN

ip address 172.16.82.14 255.255.255.255

BORDER-POD1#show run int lo1022

interface Loopback1022

description Loopback Border

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 146
Tel 902876701
 vrf forwarding Campus_VN

ip address 172.16.81.14 255.255.255.255

end

BORDER-POD1#show run int lo1023

interface Loopback1023

description Loopback Border

vrf forwarding Guest_VN

ip address 172.16.83.14 255.255.255.255

BORDER-POD3#sh run | s vrf definition Campus

vrf definition Campus

rd 1:4099

address-family ipv4

route-target export 1:4099

route-target import 1:4099

exit-address-family

Verify VRFs for Campus_VN and Guest_VN

BORDER-POD3#show vrf

Name Default RD Protocols Interfaces

Campus 1:4099 ipv4 Vl3001

LI0.4099

Guest_VN 1:4100 ipv4 Vl3002

LI0.4100

Mgmt-vrf <not set> ipv4,ipv6 Gi0/0

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 147
Tel 902876701
 BORDER-POD3#sh run | s vrf definition Guest_VN

vrf definition Guest_VN

rd 1:4100

address-family ipv4

route-target export 1:4100

route-target import 1:4100

exit-address-family

BORDER-POD3#show run int vlan 3001

interface Vlan3001

description vrf interface to External router

vrf forwarding Campus

ip address 10.133.0.1 255.255.255.252

no ip redirects

ip route-cache same-interface

BORDER-POD3#show run int vlan 3002

interface Vlan3002

description vrf interface to External router

vrf forwarding Guest_VN

ip address 10.133.0.5 255.255.255.252

no ip redirects

ip route-cache same-interface

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 148
Tel 902876701
 BORDER-POD3#show run int vlan 3003

interface Vlan3003

interface Vlan3003

description vrf interface to External router

ip address 10.133.0.9 255.255.255.252

no ip redirects

ip route-cache same-interface

Verify BGP configuration

BORDER-POD3#sh run | s bgp

router bgp 65003

bgp router-id interface Loopback0

bgp log-neighbor-changes

bgp graceful-restart

neighbor 10.133.0.10 remote-as 65503

neighbor 10.133.0.10 update-source Vlan3003

address-family ipv4

network 10.132.255.65 mask 255.255.255.255

redistribute lisp metric 10

neighbor 10.133.0.10 activate

neighbor 10.133.0.10 weight 65535

neighbor 10.133.0.10 advertisement-interval 0

exit-address-family

address-family ipv4 vrf Campus_VN

network 10.133.0.0 mask 255.255.255.252

redistribute lisp metric 10

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 149
Tel 902876701
 neighbor 10.133.0.2 remote-as 65503

neighbor 10.133.0.2 update-source Vlan3001

neighbor 10.133.0.2 activate

neighbor 10.133.0.2 weight 65535

exit-address-family

address-family ipv4 vrf Guest_VN

network 10.133.0.4 mask 255.255.255.252

redistribute lisp metric 10

neighbor 10.133.0.6 remote-as 65503

neighbor 10.133.0.6 update-source Vlan3002

neighbor 10.133.0.6 activate

neighbor 10.133.0.6 weight 65535

exit-address-family

BORDER-POD1#sho run | sec lisp

router lisp

locator-table default

locator-set rloc_519a88fa-3b01-48a7-9433-4a9624b5c2cc

IPv4-interface Loopback0 priority 10 weight 10

auto-discover-rlocs

exit-locator-set

service ipv4

encapsulation vxlan

itr map-resolver 10.132.255.65

itr map-resolver 10.132.255.68

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 150
Tel 902876701
 etr map-server 10.132.255.65 key 7 035C5D5E040D79

etr map-server 10.132.255.65 proxy-reply

etr map-server 10.132.255.68 key 7 08794A1B0B1B5D

etr map-server 10.132.255.68 proxy-reply

etr

sgt

no map-cache away-eids send-map-request

proxy-etr

proxy-itr 10.132.255.65

map-server

map-resolver

exit-service-ipv4

service ethernet

itr map-resolver 10.132.255.65

itr map-resolver 10.132.255.68

itr

etr map-server 10.132.255.65 key 7 035C5D5E040D79

etr map-server 10.132.255.65 proxy-reply

etr map-server 10.132.255.68 key 7 10160F4C07154A

etr map-server 10.132.255.68 proxy-reply

etr

map-server

map-resolver

exit-service-ethernet

instance-id 4097

remote-rloc-probe on-route-change

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 151
Tel 902876701
 service ipv4

eid-table default

route-export site-registrations

distance site-registrations 250

map-cache site-registration

exit-service-ipv4

exit-instance-id

instance-id 4099

remote-rloc-probe on-route-change

service ipv4

eid-table vrf Campus_VN

route-import database bgp 65003 route-map DENY-Campus_VN locator-set rloc_519a88fa-

3b01-48a7-9433-4a9624b5c2cc

route-export site-registrations

distance site-registrations 250

map-cache site-registration

exit-service-ipv4

exit-instance-id

instance-id 4100

remote-rloc-probe on-route-change

service ipv4

eid-table vrf Guest_VN

route-import database bgp 65003 route-map DENY-Guest_VN locator-set rloc_519a88fa-3b01-

48a7-9433-4a9624b5c2cc

route-export site-registrations

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 152
Tel 902876701
 distance site-registrations 250

map-cache site-registration

exit-service-ipv4

exit-instance-id

site site_uci

description map-server configured from Cisco DNA-Center

authentication-key 7 11511F50151053

eid-record instance-id 4097 0.0.0.0/0 accept-more-specifics

eid-record instance-id 4099 0.0.0.0/0 accept-more-specifics

eid-record instance-id 4099 172.16.81.0/28 accept-more-specifics

eid-record instance-id 4099 172.16.82.0/28 accept-more-specifics

eid-record instance-id 4100 0.0.0.0/0 accept-more-specifics

eid-record instance-id 4100 172.16.83.0/28 accept-more-specifics

eid-record instance-id 8188 any-mac

eid-record instance-id 8189 any-mac

eid-record instance-id 8190 any-mac

exit-site

ipv4 locator reachability exclude-default

ipv4 source-locator Loopback0

exit-router-lisp

redistribute lisp metric 10

redistribute lisp metric 10

redistribute lisp metric 10

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 153
Tel 902876701
 Switch-10-132-255-68#show run | sec lisp

no lisp mobility liveness test

lisp mobility 172_16_82_0-Campus_VN-IPV4

no lisp mobility liveness test

lisp mobility 172_16_81_0-Campus_VN-IPV4

no lisp mobility liveness test

lisp mobility 172_16_83_0-Guest_VN-IPV4

router lisp

locator-table default

locator-set rloc_8c223f43-e91b-4c5e-af7d-d9d2fe0517a6

IPv4-interface Loopback0 priority 10 weight 10

exit-locator-set

locator default-set rloc_8c223f43-e91b-4c5e-af7d-d9d2fe0517a6

service ipv4

encapsulation vxlan

itr map-resolver 10.132.255.65

etr map-server 10.132.255.65 key 7 0914485C1B074F

etr map-server 10.132.255.65 proxy-reply

etr

sgt

no map-cache away-eids send-map-request

use-petr 10.132.255.65

proxy-itr 10.132.255.68

exit-service-ipv4

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 154
Tel 902876701
 !

service ethernet

itr map-resolver 10.132.255.65

itr

etr map-server 10.132.255.65 key 7 005C1553065953

etr map-server 10.132.255.65 proxy-reply

etr

exit-service-ethernet

instance-id 4097

remote-rloc-probe on-route-change

service ipv4

eid-table default

exit-service-ipv4

exit-instance-id

instance-id 4099

remote-rloc-probe on-route-change

dynamic-eid 172_16_81_0-Campus_VN-IPV4

database-mapping 172.16.81.0/28 locator-set rloc_8c223f43-e91b-4c5e-af7d-

d9d2fe0517a6

exit-dynamic-eid

dynamic-eid 172_16_82_0-Campus_VN-IPV4

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 155
Tel 902876701
 database-mapping 172.16.82.0/28 locator-set rloc_8c223f43-e91b-4c5e-af7d-
d9d2fe0517a6

exit-dynamic-eid

service ipv4

eid-table vrf Campus_VN

map-cache 0.0.0.0/0 map-request

exit-service-ipv4

exit-instance-id

instance-id 4100

remote-rloc-probe on-route-change

dynamic-eid 172_16_83_0-Guest_VN-IPV4

database-mapping 172.16.83.0/28 locator-set rloc_8c223f43-e91b-4c5e-af7d-

d9d2fe0517a6

exit-dynamic-eid

service ipv4

eid-table vrf Guest_VN

map-cache 0.0.0.0/0 map-request

exit-service-ipv4

exit-instance-id

instance-id 8188

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 156
Tel 902876701
 remote-rloc-probe on-route-change

service ethernet

eid-table vlan 1021

broadcast-underlay 239.0.17.1

flood arp-nd

flood unknown-unicast

database-mapping mac locator-set rloc_8c223f43-e91b-4c5e-af7d-d9d2fe0517a6

exit-service-ethernet

exit-instance-id

instance-id 8189

remote-rloc-probe on-route-change

service ethernet

eid-table vlan 1022

broadcast-underlay 239.0.17.1

flood arp-nd

flood unknown-unicast

database-mapping mac locator-set rloc_8c223f43-e91b-4c5e-af7d-d9d2fe0517a6

exit-service-ethernet

exit-instance-id

instance-id 8190

remote-rloc-probe on-route-change

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 157
Tel 902876701
 service ethernet

eid-table vlan 1023

broadcast-underlay 239.0.17.1

flood arp-nd

flood unknown-unicast

database-mapping mac locator-set rloc_8c223f43-e91b-4c5e-af7d-d9d2fe0517a6

exit-service-ethernet

exit-instance-id

ipv4 locator reachability minimum-mask-length 32

ipv4 source-locator Loopback0

exit-router-lisp

snmp-server enable traps lisp

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 158
Tel 902876701
 Task 4 Configure Fusion Routers

The external device handling routing among multiple virtual networks and a global routing
instance acts as a fusion router for those networks, and the separation of connectivity is
maintained by using VRFs connected using interfaces with 802.1Q tagging to the border, also
known as VRF-lite.

Step 1 Open Putty from your Jumper PC and select the Fusion-# and enter with dnac /
NXos12345

Routing needs to be established between the border and the fusion router. Any IGP that
your border, fusion router, or firewall hardware support is supported. This Lab provides
configuration for BGP based on the Cisco DNA Center automated Layer 3 handoff BGP
configuration. This task can be used as guidance for implementing other routing protocols.
Appropriate loop prevention mechanisms should be implemented (distribute-list, prefix-list,
route-map, etc.).
Note: The Cisco Catalyst 3000, 6000, and 9000 platforms and the Cisco Nexus 7000 platform will use SVIs
for the VRFs that connect to the fusion router. The ASR 1000 Series and the 4000 Series ISR will use 802.1Q
sub interfaces for the VRFs that connect to the fusion router.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 159
Tel 902876701
 Step 2 Configure links towards Border Switch as sub interfaces for each VRF using the
following table:

POD 1 POD 2 POD 3

Gi0/0. 30XX Gi0/0. 30XX Gi0/0. 30XX

IP: 10.129.0.2 /30 IP: 10. 131.0.2 /30 IP: 10. 133.0.2 /30

VLAN: 30XX VLAN: 30XX VLAN: 30XX

Gi0/0. 30YY Gi0/0. 30YY Gi0/0. 30YY

IP: 10.129.0.6 /30 IP: 10. 131.0.6 /30 IP: 10. 133.0.6 /30

VLAN: 30YY VLAN: 30YY VLAN: 30YY

Gi0/0. 30ZZ Gi0/0. 30ZZ Gi0/0. 30ZZ

IP: 10.129.0.10 /30 IP: 10. 131.0.10 /30 IP: 10. 133.0.10 /30

VLAN: 30ZZ VLAN: 30ZZ VLAN: 30ZZ

Example for POD3

The values of the vlans (30XX, 30YY and 30ZZ) will depend on those assigned in the
provisioning process to the border.

Note: The following configurations are for the POD1 and in our lab the fusion router will be
represented by an ISR 2901

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 160
Tel 902876701
 Step 3 Check status of the SVI in Border switch.

Step 4 Configure the Sub-interfaces in the Fusion Router (Example for POD3)

interface GigabitEthernet0/0.3001

encapsulation dot1Q 3001

ip address 10.133.0.2 255.255.255.252

interface GigabitEthernet0/0.3002

encapsulation dot1Q 3002

ip address 10.133.0.6 255.255.255.252

interface GigabitEthernet0/0.3003

encapsulation dot1Q 3003

ip address 10.133.0.10 255.255.255.252

Step 5 Configure BGP Routing Protocol to establish the neighbor relationship with Border
switch.

router bgp 65503

neighbor 10.133.0.1 remote-as 65003

neighbor 10.133.0.5 remote-as 65003

neighbor 10.133.0.9 remote-as 65003

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 161
Tel 902876701
 address-family ipv4

neighbor 10.133.0.1 activate

neighbor 10.133.0.5 activate

neighbor 10.133.0.9 activate

Step 6 Advertise only the 10.10.1#.0 subnet and the DHCP IP address in the BGP table to be
learned by the Border Switch. This configuration is done at the address-family ipv4 level.

address-family ipv4

network 10.10.13.0 mask 255.255.255.0

network 99.3.3.3 mask 255.255.255.255 - Validate the mask

aggregate-address 10.10.13.0 255.255.255.0 summary-only

Step 7 Configure the following filters using prefix-list (OPTIONAL):

A prefix-list that matches the 10.10.1 #.0 subnet and the DHCP IP

ip prefix-list SERVICES_NETS seq 5 permit 10.10.13.0/24 le 32

ip prefix-list SERVICES_NETS seq 10 permit 99.3.3.3/24 or /32

A prefix-list that matches the subnets corresponding to the INFRA network segment (Pod1:
10.128.0.0/16 / Pod2: 10.129.0.0/16 / Pod3: 10.130.0.0/16) and the network segments of
the VRFs Campus_VN / AP pools and Guest_VN

ip prefix-list FABRIC_NETS seq 5 permit 10.133.0.0/16 le 32

ip prefix-list FABRIC_NETS seq 10 permit 172.16.81.0/24 le 32

ip prefix-list FABRIC_NETS seq 15 permit 172.16.82.0/24 le 32

ip prefix-list FABRIC_NETS seq 20 permit 172.16.83.0/24 le 32

ip prefix-list FABRIC_NETS seq 25 permit 172.16.84.0/24 le 32

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 162
Tel 902876701
 Step 8 Configure the following route-map using previously configured prefix-lists:

route-map RM-TOFABRIC permit 10

match ip address prefix-list SERVICES_NETS

route-map RM-FROMFABRIC permit 10

match ip address prefix-list FABRIC_NETS

Step 9 Apply the route-map to the BGP neighborhood relations

address-family ipv4

neighbor 10.133.0.1 route-map RM-FROMFABRIC in

neighbor 10.133.0.1 route-map RM-TOFABRIC out

neighbor 10.133.0.5 route-map RM-FROMFABRIC in

neighbor 10.133.0.5 route-map RM-TOFABRIC out

neighbor 10.133.0.9 route-map RM-FROMFABRIC in

neighbor 10.133.0.9 route-map RM-TOFABRIC out

exit-address-family

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 163
Tel 902876701
 Task 5 Verify Configurations on Fusion Router

This Section covers verification of configuration on Fusion Routers related to BGP protocol.

FUSION-3#show ip bgp summary

BGP router identifier 99.3.3.3, local AS number 65503

BGP table version is 9, main routing table version 9

8 network entries using 1152 bytes of memory

8 path entries using 640 bytes of memory

3/3 BGP path/bestpath attribute entries using 432 bytes of memory

1 BGP AS-PATH entries using 24 bytes of memory

0 BGP route-map cache entries using 0 bytes of memory

0 BGP filter-list cache entries using 0 bytes of memory

BGP using 2248 total bytes of memory

BGP activity 8/0 prefixes, 8/0 paths, scan interval 60 secs

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

10.133.0.1 4 65003 130 132 9 0 0 01:53:50 3

10.133.0.5 4 65003 129 133 9 0 0 01:53:54 2

10.133.0.9 4 65003 131 134 9 0 0 01:53:50 1

FUSION-3#show ip bgp

BGP table version is 23, local router ID is 99.99.99.99

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

BGP table version is 9, local router ID is 99.3.3.3

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 164
Tel 902876701
 r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

x best-external, a additional-path, c RIB-compressed,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path

*> 10.10.13.0/24 0.0.0.0 0 32768 i

*> 10.132.255.65/32 10.133.0.9 0 0 65003 i

r> 10.133.0.0/30 10.133.0.1 0 0 65003 i

r> 10.133.0.4/30 10.133.0.5 0 0 65003 i

*> 99.3.3.0/24 0.0.0.0 0 32768 i

*> 172.16.81.0/28 10.133.0.1 0 0 65003 i

*> 172.16.82.0/28 10.133.0.1 0 0 65003 i

*> 172.16.83.0/28 10.133.0.5 0 0 65003 i

FUSION-3#show ip route

Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP

D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area

N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2

E1 - OSPF external type 1, E2 - OSPF external type 2

o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP

+ - replicated route, % - next hop override

Gateway of last resort is 10.10.11.254 to network 0.0.0.0

S* 0.0.0.0/0 [1/0] via 10.10.13.254

10.0.0.0/8 is variably subnetted, 12 subnets, 3 masks

C 10.10.13.0/24 is directly connected, GigabitEthernet0/0.419

L 10.10.13.3/32 is directly connected, GigabitEthernet0/0.419

S 10.132.255.0/24 [1/0] via 10.133.255.253

B 10.132.255.65/32 [20/0] via 10.133.0.9, 01:56:40

C 10.133.0.0/30 is directly connected, GigabitEthernet0/0.3001

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 165
Tel 902876701
 L 10.133.0.2/32 is directly connected, GigabitEthernet0/0.3001

C 10.133.0.4/30 is directly connected, GigabitEthernet0/0.3002

L 10.133.0.6/32 is directly connected, GigabitEthernet0/0.3002

C 10.133.0.8/30 is directly connected, GigabitEthernet0/0.3003

L 10.133.0.10/32 is directly connected, GigabitEthernet0/0.3003

C 10.133.255.252/30 is directly connected, GigabitEthernet0/1

L 10.133.255.254/32 is directly connected, GigabitEthernet0/1

99.0.0.0/8 is variably subnetted, 2 subnets, 2 masks

C 99.3.3.0/24 is directly connected, Loopback99

L 99.3.3.3/32 is directly connected, Loopback99

172.16.0.0/28 is subnetted, 3 subnets

B 172.16.81.0 [20/0] via 10.133.0.1, 01:29:59

B 172.16.82.0 [20/0] via 10.133.0.1, 01:29:59

B 172.16.83.0 [20/0] via 10.133.0.5, 01:25:56

FUSION-3#ping 172.16.81.14

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.81.14, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

FUSION-3#ping 172.16.82.14

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.82.14, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

FUSION-3#ping 172.16.83.14

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 172.16.83.14, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 166
Tel 902876701
 FUSION-1#ping 10.132.255.68

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.132.255.68, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/4 ms

Task 6 Verify Configurations on Border Switch

BORDER-POD3#show ip bgp summary

Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd

10.133.0.10 4 655013 3027 3031 1812 0 0 1d21h 2

BORDER-POD3#show ip bgp

Network Next Hop Metric LocPrf Weight Path

*> 10.10.13.0/24 10.133.0.10 0 65535 65503 i

*> 10.132.255.65/32 0.0.0.0 0 32768 i

*> 99.3.3.0/24 10.133.0.10 0 65535 65503 i

BORDER-POD3#show ip route vrf Campus_VN

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

B 10.10.13.0/24 [20/0] via 10.133.0.2, 01:58:27

C 10.133.0.0/30 is directly connected, Vlan3001

L 10.133.0.1/32 is directly connected, Vlan3001

99.0.0.0/24 is subnetted, 1 subnets

B 99.3.3.0 [20/0] via 10.133.0.2, 02:02:51

172.16.0.0/16 is variably subnetted, 4 subnets, 2 masks

B 172.16.81.0/28 [200/0], 01:37:28, Null0

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 167
Tel 902876701
 C 172.16.81.14/32 is directly connected, Loopback1022

B 172.16.82.0/28 [200/0], 01:37:28, Null0

C 172.16.82.14/32 is directly connected, Loopback1021

BORDER-POD3#show ip route vrf Guest_VN

Gateway of last resort is not set

10.0.0.0/8 is variably subnetted, 3 subnets, 3 masks

B 10.10.13.0/24 [20/0] via 10.133.0.6, 01:59:31

C 10.133.0.4/30 is directly connected, Vlan3002

L 10.133.0.5/32 is directly connected, Vlan3002

99.0.0.0/24 is subnetted, 1 subnets

B 99.3.3.0 [20/0] via 10.133.0.6, 02:03:55

172.16.0.0/16 is variably subnetted, 2 subnets, 2 masks

B 172.16.83.0/28 [200/0], 01:34:29, Null0

C 172.16.83.14/32 is directly connected, Loopback1023

BORDER-POD3#show bgp vrf Campus_VN

BGP table version is 333, local router ID is 10.128.0.65

Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,

r RIB-failure, S Stale, m multipath, b backup-path, f RT-Filter,

x best-external, a additional-path, c RIB-compressed,

t secondary path, L long-lived-stale,

Origin codes: i - IGP, e - EGP, ? - incomplete

RPKI validation codes: V valid, I invalid, N Not found

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 1:4099 (default for vrf Campus)

*> 10.10.13.0/24 10.133.0.2 0 65535 65503 i

*> 10.133.0.0/30 0.0.0.0 0 32768 i

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 168
Tel 902876701
 *> 99.3.3.0/24 10.133.0.2 0 65535 65503 i

*> 172.16.81.0/28 0.0.0.0 32768 i

s> 172.16.81.14/32 0.0.0.0 0 32768 i

*> 172.16.82.0/28 0.0.0.0 32768 i

s> 172.16.82.14/32 0.0.0.0 0 32768 i

BORDER-POD3#show bgp vrf Guest_VN

Network Next Hop Metric LocPrf Weight Path

Route Distinguisher: 1:4100 (default for vrf Guest_VN)

*> 10.10.13.0/24 10.133.0.6 0 65535 65503 i

*> 10.133.0.4/30 0.0.0.0 0 32768 i

*> 99.3.3.0/24 10.133.0.6 0 65535 65503 i

*> 172.16.83.0/28 0.0.0.0 32768 i

s> 172.16.83.14/32 0.0.0.0 0 32768 i

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 169
Tel 902876701
 Lab 7 Enable Fabric Edge ports for Client Onboarding

Topology

Task 1 Host Onboarding

Step 1 Navigate to PROVISION > Fabric, under Fabric Domains click the created fabric site
(FABRIC_POD#), click the Host Onboarding tab, and under Port Assignment section, in the
left column, select a switch.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 170
Tel 902876701
 Step 2 Scroll down and according to the following table configure the host ports:

POD1
Interface Device-Type Address Pool Auth Template
Gi1/0/12 User Devices 172_16_61_0 No Authentication
Gi1/0/13 User Devices 172_16_62_0 No Authentication

POD2
Interface Device-Type Address Pool Auth Template
Gi1/0/12 User Devices 172_16_71_0 No Authentication
Gi1/0/13 User Devices 172_16_72_0 No Authentication

POD3
Interface Device-Type Address Pool Auth Template
Gi1/0/12 User Devices 172_16_81_0 No Authentication
Gi1/0/13 User Devices 172_16_82_0 No Authentication

Step 3 First select port Gi1/0/12 click on Assign

In the slide-out, select the appropriate according to your pod.

Example for POD 3
Connected Device Type: ip-phone,computer,laptop
Address Pool: (example for POD1: 172_16_81_0 (Student_Topacio)
Group: it´s not required
Voice Pool: it´s not required
Auth Template: No Authentication, and then click Update.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 171
Tel 902876701
 Step 4 Configure the rest of ports Gi1/0/13

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 172
Tel 902876701
 Step 5 Select Deploy, and then click Apply.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 173
Tel 902876701
 We are observing that in this new version of the Cisco DNA Center 2.1.2.7 the Devices
template adds the spanning-tree bpduguard enable command to the port, so for now we
will have to disable this command in the edge switch since we have connected to the ports
gi1/0/12 and 13 virtual machines through a switch.

Example:

interface GigabitEthernet1/0/13
switchport access vlan 1021
switchport mode access
device-tracking attach-policy IPDT_POLICY
load-interval 30
no macro auto processing
spanning-tree portfast
spanning-tree bpduguard enable
end

Switch-10-132-255-68#conf t
Switch-10-132-255-68(config)#int gi1/0/13
Switch-10-132-255-68(config-if)#no spanning-tree bpduguard enable

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 174
Tel 902876701
 Task 2 Verify IP Connectivity for StudentPC and Server

Step 1 Run the VSphere Client from the JumperPC. We access vCenter to 192.168.100.33
with user and password dnac# (# is the POD).

Step 2 Open the console of the VM Student-DNAC#

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 175
Tel 902876701
 Step 3 Access with the credentials Win7 and password NXos12345

Step 4 Verify that your host Student-DNAC# has received an IP of the range 172.16.X1.0/28
with the ipconfig command.

Step 5 Verify connectivity to the Default Gateway 172.16.X1.14

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 176
Tel 902876701
 Step 6 Open the console of the VM Server-DNAC#

Step 7 Access with the credencials Ubuntu and password NXos12345

Step 8 Open Terminal and verify that the host Server-DNAC# has received an IP of the
range 172.16.62.0/28 with the ipconfig command.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 177
Tel 902876701
 Step 9 Verify connectivity to the Default Gateway 172.16.X2.14

You can stop the ping with CTRL-C

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 178
Tel 902876701
 Step 10 Verify connectivity by pinging the host IP Student-DNAC# (172.16.X1.YY)

Step 11 Enter the console of the fusion router through the Putty and validate with the show
ip dhcp binding command the IP addresses delivered to the 2 hosts.

Note: Pings between the Student and Server will success because they are in same
Campus_VN Virtual Network although they are in different network segments.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 179
Tel 902876701
 Lab 8 Integrating Wireless into SD-Access
Overview
There are two options to integrate the wireless access:
 SD-Access Wireless Architecture
 CUWN Wireless Over the Top (OTT)
In our Lab we are going to examine the SD-Access Wireless since it brings the full advantages
of Fabric for wireless users, because OTT is basically running tradition wireless on top of a
Fabric wired network. The steps to integrate Wireless into SD-Access are the following:
 Add the wireless controller into inventory
 Create Reserved IP pools for APs
 Design fabric enterprise and guest wireless SSIDs
 Provision the WLC for SD-Access Wireless fabric integration
 Enable onboarding of APs into the wireless fabric
 Assign wireless clients to VN and enable connectivity

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 180
Tel 902876701
 Topology

IP Addresses and Credentials

Device IP Address Credentials
GUI: admin / NXos12345
DNAC 10.10.1#.200 CIMC: admin / 1234QWer

JumperPC 10.10.1#.10 RDP: Win7 /NXos12345

RDP: administrator /
DNS 10.10.1#.110 1234QWer

ISEv 10.10.1#.100 admin / 1234QWer

Gateway / NTP 10.10.1#.254 -----------------------

vSphere Client 192.168.100.33 dnac# / dnac#

WLC 10.10.1#.115 admin / 1234QWer

Border# Pod1: 10.129.255.253 dnac / NXos12345
Pod2: 10.131.255.253 enable secret 1234QWer
Pod3: 10.133.255.253

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 181
Tel 902876701
 Pod1: 10.10.11.3
Fusion-Router# Pod2: 10.10.12.3
Pod3: 10.10.13.3 dnac / NXos12345

# is the Pod number

Task 1 Add the wireless controller into inventory

If the wireless LAN controller is not in the DNA Center inventory, you must add this before
the wireless integration.

Step 1 Verify you can access via SSH to WLC with the following’s credentials: admin /
1234QWer from Jumper PC via Putty. In logins as: enter

With this credential we will execute the Discovery of WLC

Step 2 Navigate to the main DNA Center dashboard, under the Tools section click Discovery
and Add Discovery

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 182
Tel 902876701
 Step 3 In the Discovery template fill it with: Discovery Name: WLC-0#, click IP
Address/Range, enter the IP address of the WLC: 10.10.1#.115, in Discovery Type enter CDP,
leave the default Preferred Management IP: None.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 183
Tel 902876701
 Step 4 Click in Credentials, Unselected CLI and any other that may exist and Add Credentials
to discovery WLC.

Add the credentials to access the WLC:

Name: WIRELESS-LAN-#

Username: admin

Password: 1234QWer

Step 5 Click Save and Ok

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 184
Tel 902876701
 Step 6 click Discover & Start.

The inventory discovery for the WLC starts, and when it is complete the device count
increments and shows Complete is displayed.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 185
Tel 902876701
 Step 7 Navigate to the main DNA Center dashboard and go to Provision - Inventory

Before proceeding, use the Refresh button to update the Last Inventory Collection Status
until it is in Managed status.

Step 8 Assign WLC to Site and Next

Click Save and Next

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 186
Tel 902876701
 Finally click Assign

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 187
Tel 902876701
 Task 2 Provision the WLC for SD-Access Wireless fabric integration
Before complete the tasks SD-Access WLC Provision, you will need to configure at least one
Wireless Profile per Building/Floor so that the WLC knows where the wireless ssid will be.

Step 1 Navigate to the main DNA Center dashboard, under the Design section click Network
Profiles and Add Profile.

Step 2 Enter a Wireless Profile Name: MIRALAB-# and Profile Type: wlan and click Save

# = Your POD number

Step 3 Click on Assign site to MIRALAB-# Network Profile and select Building and Floor and
click OK

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 188
Tel 902876701
 Step 4 Navigate to PROVISION > Inventory, find the WLC and select the checkbox next to it,
and then at the top of the screen under the Actions pull-down, select Provision. The
Provision Devices wizard opens.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 189
Tel 902876701
 Click Next

Step 2 Assign the site (example for POD 3: Global/Sevilla/Bonales/Topacio), click Next

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 190
Tel 902876701
 And Save

Step 3 Click Next on Advanced Configuration

Step 4 At the Summary screen review the configurations, click Deploy, at the slide out panel
keep the default selection Run Now, and then click Apply.

The WLC is assigned to the site and the provisioning starts. Use the Refresh button until
Provision Status shows Success before proceeding.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 191
Tel 902876701
 Step 5 Navigate to PROVISION > Fabric, click the fabric domain where the WLC is to be added

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 192
Tel 902876701
 Step 6 In Fabric Infrastructure click the WLC, in the popup box select Add to Fabric, click
Deploy, in the slideout menu keep the default selection Run Now, and then click Apply. The
WLC configurations are created to establish a secure connection to the fabric control plane.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 193
Tel 902876701
 Step 8 You can verify that WLC controller is integrated into the fabric from the WLC
management console https://10.10.1#.115 (admin/1234QWer) from Jumper PC or your own
Laptop by navigating to CONTROLLER > Fabric Configuration > Control Plane, which shows
the fabric integration is enabled with the connection status up .

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 194
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 195
Tel 902876701
 Task 3 Enable Onboarding of APs into the wireless fabric
The APs are hosts that join the fabric and are assigned into a VN named INFRA_VN. This
special VN for infrastructure devices such as APs, enables management communication
between the APs at the fabric edge nodes using the fabric control plane and the WLC sitting
outside of the fabric as a part of global routing connectivity.

Step 1 The AP is connected to the fabric directly to an edge node within the fabric, port
Gi1/0/20.

Step 2 Navigate to PROVISION > Fabric, select the fabric, and then click Host Onboarding.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 196
Tel 902876701
 Note: DNA Center enables automatic onboarding of APs by provisioning a CDP macro at
the fabric edge switches when the authentication template to be set to No Authentication.
Alternatively, you use the switch port configurations in DNA Center to assign a port to the
IP address pool for the APs.

Step 3 Remove the ip pool 172.16.X3.0 associated to Guest_VN in order to add it to

INFRA_VN

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 197
Tel 902876701
 Step 5 Under Virtual Networks, select INFRA_VN, click the check box next to the IP Pool
Name for the APs (POD 1 example: AP_Ambar_P2), click Update, in the slideout panel keep
the default selection Run Now, and then click Apply.

Step 5 Scroll down to Switch-10-128-0-66.dnac1.local and select port Gi1/0/20

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 198
Tel 902876701
 Step 6 Click on Assign and select on Selected Interfaces: GigabiEthernet1/0/20 in Connected
Device Type: Access Point(Ap) and click Update

Step 7 Click Updaye and click Deploy

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 199
Tel 902876701
 Step 8 Verify that port Gi1/0/20 is activated.

After the update is complete, the edge node switch ports connected to the APs are enabled
with a device tracking configuration recognizing APs and permitting the APs to get network
connectivity.

Step 9 Enter by RDP to the Jumper PC 10.10.1#.10, Win7 / NXoos12345 and from there
execute the Putty and open the consoles of the AP and Fusion Router.

The credentials by default for AP are cisco/Cisco and enable Cisco and the Fusion Router are
dnac/NXos12345

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 200
Tel 902876701
 Step 10 The AP may not be initialized and it is trying to restore the DHCP service, so it is
convenient to enter the console and give a reload to the AP to observe the reception of the
IP by the DHCP configured in the Fusion Router for AP network segment 172.16.XX.0 / 28.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 201
Tel 902876701
 AP Booting

[*09/24/2021 16:58:43.2639] CAPWAP State: Init

[*09/24/2021 16:58:43.2643]

[*09/24/2021 16:58:43.2643] PNP is not required, Starting CAPWAP discovery

[*09/24/2021 16:58:43.2643]

[*09/24/2021 16:58:43.2646]

[*09/24/2021 16:58:43.2646] CAPWAP State: Discovery

[*09/24/2021 16:58:43.2650] Got WLC address 10.10.13.115 from DHCP.

[*09/24/2021 16:58:43.2651] IP DNS query for CISCO-CAPWAP-CONTROLLER.dnac3.local

[*09/24/2021 16:58:48.3054] Discovery Request sent to 10.10.13.115, discovery type

STATIC_CONFIG(1)

[*09/24/2021 16:58:48.3066] Discovery Request sent to 255.255.255.255, discovery type

UNKNOWN(0)

[*09/24/2021 16:58:48.3066]

[*09/24/2021 16:58:48.3066] CAPWAP State: Discovery

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 202
Tel 902876701
 [*09/24/2021 16:58:48.3071] Discovery Response from 10.10.13.115

[*09/24/2021 16:59:59.0000]

[*09/24/2021 16:59:59.0000] CAPWAP State: DTLS Setup

[*09/24/2021 16:59:59.3797]

[*09/24/2021 16:59:59.3797] CAPWAP State: Join

[*09/24/2021 16:59:59.3839] Sending Join request to 10.10.13.115 through port 5248

[*09/24/2021 16:59:59.3875] Join Response from 10.10.13.115

[*09/24/2021 16:59:59.4695] HW CAPWAP tunnel is ADDED

[*09/24/2021 16:59:59.4844]

[*09/24/2021 16:59:59.4844] CAPWAP State: Image Data

[*09/24/2021 16:59:59.5211] do NO_UPGRADE, part2 is active part

[*09/24/2021 16:59:59.5266]

[*09/24/2021 16:59:59.5266] CAPWAP State: Configure

[*09/24/2021 16:59:59.5289] DOT11_CFG[0] Radio Mode is changed from Local to Local

[*09/24/2021 16:59:59.5294] DOT11_CFG[1] Radio Mode is changed from Local to Local

[*09/24/2021 17:00:00.1713] Started Radio 0

[*09/24/2021 17:00:00.1883] Stopped Radio 0

[*09/24/2021 17:00:00.2014] DOT11_DRV[0]: set_channel Channel set to 1

[*09/24/2021 17:00:00.3692] Started Radio 0

[*09/24/2021 17:00:01.0741] Stopped Radio 0

[*09/24/2021 17:00:01.0868] DOT11_DRV[0]: set_channel Channel set to 1

[*09/24/2021 17:00:01.2546] Started Radio 0

[*09/24/2021 17:00:02.2518] 1:change to DFS channel 116, CAC for 60 seconds.

[*09/24/2021 17:00:02.3260] Started Radio 1

[*09/24/2021 17:00:02.3479] Stopped Radio 1

[*09/24/2021 17:00:02.3510] deinit DFS SM since radio is stopped before last CAC expired

[*09/24/2021 17:00:02.3607] DOT11_DRV[1]: set_channel Channel set to 116

[*09/24/2021 17:00:02.5296] 1:change to DFS channel 116, CAC for 60 seconds.

[*09/24/2021 17:00:02.6039] Started Radio 1

[*09/24/2021 17:00:02.7610] reset DFS SM before last CAC expired

[*09/24/2021 17:00:03.3953] Stopped Radio 1

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 203
Tel 902876701
 [*09/24/2021 17:00:03.4076] DOT11_DRV[1]: set_channel Channel set to 116

[*09/24/2021 17:00:03.5746] 1:change to DFS channel 116, CAC for 60 seconds.

[*09/24/2021 17:00:03.6489] Started Radio 1

[*09/24/2021 17:00:03.8030] reset DFS SM before last CAC expired

[*09/24/2021 17:00:04.4714] CAPWAP HW tunnel params changed, DELETING the existing

[*09/24/2021 17:00:05.5259] HW CAPWAP tunnel is ADDED

[*09/24/2021 17:00:05.8163] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state:

Configure(8).

[*09/24/2021 17:00:05.8164] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state:

Configure(8).

[*09/24/2021 17:00:05.8165] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state:

Configure(8).

[*09/24/2021 17:00:05.8166] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state:

Configure(8).

[*09/24/2021 17:00:05.8166] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state:

Configure(8).

[*09/24/2021 17:00:05.8167] Discarding msg CAPWAP_WTP_EVENT_REQUEST(type 9) in CAPWAP state:

Configure(8).

[*09/24/2021 17:00:05.8454] Stopped Radio 0

[*09/24/2021 17:00:05.8577] DOT11_DRV[0]: set_channel Channel set to 1

[*09/24/2021 17:00:06.0254] Started Radio 0

[*09/24/2021 17:00:06.8559] Stopped Radio 1

[*09/24/2021 17:00:06.8686] DOT11_DRV[1]: set_channel Channel set to 116

[*09/24/2021 17:00:07.0386] 1:change to DFS channel 116, CAC for 60 seconds.

[*09/24/2021 17:00:07.1124] Started Radio 1

[*09/24/2021 17:00:07.2622] reset DFS SM before last CAC expired

[*09/24/2021 17:00:07.8957] Stopped Radio 1

[*09/24/2021 17:00:07.9080] DOT11_DRV[1]: set_channel Channel set to 116

[*09/24/2021 17:00:08.0704] 1:change to DFS channel 116, CAC for 60 seconds.

[*09/24/2021 17:00:08.1445] Started Radio 1

[*09/24/2021 17:00:08.2971] reset DFS SM before last CAC expired

[*09/24/2021 17:00:09.1136]

[*09/24/2021 17:00:09.1136] CAPWAP State: Run

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 204
Tel 902876701
 [*09/24/2021 17:00:09.1432] CAPWAP HW tunnel params changed, UPDATING the existing

[*09/24/2021 17:00:09.2104] AP has joined controller SDA-WLC-3

[*09/24/2021 17:00:09.2251] Re-Tx Count=1, Max Re-Tx Value=5, SendSeqNum=8,

NumofPendingMsgs=3

[*09/24/2021 17:00:09.2251]

[*09/24/2021 17:00:09.3588] save_on_failure is set to 1

[*09/24/2021 17:00:09.3590] save_on_failure is set to 1

[*09/24/2021 17:00:10.3315]

[*09/24/2021 17:00:10.3315] !!!!! {/usr/bin/capwap_brain} Activate NBAR....

[*09/24/2021 17:00:11.4246]

[*09/24/2021 17:00:11.4246] !!!!! {/usr/bin/capwap_brain} Activate NBAR .... Done !

Step 11 Go to the Fusion Router and type show ip dhcp binding command to confirm that
DHCP have delivered an IP in the AP segment.

Step 12 Check ping connectivity to the IP address of the AP from Router Fusion.

Now that the AP obtained an IP address and learnt the WLC's Management IP, the AP will
join the WLC.

Step 13 Go to the WLC and see the AP status in Wireless menu

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 205
Tel 902876701
 Step 14 Verify the received IP and the default gateway IP with the show ip interface brief
command.

Step 16 In the Edge Switch we can observe the default IP Gateway (Anycast Gateway) of
the AP with show ip int brief command.

show ip int brief

Step 17 Once the APs are registered to WLC, they will appear in the Inventory page on DNAC.
Navigate to the main page of Provision and observe as AP was immediately added to the
inventory without waiting for an inventory refresh.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 206
Tel 902876701
 Step 18 Navigate to the main DNA Center dashboard, PROVISION > Devices > Inventory,
select the APs being added, at the top in the Actions pulldown menu, select Provision.

Step 19 Assign the AP to a floor (Pod1: Global/Barcelona/Montserrat/Ambar/Piso2), click

Next, for RF Profile select TYPICAL, click Next, at the Summary page click Deploy, and then
in the slideout panel, click Apply and acknowledge any warnings about reboots.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 207
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 208
Tel 902876701
 Once the Provisioning has been successful, we can observe its status in the last two columns.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 209
Tel 902876701
 Step 20 In Provision select FABRIC_POD# click on your building (Ambar for POD1) and see
that the AP is physically connected to the Edge Switch.

Step 21 As part of AP provisioning, some config pushed on WLC. An AP group will be created
with the name of the site it was mapped.

Note: If you find other AP Group Name, it is a product of previous configurations of some
past courses.

In Typical deployment, all users on a WLAN are mapped to a single interface on the WLC.
With the help of AP groups we can specify that which SSID will be shown by which Access
Point. Each access point advertises only the enabled WLANs that belong to its access point
group. We can create access point groups (AP Groups) and assign up to 16 WLANs to each
group. Each access point advertises only the enabled WLANs that belong to its access point

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 210
Tel 902876701
 group. The access point does not advertise disabled WLANs in its access point group or
WLANs that belong to another group.

Task 4 Create IP Address Pool for Wireless SSIDs

Before creating the Fabric Enterprise and Guest wireless SSIDs, we must create the
corresponding Global IP address Pool and Reserved IP Address Pool, as well as to create a
wireless profile that will contain the wireless SSID. Now we need to assign IP pools to wireless
clients and SSIDs to have the clients actually join the network, follow the steps below:

Step 1 Navigate to Design – Network Settings and click on Global IP Pool Address and create
the following Global IP address Pool according to the following table:

PODs

Global IP Pool Name IP Subnet Mask Gateway DHCP DNS Server

Server
Student_Pool_Wireless
POD1: 172.16.64.0 /24 172.16.64.1 99.1.1.1 10.10.11.110
POD2: 172.16.74.0 172.16.74.1 99.2.2.2 10.10.12.110
POD3: 172.16.84.0 172.16.84.1 99.3.3.3 10.10.13.110

Guest_Pool_Wireless
POD1: 172.16.65.0 /24 172.16.65.1 99.1.1.1 10.10.11.110
POD2: 172.16.75.0 172.16.75.1 99.2.2.2 10.10.12.110
POD3: 172.16.85.0 172.16.85.1 99.3.3.3 10.10.13.110

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 211
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 212
Tel 902876701
 Step 2 Return to the DNAC browser tab. Navigate to Design – Network Settings and select
your Building and click on Reserve IP Pool according to the following table:

POD1

Enterprise Reserverd IP IP Subnet Mask Gateway DHCP DNS Server

Pool Name Server
Student_Ambar_Wireless 172.16.64.0 /28 172.16.64.14 99.1.1.1 10.10.11.110

Guest Reserverd IP Pool IP Subnet Mask Gateway DHCP DNS Server

Name Server
Guest_Ambar_Wireless 172.16.65.0 /28 172.16.65.14 99.1.1.1 10.10.11.110

POD2

Enterprise Reserverd IP IP Subnet Mask Gateway DHCP DNS Server

Pool Name Server
Student_Cornalina_Wireless 172.16.74.0 /28 172.16.74.14 99.2.2.2 10.10.12.110

Guest Reserverd IP Pool IP Subnet Mask Gateway DHCP DNS Server

Name Server
Guest_Cornalina_Wireless 172.16.75.0 /28 172.16.75.14 99.2.2.2 10.10.12.110

POD3

Enterprise Reserverd IP IP Subnet Mask Gateway DHCP DNS Server

Pool Name Server
Student_Topacio_Wireless 172.16.84.0 /28 172.16.84.14 99.3.3.3 10.10.13.110

Guest Reserverd IP Pool IP Subnet Mask Gateway DHCP DNS Server

Name Server
Guest_Topacio_Wireless 172.16.85.0 /28 172.16.85.14 99.3.3.3 10.10.13.110

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 213
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 214
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 215
Tel 902876701
 Task 5 Create SSIDs for an Enterprise Wireless Network
This workflow shows how to:

 Create wireless profile

 Create SSIDs

 Associate SSIDs to wireless profiles.

Step 1 Check that the Wireless Profile has been created (Lab 8 - Task 2) in main DNA Center
dashboard, under the Design section click Network Profiles.

Step 2 From the main DNA Center dashboard, navigate to DESIGN > Network Settings>
Wireless, in the Enterprise Wireless section click + Add, in the Create an Enterprise Wireless
Network wizard, and supply the following information:

PODs

Enterprise Wireless SSID Level of Security Type Band Wireless

Profile
Employee_Ent_Pod# WPA2 Enterprise data+voice Dual Band MIRALAB

Student_Per_Pod# WPA2 personal data Dual Band MIRALAB

Password: NXos12345

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 216
Tel 902876701
 Step 3 Enter an SSID name in the Wireless Network Name (SSID) field.

- Select the Type of Enterprise Network: Voice and Data or Data Only.

This selection defines the quality of service (QoS).

- Check the Fast Lane check box to enable fastlane capability on this network.

- Under Level of Security area, select the encryption and authentication type for each
network.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 217
Tel 902876701
 Let advanced options as default by remember to mark WPA2 Enterprise on level of Security.

Step 4 Click Next. The Wireless Profiles window is displayed. You can associate this SSID
with the corresponding wireless profile MIRALAB-# created rrecently.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 218
Tel 902876701
 Step 5 Click Save and then Finish

Step 6 Repeat this procedure for additional SSIDs Student_Per_Pod#, using the same
network profile and location but changing the level of security to WPA2 personal

with NXos12345 as pass phrase finally you will get the next result.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 219
Tel 902876701
 Notes:

• WPA2 Enterprise—Provides a higher level of security using Extensible Authentication Protocol

(EAP) (802.1x) to authenticate and authorize network users with a remote RADIUS server. If you
select WPA Enterprise, check the MAC Filtering check box to enable MAC-based access control on an
SSID.

• WPA2 Personal—Provides good security using a passphrase or a preshared key (PSK). Allows
anyone with the passkey to access the wireless network.

• Open—Provides no security. Allows any device to access the wireless network without any
authentication.

Step 7 From the main DNA Center dashboard, navigate to DESIGN > Network Settings>
Wireless, in the Guest Wireless section click +Add, in Create the Guest Wireless Network
wizard, and supply the following information:

PODs

Guest Wireless SSID Security Type Band Wireless

Profile
Guest_Open_Pod# open data Dual MIRALAB
Band
Guest_Portal_Pod# Web_auth data Dual MIRALAB
url:http://miratelecomunicacions.com Band

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 220
Tel 902876701
 Note: If we left Admin status disabled, we will need to enable it on the WLC in the next
task.

Step 8 Click Next. The Wireless Profiles window is displayed. You can associate this SSID
with the corresponding wireless profile MIRALAB-#.

Step 9 Click Finish to continue. The DESIGN > Network Settings> Wireless screen is
displayed.

Step 10 Repeat this procedure for additional Guest SSIDs Guest_Portal_Pod#, using the
same network profile and location, finally you will get the next result

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 221
Tel 902876701
 Note: If we left Admin status disabled, we will need to enable it on the WLC in the next
task.

The final result of the Enterprise and Guest Wireless SSIDs should be.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 222
Tel 902876701
 Task 6 Assign IP Pools to wireless SSIDs
Now we need to assign IP pools to wireless clients and SSIDs to have the clients actually join
the network, in Provision Host Onboarding select Campus_VN and Guest_VN to assign IP
Address Pool to each Wireles SSID.

Step 1 In the Provision menu click Fabric – FABRIC_POD# - your Building Pod select Host
Onboarding in Virtual Networks Click on Guest_VN.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 223
Tel 902876701
 Step 2 Select Guest_Ambar_Wireless (172.16.#5.0/28) in Traffic type: Data in Layer-2
Flooding Extension turn On, Update and Apply

Note: Layer-2 Extension enables L2 LISP and associates a L2VNID to this pool. This is required.
The traffic type setting (Data or Data + Voice) is only relevant for wired clients. The
correspondent settings for wireless clients is done at the SSID level.

Step 3 Click on Virtual Networks Campus_VN

Step 4 Select Student_Ambar_Wireless (172.16.64.0/28), in Traffic type: Data in Layer-2

Extension turn On, enable Wireless Pool, Update and Apply

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 224
Tel 902876701
 We will also activate Wireless Pool in IP Pool 172.16.x1

Step 5
To be able to select the network segments of each Wireless SSID. Go to Provision menu and
select WLC-POD #, click Actions – Provision again.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 225
Tel 902876701
 Step 6 For on Boarding Enterprise SSID go to Fabric click on Host Onboarding – Wireless
SSID´s select the Address Pool 172.16.6x.0 to each Employee_Ent_Pod# and
Student_Per_Pod#, Deploy and Apply.

If you cannot see the wireless SSIDs, check in Network Profiles - Wireless that the Fabric
option is selected:

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 226
Tel 902876701
 Step 7 Now, you can configure the SSID in the onboarding session. Return to the Provision -
Fabric. Click on Host Onboarding tab then associate the Guest SSID with the pool.

Guest_Open_Pod# -> 172.16.X4.0

Guest_Portal_Pod# -> 172.16.X5.0

Step 8 Click Deploy and Apply

After completing the Wireless SSID Onboarding, push the configuration from the design to
the WLC.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 227
Tel 902876701
 Step 9 Navigate to PROVISION > Devices, find the WLC and select the checkbox next to it,
and then at the top of the screen under the Actions pull-down, select Provision Device. The
Provision Devices wizard opens.

Step 10 In Assign the site click Next, at the Configuration screen under Managed AP Location,
click Next, and then at the Advanced Configuration screen click Next again.

Step 11 At the Summary screen review the configurations, click Deploy, at the slideout panel
keep the default selection Run Now, and then click Apply.

The WLC is assigned to the site again and the provisioning starts. Use the Refresh button
until Provision Status shows Success before proceeding.

Step 12 Once the provision has been successful, you will see in the WLC the SSIDs which
we activate Admin Status ON are Enabled.

Step 13 Clients can now be connected to fabric enabled wireless SSID.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 228
Tel 902876701
 From your PC, enter to remote PC via RDP.

Equipo Dirección IP Credenciales

Win-1 192.168.69.121 DNAC-1 / 1234QWer
Win-2 192.168.69.122 mira / 1234QWer
Win-3 192.168.69.123 DNAC-3 / 1234QWer

Step 14 Introduce the password Nxos12345

Step 15 Choose and connect to Guest Wireless SSID Guest_Open_Pod# of your respective
Pod.

Step 16 Click Status and check IP address in Details

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 229
Tel 902876701
 Step 17 If for some reason the PC does not receive an IP address, check:
- If the DHCP service is configured in the Fusion Router for all network segments
- If the IP address of Loopback (DCHCP) was advertised by the Border switch via eBGP
correctly.
- Validate that from the Fusion router you can ping the default gateway 172.16.xx.14
- Verify the configuration of the Wireless SSID and the pools of ip address

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 230
Tel 902876701
 The configuration in the Fusion Router for the DHCP Guest network (POD1) should be as
follows:

ip dhcp excluded-address 172.16.64.1 172.16.64.4

ip dhcp excluded-address 172.16.65.1 172.16.65.4

ip dhcp pool POOL-GUEST-OPEN

network 172.16.64.0 255.255.255.240
dns-server 10.10.11.110
domain-name dnac1.local
default-router 172.16.64.14

ip dhcp pool POOL-GUEST-PORTAL

network 172.16.65.0 255.255.255.240
dns-server 10.10.11.110
domain-name dnac1.local
default-router 172.16.65.14

Step 18 Validate that the Fusion Router has assigned the IP to the network
Guest_Open_Pod#.

Step 19 You can go to your WLC and check connected client details on Monitor – Client
Summary - Current Clients

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 231
Tel 902876701
 Step 20 Click on Details and observe Client, Fabric and AP Properties

Step 21 Test the connection with the other wireless Enterprise and Guest networks of your
respective Pod.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 232
Tel 902876701
 Lab 9 Policy Access Group
SD-Access Policy Administration

Once SD-Access has been segmented into Virtual Networks, security policies can be defined
to segment traffic inside of the VNs (microsegmentation). DNA Center will allow the
administrator to explicitly deny or explicitly allow traffic between Groups (SGTs) within
Virtual Networks. This policy is created in DNAC, pushed to ISE, and then finally pushed down
to the switches to enforce the policy.

The following steps will show how SD-Access (Secure Fabric) will be provisioned to establish
security policies with just a few clicks within DNA Center. The security policies created in this
section are referred to as SGACL (Security Group ACLs) in ISE. They are also referred to as
Layer-3 Policies as they enforce traffic based on Layer-3 information. The following tasks will
be executed in the following order:

 Add AAA Server to Site

 Create a user account in the ISE for Network Devices management

 Create Local Users in ISE

 Review Authentication and Authorization policies in ISE

 Host Onboarding with Closed Authentication

 802.1x configuration

Task 1 Configure Global and Site Network AAA Server

You can define global network servers that become the default for your entire network or
you can override global network settings on a site by defining site-specific settings.

Step 1 Choose Design > Network Settings > Network. In GLOBAL a list of default servers
appears.

Step 2 Click Add Servers to add an AAA server.

Step 3 Select AAA and Ok

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 233
Tel 902876701
 Step 4 Complete the required fields, then click Save

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 234
Tel 902876701
 Step 5 Verify that the configuration has been inherited up to Floor 2

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 235
Tel 902876701
 Step 6 Go to ISE in Administration – Network Resources – Network Devices and verify that
the 9300 switches have been added as network devices from the DNA Center inventory.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 236
Tel 902876701
 Task 2 Create a user account in the ISE for Network Devices management

Step 1 In the ISE go to Administration – Identity Management – Identities - Users

Step 2 Create the user with the established access credentials who will have access to the
9300 switches (dnac / NXos12345, enable password: 1234QWer, email
admin#@gmail.com).

Step 3 At this point we can give Provision to the Border and Edge Switch so that the AAA
configuration is sent to them.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 237
Tel 902876701
 Step 4 Go to the Edge Switch console and see the AAA configuration displayed by the DNA
Center
Switch-10-132-255-68#

012571: Sep 27 17:29:34.435: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: dna

c] [Source: 10.10.13.200] [localport: 22] at 17:29:34 UTC Mon Sep 27 2021

012572: .Sep 27 17:29:35.538: %RADIUS-4-NOSERVNAME: Warning: Server dnac-radius_1

0.10.13.100 is not defined.

012573: .Sep 27 17:29:36.296: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been a

dded to the configuration using a type 0 password. However, type 0 passwords will
soon be deprecated. Migrate to a supported password type

012574: .Sep 27 17:29:36.334: Request successfully sent to PAC Provisioning driv

er.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 238
Tel 902876701
 012575: .Sep 27 17:29:36.833: %AAAA-4-CLI_DEPRECATED: WARNING: Command has been a
dded to the configuration using a type 0 password. However, type 0 passwords will
soon be deprecated. Migrate to a supported password type

012576: .Sep 27 17:29:36.845: %SYS-5-CONFIG_I: Configured from console by dnac on

vty1 (10.10.13.200)

012577: .Sep 27 17:29:36.713: %DMI-5-SYNC_NEEDED: Switch 1 R0/0: dmiauthd: Config

uration change requiring running configuration sync detected - 'line vty 0 15'. T
he running configuration will be synchronized to the NETCONF running data store.

012578: .Sep 27 17:29:44.698: %SYS-5-CONFIG_I: Configured from console by dnac on vty1

(10.10.13.200)

Switch-10-132-255-68#

Switch-10-132-255-68#show run | sec line vty

line vty 0 4

authorization exec VTY_author

login authentication VTY_authen

transport preferred none

transport input all

line vty 5 15

authorization exec VTY_author

login authentication VTY_authen

transport preferred none

transport input all

line vty 16 31

Step 5 From the Jumper PC open the Putty pointing to the loopback0 of the Border Switch
via SSH:

Pod1: 10.128.255.65

Pod2: 10.130.255.65

Pod3: 10.132.255.65

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 239
Tel 902876701
 Credentials: dnac and password: NXos12345

enable secret: 1234QWer

Step 6 Verify authentication on ISE, go to Operations - Live Logs

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 240
Tel 902876701
 If you see many Logs and do not identify the successful authentication sessions, select
Status: Auth passed

Step 7 Observe the Authentication process by clicking on (Detail Authentication

Report)

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 241
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 242
Tel 902876701
 Step 8 From the Border switch console verify the configuration implemented through
Provision from the DNA Center using the following command: Step
BORDER-POD3#show run | sec aaa

aaa new-model

aaa group server radius dnac-client-radius-group

server name dnac-radius_10.10.13.100

ip radius source-interface Loopback0

aaa group server radius dnac-network-radius-group

server name dnac-radius_10.10.13.100

ip radius source-interface Loopback0

aaa authentication login default local

aaa authentication login dnac-cts-list group dnac-client-radius-group local

aaa authentication login VTY_authen group dnac-network-radius-group local

aaa authentication dot1x default group dnac-client-radius-group

aaa authorization exec default local

aaa authorization exec VTY_author group dnac-network-radius-group local if-authenticated

aaa authorization network default group dnac-client-radius-group

aaa authorization network dnac-cts-list group dnac-client-radius-group

aaa accounting update newinfo periodic 2880

aaa accounting identity default start-stop group dnac-client-radius-group

aaa accounting exec default start-stop group dnac-network-radius-group

aaa server radius dynamic-author

client 10.10.13.100 server-key 7 091D1C5A4D34201719

aaa session-id common

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 243
Tel 902876701
 Step 9 From the Border switch you can do a AAA test by executing the following command:

test aaa group dnac-network-radius-group dnac NXos12345 new-code

BORDER-POD3#test aaa group dnac-network-radius-group dnac NXos12345 new-code

User successfully authenticated

USER ATTRIBUTES

username 0 "dnac"

Message-Authenticato 0 <hidden>

Task 3 Create Users Identity Groups in ISE

A user, user group or member, or an endpoint is recognized by the Cisco ISE network
according to its network identity. Once identified, the network grants the access and
privileges that are defined and associated with the identity.

There are three functional groupings for identity management and admin access in Cisco ISE,
with each group containing one or more components:

1.- Identities

– Users—Defined based on user data and assigned role. This component is where you can
configure a network access user identity for accessing resources and services in a Cisco ISE
network.

– Endpoints—Defined based on the MAC address, device policy, and device identity group
to which this endpoint belongs. This component is where you can configure a network-
capable device identity that can connect to and access resources and services in a Cisco ISE
network.

2.- Groups

– User Identity Groups—Defined based on group name, description, members, group type,
and assigned role. This component is where you can configure a user group by the group or
role name that can access resources and services in a Cisco ISE network.

– Endpoint Identity Groups—Defined based on group name, description, parent group,

and endpoint type (for details, see Table 4-1). This component is where you can configure an
endpoint group by the group or device name that can access resources and services in a Cisco
ISE network.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 244
Tel 902876701
 3.- Admin Access

– Policies—Role-based access control (RBAC) policies defined by rule name, groups, and
permissions. This component is where you can configure RBAC policies that allow admin
groups to access resources and services in a Cisco ISE network.

– Administrators—Defined based on admin user data, admin group, and assigned role This
component is where you can create and manage administrators who can access resources
and services in a Cisco ISE network.

– Admin Groups—Defined based on group name, description, members, group type, and
assigned role.This component is where you can create and manage administrator groups
who can access resources and services in a Cisco ISE network.

– Permissions—Defined based on group name and role, description, and menu and data
access permissions. This component is where you can create and manage menu and data
access permissions for admin groups to access resources and services in a Cisco ISE network.

– Settings—Defined based on IP address access permission, password policy, and session

timeout values. This component is where you can create and manage IP address-based
access, password policy, and session timeout settings for users and groups to access
resources and services in a Cisco ISE network.

Use this procedure to create a user identity group (and create or delete users within this
local user identity group). To create a user identity group, complete the following steps:

Step 1 From ISE, choose Administration > Identity Management > Groups > User Identity
Groups.

The User Identity Groups window appears.

Step 2 In the Identity Groups navigation pane, click User Identity Groups, click Action, and
click Create Top User Identity Group.

The User Identity Groups page appears with two panels: Identity Group and Member Users.

Step 3 Click Add, in the Identity Group panel, enter values in the following fields.

• Name*

• Description

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 245
Tel 902876701
 Step 4 Create two Identity Groups (Students and Production_Server) and click Submit

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 246
Tel 902876701
 Step 5 Now we will create three network access users and associate their respective newly
created groups. Choose Administration – Identity Management – Identities – Users, click
Add in User Identiy Groups and click Add

Name Login Password User Groups

student1 NXos12345 Students
student2 NXos12345 Students
server1 NXos12345 Production_Servers

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 247
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 248
Tel 902876701
 Step 6 Review the Policy Set at AUTHENTICATION LEVEL

Cisco ISE is a policy-based, network-access-control solution, which offers network access

policy sets, allowing you to manage several different network access use cases such as
wireless, wired, guest, and client provisioning. Policy sets (both network access and device
administration sets) enable you to logically group authentication and authorization policies
within the same set.

You can have several policy sets based on an area, such as policy sets based on location,
access type and similar parameters. When you install ISE, there is always one policy set
defined, which is the default policy set, and the default policy set contains within it,
predefined and default authentication, authorization and exception policy rules.

Choose Policy – Policy Set and Clik on icon arrow

Step 7 Click in Authentication Policy

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 249
Tel 902876701
 Step 8 Verify the order of the default authentication policies that we will use in our lab

Authentication policies are configured within policy sets. Each policy set can contain a single
authentication policy with multiple rules. Priority of the authentication rules for processing
is determined based on the order of those rules as they appear within the Authentication
Policy table of the policy set itself (from the Set view page).

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 250
Tel 902876701
 The authentication policy uses the allowed protocols configured on policy set at the top level.
Identity source sequences define the order in which Cisco ISE looks for user credentials in
different databases. Within the authentication policy under the main policy set, you can
define condition-based rules that configure the identity sources or identity source
sequences, as well as the identity methods, to be used for authentication.

Step 9 Configure the Authorization policies for Production_Servers and Students.

Authorization policies allow access to specific or all network endpoints and are created to
apply to groups of users and devices that share a common set of privileges and can also be
used as templates that you modify to serve the needs of another specific identity group,
using specific conditions or permissions, to create another type of standard policy to meet
the needs of new divisions, or user groups, devices, or network groups.

Authorization policies can contain conditional requirements that combine one or more
identity groups using a compound condition that includes authorization checks that can
return one or more authorization profiles. In addition, conditional requirements can exist
apart from the use of a specific identity group.

An authorization policy is composed of authorization rules. Authorization rules have three

elements: name, attributes, and permissions. The permission element maps to an
authorization profile.

Step 10 Create the following Authorization Policy according to the following table:

Rule Name Conditions Security Groups

Production_Servers Identity Group=Production_Servers Production_Servers

Students Identity Group=Students Students

Click in Authorization Policy

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 251
Tel 902876701
 Step 11 Click in Authorization Policy

Step 12 Click in Add (+)

Step 13 Add the first rule: Production_Servers

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 252
Tel 902876701
 Step 14 Click in Conditions

Step 15 The next screen gives us information about the different parameters that can be
used to build the rule, click on the X

Step 16 Click to Add an Attribute

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 253
Tel 902876701
 Step 17 Click on icon and select from list InternalUser IdentityGroup and Use

Step 18 In field operator select Equals and choose Production_Servers.

You have two options to deal with this first rule; Use it with the Use option or Save it in the
library. Click Select Use option.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 254
Tel 902876701
 Step 19 Select Permit Access in Profiles and Security Group associate to the rule
Productions_Server

Step 20 Repeat the same process for the Students rule

Rule Name Conditions Security Groups

Students Identity Group=Students Students

Step 21 Save and Verify the new two rules.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 255
Tel 902876701
 Task 4 Configurar Host Onboarding with Autenticacion Closed

DNA Center has three authentication template:

• Closed Authentication: Any traffic prior to authentication is dropped, including DHCP, DNS,
and ARP.

• Easy Connect: Security is added by applying an ACL to the switch port, to allow very limited
network access prior to authentication. After a host has been successfully authenticated,
additional network access is granted.

• No Authentication

• Open Authentication: A host is allowed network access without having to go through

802.1X authentication.

Step 1 Choose Provision – Fabric and select FABRIC_POD#

Step 2 Click in Host Onboarding and select Port Assigment and Scroll down to select Edge
Switch

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 256
Tel 902876701
 Step 3 To do the practice we will use a Laptop with 802.1X connected to port 14 of the Edge
Switch.

If the Port Gi1/0/14 was configured please select, click Clear, Save and Apply

Step 4 Configure ports Gi1/0/14 as follows:

- Connected Device Type: ip-phone,computer,laptop

- Address Pool: 172.16.61.0 (Example for POD1)
- Group: none
- Voice pool: none
- Authentication Template: Closed Authentication

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 257
Tel 902876701
 Click Update and Save

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 258
Tel 902876701
 Task 5 Testing Connectivity with Authentication Closed

Step 1 In this task from the PC Jumper (RDP 10.10.1 # .10 Win7 / NXos12345) or your PC you
can connect to the Remote Laptop via Windows RDP.

Equipo Dirección IP Credenciales

Win-1 192.168.69.121 DNAC-1 / 1234QWer
Win-2 192.168.69.122 mira / 1234QWer
Win-3 192.168.69.123 DNAC-3 / 1234QWer

Once connected to the remote Laptop, we will to connect to the Wired Network with 802.1x
authentication using the user credentials student1 / NXos12345 created in the ISE

Step 2 Before connecting to the wired network, you must Activate 802.1X in Windows as a
wired service, to do this, execute services.msc

Step 3 Start the service Wired Autoconfig (802.1X authentication)

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 259
Tel 902876701
 Windows in english language

Windows in spanish language

Step 4 Go to Network Adapters and select the LAN or the network adapter that corresponds
and in properties click on the Authentication tab.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 260
Tel 902876701
 Step 5 In the Authentication tab, click Enable IEEE 802.1X authentication and select
Microsoft: Protected EAP (PEAP) as the authentication method.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 261
Tel 902876701
 Step 6 Click Settings and and Click uncheck Validate server certificate and click Configure
and verify uncheck Automatically use my Windows log-on and finally OK.

Here, we want to make sure it is unselected to Automatically use my Windows logon

name and password (and domain if any). This is selected by default, so there should be a
need to check this.

Step 7 Click in Additional Settings and Specify authentication mode like User
authtentication and click in Replace Credentials

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 262
Tel 902876701
 Step 8 Put the credentials of student1 / NXos12345 and click Ok

Click Ok again

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 263
Tel 902876701
 Step 9 Once 802.1x is activated on the network card, it will try to authenticate itself with
credentials as student1 / NXos12345

Step 10 Check in LAN Status the parameters provided

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 264
Tel 902876701
 Step 11 Go to the ISE and in Operations - Live Logs verify the Authentication log. Click on

the icon and observe all access control events.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 265
Tel 902876701
 Step 12 You can also see the Authentication status of port Gi1/0/14 on the Edge Switch with
the command:

show authentication sessions interface gigabitethernet 1/0/14 details

Step 13 Return to ISE and check Log Lives for Student1

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 266
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 267
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 268
Tel 902876701
 Step 14 Make connectivity tests between Laptop-# connected in port Gi1/0/14 and Virtual
Machine (Student-DNAC-1) are succesfully.

Step 15 Make connectivity tests between Laptop-# and Virtual Machine (Server-DNAC-#) are
not succesfully because there are a Contract with Deny rule even though they are on the
same Campus_VN Virtual network

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 269
Tel 902876701
 With Closed authentication method we can see that according to the credentials entered by
the user, the ISE assigns him an SGT with which he will have associated the corresponding
security policy according to the type of user.

Step 16 Go to Policy menu select and delete all GBAC policies with Set to Default Policy,
accept Warning and Yes.

Step 17 Make connectivity tests between Laptop-# and Virtual Machine (Server-DNAC-#)
again, are succesfully because there are not a police and they are on the same Campus_VN
Virtual network

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 270
Tel 902876701
 Task 6 Apply a Layer-4 Custom Contract
We will now add one Layer-4 policy using the table below:

Name Source Protocol Contract Name Destination

Restrict_Faculty Students ssh, http Deny_SSH_HTTP_Only Production_Servers

Before applying Layer 4 policy we are going to validate the following:

Step 1 Check IP address of Server-DNAC #

Step 2 From the Laptop-DNAC-# PC verify that the ping and SSH to the Server-DNAC-# are
successful

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 271
Tel 902876701
 PING to Server

SSH to Server

Credentials: ubuntu – Nxos12345

To allow certain applications, a customer contract is required. This section will show you
the steps to create the new contract and then walk you through applying it to the Students
and Production Servers groups.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 272
Tel 902876701
 Step 3 Navigate to the Policy – GBAC - Contracts screen to create a new custom contract,

Create the first line of the contract that denies SSH, and click on the + symbol to add
Name Source Protocol Contract Name Destination
Restrict_Faculty Students ssh, http Deny_SSH_HTTP_Only Production_Servers

Step 4 Create the second line of the contract that denies HTTP, and click Save

Step 5 Go to GBAC – Policies and build the policy between Students and
Production_Servers

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 273
Tel 902876701
 Select the contract

Step 6 Upon completion DNA Center returns you to the Policy Administration page where
you can verify the saved policy now resides in the policy table, select Students and click
Deploy.

Click Deploy to deploy the updated policies to the network devices. When you click Deploy,
Cisco DNA Center requests the Cisco Identity Services Engine (Cisco ISE) to send notifications
about the policy changes to the network devices.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 274
Tel 902876701
 Step 7 To view the details of the Security Group ACL simply go to Work Centers – TrustSec
– Components - Security Group ACLs.

Step 8 Double click the Security Group ACL name to display the edit window screen where
the specific permits and denies are displayed.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 275
Tel 902876701
 Step 9 Go to the Laptop- # and do the application tests again, the ping should still be
successful while the SSH connection to the Server-# will no longer be successful.

Step 10 Modify the Access Contract (SGACL) and deny ICMP traffic, Save and Deploy

Select in Application the Advanced option where you can select ICMP protocol

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 276
Tel 902876701
 Step 11 Finally verify that from the Laptop the ping is no longer successful towards the
Server

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 277
Tel 902876701
 Lab 10 Assurance Application
Task 1 Monitor the Overall Health of your Lab

Use this procedure to get a global view of the health of your lab, which includes network
devices and clients, and to determine if there are potential issues that must be addressed.

Step 1 Configure SNMP Configuration from the Cisco DNA Center home page, Setting –
System Settings.

Step 2 Click on Data Platform

Step 3 Select Collectors and Click on COLLECTOR-SMMP

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 278
Tel 902876701
 Step 4 Click on circle

Step 5 Verify list of metrics in SMMP Configuration and CREATE a new

Configuration with Name: DNAC# and click Click Update Configuration

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 279
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 280
Tel 902876701
 Step 6 Return DNA Center home page and click Assurance.
The Overall Health window appears with three dashlets, as described in the following table.

The colors represent the health of the devices:

 Red—Critical issues. Health score range is 1 to 3.
 Orange—Warnings. Health score range is 4 to 7.
 Green—No errors or warning. Health score range is 8 to 10.
 Gray—No data available. Health score is 0.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 281
Tel 902876701
 Task 2 Monitor the Health of Your Network

Use this procedure to get a global view of your network and to determine if there are
potential issues that must be addressed.

The network health score exists only in the context of a location. If the location of a device
is not available, it is not counted in the network health score.

Step 1 Choose Health > Network.

The Network Health window appears with four dashlets, as described in the following table.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 282
Tel 902876701
 Based on the selected site or domain, displays the list of devices that are available.

Step 2 Click on 24 Hours and select 7 Days, and click Apply

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 283
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 284
Tel 902876701
 Latest

Trend

Step 3 Scroll down to Network Devices and select BORDER-POD# and check status.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 285
Tel 902876701
 Step 4 A Device 360° view of the device appears, as described in the table below, and you
can hover the mouse over the timeline and look for some significant change.

Step 5 Scroll down to Issues and Physical Neighbour Topology

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 286
Tel 902876701
 Issues, if any that must be addressed. Issues are listed based on the time stamp.
The most recent issue is listed first. Click an issue to view the corresponding details, such as
the description of the issue, impact, and suggested actions. To resolve an issue, from the
Status field, choose Resolve.

Physical Neighbor Topology, displays a topology view of a specific device and shows how
that device is connected to neighboring devices.

Path Trace, display a network topology between a specified source device and a destination
device. The topology includes the path's direction and the devices along the path, including
their IP addresses. The display also shows the protocol of the devices along the path
(Switched, STP, ECMP, Routed, Trace Route) or other source type.

Application Experience, Applications running on a router with their qualitative and

quantitative metrics. To view the metrics in a chart format, click the radio button next to an
application, in the table. A side pane opens with the relevant information.

Event Viewer

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 287
Tel 902876701
 All Interfaces

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 288
Tel 902876701
 Task 3 Monitor the Health of a Client Device
A client is an end device (computer, phone, and so on) that is connected to a network device
(access point or switch). Cisco DNA Center supports both wired and wireless clients.

Step 1 Choose Health > Client

The Client Health window appears with dashlets, as described in the following table.

This dashlet includes the following information:

• Wired or Wireless Client Health Summary Score—The Wired or Wireless Client Summary
Health Score is the percentage of clients that onboarded successfully and have good
connectivity.
• Client Count—Count of Active, Inactive, and New client devices.
New clients are clients that attempted to onboard after the 5-minute health score calculation
window started. The health score for these clients will be included in the next 5-minute
calculation window.
• Client Health Summary Charts—Provides two types of charts:
• Latest—Displayed by default. This snapshot-view chart provides the distribution of clients
that passed or failed to onboard within the last 5 minutes. Then, from the number of clients
that onboarded successfully (passed), the chart provides the percentage of clients that have
good or fair connectivity.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 289
Tel 902876701
 • Trend—Click the Trend tab to display a trend chart. This trend chart shows the health of
clients over a time period. For the clients that failed to onboard, the breakdown of the reason
for the onboarding failure is provided. For example, AAA, DHCP, Other, and so on.

Step 2 Click on any client (p.e. 172.16.85.5) to open a slide-in pane with additional details.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 290
Tel 902876701
 Step 3 Click Onboarding

Onboarding, Show the topology of how a client got on the network, including information
about the following services: AAA and DHCP.

Example of wired client topology: Client > Switch > Router

Example of wireless client topology: Client > SSID > Access Point > SDA Wireless Controller

Step 4 Scroll down and click on Event Viewer

Event Viewer, Lists scenarios and the sequence of sub-events that led to each scenario.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 291
Tel 902876701
 Event Viewer, allows you to pin-point during which sub-event an issue occurred. The
following scenarios are provided:
• Re-Authentication
• Broadcast Rekey—Process of changing the session key—the encryption key of an ongoing
communication—in order to limit the amount of data encrypted with the same key.
• Onboarding
• DHCP
• Delete
• INTRA-Roaming
When an issue occurs, that event is marked red, otherwise it is green. The second column
provides additional information about the issue, such as the error message, and the AP and
wireless controller to which the client device is connected. The third column provides the
time stamp when the event occurred

Step 5 Scroll Up and Click on Device Information

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 292
Tel 902876701
 Click on Connectivity

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 293
Tel 902876701
 Click on RF

Task 4 Trace the Path of a Device

Path Trace, can to perform a path trace between two nodes in your network—a specified
source device and a specified destination device. The two nodes can be a combination of
wired or wireless hosts or Layer 3 interfaces or both. In addition, you can specify the protocol
that the Cisco DNA Center controller should use to establish
the path trace connection, either TCP or UDP.

When you initiate a path trace, the Cisco DNA Center controller reviews and collects network
topology and routing data from the discovered devices. It then uses this data to calculate a
path between the two hosts or Layer 3 interfaces, and displays the path in a path trace
topology. The topology includes the path direction and the devices along the path, including
their IP addresses. The display also shows the protocol of the devices along the path
(Switched, STP, ECMP, Routed, Trace Route) or other source type

Step 1 From Assurance – Health, click Network again

Step 2 Click on your Edge Switch

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 294
Tel 902876701
 Hover your mouse over timeline to display System resources, Data Plane and Control plane
utilization.

Step 3 From Device 360 window, scroll down to Path Trace category

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 295
Tel 902876701
 Step 4 Click Run New Path Trace. The Set Up Path Trace dialog box appears

Source: IP of Edge Switch

Destination: IP of Border Switch

Step 5 Click Start

Step 6 The path trace topology appears. The IP addresses, protocol, and the time stamp
indicating when the path trace was last updated display above the topology.
Hover your cursor over a device to display CPU and memory utilization.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 296
Tel 902876701
 Lab 11 Cisco DNA Center Automation - Template Editor
Exercise Description and objective
In the previous exercises, we tested Cisco DNA Center capabilities of rolling out standard
network changes using Cisco DNA Center’s intent-driven automation engine.

This allows network administrators to save time and avoid mistakes caused by manual
configuration. We also saw how we can seamlessly roll out policy across the network
within seconds and in accordance to Cisco CVD best practices.

Network administrators do not have to deal with the differences in command line interface
(CLI) across platforms. In some cases, however, network administrators need to deploy
customized configuration to network devices. For this purpose, Cisco DNA Center provides
a template programmer.

Task 1 Creating a configuration template

Step 1 We will start with creating a configuration template for an access switch. We will use
the template for basic configuration. We will also do basic testing of the template-editor
capability to support variables.

From the Cisco DNA Center dashboard, scroll down to the “Tools” section. Select “Template
Editor”.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 297
Tel 902876701
 Step 2 Click on + symbol and follow the steps below to create a project called “C9K-
Templates-POD#”:

Step 3 Select “Create Template” within the “C9K-Templates-POD#” project and Add
Template:

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 298
Tel 902876701
 Step 4 Assign the following parameters:

Assign the name “C9K-Branch-Template” to the template.

For “Device Type” start typing “9300”. Cisco DNA Center will populate the devices that
match with the input. select “Cisco Catalyst 9300 Series Switches” from the drop-down
menu.

Back to Add New Template and for “Software Type” select “IOS-XE”.
Click on “Add”:

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 299
Tel 902876701
 Step 5 Click C9K-Branch-Template, the editor now becomes available to enter the
commands for the template:

Step 6 The CLI commands for the template programmer are provided in the file “Template-
Commands-POD.txt” located in the Jumper PC Desktop DNAC# Folder:

Use the commands in the section called “FIRST PART”.

With these commands, we are also testing the capability to use variables in the templates.

====== TEMPLATE – FIRST PART =================

hostname $hostname

vlan $vlanNumber

interface $interfaceName
description $description

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 300
Tel 902876701
 Step 7 Save the template from the “Actions” menu:

Step 8 After saving the template, you need to version the template. You must version the
template every time you make changes to the template.

To do that, from the Actions drop-down list, select Commit. You can enter a commit note
when the Commit window appears. If you Commit without saving the template, you will be
prompted to save the changes. Go to the “Actions” menu and “Commit”:

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 301
Tel 902876701
 Step 9 Now that the template has been created, we will create a network profile. Cisco
DNA Center is leveraging profile-based deployment. Network profiles are standardized
configurations for routers, switches and WLC’s.

We can design and create the profile one and reuse across multiples sites in the network.
This approach provides: simplified network deployment, configuration consistency and
integrated IT process flows.

In Wireless lab, we used wireless profiles for wireless configuration. In this exercise, we will
follow a similar process.

The diagram below shows how we will be using the profiles:

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 302
Tel 902876701
 Task 2 Assign Templates to Profiles

Before provisioning the template, ensure that the templates are associated with a network
profile and the profile is assigned to a site. During provisioning, when the devices are
assigned to the specific sites, the templates associated with the site through the network
profile appears in the advanced configuration.

Step 10 From the main Cisco DNA Center Dashboard, go to the “Design” menu and select
“Network Profiles”. Create a Switching Profile

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 303
Tel 902876701
 Step 11 Profile Name: C9K-PnP-Branches and Select Day-N Template

Step 12 Click Add

Step 13 Device Type: Cisco Catalyst 9300 Series Switches

Template: C9K-Branch-Template

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 304
Tel 902876701
 The Network Profiles page lists the following:

• Profile Name
• Type
• Sites
• Action

Step 14 In Assign Site select with check list to add sites to the selected profile and Save

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 305
Tel 902876701
 Task 3 Provisioning devices with Template
Step 1 So far, we created a template but still haven’t pushed the template to the device.
Before doing so, let’s check that the device doesn’t actually have the configuration we will
be pushing.

We will be using “Run Commands” for these “show commands”. In order to do this, we need
to go to the “Inventory” tool and click on the equipment.
Click on Action – Others – Run Commands

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 306
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 307
Tel 902876701
 www.miratelecomunicacions.com MIRALAB GUIDE ENSDA
[email protected] 308
Tel 902876701
 Step 2 Go to the “Provision” menu, select the branch switch Switch-10-13x-255-68. From
the “Actions” menu, select “Provision Device”:

Step 3 We will follow the same workflow we used for standard network provisioning:

Click Next

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 309
Tel 902876701
 Select the switch

Parameters for all PODS:

Hostname: Edge-SW-POD# #: is your POD number

Vlan: 70
Interface: Gigabitethernet1/0/12
Description: AccesPort-to-Student

Click Next

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 310
Tel 902876701
 Click Deploy Now and Apply

Step 4 Once you receive the message that the configuration has been successful, go back
to the browser tab where you ran “ Run Command”
Run the commands again and check the results:

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 311
Tel 902876701
 Step 5 To observe the change on the hostname, do the following

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 312
Tel 902876701
 Click Refresh wait approximately 30s until the hostname update

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 313
Tel 902876701
 Lab 12 DNA Center APIS & Postman

Before we start, we need to know what is an API, API is the acronym for Application
Programming Interface, which is a software intermediary that allows two applications
to talk to each other.

An example of an API could be when you use an application on your mobile phone, the
application connects to the Internet and sends data to a server. The server then retrieves
that data, interprets it, performs the necessary actions and sends it back to your phone.
The application then interprets that data and presents you with the information you
wanted in a readable way.

Representing Data

Is the way how computers share and display the information between them, One
computer has to put the data in a format that the other will understand.

The most common formats found in modern APIs are JSON (JavaScript Object Notation)
and XML (Extensible Markup Language) and Yaml (Ain't Markup Language).

Let’s see some examples displaying the same information in these three formats. We
will talk about a pizza order. The pizza will have original crust, and three toppings (We
will use a list) cheese, pepperoni and garlic, and the status of the order.

JSON is a very simple format that has two pieces: keys and values. Keys represent an
attribute about the object being described and the values are the parts to the right.
These are the actual details of the order. Also, important to know that in JSON, a value
that starts and ends with square brackets ([]) is a list of values like we see in the toppings.

Key / Value
{
"crust": "original",
"toppings": ["cheese", "pepperoni", "garlic"],
"status": "cooking"
}

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 314
Tel 902876701
 XML has been around since 1996. With age, it has become a very mature and powerful data format.
<order>
<crust>original</crust>
<toppings>
<topping>cheese</topping>
<topping>pepperoni</topping>
<topping>garlic</topping>
</toppings>
<status>cooking</status>
</order>

YAML has a minimal syntax

crust: original

toppings:

- cheese

- pepperoni

- garlic

status: cooking

- API transport protocol >>> Restful, Netconf.

- Data Model Such as >>> SMI, YANG.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 315
Tel 902876701
 Let's go back to the Postman Tool:

Postman is a great tool when trying to analyze RESTful APIs made by others. Postman is
an API (application programming interface) development tool that helps to build, test,
and modify APIs.

It has the ability to make various types of HTTP requests (POST, GET, PUT, PATCH,
Delete).

The five methods most commonly seen in APIs are:

 GET - Asks the server to retrieve a resource

 POST - Asks the server to create a new resource
 PUT - Asks the server to edit/update an existing resource
 DELETE - Asks the server to delete a resource
 PATCH - To create or update the resources object.

Cisco DNA Center REST API calls with Postman

The main Major of network automation is automating the configuring and managing
devices through automation tools, testing, deploying the network devices within a short
time, and operating smoothly.

Network automation comes to automate tasks and reduce the time and cost, Etc.., and the
important goal is to reduce human error and lower operating expenses.

Objectives

When you have completed this lab, you will be able to:

 Authenticate and retrieve a token from Cisco DNA Center.

 Build an authentication python function.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 316
Tel 902876701
 Task 1 Rest Request and Postman setup

Step 1 Launch Postman-RESTful Client

In this task you will launch the Postman-RESTful Client from your student PC;
then login to Cisco DNA Center.

Step 2 Click on Collections – Cisco DNA Center APIs and select Authentication

As we know Cisco DNA Center accepts REST requests from authenticated users only

Step 3 Select POST method and replace sandbox.dnac2.cisco.com with IP DNAC

X= Your POD

Step 4 Click Authorization and put Username admin and Password NXos12345 of DNA
Center.

After configuring the authentication method, we have to perform a POST API call with click
Send

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 317
Tel 902876701
 You will receive an error message:

Step 5 Click go to Settings and disable SSL verification

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 318
Tel 902876701
 Click Send

In the response there is our token, that we will use in the future calls.

Step 6 To configure authorization with token, we have to add a header with following
values:

 Key – X-Auth-Token
 Value – Here you have to paste the generated token from the previous call response

From now on, we can perform an API calls to the Cisco DNA Center.

Note: Remember to paste the Token without the quotes and without spaces.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 319
Tel 902876701
 Task 2 REST API calls

We will take a look at the network devices, that are present in the DNA Center. To fetch all
network devices, we have to perform a GET request.

https://10.10.1X.200/dna/intent/api/v1/network-device

Step 1 Go to Collection – Cisco DNA Center APIs Network Devices select Network Devices
and click the fisrt GET:

GET https://{{dnac}}:{{port}}/api/v1/network-device/1/14

Step 2 Replace sandbox.dnac2.cisco.com by 10.10.1X.200

Step 3 Before clicking Send, do not forget in the Headers tab to paste the Token generated
previously without the quotes and without spaces.

Step 4 Click Send

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 320
Tel 902876701
 Here’s output from the call.

"response": [

"description": "Cisco IOS Software [Everest], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.6.5, RELEASE SOFTWARE (fc3)
Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2018 by Cisco Systems, Inc. Compiled Mon 10-Dec-18 12:52 by
mcpre",

"memorySize": "NA",

"family": "Switches and Hubs",

"serialNumber": "FCW2239L0XV",

"deviceSupportLevel": "Supported",

"softwareType": "IOS-XE",

"softwareVersion": "16.6.5",

"lastUpdateTime": 1613552407668,

"roleSource": "MANUAL",

"errorCode": null,

"errorDescription": null,

"interfaceCount": "0",

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 321
Tel 902876701
 "lastUpdated": "2021-02-17 09:00:07",

"lineCardCount": "0",

"lineCardId": "",

"locationName": null,

"hostname": "BORDER-POD1.dnac1.local",

"managementIpAddress": "10.129.255.253",

"platformId": "C9300-24T",

"reachabilityFailureReason": "",

"reachabilityStatus": "Reachable",

"series": "Cisco Catalyst 9300 Series Switches",

"snmpContact": "",

"snmpLocation": "",

"tagCount": "0",

"tunnelUdpPort": null,

"uptimeSeconds": 1122533,

"waasDeviceMode": null,

"apManagerInterfaceIp": "",

"associatedWlcIp": "",

"bootDateTime": "2021-02-04 14:43:07",

"collectionStatus": "Managed",

"upTime": "12 days, 18:17:20.11",

"collectionInterval": "Global Default",

"inventoryStatusDetail": "<status><general code=\"SUCCESS\"/></status>",

"macAddress": "34:f8:e7:5c:8f:00",

"type": "Cisco Catalyst 9300 Switch",

"location": null,

"role": "BORDER ROUTER",

"instanceUuid": "1012f00f-ec4b-43a9-a6d9-b8131c0fe878",

"instanceTenantId": "5ec67218e6902500cbb974df",

"id": "1012f00f-ec4b-43a9-a6d9-b8131c0fe878" -> ID BORDER SWITCH POD1

},

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 322
Tel 902876701
 "description": "Cisco IOS Software, C2900 Software (C2900-UNIVERSALK9-M), Version 15.2(4)M6a, RELEASE SOFTWARE (fc1)
Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2014 by Cisco Systems, Inc. Compiled Tue 15-Apr-14 09:45 by
prod_rel_team",

"memorySize": "NA",

"family": "Routers",

"serialNumber": "FCZ1833C28R",

"deviceSupportLevel": "Unsupported",

"softwareType": "IOS",

"softwareVersion": "15.2(4)M6a",

"lastUpdateTime": 1613560805975,

"roleSource": "MANUAL",

"errorCode": null,

"errorDescription": null,

"interfaceCount": "0",

"lastUpdated": "2021-02-17 11:20:05",

"lineCardCount": "0",

"lineCardId": "",

"locationName": null,

"hostname": "FUSION-1.dnac1.local",

"managementIpAddress": "10.129.255.254",

"platformId": "CISCO2901/K9",

"reachabilityFailureReason": "",

"reachabilityStatus": "Reachable",

"series": "Cisco 2900 Series Integrated Services Routers G2",

"snmpContact": "",

"snmpLocation": "",

"tagCount": "0",

"tunnelUdpPort": null,

"uptimeSeconds": 1405675,

"waasDeviceMode": null,

"apManagerInterfaceIp": "",

"associatedWlcIp": "",

"bootDateTime": "2021-02-01 08:04:05",

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 323
Tel 902876701
 "collectionStatus": "Managed",

"upTime": "16 days, 3:16:39.00",

"collectionInterval": "Global Default",

"inventoryStatusDetail": "<status><general code=\"SUCCESS\"/></status>",

"macAddress": "1c:6a:7a:16:1b:d0",

"type": "Cisco 2901 Integrated Services Router G2",

"location": null,

"role": "CORE",

"instanceUuid": "ddee799a-30a1-4ff2-8175-cbe334daf671",

"instanceTenantId": "5ec67218e6902500cbb974df",

"id": "ddee799a-30a1-4ff2-8175-cbe334daf671"

},

"description": null,

"memorySize": "NA",

"family": "Unified AP",

"serialNumber": "FCW2247N6A3",

"deviceSupportLevel": "Supported",

"softwareType": null,

"softwareVersion": "8.5.131.0",

"lastUpdateTime": 1613566168904,

"roleSource": "AUTO",

"errorCode": "null",

"errorDescription": null,

"interfaceCount": "0",

"lastUpdated": "2021-02-17 12:49:28",

"lineCardCount": "0",

"lineCardId": "",

"locationName": null,

"hostname": "OshoAP",

"managementIpAddress": "172.16.63.6",

"platformId": "AIR-AP3802I-E-K9",

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 324
Tel 902876701
 "reachabilityFailureReason": "NA",

"reachabilityStatus": "Reachable",

"series": "Cisco 3800I Series Unified Access Points",

"snmpContact": "",

"snmpLocation": "Global/Barcelona/Montserrat/Ambar/Piso2",

"tagCount": "0",

"tunnelUdpPort": "16666",

"uptimeSeconds": 526902,

"waasDeviceMode": null,

"apManagerInterfaceIp": "10.10.11.115",

"associatedWlcIp": "10.10.11.115",

"bootDateTime": null,

"collectionStatus": "Managed",

"upTime": "6 days, 00:39:10.600",

"collectionInterval": "NA",

"inventoryStatusDetail": "NA",

"macAddress": "70:b3:17:b1:dc:a0",

"type": "Cisco 3800I Unified Access Point",

"location": null,

"role": "ACCESS",

"instanceUuid": "2feba8f8-307b-4307-83d4-7d4d082fee33",

"instanceTenantId": "5ec67218e6902500cbb974df",

"id": "2feba8f8-307b-4307-83d4-7d4d082fee33"

},

"description": "Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT9K_IOSXE), Version 16.12.3a, RELEASE SOFTWARE
(fc1) Technical Support: http://www.cisco.com/techsupport Copyright (c) 1986-2020 by Cisco Systems, Inc. Compiled Tue 28-Apr-20
09:37 by mcpre",

"memorySize": "NA",

"family": "Switches and Hubs",

"serialNumber": "FCW2239S0GQ",

"deviceSupportLevel": "Supported",

"softwareType": "IOS-XE",

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 325
Tel 902876701
 "softwareVersion": "16.12.3a",

"lastUpdateTime": 1613560061774,

"roleSource": "AUTO",

"errorCode": null,

"errorDescription": null,

"interfaceCount": "0",

"lastUpdated": "2021-02-17 11:07:41",

"lineCardCount": "0",

"lineCardId": "",

"locationName": null,

"hostname": "Switch-10-128-255-68.dnac1.local",

"managementIpAddress": "10.128.255.68",

"platformId": "C9300-24T",

"reachabilityFailureReason": "",

"reachabilityStatus": "Reachable",

"series": "Cisco Catalyst 9300 Series Switches",

"snmpContact": "",

"snmpLocation": "",

"tagCount": "0",

"tunnelUdpPort": null,

"uptimeSeconds": 1050379,

"waasDeviceMode": null,

"apManagerInterfaceIp": "",

"associatedWlcIp": "",

"bootDateTime": "2021-02-05 10:45:41",

"collectionStatus": "Managed",

"upTime": "12 days, 0:22:51.07",

"collectionInterval": "Global Default",

"inventoryStatusDetail": "<status><general code=\"SUCCESS\"/></status>",

"macAddress": "34:f8:e7:8e:6f:80",

"type": "Cisco Catalyst 9300 Switch",

"location": null,

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 326
Tel 902876701
 "role": "ACCESS",

"instanceUuid": "4221d0d1-cde2-4523-b0cf-633854298ce6",

"instanceTenantId": "SYS0",

"id": "4221d0d1-cde2-4523-b0cf-633854298ce6"

},

"description": "Cisco Controller Wireless Version:8.5.131.0",

"memorySize": "3735322624",

"family": "Wireless Controller",

"serialNumber": "FCW2247M0M5",

"deviceSupportLevel": "Supported",

"softwareType": "Cisco Controller",

"softwareVersion": "8.5.131.0",

"lastUpdateTime": 1613566168904,

"roleSource": "AUTO",

"errorCode": null,

"errorDescription": null,

"interfaceCount": "0",

"lastUpdated": "2021-02-17 12:49:28",

"lineCardCount": "0",

"lineCardId": "",

"locationName": null,

"hostname": "WLC-POD1",

"managementIpAddress": "10.10.11.115",

"platformId": "AIR-CT3504-K9",

"reachabilityFailureReason": "",

"reachabilityStatus": "Reachable",

"series": "Cisco 3500 Series Wireless LAN Controller",

"snmpContact": "",

"snmpLocation": "",

"tagCount": "0",

"tunnelUdpPort": "16666",

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 327
Tel 902876701
 "uptimeSeconds": 532172,

"waasDeviceMode": null,

"apManagerInterfaceIp": "",

"associatedWlcIp": "",

"bootDateTime": "2021-02-11 10:42:28",

"collectionStatus": "Managed",

"upTime": "6 days, 2:07:28.00",

"collectionInterval": "Global Default",

"inventoryStatusDetail": "<status><general code=\"SUCCESS\"/></status>",

"macAddress": "cc:70:ed:14:e8:00",

"type": "Cisco 3504 Wireless LAN Controller",

"location": null,

"role": "ACCESS",

"instanceUuid": "747b2257-79ff-47ec-ac13-5a7e45348224",

"instanceTenantId": "5ec67218e6902500cbb974df",

"id": "747b2257-79ff-47ec-ac13-5a7e45348224"

],

"version": "1.0"

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 328
Tel 902876701
 Step 5 As you can see in this example of POD1, there are five network devices. We can count
them manually, but in a large environment, it could be problematic. The better way to
accomplish this is to perform an API call, that will return to us the number of devices.

Note: If the Token expires, resend a POST https://10.10.1#.200/api/system/v1/auth/token and

copy and paste again in Headers - X-Auth-Token

GET https://10.10.1X.200/dna/intent/api/v1/network-device/count

"response": 5,

"version": "1.0"

As we can see here, there are 5 devices.

Step 6 Instead of gathering all devices, we can fetch data about only one device, to do so
we have to use the device id (BORDER Switch POD1).

Don't forget to look up the device ID of the Border Switch of your corresponding POD.

GET: https://10.10.1X.200/dna/intent/api/v1/network-device/1012f00f-ec4b-43a9-a6d9-
b8131c0fe878

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 329
Tel 902876701
 Step 7 If we’re interested in information about VLANs on a particular device, we can
perform a GET API call containing device id (id).

https://10.10.1X.200/dna/intent/api/v1/network-device/1012f00f-ec4b-43a9-a6d9-b8131c0fe878/vlan

And here’s the response.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 330
Tel 902876701
 As we can see, there are some VLANS configured on this device.

Step 8 We can also gather information of all devices about all interfaces.

https://10.10.1X.200/dna/intent/api/v1/interface

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 331
Tel 902876701
 In this example, there are plenty of network interfaces, the output has been shortened.

"response": [

"pid": "CISCO2901/K9",

"description": "Conexion L3 to Border",

"status": "up",

"mediaType": null,

"speed": "1000000",

"duplex": "FullDuplex",

"lastUpdated": "2021-02-17 11:20:05.975",

"interfaceType": "Physical",

"ipv4Address": "10.129.255.254",

"ipv4Mask": "255.255.255.252",

"isisSupport": "false",

"mappedPhysicalInterfaceId": null,

"mappedPhysicalInterfaceName": null,

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 332
Tel 902876701
 "nativeVlanId": null,

"ospfSupport": "false",

"ifIndex": "3",

"series": "Cisco 2900 Series Integrated Services Routers G2",

"adminStatus": "UP",

"deviceId": "ddee799a-30a1-4ff2-8175-cbe334daf671",

"portName": "GigabitEthernet0/1",

"vlanId": "0",

"macAddress": "1c:6a:7a:16:1b:d0",

"portMode": "routed",

"portType": "Ethernet Port",

"serialNo": "FCZ1833C28R",

"voiceVlan": null,

"className": "EthrntPrtclEndpntExtndd",

"instanceUuid": "777ce3af-cd3a-430f-bd52-ab77863defea",

"instanceTenantId": "5ec67218e6902500cbb974df",

"id": "777ce3af-cd3a-430f-bd52-ab77863defea"

Step 9 To get information about only one interface BORDER switch, we have to specify the
interface name attribute in the header. Postman will automatically append this attribute to
the request URI.

Example: Gi1/0/1 of Border Switch POD1

https://10.10.1X.200/dna/intent/api/v1/interface/network-device/1012f00f-ec4b-43a9-a6d9-
b8131c0fe878/interface-name?name=GigabitEthernet1/0/1

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 333
Tel 902876701
 {
"response": {
"pid": "C9300-24T",
"description": "Fabric Physical Link",
"status": "up",
"mediaType": null,
"speed": "1000000",
"duplex": "FullDuplex",
"lastUpdated": "2021-02-17 09:00:07.668",
"interfaceType": "Physical",
"ipv4Address": "10.128.255.66",
"ipv4Mask": "255.255.255.254",
"isisSupport": "false",
"mappedPhysicalInterfaceId": null,
"mappedPhysicalInterfaceName": null,
"nativeVlanId": null,
"ospfSupport": "false",
"ifIndex": "8",
"series": "Cisco Catalyst 9300 Series Switches",
"adminStatus": "UP",
"deviceId": "1012f00f-ec4b-43a9-a6d9-b8131c0fe878",
"portName": "GigabitEthernet1/0/1",
"vlanId": null,
"macAddress": "34:f8:e7:5c:8f:64",
"portMode": "routed",

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 334
Tel 902876701
 "portType": "Ethernet Port",
"serialNo": "FCW2239L0XV",
"voiceVlan": null,
"className": "SwitchPort",
"instanceUuid": "5c959655-0b03-47a3-a043-bbd7d0e55b8f",
"instanceTenantId": "5ec67218e6902500cbb974df",
"id": "5c959655-0b03-47a3-a043-bbd7d0e55b8f"
},
"version": "1.0"
}

Note: If this message appears about token expired, request it again with a POST

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 335
Tel 902876701
 Step 10 Cisco DNA Center has a bunch of attributes that inform us about the overall
network health. We can get it using a single API call.

https://10.10.1X.200/dna/intent/api/v1/network-health

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 336
Tel 902876701
 {

"version" : "1.0",

"response" : [ {

"time" : "2021-02-17T14:55:00.000+0000",

"healthScore" : 100,

"totalCount" : 5,

"goodCount" : 5,

"unmonCount" : 0,

"fairCount" : 0,

"badCount" : 0,

"entity" : null,

"timeinMillis" : 1613573700000

} ],

"measuredBy" : "global",

"latestMeasuredByEntity" : null,

"latestHealthScore" : 100,

"monitoredDevices" : 5,

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 337
Tel 902876701
 "monitoredHealthyDevices" : 5,

"monitoredUnHealthyDevices" : 0,

"unMonitoredDevices" : 0,

"healthDistirubution" : [ {

"category" : "Core",

"totalCount" : 1,

"healthScore" : 100,

"goodPercentage" : 100,

"badPercentage" : 0,

"fairPercentage" : 0,

"unmonPercentage" : 0,

"goodCount" : 1,

"badCount" : 0,

"fairCount" : 0,

"unmonCount" : 0

}, {

"category" : "Access",

"totalCount" : 1,

"healthScore" : 100,

"goodPercentage" : 100,

"badPercentage" : 0,

"fairPercentage" : 0,

"unmonPercentage" : 0,

"goodCount" : 1,

"badCount" : 0,

"fairCount" : 0,

"unmonCount" : 0

}, {

"category" : "Router",

"totalCount" : 1,

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 338
Tel 902876701
 "healthScore" : 100,

"goodPercentage" : 100,

"badPercentage" : 0,

"fairPercentage" : 0,

"unmonPercentage" : 0,

"goodCount" : 1,

"badCount" : 0,

"fairCount" : 0,

"unmonCount" : 0

}, {

"category" : "WLC",

"totalCount" : 1,

"healthScore" : 100,

"goodPercentage" : 100,

"badPercentage" : 0,

"fairPercentage" : 0,

"unmonPercentage" : 0,

"goodCount" : 1,

"badCount" : 0,

"fairCount" : 0,

"unmonCount" : 0

}, {

"category" : "AP",

"totalCount" : 1,

"healthScore" : 100,

"goodPercentage" : 100,

"badPercentage" : 0,

"fairPercentage" : 0,

"unmonPercentage" : 0,

"goodCount" : 1,

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 339
Tel 902876701
 "badCount" : 0,

"fairCount" : 0,

"unmonCount" : 0

}]

Task 3 Script with Python

Step 1 Creating a network device list with a Python function

Let's use the Python requests library to create a function that when called upon, will return
and display the list of devices managed by the DNA Center.

The first part of the function will import the required libraries.

o requests are the library of choice to make the api request.

o HTTPBasicAuth is part of the requests library and is used to encode the credentials
to Cisco DNA-C

Step 2 Get the code of network-device. Copy this URI and paste into Postman with “GET”
method

https://<dna center ip address>/api/v1/network-device

In the “Headers” tab set a “X-Auth-Token” as a key and paste a token from the previous
task into a “VALUE” and then click “Send”

You’ll see a returning JSON value within the “Body” tab

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 340
Tel 902876701
 Step 3 Click Code and select Python-Request

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 341
Tel 902876701
 Step 4 Create the new document in IDLE or Notepad editor or modify the one in C:\Program
Files\Python38\GetDevice. Also remember to add import json

Now you can change request (POST, GET, PUT, PATCH, Delete) as you need and start your
Journey

import requests
import json

url = https://10.10.11.200/dna/intent/api/v1/network-device

payload={}
headers = {
'x-auth-token':
'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJzdWIiOiI1ZWM2NzIxOGU2OTAyNTAwY2JiOTc0ZTIiLCJhdXRoU291cmNlIjoiaW5
0ZXJuYWwiLCJ0ZW5hbnROYW1lIjoiVE5UMCIsInJvbGVzIjpbIjVlYzY3MjE4ZTY5MDI1MDBjYmI5NzRlMSJdLCJ0ZW5hbnRJZCI6
IjVlYzY3MjE4ZTY5MDI1MDBjYmI5NzRkZiIsImV4cCI6MTYxMzU3NTg2NywiaWF0IjoxNjEzNTcyMjY3LCJqdGkiOiIzMTJkOWE1
Yi00MzczLTQ4MGQtOWQ5MC00NDhhMDg1OTlhNjgiLCJ1c2VybmFtZSI6ImFkbWluIn0.QTszpfiKekQVXGX_hDXwl1YHSK8cA
y8y-MeJdBQK2rgP5oN8OyvecGW5GVZvudBUCE46ThpHcfaxi8vUXBkR73_OrYMI1DulnZ5Jlkmzr19nN7H-

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 342
Tel 902876701
 N1W8rySFGSMsKE7GUs31xUiqz5JZg7okQfk1Bgh2s6-_lgbVEbtsuYAnEc-
Dn09srErgiywxW8eHTJ_SfQ6nszBaEErLQioOzhO3zSNuA93vre1Dyj3ot7COh3t5id-J7d7p3upNE96qvBXzfI_7VPxR2T-
hqgLOjUl-b4ArUiyXp75bpo9HqCjfE73qE439OxMUhbMrjoJ4NF7Ona9B0pXBw6JuCDJi1rncfw'
}

response = requests.request("GET", url, headers=headers, data=payload)

print(response.text)

With IDLE copy and paste from postman

If you use Notepad remember select Format and Click Word Wrap

Step 5 Save in the path c:\Program Files\Python38 with the name of GetDevice.py

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 343
Tel 902876701
 From the path c:\Programs Files\Python38 run the script with Python GetDevice.py

Use Shift + Right click to open the cmd then execute the script.

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 344
Tel 902876701
 Step 6 Edit the GetDevice.py Script and add the following parameter: verify=False

Step 7 Run the script and if it gives the Token expired error

Step 8 Request the Token with a Post from Postman, copy and paste it back to the Script
and run it again

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 345
Tel 902876701
 Step 9 Add to script GetDevice.py the following:

raw_data = json.loads(response.text)

devices = raw_data["response"]

for device in devices:

print("Hostname: {}".format(device["hostname"]))

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 346
Tel 902876701
 Congratulations, you have completed the
laboratory!

www.miratelecomunicacions.com MIRALAB GUIDE ENSDA

[email protected] 347
Tel 902876701