Cisco DNA Center First-Generation Appliance Installation Guide, Release 2.2.3

First Published: 2021-08-04 Last Modified: 2021-09-01
Americas Headquarters
Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000
800 553-NETS (6387) Fax: 408 527-0883

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: https://www.cisco.com/c/en/us/about/legal/trademarks.html. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1721R)
© 2021 Cisco Systems, Inc. All rights reserved.

CONTENTS

CHAPTER 1  Review the Cisco DNA Center Appliance Features  1
  Appliance Hardware Specifications  1
  Front and Rear Panels  2
  Physical Specifications  8
  Environmental Specifications  9
  Power Specifications  10
  10 Gigabit Ethernet Switches  11

CHAPTER 2  Plan the Deployment  13
  Planning Workflow  13
  Cisco DNA Center and Cisco Software-Defined Access  14
  Interface Cable Connections  14
  Required IP Addresses and Subnets  17
  Required Internet URLs and Fully Qualified Domain Names  20
  Provide Secure Access to the Internet  23
  Required Network Ports  23
  Required Ports and Protocols for Cisco Software-Defined Access  25
  Required Configuration Information  32
  Required First-Time Setup Information  33

CHAPTER 3  Install the Appliance  35
  Appliance Installation Workflow  35
  Unpack and Inspect the Appliance  35
  Review the Installation Warnings and Guidelines  36
  Review the Rack Requirements  37
  Connect and Power On the Appliance  37
  Check the LEDs  38

CHAPTER 4  Prepare the Appliance for Configuration  41
  Preparation for Appliance Configuration Overview  41
  Enable Browser Access to Cisco Integrated Management Controller  41
  Execute Preconfiguration Checks  46
  Reimage the Appliance  53
    Verify the Cisco DNA Center ISO Image  53
    Create a Bootable USB Flash Drive  54
      Using Etcher  54
      Using the Linux CLI  55
      Using the Mac CLI  55
    Install the Cisco DNA Center ISO Image  56

CHAPTER 5  Configure the Appliance  59
  Appliance Configuration Overview  59
  Maglev Wizard Interface Configuration Order  59
  Configure the Primary Node  60
  Configure a Secondary Node  77
  Upgrade to the Latest Cisco DNA Center Release  93

CHAPTER 6  Complete First-Time Setup  95
  First-Time Setup Workflow  95
  Compatible Browsers  95
  Complete the Quick Start Workflow  95
  Integrate Cisco ISE with Cisco DNA Center  100
  Group-Based Access Control: Policy Data Migration and Synchronization  103
  Configure Authentication and Policy Servers  105
  Configure SNMP Properties  109

CHAPTER 7  Troubleshoot the Deployment  111
  Troubleshooting Tasks  111
  Log Out  111
  Reconfigure the Appliance Using the Configuration Wizard  112
  Power-Cycle the Appliance  113
    Using the Cisco IMC GUI  114
    Using SSH  115

APPENDIX A  Review High Availability Cluster Deployment Scenarios  117
  New HA Deployment  117
  Existing HA Deployment of the Primary Node with Standard Interface Configurations  118
  Existing HA Deployment of the Primary Node with Nonstandard Interface Configurations  118
  Activate High Availability  119
  Additional HA Deployment Considerations  119
    Telemetry  119
    Wireless Controller  120

CHAPTER 1

Review the Cisco DNA Center Appliance Features

· Appliance Hardware Specifications, on page 1
· Front and Rear Panels, on page 2
· Physical Specifications, on page 8
· Environmental Specifications, on page 9
· Power Specifications, on page 10
· 10 Gigabit Ethernet Switches, on page 11

Appliance Hardware Specifications

Cisco supplies Cisco Digital Network Architecture (DNA) Center in the form of a rack-mountable, physical appliance. The first-generation Cisco DNA Center appliance (Cisco part number DN1-HW-APL) consists of a Cisco Unified Computing System (UCS) C220 M4 small form factor (SFF) chassis, with the addition of a Virtual Interface Card (VIC) 1227 in the mLOM slot. The Cisco DNA Center software image is preinstalled on the appliance, but must be configured for use.

The following table summarizes the appliance's hardware specifications.

Feature: Description

Chassis: One rack-unit (1RU) chassis

Processors: Two 22-core Intel Xeon E5-2699 v4 2.20 GHz processors

Memory: Eight 32-GB DDR4 2400 MHz registered DIMMs (RDIMMs)

Storage:
  · Six 1.9-TB, 2.5-inch Enterprise Value 6G SATA solid state drives (SSDs)
  · Two 480-GB, 2.5-inch Enterprise Value 12G SAS SSDs

Disk Management (RAID):
  · RAID 1 on slots 1 through 4
  · RAID 10 on slots 5 through 8

Network and Management I/O: Supported connectors:
  · Two 10-Gbps Ethernet ports on the Cisco UCS VIC 1227
  · One 1-Gbps Ethernet dedicated management port
  · Two 1-Gbps BASE-T Ethernet LAN ports
  The following connectors are available but not typically used in the day-to-day operation of Cisco DNA Center:
  · One RS-232 serial port (RJ-45 connector)
  · One 15-pin VGA connector
  · Two USB 3.0 connectors
  · One front-panel KVM connector that is used with the KVM cable, which provides two USB 2.0, one VGA, and one serial (DB-9) connector

Power: Two 770-W AC power supplies, redundant as 1+1

Cooling: Six hot-swappable fan modules for front-to-rear cooling

Video: Video Graphics Array (VGA) video resolution up to 1920 x 1200, 16 bpp at 60 Hz, and up to 256 MB of video memory

Front and Rear Panels
The following figures and tables describe the front and rear panels of the 44-core Cisco DNA Center appliance.

Figure 1: Appliance Front Panel

Component 1: Drive bays. A total of eight drives are available on the appliance:
  · Six 1.9 TB SATA SSD
  · Two 480 GB SAS SSD
  Each installed drive bay has a fault LED and an activity LED. When the drive fault LED is:
  · Off: The drive is operating properly.
  · Amber: The drive has failed.
  · Amber, blinking: The drive is rebuilding.
  When the drive activity LED is:
  · Off: There is no drive in the sled (no access, no fault).
  · Green: The drive is ready.
  · Green, blinking: The drive is reading or writing data.

Component 2: Pull-out asset tag

Component 3: Operations sub-panel buttons and LEDs. LED states for these buttons and the conditions they indicate are described in the following entries.

Component 4: Power button/power status LED. When the LED is:
  · Off: There is no AC power to the appliance.
  · Amber: The appliance is in standby power mode. Power is supplied only to the Cisco Integrated Management Controller (CIMC) and some motherboard functions.
  · Green: The appliance is in main power mode. Power is supplied to all the server components.

Component 5: Unit identification button and LED. When the LED is:
  · Blue: Unit identification is active.
  · Off: Unit identification is inactive.

Component 6: System status LED. When the LED is:
  · Green: The appliance is running in a normal operating condition.
  · Green, blinking: The appliance is performing system initialization and memory checks.
  · Amber, steady: The appliance is in a degraded operational state, which may be due to one or more of the following causes:
    · Power supply redundancy is lost.
    · CPUs are mismatched.
    · At least one CPU is faulty.
    · At least one DIMM is faulty.
    · At least one drive in a RAID configuration failed.
  · Amber, blinking: The appliance is in a critical fault state, which may be due to one or more of the following:
    · Boot failed.
    · Fatal CPU and/or bus error was detected.
    · Server is in an over-temperature condition.

Component 7: Fan status LED. When the LED is:
  · Green: All fan modules are operating properly.
  · Amber, steady: One fan module has failed.
  · Amber, blinking: Critical fault, two or more fan modules have failed.

Component 8: Temperature status LED. When the LED is:
  · Green: The appliance is operating at normal temperature.
  · Amber, steady: One or more temperature sensors have exceeded a warning threshold.
  · Amber, blinking: One or more temperature sensors have exceeded a critical threshold.

Component 9: Power supply status LED. When the LED is:
  · Green: All power supplies are operating normally.
  · Amber, steady: One or more power supplies are in a degraded operational state.
  · Amber, blinking: One or more power supplies are in a critical fault state.

Component 10: Network link activity LED. When the LED is:
  · Green, blinking: One or more Ethernet LOM ports are link-active, with activity.
  · Green: One or more Ethernet LOM ports are link-active, but there is no activity.
  · Off: The Ethernet link is idle.

Component 11: KVM connector. Used with a KVM cable that provides two USB 2.0, one VGA, and one serial connector.

Figure 2: Appliance Rear Panel

Component 1: Grounding-lug hole (for DC power supplies)

Component 2: PCIe riser 1/slot 1

Component 3: PCIe riser 2/slot 2

Component 4: Power supplies (up to two: redundant as 1+1). Each power supply has a power supply fault LED and an AC power LED. When the fault LED is:
  · Off: The power supply is operating normally.
  · Amber, blinking: An event warning threshold has been reached, but the power supply continues to operate.
  · Amber, solid: A critical fault threshold has been reached, causing the power supply to shut down (for example, a fan failure or an over-temperature condition).
  When the AC power LED is:
  · Green, solid: AC power is OK, DC output is OK.
  · Green, blinking: AC power is OK, DC output is not enabled.
  · Off: There is no AC power to the power supply.
  For more details, see Power Specifications.

Component 5: 10-Gbps Cluster Port (Port 2, enp10s0, Network Adapter 1): This is the second 10-Gbps port on the Cisco Virtual Interface Card (VIC) 1227 in the appliance mLOM slot. The rear panel labels it Port 2 and the Maglev Configuration wizard identifies it as enp10s0 and Network Adapter 1. Connect this port to a switch with connections to the other nodes in the Cisco DNA Center cluster. This port has a link status (ACT) LED and a link speed (LINK) LED. When the link status LED is:
  · Green, blinking: Traffic is present on the active link.
  · Green: Link is active, but there is no traffic present.
  · Off: No link is present.
  When the link speed LED is:
  · Green: Link speed is 10 Gbps.
  · Amber: Link speed is 1 Gbps.
  · Off: Link speed is 100 Mbps or less.
  Note: The enterprise and cluster ports must operate at 10 Gbps only.

Component 6: 10-Gbps Enterprise Port (Port 1, enp9s0, Network Adapter 4): This is the first 10-Gbps port on the Cisco Virtual Interface Card (VIC) 1227 in the appliance mLOM slot. The rear panel labels it Port 1 and the Maglev Configuration wizard identifies it as enp9s0 and Network Adapter 4. Connect this port to a switch with IP reachability to the networking equipment that Cisco DNA Center will manage. This port has a link status (ACT) LED and a link speed (LINK) LED. When the link status LED is:
  · Green, blinking: Traffic is present on the active link.
  · Green: Link is active, but there is no traffic present.
  · Off: No link is present.
  When the speed LED is:
  · Green: Link speed is 10 Gbps.
  · Amber: Link speed is 1 Gbps.
  · Off: Link speed is 100 Mbps or less.
  Note: The Cisco DNA Center appliance enterprise and cluster ports must operate at 10 Gbps only.

Component 7: Two USB 3.0 ports

Component 8: 1-Gbps CIMC Port (M): This is the embedded port to the right of the two USB ports and to the left of the RJ-45 serial port. The rear panel labels it M, and you assign an IP address to it when you enable browser access to the appliance's CIMC GUI (see Enable Browser Access to Cisco Integrated Management Controller). This port is reserved for out-of-band (OOB) management of the Cisco DNA Center appliance chassis and software. Connect this port to a switch that provides access to your dedicated OOB enterprise management network. This port has a link status LED and a link speed LED. When the link status LED is:
  · Green, blinking: Traffic is present on the active link.
  · Green: Link is active, but there is no traffic present.
  · Off: No link is present.
  When the speed LED is:
  · Green: Link speed is 1 Gbps.
  · Amber: Link speed is 100 Mbps.
  · Off: Link speed is 10 Mbps or less.

Component 9: Serial port (RJ-45 connector)

Component 10: 1-Gbps Cisco DNA Center GUI Port (1, enp1s0f0, Network Adapter 2): This is the first Intel i350 1Gb Ethernet controller port. It is embedded on the appliance motherboard. The rear panel labels it 1 and the Maglev Configuration wizard identifies it as enp1s0f0 and Network Adapter 2. Connect this port to a switch that provides access to your dedicated enterprise management network. This port has a link status LED and a link speed LED. When the status LED is:
  · Green, blinking: Traffic is present on the active link.
  · Green: Link is active, but there is no traffic present.
  · Off: No link is present.
  When the speed LED is:
  · Green: Link speed is 1 Gbps.
  · Amber: Link speed is 100 Mbps.
  · Off: Link speed is 10 Mbps or less.

Component 11: 1-Gbps Cloud Port (2, enp1s0f1, Network Adapter 3): This is the second embedded 1-Gbps Ethernet controller port. The rear panel labels it 2 and the Maglev Configuration wizard identifies it as enp1s0f1 and Network Adapter 3. This port is optional. It is used for connecting to the Internet when it is not possible to do so via the 10-Gbps enterprise port (Port 1, enp9s0, Network Adapter 4). This port has a link status LED and a link speed LED. When the link status LED is:
  · Green, blinking: Traffic is present on the active link.
  · Green: Link is active, but there is no traffic.
  · Off: No link is present.
  When the speed LED is:
  · Green: Link speed is 1 Gbps.
  · Amber: Link speed is 100 Mbps.
  · Off: Link speed is 10 Mbps or less.

Component 12: VGA video port (DB-15). The panel area around this port is blue.

Component 13: Blue LED locator button

Physical Specifications
The following table lists the physical specifications for the appliance.

Table 1: Physical Specifications

Height: 1.7 in. (4.32 cm)
Width: 16.89 in. (43.0 cm); including handles: 18.98 in. (48.2 cm)
Depth (length): 29.8 in. (75.6 cm); including handles: 30.98 in. (78.7 cm)
Front clearance: 3 in. (76 mm)
Side clearance: 1 in. (25 mm)
Rear clearance: 6 in. (152 mm)
Maximum weight (fully loaded chassis): 37.9 lb. (17.2 kg)

Environmental Specifications

The following table lists the environmental specifications for the Cisco DNA Center appliance.

Table 2: Environmental Specifications

Temperature, operating: 41 to 95°F (5 to 35°C). Derate the maximum temperature by 1°C for every 1000 ft. (305 meters) of altitude above sea level.
Temperature, nonoperating (when the appliance is stored or transported): -40 to 149°F (-40 to 65°C)
Humidity (RH), operating: 10 to 90%, noncondensing at 82°F (28°C)
Humidity, nonoperating: 5 to 93% at 82°F (28°C)
Altitude, operating: 0 to 10,000 ft. (0 to 3,000 m)
Altitude, nonoperating (when the appliance is stored or transported): 0 to 40,000 ft. (0 to 12,192 m)
Sound power level, A-weighted per ISO 7779, LwAd (Bels), operation at 73°F (23°C): 5.4
Sound pressure level, A-weighted per ISO 7779, LpAm (dBA), operation at 73°F (23°C): 37

Power Specifications

The specifications for the two 770 W AC power supplies (Cisco part number UCSC-PSU1-770W) provided with the Cisco DNA Center appliance are listed in the table below.

Table 3: AC Power Supply Specifications

AC input voltage: Nominal range: 100-120 VAC, 200-240 VAC; Range: 90-132 VAC, 180-264 VAC
AC input frequency: Nominal range: 50 to 60 Hz (Range: 47-63 Hz)
Maximum AC input current: 9.5 A at 100 VAC; 4.5 A at 208 VAC
Maximum input volt-amperes: 950 VA at 100 VAC
Maximum output power per PSU: 770 W at 100-120 VAC
Maximum inrush current: 15 A at 35°C
Maximum hold-up time: 12 ms at 770 W
Power supply output voltage: 12 VDC
Power supply standby voltage: 12 VDC
Efficiency rating: Climate Savers Platinum Efficiency (80Plus Platinum certified)
Form factor: RSP2
Input connector: IEC320 C14

Note: You can get more specific power information for the exact configuration of your appliance by using the Cisco UCS Power Calculator: http://ucspowercalc.cisco.com


10 Gigabit Ethernet Switches

The following table lists the 10 Gigabit Ethernet Cisco switches that can currently be brought up from the first-generation Cisco DNA Center appliance. This table will be updated as more switches are tested.

Cisco Switch (Cisco Part Number): Comment

Cisco Nexus 5672UP (N5K-C5672UP): --
Cisco Catalyst 6880-X (C6880-X-LE): --
Cisco Nexus 7700 (6-Slot) (N77-C7706): Tested with the Cisco Nexus 7700 Switch Supervisor2 Enhanced Module (Cisco part number N77-SUP2E) installed.

In order for the remaining switches in this table to function properly, ensure that the following settings are configured for both your switch and your Cisco DNA Center appliance:
  · Default VLAN: Configure the same default VLAN on the appliance port and on the switch port it connects to.
  · VLAN Mode: Set Trunk mode.
See Steps 3 and 4 in Execute Preconfiguration Checks, on page 46.

Cisco Catalyst 3850-48XS-S (WS-C3850-48XS-S): --
Cisco Catalyst 4500X-32 SFP+ (WS-C4500X-32SFP+): --
Cisco Catalyst C9500-40X-E (C9500-40X): --
Cisco Catalyst 3650-48PQ-E (WS-C3650-48PQ-E): --

CHAPTER 2

Plan the Deployment

· Planning Workflow, on page 13
· Cisco DNA Center and Cisco Software-Defined Access, on page 14
· Interface Cable Connections, on page 14
· Required IP Addresses and Subnets, on page 17
· Required Internet URLs and Fully Qualified Domain Names, on page 20
· Provide Secure Access to the Internet, on page 23
· Required Network Ports, on page 23
· Required Ports and Protocols for Cisco Software-Defined Access, on page 25
· Required Configuration Information, on page 32
· Required First-Time Setup Information, on page 33

Planning Workflow

You must perform the following planning and information-gathering tasks before attempting to install, configure, and set up your Cisco DNA Center appliance. After you complete these tasks, you can continue by physically installing your appliance in the data center.

1. Review the recommended cabling and switching requirements for standalone and cluster installations. For more information, see Interface Cable Connections.
2. Gather the IP addressing, subnetting, and other IP traffic information that you will apply during appliance configuration. For more information, see Required IP Addresses and Subnets.
3. Prepare a solution for the required access to web-based resources. For more information, see Required Internet URLs and Fully Qualified Domain Names and Provide Secure Access to the Internet.
4. Reconfigure your firewalls and security policies for Cisco DNA Center traffic. For more information, see Required Network Ports. If you are using Cisco DNA Center to manage a Cisco Software-Defined Access (SD-Access) network, also see Required Ports and Protocols for Cisco Software-Defined Access.
5. Gather the additional information used during appliance configuration and first-time setup. For more information, see Required Configuration Information and Required First-Time Setup Information.

Cisco DNA Center and Cisco Software-Defined Access
You can use Cisco DNA Center to manage any type of network, including networks that employ the Cisco SD-Access fabric architecture. Cisco SD-Access transforms conventional networks into intent-based networks, where business logic becomes a physical part of the network, making it easy to automate day-to-day tasks such as configuration, provisioning, and troubleshooting. The Cisco SD-Access solution reduces the time taken to adapt the network to business needs, improves issue resolutions, and reduces security-breach impacts.
A complete discussion of the Cisco SD-Access solution is outside the scope of this guide. Network architects and administrators planning to implement a Cisco SD-Access fabric architecture for use with Cisco DNA Center can find additional information and guidance from the following resources:
· For more information on how Cisco DNA Center leverages Cisco SD-Access to automate solutions that are not possible with normal networking approaches and techniques, see Software Defined Access: Enabling Intent-Based Networking.
· For guidance in using Cisco SD-Access access segmentation to enhance network security, see the Software-Defined Access Segmentation Design Guide.
· For guidance on deploying SDA with Cisco DNA Center, see the Software-Defined Access Deployment Guide.
· For more information on the digital network architecture that is the foundation of Cisco DNA Center and the Cisco SD-Access solution, and the roles that other Cisco and third-party products and solutions play in this innovative architecture, see the Cisco DNA Design Zone.
Interface Cable Connections
Connect the ports on the appliance to switches providing the following types of network access. At a minimum, you must configure the Enterprise and Cluster port interfaces, as they are required for Cisco DNA Center functionality.
Note: During appliance configuration, the Maglev Configuration wizard does not let you proceed until you assign the Cluster Link option to an interface. For both single-node and three-node deployments in a production environment, designate port enp10s0 as the Cluster Link on the first-generation Cisco DNA Center appliance (Cisco part number DN1-HW-APL).
Be aware that the interface marked as the Cluster Link cannot be changed after configuration completes. If you later must change the interface marked as the Cluster Link, you are required to reimage the appliance. (For a description of the tasks you need to complete in order to reimage your Cisco DNA Center appliance, see Reimage the Appliance, on page 53.) With this in mind, we recommend that you set up the Cluster Port with an IP address, so as to allow for expansion to a three-node cluster in the future. Also, make sure that the cluster link interface is connected to a switch port and is in the UP state.
· (Required) 10-Gbps Cluster Port (Port 2, enp10s0, Network Adapter 1): This is the left-hand port on the VIC 1227 card in the appliance mLOM slot. Its purpose is to enable communications among the primary and secondary nodes in a Cisco DNA Center cluster. Connect this port to a switch with connections to the other nodes in the cluster and configure one IP address with a subnet mask for the port.


· (Optional) 1-Gbps Cisco DNA Center GUI Port (1, enp1s0f0, Network Adapter 2): This port provides access to the Cisco DNA Center GUI. Its purpose is to enable users to use the software on the appliance. Connect this port to a switch with connections to your enterprise management network, and configure one IP address with a subnet mask for the port.
· (Optional) 1-Gbps Cloud Port (2, enp1s0f1, Network Adapter 3): This port is optional. Use it only if you cannot connect the appliance to the Internet (including to your Internet proxy server) using the 10-Gbps enterprise port (Port 1, enp9s0, Network Adapter 4). If you need to use the cloud port, connect it to a switch with connections to your Internet proxy server and configure an IP address with a subnet mask for the port.
· (Required) 10-Gbps Enterprise Port (Port 1, enp9s0, Network Adapter 4): This is the right-hand port on the VIC 1227 card in the appliance mLOM slot. Its purpose is to enable Cisco DNA Center to communicate with and manage your network. Connect this port to a switch with connections to the enterprise network and configure one IP address with a subnet mask for the port.
· (Optional, but strongly recommended) 1-Gbps CIMC Port (M): This port provides browser access to the Cisco Integrated Management Controller (CIMC) out-of-band appliance management interface and its GUI. Its purpose is to allow you to manage the appliance and its hardware. Connect this port to a switch with connections to your enterprise management network and configure an IP address with a subnet mask for the port.
The following figure shows the recommended connections for a single-node Cisco DNA Center cluster:
Figure 3: Recommended Cabling for Single-Node Cluster

The following figure shows the recommended connections for a three-node Cisco DNA Center cluster. All but one of the connections for each node in the three-node cluster are the same as those for the single-node cluster, and use the same ports. The exception is the Cluster Port (Port 2, enp10s0, Network Adapter 1), which is required so that each host in the three-node cluster can communicate with the other hosts.

Figure 4: Recommended Cabling for Three-Node Cluster

For a short video presentation about the rear-panel ports and how they are used, see the first five minutes of Unboxing Cisco DNA Center Appliance for Assurance and SD-Access (under the section "Get Started"). For more details on each of the ports, see the rear panel diagram and accompanying descriptions for your appliance in Front and Rear Panels.
Note: Multinode cluster deployments require all the member nodes to be in the same network and at the same site. The appliance does not support distribution of nodes across multiple networks or sites.

When cabling the 10-Gbps enterprise and cluster ports, please note that both ports support only the following media types:
· SFP-10G-SR (Short range, MMF)
· SFP-10G-LR (Long range, SMF)
· SFP-H10GB-CU1M (Twinax cable, passive, 1 Meter)
· SFP-H10GB-CU3M (Twinax cable, passive, 3 Meters)
· SFP-H10GB-CU5M (Twinax cable, passive, 5 Meters)
· SFP-H10GB-ACU7M (Twinax cable, active, 7 Meters)


Required IP Addresses and Subnets
Before beginning the installation, you must ensure that your network has sufficient IP addresses available to assign to each of the appliance ports that you plan on using. Depending on whether you are installing the appliance as a single-node cluster or as a primary or secondary node in a three-node cluster, you will need the following appliance port (NIC) addresses:
· Enterprise Port Address (Required): One IP address with a subnet mask.
· Cluster Port Address (Required): One IP address with a subnet mask.
· Management Port Address (Optional): One IP address with a subnet mask.
· Cloud Port Address (Optional): One IP address with a subnet mask. This is an optional port, used only when you cannot connect to the cloud using the Enterprise port. You do not need an IP address for the Cloud port unless you must use it for this purpose.
· CIMC Port Address (Optional, but strongly recommended): One IP address with a subnet mask.
Note All of the IP addresses called for in these requirements must be valid IPv4 addresses with valid IPv4 netmasks. Ensure that the addresses and their corresponding subnets do not overlap. Service communication issues can result if they do.
You will also need the following additional IP addresses and dedicated IP subnets, which are prompted for and applied during configuration of the appliance:
1. Cluster Virtual IP Addresses: One virtual IP (VIP) address per configured network interface per cluster. This requirement applies to three-node clusters and single-node clusters that are likely to be converted into a three-node cluster in the future. You must supply a VIP for each network interface you configure. Each VIP should be from the same subnet as the IP address of the corresponding configured interface. There are four interfaces on each appliance: Enterprise, Cluster, Management, and Cloud. At a minimum, you must configure the Enterprise and Cluster port interfaces, as they are required for Cisco DNA Center functionality. An interface is considered configured if you supply an IP address for that interface, along with a subnet mask and one or more associated gateways or static routes. If you skip an interface entirely during configuration, that interface is considered as not configured.
Note the following:
· If you have a single-node setup and do not plan to convert it into a three-node cluster in the future, you are not required to specify a virtual IP address. However, if you decide to do so, you must specify a virtual IP address for every configured network interface (just as you would for a three-node cluster).
· If the intracluster link for a single-node cluster goes down, the VIP addresses associated with the Management and Enterprise interfaces also go down. When this happens, Cisco DNA Center is unusable until the intracluster link is restored: the Software Image Management (SWIM) and Cisco Identity Services Engine (ISE) integrations stop working, and Cisco DNA Assurance data is not displayed because information cannot be gathered from the Network Data Platform (NDP) collectors. This is why the cluster port must be connected to a switch port that is up even on a single node.
· You cannot use a link-local IP address for a host interface.


2. Default Gateway IP Address: The IP address for your network's preferred default gateway. If no other routes match the traffic, traffic will be routed through this IP address. Typically, you should assign the default gateway to the interface in your network configuration that accesses the internet. For information on security considerations to keep in mind when deploying Cisco DNA Center, see the Cisco Digital Network Architecture Center Security Best Practices Guide.
3. DNS Server IP Addresses: The IP address for one or more of your network's preferred DNS servers. During configuration, you can specify multiple DNS server IP addresses by entering them as a space-separated list.
4. (Optional) Static Route Addresses: The IP addresses, subnet masks, and gateways for one or more static routes. During configuration, you can specify multiple static-route IP addresses, netmasks, and gateways by entering them as a space-separated list.
You can set one or more static routes for any interface on the appliance. You should supply static routes when you want to route traffic in a specific direction other than the default gateway. Each interface with static routes is set as the device through which the matching traffic is routed in the IP route table. For this reason, it is important to match each static route with the interface through which the traffic will be sent.
Static routes are not recommended in network device routing tables such as those used by switches and routers. Dynamic routing protocols are better for this. However, you should add them where needed to allow the appliance access to particular parts of the network that can be reached no other way.
5. NTP Server IP Addresses: The DNS-resolvable hostname, or IP address, for at least one Network Time Protocol (NTP) server.
During configuration, you can specify multiple NTP server IP addresses/masks or hostnames by entering them as a space-separated list. For a production deployment, we recommend that you configure a minimum of three NTP servers.
You will specify these servers during pre-flight hardware synchronization and again during configuration of the software on each appliance in the cluster. Time synchronization is critical to the accuracy of data and coordination of processing across a multi-host cluster. Before deploying the appliance in production, make sure that the time on the appliance system clock is current and that the Network Time Protocol (NTP) servers you specified are keeping accurate time. If you are planning to integrate the appliance with Cisco Identity Services Engine (ISE), you should also ensure that ISE is synchronizing with the same NTP servers as the appliance.
6. Container Subnet: Identifies one dedicated IP subnet for the appliance to use in managing and getting IP addresses for communications among its internal application services, such as Assurance, inventory collection, and so on. By default, Cisco DNA Center configures a link-local subnet (169.254.32.0/20) for this parameter, and we recommend that you use this subnet. If you choose to enter another subnet, ensure that it does not conflict with or overlap any other subnet used by Cisco DNA Center's internal network or any external network. Also ensure that the minimum size of the subnet is 21 bits. The subnet you specify must conform with the IETF RFC 1918 and RFC 6598 specifications for private networks, which support the following address ranges:
· 10.0.0.0/8
· 172.16.0.0/12
· 192.168.0.0/16
· 100.64.0.0/10


For details, see RFC 1918, Address Allocation for Private Internets, and RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space.
Important:
· Ensure that you specify a valid CIDR subnet. Otherwise, incorrect bits will be present in the 172.17.1.0/20 and 172.17.61.0/20 subnets.
· After configuration of your Cisco DNA Center appliance is completed, you cannot assign a different subnet without first reimaging the appliance (see the "Reimage the Appliance" topic in the "Configure the Appliance" chapter for more information).
7. Cluster Subnet: Identifies one dedicated IP subnet for the appliance to use in managing and getting IPs for communications among its infrastructure services, such as database access, the message bus, and so on. By default, Cisco DNA Center configures a link-local subnet (169.254.48.0/20) for this parameter, and we recommend that you use this subnet. If you choose to enter another subnet, ensure that it does not conflict with or overlap any other subnet used by Cisco DNA Center's internal network or any external network. Also ensure that the minimum size of the subnet is 21 bits. The subnet you specify must conform with the IETF RFC 1918 and RFC 6598 specifications for private networks, which support the following address ranges:
· 10.0.0.0/8
· 172.16.0.0/12
· 192.168.0.0/16
· 100.64.0.0/10
For details, see RFC 1918, Address Allocation for Private Internets, and RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space. If you were to specify 10.10.10.0/21 as your Container subnet, you could also specify a Cluster subnet of 10.0.8.0/21 since these two subnets do not overlap. Also note that the configuration wizard detects overlaps (if any) between these subnets and prompts you to correct the overlap.
Important:
· Ensure that you specify a valid CIDR subnet. Otherwise, incorrect bits will be present in the 172.17.1.0/20 and 172.17.61.0/20 subnets.
· After configuration of your Cisco DNA Center appliance is completed, you cannot assign a different subnet without first reimaging the appliance (see the "Reimage the Appliance" topic in the "Configure the Appliance" chapter for more information).
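The subnet rules in items 6 and 7 (valid CIDR with no host bits set, inside an RFC 1918 or RFC 6598 range, at least a /21, and no overlap between the Container and Cluster subnets) can be checked before you start the configuration wizard. The following script is an added example written for this guide, not Cisco's code; it uses only the Python standard library, and the candidate subnets in its main block are constructed test values. The guide's link-local defaults are accepted as a special case because they lie outside the private ranges.

```python
"""Pre-flight check for the Cisco DNA Center Container and Cluster subnets.

Added example, not part of the Cisco guide. It encodes the rules stated in
items 6 and 7: valid CIDR (no host bits set), within RFC 1918 / RFC 6598,
at least a /21, and the two subnets must not overlap.
"""
import ipaddress

# Private ranges named in the guide (RFC 1918 plus RFC 6598 shared address space).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

# Defaults the guide recommends; link-local, so they sit outside PRIVATE_RANGES.
DEFAULT_CONTAINER = ipaddress.ip_network("169.254.32.0/20")
DEFAULT_CLUSTER = ipaddress.ip_network("169.254.48.0/20")

MAX_PREFIX = 21  # "minimum size of the subnet is 21 bits": /21 or larger


def check_subnet(text, name, default):
    """Return a list of problems with one subnet string (empty list = OK)."""
    try:
        # strict=True rejects e.g. 10.10.10.0/21, whose host bits are not zero.
        net = ipaddress.ip_network(text, strict=True)
    except ValueError as exc:
        return [f"{name}: not a valid CIDR subnet ({exc})"]
    if net == default:
        return []  # the recommended default is accepted as-is
    if net.version != 4:
        return [f"{name}: must be an IPv4 subnet"]
    problems = []
    if net.prefixlen > MAX_PREFIX:
        problems.append(f"{name}: /{net.prefixlen} is too small; use /{MAX_PREFIX} or larger")
    if not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{name}: {net} is not within an RFC 1918 or RFC 6598 range")
    return problems


def check_subnet_pair(container, cluster):
    """Validate both subnets plus the no-overlap rule; return every problem found."""
    problems = check_subnet(container, "Container subnet", DEFAULT_CONTAINER)
    problems += check_subnet(cluster, "Cluster subnet", DEFAULT_CLUSTER)
    try:
        c = ipaddress.ip_network(container, strict=True)
        k = ipaddress.ip_network(cluster, strict=True)
    except ValueError:
        return problems  # already reported above
    if c.overlaps(k):
        problems.append(f"Container {c} and Cluster {k} overlap")
    return problems


if __name__ == "__main__":
    # Constructed candidates: defaults, a valid pair, host bits set,
    # too small and overlapping, and a non-private range.
    for pair in (("169.254.32.0/20", "169.254.48.0/20"),
                 ("10.10.8.0/21", "10.0.8.0/21"),
                 ("10.10.10.0/21", "10.0.8.0/21"),
                 ("10.0.8.0/21", "10.0.8.0/22"),
                 ("8.8.0.0/21", "10.0.8.0/21")):
        result = check_subnet_pair(*pair)
        print(pair, "OK" if not result else result)
```

Run it with the two subnets you intend to enter; an empty result means the wizard's own overlap and CIDR checks should also pass.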
The recommended total IP address space for the two Container and Cluster subnets contains 4,096 addresses, broken down into two /21 subnets of 2,048 addresses each. The two /21 subnets must not overlap. Cisco DNA Center's internal services require a dedicated set of IP addresses to operate (a requirement of the Cisco DNA Center microservice architecture). To accommodate this requirement, you must allocate two dedicated subnets per Cisco DNA Center system. One reason the appliance requires this amount of address space is to maintain system performance. Because it uses internal routing and tunneling technologies for east-west (inter-node) communications, using overlapping address spaces would force the appliance to run Virtual Routing and Forwarding FIBs internally. This would lead to multiple encaps/decaps for packets going from one service to another, causing high internal latency at a very low level, with cascading impacts at higher layers.
Another reason is the Cisco DNA Center Kubernetes-based service containerization architecture. Each appliance uses the IP addresses in this space per Kubernetes K8 node. Multiple nodes can make up a single service. Currently, Cisco DNA Center supports more than 100 services, each requiring several IP addresses, and new features and corresponding services are being added all the time. The address space requirement is purposely kept large at the start to ensure that Cisco can add new services and features without either running out of IPs or requiring customers to reallocate contiguous address spaces simply to upgrade their systems.
The services supported over these subnets are also enabled at Layer 3. The Cluster space, in particular, carries data between application and infrastructure services, and is heavily used.
The RFC 1918 and RFC 6598 requirement exists because Cisco DNA Center must download packages and updates from the cloud. If the selected IP address ranges do not conform with RFC 1918 and RFC 6598, overlaps with public IP addresses can quickly cause problems.

Required Internet URLs and Fully Qualified Domain Names

The appliance requires secure access to the following table of URLs and Fully Qualified Domain Names (FQDNs).
The table describes the features that make use of each URL and FQDN. You must configure either your network firewall or a proxy server so that IP traffic can travel to and from the appliance and these resources. If you cannot provide this access for any listed URL and FQDN, the associated features will be impaired or inoperable.
For more on requirements for proxy access to the internet, see Provide Secure Access to the Internet.
Table 4: Required URLs and FQDN Access

In order to: Download updates to the system and application package software; submit user feedback to the product team.
Cisco DNA Center must access: Recommended: *.ciscoconnectdna.com:443 [1]. Customers who want to avoid wildcards can specify these URLs instead:
· https://www.ciscoconnectdna.com
· https://cdn.ciscoconnectdna.com
· https://registry.ciscoconnectdna.com
· https://registry-cdn.ciscoconnectdna.com

In order to: Download the Cisco DNA Center update package; Smart Account and SWIM software downloads; authenticate with the cloud domain.
Cisco DNA Center must access:
· https://*.ciscoconnectdna.com/*
· https://apx.cisco.com
· https://cloudsso.cisco.com/as/token.oauth2
· https://*.cisco.com/*
· https://download-ssc.cisco.com/
· https://dnaservices.cisco.com

In order to: Integrate with Webex.
Cisco DNA Center must access:
· http://analytics.webexapis.com
· https://webexapis.com

In order to: Submit user feedback.
Cisco DNA Center must access: https://dnacenter.uservoice.com

In order to: Integrate with Cisco Meraki.
Cisco DNA Center must access: Recommended: *.meraki.com:443. Customers who want to avoid wildcards can specify these URLs instead:
· dashboard.meraki.com:443
· api.meraki.com:443
· n63.meraki.com:443

In order to: Check SSL/TLS certificate revocation status using OCSP/CRL.
Cisco DNA Center must access:
· http://ocsp.quovadisglobal.com
· http://crl.quovadisglobal.com/*
· http://x3ocsp.identrust.com
· http://validation.identrust.com/crl/hydrantidcao1.crl
Note: These URLs do not utilize the proxy server that's configured for Cisco DNA Center. Confirm that Cisco DNA Center can access the URLs directly.

In order to: Integrate with cisco.com and Cisco Smart Licensing.
Cisco DNA Center must access: *.cisco.com:443. Customers who want to avoid wildcards can specify these URLs instead:
· software.cisco.com
· cloudsso.cisco.com
· cloudsso1.cisco.com
· cloudsso2.cisco.com
· apiconsole.cisco.com
· api.cisco.com
· apx.cisco.com
· sso.cisco.com
· apmx-prod1-vip.cisco.com
· apmx-prod2-vip.cisco.com
· tools.cisco.com
· tools1.cisco.com
· tools2.cisco.com
· smartreceiver.cisco.com

In order to: Render accurate information in site and location maps.
Cisco DNA Center must access:
· www.mapbox.com
· *.tiles.mapbox.com/* :443. For a proxy, the destination is *.tiles.mapbox.com/*

In order to: Collect Cisco AI Network Analytics data. Configure your network or HTTP proxy to allow outbound HTTPS (TCP 443) access to the cloud hosts.
Cisco DNA Center must access:
· https://api.use1.prd.kairos.ciscolabs.com (US East Region)
· https://api.euc1.prd.kairos.ciscolabs.com (EU Central Region)

In order to: Access a menu of interactive help flows that let you complete specific tasks from the GUI.
Cisco DNA Center must access: https://ec.walkme.com

In order to: Access the licensing service.
Cisco DNA Center must access: https://swapi.cisco.com

[1] Cisco owns and maintains ciscoconnectdna.com and its subdomains. The Cisco Connect DNA infrastructure meets Cisco Security and Trust guidelines and undergoes continuous security testing. This infrastructure is robust, with built-in load balancing and automation capabilities, and is monitored and maintained by a cloud operations team to ensure 24x7x365 availability.


Provide Secure Access to the Internet
By default, the appliance is configured to access the internet in order to download software updates, licenses, and device software, as well as provide up-to-date map information, user feedback, and so on. Providing internet connections for these purposes is a mandatory requirement.
Using an HTTPS proxy server is a reliable way to access remote URLs securely. We recommend that you use an HTTPS proxy server to provide the appliance with the access it needs to the URLs listed in Required Internet URLs and Fully Qualified Domain Names. During appliance installation, you are prompted to enter the URL and port number of the proxy server you want to use for this purpose, along with the proxy's login credentials (if the proxy requires them).
As of this release, the appliance supports communication with proxy servers over HTTP only. You can place the HTTPS proxy server anywhere within your network. The proxy server communicates with the internet using HTTPS, while the appliance communicates with the proxy server via HTTP. Therefore, we recommend that you specify the proxy's HTTP port when configuring the proxy during appliance configuration.
If you need to change the proxy setting after configuration, you can do so using the GUI.
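Because the appliance-to-proxy leg is plain HTTP and the OCSP/CRL hosts in Table 4 bypass the proxy entirely, a useful pre-flight test is to exercise both paths from a host on the appliance's Enterprise subnet before installation. The script below is an added example for this guide, not Cisco's code and not part of Cisco DNA Center. It assumes the proxy is an HTTP forward proxy that accepts CONNECT for port-443 tunnels (the usual behaviour of such proxies); the proxy address in the main block is a placeholder, the hostnames come from Table 4, and the proxy credentials in the test are constructed values.

```python
"""Pre-flight reachability check for a subset of the Table 4 endpoints.

Added example, not part of the Cisco guide. Proxied hosts are reached with
an HTTP CONNECT to the proxy (the appliance speaks plain HTTP to the proxy;
the proxy speaks HTTPS onward), OCSP/CRL hosts are reached directly, and
TLS endpoints are verified with the default certificate store.
"""
import base64
import socket
import ssl
from urllib.parse import urlsplit

# Non-wildcard entries copied from Table 4 (wildcards cannot be probed).
REQUIRED = [
    "https://www.ciscoconnectdna.com",
    "https://cloudsso.cisco.com/as/token.oauth2",
    "dashboard.meraki.com:443",
    "http://ocsp.quovadisglobal.com",  # OCSP/CRL: must not go through the proxy
]
# Per the table's Note, revocation-check hosts are contacted directly.
NO_PROXY_SUFFIXES = ("quovadisglobal.com", "identrust.com")


def endpoint(entry):
    """Normalise a Table 4 entry into (host, port, use_tls)."""
    if "://" not in entry:
        entry = "https://" + entry  # bare host:port entries in the table are HTTPS
    parts = urlsplit(entry)
    use_tls = parts.scheme == "https"
    port = parts.port or (443 if use_tls else 80)
    return parts.hostname, port, use_tls


def uses_proxy(host):
    """OCSP/CRL hosts are reached directly; everything else goes via the proxy."""
    return not host.endswith(NO_PROXY_SUFFIXES)


def connect_request(host, port, username=None, password=None):
    """Build the plaintext HTTP CONNECT the appliance sends to the proxy."""
    lines = [f"CONNECT {host}:{port} HTTP/1.1", f"Host: {host}:{port}"]
    if username is not None:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        lines.append(f"Proxy-Authorization: Basic {token}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode()


def probe(host, port, use_tls, proxy=None, timeout=5):
    """Open the connection (directly or via the proxy); return (ok, detail)."""
    try:
        if proxy and uses_proxy(host):
            sock = socket.create_connection(proxy, timeout)
            sock.sendall(connect_request(host, port))
            status = sock.recv(4096).split(b"\r\n", 1)[0].decode(errors="replace")
            if " 200 " not in status:
                sock.close()
                return False, f"proxy refused CONNECT: {status}"
        else:
            sock = socket.create_connection((host, port), timeout)
        if use_tls:
            # The default context verifies the chain and the hostname.
            ctx = ssl.create_default_context()
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.version()
        sock.close()
        return True, "tcp"
    except (OSError, ssl.SSLError) as exc:
        return False, str(exc)


if __name__ == "__main__":
    PROXY = ("proxy.example.internal", 3128)  # placeholder: your proxy's HTTP port
    for entry in REQUIRED:
        host, port, tls = endpoint(entry)
        ok, detail = probe(host, port, tls, PROXY)
        path = "proxy" if uses_proxy(host) else "direct"
        print(f"{'OK  ' if ok else 'FAIL'} {host}:{port} ({path}) {detail}")
```

A FAIL on a proxied host usually means the proxy's HTTP port or an allow-list is wrong; a FAIL on an OCSP host means the firewall is blocking the direct path that the table's Note requires.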
Required Network Ports
The following tables list the well-known network service ports that the appliance uses. You must ensure that these ports are open for traffic flows to and from the appliance, whether you open them using firewall settings or a proxy gateway.
Additional ports, protocols, and types of traffic must be accommodated if you are deploying the appliance in a network that employs SDA infrastructure. For details, see Required Ports and Protocols for Cisco Software-Defined Access.

Note: For information on security considerations when deploying Cisco DNA Center, see the Cisco Digital Network Architecture Center Security Best Practices Guide.

Table 5: Ports: Incoming Traffic

Port Number | Permitted Traffic | Protocol (TCP or UDP)
22 | SSH | TCP
67 | BOOTP | UDP
80 | HTTP | TCP
111 | NFS (used for Assurance backups) | TCP and UDP
123 | NTP | UDP
162 | SNMP | UDP
443 | HTTPS | TCP
514 | Syslog | UDP
2049 | NFS (used for Assurance backups) | TCP and UDP
2222 | SSH | TCP
9991 | Multicast Domain Name System (mDNS) | TCP
20048 | NFS (used for Assurance backups) | TCP and UDP
32767 | NFS (used for Assurance backups) | TCP and UDP

Table 6: Ports: Outgoing Traffic

Port Number | Permitted Traffic | Protocol (TCP or UDP)
22 | SSH (to network devices and Cisco ISE) | TCP
23 | Telnet (to network devices) | TCP
53 | DNS | UDP
80 | Port 80 can be used for an outgoing proxy configuration. Other common ports (such as 8080) can also be used when a proxy is configured using the Configuration wizard (if a proxy is already in use for your network). To access Cisco-supported certificates and trust pools, configure your network to allow outgoing IP traffic from the appliance to the Cisco addresses listed at https://www.cisco.com/security/pki/ | TCP
123 | NTP | UDP
161 | SNMP agent | UDP
443 | HTTPS | TCP
5222, 8910 | Cisco ISE XMP for PxGrid | TCP
9060 | Cisco ISE ERS API traffic | TCP

Note: Additionally, you can configure your network to allow outgoing IP traffic from the appliance to the Cisco addresses at https://www.cisco.com/security/pki/. The appliance uses the IP addresses listed at that URL to access Cisco-supported certificates and trust pools.


Required Ports and Protocols for Cisco Software-Defined Access
This topic details the ports, protocols, and types of traffic native to a typical Cisco SD-Access fabric deployment that is similar to the one shown in the following figure.
Figure 5: Cisco SD-Access Fabric Infrastructure

If you have implemented Cisco SD-Access in your network, use the information in the following tables to plan firewall and security policies that secure your Cisco SD-Access infrastructure properly while providing Cisco DNA Center with the access it requires to automate your network management.

Table 7: Cisco DNA Center Traffic

Source Port [2] | Source | Destination Port | Destination | Description
Any | Cisco DNA Center | UDP 53 | DNS Server | From Cisco DNA Center to DNS server
Any | Cisco DNA Center | TCP 22 | Fabric underlay | From Cisco DNA Center to fabric switches' loopbacks for SSH
Any | Cisco DNA Center | TCP 23 | Fabric underlay | From Cisco DNA Center to fabric switches' loopbacks for TELNET
Any | Cisco DNA Center | UDP 161 | Fabric underlay | From Cisco DNA Center to fabric switches' loopbacks for SNMP device discovery
ICMP | Cisco DNA Center | ICMP | Fabric underlay | From Cisco DNA Center to fabric switches' loopbacks for SNMP device discovery
Any | Cisco DNA Center | TCP 443 | Fabric underlay | From Cisco DNA Center to fabric switches for software upgrades (also to the internet if there is no proxy)
Any | Cisco DNA Center | UDP 6007 | Switches and routers | From Cisco DNA Center to switches and routers for NetFlow
Any | Cisco DNA Center | TCP 830 | Fabric underlay | From Cisco DNA Center to fabric switches for Netconf (Cisco SD-Access embedded wireless)
UDP 123 | Cisco DNA Center | UDP 123 | Fabric underlay | From Cisco DNA Center to fabric switches for the initial period during LAN automation
Any | Cisco DNA Center | UDP 123 | NTP Server | From Cisco DNA Center to NTP server
Any | Cisco DNA Center | TCP 22, UDP 161 | Cisco Wireless Controller | From Cisco DNA Center to Cisco Wireless Controller
ICMP | Cisco DNA Center | ICMP | Cisco Wireless Controller | From Cisco DNA Center to Cisco Wireless Controller
Any | AP | TCP 32626 | Cisco DNA Center | Used for receiving traffic statistics and packet capture data used by the Cisco DNA Assurance Intelligent Capture (gRPC) feature.

[2] Cluster, PKI, SFTP server, and proxy port traffic are not included in this table.


Table 8: Internet Connectivity Traffic

Source Port | Source | Destination Port | Destination | Description
Any | Cisco DNA Center | TCP 443 | registry.ciscoconnectdna.com | Download Cisco DNA Center package updates
Any | Cisco DNA Center | TCP 443 | www.ciscoconnectdna.com | Download Cisco DNA Center package updates
Any | Cisco DNA Center | TCP 443 | registry-cdn.ciscoconnectdna.com | Download Cisco DNA Center package updates
Any | Cisco DNA Center | TCP 443 | cdn.ciscoconnectdna.com | Download Cisco DNA Center package updates
Any | Cisco DNA Center | TCP 443 | software.cisco.com | Download device software
Any | Cisco DNA Center | TCP 443 | cloudsso.cisco.com | Validate Cisco.com and Smart Account credentials
Any | Cisco DNA Center | TCP 443 | cloudsso1.cisco.com | Validate Cisco.com and Smart Account credentials
Any | Cisco DNA Center | TCP 443 | cloudsso2.cisco.com | Validate Cisco.com and Smart Account credentials
Any | Cisco DNA Center | TCP 443 | apiconsole.cisco.com | CSSM Smart Licensing API
Any | Cisco DNA Center | TCP 443 | sso.cisco.com | Cisco.com credentials and Smart Licensing
Any | Cisco DNA Center | TCP 443 | api.cisco.com | Cisco.com credentials and Smart Licensing
Any | Cisco DNA Center | TCP 443 | apx.cisco.com | Cisco.com credentials and Smart Licensing
Any | Cisco DNA Center | TCP 443 | dashboard.meraki.com | Meraki integration
Any | Cisco DNA Center | TCP 443 | api.meraki.com | Meraki integration
Any | Cisco DNA Center | TCP 443 | n63.meraki.com | Meraki integration
Any | Cisco DNA Center | TCP 443 | dnacenter.uservoice.com | User feedback submission
Any | Cisco DNA Center Admin Client | TCP 443 | *.tiles.mapbox.com | Render maps in the browser (for access through proxy; the destination is *.tiles.mapbox.com/*)
Any | Cisco DNA Center | TCP 443 | www.mapbox.com | Maps and Cisco Wireless Controller country code identification


Table 9: Cisco Software-Defined Access Fabric Underlay Traffic

Source Port [3] | Source | Destination Port | Destination | Description
UDP 68 | Fabric underlay | UDP 67 | DHCP server | From fabric switches and routers to the DHCP server for DHCP Relay packets initiated by the fabric edge nodes.
Any | Fabric underlay | TCP 80 | Cisco DNA Center | From fabric switch and router loopback IPs to Cisco DNA Center for PnP
Any | Fabric underlay | TCP 443 | Cisco DNA Center | From fabric switch and router loopback IPs to Cisco DNA Center for image upgrade
Any | Fabric underlay | UDP 162 | Cisco DNA Center | From fabric switch and router loopback IPs to Cisco DNA Center for SNMP Traps
Any | Fabric underlay | UDP 514 | Cisco DNA Center | From fabric switches and routers to Cisco DNA Assurance
Any | Fabric underlay | UDP 6007 | Cisco DNA Center | From fabric switches and routers to Cisco DNA Center for NetFlow
Any | Fabric underlay | UDP 123 | Cisco DNA Center | From fabric switches to Cisco DNA Center; used when doing LAN automation
ICMP | Fabric underlay | ICMP | Cisco DNA Center | From fabric switch and router loopbacks to Cisco DNA Center for SNMP: device discovery
UDP 161 | Fabric underlay | Any | Cisco DNA Center | From fabric switch and router loopbacks to Cisco DNA Center for SNMP: device discovery
Any | Fabric underlay | UDP 53 | DNS Server | From fabric switches and routers to DNS server for name resolution
TCP and UDP 4342 | Fabric underlay | TCP and UDP 4342 | Fabric Routers and Switches | LISP-encapsulated control messages
TCP and UDP 4342 | Fabric underlay | Any | Fabric Routers and Switches | LISP control-plane communications
Any | Fabric underlay | UDP 4789 | Fabric Routers and Switches | Fabric-encapsulated data packets (VXLAN-GPO)
Any | Fabric underlay | UDP 1645/1646/1812/1813 | ISE | From fabric switch and router loopback IPs to ISE for RADIUS
ICMP | Fabric underlay | ICMP | ISE | From fabric switches and routers to ISE for troubleshooting
UDP 1700/3799 | Fabric underlay | Any | ISE | From fabric switches to ISE for care-of address (CoA)
Any | Fabric underlay | UDP 123 | NTP Server | From fabric switch and router loopback IPs to the NTP server
Any | Control plane | UDP and TCP 4342/4343 | Cisco Wireless Controller | From control-plane loopback IP to Cisco Wireless Controller for fabric-enabled wireless

[3] Border routing protocol, SPAN, profiling, and telemetry traffic are not included in this table.

Table 10: Cisco Wireless Controller Traffic

Source Port | Source | Destination Port | Destination | Description
UDP 5246/5247/5248 | Cisco Wireless Controller | Any | AP IP Address Pool | From Cisco Wireless Controller to an AP subnet for CAPWAP
ICMP | Cisco Wireless Controller | ICMP | AP IP Address Pool | From Cisco Wireless Controller to APs allowing ping for troubleshooting
Any | Cisco Wireless Controller | TCP 443 (Cisco AireOS wireless controllers); TCP 25103 (Cisco 9800 wireless controllers) | Cisco DNA Center | From Cisco Wireless Controller to Cisco DNA Center for Assurance
Any | Cisco Wireless Controller | UDP 69/5246/5247 | AP IP Address Pool | From Cisco Wireless Controller to an AP subnet for CAPWAP
Any | Cisco Wireless Controller | UDP and TCP 4342/4343 | Control plane | From Cisco Wireless Controller to control-plane loopback IP address
Any | Cisco Wireless Controller | TCP 22 | Cisco DNA Center | From Cisco Wireless Controller to Cisco DNA Center for device discovery
UDP 161 | Cisco Wireless Controller | Any | Cisco DNA Center | From Cisco Wireless Controller to Cisco DNA Center for SNMP
Any | Cisco Wireless Controller | UDP 162 | Cisco DNA Center | From Cisco Wireless Controller to Cisco DNA Center for SNMP traps
Any | Cisco Wireless Controller | TCP 16113 | Cisco Mobility Services Engine (MSE) and Cisco Spectrum Expert | From Cisco Wireless Controller to Cisco MSE and Spectrum Expert for NMSP
ICMP | Cisco Wireless Controller | ICMP | Cisco DNA Center | From Cisco Wireless Controller to allow ping for troubleshooting
Any | Cisco Wireless Controller | UDP 514 | Various syslog servers | Syslog (optional)
Any | Cisco Wireless Controller | UDP 53 | DNS Server | From Cisco Wireless Controller to DNS server
Any | Cisco Wireless Controller | TCP 443 | ISE | From Cisco Wireless Controller to ISE for Guest SSID web authorization
Any | Cisco Wireless Controller | UDP 1645, 1812 | ISE | From Cisco Wireless Controller to ISE for RADIUS authentication
Any | Cisco Wireless Controller | UDP 1646, 1813 | ISE | From Cisco Wireless Controller to ISE for RADIUS accounting
Any | Cisco Wireless Controller | UDP 1700, 3799 | ISE | From Cisco Wireless Controller to ISE for RADIUS CoA
ICMP | Cisco Wireless Controller | ICMP | ISE | From Cisco Wireless Controller to ISE ICMP for troubleshooting
Any | Cisco Wireless Controller | UDP 123 | NTP server | From Cisco Wireless Controller to NTP server

Table 11: Fabric-Enabled Wireless AP IP Address Pool Traffic

Source Port | Source | Destination Port | Destination | Description
UDP 68 | AP IP Address Pool | UDP 67 | DHCP server | From an AP IP Address pool to DHCP server.
ICMP | AP IP Address Pool | ICMP | DHCP server | From an AP IP Address pool to ICMP for troubleshooting.
Any | AP IP Address Pool | 514 | Various | Syslog. Destination configurable; default is 255.255.255.255.
Any | AP IP Address Pool | UDP 69/5246/5247/5248 | Cisco Wireless Controller | From an AP IP Address pool to Cisco Wireless Controller for CAPWAP.
ICMP | AP IP Address Pool | ICMP | Cisco Wireless Controller | From an AP IP Address pool to Cisco Wireless Controller, allowing ping for troubleshooting.

Table 12: ISE Traffic

Source Port [4] | Source | Destination Port | Destination | Description
Any | ISE | TCP 64999 | Border | From ISE to border node for SGT Exchange Protocol (SXP)
Any | ISE | UDP 514 | Cisco DNA Center | From ISE to syslog server (Cisco DNA Center)
UDP 1645/1646/1812/1813 | ISE | Any | Fabric underlay | From ISE to fabric switches and routers for RADIUS and authorization
Any | ISE | UDP 1700/3799 | Fabric underlay, Cisco Wireless Controller | From ISE to fabric switch and router loopback IP addresses for RADIUS Change of Authorization (CoA). UDP port 3799 must also be open from ISE to the wireless controller for CoA.
ICMP | ISE | ICMP | Fabric underlay | From ISE to fabric switches for troubleshooting
Any | ISE | UDP 123 | NTP Server | From ISE to NTP server
UDP 1812/1645/1813/1646 | ISE | Any | Cisco Wireless Controller | From ISE to Cisco Wireless Controller for RADIUS
ICMP | ISE | ICMP | Cisco Wireless Controller | From ISE to Cisco Wireless Controller for troubleshooting

[4] Note: High availability and profiling traffic are not included in this table.

Table 13: DHCP Server Traffic

Source Port | Source | Destination Port | Destination | Description
UDP 67 | DHCP server | UDP 68 | AP IP Address Pool | From DHCP server to fabric APs
ICMP | DHCP server | ICMP | AP IP Address Pool | ICMP for troubleshooting: Fabric to DHCP
UDP 67 | DHCP server | UDP 68 | Fabric underlay | From DHCP to fabric switches and routers
ICMP | DHCP server | ICMP | Fabric underlay | ICMP for troubleshooting: Fabric to DHCP
UDP 67 | DHCP server | UDP 68 | User IP Address Pool | From DHCP server to fabric switches and routers
ICMP | DHCP server | ICMP | User IP Address Pool | ICMP for troubleshooting: User to DHCP

Table 14: NTP Server Traffic

Source Port | Source | Destination Port | Destination | Description
UDP 123 | NTP Server | Any | ISE | From NTP server to ISE
UDP 123 | NTP Server | Any | Cisco DNA Center | From NTP server to Cisco DNA Center
UDP 123 | NTP Server | Any | Fabric underlay | From NTP server to fabric switch and router loopback
UDP 123 | NTP Server | Any | Cisco Wireless Controller | From NTP server to Cisco Wireless Controller

Table 15: DNS Traffic

Source Port | Source | Destination Port | Destination | Description
UDP 53 | DNS Server | Any | Fabric underlay | From DNS server to fabric switches
UDP 53 | DNS Server | Any | Cisco Wireless Controller | From DNS server to Cisco Wireless Controller
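Tables 7 through 15 are meant to be turned into firewall policy, and the practical failure mode is a rule set that covers most rows but silently misses a port list such as the legacy RADIUS ports. The script below is an added example for this guide, not Cisco's code: it parses destination-port cells written the way these tables write them ("TCP and UDP 4342", "UDP 1645/1646/1812/1813", "ICMP"), expands a hand-copied subset of rows from Tables 7, 9 and 12 into individual flows, and reports which flows a candidate policy does not permit. The zone names are the tables' own source and destination labels; the sample rule set is constructed and deliberately incomplete.

```python
"""Coverage check of a candidate firewall policy against SD-Access table rows.

Added example, not part of the Cisco guide. ROWS is a hand-copied subset of
Tables 7, 9 and 12; SAMPLE_RULES is a constructed policy with two gaps.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: Optional[int]   # None for ICMP / "Any"
    note: str


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    ports: Optional[FrozenSet[int]]  # None means any destination port

    def permits(self, f: Flow) -> bool:
        return (self.src in ("any", f.src) and self.dst in ("any", f.dst)
                and self.proto in ("any", f.proto)
                and (self.ports is None or f.dport in self.ports))


def parse_port_spec(spec: str) -> List[Tuple[str, Optional[int]]]:
    """Expand a table cell into (protocol, port) pairs.

    'TCP and UDP 4342' -> tcp/4342, udp/4342; 'UDP 1645/1646' -> two udp pairs;
    'TCP 22, UDP 161' -> two segments; 'ICMP' and 'Any' carry no port.
    """
    pairs = []
    for segment in spec.split(","):
        words = segment.replace("/", " ").split()
        protos = [w.lower() for w in words if w.upper() in ("TCP", "UDP", "ICMP", "ANY")]
        ports = [int(w) for w in words if w.isdigit()] or [None]
        for proto in protos:
            pairs.extend((proto, port) for port in ports)
    return pairs


# (source, destination, destination-port cell, where it comes from)
ROWS = [
    ("Cisco DNA Center", "Fabric underlay", "TCP 22", "Table 7: SSH to switch loopbacks"),
    ("Cisco DNA Center", "DNS Server", "UDP 53", "Table 7: DNS"),
    ("Fabric underlay", "Cisco DNA Center", "TCP 443", "Table 9: image upgrade"),
    ("Fabric underlay", "ISE", "UDP 1645/1646/1812/1813", "Table 9: RADIUS"),
    ("ISE", "Border", "TCP 64999", "Table 12: SXP"),
    ("ISE", "Fabric underlay", "ICMP", "Table 12: troubleshooting"),
]

# Constructed sample policy: omits the legacy RADIUS ports and SXP entirely.
SAMPLE_RULES = [
    Rule("Cisco DNA Center", "Fabric underlay", "tcp", frozenset({22, 23, 443, 830})),
    Rule("Cisco DNA Center", "DNS Server", "udp", frozenset({53})),
    Rule("Fabric underlay", "Cisco DNA Center", "tcp", frozenset({80, 443})),
    Rule("Fabric underlay", "ISE", "udp", frozenset({1812, 1813})),
    Rule("ISE", "Fabric underlay", "icmp", None),
]


def expand_rows(rows) -> List[Flow]:
    """Turn each table row into one Flow per (protocol, port) pair."""
    return [Flow(src, dst, proto, port, note)
            for src, dst, spec, note in rows
            for proto, port in parse_port_spec(spec)]


def uncovered(flows: List[Flow], rules: List[Rule]) -> List[Flow]:
    """Flows that no rule in the policy permits."""
    return [f for f in flows if not any(r.permits(f) for r in rules)]


if __name__ == "__main__":
    for gap in uncovered(expand_rows(ROWS), SAMPLE_RULES):
        port = "" if gap.dport is None else f" {gap.dport}"
        print(f"MISSING {gap.src} -> {gap.dst} {gap.proto.upper()}{port} ({gap.note})")
```

Extending ROWS to every row of the tables gives a repeatable check you can run whenever the firewall policy changes.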

Required Configuration Information
During appliance configuration, you will be prompted for the following information, in addition to the Required IP Addresses and Subnets:
· Linux User Name: This is maglev. This user name is the same on all the appliances in a cluster, including the primary node and secondary nodes, and cannot be changed.
· Linux Password: Identifies the password for the Linux user name maglev. This password ensures secure access to each appliance using the Linux command line. If required, you can assign a different Linux password for each maglev Linux user name on each appliance in a cluster. You must create the Linux password because there is no default. The password must meet the following requirements:
  · Minimum length of eight characters.
  · Cannot contain a tab or a line break.
  · Contains characters from at least three of the following categories:
    · Uppercase letters (A-Z)
    · Lowercase letters (a-z)
    · Numbers (0-9)
    · Special characters (for example, ! or #)
The Linux password is encrypted and hashed in the Cisco DNA Center database. If you are deploying a multinode cluster, you will also be prompted to enter the primary node's Linux password on each of the secondary nodes.
· Password Generation Seed (Optional): Instead of creating a Linux password, you can enter a seed phrase and click Generate Password. The Maglev Configuration wizard generates a random and secure password using this seed phrase. You can further edit the generated password by using the Auto Generated Password field.
· Administrator Passphrase: Identifies the password used for web access to Cisco DNA Center in a cluster. This is the password for the superuser account admin, which you use to log in to Cisco DNA Center for the first time. You are prompted to change this password when you log in for the first time.
You must create this password because there is no default. The Administrator Passphrase must meet the same requirements as the Linux password, described earlier.
· CIMC User Password: Identifies the password used for access to the CIMC GUI. The factory default is password, but you are prompted to change it when you first set up CIMC for access using a web browser (see Enable Browser Access to Cisco Integrated Management Controller).
The CIMC user password must meet the same requirements as the Linux password described earlier. It can be changed back to password only by a reset to factory defaults.
· Primary Node IP Address: Required only when you are installing secondary nodes in a cluster. This is the IP address of the cluster port on the primary node (see Interface Cable Connections).
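The same password rules apply to the Linux (maglev) password, the Administrator Passphrase and the CIMC user password, so a small validator lets you confirm a candidate before typing it into the wizard or CIMC. The following is an added example, not Cisco's code and not the Maglev Configuration wizard's generator; its interpretation of "special characters" as ASCII punctuation is an assumption, since the guide gives only examples, and the generator is a stand-in for the wizard's seed-based one rather than a reproduction of it.

```python
"""Validator for the password rules stated in the guide, plus a generator
that produces passwords satisfying them. Added example, not Cisco's code.
Assumption: "special characters" means ASCII punctuation."""
import secrets
import string


def password_problems(pw: str):
    """Return the list of rules a candidate password violates (empty = OK)."""
    problems = []
    if len(pw) < 8:
        problems.append("fewer than eight characters")
    if any(ch in pw for ch in "\t\n\r"):
        problems.append("contains a tab or line break")
    categories = {
        "uppercase": any(c in string.ascii_uppercase for c in pw),
        "lowercase": any(c in string.ascii_lowercase for c in pw),
        "digit": any(c in string.digits for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    hit = sum(categories.values())
    if hit < 3:
        missing = ", ".join(k for k, v in categories.items() if not v)
        problems.append(f"only {hit} of 4 character categories used (missing: {missing})")
    return problems


def meets_policy(pw: str) -> bool:
    return not password_problems(pw)


def generate_password(length: int = 16) -> str:
    """Draw from a CSPRNG until the policy is met (a stand-in for the wizard's
    seed-based generator, not a reproduction of it)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw):
            return pw


if __name__ == "__main__":
    # Constructed candidates, including the CIMC factory default "password".
    for candidate in ("password", "Magl3v-Adm1n", "abcdefgh1", "Ab1!"):
        print(repr(candidate), password_problems(candidate) or "OK")
    print("generated:", generate_password())
```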
Required First-Time Setup Information
After you have configured your appliances, log in to Cisco DNA Center and complete the essential setup tasks. During this first-time setup, you should have the following information:
· New Admin Superuser Password: You will be prompted to enter a new password for the Cisco DNA Center admin super user. Resetting the super user password enhances operational security. This is especially important if, for example, the enterprise staff who installed and configured the Cisco DNA Center appliance is not a Cisco DNA Center user or administrator.
· Cisco.com Credentials: The Cisco.com user ID and password that your organization uses to register software downloads and receive system communications through email.
· Cisco Smart Account Credentials: The Cisco.com Smart Account user ID and password your organization uses for managing your device and software licenses.
· IP Address Manager URL and Credentials: The host name, URL, admin user name, and admin password of the third-party IP address manager (IPAM) server you plan to use with Cisco DNA Center. This release supports InfoBlox and Bluecat.
· Proxy URL, Port, and Credentials: The URL (host name or IP address), port number, user name, and user password of the proxy server you plan to use with Cisco DNA Center in order to get updates to the Cisco DNA Center software, manage device licenses, and retrieve other downloadable content.


· Cisco DNA Center Users: User names, passwords, and privilege settings for the new Cisco DNA Center users you will be creating. We recommend that you always use one of these new user accounts for all your normal Cisco DNA Center operations. Avoid using the admin super user account for activities, except reconfiguring Cisco DNA Center and operations where super user privileges are explicitly required.
For details about how to launch and respond to the first-time setup wizard that prompts you for this information, see Complete the Quick Start Workflow, on page 95.
You will also need the following information to complete the remaining setup tasks, which can be done after your first login:
· ISE Server IP and Credentials: You will need the Cisco ISE server IP address and credentials, administrative user name, and password. These are needed to log in to and configure your organization's ISE server to share data with Cisco DNA Center, as explained in Integrate Cisco ISE with Cisco DNA Center.
Installation of or upgrade to Cisco DNA Center checks to see if Cisco ISE is configured as an authentication and policy (AAA) server. If the correct version of Cisco ISE is already configured, you can start migrating group policy data from Cisco ISE to Cisco DNA Center.
If Cisco ISE is not configured, or if the required version of Cisco ISE is not present, Cisco DNA Center installs, but Group Based Policy is disabled. You must install or upgrade Cisco ISE and connect it to Cisco DNA Center. You can then start the data migration.
Cisco DNA Center data present in the previous version is preserved when you upgrade. The data migration operation merges data from Cisco DNA Center and Cisco ISE. If the migration encounters a conflict, preference is given to data from Cisco ISE.
If Cisco DNA Center becomes unavailable, and it is imperative to manage policies before Cisco DNA Center becomes available once more, there is an option in Cisco ISE to override the Read-Only setting. This allows you to make policy changes directly in Cisco ISE. After Cisco DNA Center is available again, you must disable the Read-Only override on Cisco ISE, and re-synchronize the policy data on Cisco DNA Center Group Based Access Control Settings page. Only use this option when absolutely necessary, since changes made directly in Cisco ISE are not propagated to Cisco DNA Center.
· Authorization and Policy Server Information: If you are using Cisco ISE as your authentication and policy server, you will need the same information listed in the previous bullet, plus the ISE CLI user name, CLI password, server FQDN, a subscriber name (such as cdnac), the ISE SSH key (optional), the protocol choice (RADIUS or TACACS), the authentication port, the accounting port, and retry and timeout settings.
If you are using an authorization and policy server that is not Cisco ISE, you will need the server's IP address, protocol choice (RADIUS or TACACS), authentication port, accounting port, and retry and timeout settings.
This information is required to integrate Cisco DNA Center with your chosen authentication and policy server, as explained in Configure Authentication and Policy Servers, on page 105.
· SNMP Retry and Timeout Values: This is required to set up device polling and monitoring, as explained in Configure SNMP Properties.


CHAPTER 3
Install the Appliance
· Appliance Installation Workflow, on page 35
· Unpack and Inspect the Appliance, on page 35
· Review the Installation Warnings and Guidelines, on page 36
· Review the Rack Requirements, on page 37
· Connect and Power On the Appliance, on page 37
· Check the LEDs, on page 38
Appliance Installation Workflow
Complete the tasks described in this chapter to physically install your Cisco DNA Center appliance. Complete these tasks for each appliance you want to install, and be sure to install all of the appliances before configuring the primary node.
Unpack and Inspect the Appliance

Caution When handling internal appliance components, wear an ESD strap and handle modules by the carrier edges only.

Step 1 Remove the appliance from its cardboard container and save all the packaging material (in case the appliance requires shipping in the future).
Step 2 Compare the shipment with the equipment list provided by your customer service representative. Verify that you have all the items.
Step 3 Check for damage and report discrepancies or damage, if any, to your customer service representative immediately. Have the following information ready:
· Invoice number of the shipper (see the packing slip)
· Model and serial number of the damaged unit
· Description of damage

· Effect of damage on the installation


Review the Installation Warnings and Guidelines

Warning To prevent the system from overheating, do not operate it in an area that exceeds the maximum recommended ambient temperature of: 95°F (35°C). Statement 1047

Warning The plug-socket combination must be accessible at all times, because it serves as the main disconnecting device. Statement 1019

Warning This product relies on the building's installation for short-circuit (overcurrent) protection. Ensure that the protective device is rated not greater than: 250 V, 15 A. Statement 1005

Warning Installation of the equipment must comply with local and national electrical codes. Statement 1074

Caution To ensure proper airflow it is necessary to rack the appliances using rail kits. Physically placing the units on top of one another or "stacking" without the use of the rail kits blocks the air vents on top of the appliances, which could result in overheating, higher fan speeds, and higher power consumption. We recommend that you mount your appliances on rail kits when you are installing them into the rack because these rails provide the minimal spacing required between the appliances. No additional spacing between the appliances is required when you mount the units using rail kits.

Caution Avoid uninterruptible power supply (UPS) types that use ferroresonant technology. These UPS types can become unstable with systems such as the Cisco UCS, which can have substantial current-draw fluctuations due to fluctuating data traffic patterns.
When you are installing an appliance, follow these guidelines:
· Plan your site configuration and prepare the site before installing the appliance. See the Cisco UCS Site Preparation Guide for help with recommended site planning and preparation tasks.
· Ensure that there is adequate space around the appliance to allow for servicing the appliance and for adequate airflow. The airflow in this appliance is from front to back.
· Ensure that the site air-conditioning meets the thermal requirements listed in the Environmental Specifications.


· Ensure that the cabinet or rack meets the requirements listed in Review the Rack Requirements, on page 37
· Ensure that the site power meets the requirements listed in Power Specifications, on page 10. If available, you can use a UPS to protect against power failures.

Review the Rack Requirements
For proper operation, the rack in which you install the appliance must meet the following requirements:
· A standard 19-in. (48.3-cm) wide, four-post EIA rack, with mounting posts that conform to English universal hole spacing, per section 1 of ANSI/EIA-310-D-1992.
· The rack post holes can be square 0.38-in. (9.6 mm), round 0.28-in. (7.1 mm), #12-24 UNC, or #10-32 UNC when you use the supplied slide rails.
· The minimum vertical rack space per server must be one RU, equal to 1.75 in. (44.45 mm).

Connect and Power On the Appliance
This section describes how to power on the appliance and check that it is functional.

Step 1 Attach the supplied power cord to each power supply in the appliance and then attach the power cords to a grounded AC power outlet. See Power Specifications, on page 10 for details. Wait for approximately two minutes to let the appliance boot into standby power mode during the first boot up. You can verify the power status by looking at the Power Status LED:
· Off--There is no AC power present in the appliance.
· Amber--The appliance is in standby power mode. Power is supplied only to the CIMC and some motherboard functions.
· Green--The appliance is in main power mode. Power is supplied to all appliance components.
For more information on these and other appliance LEDs, see Front and Rear Panels.
Step 2 Connect a USB keyboard and VGA monitor to the server, using the supplied KVM cable connected to the KVM connector on the front panel. Alternatively, you can use the VGA and USB ports on the rear panel. You can only connect to one VGA interface at a time.

What to do next Continue by following the procedure described in Check the LEDs.


Check the LEDs
After you have powered up the Cisco DNA Center appliance, check the state of the front-panel and rear-panel LEDs and buttons to ensure it is functioning.
The following illustrations show the LEDs for a functional appliance after physical installation and first power-up and before configuration.
Figure 6: Front Panel LEDs

LED | Desired Status Indicator
1 | Drive Fault LEDs: Off. Drive Activity LEDs: Green
2 | Power Status: Green
3 | System Status: Green
4 | Fan Status: Green
5 | Temperature Status: Green
6 | Power Supply Status: Green
7 | Network Link Activity: Off


Figure 7: Rear Panel LEDs

LED | Desired Status Indicator
1 | After initial power-up, all the ports should have their Link Status and Link Speed LEDs showing as off, and their Power Status LED should be green. After network settings are configured and tested using the Maglev Configuration Wizard (see Configure the Primary Node and Configure a Secondary Node), the Link Status, Link Speed and Power Status LEDs for all cabled ports should be green. All uncabled port LEDs should be unchanged.
2 | Power Supply Fault LEDs: Off. AC Power LEDs: Green

If you see LEDs with colors other than those shown above, you may have a problem condition. See Front and Rear Panels for details on the likely causes of the status. Be sure to correct any problem conditions before proceeding to configure the appliance.


CHAPTER 4
Prepare the Appliance for Configuration
· Preparation for Appliance Configuration Overview, on page 41
· Enable Browser Access to Cisco Integrated Management Controller, on page 41
· Execute Preconfiguration Checks, on page 46
· Reimage the Appliance, on page 53
Preparation for Appliance Configuration Overview
Before you can successfully configure your Cisco DNA Center appliance, first complete the following tasks:
1. Enable browser access to the appliance's Cisco IMC (see Enable Browser Access to Cisco Integrated Management Controller).
2. Use Cisco IMC to check and adjust important hardware and switch settings (see Execute Preconfiguration Checks).
3. Cisco DNA Center software is preinstalled on your appliance, but you may need to reinstall the software in certain situations (such as before you change the current cluster link configuration). If this is the case, you must also complete the tasks described in Reimage the Appliance.
Note If you do not need to reimage your appliance, proceed to Appliance Configuration Overview.
Enable Browser Access to Cisco Integrated Management Controller
After installing the appliance, as described in Appliance Installation Workflow, use the Cisco IMC configuration utility to assign an IP address and gateway to the appliance's CIMC port. This gives you access to the Cisco IMC GUI, which you should use to configure the appliance. After you complete the Cisco IMC setup, log in to Cisco IMC and run the tasks listed in Execute Preconfiguration Checks to ensure correct configuration.

Tip To help ensure the security of your deployment, Cisco IMC prompts you to change the Cisco IMC user's default password when you boot the appliance for the first time. To change the Cisco IMC user password later, use the Cisco IMC GUI, as follows:
1. From the top-left corner of the GUI, click the Toggle Navigation icon ( ) and then choose Admin > User Management. The Local User Management tab should already be selected.
2. Check the check box for user 1, and then click Modify User. The Modify User Details dialog box opens.
3. Check the Change Password check box.
4. Enter and confirm the new password, and then click Save.

Step 1 Access the appliance console by attaching either of the following:
· A KVM cable to the KVM connector on the appliance's front panel (component 12 on the front panel illustrated in Front and Rear Panels)
· A keyboard and monitor to the USB and VGA ports on the appliance's rear panel (components 7 and 12, respectively, on the rear panel illustrated in Front and Rear Panels).
Step 2 Make sure that the appliance's power cord is plugged in and the power is on.
Step 3 Press the Power button on the front panel to boot the appliance.
The Cisco IMC configuration utility boot screen should be displayed, as shown below.


Step 4 As soon as the boot screen is displayed, press F8 to perform Cisco IMC configuration. The CIMC configuration utility displays the CIMC User Details screen, as shown below.
Step 5 Enter the default CIMC user password (the default on a new appliance is password) in the Enter current CIMC Password field.
Step 6 Enter and confirm the new CIMC user password in the Enter new CIMC password and Re-Enter new CIMC password fields.
When you press Enter after entering the new password in the Re-Enter new CIMC password field, the Cisco IMC configuration utility displays the NIC Properties screen, as shown below.

Step 7 Perform the following actions:
· NIC mode: Select Dedicated.
· IP (Basic): Select IPV4.
· CIMC IP: Enter the IP address of the CIMC port.
· Prefix/Subnet: Enter the subnet mask for the CIMC port IP address.
· Gateway: Enter the IP address of your preferred default gateway.
· Pref DNS Server: Enter the IP address of your preferred DNS server.
· NIC Redundancy: Select None.
Step 8 Press F1 to specify Additional settings. The Cisco IMC configuration utility displays the Common Properties screen, as shown below.

Step 9 Perform the following actions:
· Hostname: Enter a hostname for CIMC on this appliance.
· Dynamic DNS: Uncheck the check box to disable this feature.
· Factory Defaults: Uncheck the check box to disable this feature.
· Default User (Basic): Leave these fields blank.
· Port Properties: Enter new settings or accept the defaults shown in these fields.
· Port Profiles: Uncheck the check box to disable this feature.
Step 10 Press F10 to save the settings.
Step 11 Press Escape to exit and reboot the appliance.
Step 12 After the settings are saved and the appliance finishes rebooting, open a compatible browser on a client machine with access to the subnet on which the appliance is installed, and enter the following URL:
https://CIMC_ip_address, where CIMC_ip_address is the Cisco IMC port IP address that you entered in Step 7.
Your browser displays a main Cisco IMC GUI login window similar to the one shown below.

Step 13 Log in using the Cisco IMC user ID and password you set in Step 5.
If the login is successful, your browser displays a Cisco Integrated Management Controller Chassis Summary window similar to the one shown below.


Execute Preconfiguration Checks
After installing the appliance (as described in Appliance Installation Workflow) and setting up access to the Cisco IMC GUI (as described in Enable Browser Access to Cisco Integrated Management Controller), use Cisco IMC to perform the following preconfiguration tasks, which help ensure correct configuration and deployment:
1. Synchronize the appliance hardware with the Network Time Protocol (NTP) servers you use to manage your network. These must be the same NTP servers whose hostnames or IPs you gathered for use when planning your implementation, as explained in Required IP Addresses and Subnets. This is a critical task that ensures that your Cisco DNA Center data is synchronized properly across the network.
2. Check that the appliance's 10-Gbps ports are enabled and properly configured for high throughput.
3. Reconfigure the switches connected to the 10-Gbps appliance ports to support higher throughput settings.
4. Reconfigure the switches connected to the 10-Gbps appliance ports to support oversize 802.1p frames.

Step 1 Log in to the appliance's Cisco IMC using the Cisco IMC IP address, user ID, and password you set in Enable Browser Access to Cisco Integrated Management Controller.
If the login is successful, your browser displays the Cisco Integrated Management Controller Chassis Summary window, as shown below.


Step 2 Synchronize the appliance's hardware with the Network Time Protocol (NTP) servers you use to manage your network, as follows:
a) From the top-left corner of the Cisco IMC GUI, click the Toggle Navigation icon ( ).
b) From the Cisco IMC menu, select Admin > Networking, and then choose the NTP Setting tab.
c) Make sure that the NTP Enabled check box is checked and enter up to four NTP server host names or addresses in the numbered Server fields, as shown in the example below.
d) Click Save Changes. Cisco IMC validates your entries and then begins to synchronize the time on the appliance's hardware with the time on the NTP servers.
Step 3 Next, check that the appliance NICs are configured to support high throughput, as follows:
a) If needed, click the icon to display the Cisco IMC menu.
b) From the Cisco IMC menu, select Chassis > Inventory > Cisco VIC Adapters. Verify that the Product ID "UCSC-MLOM-CSC-02" is listed for the MLOM slot, as shown below:

c) Select > Compute > BIOS > Configure BIOS > Advanced. Verify that the Reboot Host Immediately checkbox is unchecked and note the location of the LOM and PCIe Slots Configuration dropdown.


d) Select LOM and PCIe Slots Configuration. Then, using the dropdown selectors, set PCIe Slot: MLOM OptionROM to Enabled and PCIe Slot: MLOM Link Speed to Auto.

e) Click Save. You will be prompted to reboot the host. Click OK to continue instead of rebooting.
f) Select > Networking > Adapter Card MLOM > General. Take note of the MAC addresses for Port-0 and Port-1 (shown in the External Ethernet Interfaces section at the bottom of the page). In the Adapter Card Properties section, use the dropdown selectors next to Port-0 and Port-1 to set the speed of both these ports to Auto, as shown below. Then click Save Changes.

g) Click the vNICs tab and select eth0 from the vNICs dropdown. Use the selectors and fields to set these values for eth0:
· VLAN Mode: Trunk
· MTU: 1500
· Default VLAN: 99 (Please note that "99" is only an example. You should enter the default VLAN value you want your appliances and their connected uplink switch to use.)

Tip 1500 is the minimum maximum transmission unit (MTU) size. You can improve throughput on the 10Gbps ports by entering any higher value, up to a maximum of 9000.

h) Click Save Changes. You will be prompted to reboot the host again. Click Cancel to continue instead of rebooting.
i) Select eth1 from the vNICs dropdown and set the values that you want your appliances and their connected uplink switch to use.
j) When you are finished, click Save Changes. You will be prompted to reboot the host. This time, click OK to reboot the appliance.
k) When the appliance is finished rebooting, log in to the Cisco IMC GUI again. Select > Networking > Adapter Card MLOM > General > vNICs. Verify the accuracy of the vNIC MAC addresses and the MTU, VLAN and VLAN Mode parameters you set earlier.
l) When you are finished: Click the Host Power menu at top right and select Power Cycle. Then click OK.


Step 4 Reconfigure your switches to match the high-throughput settings on the appliance, as follows:
a) Using a Secure Shell (SSH) client, log in to the switch to be configured and enter EXEC mode at the switch prompt.
b) Configure the switch port.
On a Cisco Catalyst switch, enter the following commands. For example:
MySwitch#Config terminal
MySwitch(config)#interface tengigabitethernet 1/1/3
MySwitch(config-if)#switchport
MySwitch(config-if)#switchport mode trunk
MySwitch(config-if)#switchport trunk allowed vlan 99
MySwitch(config-if)#switchport voice vlan dot1p
MySwitch(config-if)#speed auto
MySwitch(config-if)#duplex full
MySwitch(config-if)#mtu 1500
MySwitch(config-if)#no shut
MySwitch(config-if)#end
MySwitch#copy running-config startup-config
On a Cisco Nexus switch, enter the following commands to disable Link Layer Discovery Protocol (LLDP) and priority flow control (PFC). For example:
N7K2# configure terminal
N7K2(config)# interface eth 3/4
N7K2(config-if)# no priority-flow-control mode auto
N7K2(config-if)# no lldp transmit
N7K2(config-if)# no lldp receive
Note that these commands are examples only. When configuring your appliance's NICs, use the same VLAN ID and MTU values you entered in Step 3 of this procedure. The values displayed for the link speed, duplex, and MTU parameters are the defaults for your switch. Enter new values for these parameters only if you have changed the defaults. You may, as with the appliance NICs, also set the MTU up to a maximum of 9000 for better throughput.
c) Run the show interface tengigabitethernet portID command and verify that the port is connected, running, and has the correct MTU, duplex, and link-type settings in the command output. For example:
MySwitch#show interface tengigabitethernet 1/1/3
TenGigabitEthernet1/1/3 is up, line protocol is up (connected)
  Hardware is Ten Gigabit Ethernet, address is XXXe.310.8000 (bia XXX.310.8000)
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 10GB/s, link type is auto, media type is SFP-10Gbase-SR
d) Run the show run interface tengigabitethernet portID command to check the configuration of the switch ports where the cables from the VIC 1227 ports are connected. For example:
MySwitch#show run interface tengigabitethernet 1/1/3
Building configuration...
Current configuration : 129 bytes
!
interface TenGigabitEthernet1/1/3
 switchport trunk allowed vlan 99
 switchport mode trunk
end

MySwitch#
e) Run the show run interface tengigabitethernet portID command and verify from the command output that the port has the correct voice vlan dot1p setting. For example:
MySwitch#show run interface tengigabitEthernet 1/1/3
Building configuration...
Current configuration : 129 bytes
!
interface TenGigabitEthernet1/1/3
 switchport trunk allowed vlan 99
 switchport mode trunk
 switchport voice vlan dot1p
end

MySwitch#

f) Run the show mac address-table interface tengigabitethernet portID command and verify the MAC address from the command output. For example:
MySwitch#show mac address-table interface tengigabitethernet 1/1/3
          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  99    XXXe.3161.1000    DYNAMIC     Te1/1/3
Total Mac Addresses for this criterion: 1
MySwitch#
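Steps 4 (c) through (f) are read-and-compare checks, so the following added example (not Cisco's code, and not part of this guide) parses the show output and reports every mismatch against the expected trunk mode, allowed VLAN, voice vlan dot1p, MTU, duplex and link state, and confirms that the VIC MAC from Cisco IMC appears on the port. The sample outputs are constructed copies of the guide's, with an IANA documentation MAC as a placeholder for the VIC address.

```python
"""Verify the uplink switch port settings from Step 4 (c) through (f) by parsing
the `show` command output instead of eyeballing it. Added example, not part of
the Cisco guide; the sample outputs below are constructed."""
import re
from typing import Dict, List, Set


def parse_running_config(text: str) -> Dict[str, object]:
    """Settings of interest from `show run interface <port>` output."""
    mode = voice_vlan = mtu = None
    allowed: Set[int] = set()
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"switchport mode (\S+)$", line):
            mode = m.group(1)
        elif m := re.match(r"switchport trunk allowed vlan (?:add )?([\d,\-]+)$", line):
            for part in m.group(1).split(","):
                lo, _, hi = part.partition("-")  # handles "99" as well as "10-20"
                allowed.update(range(int(lo), int(hi or lo) + 1))
        elif m := re.match(r"switchport voice vlan (\S+)$", line):
            voice_vlan = m.group(1)
        elif m := re.match(r"mtu (\d+)$", line):
            mtu = int(m.group(1))
    return {"mode": mode, "allowed_vlans": allowed, "voice_vlan": voice_vlan, "mtu": mtu}


def parse_interface_status(text: str) -> Dict[str, object]:
    """Link state, operational MTU and duplex from `show interface <port>`."""
    mtu = re.search(r"MTU (\d+) bytes", text)
    duplex = re.search(r"\b(Full|Half)-duplex", text)
    return {"up": "is up, line protocol is up" in text,
            "mtu": int(mtu.group(1)) if mtu else None,
            "duplex": duplex.group(1).lower() if duplex else None}


def cisco_mac(mac: str) -> str:
    """Normalise a MAC as Cisco IMC shows it (aa:bb:cc:dd:ee:ff) to the dotted
    form the switch prints (aabb.ccdd.eeff)."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"


def mac_learned_on_port(mac_table: str, mac: str, port: str, vlan: int) -> bool:
    """True if `show mac address-table interface <port>` lists the VIC MAC on `vlan`."""
    want = cisco_mac(mac)
    for line in mac_table.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == str(vlan) and f[1].lower() == want and f[3] == port:
            return True
    return False


def check_uplink(run_cfg: str, show_int: str, vlan: int, mtu: int = 1500) -> List[str]:
    """Return the list of mismatches; an empty list means the port matches the procedure."""
    cfg = parse_running_config(run_cfg)
    st = parse_interface_status(show_int)
    problems: List[str] = []
    if cfg["mode"] != "trunk":
        problems.append(f"switchport mode is {cfg['mode']}, expected trunk")
    if vlan not in cfg["allowed_vlans"]:
        problems.append(f"VLAN {vlan} is not in the trunk allowed list")
    if cfg["voice_vlan"] != "dot1p":
        problems.append("switchport voice vlan dot1p is missing")
    # `mtu` is absent from the running config when it equals the switch default, so
    # the operational value from `show interface` is the one to compare against.
    if st["mtu"] != mtu:
        problems.append(f"operational MTU is {st['mtu']}, expected {mtu}")
    if not st["up"]:
        problems.append("port is not up/up")
    if st["duplex"] != "full":
        problems.append(f"duplex is {st['duplex']}, expected full")
    return problems


# Constructed sample outputs modelled on the guide's; 00:00:5e:00:53:01 is an
# IANA documentation (placeholder) MAC, not a real VIC address.
SHOW_RUN = """Building configuration...
Current configuration : 129 bytes
!
interface TenGigabitEthernet1/1/3
 switchport trunk allowed vlan 99
 switchport mode trunk
 switchport voice vlan dot1p
end"""

SHOW_INT = """TenGigabitEthernet1/1/3 is up, line protocol is up (connected)
  Hardware is Ten Gigabit Ethernet, address is 0000.5e00.5301 (bia 0000.5e00.5301)
  MTU 1500 bytes, BW 10000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set
  Keepalive not set
  Full-duplex, 10Gb/s, link type is auto, media type is SFP-10Gbase-SR"""

MAC_TABLE = """          Mac Address Table
-------------------------------------------
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  99    0000.5e00.5301    DYNAMIC     Te1/1/3
Total Mac Addresses for this criterion: 1"""

if __name__ == "__main__":
    print("problems:", check_uplink(SHOW_RUN, SHOW_INT, vlan=99))
    print("VIC MAC learned:", mac_learned_on_port(MAC_TABLE, "00:00:5e:00:53:01", "Te1/1/3", 99))
```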

What to do next When this task is complete, do one of the following:
· If you need to reinstall Cisco DNA Center software before you configure your appliance, see Reimage the Appliance.
· If you are ready to configure your appliance, proceed to Appliance Configuration Overview.


Reimage the Appliance
Situations may arise that require you to reimage your Cisco DNA Center appliance, such as recovering from a backup or changing your cluster link configuration. To do so, complete the following procedure.

Step 1 Download the Cisco DNA Center ISO image and verify that it is a genuine Cisco image. See Verify the Cisco DNA Center ISO Image, on page 53.
Step 2 Create a bootable USB drive that contains the Cisco DNA Center ISO image. See Create a Bootable USB Flash Drive, on page 54.
Step 3 Reinstall Cisco DNA Center onto your appliance. See Install the Cisco DNA Center ISO Image, on page 56.

Verify the Cisco DNA Center ISO Image
Prior to deploying Cisco DNA Center, we strongly recommend that you verify that the ISO image you downloaded is a genuine Cisco image.
Before you begin Obtain the location of the Cisco DNA Center ISO image (through email or by contacting the Cisco support team).

Step 1 Download the Cisco DNA Center ISO image (.iso) from the location specified by Cisco.
Step 2 Download the Cisco public key (cisco_image_verification_key.pub) for signature verification from the location specified by Cisco.
Step 3 Download the secure hash algorithm (SHA512) checksum file for the ISO image from the location specified by Cisco.
Step 4 Obtain the ISO image's signature file (.sig) from Cisco support through email or by download from the secure Cisco website (if available).
Step 5 (Optional) Perform an SHA verification to determine whether the ISO image is corrupted due to a partial download. Run one of the following commands (depending upon your operating system):
· On a Linux system: sha512sum ISO-image-filename
· On a Mac system: shasum -a 512 ISO-image-filename
Microsoft Windows does not include a built-in checksum utility, but you can use the certutil tool:
certutil -hashfile <filename> sha256 | md5
For example:
certutil -hashfile D:\Customers\FINALIZE.BIN sha256
On Windows, you can also use the Windows PowerShell to generate the digest. For example:
PS C:\Users\Administrator> Get-FileHash -Path D:\Customers\FINALIZE.BIN
Algorithm       Hash                                                               Path
SHA256          B84B6FFD898A370A605476AC7EC94429B445312A5EEDB96166370E99F2838CB5   D:\Customers\FINALIZE.BIN
Step 6 Compare the output of the command you run to the SHA512 checksum file that you downloaded. If the command output does not match, download the ISO image again and run the appropriate command a second time. If the output still does not match, contact Cisco support.
Step 7 Verify that the ISO image is genuine and from Cisco by verifying its signature:
openssl dgst -sha512 -verify cisco_image_verification_key.pub -signature signature-filename ISO-image-filename
Note This command works in both MAC and Linux environments. For Windows, you need to download and install OpenSSL (available here) if you have not already done so.
If the ISO image is genuine, running this command should display a Verified OK message. If this message fails to appear, do not install the ISO image and contact Cisco support.
After confirming that you have downloaded a Cisco ISO image, create a bootable USB drive that contains the Cisco DNA Center ISO image. See Create a Bootable USB Flash Drive.
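The following added example (not Cisco's code, and not part of this guide) automates Steps 5 through 7: it hashes the image in chunks, parses the downloaded checksum file, compares the digests in constant time, and then runs the same openssl signature command the guide gives, treating the download as installable only when both checks pass. Whatever tool you use for the digest, it must be SHA-512 to be comparable with the SHA512 checksum file (both Get-FileHash and certutil accept SHA512 as the algorithm). It assumes openssl is on the PATH for the signature step; the file names are placeholders.

```python
"""Verify a downloaded Cisco DNA Center ISO: recompute its SHA-512, compare it
with the downloaded checksum file, then check the detached signature with the
Cisco public key. Added example, not Cisco's code; names are placeholders."""
import hashlib
import hmac
import os
import re
import shutil
import subprocess
import tempfile
from typing import Optional

CHUNK = 4 * 1024 * 1024  # ISO images are several GB; hash them in 4 MiB pieces


def sha512_file(path: str) -> str:
    """Hex SHA-512 of a file, equivalent to `sha512sum` / `shasum -a 512`."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(CHUNK), b""):
            h.update(block)
    return h.hexdigest()


def sha512_bytes(data: bytes) -> str:
    return hashlib.sha512(data).hexdigest()


def expected_digest(checksum_text: str, filename: str) -> Optional[str]:
    """Find the digest for `filename` in a checksum file. Accepts the GNU layout
    written by sha512sum ("<hex>  <name>", optionally "*<name>") and the BSD
    layout written by shasum --tag ("SHA512 (<name>) = <hex>")."""
    name = os.path.basename(filename)
    for line in checksum_text.splitlines():
        line = line.strip()
        m = re.match(r"^([0-9a-fA-F]{128})\s+\*?(\S+)$", line)
        if m and os.path.basename(m.group(2)) == name:
            return m.group(1).lower()
        m = re.match(r"^SHA512\s*\((.+)\)\s*=\s*([0-9a-fA-F]{128})$", line)
        if m and os.path.basename(m.group(1)) == name:
            return m.group(2).lower()
    return None


def digest_matches(actual_hex: str, checksum_text: str, filename: str) -> bool:
    expected = expected_digest(checksum_text, filename)
    if expected is None:
        return False  # no entry for this file counts as a failed check, not a pass
    return hmac.compare_digest(actual_hex.lower(), expected)


def checksum_matches(iso_path: str, checksum_path: str) -> bool:
    with open(checksum_path, encoding="utf-8") as f:
        return digest_matches(sha512_file(iso_path), f.read(), iso_path)


def signature_verified(iso_path: str, pubkey_path: str, sig_path: str) -> bool:
    """Run the openssl command from Step 7 and accept only a 'Verified OK' result."""
    if shutil.which("openssl") is None:
        raise RuntimeError("openssl not found on PATH")
    proc = subprocess.run(["openssl", "dgst", "-sha512", "-verify", pubkey_path,
                           "-signature", sig_path, iso_path],
                          capture_output=True, text=True)
    return proc.returncode == 0 and proc.stdout.strip() == "Verified OK"


def verify_iso(iso_path: str, checksum_path: str, pubkey_path: str, sig_path: str) -> dict:
    """A matching checksum only proves the download is intact; the signature
    proves origin. Both must pass before the image is used."""
    result = {"checksum_ok": checksum_matches(iso_path, checksum_path), "signature_ok": False}
    if result["checksum_ok"]:
        result["signature_ok"] = signature_verified(iso_path, pubkey_path, sig_path)
    result["install_allowed"] = result["checksum_ok"] and result["signature_ok"]
    return result


def demo() -> dict:
    """Exercise the checksum path on a constructed stand-in for the ISO."""
    with tempfile.TemporaryDirectory() as tmp:
        iso = os.path.join(tmp, "CDNAC-SW-example.iso")  # placeholder name
        with open(iso, "wb") as f:
            f.write(b"constructed stand-in for an ISO image\n" * 1000)
        chk = iso + ".sha512"
        with open(chk, "w", encoding="utf-8") as f:
            f.write(sha512_file(iso) + "  CDNAC-SW-example.iso\n")  # sha512sum layout
        intact = checksum_matches(iso, chk)
        with open(iso, "ab") as f:  # simulate a partial/corrupted download
            f.write(b"x")
        corrupted = checksum_matches(iso, chk)
    return {"intact": intact, "corrupted": corrupted}


if __name__ == "__main__":
    print(demo())
```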

Create a Bootable USB Flash Drive
Complete one of the following procedures to create a bootable USB flash drive from which you can install the Cisco DNA Center ISO image. Before you begin:
· Download and verify your copy of the Cisco DNA Center ISO image. See Verify the Cisco DNA Center ISO Image.
· Confirm that the USB flash drive you are using has a capacity of at least 64 GB.
Using Etcher

Step 1 Download and install Etcher (Version 1.3.1 or later), an open-source freeware utility that allows you to create a bootable USB drive on your laptop or desktop. Linux, macOS, and Windows versions of Etcher are currently available. You can download a copy at https://www.balena.io/etcher/.
Note Use only the Windows version of Etcher on machines running Windows 10, as there are known compatibility issues with older versions of Windows.
Step 2 From the machine on which you installed Etcher, connect a USB drive and then start Etcher.
Step 3 In the top-right corner of the window, click and verify that the following Etcher settings are set:
· Auto-unmount on success
· Validate write on success
Step 4 Click Back to return to the main Etcher window.


Step 5 Click Select Image. Navigate to the Cisco DNA Center ISO image you downloaded previously, select it, and then click Open.
Step 6 The name of the USB drive you connected should be listed under the drive icon ( ). If it is not:
a. Click Select drive.
b. Click the radio button for the correct USB drive, and then click Continue.
Step 7 Click Flash! to copy the ISO image to the USB drive. Etcher configures the USB drive as a bootable drive with the Cisco DNA Center ISO image installed.

Using the Linux CLI

Step 1 Verify that your USB flash drive is recognized by your machine:
a) Insert a flash drive into your machine's USB port.
b) Open a Linux shell and run the following command: lsblk
The command lists the disk partitions that are currently configured on your machine, as illustrated in the following example:
$ lsblk
NAME MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda    8:0   0 446.1G  0 disk
sda1   8:1   0     1M  0 part
sda2   8:2   0  28.6G  0 part /
sda3   8:3   0  28.6G  0 part /install2
sda4   8:4   0   9.5G  0 part /var
sda5   8:5   0  30.5G  0 part [SWAP]
sda6   8:6   0 348.8G  0 part /data
sdb    8:16  0   1.8T  0 disk
sdb1   8:17  0 426.1G  0 part /data/maglev/srv/fusion
sdb2   8:18  0   1.3T  0 part /data/maglev/srv/maglev-system
sdc    8:32  0   3.5T  0 disk
sdc1   8:33  0   3.5T  0 part /data/maglev/srv/ndp
sdd    8:48  1  28.7G  0 disk
sdd1   8:49  1    12G  0 part
c) Confirm that an sdd partition (which indicates the presence of a USB flash drive) is listed.
Step 2 Burn the Cisco DNA Center ISO image you downloaded previously onto your USB flash drive:
time sudo dd if=/data/tmp/ISO-image-filename of=/dev/flash-drive-partition bs=4M && sync
For example, to create a bootable USB drive using an ISO image named CDNAC-SW-1.330.iso, you would run the following command:
time sudo dd if=/data/tmp/CDNAC-SW-1.330.iso of=/dev/sdd bs=4M && sync
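The lsblk check in Step 1 is the safeguard against the most damaging mistake in Step 2: pointing dd at one of the appliance's fixed disks instead of the flash drive. The following Python script is an added example, not part of the Cisco guide; it parses the lsblk output shown above (the sample text embedded in it is the guide's own) and confirms that a candidate dd target is a whole disk, is flagged removable (RM=1), and has no mounted partitions before anything is written. The function names and the BlockDevice class are my own assumptions about how such a pre-flight check would be organized.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Sample output copied from the lsblk example in Step 1 above: three fixed disks
# (sda, sdb, sdc, all RM=0 with mounted partitions) and one removable flash drive (sdd, RM=1).
SAMPLE_LSBLK = """\
NAME MAJ:MIN RM   SIZE RO TYPE MOUNTPOINT
sda    8:0   0 446.1G  0 disk
sda1   8:1   0     1M  0 part
sda2   8:2   0  28.6G  0 part /
sda3   8:3   0  28.6G  0 part /install2
sda4   8:4   0   9.5G  0 part /var
sda5   8:5   0  30.5G  0 part [SWAP]
sda6   8:6   0 348.8G  0 part /data
sdb    8:16  0   1.8T  0 disk
sdb1   8:17  0 426.1G  0 part /data/maglev/srv/fusion
sdb2   8:18  0   1.3T  0 part /data/maglev/srv/maglev-system
sdc    8:32  0   3.5T  0 disk
sdc1   8:33  0   3.5T  0 part /data/maglev/srv/ndp
sdd    8:48  1  28.7G  0 disk
sdd1   8:49  1    12G  0 part
"""


@dataclass
class BlockDevice:
    name: str                   # kernel name, e.g. "sdd"
    removable: bool             # lsblk RM column
    size: str                   # lsblk SIZE column, kept as printed
    dev_type: str               # "disk" or "part"
    mountpoint: Optional[str]   # None when nothing is mounted on the device


def parse_lsblk(text: str) -> List[BlockDevice]:
    """Parse the default lsblk table; tree glyphs from newer lsblk builds are stripped."""
    devices: List[BlockDevice] = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:                      # the first line is the column header
        fields = line.split()
        if len(fields) < 6:
            continue
        name = fields[0].lstrip("├─└│|`-")
        mountpoint = fields[6] if len(fields) > 6 else None
        devices.append(BlockDevice(name, fields[2] == "1", fields[3], fields[5], mountpoint))
    return devices


def is_partition_of(part: str, disk: str) -> bool:
    """True for sdd1 on sdd and for nvme0n1p1 on nvme0n1."""
    rest = part[len(disk):]
    return part != disk and part.startswith(disk) and rest.lstrip("p").isdigit()


def removable_disks(devices: List[BlockDevice]) -> List[str]:
    """Whole disks that lsblk flags as removable: the only sensible dd targets for a USB image."""
    return [d.name for d in devices if d.dev_type == "disk" and d.removable]


def check_dd_target(devices: List[BlockDevice], target: str) -> Tuple[bool, str]:
    """Decide whether of=<target> is safe: a whole disk, removable, with nothing mounted on it."""
    name = target.rsplit("/", 1)[-1]            # accept "/dev/sdd" or "sdd"
    dev = next((d for d in devices if d.name == name), None)
    if dev is None:
        return False, f"{target}: no such block device in the lsblk output"
    if dev.dev_type != "disk":
        return False, f"{target}: is a partition; write the image to the whole disk"
    if not dev.removable:
        return False, f"{target}: RM=0, not a removable device (possibly a system disk)"
    mounted = [d.name for d in devices if is_partition_of(d.name, name) and d.mountpoint]
    if mounted:
        return False, f"{target}: has mounted partitions {mounted}; unmount them first"
    return True, f"{target}: removable {dev.size} disk with nothing mounted, safe to write"


if __name__ == "__main__":
    devs = parse_lsblk(SAMPLE_LSBLK)
    print("removable disks:", removable_disks(devs))
    for candidate in ("/dev/sdd", "/dev/sda", "/dev/sdd1"):
        print(check_dd_target(devs, candidate))
```

On a real machine, feed the script the live output (for example, lsblk piped into it) and refuse to run dd unless check_dd_target returns True for the device you are about to name in of=. Against the guide's sample, only /dev/sdd passes; /dev/sda is rejected because it is a fixed disk with mounted partitions, and /dev/sdd1 because the image belongs on the whole disk.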

Using the Mac CLI
Step 1 Determine the disk partition associated with your USB flash drive:
a) Open a Terminal window and run the following command: diskutil list
The command lists the disk partitions that are currently configured on your machine.
b) Insert a flash drive into your machine's USB port and run the diskutil list command a second time. The partition that was not listed the first time you ran this command corresponds to your flash drive. For example, let's assume that your flash drive's partition is /dev/disk2.
Step 2 Unmount the flash drive's partition: diskutil unmountDisk flash-drive-partition
Continuing our example, you would enter diskutil unmountDisk /dev/disk2
Step 3 Using the Cisco DNA Center ISO image you downloaded previously, create a disk image: hdiutil convert -format UDRW -o Cisco-DNA-Center-version ISO-image-filename
Continuing our example, let's assume that you are working with a Cisco DNA Center ISO image named CDNAC-SW-1.330.iso. You would run the following command, which creates a macOS disk image named CDNAC-1.330.dmg: hdiutil convert -format UDRW -o CDNAC-1.330 CDNAC-SW-1.330.iso
Important Ensure that the ISO image does not reside on a Box partition.
Step 4 Create a bootable USB drive: sudo dd if=macOS-disk-image-filename of=flash-drive-partition bs=1m
Continuing our example, you would run the following command: sudo dd if=CDNAC-1.330.dmg of=/dev/disk2 bs=1m
The ISO image is about 18 GB in size, so this can take around an hour to complete.

Install the Cisco DNA Center ISO Image
Complete the following procedure to install the Cisco DNA Center ISO image onto your appliance.
Before you begin
Create the bootable USB drive from which you will install the Cisco DNA Center ISO image. See Create a Bootable USB Flash Drive.

Step 1 Connect the bootable USB drive with the Cisco DNA Center ISO image to the appliance.
Step 2 Log in to Cisco IMC and start a KVM session.
Step 3 Power on or power cycle the appliance:
· Choose Power > Power On System if the appliance is not currently running.
· Choose Power > Power Cycle System (cold boot) if the appliance is already running.
Step 4 In the resulting pop-up window, click Yes to acknowledge that you are about to execute a server control action.
Step 5 When the Cisco logo appears, either press the F6 key or choose Macros > User Defined Macros > F6 from the KVM menu. The boot device selection menu appears.
Step 6 Select your USB drive and then press Enter.

Step 7 In the GNU GRUB bootloader window, choose Cisco DNA Center Installer and then press Enter.
Note The bootloader automatically boots the Maglev Installer instead if you do not make a selection within 30 seconds.
After installation of the Cisco DNA Center ISO image is completed, the installer reboots and opens the Maglev Configuration wizard's welcome screen. Depending on whether you are going to configure a primary or secondary cluster node, proceed to Step 4 in either Configure the Primary Node or Configure a Secondary Node.


CHAPTER 5
Configure the Appliance
· Appliance Configuration Overview, on page 59
· Maglev Wizard Interface Configuration Order, on page 59
· Configure the Primary Node, on page 60
· Configure a Secondary Node, on page 77
· Upgrade to the Latest Cisco DNA Center Release, on page 93
Appliance Configuration Overview
You can deploy the appliance in your network in one of the following two modes:
· Standalone: As a single node offering all the functions. This option is usually preferred for initial or test deployments and in smaller network environments.
· Cluster: As a node that belongs to a three-node cluster. In this mode, all the services and data are shared among the hosts. This is the preferred option for large deployments.
If you choose the Standalone mode for your initial deployment, you can add more appliances later to form a cluster. When configuring the standalone host, ensure that it is set up as the first, or primary, node in the cluster. If you choose the Cluster mode for your initial deployment, be sure to finish configuring the primary node before configuring the secondary nodes.
To proceed, complete the following tasks:
1. Launch the Maglev Configuration wizard from Cisco IMC and configure the primary node in your cluster. See Configure the Primary Node.
2. If you have installed three appliances and want to add the second and third nodes to your cluster, see Configure a Secondary Node.
Maglev Wizard Interface Configuration Order
The order in which Cisco DNA Center appliance interfaces are configured in the Maglev Configuration wizard differs between the first- and second-generation appliances, as illustrated in the following table. Refer to these Cisco part numbers to determine whether you have a first- or second-generation appliance:
· First-generation 44-core appliance: DN1-HW-APL
· Second-generation:
  · 44-core appliance: DN2-HW-APL
  · 44-core promotional appliance: DN2-HW-APL-U
  · 56-core appliance: DN2-HW-APL-L
  · 56-core promotional appliance: DN2-HW-APL-L-U
  · 112-core appliance: DN2-HW-APL-XL
  · 112-core promotional appliance: DN2-HW-APL-XL-U

Cisco DNA Center Appliance Interface and Function | Appliance Type | Configuration Order in the Maglev Wizard
Cluster (enp10s0): Links the appliance to your cluster nodes. | First-generation | Network Adapter #1
Cluster (enp10s0) | Second-generation | Network Adapter #2
Management (enp1s0f0): Allows you to access the Cisco DNA Center GUI from your management network. | First-generation | Network Adapter #2
Management (enp1s0f0) | Second-generation | Network Adapter #3
Cloud (enp1s0f1): Provides internet access when another interface is not available for this purpose. | First-generation | Network Adapter #3
Cloud (enp1s0f1) | Second-generation | Network Adapter #4
Enterprise (enp9s0): Links the appliance to your enterprise network. | First-generation | Network Adapter #4
Enterprise (enp9s0) | Second-generation | Network Adapter #1

Configure the Primary Node
Perform the steps in this procedure to configure the first installed appliance as the primary node. You must always configure the first appliance as the primary node, whether it will operate standalone or as part of a cluster.
If you are configuring the installed appliance as a secondary node for an existing cluster that already has a primary node, follow the steps described in Configure a Secondary Node instead.

Note Ensure that all of the IP addresses you enter while completing this procedure are valid IPv4 addresses with valid IPv4 netmasks. Also make sure that the addresses and their corresponding subnets do not overlap. Service communication issues can result if they do.

Important Before you configure the appliances in a three-node cluster, ensure that you have logged out of those appliances. Otherwise, the Quick Start workflow (which you complete to discover your network's devices and enable telemetry) will not start when you log in to Cisco DNA Center for the first time after configuring your cluster's appliances.

Before you begin
Ensure that you:
· Collected all of the information specified in Required IP Addresses and Subnets and Required Configuration Information.
· Installed the first appliance, as described in Appliance Installation Workflow.
· Configured Cisco IMC browser access on the primary node, as described in Enable Browser Access to Cisco Integrated Management Controller.
· Checked that the primary node appliance's ports, and the switches they use, are properly configured, as described in Execute Preconfiguration Checks.
· Confirmed that you are using a compatible browser. For a list of compatible browsers, see the Release Notes document for the version of Cisco DNA Center you are installing.
· Enabled ICMP on the firewall between Cisco DNA Center and both the default gateway and the DNS server you specify in the following procedure. The Maglev Configuration wizard uses ping to verify the gateway and DNS server you specify. This ping might get blocked if a firewall is in place and ICMP is not enabled on that firewall. When this happens, you will not be able to complete the wizard.

Step 1 Point your browser to the Cisco IMC IP address you set during the Cisco IMC GUI configuration you performed, and log in to the Cisco IMC GUI as the Cisco IMC user (see Enable Browser Access to Cisco Integrated Management Controller).
After successful login, the appliance displays the Cisco Integrated Management Controller Chassis Summary window, with a hyperlinked menu at the top of the window, as shown below.

Step 2 From the hyperlinked menu, choose Launch KVM and then select either Java based KVM or HTML based KVM. If you select Java-based KVM, you will need to launch the Java startup file from your browser or file manager in order to view the KVM console in its own window. If you select HTML-based KVM, it launches the KVM console in a separate window or tab automatically.

Irrespective of the KVM type you choose, use the KVM console to monitor the progress of the configuration and respond to the Maglev Configuration wizard prompts.
Step 3 With the KVM displayed, reboot the appliance by making one of the following selections:
· In the main Cisco IMC GUI browser window: Choose Host Power > Power Cycle, and switch to the KVM console to continue.
· In the KVM console: Choose Power > Power Cycle System (cold boot).
If you are asked to confirm your choice to reboot the appliance, click OK. After displaying reboot messages, the KVM console displays the Maglev Configuration wizard welcome screen.

Step 4 Click Start a Cisco DNA Center Cluster to begin configuring the primary node. The wizard discovers all of the ports on the appliance and presents them to you one by one, in separate screens, in the following order:
a. 10-Gbps Cluster port (Port 2, enp10s0, Network Adapter #1)
b. 1-Gbps Cisco DNA Center GUI port (1, enp1s0f0, Network Adapter #2)
c. 1-Gbps Cloud port (2, enp1s0f1, Network Adapter #3)
d. 10-Gbps Enterprise port (Port 1, enp9s0, Network Adapter #4)

Note If the wizard fails to display either or both of the Enterprise and Cluster ports during the course of configuration, these ports may be non-functional or disabled. These two ports are required for Cisco DNA Center functionality. If you discover that they are non-functional, choose cancel to exit the configuration immediately. Be sure you have completed all of the steps provided in Execute Preconfiguration Checks before resuming configuration or contacting the Cisco Technical Assistance Center (TAC).
Step 5 The wizard discovers the 10-Gbps Cluster port (Port 2, enp10s0) first, and presents it as NETWORK ADAPTER #1. As explained in Interface Cable Connections, this port is used to link the appliance to the cluster, so apply the host IP address, netmask, and other values that are appropriate for this purpose (see Required IP Addresses and Subnets and Required Configuration Information for the values to enter).

Enter the configuration values for NETWORK ADAPTER #1, as shown in the table below.
Table 16: Primary Node Entries for Network Adapter #1: 10-Gbps Cluster Port (enp10s0)
Host IP address: Enter the IP address for the Cluster port. This is required. Note that you cannot change the address of the Cluster port later.
Netmask: Enter the netmask for the port's IP address. This is required.
Default Gateway IP address: Enter a default gateway IP address to use for the port.
Important Ensure that you enter a default gateway IP address for at least one of your appliance's interfaces. Otherwise, you will not be able to complete the configuration wizard.
DNS Servers: Enter the IP address of the preferred DNS server. If you are entering multiple DNS servers, separate the IP addresses in the list with spaces.
Important For each appliance in your cluster, configure a maximum of three DNS servers. Problems can occur if you configure more than three DNS servers for an appliance.
Static Routes: Enter one or more static routes in the following format, separated by spaces: <network>/<netmask>/<gateway>. This is usually required on the GUI port only.
Cluster Link: Check the check box to indicate that this port will be the link to a cluster. This is required on the Cluster port only.

After you finish entering the configuration values, click next>> to proceed. The wizard validates the values you entered and issues an error message if any are incorrect. If you receive an error message, check that the value you entered is correct, then reenter it. If needed, click <<back to reenter it.
Step 6 After successful validation of the Cluster port values you entered, the wizard presents the 1-Gbps Cisco DNA Center GUI port (1, enp1s0f0) as NETWORK ADAPTER #2. As explained in Interface Cable Connections, this port is used to access the Cisco DNA Center GUI from your management network. Apply the host IP address, netmask, and other values that are appropriate for this purpose (see Required IP Addresses and Subnets and Required Configuration Information for the values to enter).

Enter the configuration values for NETWORK ADAPTER #2, as shown in the table below.
Table 17: Primary Node Entries for Network Adapter #2: 1-Gbps GUI Port (enp1s0f0)
Host IP address: Enter the IP address for the 1-Gbps GUI Port. This is required only if you are using the GUI Port to access the Cisco DNA Center GUI from your management network; otherwise, you can leave it blank.
Netmask: Enter the netmask for the port's IP address. This is required if you enter an IP address.
Default Gateway IP address: Enter a default gateway IP address to use for the port.
Important Ensure that you enter a default gateway IP address for at least one of your appliance's interfaces. Otherwise, you will not be able to complete the configuration wizard.
DNS Servers: Enter the IP address of the preferred DNS server. If you are entering multiple DNS servers, separate the IP addresses in the list with spaces.
Important
· For NTP, ensure port 123 (UDP) is open between Cisco DNA Center and your NTP server.
· For each appliance in your cluster, configure a maximum of three DNS servers. Problems can occur if you configure more than three DNS servers for an appliance.
Static Routes: Enter one or more static routes in the following format, separated by spaces: <network>/<netmask>/<gateway>.
Cluster Link: Leave this field blank. It is required on the Cluster port only.

After you provide the necessary information, click next>> to proceed. Correct any validation errors as you did in previous screens.
Step 7 After successful validation of the Cisco DNA Center GUI port values you entered, the wizard presents the 1-Gbps Cloud port (2, enp1s0f1) as NETWORK ADAPTER #3. As explained in Interface Cable Connections, this is an optional port used to link the appliance to the Internet when you cannot do so through the 10-Gbps Enterprise port (Port 1, enp9s0). Apply the host IP address, netmask, and other values that are appropriate for this purpose (see Required IP Addresses and Subnets and Required Configuration Information for the values to enter).

Enter the configuration values for NETWORK ADAPTER #3, as shown in the table below.
Table 18: Primary Node Entries for Network Adapter #3: 1-Gbps Cloud Port (enp1s0f1)
Host IP address: Enter the IP address for the Cloud port. This is required only if you are using the Cloud port for internet connection; otherwise, you can leave it blank.
Netmask: Enter the netmask for the port's IP address. This is required if you enter an IP address.
Default Gateway IP address: Enter a default gateway IP address to use for the Cloud port.
Important Ensure that you enter a default gateway IP address for at least one of your appliance's interfaces. Otherwise, you will not be able to complete the configuration wizard.
DNS Servers: Enter the IP address of the preferred DNS server. If you are entering multiple DNS servers, separate the IP addresses in the list with spaces.
Important For each appliance in your cluster, configure a maximum of three DNS servers. Problems can occur if you configure more than three DNS servers for an appliance.
Static Routes: Enter one or more static routes in the following format, separated by spaces: <network>/<netmask>/<gateway>. This is usually required on the Cisco DNA Center GUI port only.
Cluster Link: Leave this field blank. It is required on the Cluster port only.

After you provide the necessary information, click next>> to proceed. Correct any validation errors as you did in previous screens.
Step 8 After successful validation of the Cloud port values you entered, the wizard presents the 10-Gbps Enterprise port (Port 1, enp9s0) as NETWORK ADAPTER #4. As explained in Interface Cable Connections, this port is required to link the appliance to the enterprise network. Apply the host IP address, netmask, and other values that are appropriate for this purpose (see Required IP Addresses and Subnets and Required Configuration Information for the values to enter).

Enter the configuration values for NETWORK ADAPTER #4, as shown in the table below.
Table 19: Primary Node Entries for Network Adapter #4: 10-Gbps Enterprise Port (enp9s0)
Host IP address: Enter the IP address for the 10-Gbps Enterprise port. This is required.
Netmask: Enter the netmask for the port's IP address. This is required.
Default Gateway IP address: Enter a default gateway IP address to use for the port.
Important Ensure that you enter a default gateway IP address for at least one of your appliance's interfaces. Otherwise, you will not be able to complete the configuration wizard.
DNS Servers: Enter the IP address of the preferred DNS server. If you are entering multiple DNS servers, separate the IP addresses in the list with spaces.
Important For each appliance in your cluster, configure a maximum of three DNS servers. Problems can occur if you configure more than three DNS servers for an appliance.
Static Routes: Enter one or more static routes in the following format, separated by spaces: <network>/<netmask>/<gateway>. This is usually required on the Cisco DNA Center GUI port only.
Cluster Link: Leave this field blank. It is required on the Cluster port only.

After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens. The wizard validates and applies your network adapter configurations.
Step 9 After the network adapter configuration is complete, the wizard prompts you to enter configuration values for the NETWORK PROXY you are using, as shown below.

Enter the configuration values for the NETWORK PROXY, as shown in the table below.
Table 20: Primary Node Entries for Network Proxy
HTTPS Proxy: Enter the URL or host name of an HTTPS network proxy used to access the Internet.
Note Connection from Cisco DNA Center to the HTTPS proxy is supported only via HTTP in this release.
HTTPS Proxy Username: Enter the user name used to access the network proxy. If no proxy login is required, leave this field blank.
HTTPS Proxy Password: Enter the password used to access the network proxy. If no proxy login is required, leave this field blank.

After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
Step 10 After network proxy configuration completes, the wizard prompts you to enter virtual IP addresses for the primary node, in MAGLEV CLUSTER DETAILS, as shown below.

Enter a space-separated list of the virtual IP addresses used for traffic between the cluster and your network. This is required for both three-node clusters and single-node clusters that will be converted into a three-node cluster in the future. If you have a single-node cluster setup and plan to stick with it, skip this step and proceed to Step 11.
Important You must enter one virtual IP address for each configured network interface. You will not be able to complete the wizard unless you do so. These addresses are tied to the cluster link's status, which must be in the UP state.
You also have the option to specify the fully qualified domain name (FQDN) for your cluster. Cisco DNA Center uses this domain name to do the following:
· It uses this hostname to access your cluster's web interface and the Representational State Transfer (REST) APIs used by devices in the enterprise network that Cisco DNA Center manages.
· In the Subject Alternative Name (SAN) field of Cisco DNA Center certificates, it uses the FQDN to define the Plug and Play server that should be used for device provisioning.
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
Step 11 After you have entered the virtual IP addresses, the wizard prompts you to enter USER ACCOUNT SETTINGS values, as shown below.

Enter the values for USER ACCOUNT SETTINGS, as shown in the table below.
Table 21: Primary Node Entries for User Account Settings
Linux Password: Enter a Linux password for the maglev user.
Re-enter Linux Password: Confirm the Linux password by entering it a second time.
Password Generation Seed: If you do not want to create the Linux password yourself, enter a seed phrase in this field and then press <Generate Password> to generate the password.
Auto Generated Password: (Optional) The seed phrase appears as part of a random and secure password. If desired, you can either use this password "as is", or you can further edit this auto-generated password. Press <Use Generated Password> to save the password.
Administrator Passphrase: Enter a password for the default admin superuser, used to log in to Cisco DNA Center for the first time.
Re-enter Administrator Passphrase: Confirm the administrator passphrase by entering it a second time.

After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
Step 12 After you have entered the user account details, the wizard prompts you to enter NTP SERVER SETTINGS values, as shown below.

Enter one or more NTP server addresses or hostnames, separated by spaces. At least one NTP address or hostname is required. For a production deployment, we recommend that you configure a minimum of three NTP servers.
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens. The wizard validates and applies your NTP server configuration.
Step 13 After you have specified the appropriate NTP servers, the wizard prompts you to enter MAGLEV ADVANCED SETTINGS values, as shown below.

Enter the configuration values for MAGLEV ADVANCED SETTINGS, as shown in the table below.
Table 22: Primary Node Entries for Maglev Advanced Settings
Container Subnet: A dedicated, non-routed IP subnet that Cisco DNA Center uses to manage internal services. By default, this is already set to 169.254.32.0/20, and we recommend that you use this subnet. If you choose to enter another subnet, ensure that it does not conflict with or overlap any other subnet used by the Cisco DNA Center internal network or an external network. For more information, see the Container Subnet description in Required IP Addresses and Subnets, on page 17.
Cluster Subnet: A dedicated, non-routed IP subnet that Cisco DNA Center uses to manage internal cluster services. By default, this is already set to 169.254.48.0/20, and we recommend that you use this subnet. If you choose to enter another subnet, ensure that it does not conflict with or overlap any other subnet used by the Cisco DNA Center internal network or an external network. For more information, see the Cluster Subnet description in Required IP Addresses and Subnets, on page 17.

When you are finished, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
Step 14 After you have entered the Maglev advanced settings, a final message appears, stating that the wizard is ready to apply the configuration (as shown below).
Click proceed>> to complete the configuration wizard. The host will reboot automatically and display messages on the KVM console as it applies your settings and brings up services. This process can take several hours. You can monitor its progress via the KVM console. At the end of the configuration process, the appliance power-cycles again, then displays a CONFIGURATION SUCCEEDED! message.
What to do next
· If you are deploying this appliance in standalone mode only, perform the first-time setup: First-Time Setup Workflow.
· If you are deploying this appliance as the primary node in a cluster, configure the second and third installed appliances in the cluster: Configure a Secondary Node.
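The notes attached to Tables 16 through 22 and to the MAGLEV CLUSTER DETAILS screen amount to a set of consistency rules for the values you will type into the wizard: valid IPv4 addresses and netmasks, non-overlapping interface subnets, a default gateway on at least one interface, at most three DNS servers per appliance, Cluster Link checked on the Cluster port only, static routes in <network>/<netmask>/<gateway> form, one virtual IP per configured interface when the node will join a cluster, at least one NTP server, and container and cluster subnets that overlap nothing else. The following Python script is an added example, not part of the Cisco guide or of the Maglev wizard; it applies those rules to a planned primary-node configuration before you sit down at the KVM console, so that an overlap or a missing gateway is caught on paper rather than as a wizard error. The Adapter and WizardInput classes, the validate function and every sample address (RFC 5737 documentation ranges plus a 10.10.0.0/24 enterprise subnet) are constructed for this example; reading the three-DNS-server limit as a count of distinct servers across all of an appliance's interfaces is my interpretation.

```python
import ipaddress
from dataclasses import dataclass, field
from itertools import combinations
from typing import Dict, List, Optional


@dataclass
class Adapter:
    """One NETWORK ADAPTER screen of the wizard; field names follow Tables 16 to 19."""
    name: str                                   # Linux interface name, e.g. "enp10s0"
    host_ip: Optional[str] = None
    netmask: Optional[str] = None
    gateway: Optional[str] = None
    dns: List[str] = field(default_factory=list)
    static_routes: List[str] = field(default_factory=list)  # "<network>/<netmask>/<gateway>"
    cluster_link: bool = False


@dataclass
class WizardInput:
    adapters: List[Adapter]
    virtual_ips: List[str]                      # MAGLEV CLUSTER DETAILS
    ntp_servers: List[str]                      # NTP SERVER SETTINGS
    will_cluster: bool = True                   # False only for a node that stays standalone
    container_subnet: str = "169.254.32.0/20"   # MAGLEV ADVANCED SETTINGS defaults (Table 22)
    cluster_subnet: str = "169.254.48.0/20"


CLUSTER_PORT = "enp10s0"
REQUIRED_IP = {"enp10s0", "enp9s0"}             # Cluster and Enterprise ports need an address


def _ipv4(value: Optional[str]) -> Optional[ipaddress.IPv4Address]:
    try:
        return ipaddress.IPv4Address(value)
    except (ValueError, TypeError):
        return None


def _network(addr: Optional[str], mask: Optional[str], strict: bool) -> Optional[ipaddress.IPv4Network]:
    """addr/mask as a network; strict=True rejects host bits set in a route's network part."""
    try:
        return ipaddress.IPv4Network(f"{addr}/{mask}", strict=strict)
    except ValueError:
        return None


def validate(cfg: WizardInput) -> List[str]:
    """Return every rule violation found; an empty list means the plan passes all checks."""
    errors: List[str] = []
    nets: Dict[str, ipaddress.IPv4Network] = {}
    dns_seen = set()
    for a in cfg.adapters:
        if not a.host_ip:
            if a.name in REQUIRED_IP:
                errors.append(f"{a.name}: host IP address is required")
            continue                            # GUI and Cloud ports may be left blank
        if _ipv4(a.host_ip) is None:
            errors.append(f"{a.name}: invalid host IP {a.host_ip!r}")
        net = _network(a.host_ip, a.netmask, strict=False)
        if net is None:
            errors.append(f"{a.name}: missing or invalid netmask {a.netmask!r}")
        else:
            nets[a.name] = net
        if a.gateway and _ipv4(a.gateway) is None:
            errors.append(f"{a.name}: invalid gateway {a.gateway!r}")
        for d in a.dns:
            if _ipv4(d) is None:
                errors.append(f"{a.name}: invalid DNS server {d!r}")
            dns_seen.add(d)
        for r in a.static_routes:
            p = r.split("/")
            if len(p) != 3 or _network(p[0], p[1], True) is None or _ipv4(p[2]) is None:
                errors.append(f"{a.name}: static route {r!r} is not <network>/<netmask>/<gateway>")
    for (n1, net1), (n2, net2) in combinations(nets.items(), 2):   # interface subnets must not overlap
        if net1.overlaps(net2):
            errors.append(f"subnet overlap: {n1} {net1} and {n2} {net2}")
    if not any(a.gateway for a in cfg.adapters):
        errors.append("no default gateway: at least one interface needs one")
    if len(dns_seen) > 3:
        errors.append(f"{len(dns_seen)} DNS servers entered; configure at most three per appliance")
    linked = [a.name for a in cfg.adapters if a.cluster_link]
    if linked != [CLUSTER_PORT]:
        errors.append(f"Cluster Link must be checked on {CLUSTER_PORT} only, found on {linked or 'no port'}")
    if cfg.will_cluster:                        # one valid virtual IP per configured interface
        configured = sum(1 for a in cfg.adapters if a.host_ip)
        if len(cfg.virtual_ips) != configured or any(_ipv4(v) is None for v in cfg.virtual_ips):
            errors.append(f"{len(cfg.virtual_ips)} virtual IP(s) for {configured} configured interfaces")
    internal: Dict[str, ipaddress.IPv4Network] = {}
    for label, cidr in (("container subnet", cfg.container_subnet), ("cluster subnet", cfg.cluster_subnet)):
        p = cidr.split("/")
        net = _network(p[0], p[1], True) if len(p) == 2 else None
        if net is None:
            errors.append(f"{label} {cidr!r} is not a valid network/prefix")
            continue
        internal[label] = net
        errors += [f"{label} {net} overlaps {n} {inet}" for n, inet in nets.items() if net.overlaps(inet)]
    if len(internal) == 2 and internal["container subnet"].overlaps(internal["cluster subnet"]):
        errors.append("container subnet and cluster subnet overlap each other")
    if not cfg.ntp_servers:
        errors.append("at least one NTP server is required")
    return errors


# Constructed sample plan for a first-generation primary node (RFC 5737 documentation
# addresses plus a private 10.10.0.0/24 enterprise subnet); not taken from the guide.
GOOD = WizardInput(
    adapters=[
        Adapter("enp10s0", "192.0.2.10", "255.255.255.0", cluster_link=True),            # Cluster port
        Adapter("enp1s0f0", "198.51.100.10", "255.255.255.0", "198.51.100.1",            # GUI port
                dns=["198.51.100.53", "198.51.100.54"],
                static_routes=["203.0.113.0/255.255.255.0/198.51.100.1"]),
        Adapter("enp1s0f1"),                                                            # Cloud port left blank
        Adapter("enp9s0", "10.10.0.10", "255.255.255.0", "10.10.0.1", dns=["198.51.100.53"]),  # Enterprise
    ],
    virtual_ips=["192.0.2.100", "198.51.100.100", "10.10.0.100"],
    ntp_servers=["10.10.0.123", "198.51.100.123", "ntp.example.net"],
)

if __name__ == "__main__":
    for problem in validate(GOOD) or ["no problems found"]:
        print(problem)
```

Run validate against your own plan before Step 4; every string it returns corresponds to a wizard rule quoted above, so an empty result means the values are at least internally consistent. A node that will stay standalone is modelled with will_cluster=False, which switches off the virtual-IP check exactly as Step 10 allows you to skip that screen.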
Configure a Secondary Node
Perform the steps in this procedure to configure the second and third appliances in the cluster.
Important In order to build a three-node cluster, the same version of the System package must be installed on your three Cisco DNA Center appliances. Otherwise, unexpected behavior and possible downtime can occur.

Note Ensure that all of the IP addresses you enter while completing this procedure are valid IPv4 addresses with valid IPv4 netmasks. Also make sure that the addresses and their corresponding subnets do not overlap. Service communication issues can result if they do.

Important Before you configure the appliances in a three-node cluster, ensure that you have logged out of those appliances. Otherwise, the Quick Start workflow (which you complete to discover your network's devices and enable telemetry) will not start when you log in to Cisco DNA Center for the first time after configuring your cluster's appliances.

When joining each new secondary node to the cluster, you must specify the first host in the cluster as the primary node. Note the following when joining secondary nodes to a cluster:
· Be sure to join only a single node to the cluster at a time. Do not attempt to add multiple nodes at the same time, because this results in unpredictable behavior.
· Before adding a new node to the cluster, be sure that all installed packages are deployed on the primary node. You can check this by using Secure Shell to log in to the primary node's Cisco DNA Center Management port as the Linux User (maglev) and then running the command maglev package status. All installed packages should appear in the command output as DEPLOYED. In the following example, a few packages were not installed, such as the application-policy and sd-access packages. They are the only packages whose status is NOT_DEPLOYED. Your package status should look similar to this before configuring a secondary node.

· Expect some service downtime during the cluster attachment process for each secondary node. Services will need to be redistributed across the nodes and the cluster will be down for periods of time during that process.
Before you begin
Ensure that you:
· Configured the first appliance in the cluster, following the steps in Configure the Primary Node.
· Collected all of the information specified in Required IP Addresses and Subnets and Required Configuration Information.
· Installed the second and third appliances, as described in Appliance Installation Workflow.
· Have done the following:
1. Ran the maglev package status command on the first appliance. You can also access this information from the Cisco DNA Center GUI by clicking the Help icon and choosing About > Packages.
2. Contacted the Cisco TAC, gave them the output of this command, and asked them to point you to the ISO that you should install on your second and third appliances.
· Configured Cisco IMC browser access on both secondary appliances, as described in Enable Browser Access to Cisco Integrated Management Controller.
· Checked that both the secondary node appliances' ports, and the switches they use, are properly configured, as described in Execute Preconfiguration Checks.
· Confirmed that you are using a compatible browser. For a list of compatible browsers, see the Release Notes document for the version of Cisco DNA Center you are installing.
· Enabled ICMP on the firewall between Cisco DNA Center and both the default gateway and the DNS server you specify in the following procedure. The Maglev Configuration wizard uses ping to verify the gateway and DNS server you specify. This ping might get blocked if a firewall is in place and ICMP is not enabled on that firewall. When this happens, you will not be able to complete the wizard.

Step 1

Point your browser to the Cisco IMC IP address you set during the Cisco IMC GUI configuration you performed, and log in to the Cisco IMC GUI as the Cisco IMC user (see Enable Browser Access to Cisco Integrated Management Controller).
After successful login, the appliance displays the Cisco Integrated Management Controller Chassis Summary window, with a hyperlinked menu at the top of the window, as shown below.

Step 2
From the hyperlinked menu, choose Launch KVM and then select either Java based KVM or HTML based KVM. If you select Java-based KVM, you will need to launch the Java startup file from your browser or file manager in order to view the KVM console in its own window. If you select HTML-based KVM, it launches the KVM console in a separate window or tab automatically.
Irrespective of the KVM type you choose, use the KVM console to monitor the progress of the configuration and respond to the Maglev Configuration wizard prompts.
Step 3
With the KVM displayed, reboot the appliance by choosing one of the following options:
· In the main Cisco IMC GUI browser window: Choose Host Power > Power Cycle, and switch to the KVM console to continue.
· In the KVM console: Choose Power > Power Cycle System (cold boot).
If you are asked to confirm your choice to reboot the appliance, click OK.
After displaying reboot messages, the KVM console displays the Maglev Configuration wizard welcome screen.

Step 4
Click Join a Cisco DNA Center Cluster to begin configuring the secondary node.
Step 5
The wizard discovers all of the ports on the appliance and presents them to you one by one, in separate screens, in the following order:
a. 10-Gbps Cluster port (Port 2, enp10s0, Network Adapter #1)
b. 1-Gbps Cisco DNA Center GUI port (1, enp1s0f0, Network Adapter #2)
c. 1-Gbps Cloud port (2, enp1s0f1, Network Adapter #3)
d. 10-Gbps Enterprise port (Port 1, enp9s0, Network Adapter #4)
Note If the wizard fails to display one or both of the 10-Gbps ports during the course of configuration, it might indicate that these ports are nonfunctional or disabled. These 10-Gbps ports are required for Cisco DNA Center functionality. If you discover that they are nonfunctional, choose cancel to exit the configuration wizard immediately. Be sure that you have completed all of the steps provided in Execute Preconfiguration Checks before resuming the configuration, or contact the Cisco Technical Assistance Center (for more information, see the "Get Assistance from the Cisco TAC" topic in the Release Notes document).
The wizard discovers the 10-Gbps Cluster port (Port 2, enp10s0) first, and presents it as NETWORK ADAPTER #1. As explained in Interface Cable Connections, this port is used to link the appliance to the cluster, so apply the host IP address, netmask, and other values that are appropriate for this purpose (see Required IP Addresses and Subnets and Required Configuration Information for the values to enter).

Enter configuration values for NETWORK ADAPTER #1 as shown in the table below.
Table 23: Secondary Node Entries for Network Adapter #1: 10-Gbps Cluster Port (enp10s0)
Host IP address: Enter the IP address for the Cluster port. This is required. Note that you cannot change the address of the Cluster port later.
Netmask: Enter the netmask for the port's IP address. This is required.
Default Gateway IP address: Enter a default gateway IP address to use for the port.
Important Ensure that you enter a default gateway IP address for at least one of your appliance's interfaces. Otherwise, you will not be able to complete the configuration wizard.
DNS Servers: Enter the IP address of the preferred DNS server. If you are entering multiple DNS servers, separate the IP addresses in the list with spaces.
Important For each appliance in your cluster, configure a maximum of three DNS servers. Problems can occur if you configure more than three DNS servers for an appliance.
Static Routes: Enter one or more static routes in the following format, separated by spaces: <network>/<netmask>/<gateway>. This is usually required on the Cisco DNA Center GUI port only.
Cluster Link: Check the check box to indicate that this port will be the link to a cluster. This is required on the Cluster port only.

Step 6
After you finish entering the configuration values, click next>> to proceed. The wizard validates the values you entered and issues an error message if any are incorrect. If you receive an error message, check that the value you entered is correct, then reenter it. If needed, click <<back to reenter it.
After successful validation of the Cluster port values you entered, the wizard presents the 1-Gbps Cisco DNA Center GUI port (1, enp1s0f0) as NETWORK ADAPTER #2. As explained in Interface Cable Connections, this port is used to access the Cisco DNA Center GUI from your management network. Apply the host IP address, netmask, and other values that are appropriate for this purpose (see Required IP Addresses and Subnets and Required Configuration Information for the values to enter).

Enter the configuration values for NETWORK ADAPTER #2, as shown in the table below.
Table 24: Secondary Node Entries for Network Adapter #2: 1-Gbps GUI Port (enp1s0f0)
Host IP address: Enter the IP address for the 1-Gbps GUI Port. This is required only if you are using the GUI Port to access the Cisco DNA Center GUI from your management network; otherwise, you can leave it blank.
Netmask: Enter the netmask for the port's IP address. This is required if you enter an IP address.
Default Gateway IP address: Enter a default gateway IP address to use for the port.
Important Ensure that you enter a default gateway IP address for at least one of your appliance's interfaces. Otherwise, you will not be able to complete the configuration wizard.
DNS Servers: Enter the IP address of the preferred DNS server. If you are entering multiple DNS servers, separate the IP addresses in the list with spaces.
Important
· For NTP, ensure port 123 (UDP) is open between Cisco DNA Center and your NTP server.
· For each appliance in your cluster, configure a maximum of three DNS servers. Problems can occur if you configure more than three DNS servers for an appliance.
Static Routes: Enter one or more static routes in the following format, separated by spaces: <network>/<netmask>/<gateway>.
Cluster Link: Leave this field blank. It is required on the Cluster port only.

Step 7
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
After successful validation of the Cisco DNA Center GUI port values you entered, the wizard presents the 1-Gbps Cloud port (2, enp1s0f1) as NETWORK ADAPTER #3. As explained in Interface Cable Connections, this is an optional port used to link the appliance to the Internet when you cannot do so through the 10-Gbps Enterprise port (Port 1, enp9s0). Apply the host IP address, netmask, and other values that are appropriate for this purpose (see Required IP Addresses and Subnets and Required Configuration Information for the values to enter).

Enter the configuration values for NETWORK ADAPTER #3, as shown in the table below.
Table 25: Secondary Node Entries for Network Adapter #3: 1-Gbps Cloud Port (enp1s0f1)
Host IP address: Enter the IP address for the Cloud port. This is required only if you are using the Cloud port for internet connection; otherwise, you can leave it blank.
Netmask: Enter the netmask for the port's IP address. This is required if you enter an IP address.
Default Gateway IP address: Enter a default gateway IP address to use for the Cloud port.
Important Ensure that you enter a default gateway IP address for at least one of your appliance's interfaces. Otherwise, you will not be able to complete the configuration wizard.
DNS Servers: Enter the IP address of the preferred DNS server. If you are entering multiple DNS servers, separate the IP addresses in the list with spaces.
Important For each appliance in your cluster, configure a maximum of three DNS servers. Problems can occur if you configure more than three DNS servers for an appliance.
Static Routes: Enter one or more static routes in the following format, separated by spaces: <network>/<netmask>/<gateway>. This is usually required on the GUI port only.
Cluster Link: Leave this field blank. It is required on the Cluster port only.

Step 8
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
After successful validation of the Cloud port values you entered, the wizard presents the 10-Gbps Enterprise port (Port 1, enp9s0) as NETWORK ADAPTER #4. As explained in Interface Cable Connections, this port is required to link the appliance to the enterprise network. Apply the host IP address, netmask, and other values that are appropriate for this purpose (see Required IP Addresses and Subnets and Required Configuration Information for the values to enter).

Enter the configuration values for NETWORK ADAPTER #4, as shown in the table below.
Table 26: Secondary Node Entries for Network Adapter #4: 10-Gbps Enterprise Port (enp9s0)
Host IP address: Enter the IP address for the 10-Gbps Enterprise port. This is required.
Netmask: Enter the netmask for the port's IP address. This is required.
Default Gateway IP address: Enter a default gateway IP address to use for the port.
Important Ensure that you enter a default gateway IP address for at least one of your appliance's interfaces. Otherwise, you will not be able to complete the configuration wizard.
DNS Servers: Enter the IP address of the preferred DNS server. If you are entering multiple DNS servers, separate the IP addresses in the list with spaces.
Important For each appliance in your cluster, configure a maximum of three DNS servers. Problems can occur if you configure more than three DNS servers for an appliance.
Static Routes: Enter one or more static routes in the following format, separated by spaces: <network>/<netmask>/<gateway>. This is usually required on the GUI port only.
Cluster Link: Leave this field blank. It is required on the Cluster port only.

Step 9
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
After the network adapter configuration is complete, the wizard prompts you to enter configuration values for the NETWORK PROXY that you are using, as shown below.

Enter the configuration values for the NETWORK PROXY, as shown in the table below.
Table 27: Secondary Node Entries for Network Proxy
HTTPS Proxy: Enter the URL or host name of an HTTPS network proxy used to access the Internet.
Note Connection from Cisco DNA Center to the HTTPS proxy is supported only through HTTP in this release.
HTTPS Proxy Username: Enter the user name used to access the network proxy. If no proxy login is required, leave this field blank.
HTTPS Proxy Password: Enter the password used to access the network proxy. If no proxy login is required, leave this field blank.

Step 10
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
After network proxy configuration completes, the wizard prompts you to identify the Cluster port on the primary node, and primary node login details, in MAGLEV CLUSTER DETAILS, as shown below.

Enter the values for MAGLEV CLUSTER DETAILS, as shown in the table below.
Table 28: Secondary Node Entries for Maglev Cluster Details
Maglev Primary Node: Enter the IP address of the Cluster port on the primary node in the cluster. If you have followed the recommendations for port assignment, this will be the IP address of Port 2, enp10s0, Network Adapter #1 on the primary node.
Username: Enter maglev.
Password: Enter the Linux password you configured on the primary node.

Step 11
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
After you have entered the Maglev cluster details, the wizard prompts you to enter USER ACCOUNT SETTINGS values for this secondary node, as shown below.

Enter the values for USER ACCOUNT SETTINGS, as shown in the table below.
Table 29: Secondary Node Entries for User Account Settings
Linux Password: Enter a Linux password for the maglev user.
Re-enter Linux Password: Confirm the Linux password by entering it a second time.
Password Generation Seed: If you do not want to create the Linux password yourself, enter a seed phrase in this field and then press <Generate Password> to generate the password.
Auto Generated Password: (Optional) The seed phrase appears as part of a random and secure password. If required, you can either use this password as is, or you can further edit this auto-generated password. Click <Use Generated Password> to save the password.
Administrator Passphrase: Enter a password for the default admin superuser, used to log in to Cisco DNA Center for the first time.
Re-enter Administrator Passphrase: Confirm the administrator passphrase by entering it a second time.

Step 12
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
After you have entered the user account details, the wizard prompts you to enter NTP SERVER SETTINGS values, as shown below.

Step 13

Enter one or more NTP server addresses or hostnames, separated by spaces. At least one NTP address or hostname is required. They should be the same NTP servers you specified for the primary node.
After you provide the necessary information, click next>> to proceed. Correct validation errors, if any, as you did in previous screens.
When you are finished entering the NTP server settings, a final message appears, stating that the wizard is ready to apply the configuration (as shown below).

Click proceed>> to complete the configuration wizard. The host will reboot automatically and display messages on the KVM console as it applies your settings and brings up services. This process can take several hours. You can monitor its progress via the KVM console. At the end of the configuration process, the appliance power-cycles again, then displays a CONFIGURATION SUCCEEDED! message.
What to do next
· If you have an additional appliance to deploy as the third and final node in the cluster, repeat this procedure.
· If you have finished adding hosts to the cluster, perform the first-time setup: First-Time Setup Workflow.
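Before typing the adapter values into the wizard, it helps to check them against the rules the tables above state. The following Go program is an added example, not part of this guide or of Cisco DNA Center: it applies the rules from Tables 23 to 26 (address and netmask required on the Cluster and Enterprise ports, a default gateway on at least one interface, at most three DNS servers per appliance, the <network>/<netmask>/<gateway> static-route format, Cluster Link on the Cluster port only) to a constructed set of entries. Reading the DNS limit as a count of distinct servers across all four adapters, and accepting only dotted contiguous netmasks, are assumptions of the example.

```go
package main

import (
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// AdapterEntry mirrors the fields of one NETWORK ADAPTER wizard screen, as the operator types them.
type AdapterEntry struct {
	Name         string // "Cluster", "GUI", "Cloud" or "Enterprise"
	HostIP       string
	Netmask      string
	Gateway      string
	DNSServers   string // space-separated, as typed in the wizard
	StaticRoutes string // space-separated <network>/<netmask>/<gateway>
	ClusterLink  bool
}

func isIPv4(s string) bool {
	ip := net.ParseIP(s)
	return ip != nil && ip.To4() != nil
}

// isNetmask accepts only a contiguous dotted mask such as 255.255.255.0.
func isNetmask(s string) bool {
	if !isIPv4(s) {
		return false
	}
	inv := ^binary.BigEndian.Uint32(net.ParseIP(s).To4())
	return inv&(inv+1) == 0 // mask bits must be 1...10...0
}

// ValidateStaticRoutes checks a space-separated route list against the <network>/<netmask>/<gateway> format.
func ValidateStaticRoutes(routes string) []string {
	var problems []string
	for _, r := range strings.Fields(routes) {
		p := strings.Split(r, "/")
		if len(p) != 3 || !isIPv4(p[0]) || !isNetmask(p[1]) || !isIPv4(p[2]) {
			problems = append(problems, "route "+r+": expected <network>/<netmask>/<gateway>")
		}
	}
	return problems
}

// ValidateNode applies the rules of Tables 23 to 26 to all four adapters of one node.
func ValidateNode(adapters []AdapterEntry) []string {
	var problems []string
	gateways := 0
	dns := map[string]bool{} // distinct servers across all adapters (assumed reading of the limit)
	for _, a := range adapters {
		bad := func(msg string) { problems = append(problems, a.Name+": "+msg) }
		required := a.Name == "Cluster" || a.Name == "Enterprise"
		if a.HostIP == "" && required {
			bad("host IP address is required")
		} else if a.HostIP != "" && (!isIPv4(a.HostIP) || !isNetmask(a.Netmask)) {
			bad("host IP address and netmask must both be valid IPv4 values")
		}
		if a.Gateway != "" && !isIPv4(a.Gateway) {
			bad("default gateway is not a valid IPv4 address")
		} else if a.Gateway != "" {
			gateways++
		}
		for _, d := range strings.Fields(a.DNSServers) { // the wizard pings each server itself
			dns[d] = true
		}
		for _, p := range ValidateStaticRoutes(a.StaticRoutes) {
			bad(p)
		}
		if a.ClusterLink != (a.Name == "Cluster") {
			bad("Cluster Link must be checked on the Cluster port and left blank elsewhere")
		}
	}
	if gateways == 0 {
		problems = append(problems, "no adapter has a default gateway; the wizard cannot complete")
	}
	if len(dns) > 3 {
		problems = append(problems, fmt.Sprintf("%d DNS servers configured; the maximum per appliance is three", len(dns)))
	}
	return problems
}

// SampleNode is a constructed set of entries (not from the guide) with a malformed route and a fourth DNS server.
func SampleNode() []AdapterEntry {
	return []AdapterEntry{
		{Name: "Cluster", HostIP: "192.0.2.11", Netmask: "255.255.255.0", ClusterLink: true},
		{Name: "GUI", HostIP: "198.51.100.11", Netmask: "255.255.255.0", Gateway: "198.51.100.1",
			DNSServers: "198.51.100.53 198.51.100.54", StaticRoutes: "10.0.0.0/255.0.0.0/198.51.100.1 10.1.0.0/24"},
		{Name: "Cloud"},
		{Name: "Enterprise", HostIP: "203.0.113.11", Netmask: "255.255.255.0", DNSServers: "203.0.113.53 203.0.113.54"},
	}
}

func main() {
	for _, p := range ValidateNode(SampleNode()) {
		fmt.Println(p)
	}
}
```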
Upgrade to the Latest Cisco DNA Center Release
For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.
CHAPTER 6
Complete First-Time Setup
· First-Time Setup Workflow, on page 95
· Compatible Browsers, on page 95
· Complete the Quick Start Workflow, on page 95
· Integrate Cisco ISE with Cisco DNA Center, on page 100
· Configure Authentication and Policy Servers, on page 105
· Configure SNMP Properties, on page 109
First-Time Setup Workflow
After you finish configuring all of the Cisco DNA Center appliances you have installed, perform the tasks described in this chapter to prepare Cisco DNA Center for production use. Note the following points:
· For the parameter information you need to complete this work, see Required First-Time Setup Information.
· If you plan to deploy high availability (HA) in your production environment, you will need to redistribute services among your cluster nodes to optimize HA operation (see Activate High Availability, on page 119). Complete this step after you have configured the SNMP settings for your appliances.
Compatible Browsers
The Cisco DNA Center GUI is compatible with the following HTTPS-enabled browsers:
· Google Chrome: Version 73.0 or later.
· Mozilla Firefox: Version 65.0 or later.
We recommend that the client systems you use to log in to Cisco DNA Center be equipped with 64-bit operating systems and browsers.
Complete the Quick Start Workflow
After you have installed and configured the Cisco DNA Center appliance, you can log in to its GUI. Use a compatible, HTTPS-enabled browser when accessing Cisco DNA Center.
When you log in for the first time as the admin superuser (with the username admin and the SUPER-ADMIN-ROLE assigned), the Quick Start workflow automatically starts. Complete this workflow to discover the devices that Cisco DNA Center will manage and enable the collection of telemetry from those devices.
Before you begin To log in to Cisco DNA Center and complete the Quick Start workflow, you will need:
· The admin superuser username and password that you specified while completing the procedure described in Configure the Primary Node, on page 60.
· The information described in Required First-Time Setup Information, on page 33.

Step 1
After the Cisco DNA Center appliance reboot is completed, launch your browser.
Step 2
Enter the host IP address to access the Cisco DNA Center GUI, using HTTPS:// and the IP address of the Cisco DNA Center GUI that was displayed at the end of the configuration process. After entering the IP address, one of the following messages appears (depending on the browser you are using):
· Google Chrome: Your connection is not private
· Mozilla Firefox: Warning: Potential Security Risk Ahead
Step 3
Ignore the message and click Advanced. One of the following messages appears:
· Google Chrome: This server could not prove that it is GUI-IP-address; its security certificate is not trusted by your computer's operating system. This may be caused by a misconfiguration or an attacker intercepting your connection.
· Mozilla Firefox: Someone could be trying to impersonate the site and you should not continue. Websites prove their identity via certificates. Firefox does not trust GUI-IP-address because its certificate issuer is unknown, the certificate is self-signed, or the server is not sending the correct intermediate certificates.
These messages appear because the controller uses a self-signed certificate. For information on how Cisco DNA Center uses certificates, see the "Certificate and Private Key Support" section in the Cisco DNA Center Administrator Guide.
Step 4
Ignore the message and do one of the following:
· Google Chrome: Click the Proceed to GUI-IP-address (unsafe) link.
· Mozilla Firefox: Click Accept the Risk and Continue.
The Cisco DNA Center login screen appears.
Step 5
Enter the admin's username (admin) and password that you set when you configured Cisco DNA Center, then click Log In. In the resulting screen, you are prompted to specify a new admin password (as a security measure).

Cisco DNA Center First-Generation Appliance Installation Guide, Release 2.2.3 96

Complete First-Time Setup

Complete the Quick Start Workflow

Step 6 Step 7
Step 8 Step 9

Do the following, then click Next: a) Enter the same admin password you specified in Step 5. b) Enter and confirm a new admin password. In the resulting screen, enter your cisco.com username and password and then click Next. These credentials are used to register software downloads and receive system communications. The Terms & Conditions screen opens, providing links to the software End User License Agreement (EULA) and any supplemental terms that are currently available.
After reviewing these documents, click Next to accept the EULA. The Quick Start Overview slider opens. Click > to view a description of the tasks that the Quick Start workflow will help you complete in order to start using Cisco DNA Center.
Complete the Quick Start workflow: a) Click Let's Do it. b) In the Discover Devices: Provide IP Ranges screen, enter the following information and then click Next:
· The name for the device discovery job.
· The IP address ranges of the devices you want to discover. Click + to enter additional ranges.
· Specify whether you want to designate your appliance's loopback address as its preferred management IP address. For more information, see the "Preferred Management IP Address" topic in the Cisco DNA Center User Guide.

c) In the Discover Devices: Provide Credentials screen, enter the information described in the following table for the type of credentials you want to configure and then click Next:

CLI (SSH) Credentials
Username: Username used to log in to the CLI of the devices in your network.
Password: Password used to log in to the CLI of the devices in your network.
Name/Description: Name or description of the CLI credentials.
Enable Password: Password used to enable a higher privilege level in the CLI. Configure this password only if your network devices require it.
SNMP Credentials: SNMPv2c Read tab
Name/Description: Name or description of the SNMPv2c read community string.
Community String: Read-only community string password used only to view SNMP information on the device.
SNMP Credentials: SNMPv2c Write tab
Name/Description: Name or description of the SNMPv2c write community string.
Community String: Write community string used to make changes to the SNMP information on the device.
SNMP Credentials: SNMPv3
Name/Description: Name or description of the SNMPv3 credentials.
Username: Username associated with the SNMPv3 credentials.
Mode: Security level that SNMP messages require:
· No Authentication, No Privacy (noAuthnoPriv): Does not provide authentication or encryption.
· Authentication, No Privacy (authNoPriv): Provides authentication, but does not provide encryption.
· Authentication and Privacy (authPriv): Provides both authentication and encryption.
Authentication Password: Password required to gain access to information from devices that use SNMPv3. The password must be at least eight characters in length. Note the following points:
· Some wireless controllers require that passwords be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.
· Passwords are encrypted for security reasons and are not displayed in the configuration.
Authentication Type: Hash-based Message Authentication Code (HMAC) type used when either Authentication and Privacy or Authentication, No Privacy is set as the authentication mode:
· SHA: HMAC-SHA authentication.
· MD5: HMAC-MD5 authentication.
Privacy Type: Privacy type used when Authentication and Privacy is set as the authentication mode:
· DES: 56-bit DES encryption.
Note DES encryption is being deprecated and will be removed in a future release.
· AES128: 128-bit AES encryption.
· None: No privacy.
Privacy Password: Password used to generate the secret key for encrypting messages that are exchanged with devices that support DES or AES128 encryption. Passwords must be at least eight characters long. Note the following points:
· Some wireless controllers require that passwords be at least 12 characters long. Be sure to check the minimum password requirements for your wireless controllers. Failure to ensure these required minimum character lengths for passwords results in devices not being discovered, monitored, or managed by Cisco DNA Center.
· Passwords are encrypted for security reasons and are not displayed in the configuration.
NETCONF Port: The NETCONF port that Cisco DNA Center should use in order to discover wireless controllers that run Cisco IOS-XE.

d) In the Create Site screen, group the devices you are going to discover into one site in order to facilitate telemetry and then click Next.
You can enter the site's information manually or click the location you want to use in the provided map.
e) In the Enable Telemetry screen, check the network components that you want Cisco DNA Center to collect telemetry for and then click Next.
To open a pop-up window that lists the commands Cisco DNA Center will send to enable telemetry on a particular component, click its View Sample Commands link.
f) In the Summary screen, review the settings that you have entered and then do one of the following:
· If you want to make changes, click the appropriate Edit link to open the relevant screen.
· If you're happy with the settings, click Start Discovery and Telemetry. Cisco DNA Center validates your settings to ensure that they will not result in any issues. After validation is complete, the screen updates.
Cisco DNA Center begins the process of discovering your network's devices and enabling telemetry for the network components you selected. The process will take a minimum of 30 minutes (more for larger networks).

g) Click Launch Homepage to open the Cisco DNA Center homepage.
While Cisco DNA Center discovers your network's devices and enables telemetry, you can familiarize yourself with the functionality that the product provides. Begin by clicking Launch Homepage. Then click the Explore link to open a page that provides pointers to product documentation and videos.
A message appears at the top of the homepage to indicate when the Quick Start workflow has completed.

Integrate Cisco ISE with Cisco DNA Center
Cisco DNA Center provides a mechanism to create a trusted communications link with Cisco ISE and to share data with Cisco ISE in a secure manner. After Cisco ISE is registered with Cisco DNA Center, any device that Cisco DNA Center discovers, along with relevant configuration and other data, is pushed to Cisco ISE. You can use Cisco DNA Center to discover devices and then apply both Cisco DNA Center and Cisco ISE functions to them because these devices will be displayed in both the applications. Cisco DNA Center and Cisco ISE devices are all uniquely identified by their device names. As soon as the devices are provisioned and assigned to a particular site in the Cisco DNA Center site hierarchy, Cisco DNA Center devices are pushed to Cisco ISE. Any updates to a Cisco DNA Center device (such as changes to IP address, SNMP or CLI credentials, Cisco ISE shared secret, and so on) will be sent to the corresponding device instance on ISE automatically. Note that Cisco DNA Center devices are pushed to Cisco ISE only when these devices are associated with a particular site where Cisco ISE is configured as its AAA server.
Before you begin
Before attempting to integrate Cisco ISE with Cisco DNA Center, ensure that you have met the following prerequisites:
· You have deployed one or more Cisco ISE hosts on your network. For information on supported Cisco ISE versions, see Cisco DNA Center Supported Devices. For information on installing Cisco ISE, see the Cisco Identity Services Engine Install and Upgrade guides.
· If you have a standalone ISE deployment, you must integrate Cisco DNA Center with the Cisco ISE node and enable the pxGrid service and External RESTful Services (ERS) on that node.
Note Although pxGrid 2.0 allows up to four pxGrid nodes in the Cisco ISE deployment, Cisco DNA Center releases earlier than 2.2.1.x do not support more than two pxGrid nodes.
· If you have a distributed Cisco ISE deployment:
  · You must integrate Cisco DNA Center with the primary policy administration node (PAN), and enable ERS on the PAN.
  Note We recommend that you use ERS through the PAN. However, for backup, you can enable ERS on the PSNs.
  · You must enable the pxGrid service on one of the Cisco ISE nodes within the distributed deployment. Although you can choose to do so, you do not have to enable pxGrid on the PAN. You can enable pxGrid on any Cisco ISE node in your distributed deployment.
  · The PSNs that you configure in Cisco ISE to handle TrustSec or SD Access content and PACs must also be defined in Work Centers > Trustsec > Trustsec Servers > Trustsec AAA Servers. For more information, see the Cisco Identity Services Engine Administrator Guide.
· You must enable communication between Cisco DNA Center and Cisco ISE on the following ports: 22, 443, 5222, 8910, and 9060.
· The Cisco ISE host on which pxGrid is enabled must be reachable from Cisco DNA Center on the IP address of the Cisco ISE eth0 interface.
· The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.
· The Cisco ISE admin node certificate must contain the Cisco ISE IP address or FQDN in either the certificate subject name or the Subject Alternative Name (SAN).
· The Cisco DNA Center system certificate must list both the Cisco DNA Center appliance IP address and FQDN in the SAN field.

Note For Cisco ISE 2.4 Patch 13, 2.6 Patch 7, and 2.7 Patch 3, if you are using the Cisco ISE default self-signed certificate as the pxGrid certificate, Cisco ISE might reject that certificate after applying those patches. This is because the older versions of that certificate have the Netscape Cert Type extension specified as the SSL server, which now fails (because a client certificate is required).
This issue does not occur in Cisco ISE 3.0 and later. For more information, see the Cisco ISE Release Notes.
For more information about configuring Cisco ISE for Cisco DNA Center, see the "Integration with Cisco DNA Center" topic in the Cisco Identity Services Engine Administrator Guide.

Step 1
Enable the pxGrid service and ERS on Cisco ISE:
a) Log in to the primary policy administration node.
b) In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Deployment.
The Deployment Nodes window appears.
c) Click the hostname of the Cisco ISE node on which you want to enable the pxGrid service. In a distributed deployment, this can be any Cisco ISE node in the deployment.
The Edit Node window appears.
d) In the General Settings tab, check the pxGrid check box, and click Save.
e) In the Cisco ISE GUI, click the Menu icon ( ) and choose Administration > System > Settings.
f) From the left navigation pane, click ERS Settings to open the ERS Settings window.
g) Click the Enable ERS for Read/Write radio button, and then click OK in the notification prompt.
h) Click Save.
Step 2
Add the Cisco ISE node to Cisco DNA Center as a AAA server:
a) Log in to the Cisco DNA Center GUI.
b) Click the Menu icon ( ) and choose System > System 360.
c) In the Identity Services Engine (ISE) pane, click the Configure link.
d) From the Authentication and Policy Servers window, click Add and choose ISE from the drop-down list.
e) Enter the following details in the Add ISE server slide-in pane:
· In the Server IP Address field, enter the IP address of the Cisco ISE server.
· Enter the Shared Secret used to secure communications between your network devices and Cisco ISE.
· In the Username and Password fields, enter the corresponding Cisco ISE admin credentials.
· Enter the FQDN for the Cisco ISE node.
· (Optional) Enter the virtual IP address of the load balancer behind which the Cisco ISE PSNs are located. If you have multiple policy service node farms behind different load balancers, you can enter a maximum of six virtual IP addresses.
· Connect to pxGrid: Check this check box under Advanced Settings to enable pxGrid connection.
If you want to use the Cisco DNA Center system certificate as the pxGrid client certificate (sent to ISE to authenticate the Cisco DNA Center system as a pxGrid client), check the Use Cisco DNA Center Certificate for pxGrid check box. You can use this option if all the certificates that are used in your operating environments must be generated by the same Certificate Authority (CA). If this option is disabled, Cisco DNA Center will send a request to Cisco ISE to generate a pxGrid client certificate for the system to use.
When you enable this option, ensure that:
  · The Cisco DNA Center certificate is generated by the same CA as is in use by Cisco ISE (otherwise the pxGrid authentication will fail).
  · The Certificate Extended Key Use (EKU) field includes "Client Authentication".

f) Click Add.
When the integration with Cisco ISE is initiated, you will see a notification that the certificate from Cisco ISE is not yet trusted. You can view the certificate to see the details.
Click Accept to trust the certificate and continue with the integration process, or choose Decline if you do not wish to trust the certificate and terminate the integration process.
After the integration completes successfully, a confirmation message is displayed.
If there is any issue in the integration process, an error message is displayed. An option to edit or retry is displayed where applicable.
· If the error message says that the Cisco ISE Admin credentials are invalid, click Edit and re-enter the correct information.
· If errors are found with certificates in the integration process, you must delete the Cisco ISE server entry and restart the integration from the beginning after the certificate issue has been resolved.

Step 3
Verify that Cisco DNA Center is connected to Cisco ISE, and that the Cisco ISE SGT groups and devices are pushed to Cisco DNA Center:
a) Log in to the Cisco DNA Center GUI.
b) Click the Menu icon ( ) and choose System > System 360.
c) In the Identity Services Engine (ISE) pane, verify that the status of all listed ISE servers is displayed as Available or Configured.
d) In the Identity Services Engine (ISE) pane, click the Update link.
e) From the Authentication and Policy Servers window, verify that the status of the Cisco ISE AAA server is still Active.

Step 4
Verify that Cisco ISE is connected to Cisco DNA Center and that the connection has subscribers:
a) Log in to the Cisco ISE nodes that are shown as pxGrid servers in the Identity Services Engine (ISE) pane.
b) Choose Administration > pxGrid Services and click the Web Clients tab.
You should see the pxGrid clients in the list with the IP address of the Cisco DNA Center server.

Group-Based Access Control: Policy Data Migration and Synchronization
When You Start Using Cisco DNA Center
In earlier releases of Cisco DNA Center, the Group-Based Access Control policy function stored some policy Access Contracts and Policies locally in Cisco DNA Center. Cisco DNA Center also propagated that data to Cisco ISE. Cisco ISE provides the runtime policy services to the network, which includes group-based access control policy downloads to the network devices. Usually, the policy information in Cisco DNA Center matches the policy information in Cisco ISE, but it is possible for the two to be out of sync and inconsistent. Because of this, after installing or upgrading to Cisco DNA Center, the following steps are necessary before you can use the Group-Based Access Control capabilities.
· Integrate Cisco ISE with Cisco DNA Center, if it is not already integrated.
· Upgrade Cisco ISE, if the version is not the minimum required. See the Cisco DNA Center Release Notes for the required versions of Cisco ISE.
· Perform Policy Migration and Synchronization.
What Is "Migration and Synchronization"?
Cisco DNA Center reads all the Group-Based Access Control policy data in the integrated Cisco ISE and compares that data with the policy data in Cisco DNA Center. If you upgraded from an earlier version, existing policy data is retained. You must synchronize the policies before you can manage Group-Based Access Control Policy in Cisco DNA Center.
How Does Migration and Synchronization Work?
Usually, the policy data in Cisco ISE and in Cisco DNA Center is consistent, so no special handling or conversion of data is necessary. Sometimes, when there are minor discrepancies or inconsistencies, only some of the data is converted during the migration. If there is a conflict, the data in Cisco ISE is given precedence, so as not to introduce changes in policy behavior in the network. The following list describes the actions taken during migration:
· Scalable Groups: The Scalable Group Tag (SGT), which is a numeric value, uniquely identifies a Scalable Group. Cisco ISE Security Groups are compared to Scalable Groups in Cisco DNA Center.
  · When the Name and SGT value are the same, nothing is changed. The information in Cisco DNA Center is consistent with Cisco ISE and does not need to be changed.
  · When a Cisco ISE Security Group SGT value does not exist in Cisco DNA Center, a new Scalable Group is created in Cisco DNA Center. The new Scalable Group is given the default association of "Default_VN."
  · When a Cisco ISE Security Group SGT value exists in Cisco DNA Center, but the names do not match, the name from Cisco ISE Security Group replaces the name of that Scalable Group in Cisco DNA Center.
  · When the Cisco ISE Security Group Name is the same, but the SGT value is different, the Security Group from Cisco ISE is migrated. It retains the name and tag value, and the Cisco DNA Center Scalable Group is renamed. A suffix of "_DNA" is added.
· Contracts: All the SGACLs in Cisco ISE that are referenced by policies are compared to Contracts in Cisco DNA Center.
  · When the SGACL and Contract have the same name and content, there is no need for further action. The information in Cisco DNA Center is consistent with Cisco ISE and does not need to be changed.
  · When the SGACL and Contract have the same name, but the content is different, the SGACL content from Cisco ISE is migrated. The previous Contract content in Cisco DNA Center is discarded.
  · When the SGACL name does not exist in Cisco DNA Center, a new Contract with that name is created, and the SGACL content from Cisco ISE is migrated.
Note When creating new Access Contracts based on Cisco ISE SGACL content, Cisco DNA Center parses the text command lines, and, where possible, renders these SGACL commands as a modeled Access Contract. Each ACE line renders as an "Advanced" application line. If a Cisco ISE SGACL contains text that cannot be parsed successfully, the text content of the SGACL is not converted into modeled format. It is stored as raw command line text. These SGACL text contracts may be edited, but no parsing or syntax checking of the text content is performed during migration.
· Policies: A Policy is uniquely identified by a source group-destination group pair. All Cisco ISE TrustSec Egress Policy Matrix policies are compared to the policies in Cisco DNA Center.
  · When a policy for a source group-destination group references the same SGACL/Contract name in Cisco ISE, no changes are made.
  · When a policy for a source group-destination group references a different SGACL/Contract name in Cisco ISE, the Cisco ISE Contract name is referenced in the policy. This overwrites the previous Contract reference in Cisco DNA Center.
  · The Cisco ISE default policy is checked and migrated to Cisco DNA Center.

Note Cisco DNA Center supports a single contract in access policies. Cisco ISE has an option to use multiple SGACLs in access policies, but this option is not enabled by default in Cisco ISE, and in general is not widely used. Existing SDA customers who have been using the previous release of Cisco DNA Center to manage Group-Based Access Control policy did not use this option.
If you enabled the option to allow multiple SGACLs on Cisco ISE and used this when creating policies, those policies cannot be migrated to Cisco DNA Center in this release. The specific policy features that make use of the "multiple SGACL" option and cannot be migrated are:
· Multiple SGACLs in a policy.
· Policy Level catch-all rules set to "Permit" or "Deny." Only the value of "None" is currently supported for migration to Cisco DNA Center.
· Default Policy set to use a customer-created SGACL, but only the standard values of "Permit IP," "Permit_IP_Log," "Deny IP," and "Deny_IP_Log" are currently supported for migration to Cisco DNA Center.
If any of the preceding SGACLs are detected during the policy migration and synchronization operation, a notification is generated, and you must choose between the following options to continue:
· Manage Group-Based Access Control policy in Cisco DNA Center: If this option is selected, all management of Group-Based Access Control Policy is done in Cisco DNA Center. The user interface screens in Cisco ISE for management of Cisco ISE Security Groups, SGACLs, and Egress Policies are available in Read-Only mode. If there were any issues migrating policies (due to use of multiple SGACLs in Cisco ISE), those policies have no contract selected in Cisco DNA Center. The policy uses the default policy, and you can select a new contract for those policies after completing the migration. If there was a problem migrating the default policy, the default policy is set to "Permit."
· Manage Group-Based Access Control Policy in Cisco ISE: If this option is selected, Cisco DNA Center Group-Based Access Control policy management is inactive. No changes are made to Cisco ISE and there is no effect on policy enforcement in the network. Group-Based Access Control policy is managed in Cisco ISE at the TrustSec workcenter.
· Manage Group-Based Access Control policy in both Cisco DNA Center and Cisco ISE: This option is not recommended for general use, because policy changes made in Cisco ISE are not synchronized with Cisco DNA Center. The two systems cannot be kept in sync. This option is intended as a short-term or interim option, and should only be considered when you enabled the "Allow Multiple SGACLs" option in Cisco ISE. Use this option if you need more time and flexibility updating Cisco ISE.
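The migration rules above (Scalable Groups, Contracts, Policies, the default policy, and the multiple-SGACL cases that cannot be migrated) can be modeled to see exactly which records change. The following is an added example, not Cisco DNA Center or Cisco ISE code; the Group and IsePolicy structures, the migrate_* functions, and the sample group names, tags and SGACL text are assumptions constructed for the illustration.

```python
"""Model of the Group-Based Access Control migration rules. Added example,
not Cisco code; names and sample data are assumptions for illustration."""
from dataclasses import dataclass

DEFAULT_VN = "Default_VN"   # VN given to Scalable Groups created from ISE
DNA_SUFFIX = "_DNA"         # suffix added to a renamed DNA Center group
SUPPORTED_DEFAULTS = {"Permit IP", "Permit_IP_Log", "Deny IP", "Deny_IP_Log"}


@dataclass
class Group:
    """A Cisco ISE Security Group or a DNA Center Scalable Group."""
    name: str
    sgt: int                # Scalable Group Tag, the unique identifier
    vn: str = DEFAULT_VN    # virtual network association (DNA Center side)


@dataclass
class IsePolicy:
    """One cell of the ISE TrustSec Egress Policy Matrix."""
    sgacls: tuple           # SGACL names; >1 needs "Allow Multiple SGACLs"
    catch_all: str = "None" # policy-level catch-all: "None", "Permit", "Deny"


def migrate_groups(ise_groups, dnac_groups):
    """Reconcile ISE Security Groups into the DNA Center Scalable Groups.
    ISE takes precedence on every conflict. Returns (groups, log)."""
    by_sgt = {g.sgt: Group(g.name, g.sgt, g.vn) for g in dnac_groups}
    log = []
    for ise in ise_groups:
        same_tag = by_sgt.get(ise.sgt)
        if same_tag is not None:
            if same_tag.name == ise.name:
                log.append(f"{ise.name}/{ise.sgt}: unchanged")
            else:  # same SGT, different name: the ISE name wins
                log.append(f"{same_tag.name}/{ise.sgt}: renamed to {ise.name}")
                same_tag.name = ise.name
            continue
        # SGT unknown to DNA Center. If another DNA Center group already uses
        # the name, that group is renamed with the "_DNA" suffix first.
        same_name = next((g for g in by_sgt.values() if g.name == ise.name), None)
        if same_name is not None:
            log.append(f"{same_name.name}/{same_name.sgt}: renamed to "
                       f"{same_name.name}{DNA_SUFFIX}")
            same_name.name += DNA_SUFFIX
        by_sgt[ise.sgt] = Group(ise.name, ise.sgt, DEFAULT_VN)
        log.append(f"{ise.name}/{ise.sgt}: created in {DEFAULT_VN}")
    return sorted(by_sgt.values(), key=lambda g: g.sgt), log


def migrate_contracts(ise_sgacls, dnac_contracts):
    """Both arguments map name -> ACE text. ISE content wins on mismatch."""
    merged = dict(dnac_contracts)
    log = []
    for name, content in ise_sgacls.items():
        if name not in merged:
            log.append(f"{name}: created from ISE SGACL")
        elif merged[name] == content:
            log.append(f"{name}: unchanged")
            continue
        else:
            log.append(f"{name}: content replaced by ISE SGACL")
        merged[name] = content
    return merged, log


def migrate_policies(ise_policies, dnac_policies):
    """Policies are keyed by (source SGT, destination SGT). DNA Center holds
    one contract name per pair. Policies that depend on the multiple-SGACL
    option or on a Permit/Deny catch-all are left with no contract and
    reported, so an operator can select a contract after migration."""
    merged = dict(dnac_policies)
    log, unsupported = [], []
    for pair, pol in ise_policies.items():
        if len(pol.sgacls) != 1 or pol.catch_all != "None":
            merged[pair] = None
            unsupported.append(pair)
            log.append(f"{pair}: cannot migrate, no contract selected")
        elif merged.get(pair) == pol.sgacls[0]:
            log.append(f"{pair}: unchanged")
        else:
            merged[pair] = pol.sgacls[0]
            log.append(f"{pair}: contract set to {pol.sgacls[0]}")
    return merged, log, unsupported


def migrate_default_policy(ise_default):
    """Only the four standard SGACLs migrate; anything else becomes Permit."""
    return ise_default if ise_default in SUPPORTED_DEFAULTS else "Permit"


if __name__ == "__main__":
    # Constructed sample data: one group of each kind the rules describe.
    ise = [Group("Employees", 4), Group("Contractors", 5),
           Group("Guests", 6), Group("Servers", 10)]
    dnac = [Group("Employees", 4, "Corp_VN"), Group("Guest", 6),
            Group("Servers", 11), Group("Printers", 20)]
    for line in migrate_groups(ise, dnac)[1]:
        print(line)
```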
Configure Authentication and Policy Servers
Cisco DNA Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.
Before you begin
· If you are using Cisco ISE to perform both policy and AAA functions, make sure that Cisco DNA Center and Cisco ISE are integrated.
· If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do the following:
  · Register Cisco DNA Center with the AAA server, including defining the shared secret on both the AAA server and Cisco DNA Center.
  · Define an attribute name for Cisco DNA Center on the AAA server.
  · For a Cisco DNA Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.
· Before you configure Cisco ISE, confirm that:
  · You have deployed Cisco ISE on your network. For information on supported Cisco ISE versions, see the Cisco DNA Center Compatibility Matrix. For information on installing Cisco ISE, see the Cisco Identity Services Engine Install and Upgrade guides.
  · If you have a standalone ISE deployment, you must integrate Cisco DNA Center with the Cisco ISE node and enable the pxGrid service and External RESTful Services (ERS) on that node.
Note Although pxGrid 2.0 allows up to four pxGrid nodes in the Cisco ISE deployment, Cisco DNA Center releases earlier than 2.2.1.x do not support more than two pxGrid nodes.
  · If you have a distributed Cisco ISE deployment:
    · You must integrate Cisco DNA Center with the primary policy administration node (PAN), and enable ERS on the PAN.
Note We recommend that you use ERS through the PAN. However, for backup, you can enable ERS on the PSNs.
    · You must enable the pxGrid service on one of the Cisco ISE nodes within the distributed deployment. Although you can choose to do so, you do not have to enable pxGrid on the PAN. You can enable pxGrid on any Cisco ISE node in your distributed deployment.
    · The PSNs that you configure in Cisco ISE to handle TrustSec or SD Access content and PACs must also be defined in Work Centers > Trustsec > Trustsec Servers > Trustsec AAA Servers. For more information, see the Cisco Identity Services Engine Administrator Guide.
  · You must enable communication between Cisco DNA Center and Cisco ISE on the following ports: 443, 5222, 8910, and 9060.
  · The Cisco ISE host on which pxGrid is enabled must be reachable from Cisco DNA Center on the IP address of the Cisco ISE eth0 interface.
  · The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.
  · The Cisco ISE admin node certificate must contain the Cisco ISE IP address or FQDN in either the certificate subject name or the Subject Alternative Name (SAN).
  · The Cisco DNA Center system certificate must list both the Cisco DNA Center appliance IP address and FQDN in the SAN field.
Note For Cisco ISE 2.4 Patch 13, 2.6 Patch 7, and 2.7 Patch 3, if you are using the Cisco ISE default self-signed certificate as the pxGrid certificate, Cisco ISE might reject that certificate after applying those patches. This is because the older versions of that certificate have the Netscape Cert Type extension specified as the SSL server, which now fails (because a client certificate is required).
This issue does not occur in Cisco ISE 3.0 and later. For more information, see the Cisco ISE Release Notes.
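The certificate requirements in this list, and the identical ones in the Integrate Cisco ISE with Cisco DNA Center prerequisites, can be checked before the integration is started rather than discovered as a pxGrid failure. The following is an added example, not Cisco code: it uses the third-party cryptography package, and check_certificate, make_test_cert and the sample names dnac.example.com, ise.example.com, 10.0.0.5 and 10.0.0.9 are assumptions constructed for the illustration.

```python
"""Check a certificate against the pxGrid requirements in this guide. Added
example, not Cisco code; requires the `cryptography` package. make_test_cert()
builds constructed self-signed certificates so the check runs offline."""
import datetime
import ipaddress

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

# Legacy nsCertType extension the guide warns about. cryptography does not
# decode it, so its presence is reported for manual review.
NETSCAPE_CERT_TYPE = x509.ObjectIdentifier("2.16.840.1.113730.1.1")


def check_certificate(cert, ip, fqdn, dnac_rules=True):
    """Return a list of violations; an empty list means the certificate
    satisfies the guide's rules.

    dnac_rules=True applies the DNA Center system certificate rule: IP and
    FQDN both in the SAN, and EKU including Client Authentication (needed when
    it is used as the pxGrid client certificate). dnac_rules=False applies the
    ISE admin node rule: IP or FQDN in either the subject CN or the SAN."""
    problems = []
    try:
        san = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
        san_dns = set(san.get_values_for_type(x509.DNSName))
        san_ips = {str(a) for a in san.get_values_for_type(x509.IPAddress)}
    except x509.ExtensionNotFound:
        san_dns, san_ips = set(), set()
    cns = {a.value for a in cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)}

    if dnac_rules:
        if fqdn not in san_dns:
            problems.append(f"SAN lacks DNS name {fqdn}")
        if ip not in san_ips:
            problems.append(f"SAN lacks IP address {ip}")
        try:
            eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
            if ExtendedKeyUsageOID.CLIENT_AUTH not in eku:
                problems.append("EKU lacks Client Authentication")
        except x509.ExtensionNotFound:
            problems.append("no EKU extension; Client Authentication is required")
    elif not ({fqdn, ip} & (san_dns | san_ips | cns)):
        problems.append(f"neither {fqdn} nor {ip} appears in the subject CN or SAN")

    try:
        cert.extensions.get_extension_for_oid(NETSCAPE_CERT_TYPE)
        problems.append("Netscape Cert Type extension present; the patched ISE "
                        "releases above reject it when it marks an SSL server only")
    except x509.ExtensionNotFound:
        pass
    return problems


def make_test_cert(cn, dns_names=(), ips=(), client_auth=True, server_auth=True):
    """Build a constructed self-signed certificate for exercising the check."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    builder = (x509.CertificateBuilder()
               .subject_name(name)
               .issuer_name(name)
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(now - datetime.timedelta(minutes=5))
               .not_valid_after(now + datetime.timedelta(days=1)))
    san = [x509.DNSName(d) for d in dns_names]
    san += [x509.IPAddress(ipaddress.ip_address(a)) for a in ips]
    if san:
        builder = builder.add_extension(x509.SubjectAlternativeName(san), critical=False)
    ekus = []
    if client_auth:
        ekus.append(ExtendedKeyUsageOID.CLIENT_AUTH)
    if server_auth:
        ekus.append(ExtendedKeyUsageOID.SERVER_AUTH)
    if ekus:
        builder = builder.add_extension(x509.ExtendedKeyUsage(ekus), critical=False)
    return builder.sign(key, hashes.SHA256())


if __name__ == "__main__":
    # Constructed sample: an appliance certificate that meets the DNA Center rule.
    good = make_test_cert("dnac.example.com", ["dnac.example.com"], ["10.0.0.5"])
    print(check_certificate(good, "10.0.0.5", "dnac.example.com") or "OK")
    # Constructed sample: FQDN only in the SAN and a server-only EKU.
    weak = make_test_cert("dnac.example.com", ["dnac.example.com"], client_auth=False)
    print(check_certificate(weak, "10.0.0.5", "dnac.example.com"))
```

For a deployed certificate, load it with x509.load_pem_x509_certificate() and pass the appliance's own IP and FQDN.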

Step 1
In the Cisco DNA Center GUI, click the Menu icon ( ) and choose System > Settings > External Services > Authentication and Policy Servers.

Step 2
From the Add drop-down list, choose AAA or ISE.

Step 3
To configure the primary AAA server, enter the following information:
· Server IP Address: IP address of the AAA server.
· Shared Secret: Key for device authentications. The shared secret can contain up to 100 characters.

Step 4
To configure a Cisco ISE server, enter the following details:
· Server IP Address: IP address of the ISE server.
· Shared Secret: Key for device authentications.
· Username: Username that is used to log in to the Cisco ISE CLI.
Note This user must be a Super Admin.
· Password: Password for the Cisco ISE CLI username.
· FQDN: Fully qualified domain name (FQDN) of the Cisco ISE server.
Note
· We recommend that you copy the FQDN that is defined in Cisco ISE (Administration > Deployment > Deployment Nodes > List) and paste it directly into this field.
· The FQDN that you enter must match the FQDN, Common Name (CN), or Subject Alternative Name (SAN) defined in the Cisco ISE certificate.
The FQDN consists of two parts, a hostname and the domain name, in the following format: hostname.domainname.com. For example, the FQDN for a Cisco ISE server can be ise.cisco.com.

· Virtual IP Address(es): Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses.

Step 5
Click Advanced Settings and configure the settings:
· Connect to pxGrid: Check this check box to enable a pxGrid connection.
If you want to use the Cisco DNA Center system certificate as the pxGrid client certificate (sent to Cisco ISE to authenticate the Cisco DNA Center system as a pxGrid client), check the Use Cisco DNA Center Certificate for pxGrid check box. You can use this option if all the certificates that are used in your operating environments must be generated by the same CA. If this option is disabled, Cisco DNA Center will send a request to Cisco ISE to generate a pxGrid client certificate for the system to use.
When you enable this option, ensure that:
  · The Cisco DNA Center certificate is generated by the same Certificate Authority (CA) as is in use by Cisco ISE (otherwise, the pxGrid authentication fails).
  · The Certificate Extended Key Use (EKU) field includes "Client Authentication."
· Protocol: TACACS and RADIUS (the default). You can select both protocols.
Attention If you do not enable TACACS for a Cisco ISE server here, you cannot configure the Cisco ISE server as a TACACS server under Design > Network Settings > Network when configuring a AAA server for network device authentication.
· Authentication Port: Port used to relay authentication messages to the AAA server. The default UDP port is 1812.
· Accounting Port: Port used to relay important events to the AAA server. The default UDP port is 1813.
· Port: The default TACACS port is 49.
· Retries: Number of times that Cisco DNA Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 3.
· Timeout: The time period for which the device waits for the AAA server to respond before abandoning the attempt to connect. The default timeout is 4 seconds.
Note After the required information is provided, Cisco ISE is integrated with Cisco DNA Center in two phases. It takes several minutes for the integration to complete. The phase-wise integration status is shown in the Authentication and Policy Servers window and System 360 window:
Cisco ISE server registration phase:
· Authentication and Policy Servers window: "In Progress"
· System 360 window: "Primary Available"
pxGrid subscriptions registration phase:
· Authentication and Policy Servers window: "Active"
· System 360 window: "Primary Available" and "pxGrid Available"
If the status of the configured Cisco ISE server is shown as "FAILED" due to a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.

Step 6
Click Add.

Step 7
To add a secondary server, repeat the preceding steps.

Configure SNMP Properties
You can configure the retry and timeout values for SNMP.
Before you begin
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see the Cisco DNA Center Administrator Guide.

Step 1
In the Cisco DNA Center GUI, click the Menu icon ( ) and choose System > Settings > Device Settings > SNMP.

Step 2
Configure the following fields:
· Retries: Number of attempts allowed to connect to the device. Valid values are from 1 to 3. The default is 3.
· Timeout (in Seconds): Number of seconds Cisco DNA Center waits when trying to establish a connection with a device before timing out. Valid values are from 1 to 300 seconds, in intervals of 5 seconds. The default is 5 seconds.

Step 3
Click Save.
Note To return to the default settings, click Reset and Save.


CHAPTER 7

Troubleshoot the Deployment

· Troubleshooting Tasks, on page 111
· Log Out, on page 111
· Reconfigure the Appliance Using the Configuration Wizard, on page 112
· Power-Cycle the Appliance, on page 113
Troubleshooting Tasks
When troubleshooting issues with the appliance's configuration, you will normally perform the following tasks:
1. If you are currently using the Cisco DNA Center GUI: Log Out.
2. To reconfigure the appliance's hardware, log in to and use the Cisco IMC GUI, as explained in Steps 12 and 13 of Enable Browser Access to Cisco Integrated Management Controller.
3. To change the appliance configuration, launch and use the Maglev Configuration wizard, as explained in Reconfigure the Appliance Using the Configuration Wizard.
4. Power-cycle the appliance so that your changes are active: Power-Cycle the Appliance, on page 113.
For more information about the appliance's network adapters, see the Managing Adapters section of the Cisco UCS C-Series Servers Integrated Management Controller CLI Configuration Guide, Release 3.1. As noted elsewhere, never attempt to manage the appliance hardware through the Linux CLI. Use only the Cisco IMC GUI or the Maglev Configuration wizard to change appliance settings.

Log Out

Follow the steps below to log out of the Cisco DNA Center GUI.
For security reasons, we recommend that you log out after you complete a work session. If you do not log out yourself, you will be logged out automatically after 30 minutes of inactivity.

Step 1
Click the Menu icon ( ).

Step 2
Click Sign out.
This ends your session and logs you out.


Reconfigure the Appliance Using the Configuration Wizard
To reconfigure an appliance, you must use the Configuration wizard to update the appliance settings. You cannot use the Linux CLI to do this. The normal Linux administration procedures that you might use to update configuration settings on a standard Linux server will not work and should not be attempted. After the appliance is configured, you cannot use the Configuration wizard to change all of the appliance settings. Changes are restricted to the following settings only:
· Host IP address of the appliance
· DNS server IP addresses
· Default gateway IP address
· NTP server IP addresses
· Cluster Virtual IP address
· Cluster hostname (FQDN)
· Static routes
· Proxy server IP address
· Maglev user password
· Admin user password
Before you begin
You will need the Linux user name (maglev) and password that are currently configured on the target appliance.

Step 1

Point your browser to the Cisco IMC IP address you set during the Cisco IMC GUI configuration you performed, and log in to the Cisco IMC GUI as the Cisco IMC user (see Enable Browser Access to Cisco Integrated Management Controller).
After successful login, the appliance displays the Cisco Integrated Management Controller Chassis Summary window, with a hyperlinked menu at the top of the window, as shown below.

Step 2
From the hyperlinked menu, choose Launch KVM and then select either Java based KVM or HTML based KVM. If you select Java-based KVM, you will need to launch the Java startup file from your browser or file manager in order to view the KVM console in its own window. If you select HTML-based KVM, it launches the KVM console in a separate window or tab automatically. Irrespective of the KVM type you choose, use the KVM console to monitor the progress of the configuration and respond to the Maglev Configuration wizard prompts.

Step 3
When prompted, enter the Linux password.

Step 4
Enter the following command to access the Configuration wizard:
sudo maglev-config update
If you are prompted for the Linux password, enter it again.

Step 5
The Configuration wizard presents an abbreviated version of the same series of screens shown in, for example, Configure a Secondary Node. Make changes to the settings presented, if required. After you finish making changes on each screen, choose [Next], as needed, to proceed through the Configuration wizard. At the end of the configuration process, a message appears, stating that the Configuration wizard is now ready to apply your changes. The following options are available:
· [back]: Review and verify your changes.
· [cancel]: Discard your changes and exit the Configuration wizard.
· [proceed]: Save your changes and begin applying them.

Step 6
Choose proceed>> to complete the installation. The Configuration wizard applies the changes you made. At the end of the configuration process, a CONFIGURATION SUCCEEDED! message appears.

What to do next
Ensure your changes are applied and active by power-cycling the appliance. See Power-Cycle the Appliance, on page 113.
Note If you have updated the DNS Server IP addresses, we recommend that you perform a cold boot when power-cycling the appliance. This ensures that your DNS changes are applied.
Power-Cycle the Appliance
Complete one of the following procedures on your Cisco DNA Center appliance to either halt it or perform a warm restart. You can halt the appliance before you make hardware repairs, or you can initiate a warm restart after you have corrected software issues.

Using the Cisco IMC GUI
If you want to use the KVM console that is accessible from the Cisco IMC GUI in order to halt your appliance or perform a warm restart, complete the tasks described in this procedure.
Before you begin
Note that any hardware changes you make using the Cisco IMC GUI will be applied after the appliance reboots.

Caution Power-cycling your appliance from the Cisco IMC GUI can result in the corruption or loss of data. Only do so if your appliance is completely unresponsive to SSH, the Cisco IMC console, or the physical console.

Step 1

Point your browser to the Cisco IMC IP address you set during the Cisco IMC GUI configuration you performed, and log in to the Cisco IMC GUI as the Cisco IMC user (see Enable Browser Access to Cisco Integrated Management Controller, on page 41).
After successful login, the appliance displays the Cisco Integrated Management Controller Chassis Summary window, with a hyperlinked menu at the top of the window, as shown below.

Step 2

With the KVM displayed, reboot the appliance by choosing Host Power > Power Cycle. If you are asked to confirm your choice to reboot the appliance, click OK.

Using SSH

If you want to use SSH in order to halt your appliance or perform a warm restart, complete the following tasks:

Before you begin
You will need the following:
· Secure Shell (SSH) client software.
· The IP address that you configured for the 10-Gbps Enterprise port on the appliance that needs reconfiguration. Log in to the appliance at this address, on port 2222. To identify the Enterprise port, see the rear-panel figure in Front and Rear Panels, on page 2.
· The Linux user name (maglev) and the password that is currently configured on the target appliance.

Step 1
Using a Secure Shell (SSH) client, log in to the IP address of the Enterprise port of the appliance that needs to be reconfigured, on port 2222:
ssh maglev@Enterprise-port's-IP-address -p 2222

Step 2
When prompted, enter the Linux password.

Step 3
Enter the command that is appropriate for the task you want to perform:
· To halt the appliance, enter: sudo shutdown -h now
· To initiate a warm restart, enter: sudo shutdown -r now

Step 4
If you are prompted for the Linux password, enter it again.

Step 5
Review the command output that is displayed as the host shuts down. If you halted your appliance, power up the Maglev root process by turning the appliance back on, using the front-panel power button.

APPENDIX A

Review High Availability Cluster Deployment Scenarios

Cisco DNA Center's implementation of high availability (HA) is described in the Cisco DNA Center High Availability Guide. We recommend that you first review this information and then determine whether you want to deploy HA in your production environment. If you choose to do so, complete the following tasks:
1. Complete the deployment procedure that is appropriate for your network:
· New HA Deployment
· Existing HA Deployment of the Primary Node with Standard Interface Configurations
· Existing HA Deployment of the Primary Node with Nonstandard Interface Configurations
2. Activate High Availability on your Cisco DNA Center cluster.
3. See Additional HA Deployment Considerations and make any additional configurations that are necessary.

· New HA Deployment, on page 117
· Existing HA Deployment of the Primary Node with Standard Interface Configurations, on page 118
· Existing HA Deployment of the Primary Node with Nonstandard Interface Configurations, on page 118
· Activate High Availability, on page 119
· Additional HA Deployment Considerations, on page 119
New HA Deployment
To install a brand new HA cluster, complete the following steps:

Step 1 Configure the first installed appliance as the primary node. See Configure the Primary Node.
Step 2 Configure the second and third appliances in the cluster. See Configure a Secondary Node.


Existing HA Deployment of the Primary Node with Standard Interface Configurations
To deploy an existing HA cluster, where the primary node uses the required interface cable configurations, complete the following steps.

Step 1 Upgrade the primary node to the latest Cisco DNA Center version. For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.
Step 2 Confirm that you are using the required interface cable configurations on the primary node. See Interface Cable Connections.
Step 3 Update the virtual IP address (if the virtual IP address is not yet added). See Reconfigure the Appliance Using the Configuration Wizard.
Step 4 Configure the second and third appliances in the cluster. See Configure a Secondary Node.
Step 5 Enter the following command to check the GlusterFS size:
sudo du -h /data/maglev/srv/maglev-system/glusterfs/mnt/bricks/default_brick/ | tail -1 | awk '{print $1}'
If the GlusterFS file system size is larger than 150 GB, complete the steps described in Existing HA Deployment of the Primary Node with Nonstandard Interface Configurations.
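As an added example that is not part of the Cisco guide, the following POSIX shell snippet wraps the Step 5 check so that the human-readable figure printed by du -h (for example 152G or 1.2T) is converted to whole gigabytes before it is compared with the 150 GB threshold; comparing the strings directly (98G against 152G, or 1.2T against 150G) gives the wrong answer. The brick path and the 150 GB limit are taken from the guide; the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Cisco guide. Converts the human-readable
# figure printed by "du -h" into whole gigabytes so it can be compared
# numerically with the guide's 150 GB GlusterFS threshold.

# Brick path and threshold as given in the guide.
BRICK_PATH="/data/maglev/srv/maglev-system/glusterfs/mnt/bricks/default_brick/"
THRESHOLD_GB=150

# du_size_to_gb SIZE: print SIZE ("152G", "1.2T", "900M", "4096") as whole GB.
du_size_to_gb() {
    num=$(printf '%s' "$1" | sed 's/[^0-9.]*$//')   # numeric part, e.g. 1.2
    unit=$(printf '%s' "$1" | sed 's/^[0-9.]*//')   # unit suffix, e.g. T
    case "$unit" in
        K)  awk -v n="$num" 'BEGIN { printf "%d\n", n / 1024 / 1024 }' ;;
        M)  awk -v n="$num" 'BEGIN { printf "%d\n", n / 1024 }' ;;
        G)  awk -v n="$num" 'BEGIN { printf "%d\n", n }' ;;
        T)  awk -v n="$num" 'BEGIN { printf "%d\n", n * 1024 }' ;;
        '') awk -v n="$num" 'BEGIN { printf "%d\n", n / 1073741824 }' ;;  # plain bytes
        *)  echo "unknown unit: $unit" >&2; return 1 ;;
    esac
}

# gluster_exceeds_threshold SIZE: succeed (exit 0) only if SIZE is larger than
# 150 GB, the case in which the guide sends you to the nonstandard-interface procedure.
gluster_exceeds_threshold() {
    gb=$(du_size_to_gb "$1") || return 1
    [ "$gb" -gt "$THRESHOLD_GB" ]
}

# Live check, the same du pipeline as Step 5 of the guide. Only meaningful on
# an appliance that actually has the brick path.
check_gluster_size() {
    size=$(sudo du -h "$BRICK_PATH" | tail -1 | awk '{print $1}')
    if gluster_exceeds_threshold "$size"; then
        echo "GlusterFS is $size (> ${THRESHOLD_GB} GB): follow the nonstandard-interface procedure"
    else
        echo "GlusterFS is $size (<= ${THRESHOLD_GB} GB): continue with the standard procedure"
    fi
}

if [ -d "$BRICK_PATH" ]; then
    check_gluster_size
fi
```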

Existing HA Deployment of the Primary Node with Nonstandard Interface Configurations
To deploy an existing HA cluster where the primary node uses nonstandard interface configurations, complete the following steps.

Step 1 Upgrade the primary node to the latest Cisco DNA Center version. For information about upgrading your current release of Cisco DNA Center, see the Cisco DNA Center Upgrade Guide.
Step 2 Create a backup of the remote repository. See the "Backup and Restore" chapter in the Cisco DNA Center Administrator Guide.
Step 3 Reimage the primary node with the required interface cable configuration. See Interface Cable Connections and Install the Cisco DNA Center ISO Image. Make sure that the VIP has been configured correctly on the primary node.


Step 4 On the primary node, install the same set of packages that you selected during the backup.
Step 5 Using the backup file that you created in Step 2, restore the remote repository's data.
Step 6 Configure the second and third appliances in the cluster. See Configure a Secondary Node.

Activate High Availability
Cisco DNA Center's implementation of HA is described in the Cisco DNA Center High Availability Guide. We recommend that you first review this information and then determine whether you want to deploy HA in your production environment. If you choose to do so, complete the following steps:
1. Click the Menu icon in the Cisco DNA Center GUI and choose System > Settings > System Configuration > High Availability.
2. Click Activate High Availability.
After you click Activate High Availability, Cisco DNA Center enters into maintenance mode. In this mode, Cisco DNA Center is unavailable until the redistribution of services is completed. You should take this into account when scheduling an HA deployment.

Note Cisco DNA Center goes into maintenance mode every time you restore the database, perform a system upgrade (not a package upgrade), and activate HA (as described above).
Additional HA Deployment Considerations
For an existing HA deployment, the following additional configurations must be made.

Note For information about known HA bugs and workarounds, see "Open Bugs--HA" in the Release Notes for Cisco Digital Network Architecture Center.

Telemetry

If you enabled telemetry for a device (without enabling the VIP), complete the following steps:

Step 1 Use the sudo maglev-config update command to update the cluster VIP.
Step 2 Disable telemetry on the device:
a. From the Cisco DNA Center home page, choose Network Telemetry from the Tools area.
The Network Telemetry window appears.


b. Click the Site View tab.
c. Check the check box of the device on which you want to disable telemetry, and then choose Actions > Disable Telemetry.
Step 3 Reenable telemetry using the profile associated with the device previously.

Wireless Controller
You must update the wireless controllers in your network with the new VIP of Cisco DNA Center.
