
Deploy Using AWS Marketplace
· Use AWS Marketplace to Manually Deploy Cisco DNA Center on AWS, on page 1
· Manual Deployment Using AWS Marketplace Workflow, on page 1
· Prerequisites for Manual Deployment Using AWS Marketplace, on page 1
· Deploy Cisco DNA Center on AWS Manually Using AWS Marketplace, on page 6
· Validate the Deployment, on page 6
Use AWS Marketplace to Manually Deploy Cisco DNA Center on AWS
If you're familiar with AWS administration, you have the option of deploying Cisco DNA Center manually on your AWS account using AWS Marketplace.
Manual Deployment Using AWS Marketplace Workflow
To deploy Cisco DNA Center on AWS using this method, follow these high-level steps:
1. Meet the prerequisites. See Prerequisites for Manual Deployment Using AWS Marketplace, on page 1.
2. (Optional) Integrate Cisco ISE on AWS and your Cisco DNA Center VA together. See Guidelines for Integrating Cisco ISE on AWS with Cisco DNA Center on AWS.
3. Deploy Cisco DNA Center on AWS using AWS Marketplace. See Deploy Cisco DNA Center on AWS Manually Using AWS Marketplace, on page 6.
4. Make sure that your environment setup and the Cisco DNA Center VA configuration are installed correctly and working as expected. See Validate the Deployment, on page 6.
Prerequisites for Manual Deployment Using AWS Marketplace
Before you can begin to deploy Cisco DNA Center on AWS, make sure that the following network, AWS, and Cisco DNA Center requirements have been met:
Network Environment
You must have the following information about your network environment on hand:
· Enterprise DNS server IP address
· (Optional) HTTPS Network Proxy details
AWS Environment
You must meet the following AWS environment requirements:
· You have valid credentials to access your AWS account.
Note We recommend that your AWS account be a subaccount (a child account) to maintain resource independence and isolation. A subaccount ensures that the Cisco DNA Center deployment does not impact your existing resources.
· Important: Your AWS account is subscribed to Cisco DNA Center Virtual Appliance - Bring Your Own License (BYOL) in AWS Marketplace.
· You must have administrator access permission for your AWS account. (In AWS, the policy name is displayed as AdministratorAccess.)
· The following resources and services must be set up in AWS:
  · VPC: The recommended CIDR range is /25. In IPv4 CIDR notation, the last octet (the fourth octet) of the IP address can only have the values 0 or 128. For example: x.x.x.0 or x.x.x.128.
  · Subnets: The recommended subnet range is /28 and should not overlap with your corporate subnet.
  · Route Tables: Make sure that your VPC subnet is allowed to communicate with your Enterprise network via your VPN GW or TGW.
  · Security Groups: For communication between the Cisco DNA Center on AWS and the devices in your Enterprise network, the AWS security group that you attach to the Cisco DNA Center on AWS must allow the following ports:
    · TCP 22, 80, 443, 9991, 25103, 32626
    · UDP 123, 162, 514, 6007, 21730
The following table lists information about the ports that Cisco DNA Center uses, the services communicating over these ports, the appliance's purpose in using them, and the recommended action.

| Port | Service Name | Purpose | Recommended Action |
|---|---|---|---|
| -- | ICMP | Devices use ICMP messages to communicate network connectivity issues. | Enable ICMP. |
| TCP 22, 80, 443 | HTTPS, SFTP, HTTP | Software image download from Cisco DNA Center through HTTPS:443, SFTP:22, HTTP:80. Certificate download from Cisco DNA Center through HTTPS:443, HTTP:80 (Cisco 9800 Wireless Controller, PnP), Sensor/Telemetry. Note: Block port 80 if you don't use Plug and Play (PnP), Software Image Management (SWIM), Embedded Event Management (EEM), device enrollment, or Cisco 9800 Wireless Controller. | Ensure that firewall rules limit the source IP of the hosts or network devices allowed to access Cisco DNA Center on these ports. Note: We do not recommend the use of HTTP 80. Use HTTPS 443 wherever possible. |
| UDP 123 | NTP | Devices use NTP for time synchronization. | Port must be open to allow devices to synchronize the time. |
| UDP 162 | SNMP | Cisco DNA Center receives SNMP network telemetry from devices. | Port must be open for data analytics based on SNMP. |
| UDP 514 | Syslog | Cisco DNA Center receives syslog messages from devices. | Port must be open for data analytics based on syslog. |
| UDP 6007 | NetFlow | Cisco DNA Center receives NetFlow network telemetry from devices. | Port must be open for data analytics based on NetFlow. |
| TCP 9991 | Wide Area Bonjour Service | Cisco DNA Center receives multicast Domain Name System (mDNS) traffic from the Service Discovery Gateway (SDG) agents using the Bonjour Control Protocol. | Port must be open on Cisco DNA Center if the Bonjour application is installed. |
| UDP 21730 | Application Visibility Service | Application Visibility Service CBAR device communication. | Port must be open when CBAR is enabled on a network device. |
| TCP 25103 | Cisco 9800 Wireless Controller and Cisco Catalyst 9000 switches with streaming telemetry enabled | Used for telemetry. | Port must be open for telemetry connections between Cisco DNA Center and Catalyst 9000 devices. |
| TCP 32626 | Intelligent Capture (gRPC) collector | Used for receiving traffic statistics and packet-capture data used by the Cisco DNA Assurance Intelligent Capture (gRPC) feature. | Port must be open if you are using the Cisco DNA Assurance Intelligent Capture (gRPC) feature. |
· VPN Gateway (VPN GW) or Transit Gateway (TGW): You must have an existing connection to your Enterprise network, which is your Customer Gateway (CGW).
For your existing connection from the CGW to AWS, make sure that the correct ports are open for traffic flow to and from your Cisco DNA Center VA, whether you open them using the firewall settings or a proxy gateway. For more information about the well-known network service ports that the appliance uses, see "Required Network Ports" in the "Plan the Deployment" chapter of the Cisco DNA Center First-Generation Appliance Installation Guide, Release 2.3.5.
· Site-to-Site VPN Connection: You can use TGW Attachments and TGW Route Tables.
· Your AWS environment must be configured with one of the following regions:
  · ap-northeast-1 (Tokyo)
  · ap-northeast-2 (Seoul)
  · ap-south-1 (Mumbai)
  · ap-southeast-1 (Singapore)
  · ap-southeast-2 (Sydney)
  · ca-central-1 (Canada)
  · eu-central-1 (Frankfurt)
  · eu-south-1 (Milan)
  · eu-west-1 (Ireland)
  · eu-west-2 (London)
  · eu-west-3 (Paris)
  · us-east-1 (Virginia)
  · us-east-2 (Ohio)
  · us-west-1 (N. California)
  · us-west-2 (Oregon)
· If you want to enable multiple IAM users with the ability to configure Cisco DNA Center using the same environment setup, you need to create a group with the following policies and then add the required users to that group:
  · IAMReadOnlyAccess
  · AmazonEC2FullAccess
  · AWSCloudFormationFullAccess
· The Cisco DNA Center instance size must meet the following minimum resource requirements:
  · r5a.8xlarge
  Important Cisco DNA Center supports only the r5a.8xlarge instance size. Any changes to this configuration aren't supported. Additionally, the r5a.8xlarge instance size isn't supported in specific availability zones. To view the list of unsupported availability zones, see the Release Notes for Cisco Global Launchpad.
  · 32 vCPU
  · 256-GB RAM
  · 4-TB storage
  · 2500 disk input/output operations per second (IOPS)
  · 180 MBps disk bandwidth
· You have the following AWS information on hand:
  · Subnet ID
  · Security Group ID
  · Keypair ID
  · Environment name
  · CIDR reservation
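The VPC, subnet and security-group requirements above are easy to get subtly wrong (a /25 whose network address does not end in 0 or 128, a /28 that overlaps the corporate range, a security group opened to 0.0.0.0/0 instead of the enterprise network). The following script is an added example, not part of the Cisco guide or any Cisco tooling: it checks the CIDR rules stated above with Python's standard ipaddress module and builds a boto3-style IpPermissions list for the VA's security group from the port list in the table, scoped to the enterprise CIDRs. The feature labels in HTTP80_FEATURES are hypothetical names chosen here to express the guide's "block port 80 unless you use PnP, SWIM, EEM, device enrollment or the 9800 WLC" note; the port numbers are the ones the guide lists.

```python
# Added example (not from the Cisco guide): pre-flight checks for the AWS
# prerequisites. Validates the VPC/subnet sizing rules and builds a
# security-group ingress list scoped to the enterprise network.
import ipaddress

# Ports the guide says the security group attached to the VA must allow.
TCP_PORTS = (22, 80, 443, 9991, 25103, 32626)
UDP_PORTS = (123, 162, 514, 6007, 21730)

# Hypothetical feature labels: per the guide's note, TCP 80 is only needed
# for these features, so it is blocked when none of them is in use.
HTTP80_FEATURES = frozenset({"pnp", "swim", "eem", "device_enrollment", "c9800_wlc"})


def check_vpc_cidr(vpc_cidr):
    """Return the problems found with a VPC CIDR (empty list = meets the /25 rule)."""
    try:
        iface = ipaddress.ip_interface(vpc_cidr)
    except ValueError as exc:
        return [f"invalid CIDR {vpc_cidr!r}: {exc}"]
    if iface.version != 4:
        return [f"{vpc_cidr} is not an IPv4 range"]
    problems = []
    if iface.network.prefixlen != 25:
        problems.append(f"prefix is /{iface.network.prefixlen}; the recommended range is /25")
    last_octet = int(str(iface.ip).rsplit(".", 1)[1])
    if last_octet not in (0, 128):
        problems.append(f"last octet is {last_octet}; it must be 0 or 128")
    if iface.ip != iface.network.network_address:
        problems.append(f"{iface.ip} is not the network address of {iface.network}")
    return problems


def check_subnet(subnet_cidr, vpc_cidr, corporate_cidrs):
    """Check that the /28 subnet sits inside the VPC and does not overlap corporate ranges."""
    subnet = ipaddress.ip_network(subnet_cidr, strict=False)
    vpc = ipaddress.ip_network(vpc_cidr, strict=False)
    problems = []
    if subnet.prefixlen != 28:
        problems.append(f"subnet prefix is /{subnet.prefixlen}; the recommended range is /28")
    if not subnet.subnet_of(vpc):
        problems.append(f"{subnet} is not inside VPC {vpc}")
    for corp in corporate_cidrs:
        corp_net = ipaddress.ip_network(corp, strict=False)
        if subnet.overlaps(corp_net):
            problems.append(f"{subnet} overlaps corporate range {corp_net}")
    return problems


def build_ingress(enterprise_cidrs, features_in_use=(), allow_icmp=True):
    """Build boto3-style IpPermissions for the VA's security group.

    Every rule is restricted to the given enterprise CIDRs, which is the
    "limit the source IP" action the port table recommends.
    """
    unknown = set(features_in_use) - HTTP80_FEATURES
    if unknown:
        raise ValueError(f"unknown feature label(s): {sorted(unknown)}")
    ranges = [{"CidrIp": str(ipaddress.ip_network(c, strict=False))} for c in enterprise_cidrs]
    tcp_ports = [p for p in TCP_PORTS if p != 80 or features_in_use]  # drop 80 when unused
    perms = []
    for proto, ports in (("tcp", tcp_ports), ("udp", UDP_PORTS)):
        for port in ports:
            perms.append({"IpProtocol": proto, "FromPort": port, "ToPort": port, "IpRanges": list(ranges)})
    if allow_icmp:  # first row of the table: enable ICMP (-1/-1 = all types)
        perms.append({"IpProtocol": "icmp", "FromPort": -1, "ToPort": -1, "IpRanges": list(ranges)})
    return perms


def find_open_rules(permissions):
    """Return (protocol, from_port, to_port) for any rule exposed to the whole Internet."""
    open_rules = []
    for perm in permissions:
        v4 = {r.get("CidrIp") for r in perm.get("IpRanges", [])}
        v6 = {r.get("CidrIpv6") for r in perm.get("Ipv6Ranges", [])}
        if "0.0.0.0/0" in v4 or "::/0" in v6:
            open_rules.append((perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")))
    return open_rules


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    print(check_vpc_cidr("10.20.30.128/25"))
    print(check_subnet("10.20.30.128/28", "10.20.30.128/25", ["192.168.0.0/16"]))
    rules = build_ingress(["10.0.0.0/8"], features_in_use=["swim"])
    print(len(rules), "ingress rules;", find_open_rules(rules) or "none open to the Internet")
```

The same find_open_rules check can be run against the output of ec2 describe-security-groups for the group ID you record in the prerequisites, which is a quick way to confirm that nobody widened the rules after the stack was created.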
Cisco DNA Center Environment
You must meet the following requirements for your Cisco DNA Center environment:
· You have access to the Cisco DNA Center GUI.
· You have the following Cisco DNA Center information on hand:
  · NTP setting
  · Default gateway setting
  · CLI password
  · UI username and password
  · Static IP
  · FQDN for the Cisco DNA Center IP address
Deploy Cisco DNA Center on AWS Manually Using AWS Marketplace
For instructions on how to deploy Cisco DNA Center on AWS using AWS Marketplace, do one of the following:
· Go to the Cisco Software Download site and download the following file:
Deploy-cisco-dna-center-using-aws-marketplace-1.8.0.tar.gz
· Go to the Cisco Software Download site and download the following file:
Deploy-cisco-dna-center-on-aws-using-aws-marketplace-1.7.0.zip
Validate the Deployment
To ensure that your environment setup and Cisco DNA Center VA configuration are working, perform the following validation checks.
Before you begin
Ensure that your stack creation on AWS Marketplace has no errors.
Procedure
Step 1 From the Amazon EC2 console, validate the network and system configuration and verify that the Cisco DNA Center IP address is correct.
Step 2 Send a ping to the Cisco DNA Center IP address to ensure that your host details and network connection are valid.
Step 3 Establish an SSH connection with Cisco DNA Center to verify that Cisco DNA Center is authenticated.
Step 4 Test HTTPS accessibility to the Cisco DNA Center GUI using one of the following methods:
· Use a browser. For more information about browser compatibility, see the Cisco DNA Center Release Notes.
· Use Telnet through the CLI.
· Use curl through the CLI.
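A scripted form of Step 4 that keeps certificate verification switched on, as an added example that is not part of the Cisco guide: it uses only Python's standard socket and ssl modules, distinguishes "port unreachable" from "TLS handshake failed" from "certificate did not validate", and reports the negotiated TLS version and certificate subject. The host passed in is assumed to be the FQDN recorded in the prerequisites, since that is the name the server certificate is checked against; cafile is an optional PEM bundle for an enterprise CA. The placeholder FQDN in the main block is not a real host.

```python
# Added example (not from the Cisco guide): a scripted version of the
# "test HTTPS accessibility" step with certificate verification left on.
import socket
import ssl


def probe_https(host, port=443, timeout=5.0, cafile=None):
    """Open a TCP connection and a verified TLS session to the DNA Center GUI.

    host should be the FQDN from the prerequisites, because that is the name
    the server certificate is checked against. cafile is an optional PEM
    bundle for an enterprise CA; without it the system trust store is used.
    """
    result = {"host": host, "port": port, "reachable": False, "tls_ok": False,
              "tls_version": None, "subject": None, "error": None}
    ctx = ssl.create_default_context(cafile=cafile)  # hostname and chain checks stay enabled
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            result["reachable"] = True
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["tls_ok"] = True
                result["tls_version"] = tls.version()
                # Flatten the RDN tuples into a plain dict, e.g. {"commonName": "..."}
                result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
    except ssl.SSLCertVerificationError as exc:  # must precede ssl.SSLError (its parent)
        result["error"] = f"certificate verification failed: {exc.verify_message}"
    except ssl.SSLError as exc:
        result["error"] = f"TLS handshake failed: {exc}"
    except OSError as exc:  # refused, timed out, DNS failure
        result["error"] = f"connection failed: {exc}"
    return result


def gui_ready(result):
    """True only when the port answered and the certificate validated."""
    return bool(result["reachable"] and result["tls_ok"])


if __name__ == "__main__":
    import sys
    # Placeholder FQDN; pass the real Cisco DNA Center FQDN as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "dnac.example.invalid"
    report = probe_https(target)
    print(report)
    print("GUI reachable over verified HTTPS" if gui_ready(report) else "check failed")
```

If the probe reports "certificate verification failed", resolve it by trusting the issuing CA (cafile) or by installing a certificate for the FQDN on the appliance rather than by disabling verification; a browser check that passes only after clicking through a warning has not validated the deployment.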