Sda Infra Deploy 2019oct
Sda Infra Deploy 2019oct
Cisco Public
October, 2019
Cisco DNA Center Appliance DN2-HW-APL-L (M5-based chassis) 1.2.10.4 (System 1.1.0.754)
Cisco Wireless LAN Controller Cisco 8540, 5520, and 3504 Series Wireless Controllers 8.8.111.0 (8.8 MR1)
Cisco IOS XE Software See Appendix A for complete listing IOS XE 16.9.3
The DEFINE section defines Software-Defined Access, its relationship to Cisco DNA Center, and provides information on
companion Solution Guides.
The DESIGN section shows the deployment topology and discusses additional network planning items needed in advance of the
deployment.
The DEPLOY section provides information and steps for the various workflows to install and bootstrap Cisco DNA Center, an
AireOS Wireless LAN Controller, and Cisco Identity Services Engine.
The OPERATE section demonstrates the steps necessary to integrate Cisco DNA Center and Cisco Identify Services Engine once
both have been installed and have basic network configuration.
This guide is used to deploy the management infrastructure, including Cisco DNA Center, Cisco Identity Services Engine (ISE), and
Cisco Wireless LAN Controllers (WLC), described in the companion Software-Defined Access Solution Design Guide. The
deployment described in this guide is used in advance of deploying a Cisco Software-Defined Access fabric, as described in the
companion Software Defined Access Fabric Deployment Guide.
Companion Resources
Find the companion Software-Defined Access Solution Design Guide, Software-Defined Access Medium and Large Site Fabric
Provisioning Prescriptive Deployment Guide, Software-Defined Access for Distributed Campus Prescriptive Deployment Guide,
related deployment guides, design guides, and white papers, at the following pages:
● https://www.cisco.com/go/designzone
● https://cs.co/en-cvds
If you didn’t download this guide from Cisco Community or Design Zone, you can check for the latest version of this guide.
Topology Overview
Design topology
The Cisco SD-Access management infrastructure solution described uses a single Cisco DNA Center hardware appliance, installed
initially as a single-node cluster and then expanded into a three-node cluster as an option. For this solution, the Cisco DNA
Center software integrates with two Cisco ISE nodes configured for redundancy and dedicated to the Cisco SD-Access
deployment, as detailed in the installation. To support Cisco SD-Access Wireless, the solution includes two Cisco WLCs for
controller redundancy
● IP addressing and network connectivity for all controllers being deployed: Cisco DNA Center must have Internet
access for system updates from the Cisco cloud catalog server.
● A network-reachable Network Time Protocol (NTP) server, used during Cisco DNA Center installation to help
ensure reliable digital certificate operation for securing connections.
Deploy
This section provides the workflow to install Cisco DNA Center, Cisco Wireless LAN Controller, and Cisco Identity Services engine
and configure basic IP connectivity for this infrastructure. The basically installation for Cisco DNA Center is shown for both a
single-node and a three-node (HA) cluster. Finally, an example demonstrates how to cloud upgrade Cisco DNA Center.
The guide uses the following conventions for commands that you enter at the
command-line interface (CLI).
Commands to enter at a CLI prompt:
configure terminal
Commands that specify a value for a variable (variable is in bold italics):
ntp server 10.4.0.1
Commands with variables that you must define (definition is bracketed in bold
and italics):
router bgp [autonomous-system-number]
Commands at a CLI or script prompt (entered commands are in bold):
Router# enable
Long commands that line wrap on a printed page (underlined text is entered as
one command):
monitor capture CAPTURE interface
GigabitEthernet1/0/1 both limit pps 10000
For provisioning and assurance communication efficiency, Cisco DNA Center should be installed in close network proximity to
the greatest number of devices being managed. The latency RTT (round-trip-time) between Cisco DNA Center and the network
devices it manages must be taken into consideration. The optimal RTT should be less than 100 milliseconds to achieve optimal
performance. Latency RTT of up to 200ms is support.
Both single-node cluster and three-node cluster configurations require the reserved IP address space for internal application
services within the appliance and for communication among its internal infrastructure services. These are referred to in the
installation wizard as the Cluster Services and Cluster Services Subnets. Reserve an arbitrary private IP space at least 20 bits of
netmask in size that is not used elsewhere in the enterprise network (example: 192.168.240.0/20). Divide the /20 address space
into two /21 address spaces (examples: 192.168.240.0/21, 192.168.248.0/21) and use them in a later setup step for services
communication among the processes running in a Cisco DNA Center instance.
Cisco DNA Center appliance also must have Internet connectivity, either directly or via a web proxy, to obtain software updates
from the Cisco cloud catalog server. Internet access requirements and optional proxy server setup requirements are detailed in
the applicable version of the Cisco Digital Network Architecture Center Appliance Installation Guide.
Caution
The installation described assumes a new installation of Cisco DNA Center. If you already have Cisco DNA Center deployed and managing
devices in your network, do not use the steps in this Installing Cisco DNA Center process. Instead, you must refer to the release notes on
Cisco.com for the correct procedure for a successful upgrade to your desired release.
https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/products-release-notes-list.html
The validated installation process uses a DN2-HW-APL-L appliance. If you are using an appliance with a different physical interface
structure, such as the DN1-HW-APL appliance, the Maglev Configuration wizard steps for interface configuration display with different
names and in a different order. Details for other appliances are also shown in the release notes.
The 10-Gbps ports on the original M4-based appliance are reversed left-to-right from the more recent M5-based appliance, and
the location of the on-board copper Ethernet ports are in different locations. The M4 appliance uses an 802.1q header tag with
VLAN ID 0, requiring IOS-XE switches to use an interface configuration supporting the tagged configuration (switchport voice
vlan dot1p) and operating as a trunk, whereas an M5-based appliance requires a basic interface access VLAN configuration for
the Ethernet switch connection, as described in the associated installation guides.
Figure 3 Rear view of the Cisco DNA Center appliance — DN2-HW-APL (M5-based)
PORT 1 PORT 2 1 2 M
mLOM/PCIe mLOM/PCIe Integrated Integrated (or “gear” label)
SFP+ 10 Gbps SFP+ 10 Gbps RJ-45 1 Gbps RJ-45 1 Gbps RJ-45 1 Gbps
Use Enterprise: Enterprise Cluster: Intra-cluster Management: Cloud: Optional cloud CIMC: Cisco
network communications Dedicated network port for Integrated
infrastructure management network separated Internet Management
for web access connectivity Controller out-of-
band server appliance
management
Tech tip
Step 1. Connect the Cisco DNA Center hardware appliance to a Layer 2 switch port in your
network, by:
● Using the 10 Gbps SFP+ port labeled PORT 1 on the mLOM/PCIe card (named enp94s0f1 or enp9s0 in the wizard).
● Using the 10 Gbps port SFP+ labeled PORT 2 on the mLOM/PCIe card (named enp94s0f0 or enp10s0 in the wizard).
This port must be up for single-node cluster configurations and for each appliance in a 3-node cluster.
● Using the Cisco Integrated Management Controller (IMC) port (labeled with a gear symbol or letter M on the
integrated copper Ethernet ports).
For maximum physical network resiliency in a three-node cluster, each cluster node should connect to a unique top-of-rack
switch, with each node interface placed into a separate Layer 2 domain (VLAN) on that switch. Enable communication between
the nodes by using trunks to between each switch. Typical designs aggregate top-of-rack switches to redundant switches at the
aggregation layer for this purpose. This design enables at least two nodes of the three-node cluster to communicate during an
outage of any single switch or link, meeting the minimum criteria for the cluster to survive those communication failures.
Step 2. The described deployment uses the required minimum three ports on Cisco DNA Center Appliance– Cisco IMC and
both SFP+ ports. Connect any other ports needed for the deployment, such as the dedicated web management port or an
isolated enterprise network port. These ports are not used for the deployment described.
The following example steps are described in detail with all options within the Installation Guide for the appliance software
version. Use the Installation Guide to configure Cisco IMC on the appliance during first boot, along with the credentials required
for Cisco IMC access. The Installation Guide describes the complete set of options. The example procedure that follows
configures a single appliance for a single-node cluster or the first appliance for a three-node cluster deployment, without
configuring a network proxy.
Step 3. Boot the Cisco DNA Center hardware appliance. A welcome message appears.
Welcome to the Maglev Configuration Wizard!
Step 4. Press Enter to accept the default choice, Start a DNA-C Cluster.
Step 5. Continue by accepting the wizard default choices, while supplying information for the following steps within the
wizard (the wizard steps are in order but are not sequential; different hardware appliances have different adapter names and
may be in a different order):
● In wizard STEP #4, selection for NETWORK ADAPTER #1 (eno1):
This interface can be used as a dedicated management interface for administrative web access to Cisco DNA Center. If
you are using this option (which may require static route configuration), fill in the information; otherwise leave all
selections blank, and then select next >> to continue.
Only one interface can be configured with a default gateway. If a default gateway is not defined on the interface, static routes can be
used. These take the form of ‘Subnet/Subnet Mask/Gateway.’ Multiple static routes can be entered using a space between each.
Example: 198.51.100.0/255.255.255.0/198.51.100.254 203.0.113.0/255.255.255.0/203.0.113.254
This interface is available for use with a separate network (example: firewall DMZ) to the Internet cloud catalog server.
Unless you require this connectivity, leave all selections blank, and select next >> to continue.
● In wizard STEP #4, selection for OPTIONAL - NETWORK ADAPTER #3 (enp94s0f0):
Use this interface for communications with your network infrastructure. Supply at least the Host IP Address, Netmask,
Default Gateway IP Address, and DNS Servers. If you are not using the single interface with default gateway, supply
Static Routes, and then select next >> to continue.
Host IP Address:
10.4.49.34
Netmask:
255.255.255.0
Default Gateway IP Address:
10.4.49.1
DNS Servers:
10.4.49.10
Static Routes:
[blank for combined management/enterprise interface installation]
Cluster Link
[blank]
Configure IPv6 address
[blank]
This interface is used for cluster communication, although this port must be configured and operational for both single-
node and 3-node clusters. Fill in the information for the Host IP Address and Netmask (a /29 size network or larger
covers a three-member cluster), use the spacebar to select Cluster Link, do not fill in any other fields, and then select
next >> to continue.
Host IP Address:
192.168.127.2
Netmask:
255.255.255.248
Default Gateway IP Address:
[blank]
DNS Servers:
[blank]
Static Routes: [blank]
Cluster Link
Tech tip
Confirm that the cluster link configuration is correct before proceeding. Changing the cluster link configuration after it is applied will
require initiating a fresh configuration.
If the cluster link is down, the VIP addresses will become unavailable. For both single-node and three-node clusters, the cluster link must
be in an operational state.
Tech tip
The wizard validates the DNS Servers and NTP servers entry using ICMP. Do not restrict ICMP echo communication between the appliance
and any configured DNS and NTP servers.
Step 6. Select proceed >> to continue with the network validation. The installation validates gateway reachability.
Please wait while we validate and configure host networking...
Step 7. If the wizard detects a network proxy server, then you are prompted to configure the proxy settings.
● In wizard STEP #8, selection for NETWORK PROXY:
Tech tip
Do not proceed until all packages are listed as DEPLOYED or NOT_DEPLOYED with exception.The following three packages will, depending
on version, show as NOT_DEPLOYED. This is an expected behavior.
application-policy
sd-access
sensor-automation
This guide demonstrates how to upgrade Cisco DNA Center to the next version. Therefore, these packages will remain NOT_DEPLOYED at
this point in the installation, as they will be upgraded and installed in later steps.
Step 1. Log in to the Cisco DNA Center web interface by directing a web browser to the Cluster Virtual IP address that you
supplied in the previous procedure (example: https://10.4.49.29/).
Step 2. At the Username line, enter admin; at the Password line, enter the Cisco DNA Center GUI administrator password
that you assigned using the Maglev Configuration wizard, and then click Log In.
When logging into the GUI for the first time as the admin user, you will be asked to complete a first-time setup wizard. Although steps
can be skipped in the Wizard, at minimum, the Cisco Credentials should be configured, and the Terms and Conditions must be accepted.
Step 3. At the prompt to reset the password, choose a new password or skip to the next step.
Step 4. At the welcome prompt, provide a Cisco.com ID and password. The ID is used to register software downloads and
receive system communications.
If you skip this step because you do not have an ID or plan to add one later by using Settings (gear) > System Settings > Settings
> Cisco Credentials, features such as SWIM, Telemetry, and Licensing will be unable to function properly. Additionally,
credentials are required for downloading software packages as described in the software migration and update procedures.
Step 5. In the previous step, if you did not enter an ID with Smart Account access with privileges for managing Cisco software
licenses for your organization, a Smart Account prompt displays. Enter a Cisco.com ID associated with a Smart Account or click
Skip.
Step 6. If you have an IPAM server (examples: Infoblox, Bluecat), enter the details at the IP Address Manager prompt and
click Next. Otherwise, click Skip.
Step 7. If you are using a proxy server, enter the details at the Enter Proxy Server prompt and click Next. Otherwise, click Skip.
Step 8. At the Terms and Conditions display, click Next, and then at the Ready to go! display, click Go to System 360.
Connect and configure the second and third add-on nodes to the cluster
Optional
Using the Cisco Integrated Management Controller (IMC) port (labeled with a gear symbol or letter M on the
●
Tech tip
Do this step only on the second node, and do not attempt to configure the third node in parallel. The second node must be joined into the
cluster completely before you start the steps of joining the third node into the cluster.
Step 5. Continue by accepting the wizard default choices, while supplying information for the following steps within the
wizard (the wizard steps are in order but are not sequential; different hardware appliances have different adapter names and
may be in a different order):
● In wizard STEP #4, selection for NETWORK ADAPTER #1 (eno1):
This interface can be used as a dedicated management interface for administrative web access to Cisco DNA Center. If
you are using this option (which may require static route configuration), fill in the information; otherwise leave all
selections blank, and then select next >> to continue.
● In wizard STEP #4, selection for OPTIONAL - NETWORK ADAPTER #2 (eno2):
This interface is available for use with a separate network (example: firewall DMZ) to the Internet cloud catalog server.
Unless you require this connectivity, leave all selections blank, and select next >> to continue.
● In wizard STEP #4, selection for OPTIONAL - NETWORK ADAPTER #3 (enp94s0f0):
This interface is used for clustering— configure clustering to easily allow for future clustering capability, even if initially
you don't need clustering. Fill in the information for the Host IP Address and Netmask (a /29 size network or larger
covers a three-member cluster), use the spacebar to select Cluster Link, do not fill in any other fields, and then select
next >> to continue.
Host IP Address:
192.168.127.3
Netmask:
255.255.255.248
Default Gateway IP Address:
[blank]
DNS Servers:
[blank]
Static Routes:
[blank]
Cluster Link
[use spacebar to select]
Configure IPv6 address
[blank]
The wizard displays an informational message.
The wizard will need to shutdown the controller in order to validate…
Step 6. Select proceed >> to continue with the network validation. The installation validates gateway reachability.
Please wait while we validate and configure host networking...
Step 7. If the wizard detects a network proxy server, then you are prompted to configure the proxy settings.
Tech tip
Complete these steps on the third node only after the second node is verified as completely joined into the cluster.
Step 16. Select Join a DNA-C Cluster (do not accept the default choice), and then press Enter.
Step 17. Continue by accepting the wizard default choices, while supplying information for the following steps within the
wizard (the wizard steps are in order but are not sequential; different hardware appliances have different adapter names and
may be in a different order):
● In wizard STEP #4, selection for NETWORK ADAPTER #1 (eno1):
This interface can be used as a dedicated management interface for administrative web access to Cisco DNA Center. If
you are using this option (which requires static route configuration), fill in the information; otherwise leave all selections
blank, and then select next >> to continue.
● In wizard STEP #4, selection for OPTIONAL - NETWORK ADAPTER #2 (eno2):
This interface is available for use with a separate network (example: firewall DMZ) to the Internet cloud catalog server
using a static route. Unless you require this connectivity, leave all selections blank, and select next >> to continue.
● In wizard STEP #4, selection for OPTIONAL - NETWORK ADAPTER #3 (enp94s0f0):
Use this interface for communications with your network infrastructure. Supply at least the Host IP Address, Netmask,
Default Gateway IP Address, and DNS Servers. If you are not using the single interface with default gateway, supply
Static Routes, and then select next >> to continue.
Host IP Address:
10.4.49.36
Netmask:
255.255.255.0
Default Gateway IP Address:
10.4.49.1
DNS Servers:
10.4.49.10
Static Routes:
[blank for combined management/enterprise interface installation]
Cluster Link
[blank]
This interface is used for cluster communication, although this port must be configured and operational for both single-
node and 3-node clusters. Fill in the information for the Host IP Address and Netmask (a /29 size network or larger covers
a three-member cluster), use the spacebar to select Cluster Link, do not fill in any other fields, and then select next >> to
continue.
Host IP Address:
192.168.127.4
Netmask:
255.255.255.248
Default Gateway IP Address:
[blank]
DNS Servers:
[blank]
Static Routes:
[blank]
Cluster Link
[use spacebar to select]
Configure IPv6 address
[blank]
The wizard displays an informational message.
The wizard will need to shutdown the controller in order to validate…
Step 18. Select proceed >> to continue with the network validation. The installation validates gateway reachability.
Please wait while we validate and configure host networking...
Step 19. If the wizard detects a network proxy server, then you are prompted to configure the proxy settings.
● In wizard STEP #8, selection for NETWORK PROXY:
In 3-node HA deployment, running services are distributed across the appliance. Processes and services are redistributed from the
master-node to the two other nodes. This process is completed in the GUI, and Cisco DNA Center enters maintenance mode while this
completes.
Step 29. Next to Hosts, click Enable Service Distribution (or, depending on the display for your version, toggle the HIGH
AVAILABILITY switch on), and then at the warning message click Continue.
The button text changes to Enabling Service Distribution… and the services are distributed across the nodes in the cluster.
This process can take approximately an hour. Use the browser refresh button to verify the configuration status, which shows
DNA Center is in maintenance mode until the process completes.
Cisco DNA Center automatically connects to the Cisco cloud catalog server to find the latest updates. Update Cisco DNA Center
to the required version using the Cisco cloud catalog server.
Tech tip
This procedure shows a Cisco DNA Center upgrade from release 1.2.8, and illustrations are installation examples. Software versions used
for validation are listed in Appendix A: Product List. For upgrade requirements using other software versions, refer to the release notes on
Cisco.com for the correct procedure for a successful upgrade to the target version from the installed version.
https://www.cisco.com/c/en/us/support/cloud-systems-management/dna-center/products-release-notes-list.html
The release notes include access requirements for connecting Cisco DNA Center to the Internet behind a firewall to download packages
from the cloud catalog server.
Step 1. At the main Cisco DNA Center dashboard, at the top right of the window, click the Software Updates (cloud) button,
and then click Go to Software Updates.
The Settings > Software Updates > Updates screen appears. This screen is used to install updates and packages that add
functionality to the controller, including SD-Access. For significant system-wide updates, an announcement is displayed at the
top of the updates window.
Step 2. Click the Switch Now button, and then acknowledge that the migration is irreversible by clicking OK.
Caution
The System package within the System Updates section is the only package you download or update during the initial system update.
After the installation of the system is complete, download and install the application package updates.
Do not switch to a new version of Cisco DNA Center until you have completely updated the system. Before switching, check the listing of
permitted update paths in the Cisco Digital Network Architecture Center Upgrade Guide.
The system goes into maintenance mode, and a message appears stating that there is a system update in progress. The
download and installation can take more than an hour. Use the Refresh button to check the status.
At the end of the installation, refresh the browser to view the web interface for the updated Cisco DNA Center.
When Cisco DNA Center is running the latest system update, you upgrade the packages to the versions associated with the
updated system version.
Step 1. Log in to the Cisco DNA Center web interface and navigate to the main dashboard.
Step 2. In the top right of the Cisco DNA Center dashboard, click the Software Updates (cloud) button, and then click Go to
Software Updates.
The system navigates to the Software Updates > Updates > System Update screen.
Step 3. At the top right of the System Update screen, on the same row as Application Updates, click the upper Download All
button. At the pop-up window, click Continue to confirm the update operation, and then, at the second System Readiness
Check pop-up window, click Continue.
Step 5. After the new versions of the packages are downloaded, at the top right of the System Update screen, on the same
row as Application Updates, click the upper Install All button. On the pop-up window, click Continue, and then, on the System
Readiness Check pop-up window, click Continue. An informational message appears, and the installation begins.
Tech tip
Packages must be updated in a specific order to appropriately address package interdependencies. Allow Cisco DNA Center to handle
dependencies by selecting and updating all package updates at once. The Installation Guide for the installed version explains how to use
the Maglev CLI to force a download retry for any stalled download.
While the packages are installing, you can work in parallel on the next process for installing the Identity Services Engine nodes.
All application package updates are installed when the Software Updates > Updates screen no longer shows any available
packages listed under App Updates and the cloud icon in the top right of the screen displays a green check mark.
If you need additional functionality in later Cisco DNA Center releases, such as support for new switches or features, you can
continue the upgrade process as required.
With all application packages installed and hosts in the cluster showing a status of Up, the SD-Access functionality is available to
configure, and integration with ISE can proceed.
For high availability stateful switchover (HA SSO) resiliency, use a pair of WLCs with all network connectivity in place before
starting the configuration procedure. Redundant WLCs are connected to a set of devices configured to support the Layer 2
redundancy suitable for the HA SSO WLCs, such as a switch stack, Cisco Virtual Switching System, or Cisco StackWise® Virtual,
which may exist in a data center or shared services network. For maximum resiliency, redundant WLCs should not be directly
connected to the Layer 3 border nodes.
Configure the WLC Cisco AireOS platforms using the startup wizard
After powering up the WLC, you should see the following on the WLC console. If not, type - (hyphen) followed by Enter
repeatedly until the startup wizard displays the first question.
Welcome to the Cisco Wizard Configuration Tool
Use the ‘-‘ character to backup
Step 1. Terminate the auto-install process.
Would you like to terminate autoinstall? [yes]: YES
Step 2. Enter a system name. Do not use colons in the system name, and do not use the default name.
System Name [Cisco_7e:8e:43] (31 characters max): SDA-WLC-1
Step 3. Enter an administrator username and password. Use at least three of the following character classes in the password:
lowercase letters, uppercase letters, digits, and special characters.
Enter Administrative User Name (24 characters max): admin
Enter Administrative Password (24 characters max): [password]
Re-enter Administrative Password: [password]
Step 4. Use DHCP for the service port interface address.
Service Interface IP address Configuration [static] [DHCP]: DHCP
Step 5. Enable Link Aggregation (LAG).
Enable Link Aggregation (LAG) [yes][NO]: YES
Step 6. Enter the management interface IP address, mask, and default router. The IP address for the secondary controller of
an HA SSO pair is used only temporarily until the secondary WLC downloads the configuration from the primary and becomes a
member of the HA controller pair.
Management Interface IP Address: 10.4.174.26
Management Interface Netmask: 255.255.255.0
Management interface Default Router: 10.4.174.1
Step 7. Configure the management interface VLAN identifier.
Management Interface VLAN Identifier (0 = untagged): 174
Step 8. Configure the management interface port number. The displayed range varies by WLC model. This number is arbitrary
after enabling LAG, because all management ports are automatically configured and participate as one LAG, and any functional
physical port in the group can pass management traffic.
Management Interface Port Num [1 to 2]: 1
Step 9. Enter the DHCP server for clients (example: 10.4.48.10).
Tech tip
The multicast IP address must be unique for each controller or HA pair in the network. The multicast IP address entered is used as the
source multicast address, which the access points registered to the controller use for receiving wireless user-based multicast streams.
Step 13. Enter a name for the default mobility and RF group.
Mobility/RF Group Name: SDA-Campus
Step 14. Enter an SSID for the data WLAN. This is used later in the deployment process.
Network Name (SSID): SDA-Data
Step 15. Disable DHCP Bridging Mode.
Configure DHCP Bridging Mode [yes][NO]: NO
Step 16. Enable DHCP snooping.
Allow Static IP Addresses [YES][no]: NO
Step 17. Do not configure the RADIUS server now. You will configure the RADIUS server later, using the GUI.
Configure a RADIUS Server now? [YES][no]: NO
Warning! The default WLAN security policy requires a RADIUS server.
Please see documentation for more details.
Step 18. Enter the country code where you are deploying the WLC.
Enter Country Code list (enter ‘help’ for a list of countries) [US]: US
Step 19. Enable the required wireless networks.
Enable 802.11b network [YES][no]: YES
Enable 802.11a network [YES][no]: YES
Enable 802.11g network [YES][no]: YES
Step 20. Enable the radio resource management (RRM) auto-RF feature.
Enable Auto-RF [YES][no]: YES
Step 21. Synchronize the WLC clock to your organization's NTP server.
Configure a NTP server now? [YES][no]: YES
Enter the NTP server's IP address: 10.4.0.1
Enter a polling interval between 3600 and 604800 secs: 86400
Step 22. Do not configure IPv6.
Would you like to configure IPv6 parameters? [YES][no]: NO
Step 23. Confirm that the configuration is correct. The WLC saves the configuration and resets automatically.
Step 26. From the home page, at the top right, click Advanced. Navigate to COMMANDS > Set Time. Verify that the date and
time agree with the NTP server. If the time appears to be significantly different, manually correct it, and, if your network
infrastructure devices use something other than the default time zone, also choose a time zone. The correct date and time are
important for certificate validation and successful AP registration with the WLC. Repeat this step with each WLC.
Add the credentials to the WLC used for discovery and management by Cisco DNA Center. During discovery, with the Device
Controllability feature enabled, Cisco DNA Center uses the user credentials to configure additional management access
requirements, such as SNMPv3.
Step 1. Use a web browser to connect to the Cisco WLC administration web page using the credentials created in Step 3 of
Procedure 1 (example: https://10.4.174.26).
Step 2. Add a local login for Cisco DNA Center to manage the device. From the home page, at the top right, click Advanced.
Navigate to MANAGEMENT > Local Management Users. At the top right, click New…, fill out the form, supplying User Name
(example: dna), Password, Confirm Password, set User Access Mode to ReadWrite, supply a Description, and then click Apply.
Step 4. Repeat this procedure for the secondary WLC, using the appropriate parameters for it.
The WLCs are ready for integration into the Cisco DNA Center setup. Integration is part of the fabric deployment itself and
consists of adding WLCs into inventory, optionally creating HA pairs, creating IP pools and SSIDs for fabric wireless, provisioning
WLCs into the fabric, and assigning wireless endpoints to the fabric. These steps are outlined as part of the Software-Defined
Access Medium and Large Site Fabric Provisioning Prescriptive Deployment Guide.
PSN PSN
pxGrid pxGrid
Tech tip
The identity services engine can be installed as a VM (virtual machine) or installed on dedicated Cisco Secure Network Server (SNS)
appliances. The procedures below provide the steps to configure ISE once the appliance or virtual machine has been installed and wired.
For additional details beyond the scope of the procedures below, please see Cisco Identity Services Engine Installation Guides.
Step 1. On both ISE nodes, boot and install the ISE image.
Step 2. On the console of the first ISE node, at the login prompt, type setup, and then press Enter.
**********************************************
Please type ‘setup’ to configure the appliance
**********************************************
localhost login: setup
Step 3. Enter the platform configuration parameters.
Press ‘Ctrl-C’ to abort setup
Enter hostname[]: m29-ise1
Enter IP address []: 10.4.49.30
Enter IP netmask[]: 255.255.255.0
Enter IP default gateway[]: 10.4.49.1
Enter default DNS domain[]: ciscodna.net
Enter Primary nameserver[]: 10.4.49.10
Add secondary nameserver? Y/N [N]: N
Enter NTP server[time.nist.gov]: 10.4.0.1
Add another NTP server? Y/N [N]: Y
Enter NTP server[time.nist.gov]: 10.4.0.2
Add another NTP server? Y/N [N]: N
Enter system timezone[UTC]: UTC
Enable SSH service? Y/N [N]: Y
Enter username[admin]: admin
Enter password: [admin password]
Enter password again: [admin password]
Copying first CLI user to be first ISE admin GUI user...
Bringing up network interface...
Pinging the gateway...
Pinging the primary nameserver...
Installing Applications...
=== Initial Setup for Application: ISE ===
Additional installation messages appear, and then the server reboots.
Step 1. On the first ISE node, log in using a web browser and the configured username and password, and then accept any
informational messages.
https://m29-ise1.ciscodna.net/
Step 2. Navigate to Administration > System > Deployment, and then click OK to the informational message.
Step 3. Click on the ISE node hostname, and then, under Role, click Make Primary.
Step 4. Under Policy Service, select Enable Device Admin Service and Enable Passive Identity Service, select pxGrid, and
then click Save.
Using the same ISE administration session started on the first node, integrate the additional ISE node.
Tech tip
ISE distributed deployments use mutual certificate identification to validate each node that is registered with the Primary.
Communication between nodes is created using the FQDN (fully qualified domain names), not the IP address. Forward and reverse DNS
entries must be available in the defined DNS server for the IP address and FQDN that are part of your distributed deployment or
registration will fail.
Step 1. Using the existing session, refresh the view by navigating again to Administration > System > Deployment, and then
under the Deployment Nodes section, click Register.
A screen allowing registration of the second ISE node into the deployment appears.
Step 2. Enter the ISE fully-qualified domain name Host FQDN (m29-ise2.ciscodna.net), User Name (admin), and Password
([admin password]), and then click Next.
Step 3. If you are using self-signed certificates, click Import Certificate and Proceed. If you are not using self-signed
certificates, follow the instructions for importing certificates and canceling this registration, and then return to the previous
step.
Step 4. On the Register ISE Node - Step 2: Configure Node screen, under Monitoring, change the role for this second ISE
node to PRIMARY. Under Policy Service, select Enable Device Admin Service and Enable Passive Identity Service, select pxGrid,
and then click Submit.
Step 6. Check Cisco.com for ISE release notes and the SD-Access Hardware and Software Compatibility Matrix and download
any patch required for your installation. Then, install the patch by navigating in ISE to Administration > System > Maintenance >
Patch Management, click Install, click Browse, browse for the patch image, and then click Install. The patch installs node-by-
node to the cluster, and each cluster node reboots.
Step 7. After the ISE web interface is active again, check the progress of the patch installation by navigating to Administration
> System > Maintenance > Patch Management, select the patch, and then select Show Node Status. Use the Refresh button to
update status until all nodes are in Installed status before proceeding.
The ERS settings are updated, and ISE is ready to be integrated with Cisco DNA Center.
Tech tip
There are specific ISE software versions required for compatibility with Cisco DNA Center. To be able to integrate with an existing ISE
installation, you must first ensure that the existing ISE is running at least the minimum supported version. An ISE integration option, which
is not included in this validation, is to deploy a new ISE instance as a proxy to earlier versions of ISE.
The versions of ISE and Cisco DNA Center validated in HA standalone mode for this guide are listed in Appendix A: Product List. You may
find alternative recommended images in the latest SD-Access Hardware and Software Compatibility Matrix.
Step 1. Log in to the Cisco DNA Center web interface. At the top-right corner, select the Settings (gear) icon, and then
navigate to System Settings.
Step 2. Navigate to Settings > Authentication and Policy Servers, and then click the + Add button.
Tech tip
The next step for integrating an ISE installation is the same whether you use a high-availability standalone ISE deployment, as shown in
this example, or a distributed ISE deployment. The shared secret chosen needs to be consistent with the shared secret used across the
devices in the network for communicating with the authentication, authorization, and accounting (AAA) server. The username and
password are used for Cisco DNA Center to communicate with ISE using SSH and must be the default super admin account that was
created during the ISE installation. The ISE CLI and ISE GUI passwords must be the same.
Step 3. In the Add AAA/ISE SERVER slide-out display, enter the ISE node 1 (primary PAN) Server IP Address (example:
10.4.49.30) and Shared Secret, toggle the Cisco ISE server selector to On, enter the ISE Username (example: admin), enter the
ISE Password. For the FQDN and enter the ISE fully qualified domain name, enter Subscriber Name (example: dnac) and leave
the SSH Key blank. If you are using TACACS for infrastructure device administration, click View Advanced Settings and select
TACACS. Click Apply.
With communications established, Cisco DNA Center requests a pxGrid session with ISE.
Step 4. Log in to ISE and navigate to Administration > pxGrid Services.
The client named dnac (Subscriber Name defined above) shows Pending in the Status column.
Step 5. Check the box next to dnac, above the list, click Approve, and then click Yes to confirm.
If ISE is integrated with Cisco DNA Center after scalable groups are already created in ISE, in addition to the default groups
available, any existing ISE groups also are visible by logging in to Cisco DNA Center and navigating to Policy > Dashboard >
Scalable Groups.
Cisco DNA Center Appliance DN2-HW-APL-L (M5-based chassis) 1.2.10.4 (System 1.1.0.754)
All packages running on the Cisco DNA Center during validation are listed—not all packages are included as part of the testing
for SD-Access validation.
Package Version
SD-Access 2.1.28.60244.9
Wireless LAN controller Cisco 8540, 5520, and 3504 Series Wireless Controllers 8.8.111.0 (8.8 MR1)