BRKCRS-2813
Cisco SD-Access Monitoring and Troubleshooting
Parthiv Shah, Technical Leader, Escalation
Derek Huckaby, Technical Marketing Engineer
#CLMEL
© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Public 3
Agenda
• DNA Architecture Overview
• DNA Center Troubleshooting
• Install / Services Debugging / HA
• Log Collection
• ISE and DNA Center Integration
• Device Discovery
• Provisioning
• DHCP
Objectives and Assumptions
Objectives
After completing this module you will:
• Understand DNA Center server troubleshooting
• Understand SD-Access Fabric Deployment and Troubleshooting
• Understand SD-Access Host Onboarding and Troubleshooting
Assumptions
• Audience must be familiar with ISE deployment scenarios, pxGrid and Cisco TrustSec.
• Working knowledge of APIC-EM and PKI.
• Working knowledge of Routing/Switching and Cisco Fabric architecture.
• This session will not cover CLI based Cisco Fabric or ISE troubleshooting.
DNA Architecture Overview
The DNA Center Appliance
Fully Integrated Automation & Assurance
• Centralised Deployment - Cloud Tethered
• Built-In Telemetry Collectors (FNF, SNMP, Syslog, etc)
• Built-In Contextual Connectors (ISE/pxGrid, IPAM, etc)
• Multi-Node High Availability (3 Node, Automation)
• RBAC, Backup & Restore, Scheduler, APIs
DNA Center Platform
1RU Server (Small form factor), DN2-HW-APL
• UCS 220 M5S: 64-bit x86
• vCPU: 44 core (2.2GHz)
• RAM: 256GB DDR4
• Control Disks: 2 x 480GB SSD RAID1
• System Disks: 6 x 1.9TB SSD M-RAID
• Network: 2 x 10GE SFP+
• Power: 2 x 770W AC PSU
DNAC 1.2 Scale: Per Node
• 5,000 Nodes (1K Devices + 4K APs)
• 25,000 Clients (Concurrent Hosts)
DNA Center = Identity Services Engine + Network Control Platform + Network Data Platform
Cisco DNA Center
Cisco SD-Access – Key Components
• Identity Services Engine (ISE): identity and policy
• Network Control Platform (NCP): automation
• Network Data Platform (NDP): assurance
All three are exposed through APIs. Fabric-facing protocols shown in the figure: NETCONF, SNMP, SSH and HTTPS (automation); AAA/RADIUS and EAPoL (identity); NetFlow and Syslog (assurance).
DNA Center and ISE integration
ISE node roles in SD-Access (figure: DNA Center admin/operate, configuration sync and context exchange with ISE)
DNA Center Solution Basic Pre-requisite
• Hardware
• Supported DNA Center Appliance (DN2-HW-APL)
• Supported switch/router/WLC/AP models
• Software
• Check each platform for the recommended IOS-XE software version
• Check licensing for the planned platforms
• Recommended ISE and DNA Center software versions
• Underlay/Overlay
• IP address plan for DNA Center and ISE
• Check that the underlay network / routing is configured correctly and devices are reachable
• Reachability to the Internet, direct or via a proxy
• Access to an NTP server
• Make sure the DNA Center appliance clock is close to real time (check via CIMC)
Cisco DNA Center Troubleshooting
Cisco SD-Access 4 Step Workflow (figure)
DNA Center – Maglev Logical Architecture
Layers, top to bottom:
• App Stack 1, App Stack 2 ... App Stack N
• Maglev Services
• IaaS (Baremetal, ESXi, AWS, OpenStack etc)
Cisco SD-Access (Fusion) Package Services
apic-em-event-service: Trap events and host discovery; SNMP traps are handled here. Critical during provisioning.
apic-em-inventory-manager-service: Provides the communication service between the inventory and discovery services
apic-em-jboss-ejbca: Certificate authority; enables the controller authority on the DNAC
apic-em-network-programmer-service: Configures devices. Critical service to check during provisioning.
apic-em-pki-broker-service: PKI certificate authority
command-runner-service: Responsible for Command Runner related tasks
distributed-cache-service: Infrastructure
dna-common-service: DNAC-ISE integration tasks
dna-maps-service: Maps related services
dna-wireless-service: Wireless
identity-manager-pxgrid-service: DNAC-ISE integration tasks
ipam-service: IP Address manager
network-orchestration-service: Orchestration
orchestration-engine-service: Orchestration service
pnp-service: PnP tasks
policy-analysis-service: Policy related
policy-manager-service: Policy related
postgres: Core database management system
rbac-broker-service: RBAC
sensor-manager: Sensor related
site-profile-service: Site profiling
spf-device-manager-service: Core service during the provisioning phase
spf-service-manager-service: Core service during the provisioning phase
swim-service: SWIM
Assurance Services
cassandra: Database
collector-agent: Collector agents
collector-manager: Collector manager
elasticsearch: Search
ise: ISE data collector
kafka: Communication service
mibs-container: SNMP MIBs
netflow-go: NetFlow data collector
pipelineadmin, pipelineruntime-jobmgr, pipelineruntime-taskmgr, pipelineruntime-taskmgr-data, pipelineruntime-taskmgr-timeseries: Various pipelines and task managers
snmp: SNMP collector
syslog: Syslog collector
trap: Trap collector
Base Services
cassandra: Core database
catalogserver: Local catalog server for updates
elasticsearch: Elasticsearch container
glusterfs-server: Core filesystem
identitymgmt: Identity management container
influxdb: Database
kibana-logging: Kibana logging collector
kong: Infrastructure service
maglevserver: Infrastructure
mongodb: Database
rabbitmq: Communication service
workflow-server, workflow-ui, workflow-worker: Various update workflow tasks
Most Commonly Used Maglev CLI
$ maglev
Usage: maglev [OPTIONS] COMMAND [ARGS]...
  Tool to manage a Maglev deployment
Options:
  --version           Show the version and exit.
  -d, --debug         Enable debug logging
  -c, --context TEXT  Override default CLI context
  --help              Show this message and exit.
Commands:
  backup                 Cluster backup operations
  catalog                Catalog Server-related management operations
  completion             Install shell completion
  context                Command line context-related operations
  cronjob                Cluster cronjob operations
  job                    Cluster job operations
  login                  Log into the specified CLUSTER
  logout                 Log out of the cluster
  maintenance            Cluster maintenance mode operations
  managed_service        Managed-Service related runtime operations
  node                   Node management operations
  package                Package-related runtime operations
  restore                Cluster restore operations
  service                Service-related runtime operations
  system                 System-related management operations
  system_update_addon    System update related runtime operations
  system_update_package  System update related runtime operations

$ magctl
Usage: magctl [OPTIONS] COMMAND [ARGS]...
  Tool to manage a Maglev deployment
Options:
  --version    Show the version and exit.
  -d, --debug  Enable debug logging
  --help       Show this message and exit.
Commands:
  api         API related operations
  appstack    AppStack related operations
  completion  Install shell completion
  disk        Disk related operations
  glusterfs   GlusterFS related operations
  iam         Identitymgmt related operations
  job         Job related operations
  logs        Log related operations
  maglev      Maglev related commands
  node        Node related operations
  service     Service related operations
  tenant      Tenant related operations
  token       Token related operations
  user        User related operations
  workflow    Workflow related operations
Troubleshooting areas covered: Bring-up Issues, Collecting Logs, Integrating ISE, Discovery Issues, Provisioning Issues
Cisco DNA Center services are not coming up
Have patience: allow 120 to 180 minutes of bring-up time after installation before treating it as a failure.
Install Failure
If you are unable to run maglev/magctl commands after install:
• Check the RAID configuration and the install error messages
• USB 3.0 is recommended for installation
• Avoid KVM, USB 2.0 or NFS mount methods for installation
• Use a Windows 10 or Linux/Mac based system to burn the ISO image
• Check for Error or Exception in the following log files:
• /var/log/syslog
• /var/log/maglev_config_wizard.log
Package Status – GUI / CLI
How to check package status from the GUI:
• System Settings > App Management > Packages & Updates
• System Settings > Software Updates > Installed Apps
• Check for "Failed"
How to check package status from the CLI:
• maglev package status
• Check for any status not "DEPLOYED"
Verify H/W profile complies with requirements
The hardware profile check should show Result as SUCCESS.
Troubleshooting – Kubernetes & Docker
Package Update
Package Update Troubleshooting
Failure to download packages:
• Check connectivity to the Internet
• Internet connectivity is mandatory while the update is being downloaded
Failure to install packages:
• Internet connectivity is mandatory during the install
• Check whether any failure is displayed in the GUI
• Check the status from the CLI for any error
Proxy Setting Check
• If a proxy server is configured, check the proxy server settings
• Check the parent Catalog server and repository
Package Mapping – GUI v/s CLI
CLI Package Name: GUI Display Name
application-policy: Automation - Application Policy
assurance: Assurance - Base
automation-core: NCP - Services
base-provisioning-core: Automation - Base
command-runner: Command Runner
core-network-visibility: Network Controller Platform
device-onboarding: Automation - Device Onboarding
image-management: Automation - Image Management
iwan: IWAN
migration-support: (no GUI display name)
ncp-system: NCP - Base
ndp: Network Data Platform
ndp-base-analytics: Network Data Platform - Base Analytics
ndp-platform: Network Data Platform - Core
ndp-ui: Network Data Platform - Manager
network-visibility: Network Controller Platform
path-trace: Assurance - Path Trace
sd-access: Automation - SD Access
sensor-automation: Automation - Sensor / Assurance - Sensor
system: System Or Infrastructure
waas: Automation - WAAS
Package Deploy Failure and Recovery
$ maglev package status
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]
NAME DEPLOYED AVAILABLE STATUS
-----------------------------------------------------------------------------------
network-visibility 2.1.1.60067 - UPGRADE_ERROR - maglev_workflow.workflow.exceptions.TaskCallableExecutionError: (1516326117.1073043, 1516327147.0490577, 'TimeoutError', 'Timeout of 1020 seconds has expired while watching for k8s changes for apic-em-jboss-ejbca ')
Find the package name (fully qualified name):
$ maglev catalog package display network-visibility | grep fq
fqn: network-visibility:2.1.1.60067
Once the above steps are completed, go to the GUI, download the package again and install it, or use "maglev package deploy <>".
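The CLI check above ("any status not DEPLOYED") is easy to script. The following is an added example, not code from the session or from Cisco: it parses the `maglev package status` table as shown on the slide, re-joins the wrapped exception text of a failed package, and returns the packages that need attention. The sample output is constructed from the slide's network-visibility row; the ncp-system and sd-access rows are assumptions added to show a healthy package and one with an upgrade available.

```python
"""Parse `maglev package status` output and flag anything that is not DEPLOYED.

Added example, not Cisco's code. The NAME / DEPLOYED / AVAILABLE / STATUS layout
follows the slide's sample; rows other than network-visibility are constructed.
"""
import re

# Constructed sample modelled on the slide's output. A failed package's STATUS
# carries the exception text, which wraps onto the following lines.
SAMPLE_STATUS = """\
maglev-1 [main - https://kong-frontend.maglev-system.svc.cluster.local:443]

NAME                 DEPLOYED      AVAILABLE     STATUS
-----------------------------------------------------------------------------------
ncp-system           2.1.1.60067   -             DEPLOYED
network-visibility   2.1.1.60067   -             UPGRADE_ERROR - maglev_workflow.workflow.exceptions.TaskCallableExecutionError:
(1516326117.1073043, 1516327147.0490577, 'TimeoutError', 'Timeout of 1020 seconds has expired while watching for k8s changes for apic-em-jboss-
ejbca ')
sd-access            2.1.1.60067   2.1.2.60070   DEPLOYED
"""

# A table row is a package name followed by a version (or '-') in each of the
# DEPLOYED and AVAILABLE columns; any other line after the header is wrapped text.
ROW_RE = re.compile(
    r"^(?P<name>[a-z][\w-]*)\s+(?P<deployed>\d[\d.]*|-)\s+(?P<available>\d[\d.]*|-)\s+(?P<status>.+)$"
)


def parse_package_status(text):
    """Return one dict per package, with wrapped STATUS text re-joined."""
    rows, in_table = [], False
    for line in text.splitlines():
        if line.startswith("NAME"):
            in_table = True
            continue
        if not in_table or line.startswith("---") or not line.strip():
            continue
        m = ROW_RE.match(line)
        if m:
            rows.append(m.groupdict())
        elif rows:
            # continuation of the previous row's STATUS (exception text)
            rows[-1]["status"] += " " + line.strip()
    return rows


def not_deployed(text):
    """Packages whose STATUS is not DEPLOYED, mapped to the short status keyword."""
    return {
        r["name"]: r["status"].split(" - ", 1)[0]
        for r in parse_package_status(text)
        if r["status"] != "DEPLOYED"
    }


def upgrades_available(text):
    """Packages for which the catalog offers a newer version (AVAILABLE != '-')."""
    return {r["name"]: r["available"] for r in parse_package_status(text) if r["available"] != "-"}


if __name__ == "__main__":
    for name, status in not_deployed(SAMPLE_STATUS).items():
        # Next step from the slide: look up the fqn, then re-download or `maglev package deploy`
        print(f"{name}: {status} -> maglev catalog package display {name} | grep fq")
```

On a live appliance, pipe the real output in (`maglev package status | python3 check.py`, reading `sys.stdin`) instead of the constructed string; the regex only anchors on the name and version columns, so it tolerates the column widths changing between releases.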
High Availability
High Availability (HA) Overview
• Minimize downtime for the Cisco DNAC cluster
• An HA cluster consists of multiple nodes that communicate and share/replicate information to ensure high system availability, reliability, and scalability
• Cisco DNAC HA is limited to 3 nodes (active/active)
• Can handle a maximum of one node failure
• Components scaled as part of HA:
• Managed Service Addons: RabbitMQ, Kong, Cassandra DB, Mongo DB, Postgres DB, GlusterFS, Elasticsearch, Minio
• Maglev Core Service Addons: Maglevserver, Identity Management, agent, fluent-es, keepalived, platform-ui
• K8S Components: kube-apiserver, etcd, calico, kube-controller-manager, kube-dns, kube-proxy, kube-scheduler
Creation of 3 node cluster
Redistributing services through System 360 lets the cluster act as a single unit.
Install Initial DNA Center Node
(seed node services shown in the figure: Kong, CatalogServer, MaglevServer, DockerRegistry, WorkflowServer, WorkflowWorker)
Install Additional DNA Center Nodes
(per-node services shown in the figure: CatalogServer, MaglevServer, DockerRegistry, WorkflowServer, WorkflowWorker)
Distribute Services
(Fusion Services and NDP Services are distributed across all three nodes)
Bringing up Cisco DNA Center 3 node cluster
• Always ensure the seed Cisco DNA Center node is up and running before adding other cluster nodes
• After forming the cluster, make sure that all the nodes are in READY state when you run 'kubectl get nodes' from the CLI
• Enabling HA should only be done after confirming that the 3-node cluster is successfully formed and operational with the full stack deployed
• DO NOT try to add two nodes in parallel, i.e. add nodes sequentially
Cisco DNA Center settings after second node install (screenshot)
Cisco DNA Center settings after third node install (screenshot)
Enable Service Distribution (screenshot)
Check services on each node (screenshot)
Automation Behavior on node failure
• Node failure and restore (RMA) requires re-distribution of services (about 25 minutes; can be a planned outage)
• Link failure: no significant delay in redistribution of services when the link comes back up
UI Notification on HA failure (screenshot)
Node Failure UI Notifications (screenshot)
Service Failure UI Notifications (screenshots)
Cluster Link Failure Notifications (screenshot)
Cluster Link Came Up (screenshots)
Remove a node from cluster (RMA use case)
• If a node in the cluster is in failed state and is not recovering after several hours, remove it from the cluster by running: $ maglev node remove <node_ip>
HA Commands Cheat Sheet
HA commands:
• maglev service nodescale status
• maglev service nodescale refresh
• maglev service nodescale progress
• maglev service nodescale history
Node commands (check that all 3 nodes are available):
• maglev node remove <node_ip>
• maglev node allow <node_ip>
• maglev cluster node display
UI Debugging from Browser
• Use the browser's debugging mode (developer tools) to find API or GUI related errors
Firebug is another tool for browser debugging:
• Install the Firebug add-on in the Firefox browser
• Enable the Firebug add-on
• Launch Firebug and go to the Console
• Run the task; Firebug captures the API calls and related operations in detail
Live Log - Service (screenshot of the log files)
Check Service Log in GUI: click on the Kibana icon
Check Service Log using Log Explorer: log messages
Changing DNA Center Logging Levels
How to Change the Logging Level
• Navigate to the settings page: System Settings > Settings > Debugging Levels
• Select the service of interest
• Select the new logging level
• Set the duration DNA Center should keep this logging level change
• Intervals: 15 / 30 / 60 minutes or forever
Required information to report an issue
• RCA file: SSH to the server as the maglev user and run $ rca, then copy the file off with scp -P 2222 maglev@<dnacenter_ip_address>:<rca_filename>
• API debug log captured using the browser debugging mode
[Sun Feb 11 14:26:00 UTC] maglev@10.90.14.247 (maglev-master-1)
$ rca
===============================================================
Verifying administration access
===============================================================
[administration] password for 'admin': <passwd>
User 'admin' logged into 'kong-frontend.maglev-system.svc.cluster.local' successfully
2018-02-18 14:26:14 | INFO | Generating log for 'date'...
tar: Removing leading `/' from member names
/etc/cron.d/
/etc/cron.d/.placeholder
/etc/cron.d/clean-elasticsearch-indexes
/etc/cron.d/clean-journal-files
Cisco DNA Center – ISE Integration
Administration > pxGrid Services
• The pxGrid service should be enabled on ISE.
• SSH needs to be enabled on ISE.
• Super admin credentials are used for trust establishment over SSH/ERS. By default the ISE super admin has ERS credentials.
• ISE CLI and UI user accounts must use the same username and password.
• The ISE admin certificate must contain the ISE IP or FQDN in either the subject name or the SAN.
• The DNAC system certificate must contain the DNAC IP or FQDN in either the subject name or the SAN.
• The pxGrid node should be reachable from DNAC on the eth0 IP of ISE.
• Bypass the proxy for DNAC on the ISE server.
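The certificate prerequisites above (ISE IP or FQDN in the subject name or SAN) can be verified before starting the integration rather than after it fails. The following is an added example, not Cisco's code: it inspects a certificate in the dictionary format that Python's ssl.SSLSocket.getpeercert() returns and checks whether the host you will type into DNA Center is covered. The ERS port 9060 comes from the error log later in this section; the constructed CERT dict (FQDN bldg24-ise1.cisco.com, address 10.1.1.222) is an assumption standing in for a real ISE admin certificate.

```python
"""Check that an ISE admin certificate names the ISE host (FQDN or IP) in the subject
CN or the subjectAltName, one of the DNA Center / ISE integration prerequisites.

Added example, not Cisco's code. Works on the dict that ssl.SSLSocket.getpeercert()
returns; fetch_peer_cert() shows how to obtain that dict from the ERS port (9060).
"""
import ipaddress
import socket
import ssl

# Constructed sample in getpeercert() format (assumption: an ISE node
# bldg24-ise1.cisco.com whose eth0 address is 10.1.1.222).
CERT = {
    "subject": ((("commonName", "bldg24-ise1.cisco.com"),),),
    "subjectAltName": (("DNS", "bldg24-ise1.cisco.com"), ("IP Address", "10.1.1.222")),
    "notAfter": "May 28 23:30:58 2020 GMT",
}


def cert_names(cert):
    """Collect the names a certificate is valid for: subject CN plus SAN DNS/IP entries."""
    names = set()
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower())
    for kind, value in cert.get("subjectAltName", ()):
        if kind in ("DNS", "IP Address"):
            names.add(value.lower())
    return names


def cert_covers_host(cert, host):
    """True if host (FQDN or IP literal) appears in the CN or the SAN.

    IP literals are compared as addresses, not strings, so equivalent spellings match.
    """
    names = cert_names(cert)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host.lower() in names  # host is a name, not an address
    for name in names:
        try:
            if ipaddress.ip_address(name) == ip:
                return True
        except ValueError:
            continue  # a DNS name, not an address
    return False


def fetch_peer_cert(host, port=9060, cafile=None, timeout=5):
    """Fetch and chain-validate the certificate ISE presents on the ERS port.

    cafile is the CA (or the self-signed ISE certificate itself) you trust; Python only
    fills in getpeercert()'s dict for a certificate that passed chain validation.
    Hostname checking is disabled here so that a name mismatch is reported by
    cert_covers_host() instead of aborting the handshake.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for host in ("bldg24-ise1.cisco.com", "10.1.1.222", "ise.example.com"):
        print(host, "covered" if cert_covers_host(CERT, host) else "NOT covered")
```

Run the same check against the DNA Center system certificate (the second prerequisite) with the DNAC IP/FQDN; if the name you enter in DNA Center for ISE is not in the set returned by cert_names(), fix the certificate before attempting trust establishment.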
Cisco DNA Center – ISE Integration Workflow
Trust Status on Cisco DNA Center
• AAA server status (Settings – Auth/Policy Server): INIT, INPROGRESS, ACTIVE, FAILED, RBAC_FAILURE
• Identity source status (under System 360): Available/Unavailable (pxGrid state), TRUSTED/UNTRUSTED
Troubleshooting ISE - Cisco DNA Center Integration
Example Error:
2017-08-01 05:24:36,794 | ERROR | pool-1-thread-1 | identity-manager-pxGrid-service | c.c.e.i.u.pxGridConfigurationUtils | An error occurred while retrieving pxGrid endpoint certificate. Request: PUT https://bldg24-ise1.cisco.com:9060/ers/config/endpointcert/certRequest HTTP/1.1, Response: HttpResponseProxy{HTTP/1.1 500 Internal Server Error [Cache-Control: no-cache, no-store, must-revalidate, Expires: Thu, 01 Jan 1970 00:00:00 GMT, Set-Cookie: JSESSIONIDSSO=9698CC02E88780EC4415A6DE80C37355; Path=/; Secure; HttpOnly, Set-Cookie: APPSESSIONID=03A609099AD604812984C6DF27CF7A19; Path=/ers; Secure; HttpOnly, Pragma: no-cache, Date: Tue, 01 Aug 2017 05:24:36 GMT, Content-Type: application/json;charset=utf-8, Content-Length: 421, Connection: close, Server: ] ResponseEntityProxy{[Content-Type: application/json;charset=utf-8,Content-Length: 421,Chunked: false]}} |
The 500 is returned by the ISE ERS API (port 9060) on the endpoint certificate request, so the failure is on the ISE side of the trust establishment.
Device Discovery
Step 1: Verify all devices are green after Discovery
Step 2: Check that all devices are in Managed state
New Configuration after Discovery
FE250#show archive config differences flash:underlay system:running-config
!Contextual Config Diffs:
+device-tracking tracking
+device-tracking policy IPDT_MAX_10
+limit address-count 10
+no protocol udp
+tracking enable
Troubleshooting – Discovery/Inventory
• Check for IP address reachability from DNAC to the device
• Check the username/password configuration in Settings
• Check whether the telnet/ssh option is properly selected
• Check using manual telnet/ssh to the device from DNAC or any other client
• Check that the SNMP community configuration matches on the switch and DNAC
• The Discovery view will provide additional information
Time to Provision Devices
Pre-deployment Summary (screenshot): System Details, Device Name: BLD2-FLR2-DST2
AAA Configuration
The AAA server (ISE) is now used to authenticate device logins:
FE2050#show running-config | sec aaa
aaa new-model
aaa group server radius dnac-group
 server name dnac-radius_172.26.204.121
 ip radius source-interface Loopback0
aaa authentication login default group dnac-group local
aaa authentication enable default enable
aaa authentication dot1x default group dnac-group
aaa authorization exec default group dnac-group local
aaa authorization network default group dnac-group
aaa authorization network dnac-cts-list group dnac-group
aaa accounting dot1x default start-stop group dnac-group
Global Cisco TrustSec (CTS) Configurations
ISE and 'Network Device' Transact Securely Using PAC keys
The switch authenticates with Cisco ISE over a secure EAP-FAST channel (RADIUS). ISE pushes the PAC (Protected Access Credential) keys, and the switch uses them to talk to ISE securely when it downloads environment data and the TrustSec egress policy.
Switch# cts credential id <device_id> password <cts_password>
bldg24-edge-3650-1#show cts pacs
AID: 5079AA777CC3205E5D951003981CBF95
PAC-Info:
PAC-type = Cisco Trustsec
AID: 5079AA777CC3205E5D951003981CBF95
I-ID: FDO1947Q1F1
A-ID-Info: Identity Services Engine
Credential Lifetime: 15:30:58 PST Mon May 28 2018
PAC-Opaque:
000200B800010211000400105079AA777CC3205E5D951003981CBF950006009C0003
0100C25BAEC6DC8B90034431914E48C335DC000000135A95A90900093A8087E1E4
7B8EA12456005D6E38C41F69C19F86B884B370177982EB65469F1E5F6B2B6D96B7
1C99DA19B240FE080757F8F8BBD543AE830A5959EA4A999C310CE1FEC427213AA
552406796C8DDDA695DBCF08FB3473249DCC025598D27CD280E4D01E7877F14C6
F211CC3BAB5E3B836A6B42A9C5EE4E0E6F997549D10561
Refresh timer is set for 11w3d
Environmental Data
Switch# show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Infra_SGT
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.1.1.222, port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
  Status = DEAD
  auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Infra_SGT
  10-00:Employee_FullAccess
  20-00:Employee_BYOD
  30-00:Contractors
  100-00:PCI_Devices
  110-00:Web_Servers
  120-00:Mail_Servers
  255-00:Unregist_Dev_SGT
Multicast Group SGT Table:
Environment Data Lifetime = 86400 secs
Last update time = 21:57:24 UTC Thu Feb 4 2016
Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
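When a fabric edge has PACs but SGT enforcement still does not work, the fields in `show cts environment-data` that matter are the state, the server status and the expiry timers. The following is an added example, not Cisco's code: it parses that output (the sample text is the slide's output, retyped) and returns the findings a troubleshooter would act on. The one-hour expiry warning threshold and the "ALIVE" healthy value are assumptions.

```python
"""Parse `show cts environment-data` and flag what breaks SGT policy download:
state not COMPLETE, a DEAD CTS server, an empty SGT table, or imminent expiry.

Added example, not Cisco's code. SAMPLE_ENV_DATA is the slide's output retyped;
the expiry threshold and the healthy server status "ALIVE" are assumptions.
"""
import re

SAMPLE_ENV_DATA = """\
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Local Device SGT:
  SGT tag = 2-00:TrustSec_Infra_SGT
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
 *Server: 10.1.1.222, port 1812, A-ID 3E465B9E3F4E012E6AD3159B403B5004
  Status = DEAD
  auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
  0-00:Unknown
  2-00:TrustSec_Infra_SGT
  10-00:Employee_FullAccess
  20-00:Employee_BYOD
  30-00:Contractors
  100-00:PCI_Devices
  110-00:Web_Servers
  120-00:Mail_Servers
  255-00:Unregist_Dev_SGT
Multicast Group SGT Table:
Environment Data Lifetime = 86400 secs
Last update time = 21:57:24 UTC Thu Feb 4 2016
Env-data expires in 0:23:58:00 (dd:hr:mm:sec)
Env-data refreshes in 0:23:58:00 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
"""

SERVER_RE = re.compile(r"^\s*\*?Server:\s*(?P<ip>[\d.]+),\s*port\s*(?P<port>\d+),\s*A-ID\s*(?P<aid>[0-9A-Fa-f]+)")
SGT_RE = re.compile(r"^\s*(?P<tag>\d+)-\d+:(?P<name>\S+)$")       # e.g. "  100-00:PCI_Devices"
EXPIRES_RE = re.compile(r"Env-data expires in (\d+):(\d+):(\d+):(\d+)")  # dd:hr:mm:sec


def parse_env_data(text):
    """Return state, local SGT, server list (with Status), SGT name table and seconds to expiry."""
    env = {"state": None, "last_status": None, "local_sgt": None,
           "servers": [], "sgts": {}, "expires_in": None}
    for line in text.splitlines():
        if line.startswith("Current state"):
            env["state"] = line.split("=", 1)[1].strip()
        elif line.startswith("Last status"):
            env["last_status"] = line.split("=", 1)[1].strip()
        elif line.strip().startswith("SGT tag ="):
            env["local_sgt"] = line.split("=", 1)[1].strip()
        elif (m := SERVER_RE.match(line)):
            env["servers"].append({"ip": m["ip"], "port": int(m["port"]), "aid": m["aid"], "status": None})
        elif line.strip().startswith("Status =") and env["servers"]:
            env["servers"][-1]["status"] = line.split("=", 1)[1].strip()   # belongs to the last server
        elif (m := SGT_RE.match(line)):
            env["sgts"][int(m["tag"])] = m["name"]
        elif (m := EXPIRES_RE.search(line)):
            d, h, mi, s = (int(x) for x in m.groups())
            env["expires_in"] = ((d * 24 + h) * 60 + mi) * 60 + s
    return env


def env_data_problems(text, expiry_warn_secs=3600):
    """Human-readable findings; an empty list means the device can enforce SGT policy."""
    env = parse_env_data(text)
    problems = []
    if env["state"] != "COMPLETE":
        problems.append(f"environment data state is {env['state']}, not COMPLETE")
    if not env["servers"]:
        problems.append("no CTS server installed (is the device configured as a NAD in ISE?)")
    for srv in env["servers"]:
        if srv["status"] != "ALIVE":
            problems.append(f"CTS server {srv['ip']}:{srv['port']} is {srv['status']}; "
                            "check RADIUS reachability and the PAC before anything else")
    if not env["sgts"]:
        problems.append("empty Security Group Name Table")
    if env["expires_in"] is not None and env["expires_in"] < expiry_warn_secs:
        problems.append(f"environment data expires in {env['expires_in']} s")
    return problems


if __name__ == "__main__":
    for p in env_data_problems(SAMPLE_ENV_DATA):
        print("-", p)
```

On the slide's output the state is COMPLETE and the SGT table is populated, yet the only server is DEAD: that is the case where policy keeps working from cached data until the environment data lifetime runs out, so it is worth catching before the expiry timer does.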
If CTS is not Configured, Verify the Device is a NAD
Configuration Issues: configuration not pushed to the network device (check the Save state)
Different Types of Error (screenshot)
Fix the configuration on the device
(config)#no vrf definition Campus
Before You Add to Fabric
SD-Access Fabric Provisioning
Fabric Edge Configuration
• LISP configuration
• VRF/VLAN configuration
• SVI configuration
• Interface configuration
SDA Provisioning – Workflow
Services involved: NB API, SPF Service, Orchestration Engine, SPF Device Messaging, Network Programmer
Start Provisioning from UI
• Pre-Process-Cfs-Step: determine all the namespaces this config applies to
• Validate-Cfs-Step: validate whether this config is consistent and conflict free
• Process-Cfs-Step: persist the data and take a snapshot for all namespaces in a single transaction
• Target-Resolver-Cfs-Step: determine the list of devices this config should go to
• Translate-Cfs-Step: per device, convert the config to the config that needs to go to the device
• Deploy-Rfs-Task: convert the config to a Bulk Provisioning Message and send it to the Network Programmer (NP)
• Rfs-Status-Updater-Task: update the device config status based on the response from NP
• Rfs-Merge-Step: update the task with an aggregate merged message
Complete
SDA Provisioning – Task Status Check
• Click on View Target Device List
• Click on Show Task Status
• Check the status
Closed Authentication Configuration
IBNS 2.0 template:
template DefaultWiredDot1xClosedAuth
 dot1x pae authenticator
 switchport access vlan 2047
 switchport mode access
 switchport voice vlan 4000
 mab
 access-session closed
 access-session port-control auto
 authentication periodic
 authentication timer reauthenticate server
 service-policy type control subscriber PMAP_ D
Interface configuration:
FE2051#show run int gi 1/0/1
 switchport mode access
 device-tracking attach-policy IPDT_MAX_10
 authentication timer reauthenticate server
 dot1x timeout tx-period 7
 dot1x max-reauth-req 3
 source template DefaultWiredDot1xClosedAuth
 spanning-tree portfast
Troubleshooting – Device / Fabric Provision Issues
Services involved:
• orchestration-engine-service
• spf-service-manager-service
• spf-device-manager-service
• apic-em-network-programmer-service
Cisco SD-Access Fabric
Troubleshooting DHCP
DHCP Packet Flow in Campus Fabric (client, Fabric Edge FE1, Border BDR, DHCP server)
1 The DHCP client generates a DHCP request and broadcasts it on the network
2 The FE uses DHCP snooping to add its RLOC as the remote ID in Option 82 and sets giaddr to the anycast SVI. Using DHCP relay the request is forwarded to the Border.
3 The DHCP server replies with an offer to the anycast SVI
4 The Border uses the remote ID in Option 82 to forward the packet to the FE whose RLOC it carries
5 The FE installs the DHCP binding and forwards the reply to the client
DHCP Binding on Fabric Edge
Received DHCP Discover
015016: *Feb 26 00:07:35.296: DHCP_SNOOPING: received new DHCP packet from input interface (GigabitEthernet4/0/3)
015017: *Feb 26 00:07:35.296: DHCP_SNOOPING: process new DHCP packet, message type: DHCPDISCOVER, input interface: Gi4/0/3, MAC da: ffff.ffff.ffff, MAC sa: 00ea.bd9b.2db8, IP da: 255.255.255.255, IP sa: 0.0.0.0, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 0.0.0.0, DHCP siaddr: 0.0.0.0, DHCP giaddr: 0.0.0.0, DHCP chaddr: 00ea.bd9b.2db8, efp_id: 374734848, vlan_id: 1022
Option 82 annotation: circuit ID bytes 0x03 0xFE = 0x3FE = VLAN ID 1022 (LISP instance-id 4099), 0x04 = module 4, 0x03 = port 3; remote ID = RLOC IP 192.168.3.98
Continue with Option 82
015026: *Feb 26 00:07:35.297: DHCPD: Reload workspace interface Vlan1022 tableid 2.
015027: *Feb 26 00:07:35.297: DHCPD: tableid for 1.1.2.1 on Vlan1022 is 2
015028: *Feb 26 00:07:35.297: DHCPD: client's VPN is Campus.
015029: *Feb 26 00:07:35.297: DHCPD: No option 125
015030: *Feb 26 00:07:35.297: DHCPD: Option 125 not present in the msg.
015031: *Feb 26 00:07:35.297: DHCPD: Option 125 not present in the msg.
015032: *Feb 26 00:07:35.297: DHCPD: Sending notification of DISCOVER:
015033: *Feb 26 00:07:35.297: DHCPD: htype 1 chaddr 00ea.bd9b.2db8
015034: *Feb 26 00:07:35.297: DHCPD: circuit id 000403fe0403
015035: *Feb 26 00:07:35.297: DHCPD: table id 2
015036: *Feb 26 00:07:35.297: DHCPD: interface = Vlan1022
015037: *Feb 26 00:07:35.297: DHCPD: class id 4d53465420352e30
Annotations: circuit id 000403fe0403 is the Circuit ID, where 0x3 0xFE = 0x3FE = VLAN ID 1022, 0x4 = Module 4 and 0x3 = Port 3; table id 2 = vrf Campus.
Forwarding ACK
015089: *Feb 26 00:07:35.302: DHCPD: Reload workspace interface LISP0.4099 tableid 2.
015090: *Feb 26 00:07:35.302: DHCPD: tableid for 1.1.7.4 on LISP0.4099 is 2
015091: *Feb 26 00:07:35.302: DHCPD: client's VPN is .
015092: *Feb 26 00:07:35.302: DHCPD: No option 125
015093: *Feb 26 00:07:35.302: DHCPD: forwarding BOOTREPLY to client 00ea.bd9b.2db8.
015094: *Feb 26 00:07:35.302: DHCPD: Forwarding reply on numbered intf
015095: *Feb 26 00:07:35.302: DHCPD: Option 125 not present in the msg.
015096: *Feb 26 00:07:35.302: DHCPD: Clearing unwanted ARP entries for multiple helpers
015097: *Feb 26 00:07:35.303: DHCPD: src nbma addr as zero
015098: *Feb 26 00:07:35.303: DHCPD: creating ARP entry (1.1.2.13, 00ea.bd9b.2db8, vrf Campus).
015099: *Feb 26 00:07:35.303: DHCPD: egress Interfce Vlan1022
015100: *Feb 26 00:07:35.303: DHCPD: unicasting BOOTREPLY to client 00ea.bd9b.2db8 (1.1.2.13).
015101: *Feb 26 00:07:35.303: DHCP_SNOOPING: received new DHCP packet from input interface (Vlan1022)
015102: *Feb 26 00:07:35.303: No rate limit check because pak is routed by this box
015103: *Feb 26 00:07:35.304: DHCP_SNOOPING: process new DHCP packet, message type: DHCPACK, input interface: Vl1022, MAC da: 00ea.bd9b.2db8, MAC sa: 0000.0c9f.f45d, IP da: 1.1.2.13, IP sa: 1.1.2.1, DHCP ciaddr: 0.0.0.0, DHCP yiaddr: 1.1.2.13, DHCP siaddr: 0.0.0.0, DHCP giaddr: 1.1.2.1, DHCP chaddr: 00ea.bd9b.2db8, efp_id: 374734848, vlan_id: 1022
Client Adding to Device Tracking
015104: *Feb 26 00:07:35.304: DHCP_SNOOPING: binary dump of option 82, length: 22 data:
0x52 0x14 0x1 0x6 0x0 0x4 0x3 0xFE 0x4 0x3 0x2 0xA 0x3 0x8 0x0 0x10 0x3 0x1 0xC0 0xA8 0x3 0x62
015105: *Feb 26 00:07:35.304: DHCP_SNOOPING: binary dump of extracted circuit id, length: 8 data:
0x1 0x6 0x0 0x4 0x3 0xFE 0x4 0x3
015106: *Feb 26 00:07:35.304: DHCP_SNOOPING: binary dump of extracted remote id, length: 12 data:
0x2 0xA 0x3 0x8 0x0 0x10 0x3 0x1 0xC0 0xA8 0x3 0x62
015107: *Feb 26 00:07:35.304: actual_fmt_cid OPT82_FMT_CID_VLAN_MOD_PORT_INTF global_opt82_fmt_rid OPT82_FMT_RID_DEFAULT_GLOBAL global_opt82_fmt_cid OPT82_FMT_CID_DEFAULT_GLOBAL cid: sub_option_length 6
015108: *Feb 26 00:07:35.304: DHCP_SNOOPING: opt82 data indicates local packet
015109: *Feb 26 00:07:35.304: DHCP_SNOOPING: opt82 data indicates local packet
015117: *Feb 26 00:07:35.405: DHCP_SNOOPING: add binding on port GigabitEthernet4/0/3 ckt_id 0 GigabitEthernet4/0/3
015118: *Feb 26 00:07:35.405: DHCP_SNOOPING: added entry to table (index 1125)
015119: *Feb 26 00:07:35.405: DHCP_SNOOPING: dump binding entry: Mac=00:EA:BD:9B:2D:B8 Ip=1.1.2.13 Lease=21600 Type=dhcp-snooping Vlan=1022 If=GigabitEthernet4/0/3
015120: *Feb 26 00:07:35.406: No entry found for mac(00ea.bd9b.2db8) vlan(1022) GigabitEthernet4/0/3
015121: *Feb 26 00:07:35.406: host tracking not found for update add dynamic (1.1.2.13, 0.0.0.0, 00ea.bd9b.2db8) vlan(1022)
015122: *Feb 26 00:07:35.406: DHCP_SNOOPING: remove relay information option.
015123: *Feb 26 00:07:35.406: platform lookup dest vlan for input_if: Vlan1022, is NOT tunnel, if_output: Vlan1022, if_output->vlan_id: 1022, pak->vlan_id: 1022
015124: *Feb 26 00:07:35.406: DHCP_SNOOPING: direct forward dhcp replyto output port: GigabitEthernet4/0/3.
(Annotation on 015120-015121: Client Added to Device Tracking.)
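The packet-flow steps above hinge on the Fabric Edge stamping its own RLOC into the Option 82 remote ID and recognising it again when the reply comes back through the Border ("opt82 data indicates local packet"). The following decoder is an added example, not code from the session or from Cisco: it takes the exact byte dump printed by the DHCP_SNOOPING debug, walks the sub-option TLVs with length checks, and extracts the VLAN / module / port from the circuit ID and the LISP instance-id and RLOC from the remote ID. The circuit-id layout (type, length, 2-byte VLAN, module, port) is the default vlan-mod-port format named in the debug; the remote-id layout is read off the slide's own annotation (instance-id 4099, RLOC 192.168.3.98), and the one byte the slide does not explain is kept raw rather than given a meaning.

```python
import ipaddress

# Constructed input: the "binary dump of option 82" from the DHCP_SNOOPING debug
# shown on the slide (option 82, length 20, circuit-id + remote-id sub-options).
OPTION82_DUMP = ("0x52 0x14 0x1 0x6 0x0 0x4 0x3 0xFE 0x4 0x3 "
                 "0x2 0xA 0x3 0x8 0x0 0x10 0x3 0x1 0xC0 0xA8 0x3 0x62")

OPTION_RELAY_AGENT = 82
SUBOPT_CIRCUIT_ID = 1
SUBOPT_REMOTE_ID = 2


def dump_to_bytes(dump: str) -> bytes:
    """Turn the space-separated 0x.. tokens of the debug dump into raw bytes."""
    return bytes(int(tok, 16) for tok in dump.split())


def parse_circuit_id(data: bytes) -> dict:
    """Cisco default circuit-id (vlan-mod-port): type, length 4, VLAN (2 bytes),
    module (1 byte), port (1 byte)."""
    if len(data) != 6 or data[1] != 4:
        raise ValueError(f"unexpected circuit-id layout: {data.hex()}")
    return {"type": data[0],
            "vlan": int.from_bytes(data[2:4], "big"),
            "module": data[4],
            "port": data[5]}


def parse_remote_id(data: bytes) -> dict:
    """Remote-id as stamped by the fabric edge: type, length 8, LISP instance-id
    (3 bytes: 0x00 0x10 0x03 = 4099), one byte the slide does not label (kept
    raw, an assumption of this example), then the 4-byte RLOC address."""
    if len(data) != 10 or data[1] != 8:
        raise ValueError(f"unexpected remote-id layout: {data.hex()}")
    return {"type": data[0],
            "instance_id": int.from_bytes(data[2:5], "big"),
            "unlabelled_byte": data[5],
            "rloc": str(ipaddress.IPv4Address(data[6:10]))}


def parse_option82(raw: bytes) -> dict:
    """Walk the TLV sub-options of a DHCP relay agent information option (RFC 3046).
    Every length field is checked so a truncated or oversized option raises
    instead of being silently misread."""
    if len(raw) < 2 or raw[0] != OPTION_RELAY_AGENT:
        raise ValueError("not a DHCP option 82")
    body = raw[2:2 + raw[1]]
    if len(body) != raw[1]:
        raise ValueError("option 82 length exceeds available bytes")
    parsed, pos = {}, 0
    while pos < len(body):
        if pos + 2 > len(body):
            raise ValueError("sub-option header truncated")
        sub, sublen = body[pos], body[pos + 1]
        data = body[pos + 2:pos + 2 + sublen]
        if len(data) != sublen:
            raise ValueError(f"sub-option {sub} truncated")
        if sub == SUBOPT_CIRCUIT_ID:
            parsed["circuit_id"] = parse_circuit_id(data)
        elif sub == SUBOPT_REMOTE_ID:
            parsed["remote_id"] = parse_remote_id(data)
        else:
            parsed[f"suboption_{sub}"] = data.hex()
        pos += 2 + sublen
    return parsed


def option82_is_well_formed(raw: bytes) -> bool:
    """True when the option parses cleanly, False on any length/layout error."""
    try:
        parse_option82(raw)
        return True
    except ValueError:
        return False


def is_local_packet(parsed: dict, own_rloc: str) -> bool:
    """Steps 4/5 of the flow: the edge treats the relayed reply as its own when
    the RLOC carried in the remote-id is its own RLOC."""
    return parsed.get("remote_id", {}).get("rloc") == own_rloc


if __name__ == "__main__":
    info = parse_option82(dump_to_bytes(OPTION82_DUMP))
    print(info)
    print("local packet:", is_local_packet(info, "192.168.3.98"))
```

Run it as-is to see the decoded fields; feed it the dump from your own `debug ip dhcp snooping` output to confirm the remote ID really carries the RLOC of the edge that relayed the Discover, which is the check that separates a relay problem from a Border forwarding problem.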
Cisco SD-Access Fabric
Troubleshooting Host Onboarding
Typical SD-Access Environment
(Figure: Control Plane Node (CP) 10.2.100.1 and Border Nodes (BDR) 10.2.100.2 and 10.2.100.3 on the Underlay Network; Fabric Edge 1 (FE1) 10.2.120.1, Fabric Edge 2 (FE2) 10.2.120.2 and Fabric Edge 3 (FE3) 10.2.120.3 in the Fabric Domain (Overlay); host 10.2.1.99 behind FE1 and host 10.2.1.89 behind FE3.)
Routing ID (RLOC) – IP address of the LISP router facing ISP
Endpoint Identifier (EID) – IP address of a host
VRF – Campus
Instance Id – 4099
Dynamic EID – 10_2_1_0-Campus
VLAN – 1021
Here Is How You Begin
External Connectivity
Different hosts
Case 1: Host Registration – Wired Client
(Figure: CP 10.2.100.1 and FE1 10.2.120.1 connected over the IP Network; wired client 10.2.1.99 behind FE1.)
CP configuration:
router lisp
 site site_sjc
 ...
 eid-prefix instance-id 10.2.1.0/24 accept-more-specifics
exit
FE1 configuration:
router lisp
 ...
 eid-table Campus instance-id
  dynamic-eid 10_2_1_0-Campus
   database-mapping 10.2.1.0/24 locator-set campus_fabric
exit
Registration
Message flow
(Figure: FE1 and CP, steps 1 and 2.)
2 FE saves the host info in local database. Send the registration message to CP (Map-server).
(Figure: CP with two Border nodes; checks 1 to 3 run on the Fabric Edge.)
1 MAC address?
FE1#show mac address
1021 0013.a91f.b2b0 DYNAMIC Te1/0/23
If you don't see the MAC address entry, then it's a SILENT HOST.
2 ARP entry?
FE1#show arp vrf Campus
Protocol  Address    Age (min)  Hardware Addr   Type  Interface
Internet  10.2.1.99          0  0013.a91f.b2b0  ARPA  Vlan1021
3 IP Device Tracking?
FE1#show device-tracking database
Network Layer Address  Link Layer Address  Interface  vlan
ARP 10.2.1.99          0013.a91f.b2b0      Te1/0/23   1021
Fabric Edge can learn the IP address from ARP, DHCP or a data packet. If the device tracking entry is missing, then check if the client got an IP.
4 LISP local database?
FE1#show ip lisp instance-id 4099 database
LISP ETR IPv4 Mapping Database for EID-table vrf Campus (IID 4099), LSBs: 0x1
Entries total 3, no-route 0, inactive 0
(Annotations on the output: Instance ID, EID, FE1 RLOC, Dynamic EID.)
Enable debug if the database entry is missing.
5 LISP Control Plane entry?
CP#show lisp site instance-id 4099
Site Name  Last Register  Up    Who Last Registered  Inst ID  EID Prefix
site_sjc   never          no    --                   4099     10.2.1.0/24
           3d23h          yes#  10.2.120.1           4099     10.2.1.99/32
Message? (debug on the CP)
debug lisp control map-request
*Jan 17 01:56:01.045: LISP: Send map request for EID prefix IID 4099 10.2.1.99/32
(Figure annotations: Control Plane, FE1 RLOC.)
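Checks 1 to 4 above form a fixed order on the Fabric Edge: no MAC entry means a silent host, a MAC without a device-tracking entry means the client never got (or never announced) an IP, a tracked IP without a /32 in the LISP database means the edge never created the dynamic EID. The script below is an added example, not part of the session material: it parses the four outputs in the format the slides show (the sample outputs are constructed here, not captured from a device, and the parser is my own rather than a Cisco API) and returns the first failing step with the hint the slides give for it. Pass it your own captures of the same commands to get the same verdict without reading the outputs by hand.

```python
import re

IP_RE = r"\d+\.\d+\.\d+\.\d+"
MAC_RE = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}"

# Constructed sample outputs in the format shown on the slides (not captured from a device).
SHOW_MAC = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
1021    0013.a91f.b2b0    DYNAMIC     Te1/0/23
"""
SHOW_ARP = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.2.1.99               0   0013.a91f.b2b0  ARPA   Vlan1021
"""
SHOW_DEVICE_TRACKING = """\
Network Layer Address  Link Layer Address  Interface  vlan
ARP 10.2.1.99          0013.a91f.b2b0      Te1/0/23   1021
"""
SHOW_LISP_DATABASE = """\
LISP ETR IPv4 Mapping Database for EID-table vrf Campus (IID 4099), LSBs: 0x1
Entries total 3, no-route 0, inactive 0

10.2.1.99/32, locator-set rloc_021a8c01-5c45-4529-addd-b0d626971a5f
  Locator     Pri/Wgt  Source    State
  10.2.120.1  10/10    cfg-intf  site-self, reachable
"""


def parse_mac_table(text):
    """{mac: {vlan, port}} from the MAC table rows (check 1)."""
    rows = {}
    for line in text.splitlines():
        m = re.match(rf"\s*(\d+)\s+({MAC_RE})\s+\w+\s+(\S+)", line)
        if m:
            rows[m.group(2).lower()] = {"vlan": int(m.group(1)), "port": m.group(3)}
    return rows


def parse_arp(text):
    """{ip: {mac, interface}} from 'show arp vrf <name>' (check 2)."""
    rows = {}
    for line in text.splitlines():
        m = re.match(rf"\s*Internet\s+({IP_RE})\s+\S+\s+({MAC_RE})\s+\w+\s+(\S+)", line)
        if m:
            rows[m.group(1)] = {"mac": m.group(2).lower(), "interface": m.group(3)}
    return rows


def parse_device_tracking(text):
    """{ip: {source, mac, interface, vlan}} from 'show device-tracking database' (check 3)."""
    rows = {}
    for line in text.splitlines():
        m = re.match(rf"\s*(\w+)\s+({IP_RE})\s+({MAC_RE})\s+(\S+)\s+(\d+)", line)
        if m:
            rows[m.group(2)] = {"source": m.group(1), "mac": m.group(3).lower(),
                                "interface": m.group(4), "vlan": int(m.group(5))}
    return rows


def parse_lisp_database(text):
    """{eid_prefix: [{rloc, state}, ...]} from 'show ip lisp instance-id N database' (check 4)."""
    entries, current = {}, None
    for line in text.splitlines():
        m = re.match(rf"\s*({IP_RE}/\d+),", line)
        if m:
            current = m.group(1)
            entries[current] = []
            continue
        m = re.match(rf"\s*({IP_RE})\s+\d+/\d+\s+\S+\s+(.+)", line)
        if m and current is not None:
            entries[current].append({"rloc": m.group(1), "state": m.group(2).strip()})
    return entries


def triage_wired_host(mac, ip, show_mac, show_arp, show_dt, show_db):
    """Walk checks 1-4 in the slide's order; return (status, detail) for the first
    failing check, or LOCAL_DB_OK with the RLOC the edge registers the EID under."""
    mac = mac.lower()
    mac_rows = parse_mac_table(show_mac)
    if mac not in mac_rows:
        return ("SILENT_HOST", "no MAC entry on the edge: the host has not sent a frame yet")
    port = mac_rows[mac]["port"]
    dt = parse_device_tracking(show_dt).get(ip)
    if dt is None:
        return ("NO_IP_BINDING", f"MAC learned on {port} but no device-tracking entry: "
                "check that the client got an IP (ARP, DHCP or a data packet must be seen)")
    if dt["mac"] != mac:
        return ("MAC_MISMATCH", f"device-tracking binds {ip} to {dt['mac']}, not {mac}")
    db = parse_lisp_database(show_db).get(f"{ip}/32")
    if not db:
        return ("NOT_IN_LISP_DB", "host tracked but no /32 in the LISP database: enable LISP debug on the edge")
    arp_note = "ARP entry present" if parse_arp(show_arp).get(ip) else "no ARP entry (not required)"
    return ("LOCAL_DB_OK", f"{ip}/32 in local database via RLOC {db[0]['rloc']} ({db[0]['state']}); {arp_note}")


if __name__ == "__main__":
    print(triage_wired_host("0013.a91f.b2b0", "10.2.1.99",
                            SHOW_MAC, SHOW_ARP, SHOW_DEVICE_TRACKING, SHOW_LISP_DATABASE))
```

The ARP check is reported but never fails the triage on its own, because the slide lists ARP as only one of three ways the edge can learn the IP; device tracking is the binding that matters for the dynamic EID.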
Case 1b: Host Registration – Access Point
(Figure: Border, CP 10.2.100.1 and FE1 10.2.120.1 connected over the IP Network; access point 10.2.1.89 behind FE1.)
CP configuration:
router lisp
 site site_sjc
 ...
 eid-prefix instance-id 10.2.1.0/24 accept-more-specifics
exit
FE1 configuration:
router lisp
 ...
 eid-table Campus instance-id
  dynamic-eid 10_2_1_0-Campus
   database-mapping 10.2.1.0/24 locator-set campus_fabric
exit
SD-Access Wireless Basic Workflows
AP Join
(Figure: Cisco DNA Center, Fabric WLC, CP, Border and FE1 with a directly connected AP (*) across the IP Network; CAPWAP join exchange, CAPWAP traffic and CAPWAP in VXLAN over the SDA Fabric; steps 1 to 7. Steps 3 (DHCP), 6 (AP Check) and 7 (AP RLOC?) appear only as labels in the figure.)
1 Admin configures AP pool in Cisco DNA Center in INFRA_VN. Cisco DNA Center pre-provisions a configuration macro on all the FEs.
2 AP is plugged in and powers up. FE discovers it is an AP via CDP and applies the macro to assign the switch port to the right VLAN.
3 DHCP
4 Fabric Edge registers AP's IP address and MAC (EID) and updates the Control Plane (CP).
5 AP learns WLC's IP and joins using traditional methods. Fabric AP joins in Local mode.
6 AP Check
7 AP RLOC?
1 LISP Control Plane entry?
CP#show lisp site instance-id 4099
Site Name  Last Register  Up    Who Last Registered  Inst ID  EID Prefix
site_sjc   never          no    --                   4099     10.2.1.0/24
           3d23h          yes#  10.2.120.1           4099     10.2.1.7/32
(Annotations: FE1 RLOC, EID, Instance ID.)
2 Is AP discovered?
(Cisco Controller) >show ap summary
Number of APs.................................... 1
3 Is AP fabric enabled?
(Cisco Controller) >show fabric summary
Fabric Support................................... enabled
4 Is VXLAN tunnel UP?
FE1#show lisp instance-id 8041 ethernet database wlc
WLC clients/access-points information for router lisp 0 IID 8041
Hardware Address  Type  Sources  Tunnel Update
Case 1c: Host Registration – Wireless Client
(Figure: Border, CP 10.2.100.1 and FE1 10.2.120.1 connected over the IP Network; wireless client 11.2.1.89 behind FE1.)
CP configuration:
router lisp
 site site_sjc
 ...
 eid-prefix instance-id 10.2.1.0/24 accept-more-specifics
exit
FE1 configuration:
router lisp
 ...
 eid-table Campus instance-id
  dynamic-eid 10_2_1_0-Campus
   database-mapping 10.2.1.0/24 locator-set campus_fabric
exit
SD-Access Wireless Basic Workflows
Client Onboarding
(Figure: Fabric WLC, ISE, CP, Border and FE1 with its AP; CAPWAP in VXLAN over the SDA Fabric; client join, client SGT/VNID and RLOC, client MAC register, client in FWD table, DHCP flow; steps 1 to 8. Steps 5 and 7 appear only as markers in the figure.)
1 Client authenticates to a Fabric enabled WLAN. WLC gets SGT from ISE, updates AP with client L2VNID and SGT.
2 WLC knows RLOC of AP from internal DB. WLC proxy registers Client L2 info in CP; this is a modified LISP message to pass additional info, like the client SGT.
3 FE gets notified by CP and knows it's a client; FE adds client MAC in L2 forwarding table and fetches the client policy from ISE based on the client SGT.
4 DHCP packet + L2 vnid
6 Fabric Edge maps L2 VNID to the VLAN interface and forwards the DHCP packet in the overlay (same as for a wired Fabric client).
8 DHCP snooping triggers the client EID registration by the Fabric Edge to the CP. (If the client has a static IP, then ARP or any other IP packet will trigger the registration.)
This completes the Client onboarding process.
1 (Cisco Controller)>show fabric summary
VNID Mappings configured: 1
Is WLAN fabric enabled?
3 (Cisco Controller)>show client detail b8:27:eb:ac:4c:d8
Client MAC Address............................... b8:27:eb:91:0b:80
Client Username ................................. N/A
. . .
Client State..................................... Associated
Client User Group................................
Client NAC OOB State............................. Access
Wireless LAN Id.................................. 2
. . .
Authentication Algorithm......................... Open System
802.1P Priority Tag.............................. disabled
Security Group Tag............................... 1000
. . .
Fabric Configuration
--------------------
Fabric Status: .................................. Enabled
Vnid: ........................................... 8041
4 Is client registered?
CP#show lisp instance-id 8041 ethernet server
LISP Site Registration Information
Fabric Edge MAC table:
Vlan  Mac Address     Type     Ports
----  -----------     -------- -----
1021  18F6.43E1.3FFB  DYNAMIC  Ac0
6 Is AP to FE VXLAN tunnel up?
AP00A6.CA36.08D8#show ip tunnel fabric
Fabric GWs Information:
Tunnel-Id  GW-IP       GW-MAC             Adj-Status  Encap-Type  Packet-In  Bytes-In
1          10.2.120.1  00:42:5A:91:89:46  Forward     VXLAN       930        100370
7 Is client entry on access-tunnel? (AP)
AP00A6.CA36.08D8#show controllers dot11Radio 0 client 18:F6:43:E1:3F:FB
mac                radio  vap  aid  state  encr  Maxrate  is_wgb_wired  wgb_mac_addr
18:F6:43:E1:3F:FB  0      1    2    FWD    OPEN  M7       false         00:00:00:00:00:00
8 LISP Control Plane entry?
CP#show lisp site instance-id 4099
Site Name  Last Register  Up    Who Last Registered  Inst ID  EID Prefix
site_sjc   never          no    --                   4099     10.2.1.0/24
           3d23h          yes#  10.2.120.1           4099     10.2.1.89/32
Wired and Wireless Host Resolution
(Figure: CP 10.2.100.1 with two Border nodes; wired client 10.2.1.99 behind FE1 10.2.120.1, wireless client 10.2.1.89 behind FE3 10.2.120.3.)
1 Map Cache entry? (Fabric Edge)
FE1#show ip lisp map-cache instance-id 4099
LISP IPv4 Mapping Cache for EID-table vrf Campus (IID 4099), 5 entries
10.2.1.89/32, uptime: 00:05:16, expires: 23:57:59, via map-reply, complete
  Locator     Uptime    State  Pri/Wgt
  10.2.120.3  00:04:23  up     10/10
If you don't see the MAC address entry, then it's a SILENT HOST.
2 Control Plane entry?
CP#show lisp site instance-id 4099
Site Name  Last Register  Up    Who Last Registered  Inst ID  EID Prefix
site_sjc   never          no    --                   4099     10.2.1.0/24
           3d23h          yes#  10.2.120.1           4099     10.2.1.99/32
           3d23h          yes#  10.2.120.3           4099     10.2.1.89/32
Host Resolution
Message flow
Message to control-plane?
Verify map-request messages are sent:
debug lisp control map-request
*Jan 18 16:12:57.741: LISP: Send map request for EID prefix IID 4099 10.2.1.89/32
*Jan 18 16:12:57.741: LISP-0: EID-AF IPv4, Sending map-request from 10.2.1.89 to 10.2.1.89 for EID 10.2.1.89 /32, ITR-RLOCs 1, nonce 0x0579975B-0x0823B8E4 (encap src 10.2.120.1, dst 10.2.100.1).
(Annotation: 10.2.1.89 is the Host2 EID.)
It is the Same Sequence if Border is Requesting
(Figure: CP with two Border nodes.)
Map Cache (on the requesting Border): 10.2.1.99/32, Locator 10.2.120.1
Local Database (on the FE that registered the host): 10.2.1.99/32, Locator 10.2.120.1
Case: 4 - External Connectivity
(Figure: CP 10.2.100.1, Border nodes including BDR 10.2.100.2, external address 40.1.1.40, FE3 10.2.120.3 with host 10.2.1.89.)
CP configuration:
router lisp
 site site_sjc
 ...
 eid-prefix instance-id 4099 10.2.1.0/24 accept-more-specifics
exit
Border (BDR) configuration:
router lisp
 encapsulation vxlan
 !
 eid-table Campus instance-id 4099
  map-cache 10.2.1.0/24 map-request
exit
FE3 configuration:
router lisp
 ...
 eid-table Campus instance-id 4099
  dynamic-eid 10_2_1_0-Campus
   database-mapping 10.2.1.0/24 locator-set campus_fabric
exit
Verification at the FE
FE3#show ip lisp map-cache instance-id 4099
LISP IPv4 Mapping Cache for EID-table vrf Campus (IID 4099), 5 entries
SD-Access Borders
Border Node is an entry & exit point for all data traffic coming in or going out of the Fabric.
There are 2 Types of Border Nodes: for Known Networks and for Unknown Networks.
• Fabric Border (Internal)
  • Used for "Known" Routes in your company
In case of Internal Border
Verify the routes that are being imported
Case: 5 - East West Traffic
(Figure: CP with two Border nodes; Host1 behind FE1, Host2 behind FE3.)
CP configuration:
router lisp
 site site_sjc
 ...
 eid-prefix instance-id 4099 10.2.1.0/24 accept-more-specifics
exit
FE1 configuration:
router lisp
 ...
 eid-table Campus instance-id 4099
  dynamic-eid 10_2_1_0-Campus
   database-mapping 10.2.1.0/24 locator-set campus_fabric
exit
FE3 configuration:
router lisp
 ...
 eid-table Campus instance-id 4099
  dynamic-eid 10_2_1_0-Campus
   database-mapping 10.2.1.0/24 locator-set campus_fabric
exit
Verification at the FEs
FE1 (RLOC 10.2.120.1):
FE1#show ip lisp instance-id 4099 database
10.2.1.99/32, locator-set rloc_021a8c01-5c45-4529-addd-b0d626971a5f
  Locator     Pri/Wgt  Source    State
  10.2.120.1  10/10    cfg-intf  site-self, reachable
FE3 (RLOC 10.2.120.3):
FE3#show ip lisp instance-id 4099 database
10.2.1.89/32, locator-set rloc_021a8c01-5c45-4529-addd-b0d626971a5f
  Locator     Pri/Wgt  Source    State
  10.2.120.3  10/10    cfg-intf  site-self, reachable
Case: 6 - Host Mobility
(Figure: CP with two Border nodes; Host1 moves from FE1 to FE2, Host2 behind FE3.)
Map Request Message flow (FE1, CP, FE2):
1 Host1 moves from FE1 to FE2.
2 FE2 saves the host info in local database and sends the registration message to control plane.
3 The Map-Server adds to the database the entry for the specific EID, associated to the RLOCs.
4 The Map-Server sends a Map-Notify message to the last FE1 that registered the 10.2.1.99/32 prefix.
5 FE1 receives the Map-Notify message from the CP and adds the route associated to the 10.2.1.99 EID to the away table.
Verification at the FEs
FE1#show ip lisp away instance-id 4099
LISP Away Table for router lisp 0 (Campus) IID 4099
Entries: 1
Prefix          Producer
10.2.1.99/32    local EID
(Annotation: the prefix is the Host EID.)
Map Request Message flow (FE3, FE1, CP, FE2):
1 The LISP process on FE1, receiving the first data packet, creates a control plane message (SMR) and sends it to the remote FE3 (ITR) that generated the packet.
2 FE3 sends a new Map-Request for the desired destination (10.17.1.99) to the Map-Server.
3 Map-Request is forwarded by the Map-Server to the FE2 that registered last the /32 EID address.
4 FE2 replies with updated mapping information to the remote FE3.
5 FE3 updates the information in its map-cache, adding the specific /32 EID address associated to the xTRs deployed in the East site (10.2.120.1 and 10.2.120.2).
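Both the host-resolution checks (map-cache on the FE against `show lisp site` on the CP) and the mobility flow above come down to one consistency question: does the locator cached on a remote edge still match the RLOC that last registered the EID on the Map-Server, and does an away-table entry on the old edge correspond to a registration by a different RLOC? The script below is an added example, not code from the session or from Cisco; the three outputs are constructed here in the slide's format to model the moment just after Host1 moved from FE1 to FE2, before FE3 has refreshed its map-cache through the SMR and map-request sequence. The parsers are my own regex readers of that format, not a Cisco API.

```python
import re

IP_RE = r"\d+\.\d+\.\d+\.\d+"

# Constructed outputs in the slide's format (not captured from a device): Host1
# 10.2.1.99 has moved from FE1 (RLOC 10.2.120.1) to FE2 (RLOC 10.2.120.2); the CP
# already shows the new registration, FE3's map-cache still points at FE1.
CP_SHOW_LISP_SITE = """\
Site Name      Last      Up     Who Last             Inst     EID Prefix
               Register         Registered           ID
site_sjc       never     no     --                   4099     10.2.1.0/24
               3d23h     yes#   10.2.120.2           4099     10.2.1.99/32
               3d23h     yes#   10.2.120.3           4099     10.2.1.89/32
"""
FE3_MAP_CACHE = """\
LISP IPv4 Mapping Cache for EID-table vrf Campus (IID 4099), 2 entries

0.0.0.0/0, uptime: 3d23h, expires: never, via static-send-map-request
  Negative cache entry, action: send-map-request
10.2.1.99/32, uptime: 00:05:16, expires: 23:57:59, via map-reply, complete
  Locator     Uptime    State  Pri/Wgt
  10.2.120.1  00:04:23  up     10/10
"""
FE1_AWAY_TABLE = """\
LISP Away Table for router lisp 0 (Campus) IID 4099
Entries: 1

Prefix            Producer
10.2.1.99/32      local EID
"""

# One registration row of 'show lisp site'; the site name is only on the first row.
SITE_ROW = re.compile(
    rf"^\s*(?:(\S+)\s+)?(\S+)\s+(yes\S*|no)\s+(\S+)\s+(\d+)\s+({IP_RE}/\d+)\s*$")


def parse_lisp_site(text):
    """{eid_prefix: {site, up, rloc, iid}} for every registration row."""
    regs, site = {}, None
    for line in text.splitlines():
        m = SITE_ROW.match(line)
        if not m:
            continue
        site = m.group(1) or site
        regs[m.group(6)] = {"site": site, "up": m.group(3).startswith("yes"),
                            "rloc": m.group(4), "iid": int(m.group(5))}
    return regs


def parse_map_cache(text):
    """{eid_prefix: {via, locators: [(rloc, state), ...]}} from 'show ip lisp map-cache'."""
    cache, current = {}, None
    for line in text.splitlines():
        m = re.match(rf"^\s*({IP_RE}/\d+), .*via (\S+)", line)
        if m:
            current = m.group(1)
            cache[current] = {"via": m.group(2).rstrip(","), "locators": []}
            continue
        m = re.match(rf"^\s*({IP_RE})\s+\S+\s+(\w+)\s+\d+/\d+", line)
        if m and current:
            cache[current]["locators"].append((m.group(1), m.group(2)))
    return cache


def parse_away_table(text):
    """{eid_prefix: producer} from 'show ip lisp away'."""
    away = {}
    for line in text.splitlines():
        m = re.match(rf"^\s*({IP_RE}/\d+)\s+(.+?)\s*$", line)
        if m:
            away[m.group(1)] = m.group(2)
    return away


def stale_map_cache_entries(cp_site_text, map_cache_text):
    """Compare each map-cache entry with locators against the RLOC that last
    registered the same EID on the CP; a mismatch is the window between the host
    move and the SMR / map-request refresh. Returns (prefix, cached, registered)."""
    regs = parse_lisp_site(cp_site_text)
    stale = []
    for prefix, entry in parse_map_cache(map_cache_text).items():
        reg = regs.get(prefix)
        if reg is None or not reg["up"] or not entry["locators"]:
            continue
        cached = {rloc for rloc, _ in entry["locators"]}
        if reg["rloc"] not in cached:
            stale.append((prefix, sorted(cached), reg["rloc"]))
    return stale


def away_table_problems(cp_site_text, away_text, own_rloc):
    """An away entry means this edge used to own the EID, so the CP must show it
    registered by some other RLOC; anything else means Map-Notify and registration disagree."""
    regs = parse_lisp_site(cp_site_text)
    problems = []
    for prefix in parse_away_table(away_text):
        reg = regs.get(prefix)
        if reg is None or not reg["up"]:
            problems.append((prefix, "in away table but not registered on the CP"))
        elif reg["rloc"] == own_rloc:
            problems.append((prefix, f"in away table but CP still points at this edge ({own_rloc})"))
    return problems


if __name__ == "__main__":
    print("stale on FE3:", stale_map_cache_entries(CP_SHOW_LISP_SITE, FE3_MAP_CACHE))
    print("FE1 away table problems:", away_table_problems(CP_SHOW_LISP_SITE, FE1_AWAY_TABLE, "10.2.120.1"))
```

A stale entry reported here is expected for a moment right after a move and should clear once the SMR-triggered map-request completes; one that persists past the map-cache expiry, or an away-table problem, points at the registration or Map-Notify path rather than at the data plane.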
Q&A
Complete your online session evaluation
Continue Your Education
• Demos on the Cisco stand
• Walk-in Self-Paced Labs
• Meet the Expert 1:1 meetings
• Related sessions
Thank you
DNA Center Services not coming up
How to Check Service Status from GUI
System Settings, System360: Services
https://<dnacenter_ip>/dna/systemSettings