IBN Campus PoV v4 0 DCloud Use Case Guide SDA FiaB v4.1

Cisco dCloud IBN Campus PoV 4.
0 – Use Case Guide – SDA FiaB
Cisco Intent Based Networking

Proof of Value – Use Case Guide
SDA Fabric-in-a-Box
Version 4.1
For Use With dCloud.cisco.com Demo Version Only
© 2020 Cisco All rights reserved Cisco Confidential

1
Cisco dCloud IBN Campus PoV 4.0 – Use Case Guide – SDA FiaB
Table of Contents
INTRODUCTION ..................................................................................................................................................... 4
CREDENTIALS / LOGIN INFORMATION ................................................................................................................... 5
STOP & READ FULLY BEFORE PROCEEDING ............................................................................................................ 6
EXERCISE 1 | EXECUTE INITIAL DEVICE PROVISIONING .......................................................................................... 7
SECTION 1.1 | PROVISION ...............................................................................................................................................7
EXERCISE 2 | CREATE FABRIC AND BORDER AUTOMATION ON FIAB .................................................................... 11
SECTION 2.1 | CREATE THE BAY AREA IP TRANSIT .............................................................................................................11
SECTION 2.2 | CREATE THE BAY AREA FABRIC ...................................................................................................................13
SECTION 2.3 | ADD FIAB TO THE BAY AREA FABRIC AND PROVISION DEVICE ROLES..................................................................16
SECTION 2.4 | CONFIGURE HOST ONBOARDING FOR THE SAN_JOSE-13 FABRIC SITE ...............................................................23
SECTION 2.5 | EXPLORE THE CONFIGURATION ADDED BY DNA CENTER AUTOMATION..............................................................24
SECTION 2.6 | VERIFY FABRIC CONNECTIVITY FROM FUSION ROUTER ....................................................................................27
EXERCISE 3 | FABRIC VIRTUAL NETWORK SETUP AND PROVISIONING ................................................................. 28
SECTION 3.1 | CAMPUS AND GUEST VIRTUAL NETWORK (VNS) ...........................................................................................28
SECTION 3.2 | BIND IP POOL RESERVATION TO THE VIRTUAL NETWORKS ...............................................................................32
SECTION 3.3 | EXPLORE CONFIGURATION CHANGES FROM DNA CENTER AUTOMATION ...........................................................37
SECTION 3.4 | CONNECT CAMPUS VN, GUEST VN TO SHARED SERVICES ...............................................................................41
SECTION 3.5 | REVIEW CHANGES MADE BY CISCO DNA CENTER AUTOMATION ......................................................................45
EXERCISE 4 | VIRTUAL NETWORK TESTING .......................................................................................................... 50
SECTION 4.1 | TEST AND VERIFY WIRED CAMPUS VN CONNECTIVITY ....................................................................................50
SECTION 4.2 | TEST THE GUEST VIRTUAL NETWORK...........................................................................................................57
EXERCISE 5 | CONFIGURE AND VERIFY CAMPUS MICRO SEGMENTATION............................................................ 64
SECTION 5.1 | CREATE A DENY ALL ACCESS CONTROL POLICY BETWEEN HR AND ACCT USERS .................................................64
SECTION 5.2 | TEST THE HR TO ACCT DENY ALL ACCESS CONTROL POLICY IN CAMPUS VN ......................................................67
SECTION 5.3 | MAKE THE HR TO ACCT DENY POLICY AIRTIGHT WITH AN INVERSE RULE............................................................69
SECTION 5.4 | CONFIRM THE HR TO ACCT AND ACCT TO HR DENY ALL ACCESS CONTROL POLICY ............................................70
SECTION 5.5 | DISABLE THE HR TO ACCT DENY ALL POLICY AND VERIFY ON CLIENTS ..............................................................71
SECTION 5.6 | CREATE A DENY FTP ACCESS CONTRACT ......................................................................................................74
SECTION 5.7 | IMPLEMENT THE DENY_FTP CONTRACT IN A POLICY BETWEEN HR AND ACCT ...................................................76
SECTION 5.8 | TEST THE DENY FTP ACCESS CONTROL POLICY ON THE CLIENTS .......................................................................79
EXERCISE 6 | FABRIC INTEGRATED WIRELESS CONFIGURATION WITH EMBEDDED WIRELESS ON FIAB ................ 80
SECTION 6.0 | INTRODUCTION .......................................................................................................................................80
SECTION 6.1 | BUILD CAMPUS AND GUEST SSIDS IN DNA CENTER ......................................................................................80
SECTION 6.2 | ENABLE WIRELESS ON THE FABRIC VN IP POOLS ...........................................................................................87
SECTION 6.3 | CONFIGURE EMBEDDED WIRELESS ON THE FIAB SWITCH ................................................................................89
SECTION 6.4 | CONFIGURE HOST ONBOARDING TO SUPPORT CAMPUS AND GUEST WIRELESS SSIDS ..........................................96
SECTION 6.5 | CONNECT AND PROVISION THE ACCESS POINT ON THE FIAB SWITCH .................................................................97
EXERCISE 7 | TEST CAMPUS AND GUEST WIRELESS ON FIAB .............................................................................. 102
SECTION 7.0 | INTRODUCTION .....................................................................................................................................102

2
SECTION 7.1 | TEST CAMPUS WIRELESS CONNECTIVITY ....................................................................................................102

SECTION 7.2 | TEST GUEST WIRELESS CONNECTIVITY .......................................................................................................104
EXERCISE 8 | ADDING A NEW FABRIC EDGE NODE (OPTIONAL) ......................................................................... 108
SECTION 8.1 | SPECIFY A GOLDEN IMAGE FOR SWIM (OPTIONAL) .....................................................................................108
SECTION 8.2 | ONBOARDING NEW FABRIC EDGE NODE USING LAN AUTOMATION ...............................................................111
SECTION 8.3 | PROVISION AND ENABLE NEW FABRIC EDGE NODE ......................................................................................118
SECTION 8.4 | CLIENT TESTING ON NEW FABRIC EDGE NODE ............................................................................................121
EXERCISE 9 | ADDING A POLICY EXTENDED NODE (OPTIONAL) .......................................................................... 123
SECTION 9.1 | ONBOARDING NEW POLICY EXTENDED NODE .............................................................................................123
SECTION 9.2 | CLIENT TESTING ON NEW POLICY EXTENDED NODE......................................................................................135

3
Introduction
The goal of this guide is to provide the PoV presenter with the information to demonstrate the
value of SD-Access Fabric-in-a-Box (FiaB) to customers as part of a technical deep dive. FiaB
allows for all three SDA roles (control plane, border, and edge) to coexist simultaneously on a
single physical chassis. It is a convenient and effective solution, and particularly suited for small
sites when deploying SD-Access fabric. Note that a FiaB site is normally deployed in conjunction
with a larger SD-Access Distributed Campus solution consisting of multiple sites. SD-Access
Distributed Campus allows for multiple fabric sites to be administered centrally from Cisco DNA
Center. SD-Access Distributed Campus, when coupled with SDA Transit nodes, preserves
policies that traverse from site to site, including FiaB sites.
This Use Case Guide also has optional exercises to extend the topology and utility of a single
FiaB site.
Note that this guide must be paired with either of the following Base Guide at a minimum in
order to function properly:
A. Cisco dCloud IBN Campus PoV 4.0—Base Guide—External Fusion Router

B. Cisco dCloud IBN Campus PoV 4.0—Base Guide—Internal Fusion Router
Please note that this guide is specifically for use with the dCloud demo environment. At a
minimum, the following equipment is required in order to successfully demonstrate the use
cases in this guide.
• Catalyst 9300L or higher switch serving as a Fabric-in-a-Box (this switch must have
already been onboarding onto Cisco DNA Center using one of the Base Guides
above)
• Cisco 802.11ac or higher Access Point (AP1800/2800/3800/4800 or C91xx)
• Test clients (laptops, Raspberry Pi, network cameras, etc…)
This guide may not be suitable for another lab environment; in particular, do not use this
Guide with the Cisco Self-Service Lab System.

4
Credentials / Login Information

Below are the pre-configured credentials present in the dCloud demo and in the base-config
files for equipment used in this guide. Please do not change any passwords on the equipment
or in the dCloud demo environment.
• Networking devices (FiaB, Fusion)

o Username: netadmin Password: C1sco12345
• DNA Center Web UI, ISE

o Username: admin Password: C1sco12345
• DNA Center SSH console

o Username: maglev Password: C1sco12345
• Wireless Access Point (After factory reset AND before joining controller)
o Username: cisco Password: Cisco
• Wireless Access Point (After joining controller)

o Username: netadmin Password: C1sco12345
• dCloud Demo AnyConnect credentials and IP Address

o Consult the dCloud demo details for credentials
• 802.1x Client Testing Accounts

o Username: Acct1 Password: C1sco12345
o Username: Acct2 Password: C1sco12345
o Username: Hr1 Password: C1sco12345
o Username: Hr2 Password: C1sco12345
• Guest wired and wireless accounts are built through the self-registration portal

5
Stop & Read Fully Before Proceeding

Before proceeding, make sure that all of the tasks listed below have been completed. Please
ensure that you are familiar with all of the following topics and tasks.
• Ensure that the fabric-in-a-box (FiaB) switch has been successfully onboarded onto Cisco
DNA Center using one of the Base Guides. If this has not been done, STOP here and
follow the instructions in the Base Guide.
• Wired and wireless test clients are available for testing.
• You know how to manage 802.1x client configurations on your test clients.
• You can manage the wireless settings / profiles on your test clients or workstations.
Ensure that previous network associations, i.e. “Known Networks,” from prior PoVs have
been cleared or deleted.
• The test clients or workstations have the correct software in place, and you know how
to use it in the PoV. This includes things like the FTP Client/Server software.
• You are connected to the console port of the Fusion and FiaB devices in order to reset
them and establish the DMVPN tunnel with dCloud, if necessary.
• You are aware of how to use the Cisco AnyConnect VPN client to connect to the dCloud
demo headend to access the headend jump PC (WKST1) and use the direct 1:1 NAT
mappings to access services and devices in dCloud. For this demonstration using a single
FiaB switch, it is imperative to access the jump PC in the dCloud environment through
AnyConnect VPN to interact with Cisco DNA Center. Some of the 1:1 NAT mappings are
shown below.
Services Configured IP NAT Address on

AnyConnect VPN
Windows PC in dCloud 100.64.0.250 198.18.133.250
Cisco DNA Center 100.64.0.101 198.18.133.101
Cisco ISE 100.64.0.100 198.18.133.100
• You know how to request support for the PoV or dCloud demo if needed, and what you
can expect of support.

6
Exercise 1 | Execute Initial Device Provisioning
Section 1.1 | Provision
With the single border (FiaB) switch successfully added to the Inventory of DNA Center via Plug
and Play, it is now necessary to provision the parameters contained under Design > Network
Settings that are required in order to enable the SD-Access functionalities on the switch. As part
of the PnP onboarding process, DNA Center has automatically added the switch to Cisco
Identity Services Engine (ISE) as an authorized Network Access Device (NAD). This can be
verified under Administration > Network Resources > Network Devices on ISE.
Although the FiaB switch has been added as a NAD under ISE, the configuration necessary for
the switch to communicate with ISE has not been configured. Provisioning the switch with DNA
Center will program the AAA configuration that is necessary to allow for network and client
authentication on the switch.
To provision the switch on DNA Center, go to Provision > Inventory and check the box for the
FiaB switch. Then mouse over the Actions dropdown menu and select Provision > Provision
Device.

7
On the Assign Site page, ensure the FiaB switch site is assigned to the San_Jose-13-2 (which it
was as part of the PnP process) and click on Next
On the Advanced Configuration page, click on the Next button since there currently is not
template configuration to pushed to the FiaB switch.
On the Summary page, click on the blue Deploy button.

8
A side window will appear that offers the option to either deploy the settings immediately, at a
later time, or to generate the configuration that can be previewed prior to deployment to the
FiaB switch. To demonstrate the configuration preview feature introduced with DNA Center
version 2.1.x, select Generate Configuration Preview, give the task the name of “FiaB initial
provision config preview” so that it will be easier to locate, then click on Apply.
To view the generated preview, click on Menu > Activity, then select the Work Items tab.
Select the “Fiab initial provision config preview” item, follow by the FiaB’s IP address, to view all
the configuration that can be provisioned to the FiaB switch. After verifying the configuration,
click on Deploy, then Apply to push the configuration out.

9
After the configuration has been deployed, you have the option to retain or delete the
configuration preview. It is recommended to select No so that the configuration can be
referenced at a later time.
Return to the Inventory page and change the focus to Provision.
Ensure that the Provision Status shows Success for the FiaB switch. A provisional status of
success is required in order to enable SD-Access functionalities.

10
Exercise 2 | Create Fabric and Border Automation on FiaB
Section 2.1 | Create the Bay Area IP Transit
In Cisco DNA Center navigate to Provision > Fabric.
Click on the blue Add Fabric or Transit/Peer Network link at the top right. Then, select
Transit/Peer Network from the resulting menu.
The Add Transit side slide-out menu will appear. Enter the information, then click on the Save
button to build it.
Transit Name: Bay-Area-Transit

Transit Type: IP-Based
Routing Protocol: BGP
Autonomous System Number: 65535

11
The Bay-Area-Transit will now be present under Transit/Peer Networks.

12
Section 2.2 | Create the Bay Area Fabric
If you have navigated away from the Fabric page in the previous section, go back to Provision >
Fabric.
Click on the blue Add Fabric or Transit at the top right. Then, select Add Fabric from the
resulting menu.
The Add Fabric slide-out menu will appear as pictured. Enter the below information in red and
click on the Next button. Ensure that the San_Jose-13 site level is chosen and not any other
level, as the selection here determines the SD-Access fabric site within the Bay-Area-Fabric
domain. If you have made the wrong selection, please delete the site and add back the
appropriate site level. It is mandatory that the appropriate site level be chosen in order to
successfully create the fabric as it needs to align with the Network Settings and IP address
pools reserved under Design.
Fabric Domain Name: Bay-Area-Fabric

First Fabric Site: San_Jose-13

13
Select only the INFRA_VN for the new fabric and click on the blue Add Button. DEFAULT_VN is
not used in this demonstration, so there is no need to add it to the fabric.

14
At this point, the Provision > Fabric section of DNA Center should look like the picture below,
with both a Transit and a Fabric now created.

15
Section 2.3 | Add FiaB to the Bay Area Fabric and provision Device Roles
With the fabric domain and IP transit added, we now proceed to enabling the FiaB switch with
SD-Access roles within the fabric site. In DNA Center, go to Provision > Fabric, and click on the
Bay-Area-Fabric.
Click on the newly created fabric site San_Jose-13 within the Bay-Area-Fabric domain. This will
bring up the fabric topology for the site.
Click on the FiaB.dcloud.cisco.com switch to bring up its detail. To enable the SD-Access roles
for the FiaB switch, click on the sliders in the following order. This sequence must be followed
exactly in order to enable all functionalities on the switch. Failure to follow this sequence may
prevent one or more roles from being enabled.

16
1. Enable Control Plane role

2. Enable Border role
3. Enable Edge role
When the Border role is enabled, information regarding the border functionality will need to be
supplied in order for the switch to work properly in that role. In the resulting pane, add the
following information.
Enable Layer-3 Handoff: Checked

Local AS Number: 65534
Default to all Virtual Networks: Checked (i.e. FiaB will forward all fabric egress traffic)
Do not Import External Routes: Checked (i.e. No redistribution of routes learned
externally into LISP)
Add Transit/Peer Site: IP: Bay-Area-Transit

17
Once the IP Transit Bay-Area-Transit is added, add the physical interface on the FiaB switch that
connects to the Fusion router.
In addition to specifying the physical GigabitEthernet1/0/1 (and an optional interface

description), it is required to indicate which Virtual Network will be utilizing the interface to
pass traffic in and out of the fabric. For now, we will start with only the INFRA_VN [the
INFRA_VN is a special LISP instance that resides in the global (default) VRF and its purpose is to
provide management connectivity for wireless access points, as well as SD-Access Extended
Nodes and Policy Extended Nodes (PEN)]. We want to configure the Switch Virtual Interface
(SVI) with a VLAN value of 3001 to correspond with the interface that is already pre-configured
on the Fusion router. The BGP neighbor relationship for the global route table between the FiaB
and Fusion router will be formed using these interfaces.

18
Once the physical interface selection has been saved, the workflow will return to the Layer-3
Handoff panel. In this panel, click on the “Select IP Pool” dropdown menu to select the SJC-
Transit-Pool (100.126.1.0/24) that will be used to configure all the layer-3 handoff interfaces
on the FiaB. Click on the blue Add button after making the selection. The workflow will then
return back to the FiaB detail pane. Proceed carefully with the next section.

19
Once the border information has been entered, enable the Edge role. Make sure that all three
roles have been enabled before clicking on the blue Add button.
If you mistakenly click Add button before all three roles are enabled (but before saving the
changes), then click on the blue "Cisco DNA Center" on the upper left corner to get out of the
screen, then repeat from the beginning of Section 2.3 again (i.e. start with enabling the Control
Plane role). It is very important to have all three boxes enabled before saving since it is
currently not possible to enable any other node functionality (Control Plane, Border, or Edge)
once a node is saved.
The workflow will return to the Fabric Infrastructure page. Click on the blue Deploy button to
begin the process of applying the configuration.

20
You can choose to Apply the configuration now, at a later time, or generate the configuration
preview before applying. For our purposes, apply now.
The screen will flash up a task message in the lower right-hand corner during the process, but
after a few minutes, the Fabric Infrastructure page will be updated with the FiaB switch shown

21
in blue color, which indicates that all of the configuration has been successfully pushed to the
switch.
At this point, DNA Center has configured VLAN 3001 and a corresponding SVI on FiaB. The IP
address on the SVI is from the 1st /30 in the Bay-Area-Transit IP Pool, namely 100.126.1.1/30.
DNA Center has also configured BGP AS 65534 on the FiaB switch and added the pre-configured
Fusion router (100.126.1.2) as an eBGP neighbor in AS 65535. Keep in mind that this is all
provisioned in the INFRA_VN, which is part of the global routing table (i.e. the underlay of the
fabric). Later, we will repeat this process for each VN we create, and those configurations will
go into the VRF associated with that VN at that time.

22
Section 2.4 | Configure Host Onboarding for the San_Jose-13 Fabric Site
Now that the SD-Access roles have been enabled for the FiaB switch, other properties (e.g.
default 802.1x authentication template, IP address pools for the various VNs, wireless SSIDs,
port specific configuration, etc…) will need to be expressed for the San_Jose-13 fabric site. On
the Host Onboarding pane, click on the “Authentication Template” tab and select “Closed
Authentication” since we want 802.1x enforcement mode to be the default for all edge switch
access ports.
Select to Apply now to immediately push out the 802.1x related configurations.

23
Section 2.5 | Explore the Configuration added by DNA Center Automation
Open a CLI session (console or SSH) to FiaB switch that is now a part of the Bay-Area-Fabric
domain to explore the configurations that have been automated by DNA Center. Start by
reviewing the resulting LISP configurations. Note that there is a LISP instance for the INFRA_VN
(tied to the global routing table) with an ID of 4097.
show run | sec lisp

24
Display the layer-3 hand-off interface that was specified for the IP Transit for the FiaB switch.
Notice it has now been made into an 802.1Q trunk port permitting all VLANs.
show run int g1/0/1
Display the interfaces on FiaB and note that Vlan3001 should now be present.
show ip interface brief
Display the VLAN 3001 interface on FiaB and look at the configuration that DNA Center had
automated.
show run interface vlan 3001
Lastly, review the BGP configurations on FiaB and note the 100.126.1.2 eBGP peer (i.e. Fusion
router) on the other side of the 100.126.1.0/30 subnet in VLAN 3001.
show run | sec bgp

25

26
Section 2.6 | Verify Fabric Connectivity from Fusion Router
To verify fabric connectivity from the Fusion router, start with a display of the BGP summary of
the “underlay” VRF. One prefix will be received from the FiaB.
show ip bgp vpnv4 vrf underlay sum
Take a more detailed look at what prefixes are received from the FiaB switch, as well as those
prefixes sent to the FiaB from the Fusion router. The Loopback0 interface of FiaB is learned via
BGP on the Fusion router via the “underlay” VRF.
show ip bgp vpnv4 vrf underlay nei 100.126.1.1 routes
show ip bgp vpnv4 vrf underlay nei 100.126.1.1 advertised-routes

27
Exercise 3 | Fabric Virtual Network Setup and Provisioning
Section 3.1 | Campus and Guest Virtual Network (VNs)
With the INFRA_VN established with the Fusion router, we now proceed to adding the Campus
VN to onboard enterprise users and a Guest VN to onboard guest users. Begin by verifying that
DNA Center and ISE are synchronized by navigating to Policy > Group-Based Access Control. If
the Group-Based Access Control page shows that DNA Center and ISE are out of Sync, then click
on Restart Migration to synchronize the policy and group information between DNA Center
and ISE. Only proceed when the migration is shown to completed, similar to below.
Click on Policy > Virtual Network from the main menu to proceed with creating the new Virtual
Networks. On the VN page, click on the blue Create Virtual Networks on the upper right to
create a new Virtual Network in DNA Center.
Name this new virtual network Campus with an initial capital C. VN names are case-sensitive (as
they are configured as VRFs on the switches), so it is mandatory that you MUST use the name
Campus exactly as shown.

28
Repeat and create another VN with a name of Guest. Again, note the name is case-sensitive!
There is no need to check the Guest Virtual Network box starting with DNA Center v2.1 as the
Remote Multisite Border capability introduced with v2.1 has supplanted that need.
After creating the VNs, click on the blue Add link next to the new Campus VN.

29
Add the following Scalable Group Tags (SGTs) to Campus. Once complete, click on the blue Save
button.
Scalable Groups: acct, hr, Employees
Repeat the process for the Guest VN and add the Guests SGT to it.

30
After creating the VNs and assigning them the appropriate SGTs, the resulting VN profile should
have Campus with three SGTs and Guest with one SGT.

31
Section 3.2 | Bind IP Pool Reservation to the Virtual Networks
With the VNs created, return to Provision > Fabric > Bay-Area-Fabric > San_Jose-13 > Host
Onboarding page and click on the Virtual Networks tab. Notice that only the INFRA_VN is
present in the San_Jose-13 fabric site, and that it is still gray as no IP Pool has been assigned to
it yet. Add the new VNs that were created in the previous section by clicking on the blue Add
Virtual Network in the upper right.
In the resulting window check the boxes for Campus and for Guest, then click on the blue
Update button.
The Host Onboarding page will now display all three Virtual Networks as assigned to the fabric
site. Let’s assign an IP Pool to the Campus VN by clicking on it.

32
In the resulting slide-out panel, click on the blue Add at the top right to select a pool.
The side panel will expand further as pictured below. Click in the IP Address Pool dropdown
menu and select the SJC-Campus-Pool (100.100.0.0/16) that was already pre-configured in the
interest of time.
Note – To learn more about IP Pools and Reservations or to create or edit them, explore the Design section on
of DNA Center. These IP Pools and Reservations have been made as part of the PoV base images and

33
configurations in the interest of time, and as creating many of them can be repetitive. If you would like to show
creating one or more, simply delete them from DNA Center and configure them again to highlight the functions.
Notice that after selecting the SJC-Campus-Pool that the VLAN Name has automatically been
populated with the auto-generated string 100_100_0_0-Campus in the pre-determined format
of IP_Pool-VN. If left un-edited, DNA Center will add a new VLAN with the indicated VLAN
Name on the FiaB switch to onboard users and devices.
The VLAN name needs to match up with the pre-configured policies on ISE as it is the critical
component to onboarding users and devices. Click on the VLAN Name and change it to simply
Campus (without the 100_100_0_0 component) to match up with the ISE policies. Now select
Data from the Traffic type in the bottom right dropdown menu within the panel. Once
completed, click on the blue Add button followed by Deploy > Apply to push out the changes.

34
Note – Once the IP pool has been assigned to the Campus VN, DNA Center will push the configuration for the
VRF, LISP routing instance, VLAN, and SVI corresponding to the Campus VRF on the FiaB switch. It will also
add the relevant BGP configuration on the FiaB switch to advertise reachability of the 100.100.0.0/16 network
to the Fusion router on the Campus VRF.
Repeat the process and add the SJC-Guest-Pool (100.99.0.0/16) IP Pool to the Guest Virtual
Network. Be sure to modify the VLAN Name to Guest to match up with ISE.
Note – Again, once the IP pool has been assigned to the Guest VN, DNA Center will push the configuration for
the VRF, LISP routing instance, VLAN, and SVI corresponding to the Guest VRF on the FiaB switch. It will also
add the relevant BGP configuration on the FiaB switch to advertise reachability of the 100.99.0.0/16 network to
the Fusion router on the Guest VRF.
Repeat the process and add the SJC-AP-Pool (100.123.0.0/16) IP Pool to the INFRA_VN Virtual
Network. Be sure to modify the VLAN Name to AP_VLAN to match up with ISE. This pool will be
used to onboard wireless APs in the underlay (global routing table).

35
After adding IP Pools to all the VNs, they should now all be blue.

36
Section 3.3 | Explore Configuration Changes from DNA Center Automation
Connect to the CLI of FiaB switch to review the changes in configuration pushed by DNA Center
after assigning the IP Pools to the Virtual Networks.
Examine the newly created Campus and Guest VRFs that DNA Center has created.
show vrf
Display the LISP configuration. Look for the newly created LISP instances.
show run | sec lisp

37
In Section 2.4, we have chosen the “Closed Authentication” template. This has resulted in an
802.1x closed authentication configuration on all edge ports in the fabric.
show run interface g1/0/2
As can be seen above, 802.1x closed authentication is now in effect on all the access switch
ports on the FiaB. The interface configuration references a template that DNA Center created

38
called DefaultWiredDot1xClosedAuth. Use the below show command to display what is

configured within this template.
show template interface all | beg DefaultWiredDot1x
Examine the BGP configuration changes made on the FiaB. Under the Campus VRF address
family, take note of the new network statement and summary-only aggregate command to
inject the 100.100.0.0/16 network into BGP. Under the Guest VRF address family, a similar
network statement and summary-only aggregate command that injects the 100.99.0.0/16
network into BGP has also been configured. In the global routing table, notice the new
100.123.0.0/16 network statement and summary-only aggregate address as well (this
corresponds to the INFRA_VN LISP instance).
show run | sec bgp

39
Examine the Endpoint Identifier (EID) Prefix that is configured for each LISP instance as part of
the IP Pool to VN association that was done.
show lisp site
Note - Notice that in the above displays, for both LISP and BGP, the 100.100.0.0/16 network is now always
present and advertised. The same is true of 100.99.0.0/16 for Guest and 100.123.0.0/16 for INFRA_VN

40
Section 3.4 | Connect Campus VN, Guest VN to Shared Services
Now that the Campus and Guest VNs have been established and are active within the Fabric, it
is time to update the Border configurations within DNA Center to provide IP reachability for
these VNs outside of the Bay-Area-Fabric.
Go to the Fabric Infrastructure page of Provision > Fabric > Bay-Area-Fabric > San_Jose-13.
Click on FiaB within the topology view. In the resulting side panel, click on the blue Configure
link next to the Border Node as pictured.
In the Border Node side panel, click on the GigabitEthernet1/0/1 physical interface for the Bay-
Area-Transit that we had added earlier.

41
Now in the GigabitEthernet1/0/1 side panel, enable the sliders for Campus VN and Guest VN. It
is imperative to use VLAN 3002 for the Campus VN, and VLAN 3003 for the Guest VN in order
to align with the pre-configuration that is on the Fusion router. Do NOT make any other
changes. Click on Save to retain the.

42
Back at the first panel click on the Add button.
Click on the blue Add button at the bottom right of the screen.
In the main fabric page, click on the blue Deploy (then Apply Now) to save the changes.

43
Note that the next available /30 IP network from the Transit IP Pool (i.e. 100.126.1.4/30) and a
3002 VLAN are assigned to the Campus VN, while 100.126.1.8/30 and VLAN 3003 are assigned
to the Guest VN as part of the fabric border handoff to the Fusion.

44
Section 3.5 | Review Changes Made by Cisco DNA Center Automation
Explore the changes that were made by DNA Center on FiaB switch by connecting to the FiaB
CLI. Note the new 3000 series VLANs configured for the Campus and Guest VNs.
show vlan
Display the corresponding SVIs created by DNA Center.
show run int vlan 3002

45
show run int vlan 3003
Display the BGP configuration and note the neighbor statements across the Campus and Guest
VRFs.
show run | sec bgp

46
Connect to the CLI of the Fusion Router (e.g. via SSH from SE-PC in dCloud) and review the BGP
peering status in the Campus and Guest VRFs, using the following display commands.
show ip bgp vpnv4 vrf Campus sum
show ip bgp vpnv4 vrf Guest sum

47
Notice that the two neighbors are already up and active in the Campus and Guest VRFs, as the
Fusion router base configuration contained the necessary config to peer using the optional
VLANs and networks from DNA Center. Now, on the Fusion router, display the routes going
between the fusion and border routers.
show ip bgp vpnv4 vrf Campus nei 100.126.1.5 rou
show ip bgp vpnv4 vrf Guest nei 100.126.1.9 rou
On the Fusion router, verify that the 100.100.0.0/16 and 100.99.0.0/16 networks are now
present in the shared_services VRF routing table, with the next hop via the Campus and Guest
VRFs, respectively.

48
show ip route vrf shared_services

49
Exercise 4 | Virtual Network Testing
Section 4.1 | Test and Verify Wired Campus VN Connectivity
At this point the Campus VN has been configured, a secure access policy has been applied via
the closed 802.1x authentication template, and the necessary border automation configuration
has been pushed to connect it with the outside world via the Fusion Router. The Campus VN is
ready for wired test clients to be connected.
Connect one or more wired test clients to FiaB switch on an open access port or ports. It is
recommended to test with two wired test clients. To follow along with these guided tests,
connect one client to port 1/0/10 and the second client to 1/0/11 on the FiaB switch.
Note – Test clients will need to be configured for 802.1x authentication on the client-side
network interface and have certificate verification disabled, single sign-on disabled, caching of
credentials disabled, and set to always ask for the username and password.
If the 802.1x supplicant is configured properly on the test client, it will prompt for network
access credentials when it is connected. The Windows Security Sign in window can be seen in
the example screenshots below.

50
Log into the network on both clients. On Client-1, log in as an Accounting user, and on Client-2,
log in as an HR user with the credentials shown below.
Username: acct1
Password: C1sco12345
Username: hr1
Once both clients have logged onto the network, open a CMD prompt and issue the below
command to review what was received via DHCP.
ipconfig /all

51
Both clients should receive IP addresses in the 100.100.0.0/16 space within the Campus VN. The
first two IP addresses available in the Campus VNs DHCP scope are 100.100.0.21 and .22, so the
clients should receive these assignments.
On the test clients, start pinging each other as a basic test (remember to disable the Windows
firewall setting if the test clients are Windows-based).
ping 100.100.0.22 -t

52
ping 100.100.0.21 -t
Next, start a set of streaming pings to the default gateway from both clients.
ping 100.100.0.1 -t

53
Open a browser on each and go to some test websites to verify connectivity outside the Fabric,
and to the DNS server.

54
Now connect to the FiaB switch via SSH from the dCloud SE-PC and display the LISP table and
verify that you can see the clients on the Control Plane node which is the FiaB. There should be
/32 host entries in the table for the clients IP addresses received from DHCP.
show lisp site
On the FiaB, display the authentication details on each of the switch ports connected to the test
clients using the commands shown below. Note the display includes the SGT that is assigned to
the client, based on policies defined in ISE.
show authentication session interface g1/0/10 detail

55
Another visibility option is to log onto the ISE web UI via the SE-PC and navigate to Operations
> RADIUS > Live Logs to review the entries for the HR and Accounting 802.1x network logins.
Additionally, look at Context Visibility > Endpoints and review the information for the clients.

56
Section 4.2 | Test the Guest Virtual Network
Now it is time to test the new Guest Virtual network from a client device.
Note – The ISE policy for Guest is to place endpoints or clients into the Guest VN if they do not
have the 802.1x client supplicant enabled or running. The client will initially have the Guest auth
ACL applied, and be redirected to the Guest Login Portal provided by ISE.
Start by connecting a wired test client to FIAB or clearing out the authentication and
disconnecting an existing test client. For this test, remove any 802.1x client supplicants if they
have been configured.
After disabling the 802.1x supplicant (if applicable), plug in the client to an access port on the
FiaB and the web authentication redirection should trigger automatically. Be patient, as it may
take 120 seconds for the window pictured below to pop up. Click on OK to open it in Microsoft
Edge browser, if using Windows, so that you can bypass the certificate. If the popup window
does not appear, open Microsoft Edge and navigate to any site, e.g. www.cisco.com.

57
Optionally, enter the command shown below on the FiaB to look at the authentication state
during the process. You should see that 802.1x timed out, and MAB subsequently ran. The
redirect ACL should be applied, which only allows DHCP, DNS, and web traffic to the ISE portal.
On the test client, after clicking OK to accept and open the Web Authentication Portal in
Microsoft Edge, the below window will open (if the popup window does not appear, open
Microsoft Edge and navigate to any site). Click Details in gray, and then click on Go on to the
Webpage to proceed to the portal.
After bypassing the certificate warning the below pictured page will load from ISE.

58
Note – In this lab environment the Guest Authentication Page provided by ISE uses a self-
signed certificate. In production, bypassing a certificate warning would not be required.
Click on the blue “Or register for guest access” link just below the Sign On button to build an
account. The below registration page will load.

59
Note – This version of the Guest Portal is the default one provided by ISE. The appearance of
the portal can be easily modified in ISE, as well as the style of access. This portal could be
changed to a company’s logo and colors or to a simple Acceptable Use Policy challenge, or no
challenge at all.
Enter information into the key fields and click on the Register button at the bottom. What
information is given to ISE is not important for the purposes of the client test in our scenario.
Only the Username field is required before clicking to register.
After registering, the default ISE portal will return a Username and a Password that can be used
to access the Guest network. Copy them down or take a screenshot before clicking to Sign On.
The portal will return to the Sign On page. Enter the Username and Password just created on
the previous screen, then click on the blue Sign On button to proceed.

60
Once authenticated, a default Acceptable Use Policy from ISE will appear. Click on the blue
Accept button to proceed.
Once accepted, a default welcome message will appear. Click on the Continue button.

61
The below success message will be returned. At this point the Client will become authenticated
in the Guest VN and the restricting WebAuth ACL will be removed from the port.
In a new browser window or tab, open a website to test access to the Internet. This traffic will
flow from the Guest VN in the fabric, up through the Fusion Router, and out to the Internet.
Open a CMD window on Client-2 and display the IP information of this client. It will now have
an IP address in the 100.99.0.0/16 range, and a default Gateway of 100.99.0.1 in the Guest VN.
ipconfig /all

62
Detail information regarding the auth session of the test client can be seen on the FiaB switch.
Notice that the redirect ACL is no longer present, and the test client has an SGT of 6, which is
assigned to Guests per ISE policies.

63
Exercise 5 | Configure and Verify Campus Micro Segmentation
Section 5.1 | Create a Deny All Access Control Policy Between HR and ACCT Users
Return to the Cisco DNA Center Web UI and navigate to Policy > Group-Based Access Control.
Click on the square between the ACCT and HR Security Group Tags in the policy matrix to
modify the policy.
In the resulting side panel, click on the blue Change Contract link.
In the resulting side panel, click to select the radial button for the Deny_IP contract. Then click
on the blue Change button at the bottom right.

64
Now click on the blue Save button at the bottom right of the previous panel.
The policy matrix should now match the below picture. At this point, the policy changes have
been saved on DNA Center and ISE, but they have not been pushed to the network
infrastructure. This staging capability allows for multiple policy changes to be made prior to
making them take effect. For now, click on the blue Deploy link near the top left to push the
policy changes to the network infrastructure.

65
A small success message will appear at the bottom right. At this point all IP traffic between
ACCT users and HR users will be dropped within the Fabric.

66
Section 5.2 | Test the HR to ACCT Deny All Access Control Policy in Campus VN
Return to the wired test clients on the FiaB switch and verify this new policy that was just
deployed to the Campus VN. Bounce the ports of any clients that are already connected and
authenticated before beginning to test. Then log in one test client as an ACCT1 user and the
other one as HR1 user. Confirm that they each received a DHCP address and can access the
internet in the 100.100/16 space.
Now test again, pinging between the clients and confirm that the micro-segmentation policy is
in effect within the Fabric, i.e. the pings between the test clients will not work, although pings
to other destinations such as the default GW and ISE or DNA Center will work.
On the FiaB switch, enter the commands below to explore how this works. Begin by displaying
the session information for the client that is logged in as Accounting and look at the SGT value.
show authentication session interface gig 1/0/10 details

67
Now display the same thing for the client logged in as HR and look at its SGT Value.
show authentication session interface gig 1/0/11 details
Now review the active permissions that are currently in effect. Notice that the rule built in Cisco
DNA Center is now present on the switch and blocking SGT 17 to SGT 16 Traffic.
Show cts role-based permissions
One additional thing to note is that the current policy only denies IP from SGT 17 to SGT 16, so
in effect, packets sourced from SGT 16 that are destined for SGT 17 would arrive at the
destination host but return traffic would be blocked.

68
Section 5.3 | Make the HR to Acct Deny Policy Airtight with an Inverse Rule
To make this policy airtight, return to Cisco DNA Center Policy > Group-Based Access Control
page and click on the square between HR and ACCT. Similar to how it was done previously,
attach the DENY_IP contract so as to create the reverse policy.
After making the policy change, the policy matrix should look like below, with the two red
squares. Click on Deploy to push out the changes.

69
Section 5.4 | Confirm the HR to ACCT and ACCT to HR Deny All Access Control Policy
Return to the wired test clients on the FiaB and verify that they are still online and active as
both ACCT and HR users. Confirm that Ping is still not operational between the devices, but
would work to other destinations like ISE, DNA Center, the default GW, etc.
Now with both clients online as HR and ACCT respectively, re-run the below command. Review
the active Role-Based Permissions that are currently in effect. Notice that both rules built in
Cisco DNA Center are now on the FiaB switch and blocking both SGT 17 to SGT 16 as well as the
reverse SGT 16 to SGT 17 traffic.

70
Section 5.5 | Disable the HR to ACCT Deny All Policy and Verify on Clients
After verifying that the Deny All policies between ACCT and HR groups are working, let’s
remove them so that more granular policies can be put in place instead. Go to Policy > Group-
Based Access Control and click one of the two current policies denying IP traffic between the
ACCT and HR groups within the Fabric.
In the resulting side panel, click on the blue View Traffic Flows Set to Default Policy link at the
top right to delete any contract for this policy. In essence, the policy is set back to Default
Policy, which is Permit IP by default.
Back at the main Policy page, the cell of the matrix will now be empty. Scroll down to the
inverse rule blocking HR to ACCT in the matrix and click on it.

71
Again, delete any contract for that cell by setting it back to the Default Policy of Permit IP. Back
at the main Policy page, the matrix now be all white as pictured below. Click on the blue Deploy
link to push these policy changes out to the Fabric.
Once the policy changes are deployed, return to the test clients and test the pings between
them. With the policies withdrawn, the pings will work again.

72
This can also be confirmed on the FiaB switch by examining the role-based permissions.

73
Section 5.6 | Create a Deny FTP Access Contract
We now want to create more granular policies between the HR and ACCT users such that only
FTP traffic is denied, but all others should be allowed. For this demonstration, the test clients
should have FTP server software installed, e.g. FileZilla Server or CoreFTP on Windows. Proceed
to Policy > Group-Based Access Control, then click on the Access Contracts tab. Then click on
Create Access Contract link in the upper right.
In the resulting side panel enter the below information for the new Access Control policy, then
Save.
Name: Block_FTP
Description: This Blocks FTP Traffic
Contract Content Line 1 Action: Deny
Contract Content Line 1 Application: ftp

74
Back on the Access Contracts page, the Block_FTP contract will now be in the list.
Note the small orange triangle to the left of the new contract—this indicates that it has not yet
been deployed. Click on the blue Deploy link to push out this new contract to ISE. Ensure that
the orange triangle has cleared before proceeding (you may need to click on the Refresh link in
the upper right).

75
Section 5.7 | Implement the Deny_FTP Contract in a Policy between HR and ACCT
On the Policies tab of the Policy >Group-Based Access Control page, click on the cell between
the ACCT and HR SGTs to apply the new Deny_FTP contract.
In the Create Policy side panel, add the new Deny_FTP contract, similar to how the Deny_IP
contract was added in Section 5.1.

76
Back on the first Create Policy panel, click on the blue Save button.
Create the reverse policy to block FTP traffic between HR and ACCT groups.
After both policies have been added (thus creating a bidirectional block), click on the Deploy
link to push out the changes. Ensure that the policy is successfully deployed.

77

78
Section 5.8 | Test the Deny FTP Access Control Policy on the Clients
Return to the wired test clients connected to the FiaB switch and authenticate at least one
client as an ACCT user and one client as an HR user. Confirm they both receive a DHCP address
in the 100.100/16 space and make sure that pings between them work.
Ensure that each client has a functional FTP server configured (e.g. FileZilla Server or CoreFTP
on Windows), then attempt to open an FTP session from each client to the other. Neither
session will be able to connect based on the micro-segmentation policy that has been
implemented via Cisco DNA Center.
Examine the polices currently active on the FiaB switch that are making this possible and note
how DNA Center translated the intent-based UI policy into an SGT-based enforcement rule.

79
Exercise 6 | Fabric Integrated Wireless Configuration with Embedded

Wireless on FiaB
Section 6.0 | Introduction
With many Catalyst switches (9300L, 9300, 9400, 9500), it is possible to enable the embedded
wireless controller to run natively on the switch. This simple to deploy solution enables small
sites to support wireless connectivity without additional equipment. When the embedded
wireless functionality is integrated into the Fabric, a common access model with uniform policy
enforcement can be realized to support onboarding of users and devices, regardless of whether
the connectivity is through wired or wireless.
Section 6.1 | Build Campus and Guest SSIDs in DNA Center
Begin by going to Design > Network Settings > Wireless on DNA Center. Ensure that the
hierarchy selection is on the Global level (since only new SSIDs can be added at the Global
level), then click on the blue Add link under Enterprise Wireless.
On the Create an Enterprise Wireless Network page, enter a name for the Wireless Network
Name (SSID). It is recommended to make the name unique so that it is easy to find when trying
to connect to the wireless network at a later stage. We are using the name FiaB-WiFi-Campus
in this example. Other options can also be chosen (e.g. Fast Lane provides an automated QoS
negotiation between Apple devices and Cisco wireless infrastructure), but for our example, we
will leave most settings with their default values. Click on Next after inputting on the first page.

80
On the Wireless Profiles page, provide a name for a new Wireless Profile that will be created to
associate wireless settings with sites. We will use SJC-Wireless-Profile in our example. Ensure
the Fabric setting is selected as this profile will be used for Fabric connectivity.
Then click on the Sites link to select the sites that will be using this Wireless Profile. Select the
San_Jose-13 site, which will automatically select the floors as well (i.e. different wireless
profiles can be created to associate different areas of a site). Click on OK to retain the site
settings.

81
On the Enterprise Wireless Network creation page, click on Finish to save the wireless settings.
With the Enterprise wireless network created, we will now create the Guest wireless network
to onboard Guest wireless users. Click on the blue Add button for the Guest Wireless to begin.

82
On the Create a Guest Wireless Network page, enter a name for the Wireless Network Name
(SSID). It is recommended to make the name unique so that it is easy to find when trying to
connect to the wireless network at a later stage. We are using the name FiaB-WiFi-Guest in this
example. Note that the default layer-3 authentication method defaults to a Self-Registered
portal serviced by ISE, which is what we want. Click on the blue Next button to continue.

83
On the Wireless Profiles page, select the SJC-Wireless-Profile that was created during the
Enterprise SSID creation process since the same wireless profile can be used for both Enterprise
and Guest SSIDs. Ensure that the SJC-Wireless-Profile is set to be a fabric profile for the Guest
SSID before clicking Save. After saving, click on Next to proceed to the Portal Customization
page.
On the Portal Customization page, click on the blue Add button to create a new portal on ISE.

84
A portal builder widow will open. Name the new client redirect portal Guest_Portal1. Note that
many customizations can be performed here, including graphics, lettering, Acceptable Usage
Policy wording, etc…For our demonstration, we will accept the default settings and click on
Save. Be patient as the portal creation can take 15-30s as it is being saved to ISE. Once the
portal is saved, it can be viewed and modified on ISE under Work Centers > Guest Access >
Portals and Components.
Back on the Portal Customization page, click on the blue Finish button to create the new Guest
Wireless Network.

85
The main Wireless page in Cisco DNA Center will now have both the enterprise wireless
network and the guest wireless network assigned to the San Jose site. A new wireless guest
portal, along with the needed ISE policy for this new guest portal to function properly, has also
been configured by Cisco DNA Center.

86
Section 6.2 | Enable Wireless on the Fabric VN IP Pools
With the wireless networks created, we now assign the default IP Pool that will be associated
with the enterprise and guest wireless networks. These default address pools will be used to
onboard wireless users if no policies on ISE dictate otherwise. Note that the pools are that of
the wired network. A common pool to onboard both wired and wireless users allows for
uniform access policy enforcement.
Begin by going to Provision > Fabric > Bay-Area-Fabric > San_Jose-13 > Host Onboarding >
Virtual Networks. Click on the blue Campus Virtual Network to display the currently associated
IP Pools.
Checkbox the Campus VLAN Name, then under Action, select Enable/Disable Wireless Pool to
make this pool eligible to be chosen as the default pool for the enterprise wireless network (the
default selection will be made on another page).
Note the Wireless Pool column changes from Disabled to Enabled after making the selection.
Click Deploy (then Apply Now) to save the changes.

87
Repeat the same procedure for the Guest Virtual Network, making the Guest VLAN eligible to
be chosen as the default IP Pool for the Guest wireless network.
Both the Campus and Guest Virtual Networks are now enabled as wireless pools, laying the
groundwork for wireless fabric.

88
Section 6.3 | Configure Embedded Wireless on the FiaB Switch
With the wireless networks created and the IP Pools made eligible for wireless connectivity, we
now proceed to enabling the embedded wireless controller on the FiaB switch. Proceed to
Provision > Fabric > Bay-Area-Fabric > San_Jose-13 and ensure that the Fabric Infrastructure
page is shown. If wireless software package has not been activated on the FiaB switch, then it is
best to execute the actions in this section from the SE-PC on dCloud (use RDP to connect to
198.18.133.101, once connected to the dCloud Anyconnect VPN) as the necessary wireless
software package has already been saved to the Downloads folder.
Click on the FiaB switch. In the resulting side panel, click the slider to enable the Embedded
Wireless functionality.

89
If the wireless software package has not been activated on the switch, the below pictured
message will appear. Click on the blue OK button to proceed with uploading the wireless
software package. If the wireless package has already been activated on the switch, DNA Center
will not ask you to upload an image. In that case, skip ahead in this guide to the Managed Scope
section to continue.
On the Download Image panel, click on the Choose File button.
In the resulting popup windown, select the C9800-SW-iosxe image from the Downloads folder
and click on the Open button. Once the image selection has been made, click on the Activate
Image after Import option to automatically active the wireless package after it has been
downloaded to the FiaB switch.

90
Confirm to activate the image after import.
Click on the blue Import button to begin the image transfer and activation process. The upload
and activation will take time (anywhere from 10 minutes to over an hour, depending on
whether the software package already exists on the switch and the connectivity speed between
the FiaB switch and the dCloud infrastructure). Click on Next after both image transfer and
activation have succeeded.

91
For Managed Scope, click on San_Jose-13 to select all floors under that level in the hierarchy.
Then click on the blue Next button to continue.
On the Advanced panel, click on the blue Next button to proceed since no changes are needed.
On the Summary panel, click on the blue Save button to retain the settings after reviewing it.

92
Back on the FiaB detail page, click on the blue Add button to retain the settings.

93
Back on the Fabric Infrastructure page, note that the FiaB icon now has the additional letter W
to indicate that wireless functionality has been enabled, but that its color is gray, which
indicates that the changes have not been deployed to the FiaB switch. To push the changes to
the switch, click on the blue Deploy button at the bottom right (then Apply Now).
Examine the wireless related configuration that Cisco DNA Center has pushed out to the FiaB
switch. Connect to the CLI from SE-PC of the FiaB. Confirm that the wireless software package
has been successfully activated.
show install summary
Explore the running configuration to examine the wireless configuration that DNA Center
pushed out using Netconf.

94
show install summary
At this point the embedded wireless controller is ready to onboard Access Points.

95
Section 6.4 | Configure Host Onboarding to Support Campus and Guest Wireless SSIDs
With the IP Pools made eligible to support wireless connectivity in a prior section, we now
select the default IP pool to support the enterprise and guest SSIDs. Navigate to Provision >
Fabric > Bay-Area-Fabric > San_Jose-13 > Host Onboarding and click on the Wireless SSIDs tab.
Select the Guest pool to be the default for the guest SSID and the Campus pool to be the
default for the enterprise SSID. After making the selection, click on Deploy (then Apply Now) to
push out the changes.
Once complete, the SSIDs are ready to be broadcasted by Access Points and to onboard clients
and devices.

96
Section 6.5 | Connect and Provision the Access Point on the FiaB Switch
With the wireless functionality enabled on the FiaB switch, we are ready to connect an Access
Point to the FiaB switch. The ISE instance in dCloud has been configured to automatically profile
Cisco APs and properly place them on the INFRA_VN AP Pool (100.123.0.0/16). This allows for
seamless onboarding of Cisco APs. However, there may be times where the connectivity speed
and latency from the FiaB switch to dCloud may not be sufficient in order for automatic
profiling to work. In that situation, it is required to manually specify the port that the AP
connects to in order for the onboarding of AP to succeed.
Begin by connecting a Cisco Access Point (e.g. AP2800/3800, C9115/C9120/C9130, etc..) to port
GigabitEthernet1/0/2 on the FiaB switch. After 5 minutes, connect to the CLI on the FiaB switch
to verify that port Gi1/0/2 has been placed on the proper AP_VLAN (2045) AND that the AP has
acquired an address in the 100.123.0.0/16 range.
show authentication sessions interface g1/0/2 details
If the AP is shown to have an address in the 100.123.0.0/16 range, then verify that it has
successfully associated with the embedded wireless controller on the FiaB switch. If the AP is
shown, then skip ahead in this guide to the provisioning section of the AP.
show ap summary

97
If the AP is not shown to have an address in the 100.123.0.0/16 range or is not shown to be
associated to the wireless controller, then it may be necessary to manually override switch port
Gi1/0/2 as an Access Point port. In that case, begin by navigating to Provision > Fabric > Bay-
Area-Fabric > San_Jose-13 > Host Onboarding and click on the Port Assignment tab. Ensure the
FiaB switch is selected, then click on port GigabitEthernet1/0/2.
In the slide-out panel, select Access Point(AP) as device type, then ensure that No
Authentication has been defaulted for Authentication Template (note that the IP Pool is
automatically selected as AP_VLAN / 100.123.0.0/16 and cannot be modified). Provide an
interface description if desired. Then click Update.

98
Back on the Port Assignment page, click on Deploy (then Apply Now) to push out the changes.
Connect to the CLI of the FiaB switch and bounce the port Gi1/0/2 (shut/no shut) on the FiaB
switch to reset the connectivity of the AP.
Once the AP is shown to have associated with the wireless controller on the FiaB switch,
proceed to the Provision > Inventory page on DNA Center. If the new AP is not shown in the
inventory, then resync the configuration and operating state of the FiaB switch with DNA
Center. Select the FiaB, then click on Action > Inventory > Resync Device. On the popup
window confirming synchronization, click on OK to proceed.
It will take a couple of minutes to fully synchronize with the FiaB and for the new AP to show up
in the inventory. Once the AP is populated in the inventory, select it, then click on Action >
Provision > Provision Device in order to push out configuration to the AP and place it into
service.

99
On the Provision Devices page, click on the Choose a floor link and select the SJ-13-2 floor as
the location of the AP (AP must be placed on floor level). Then click Save.

100
On the Configuration page, select TYPICAL as the RF Profile. The TYPICAL profile provides a
balance between wireless throughput and range, whereas HIGH RF Profile may provide better
wireless throughput at a reduced range.
On the Summary page, review the settings for the AP, then click on Deploy (then Apply Now) to
push out the configuration to the AP.
Verify that the Access Point is now ready to onboard users and devices. Connect to the CLI of
the FiaB and issue the below command. Note the operating RF bands that are available.
show wireless summary

101
Exercise 7 | Test Campus and Guest Wireless on FiaB
The focus of this exercise is to test the newly provisioned Campus and Guest SSIDs managed by
the embedded 9800 IOS-XE Wireless LAN Controller on the FiaB switch.
Section 7.1 | Test Campus Wireless Connectivity
Use a wireless test client to access and connect to the Campus SSID (e.g. FiaB-WiFi-Campus)
broadcasting from the new AP. You can use a mobile device or a wireless workstation for
testing.
When prompted, enter the below credentials to access the Campus network then click OK.
Username: hr2

102
Confirm that the client receives a DHCP address in the 100.100.0.0/16 space after completing
authentication and test accessing the internet as pictured below.
You can also try accessing the FTP server on one of the wired test clients that has logged in as
an Accounting user. Since the BLOCK_FTP contracts that were created in Section 5.7 are still in
effect, FTP access from the wireless client (when logged in as an HR user) would still be blocked,
but all other access would be allowed. This illustrates the uniform access policy that the SD-
Access fabric enforces across the entire fabric, regardless of the mode of connectivity or
location.

103
Section 7.2 | Test Guest Wireless Connectivity
From Wireless client, connect to your Guest SSID (e.g. FiaB-WiFi-Guest).
The Guest Authentication Portal will open automatically in the Edge browser as pictured. If the
browser does not automatically open, then launch Microsoft Edge and try opening any site. The
user will be redirected to the ISE captive portal that was configured as part of Section 6.1.

104
Click on Details and then click on the red Go on to the webpage link.
On the login page for the Guest wireless captive portal, click on the blue Or register for guest
access link.
On the Create Account page, enter the information below and click on the Register button.
First Name: guest2

Last Name: account
Email Address: guest2@account.com

105
Write down the username and password that are issued. You will need this credential to sign on
again should your current Guest session times out. Click on the Sign On button to proceed.
At the Acceptable Use Policy, click on the Accept button.

106
After accepting, the portal will return the client to the original requested URL. Test accessing a
few other websites to confirm Internet access and confirm that the test client received an IP
address in the 100.99.0.0/16 space.

107
Exercise 8 | Adding a New Fabric Edge Node (Optional)
The SD-Access Fabric-in-a-Box solution offers a convenient fabric solution suitable for small
sites. However, in situations where a single switch may not provide the port density or flexibility
of extending the fabric to certain parts of the network, it is possible to add additional Fabric
Edge Nodes (FEN) to extend the fabric. These FENs need not be directly connected to the
border FiaB. In fact, the fabric can be extended to FENs that are connected to non-fabric
portions of the network. While the following demonstration uses LAN Automation to onboard a
directly connected FEN, Network Plug and Play can be utilized to onboard FENs that are not
directly connected to the FiaB. In either case, the process of enabling the fabric edge
functionality on the newly onboarded switch would be identical. Once the fabric is extended to
the FEN, all fabric settings will automatically be pushed to the new FEN, allowing for the rapid
deployment of access policies and connectivity.
As part of this demonstration, we will be using LAN Automation to onboard a new switch that is
directly connected to port GigabitEthernet1/0/20 of the FiaB. LAN Automation provides for
quick onboarding of new switches with minimal planning and no requirement of template
creation. In conjunction with LAN Automation, we will be utilizing Software Image Management
(SWIM) to automatically upgrade any switch that is not running a prescribed software version
with the golden image. SWIM can be skipped if there is of no interest, or that the connectivity
between the new switch and dCloud does not lend itself to a successful image transfer.
Section 8.1 | Specify a Golden Image for SWIM (Optional)
Note that if SWIM is coupled with LAN Automation, the process of onboarding a new switch will
be extended by at least 30 minutes (for image transfer and switch reload), on top of the normal
LAN Automation process. To begin, go to Design > Image Repository on DNA Center. Since the
new switch being onboarded is another Catalyst 9300 like our FiaB switch, expand the Cisco
Catalyst 9300 Switch family.

108
Click on the star under the Golden Image column for the version that should be specified as the
golden image. In our demonstration, we will be picking cat9k_iosxe.17.03.2a.SPA.bin.
Once the star is clicked for the version, a warning message will pop up indicating that it may
take more than 10 minutes to download the image from CCO to DNA Center. Click on OK to
confirm and proceed.
Once the image is fully downloaded, the star next to the software image will turn golden.

109
Note that we designated the golden image at the Global level, which means that all Catalyst
9300 family will be checked against the golden image for conformity. If only specific sites or
floors should have the golden image, we would then designate the golden image at that level.
Also, the golden image can also be specified for certain role types only (e.g. Core, Distribution,
Border Router, Access, etc…). To modify the role type, click on the pencil icon under the Device
Role column. It is also possible to import an image for a device family that has yet to be
populated in DNA Center. In that case, click on the Import link at the top to manually upload
the image to DNA Center. After the image has been imported, it can be assigned to the
appropriate device family and be tagged as the golden image at various hierarchical level or for
different kinds of device roles.
Once an image has been designated as golden, a device matching that family type will
automatically be upgraded (or downgraded) to match the golden image as part of the PnP or
LAN Automation onboarding process.

110
Section 8.2 | Onboarding New Fabric Edge Node Using LAN Automation
Before LAN Automation can begin, we need to ensure that the port on the FiaB switch that the
new C9300-24P switch will connect to does not have any configuration that would prevent
connectivity. Since port Gi1/0/20 on the FiaB is normally used as an access port to onboard
users and devices, it is configured automatically with the default close authentication template
of the fabric, which will prevent our new switch from connecting properly.
show run interface gi1/0/20
Clear the configuration on port Gi1/0/20 of the FiaB switch using the command “default
interface g1/0/20” in config mode.
default interface gi1/0/20
Once the interface Gi1/0/20 has been cleared, resync the configuration of the FiaB switch on
DNA Center, by going to Provision > Inventory, select the FiaB, then click on Action > Inventory
> Resync Device. On the popup window confirming synchronization, click on OK to proceed.

111
Once resync is done, initiate the LAN Automation process by going to Provision > Inventory on
DNA Center. Then click on Action > Provision > LAN Automation.
Fill in the LAN Automation parameters using the below information. The new switch will
connect to port Gi1/0/20 on the FiaB switch (from its own port of Gi1/0/1). After getting
onboarded, the new switch will be assigned to location SJ-13-1. Check the box to enable
multicast related configuration (PIM, RP) on both the FiaB (seed) switch, as well as the newly
added switch. Multicast forwarding is required for certain scenarios, like layer-2 flooding within
the fabric and higher scale multicast forwarding, so enabling the multicast checkbox will
automate the configuration necessary to support those scenarios later on. The Loopback0,
interface and multicast IP addresses will be assigned from the SJC-LAN-Automation-Pool. The
hostname of the newly added edge node will be assigned Edge-1 (DNA Center appends the -N
suffix to the indicated hostname prefix, where N starts from the number 1). Note that a CSV file
(a sample can be downloaded directly from the LAN Automation page) can be uploaded to DNA
Center if specific hostnames are desired for switches onboarded via LAN Automation. Click on
the blue Start button once all the required parameters are filled in.
Primary Site: SJ-13-2

Primary Device: FiaB.dcloud.cisco.com
Selected Ports of Primary Device: GigabitEthernet1/0/20
Discovered Device Site: SJ-13-1
Main IP Pool: SJC-LAN-Automation-Pool
IS-IS Domain Password: cisco
Enable Multicast: Checked
Device Hostname Prefix: Edge

112
Once the LAN Automation process is started, DNA Center configures the seed device (FiaB
switch in this case) temporarily with an interface VLAN1 and a DHCP pool to onboard any new
switches connected to the indicated interface (Gi1/0/20 in our case). Confirm the configuration
on the FiaB switch through CLI.
show run interface vlan1

113
show run | section ip dhcp pool
Since the SJC-LAN-Automation-Pool (100.124.126.0/23) is currently not advertised to the Fusion

router, DNA Center will not be able to communicate with any device or interface that has an IP
address assigned from that pool, which will prevent LAN Automation from working properly. To
rectify that issue, configure the following BGP configuration on the FiaB switch so that services
upstream of the FiaB switch are aware of the network 100.124.0.0/16, which encompasses the
100.124.126.0/23 subnet.
router bgp 65534

address-family ipv4
aggregate-address 100.124.0.0 255.255.0.0
With the LAN Automation process started and the BGP modification done, connect the new
switch to port Gi1/0/20:
New Switch C9300-24P (Port Gi1/0/1) → FiaB (Port Gi1/0/20)
Power up the new C9300-24P switch. If this switch has a previous configuration, it will not start
the PnP process necessary for LAN Automation to work. In that case, the switch can be reset for
PnP using the exec command “pnpa service reset no-prompt” (note that once the reset
command is issued, the configuration and certificates on the switch will be erased and it will
automatically reload). It is possible to connect to the console port of the new switch to monitor
its progress as it goes through the LAN Automation onboarding process.
To monitor the progress of LAN Automation on DNA Center, go to Provision > Inventory on
DNA Center. Then click on Action > Provision > LAN Automation Status to bring up the LAN
Automation Status window. Detail transactions can be viewed in the Logs tab.

114
Return to the Summary window to monitor the LAN Automation progress. After about 5
minutes (or more than 30 minutes if SWIM has been incorporated as part of the LAN
Automation process), the new switch will be onboarded onto DNA Center. Click STOP when all
Discovered Devices are shown to be in Completed state. Do NOT click STOP until all discovered
devices are shown to be in Completed state. Clicking STOP prematurely (i.e. with devices in In
Progress state) will prevent the new switch to fail onboarding; if that should happen, LAN
Automation will need to be restarted and the switch will need to be reset using the command
“pnpa service reset no-prompt”.

115
Once the STOP button is clicked, it will take a minute for LAN Automation to push the final set
of configurations to the new switch, after which the new switch is ready to be provisioned.
Close the LAN Automation Status window by clicking on the gray X in the upper right.
On the CLI of the FiaB switch, verify that port Gi1/0/20 has been configured as a layer-3 point-
to-point interface as part of the LAN Automation onboarding process.
Similarly, on the CLI of the Edge-1 switch, verify that port Gi1/0/1 has been configured as a
layer-3 point-to-point interface to match that of port Gi1/0/20 on the FiaB switch.
Back on the Inventory page of DNA Center, click on the Refresh link in the upper right to show
the newly onboarded Edge-1. If SWIM was used to upgrade (or downgrade) the software on the
switch, the switch should now be running a version matching the golden image. This can be
verified by clicking on the Compliant link for Edge-1.

116
Notice for Software Image, there is a green checkmark to indicate golden image software
compliance.

117
Section 8.3 | Provision and Enable New Fabric Edge Node
Once the new switch has been onboarded using LAN Automation, it can then be provisioned to
push out the necessary network settings required to be a SD-Access edge node (e.g. AAA
configurations). Go to Provision > Inventory on DNA Center, then select the new Edge-1 switch.
Click on Action > Provision > Provision Device.
On the Assign Site panel, confirm the site as SJ-13-1 (the site was already selected as part of
LAN Automation settings). Click Next.
On the Advanced Configuration page, we have no templates to apply, so click on Next.
On the Summary page, review the settings that will be pushed to the new Edge-1. Click on
Deploy (then Apply Now) to push out the configurations to the new switch.

118
With provisioning done, go to the Provision > Fabric > Bay-Area-Fabric > San_Jose-13 fabric
site. Under Fabric Infrastructure, click on the Edge-1 node.
On the resulting slide-out panel, click the slider next to Fabric Edge to enable SD-Access edge
functionality. Then click on Add to retain the settings.

119
Back on the main Fabric Infrastructure page, notice the letter E is now appended on the Edge-1
icon. The icon is not yet blue, indicating that the changes have not been pushed out yet. Click
on Deploy (then Apply Now) to fully enable the new Edge-1 node as a SD-Access Fabric Edge
Node.
Once all configurations are pushed out, the new Edge-1 is ready to onboard users and enforce
all existing policies that are now extended from the FiaB switch

120
Section 8.4 | Client Testing on New Fabric Edge Node
Once the new Edge-1 switch has been enabled as a Fabric Edge Node, all access policies that
are on the FiaB switch would be uniformly enforced on the new Edge-1 switch. This includes the
Scalable Group Policies restricting FTP access between the HR and ACCT users created under
Exercise 5. Consequently, all tests that were done under Exercise 4 and Exercise 7 will equally
be applicable on the Edge-1 switch, with identical test results. In addition, a new Access Point
can be added to the Edge-1 switch to onboard wireless users and devices. Alternatively, the
existing wireless Access Point that is currently connected to the FiaB switch can be moved to
the Edge-1 switch. Regardless, all existing wired and wireless access policies will be uniformly
enforced on the Edge-1 switch.
To confirm, connect a test client to port Gi1/0/13 on the Edge-1 switch and log in with the
following credential.
Username: acct2
show authentication sessions interface gi1/0/13 detail

121
Once the user is logged in, examine the role-based policies that are downloaded onto the Edge-
1 switch, which should be identical to similar test exercises in Exercise 4.
show cts role-based permissions

122
Exercise 9 | Adding a Policy Extended Node (Optional)
While a Fabric Edge Node is the ideal solution to extend a fabric to the edge, there may be
times where a Fabric Extended Node or Fabric Policy Extended Node may be suitable. A Fabric
Extended Node is a layer-2 access switch that connects directly upstream to a Fabric Edge Node
(FEN). In contrast, a FEN has layer-3 routing capability and does not need to be directly
connected to other fabric nodes. While an Extended Node can enforce 802.1x authentication
and authorization when users and devices connect, it does not enforce fabric policies—policy
enforcement is done on the directly connected Edge Node. When an Edge Node is enforcing
policies for traffic destined to an Extended Node, that enforcement is on the IP-Pool-based level
(i.e. VLAN-based), which is less granular than for users that are directly connected on the Edge
Node. A Fabric Extended Node deployment may be suitable in situations where a device is not
fully capable of supporting all fabric functionalities need to be made part of the SD-Access
fabric. Devices belonging to the Catalyst 3560CX, IE-4000, or IE-5000 families would fall into this
scenario.
A Fabric Policy Extended Node (PEN) is similar to a Fabric Extended Node in that it is also a
layer-2 access switch and can enforce 802.1x authentication and authorization. However, a PEN
can enforce the fabric policies locally instead of relying on the upstream Edge Node for
enforcement, due to the PEN’s capability of supporting inline SGT forwarding. Consequently,
the fabric policy enforcement on a PEN can be as granular as that on a FEN. A PEN deployment
may be suitable in situations where a device cannot be made into a full FEN due to migration
reasons, limited platform support for FEN functionalities (e.g. IE-3400), or to work around some
restrictions when a device is enabled as a FEN (e.g. a Catalyst 9200L switch cannot have fabric
Access Points directly connected when it is enabled as a FEN; however, when the same 9200L
switch is enabled as a PEN, fabric Access Points can be directly connected since the VXLAN
tunnel from the Access Point will terminate on the upstream FEN instead of the PEN). PEN
support currently extends to devices belonging to the Catalyst 9000 and IE-3400 families.
In this demonstration, we will onboard a Catalyst 9200L-48P as a PEN to the existing fabric.
Note that the process to onboard a PEN is identical to that of an Extended Node. DNA Center
will identify the device platform being onboarded and will automatically push out the proper
configuration to either enable the node as a regular Extended Node or a PEN.
Section 9.1 | Onboarding New Policy Extended Node
Before we can onboard a Policy Extended Node, we need to ensure that the port on the FiaB
switch that the new C9200L-48P switch will connect to does not have any configuration that
would prevent connectivity. Since port Gi1/0/21 on the FiaB is normally used as an access port
to onboard users and devices, it is configured automatically with the default close

123
authentication template of the fabric, which will prevent our new C9200L switch from
connecting properly.
Clear the configuration on port Gi1/0/21 of the FiaB switch using the command “default
interface g1/0/21” in config mode.
default interface gi1/0/21
Once the interface Gi1/0/21 has been cleared, resync the configuration of the FiaB switch on
DNA Center, by going to Provision > Inventory, select the FiaB, then click on Action > Inventory
> Resync Device. On the popup window confirming synchronization, click on OK to proceed.

124
Once resync is done, the IP Pool SJC-Extended-Pool (100.124.128.128/25) that will be used to
onboard the PEN will need to be added to the INFRA_VN virtual network. To add the pool to
the fabric, go to the Provision > Fabric > Bay-Area-Fabric > San_Jose-13 > Host Onboarding >
Virtual Networks page on DNA Center. Then click on the blue INFRA_VN button.
On the resulting Edit Virtual Network slide-out panel, click on the blue Add in the upper right.
On the Edit Virtual Network panel, add the SJC-Extended-Pool as shown. We will leave the
VLAN Name in the default syntax IP_Pool-VN since there is currently no ISE policies to onboard
Extended Nodes. Click on Add after filling out the parameters.
IP Address Pool: SJC-Extended-Pool (100.124.128.128/25)

Pool Type: Extended Node
VLAN Name: 100_124_128_128-INFRA_VN

125
Back on the main Edit Virtual Network page, notice that there are now two pools for INFRA_VN:
one for onboarding APs and one for onboarding Extended Nodes. Click on Deploy (then Apply
Now) to push out the configuration changes.

126
Verify the new pool that has now been added to the FiaB switch. Examine and note the VLAN
number that is used for the new pool (1023). This VLAN will be used as the PnP Startup VLAN to
onboard a PEN, once the required Port Channel configuration is completed at a later stage.
show vlan brief
Notice an interface VLAN1023 has also been added to the FiaB. This provides network
reachability for the PEN that will be added later.
show run interface vlan1023

127
With the new Extended pool added, go to the Fabric Infrastructure page on DNA Center and
click on the FiaB switch.
In the detail panel for the FiaB switch, click on the Port Channel tab, then click on the Create
Port Channel link in the upper right. A port channel is required to onboard an Extended Node or
Policy Extended Node, even if there is only one physical connection between the FEN and PEN.

128
The PEN will connect to port Gi1/0/21 on the FiaB. Consequently, select port Gi1/0/21 on the
Port Channel creation page. After selecting port Gi1/0/21, scroll all the way down in order to
select the channeling protocol to use.
Select PAgP Desirable as the channeling protocol, as strict ON mode or LACP is not supported as
a channeling protocol to onboard an Extended Node or PEN. Click on Done after making the
selection. Then Apply (Now) to push out the configuration changes.

129
The Port Channel detail page will then be updated to show the newly created port channel.
Click the gray X in the upper right to close the window.
Connect the PEN to port Gi1/0/21 on the FiaB switch from its own port of Gi1/0/1:
New Switch C9200L-48P (Port Gi1/0/1) → FiaB (Port Gi1/0/21)
Power on the C9200L-48P PEN switch. If this switch has a previous configuration, it will not start
the PnP process necessary for Extended Node onboarding to work. In that case, the switch can
be reset for PnP using the exec command “pnpa service reset no-prompt” (note that once the
reset command is issued, the configuration and certificates on the switch will be erased and it
will automatically reload). It is possible to connect to the console port of the new switch to
monitor its progress as it goes through the Policy Extended Node onboarding process. Notice
the PnP Startup VLAN 1023 that gets pushed to the PEN from the FiaB. Recall that VLAN 1023
corresponds to the SJC-Extended-Pool (100.124.128.128/25) that was added to the INFRA_VN.

130
To monitor the progress of Policy Extended Node onboarding on Cisco DNA Center, go to the
Provision > Plug and Play page. The PEN will transition from 10% to 100 % Provisioned state, all
without any manual intervention.
Onboarding Progress at 10%

131
Onboarding Progress at 40%
Fully Provisioned
Once the PEN has transitioned to the Provisioned state, it is ready to onboard users and
devices. There is no need to provision the PEN under Provision > Inventory (provisioning has
already been completed as part of the PEN onboarding process).

132
In addition, the PEN is automatically marked with an X (for Extended Node/PEN) notation under
Provision > Fabric > Bay-Area-Fabric > San_Jose-13 > Fabric Infrastructure page.
Before connecting test clients to the PEN, verify the configuration that has been pushed to the
PEN by DNA Center. Note that an interface VLAN1023 has been created and configured for
DHCP addressing on the PEN; subsequently, the interface will be assigned an IP address from
the SJC-Extended-Pool (100.124.128.128/25). This interface is used for management purposes
only by DNA Center. Notice that this is the only interface with an IP address on the PEN. There
are no loopback or tunnel interfaces, unlike that on a FEN.
Examine the physical interfaces between the PEN and FEN. They are configured as layer-2 port-
channel trunk interfaces, along with support for inline SGT forwarding. This configuration is in
contrast to the layer-3 routed interface that a FEN has. A PEN operates as a layer-2 access
switch, whereas a FEN operates as a layer-3 routed access switch. Consequently, consideration
for Spanning Tree issues must still be kept in mind with a PEN deployment.

133
PEN Physical Interface Gi1/0/1
FiaB Physical Interface Gi1/0/21

134
Section 9.2 | Client Testing on New Policy Extended Node
Although the C9200L PEN is a layer-2 access switch, it still has the ability to restrict and enforce
all access policies, much like the FiaB or the Edge-1 fabric edge. This ensures that all fabric
policies would be uniformly enforced regardless of where a user or device connects. This
includes the Scalable Group Policies restricting FTP access between the HR and ACCT users
created under Exercise 5. Consequently, all tests that were done under Exercise 4 and Exercise
7 will equally be applicable on the PEN switch, with identical test results. In addition, a new
Access Point can be added to the PEN switch to onboard wireless users and devices.
Alternatively, the existing wireless Access Point that is currently connected to the FiaB switch
can be moved to the PEN switch. Regardless, all existing wired and wireless access policies will
be uniformly enforced on the PEN switch.
To confirm, connect a test client to port Gi1/0/14 on the PEN switch and log in with the
following credential.
Username: hr2
Once the user is logged in, examine the role-based policies that are downloaded onto the Edge-
1 switch, which should be identical to test exercises in Exercise 4.

135
As stated earlier, one of the reasons to deploy a Catalyst 9200L switch as a PEN is to be able to
directly connect a fabric Access Point, which is not supported when the Catalyst 9200L is
operating as a Fabric Edge Node (FEN). To verify, connect a fabric Access Point to port Gi1/0/2
on the PEN (the AP that was previously on port Gi1/0/2 on the FiaB can be moved here as a
test). On the PEN, examine the authenticated state of port Gi1/0/2. The AP should pass
authentication due to ISE profiling, and be assigned an address in the AP_VLAN pool
(100.123.0.0/16).

136
On the FiaB, the AP should show up as been associated to the embedded wireless controller.
show ap summary
On the Provision > Fabric > Bay-Area-Fabric > San_Jose-13 > Fabric Infrastructure page, the AP
should now be shown as directly connected to the PEN, instead of the FiaB.
Connect a wireless test device to the enterprise SSID (e.g. FiaB-WiFi-Campus) using the
following credential. Once connected, the wireless client should be shown as being serviced by
the AP connected to the PEN.
Username: hr1

137
show wireless client summary detail
Since the AP forwards all user data plane traffic to the FEN via a VXLAN tunnel, the wireless
client is invisible to the PEN. Therefore, all fabric policy enforcement relating to the wireless
client will be performed on the FEN, not the PEN.
On DNA Center, the wireless client can be viewed topologically by going to Assurance > Health,
then click on the Network tab.

138
Under Network Health, click on the Access Point link to bring up the health information on
Access Points. Click on the green part of the circular KPI indicator to bring up a list of Access
Points.
On the list of APs, click on the Device Name of the AP to bring up the detail Device 360 view.
Scroll down to the Physical Neighbor Topology, then click on the 5GH Clients icon to reveal the
wireless client with the IP address 100.100.0.24, which matches the list of wireless client seen
on the embedded wireless controller on the FiaB. Notice that the wireless client is connected to
the fabric Access Point that is directly connected to the PEN.

139
This is the End of the SD-Access Fabric-in-a-Box Use Case Guide

140

IBN Campus PoV v4 0 DCloud Use Case Guide SDA FiaB v4.1

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

IBN Campus PoV v4 0 DCloud Use Case Guide SDA FiaB v4.1

Uploaded by

Copyright:

Available Formats

Cisco dCloud IBN Campus PoV 4.

0 – Use Case Guide – SDA FiaB

Cisco Intent Based Networking

For Use With dCloud.cisco.com Demo Version Only

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

SECTION 7.1 | TEST CAMPUS WIRELESS CONNECTIVITY ....................................................................................................102

© 2020 Cisco All rights reserved Cisco Confidential

A. Cisco dCloud IBN Campus PoV 4.0—Base Guide—External Fusion Router

© 2020 Cisco All rights reserved Cisco Confidential

Credentials / Login Information

• Networking devices (FiaB, Fusion)

• DNA Center Web UI, ISE

• DNA Center SSH console

• Wireless Access Point (After joining controller)

• dCloud Demo AnyConnect credentials and IP Address

• 802.1x Client Testing Accounts

© 2020 Cisco All rights reserved Cisco Confidential

Stop & Read Fully Before Proceeding

• Wired and wireless test clients are available for testing.

Services Configured IP NAT Address on

© 2020 Cisco All rights reserved Cisco Confidential

Exercise 1 | Execute Initial Device Provisioning

Section 1.1 | Provision

© 2020 Cisco All rights reserved Cisco Confidential

On the Summary page, click on the blue Deploy button.

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

Return to the Inventory page and change the focus to Provision.

© 2020 Cisco All rights reserved Cisco Confidential

Exercise 2 | Create Fabric and Border Automation on FiaB

Section 2.1 | Create the Bay Area IP Transit

In Cisco DNA Center navigate to Provision > Fabric.

Transit Name: Bay-Area-Transit

© 2020 Cisco All rights reserved Cisco Confidential

The Bay-Area-Transit will now be present under Transit/Peer Networks.

© 2020 Cisco All rights reserved Cisco Confidential

Section 2.2 | Create the Bay Area Fabric

Fabric Domain Name: Bay-Area-Fabric

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

1. Enable Control Plane role

Enable Layer-3 Handoff: Checked

© 2020 Cisco All rights reserved Cisco Confidential

In addition to specifying the physical GigabitEthernet1/0/1 (and an optional interface

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

Section 2.5 | Explore the Configuration added by DNA Center Automation

show run | sec lisp

© 2020 Cisco All rights reserved Cisco Confidential

show run int g1/0/1

show ip interface brief

show run interface vlan 3001

show run | sec bgp

© 2020 Cisco All rights reserved Cisco Confidential

© 2020 Cisco All rights reserved Cisco Confidential

Section 2.6 | Verify Fabric Connectivity from Fusion Router

show ip bgp vpnv4 vrf underlay sum