DNAC SDA 2023
Topology
Underlay Config
ISE Integration and ASA CTS & SXP
ISE Integration Preparation
DNA Integrates with ISE
Add network hierarchy
Discovery and Provision
Add and Configure Fabric
EBGP border with ASA and inline Tagging and CTS Control
Port assignment
Group-Based Access Control
Wireless Fabric
Wireless - SGT Micro-segmentation
8KV as Fusion Router (Replacing ASAv)
Wireless Guest - Dedicated VN for Guest
L2 Handoff
DNAC Template
Troubleshooting Host Authentication Issues
Troubleshooting SGT issues
Troubleshooting Host DHCP Onboarding Issue
Appendix A - Fusion router configuration
Multicast
Over the Top Wireless
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Topology
L2
Underlay
Overlay
--------------------------------------------------------------------------------------------------------------------------------------------------------
Underlay Config
Lab-Router
interface GigabitEthernet0/0.25
encapsulation dot1Q 25
ip address 10.8.25.131 255.255.255.128
ip router isis
!
interface GigabitEthernet0/0.200
encapsulation dot1Q 200
ip address 10.8.20.125 255.255.255.128
ip router isis
!
router isis
net 49.0000.0000.0010.00
is-type level-2-only
metric-style transition
Fusion 4K
lab-router#ssh -v 2 -l admin 10.8.25.156
hostname CME-Fusion-A
!
ip name-server 10.8.25.190
ip domain name clab.com
!
interface Loopback0
ip address 10.0.1.4 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0/1
ip address 10.8.25.156 255.255.255.128
ip router isis
!
interface GigabitEthernet0/0/2
ip address 10.0.2.14 255.255.255.252
ip router isis
mtu 9100
!
router isis
net 49.0000.0000.0005.00
is-type level-2-only
metric-style transition
exit
CME-Fusion-A(config)#crypto key generate rsa modulus 1024
Border-1
hostname Border-1
!
system mtu 9100
!
interface Loopback0
ip address 10.0.1.3 255.255.255.255
ip router isis
!
interface GigabitEthernet1/0/1
no switchport
ip address 10.0.2.1 255.255.255.252
ip router isis
!
interface GigabitEthernet1/0/2
no switchport
ip address 10.0.2.5 255.255.255.252
ip router isis
!
interface GigabitEthernet1/0/3
no switchport
ip address 10.0.2.13 255.255.255.252
ip router isis
!
interface GigabitEthernet1/0/4
no switchport
ip address 10.0.2.9 255.255.255.252
ip router isis
!
router isis
net 49.0000.0000.0003.00
is-type level-2-only
metric-style transition
redistribute connected
Edge-1
ip routing
!
system mtu 9100
!
interface Loopback0
ip address 10.0.1.1 255.255.255.255
ip router isis
!
interface GigabitEthernet1/0/1
no switchport
ip address 10.0.2.2 255.255.255.252
ip router isis
!
router isis
net 49.0000.0000.0001.00
is-type level-2-only
metric-style transition
Edge-2
ip routing
!
system mtu 9100
!
!
interface Loopback0
ip address 10.0.1.2 255.255.255.255
ip router isis
!
interface GigabitEthernet1/0/1
no switchport
ip address 10.0.2.6 255.255.255.252
ip router isis
!
router isis
net 49.0000.0000.0002.00
is-type level-2-only
metric-style transition
ASAv
hostname ASAv-a
!
enable password <Your_Password>1
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address 202.100.10.11 255.255.255.0
!
interface GigabitEthernet0/1
nameif SHARE
security-level 50
ip address 10.1.2.254 255.255.255.0
!
interface Management0/0
no management-only
nameif MGMT
security-level 100
ip address 10.8.25.145 255.255.255.128
isis
!
object network all_net
subnet 0.0.0.0 0.0.0.0
!
access-list out extended permit icmp any any
access-list share extended permit icmp any any
access-list share extended permit udp any any eq domain
!
object network all_net
nat (any,Outside) dynamic interface
!
access-group out in interface Outside
access-group share in interface SHARE
!
router isis
net 49.0000.0000.0011.00
is-type level-2-only
metric-style transition
default-information originate
!
route Outside 0.0.0.0 0.0.0.0 202.100.10.10 1
route MGMT 10.8.20.119 255.255.255.255 10.8.25.131 1
!
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
http server enable
http 0.0.0.0 0.0.0.0 MGMT
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ISE Integration and ASA CTS & SXP
Trusted Certificate
System certificates
Do NOT check "pxGrid"
Domain
Network Device
1 year
ASDM transfer PAC file
ASAv-a#
cts import-pac flash:/ASAv.pac password <Your_Password>1
aaa-server ISE protocol radius
aaa-server ISE (MGMT) host 10.8.20.116
key *****
cts server-group ISE
ASAv-a# cts refresh environment-data
ASAv-a# show cts environment-data
CTS Environment Data
====================
Status: Active
Last download attempt: Successful
Environment Data Lifetime: 86400 secs
Last update time: 18:31:59 UTC Jul 27 2023
Env-data expires in: 0:23:59:56 (dd:hr:mm:sec)
Env-data refreshes in: 0:23:49:56 (dd:hr:mm:sec)
ASAv-a# test aaa authentication ISE username iseuser password cisco,123
Server IP Address or name: 10.8.20.116
INFO: Attempting Authentication test to IP address (10.8.20.116) (timeout: 12 seconds)
INFO: Authentication Successful
ASAv-a# show cts environment-data sg-table
Security Group Table:
Valid until: 18:31:59 UTC Jul 28 2023
Showing 17 of 17 entries
SG Name SG Tag Type
------- ------ -------------
ANY 65535 unicast
Auditors 9 unicast
BYOD 15 unicast
Contractors 5 unicast
Developers 8 unicast
Development_Servers 12 unicast
Employees 4 unicast
Guests 6 unicast
Network_Services 3 unicast
PCI_Servers 14 unicast
Point_of_Sale_Systems 10 unicast
Production_Servers 11 unicast
Production_Users 7 unicast
Quarantined_Systems 255 unicast
Test_Servers 13 unicast
TrustSec_Devices 2 unicast
Unknown 0 unicast
Security groups
Enable SXP, PassiveID, pxGrid
- SGT Exchange Protocol over TCP (SXP)
IP SGT static mapping
SXP settings
SXP device
cts sxp enable
cts sxp default password <Your_Password>1
cts sxp connection peer 10.8.20.116 source 10.8.25.145 password default mode peer speaker
ASAv-a(config)# show cts sxp connections
SXP : Enabled
Highest version : 3
Default password : Set
Default local IP : Not Set
Delete hold down period : 120 secs
Reconcile period : 120 secs
Retry open period : 120 secs
Retry open timer : Running
Total number of SXP connections: 1
Total number of SXP connections shown: 1
-----------------------------------------------------------
Peer IP : 10.8.20.116
Source IP : 10.8.25.145
Conn status : On
Conn version : 3
Local mode : Listener
Ins number : 1
TCP conn password : Default
Reconciliation timer : Not Running
Delete hold down timer : Not Running
Duration since last state change: 0:00:01:39 (dd:hr:mm:sec)
ASAv-a(config)# show cts sxp sgt-map
Total number of IP-SGT mappings : 3
Total number of IP-SGT mappings shown: 3
SGT : 20
IPv4 : 10.8.20.0/25
Peer IP : 10.8.20.116
Ins Num : 1
Status : Active
SGT : 20
IPv4 : 10.8.25.128/25
Peer IP : 10.8.20.116
Ins Num : 1
Status : Active
SGT : 19
IPv4 : 10.1.2.240
Peer IP : 10.8.20.116
Ins Num : 1
Status : Active
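Added example (Python, not part of the lab notes): it parses the `show cts sxp sgt-map` output above into IP-to-SGT bindings and resolves an address to its SGT by longest-prefix match, which is how the ASA classifies traffic it has no inline tag for. The sample text is copied from the output above; the helper names are mine, and the lookup also handles overlapping bindings (a host /32 inside a subnet binding), which the page's three bindings do not exercise.

```python
import ipaddress
import re

# Constructed sample: the three bindings from the `show cts sxp sgt-map` output above.
SXP_SGT_MAP_OUTPUT = """\
Total number of IP-SGT mappings : 3
Total number of IP-SGT mappings shown: 3
SGT : 20
IPv4 : 10.8.20.0/25
Peer IP : 10.8.20.116
Ins Num : 1
Status : Active
SGT : 20
IPv4 : 10.8.25.128/25
Peer IP : 10.8.20.116
Ins Num : 1
Status : Active
SGT : 19
IPv4 : 10.1.2.240
Peer IP : 10.8.20.116
Ins Num : 1
Status : Active
"""

# Each binding in the output begins with an "SGT :" line; the lines that follow
# belong to that binding until the next "SGT :" line.
_FIELD = re.compile(r"\s*(SGT|IPv4|Peer IP|Status)\s*:\s*(\S+)")


def parse_sgt_map(text):
    """Return a list of dicts {sgt, net, peer, status} parsed from the show output.
    A bare host address (no prefix length) becomes a /32 binding."""
    bindings = []
    current = None
    for line in text.splitlines():
        m = _FIELD.match(line)
        if not m:
            continue  # header lines and "Ins Num" carry nothing we need
        key, value = m.groups()
        if key == "SGT":
            if current:
                bindings.append(current)
            current = {"sgt": int(value)}
        elif key == "IPv4":
            current["net"] = ipaddress.ip_network(value, strict=False)
        elif key == "Peer IP":
            current["peer"] = value
        elif key == "Status":
            current["status"] = value
    if current:
        bindings.append(current)
    return bindings


def lookup_sgt(bindings, ip, unknown_sgt=0):
    """Longest-prefix match of ip across Active bindings.
    Falls back to SGT 0 (Unknown in the environment data above) when nothing covers ip."""
    addr = ipaddress.ip_address(ip)
    best = None
    for b in bindings:
        if b.get("status") != "Active" or addr not in b["net"]:
            continue
        if best is None or b["net"].prefixlen > best["net"].prefixlen:
            best = b
    return best["sgt"] if best else unknown_sgt


if __name__ == "__main__":
    table = parse_sgt_map(SXP_SGT_MAP_OUTPUT)
    for probe in ("10.8.20.116", "10.1.2.240", "10.1.2.241"):
        print(probe, "->", lookup_sgt(table, probe))
```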
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ISE Integration Preparation
PassiveID Domain
Internal user
Authorization profile - priv15
Policy sets - Authorization policy
Authorization for external AD group and assign SGT tag
Enable ERS
Enable SHA1
pxGrid auto-approve
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNA Integrates with ISE
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Add network hierarchy
Add AAA server (under Global)
DHCP / DNS / NTP
Device credentials
...
Global Address Pools
Reserve address pools
Pools in DHCP server
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Discovery and Provision
Verify discovery
Verify managed devices in ISE
Provision devices except fusion router
Final state
Verify AAA login working
Edge-2#test aaa group dnac-client-radius-group iseuser <Your_Password>1 new-code
Verify CTS working
Border-1# cts refresh environment-data
Environment data download in progress
Border-1#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Service Info Table:
Local Device SGT:
SGT tag = 2-00:TrustSec_Devices
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
*Server: 10.8.20.116, port 1812, A-ID 911DC573492B20B34B554AE350A823BB
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
0-00:Unknown
2-00:TrustSec_Devices
3-00:Network_Services
4-00:Employees
5-00:Contractors
6-00:Guests
…
On the 3650 switch, CTS reports the error "5400 Authentication failed"
Enable TLS 1.0 to let CTS pass
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
VN and tag creation
Click Start Migration to see the tags newly created in ISE
Create VN
SGT to VN
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Add and Configure Fabric
Transit
Anycast gateway (Host onboarding)
INFRA_VN
CLAB_VN
CLAB_VN2
Add border role
Add Control also
Add Edge
Finally deploy. If it fails, enable Wired Endpoint Data Collection telemetry and re-provision
Error when adding Edge node
The fabric only takes nodes on 17.6 or later; I replaced the 3650s with 9300s as Edges!
After adding an edge, run this to refresh the CTS data
Edge-1#cts refresh environment-data
Edge-1#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Service Info Table:
Local Device SGT:
SGT tag = 2-00:TrustSec_Devices
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
*Server: 10.8.20.116, port 1812, A-ID 911DC573492B20B34B554AE350A823BB
Status = DEAD
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
0-00:Unknown
2-00:TrustSec_Devices
3-00:Network_Services
…
Border-1#show cts role-based sgt-map vrf CLAB_VN ALL
Verification commands
Border-1#show run | sec router lisp
router lisp
locator-table default
locator-set rloc_677057e3-8eb6-4516-b71d-9cbabcfa3d00
IPv4-interface Loopback0 priority 10 weight 10
auto-discover-rlocs
exit-locator-set
!
locator default-set rloc_677057e3-8eb6-4516-b71d-9cbabcfa3d00
service ipv4
encapsulation vxlan
//responsible for MR/MS
itr map-resolver 10.0.1.3
etr map-server 10.0.1.3 key 7 110C1F064F46085D022B7C277867657B4B
etr map-server 10.0.1.3 proxy-reply
etr
sgt
no map-cache away-eids send-map-request
//acting as proxy ETR/ITR if it doesn't know the destination
proxy-etr
proxy-itr 10.0.1.3
map-server
map-resolver
exit-service-ipv4
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
EBGP border with ASA and inline Tagging and CTS Control
ASAv EBGP To Border
interface GigabitEthernet0/2
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2.3001
vlan 3001
nameif CLAB_VN
security-level 60
ip address 172.16.10.2 255.255.255.252
!
interface GigabitEthernet0/2.3002
vlan 3002
nameif CLAB_VN2
security-level 60
ip address 172.16.10.6 255.255.255.252
!
router bgp 1000
bgp log-neighbor-changes
address-family ipv4 unicast
neighbor 172.16.10.1 remote-as 100
neighbor 172.16.10.1 activate
neighbor 172.16.10.5 remote-as 100
neighbor 172.16.10.5 activate
network 0.0.0.0
no auto-summary
no synchronization
exit-address-family
Allow traffic between interfaces with the same security level
ASAv-a(config)# same-security-traffic permit inter-interface
ASAv-a# show nameif
Interface Name Security
GigabitEthernet0/0 Outside 0
GigabitEthernet0/1 SHARE 50
GigabitEthernet0/2.3001 CLAB_VN 60
GigabitEthernet0/2.3002 CLAB_VN2 60
Management0/0 MGMT 100
ASAv-a# show bgp ipv4 unicast summary
BGP router identifier 202.100.10.11, local AS number 1000
BGP table version is 9, main routing table version 9
6 network entries using 1200 bytes of memory
6 path entries using 480 bytes of memory
3/3 BGP path/bestpath attribute entries using 624 bytes of memory
1 BGP AS-PATH entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 2328 total bytes of memory
BGP activity 6/0 prefixes, 6/0 paths, scan interval 60 secs
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
172.16.10.1 4 100 7 7 9 0 0 00:01:19 3
172.16.10.5 4 100 7 9 9 0 0 00:01:09 2
Border-1#show ip route vrf CLAB_VN
Routing Table: CLAB_VN
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 172.16.10.2 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 172.16.10.2, 00:01:08
172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
B 172.16.1.0/24 [200/0], 06:11:58, Null0
C 172.16.1.254/32 is directly connected, Loopback1024
B 172.16.2.0/24 [200/0], 06:11:58, Null0
C 172.16.2.254/32 is directly connected, Loopback1023
C 172.16.10.0/30 is directly connected, Vlan3001
L 172.16.10.1/32 is directly connected, Vlan3001
Border-1#show ip route vrf CLAB_VN2
Routing Table: CLAB_VN2
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, m - OMP
n - NAT, Ni - NAT inside, No - NAT outside, Nd - NAT DIA
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
H - NHRP, G - NHRP registered, g - NHRP registration summary
o - ODR, P - periodic downloaded static route, l - LISP
a - application route
+ - replicated route, % - next hop override, p - overrides from PfR
& - replicated local route overrides by connected
Gateway of last resort is 172.16.10.6 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 172.16.10.6, 02:31:34
172.16.0.0/16 is variably subnetted, 4 subnets, 3 masks
B 172.16.3.0/24 [200/0], 1d20h, Null0
C 172.16.3.254/32 is directly connected, Loopback1025
C 172.16.10.4/30 is directly connected, Vlan3002
L 172.16.10.5/32 is directly connected, Vlan3002
ASAv-a# show route bgp
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, V - VPN
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, + - replicated route
SI - Static InterVRF
Gateway of last resort is 202.100.10.10 to network 0.0.0.0
B 172.16.1.0 255.255.255.0 [20/0] via 172.16.10.1, 20:14:45
B 172.16.2.0 255.255.255.0 [20/0] via 172.16.10.1, 20:14:45
B 172.16.3.0 255.255.255.0 [20/0] via 172.16.10.5, 20:14:35
Border-1#show bgp vrf CLAB_VN all summary
Configure Inline Tagging and VLAN CTS Control
//Use the cts manual command to enter the TrustSec manual interface configuration in which policies and the Security Association Protocol (SAP) are configured on the link
ASA
interface GigabitEthernet0/2
cts manual
policy static sgt 65000 trusted
!
interface GigabitEthernet0/2.3001
cts manual
policy static sgt 65000 trusted
!
interface GigabitEthernet0/2.3002
cts manual
policy static sgt 65000 trusted
Border-1
cts role-based enforcement
cts role-based enforcement vlan-list 3001-3002
!
interface GigabitEthernet1/0/5
cts manual
policy static sgt 65000 trusted
Border-1#ping vrf CLAB_VN 172.16.10.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Border-1#ping vrf CLAB_VN2 172.16.10.6
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.10.6, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Port assignment
Edge 1
Edge-1#show authentication sessions interface g1/0/12 details
Interface: GigabitEthernet1/0/12
IIF-ID: 0x11CCADA4
MAC Address: 0800.27c9.b24d
IPv6 Address: fe80::71da:5fc9:c57:c853
IPv4 Address: 172.16.1.11
User-Name: dnauser1
Device-type: Microsoft-Workstation
Device-name: WIN7PC1
VRF: CLAB_VN
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 171164s
Common Session ID: 0202000A0000003CB828DA0B
Acct Session ID: 0x00000015
Handle: 0xa3000032
Current Policy: PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
Local Policies:
Server Policies:
SGT Value: 16
Method status list:
Method State
dot1x Authc Success
Edge-2
Edge-2#show authentication sessions interface g1/0/13 details
Interface: GigabitEthernet1/0/13
IIF-ID: 0x1DE7879F
MAC Address: 0800.27ae.6e19
IPv6 Address: fe80::90c:a06d:645d:ed4b
IPv4 Address: 172.16.3.10
User-Name: dnauser2
Device-type: Microsoft-Workstation
Device-name: WIN7PC2
VRF: CLAB_VN2
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 172790s
Common Session ID: 0602000A00000021BB9F0801
Acct Session ID: 0x0000004e
Handle: 0xf9000017
Current Policy: PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
Local Policies:
Server Policies:
SGT Value: 17
Method status list:
Method State
dot1x Authc Success
Open VS Closed Authentication
template DefaultWiredDot1xOpenAuth
dot1x pae authenticator
dot1x timeout supp-timeout 7
dot1x max-req 3
switchport mode access
switchport voice vlan 2046
mab
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xOpenAuth_1X_MAB
source template DefaultWiredDot1xOpenAuth
VS
template DefaultWiredDot1xClosedAuth
dot1x pae authenticator
dot1x timeout supp-timeout 7
dot1x max-req 3
switchport mode access
switchport voice vlan 2046
mab
//preventing clients or devices from gaining network access before authentication is performed
access-session closed
access-session port-control auto
authentication periodic
authentication timer reauthenticate server
service-policy type control subscriber PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
Traffic between VNs
Traffic between different SGTs in the same VN
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Group-Based Access Control
Adding Security Groups
ISE policy authorization to SGT
Port assignment
New contract "Web"
Human_Resources --> Developers, apply contract
Apply
Bounce the port on both switches
Edge-2#show cts role-based permissions
IPv4 Role-based permissions default:
Permit IP-00
IPv4 Role-based permissions from group 21:Human_Resources to group 8:Developers:
Web-02
RBACL Monitor All for Dynamic Policies : FALSE
RBACL Monitor All for Configured Policies : FALSE
Edge-2#show cts role-based counters
Role-based IPv4 counters
From To SW-Denied HW-Denied SW-Permitt HW-Permitt SW-Monitor HW-Monitor
* * 0 0 129671 286365 0 0
21 8 0 88 0 130 0 0
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Wireless Fabric
Initial config
hostname WLC-A
!
ip domain name clab.com
!
enable secret 9 $9$KcJZz3qE4vS83k$w9fFhka1xw/9Yg5aMmEVaydslTJQKX4Ht2K6NSizSfw
!
username admin privilege 15 secret 9 $9$v8J2xvDy3FtUOU$LXDab6e3V07718fxL.v64mrWgA3ZMS/garWu0UKnJpU
username iseuser privilege 15 secret 9 $9$O3jiX6P6If9qbU$FmvGjLPIt4GW/am6DFICGMWBlz/GWVbfOw9Hlsqx5oQ
!
interface GigabitEthernet1
no switchport
ip address 10.0.2.10 255.255.255.252
negotiation auto
no mop enabled
no mop sysid
!
interface GigabitEthernet2
no switchport
ip address 10.8.25.147 255.255.255.128
negotiation auto
no mop enabled
no mop sysid
!
ip route 0.0.0.0 0.0.0.0 10.0.2.9
ip route 10.8.20.119 255.255.255.255 10.8.25.131
!
line con 0
stopbits 1
line vty 0 4
login local
transport input ssh
line vty 5 15
login local
transport input ssh
!
wireless management interface g1
Then, rediscover the WLC
Edit device
WLC-A(config)#no aaa new-model
WLC-A#show run | s username
username admin privilege 15 secret 9 $9$p1Z.7hmQ.KlTnE$9icinHsaeioPq5GtuBgV2wf6zG.2bRE0IlC81GMIzJc
username iseuser privilege 15 secret 9 $9$eR0Br34ScAshHU$A5yDazGdtKyg1XG8RoHYwjUiB5R3V8oPbGXnYG.lJck
Provision WLC
Provision APs
Add WLC into Fabric
Fabric - wireless SSID
Lastly provision the APs
The client needs to request a personal certificate and connect with EAP-TLS
WLC TrustSec
Make sure it matches the network device entry in ISE
Edge-1#show access-tunnel summary
Access Tunnels General Statistics:
Number of AccessTunnel Data Tunnels = 1
Name RLOC IP(Source) AP IP(Destination) VRF ID Source Port Destination Port
------ --------------- ------------------ ------ ----------- ----------------
Ac0 10.0.1.1 10.0.3.10 0 N/A 4789
WLC-A#show run | s Clab-Staff_profile
wireless profile fabric Clab-Staff_profile
client-l2-vnid 8196
description Clab-Staff_profile
wireless profile policy Clab-Staff_profile
aaa-override
aaa-policy dnac-aaa-policy-74df41f4484d32b
accounting-list dnac-acct-Clab-Staff-ee09b3f5
no central dhcp
no central switching
cts inline-tagging
cts role-based enforcement
description Clab-Staff_profile
dhcp-tlv-caching
exclusionlist timeout 180
fabric Clab-Staff_profile
http-tlv-caching
radius-profiling
service-policy input platinum-up
service-policy output platinum
no shutdown
wlan Clab-Staff_profile policy Clab-Staff_profile
wlan Clab-Staff_profile 17 Clab-Staff
radio policy dot11 5ghz
security dot1x authentication-list dnac-cts-Clab-Staff-ee09b3f5
no shutdown
Border-1#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport
Site Name Last Up Who Last Inst EID Prefix
Register Registered ID
site_uci never no -- 4097 10.0.3.0/24
4d01h yes# 10.0.1.1:42916 4097 10.0.3.10/32
4d00h yes# 10.0.1.2:42723 4097 10.0.3.11/32
never no -- 4097 10.0.6.0/24
never no -- 4099 172.16.1.0/24
1d03h yes# 10.0.1.1:42916 4099 172.16.1.11/32
never no -- 4099 172.16.2.0/24
00:00:12 yes# 10.0.1.2:42723 4099 172.16.2.10/32
never no -- 4100 172.16.3.0/24
3d15h yes# 10.0.1.2:42723 4100 172.16.3.10/32
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Wireless - SGT Micro-segmentation
Border Config
Border-1#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport
Site Name Last Up Who Last Inst EID Prefix
Register Registered ID
site_uci never no -- 4097 10.0.3.0/24
3d00h yes# 10.0.1.1:42916 4097 10.0.3.10/32
2d23h yes# 10.0.1.2:42723 4097 10.0.3.11/32
never no -- 4097 10.0.6.0/24
never no -- 4099 172.16.1.0/24
02:22:07 yes# 10.0.1.1:42916 4099 172.16.1.11/32 wired client
never no -- 4099 172.16.2.0/24
01:17:18 yes# 10.0.1.2:42723 4099 172.16.2.10/32 wireless client
never no -- 4100 172.16.3.0/24
2d14h yes# 10.0.1.2:42723 4100 172.16.3.10/32
interface GigabitEthernet1/0/4
description To vWLC
no switchport
ip address 10.0.2.9 255.255.255.252
ip router isis
cts manual
policy static sgt 2 trusted
end
Border-1#show cts interface
WLC 9800
Cisco Catalyst 9800 Series Wireless Controller Software Configuration Guide, Cisco IOS XE Bengaluru 17.5.x
cts sxp enable
cts sxp connection peer 10.8.20.116 password none mode local speaker hold-time 0
!
radius server dnac-radius_10.8.20.116
address ipv4 10.8.20.116 auth-port 1812 acct-port 1813
pac key 7 107D0A16111E13090D0A217A
!
wireless cts-sxp profile default-sxp-profile
cts sxp enable
!
wireless profile flex default-flex-profile
cts inline-tagging
cts role-based enforcement
!
wireless profile policy Clab-Staff_profile
cts inline-tagging
cts role-based enforcement
no shutdown
!
wireless profile policy default-policy-profile
cts inline-tagging
no shutdown
!
!
//Site Tag
wireless tag site ST_Testi_Clab_71e1a_0
description "Site Tag ST_Testi_Clab_71e1a_0"
fabric control-plane default-control-plane
!
wireless tag policy default-policy-tag
description "default policy-tag"
!
//Policy Tag
wireless tag policy PT_Testi_Clab_Floor5_92d90
description "PolicyTagName PT_Testi_Clab_Floor5_92d90"
wlan Clab-Staff_profile policy Clab-Staff_profile
!
interface GigabitEthernet1
ip address 10.0.2.10 255.255.255.252
cts role-based enforcement
WLC-A#show wireless cts summary
Local Mode CTS Configuration
Policy Profile Name SGACL Enforcement Inline-Tagging Default-Sgt
----------------------------------------------------------------------------------------
Clab-Staff_profile ENABLED ENABLED 0
default-policy-profile DISABLED ENABLED 0
Flex Mode CTS Configuration
Flex Profile Name SGACL Enforcement Inline-Tagging
-----------------------------------------------------------------------
default-flex-profile ENABLED ENABLED
WLC-A#show wireless profile policy detailed Clab-Staff_profile
WLC-A#show cts policy sgt
CTS SGT Policy
===============
…
SGT: 8-15:Developers
SGT Policy Flag: 0xC1400001
RBACL Source List:
Source SGT: 21-07:Human_Resources-0, Destination SGT: 8-15:Developers-0
rbacl_type = 80
rbacl_index = 1
name = Deny_Web_Permit_All-06
IP protocol version = IPV4, IPV6
refcnt = 2
flag = 0xC1000000
stale = FALSE
RBACL ACEs:
deny tcp dst eq 443
deny udp dst eq 443
deny tcp dst eq 80
permit ip
…
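Added example (Python, not from the lab) covering both the Group-Based Access Control section and the `show cts policy sgt` output above: it models the enforcement matrix as the switch and WLC apply it, with the Human_Resources (21) to Developers (8) cell running the Deny_Web_Permit_All ACEs listed above and every other cell falling to the default Permit IP, then tallies decisions per cell in the shape of `show cts role-based counters`. Tag numbers come from the environment data above; the flows, the helper names and the implicit-deny fallback are my assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Ace:
    action: str              # "permit" or "deny"
    proto: str               # "ip" (any protocol), "tcp" or "udp"
    dst_port: Optional[int]  # None means any destination port


# RBACL ACEs exactly as listed under `show cts policy sgt` above for the Web contract.
DENY_WEB_PERMIT_ALL = (
    Ace("deny", "tcp", 443),
    Ace("deny", "udp", 443),
    Ace("deny", "tcp", 80),
    Ace("permit", "ip", None),
)
PERMIT_IP = (Ace("permit", "ip", None),)

# Tag numbers from the environment-data and role-based permissions output above.
SGT = {"Unknown": 0, "TrustSec_Devices": 2, "Employees": 4,
       "Developers": 8, "Human_Resources": 21}

# Enforcement matrix: one SGACL per (source SGT, destination SGT) cell.
# Cells not listed fall to the default, which on this fabric is Permit IP.
MATRIX = {
    (SGT["Human_Resources"], SGT["Developers"]): ("Deny_Web_Permit_All", DENY_WEB_PERMIT_ALL),
}
DEFAULT_CELL = ("Permit IP", PERMIT_IP)


def evaluate(src_sgt, dst_sgt, proto, dst_port=None):
    """First-match evaluation of the SGACL selected by the (src, dst) cell.
    Returns (action, sgacl_name). If no ACE matches, the packet is dropped; that
    fallback is an assumption of this model and never triggers here, because
    every contract on the page ends in an explicit 'permit ip'."""
    name, aces = MATRIX.get((src_sgt, dst_sgt), DEFAULT_CELL)
    for ace in aces:
        if ace.proto != "ip" and ace.proto != proto:
            continue
        if ace.dst_port is not None and ace.dst_port != dst_port:
            continue
        return ace.action, name
    return "deny", name


def count_flows(flows):
    """Tally decisions per matrix cell the way `show cts role-based counters` does,
    keyed (src, dst) for configured cells and ('*', '*') for the default cell."""
    counters = {}
    for src, dst, proto, port in flows:
        action, _ = evaluate(src, dst, proto, port)
        key = (src, dst) if (src, dst) in MATRIX else ("*", "*")
        cell = counters.setdefault(key, {"permit": 0, "deny": 0})
        cell[action] += 1
    return counters


# Constructed sample flows (not captured lab traffic): HR -> Dev web is blocked,
# HR -> Dev SSH and ICMP pass, and Dev -> HR web passes because the matrix is
# directional: only the (21, 8) cell carries the Web contract.
SAMPLE_FLOWS = [
    (21, 8, "tcp", 443), (21, 8, "tcp", 80), (21, 8, "udp", 443),
    (21, 8, "tcp", 22), (21, 8, "icmp", None),
    (8, 21, "tcp", 80), (4, 8, "tcp", 443),
]

if __name__ == "__main__":
    for src, dst, proto, port in SAMPLE_FLOWS:
        print(src, "->", dst, proto, port, *evaluate(src, dst, proto, port))
    print(count_flows(SAMPLE_FLOWS))
```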
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
8KV as Fusion Router (Replacing ASAv)
Border-1 Config review
Border-1#show run | section vrf definition CLAB_VN
vrf definition CLAB_VN
rd 1:4099
!
address-family ipv4
route-target export 1:4099
route-target import 1:4099
exit-address-family
!
vrf definition CLAB_VN2
rd 1:4100
!
address-family ipv4
route-target export 1:4100
route-target import 1:4100
exit-address-family
interface Vlan3001
description vrf interface to External router
vrf forwarding CLAB_VN
ip address 172.16.10.1 255.255.255.252
no ip redirects
ip route-cache same-interface
!
interface Vlan3002
description vrf interface to External router
vrf forwarding CLAB_VN2
ip address 172.16.10.5 255.255.255.252
no ip redirects
ip route-cache same-interface
end
Border-1#show run | section bgp
router bgp 100
bgp router-id interface Loopback0
bgp log-neighbor-changes
bgp graceful-restart
!
address-family ipv4
bgp redistribute-internal
bgp aggregate-timer 0
network 10.0.1.3 mask 255.255.255.255
network 10.0.3.254 mask 255.255.255.255
network 10.0.6.254 mask 255.255.255.255
aggregate-address 10.0.6.0 255.255.255.0 summary-only
aggregate-address 10.0.3.0 255.255.255.0 summary-only
redistribute lisp metric 10
exit-address-family
!
address-family ipv4 vrf CLAB_VN
bgp aggregate-timer 0
network 172.16.1.254 mask 255.255.255.255
network 172.16.2.254 mask 255.255.255.255
network 172.16.10.0 mask 255.255.255.252
aggregate-address 172.16.2.0 255.255.255.0 summary-only
aggregate-address 172.16.1.0 255.255.255.0 summary-only
redistribute lisp metric 10
neighbor 172.16.10.2 remote-as 1000
neighbor 172.16.10.2 update-source Vlan3001
neighbor 172.16.10.2 activate
neighbor 172.16.10.2 weight 65535
exit-address-family
!
address-family ipv4 vrf CLAB_VN2
bgp aggregate-timer 0
network 172.16.3.254 mask 255.255.255.255
network 172.16.10.4 mask 255.255.255.252
aggregate-address 172.16.3.0 255.255.255.0 summary-only
redistribute lisp metric 10
neighbor 172.16.10.6 remote-as 1000
neighbor 172.16.10.6 update-source Vlan3002
neighbor 172.16.10.6 activate
neighbor 172.16.10.6 weight 65535
exit-address-family
Fusion-1
hostname Fusion-1
!
!
vrf definition CLAB_VN
rd 1:4099
!
address-family ipv4
import ipv4 unicast map Global_Map
export ipv4 unicast map CLAB_VN_Map
route-target export 1:4099
route-target import 1:4099
route-target import 1:4100
exit-address-family
!
vrf definition CLAB_VN2
rd 1:4100
!
address-family ipv4
import ipv4 unicast map Global_Map
export ipv4 unicast map CLAB_VN2_Map
route-target export 1:4100
route-target import 1:4100
route-target import 1:4099
exit-address-family
!
interface GigabitEthernet1
ip address 202.100.10.11 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 10.1.2.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
negotiation auto
no shutdown
!
interface GigabitEthernet3.3001
encapsulation dot1Q 3001
vrf forwarding CLAB_VN
ip address 172.16.10.2 255.255.255.252
!
interface GigabitEthernet3.3002
encapsulation dot1Q 3002
vrf forwarding CLAB_VN2
ip address 172.16.10.6 255.255.255.252
!
interface GigabitEthernet4
ip address 10.8.25.145 255.255.255.128
ip router isis
negotiation auto
!
router isis
net 49.0000.0000.0011.00
is-type level-2-only
metric-style transition
default-information originate
!
router bgp 1000
bgp log-neighbor-changes
!
address-family ipv4
network 10.1.2.0 mask 255.255.255.0
exit-address-family
!
address-family ipv4 vrf CLAB_VN
neighbor 172.16.10.1 remote-as 100
neighbor 172.16.10.1 update-source GigabitEthernet3.3001
neighbor 172.16.10.1 activate
neighbor 172.16.10.1 default-originate
exit-address-family
!
address-family ipv4 vrf CLAB_VN2
neighbor 172.16.10.5 remote-as 100
neighbor 172.16.10.5 update-source GigabitEthernet3.3002
neighbor 172.16.10.5 activate
neighbor 172.16.10.5 default-originate
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 202.100.10.10
ip route 10.8.20.119 255.255.255.255 10.8.25.131
ip route vrf CLAB_VN 0.0.0.0 0.0.0.0 202.100.10.10 global
ip route vrf CLAB_VN2 0.0.0.0 0.0.0.0 202.100.10.10 global
!
ip prefix-list CLAB_VN2_Prefix seq 5 permit 172.16.3.0/24
!
ip prefix-list CLAB_VN_Prefix seq 5 permit 172.16.1.0/24
ip prefix-list CLAB_VN_Prefix seq 10 permit 172.16.2.0/24
!
ip prefix-list Global_Prefix seq 5 permit 10.1.2.0/24
!
route-map Global_Map permit 10
match ip address prefix-list Global_Prefix
!
route-map CLAB_VN_Map permit 10
match ip address prefix-list CLAB_VN_Prefix
!
route-map CLAB_VN2_Map permit 10
match ip address prefix-list CLAB_VN2_Prefix
Fusion-1#show ip route vrf CLAB_VN
Gateway of last resort is 202.100.10.10 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 202.100.10.10
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 10.1.2.0/24 is directly connected, 00:05:15, GigabitEthernet2
L 10.1.2.254/32 is directly connected, GigabitEthernet2
172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
B 172.16.1.0/24 [20/0] via 172.16.10.1, 00:15:22
B 172.16.2.0/24 [20/0] via 172.16.10.1, 00:15:22
B 172.16.3.0/24 [20/0] via 172.16.10.5 (CLAB_VN2), 00:05:15
C 172.16.10.0/30 is directly connected, GigabitEthernet3.3001
L 172.16.10.2/32 is directly connected, GigabitEthernet3.3001
B 172.16.10.4/30 [20/0] via 172.16.10.5 (CLAB_VN2), 00:05:15
Fusion-1#show ip route vrf CLAB_VN2
Gateway of last resort is 202.100.10.10 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 202.100.10.10
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 10.1.2.0/24 is directly connected, 00:04:44, GigabitEthernet2
L 10.1.2.254/32 is directly connected, GigabitEthernet2
172.16.0.0/16 is variably subnetted, 6 subnets, 3 masks
B 172.16.1.0/24 [20/0] via 172.16.10.1 (CLAB_VN), 00:04:44
B 172.16.2.0/24 [20/0] via 172.16.10.1 (CLAB_VN), 00:04:44
B 172.16.3.0/24 [20/0] via 172.16.10.5, 00:14:54
B 172.16.10.0/30 [20/0] via 172.16.10.1 (CLAB_VN), 00:04:44
C 172.16.10.4/30 is directly connected, GigabitEthernet3.3002
L 172.16.10.6/32 is directly connected, GigabitEthernet3.3002
Border-1#show ip lisp eid-table default map-cache
LISP IPv4 Mapping Cache for LISP 0 EID-table default (IID 4097), 4 entries
10.0.3.0/24, uptime: 1w0d, expires: never, via static-send-map-request
Negative cache entry, action: send-map-request
10.0.3.10/32, uptime: 4d01h, expires: 00:36:14, via map-reply, complete
Locator Uptime State Pri/Wgt Encap-IID
10.0.1.1 4d01h up 10/10 -
10.0.3.11/32, uptime: 3d22h, expires: 01:59:16, via map-reply, complete
Locator Uptime State Pri/Wgt Encap-IID
10.0.1.2 3d22h up 10/10 -
10.0.6.0/24, uptime: 1w0d, expires: never, via static-send-map-request
Negative cache entry, action: send-map-request
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Wireless Guest - Dedicated VN for Guest
Border-1
vlan 3003
name 3003
!
interface Vlan3003
description vrf interface to External router
vrf forwarding GUEST
ip address 172.16.10.9 255.255.255.252
no ip redirects
ip route-cache same-interface
bfd interval 300 min_rx 300 multiplier 3
no bfd echo
end
Border-1#show run | s bgp
router bgp 100
!
address-family ipv4 vrf GUEST
bgp aggregate-timer 0
network 172.16.30.254 mask 255.255.255.255
aggregate-address 172.16.30.0 255.255.255.0 summary-only
redistribute lisp metric 10
neighbor 172.16.10.10 remote-as 1000
neighbor 172.16.10.10 update-source Vlan3003
neighbor 172.16.10.10 activate
neighbor 172.16.10.10 weight 65535
exit-address-family
Fusion-1
vrf definition GUEST
rd 1:4101
!
address-family ipv4
import ipv4 unicast map Global_Map
export ipv4 unicast map GUEST_Map
route-target export 1:4101
route-target import 1:4101
exit-address-family
!
ip prefix-list GUEST seq 5 permit 172.16.30.0/24
ip prefix-list Global_Prefix seq 5 permit 10.1.2.0/24
!
route-map Global_Map permit 10
match ip address prefix-list Global_Prefix
route-map GUEST_Map permit 10
match ip address prefix-list GUEST
router bgp 1000
bgp log-neighbor-changes
!
address-family ipv4
network 10.1.2.0 mask 255.255.255.0
network 10.8.25.128 mask 255.255.255.128
exit-address-family
!
address-family ipv4 vrf GUEST
neighbor 172.16.10.9 remote-as 100
neighbor 172.16.10.9 update-source GigabitEthernet3.3003
neighbor 172.16.10.9 activate
neighbor 172.16.10.9 default-originate
exit-address-family
!
ip route vrf GUEST 0.0.0.0 0.0.0.0 202.100.10.10 global
Test:
Border-1#show ip route vrf GUEST
Gateway of last resort is 172.16.10.10 to network 0.0.0.0
B* 0.0.0.0/0 [20/0] via 172.16.10.10, 10:36:17
10.0.0.0/24 is subnetted, 1 subnets
B 10.1.2.0 [20/0] via 172.16.10.10, 10:36:04
172.16.0.0/16 is variably subnetted, 5 subnets, 3 masks
C 172.16.10.8/30 is directly connected, Vlan3003
L 172.16.10.9/32 is directly connected, Vlan3003
B 172.16.30.0/24 [200/0], 11:39:05, Null0
l 172.16.30.12/32 [250/1], 00:22:26, Null0
C 172.16.30.254/32 is directly connected, Loopback1041
Fusion-1#show ip route vrf GUEST
Gateway of last resort is 202.100.10.10 to network 0.0.0.0
S* 0.0.0.0/0 [1/0] via 202.100.10.10
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
B 10.1.2.0/24 is directly connected, 00:00:53, GigabitEthernet2
L 10.1.2.254/32 is directly connected, GigabitEthernet2
172.16.0.0/16 is variably subnetted, 3 subnets, 3 masks
C 172.16.10.8/30 is directly connected, GigabitEthernet3.3003
L 172.16.10.10/32 is directly connected, GigabitEthernet3.3003
B 172.16.30.0/24 [20/0] via 172.16.10.9, 10:35:11
Traffic to Internet and other VNs
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
L2 Handoff
Border-2 initial Configuration
hostname Border-2
!
ip routing
!
ip domain name clab.com
!
system mtu 9100
!
interface Loopback0
ip address 10.0.1.5 255.255.255.255
ip router isis
!
interface GigabitEthernet0/0
vrf forwarding Mgmt-vrf
ip address 10.8.25.148 255.255.255.128
negotiation auto
!
interface GigabitEthernet1/0/1
no switchport
ip address 10.0.2.18 255.255.255.252
ip router isis
!
router isis
net 49.0000.0000.0012.00
is-type level-2-only
metric-style transition
!
ip http server
ip http secure-server
ip ftp source-interface GigabitEthernet0/0
ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 10.8.25.131
DNAC > Discovery > Provision
Make sure border-2 is DISTRIBUTION device role
Enable L2 handoff
Border-2#show ip route vrf CLAB_VN2 172.16.3.11
Routing Table: CLAB_VN2
Routing entry for 172.16.3.11/32
Known via "lisp", distance 10, metric 1, type unknown
Last update from 172.16.3.11 on Vlan999, 00:03:29 ago
Routing Descriptor Blocks:
* 172.16.3.11, from 0.0.0.0, 00:03:29 ago, via Vlan999
Route metric is 1, traffic share count is 1
Border-2#show lisp eid-table vrf CLAB_VN2 ipv4 map-cache
LISP IPv4 Mapping Cache for LISP 0 EID-table vrf CLAB_VN2 (IID 4100), 4 entries
0.0.0.0/0, uptime: 00:04:16, expires: never, via static-send-map-request
Encapsulating to proxy ETR
0.0.0.0/1, uptime: 00:03:47, expires: 00:11:12, via map-reply, forward-native
Encapsulating to proxy ETR
172.16.0.0/23, uptime: 00:02:44, expires: 00:12:15, via map-reply, forward-native
Encapsulating to proxy ETR
172.16.3.0/24, uptime: 00:04:16, expires: never, via dynamic-EID, send-map-request
Encapsulating to proxy ETR
Border-1#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport
Site Name Last Up Who Last Inst EID Prefix
Register Registered ID
site_uci never no -- 4097 10.0.3.0/24
1d23h yes# 10.0.1.1:44429 4097 10.0.3.10/32
1d23h yes# 10.0.1.2:33692 4097 10.0.3.11/32
never no -- 4097 10.0.6.0/24
never no -- 4099 172.16.1.0/24
2d05h yes# 10.0.1.1:44429 4099 172.16.1.11/32
never no -- 4099 172.16.2.0/24
never no -- 4100 172.16.3.0/24
19:50:01 yes# 10.0.1.2:33692 4100 172.16.3.10/32
00:08:24 yes# 10.0.1.5:47911 4100 172.16.3.11/32
never no -- 4101 172.16.30.0/24
Border-1#show lisp eid-table vrf CLAB_VN2 ipv4 map-cache
LISP IPv4 Mapping Cache for LISP 0 EID-table vrf CLAB_VN2 (IID 4100), 2 entries
172.16.3.10/32, uptime: 22:22:41, expires: 01:37:18, via map-reply, complete
Locator Uptime State Pri/Wgt Encap-IID
10.0.1.2 22:22:41 up 10/10 -
172.16.3.11/32, uptime: 00:08:48, expires: 23:51:11, via map-reply, complete
Locator Uptime State Pri/Wgt Encap-IID
10.0.1.5 00:08:48 up 10/10 -
Border-1#show ip cef vrf CLAB_VN2 172.16.3.11
172.16.3.11/32
nexthop 10.0.1.5 LISP0.4100
Border-2#show ip cef vrf CLAB_VN2 172.16.3.11
172.16.3.11/32
nexthop 172.16.3.11 Vlan999
Border-1#show run int LISP0.4100
interface LISP0.4100
vrf forwarding CLAB_VN2
end
Border-1#show run | s instance-id 4100
instance-id 4100
remote-rloc-probe on-route-change
service ipv4
eid-table vrf CLAB_VN2
database-mapping 172.16.10.4/30 locator-set rloc_677057e3-8eb6-4516-b71d-9cbabcfa3d00
route-export site-registrations
distance site-registrations 250
map-cache site-registration
exit-service-ipv4
!
exit-instance-id
eid-record instance-id 4100 172.16.3.0/24 accept-more-specifics
Edge-1#lig instance-id 4100 172.16.3.11
Mapping information for EID 172.16.3.11 from 10.0.1.3 with RTT 1 msecs
172.16.3.11/32, uptime: 00:00:31, expires: 23:59:59, via map-reply, complete
Locator Uptime State Pri/Wgt Encap-IID
10.0.1.5 00:00:31 up 10/10 -
Border-2#lig instance-id 4100 172.16.3.11
Mapping information for EID 172.16.3.11 from 10.0.1.5 with RTT 2 msecs
172.16.3.11/32, uptime: 00:00:00, expires: 23:59:59, via map-reply, self, complete
Locator Uptime State Pri/Wgt Encap-IID
10.0.1.5 00:00:00 up, self 10/10 -
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
DNAC Template
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Troubleshooting Host Authentication Issues
Edge-1#show aaa server
RADIUS: id 3, priority 1, host 10.8.20.116, auth-port 1812, acct-port 1813, hostname dnac-radius_10.8.20.116
State: current UP,
Edge-1#show authentication sessions interface g1/0/12 details
Interface: GigabitEthernet1/0/12
IIF-ID: 0x1135686C
MAC Address: 0800.27c9.b24d
IPv6 Address: fe80::71da:5fc9:c57:c853
IPv4 Address: 172.16.1.11
User-Name: dnauser1
Device-type: Microsoft-Workstation
Device-name: WIN7PC1
VRF: CLAB_VN
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Oper control dir: both
Session timeout: N/A
Acct update timeout: 172800s (local), Remaining: 172781s
Common Session ID: 0202000A00000098D76AD55E
Acct Session ID: 0x0000008e
Handle: 0x4200008e
Current Policy: PMAP_DefaultWiredDot1xClosedAuth_1X_MAB
Local Policies:
Server Policies:
SGT Value: 16
Method status list:
Method State
dot1x Authc Success
Edge-1#show cts pac
AID: 911DC573492B20B34B554AE350A823BB
PAC-Info:
PAC-type = Cisco Trustsec
AID: 911DC573492B20B34B554AE350A823BB
I-ID: FCW2327C0A1
A-ID-Info: Identity Services Engine
Credential Lifetime: 19:18:45 UTC Mon Oct 30 2023
PAC-Opaque: 000200B80003000100040010911DC573492B20B34B554AE350A823BB0006009C000301003B377E9290C93844007C5507361148B00000001364C04C8800093A805FAD739773070066B52FEA2D1D066E661F275E7C8834A147546D497F94B0BFE606EC692E402D8C0CE5D8FE64D04270B282A008BCF5D55D3FECF44CFA5ED2D293088C0E71F5DE2F02410EDE8A84DEE5A8804B884A294618D323A3D66FE3BE1E20D152FF59B08DA90E21B6C2FE77A34DFA2F160D104BC2EEC4241CFDE6
Refresh timer is set for 10w4d
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Troubleshooting SGT issues
Edge-1#show cts environment-data
CTS Environment Data
====================
Current state = COMPLETE
Last status = Successful
Service Info Table:
Local Device SGT:
SGT tag = 2-00:TrustSec_Devices
Server List Info:
Installed list: CTSServerList1-0001, 1 server(s):
*Server: 10.8.20.116, port 1812, A-ID 911DC573492B20B34B554AE350A823BB
Status = ALIVE
auto-test = TRUE, keywrap-enable = FALSE, idle-time = 60 mins, deadtime = 20 secs
Security Group Name Table:
0-00:Unknown
2-00:TrustSec_Devices
3-00:Network_Services
4-00:Employees
5-00:Contractors
6-00:Guests
7-00:Production_Users
8-04:Developers
9-00:Auditors
10-00:Point_of_Sale_Systems
11-00:Production_Servers
12-00:Development_Servers
13-00:Test_Servers
14-00:PCI_Servers
15-00:BYOD
16-16:win7_sgt_tag1
17-00:win7_sgt_tag2
18-05:win7_sgt_tag3
19-00:DC2012
20-00:MGMT_NET
21-00:Human_Resources
255-00:Quarantined_Systems
Environment Data Lifetime = 86400 secs
Last update time = 18:29:15 UTC Tue Aug 15 2023
Env-data expires in 0:23:05:11 (dd:hr:mm:sec)
Env-data refreshes in 0:23:05:11 (dd:hr:mm:sec)
Cache data applied = NONE
State Machine is running
Retry_timer (60 secs) is not running
Edge-1#
Edge-1#show cts role-based sgt-map vrf CLAB_VN all
%IPv6 protocol is not enabled in VRF CLAB_VN
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
169.254.44.186 17 LOCAL
172.16.1.11 16 LOCAL
172.16.1.254 2 INTERNAL
172.16.2.254 2 INTERNAL
IP-SGT Active Bindings Summary
============================================
Total number of LOCAL bindings = 2
Total number of INTERNAL bindings = 2
Total number of active bindings = 4
Edge-1#show cts rbacl
CTS RBACL Policy
================
RBACL IP Version Supported: IPv4 & IPv6
name = Permit IP-00
IP protocol version = IPV4, IPV6
refcnt = 2
flag = 0xC1000000
stale = FALSE
RBACL ACEs:
permit ip
name = DenyWeb-02
IP protocol version = IPV4, IPV6
refcnt = 2
flag = 0xC1000000
stale = FALSE
RBACL ACEs:
deny tcp dst eq 80
deny tcp dst eq 443
deny udp dst eq 443
permit ip
Edge-1#show cts role-based counters
Role-based IPv4 counters
From To SW-Denied HW-Denied SW-Permitt HW-Permitt SW-Monitor HW-Monitor
* * 0 0 72713 112154 0 0
17 16 0 0 0 0 0 0
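The two outputs above answer different questions. The session details show what ISE returned for the host (SGT Value 16 for dnauser1), while show cts role-based sgt-map shows what the switch actually enforces on: the IP-to-SGT binding built from device-tracking. A session that is Authorized but whose IP has no LOCAL binding, or whose binding carries a different tag, never hits the expected source/destination row in show cts role-based counters, which is the usual shape of an "RBACL is not applied" ticket. The Python below is an added example, not tooling from the page: it parses constructed copies of the three outputs (session details, sgt-map, and the SGT name table from show cts environment-data) and reports whether the authorized SGT is the one bound to the host's IPv4 address.

```python
"""Cross-check a wired host's dot1x session against its IP-SGT binding.

Added example. Inputs are trimmed copies of the Edge-1 outputs on the page;
the parsers only rely on the 'Key: value' and column layouts shown there.
"""
import re

SESSION = """\
Interface: GigabitEthernet1/0/12
MAC Address: 0800.27c9.b24d
IPv4 Address: 172.16.1.11
User-Name: dnauser1
VRF: CLAB_VN
Status: Authorized
Domain: DATA
Oper host mode: multi-auth
Server Policies:
SGT Value: 16
Method status list:
Method State
dot1x Authc Success
"""

SGT_MAP = """\
Active IPv4-SGT Bindings Information
IP Address SGT Source
============================================
169.254.44.186 17 LOCAL
172.16.1.11 16 LOCAL
172.16.1.254 2 INTERNAL
172.16.2.254 2 INTERNAL
"""

ENV_DATA = """\
Security Group Name Table:
0-00:Unknown
2-00:TrustSec_Devices
4-00:Employees
6-00:Guests
16-16:win7_sgt_tag1
17-00:win7_sgt_tag2
255-00:Quarantined_Systems
Environment Data Lifetime = 86400 secs
"""


def parse_session(text):
    """'Key: value' pairs from 'show authentication sessions ... details',
    plus a 'methods' dict built from the rows after the 'Method State' header."""
    fields, methods, in_methods = {}, {}, False
    for line in text.splitlines():
        line = line.strip()
        if in_methods:
            parts = line.split(None, 1)
            if len(parts) == 2:
                methods[parts[0]] = parts[1]
        elif line == "Method State":
            in_methods = True
        elif ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    fields["methods"] = methods
    return fields


def parse_sgt_map(text):
    """ip -> (sgt, source) from 'show cts role-based sgt-map ... all'."""
    return {m[1]: (int(m[2]), m[3])
            for m in re.finditer(r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s+(\S+)\s*$", text, re.M)}


def parse_sgt_names(text):
    """sgt -> name from the Security Group Name Table in environment-data."""
    return {int(m[1]): m[2] for m in re.finditer(r"^(\d+)-\d+:(\S+)$", text, re.M)}


def check_host(session_text, sgt_map_text, env_text):
    """Findings for one session; 'ok' is True only when the session is authorized,
    ISE returned an SGT, and that SGT is what is bound to the session's IPv4."""
    s = parse_session(session_text)
    bound = parse_sgt_map(sgt_map_text).get(s.get("IPv4 Address"))
    names = parse_sgt_names(env_text)
    session_sgt = int(s["SGT Value"]) if s.get("SGT Value", "").isdigit() else None
    f = {
        "authorized": s.get("Status") == "Authorized",
        "method": next((m for m, st in s["methods"].items() if "Success" in st), None),
        "session_sgt": session_sgt,
        "bound_sgt": bound[0] if bound else None,
        "binding_source": bound[1] if bound else None,
        "sgt_name": names.get(session_sgt),
    }
    f["ok"] = bool(f["authorized"] and session_sgt is not None
                   and bound is not None and bound[0] == session_sgt)
    return f
```

When the binding is missing the fix is rarely on ISE: the session already carries the tag, so look at why device-tracking has not learned the IP (the DHCP section below) before touching the authorization policy.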
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Troubleshooting Host DHCP Onboarding Issue
Edge-1#show run | s ip dhcp
ip dhcp relay information option
ip dhcp snooping vlan 1021-1022,1031,1034-1035,1041
ip dhcp snooping
Edge-1#debug ip dhcp server packet
.Aug 15 19:34:01.180: DHCPD: broadcasting BOOTREPLY to client 0800.27c9.b24d.
.Aug 15 19:34:01.209: DHCPD: tableid for 172.16.1.254 on Vlan1031 is 14
.Aug 15 19:34:01.209: DHCPD: client's VPN is CLAB_VN.
.Aug 15 19:34:01.209: DHCPD: No option 125
.Aug 15 19:34:01.209: DHCPD: No option 124
.Aug 15 19:34:01.209: DHCPD: Finding a relay for client 0108.0027.c9b2.4d on interface Vlan1031.
.Aug 15 19:34:01.209: DHCPD: Looking up binding using address 172.16.1.254
.Aug 15 19:34:01.209: DHCPD: setting giaddr to 172.16.1.254.
.Aug 15 19:34:01.209: DHCPD: BOOTREQUEST from 0108.0027.c9b2.4d forwarded to 10.1.2.240.
.Aug 15 19:34:01.211: DHCPD: tableid for 172.16.1.254 on LISP0.4099 is 14
.Aug 15 19:34:01.211: DHCPD: client's VPN is .
.Aug 15 19:34:01.211: DHCPD: No option 125
.Aug 15 19:34:01.211: DHCPD: No option 124
.Aug 15 19:34:01.211: DHCPD: forwarding BOOTREPLY to client 0800.27c9.b24d.
.Aug 15 19:34:01.211: DHCPD: Option 125 not present in the msg.
.Aug 15 19:34:01.211: DHCPD: egress Interfce Vlan1031
.Aug 15 19:34:01.211: DHCPD: broadcasting BOOTREPLY to client 0800.27c9.b24d.
.Aug 15 19:34:01.211: DHCPD: Address 172.16.1.11 is not local and is in configured LISP EID space
.Aug 15 19:34:01.211: DHCPD: egress Interface Vlan1031, called by server 0, reply to relay 0, msg type 5
Edge-1#show udp detail
Proto Remote Port Local Port In Out Stat TTY OutputIF
17 10.1.2.240 67 10.0.1.1 67 0 0 2102211 0
Edge-1#show ip dhcp snooping binding
MacAddress IpAddress Lease(sec) Type VLAN Interface
------------------ --------------- ---------- ------------- ---- --------------------
08:00:27:C9:B2:4D 172.16.1.11 690913 dhcp-snooping 1031 GigabitEthernet1/0/12
Total number of bindings: 1
Edge-1#show arp vrf CLAB_VN
Protocol Address Age (min) Hardware Addr Type Interface
Internet 172.16.1.11 1 0800.27c9.b24d ARPA Vlan1031
Edge-1#show device-tracking database
Binding Table has 9 entries, 3 dynamic (limit 200000)
Codes: L - Local, S - Static, ND - Neighbor Discovery, ARP - Address Resolution Protocol, DH4 - IPv4 DHCP, DH6 - IPv6 DHCP, PKT - Other Packet, API - API created
Preflevel flags (prlvl):
0001:MAC and LLA match 0002:Orig trunk 0004:Orig access
0008:Orig trusted trunk 0010:Orig trusted access 0020:DHCP assigned
0040:Cga authenticated 0080:Cert authenticated 0100:Statically assigned
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
DH4 172.16.1.11 0800.27c9.b24d Gi1/0/12 1031 0024 123s REACHABLE 129 s(690811 s)
LISP local database on the fabric edge
Border-1#show lisp site
LISP Site Registration Information
* = Some locators are down or unreachable
# = Some registrations are sourced by reliable transport
Site Name Last Up Who Last Inst EID Prefix
Register Registered ID
site_uci never no -- 4097 10.0.3.0/24
never no -- 4097 10.0.6.0/24
never no -- 4099 172.16.1.0/24
00:12:30 yes# 10.0.1.1:44429 4099 172.16.1.11/32
never no -- 4099 172.16.2.0/24
never no -- 4100 172.16.3.0/24
02:22:58 yes# 10.0.1.2:33692 4100 172.16.3.10/32
never no -- 4101 172.16.30.0/24
Edge-1#show ip lisp instance-id 4099 database
LISP ETR IPv4 Mapping Database for LISP 0 EID-table vrf CLAB_VN (IID 4099), LSBs: 0x1
Entries total 2, no-route 0, inactive 0, do-not-register 1
172.16.1.11/32, dynamic-eid 172_16_1_0-CLAB_VN-IPV4, inherited from default locator-set rloc_7729f71c-b0a2-4252-9524-c80902e89755
Uptime: 00:12:48, Last-change: 00:12:48
Domain-ID: local
Service-Insertion: N/A
Locator Pri/Wgt Source State
10.0.1.1 10/10 cfg-intf site-self, reachable
Edge-1#show ip lisp map-cache instance-id 4099
LISP IPv4 Mapping Cache for LISP 0 EID-table vrf CLAB_VN (IID 4099), 5 entries
0.0.0.0/0, uptime: 6d20h, expires: never, via static-send-map-request
Encapsulating to proxy ETR
0.0.0.0/1, uptime: 02:28:35, expires: 00:14:25, via map-reply, forward-native
Encapsulating to proxy ETR
172.16.1.0/24, uptime: 6d20h, expires: never, via dynamic-EID, send-map-request
Encapsulating to proxy ETR
172.16.2.0/24, uptime: 6d20h, expires: never, via dynamic-EID, send-map-request
Encapsulating to proxy ETR
176.0.0.0/4, uptime: 00:00:58, expires: 00:14:01, via map-reply, forward-native
Encapsulating to proxy ETR
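Read the outputs above as a chain. DHCP snooping records the lease, device-tracking turns it into a DH4 entry, the edge then installs a dynamic-EID /32 for the host in its LISP database and registers it with the map-server, which lists the /32 under the edge's RLOC in show lisp site. The first stage that is missing tells you which component to debug: the relay and helper-address if there is no snooping binding, the device-tracking policy if the lease exists but no DH4 entry, LISP if the /32 is tracked but never registered. The Python below is an added example, not tooling from the page: it parses constructed copies of the four outputs and reports the last stage reached for a given MAC. The same show lisp site parser answers the L2 handoff question from the earlier section, namely that 172.16.3.11/32 is registered by Border-2's RLOC 10.0.1.5 rather than by an edge.

```python
"""Walk the SD-Access host-onboarding chain from the show outputs above.

Added example. The four inputs are trimmed copies of the Edge-1 / Border-1
outputs on the page; only the column layouts shown there are relied on.
"""
import re

SNOOPING = """\
MacAddress IpAddress Lease(sec) Type VLAN Interface
08:00:27:C9:B2:4D 172.16.1.11 690913 dhcp-snooping 1031 GigabitEthernet1/0/12
Total number of bindings: 1
"""
DEVICE_TRACKING = """\
Network Layer Address Link Layer Address Interface vlan prlvl age state Time left
DH4 172.16.1.11 0800.27c9.b24d Gi1/0/12 1031 0024 123s REACHABLE 129 s(690811 s)
"""
LISP_DATABASE = """\
LISP ETR IPv4 Mapping Database for LISP 0 EID-table vrf CLAB_VN (IID 4099), LSBs: 0x1
172.16.1.11/32, dynamic-eid 172_16_1_0-CLAB_VN-IPV4, inherited from default locator-set rloc_7729f71c-b0a2-4252-9524-c80902e89755
Locator Pri/Wgt Source State
10.0.1.1 10/10 cfg-intf site-self, reachable
"""
LISP_SITE = """\
Site Name Last Up Who Last Inst EID Prefix
site_uci never no -- 4097 10.0.3.0/24
never no -- 4099 172.16.1.0/24
00:12:30 yes# 10.0.1.1:44429 4099 172.16.1.11/32
never no -- 4100 172.16.3.0/24
19:50:01 yes# 10.0.1.2:33692 4100 172.16.3.10/32
00:08:24 yes# 10.0.1.5:47911 4100 172.16.3.11/32
"""


def norm_mac(mac):
    """'08:00:27:C9:B2:4D' and '0800.27c9.b24d' both become '080027c9b24d'."""
    return re.sub(r"[^0-9a-f]", "", mac.lower())

def parse_snooping(text):
    """mac -> {ip, vlan, interface} from 'show ip dhcp snooping binding'."""
    pat = r"^([0-9A-Fa-f:]{17})\s+(\S+)\s+\d+\s+\S+\s+(\d+)\s+(\S+)"
    return {norm_mac(m[1]): {"ip": m[2], "vlan": int(m[3]), "interface": m[4]}
            for m in re.finditer(pat, text, re.M)}

def parse_device_tracking(text):
    """ip -> {source, mac, state} from 'show device-tracking database'."""
    pat = r"^(DH4|DH6|ARP|ND|PKT|API|L|S)\s+(\S+)\s+([0-9a-f.]{14})\s+\S+\s+\d+\s+\S+\s+\S+\s+(\S+)"
    return {m[2]: {"source": m[1], "mac": norm_mac(m[3]), "state": m[4]}
            for m in re.finditer(pat, text, re.M)}

def parse_lisp_database(text):
    """eid-prefix -> [locator rows] from 'show ip lisp instance-id N database'."""
    out, cur = {}, None
    for line in text.splitlines():
        if m := re.match(r"(\d+\.\d+\.\d+\.\d+/\d+),", line):
            cur = out.setdefault(m[1], [])
        elif cur is not None and (m := re.match(r"(\d+\.\d+\.\d+\.\d+)\s+\d+/\d+\s+\S+\s+(.+)", line)):
            cur.append({"rloc": m[1], "state": m[2].strip()})
    return out

def parse_lisp_site(text):
    """(instance-id, eid-prefix) -> registering RLOC, or None if never registered."""
    pat = r"^(?:\S+\s+)?(\S+)\s+(yes#?|no)\s+(\S+)\s+(\d+)\s+(\S+/\d+)\s*$"
    return {(int(m[4]), m[5]): (m[3].split(":")[0] if m[2].startswith("yes") else None)
            for m in re.finditer(pat, text, re.M)}

def onboarding_status(mac, iid, snooping, tracking, database, site, edge_rloc):
    """Return (last_stage_reached, message); stage None means no lease was ever seen."""
    mac = norm_mac(mac)
    b = parse_snooping(snooping).get(mac)
    if not b:
        return None, "no DHCP snooping binding: the lease never completed on this edge"
    ip = b["ip"]
    t = parse_device_tracking(tracking).get(ip)
    if not t or t["mac"] != mac:
        return "dhcp_snooping", f"{ip} leased but not in device-tracking (no DH4 entry)"
    if f"{ip}/32" not in parse_lisp_database(database):
        return "device_tracking", f"{ip} tracked but no dynamic-EID /32 in the LISP database"
    who = parse_lisp_site(site).get((iid, f"{ip}/32"))
    if who != edge_rloc:
        return "lisp_database", f"{ip}/32 not registered by {edge_rloc} at the map-server (got {who})"
    return "map_server", f"{ip}/32 registered by {edge_rloc}: host fully onboarded"
```

The instance-id is part of the lookup key on purpose: the same /32 can legitimately be registered in two VNs, and a host that landed in the wrong VN looks fully onboarded until you check the IID it registered under.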
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Appendix A - Fusion router configuration
!
vrf definition CLAB_VN
rd 1:4099
!
address-family ipv4
import ipv4 unicast map Global_Map
export ipv4 unicast map CLAB_VN_Map
route-target export 1:4099
route-target import 1:4099
route-target import 1:4100
exit-address-family
!
vrf definition CLAB_VN2
rd 1:4100
!
address-family ipv4
import ipv4 unicast map Global_Map
export ipv4 unicast map CLAB_VN2_Map
route-target export 1:4100
route-target import 1:4100
route-target import 1:4099
exit-address-family
!
vrf definition GUEST
rd 1:4101
!
address-family ipv4
import ipv4 unicast map Global_map
export ipv4 unicast map GUEST_Map
route-target export 1:4101
route-target import 1:4101
exit-address-family
!
no aaa new-model
!
!
!
!
!
interface GigabitEthernet1
ip dhcp client client-id ascii 9CZSIGGOLPC
ip address 202.100.10.11 255.255.255.0
negotiation auto
!
interface GigabitEthernet2
ip address 10.1.2.254 255.255.255.0
negotiation auto
!
interface GigabitEthernet3
no ip address
negotiation auto
!
interface GigabitEthernet3.3001
encapsulation dot1Q 3001
vrf forwarding CLAB_VN
ip address 172.16.10.2 255.255.255.252
!
interface GigabitEthernet3.3002
encapsulation dot1Q 3002
vrf forwarding CLAB_VN2
ip address 172.16.10.6 255.255.255.252
!
interface GigabitEthernet3.3003
encapsulation dot1Q 3003
vrf forwarding GUEST
ip address 172.16.10.10 255.255.255.252
!
interface GigabitEthernet4
ip address 10.8.25.145 255.255.255.128
negotiation auto
!
router bgp 1000
bgp log-neighbor-changes
!
address-family ipv4
network 10.1.2.0 mask 255.255.255.0
network 10.8.25.128 mask 255.255.255.128
exit-address-family
!
address-family ipv4 vrf CLAB_VN
neighbor 172.16.10.1 remote-as 100
neighbor 172.16.10.1 update-source GigabitEthernet3.3001
neighbor 172.16.10.1 activate
neighbor 172.16.10.1 default-originate
exit-address-family
!
address-family ipv4 vrf CLAB_VN2
neighbor 172.16.10.5 remote-as 100
neighbor 172.16.10.5 update-source GigabitEthernet3.3002
neighbor 172.16.10.5 activate
neighbor 172.16.10.5 default-originate
exit-address-family
!
address-family ipv4 vrf GUEST
neighbor 172.16.10.9 remote-as 100
neighbor 172.16.10.9 update-source GigabitEthernet3.3003
neighbor 172.16.10.9 activate
neighbor 172.16.10.9 default-originate
exit-address-family
!
ip route 0.0.0.0 0.0.0.0 202.100.10.10
ip route 10.8.20.119 255.255.255.255 10.8.25.131
ip route vrf CLAB_VN 0.0.0.0 0.0.0.0 202.100.10.10 global
ip route vrf CLAB_VN2 0.0.0.0 0.0.0.0 202.100.10.10 global
ip route vrf GUEST 0.0.0.0 0.0.0.0 202.100.10.10 global
!
!
!
ip prefix-list CLAB_VN seq 5 permit 172.16.1.0/24
ip prefix-list CLAB_VN seq 10 permit 172.16.2.0/24
!
ip prefix-list CLAB_VN2 seq 5 permit 172.16.3.0/24
!
ip prefix-list GUEST seq 5 permit 172.16.30.0/24
!
ip prefix-list Global_Prefix seq 5 permit 10.1.2.0/24
!
route-map Global_map permit 10
match ip address prefix-list Global_Prefix
!
route-map Global_Map permit 10
match ip address prefix-list Global_Prefix
!
route-map CLAB_VN_Map permit 10
match ip address prefix-list CLAB_VN
!
route-map GUEST_Map permit 10
match ip address prefix-list GUEST
!
route-map CLAB_VN2_Map permit 10
match ip address prefix-list CLAB_VN2
!
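The import/export maps and route-targets above decide which VN can see which prefixes: CLAB_VN and CLAB_VN2 import each other's route-target, while GUEST imports only its own route-target plus the 10.1.2.0/24 shared-services prefix from the global table, which is why the GUEST route tables in the Wireless Guest section show no CLAB_VN or CLAB_VN2 routes. The Python below is an added example, not configuration or tooling from the page: it parses the vrf definition, prefix-list and route-map lines of Appendix A (embedded as a trimmed excerpt) and computes, per VRF, what it can reach and from where, so a guest VN can be proven isolated before the config is pushed. It assumes each VRF's export prefix-list stands in for the routes that VRF carries; on the real router route-target export tags every BGP route in the VRF, which is why the handoff link 172.16.10.4/30 also appears in show ip route vrf CLAB_VN above. GUEST_LEAK_CONFIG is a hypothetical misconfiguration (GUEST additionally importing 1:4099) used to show the check failing.

```python
"""Inter-VRF leak matrix for the fusion-router configuration in Appendix A.

Added example. Only the prefix-list / route-map / route-target subset of IOS
syntax used on the page is modelled; export prefix-lists stand in for the
routes each VRF carries (see lead-in).
"""
import re
from collections import defaultdict

# Trimmed excerpt of Appendix A, copied from the page.
FUSION_CONFIG = """
vrf definition CLAB_VN
 address-family ipv4
  import ipv4 unicast map Global_Map
  export ipv4 unicast map CLAB_VN_Map
  route-target export 1:4099
  route-target import 1:4099
  route-target import 1:4100
vrf definition CLAB_VN2
 address-family ipv4
  import ipv4 unicast map Global_Map
  export ipv4 unicast map CLAB_VN2_Map
  route-target export 1:4100
  route-target import 1:4100
  route-target import 1:4099
vrf definition GUEST
 address-family ipv4
  import ipv4 unicast map Global_map
  export ipv4 unicast map GUEST_Map
  route-target export 1:4101
  route-target import 1:4101
ip prefix-list CLAB_VN seq 5 permit 172.16.1.0/24
ip prefix-list CLAB_VN seq 10 permit 172.16.2.0/24
ip prefix-list CLAB_VN2 seq 5 permit 172.16.3.0/24
ip prefix-list GUEST seq 5 permit 172.16.30.0/24
ip prefix-list Global_Prefix seq 5 permit 10.1.2.0/24
route-map Global_map permit 10
 match ip address prefix-list Global_Prefix
route-map Global_Map permit 10
 match ip address prefix-list Global_Prefix
route-map CLAB_VN_Map permit 10
 match ip address prefix-list CLAB_VN
route-map GUEST_Map permit 10
 match ip address prefix-list GUEST
route-map CLAB_VN2_Map permit 10
 match ip address prefix-list CLAB_VN2
"""

# Hypothetical misconfiguration: GUEST also imports CLAB_VN's route-target.
GUEST_LEAK_CONFIG = FUSION_CONFIG.replace(
    "route-target import 1:4101",
    "route-target import 1:4101\n  route-target import 1:4099")


def parse_config(text):
    """Return (vrfs, prefix_lists, route_maps); names are case-sensitive, as in IOS."""
    vrfs, plists, rmaps = {}, defaultdict(list), defaultdict(list)
    vrf = rmap = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"vrf definition (\S+)", line):
            vrf = vrfs.setdefault(m[1], {"import_rt": set(), "export_rt": set(),
                                          "import_map": None, "export_map": None})
            rmap = None
        elif m := re.match(r"route-map (\S+) permit \d+", line):
            rmap, vrf = m[1], None
        elif m := re.match(r"ip prefix-list (\S+) seq \d+ permit (\S+)", line):
            plists[m[1]].append(m[2])
        elif vrf is not None and (m := re.match(r"route-target (import|export) (\S+)", line)):
            vrf[m[1] + "_rt"].add(m[2])
        elif vrf is not None and (m := re.match(r"(import|export) ipv4 unicast map (\S+)", line)):
            vrf[m[1] + "_map"] = m[2]
        elif rmap is not None and (m := re.match(r"match ip address prefix-list (\S+)", line)):
            rmaps[rmap].append(m[1])
    return vrfs, plists, rmaps

def map_prefixes(name, plists, rmaps):
    """Prefixes permitted by a route-map (only prefix-list matches are modelled)."""
    return {p for pl in rmaps.get(name, []) for p in plists.get(pl, [])}

def leak_matrix(text):
    """vrf -> {prefix: origin}; origin is 'global' (via the import map) or the name
    of the VRF whose export route-target this VRF imports (itself included)."""
    vrfs, plists, rmaps = parse_config(text)
    exported = {n: map_prefixes(v["export_map"], plists, rmaps) for n, v in vrfs.items()}
    matrix = {}
    for name, v in vrfs.items():
        seen = {p: "global" for p in map_prefixes(v["import_map"], plists, rmaps)}
        for other, o in vrfs.items():
            if v["import_rt"] & o["export_rt"]:
                seen.update({p: other for p in exported[other]})
        matrix[name] = seen
    return matrix

def isolation_violations(text, vrf="GUEST"):
    """Prefixes 'vrf' can reach that belong to another VRF; empty means isolated."""
    return {p: src for p, src in leak_matrix(text)[vrf].items()
            if src not in ("global", vrf)}
```

Names are matched case-sensitively because IOS does the same: the appendix defines both Global_map and Global_Map, and the GUEST VRF references the lowercase one, so cleaning up the apparent duplicate route-map would silently drop the shared-services prefix from GUEST.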
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Multicast
Border-1(config)#int lo 0
Border-1(config-if)#ip pim sparse-mode
Border-1(config)#int g1/0/1
Border-1(config-if)#ip pim sparse-mode
Border-1(config-if)#int g1/0/2
Border-1(config-if)#ip pim sparse-mode
Border-1(config)#ip multicast-routing
Border-1#show ip pim neighbor
PIM Neighbor Table
Mode: B - Bidir Capable, DR - Designated Router, N - Default DR Priority,
P - Proxy Capable, S - State Refresh Capable, G - GenID Capable,
L - DR Load-balancing Capable
Neighbor Interface Uptime/Expires Ver DR
Address Prio/Mode
10.0.2.14 GigabitEthernet1/0/3 00:00:48/00:01:25 v2 1 / DR S P G
10.0.2.2 GigabitEthernet1/0/1 00:08:04/00:01:32 v2 1 / DR S P G
10.0.2.6 GigabitEthernet1/0/2 00:07:18/00:01:19 v2 1 / DR S P G
Edge-1(config)#int lo0
Edge-1(config-if)#ip pim sparse-mode
Edge-1(config)#int g1/0/1
Edge-1(config-if)#ip pim sparse-mode
Edge-1(config)#ip multicast-routing
!
Edge-2(config)#int lo 0
Edge-2(config-if)#ip pim sparse-mode
Edge-2(config-if)#exit
Edge-2(config)#int g1/0/1
Edge-2(config-if)#ip pim sparse-mode
Edge-2(config)#ip multicast-routing
ASM group range 239.0.0.1 - 239.0.1.246
Enable L2 flooding
Border-1#show ip vrf CLAB_VN
Name Default RD Interfaces
CLAB_VN 1:4099 Vl3001
Lo1031
Lo1034
LI0.4099
Lo4099
Tu2
Tu3
Border-1#show run | i multicast-routing
ip multicast-routing
ip multicast-routing vrf CLAB_VN2
Border-1#show run interface LISP0.4099
interface LISP0.4099
vrf forwarding CLAB_VN
ip pim lisp transport multicast
ip pim lisp core-group-range 232.0.0.1 1000
end
ip pim vrf CLAB_VN rp-address 172.16.31.1 ASM_ACL_IPV4_CLAB_VN_172.16.31.1
ip pim vrf CLAB_VN register-source Loopback4099
ip pim vrf CLAB_VN ssm default
Border-1#show run | i pim vrf CLAB_VN
ip pim vrf CLAB_VN2 rp-address 172.16.32.1
ip pim vrf CLAB_VN2 register-source Loopback4100
ip pim vrf CLAB_VN2 ssm default
ip pim vrf CLAB_VN rp-address 172.16.31.1
ip pim vrf CLAB_VN register-source Loopback4099
ip pim vrf CLAB_VN ssm default
Fusion-1
ip prefix-list CLAB_VN seq 15 permit 172.16.31.0/24
!
ip prefix-list CLAB_VN2 seq 10 permit 172.16.32.0/24
!
ip prefix-list Global_Prefix seq 10 permit 10.0.1.6/32
Fusion-1#show ip route bgp
172.16.0.0/24 is subnetted, 6 subnets
B 172.16.1.0 [20/0] via 172.16.10.1 (CLAB_VN), 2d00h
B 172.16.2.0 [20/0] via 172.16.10.1 (CLAB_VN), 2d00h
B 172.16.3.0 [20/0] via 172.16.10.5 (CLAB_VN2), 2d00h
B 172.16.30.0 [20/0] via 172.16.10.9 (GUEST), 2d00h
B 172.16.31.0 [20/0] via 172.16.10.1 (CLAB_VN), 00:00:06
B 172.16.32.0 [20/0] via 172.16.10.5 (CLAB_VN2), 00:00:06
Fusion-1#show run | s bgp
router bgp 1000
bgp log-neighbor-changes
!
address-family ipv4
network 10.0.1.6 mask 255.255.255.255
network 10.1.2.0 mask 255.255.255.0
network 10.8.25.128 mask 255.255.255.128
Fusion-1#show run | s ip msdp
ip msdp peer 172.16.31.1 connect-source Loopback0
ip msdp cache-sa-state
ip msdp originator-id Loopback0
Fusion-1#show run | s ip pim
ip pim rp-address 10.0.1.6 ASM_ACL_IPV4_CLAB_VN_172.16.31.1
ip pim ssm default
Border-1
Border-1#show run | s ip pim
ip pim vrf CLAB_VN rp-address 172.16.31.1 ASM_ACL_IPV4_CLAB_VN_172.16.31.1
ip pim vrf CLAB_VN register-source Loopback4099
ip pim vrf CLAB_VN ssm default
Border-1#show run | s ip msdp
ip msdp vrf CLAB_VN peer 10.0.1.6 connect-source Loopback4099
ip msdp vrf CLAB_VN cache-sa-state
ip msdp vrf CLAB_VN originator-id Loopback4099
Testing
Edge-1#show run int vlan 1031
Building configuration...
Current configuration : 405 bytes
!
interface Vlan1031
description Configured from Cisco DNA-Center
mac-address 0000.0c9f.f520
vrf forwarding CLAB_VN
ip address 172.16.1.254 255.255.255.0
ip helper-address 10.1.2.240
no ip redirects
ip pim passive
ip route-cache same-interface
ip igmp join-group 239.0.1.99
ip igmp version 3
ip igmp explicit-tracking
no lisp mobility liveness test
lisp mobility 172_16_1_0-CLAB_VN-IPV4
Fusion-1#show run int g2
Building configuration...
Current configuration : 213 bytes
!
interface GigabitEthernet2
ip address 10.1.2.254 255.255.255.0
ip pim passive
ip route-cache same-interface
ip igmp join-group 239.0.1.99
ip igmp version 3
ip igmp explicit-tracking
negotiation auto
end
C:\Users\Administrator\Desktop\iperf-2.0.9-win32\iperf-2.0.9-win32>iperf -c 234.1.2.3 -u -T 32 -t 3 -i 1 -B 10.1.2.240
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Extended Node
interface GigabitEthernet1/0/14
switchport mode trunk
channel-group 1 mode desirable
end
Edge-2#show run int vlan 1021
interface Vlan1021
description Configured from Cisco DNA-Center
mac-address 0000.0c9f.f6ad
ip address 10.0.6.254 255.255.255.0
ip helper-address global 10.1.2.240
no ip redirects
ip route-cache same-interface
no lisp mobility liveness test
lisp mobility 10_0_6_0-INFRA_VN-IPV4
end
Edge-2#show run | s 10_0_6_0-INFRA_VN-IPV4
lisp mobility 10_0_6_0-INFRA_VN-IPV4
dynamic-eid 10_0_6_0-INFRA_VN-IPV4
database-mapping 10.0.6.0/24 locator-set rloc_d4e88495-a5dd-4d63-bc97-151d2bc297d2
exit-dynamic-eid
Edge-2#show run | s Port-channel
interface Port-channel1
switchport mode trunk
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
Over the Top Wireless
Design > Global > wireless
WLC is not part of Fabric
Verify