DNAC LAN Automation vs. PnP
Table of Contents
Operating a network can be a daunting task. Especially when you find yourself manually repeating ordinary work on a regular basis. As a network engineer you are likely to enjoy challenges with protocols and designs rather than unboxing, mounting, and installing hardware. The time spent on this everyday work should be kept at a minimum. In a streamlined network design, the configuration of new equipment should be based on a template with few variables, such as hostname and IP addressing. Many companies already practice using templates, but for the most part the engineer must still manually adjust these variables, or at best some advanced excel spreadsheet or flat text file is used with a manual search and replace to build new configurations. Next, the device is powered up, connected to with a console cable and the newly build configuration is pasted into the device before installing it in its final location. Oh, and now both software upgrade and licensing tasks must be performed to be compliant. The workflow is manual, time consuming, and worst of all error prone due to the inevitable human factor.
Companies seek ways to eliminate manual intervention when it comes to network operations. It brings great value to a business to be able to automate as many repeating tasks as possible. At a minimum to provide a solution that minimizes time spent on these tasks while ensuring a consistent outcome - every time. This should help lower OPEX. Cisco DNA Center is a product that offers such a solution. In particular the automation of onboarding of new devices for the purpose of either bringing up a new network or expand an existing network, is addressed in the following sections.
DNA Center features LAN automation which can build the underlay used for an SD-Access deployment - or if you simply want a quick way to build a routed network using ISIS. The general idea is to leverage PnP to bring up a routed network - automated by DNAC. The user need not think about or have any experience with configuring routing protocols, or how PnP works. In a few steps an entire network can be provisioned in very little time. Minutes.
Below topology is used to demonstrate how LAN automation works.
Some restrictions and limitations exist for LAN automation:
- Seed device cannot be an SVL device
- No support for stack renumbering
- No image upgrade of the devices
Whenever using PnP we must have a way to provide IP reachability for DNAC. Besides IP connectivity, the PnP device must also know how to contact DNAC for onboarding. More information about PnP can be found here
Luckily LAN automation automates this configuration for us using an IP pool of type “LAN”:
This IP pool is used by DNAC for the following functions:
- Temporary DHCP server
- ¼ of the IP pool is allocated for DHCP
- IP pool must be between /23 and /25 (inclusive)
- Linknets for P2P links
- With DNAC 22.214.171.124 these are configured as /31s
- Loopback addresses for management of the nodes and SDA fabric operation (LISP RLOC and VXLAN VTEP)
You still need to configure and add a seed device for DNAC. On this device, DNAC will configure the DHCP pool and routing. I’ve configured BGP for initial reachability between my fusion switch and the border node which will act as my seed device. BGP is needed for SDA on the border for L3 handoff anyways. Note that the IP address of the seed device will be in a different IP subnet than the LAN automation IP pool. If you want a very strict IP addressing plan with all loopbacks in a site belonging to the same subnet allocation, you must either use regular PnP, or manually change it once LAN automation is complete.
I’ve configured this on the border (seed):
router bgp 65001 bgp log-neighbor-changes neighbor 100.64.1.249 remote-as 65000 ! address-family ipv4 network 100.64.1.254 mask 255.255.255.255 redistribute connected redistribute isis level-1-2 neighbor 100.64.1.249 activate exit-address-family border#
This will ensure that when DNAC configures VLAN1 for 100.64.0.0/25 it will be redistributed (connected) and when it finishes with ISIS, this too will be redistributed. This is a must to ensure reachability during and after LAN automation.
To see what happens on my seed device during LAN automation, I’ve configured this:
event manager applet catchall event cli pattern ".*" sync no skip no action 1 syslog msg "$_cli_msg"
The EEM applet will log any command entered to the device. Here is an example:
border#sh run int lo0 Building configuration... Current configuration : 68 bytes ! interface Loopback0 ip address 100.64.1.254 255.255.255.255 end border# *Jan 30 15:28:48.690: %HA_EM-6-LOG: catchall: show running-config interface Loopback0 border#
Start LAN automation
Below are my settings for starting LAN automation:
The primary device (seed) is our pre-configured border and its downstream ports (where the edge nodes connect). The LAN pool is selected along with an ISIS domain password and a hostname prefix for our edge nodes.
Here is the log with the output of what DNAC does to the seed device upon starting LAN automation:
! MTU system mtu 9100 ! Multicast ip multicast-routing ip pim ssm default ! interface Loopback0 ip pim sparse-mode ! interface Loopback60000 ip address 100.64.0.33 255.255.255.255 ip pim sparse-mode ! ip pim rp-address 100.64.0.33 ip pim register-source Loopback0 ! ISIS router isis net 49.0000.1000.6400.1254.00 domain-password zartmann metric-style wide nsf ietf log-adjacency-changes bfd all-interfaces passive-interface Loopback0 default-information originate ! interface Loopback0 ip router isis clns mtu 1400 ! interface Loopback60000 ip router isis ! DHCP ip dhcp excluded-address 100.64.0.1 ! ip dhcp pool nw_orchestration_pool network 100.64.0.0 255.255.255.224 option 43 ascii 5A1D;B2;K4;I10.181.15.10;J80; default-router 100.64.0.1 class ciscopnp address range 100.64.0.2 100.64.0.30 ! ip dhcp class ciscopnp option 60 ^ciscopnp ! VLAN1 interface Vlan1 ip address 100.64.0.1 255.255.255.224 no shutdown ip router isis clns mtu 1400 bfd interval 500 min_rx 500 multiplier 3 no ip redirects
Now the seed device is ready to onboard the edge nodes. Here are some screenshots to verify the progress:
We can see that LAN automation in fact uses PnP to onboard devices.
Once devices have been claimed and onboarded, the state of LAN automation changes to “Completed”. Now it is safe to stop LAN automation, and this is what happens to our seed device:
Highlights for the stop process:
! EEM to configure downlinks (only Gi1/0/2 shown) event manager applet _L3Applet_GigabitEthernet1/0/2 authorization bypass event timer countdown time 1 action 1.0 cli command "enable" action 1.1 cli command "config t" action 1.2 cli command "interface GigabitEthernet1/0/2" action 1.3 cli command "no switchport" action 1.4 cli command "ip address 100.64.0.38 255.255.255.254" action 1.5 cli command "ip router isis" action 1.6 cli command "isis network point-to-point" action 1.7 cli command "no shutdown" action 1.8 cli command "bfd interval 100 min_rx 100 multiplier 3" action 1.9 cli command "no ip redirects" action 2.0 cli command "dampening" action 2.1 cli command "logging event link-status" action 2.2 cli command "load-interval 30" action 2.3 cli command "description Fabric Physical Link" action 2.6 cli command "clns mtu 1400" action 2.7 cli command "exit" action 2.8 cli command "no event manager applet _L3Applet_GigabitEthernet1/0/2 authorization bypass" action 4.1 cli command "interface GigabitEthernet1/0/2" action 4.2 cli command "ip pim sparse-mode" action 4.4 cli command "do write memory" action 4.5 cli command "end" action 4.6 cli command "exit" ! VLAN1 interface Vlan1 no ip router isis no clns mtu no ip address no bfd interval ip redirects ! DHCP no ip dhcp pool nw_orchestration_pool no ip dhcp excluded-address 100.64.0.1 no ip dhcp class ciscopnp
The magic of converting VLAN1 to routed links is done using an EEM applet.
That is how LAN automation works. You might discuss the un-modifiable configuration template that DNAC uses. Especially its ISIS configuration that features legacy clear text authentication and the fact that it configures L1L2 routing. Also, no protocol tweaking is done in terms of lsp and spf optimizations that you usually do with ISIS. But, if the case is to just create a routed network in an automated way with no knowledge, LAN automation does it for you.
Compared to LAN automation, PnP gives you complete control of the configuration via the template you provide. Also, PnP has these advantages over LAN automation:
- Stack renumbering capability
- Image upgrade during PnP
On the other hand, you’ll not be able to provision a three-tier network in one go with PnP. This LAN automation supports due to its clever EEM applet that finishes the PnP process off by migrating VLAN1 to routed links.
To return to the ISIS configuration that LAN automation does. Here is the template I usually use for ISIS:
key chain isis-keys key 1 key-string zartmann ! interface Loopback0 ip address 100.127.127.1 255.255.255.255 ! router isis 1 net 49.0001.1001.2712.7001.00 is-type level-2-only authentication mode md5 authentication key-chain isis-keys metric-style wide max-lsp-lifetime 65535 lsp-refresh-interval 65000 spf-interval 5 1 20 prc-interval 5 1 20 lsp-gen-interval 5 1 20 no hello padding nsf ietf bfd all-interfaces log-adjacency-changes passive-interface Loopback0 ! interface Gi1/1/1 ip address 100.126.1.1 255.255.255.254 isis network point-to-point isis metric 40 level-2 isis authentication mode md5 isis authentication key-chain isis-keys ip router isis 1
With the above configuration we have an optimal ISIS configuration in terms of lsp and sfp tuning. Also, it is more secure with MD5 type passwords for both IIHs and LSPs. My template configured the router as a L2 IS. There is no need to have both L1 and L2 adjacencies.
Rich APIs make it possible to interact with DNAC. You can script your templates and use APIs to send it to DNAC and create a planned PnP task containing necessary information such as hostname, serial number, stack renumbering, and software version required for the device along with its placement in the site hierarchy after successful onboarding. This is the way to go if bringing up new devices happens on a regular basis, or you want to be able to do bulk provisioning of new sites with many devices.
DNAC itself has a template editor which now features Jinja2. A tempate language with dynamic capabilities to bring intelligence to your configurations.
With DNAC it is now possible to create an automated routed network in minutes - not hours. No knowledge of how to configure routing protocols is needed. LAN automation can be used to bring up a routed network. The feature is intended for provisioning an underlay network for SD-Access, but can be used just to create a routed network. Some limitations exist with LAN automation, but it is an easy way to start an SD-Access implementation.
If custom configurations are required, or you simply do not need a routed network, but just want to be able to add devices to your network, Cisco PnP can be used. Here you have full control over the configuration and even the ability to upgrade software and renumber a stack during onboarding.
Offbox automation can be used with DNAC’s APIs which will use DNAC as an engine towards the network.
There is no longer a reason to manually configure new devices using a console cable. A method that belongs in the past. The future relies on automation which DNAC provides for us. And device onboarding is just one of its use cases.
- SVL support - CSCvs99008
- LAN Automation: Step-by-step deployment guide and Troubleshooting
- Cisco DNA Center SD-Access LAN Automation Deployment Guide
- LAN Automation Tips and Tricks for Digital Network Architecture (DNA) Center
- Configuring IS-IS Authentication
- Adam Radford - Cisco Blogs
- Jinja2 - Cisco Blogs