DNAC LAN Automation vs. PnP

Table of Contents

The Challenge

Operating a network can be a daunting task. Especially when you find yourself manually repeating ordinary work on a regular basis. As a network engineer you are likely to enjoy challenges with protocols and designs rather than unboxing, mounting, and installing hardware. The time spent on this everyday work should be kept at a minimum. In a streamlined network design, the configuration of new equipment should be based on a template with few variables, such as hostname and IP addressing. Many companies already practice using templates, but for the most part the engineer must still manually adjust these variables, or at best some advanced excel spreadsheet or flat text file is used with a manual search and replace to build new configurations. Next, the device is powered up, connected to with a console cable and the newly build configuration is pasted into the device before installing it in its final location. Oh, and now both software upgrade and licensing tasks must be performed to be compliant. The workflow is manual, time consuming, and worst of all error prone due to the inevitable human factor.


Companies seek ways to eliminate manual intervention when it comes to network operations. It brings great value to a business to be able to automate as many repeating tasks as possible. At a minimum to provide a solution that minimizes time spent on these tasks while ensuring a consistent outcome - every time. This should help lower OPEX. Cisco DNA Center is a product that offers such a solution. In particular the automation of onboarding of new devices for the purpose of either bringing up a new network or expand an existing network, is addressed in the following sections.

LAN Automation

DNA Center features LAN automation which can build the underlay used for an SD-Access deployment - or if you simply want a quick way to build a routed network using ISIS. The general idea is to leverage PnP to bring up a routed network - automated by DNAC. The user need not think about or have any experience with configuring routing protocols, or how PnP works. In a few steps an entire network can be provisioned in very little time. Minutes.

Below topology is used to demonstrate how LAN automation works.


Some restrictions and limitations exist for LAN automation:

  • Seed device cannot be an SVL device
  • No support for stack renumbering
  • No image upgrade of the devices

Whenever using PnP we must have a way to provide IP reachability for DNAC. Besides IP connectivity, the PnP device must also know how to contact DNAC for onboarding. More information about PnP can be found here

Luckily LAN automation automates this configuration for us using an IP pool of type “LAN”:


This IP pool is used by DNAC for the following functions:

  • Temporary DHCP server
    • ¼ of the IP pool is allocated for DHCP
    • IP pool must be between /23 and /25 (inclusive)
  • Linknets for P2P links
    • With DNAC these are configured as /31s
  • Loopback addresses for management of the nodes and SDA fabric operation (LISP RLOC and VXLAN VTEP)

You still need to configure and add a seed device for DNAC. On this device, DNAC will configure the DHCP pool and routing. I’ve configured BGP for initial reachability between my fusion switch and the border node which will act as my seed device. BGP is needed for SDA on the border for L3 handoff anyways. Note that the IP address of the seed device will be in a different IP subnet than the LAN automation IP pool. If you want a very strict IP addressing plan with all loopbacks in a site belonging to the same subnet allocation, you must either use regular PnP, or manually change it once LAN automation is complete.

I’ve configured this on the border (seed):

router bgp 65001
 bgp log-neighbor-changes
 neighbor remote-as 65000
 address-family ipv4
  network mask
  redistribute connected
  redistribute isis level-1-2
  neighbor activate

This will ensure that when DNAC configures VLAN1 for it will be redistributed (connected) and when it finishes with ISIS, this too will be redistributed. This is a must to ensure reachability during and after LAN automation.

To see what happens on my seed device during LAN automation, I’ve configured this:

event manager applet catchall
 event cli pattern ".*" sync no skip no
 action 1 syslog msg "$_cli_msg"

The EEM applet will log any command entered to the device. Here is an example:

border#sh run int lo0
Building configuration...

Current configuration : 68 bytes
interface Loopback0
 ip address

*Jan 30 15:28:48.690: %HA_EM-6-LOG: catchall: show running-config interface Loopback0

Start LAN automation

Below are my settings for starting LAN automation:



The primary device (seed) is our pre-configured border and its downstream ports (where the edge nodes connect). The LAN pool is selected along with an ISIS domain password and a hostname prefix for our edge nodes.

Here is the log with the output of what DNAC does to the seed device upon starting LAN automation:


Highlights are:

system mtu 9100

! Multicast
ip multicast-routing
ip pim ssm default
interface Loopback0
 ip pim sparse-mode
interface Loopback60000
 ip address
 ip pim sparse-mode
ip pim rp-address
ip pim register-source Loopback0

router isis
 net 49.0000.1000.6400.1254.00
 domain-password zartmann
 metric-style wide
 nsf ietf
 bfd all-interfaces
 passive-interface Loopback0
 default-information originate
interface Loopback0
 ip router isis
 clns mtu 1400
interface Loopback60000
 ip router isis

ip dhcp excluded-address
ip dhcp pool nw_orchestration_pool
 option 43 ascii 5A1D;B2;K4;I10.181.15.10;J80;
 class ciscopnp
  address range
ip dhcp class ciscopnp
 option 60 ^ciscopnp

interface Vlan1
 ip address
 no shutdown
 ip router isis
 clns mtu 1400
 bfd interval 500 min_rx 500 multiplier 3
 no ip redirects

Now the seed device is ready to onboard the edge nodes. Here are some screenshots to verify the progress:


We can see that LAN automation in fact uses PnP to onboard devices.



Once devices have been claimed and onboarded, the state of LAN automation changes to “Completed”. Now it is safe to stop LAN automation, and this is what happens to our seed device:


Highlights for the stop process:

! EEM to configure downlinks (only Gi1/0/2 shown)
event manager applet _L3Applet_GigabitEthernet1/0/2 authorization bypass
 event timer countdown time 1
 action 1.0 cli command "enable"
 action 1.1 cli command "config t"
 action 1.2 cli command "interface GigabitEthernet1/0/2"
 action 1.3 cli command "no switchport"
 action 1.4 cli command "ip address"
 action 1.5 cli command "ip router isis"
 action 1.6 cli command "isis network point-to-point"
 action 1.7 cli command "no shutdown"
 action 1.8 cli command "bfd interval 100 min_rx 100 multiplier 3"
 action 1.9 cli command "no ip redirects"
 action 2.0 cli command "dampening"
 action 2.1 cli command "logging event link-status"
 action 2.2 cli command "load-interval 30"
 action 2.3 cli command "description Fabric Physical Link"
 action 2.6 cli command "clns mtu 1400"
 action 2.7 cli command "exit"
 action 2.8 cli command "no event manager applet _L3Applet_GigabitEthernet1/0/2 authorization bypass"
 action 4.1 cli command "interface GigabitEthernet1/0/2"
 action 4.2 cli command "ip pim sparse-mode"
 action 4.4 cli command "do write memory"
 action 4.5 cli command "end"
 action 4.6 cli command "exit"

interface Vlan1
 no ip router isis
 no clns mtu
 no ip address
 no bfd interval
 ip redirects

no ip dhcp pool nw_orchestration_pool
no ip dhcp excluded-address
no ip dhcp class ciscopnp

The magic of converting VLAN1 to routed links is done using an EEM applet.

That is how LAN automation works. You might discuss the un-modifiable configuration template that DNAC uses. Especially its ISIS configuration that features legacy clear text authentication and the fact that it configures L1L2 routing. Also, no protocol tweaking is done in terms of lsp and spf optimizations that you usually do with ISIS. But, if the case is to just create a routed network in an automated way with no knowledge, LAN automation does it for you.


Compared to LAN automation, PnP gives you complete control of the configuration via the template you provide. Also, PnP has these advantages over LAN automation:

  • Stack renumbering capability
  • Image upgrade during PnP

On the other hand, you’ll not be able to provision a three-tier network in one go with PnP. This LAN automation supports due to its clever EEM applet that finishes the PnP process off by migrating VLAN1 to routed links.

To return to the ISIS configuration that LAN automation does. Here is the template I usually use for ISIS:

key chain isis-keys
 key 1
  key-string zartmann
interface Loopback0
 ip address
router isis 1
 net 49.0001.1001.2712.7001.00
 is-type level-2-only
 authentication mode md5
 authentication key-chain isis-keys
 metric-style wide
 max-lsp-lifetime 65535
 lsp-refresh-interval 65000
 spf-interval 5 1 20
 prc-interval 5 1 20
 lsp-gen-interval 5 1 20
 no hello padding
 nsf ietf
 bfd all-interfaces
 passive-interface Loopback0
 interface Gi1/1/1
  ip address
  isis network point-to-point
  isis metric 40 level-2
  isis authentication mode md5
  isis authentication key-chain isis-keys
  ip router isis 1

With the above configuration we have an optimal ISIS configuration in terms of lsp and sfp tuning. Also, it is more secure with MD5 type passwords for both IIHs and LSPs. My template configured the router as a L2 IS. There is no need to have both L1 and L2 adjacencies.

Offbox Automation

Rich APIs make it possible to interact with DNAC. You can script your templates and use APIs to send it to DNAC and create a planned PnP task containing necessary information such as hostname, serial number, stack renumbering, and software version required for the device along with its placement in the site hierarchy after successful onboarding. This is the way to go if bringing up new devices happens on a regular basis, or you want to be able to do bulk provisioning of new sites with many devices.

DNAC itself has a template editor which now features Jinja2. A tempate language with dynamic capabilities to bring intelligence to your configurations.


With DNAC it is now possible to create an automated routed network in minutes - not hours. No knowledge of how to configure routing protocols is needed. LAN automation can be used to bring up a routed network. The feature is intended for provisioning an underlay network for SD-Access, but can be used just to create a routed network. Some limitations exist with LAN automation, but it is an easy way to start an SD-Access implementation.

If custom configurations are required, or you simply do not need a routed network, but just want to be able to add devices to your network, Cisco PnP can be used. Here you have full control over the configuration and even the ability to upgrade software and renumber a stack during onboarding.

Offbox automation can be used with DNAC’s APIs which will use DNAC as an engine towards the network.

There is no longer a reason to manually configure new devices using a console cable. A method that belongs in the past. The future relies on automation which DNAC provides for us. And device onboarding is just one of its use cases.


Jacob Zartmann avatar
Jacob Zartmann
Passionate Network Engineer thriving for challenges and knowledge.