Solved: Re: IP Addressing Building DNAC

thefilmguy · ‎03-04-2021

Are the cluster and service (/20 or /21) networks only usable in the DNAC appliance? Or can they not overlap any IP space in the external network? If so, what is the real reason behind this?

Preston Chilcote · ‎03-04-2021

They are used for internal communication inside the appliance. They don't need to be routable to the outside world.

If it's not too late, you can do a fresh install of 2.1 release for Cisco DNA and these subnet requirements are removed. The 169.x subnet will be used instead. It only works with a fresh install though, not an upgrade from 1.3

View solution in original post

Mike.Cifelli · ‎04-09-2021

For your interfaces, how did you configure them? I made each interface a /28. Would that work?

-As long as you have connectivity to other networks and it works to meet your requirements then you should be fine.

ENT - VLAN 20 IP Sub - did you static route this interface for all 10.x IP addressing? I guess I'm confused on what's the point of having this if a default gateway is configured on mgmt. I keep getting validation error.

-Technically on paper (Cisco Docs) the enterprise port is used for communication between DNAC and your NADs inside the SDA fabric via the underlay. You can only configure one DFG so if you are using that on MGMT int that's fine. In this scenario then you would need static routes on the ENT interface essentially telling DNAC what interface to use and how to route to reach the NADs in your underlay.

HTH!

View solution in original post

Preston Chilcote · ‎03-04-2021

They are used for internal communication inside the appliance. They don't need to be routable to the outside world.

If it's not too late, you can do a fresh install of 2.1 release for Cisco DNA and these subnet requirements are removed. The 169.x subnet will be used instead. It only works with a fresh install though, not an upgrade from 1.3

thefilmguy · ‎03-04-2021

Actually I read that and I got confused. This is perfect because I am rebuilding our cluster. So I'll shoot for that version instead. Thanks!

Mike.Cifelli · ‎03-04-2021

Just literally reimaged 3 new UCS C220 M5 G2 servers to prep for a production G1 to G2 cluster migration. I can confirm that the fresh install of 2.1.2.5 uses the following which is default and recommended per Cisco guides:

Container Subnet: 169.254.32.0/20

Cluster Subnet: 169.254.48.0/20

Purposes/definitions:

Container subnet = A dedicated, non-routed IP subnet that Cisco DNA Center uses to manage internal services.

Cluster subnet = A dedicated, non-routed IP subnet that Cisco DNA Center uses to manage internal cluster services.

HTH!

thefilmguy · ‎03-05-2021

Oh thanks Mike I didn't see this.

thefilmguy · ‎03-05-2021

Mike,

Did you use separate VLANs for the cluster and enterprise/mgmt/cimc ports?

Mike.Cifelli · ‎03-05-2021

Did you use separate VLANs for the cluster and enterprise/mgmt/cimc ports?

-Yes for all. When running through the install via maglev wizard OR the web ui install you will not be able to proceed when attempting to use same vlan for two interfaces.

Here are a few good-to-knows that caused me grief:

Note once you IP & select interface as cluster you cannot modify it post install. If you try to do so you will hit this error:

I actually had this issue and I had to reimage a node due to this.

The web ui installer is actually pretty cool and aides in identifying/ensuring you are configuring the right interfaces. Make sure interfaces are UP and configured otherwise you cannot progress further:

Another item that changed I think in 2.x is that post install on first UI login you get prompted to reset admin password:

If you find yourself having to change it from what you want due to this you can always just change it back via CLI using this:

$magctl user password update admin -p <pass> TNT0

HTH!

thefilmguy · ‎03-05-2021

Thanks Mike!

thefilmguy · ‎04-08-2021

Hey Mike,

For your interfaces, how did you configure them? I made each interface a /28. Would that work?

MGMT - VLAN 10 IP/Sub/GW
ENT - VLAN 20 IP Sub - did you static route this interface for all 10.x IP addressing? I guess I'm confused on what's the point of having this if a default gateway is configured on mgmt. I keep getting validation error.

Mike.Cifelli · ‎04-09-2021

For your interfaces, how did you configure them? I made each interface a /28. Would that work?

-As long as you have connectivity to other networks and it works to meet your requirements then you should be fine.

ENT - VLAN 20 IP Sub - did you static route this interface for all 10.x IP addressing? I guess I'm confused on what's the point of having this if a default gateway is configured on mgmt. I keep getting validation error.

-Technically on paper (Cisco Docs) the enterprise port is used for communication between DNAC and your NADs inside the SDA fabric via the underlay. You can only configure one DFG so if you are using that on MGMT int that's fine. In this scenario then you would need static routes on the ENT interface essentially telling DNAC what interface to use and how to route to reach the NADs in your underlay.

HTH!

thefilmguy · ‎04-09-2021

Yea I'm confused on it. Since ENT needs access to all 10.0.0.0/8 and some other networks. It makes more sense to put the DFG on the ENT interface. But then I'm confused on the static route for the mgmt interface. Can I do a default 0.0.0.0/0.0.0.0/172.17.96.33 on the MGMT?

I am also not sure internet is reachable from the interfaces. Since our core is very locked down. Is internet reach-ability required in the validation?