Re: DNA Center Brownfield Provisioning

gbekmezi-DD · ‎03-15-2022

DNAC fails on provisioning brownfield devices that have TACACS configured. What is the intended/recommended workflow for using DNAC to manage brownfield switches? Should TACACS/AAA commands be removed in order to provision? This becomes problematic when there are thousands of devices being managed.

Thanks!

Flavio Miranda · ‎03-15-2022

What user you are using on the CLI credentials? This user must have total privileges.

Preston Chilcote · ‎03-15-2022

If you remove the AAA settings from Design->Network Settings, then you will be able to complete the provision. You then have 2 choices for the long term:

1) Manage your existing AAA settings via day-N templates.

2) Use the provision workflow to convert your brownfield AAA configs to the configs that DNA wants to see. That should enable you to re-enable AAA management via Design->Network settings going forward.

But you want to avoid having AAA configs in Design Settings AND in day-N templates at the same time.

gbekmezi-DD · ‎03-17-2022

Thanks for the reply and suggestions. How would you go about using the “provision workflow to convert your brownfield AAA configs to the configs that DNA wants to see?”

Is there a way to accomplish this without removing the relevant configurations from the network devices first?

Thanks!

Preston Chilcote · ‎03-17-2022

You can provision a spare device to see the aaa configs that DNA deploys.

gbekmezi-DD · ‎03-18-2022

Thanks for the reply and suggestions. How would you go about using the “provision workflow to convert your brownfield AAA configs to the configs that DNA wants to see?”

Is there a way to accomplish this without removing the relevant configurations from the network devices first?

Thanks!

Preston Chilcote · ‎03-18-2022

Your template can first unconfigure aaa and the reconfigure it with the same commands DNA expects (in the same template). Or just unconfigure aaa with a template and reapply AAA in Design Settings, but that takes 2 provisions instead of just 1.

Tim Bisel · ‎04-05-2024

Sorry to awaken the necro-thread here. But I am running into the same issue and have a question.

If I make the template that removes our current AAA and TACACS config, than reapply the config using the commands that DNA would see if it deployed it, than moved it to a different network or something to reprovision it with a new template and with the AAA and TACACS config instead in the settings. Would this work?

Issue I have is I built ISE to default deny and all of our equipment also will block sign in with local creds if TACACS servers are reachable. And to top it off, all my VLANs are assigned via 802.1x responses and switch is has all access ports assigned to a guest VLAN by default, and if ISE is unreachable falls into a VLAN similar to guest where they lose all internal access. So having a hard time trying to figure out what configs I need to remove so I can get CCC to push the configs, not get locked out of switch, and not kill access to the machines in the switch.