Three main services need to be enabled and running in order to complete a successful integration: SSH, ERS and pxGrid.
Before you begin, check that ISE and Cisco DNA Center can ping each other. This may sound trivial, but it is often overlooked, and checking it can save some headaches.
SSH enables the exchange of certificates to establish a trust relationship between ISE and Cisco DNA Center.
Verify that SSH is enabled on ISE. The following entry can be seen on the CLI
Note: Both the CLI and GUI accounts must have identical passwords.
Validate by performing SSH from Cisco DNA Center to ISE, and use the same username and password to access the ISE GUI (http://<ISE-Node>).
Various ERS API calls are used for the following:
- Certificate exchange
- Cisco DNA Center requires knowledge of the ISE deployment infrastructure in order to subscribe to the pxGrid Persona
- pxGrid - subscription to ISE publisher to retrieve contextual data and SGTs
- Update ISE with Cisco DNA Center Orchestrated Group Based Policies (SGTs, Contracts)
In ISE, navigate to Administration > System > Settings > ERS Settings and verify the "Enable ERS for Read/Write" check box is marked.
Cisco DNA Center will subscribe to the pxGrid publisher in order to retrieve contextual data as well as the SGTs. When integration is complete, the Scalable Groups on the Policy Dashboard in Cisco DNA Center will be updated to reflect the existing list of SGTs on ISE.
Navigate to Administration > System > Deployment and click the node on the right-hand side.
On the Cisco DNA Center dashboard, click the cog icon at the top right and select "System Settings".
Select the "Settings" tab and choose "Authentication and Policy Servers".
Click the plus icon and enter the ISE settings.
Once complete, click "Apply".
Note: To complete the integration process you may need to log in to your ISE instance and navigate to Administration > pxGrid Services to approve the "dnac" subscriber, at which stage the "Pending" status will change to "Online".
When integration is completed, you will notice on the Cisco DNA Center Policy Dashboard that the "Scalable Groups" value has incremented to the number of SGTs currently on your ISE deployment (the value was null before the integration). What you are witnessing is Cisco DNA Center retrieving the ISE SGTs over an API call.
As a sanity check, create an SGT on ISE and see how it increments on the Cisco DNA Center Policy dashboard.
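The same sanity check can be made from the ISE side by listing the SGTs over ERS and comparing the count with the "Scalable Groups" value on the dashboard. This is an added example, not part of the original article or Cisco's own tooling. It assumes the default ERS port 9060, the `/ers/config/sgt` resource and its JSON `SearchResult` paging format; the host name and sample responses are constructed placeholders.

```python
import base64
import json
import ssl
import urllib.request

ERS_PORT = 9060  # assumed default ERS port on ISE; the article does not state it


def ers_fetcher(user, password, ca_file=None):
    """Return a fetch(url) callable that performs an authenticated ERS GET."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    ctx = ssl.create_default_context(cafile=ca_file)  # TLS verification stays on

    def fetch(url):
        req = urllib.request.Request(url, headers={
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        })
        with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
            return json.load(resp)
    return fetch


def list_sgts(host, fetch, page_size=100):
    """Collect SGT names from /ers/config/sgt, following nextPage links."""
    url = f"https://{host}:{ERS_PORT}/ers/config/sgt?size={page_size}"
    names = []
    while url:
        result = fetch(url)["SearchResult"]
        names += [r["name"] for r in result.get("resources", [])]
        url = result.get("nextPage", {}).get("href")  # absent on the last page
    return names


# Constructed sample responses (not captured from a real ISE node).
SAMPLE_PAGES = {
    "https://ise.example.test:9060/ers/config/sgt?size=2": {"SearchResult": {
        "total": 3,
        "resources": [{"name": "Employees"}, {"name": "Guests"}],
        "nextPage": {"rel": "next", "href":
                     "https://ise.example.test:9060/ers/config/sgt?size=2&page=2"}}},
    "https://ise.example.test:9060/ers/config/sgt?size=2&page=2": {"SearchResult": {
        "total": 3, "resources": [{"name": "Quarantined_Systems"}]}},
}

if __name__ == "__main__":
    sgts = list_sgts("ise.example.test", SAMPLE_PAGES.__getitem__, page_size=2)
    print(len(sgts), "SGTs:", ", ".join(sgts))
```

Against a live node, pass `ers_fetcher(user, password, ca_file)` as `fetch`; a failed request at this step points to ERS being disabled or the account lacking ERS access.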