on 07-27-2019 11:56 PM - edited on 12-17-2019 11:37 AM by tahuja
Starting from Cisco SD-Access 1.3, Extended Nodes are supported when connected to Fabric Edge nodes via a port channel configuration. There have been a lot of serviceability enhancements, such as IP address change management and reload support. In the backend, Autoconf has been enabled for host onboarding.
Here are the supported extended node devices with SD-Access:
Note: The extended node should not have any existing configuration for plug and play to work. If there is any existing configuration, please do “write erase” and reload the extended node so that it is at this prompt:
Would you like to enter the initial configuration dialog? [yes/no]:
Fabric switches need to be on 16.11.1c release.
Make sure credentials in Design > Network Settings > Device Credentials are applied to every site and not just at the Global level. Go to site San Jose and select the credentials and hit SAVE.
Step 1. Make sure the IP Address pool for the Extended Node is configured. This has to be an IPv4 pool.
Go to Design > Network Settings > IP Address Pools > Global and add ExtNode Pool.
Also, IP Address Pools Campus, IoT, BorderHandoff can be created. You should see the following Pools created in Global:
Step 2. Make sure that IP Pool reservation is done for the SJC site, for Campus, Guest, Multicast and Border Handoff for Building 22.
We will be reserving the IP Pools for the site we will be provisioning the devices to. In the hierarchy on the left side, choose SJC.
On San Jose Site, click Reserve IP Pool to make a reservation for this building. Follow the screenshots shown below to reserve IP Pools (for AP, Campus, IoT, and Border Handoff) for Building 22.
Ext Node Pool will be just IPv4.
You should see the following Pools reserved for SJC at the end of this.
Step 4. Make sure all the VNs are created in the Policy page: Campus_VN, IoT_VN, Guest_VN.
Step 1. Make sure all the devices in Provision > Global are assigned to a site and in Managed state.
Step 2. Make sure the SJC Fabric and Transit Network is created. If not, Provision Fabric to configure Fabric and Transit.
Step 3. In Fabric, assign the roles of Border, Control Plane, and Edge devices.
Step 1. Configure Auth Template as “No Authentication” for Extended Node to come up automatically when connected.
Step 2. Select the IP Pool for the Extended Node’s management IP in Provision > Fabric > Host Onboarding > INFRA_VN.
The Extended Node will be part of the INFRA_VN for Cisco DNA Center’s PnP host onboarding feature. Click on the INFRA_VN and click on Add at the top right.
Click on Add in the INFRA_VN to add ExtNode Pool created during IP Pool reservation.
Click on the Pool Type, and select Extended Node and click Update.
If the Auth Template is configured for anything other than “No Authentication” then follow the below steps:
From 1.3, SD-Access supports a port channel between the Extended Node and the Fabric Edge. The Extended Node and the Fabric Edge device are always connected using a port channel (even for a single port).
For any authentication mode other than “No Authentication”, the user needs to create the port channel on the fabric edge in the Port Channel tab.
For “No Authentication” mode, the port channel will be created automatically. For IE-3300/3400 series devices, the port channel should be created in static mode. For all other extended devices, the port channel should be created in PAGP mode.
Step 1. Click on the Fabric Edge device to which extended node is connected and go to port-channel tab, providing the port(s) information and selecting the protocol.
Step 2. In the Port Channel tab, click on Create PortChannel.
Step 3. In the Port Channel create section, select the interface that is connected to the extended node that you want to be part of the port channel.
Note: Even if only one interface is connected to the Extended Node from the FE, a port channel still needs to be created.
There are three options. For IE 3300/3400 extended nodes select protocol “ON”. For other extended nodes use PAGP.
Please verify that port channel gets created successfully.
Now we need to assign the port channel as an extended node.
Step 1. To assign the port channel as an extended node, go to Provision > Fabric > Host Onboarding > Select Port Assignment > FE connected to Extended Node.
You should see the port channel that you just created.
Step 2. Click on Port-channel1 and click on Assign to assign it as an extended node.
Step 3. In the Port Assignments, select extended node at the Connected Device Type from the drop down menu and click on Update.
Step 4. Click on Save to push the configuration to the Fabric Edge device and start the Extended Node bringup.
The extended node should not have any existing configuration for plug and play to work. If there is any existing configuration, please do “write erase” and reload the extended node so that it is at this prompt:
Would you like to enter the initial configuration dialog? [yes/no]:
To check the status of the extended node, go to Provision > Devices > Plug and Play.
You should see the devices show up in the Plug and Play window and the devices will be in Provisioned state.
Once the extended nodes are provisioned in Plug and Play, they will start showing up in the Fabric inventory, added to the site and in Managed state. They will also be added to the Fabric Topology.
Now you can go to Host Onboarding page and see the Extended Node and configure the ports to be connected to AP or other IoT devices.
Fabric Edge Device
Check the port channel and interface configuration
FE2-9300-04#sh run int gig 1/0/2
!
interface GigabitEthernet1/0/2
 switchport mode trunk
 channel-group 1 mode desirable
end
FE2-9300-04#sh run int port-channel 1
Building configuration...
Current configuration : 54 bytes
!
interface Port-channel1
 switchport mode trunk
end
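The port-channel rule above (static “ON” for IE-3300/3400, PAGP for every other extended node, and a port channel even for a single link) can be checked against a Fabric Edge running configuration before onboarding. The following Python check is an added example, not part of the original article or of Cisco's tooling; the sample configuration, the port-to-model inventory and the function names are constructed for illustration.

```python
import re

# Constructed sample: fabric-edge interface stanzas in the style of the output above.
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/2
 switchport mode trunk
 channel-group 1 mode desirable
interface GigabitEthernet1/0/3
 switchport mode trunk
 channel-group 2 mode desirable
interface GigabitEthernet1/0/4
 switchport mode trunk
"""
# Constructed inventory (assumption): FE port -> extended node model cabled to it.
SAMPLE_LINKS = {
    "GigabitEthernet1/0/2": "WS-C3560CX",
    "GigabitEthernet1/0/3": "IE-3300",
    "GigabitEthernet1/0/4": "IE-4000",
}
PAGP_MODES = {"desirable", "auto"}  # IOS PAgP channel-group keywords
STATIC_MODES = {"on"}               # static bundle, no negotiation protocol


def parse_channel_groups(config):
    """Map each interface to its channel-group mode, or None when it has none."""
    modes = {}
    for stanza in re.split(r"^(?=interface )", config, flags=re.M):
        iface = re.match(r"interface (\S+)", stanza)
        member = re.search(r"^\s*channel-group \d+ mode (\S+)", stanza, re.M)
        if iface:
            modes[iface.group(1)] = member.group(1) if member else None
    return modes


def allowed_modes(model):
    """IE-3300/3400 need a static bundle; other extended nodes use PAgP."""
    static = model.upper().startswith(("IE-3300", "IE-3400"))
    return STATIC_MODES if static else PAGP_MODES


def audit(config, links):
    """Return (interface, finding) pairs for links that break the rule."""
    modes, findings = parse_channel_groups(config), []
    for iface, model in sorted(links.items()):
        mode = modes.get(iface)
        if mode is None:
            findings.append((iface, "no port channel"))
        elif mode not in allowed_modes(model):
            findings.append((iface, f"mode {mode} invalid for {model}"))
    return findings
```

On the constructed sample, the IE-3300 link is flagged because it negotiates PAgP instead of using a static bundle, and the IE-4000 link is flagged because its FE port is not in a port channel at all.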
Check FE access to DHCP server
Here 10.5.130.12 is the DHCP server, and 3.3.3.5 is the Border node connected through the Fusion router to the DHCP server.
FE2-9300-04#sh vrf
  Name                             Default RD            Protocols   Interfaces
  Campus_VN                        <not set>             ipv4,ipv6   LI0.4099
                                                                     Vl1021
  DEFAULT_VN                       <not set>             ipv4,ipv6   LI0.4098
  Guest_VN                         <not set>             ipv4,ipv6   LI0.4100
  IoT_VN                           <not set>             ipv4,ipv6   LI0.4101
                                                                     Vl1022
  Mgmt-vrf                         <not set>             ipv4,ipv6   Gi0/0
FE2-9300-04#lig instance-id 4099 10.5.130.12
Mapping information for EID 10.5.130.12 from 3.3.3.21 with RTT 2 msecs
10.5.130.0/24, uptime: 1d00h, expires: 23:59:59, via map-reply, complete
  Locator  Uptime    State       Pri/Wgt     Encap-IID
  3.3.3.5  1d00h     route-rejec 10/10       -
FE2-9300-04#
ExtPool Management VLAN on FE
FE2-9300-04#sh run int Vlan1024
Building configuration...
Current configuration : 292 bytes
!
interface Vlan1024
 description Configured from Cisco DNA-Center
 mac-address 0000.0c9f.f45f
 ip address 192.168.17.1 255.255.255.0
 ip helper-address 10.5.130.12
 no ip redirects
 ip route-cache same-interface
 no lisp mobility liveness test
 lisp mobility 192_168_17_0-INFRA_VN-IPV4
end
Host IP VLAN on FE
FE2-9300-04#sh run int Vlan1021
Building configuration...
Current configuration : 590 bytes
!
interface Vlan1021
 description Configured from Cisco DNA-Center
 mac-address 0000.0c9f.f45c
 vrf forwarding Campus_VN
 ip address 192.168.11.1 255.255.255.0
 ip helper-address 10.5.130.12
 no ip redirects
 ip route-cache same-interface
 no lisp mobility liveness test
 lisp mobility 192_168_11_0-Campus_VN-IPV4
 lisp mobility 192_168_11_0-Campus_VN-IPV6
 ipv6 address 2003::1/96
 ipv6 enable
 ipv6 nd managed-config-flag
 ipv6 nd other-config-flag
 ipv6 nd router-preference High
 ipv6 dhcp relay destination ACE::1
 ipv6 dhcp relay source-interface Vlan1021
 ipv6 dhcp relay trust
end
Parameter config on FE
FE2-9300-04#sh run | s parameter
parameter-map type subscriber attribute-to-service BUILTIN_DEVICE_TO_TEMPLATE
 10 map device-type regex "Cisco-IP-Phone"
  20 interface-template IP_PHONE_INTERFACE_TEMPLATE
 20 map device-type regex "Cisco-IP-Camera"
  20 interface-template IP_CAMERA_INTERFACE_TEMPLATE
 30 map device-type regex "Cisco-DMP"
  20 interface-template DMP_INTERFACE_TEMPLATE
 40 map oui eq "00.0f.44"
  20 interface-template DMP_INTERFACE_TEMPLATE
 50 map oui eq "00.23.ac"
  20 interface-template DMP_INTERFACE_TEMPLATE
 60 map device-type regex "Cisco-AIR-AP"
  20 interface-template AP_INTERFACE_TEMPLATE
 70 map device-type regex "Cisco-AIR-LAP"
  20 interface-template LAP_INTERFACE_TEMPLATE
 80 map device-type regex "Cisco-TelePresence"
  20 interface-template TP_INTERFACE_TEMPLATE
 90 map device-type regex "Surveillance-Camera"
  10 interface-template MSP_CAMERA_INTERFACE_TEMPLATE
 100 map device-type regex "Video-Conference"
  10 interface-template MSP_VC_INTERFACE_TEMPLATE
 150 map device-type regex "CDB*"
  10 interface-template SWITCH_INTERFACE_TEMPLATE
 160 map device-type regex "WS-C3560CX*"
  10 interface-template SWITCH_INTERFACE_TEMPLATE
 170 map device-type regex "IE-400*"
  10 interface-template SWITCH_INTERFACE_TEMPLATE
 180 map device-type regex "IE-401*"
  10 interface-template SWITCH_INTERFACE_TEMPLATE
 190 map device-type regex "IE-500*"
  10 interface-template SWITCH_INTERFACE_TEMPLATE
 200 map device-type regex "Cisco-Switch"
  10 interface-template SWITCH_INTERFACE_TEMPLATE