mnagao
Cisco Employee

 

 

Introduction

 

The CLI commands that DNA Center pushes to AireOS devices (Wireless LAN Controller 5520/3504/8540) can be viewed by running the debug aaa tacacs enable command. This command prints what would be logged to the TACACS server if the server were online, so there is no need to configure a TACACS server on the WLC.

 

(Cisco Controller) >debug aaa tacacs enable

 

The following is an example with DNA Center 1.2 and AireOS 8.8. The output varies with the software version and the network design.

 

 

Discovery

 

DNA Center has the WLC obtain the NA (Network Assurance) Certificate and apply the WSA configuration. This is why, unlike with IOS devices, Assurance works even without configuring Telemetry on DNA Center. As prerequisites for Discovery, create an SNMP community string with Read-Write permission and a management user, and make sure the WLC has IP connectivity to DNA Center.

*SNMPTask: Mar 12 10:39:10.266: Log to TACACS server(if online): snmp syscontact
*emWeb: Mar 12 10:39:28.133: Log to TACACS server(if online): transfer download datatype na-serv-ca-cert
*emWeb: Mar 12 10:39:28.176: Log to TACACS server(if online): transfer download mode sftp
*emWeb: Mar 12 10:39:28.176: Log to TACACS server(if online): transfer download port 22
*emWeb: Mar 12 10:39:28.220: Log to TACACS server(if online): transfer download username sftpuser
*emWeb: Mar 12 10:39:28.260: Log to TACACS server(if online): transfer download password <hidden>
*emWeb: Mar 12 10:39:28.301: Log to TACACS server(if online): transfer download path /cert/77b71c08-99b4-4b4a-96db-e606c178e89e/
*emWeb: Mar 12 10:39:28.340: Log to TACACS server(if online): transfer download serverip 192.168.1.20
*emWeb: Mar 12 10:39:28.380: Log to TACACS server(if online): transfer download filename systemcert.pem
*emWeb: Mar 12 10:39:28.420: Log to TACACS server(if online): transfer download port 22
*emWeb: Mar 12 10:39:28.501: Log to TACACS server(if online): transfer download start
Updating HBL license statistics file
Done.
*emWeb: Mar 12 10:39:33.223: Log to TACACS server(if online): save
*emWeb: Mar 12 10:39:33.937: Log to TACACS server(if online): network assurance on-change all Enable
*emWeb: Mar 12 10:39:33.939: Log to TACACS server(if online): network assurance subscribe all
*emWeb: Mar 12 10:39:33.981: Log to TACACS server(if online): network assurance url https://192.168.1.20
*emWeb: Mar 12 10:39:34.951: Log to TACACS server(if online): Server port 32626
*emWeb: Mar 12 10:39:35.173: Log to TACACS server(if online): network assurance wsa mode Enable
*emWeb: Mar 12 10:39:35.174: Log to TACACS server(if online): network assurance on-change all Enable
*emWeb: Mar 12 10:39:35.212: Log to TACACS server(if online): network assurance subscribe all

 

 

Assignment to a Site

 

The contents of Network Settings are applied.

*emWeb: Mar 12 10:41:24.623: Log to TACACS server(if online): flow create exporter 192.168.1.20 192.168.1.20 port 6007
Updating HBL license statistics file
Done.
*emWeb: Mar 12 10:41:25.311: Log to TACACS server(if online): save
*emWeb: Mar 12 10:41:25.850: Log to TACACS server(if online): logging syslog host 192.168.1.20
Updating HBL license statistics file
Done.
*emWeb: Mar 12 10:41:26.324: Log to TACACS server(if online): save
*emWeb: Mar 12 10:41:26.671: Log to TACACS server(if online): snmp trapreceiver create 192.168.1.20 192.168.1.20
*emWeb: Mar 12 10:41:26.678: Log to TACACS server(if online): snmp trapreceiver mode enable 192.168.1.20
*emWeb: Mar 12 10:41:26.680: Log to TACACS server(if online): snmp trapreceiver mode enable 192.168.1.20
*emWeb: Mar 12 10:41:26.719: Log to TACACS server(if online): trapflags client enhanced-802.11-associate enable
*emWeb: Mar 12 10:41:26.759: Log to TACACS server(if online): trapflags client enhanced-802.11-deauthenticate enable
*emWeb: Mar 12 10:41:26.799: Log to TACACS server(if online): trapflags client enhanced-802.11-stats enable
*emWeb: Mar 12 10:41:26.839: Log to TACACS server(if online): trapflags client enhanced-authentication enable
Updating HBL license statistics file
Done.
*emWeb: Mar 12 10:41:27.404: Log to TACACS server(if online): save

 

 

 

 

 

The following is the configuration for SDA-Wireless.

 

Provision

 

The WLANs assigned to the Site are created.

*emWeb: Mar 12 10:44:34.199: Log to TACACS server(if online): 802.11a disable network
*emWeb: Mar 12 10:44:34.280: Log to TACACS server(if online): 802.11b disable network
*emWeb: Mar 12 10:44:34.325: Log to TACACS server(if online): aaa auth mgmt local radius
*emWeb: Mar 12 10:44:34.376: Log to TACACS server(if online): radius auth add 1 192.168.102.11 1812 ascii hidden
*emWeb: Mar 12 10:44:34.430: Log to TACACS server(if online): radius auth disable 1
*emWeb: Mar 12 10:44:34.448: Log to TACACS server(if online): radius auth retransmit-timeout 1 2
*emWeb: Mar 12 10:44:34.488: Log to TACACS server(if online): radius auth rfc3576 enable 1
*emWeb: Mar 12 10:44:34.565: Log to TACACS server(if online): radius auth enable 1
*emWeb: Mar 12 10:44:34.582: Log to TACACS server(if online): radius acct add 1 192.168.102.11 1813 ascii hidden
*emWeb: Mar 12 10:44:34.648: Log to TACACS server(if online): country J4
*emWeb: Mar 12 10:44:34.688: Log to TACACS server(if online): 802.11a enable network
*emWeb: Mar 12 10:44:34.728: Log to TACACS server(if online): 802.11b enable network
*emWeb: Mar 12 10:44:34.768: Log to TACACS server(if online): wlan create 17 SDA-Free-W_F_global_ab829_17 SDA-Free-Wifi
*emWeb: Mar 12 10:44:34.808: Log to TACACS server(if online): wlan broadcast-ssid enable 17
*emWeb: Mar 12 10:44:34.848: Log to TACACS server(if online): wlan qos 17 platinum
*emWeb: Mar 12 10:44:34.888: Log to TACACS server(if online): wlan security wpa disable 17
*emWeb: Mar 12 10:44:34.928: Log to TACACS server(if online): wlan aaa-override enable 17
*emWeb: Mar 12 10:44:34.970: Log to TACACS server(if online): wlan security ft adaptive enable 17
*emWeb: Mar 12 10:44:35.010: Log to TACACS server(if online): wlan radio 17 all
*emWeb: Mar 12 10:44:35.048: Log to TACACS server(if online): wlan interface 17 management
*emWeb: Mar 12 10:44:35.088: Log to TACACS server(if online): wlan avc 17 visibility enable
*emWeb: Mar 12 10:44:35.129: Log to TACACS server(if online): wlan ccx aironetiesupport disable 17
*emWeb: Mar 12 10:44:35.452: Log to TACACS server(if online): wlan create 18 SDA-TKY-Po_F_global_ab829_18 SDA-TKY-Pod2
*emWeb: Mar 12 10:44:35.492: Log to TACACS server(if online): wlan broadcast-ssid enable 18
*emWeb: Mar 12 10:44:35.535: Log to TACACS server(if online): wlan qos 18 platinum
*emWeb: Mar 12 10:44:35.584: Log to TACACS server(if online): wlan aaa-override enable 18
*emWeb: Mar 12 10:44:35.624: Log to TACACS server(if online): wlan security ft adaptive enable 18
*emWeb: Mar 12 10:44:35.744: Log to TACACS server(if online): wlan radio 18 all
*emWeb: Mar 12 10:44:35.787: Log to TACACS server(if online): wlan interface 18 management
*emWeb: Mar 12 10:44:35.828: Log to TACACS server(if online): wlan avc 18 visibility enable
*emWeb: Mar 12 10:44:35.868: Log to TACACS server(if online): wlan ccx aironetiesupport disable 18
Updating HBL license statistics file
Done.
*emWeb: Mar 12 10:44:38.423: Log to TACACS server(if online): save

 

 

Adding to the Fabric

 

The CP is configured and the VNIDs are defined.

*emWeb: Mar 12 10:50:04.960: Log to TACACS server(if online): fabric enable
*emWeb: Mar 12 10:50:06.002: Log to TACACS server(if online): fabric control-plane enterprise-fabric add primary ip 192.168.100.11 preshared-key hidden
*emWeb: Mar 12 10:50:07.028: Log to TACACS server(if online): fabric control-plane enterprise-fabric add secondary ip 192.168.100.12 preshared-key hidden
*emWeb: Mar 12 10:50:07.031: Log to TACACS server(if online): fabric vnid create name 172_16_222_0-Campus l2-vnid 8190 ip 0.0.0.0 subnet 0.0.0.0 l3-vnid 0
*emWeb: Mar 12 10:50:07.070: Log to TACACS server(if online): fabric vnid create name 172_16_5_0-Campus l2-vnid 8188 ip 0.0.0.0 subnet 0.0.0.0 l3-vnid 0
*emWeb: Mar 12 10:50:07.112: Log to TACACS server(if online): fabric vnid create name 172_16_112_0-INFRA_VN l2-vnid 8189 ip 172.16.112.0 subnet 255.255.255.0 l3-vnid 4097
Updating HBL license statistics file
Done.
*emWeb: Mar 12 10:50:07.817: Log to TACACS server(if online): save

 

 

Host Onboarding Configuration

 

Assigning an IP Pool to an SSID assigns a VNID to the WLAN.

*emWeb: Mar 12 10:50:18.177: Log to TACACS server(if online): wlan fabric enable 17
*emWeb: Mar 12 10:50:18.258: Log to TACACS server(if online): wlan fabric name-vnid-mapping 172_16_5_0-Campus 17
*emWeb: Mar 12 10:50:18.337: Log to TACACS server(if online): wlan enable 17
Updating HBL license statistics file
Done.
*emWeb: Mar 12 10:50:19.079: Log to TACACS server(if online): save

*emWeb: Mar 12 10:50:25.919: Log to TACACS server(if online): wlan fabric enable 18
*emWeb: Mar 12 10:50:25.998: Log to TACACS server(if online): wlan fabric name-vnid-mapping 172_16_222_0-Campus 18
*emWeb: Mar 12 10:50:26.081: Log to TACACS server(if online): wlan enable 18
Updating HBL license statistics file
Done.
*emWeb: Mar 12 10:50:26.814: Log to TACACS server(if online): save

 

 

 

Telemetry Configuration

 

Assurance on the WLC works on a WSA basis, but setting Telemetry to Optimal also lets you configure Syslog and SNMP trap with DNAC as the server.

*emWeb: Jan 07 07:23:00.730: Log to TACACS server(if online): logging syslog host 192.168.1.20
*emWeb: Jan 07 07:23:00.731: Log to TACACS server(if online): logging syslog level 6
*emWeb: Jan 07 07:23:00.995: Log to TACACS server(if online): snmp trapreceiver create 192.168.1.20 192.168.1.20
*emWeb: Jan 07 07:23:00.997: Log to TACACS server(if online): snmp trapreceiver mode enable 192.168.1.20
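
An added example, not part of the original article or of Cisco's tooling: a Python parser for the debug output format shown above that groups the pushed commands into batches ended by save, lists the ones touching authentication, WLAN security or external destinations, and checks that secret arguments appear masked. The review prefix list and the last sample line are assumptions constructed for illustration.

```python
import re

# Line format on this page:
#   *<task>: <Mon DD HH:MM:SS.mmm>: Log to TACACS server(if online): <command>
LINE_RE = re.compile(r"^\*(?P<task>\w+): (?P<ts>\w{3} \d{2} [\d:.]+): "
                     r"Log to TACACS server\(if online\): (?P<cmd>.+?)\s*$")
# Assumption: prefixes picked here as worth a reviewer's first look.
REVIEW_PREFIXES = ("aaa auth", "radius auth add", "radius acct add",
                   "wlan security", "transfer download", "logging syslog host",
                   "snmp trapreceiver create", "fabric control-plane")
SECRET_RE = re.compile(r"\b(?:password|preshared-key|ascii)\s+(\S+)")
# The first seven lines are copied from the output above; the last is constructed.
SAMPLE = """\
*emWeb: Mar 12 10:39:28.260: Log to TACACS server(if online): transfer download password <hidden>
Updating HBL license statistics file
*emWeb: Mar 12 10:39:33.223: Log to TACACS server(if online): save
*emWeb: Mar 12 10:44:34.376: Log to TACACS server(if online): radius auth add 1 192.168.102.11 1812 ascii hidden
*emWeb: Mar 12 10:44:34.888: Log to TACACS server(if online): wlan security wpa disable 17
*emWeb: Mar 12 10:44:35.088: Log to TACACS server(if online): wlan avc 17 visibility enable
*emWeb: Mar 12 10:44:38.423: Log to TACACS server(if online): save
*emWeb: Mar 12 10:44:39.000: Log to TACACS server(if online): radius auth add 2 192.0.2.10 1812 ascii ExampleSecret
"""

def parse(text):
    """Return (task, timestamp, command) per pushed command; skip other output."""
    hits = (LINE_RE.match(line.strip()) for line in text.splitlines())
    return [(m["task"], m["ts"], m["cmd"]) for m in hits if m]

def batches(entries):
    """Group commands into the batches that each 'save' closes."""
    done = [[]]
    for _task, _ts, cmd in entries:
        if cmd == "save":
            done.append([])
        else:
            done[-1].append(cmd)
    return [b for b in done if b]

def needs_review(entries):
    """Commands touching auth, WLAN security or external destinations."""
    return [cmd for _t, _ts, cmd in entries if cmd.startswith(REVIEW_PREFIXES)]

def unmasked_secrets(entries):
    """Commands whose secret argument is not shown as hidden / <hidden>."""
    secrets = ((cmd, SECRET_RE.search(cmd)) for _t, _ts, cmd in entries)
    return [c for c, m in secrets if m and m.group(1) not in ("hidden", "<hidden>")]

if __name__ == "__main__":
    print(batches(parse(SAMPLE)), unmasked_secrets(parse(SAMPLE)), sep="\n")
```
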

 

 
