Preston Chilcote
Cisco Employee

Onboarding a switch with Plug and Play (PnP) requires that the onboarding switch initially get its IP address via DHCP. After whichever method (i.e. DHCP option 43, DNS, PnP Connect) is successfully used to tell the switch the IP address of Cisco DNA, the onboarding device creates an HTTPS session to Cisco DNA. Upon successful completion of a PnP Claim, Cisco DNA needs to add a management IP address to Inventory. The IP address it selects is the source IP of the HTTPS session. That commonly leads to the DHCP address showing up as the management IP in Inventory. This can be fixed manually with an Edit Device action; however, it's helpful if everything is automatic. It is very common for the onboarding configuration to replace the dynamic IP address with a static one, potentially on a different interface or VLAN. This commonly causes the PnP Claim process to time out and fail, since Cisco DNA can no longer reach the switch using the dynamic IP address.

 

With these facts in mind, an Onboarding configuration template can be created that both updates the IP address and lets Cisco DNA learn the new management IP address automatically. The trick is to make the onboarding device close the HTTPS connection (via interface shutdown). The PnP agent will have configured a "pnp profile" for you, which will try to reestablish the HTTPS session to Cisco DNA every 5 seconds. These templates control the source of that new session, which Cisco DNA will use to infer the desired management IP address.

 

I tested these templates on a C9300-48U running IOS-XE version 17.9.3.  The upstream interface is configured as a trunk port with DTP enabled.

Example 1:  Using Vlan 1 for Onboarding and Management.

interface vlan 1
    shutdown
    ip address 192.168.1.2 255.255.255.0
    no shutdown

ip route 0.0.0.0 0.0.0.0 192.168.1.1

 

You can replace vlan 1 with whichever vlan you are using for PnP (as specified by the "pnp startup-vlan" command on the upstream switch).

 

Example 2: Using Vlan 2 for Onboarding and Vlan 3 for Management.  This requires "pnp startup-vlan 2" on the upstream switch.

interface vlan 2
    shutdown 
    !alternatively, you can configure "no interface vlan 2"

interface GigabitEthernet1/0/48
    no switchport trunk allowed vlan 2
    !when using "pnp startup-vlan" on a trunk port upstream,
    !the PnP agent will configure "switchport trunk allowed vlan x"

interface vlan 3
    ip address 192.168.3.2 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.3.1

 

Example 3: Using Vlan 1 for Onboarding and Loopback 0 for Management.

interface vlan 1
    shutdown
    ip address 192.168.1.2 255.255.255.0
    no shutdown


interface Loopback 0
    ip address 10.1.1.1 255.255.255.0

ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http client source-interface Loopback0
! If we don't specify the source interface for http, the onboarding device will use
! vlan 1's new IP address to source http, and that is what Cisco DNA will infer is 
! the management IP address for Inventory.

 

I recommend keeping your Onboarding template as simple as the above.  The onboarding process will automatically add some config for you, including:

- CLI+SNMP credentials

- SSH config

- DNS

- Hostname

 

The rest of the production config should be present in a day-N template.  This is recommended so that a configuration change to any part of the config in the future can be done with a day-N provision, which doesn't require a repeat of the PnP process.
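
As a pre-check before provisioning, the following added example (not part of the original article and not Cisco tooling) parses an onboarding template and predicts which address Cisco DNA would infer as the management IP, using the article's Example 3 as input. It assumes a simplified source-selection model: the "ip http client source-interface" address if one is configured, otherwise the active interface whose subnet contains the default route's next hop; predict_mgmt_ip is a hypothetical helper name.

```python
import ipaddress
import re

def _norm(name):
    # "Loopback 0" and "Loopback0" name the same interface
    return re.sub(r"\s+", "", name).lower()

def predict_mgmt_ip(template):
    """Predict the source IP of the re-established PnP HTTPS session (assumed model)."""
    ifaces, current, next_hop, http_src = {}, None, None, None
    for raw in template.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and IOS comments
        if m := re.fullmatch(r"no interface (.+)", line, re.I):
            ifaces.pop(_norm(m[1]), None)  # interface removed by the template
            current = None
        elif m := re.fullmatch(r"interface (.+)", line, re.I):
            current = ifaces.setdefault(_norm(m[1]), {"ip": None, "down": False})
        elif m := re.fullmatch(r"ip route 0\.0\.0\.0 0\.0\.0\.0 (\S+)", line):
            next_hop = ipaddress.ip_address(m[1])
        elif m := re.fullmatch(r"ip http client source-interface (.+)", line, re.I):
            http_src = _norm(m[1])
        elif current is not None:
            if m := re.fullmatch(r"ip address (\S+) (\S+)", line):
                current["ip"] = ipaddress.ip_interface(f"{m[1]}/{m[2]}")
            elif line in ("shutdown", "no shutdown"):
                current["down"] = line == "shutdown"  # last command wins
    usable = {n: i for n, i in ifaces.items() if i["ip"] and not i["down"]}
    if http_src is not None:
        chosen = usable.get(http_src)  # explicit HTTP client source wins
    else:  # otherwise: interface directly connected to the default gateway
        chosen = next((i for i in usable.values() if next_hop is not None
                       and next_hop in i["ip"].network), None)
    return str(chosen["ip"].ip) if chosen else None

# Example 3 from the article
EXAMPLE_3 = """interface vlan 1
    shutdown
    ip address 192.168.1.2 255.255.255.0
    no shutdown
interface Loopback 0
    ip address 10.1.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.1
ip http client source-interface Loopback0
"""

if __name__ == "__main__":
    print(predict_mgmt_ip(EXAMPLE_3))
```

A result of None means the template leaves no addressed, active interface for the session under this model, which is worth resolving before the claim is attempted.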

 

Comments
catpires
Cisco Employee
 
Just to add to these very useful tips & tricks for PnP:

- When testing Example 1 and 2 I never flap the PnP VLAN SVI and it works just fine.

- One note regarding "Example 3: Using Vlan 1 for Onboarding and Loopback 0 for Management": with the command "ip http client connection forceclose" there is no need to break reachability to the PnP VLAN SVI (by using "no interface vlan X" or shutdown). This forces closing the HTTPS connection.