Click here to print this page

Discovery 1: Introducing Cisco APIC-EM GUI-

Network, Device and Topology Discovery Using
APIC-EM
Task 1: Navigating Through Cisco APIC-EM Homepage
and Settings
Activity
Step 1: From wrkstn1, open your Chrome browser and go to https://192.168.1.21 to access
the Cisco APIC-EM GUI.
You may see the message on screen that your connection is not private.
Click Advanced and Proceed to 192.168.1.21.

You can log in to Cisco APIC-EM GUI using username admin and password Cisco123!.

Step 2: Now, you can navigate through the various options on the Cisco APIC-EM home
page.
You will see Dashboard, System Heath, and System Info tabs on the home page.

On the dashboard, you will see Device Inventory and also the information that is related to
device connections. You will see more information in next few steps.

Click the system health tab on home page, you will see the CPU, memory, and storage
utilization. It also lists the applications and the corresponding services running on Cisco
APIC-EM. It helps you to monitor the status of the services that are running on Cisco
APIC-EM.

Click the system info tab on home page, you will see the Cisco APIC-EM version. It will
also display the information about system requirements, deployment guides, and release
notes for Cisco APIC-EM.
Step 3: Check the Cisco APIC-EM GUI elements.
You can view the Cisco APIC-EM GUI elements in the home page.
 Name

Navigation pane At the left side of the window, the Navigation pa

IWAN, and Network Plug and Play.

Global Toolbar At the top of the window, the Global toolbar pro

Application or In the main window area, the application or func

from the Global toolbar, the corresponding appl
Function Pane

I wish this page At the bottom of the window, the "I wish this pa
your experience using the Cisco APIC-EM and
would... feedback

link
Step 4: Check the Navigation Pane options in the Cisco APIC-EM GUI.
You can click the arrow that is displayed in the top-left corner of the page to unhide the
navigation pane functions. The arrow allows you to hide and unhide the Navigation pane.

Step 5: Check the Global Toolbar options.

The Global toolbar provides access to API information, administrative functions, system
notifications.

APIs—Displays the automatically generated documentation for the northbound REST

APIs.
System Notifications—Opens the System Notifications dialog box, which provides
information about system notifications that have occurred.
The icons at the top provide a total of the number of notifications in each of the following
categories:
 Minor (yellow triangle icon)
 Major (orange triangle icon)
 Critical (red octagon icon)

If notifications have occurred, they are listed below the icons. For example, any
notifications about software

updates or security certificates updates appear in this window. Click the Notification
History link to open the Notifications window. This window provides information about the
notification, such as its severity, source, timestamp, and status.
You can perform the following actions in this window:
 Acknowledge a notification.
  Filter notifications by status or security level.
 Sort notifications by source, detail, description, timestamp, or status.

Step 6: Check the Administrative functions in the Cisco APIC-EM GUI.

Click Admin option on top right as shown below.

From this menu, you can choose the following administrative options:
 Settings—Allows you to configure controller settings, such user profiles,
discovery credentials, network security settings, backup and restore, and other
controller settings.
 App Management—Allows you to individually upload and enable Cisco and
third-party applications, backup and restore the controller data, and update the
Cisco APIC-EM software.
 System Administration—Allows you to manage and troubleshoot controller
services.
 Audit Logs—Provides information to help you monitor policy creation and
application.
 About APIC-EM—Displays the installed Cisco APIC-EM software version.

You can perform the following user functions:

 Change Password—Allows you to change your own password.
 Sign Out—Logs you out of the Cisco APIC-EM.

template_version4.0
Task 2: Using Discovery Application in Cisco APIC-EM
Activity
Step 1: From the APIC-EM admin tab, choose Settings in the upper right corner to view
the configured global credentials for the devices that are being managed by Cisco APIC-
EM.

Before proceeding to device discovery using Cisco APIC-EM, you need to check that the
CLI and SNMPv2c credentials have been configured in Discovery Credential window.

Following credentials have been configured and saved as shown above:

Parameters Credentials

Username cisco

Password cisco
 Parameters Credentials

Enable Password cisco

Read Community Name SNMP_RO

Read Community PUBLIC

Write Community Name SNMP_WR

Write Community PRIVATE

Cisco APIC-EM discovers the devices and hosts and populates the device and host
inventory database with the results of the discovery.
To discover devices and hosts, you must configure SNMPv2c credentials or SNMPv3
credentials or both SNMPv2c and SNMPv3 credentials (depending on your network). For
SNMPv2, only the SNMP read community credentials are mandatory.
When you need to configure network devices, you would also need the SNMPv2 write
community, but discovery only requires a read community.
CLI credentials are also mandatory. You need to configure CLI credentials to access to the
configuration files on the devices.
These credentials can be configured in two different places in Cisco APIC-EM GUI:
 Settings > Discovery Credentials window: Configure SNMP and CLI
credentials in this window when they are common to all or most of the devices
in your network. These credentials are referred to as global credentials. In this
lab, you will use global credentials.
 Discovery window: Configure SNMP and CLI credentials in this window
when you want to discover devices in real time. Or when you need to discover
devices that do not have the typical SNMP and CLI credentials. Most of the
devices in your network have SNMP and CLI credentials, and that were
configured in the Settings > Discovery Credentials window. These credentials
are referred to as exception credentials. You will see this option in the next few
steps.

You can add multiple credentials. Cisco APIC-EM will always try first the credentials that
are specified in the Discovery window. If these credentials are not valid, the controller will
try connecting to the devices using the global credentials that are added in this section.
Step 2: From the Navigation pane, click Discovery from the list of applications.
Click the arrow on top to expand the view. It will help you view all application names in
the navigation pane.

You can see that there is a discovery that named Discovery_CDP in the discovery pane on
the left. The discovery has been performed using Cisco Discovery Protocol and it has
discovered four devices. In this lab exercise, you will perform another discovery using IP
Range method.
The Discovery function scans the devices and hosts in your network and populates Cisco
APIC-EM database with the information that it retrieves. To do this, you need to tell the
controller some information about your network so that the Discovery function can reach as
many of the devices in your network as possible and gather as much information as it can.
The Discovery function uses a combination of the following protocols and methods to
retrieve the information about your network:
 Cisco Discovery Protocol (CDP)
 Community-based Simple Network Management Protocol version 2
(SNMPv2c)
 Simple Network Management Protocol version 3 (SNMPv3)
 Link Layer Discovery Protocol (LLDP)
 IP Device Tracking (IPDT)—IPDT is enabled automatically for all devices
by the controller. For this configuration, privileges must be given to the
controller during discovery.
 LLDP-MED—IP phones and possibly some servers are discovered using
LLDP Media Endpoint Discovery

There are two types of discovery scan methods that are used in Cisco APIC-EM GUI:
 Cisco Discovery Protocol: For this method, you enter the IP address of a
single device that is called seed device to use as the starting point for scan.
From this device, Cisco Discovery Protocol scans the directly connected Cisco
devices. Cisco Discovery Protocol is Cisco proprietary and it can be used to
scan and discover Cisco devices in the network.
 Range: For range, you enter the beginning and ending IP addresses to use as
the scan boundary. Cisco APIC-EM then scans subsequently, beginning with
the first IP address and ending with the last one. In this lab exercise, you will
use Range for the discovery scan. The Range method can be used to discover
devices in a multi-vendor environment.

Step 3: In this lab exercise, you will use Range option to discover devices.
Click "+" in the upper left to add a new discovery. In the Discovery Name field, enter a
unique name for this discovery- Disc_Range. From the
discovery Type field, choose Range.
Add the following IP address ranges and then click "+."
 192.168.1.1 to 192.168.1.20
 192.168.2.1 to 192.168.2.20
 172.16.1.1 to 172.16.1.2

Step 4: Ensure that the device credentials have been configured and selected.
Click Credentials to expand the view. You will see that the global credentials are selected.
All Cisco devices in this lab have been configured with these global credentials.
Step 5: Ensure that Cisco APIC-EM uses Telnet and SSH Protocols to connect to the
network devices.
Click Advanced to configure the protocols that Cisco APIC-EM uses to connect to devices.
By default, only SSH is selected. Select Telnet and SSH as protocols for this lab exercise.
Click Start to begin the discovery.
Note: You may have to scroll towards right to get to the Start tab.

To remove a protocol, Telnet or SSH from the scan, click the protocol name. The check
mark next to the protocol disappears and the protocol fades from the display. In this lab
exercise, you will not remove it.
To customize the order that protocols are used to connect to devices, drag and drop a
selected protocol to the desired location in the list.
Step 6: Ensure that Cisco APIC-EM completes the discovery scan process.
You will see a new page with the status of discovery as Starting. The status will change
to In Progress and then Completed once all devices in the IP address range are discovered.

Step 7: Ensure that Cisco APIC-EM discovers all four network devices- HQ, HQ-SW, BR,
and BR-SW.
Click the device icon next to the displayed number. You will see all four devices that are
listed.

If you cannot see all four devices that are listed, then you need to go back to previous steps
and perform another discovery function.
Note: You can ignore the devices that are marked as unreachable. The wrkstn1 has IP
address of 192.168.1.10. It is unreachable as the router and switch VMs used in this lab
exercise, are not configured to support IPDT.
template_version4.0
Task 3: Using Device and Host Inventory in Cisco APIC-
EM
Activity
Step 1: From the navigation pane, go to Device Inventory.
You will see all four devices listed here- HQ, BR, HQ-SW, and BR-SW.

Note: Please make sure all your devices are present in the inventory and that they come up
with Managed status. If you have any entries showing up with a different status, it means
that there has been a problem collecting the information (typically credentials and/or SNMP
communities entered incorrectly).
Next, choose the link to HQ in the Device Name column. After you click the device name,
you get a pop-up with specific device information and interface status.
Step 2: From the layout drop-down menu, choose Tagging.
The default Device Role is assigned to each device.
During the scan process, a device role is automatically assigned to each discovered device.
The device role is used for identifying and grouping devices according to their
responsibilities and placement within the network. The controller automatically sets a role
for each device that it discovers during a scan. If the controller is unable to determine a
device role, it sets the device role as unknown. You can use the drop-down list in this
column to change the assigned device role.
The device roles that are available: Unknown, Access, Core, Distribution, and Border
Router
You can make the following changes in the device inventory window. In this lab, you are
not required to make any change.
 Location: You can add the device location; like in this lab HQ and HQ-SW
will be San Jose and BR and BR-SW will be RTP.
 Policy Tag: Policy Tag is related to Quality of Service (QoS).
 Device Tag: Device tags allow you to define scopes or groups of devices.
Devices can have multiple “Device Tags.”

Step 3: From the layout drop-down menu, choose Hardware.

You can view information that is related to each device like IP address, serial numbers,
Cisco IOS Software version, and so on. You can also view the configuration file for each
device.
Step 4: You can customize the device inventory view by choosing the Customize Layout.
Step 5: You can go to navigation pane and view the host inventory.
In this lab exercise, you will not see any hosts that are listed. The hosts are not enabled for
the Cisco APIC-EM discovery.

Note: You do have a host, wrkstn1 being used in this lab. As this lab setup is a virtual
environment and the router and switch VMs used do not support IPDT, users do not see it
listed. In real network, you will see the host PCs, IP Phones, and so on being discovered as
well.
If the Discovery scan identifies a network element as a host (or cannot identify it as a
device), that element appears in the Host Inventory instead of the Device Inventory. The
Host Inventory table can display the following information about all hosts that the
controller discovers:
 Host Name
 User Status
 MAC address
 IP address
 Network Attachment Point
 Host Type
template_version4.0
Task 4: Using Topology Function in Cisco APIC-EM
Activity
Step 1: From the navigation pane, select the Topology icon.
You will see the topology that has been automatically created by Cisco APIC-EM.

Cisco APIC-EM auto discovers and maps network devices to a physical topology with
detailed device-level data. With its autovisualization feature, it presents a highly interactive
mechanism for viewing and troubleshooting the network. You can also easily customize its
GUI.
The Topology window displays a graphical view of your network. Using the discovery
settings that you have configured, the Cisco APIC-EM discovers and maps devices to a
physical topology with detailed device-level data.
The topology map includes the following key features:
 Auto-visualization of Layer 2 and 3 topologies on top of the physical
topology provides a granular view for design planning and simplified
troubleshooting.
 For a Layer 2 topology, the controller discovers configured VLANs within
your network to display in the Topology window. For a Layer 3 topology, the
controller discovers all forms of a Layer 3 topology (OSPF, IS-IS, and so on),
depending on what is currently configured and in use within your network to
display in the Topology window.

Step 2: Check the options in the Topology toolbar.

The figure and list below shows the options in the topology toolbar.

 Toggle Aggregation: It enables or disables device aggregation. Aggregating

devices means grouping devices. You can save the layout for future reference
by clicking the Save icon. This grouping does not affect the physical
configuration on the devices. Aggregation is enabled by default.
 Toggle Multiselect: It allows you to select multiple devices by pressing
Shift key and simultaneously dragging the desired device with mouse. You can
also select multiple groups of devices by clicking shift and dragging the mouse
over a group of devices. After selecting the group of devices, you can aggregate
or tag them. If you aggregate devices of different product families, the Cisco
APIC-EM shows them as generic devices (without a device type) and the
number of devices. Multiselect is off by default.
 Search Topology: It searches for a host or device by host name, device
name, device type, or IP address. As you enter information into this field, the
Cisco APIC-EM displays matches. You can select the host or device from the
results that appear. The selected host or device appears in the Topology
window.
  Filters: Allows you to choose a filter that you can apply to the topology
map.
 Zoom out: Adjusts the Topology window's view. Click the - (minus) icon to
minimize the view of the network hosts and devices.
 Zoom in: Adjusts the Topology window's view. Click the + (plus) icon on
the menu bar to maximize the view of the network hosts and devices.
 Toggle Color Code: Toggles between displaying the device icons in
different colors or in a single color. Color coding is enabled by default.
 Tags: It displays the available tags. Clicking on an individual tag highlights
the device or devices in the Topology window that have this tag. You can also
apply tags to devices by selecting the device, clicking Device Tagging in the
Device Information dialog box, and then creating and applying the tags.
 Layers: It displays devices with the following attributes on the topology
map:
o Layer 2—Displays the devices based on the selected VLAN or Layer 2
protocol.
o Layer 3—Displays the devices based on the selected Layer 3 protocol.
o VRF—Displays devices that have Virtual Routing and Forwarding (VRF)
tables.
 Save and Load Options: It displays the following options:
o Save current layout—It saves the current layout, device aggregations, and
labels.
o Load saved layout—It loads the previously saved layout, device
aggregations, and labels options.

Step 3: Click the HQ device icon in the topology to get information on the device.

You can display data for a specific device in the Topology window. Displaying device data
is helpful when troubleshooting network connectivity issues between devices. The device
data that is accessible in the Topology window is also accessible in the Device Inventory
window.
template_version4.0

© 2017 Cisco Systems, Inc.

Discovery 2: Implementing Cisco Network Plug
and Play Solution Using Cisco APIC-EM
Task 1: Implementing Cisco Network Plug and Play
Solution Using Cisco APIC-EM
Activity
Step 1: From wrkstn1, open your Chrome browser and go to https://192.168.1.21 to access
Cisco APIC-EM GUI.
You may see the message on screen that your connection is not private.
Click Advanced and Proceed to 192.168.1.21

You can log in to Cisco APIC-EM GUI using username admin and password Cisco123!.

Step 2: Click the arrow in the upper left and select Network Plug and Play application from
the menu.

Note: You will see the application names only if you click the arrow on top left as shown
above. Otherwise, you will see the symbols for each application.

Step 3: Review the information that is displayed on the Plug and Play application
dashboard.
Cisco APIC-EM dashboard displays a project list and added devices that are not associated
with a project. Right now, you have 0 projects, 0 devices, and 0 unplanned devices.

Step 4: Check the configuration file for router, HQ-CORE saved on the desktop of wrkstn1
in the folder named Plug_and_Play.
You will provision HQ-CORE router using Cisco APIC-EM Plug and Play application. On
the desktop of wrkstn1, you will find a folder that is named Plug_and_Play. Open the
folder and view the configuration file (HQ_CORE.txt). You will be pushing the
configuration to the router using PnP application.

You can go to the console of HQ-CORE router and view the configuration. You will see
that the hostname is "router" and all interfaces are shut down. The router has a default
configuration.

Router# show ip interface brief

Interface IP-Address OK? Method Status
Protocol
GigabitEthernet1 unassigned YES NVRAM
administratively down down
GigabitEthernet2 unassigned YES NVRAM
administratively down down
GigabitEthernet3 unassigned YES NVRAM
administratively down down
Router#
For testing, you can ping the IP address 192.168.1.18 from router HQ console. You will see
that it is unsuccessful as the configuration has not been pushed to the router. The ping test
is unsuccessful because the router is yet not configured with any IP address.
Enable password for HQ is cisco.
Step 5: Create a new project in the PnP application on Cisco APIC-EM to provision and
deploy a new device.
Go back to the wrkstn1 and open the PnP application. The first step for Network Plug and
Play is to preprovision the site. The network administrator will provide all necessary
parameters for the new device before the device is installed. In order to initiate process, you
need to choose the Projects tab at the top.

Step 6: Create a new project and name it —HQ_Site_Devices.

Add a name to the project, type HQ_Site_Devices in the box that is called Project and then
click the Add button. You will then see a pop-up window for Project configuration. You
can specify the TFTP server and path if required.
The tftp server is an option for positioning elements such as image, licenses, and so on
locally at the branch and limit traffic over the WAN in the deployment phase.
In this lab, you will not use a TFTP server. So, you can then click the Create tab.

Step 7: Add a device with name HQ-CORE to the new project created, HQ_Site_Devices.
The product ID will be CSR1000v.
Click Add in the project that is created.

Note: Please do not click Add in the blue box at the top. It is only to create a new project.
Instead, click the Add button lower down in the window as displayed in the figure, next
to Edit, Reset, and Delete buttons.
Once the Device configuration box appears, configure the required parameters. Provide the
name for the new router- HQ-CORE. Next, you need to specify the Product ID (PID) of
new router. Start typing "CSR" and you will notice that a pull-down window automatically
populates with available PIDs. The PID will be Cisco CSR1000v. You need to enter the
Serial Number or MAC address for the router. You can go back to the console of router
HQ-CORE and use the show license udi command to get the serial number.

Router# show license udi

SlotID PID SN UDI
-------------------------------------------------------------
-------------------
* CSR1000V 9TUULHSFFET
CSR1000V:9TUULHSFFET
Router#

Step 8: Upload the configuration file HQ_CORE.txt from the desktop.

You need to upload the configuration file that is saved in the Plug_and_Play folder on
your wrkstn1 desktop. Click the arrow next to config and browse to the file location
of HQ_CORE.txt(desktop>Plug_and_Play) and upload the file. Then click Add button in
the bottom to add the device to the project.

Note: In this lab exercise, you are only uploading the configuration file and not updating
the image.
Step 9: Verify that the device is successfully added, and it is in Pending state.
You will now see that the device HQ-CORE is added. To see the status of the device, click
the Filters tab as shown. You will see that the device status is displayed as Pending.

Step 10: Configure router HQ as the DHCP server with option 43. The DHCP pool name
will be "pnp_device_pool"
The DHCP requirements are:
 DHCP pool name—pnp_device_pool
 Network—192.168.1.0/24
 Default Gateway—192.168.1.1

You need to go to HQ router console, and configure the following:

HQ(config)# ip dhcp pool pnp_device_pool
HQ(dhcp-config)# network 192.168.1.0 255.255.255.0
HQ(dhcp-config)# default-router 192.168.1.1
HQ(dhcp-config)# option 43 ascii
"5A1D;B2;K4;I192.168.1.21;J80
HQ(dhcp-config)# lease infinite
HQ(dhcp-config)# end
Network PnP uses different discovery methods, that is, mechanisms for the Network PnP
agent to find the PnP server (APIC-EM).The method that is used in this lab is DHCP.
When the PnP agent of the new device sends a DHCP request, the response packet contains
the IP address of the PnP server that is populated in option 43.
PnP Device Provisioning Checklist
Before you go the next step, ensure that you have completed the following steps:
 Ensure that the device HQ-CORE has been added with the correct serial
number, Product ID, and configuration file.
 The status should be Pending in the PnP application window.
 HQ router has been configured with the DHCP configuration and option 43.

Step 11: From the HQ-CORE router console, erase the configuration and reload the router.
By performing this step, you can effectively turn the router into the same state as a
completely new device that is received by Cisco.
Router# write erase
Erasing the nvram filesystem will remove all configuration
files! Continue? [confirm]
[OK]
Erase of nvram: complete
Router#
Router#
*Dec 5 11:54:16.627: %SYS-7-NV_BLOCK_INIT: Initialized the
geometry of nvram
Router# reload
Proceed with reload? [confirm]
Step 12: After Cisco CSR 1000v is booted up, check the console of HQ-CORE router to see
the log messages that are related to PnP.
You will see the following message:
*Dec 5 11:56:48.394: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet1, changed state to up
*Dec 5 11:56:48.740: %LINEPROTO-5-U
[OK] (elapsed time was 1 seconds)
PDOWN: Line protocol on Interface GigabitEthernet2, changed
state to up
*Dec 5 11:56:49.006: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet3, changed state to up
*Dec 5 11:56:52.842: %PNPA-DHCP Op-43 Msg: Process state =
READY
*Dec 5 11:56:52.842: %PNPA-DHCP Op-43 Msg: OK to process
message
*Dec 5 11:56:52.842: XML-UPDOWN: PNPA_DHCP_OP43 XML
Interface(102) UP. PID=16
*Dec 5 11:56:52.842: %PNPA-DHCP Op-43 Msg:
_pdoon.1.ntf.don=16
*Dec 5 11:56:52.854: %PNPA-DHCP Op-43 Msg:
_pdoop.1.org=[A1D;B2;K4;I192.168.1.21;J80]
*Dec 5 11:56:52.854: %PNPA-DHCP Op-43 Msg:
_pdgfa.1.inp=[B2;K4;I192.168.1.21;J80]
*Dec 5 11:56:52.855: %PNPA-DHCP Op-43 Msg: _pdgfa.1.B2.s12=[
ipv4 ]
*Dec 5 11:56:52.855: %PNPA-DHCP Op-43 Msg: _pdgfa.1.K4.htp=[
transport http ]
*Dec 5 11:56:52.855: %PNPA-DHCP Op-43 Msg:
_pdgfa.1.Ix.srv.ip.rm=[ 192.168.1.21 ]
*Dec 5 11:56:52.855: %PNPA-DHCP Op-43 Msg:
_pdgfa.1.Jx.srv.rt.rm=[ port 80 ]
*Dec 5 11:56:52.855: %PNPA-DHCP Op-43 Msg:
_pdoop.1.ztp=[pnp-zero-touch] host=[] ipad=[192.168.1.21]
port=80
*Dec 5 11:56:52.855: %PNPA-DHCP Op-43 Msg: _pors.done=1
*Dec 5 11:56:52.855: %PNPA-DHCP Op-43 Msg:
_pdokp.1.kil=[PNPA_DHCP_OP43] pid=16 idn=[GigabitEthernet1]
*Dec 5 11:56:52.855: XML-UPDOWN: GigabitEthernet1 XML
Interface(102) SHUTDOWN(101). PID=16
*Dec 5 11:56:55.838: %SYS-5-RESTART: System restarted --
Cisco IOS Software [Denali], CSR1000V Software
(X86_64_LINUX_IOSD-UNIVERSALK9-M), Experimental Version
16.3(20160624:092502) [v163_throttle-BLD-
BLD_V163_THROTTLE_LATEST_20160624_090103 143]
Copyright (c) 1986-2016 by Cisco Systems, Inc.
Compiled Fri 24-Jun-16 04:16 by mcpre
*Dec 5 11:56:55.913: %CRYPTO-6-ISAKMP_ON_OFF: ISAKMP is OFF
*Dec 5 11:56:55.913: %CRYPTO-6-GDOI_ON_OFF: GDOI is OFF
*Dec 5 11:56:56.675: %SYS-6-BOOTTIME: Time taken to reboot
after reload = 149 seconds got vend id vend spec. info ret:
succeed
*Dec 5 11:57:05.824: %PNP-6-HTTP_CONNECTING: PnP Discovery
trying to connect to PnP server
http://192.168.1.21:80/pnp/HELLO
*Dec 5 11:57:07.835: %PNP-6-HTTP_CONNECTED: PnP Discovery
connected to PnP server http://192.168.1.21:80/pnp/HELLO
*Dec 5 11:57:08.200: %SSH-5-ENABLED: SSH 1.99 has been
enabled
*Dec 5 11:57:08.224: %PKI-4-NOCONFIGAUTOSAVE: Configuration
was modified. Issue "write memory" to save new IOS PKI
configuration
*Dec 5 11:57:09.230: %PNP-6-PROFILE_CONFIG: PnP Discovery
profile pnp-zero-touch configured
*Dec 5 11:57:09.837: %LINK-5-CHANGED: Interface
GigabitEthernet2, changed state to administratively down
*Dec 5 11:57:09.841: %LINK-5-CHANGED: Interface
GigabitEthernet3, changed state to administratively down
*Dec 5 11:57:10.836: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet2, changed state to down
*Dec 5 11:57:10.841: %LINEPROTO-5-UPDOWN: Line protocol on
Interface GigabitEthernet3, changed state to down
*Dec 5 11:57:22.001: %SYS-6-CLOCKUPDATE: System clock has
been updated from 11:57:22 UTC Mon Dec 5 2016 to 11:57:22 UTC
Mon Dec 5 2016, configured from console by vty1.
Dec 5 11:57:22.210: %PKI-4-NOCONFIGAUTOSAVE: Configuration
was modified. Issue "write memory" to save new IOS PKI
configuration
%Error opening tftp://255.255.255.255/network-confg (Timed
out)
%Error opening tftp://255.255.255.255/cisconet.cfg (Timed
out)
%Error opening tftp://255.255.255.255/router-confg (Timed
out)
Dec 5 11:59:59.092: %PKI-6-PKCS12IMPORT_SUCCESS: PKCS #12
Successfully Imported.
%Error opening tftp://255.255.255.255/ciscortr.cfg (Timed
out)
Dec 5 12:00:41.114: %PNPA-DHCP Op-43 Msg: Op43 has 5A. It is
for PnP
Dec 5 12:00:41.114: %PNPA-DHCP Op-43 Msg: After stripping
extra characters in front of 5A, if any:
"5A1D;B2;K4;I192.168.1.21;J80 op43_len: 28

Dec 5 12:00:41.115: %PNPA-DHCP Op-43 Msg:

_pdoon.2.ina=[GigabitEthernet1]
Dec 5 12:00:41.115: %PNPA-DHCP Op-43 Msg: _papdo.2.eRr.ena
Dec 5 12:00:41.115: %PNPA-DHCP Op-43 Msg: _pdoon.2.eRr.pdo=-
1
Dec 5 12:00:53.693: %SYS-5-CONFIG_I: Configured from
192.168.1.21 by snmp

The PnP related messages have been highlighted. Once you see the following message on
the console, you can go to the next step and monitor the status of the device through PnP
application interface on Cisco APIC-EM.
*Dec 5 11:57:05.824: %PNP-6-HTTP_CONNECTING: PnP Discovery
trying to connect to PnP server
http://192.168.1.21:80/pnp/HELLO
*Dec 5 11:57:07.835: %PNP-6-HTTP_CONNECTED: PnP Discovery
connected to PnP server http://192.168.1.21:80/pnp/HELLO
Note: It will take about 20 minutes for the router provisioning to be completed.
Step 13: Check the status of the device on Cisco APIC-EM Plug and Play application
interface.
The device status keeps changing and you can monitor this using Refresh tab above
the Status tab. You will see the following status:
 Getting Device Info
 Waiting for Resource
 Start Provisioning
 Deploying Device Certificate
 Deploying Config
 Provisioned

Below is the snapshot of the final status. It may take about 20 minutes for it to reach the
Provisioned status.
You can view the Device History by clicking on the status Provisioned.

Step 14: Verify that the configuration has been updated on HQ-CORE.
You can check the configuration on the HQ-CORE router using show run command. You
will see that the hostname, username, interface IP address, default route, and SNMP
credentials have been configured on the router. It has the same configuration as in the
HQ_CORE text file that is saved on the desktop. You can also ping the IP address
192.168.1.18 from HQ.
HQ# ping 192.168.1.18
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.18, timeout is 2
seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max =
1/1/2 ms
HQ#
Step 15: Go back to the Plug and Play dashboard where you will see that you now have 1
Project and 1 Device.
Step 16: After you provision the new device using Plug and Play, the PnP uses the
discovery service to automatically add the new device to Cisco APIC-EM inventory.
You can check this action by selecting the Discovery tab where you can see that a new
discovery was automatically created by the PnP process.

It is important to know that this discovery uses the global credentials. For this reason, you
need to have correct global credentials configured if you are going to use the PnP
Application.
Step 17: Select the Device Inventory application where you can see that the router HQ-
CORE, is now in the database.
Bulk Import of Devices Using PnP
You are now going to view how bulk import feature is used in PnP. This feature allows you
to populate projects in bulk as opposed to doing it one by one as you have seen in previous
steps. Network administrators can rapidly populate all the required fields in a spreadsheet
and upload the spreadsheet for fast provisioning. This feature allows you to download a
template that you can use to create your own bulk-import file. After you download the
template, you can complete all the fields and upload for bulk project provisioning.
The steps below are only for demonstration and no action is needed.
Step 18: Click Bulk Import from the Network Plug and Play dashboard and download the
sample that is provided by Cisco APIC-EM using Sample button.

After the file download is completed, open the .csv file with the sample template as shown
below.
You can use this template to create a customized file. You can complete the fields relevant
to your deployment. For each device added, you need to update the product ID, serial
number, and also a reference to a configuration file associated with it.
In this lab, you are not required to make any changes. You can close the spreadsheet and go
back to the PnP application.
Step 19: Choose the Configurations tab from the Network Plug and Play dashboard.
You can upload all the configuration files that are associated with the devices in the Bulk
Import spreadsheet by clicking on the Upload button.

After you upload the configuration files for all devices that are mentioned in the .csv file,
you can import the customized .csv file created using Bulk Import.

template_version4.0
Laboratorio 3

Click here to print this page

Discovery 3: Implementing EasyQoS Using Cisco
APIC-EM GUI
Task 1: Implement Cisco EasyQoS Using APIC-EM
Activity
Step 1: From wrkstn1, open your Chrome browser and go to https://192.168.1.21 to access
Cisco APIC-EM GUI.
You may see the message on screen that your connection is not private.
Click Advancedand Proceed to 192.168.1.21

You can log in to Cisco APIC-EM GUI using username admin and password Cisco123!.

Step 2: Before you go to Cisco EasyQoS, ensure that the devices are listed in the Device
Inventory section. Also, make sure that the global CLI and SNMP credentials have been
configured for the devices.
Navigate to Device Inventory and check if all devices are listed and are in Managedstate.

Navigate to Settings>Device Credentials for the CLI and SNMP credentials.

Step 3: From the navigation pane, go to EasyQoS application.

Click the arrow on top left to see the list of applications and choose EasyQoS.

Step 4: Create a new policy scope and name it as Border_Corporate_Policy.

Click the "+" symbol next to Create new Scopes. Type Border_Corporate_Policy as the
new scope name. Click the green checkmark to validate the scope that is created.

Step 5: Add devices HQ and BR to the created new policy scope.

Choose two devices—HQ, and BR by clicking on it.

Next, drag and drop routers HQ and BR to new policy scope—Border_Corporate_Policy.

Step 6: Click the Application Registry tab on the EasyQoS dashboard.

You can see that there are ten traffic classes and these classes have been grouped into three
buckets that are based on the type of application.
 Control
 Voice/Video
 Data

You can also view the application summary on the right. It highlights the total number of
applications, favorite application, and custom application.
Step 7: Create a custom application by clicking the Add Application button and name it
as Custom_APP. Following are the requirements for the application:
 Server IP: 192.168.1.21
 Port: 8080
 Traffic Class: Transactional Data

Click the Add Application button on the top.

In the Add Application window, select the type as ServerIP/Port.

The new custom application name will be Custom_APP and you need to select Port
Classifier to enter the required parameters.

Enter the server IP address and port. Also, select traffic class as Transactional Data. Then
click the Add button on top right to add the custom application

You will see a warning message and you need to proceed with the step by clicking OK.
This port is typically used for proxy, but in this lab activity, you will override this setting,
which is unlikely to happen in a real network.

Step 8: View the custom application that is created in the Transactional Data traffic class.
Step 9: Mark EIGRP as a favorite application in the Network Control drop-down list.
Scroll down the Network Control list of application to find EIGRP. Click the star next to
EIGRP to mark it as a favorite application.

Favorite applications are applied globally across all QoS policies. They are also pushed
first, before other policies. If your target platform does not take all the applications because
of system limits, the favorite applications are pushed first and therefore guarantees to be
applied always.
Step 10: Check the policy scope and policy name for BGP that is listed in the network
control.
Scroll down the list of applications that are mentioned under Network Control to find
BGP. Click BGP to view the details that are associated with the application.

The policy scope is CVD and the policy name is BUSINESS_RELEVANT_CVD_Policy.

It is a business-relevant application.
Similarly, you can view the details of each application.
Step 11: View the default SP profiles on the EasyQoS dashboard.
Click the SP profile from the dashboard.

There are four default SP profiles.

You can view and edit these profiles by clicking on it. Also, you can create your custom
Service Provider (SP) profile that is based on your network requirements.

For Cisco APIC-EM to identify the WAN interfaces that need dynamic policies, you must
specify the interface type (WAN) and (optionally) its subline rate and service-provider CoS
model.
When Cisco APIC-EM discovers the device and places it in inventory, Cisco APIC-EM
identifies these specifically marked interfaces as WAN interfaces. The subline rate
information is used, to trigger a congestion event on the device when this contracted rate is
reached (even if the physical WAN interface itself is not congested). As a result of the
congestion event, Cisco APIC-EM updates the device configuration with the queuing
policy that reflects the configured business-intent.
Before you can implement a policy of this type, you need to configure the following strings
on the device using the CLI:
 WAN interface: To indicate to Cisco APIC-EM that the interface needs
special handling, you need to include #WAN# in the interface description.
 Subline rate (MB): You need to indicate the interface subline rate by
including #rateM# in the interface description. The rate must be a value below
the actual line rate of the interface.
 Service provider profile: You need to specify one of the following four
Service Provider profiles by including #SPPProfileNumber# in the interface
description.

In this lab activity, the WAN interfaces on HQ and BR have been configured. Go to the
console of router HQ and BR. Check the configuration on the GigabitEthernet2 and
GigabitEthernet1 respectively on HQ and BR.
HQ# show run interface GigabitEthernet2
Building configuration...

Current configuration : 139 bytes

!
interface GigabitEthernet2
description *to BR* #WAN#50M#SSP4#
ip address 172.16.1.1 255.255.255.252
 negotiation auto
cdp enable
end

HQ#
BR# show run interface gig1
Building configuration...

Current configuration : 163 bytes

!
interface GigabitEthernet1
description *to HQ* #WAN#50M#SSP4#
ip address 172.16.1.2 255.255.255.252
ip access-group 101 in
negotiation auto
cdp enable
end

BR#
You are also advised to use the show run command on these two routers and check if any
QoS policies exist on these devices. You will not see any policies that are configured so far.
In the next step, you will apply the QoS policy.
Cisco EasyQoS Workflow
In this lab activity, you have completed the following steps so far :
 Created a policy scope and named it— Border_Corporate_Policy
 Add devices— HQ and BR to the policy scope.
 Created and added a custom application. Also, marked an application as
favorite.
 Reviewed the SP profiles available in EasyQoS dashboard.
 Check the device configuration of HQ and BR. Also, verified that the WAN
interfaces of the two devices have been tagged.

You are now ready to create the policy and apply it.
Step 12: Create a policy and name it as QoS_Policy, and apply it to the two devices HQ
and BR.
Click Policies from EasyQoS dashboard and then click Create Policy.

The policy name will be QoS_Policy.

You can change the business relevance of the applications (including custom application).
There are three different groups—Business Relevant, Default, and Business Irrelevant. You
can simply drag and drop the applications from one group to another, based on your
requirement.
In this lab activity, you will use the default classification of application. Click Apply
Policy to configure the QoS policy. All the applications in the list will be pushed to your
devices with their recommended QoS priority (matching RFC 4594). QoS policies for
applications that are marked with a star, which means that the favorite applications will be
pushed first.

Step 13: Ensure that the policy is applied to the two devices- HQ and BR.
After, you apply the policy, the state will change to Configuring.

If you go to the device console, you will see the following log message. It indicates that the
Cisco APIC-EM( 192.168.1.21) is configuring the QoS policies on the devices.
Oct 7 09:51:10.815: %SYS-5-CONFIG_I: Configured from console
by vty0 (192.168.1.21)
After the policy is applied, the state will again change and the devices will be highlighted in
green.

You can go to device console and verify the policies using the show run command. You
will see several class-maps and policy-maps that are configured. Also, the service policy
will be applied to the interfaces. These configurations are based on Cisco Validated Design
best practices.
template_version4.0

© 2017 Cisco Systems, Inc.

Practica 4

Click here to print this page

Discovery 1: Perform Site Provisioning and
Monitoring Using the Cisco IWAN Application
Task 1: Provision the Hub Site with a Single Data Center
Using the IWAN Application
Activity
Hub Provisioning Using the Cisco IWAN Application: Workflow
Overview

Step 1: From Wrkstn1, open your Chrome browser and go to to access the Cisco APIC-EM
GUI.
You may see the message on screen that your connection is not private.
Click Advancedand Proceed to 192.168.1.21 (unsafe).

You can log in to Cisco APIC-EM GUI using username admin and password Cisco123!.

Step 2: Configure the global credentials before configuring IWAN paramenters. Use the
information from Job aids for it.
Click on the wheel on top right and go to settings and navigate to CLI credentials dialog
box. This needs to be configured when you are logging in for the first time. Enter a user
name and password, then click Add.

The username and password is cisco. Enable password is cisco.

Step 3: From the navigation pane, go to the Cisco IWAN application.
You will see the application names only if you click the arrow on the top left.

Step 4: Click the Configure Hub Site &

Settings option in the IWAN page.
Step 5: Configure the System settings for the hub using the following information:
 NetFlow Destination IP: 192.168.1.24
 NetFlow Port Number: 8093
 SNMP Version: V2C
  Read Community: PUBLIC
 Domain Name: cisco.com

After you click Configure Hub Site & Settings, you will see the following page. Enter the
information that is provided, and then click the Save & Continue button.

NetFlow Collector: Enter the given IP address for the NetFlow collector. It is the IP
address of a NetFlow collector such as the LiveAction application. Application visibility
and performance metrics are sent to the collector.
DNS: Enter the given domain name. You can also enter the IP address of a DNS primary
server, and a secondary server can be specified for redundancy.
SNMP: Enter SNMP server details. Either Cisco APIC-EM can act as an SNMP manager
for managed network devices, or a separate SNMP server can be specified to handle SNMP
traps. SNMP settings determine the inventory from hub and remote site devices, and these
values are reflected in the configuration. Click Show more for SNMP Retries and Timeout,
to change the values for the number of retries and the timeout period.
In the NAT/Proxy IP Address area, select NO. You can Select Yes if the APIC-EM
controller is located behind a NAT router in your network.

The following parameters are optional:

Syslog: You can enter the IP address of a third-party syslog server, to which network
devices send syslog messages.
Authorization, Authentication, Accounting: TACACS is the only supported
centralized AAA service for Cisco IWAN. If a TACACS server is provided, spoke devices
will utilize TACACS for all management access to the spoke devices (SSH and HTTPS).
Whether or not a TACACS service is provided, a local AAA user database is created on the
spoke device, which can be used when TACACS is not available.
DHCP: Enter the IP address of a DHCP server that provides client computers and other
TCP/IP-based network devices with valid IP addresses.
Step 6: Choose the Certified IOS Releases tab.
Selecting an image in Certified IOS Releases is optional if the routers already have the
correct image loaded. In this lab activity, the routers have the image loaded.
Click Continue to proceed to the next tab.

You can upload certified Cisco IOS images from your computer into the Cisco IWAN
application. When a greenfield device comes up, the PnP agent interacts with the PnP
server in Cisco APIC-EM, downloads the appropriate Cisco IOS Software image to the
device, and reloads the device with that image.
If the appropriate software image is not installed on your router, you can follow these steps
to upload the image:
 From the left pane, choose the router type for which you want to upload the
Cisco IOS image.
  Do one of the following: Drag and drop the Cisco IOS Software image file
from your computer into the GUI, or browse to the location where you have
saved the Cisco IOS Software image file and upload it into the system.
 Click Continue.

Step 7: Configure the service providers using the following information.

 WAN Label: MPLS; WAN Type: Private
 WAN Label: INET; WAN Type: Public

Choose the Service Providers tab to view the type of links and the number of service
providers.

Configure WAN labels and the WAN types. In the lab topology, there are two WAN
clouds: MPLS and INET. MPLS will be a private cloud, while INET will be a public cloud.

You can specify up to four links and four service providers. Of the four links, one link can
be metered and public.

Field Description

WAN WAN transport type. This value should not be more than seven characters.
Label Example: MPLS.

WAN Two values: Private (MPLS) or Public (Internet).

Type

Metered Check this option for metered WAN. Leave unchecked for nonmetered
WAN. Note: One link can only be metered, and the metered link is permitted
on a public cloud.
Available QoS models for Service Providers: For an MPLS-facing WAN interface, a set
of predefined service provider profiles are available. You can select the profile that most
closely matches the service provider SLA for the branch sites. Egress QoS queuing will be
applied on the WAN egress to fulfill the service provider SLA.

After you select a profile, the profile details appear on the right side of the window. In this
lab exercise, you do not need to select a profile.
Note: The Cisco EasyQoS application performs end-to-end QoS provisioning, while Cisco
IWAN configures QoS for the WAN-facing interfaces only.
Step 8: Configure the IP address pools using the following information:
 Remote Site Count: 3
 Overlay IP address Pool for MPLS- 10.100.0.0/16
 Overlay IP address Pool for INET- 10.101.0.0/16
  Loopback IP Address Pool- 10.1.1.0/24
 LAN Greenfield IP Address Pool- 192.168.8.0/22

Click the IP Address Pools tab. The remote site count will be 3. To configure a service
provider address pools,go to Service Provider (Overlay) Address Pool section, click +Add
Address Pool . Enter the address pools for INET and MPLS. This pool is for service
provider overlay address needs.
To configure a global address pool, go to Global Address Pool section, click + Add
Address Pool. Enter the IP address for the Loopback Pool and Greenfield Address Pool.
Click Save and Continue to proceed with the configuration.
The Loopback Pool is used to assign IP address for management loopback addresses for
Cisco Performance Routing (PFR).
The LAN Greenfield defines the LAN IP address pool for new greenfield branch devices.
You can have any number of LAN greenfield IP address pools.
The LAN Brownfield defines the LAN IP address pool for brownfield branch devices
(devices with an existing configuration). You can have any number of LAN brownfield IP
address pools.

The IWAN App automatically uses IP addresses from the global enterprise IP address pool
space. When provisioning hub and spoke devices, the IWAN Application uses IP addresses
allocated in the user-configured IP address pools. This includes interface, LAN, VPN
overlay, and routing IP addresses.
One or more LAN greenfield IP address pools can be defined to further refine the branch
LAN side IP address space. If all LAN greenfield IP address pools are exhausted, the global
IP address pool is used.
It is important to define the size of the IP address pools to accommodate the long term
needs of the IWAN site. VPN requirements dictate that subnets must be defined and
allocated internally before any sites are provisioned. In the current Cisco IWAN release,
you can increase the site and service provider counts after initial provisioning, but
you cannot change the IP address pool once specified. Therefore, we recommend that you
account for any future scale of service providers and site sizes when defining the IP address
pools. The service provider IP address pool is used for overlay and loopback addresses.
Optionally, wherever specific IP addresses are required, site-specific LAN and VLAN
requirements can be defined and prioritized over the service provider and global IP address
pools.
The source of information above is from Cisco IWAN user guide. You can refer Cisco
IWAN user guide for more information.
Step 9: Configure the hub site with a single data center.
Choose the IWAN Aggregation Site tab to configure the hub routers with their respective
WAN clouds.
A default hub aggregation site with two data centers, routers, and service providers is
provided. You can add data centers, routers, and service providers as required for your
network. You can create a link by clicking a router and dragging it to a cloud or vice versa.
You can also delete the data centers, routers, service providers, and links if they are not
required by hovering on the network, router, or link and clicking X.
In this lab exercise, you have a single data center, so you need to delete the transit hub.
Click Transit-Hub-1, and you will see an "X" on the top right. You need to delete the
transit hub by clicking the X. You may also need to scroll toward the right to view the
Transit-Hub-1 box.

Step 10: Configure the master controller (MC) using the following information:
 Router Management IP address: 192.168.1.1
 SNMP Version: V2C
 SNMP Read Community: PUBLIC
 SNMP Write Community: PRIVATE
 Protocol: Telnet
 Username and Password: cisco
 Enable Password: cisco

Click the MC router in the hub.

Enter the router management IP address, 192.168.1.1. Click Validate.

The Configure Router dialog appears.

Configure the SNMP and CLI credentials. Also, make sure that you use Telnet as the
protocol.

Note: You can enter these credentials only once. The values will automatically populate to
the remaining hub devices in the system.
The device is verified in the background to determine if it is suitable for provisioning. The
Cisco IWAN application accesses the router and checks its configuration to determine if it
has any configurations that might conflict with the Cisco IWAN application. This
validation process is called the Brownfield Validation.
If the router does not have conflicting configurations, an orange icon appears on top of the
device. It will take a few minutes.
You can go to the HQ-MC router console after adding the device. You will see the
following message on the console. You can also view this message using the show
logcommand.

Dec 12 12:10:40.798: %SYS-5-CONFIG_I: Configured from

192.168.1.21 by snmp
The hub MC is the MC at the primary WAN aggregation site. The MC device has all PfRv3
policies configured. It also acts as the MC for that site and makes path optimization
decisions. There is only one hub MC per Cisco IWAN domain.
Step 11: Configure the two border routers using the following information:
 The router management IP address will be 192.168.1.2 for HQ-MPLS
and 192.168.1.3for HQ-INET.
  SNMP Version: V2C
 SNMP Read Community: PUBLIC
 SNMP Write Community: PRIVATE
 Protocol: Telnet
 Username and Password: cisco
 Enable Password: cisco

Similar to the previous step, validate the border router IP address and configure the settings.
The HQ-MPLS router is the router that is connected to the MPLS cloud.

The values are automatically populated to the border routers as it was entered on the hub
MC. Click Add Device after all given values are entered.
Now, click the HQ-INET router. The router that is connected to the INET cloud will be
HQ-INET.

In the consoles of HQ-INET and HQ-MPLS, you will see the following log message:
Dec 12 12:10:40.798: %SYS-5-CONFIG_I: Configured from
192.168.1.21 by snmp
HQ-MPLS and HQ-INET are the border routers at the hub site. The border router is the
device where the WAN interfaces terminate. A border router collects data from its
Performance Monitor cache and smart probes, provides a degree of aggregation of this
information, and influences the packet-forwarding path as directed by the MC to optimize
traffic.
Step 12: Complete the configuration on the three routers by correctly marking the LAN
interfaces. The interface GigabitEthernet1 will be the LAN interface.
When the device is validated and ready for configuration, a small orange color icon with
dotted lines appears on the device icon, which indicates that the Cisco APIC-EM now has
all configuration and information about these devices in its database. Click the device icon.

Please note that you may see a warning message box as well. You can ignore the warning
in the lab though it is recommended to fix it in real environment. Please select ignore every
time you see the warning box.

While provisioning a brownfield device, the IWAN app performs a validation to determine
whether any configuration conflicts exist. It reports the conflicts in two categories:
 Errors—Conflicts that prevent adding the device to the IWAN network.
 Warnings—Conflicts that do not prevent the device from being added to the
IWAN network. It is recommended to correct the configuration issues that
trigger validation warnings. If the IWAN app detects an error or warning during
provisioning, correct the issue on the device and perform the validation again.
The configure router dialog box appears once you click the device icon. Choose the correct
LAN interface for each router. It will be interface GigabitEthernet1.

Click the device that is connected to the MPLS cloud and mark interface GigabitEthernet1
as the LAN interface.

Similarly, click the device that is connected to the INET cloud and mark interface
GigabitEthernet1 as the LAN interface.

After the LAN interface is marked correctly for all three routers, you will see a green check
mark on each device.

Step 13: Configure the Hub LAN settings. The EIGRP AS number will be 1, and the data
center prefix will be 192.168.1.0/24.
To configure LAN settings for a data center, click the + symbol at the top-left corner of the
Hub Site box. The Configure LAN dialog box will appear.

The values for the Routing Protocol, AS Number, and Data Center Prefix fields (listed in
the following table) are collected from the devices and are autopopulated for ease of
configuration.

Field Description

Routing This protocol is the default routing protocol running on the hub routers.
Protocol Examples: EIGRP, OSPF, BGP

AS Number AS number or area number, depending on the routing protocol. Example:

1

Data Center IP address range for the data center addresses behind the hub, which is
Prefix specified as a prefix. Example: 192.168.1.0/24
Step 14: Configure the MPLS link with a default gateway of 172.16.1.1 and a bandwidth
of 10 Mbps.
Click the + symbol on the MPLS link to configure the parameters.

Step 15: Configure the INET link with the default gateway 209.165.200.202 and a
bandwidth of 12 Mbps.
Hub Site Configuration Check List

Ensure that you have configured the following before you proceed to the next step:
  Deleted the Transit Hub site
 Configured the MC
 Configured the border routers
 Configured the MPLS and INET links
 Configured the hub LAN settings

Step 16: Apply the configuration changes to the Hub site.

Review the checklist that is mentioned in the previous step, and click Save & Continue.

The Hub Site summary box will appear. Once again, review all the configuration settings,
and then click the Apply Now radio button and click Continue.

You will see a message that the configuration has been submitted. Click OK to proceed.

Step 17: Ensure that the Hub site is provisioned without any errors.

The hub provisioning may take about 20 minutes. You can go to the console of HQ-MC,
HQ-MPLS, and HQ-INET routers and observe the log message. You will see the following
log message, which indicates that Cisco APIC-EM is pushing configuration to the devices:
Dec 12 14:59:21.103: %SYS-5-CONFIG_I: Configured from console
by vty0 (192.168.1.21)
You will also see some log messages that are related to EIGRP, IPsec tunnels, and so on.
After the hub provisioning is completed, the Hub Site(s) Status will change to Provisioned.

You can now go to the console of each router in the Hub site and use the show
runcommand to see the configuration changes.
On HQ-MC, some of the configuration changes that you will notice are as follows:
 HQ-MC has been configured as the PfR MC.
 EIGRP has been configured as the routing protocol.

On HQ-INET and HQ-MPLS, some of the configuration changes that you will notice are as
follows:
 Both routers are configured as PfR border routers.
 DMVPN tunnels have been created.
 QoS policy is configured and applied to WAN-facing interfaces.
 There are FVRFs for each WAN transport.

The Cisco IWAN application uses Cisco Validated Designs and Cisco best practices to
configure the WAN devices.
Proceed to branch provisioning only after the hub is provisioned.
Task 2: Provision the Branch Site Using the IWAN
Application
Activity
Branch Provisioning Using the Cisco IWAN Application: Workflow
Overview

How does the Cisco IWAN application make branch provisioning simple and easy to
deploy?
Imagine shipping a new router directly from Cisco to the remote site rather than to your IT
staging facility. Before the device arrives on site, you would have provided some cables
along with a diagram that someone could use in order to cable the device according to the
provided specifications. Perhaps the person on the far end is not part of IT and does not
have the skills that are necessary to plug in cables without you shadowing them. You can
always leverage video from your end to the mobile device of this person, while working
with the individual to ensure that the devices are cabled properly. Once the router is cabled
and turned on, it gets an IP address from the provider and calls home to the Cisco APIC-
EM IWAN application. The software and configuration is then ready to be deployed via the
PnP capability. Setting up PnP Call Home settings on the router can be accomplished by
inserting a USB key with general bootstrap PnP setting on it before the router boots up.
In this lab activity, the remote site device has been powered on, and Cisco APIC-EM has
discovered it using the PnP application. You will provision the device to the branch site.
Step 1: Go to the Network PnP application to view the branch devices that are discovered
by Cisco APIC-EM.
Click the Network Plug and Play icon in the navigation pane. Scroll toward the right to
see the device that is discovered as Unclaimed.

Click Unclaimed to view the discovered device. The device should be in Unclaimed status.
If it is in an Error state, then proceed to the next step; otherwise, you can skip the next step.

Step 2: You need to restart the PnP application if the discovered device is in an Error state.
If you see that the device that is discovered is in an Error state in the PnP application
window, then click the serial number of the device as shown.

Click next to Filters (as shown) to expand the window so that you can view the device
status.

You will notice that the status of the device says Error.
You can click Error to view the log messages. The device is in an Error state because of
communication issues between the PnP server (APIC-EM) and PnP agent (on the branch
router). The branch router has been configured with a PnP bootstrap configuration to enable
it to communicate with the PnP server. In this lab, the PnP server uses a self-signed SSL
certificate for server-side authentication. The server should use the PnP certificate-install
service to instruct the agent to install the server self-signed certificate, and then
automatically reconnect back to the server over HTTPs. (You can read more on this issue in
the "Security Workflow for PnP" topic of this section.) Because there has been an issue
communicating with the device, you will have to restart the PnP process from the server
side.
Selecting the device and clicking Delete would reload the device, and it would start the PnP
sequence again. The PnP agent on the device will reset as instructed by the PnP server
when you reset the rule. In that way, the PnP process can begin again. Select the device
first, and then click Delete.

Click OK to delete the device. The branch router will be reloaded. You can go to the
console of the branch router and monitor the changes.
You will now see the device state change to "Cleaning Device."

After the device is reloaded, it will be deleted from the PnP application page.

When the device comes back up, the PnP agent on the branch router will contact Cisco
APIC-EM, which is the PnP server. The branch router has been configured with the
following PnP bootstrap configuration to make sure that it communicates with the PnP
server (APIC-EM):
pnp profile pnp-zero-touch
transport http ipv4 192.168.1.21 port 80
You will notice that the device is added to the PnP application page. You can monitor the
state changes by refreshing the page.

It will take about 10 minutes until you again see the state change to Unclaimed. Once the
device state is Unclaimed, you can proceed to the next step.
Step 3: Go back to the Cisco IWAN application from the navigation pane.
The device that you see as "Newly Discovered Device" on the top right is the same device
that was discovered using the PnP application. This device will be configured as the branch
router. If the device is in the Error state in PnP, then you will not see it here.

Step 4: Click Set up Branch Sites from the Cisco IWAN home page.
Step 5: Choose the Device(s) tab to view the list of devices.
Choose the Device(s) tab. You will see the device serial number, type (for example,
CSR1000v), and site name. It also displays that the device is discovered using the PnP
application.
Step 6: Configure the site name as New York.
Click UNKNOWN in the Site Name field. Change to New York. Then, click Save.

You cannot proceed to the next step unless you configure the site name.
Step 7: Select the device and click Provision Site.
Click the check box on the left of the device line, and then click Provision Site.

In this step, you have selected the device for provisioning. Now, the configuration wizard
will take you through the various steps to configure the settings for the branch site router.
Step 8: Choose One router with two WAN clouds as the WAN topology for the branch
site.
In this lab activity, the branch is connected to two WAN clouds, MPLS and INET.
Therefore, you will select One router with two WAN clouds as the WAN topology.

Note: The Two Router Configuration option only appears if two devices were selected
previously.
Step 9: Choose the Layer 2 configuration for LAN handoff.
Step 10: Configure the following settings for the branch site:
 Site Name: New York
 POP to Connect: HUB
 Site Location: Select any location in New York state

To choose any location in New York state, click the geographical location in the map.

Field Description

Site Name Site name, which you can change if needed.

Site Click Set Geo to specify the site location on a map. A map opens. Click the
Location site; the Site Location field is populated. Click anywhere outside the map to
exit the map.

POP to Choose the preferred hub site for this branch site from the drop-down list.
connect
Step 11: Configure the MPLS WAN cloud.
 CE IP address: 172.16.2.2/30
  PE IP address: 172.16.2.1/30
 Download & Upload (Mbps): 10
 Service Provider: Default 8-Class Model

Click the + symbol next to the WAN cloud to configure the settings.

The Configure WAN Cloud dialog box appears. The fields in the dialog box are different,
depending on whether the WAN uses the Internet or an MPLS link.

Field Description

WAN Type Public or Private appears, depending on the option that is selected
while configuring service providers in the Service Providers task.

Connect to WAN Connection method.

CE IP address Customer edge server IP address. The value for this field is
autopopulated with the IP address, if you specified static IP addresses
while configuring the hub.

PE IP address Provider edge server IP address. The value for this field is
autopopulated with the IP address, if you specified static IP addresses
while configuring the hub.

Download & Choose a bandwidth for upload and download (in megabits per second)
Upload (Mbps) from the drop-down menu.

Service Provider Choose a service provider model or QoS model from the drop-down
menu. Example: Default 6-Class Model.
Step 12: Configure the INET cloud.
 Static IP address for WAN
 WAN IP address: 209.165.201.201
 Default Gateway: 209.165.201.202
 Upload and Download Bandwidth: 10 Mbps

Click the + symbol on the INET link to configure the settings.

By default, the INET cloud uses DHCP. You need to choose Static IP and configure the
settings.
 Field Description

WAN Type Public or Private appears, depending on the option that is selected while
configuring service providers in the Service Providers task.

Interface Type of interface. Values: T1, E1, or Ethernet.

Type

Connect to Connection method.

WAN

Interface Choose an interface from the drop-down menu.

Example: FastEthernet0/0/0.

Upload Upload bandwidth (in megabits per second).

(Mbps)

Download Choose download bandwidth (in megabits per second) from the drop-
(Mbps) down menu.
Step 13: Configure LAN for the branch site. The branch will only have one VLAN for data
(VLAN 64). The total number of IP addresses should be 100. The LAN interface is
GigabitEthernet3.
Click the + symbol at the bottom of the topology next to LAN. The Configure LAN box
will appear.
Delete all VLANs except data by clicking the "–" symbol.

The VLAN ID is 64 for the Data VLAN, and the total number of IP addresses is 100.

Click Save to save the configuration for the LAN.

Field Description

VLAN Enter a VLAN type or select a VLAN type from the drop-down menu. Values:
Type Data, Guest, Voice, and Video, Wireless.

VLAN ID Range of values: 1–4094.

Total IP Number of chosen IP addresses for hosts in this VLAN.

Branch Site Configuration Checklist
Before you proceed to the next step, ensure that you see a green check mark next to each of
the parameters, as shown in the following figure.

You must go back to previous steps if you do not see the check mark.
Step 14: Click Apply Changes to complete provisioning of the site.
Click Apply Changes at the top right. The Provisioning Site Summary dialog box will
appear.

It gives you the option to Apply Now or Schedule to specify a date and time to apply the
site provisioning by clicking Submit.
Step 15: Monitor the provisioning and ensure that it is successful.

The branch provisioning will take about 15 minutes. You can go to the console of the
branch router to see that the configuration is being pushed from Cisco APIC-EM.
After the branch is provisioned, go back to the Cisco IWAN home page.
Task 3: Make Application Policy Changes Using the
Cisco IWAN Application
Activity
Administer Application Policy
The Administer Application Policy component of the Cisco IWAN application shows how
the business policy-driven view of application classification and QoS provisioning can be
implemented. Application Performance settings has the ability to dynamically switch paths
to preserve a consistent application experience.
Step 1: Click Administer Application Policy from the Cisco APIC-EM home page after
the hub and branch sites are provisioned.
After hub and branch provisioning, click Administer Application Policy.

The IWAN app operates with the Cisco NBAR2 Protocol Pack, which runs on routers
within the IWAN network. NBAR2 categorizes network application traffic using the
individual protocols in the Protocol Pack, in addition to any user-defined custom protocols.
(“Protocols” define how NBAR2 categorizes a specific network application.) The IWAN
app shows the applications defined by the NBAR2 Protocol Pack, grouped by application
category.
Step 2: Click the Categorize Applications box from the application page.
Use the Categorize Applications tab to view, edit, move, and add custom applications. you
can view all of the installed applications in an alphabetized list or view the applications by
category. You can also search for a specific application. To view the applications by
category, click the By Application Category / By Applications drop-down list, and select
View By Application Category .
You can move applications into different categories by simply drag and drop.

To edit application information, click on the pencil icon next to the application. The
information about the application appears on the right. You can then edit the application by
clicking on Edit on top.

Step 3: Click Add Application to provide details of a new application.

Click Add Application, and the editing box will appear on the right. You can add custom
applications to your network using this feature.

Step 4: To define the application policy groups, click Define Application Policy.
Applications are grouped into categories, such as Voice and Video. The categories form
part of the following business groups: Business Critical, Default, and Business Irrelevant.

Step 5: Click the down arrow next to a category, such as Social Networking, to change the
application performance in the category to perform the following actions:
 Enable or disable application performance.
 Enable or disable path preference.
 Choose the primary and secondary paths.

As you can see in the figure, you can enable application performance simply by sliding the
bar next to it. You can select the Path Preference radio button. Social Networking is a
business irrelevant application, and so the primary path is INET and secondary is MPLS.
You can change the path based on your requirements.
Step 6: Move an application category using drag and drop.

In this lab exercise, you will not make any changes to the application. If any change is
made, it needs to be saved by clicking Apply Changes.

Task 4: Monitor and Troubleshoot Using the Cisco

IWAN Application
Activity
Monitor Sites Using the Cisco IWAN Application
The Cisco IWAN application has a centralized policy automation engine that helps
guarantee that all sites run the business policies that are intended by the administrator. You
can monitor the sites using the Cisco IWAN application.
Step 1: In the IWAN home page, click Monitoring to monitor the IWAN sites.

The map displays all provisioned sites.

The green color indicates that the sites are provisioned successfully. If the site is marked in
red, it indicates that the site has an issue because of application, bandwidth allocation, and
so on.
Step 2: Click the branch site, New York, to view the site details.
Click the sites to get more information regarding site topology and IP address allocation.

Troubleshoot Sites Using the Cisco IWAN Application

Troubleshooting is not a part of the lab activity, so no action is required.

To check the status of the application, choose the Application Health tab to view the
application usage on the site in a graphical format.
The graph displays the following:
 Various applications that are configured for the site
 Bandwidth usage for each application

Choose the Troubleshooting tab to troubleshoot the application when the hub or branch
site application health is critical, as shown in the following figure.

In addition to detecting the application that is causing the issue, the system also provides
suggestions to improve the site. For example, if a site uses more bandwidth, the system
suggests adjusting the bandwidth among the various applications to provide more
bandwidth to the application that is causing the issue.
Practica 5

Click here to print this page

Discovery 5: Troubleshooting Using Cisco APIC-EM

Path Trace Applications
Task 1: Troubleshooting Using Cisco APIC-EM Path Trace
Applications
Activity
Step 1: From wrkstn1, open your Chrome browser and go to https://192.168.1.21 to access the
Cisco APIC-EM GUI.

You may see the message on screen that your connection is not private.
Click Advancedand Proceed to 192.168.1.21

You can log in to the Cisco APIC-EM GUI using username admin and password Cisco123!.

Step 2: Navigate to the Device Inventory tab from the home page and ensure that all devices are
in Managed state.

From the Cisco APIC-EM homepage, click the arrow in the upper left and choose Device
Inventory from the menu. You will see four devices—HQ, HQ-SW, BR, and BR-SW. Ensure that the
device is in Managed state. You may need to wait for a couple of minutes if the device status is In-
progress.

Before you begin Path Trace, make sure that you have devices in your inventory. If not, discover
devices using the Discovery function. Also, ensure that the controller has SSHor Telnet access to
the devices.

Step 3: Navigate to the Path Trace tab.

From the Cisco APIC-EM homepage, click the arrow in the upper left and choose the Path
Trace option.

This screenshot displays the Path Trace window. Next, click Start new Path Trace.

Step 4: The source device for the path trace will be HQ-SW.

In the Source drop-down field, enter the IP address of the host or the Layer-3 forwarding interface
where you want to start the trace.

In this lab activity, choose HQ-SW( 192.168.1.15). Using this Path Trace application, you will trace
the path from a particular source (HQ-SW) to destination (BR-SW). You need to click twice.

Step 5: The destination for the path trace will be BR-SW.

In the Destination drop-down field, choose the BR-SW device. You will need to click twice.

In this lab activity, you need to select BR-SW (192.168.2.15).

Step 6: Check the additional options that are available in the Path Trace application. Make sure
that the traced path refreshes every 30 seconds.

Click More Options to show the Source and Destination Ports, and Protocol options, which are all
optional features. You will not use the optional features in this lab exercise.

In the Source Port field, you can enter the port number of the host where you want to end the
trace.

In the Destination Port field, you can enter the port number of the host where you want to end
the trace.

In the Protocol field, choose tcp or udp from the drop-down menu for the Layer-4 path trace
protocol. This step is useful if you want to trace the path that is taken by a specific application,
especially useful in networks that have multiple links and ACLs in the path.

To configure the path trace to refresh every 30 seconds, you can check the Periodic Refresh (30
sec) check box. The default timer is 30 seconds. You can run the test for up to 24 hours

Step 7: The path trace should also include all device and interface related statistics.

To configure the path trace to collect additional statistics, click the Include Stats option. Select
the Device and Interface statistics for this lab exercise.
You can collect the following statistics from path trace tool.

 QoS: Collects and displays information about quality of service

 Interface: Collects and displays information about the interfaces on the devices along the
path.
 Device: Collects and displays information, such as a device's CPU and memory usage.
 Perf Mon: Collects and displays performance monitoring information about the devices
along the path

Step 8: The result should also list access-lists if any, in the path being traced between the two
devices.
To configure path trace to perform access-list analysis, check ACL Trace. An ACL path trace shows
whether the traffic matching your criteria would be permitted or denied based on the ACLs that
are configured on the path.

Next, click the Start Trace button to begin the path trace.

Step 9: Review the result of the path trace.

After you run a path trace, the results will be displayed in the Path Trace window.

The Path Trace Toolbar provides the following options and information:

 Filters: This option allows you to search for path traces by source or destination IP
address, source or destination ports, protocol, creation date, or gathered statistics (QoS, Device,
Interface, Perf Mon, and ACL trace).
 Start new Path Trace: This option displays a dialog box where you can define the
parameters for your path trace.
 Copy icon: This option allows you to create a new path trace using the parameters that are
defined in the selected (source) path trace. You can keep any of the values from the source path
trace and change, add, or deselect any parameters for the new path trace.

Step 10: You can collect the device and interface related statistics from the Path Tracewindow.

Click Device stats to view the device statistics that is related to CPU and memory usage.
Click View status next to interface to view the interface statistics. It includes the administrative
status of the interface, input packets, input queue drops, output packets, output drops, and so on.

The controller graphically displays the path direction and the hosts and devices (including their IP
addresses) along the path between the source and destination. Clicking an individual device in the
path trace highlights the device in the Trace Results Device Details area.

Trace Results Device Details

Name Description

IP IP address of the device

Type Wired or wireless device (access point, switch, or router)

Link Source Information about the link between two devices (source and destination).

Link information is based on the configuration of the source device. Some of the
examples are BGP, EIGRP, Inter-VLAN Routing, ECMP, Switched, Static, Connected,
and so on.

Ingress Ingress interface of the device for the path trace (physical or virtual).
interface

Egress Egress interface of the device for the path trace (physical or virtual).
interface

VRF If Path Trace detects a VRF on a router, it displays the VRF in the

graphical display and provides the interface name and VRF name

In this lab activity, you can see that the EIGRP is running between the two routers, HQ and BR, and
this status is displayed in the path trace.

Step 11: You can also view the access-lists in the Path Trace result.

In this lab activity, an access-list 101 is configured on BR. You can see that the access-list is
configured on interface GigabitEthernet1. Click View Matching ACEs to review the ACL.
The following rules affect the ACL path trace results:

 Only the matching ACEs are reported.

 If you leave out the protocol, source port, or destination port when defining a path trace,
the results include ACE matches for all possible values for these fields.
 If no matching ACEs exists in the ACL, the flow is reported to be implicitly denied.

You can log in to router BR and check this access-list.

BR# show run interface GigabitEthernet1
Building configuration...

Current configuration : 299 bytes

!
interface GigabitEthernet1
ip address 172.16.1.2 255.255.255.0
ip access-group 101 in
negotiation auto
end

BR# show access-list 101

Extended IP access list 101
30 deny tcp 192.168.1.0 0.0.0.255 any eq www
40 deny tcp 192.168.1.0 0.0.0.255 any eq smtp
50 deny tcp 192.168.1.0 0.0.0.255 any eq ftp
60 deny tcp 192.168.1.0 0.0.0.255 any eq ftp-data
70 permit ip any any (21804 matches)
BR#

Step 12: Trace the path for the return traffic between the two device HQ-SW and BR-SW.

Click the Show Reverse option to show the return traffic.

Step 13: Check the path that has been traced using the topology view.
Click View in Topology in the upper right-hand corner.

A new tab opens up with a topology that highlights the path from the HQ-SW to the BR-SW.

It would make more sense when you have multiple paths to a destination. It highlights the path
that is taken in that case. You can see an example here.

In the case of multiple paths, Path trace can detect which path (or which paths) is taken by each
application that you target based on IP address and port. Path trace can also detect the routing
protocol that is running along the path, and which ACL may affect your target application. With
PerfMon, you can also see the performances of the chosen path.

template_version4.0

© 2017 Cisco Systems, Inc.

Practica 6

Click here to print this page

Discovery 1: Site Provisioning with NFVIS on Cisco

UCS C220 M3 Server Using OAM Servers
Task 1: Check Integration of OAM Servers—Cisco APIC-EM,
Cisco Prime Infrastructure, and Cisco ESA.
In this task, you will perform following steps.

 Explore Cisco ESA and check the OAM server integration details in Cisco ESA.
 Verify that the device templates in Cisco Prime Infrastructure are synchronized with Cisco
ESA.
 Review the credential profile configuration that is preconfigured for Cisco ISRv and ASAv
deployment.
 Verify that the virtual images for VNFs are available in Cisco Prime Infrastructure.

Do not change user credentials in any of the OAM servers. Since these credentials are used for
integration, and changing these credentials will affect functioning of lab setup.
Activity
Step 1: In this step, you will explore Cisco ESA and the different sections available in the Cisco ESA
Web GUI.

Cisco ESA Web GUI provides access to following sections:

 Device Management: This section allows you to add and view the Cisco UCS devices that
are used for NFVIS provisioning.
 Branch Management: This section allows you to add and view the Branch locations to be
provisioned with NFVIS.
 Profiles: This section allows you to create, delete, and clone the branch profiles, and map
the profiles to the branch.
 System Configuration: This section allows you to view the system configuration options
for Cisco ESA.
 Deployments: This section allows you to view the deployments that are running in Cisco
ESA.
 Information: This section allows you to view more information about Cisco ESA.

Log in to Cisco ESA using the login credentials that are provided in the Job Aid section.
From PC01, open chrome browser and go to https://192.168.2.7. Log in to Cisco ESA with
username admin and password Prime123#.

Please do not try the wrong password more than three times, it will lock the account and you will
need to restart the lab.

If you get error (Your connection is not private), click on Advanced. Then, click Proceed to
192.168.2.7. From here, you should see the Cisco ESA home page. Log in with Cisco ESA
credentials.

The Cisco ESA Web GUI menu is displayed on the left side of the pane. Click the small circle that is
displayed on the top-left corner of the screen, to toggle between the views. You can view the
menu as icons only or icons with names.

Step 2: Before you create the branch profile, it is recommended to check the integration of OAM
servers. Check whether the Cisco APIC-EM and Cisco Prime Infrastructure are integrated into Cisco
ESA. Also, verify that the Cisco APIC-EM and Cisco Prime Infrastructure systems are active and
connected. You can verify the integration details in the System Configuration section in Cisco ESA.

Navigate to Configuration>System Configuration>APIC-EM, notice that the Cisco APIC-EM

credentials are configured already. Click the Check Connection button, note that the External
System is up message will be displayed at the bottom of the screen. You can also view the status
as Connected on the top-right corner of the window.

Following are the Cisco APIC-EM credentials that are configured to integrate with Cisco ESA.

Name APIC

Username/Password admin/Cisco123!

Protocol HTTPS

Host 192.168.2.16

Port 443
Choose Prime Infrastructure option, note that the Cisco Prime Infrastructure credentials are
configured already. Click the Check Connection button, note that the message External System is
up will be displayed at the bottom of the screen. You can also view the status as Connected on the
top-right corner of the window.

Following are the Cisco Prime Infrastructure credentials that are configured to integrate with Cisco
ESA.

Name PI

Username/Password admin/Prime123!

Protocol HTTPS

Host 192.168.2.17

Port 443

JMS Secret Key Prime123!

The Cisco APIC-EM and Cisco Prime Infrastructure credentials are provided during installation of
Cisco ESA. JMS Secret Key is used for communicating network operations between Cisco ESA and
Cisco Prime Infrastructure.

Step 3: In this step, you will check verify that the device templates are synchronized with Cisco
Prime Infrastructure in Cisco ESA. The device templates are stored in Cisco Prime infrastructure,
and when Cisco ESA is integrated with Cisco Prime infrastructure, the device templates gets
synchronized with Cisco ESA. However, it is recommended to check the synchronization status
before creating a branch profile. You will use Configuration section to manually sync the templates
and verify that synchronization is successful.

Click Configuration and choose Manual Sync option, which opens up a page to manually
synchronize external and internal changes. Click the Sync CLI Templatesbutton, note that
the Synchronization started message will be displayed at the bottom of the screen.

Click the notification icon on the top-right corner of the screen and view the CLI Template
Synchronization Completed messages, which confirm that the CLI templates are synchronized
with Cisco Prime Infrastructure. The notification section stores the messages that are related to
template synchronization, branch provisioning status, and reachability status of VNFs that are
installed on NFVIS.

Step 4: In this step, you will check the credential profile that is pre-configured in Cisco ESA. The
credential profile is pre-configured with login credentials and SNMP configuration that the VNFs
ISRv and ASAv will configure during deployment on the NFVIS. You will need to select the
credential profile for Cisco ISRv and ASAv while provisioning the branch in later part of the
discovery task. In this step, you will verify the configuration in the Configuration section.

In Configuration section, choose Credential Profiles option.

Review the credential profile that is named cisco. This credential profile will be used by Cisco ISRv
and ASAv while provisioning the branch. Choose the Edit option.

The SNMP configuration that is listed in the credential profile is pushed to virtual devices during
Cisco ESA provisioning process. Cisco ESA and Cisco Prime Infrastructure use these SNMP
configurations to monitor the devices. You can click the Cancel button as parameters are already
configured. You can create multiple credential profiles, and use any of the required profiles during
branch provisioning.

Name cisco

Version SNMPv2c

Read Community cisco

Write Community cisco

Protocol SSH2

Username/Password cisco/cisco
 Name cisco

Enable Password cisco

Step 5: When deploying branches, you will deploy Cisco ISRv and ASAv virtual devices. In this step,
you will check the virtual images that are available for the platform, to ensure a consistent
deployment throughout your network. You will log in to Cisco Prime Infrastructure and check
the Inventory section.

Note that the device pack and critical fixes software for Cisco ESA is installed with Cisco Prime
Infrastructure.

From PC01, go to https://192.168.2.17, provide username root and password Prime123!.

You will get the message requesting to add licenses as shown in following figure. Please ignore
adding licenses to Cisco Prime Infrastructure. Select "Do not show on startup" and click
the OK button.

Click on the top left bar next to Cisco Prime Infrastructure and open the navigation bar. Navigate
to Inventory > Virtual Image Repository.

Note that the Cisco ISRv and ASAv images are uploaded to Cisco Prime Infrastructure. While
designing branch profile, provide the image names of Cisco ASAv and ISRv in the profile template
in Cisco ESA. It is a best practice to check if necessary virtual images for the VNFs, which need to
be installed on NFVIS during branch provisioning are uploaded to Cisco Prime Infrastructure.

template_version4.0

Task 2: Access NFVIS Via CLI—Check Platform, Interface

Details, and Restart PnP Agent
Activity
In this task, you will perform the following steps

 Note down the serial number of the Cisco UCS C220 M3 Server.
  Check the system WAN and LAN interface details.
 Check the platform details.
 Restart PnP agent on NFVIS.
 Review additional NFVIS show commands.

Step 1: In this step, you will note down the serial number of the Cisco UCS C220 M3 Server. You
need to provide this serial number in the Cisco ESA while adding the device for branch
provisioning in Device Management section in Cisco ESA. This device will be identified in the Plug n
Play operations using the serial number of the Cisco UCS server. Use the show platform-
detail command in the NFVIS exec prompt to complete the step.
On PC01, go to terminal, type ssh 192.168.2.2 –l admin on the command prompt and provide
password Prime123#

You can use the show ? command to view available show command options.
cisco@cisco:~$ ssh 192.168.2.2 -l admin

Cisco Enterprise Network Function Virtualization Infrastructure

Software (NFVIS)

NFVIS Version: 3.6.1-FC3

Copyright (c) 2015-2017 by Cisco Systems, Inc.

Cisco, Cisco Systems, and Cisco Systems logo are registered
trademarks of Cisco
Systems, Inc. and/or its affiliates in the U.S. and certain other
countries.

The copyrights to certain works contained in this software are

owned by other
third parties and used and distributed under third party license
agreements.
Certain components of this software are licensed under the GNU GPL
2.0, GPL 3.0,
LGPL 2.1, LGPL 3.0 and AGPL 3.0.
admin@192.168.2.2's password:

admin connected from 192.168.2.20 using ssh on nfvis

nfvis#
nfvis# show ?
Possible completions:
banner-motd User's banner and/or message of the day
configuration Display configuration changes
debug-logs Display debug logs
history Display CLI command history
log Display all log files or content of a log
monitor Configure SPAN sessions
notification Display notifications
platform
platform-detail Show the hardware info of the box
pnp Display pnp current configuration
resources Display resources (CPU) information
running-config Display current configuration
snmp SNMP configuration
system NFVIS system
system-monitoring Display host and vnf stats
version Display NFVIS version
vm_lifecycle This module contains a collection of YANG
definitions
related to VM lifecycle management
vm_packages VM package configuration
vm_vnic_stats Show VM vnic statistics

Execute the show platform-detail command to view the platform details. Note down the serial
number of the Cisco UCS C220 M3 Server that is displayed in the command output.
nfvis#
nfvis# show platform-detail
platform-detail hardware_info Manufacturer "Cisco Systems Inc"
platform-detail hardware_info PID UCSC-C220-M3S
platform-detail hardware_info SN FCH1911V2EV
platform-detail hardware_info hardware-version 74-10442-02
platform-detail hardware_info UUID 1792D30A-E924-0B40-BE70-
1F17159B9906
platform-detail hardware_info Version 3.6.1-FC3
platform-detail hardware_info Compile_Time "Friday, August 18,
2017 [17:24:15 PDT]"
platform-detail hardware_info CPU_Information "Intel(R) Xeon(R)
CPU E5-2640 v2 @ 2.00GHz 16 cores"
platform-detail hardware_info Memory_Information "32648536 kB"
platform-detail hardware_info Disk_Size "998.0 GB"
platform-detail hardware_info CIMC_IP NA
platform-detail software_packages Kernel_Version 3.10.0-
514.10.2.el7.x86_64
platform-detail software_packages QEMU_Version 1.5.3
platform-detail software_packages LibVirt_Version 2.0.0
platform-detail software_packages OVS_Version 2.3.2
platform-detail switch_detail UUID NA
platform-detail switch_detail Type NA
platform-detail switch_detail Name NA
platform-detail switch_detail Ports 8

PCI
NAME TYPE MEDIA LINK SPEED MTU MAC
DETAIL
------------------------------------------------------------------
-----------
eth0 physical Twisted Pair up 1000 1500 b0:aa:77:96:b7:cc
01:00.0
eth1 physical Twisted Pair up 1000 1500 b0:aa:77:96:b7:cd
01:00.1
nfvis#

You can view the status of the WAN and LAN interfaces, which is displayed as "up." The first port
(Eth0) is always assigned as WAN port and Second port (Eth1) is assigned as LAN port.

Step 2: In this step, you will check the interface details of NFVIS using the show system settings-
native wan command, you will notice that NFVIS receives an IP address for WAN interface via
DHCP. You will also notice that the PnP server configuration details are received from router
csr1kv.

Execute the show system settings-native wan command to view the WAN interface details.
Use q to exit during show command listing, to return to enable prompt.
nfvis# show system settings-native wan
system settings-native wan ip-info interface wan-br
system settings-native wan ip-info ipv4_address 192.168.2.2
system settings-native wan ip-info netmask 255.255.255.252
system settings-native wan ip-info ipv6_address
fe80::b2aa:77ff:fe96:b7cc
system settings-native wan ip-info prefixlen 64
system settings-native wan ip-info mac_address b0:aa:77:96:b7:cc
system settings-native wan ip-info mtu 1500
system settings-native wan ip-info txqueuelen 1000
system settings-native wan ip-info secondary-ip 0.0.0.0
system settings-native wan ip-info secondary-ip-netmask 0.0.0.0
system settings-native wan stats rx_packets 708840
system settings-native wan stats rx_bytes 78585759
system settings-native wan stats rx_errors 0
system settings-native wan stats rx_dropped 166
system settings-native wan stats rx_overruns 0
system settings-native wan stats rx_frame 0
system settings-native wan stats tx_packets 143638
system settings-native wan stats tx_bytes 34903434
system settings-native wan stats tx_errors 0
system settings-native wan stats tx_dropped 0
system settings-native wan stats tx_overruns 0
system settings-native wan stats tx_carrier 0
system settings-native wan stats tx_collisions 0
system settings-native wan dhcp enabled
system settings-native wan dhcp offer true
system settings-native wan dhcp interface wan-br
system settings-native wan dhcp fixed_address 192.168.2.2
system settings-native wan dhcp subnet_mask 255.255.255.252
system settings-native wan dhcp gateway 192.168.2.1
system settings-native wan dhcp lease_time 4294967295
system settings-native wan dhcp message_type 5
system settings-native wan dhcp name_servers 192.168.2.1
system settings-native wan dhcp server_identifier 192.168.2.1
system settings-native wan dhcp renewal_time 2147483647
system settings-native wan dhcp rebinding_time 3758096377
system settings-native wan dhcp vendor_encapsulated_options
"5A1N;B2;K4;I192.168.2.16;J80"
system settings-native wan dhcp domain_name cisco.com
system settings-native wan dhcp renew 2085-09-27T11:05:09-00:00
system settings-native wan dhcp rebind 2136-10-11T19:30:39-00:00
system settings-native wan dhcp expire 2153-10-16T14:19:17-00:00
system settings-native wan vlan tag untagged

Note that NFVIS receives an IP address of 192.168.2.2 for WAN interface via DHCP. It also receives
the PnP server configuration details from router csr1kv.The Cisco APIC-EM IP address 192.168.2.16
is received as PnP server address. Note that the WAN interface is associated with WAN Bridge
(wan-br).

Run the show system settings-native mgmt command to view the management interface details.
nfvis# show system settings-native mgmt
system settings-native mgmt ip-info interface lan-br
system settings-native mgmt ip-info ipv4_address 192.168.1.1
system settings-native mgmt ip-info netmask 255.255.255.0
system settings-native mgmt ip-info ipv6_address
fe80::f46e:f6ff:fe43:3c47
system settings-native mgmt ip-info prefixlen 64
system settings-native mgmt ip-info mac_address b0:aa:77:96:b7:cd
system settings-native mgmt ip-info mtu 1500
system settings-native mgmt ip-info txqueuelen 1000
system settings-native mgmt stats rx_packets 457477
system settings-native mgmt stats rx_bytes 21065579
system settings-native mgmt stats rx_errors 0
system settings-native mgmt stats rx_dropped 0
system settings-native mgmt stats rx_overruns 0
system settings-native mgmt stats rx_frame 0
system settings-native mgmt stats tx_packets 8
system settings-native mgmt stats tx_bytes 648
system settings-native mgmt stats tx_errors 0
system settings-native mgmt stats tx_dropped 0
system settings-native mgmt stats tx_overruns 0
system settings-native mgmt stats tx_carrier 0
system settings-native mgmt stats tx_collisions 0
system settings-native mgmt dhcp disabled
nfvis#

Note that the management interface of NFVIS is configured as 192.168.1.1. This IP address is the
default IP address that is assigned to management interface during NFVIS installation process.

The management interface is associated to LAN Bridge and LAN network, so administrators can
directly connect their PC to LAN interface (Eth1), and configure PC in 192.168.1.0/24 network with
192.168.1.1 as their default gateway. This method is also used in cases where there is no WAN
connectivity to headquarters. This method is applicable for smaller deployments. For example,
when it is required to access NFVIS directly from onsite to provision the VNFs on NFIVS without
OAM servers.

Step 3: After the first installation of NFVIS on a host server, the PnP agent starts immediately. You
may encounter two types of scenerios that you will review in this step.

Scenario 1: The PnP agent running in the NFVIS automatically discovers the PnP server. In this lab,
APIC-EM is the PnP server. The PnP server information is passed to NFVIS using the DHCP
configuration on the CSR1KV gateway router. Please refer to the topology diagram for network
connections.

Log in to the Cisco APIC-EM. Go to https://192.168.2.16, provide username admin and

password Cisco123! You may see the screen message that your connection is not private.
Click Advanced and Proceed to 192.168.2.16. Navigate to Network Plug and Playsection. You will
observe the UCS C220 M3 Server identified as "Unclaimed". Click Unclaimed to display the details.

Notice that the Serial No, IP address, and Product ID of the Unclaimed device will be displayed
with status as Unclaimed.

Proceed to the following steps if you do not see the device listed as "Unclaimed" in the step
above.

Scenario 2: Sometimes the PnP agent communication with PnP server does not happen
automatically despite receiving the PnP server information from DHCP server. Hence, you will not
see the device in the PnP application on APIC-EM as shown below:

In this case, you need to configure the following pnp commands in the NFVIS.
nfvis# config t
Entering configuration mode terminal
nfvis(config)# pnp static ip-address 192.168.2.16 port 443
transport https cafile /etc/pnp/certs
nfvis(config)# commit

nfvis(config)# end
nfvis# pnp action command restart
nfvis# show pnp status
pnp status response "PnP Agent is running\nserver-connection\n
status: Success\n time: 21:59:30 Sep 20\ndevice-info\n status:
Success\n time: 21:59:27 Sep 20\nbackoff\n status: Success\n time:
21:59:30 Sep 20\ncertificate-install\n status: Success\n time:
21:53:38 Sep 20\ncli-exec\n status: Success\n time: 21:54:46 Sep
20\ntopology\n status: Success\n time: 21:54:56 Sep 20\n"
pnp status ip-address 192.168.2.16
pnp status port 443
pnp status transport https
pnp status cafile /etc/pnp/certs/trustpoint/pnplabel
pnp status created_by dhcp_discovery
pnp status dhcp_opt43 1
pnp status dns_discovery 1
pnp status cco_discovery 1
pnp status timeout 60
nfvis#

After configuring the above commands, log in to the APIC-EM and repeat the steps in the first
scenario to ensure that you can see the device in "Unclaimed" state in the PnP application.

If you are still do not see the UCS device in the “Unclaimed” state in the PnP application, configure
following commands to disable automatic discovery using dns and restart the PnP agent.
nfvis(config)# pnp automatic dns disable
nfvis(config)# end
Uncommitted changes found, commit them? [yes/no/CANCEL] yes
Commit complete.

nfvis# pnp action command restart

nfvis# show pnp status
pnp status response "PnP Agent is running\n"
pnp status ip-address 192.168.2.16
pnp status port 80
pnp status transport http
pnp status cafile ""
pnp status created_by dhcp_discovery
pnp status dhcp_opt43 1
pnp status dns_discovery 0
pnp status cco_discovery 1
pnp status timeout 60
nfvis#

NFVIS supports both enable and configuration modes. The enable mode allows administrators to
execute the show commands. The ping and trace commands are available to troubleshoot basic
connectivity issues. The configuration mode allows administrators to change the NFVIS
configuration for WAN and Management interfaces.

 show running-configuration—Displays NFVIS running configuration

 show system networks—Displays NFVIS networks details
 show system status—Displays NFVIS system status
 show system deployments—Displays VNFs that are deployed in NFVIS, displays
deployment names of the VNFs
 show vm_lifecycle—Displays VM lifecycle information that is managed by Elastic Service
Controller (ESC)

template_version4.0
Task 3: Design Profile in Cisco ESA
Activity
In this task, you will design the branch profile in Cisco ESA. The designing process involves
following steps:

 Add devices to be provisioned in Cisco ESA.

 Add the branch locations to be provisioned in Cisco ESA.
 Design Branch profile and select the virtual network functions (VNFs).
 Select the pre-defined validated branch topologies.
 Select template for the profile and configure parameters for VNFs, and finally map the
profile to single or multiple branches as per customer requirement.

Add Devices

Add Devices

Add Devices to be Used: The Devices option allows the administrators to add the Cisco UCS device
to be used for branch provisioning. These devices are typically the Cisco UCS C-Series Server or
Cisco 4000 series ISR that is installed with Cisco UCS E-Series Server Module. As a prior step to
adding devices to branch management section, these devices are installed with NFVIS. Cisco ESA
identifies devices using the unique serial number, later PnP server uses this serial number to
communicate with PnP agent that is running on the NFVIS platform. The Devices section also
allows administrators to monitor the reachability of VNFs, such as Cisco Adaptive Security Virtual
Appliance (ASAv), and Cisco Integrated Services Virtual Router (ISRv) that are provisioned on the
NFVIS platform. The detailed information about the VNFs is available in Cisco Prime infrastructure.

The administrators can also add multiple devices for provisioning, with the use of CSVtemplate file.
To add multiple devices, the administrator needs to download the sample CSV template file,
populate the devices names and serial numbers in the format that is specified in the template, and
then import the CSV file into Cisco ESA.

Step 1: As a first step in the Branch provisioning, you need to add the device. In this lab activity,
the device refers to the Cisco UCS C220 M3 Server. Therefore, add Cisco UCS C220 M3 Server for
branch provisioning in Cisco ESA. Go to Devices section and add the device details.

Navigate to Devices and click Add devices.

Click Add Single Device button.

Provide the information in the mandatory section that is marked with * symbol. Provide the Cisco
UCS C220 M3 Server serial number, which is noted down in earlier step. Choose the device type
as UCS and provide hostname as C220-M3S. Click the Savebutton to save the details.

Navigate to the Device Management option under Devices to view added device.

Add Branches

Add Branches

Add the Branch locations: The Branches section enables administrators to add branches, which
need to be provisioned. The WAN link provides the connectivity between the branch where the
device is installed and the headquarters. Cisco ESA is integrated with the Google map facility,
which autopopulates the location co-ordinates on the map when the address fields are provided
for branch location. The Branches Map View option allows the administrators to view the status of
the branch provisioning process.
The administrator can also add multiple number of branch locations for provisioning by using CSV
template file. To add multiple branch locations, the administrator needs to download the sample
CSV template file, populate the location names and address details in the format that is specified
in the template, and import the CSV file into Cisco ESA.

Step 2: After adding the device for branch provisioning, add the details about the branch to be
provisioned, you will add a branch and name it as San Jose. Also, provide Cisco Systems San Jose
office address in the address field.

Navigate to Branches and choose Add Branches option.

Next, click the Add Single Branch button.

Provide the necessary information in the mandatory section that is marked with * symbol. Create
a branch with name—San Jose, Street—170 West Tasman Drive, City name—San Jose, zip code—
95134, State—California, and Country—United States. When you finish entering the mandatory
information, click Save.

View the created branches using either Branches Map View or Branches Table Viewoption.

The Branches Map View option displays operation and deployment status of the branches. You
can zoom in and zoom out to view the branches that are installed at different locations.

Design Branch Profile and Select Virtual Network Functions

Design Branch Profile and Select Virtual Network Functions

Design Branch Profile: Cisco ESA allows administrators to create profiles for branch provisioning.
The process of creating profiles includes selecting the hardware platform such as the Cisco UCS C-
Series Server or Cisco UCS E-Series Server. Also, the process includes selecting VNFs such as Cisco
ASAv, ISRv, Virtual Wide Area Application Services (vWAAS), and Virtual Wireless LAN Controller
(vWLC) via graphical editor. The administrators can use the graphical editor to select the Cisco UCS
container, and then drag and drop the VNFs into the selected Cisco UCS container. Use the option
to draw the topology with required branch networks such as WAN, Service, and LAN networks, or
use a topology from Cisco validated topologies that are highlighted on the right side of the
graphical editor; the validated topologies are available in the form of built-in templates with
branch networks. After the topology is selected, administrators can provide the hostname and IP
address details of WAN Network (WAN Net), Service Network (Service Net), and LAN network (LAN
Net) of VNFs to be provisioned. The VNF images are stored in Cisco Prime Infrastructure in *.tar.gz
file formats. Cisco ESA obtains the details such as the image location, and image profile details
from Cisco Prime Infrastructure.

Based on the customer requirements, the completed profiles are submitted for approval. These
profiles are either approved by specific approver, or an administrator can select the auto approve
option. The option to have a separate approver other than the administrator, provides customer
to be compliant with ITIL change management system. The User Management under
the Configuration option enables the administrators to create users with different roles such as
administrators, viewers, and approvers.

Map profile to single or multiple branches: The approved profiles can be mapped to a single
branch or to multiple branches. After the profile is mapped to branch, administrators can either
provision the branch immediately or schedule to provision it later. During the provisioning
process, an administrator needs to choose the device serial number that needs to be associated
with branch profile, and verify the hostname and IP address details of the VNFs. An administrator
can modify the IP address details of VNFs, so that they can control the device serial number to
branch profile mapping efficiently.

The mapping of device serial number to branch is a one to one mapping. For example, a particular
Cisco UCS C-Series Server that is installed in San Jose is mapped to San Jose branch. But, the same
profile can be cloned and mapped to a different device in another branch location with the facility
to change hostname and the IP address details, during provisioning VNFs.

Step 3: In this step, you will create a branch profile to provision VNFs such as Cisco ASAv and ISRv
on the NFVIS platform. First, you need to select a container or device for installing VNFs.
Next, you need to select the VNFs that need to be installed on the NFVIS. Note that this
container or device is already installed on NFVIS platform that is placed at the branch
location. You will create branch profile either using graphical interface in Cisco ESA or you
can use existing Cisco validated topology template.

Navigate to Profiles, and choose the Create New Profile option.

Choose the UCS Container from the left pane in the NF container section. Drag and drop the UCS
container to the right side white area as displayed in following figure.

After selecting the UCS Container, Choose the network functions that need to be provisioned on
the Cisco UCS server. In this lab activity, you will use Cisco ISRv and ASAv virtual devices. Drag the
ISRv icon from the NETWORK FUNCTIONS section and drop into the UCS container. Repeat the
same procedure for Cisco ASAv.

Once, you have added the ISRv and ASAv, the matching template on the right will have vBranch-
ISRv-ASAv turned green.

There are two options to add connections from ISRv and ASAv to the networks—service-net,
mgmt-net, lan-net, and wan-net networks.

Option 1— Note the small black circle next to the Cisco ISRv icon, and note that service-net,
mgmt-net, lan-net, and wan-net networks that are displayed in the box can be used to graphically
allocate the virtual devices to corresponding networks. The lan-net is used to route the traffic from
branch network to VNFs, the service-net is used to route the traffic between VNFs, and the wan-
net is used to route the traffic from VNFs to WAN network. The mgmt-net is used to route the
management traffic for VNFs from headquarters, it is used for monitoring the VNFs.

You can use the small black circle icon, and create connection from Cisco ISRv and ASAv to the
networks that are listed at the bottom of the container manually.

Option 2— In this option you can use the template to create the connections. On the right side of
the screen, the vBranch-ISRv-ASAv template is highlighted, roll over the mouse over the
highlighted green dot, you will see that the View option below to green dot, click View and choose
the template. Click the Use Template button.

Create new profile and name it C220-M3S. Click the default profile name created and change it to
C220-M3S.

Let’s discuss in detail about the networks and bridges that are used by VNFs to route traffic
between the branch network and headquarters:

 Service-net: The VNFs are service chained and service-net is used to route traffic for
service chaining purpose. You need to provide the IP address and subnet mask for service-net
for Cisco ISRv. Similarly, provide the IP address and subnet mask for Cisco ASAv, and default
gateway for ASAv as service-net IP address of ISRv. The service-net is associated with Service
Bridge (service-br) in NFVIS.
 LAN-net: The lan-net is mapped to interface Eth1 and local LAN traffic from the branch
network enters NFVIS via LAN-net port (Eth1), and LAN-net is associated with LAN Bridge (lan-br)
in NFVIS.
  WAN-net: The WAN-net is mapped to interface Eth0, and WAN traffic from headquarters
enters the NFVIS device via wan-net port (eth0). WAN-net is associated with WAN Bridge (wan-
br) in NFVIS. You need to provide the IP address and subnet mask for WAN-net, and IP address
of headquarters router that wan link from NFVIS connects to acts as the default gateway for
Cisco ISRv. The WAN-net is associated with wan-br (internally) in NFVIS. The wan-br has two
interfaces, these interfaces are associated with 1) WAN interface of NFVIS, IP address used login
to NFVIS box remotely from headquarters, 2) WAN interface of Cisco ISRv router that traffic
from local LAN network is routed to headquarters WAN router.
 Mgmt-net: The Mgmt-net is used for routing management traffic. You need to provide
management IP address for Cisco ISRv and ASAv. The Cisco ISRv management IP address serves
as a default gateway for Cisco ASAv management traffic.

Step 4: In this step, you will provide the configuration parameters for Cisco UCS C220 M3 Server. In
order to provision the UCS device from Cisco ESA, you need to provide the username and
password for Cisco UCS device.
Click UCS that is displayed inside the container.

Configure username admin and password Prime123# for Cisco UCS device. Please make sure that
you do not use any other password.

template_version4.0

Task 4: Deploy Cisco ISRv and ASAv on NFVIS

Activity
In this task, you will perform following steps to deploy Cisco ISRv and ASAv on NFVIS:

 Understand service chaining of the VNFs—Cisco ISRv and ASAv.

 Understand NFVIS flow handling in Cisco UCS C220 M3 Server.
 Configure the parameters for VNFs—ISRv and ASAv.
 Submit the branch profile for approval and manually provision the branch.
 Monitor the branch provisioning status in Cisco ESA and observe the stages in provisioning
VNFs.

Service Chaining of Cisco ISRv and ASAv

In order to deploy Cisco ISRv and ASAv on NFVIS, these VNFs are service chained using the
concepts of network and bridges. The below figure illustrates the service chaining of ISRv and ASAv
configured in the lab exercise. The understanding about the service chaining key factor in
provisioning the VNFs, especially the designing of IP addressing schema for VNFs depends on how
the VNFs are service chained. In addition to service chaining, you will review the NFVIS flow
handling in Cisco UCS 220 M3 server for both data traffic flow and management traffic flow.

Cisco ASAv acts as transparent firewall and service-net and lan-net are bridged to interface BVI10.
The traffic from WAN enters Cisco ISRv and hits wan-net (Eth0) associated with wan bridge (wan-
br) and ISRv forwards traffic to the service-net that is associated with service bridge (service-br) to
ASAv and ASAv inspects packet and forwards to lan-net that is associated with lan-br. The Branch
LAN PCs connected to LAN use service- net IP address 192.168.1.2 on Cisco ISRv rotuer as their
default gateway. Since, the first hop for Branch Network PCs is located on Cisco ISRv as ASAv acts
transparent firewall acting in transparent in-line mode while processing the packets that are
flowing from WAN to LAN network.

NFVIS Flow Handling in Cisco UCS C220 M3 Server

Following figure illustrates the flow handling in Cisco UCS C220 M3 Server for WAN to LAN traffic
in the Cisco UCS C220 M3 Server that is used in the lab activity.

Following figure illustrates the flow handling in Cisco UCS C220 M3 Server for out-of-path
management that is used for routing the management traffic in Cisco C220 M3 Server that is used
in this lab activity. Cisco ISRv and ASAv are configured with management IP address that is used
exclusively for monitoring purpose by Cisco ESA and Cisco Prime Infrastructure. The traffic from
WAN (from OAM servers) hits wan-net that is associated with wan-br and forwards it to mgmt-net
and mgmt-br, and to corresponding management interface on Cisco ISRv and ASAv. The routing is
configured on the headquarters WAN router to route the management traffic via Cisco ISRv back
to OAM servers.

Step 1: In this step, you need to provide the configuration parameters for Cisco ISRv. You will
provide the IP address, gateway for Service-net, Wan-net, and Management-net for Cisco ISRv.

Click the ISRv icon that is displayed inside the container.

Configure following parameters for Cisco ISRv.

Parameters Data

Domain cisco.com
Name
 Parameters Data

Hostname isrv

WAN IP 192.168.2.12
Address

WAN 255.255.255.0
Network
Mask

WAN 192.168.2.1
Gateway IP
Address

Service IP 192.168.1.2
Address

Service 255.255.255.0
Network
Mask

Management 192.168.3.1
IP Address

Management 255.255.255.0
Network
Mask

Image https://192.168.2.17/imgrepo/isrv-
Location universalk9.16.06.01.tar.gz

Image Profile ISRv-mini

In this is a lab environment, we are using Cisco UCS C220 M3 Server and need to keep the resource
utilization to minimum, so make sure that you choose ISRv-mini image profile. The image profile
contains details for the memory and CPU requirements for deploying VNF images.

The screen shows ISRv-mini resource utilization; vCPU count—1, Memory Size—4096 MB, Disk
Size—8192 MB.

The image details are autopopulated with Cisco Prime Infrastructure hostname, image folder, and
image name. In this lab activity, you will use the IP address for Cisco Prime infrastructure instead
of hostname, click the image location field and type https://192.168.2.17/imgrepo/isrv-
universalk9.16.06.01.tar.gz and press Enter.

The Cisco ISRv and ASAv image names and location that is provided in Cisco ESA template are case-
sensitive. Branch provisioning will fail if the image names and location are given incorrectly. Check
for any misspelling before submitting the profile.

Step 2: In this step, you need to provide the configuration parameters for Cisco ASAv. You will
provide the IP address, gateway for Service-net, Wan-net, and Management-net for Cisco ASAv

Click the ASAv icon that is displayed inside the container.

Configure following parameters for Cisco ASAv.

Parameters Data

Domain Name cisco.com

Hostname asa

Service Bridge 192.168.1.3

IP Address

Service Bridge 255.255.255.0

Network Mask

Service Bridge 192.168.1.2

Gateway IP
 Parameters Data

address

Management 192.168.3.2
IP Address

Management 255.255.255.0
Network Mask

Management 192.168.3.1
Gateway IP
Address

Image Location https://192.168.2.17/imgrepo/asav951-

201.tar.gz

Image Profile ASAv10

In this is a lab environment, we are using Cisco UCS C220 M3 Server and need to keep the resource
utilization to minimum, so make sure that you choose ASAv10 image profile. The image profile
contains details for the memory and CPU requirements for deploying VNF images.

The screen shows ASAv10 resource utilization; vCPU count—1, Memory Size—2048 MB, Disk Size
—8192 MB.

The image details are autopopulated with Cisco Prime Infrastructure hostname, image folder, and
image name. In this lab activity, you will use IP address instead of hostname, click the image
location field and type https://192.168.2.17/imgrepo/asav951-201.tar.gzand press Enter.

Step 3: In this step, you need to submit the profile that is created for Cisco ISRv and ASAv for
approval. In this lab activity, the administrator is the approver, you can create separate users as
approver for approving the created branch profiles. The user management section in Cisco ESA
allows you to create users with various roles. You need to save and submit the profile for approval
and you can check the approver settings in the configuration section.

In continuation to the previous step, click the Save and Submit for Approval button to submit the
profile for approval.

Note that the profile is auto-approved and status is updated as Approved.

Navigate to Configuration > System Configuration > Workflow, note that the Branch Profile auto
Approve option is selected.

Step 4: In this step, you need to map the approved profile to the Branch. Cisco ESA allows the
administrator to create multiple Branch locations and map the profile to the Branch location,
which helps the administrator to provision multiple branches with same profile configuration. This
feature eliminates the need for creating multiple profiles for multiple branch locations. You need
to use Profiles section in Cisco ESA.

Navigate to Profiles > Available Profiles > Actions, which display the available actions, and
choose Map to Branch option.

Choose San Jose branch. Notice that when you choose the branch, color of the box turns green.
Click Next to move to next stage.

Click Next to review the Cisco APIC-EM and Cisco Prime Infrastructure details.

Click Next to proceed to the branch provisioning.

Step 5: In this step, you will provision the branch. When the profile is approved and mapped to
branch, you have options to provision the branch manually or save the deployment process to
resume later by exporting it to excel sheet. In this step, you will provision the branch immediately
using manual process.

In continuation with the previous step, click the Provision Manually button.
You need to select the Cisco UCS device, and select the serial number of the device to be
provisioned.

Choose ISRv and provide same management IP address (192.168.3.1) that is provided in earlier
step, when you configured the parameters for Cisco ISRv. Choose the credential profile that is
named cisco.

Choose ASAv and provide same management IP address (192.168.3.2) that is provided in earlier
step, when you configured the parameters for Cisco ASAv. Choose credential profile that is
named cisco.

Notice that the branch provisioning has been initiated. In next step, you will monitor the
provisioning activity.

Step 6: In this step, you will monitor the branch provisioning status in Cisco ESA and in Cisco APIC-
EM. During this step, you can toggle between Cisco ESA and Cisco APIC-EM Network Plug and Play
section to monitor the branch provisioning status.

Navigate to Branches > Branches Map View to view the list of provisioned branches.

Click the Branch icon that is displayed in the map, note the change in the color from blue to
orange, which indicates that the branch provisioning is in progress. Choose the Deployment
Status option in the top-right corner, you can view the provisioning status changing from one to
stage to other. Also, you can click View Provisioning Details to view the provisioning in detailed
manner.

Navigate to Cisco APIC-EM, and choose Network Plug and Play section. In the dashboard section,
you can view the status of device provisioning as In-Progress. You can refresh the Cisco APIC-EM
Network Plug n Play section web page to verify the updated status.
Navigate to Cisco ESA, notice that the provisioning status is moving from one stage to other. You
can click the circle with tick mark or circle show with loading symbol to view the provisioning stage
in brief. Normally, the provisioning process consumes 10 to 20 minutes, you can view the
provisioning status changing from one stage to other.

Return to Cisco APIC-EM, refresh the window in Network Plug and Play section and verify that the
device is provisioned.

After Cisco ISRv and ASAv are deployed in NFVIS, wait for few minutes for Cisco ISRv and ASAv
devices status to be changed to Reachable in the Device Managementsection.

You can click the View Provisioning Details button that is shown in the Branches Map
View section or choose Deployment Status in Deployments main menu, and in the current
deployment you will find details of the deployments. This option provides comprehensive
administration of VNFs from Cisco ESA application after the VNFs are provisioned on NFVIS.

In the next step, you will verify the connectivity from Cisco ISRv and ASAv, and test the traffic flow
from branch to Internet.

template_version4.0

Task 5: Verify the Traffic Flow from Branch Network to

Internet
Activity
In this task, you will perform following steps to verify deployments in NFVIS and traffic flow from
branch network to Internet.

 Verify device reachability in Cisco ESA

 View detailed information about Cisco ISRv and ASAv in Cisco Prime Infrastructure
 Verify deployed VNFs—Cisco ISRv and ASAv via NFVIS Web GUI
 Test the connectivity from branch network to Internet (from Cisco ISRv, ASAv and from
Ubuntu PC02)

Step 1: In this step, you will test the traffic flow from branch network to Internet, and verify the
Cisco ISRv and ASAv deployments in NFVIS Web GUI.
Click the View Provisioning Details button, you will find the option to log in to Cisco ISRv and ASAv
via VNC console. Click the option to open the VNC console for Cisco ISRv.

The browser may block the pop-up window for ISRv. Please click top right on browser and allow all
pop-ups from https://192.168.2.7.

It opens the VNC console window for Cisco ISRv, wait for few minutes for Cisco ISRv to boot up and
enter enable prompt.

Execute the show ip interface brief, ping 192.168.2.1, and ping 8.8.8.8 commands from Cisco
ISRv. Notice that the ping response is successful, which confirms the connectivity to the gateway
router and Internet. Notice that interface Gig1 of Cisco ISRv is assigned with the IP address
10.20.0.2, which is used for internal system monitoring that is configured within NFVIS, and it is
associated with int-mgmt-network and int-mgmt-bridge. This interface configuration is different
from the management interface Gig4 that is configured with IP address 192.168.3.1, which used
for Cisco ISRv management traffic that is routed back to OAM servers for monitoring and collecting
statistics from Cisco ISRv.

Note: The IP address 8.8.8.8 is Google Public DNS IP address. Google Public DNS is a Domain Name
System (DNS) service that is offered by Google. It functions as a recursive name server that
provides domain name resolution for any host on the Internet.

Click the Open VNC Console option to open the VNC console for Cisco ASAv.

It opens VNC console window for Cisco ASAv, wait for few minutes if Cisco ASAv is still booting up
and enter enable prompt.

Execute the show ip interface brief and show bridge-group commands to display the interface IP
address and bridge-group details. Notice that interface Gig0 and interface Gig1 are bridged to
interface BVI10 with Service Bridge IP address 192.168.1.3 and Management interface IP address
is 192.168.3.2. Cisco ASAv acts as transparent firewall in the LAN segment.
Execute the ping 192.168.2.1 command to verify the connectivity to the gateway router. You can
execute other show commands in Cisco ISRv and ASAv to verify the connectivity and traffic flow.

On Ubuntu PC02, go to terminal, type ping 192.168.1.2 (ISRv IP address that is configured as
default gateway for PC02) or ping 8.8.8.8 command on command prompt. Verify that the traffic
flows from PC02 to the destination via Cisco ISRv and ASAv devices.

Step 2: In this step, you will verify Cisco ISRv and ASAv deployments in NFVIS Web GUI.

Log in to NFVIS Web GUI, go to https://192.168.2.2, and use username admin and
password Prime123#. Click Home in the menu that is listed on the left pane. You can view the VM
status, VM Resource allocation, and Host Utilization.

Note that NFVIS Local Management allows the administrators to register, deploy, and manage
VMs as a standalone deployment without OAM servers. This standalone deployment model can be
used in small deployments and where the WAN connectivity is not available. In this step, you will
explore the options in NFVIS web portal for Cisco ASAv and ISRv that are deployed via OAM
servers.

Choose the Image Repository option under VM Life Cycle menu to view Cisco ISRv and ASAv
images names of that are deployed in NFVIS. You can also view image profiles for Cisco ASAv and
ISRv.

Choose the Deploy option under VM Life Cycle menu to view Cisco ISRv and ASAv that are
deployed in NFVIS, you can view the topology.

Choose the Networking option under VM Life Cycle menu to view networks and bridges.

Choose the Manage option under VM Life Cycle menu to view Cisco ISRv and ASAv deployments.
In this version of NFVIS, Cisco ISRv deployment is named as CSR. Click the icon that is marked
below CSR and ASA to log in to Cisco ISRv and ASAv.
Step 3: In this step, you will verify the monitor capabilities of Cisco ESA and Prime Infrastructure
for virtual devices that are provisioned on NFVIS platform.

Navigate to the Device Management section in Cisco ESA, choose ALL as filter criteria, so that both
physical and virtual devices will appear in the list. Notice that the status of Cisco ISRv and ASAv is
marked as Provisioned and both devices are REACHABLE.

Click Actions, and choose View the details in PI from the available options, which navigates you to
the Cisco Prime Infrastructure to view more details of the virtual device. Make sure that the popup
is not blocked in the chrome browser settings. If the popup blocker enabled, disable the popup
blocker for https://192.168.2.17. The username is root and password is Prime123! for Cisco Prime.

In Cisco Prime infrastructure, the details such as device summary, environment, location, memory,
modules, physical ports, and interfaces are available. Cisco Prime Infrastructure provides
comprehensive device management capabilities for VNFs that are deployed on the NFVIS platform.

template_version4.0

VNF Deployment Failures

The VNF deployment may fail because of following reasons:

 Incorrect Image location and Image names that are given in Profile for Cisco ISRv and ASAv
 Cisco APIC-EM and Prime Infrastructure are not reachable from Cisco ESA
 Mismatch in serial number of device that is given in Cisco ESA and learned from Cisco
APIC-EM

If deployment fails, perform the following steps:

 Delete current deployment and restart PnP agent in NFVIS. Also, verify that the OAM
servers are reachable.
 Verify the image names and location that are given for VNFs in profile template.
 You can clone the existing profile, populate parameters, and resubmit for approval.
 Reprovision the branch.

If the Branch provisioning fails, go to the Deployments section in Cisco ESA, choose
the Deployments Status option, and select to view the existing deployments, then delete the
existing deployment and restart PnP agent in NFVIS. Deleting the deployment in Cisco ESA will
delete all images and deployments that are associated with VNFs in NFVIS. Also, it will delete
related configurations in the Cisco APIC-EM and Prime Infrastructure. Repeat the lab procedure.
Note that you can clone the existing approved profile with different name and repeat the process.

Practica 7

Task 1: Serial Connection to the Catalyst 3560-C

Series Switch
 Step 1:

Click the PuTTY icon on the desktop to open the PuTTY application.

 Step 2:

You have a serial connection to the Cisco Catalyst 3560-C Series Switch from your lab PC.
Click Open. If you need the IP address, it is 192.168.1.92.

 Step 3:

When the serial session opens, the switch will require user access verification. You will see
a password prompt; type the password C1sc050 for the Catalyst 3560-C Series Switch, and
press Enter. This password is case-sensitive.

Password: C1sc050

CMX_Test_Switch>

 Step 4:

The switch will display the prompt CMX_Test_Switch>. To reach the privilege-level
prompt, enter enable at the prompt. The switch will return the password prompt. Type
the enable secret password cisco. If successful, the prompt will change to
CMX_Test_Switch#.

Password:
 CMX_Test_Switch> enable

Password: cisco

CMX_Test_Switch#

Task 2: Locate the 3700 Series Access Points

 Now that you are in the switch, you need to locate the AP that has the Hyperlocation
antenna and module in it. To test Hyperlocation effectively, you need to add at least three
APs with the Hyperlocation antenna and module to your test network; four APs with this
configuration is optimal. Once you can configure one AP with Hyperlocation, you can
configure all the others easily.

Use the show cdp neighbors command to locate the Cisco Aironet 3700 Series Access
Points (AP3700).

 Step 1:

Type show cdp neighbors and press Enter.

Password:

CMX_Test_Switch> enable

Password:

CMX_Test_Switch# show cdp neighbors

Capability Codes: R - Router, T - Trans Bridge, B - Source

Route Bridge Host,

S - Switch, H - Host, I - IGMP, r -

Repeater, P - Phone,

D - Remote, C- CVTA, M - Two-port

Mac Relay

Device ID Local Intrfce Holdtme

Capability Platform Port ID

BobNetSW Las 0/11 179

S I WS-C3560- Fas 0/3

APb838.6181.0520.hsdl.ga.comcast.net.
 Fas 0/3 164
T B I AIR-CAP37 Gig 0

BLIGGETT-JG69D Fas 0/9 145

H MSI on Wi Local Area Connection

CMX-Test1 Fas 0/1 176

H AIR-CT250 Gig 0/0/1

CMX_Test_Switch#

 As you can see, you have a single AP3700 connected to the FastEthernet port 0/3 on the
switch; you can determine this connection by the device ID or the platform type. Notice
the device IDs. The AP is the device that has an ID that starts with AP. The remainder of
the ID is the base MAC address. The platform type is AIR-CAP37, which is an AP3700.

Now, you will need to determine the amount of inline power that is being supplied by the
switch port.

 Step 2:

To determine the amount of inline power that is supplied by the switch to the AP3700,
enter at the prompt show power inline FastEthernet 0/3.

CMX_Test_Switch# show power inline FastEthernet 0/3

Interface Admin Oper Power

Device Class Max

(Watts)

-------------------------------------------------------------
-------------------------------------------------------------
----------

Fa0/3 auto on 16.8 AIR-

CAP3702I-A-K9 4 30.0

Interface AdminPowerMax
AdminConsumption

(Watts)
(Watts)
 -------------------------------------------------------------
-----------------------------------

Fa0/3 30.0
30.0

CMX_Test_Switch#

 Take note that the switch port is supplying 16.8 W of power, but can supply up to 30 W of
power.
 Step 3:

If you do need to increase the power for some reason, you would go to the interface
where the AP is connected. In this case, it is interface FastEthernet 0/3. You would need to
enter configuration mode by typing configure terminal and then pressing Enter. Then,
enter interface configuration mode by typing the interface FastEthernet 0/3 command.
Then, enter the power inline port 2x-modecommand to change the power that is supplied
by the switch to the AP.

CMX_Test_Switch# configure terminal

Enter configuration commands, one per line. End with CNTL/Z.

CMX_Test_Switch# interface FastEthernet 0/3

CMX_Test_Switch (config-if)# power inline port 2x-mode

CMX_Test_Switch (config-if)#

 Step 4:

Type end to exit configuration mode.

CMX_Test_Switch# config t

Enter configuration commands, one per line. End with CNTL/Z.

CMX_Test_Switch# interface FastEthernet 0/3

CMX_Test_Switch (config-if)# power inline port 2x-mode

CMX_Test_Switch (config-if)# end

CMX_Test_Switch#
  Step 5:

Minimize the PuTTY application by selecting the minimize option at the upper-right
portion of the page.

Be sure to select the inside minimize button for the PuTTY application, not the desktop
minimize option.

Task 3: Configure the WLC to Support Hyperlocation

 In the next steps, you will configure the WLC. The WLC that you have in your lab is a Cisco
2504.
 Step 1:

To log in to the Cisco 2504 WLC, double-click the Google Chrome icon from the desktop.
Then, go to the URL field and enter the website https://192.168.1.98. Press the Enter key
to continue.

 Step 2:

On the Wireless LAN Controller splash page, click the Login button at the center of the
page to begin the login process.

 Step 3:

Enter the security credentials to access the WLC. Enter the username admin and the
password 1234QWer. Entries are case-sensitive. Click the Log In button.

 Step 4:

The WLC will open the Monitoring screen. Go to the top right of the screen and
click Advanced. The Monitor page is displayed.

 Here is a view of the Monitor screen. From this view, you can see the following:
 o The management IP address is 192.168.1.98.
o The software version is 8.3.102.0.
o The system name is CMX_Test1.
o The WLC has been up for a few hours.

Scroll down to look down at the Access Point Summary information. You will see that one
AP has joined the WLC and has been initially configured for 802.11a/n/ac.

 Step 5:

Next, you will view the AP that has joined the WLC. Click the Wireless tab from the toolbar
at the top of the screen. The All APs page is displayed.

 The screen provides you with a wealth of information. This view is the left half of the
screen. Using the scroll bar at the bottom of the page, scroll to the left of the page. This is
the base MAC address of the AP and will be used as the name of the AP until you change
it. The red arrow on the right shows the PoE Status. You need PoE/Full Power to support
the Hyperlocation module and antenna. As indicated by this output, you are ready to go.

 Step 6:

Using the same scroll bar at the bottom of the page, scroll to the right side of the screen.
You will want to verify the Primary SW Version. You are using version 8.3.102.0, as shown
by the left red arrow. The Hyperlocation module and antenna have been installed on the
AP but not activated. The right red arrow shows the current Hyperlocation status as
Disable.

 Step 7:

Next, you will enable Hyperlocation. Under the Wireless tab, on the left menu bar, under
the Access Points section, click Global Configuration. Then, using the scroll bar on the far
right, scroll down to the bottom of the page to configure Hyperlocation.
 Take a look at the Hyperlocation Config Parameters area on this screen. Several
parameters can be changed here.

First, you need to enable Hyperlocation. Click the Enable Hyperlocation radio button to
enable this feature.

Now you have the option of changing the values for Packet Detection RSSI Minimum
(dBm) and the Scan Count Threshold for Idle Client Detection. The Packet Detection RSSI
Minimum is the minimum level at which a data packet can be heard by the Cisco Wireless
Security Module (WSM), and it is used for location calculations. The default value is –100
db; it is recommended that increase this value if you would like to have only strong signals
used in calculating locations. For example, if you are in a retail environment and you leave
the default at –100 db, you may see more devices outside your retail establishment, which
may or may not be useful information, or not. Adjusting this value to –95 or –90 db may
change the amount of information that the Wi-Fi network can provide. You may see fewer
devices passing your store but gather better location information from the devices in your
store. This value will be left at default.

The second value that can be changed is the Scan Count Threshold for Idle Client
Detection. The Scan Count Threshold represents the number of off-channel scan cycles
that the AP will wait before sending a BAR to idle clients. The default value is 10, which
corresponds to about 40 seconds, depending on the number of channels in the off-channel
scan cycle. This value will be left at default.

The last parameter is the NTP Server IP address. For Hyperlocation to work properly, all
the APs need to synchronize to the same NTP server. If your organization uses more than
one NTP server, it would be a good idea to make sure that the Wi-Fi network only uses a
single NTP server. The reason to use a single NTP server is that all need to sync to one NTP
server for accurate time. If AP A hears a signal at time Z and AP B hears the same signal at
time X, it is because they are using different NTP servers. Even though the time difference
may be tiny, this time difference will make locating the Wi-Fi device very difficult and lead
to inaccuracies in location. If all the APs use the same NTP source, they will report the
same signal more accurately, and Cisco Connected Mobile Experiences (CMX) will be able
to locate the device on a floor plan map much more accurately.

 Step 8:

Click the Enable Hyperlocation check box, and then select the NTP Server text box.

 Step 9:
 Enter 128.138.140.44 in the NTP Server text box as your NTP server source. This source is
located at the University of Colorado, Boulder, campus.

 Cisco CMX Location services require as much accurate information as you can provide. If
your measurements or timings are off, then the accuracy that Cisco CMX can provide will
be much less accurate than what you may expect.
 Step 10:

Once you have made your configuration changes, scroll to the top of the page and click
the Apply button at the top right of the screen. Then, click OK in the popup window.

 Step 11:

Verify that Hyperlocation has been enabled on the AP by using the scroll bar on the right
and scrolling to the bottom of the page.

 Step 12:

The next step is to configure a WLAN for a client to join so that Cisco CMX can calculate
their location. Click the WLANs tab at the top of the screen. Once you are on the WLANs
screen, click the Go button to create a new WLAN.

 Step 13:

Next, enter a new WLAN Profile Name and SSID. Use CMX_Test for your Profile Name and
SSID. Then, click the Apply button to add the new WLAN.

 Step 14:

The WLANs > Edit CMX_Test screen will open next. You need to change the status of the
new WLAN to enable by clicking the Enabled radio button and then clicking
the Apply button to save your changes to the configuration of the WLC.
 Step 15:

Finally, you will review the Security parameters. Click the Security tab. In the upper
portion of the screen, review the default settings for Layer 2 Security and WPA + WPA2
parameters.

 Step 16:

Using the inside scroll bar, scroll down to Authentication Key Management. Click the
PSK Enable check box. Then, select the PSK Format dialog box and enter the
password cisco. Click the Applybutton at the top of the page.

 Step 17:

Press the Enter key to end this task.

 Activity Verification

You have completed this task when you have achieved the following result:

o You configured a LAN switch and Cisco WLC to support Hyperlocation.

Prueba 8

Task 1: Adding Maps

 This lab begins with the Google Earth program open.
 Step 1:

Enter the address of the Cisco Campus (2250 East President George Bush Highway) in the
search box on the upper left of the screen and click Search, or select the Enter key.

When you click the search button, Google Earth will zoom in on the address and display an
overhead view of the Cisco Richardson, Tx campus.

Typically you would need to use the zoom and tilt buttons on the top right of the screen to
look down directly on RCDN 5. In this lab, the position of the building is correct for what
you need.

 Step 2:

Select the Tools option from the toolbar in the upper left of the screen. Select
the Ruler tool from the menu. This option allows you to measure the outside of the
building. The dialog box will open. Inside the dialog box, you can choose to measure in
meters or feet by using the drop-down menu. Since you will be measuring in feet, there is
no need to change this option.

 Step 3:

Using the mouse, you need to perform two measurements. You will need to measure both
the North-South and East-West dimensions, click the top right corner of the building and
drag the mouse to the lower right corner of the building. (To assist with this task, the
beginning and ending points are outlined in green (starting point), and blue (ending point.)

 You want to include the whole footprint of the building. RCDN 5 isn’t square. As a result
when you measure, you have to go beyond the outside edges of the building to take into
account the building shape.

Remember Garbage In Garbage Out? Using this method to measure the building is not as
accurate as using a scaled set of drawings or a laser or a rolling tape measure. Once you
have recorded the measurement, you have the option of clearing the distance or saving it.
Make note of the dimension as you will need them later.
  Step 4:

Click Clear.

 Step 5:

Click the lower left corner of the building and drag the ruler tool to the lower right corner
of the building. (To assist with this task, the beginning and ending points are outlined in
green (starting point), and blue (ending point.)

You will be using the same technique to measure the building as you did on the North to
South measurement. The building is not square and so you have to take into account the
shape of the building. Record measurement for use in Cisco Prime Infrastructure.

 Step 6:

Click Clear to clear the measurement. Then, select the "x" at the upper right portion of the
popup window to close the Ruler Tool.

 Step 7:

Click the Enter key to end this task.

Practicas 9

Task 1: Open Cisco Prime Infrastructure

 Step 1:

Click the Google Chrome icon and navigate to https://172.31.254.17.

 Step 2:

On the login page, enter the username root and password cisco.

The initial screen that will be displayed is the Dashboard/Network Summary. You need to
add the maps that you created in Google Earth to Cisco Prime Infrastructure. There are
two methods to reach the maps page where you can add the maps. First, navigate to the
top left of the screen next to the Cisco logo and click the round icon with three lines in it.
This icon will open a menu screen on the left side of the screen.
 Step 3:

Click the round icon next to the Cisco logo in the upper left of the screen.

 Step 4:

The left-side menu will expand, showing several options. Select the Maps menu item. A
new menu will appear to the right. The new menu includes headings for Topology Maps
and Wireless Maps. Look below the Wireless Maps heading for Site Maps. Click Site Maps.

 There is an alternate way to get to the Site Maps page. You will learn this method in the
next few steps.
 Step 5:

Click the little house icon in the upper left of the Site Maps screen. It will take you back to
the Dashboard/Network Summary screen.

 Step 6:

Then, in the Coverage Area section, click the View Maps link. This link will take you to the
same page.

 The map system in Cisco Prime Infrastructure is hierarchical. So, you start with a campus,
then go to a building, and then to a floor in the building.
 Step 7:

To begin the process, select New Campus from the drop-down menu on the right-hand
portion of the page. Click the Go button.

 Step 8:

The Site Maps New Campus screen is displayed.

 Step 9:

Enter the Campus Name (Richardson) and the Contact (Bill Smith), and click the Choose
File button to select the correct image file.

 You will use a single building and the floor plan for RCDN 5. Not all campuses are
multibuilding environments; you might consider a campus to be a single building and a
single floor in that building.
 Step 10:

A popup window will open the directory of files on this device. The file that you are
looking for is RCDN5 Exact Foot Print 160915, which is the file that you created in Google
Earth for RCDN 5. Select that file and then click Open. Then, click Next.

 Step 11:

In the Civic Location dialog box, enter 2250 President George Bush Highway.

 Step 12:

Uncheck the Maintain Aspect Ratio check box.

 Step 13:

Look at the dimensions of the building. These dimensions differ from what you generated
in Google Earth. Use the dimensions that you generated when you created the map in
Google Earth. Enter the dimensions in the Horizontal Span (381 feet) and the Vertical Span
(255 feet). Because you did not perform your plot, you will not be adding the longitude
and latitude locations. Once all the information is entered properly, click OK.

 When you click OK in the last step, the Site Maps screen will be displayed, and you will see
that the Richardson campus has been added to the list.
 Step 14:

Click Richardson.

 Step 15:
 Next, you need to add a building. Select the New Building option from the drop-down
menu on the upper-right portion of the page. Then, click Go.

 Step 16:

Enter the following information on the New Building page:

o Name: RCDN5
o Contact: Bill Smith
o Floors: 3
o Basements: 0
o Horizontal Span: 381
o Vertical Span: 255

The Civic Location is correct, but you will have to enter the horizontal and vertical spans
for the building. You will not be using the longitude and latitude or the horizontal and
vertical positioning.

 Step 17:

Once you enter all the information properly, click Place to put the building on the campus
map. Cisco Prime Infrastructure creates a building rectangle that is scaled and positioned
as you specified.

 Step 18:

Click Save. Cisco Prime Infrastructure places the building map on the campus map, and the
Site Maps tree view displays a hyperlink to the building.

 Step 19:

On the left navigation page, click the down arrow next to Richardson. RCDN5 will be
displayed. Click RCDN5.

 Step 20:
 Choose New Floor Area from the drop-down menu on the upper-right portion of the page.
Click Go.

 Step 21:

Enter the following information on the New Floor Area page:

o Floor Area Name: First Floor

o Contact: Bill Smith
o Floor drop-down menu: 1
o Floor Height: 11

Leave the Floor Type (RF Model) drop-down menu at the default (Cubes and Walled
Offices). The floor height on the first floor of RCDN5 is 11 feet. This dimension is
important. When Cisco Connected Mobile Experiences (CMX) calculates the location of a
device, it uses the X, Y, and Z coordinates. The Z coordinate is the floor height.

 Step 22:

Click Choose File to locate the floor plan for RCDN5. This file is the file that you created in
Google Earth. A popup window is displayed with a list of files. Choose RCDN5 Exact Foot
Print 160915file from the list. Click Open.

 Step 23:

Click Next to continue.

 Step 24:

Continuing on the New Floor Area page, enter the following information about the first
floor in RCDN5:

o Uncheck the Maintain Aspect Ratio check box.

o In the Horizontal Span field, enter 381 feet.
o In the Vertical Span field, enter 255 feet.
o Select the scroll bar on the right side of the page to scroll down, and click OK.

 Step 25:

The RCDN5 first floor is displayed. Select the scroll bar on the right-hand portion of the
page to view the entire page.
 Step 26:

Select the zoom in (+) and zoom out (-) options by using the controls in the upper left of
the map. It will provide you with a closer look at the layout.

 Step 27:

You now need to place APs on the map for the first floor. Using the scroll bar on the right-
hand portion of the page, scroll to the top of the page.

 Step 28:

Select Add Access Points from the drop-down menu on the upper-right portion of the
page. Then, click Go.

 You can select the individual APs that you want to add to the map. You can see that the
controller has five APs connected to it, but you only want to add those APs that start with
HALO. These APs are installed in the labs that have the Hyperlocation antennas and
modules.
 Step 29:

Click the check boxes for each of the HALO APs, starting with HALO-1. Then, click OK.

 The RCDN5 floor map is displayed. The four APs are listed at the upper-left portion of the
map. You now will need to place the APs in the lab accurately. Normally, you would drag
each AP to their specific position.
 Step 30:

Double-click HALO-1 near the top of the map.

 You will notice that the HALO-1 AP is now located within the map. Normally, you would
drag each AP to its specific position. Then, you could fine-tune the position of the AP by
using the specified fields to the left of the map.
 Step 31:

Click Enter to end this task.

 Activity Verification
You have completed this lab when you have attained these results:

o You created a new campus that is named Richardson and added the map to the
campus.
o You added a new building named RCDN5 and added the map for the building and
dimensions that were generated in Google Earth.
o You created a new floor in RCDN5 named First Floor and added the map for the
floor and the dimensions that were generated in Google Earth.
PRUEBA 10:

Task 1: AP Orientation with Hyperlocation Antenna

For the APs to provide accurate information all the APs have to be oriented in the same direction.
In the case of AP3700s with the hyperlocation antenna, you cannot adjust just the antenna, you
must change the direction of the whole AP. You may require to change the direction of the
mounting bracket of the AP, to change the orientation of three of the four APs to get them all
pointing in the same direction. This also may require you to have to change the direction of the
mounting bracket that the AP attaches to on the ceiling.

When the APs were installed, is was necessary to change the orientation of three of the four APs
to get them all pointing in the same direction. If you are not familiar with the way to determine
the orientation of the AP with the hyperlocation antenna attached. There is an arrow on the
hyperlocation antenna that is molded into the housing. To make this arrow easily visible from floor
level, Cisco provides a vinyl decal that goes into the arrow indentation. Review the figure below of
an AP3700.

View of the back of the AP3700 with the Hyperlocation antenna and module installed.

 You will be starting this lab where you left off in the previous lab exercise after placing
the HALO-1 AP in the map.
 Step 1:

To begin, select the Horizontal dimensions from the left portion of the page for the HALO-
1 AP. Then, make the following adjustments to the APs orientation:

o Horizontal: 149.5
o Vertical: 3.5
o AP Height: 11

 Step 2:

Using the inside scroll bar on the right, scroll down to view the Azimuth setting on the left
portion of the page. Now, leave this option set at 0 degrees.
 Step 3:

Double-click HALO-3 from the upper left of the map to add it to the map. Then, select the
Horizontal dimensions from the left portion of the page for the HALO-3 AP. Then, make
the following adjustments to the APs orientation:

o Horizontal: 154.2
o Vertical: 36.2
o AP Height: 11

 Step 4:

Using the inside scroll bar on the right, scroll down to view the Azimuth setting on the left
portion of the page. Now, leave this option set at 0 degrees.

 Step 5:

Double-click HALO-2 from the upper left of the map to add it to the map. Then, select the
Horizontal dimensions from the left portion of the page for the HALO-2 AP. Then, make
the following adjustments to the APs orientation:

o Horizontal: 114.4
o Vertical: 6
o AP Height: 11

 Step 6:

Using the inside scroll bar on the right, scroll down to view the Azimuth setting on the left
portion of the page. Now, leave this option set at 0 degrees.

 Step 7:
 Double-click HALO-4 from the upper left of the map to add it to the map. Then, select the
Horizontal dimensions from the left portion of the page for the HALO-4 AP. Then, make
the following adjustments to the APs orientation:

o Horizontal: 123.1
o Vertical: 35.25
o AP Height: 11

 Step 8:

Using the inside scroll bar on the right, scroll down to view the Azimuth setting on the left
portion of the page. Now, leave this option set at 0 degrees.

 Step 9:

Using the inside scroll bar on the right, scroll to the top of the page and click the Save icon
at the upper middle of the page. When you click to save the map, you will see a dialog box
that says the radios may reset if the antenna gain setting on the PI is different from what is
in the controller. Click the OK button on the popup window.

 Step 10:

Notice the APs have been placed in the four corners of the lab. Click the home button in
the upper left of the screen to go back to the Dashboard/Network Summary

 Dashboard/Network Summary page is displayed. Review the Coverage Area dashlet. An

entry for Richardson has four APs that have radios on both the 2.4 and 5 GHz bands. Take
note that there are no alarms and four clients are connected.

 Step 11:
 Click the Enter key to end this task.

 Activity Verification

You have completed this lab when you have attained these results:

o You have added and placed four APs with hyperlocation antennas and modules in
the lab space on the First Floor in RCDN5 with the correct dimensions.
o You have verified that Cisco Prime Infrastructure can see the four APs and the
wireless clients that are connected to the network.
Practica 11

Task 1: Opening Cisco Prime Infrastructure and Using

Export
 Step 1:

Click the Google Chrome icon in the taskbar. Select the URL and navigate
to https://172.31.254.17.

 Step 2:

On the login page, select the Username field and enter the username (root) and password
(cisco) in all lower case.

 Step 3:

From the Dashboard/Network Summary page, select the View Maps link located directly
next to the Coverage Area heading.

 Review the Site Maps page. You currently have three maps for Richardson; Campus,
RCDN5 Building, and First Floor.

In the next few steps, you will select all the maps that you want to export. However, there
are two ways to perform this operation.

o Select the check box next to each of the maps. It is very helpful if you are only
exporting a a few maps, or a certain set of maps.
o The other alternative is to click the check box next to Name. Selecting this check
box will automatically select the check boxes for all the maps that were added to Cisco
Prime Infrastructure. You will be using this method in this lab.
 Step 4:

Click the box next to Name to select all maps for export.
 Step 5:

After you have selected the three maps for export, select Export Maps from the dropdown
on the right portion of the page. Click the Go button.

 Step 6:

From the Export Map page, click the + to expand all the maps that are nested under the
Richardson campus. You now see the RCDN5 building which has a + next to it.

 Step 7:

Click the + next to RCDN5 to expand RCDN5. This step is important, because APs with
Hyperlocation antennas and modules might have deployed on more than one floor in
RCDN5. For example, when you expand RCDN5 you might see more than just the First
Floor. In this situation, you only have one floor, the First Floor.

With RCDN5 expanded, you will notice that there is only one entry for the First Floor.

 There are two ways to select the maps that you want to export. You can select the
individual maps by clicking on the individual check boxes next to the maps that you want
to export. The alternative is to click the box next to Select All Maps and all the maps are
selected, which includes the System Campus and Unassigned as well. In this lab, you will
be the whole map set from Richardson to RCDN5 to the First Floor.
 Step 8:

Select the Select All Maps checkbox. Then, use the scroll bar on the right to scroll down
and click the Export button.

 The file being sent to the Downloads folder, which can be seen at the bottom left of the
screen. The file has a unique file name that starts with Import_Export and ends
with .tar.gz. If you go over to your Downloads folder, you will see this file there.
 Step 9:

Open the downloads folder by the selecting the file folder in the taskbar. Then, select the
Downloads folder on the left pane. The first file in the list is the exported map file from
Prime Infrastructure.
Practica 12

Task 1: Configuring Cisco CMX

 Step 1:

Click the Google Chrome icon in the taskbar. Select the URL and navigate
to https://172.31.254.16.

 Step 2:

On the login page, select the Username field and enter the username (admin) and
password (admin) in all lower case.

 Once logged in you will see the opening screen in CMX. There are 5 major menu items
across the top of the screen; they are Detect & Locate, Analytics, Connect & Engage,
Manage, and System.
 Step 3:

Select the System option from the toolbar at the top of the page. The System screen is
displayed with the Setup Assistant.

 There are two methods of importing controllers and maps into CMX, which are using the
CLI or the Setup Assistant. In this lab, you will be using the Setup Assistant.
 Step 4:

On the Setup Assistant popup window, select the Next button.

 Step 5:

The first step is to create a new password for the admin user. In the New Password dialog
box enter the new password: cisco in all lower case. Repeat this operation for the Verify
Password dialog box. Then, click the Next button.
 The Maps and Controllers page is displayed. You will import both the controllers and maps
you have configured in Prime Infrastructure. You will need to enter the credentials that
will allow CMX to log in to Cisco Prime Infrastructure. Enter the following information:
o Username: root
o Password: cisco
o IP Address: 172.31.254.17
o Save the Cisco Prime Infrastructure Credentials: Checked
o Override Maps: Checked (leave as the default)
o Import Zones: Unchecked (leave as the default)

In a lab environment, you may be making changes to the maps that are imported to CMX.
Overriding the existing maps allows you to change maps more easily in the lab, but in a
production network overriding existing maps may cause unexpected issues if some or all
your maps are overridden when a new map is imported. As a result in a production
network this option will probably be unchecked.

 Step 6:

Select the Import Controllers and Maps button to import the controllers and maps that
are configured in Prime Infrastructure into CMX. Using the scroll bar on the right-hand
portion of the page, scroll down to the bottom of the page and click the Next button.

 You need to set up a connection to a mail server. The mail server (corp.rf-demo.com) is
already configured for this lab scenario.

On the Mail Server Settings page, enter the following information:

o From E-mail Address: Postmaster@corp.rf-demo.com

o To E-mail Address: Postmaster@corp.rf-demo.com
o Server: corp.rf-demo.com
o Port: 25
o Leave the Authenticate, SSL, and TLS buttons at the default settings.
 Step 7:

Click Save and Test Settings.

 Step 8:

On the next dialog box, enter the address of the postmaster: Postmaster@corp.rf-
demo.com.

 Step 9:

Then, click the Send e-mail button.

 Look for the Green check next to Send e-mail telling you that the test e-mail was sent. This
is great! If the e-mail fails, go back through what you have entered to see if there are any
errors. The first time that we tried to send the e-mail, it failed and there was an error in
one of the e-mail addresses.
 Step 10:

Review the page and take note of the Green check next to Send e-mail (Test email sent).
Click the Next button.

 Step 11:

On the Setup Done page, click the Finish button to complete Setup and exit the setup
assistant.

 Step 12:

Click the Enter key to end this task.

Practica 13

Task 1: Configuring System Setting in Cisco CMX

 Step 1:

Click the Google Chrome icon in the taskbar. Select the URL and navigate
to https://172.31.254.16.

 Step 2:

On the login page, select the Username field and enter the username (root) and password
(cisco) in all lower case.

 Step 3:

Select System option from the toolbar at the top of the page.

 Step 4:

Review the System at a Glance page. The localhost.localdomain entry is displayed, which
is the CMX server. All the services on the server are green. On the right, the Memory, CPU,
and Actions are displayed. The server is using a little over 40% of its memory and is yellow,
which is not a result of a large number of memory intensive actions, it’s more a function of
the amount of memory that is allocated when we created the virtual machine. The CPU is
to the right of Memory and the server is using a little more than 4% of the CPU, which is
pretty low. Lastly, the Actions are listed.

 Step 5:

Select the scroll down bar on the right portion of the page and review the Controllers
section of the screen. The Controller IP address is Green, which indicates that the
controller is active in CMX. The version is 8.3.102.0. This version was configured initially at
the beginning of this series of labs. Bytes In is the amount of traffic that the controller sees
coming from the clients.

Since the clients are not moving, the APs can only use the traffic that they are sending to
keep them in the database. If the clients would stop sending traffic, the clients would
quickly age out of the database and would no longer be tracked by the APs. The
application being used is LAN Traffic V2 to send traffic between the clients on the Wi-Fi
network. That’s the values you see in the Bytes In portion of the screen.
 The Bytes Out are minimal, and that is to be expected. The Bytes Out would be much
higher if CMX was sending information that it had collected to a third-party application like
an analysis server. In this lab, you are not using any third-party applications, so the Bytes
Out is low. The First Heard and Last Heard shows when the Controller was first and last
heard by CMX.

 If you want to change the configuration of a specific parameter, such as Node Details, the
types of devices CMX is configured to track, filtering, location setup, mail server,
controllers, and maps set up or upgrade the CMX software, click the gear icon in the upper
right side of the screen to enter the System Setup menu.
 Step 6:

Use the scroll bar on the right portion of the page, and scroll up. Then, click the gear icon
in the upper right of the Setup screen.

This menu operates in a different manner from the Setup Assistant. Each of the menu
items is independent. As a result, you will have the opportunity to cancel or save changes
in each menu item. When you cancel or save the changes, you will be taken back to the
System screen. If you want to make additional changes, you need to click the gear icon to
re-enter the Settings menu.

 Step 7:

On the General pop-up window, you will notice the Name (Cluster) and the Associated
Nodes. There is only one node and it is using localhost.localdomain. Select the Node
Details option on the left.

 You will notice that localhost.localdomain open under Node Details.

 Step 8:

In the left-hand portion of the page under Node Details, select localhost.localdomain.

 Step 9:

Review the options for Node ID, the IP address, the Hostname, and the Local Time. Leave
these options at the default, as you will not be making any changes now. Click
the Tracking option on the left-hand portion of the page.
 The next menu item is tracking. The default values are to have Wireless Clients and Tags
checked. You can also check Interferers if you would like, take the defaults in this lab, and
don’t make any changes.
 Step 10:

Review the options for Wireless Clients and Tags. Again, leave these options at the default,
as you will not be making any changes at this time. Click the Filtering option on the left-
hand portion of the page.

 On the Filtering page, there are several filtering parameters that you will leave at the
default. Duty Cycle is it’s the measurement of how much time the air is full with radio
transmissions. Which means a duty cycle of 100 means 100% of the possible airtime for
radio transmission is used up. In this situation, leave the Duty Cycle set to 0.

The RSSI of a probing client is set to -85 dBm. The next three options are radio buttons to
Exclude Probing Clients, Enable Locally Administered MAC Filtering, and Enable Location
MAC Filtering.

In a production environment, you may want to check the Exclude Probing Clients option as
knowing about the location and number of probing clients might be important. Enabling
Locally Administered MAC Filtering is only important if you are doing Locally Administered
MAC addresses. The last option for Enabling Location MAC Filtering would be used where
you need to filter MAC addresses at a specific location.

 Step 11:

In the left-hand portion of the page, select Location Setup.

 The Location Setup page is displayed. Many of the options should only be used under the
direction of Cisco TAC. At the top of this screen, there are five radio button options. Two of
them are checked by default.
 Step 12:

Select the Enable OW Location checkbox.

 The Enable OW Location checkbox is used to enable the use of Outer Walls (obstacles) for
location calculation. The Calibration model includes information regarding the walls. This
 setting controls whether the CMX should honor the walls while calculating the heatmaps
or not.

The Use Default Heatmaps for Non-Cisco Antennas check box is used to enable the usage
of default heat maps for non-Cisco antenna during location calculation. You are using Cisco
antennas, so this option is unchecked.

 Step 13:

Select the Enable Hyperlocation checkbox.

 The Enable Hyperlocation check box is used to enable hyperlocation in Cisco CMX. This
step is important, if you want to be able to use location services.

The Enable Location Filtering checkbox is used if you want the system to use previous
location estimates for estimating the current location. This parameter will be applied only
for client location calculation. Enabling this parameter reduces location jitter for stationary
clients and improves location tracking for mobile clients. This parameter is enabled by
default.

 Step 14:

Uncheck the Chokepoint Usage checkbox.

 The Chokepoint Usage is used to enable the usage of chokepoint proximity to determine
the location of a device. It applies only to Cisco-compatible tags that are capable of
reporting chokepoint proximity. This parameter is enabled by default. We are not using
any Cisco-compatible tags or a Chokepoint, so we have unchecked this option.

The Use Chokepoints for Interfloor conflicts and the Chokepoint Out of Range
Timeout check boxes are used with chokepoints, which you don’t have in this lab.

The Relative discard RSSI time, the Absolute discard RSSI time, the RSSI cutoff, the
Individual RSSI change threshold, Aggregated RSSI change threshold, Many New RSSI
change percentage threshold, and the Many Missing RSSI percentage threshold options
can be changed, but only under the direction of Cisco TAC. You will not make any changes
to these options.

The last option that you can change is the History Pruning Interval. This option specifies
the number of days of client location history to be stored for the location maps. You will
not make any changes to these options.

 Step 15:

Select the scroll bar at the right portion of the page and click Save at the bottom of the
screen to return to the System screen.
 Step 16:

Click the gear icon in the upper right of the System Screen. Then, click the Mail Server.

 Step 17:

On the Mail Server Settings page is displayed. Everything that you entered in the Setup
Assistant should be here. You would use this screen if you did not use the Setup Assistant
to configure the mail server parameters, or if you needed to make changes to the mail
server parameters. Select the Controllers and Maps Setup option from the left portion of
the page.

 Two new options will appear, Import and Advanced.

 Step 18:

There are two new options available; Import and Advanced. Click the Import option.

 Step 19:

The Import page is displayed, which appears similar to the Setup Assistant. Since you
already have a current map and controller, you will not need to make any changes now. If
you needed to import a new controller and or a new map, you would use this screen
instead of the Setup Assistant. In this case, you would uncheck the radio button to
Override Maps. Click the Advanced option from the left-hand portion of the page.

 The Controllers and Maps Setup Advanced page is displayed. This page is used to add a
new map and or a new controller. You would browse to locate a new map file for import.
In the maps area, there are two options on how you want the maps to be imported. The
first radio button is Delete & Replace Existing Maps. The second radio button allows you to
delete and replace existing zones. The bottom portion of the screen allows you to add a
new controller.
 Step 20:

Using the scroll bar on the right portion of the page, scroll to the bottom of the page to
view the remainder of the options available.
 Step 21:

From the left-hand portion of the page, select the Upgrade option. This page is used to
upgrade your current version of CMX to a newer version. This procedure will take you
through a set of steps to upgrade your version of CMX code.

 Step 22:

Click the Save button to return to the initial Settings screen.

Procedimiento 14

Task 1: Configuring Cisco CMX Floor Plan Maps

 Step 1:

Click the Google Chrome icon in the taskbar. Select the URL and navigate
to https://172.31.254.16.

 Step 2:

On the login page, select the Username field and enter the username (admin) and
password (cisco) in all lower case.

 Step 3:

Select System option from the toolbar at the top of the page. The System screen is
displayed. Click the gear icon in the upper right side of the System screen.

 Step 4:

On the Setting pop-up window, click the Locations Setup option from the left-hand portion
of the page.

 Step 5:

Check the Enable OW Locations checkbox. Then, use the scroll bar on the right-hand
portion of the page to scroll down to the bottom of the page. Click the Save button.

 Step 6:

On the System page, select the Manage option from the toolbar at the top of the page.
 The Manage page is displayed. On the left side of the screen, you see the Campus,
Building, Floor, Zone menu options. In the center of the screen, you see the Campus top-
level menu with two options, Richardson and Unassigned. When you imported the maps
from Cisco Prime Infrastructure, CMX automatically included Richardson, RCDN5, First
Floor, System Campus and Unassigned. In the Richardson portion of the screen, there is
an x1 next Richardson, which indicates that there is one building in the campus. If we had
added more buildings, then this number would increase to match the number of buildings
in the campus.
 Step 7:

Select the Richardson icon.

 The Building level map for RCDN5 is displayed. RCDN5 icon displays the x1, since there is
one floor in RCDN5 (we added this floor in a previous lab).
 Step 8:

Select the RCDN5 icon.

 Step 9:

The First Floor is now displayed. Select the First Floor icon (Note: There are no nested
floors, only the first floor (x0 is displayed next to the icon).

 When the screen opens, you will see the floor plan for the First Floor. There are a few
tools on this screen that you need to become familiar with. First, the + and – icons in the
upper left control the zoom in and zoom out functions. You may need to use these options
for a finer or more coarse view of the floor plan.

In the upper right side of the screen, there are four icons that allow you to to edit the floor
plan.

The top icon is the Delete Zone or Perimeter. The second icon from the top is Edit Zones
icon. When you open this icon you have two options, you can drag a zone across the map
or you can reshape it. The third icon from the top allows you to draw a polygon zone on
the floor map. The bottom icon allows you to create a perimeter. Take a look at the blue
bar across the top of the first floor map. It says “Please use the create perimeter tool to
add a perimeter to this floor” that is what you are going to do, that is the bottom icon in
the group on the right.
 Step 10:

Using the scroll bar on the right-hand portion of the page, scroll down to view the entire
floor plan for the First Floor.

 Step 11:

Click the bottom icon on the right-hand side of the page. You are going to outline the
perimeter of the first floor. When you begin to draw the outline of the first floor, the line
that you are drawing may look a bit strange. The reason is you are not really drawing a
line, you are creating an unbroken perimeter for the first floor.

 In the next few steps, you will be guided through the outline procedure using drag and
drop. The starting location will be highlighted with a light blue circle. The ending location
will be highlighted with light blue box. Simply drag the circle to the box to outline each
wall structure starting from the upper left corner of the building and moving in a counter-
clockwise fashion around the entire building.

Select the blue circle in the upper left corner. Click once and drag the circle to the next
corner (blue box). Repeat this process to encircle the entire building. You will see a faint
blue line running from where you started to the next corner as you complete each wall
structure. After you have added three or four corners, you will see a blue opaque layer
starting to cover the first floor map that shows you what you have included in the floor
map up to this point in time.

 Step 12:

Click the Add button on the pop-up window.

Here is the completed perimeter for the first floor.

 Step 13:

Once you have completed the entire building outline, select the bottom option option
again from the menu options on the right portion of the page. Then click the floor map.
The floor map will turn gray with a black dashed line. There are red dots at each corner.

If you need to edit a map, you would click and hold on one of the dots on one side of the
building. Then, drag the dot to their proper location.
 Step 14:

Move the pointer to the outside of the floor map area and click to get out of editing mode.
The gray will disappear and you will only see the black dashed line around the perimeter
of the first floor.

 When you have completed the editing process, the perimeter for the first floor should
appear similar to the following. The edits that you have made are automatically saved.
PRACTICA 15

Task 1: Open Cisco Connected Mobile Experiences

 Step 1:

Click the Google Chrome icon in the taskbar. Select the URL and navigate
to https://172.31.254.16.

 Step 2:

On the login page, select the Username field and enter the username (admin) and
password (cisco) in all lower case. Once logged in you will see the opening screen in CMX.

 Step 3:

On the opening screen in CMX, select the Detect & Locate option from the toolbar at the
top of the page.

 Step 4:

From the navigation pane on the left, select Richardson > RCDN5 > First Floor. The floor
plan map for the RCDN5 First Floor is displayed.

Review the upper right portion of the screen outside of the floor plan map, you will see
some collected information. CMX is aware of four APs, four Connected Clients, 113
Detected Clients, no Zones, Beacons Interferers, and Tags. The important information for
this lab is the number of APs and Connected Clients.

 Step 5:

Select the Firefox application from the taskbar at the bottom of the screen. Select the URL
and navigate to the WLC (https://172.31.254.10).

 Step 6:

Click Login.
 Step 7:

On the login page, select the Username field and enter the username (admin) and
password (cisco) in all lower case.

 Step 8:

The Monitoring page for the WLC is displayed. Verify the number of APs (5).
Click Advanced button in the upper right-hand portion of the page.

 Step 9:

Select the Wireless option from the toolbar at the top of the page.

 The Wireless page is displayed. You currently have five APs. You will be using four of them
(HALO-1 through HALO-4). The fifth AP still is using the MAC address for its name.
 Step 10:

Select the Monitor option from the toolbar at the top of the page.

 Step 11:

Again, the Monitor screen is displayed. Review the Client Summary down the middle of
the page. Using the scroll bar on the right-hand portion of the page, scroll down and
review the Client Summary. Then, click Detail at the right side of the Current Clients line.

 The Clients Detail page is displayed. You currently have four clients that are both
associated and authenticated to the network. These devices are sending traffic to each
other so the network can see them and will keep them in the locations database in CMX.
Two of the clients are associated and authenticated to HALO-1 and two are associated and
authenticated to HALO-4.
 Step 12:
 Click the Google Chrome icon from the taskbar to open CMX once again.

 The Detect & Connect page is displayed. Review the information in the upper right side of
the screen for the number of APs and Connected Clients. This information has not
changed, but the number of Detected Clients has now changed to 106, which is a dynamic
number and as clients come and go this number will change. If you have a store or a hotel
where many people will be entering and leaving, you can use CMX to determine how
many Detected Clients there are at a given time, how many Connected Clients there are
and how many become Connected Clients, as well as, how long they are staying in your
store or lobby of your hotel.

Next, review the vertical menu bar on the right side of the floor map. There are several
options in the menu, but for now you will be using the top icon. The icon that has been
selected and toggles the clients on and off in the floor map.

 Step 13:

Deselect the top icon from the vertical menu bar on the right. This icon will turn off the
clients to view the APs.

 Review the page with all clients turned off. From here, you can see the APs. It is much
easier to see which two of the APs have connected clients, and which two APs have no
connected clients. Notice the icons for all the APs display the number of Connected
Clients.
 Step 14:

To view the details about the APs, Click on HALO-4 (This AP is on the lower left of the
room). A new detail screen will appear on the right. Used the scroll bar on the right to
scroll down (select the scroll bar twice) to view the lower portion of the page.

 Review the right-hand portion of the page to view the additional detailed information
about HALO-4. The MAC Address of the AP, the number of Connected Clients (2) is
displayed. The number of Detected Clients which is 67.

Use the scroll bar on the right portion of the page to scroll down and review the remaining
options. You can verify the coordinates of where the AP is on the map. Remember that
you entered these coordinates to place the AP on the map in Prime Infrastructure. The
Name is HALO-4 and the Height is 11 feet. Look at the angles the antenna azimuth is
 correctly set to 0 degrees. Notice that the antenna angle (azimuth) for all the APs must be
the same.

Once again, use the scroll bar on the right portion of the page to scroll down and review
the remaining options. Near the bottom of the details, the CMX knows that the
hyperlocation module is present in this AP.

 Step 15:

Verify that the details of the other APs and that they each have their antenna angles that
are configured properly. Click HALO-1. (This AP is on the upper right of the room.) Verify
that the antenna angles are set to 0 degrees. Scroll up to the top of the page to view the
client information.

 Step 16:

Click HALO-2 (This AP is on the upper left of the room) to review the AP details.

 Step 17:

Click HALO-3 (This AP is on the lower right of the room) to review the AP details. Select the
scroll down bar on the right-hand portion of the page to verify the antenna angle.
PRUEBA 16

Task 1: Configuring Detect and Locate

 Step 1:

Click the Google Chrome icon on the screen and navigate to https://172.31.254.16 from
your screen.

 Step 2:

On the login page, select the Username field and enter the username (admin) and
password (cisco) in all lower case. Once logged in you will see the opening screen in Cisco
CMX.

 Step 3:

On the opening screen in CMX, select the Detect & Locate option from the toolbar at the
top of the page.

 Step 4:

From the navigation pane on the left, select Richardson > RCDN5 > First Floor. The floor
plan map for the RCDN5 First Floor is displayed.

 Review the floor map page. The pink dots on the screen and in the figure below represent
the Detected Clients and there are a lot of them. Take note of the dark green dots. They
are a little difficult to see, but these dots indicate your Connected Clients and they are all
much closer to the center of the lab.

The network is showing a many different types of devices, which include many Wi-Fi client
devices.

Being able to customize what is displayed is important. In the upper right side of the floor
plan map, there is a vertical menu bar. You will need to become familiar with these
options so you can customize the screen to allow Cisco CMX to display information it is
receiving from the Cisco Wireless LAN Controller (WLC) and APs. You have already used
the top menu item to turn on and off the clients.
 The top icon is the client icon. If there are no client devices that are shown on the map,
Connected and Detected Clients may move around on the floor map, and that is to be
expected. It may be helpful to be able to turn off the clients when you need to locate the
APs. You may need to verify an AP configuration or locate an AP that is causing problems.
Being able to locate the AP make service easier. You could also use Cisco Prime
Infrastructure to perform the same task.

The pink dots are Detected Client devices the network is aware of. These devices have not
been associated or authenticated to the network. The green dots are the four Connected
Client devices.

 Step 5:

Right-click each of the option, starting with the first option at the top. Read the description
of what each will do.

 Step 6:

Click any pink dot and in the right side of the screen a new window opens, which shows
the information that the network has gathered about this device. The device is not
associated or authenticated to the network, so you will not know the IP address. Use the
scroll bar on the right-hand portion of the page to scroll down and view the coordinates
on the floor plan map, the reporting WLC, and the RSSI.

 Step 7:

Click one of the green dots. The screen on the right will open and now you see a lot more
detailed information about the specific device, than you did for the Detected Devices. You
see the MAC address and that the client is Associated. You also see the IP address for IPv4
and IPv6, and the coordinates of the device.

 Step 8:

Click the second icon from the vertical menu bar on the right. You will see the heat map
for the floor. It can make the screen get a little busy, so you have the option of turning off
the APs and or the clients, or all of them if you need to and show the heat map.
 Step 9:

Click the top icon in the menu in the upper right of the screen to turn off the clients. It
provides a general view of the concentration of the clients with respect to the APs. At this
point, you really are only looking at the concentrations of clients. Remember, the heat
map is reporting both Connected and Detected Clients. There is no differentiation
between the two client types. You might use this as a general way to identify where the
bulk of the clients are located in the building or venue.

 Step 10:

Click the top icon in the menu in the upper right of the screen to turn on the clients again.
Look at the number of Connected Clients to the number of Detected Clients. What you see
is that there is a few Connected Clients and a pretty sizable number of Detected Clients.
This information might be useful in a retail environment where you would like to know
how many clients are joining your Wi-Fi network to view the on-line specials. This
information might also be useful in determining how many Detected Clients convert to
being Connected Clients.

 Step 11:

Go back over to the menu in the upper right of the screen. Make sure the first, second,
and fourth menu items are turned on.

The third icon turns on and off any Zones you may have configured.

Click this icon to turn this on even though you don’t have any zones that are configured.

 Step 12:

The fifth icon turns on and off any interferers that are detected. Click the fifth icon from
the vertical menu bar on the right.
 Step 13:

The sixth icon turns on and off any beacons that may be detected in the network. Click the
sixth icon from the vertical menu bar on the right, even though you do not have any
beacons that are configured.

 Step 14:

Click the seventh icon in the menu in the upper right of the screen. This menu item turns
on and off any tags that are detected in the network. You will see a small legend open in
the lower left of the screen that shows the different icons that are associated with Tags.

 Step 15:

Click the eighth icon. This icon displays filters. The reason that you have turned on all the
icons in the menu list is to see how they are displayed in the filters screen.

 Step 16:

Review the Connection Status. Right-click the green section of the bar at the far left of the
Connection Status bar. Take note of the associate devices (4) at 3.31%.

 The orange portion of the bar represents the Unassociated Clients, which are about 97%
of the clients seen. The green portion of the bar is the Associated Clients and is about 3%.
 Step 17:

Review the Manufacturer bar line. Right-click the next longer section of the bar (gray) to
view the next group of the devices. This is then shown as Apple with about 20% of the
devices.

 The Manufacturer allows you to see all the different manufacturer’s devices that you have
in your network. The display shows the number of devices and the percentage these
devices make up of all the devices. Most of the devices are from Intel with about 38% of
all devices.
 Step 18:

Review the SSID bar line. Right-click on the small gray section of the bar at the far right.
Take note that this is the CMX-Test1, representing our four APIs.

 On the SSID bar, you will notice that there are 117 devices.
 Step 19:

Review the graph for RSSI Distribution. Right-click on the vertical lines in the graph, to view
the specific RSSI value and the number of devices with that RSSI

 As the number of clients change this RSSI Distribution changes as well. On the upper end
of the graph, you have two devices with a -94 RSSI and on the lower end of the graph you
have one device with a -36 RSSI.

The bottom of the filter screen shows the Interferers, Beacons, and Tags. Since you do not
have any of these devices that are configured, you will not have any output in the filter
screen.

 Step 20:

When you are finished, use the scroll down bar on the right to scroll to the bottom of the
page and click the Close button to close the filter screen.

 Step 21:

Click the last icon from the vertical menu bar on the right. This icon shows the Inclusion
and Exclusion zones. You only have one inclusion zone on the first floor. As a result the
whole floor is green. If you had a combination of inclusion and exclusion zones the display
would differentiate between the two.
Practica 17

Task 1: Understanding and Customizing Analytics

 Step 1:

Click the Google Chrome icon on the screen and navigate to https://172.31.254.16 from
your screen.

 Step 2:

On the login page, select the Username field and enter the username (admin) and
password (cisco) in all lower case. Once logged in you will see the opening screen in CMX.

 Step 3:

Click the Analytics menu item in the menu bar at the top of the screen.

 The figure shows the Analytics screen. On the left side of the screen you see the Reports
bar. Since you have not yet created any reports, this field is empty. In the center of the
screen, you see the Create New Report area. You have two options in this area to create a
report. You can use the Auto-Generate or Customize tools to generate a report. Start with
the Auto-Generate tool to generate a report. It is the default selection when you open this
window in CMX (Notice the check mark in the Auto-Generate box).

 Step 4:

The first selection that you have to make is in the Focus Area Filter. Click the down arrow
in the first set of boxes below Auto-Generate and Customize. You have the option of
selecting the Campus, Building, Floor, Tag, or Zone. You have not configured a Tag or Zone.
Therefore, these selections are grayed out.

 Step 5:

Select Building from the first drop box to the left under the Auto-Generate selection.
 Step 6:

Select the box next to Building to refine the focus. Select RCDN5 from the dropdown.

 You want to focus on RCDN5. If you had more than one building in the Richardson campus,
this is how you would make a selection among all the buildings. In this case, you only have
one building in this campus, both the All and RCDN5 fields are automatically checked.

The next field is the Date and Time Filter. The first box on the left is the date field. You
have a few options for the date of the report. You could select Now, Today, Yesterday,
This week, Last Week, or Last Month.

 Step 7:

Click the down arrow in the left box in the Date Filter (the top left box next to the
calendar). Select Today for this report.

 Step 8:

Select All Day 12 AM to 11:59A, from the Time Filter drop-down menu is located just
below the Date Filter. If you have a traditional business that is open from 8 AM to 6 PM,
you may need to use multiple time periods which will require multiple reports to cover the
hours you are open, or use the Customized Report.

 Step 9:

The last filter is the Dwell Threshold filters. Select 15 minutes in the Minutes box.

 There are two options for narrowing the focus of the report. The left box is the minutes
and the right box is the hours. The minutes box starts at zero minutes and goes to 5, 10,
15, 30, 45 and 60 minutes and the hours option allows you to choose 4, 8 or 24 hours.

For example, you might want to know how many clients were in your store from 15
minutes to 1 hour. You would select 15 minutes in the left box and 4 hours in the right
 box. This selection would capture all the clients that were in your store from 15 minutes to
4 hours and the subset you are looking for is 15 minutes to 1 hour.

 Step 10:

Select 4 hours from the Hours dropdown. Click Done.

 When you click the Done button the results of the Auto-Generate Report, the top of the
page shows the Visitor Count and the Visitor Count by Floor. The Visitor Count shows the
total visits, below that you see the Hourly Trend for a 5-hour period. Use the scroll bar on
the right-hand portion of the page to view the lower part of the display output.
 Step 11:

Right-click the blue graph bar on the right for Visitor Count by Floor. This display includes
the total Count of Visits, the Focus Area which is the First Floor, the Parent Area (RCDN5
Richardson), and the Date and Time range.

 Step 12:

Select the scroll down bar once again to view the Visitor Count by Zone. However, since
you have not configured any Zones, there are no results.

 Step 13:

Select the scroll down bar one last time to view the Average Dwell Time and the Average
Dwell Time by Floor.

 Step 14:

Right-click the blue graph bar on the left to view the the Average Dwell Time by Floor. This
is same information as you saw for Visitor Count by Floor, except the Dwell Time replaces
the Visitor Count number in this graph. As more clients come on-line or logout the number
of visitors and the dwell time will change. Since you only have the First Floor in RCDN5,
you are only seeing the First Floor Average Dwell Time (47 mins). If there was more than
one floor you could compare them. The Average Time by Zone on the right is empty, since
no zones have been configured.
 Practica 8

Task 1: Create a Customized Report

 Step 1:

Click the Google Chrome icon on the screen and navigate to https://172.31.254.16.

 Step 2:

On the login page, enter the username admin and password cisco. Once logged in, you will
see the opening screen in Cisco CMX.

 Step 3:

Click Analytics in the menu bar at the top of the screen.

 A report that is titled RCDN5 is listed in the left column; it is the Auto-Generate report that
was created in the last discovery.
 Step 4:

Click the + icon in the left column next to Reports to create a new report.

 Step 5:

The Auto-Generate report is checked by default. Choose the Customize option to generate
a customized report. A check mark will appear in this box.

 When you click the Customize button, the screen will expand. You still have the ability to
choose the building and floor and a date and time, and you can still select a dwell time
interval, but now you have the ability to select from several widgets that will further
customize the report.
 Step 6:

Using the scroll bar on the right-hand portion of the page, scroll down to view the widgets.
You can customize six widgets. The first widget is Visitors.
 Step 7:

Click the + icon for the Visitors widget, which displays the options from zero through three
different widgets that can be selected. If you select no widgets, then no visitor information
will be included in the report, which is the default selection. If you click one, two, or three,
then you see that the widget repeated one, two, or three times in the report for visitors.
Select 1 to add a single Visitors widget to the report. Then, scroll to the bottom of the
page and click the Done button.

 There are three fields in this widget. They are the Total Number of Visitors, Compare Data
to Previous, and Hourly Trend. If you add three widgets to the report, then the three
different widgets can be compared side by side by side.
 Step 8:

To make the change to three widgets, you will need to add two more Visitors widgets.
Click the expander icon under the Date (Today) box. The Edit Report customize page is
displayed.

 Step 9:

Review the Edit Report page. Then, scroll down the page and notice that you have one
Visitor widget added.

 Step 10:

Click the + icon again next to 1 Added in the Visitors section, and select 3. Then, scroll to
the bottom of the page and click the Done button. You now have three instances of the
same widget.

 The customized report is displayed after the three Visitors widgets have been added. Each
of the widgets is the same. Each of the Visitors widgets can be customized to display
within different components of the visitor information. Because of the page width, only
two widgets are showing.
 Step 11:

Click the notes icon in the upper-right corner of the left widget. It will allow you to change
what the Visitor widget displays.

 When you click the notes icon, the screen changes to the widget view. Use the scroll bar to
scroll down to view the lower section of the page.

 Step 12:

There are several options for the widget information, or if you want to delete this widget.
Change the view by selecting Summary from the drop-down menu near the top of the
page.

 There are three options for the display: Chart, Table, and Summary. Summary is checked
by default, providing the three-panel display. Leave the first widget as the summary by
selecting it from the drop-down menu.

 Step 13:

Scroll to the top of the page and select Go Back To: RCDN5 (Richardson) - Today near the
top of the page.

 Step 14:

Click the notes icon for the second widget.

 Step 15:
 Choose Chart from the options. The chart view is displayed.

Above the chart on the right, you can change the option from by Hour to by Campus, by
Building, by Floor, by Area, by Zone, or by Tag by using the drop-down menu. Leave these
options at the default for now. The Sort button is grayed out and unavailable because you
do not have anything to sort.

 Step 16:

Select the scroll-down bar on the right to view the entire chart. The chart view is
displayed.


 Step 17:

Right-click the data point at 7 a.m. to view the chart details. The popup window displays
the total count and details.

 Step 18:

Then, use the scroll bar on the right to scroll to the top of the page. Select Go Back To:
RCDN5 (Richardson) - Today near the top of the page to return to the main Visitors
screen.

 Step 19:

Use the scroll bar once again to scroll down to view the third widget. Then, click the notes
icon in the third widget.

 Step 20:

Click the down arrow in the Summary dialog box, and select Table. The table view is
displayed. Use the scroll bar on the right to view the lower section of the page.

 Step 21:

Then, use the scroll bar on the right to scroll to the top of the page. Select Go Back To:
RCDN5 (Richardson) - Today near the top of the page to return to the main Visitors
screen.

 Step 22:
Now, you have all three widgets configured for different views: Summary, Chart, and
Table. Click the Save button at the top of the page.