DNAC Wireless

001 WLC Management in DNAC

Cisco DNA Center Overview

Cisco DNA Center (DNAC) supports a range of wireless controllers: primarily the Catalyst 9800 Series and other controllers running Catalyst WLC software (IOS XE), as well as the older AireOS-based Catalyst 3504, 5520, and 8540 WLCs. Check the Compatibility Matrix for the controller models and software versions supported by your DNAC release.

Netconf Overview

The purpose of the Network Configuration Protocol (NETCONF) is to provide a secure, standardized, and programmatic way to manage the configurations of network devices.

  • NETCONF is layered over a secure transport protocol, typically Secure Shell (SSH).
  • NETCONF supports a locking mechanism that allows a client to lock parts of or the entire device configuration.
  • Enabling NETCONF on the WLC
    • CLI: netconf-yang (global configuration mode)
    • GUI: Administration > Management > HTTP/HTTPS/Netconf

Note: By default, NETCONF is disabled. When enabled, it listens on TCP port 830 over SSH and authenticates against the same AAA user database as the CLI, so the account DNAC uses needs privilege level 15.

Discovery Process

On Cisco DNA Center, Go to Provision > Devices > Add Device (reference)

Adding device(s):
  1. We can add devices manually, one at a time.
  2. We can run discoveries.

  • Create global credentials first
  • Discover by IP address or range
  • Discover via CDP (slowest)

Before a 9800-CL WLC can be added to the fabric, it must first be discovered by DNAC. In this case we use an IP range to discover the WLC. Run a discovery job from the DNAC GUI (Settings -> Discovery) and fill in the following details:

  • The discovery profile name can be anything you like.
  • Select the ‘IP address/Range’ option and enter the IP range of the WLCs.
  • Preferred Management IP should be None, because the WLC does not have a loopback address at this point.

Add credentials:

  • CLI – create a CLI credential set on the Design page (username/password) and select it as the CLI credential to use when discovering the WLCs. The account needs privilege level 15: NETCONF on IOS XE authenticates with the same AAA users as the CLI, and DNAC needs full configuration rights.
  • SNMPv2c – create SNMPv2c read and write credential sets on the Design page, using the read and write community strings as configured on the 9800-CL WLC (the read and write entries are saved separately), and select them for your discovery. SNMPv2c community strings travel in cleartext, so where your controller and DNAC release allow it, prefer an SNMPv3 credential with authentication and privacy.
  • HTTP(S) is optional.
  • NETCONF – enter port 830; NETCONF must already be enabled on the WLC, or the discovery will find the device but DNAC will not be able to manage it.

Network Hierarchy Overview

You can create a network hierarchy that represents your network’s geographical locations.  (Design > Network Hierarchy)

Network Settings Overview

You can create network settings that become the default for your entire network. There are two primary areas from which you can define the settings within your network:

  • Global settings: Settings defined here affect your entire network and include servers such as DHCP, DNS, AAA, NTP, and so on; IP address pools; device credential profiles; and telemetry settings such as Syslog, SNMP traps, and NetFlow.

    • You can specify the DHCP and DNS servers (Network Settings > Network).
    • Add Servers (+) lets you add AAA, NTP, and NetFlow servers.
  • Site settings: Settings defined here override the global settings and can include servers, IP address pools, and device credential profiles.

Network Profiles Overview

Network profiles allow you to configure settings and apply them to a specific site or group of sites. You can create network profiles for various elements in Cisco DNA Center.

  • Create a wireless profile (Design > Network Profiles)

Wireless Device Provisioning Overview

Wireless device provisioning is the automated process of deploying configurations, software images, and policies to network devices, including wireless controllers. It moves a device from a discovered state in the inventory to a fully configured, operational, and managed state within the network hierarchy.

While the most definitive check is the Cisco DNA Center (DNAC) GUI itself, you can also look at the WLC’s configuration from the command-line interface (CLI) for evidence of DNAC management. Provisioning by DNAC adds specific configuration, primarily to enable monitoring, telemetry, and secure communication with DNAC.

  • On the WLC itself (via CLI)
    • show run | section netconf
    • show run | section telemetry
    • show run | section network-assurance

A provisioned WLC shows telemetry subscriptions that stream wireless statistics to DNAC, along the lines of:

      telemetry ietf subscription 10
       encoding encode-kv-pair
       filter xpath /wireless-stats:wireless-stats/client
       source-interface Loopback10
       stream cisco-tms
       update-policy periodic 6000
       receiver ip address 10.10.10.10 5000 protocol grpc-tls
      !
      network-assurance

The subscription IDs, encoding, stream name and receiver port vary by IOS XE release and DNAC version. What you should confirm is that every receiver address is your DNAC (or its enterprise virtual IP) and that the transport is TLS-protected, because the stream carries client identities and AP details.
For a WLC that has been provisioned by Cisco DNA Center (DNAC), do not make configuration changes directly on the WLC. Cisco recommends performing all configuration changes through the DNAC GUI; changes made out of band are not reflected in DNAC and can be overwritten the next time the device is provisioned.
Cisco Wireless Controller High Availability (HA) can be configured through Cisco DNA Center. Currently, both forming and breaking wireless controller HA are supported; switchover operations are not supported.
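As an added example (not code from the page or from Cisco), the following Python script performs the CLI checks above offline against a constructed running-config excerpt: it confirms netconf-yang is present, flags SNMPv2c community strings (cleartext credentials, read-write being the worst), and verifies that each telemetry subscription streams to the expected DNAC address over a TLS transport. The DNAC address 10.10.10.10 and the stream/encoding keywords in the sample are copied from the fragment above and are assumptions, as is the set of TLS transport keywords.

```python
"""Audit a Catalyst 9800 running-config excerpt for the DNAC-related settings
discussed above: NETCONF enabled, SNMP credential strength, and telemetry
subscriptions that stream to the expected DNAC receiver over TLS.

Added example; not code from the page or from Cisco. The config text is
constructed for illustration. The DNAC address 10.10.10.10 and the stream/
encoding keywords are taken from the page's own fragment, not verified
against a particular IOS XE release.
"""
import re
from dataclasses import dataclass

# Constructed sample `show running-config` excerpt: one healthy subscription
# (10), one deliberately wrong subscription (11), and one weak SNMPv2c RW line.
SAMPLE_CONFIG = """\
hostname WLC-9800-CL
!
netconf-yang
!
snmp-server community public RO
snmp-server community private RW
snmp-server group DNACGRP v3 priv
!
telemetry ietf subscription 10
 encoding encode-kv-pair
 filter xpath /wireless-stats:wireless-stats/client
 source-interface Loopback10
 stream cisco-tms
 update-policy periodic 6000
 receiver ip address 10.10.10.10 5000 protocol grpc-tls
!
telemetry ietf subscription 11
 encoding encode-kv-pair
 filter xpath /wireless-stats:wireless-stats/ap
 stream cisco-tms
 update-policy periodic 6000
 receiver ip address 192.0.2.99 5000 protocol grpc-tcp
!
network-assurance
!
"""

# Telemetry transports that encrypt the stream (assumed keyword set).
TLS_PROTOCOLS = {"grpc-tls", "tls-native"}


@dataclass
class Subscription:
    sub_id: int
    xpath: str = ""
    receiver_ip: str = ""
    receiver_port: int = 0
    protocol: str = ""


def parse_subscriptions(config: str) -> list:
    """Extract `telemetry ietf subscription N` blocks from IOS XE config text."""
    subs, current = [], None
    for raw in config.splitlines():
        line = raw.rstrip()
        head = re.match(r"^telemetry ietf subscription (\d+)$", line)
        if head:
            current = Subscription(int(head.group(1)))
            subs.append(current)
            continue
        if current is None or not line.startswith(" "):
            current = None          # a non-indented line ends the block
            continue
        body = line.strip()
        rcv = re.match(r"receiver ip address (\S+) (\d+) protocol (\S+)", body)
        if rcv:
            current.receiver_ip = rcv.group(1)
            current.receiver_port = int(rcv.group(2))
            current.protocol = rcv.group(3)
        xp = re.match(r"filter xpath (\S+)", body)
        if xp:
            current.xpath = xp.group(1)
    return subs


def audit_config(config: str, dnac_ip: str) -> list:
    """Return (severity, message) findings for the DNAC-relevant checks."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]

    # 1. NETCONF must be on, or DNAC cannot manage the controller.
    if "netconf-yang" not in lines:
        findings.append(("HIGH", "netconf-yang is not enabled; DNAC cannot manage the WLC over NETCONF"))

    # 2. SNMPv2c communities are cleartext credentials; RW ones are the worst.
    for line in lines:
        m = re.match(r"snmp-server community (\S+) (RO|RW)\b", line)
        if not m:
            continue
        sev = "HIGH" if m.group(2) == "RW" else "MEDIUM"
        findings.append((sev, f"SNMPv2c {m.group(2)} community '{m.group(1)}' is sent in cleartext; prefer an SNMPv3 priv user"))

    # 3. Every telemetry subscription must stream to DNAC over a TLS transport.
    subs = parse_subscriptions(config)
    if not subs:
        findings.append(("MEDIUM", "no telemetry subscriptions found; the WLC may not be provisioned for Assurance"))
    for s in subs:
        if s.receiver_ip != dnac_ip:
            findings.append(("HIGH", f"subscription {s.sub_id} streams {s.xpath} to {s.receiver_ip}, not the DNAC address {dnac_ip}"))
        if s.protocol not in TLS_PROTOCOLS:
            findings.append(("HIGH", f"subscription {s.sub_id} uses unencrypted transport '{s.protocol}'"))
    return findings


if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG, "10.10.10.10"):
        print(f"[{sev}] {msg}")
```

Feed it the captured output of show running-config (or of the three show run | section commands above) from a real controller. A receiver that is not your DNAC, or a non-TLS transport, is the finding to chase first: the stream carries client MAC addresses and AP placement, and a stray receiver means someone else is collecting it.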
Additional notes:

  • On AireOS controllers, the management and SNMPv3 users that DNAC relies on can be listed with show mgmtuser and show snmpv3user.
  • DNAC can manage both greenfield and brownfield deployments of the C9800.
  • The over-the-top (OTT) scenario referred to above is the non-fabric case, in which the WLC does not integrate with the SD-Access fabric; it is covered in the next section.

Provisioning Non-Fabric WLANs to WLCs

Wireless in Non-Fabric Mode

Wireless in a non-fabric mode is the traditional way of deploying a wireless network, while wireless in a fabric mode is an advanced architecture used with Cisco’s Software-Defined Access (SD-Access) solution. The key difference lies in how wireless client data traffic is handled.

Everything works the same way as traditional unified wireless: the AP authenticates to the WLC and client traffic is switched centrally at the WLC. The only difference is that DNAC performs the initial configuration.

  • Data plane
    • Non-fabric (traditional wireless): All wireless client data traffic is tunneled back to the Wireless LAN Controller (WLC) over a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel, where it is switched or routed.
    • Fabric (fabric-enabled wireless): The wireless client data plane is distributed; traffic is encapsulated in a Virtual Extensible LAN (VXLAN) tunnel directly from the fabric-enabled Access Point (AP) to the fabric edge switch.
  • Control plane
    • Non-fabric: The WLC centrally handles both the control plane (managing APs, providing mobility) and the data plane (tunneling traffic).
    • Fabric: The WLC handles only the control plane. It distributes AP images, manages configuration, and handles client sessions, but the data-forwarding decision is made within the fabric.
  • Traffic flow
    • Non-fabric: Wireless traffic is “over-the-top” (OTT): it runs on top of the existing fabric but is treated like any other traffic. This can create a bottleneck at the WLC.
    • Fabric: Wireless traffic is integrated into the fabric overlay, so it gains the benefits of the SD-Access fabric, such as automated segmentation and policy application.
  • Client roaming
    • Non-fabric: Roaming is handled by the WLC, and its scope is limited to the APs managed by a single WLC or mobility group.
    • Fabric: Roaming is managed by the fabric control plane. Wireless clients can roam seamlessly across any AP within the same fabric domain.
  • Network segmentation
    • Non-fabric: Segmentation is typically tied to VLANs configured on the WLC.
    • Fabric: Segmentation is policy-based using Scalable Group Tags (SGTs). The AP applies an SGT to the wireless client’s traffic, and the fabric edge switch enforces the policy regardless of the underlying network topology.

Client traffic is carried over the top of the existing network inside CAPWAP, so it leaves the AP and terminates on the controller. That is why this design is also known as over-the-top (OTT) mode.

Why would you run non-fabric wireless?

  1. You may need to migrate wireless to DNAC before the wired network has been migrated, so there is no fabric yet on which to run fabric-enabled wireless.
  2. You already have the fabric built but do not want to make drastic changes for your wireless users.
  3. Mixed technologies: a non-fabric deployment allows a mix of different Cisco wireless solutions, and potentially other vendors’ equipment, to coexist without being constrained by the fabric architecture.
  4. Not all access points (APs) support fabric mode. Running non-fabric lets an organization keep using older or legacy APs, extending the life of its equipment.
  5. Keeping wireless separate: an organization might choose to keep its wireless and wired networks separate from a design and operational perspective. In non-fabric mode the WLC acts as a traditional anchor, and wireless traffic is handled distinctly from the wired fabric traffic.

Identify Fabric or Non-Fabric

First, when you create a wireless network profile, you choose whether it is fabric-enabled. For the non-fabric design described here, it is not.

On the Catalyst 9800 WLC GUI

  1. Go to Fabric Configuration: Navigate to Configuration > Wireless > Fabric.
  2. Check Fabric Status: The page will display the fabric status, including whether it is enabled or disabled.

On the Cisco DNA Center GUI

  1. Navigate to Inventory: Go to Provision > Inventory.
  2. Filter by Device Role: Filter for Wireless Controllers and locate your WLC. The inventory will show the fabric status.
  3. Check Wireless Profiles: In Design > Network Profiles, check the wireless profiles. A profile configured for fabric will have “Fabric Enabled” selected and will be tied to a specific Virtual Network (VN) and Scalable Group (SG).
  4. Check Site Assignment: In Provision > Inventory, verify the site to which your WLC and APs are assigned. Only fabric-capable sites can have fabric-enabled wireless.

Setup and Configuration

  1. First, create a VLAN interface in DNAC (Design > Network Settings > Wireless).
    • Go to the Wireless Interfaces section and click (+) Add.
  2. Create an SSID (Design > Network Settings > Wireless).
    • Go to the Enterprise Wireless section and click (+) Add.
      • Set the name, enable it, and choose broadcast, Fastlane, and the session and idle timeouts.
  3. Under the wireless network profile (Design > Network Profiles)
    • Fabric – No
    • Specify which interface the SSID maps to (e.g. Vlan33)
  4. Push the config out to the WLC (Provision > Network Devices > Inventory)
    • Select the WLC, then Actions > Provision Device
    • You may need to configure the SVI for VLAN 33 on the WLC
    • Deploy

You can check the result on the controller.

  1. VLAN configuration: make sure the VLAN interface is up. If it is down, check the physical interface: when the port is a trunk, confirm the VLAN is allowed on it (Configuration > Interface > Ethernet).
  2. WLAN profile: you should see the profile name, the SSID name, and the Layer 2 / Layer 3 / AAA security settings.
  3. Policy profile (Configuration > Tags & Profiles > Policy): check the switching policy. Central switching should be enabled for non-fabric, whereas in fabric mode central switching is disabled. Under Access Policies you can see the VLAN mapping, then the session and idle timeouts. The fabric profile should be empty (not associated).

Defining WLANs

We have two different types of WLANs we can configure:

  • Enterprise – Open, WPA2 Personal, and WPA2 Enterprise
  • Guest – generally our web-authentication (captive portal) WLANs

WLANs are defined at the Global level of the site hierarchy.

  • You can override PSKs and CMS servers at the site, building, or floor level.

WLANs then get associated to a network profile.

  • The network profile determines at which sites the WLANs live.
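As an added example that is not from the page or from Cisco, and that goes a step beyond the text, this Python snippet shows what a WPA2 Personal SSID and its site-level PSK override amount to cryptographically. WPA2-PSK derives the pairwise master key as PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), so the PSK and the SSID name together determine the key every client and AP at that site will use; a site override gives that site its own PMK, while every site left on the global PSK shares one and falls together if the passphrase leaks. The site names, passphrases, and the 20-character minimum are assumptions; the "password"/"IEEE" pair is the standard IEEE 802.11 test vector.

```python
"""WPA2-Personal passphrase checks for the Enterprise SSID types listed above.

Added example; not code from the page or from Cisco. It goes a step beyond
the text: WPA2-PSK derives the pairwise master key as
PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 iterations, 32 bytes), which is
why (a) the 8-63 printable-ASCII passphrase rule exists and (b) a site-level
PSK override gives that site its own PMK while sites left on the global PSK
all share one. Site names, passphrases and the length policy are constructed.
"""
import hashlib
from collections import defaultdict


def check_passphrase(passphrase: str) -> list:
    """Return policy problems with a WPA2-PSK passphrase (empty = acceptable)."""
    problems = []
    if not 8 <= len(passphrase) <= 63:
        problems.append("WPA2-PSK passphrases must be 8 to 63 characters")
    if any(not 32 <= ord(c) <= 126 for c in passphrase):
        problems.append("only printable ASCII (0x20-0x7E) is allowed")
    if len(passphrase) < 20:   # local policy threshold; an assumption, not a standard
        problems.append("shorter than 20 characters: cheap to crack offline from one captured 4-way handshake")
    return problems


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, dkLen=32), per IEEE 802.11."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, 32)


def pmk_per_site(ssid: str, global_psk: str, sites: list, site_overrides: dict) -> dict:
    """PMK each site's WLC ends up holding: the site override if one exists, else the global PSK."""
    return {site: derive_pmk(site_overrides.get(site, global_psk), ssid) for site in sites}


def shared_pmk_sites(pmks: dict) -> dict:
    """Group sites by PMK: every site in one group is exposed if any member leaks the passphrase."""
    groups = defaultdict(list)
    for site, pmk in pmks.items():
        groups[pmk.hex()].append(site)
    return dict(groups)


if __name__ == "__main__":
    # IEEE 802.11 test vector: passphrase "password", SSID "IEEE"
    print(derive_pmk("password", "IEEE").hex())
    sites = ["Global/HQ", "Global/Branch-A", "Global/Branch-B"]           # constructed
    overrides = {"Global/Branch-B": "branch-b-only-passphrase-2024"}      # constructed
    for key, members in shared_pmk_sites(pmk_per_site("CORP-IOT", "gl0bal-default-passphrase", sites, overrides)).items():
        print(key[:16], members)
```

Run check_passphrase against any PSK before entering it in DNAC, and use shared_pmk_sites on your site list to see how many sites a single leaked passphrase actually unlocks; that is the practical reason to use the site-level override for the SSIDs that matter.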

Multi-Site Wireless with FlexConnect

FlexConnect Overview

What if you do not need fabric-enabled wireless? You can always run over-the-top wireless. With central switching enabled in a non-fabric setup, however, all client traffic has to travel to wherever the controller is located, which may not be ideal from a traffic-routing perspective.

Fortunately, DNAC lets you configure the APs in FlexConnect mode, with or without an SD-Access deployment.

Create a Floor and Assign the Access Point(AP)

To create a floor and assign an Access Point (AP) in Cisco DNA Center (DNAC), you must first build out your network hierarchy by creating the necessary areas and buildings.

  1. Design > Network Hierarchy > in the left pane, navigate to the building where you want to add the floor. Hover over the ellipsis (…) next to the building name and click Add Floor.

Setup and Configuration

  1. There is a section at the very bottom dedicated to the FlexConnect AP Native VLAN (Design > Network Settings > Wireless tab, with Global selected in the hierarchy).
    • This is the VLAN the AP needs to be on in order to reach the controller and register.
    • Specify the native VLAN: in an SD-Access deployment it should be VLAN 2045 (the INFRA_VN access-point VLAN) regardless of the IP subnets; in a non-SDA deployment it is whatever VLAN you use for AP management.
  2. Create a new network profile
    • Add the SSID, fabric type, and interface name, and select FlexConnect (local switching).
    • Assign it to the site.

002 Cisco Traditional vs Fabric Enabled Wireless

 

In both traditional and fabric-enabled wireless deployments, CAPWAP (Control and Provisioning of Wireless Access Points) is used for control communication between the Access Points (APs) and the Wireless LAN Controller (WLC).

All control messages are exchanged through the CAPWAP control tunnel. This includes essential operations such as AP discovery, AP configuration, firmware updates, WLAN management, client authentication, and statistics exchange — basically all the fundamental control traffic between APs and the controller.

There are two primary AP modes for handling client data:

  1. Local Mode

    • Data traffic is tunneled through the CAPWAP data tunnel to the WLC.

    • The AP encapsulates the wireless data into CAPWAP and forwards it to the controller.

    • The WLC then makes all forwarding decisions.

    • Even if two clients are connected to nearby APs (e.g., AP1 and AP2), their traffic still goes through the CAPWAP data tunnel to the WLC.

  2. FlexConnect Mode

    • Data traffic is switched locally at the AP instead of going through the WLC.

    • This uses 802.1Q VLAN tagging for the local data path.

    • The WLC only manages control traffic, while data stays within the local network, reducing WAN dependency.

When we move to a fabric-enabled wireless architecture, the distinction between Local and FlexConnect modes disappears: all APs operate as part of the fabric.

  • The AP is attached to a fabric edge switch and becomes a fabric-enabled AP. It is the edge switch, not the AP, that acts as the fabric edge node; the AP builds a VXLAN tunnel to it.

  • For the data plane, instead of the 802.1Q tagging FlexConnect uses, VXLAN (Virtual Extensible LAN) encapsulates client data at the AP and bridges it into the wired fabric at the edge switch, while CAPWAP still carries the control traffic to the WLC.

  • This integrates wireless and wired traffic within the SD-Access fabric, improving scalability and consistency of policy.

 
