The following table details the planning and information-gathering tasks you must perform before attempting to install, configure and set up your appliances. When you have completed the tasks in this table successfully, you can continue by physically installing your appliances in the data center.

You can use Cisco DNA Center to manage any type of network, including networks that employ the Cisco SD-Access fabric architecture. Cisco SD-Access transforms conventional networks into intent-based networks, where business logic becomes a physical part of the network, making it easy to automate day-to-day tasks such as configuration, provisioning, and troubleshooting. The Cisco SD-Access solution reduces the time taken to adapt the network to business needs, improves issue resolutions, and reduces security-breach impacts.

A complete discussion of the SDA solution is outside the scope of this guide. Network architects and administrators planning to implement a Cisco SD-Access fabric architecture for use with Cisco DNA Center can find additional information and guidance from the following resources:

• For more information on how Cisco DNA Center leverages Cisco SD-Access to automate solutions that are not possible with normal networking approaches and techniques, see Software Defined Access: Enabling Intent-Based Networking.

• For guidance in using Cisco SD-Access access segmentation to enhance network security, see the Software-Defined Access Segmentation Design Guide.

• For guidance on deploying SDA with Cisco DNA Center, see the Software-Defined Access Deployment Guide.

• For more on the Digital Network Architecture that is the foundation of Cisco DNA Center and the SDA solution, and the roles other Cisco and third-party products and solutions play in this innovative architecture, see the Cisco DNA Design Zone.

Connect the ports on the appliance to switches providing the following types of network access. At a minimum, you must configure the Enterprise and Cluster port interfaces, as they are required for Cisco DNA Center functionality.

• (Required) 10Gbps Cluster Port (Port 2, enp10so, Network Adapter 1): This is the left-hand port on the VIC 1227 card in the appliance mLOM slot. Its purpose is to enable communications among the primary and add-on nodes in a Cisco DNA Center cluster. Cable this port to a switch with connections to the other nodes in the cluster.

• (Required) 10Gbps Enterprise Port (Port 1, enp9s0, Network Adapter 4): This is the right-hand port on the VIC 1227 card in the appliance mLOM slot. Its purpose is to enable Cisco DNA Center to communicate with and manage your network. Cable this port to a switch with connections to the enterprise network.

• (Optional, but strongly recommended) 1Gbps Cisco IMC Port (M): This port provides browser access to the Cisco IMC out-of-band appliance management interface and its graphic user interface. Its purpose is to allow you to manage the appliance and its hardware. Cable this port to a switch with connections to your enterprise management network.

• (Optional) 1Gbps Cisco DNA Center GUI Port (1, enp1s0f0, Network Adapter 2): This port provides access to the Cisco DNA Center graphic user interface. Its purpose is to enable users to manage your network using the Cisco DNA Center software. Cable this port to a switch with connections to your enterprise management network.

• (Optional) 1Gbps Cloud Port (2, enp1s0f1, Network Adapter 3): This port is optional. Use it only if you cannot connect the appliance to the Internet (including to your Internet proxy server) using the 10Gbps Enterprise Port (Port 1, enp9s0, Network Adapter 4). If you need to use the Cloud Port, cable it to a switch with connections to your Internet proxy server.

The following figure shows the recommended connections for a standalone Cisco DNA Center primary node:

The following figure shows recommended connections for a three-node cluster of Cisco DNA Center appliances. As you can see, all but one of the connections for each node in the cluster are the same as those for a standalone node, and use the same ports. The exception is the cluster port, which is required so that each host in the cluster can communicate with the others.

For a short video presentation about the rear-panel ports and how they are used, see the first five minutes of Unboxing Cisco DNA Center Appliance for Assurance and SD-Access (under the section "Get Started").

For more details on each of the ports, see the Figure 2 diagram and accompanying descriptions in Front and Rear Panels.

Note	Multi-node cluster deployments require all member nodes to be in the same network and at the same site. Cisco DNA Center does not support distribution of nodes across multiple networks or sites.

When cabling the 10Gbps Enterprise and Cluster ports, please note that both ports support the following media types only:

• SFP-10G-SR (Short range, MMF)

• SFP-10G-LR (Long range, SMF)

• SFP-H10GB-CU1M (Twinax cable, passive, 1 Meter)

• SFP-H10GB-CU3M (Twinax cable, passive, 3 Meters)

• SFP-H10GB-CU5M (Twinax cable, passive, 5 Meters)

• SFP-H10GB-CU7M (Twinax cable, passive, 7 Meters)

• SFP-H10GB-ACU7M (Twinax cable, active, 7 Meters)

Cisco switches will automatically detect and adjust to the media type you use.

Before beginning the installation, you must ensure that your network has sufficient IP addresses available to assign to each of the appliance ports that you plan on using. Depending on whether you are installing the appliance as a single-node cluster or as a primary or add-on node in a three-node cluster, you will need the following appliance port (NIC) addresses:

• Enterprise Port Address (Required): One IP address with subnet mask.

• Cluster Port Address (Required): One IP address with subnet mask.

• Management Port Address (Optional): One IP address with subnet mask.

• Cloud Port Address (Optional): One IP address with subnet mask. This is an optional port, used only when you cannot connect to the cloud using the Enterprise port. You do not need an IP address for the Cloud port unless you must use it for this purpose.

• CIMC Port Address (Optional, but strongly recommended): One IP address with subnet mask.

Note	All of the IP addresses called for in these requirements must be valid IPv4 addresses with valid IPv4 netmasks. Ensure that the addresses and their corresponding subnets do not overlap. Service communication issues can result if they do.

You will also need the following additional IP addresses and dedicated IP subnets, which are prompted for and applied during configuration of the appliance:

1. Cluster Virtual IP Address (Required): One IP address with subnet mask for a VIP used for all traffic between the appliance cluster and your enterprise network. As this is a virtual IP, it is stored as part of the primary node configuration.

   If you are installing the appliance as standalone primary node, this is technically optional. However, you will be prompted for it during configuration and it is required in order to add nodes and create a multi-node cluster configuration. For these reasons, Cisco strongly recommends that you choose and assign the cluster VIP address during configuration of the primary node.

2. Default Gateway IP Address (Required): The IP address for your network's preferred default gateway. If no other routes match the traffic, traffic will be routed through this IP address. The default gateway IP must be in the same subnet as the Enterprise Port Address.

3. DNS Server IP Addresses (Required): The IP address and subnet mask for one or more of your network's preferred DNS servers. During configuration, you can specify multiple DNS server IP addresses and netmasks by entering them as a space-separated list. Note that, due to an unresolved bug, customers currently cannot change the list of DNS servers after configuration. If you find that you must change the list of DNS server IPs after configuration, contact the Cisco Technical Assistance Center (TAC).

4. Static Route Addresses (Optional): The IP addresses, subnet masks and gateways for one or more static routes. During configuration, you can specify multiple static-route IP addresses, netmasks and gateways by entering them as a space-separated list.

   You can set one or more static routes for any interface on the appliance. You should supply static routes when you want to route traffic in a specific direction other than the default gateway. Each of the interfaces with static routes will be set as the "device" the traffic will be routed through in the IP route command table. For this reason, it is important to match the static route directions with the interface though which the traffic will be sent.

   Static routes are not recommended in network device routing tables such as those used by switches and routers. Dynamic routing protocols are better for this. However, you should add them where needed to allow the Cisco DNA Center appliance access to particular parts of the network that can be reached no other way.

5. NTP Server IP Addresses (Required): The DNS-resolvable hostname, or IP address and subnet mask, for at least one Network Time Protocol (NTP) server.

   During configuration, you can specify multiple NTP server IPs/masks or hostnames by entering them as a space-separated list. For a production deployment, Cisco recommends that you configure a minimum of three NTP servers.

   You will specify these servers during pre-flight hardware synchronization and again during configuration of the Cisco DNA Center software on each appliance in the cluster. Time synchronization is critical to the accuracy of Cisco DNA Center data and coordination of processing across a multi-host cluster. Before deploying Cisco DNA Center in production, make sure that the time on the appliance system clock is current and that the Network Time Protocol (NTP) servers you specified are keeping accurate time. If you are planning to integrate Cisco DNA Center with Cisco Identity Services Engine (ISE), you should also ensure that ISE is synchronizing with the same NTP servers as Cisco DNA Center.

6. Services Subnet (Required): Identifies one dedicated IP subnet for Cisco DNA Center to use in managing and getting IPs for communications among its internal application services, such as Assurance, inventory collection, and so on. The dedicated IPv4 Services Subnet must not conflict or overlap with any other subnet in use in the enterprise network, including the Cluster Services Subnet. The minimum size of the subnet is 21 bits. The Services Subnet must conform with the IETF RFC1918 specification for private networks (for details, see RFC1918, Address Allocation for Private Internets). An example of a conformant Services Subnet would be 10.10.10.0/21.

7. Cluster Services Subnet (Required): Identifies one dedicated IP subnet for Cisco DNA Center to use in managing and getting IPs for communications among its infrastructure services, such as database access, the message bus, and so on. The dedicated IPv4 Cluster Services subnet must not conflict or overlap with any other subnet in use in the enterprise network, including the dedicated Cisco DNA Center Services Subnet. The minimum size of the subnet is 21 bits. The Cluster Services Subnet must conform with the IETF RFC1918 specification for private networks (for details, see RFC1918, Address Allocation for Private Internets). An example of a conformant Cluster Services Subnet would be 172.16.10.0/21. If you were to specify 10.10.10.0/21 as your Services Subnet, you could also specify a Cluster Services Subnet of 10.0.8.0/21, since these two subnets do not overlap. Also note that the Configuration Wizard will detect any overlap between these subnets and will prompt you to correct the overlap.

The recommended total IP address space for the two Services and Cluster Services subnets contains 4,096 addresses, broken down into two /21 subnets of 2,048 addresses each. The two /21 subnets must not overlap. IP addresses in this space are assigned to NICs, VIPs, Calico and BGP routing, BGP Route Reflectors (RR), and Kubernetes nodes, pods and services.

One reason Cisco DNA Center requires this amount of address space is to maintain system performance. Because it uses internal routing and tunneling technologies for east-west (inter-node) communications, using overlapping address spaces would force Cisco DNA Center to run Virtual Routing and Forwarding FIBs internally. This would lead to multiple encaps/decaps for packets going from one service to another, causing high internal latency at a very low level, with cascading impacts at higher layers.

Another reason is the product's Kubernetes design. Cisco DNA Center uses the IP addresses in this space per Kubernetes K8 node. Multiple nodes can make up a single service. Currently, Cisco DNA Center supports more than 100 services, each requiring several IP addresses, and new features and corresponding services are added all the time. The address space requirement is purposely kept large at the start to ensure that Cisco can add new services and features to Cisco DNA Center without either running out of IPs or requiring customers to re-allocate contiguous address spaces simply to upgrade their systems.

The services supported over these subnets are also enabled at Layer 3. The Cluster Services space, in particular, carries data between application and infrastructure services, and is heavily used.

The RFC1918 requirement is due to Cisco DNA Center's need to download packages and updates from the cloud. If the selected IP ranges do not conform with RFC1918, this can quickly lead to problems with public IP overlaps.

The appliance requires secure access to the following table of URLs and Fully Qualified Domain Names (FQDNs).

The table describes the features that make use of each URL and FQDN. You must configure either your network firewall or a proxy server so that IP traffic can travel to and from the appliance and these resources. If you cannot provide this access for any listed URL and FQDN, the associated features will be impaired or inoperable.

For more on requirements for proxy access to the Internet, see Provide Secure Access to the Internet.

By default, Cisco DNA Center is configured to access Cisco.com and other URLs via the Internet, in order to download Cisco DNA Center software updates, licenses, and device software, as well as provide up-to-date map information, user feedback, and so on.

Providing Internet connections for these purposes is a mandatory requirement.

Using an HTTPS proxy server is a reliable way to access remote URLs securely. Cisco recommends that you use an HTTPS proxy server to provide Cisco DNA Center with the access it needs to the URLs listed in Required Internet URLs and Fully Qualified Domain Names. During Cisco DNA Center installation, you will be prompted to enter the URL and port number of the proxy server you want to use for this purpose, along with the proxy's login credentials (if the proxy requires them).

As of this release, Cisco DNA Center supports communication with proxy servers over HTTP only. You may locate the HTTPS proxy server anywhere within your network. The proxy server can communicate with the Internet using HTTPS, while Cisco DNA Center communicates with the proxy server via HTTP. For these reasons, you will want to be sure to specify the proxy's HTTP port when configuring the proxy during Cisco DNA Center configuration.

If for any reason you need to change the Cisco DNA Center proxy setting after configuration, you can do so via the Cisco DNA Center GUI interface.

During appliance configuration, you will be prompted for the following information, in addition to the Required IP Addresses and Subnets:

1. Linux User Name: This is maglev. This user name is the same on all Cisco DNA Center appliances in a cluster, including both the primary node and add-on nodes, and cannot be changed.

2. Linux Password : Identifies the password for the Linux User Name maglev. This password ensures secure access to each appliance's Maglev database root and clients via the Linux command line. Access to the Maglev root and clients requires this password. If you choose to do so, you can assign a different Linux Password for each maglev Linux User Name on each appliance in a cluster.

   You must create the Linux Password because there is no default. The password must meet the following requirements:

   • Eight character minimum length.

   • Does NOT contain a tab or a line break.

   • Does contain characters from at least three of the following categories:

     • Uppercase alphabet

     • Lowercase alphabet

     • Numeral

     • Special characters (for example, ! or #)

   The Linux password is encrypted and hashed in the Cisco DNA Center database. If you are deploying a multi-node cluster, you will also be prompted to enter the primary node's Linux Password on each of the add-on nodes.

3. Password Generation Seed (Optional): Instead of inventing the Linux Password, you can enter a seed phrase and press Generate Password. The Maglev Configuration Wizard will generate a random and secure password using that seed phrase. You can further edit the generated password using the Auto Generated Password field.

4. Administrator Passphrase: Identifies the password used for web access to Cisco DNA Center in a cluster. This is the password for the superuser account admin, which you use to log in to Cisco DNA Center for the first time (see Log In For the First Time). You will be prompted to change this password when you log in for the first time, to ensure it is secure.

   You must create this password because there is no default. The Administrator Passphrase must meet the same requirements as the Linux Password described above.

5. CIMC User Password: Identifies the password used for access to the CIMC graphic user interface. The factory default is password, but you will be prompted to change it when you first set up CIMC for access via Web browser (see Enable Browser Access to CIMC).

   The CIMC User password must meet the same requirements as the Linux Password described above. It can be changed back to password only by a reset to factory defaults.

6. Primary Node's Cluster Port IP Address: Required only when you are installing add-on nodes in a cluster. This is the IP address of the Cluster Port on the primary node (see Interface Cable Connections).

Once you have completed configuration of your appliances, you will log into Cisco DNA Center for the first time and complete essential setup tasks. During this first-time setup, you will need to have the following information:

1. New Admin Superuser Password: You will be prompted to enter a new password for the Cisco DNA Center admin superuser. Resetting the superuser password enhances operational security. This is especially important if, for example, the enterprise staff who installed and configured the Cisco DNA Center appliance will not be Cisco DNA Center users or administrators.

2. Cisco.com Credentials: The Cisco.com user ID and password that your organization uses to register software downloads and receive system communications via email.

3. Cisco Smart Account Credentials: The Cisco.com Smart Account user ID and password your organization uses for managing your device and software licenses.

4. IP Address Manager URL and Credentials: The host name, URL, admin user name and admin password of the third-party IP address manager (IPAM) server you plan to use with Cisco DNA Center. The current release supports InfoBlox or Bluecat.

5. Proxy URL, Port and Credentials: The URL (host name or IP address), port number, user name and user password of the proxy server you plan to use with Cisco DNA Center in order to get updates to the Cisco DNA Center software, manage device licenses, and retrieve other downloadable content.

6. Cisco DNA Center Users: User names, passwords, and privilege settings for the new Cisco DNA Center users you will be creating. Cisco recommends that you always use one of these new user accounts for all your normal Cisco DNA Center operations. Avoid using the admin superuser account for anything but reconfiguring Cisco DNA Center and other operations where superuser privileges are explicitly required.

For details about how to launch and respond to the first-time setup wizard that prompts you for this information, see Log In For the First Time

You will also need the following information to complete the remaining setup tasks, which can be done after your first login:

1. ISE Server IP and Credentials: You will need the Cisco Identify Services Engine (ISE) server IP address, administrative user name, and password. These are needed to log in to and configure your organization's ISE server to share data with Cisco DNA Center, as explained in Integrate Cisco ISE With Cisco DNA Center.

2. Authorization and Policy Server Information: If you are using Cisco ISE as your authentication and policy server, you will need the same information as for the ISE integration above, plus the ISE CLI user name, CLI password, server FQDN, a subscriber name (such as dnac) , the ISE SSH key (optional), the protocol choice (RADIUS or TACACS), the authentication port, the accounting port, and retry/timeout settings.

   If you are using a different authorization and policy server, you will need that server's IP address, protocol choice (RADIUS or TACACS), authentication port, accounting port, and retry/timeout settings.

   You will use this information to integrate Cisco DNA Center with your chosen authentication and policy server, as explained in Configure Authentication and Policy Servers.

3. SNMP Retry and Timeout Values: Needed to setup up device polling and monitoring, as explained in Configure SNMP Properties.