NOTE:
- Catalyst 9800 Wireless Controller is only supported with Virtual Edge version 16.1.5+
- The minimum supported Cisco IOS XE version is 17.9.5
- The IP address used for onboarding cannot be assigned to an interface associated with a VRF.
- SSH must be enabled and permitted between the Virtual Edge and the Catalyst 9800
- Elisity does not configure Catalyst 9800 Policy Profiles. It is assumed that existing profiles are being leveraged.
- Ensure TCP port 9063 is open between the Virtual Edge and the WLC. Verify that no firewalls or other network configurations are blocking the WLC's access to the Virtual Edge on this port.
- This integration supports only Local mode. For FlexConnect Local mode support, please refer to the Wireless Design Guide.
Onboarding Steps
Step 1: You need either a local user account with privilege 15 or TACACS+ login that grants privilege 15 access. The Virtual Edge uses this account to authenticate to the Catalyst 9800 over SSH. Create the user in the Wireless Controller UI, or, if a local account is being used and is not already configured, run the following command in global configuration mode:
switch(config)# username <username> privilege 15 secret 0 <password>
The `0` after `secret` tells IOS XE that the password that follows is entered in clear text; the controller stores it as a hash, not as plaintext.
Step 2: Log into Cloud Control Center and navigate to Virtual Edges and select the Virtual Edge you wish to use to onboard the Catalyst 9800 Wireless Controller.
Step 3: On the next screen, select + Add Virtual Edge Node and then select Add Single Virtual Edge Node in the dropdown.
Step 4: Select Wireless LAN Controller as the Virtual Edge Node Type.
Step 5: Fill in the required fields such as management IP, description and credentials then select Add.
The following chart provides details about each field in the Wireless Controller onboarding workflow.
Field | Description
Switch Management IP | The management IP of the Wireless Controller you wish to onboard as a Virtual Edge Node for policy enforcement. Any IP address works as long as it is reachable from the previously deployed Virtual Edge container. This field is mandatory.
Description | A user-defined description for the VEN. This field is optional.
Enable Endpoint Discovery | Enables the active collection of identifying data for endpoints discovered behind the VEN, gleaned from Wireless Controller telemetry. This feature actively tracks assets for updates in identifying data. (Recommended)
Enable Flow Telemetry | Enables the collection of flow data and network traffic analytics, which are sent to Cloud Control Center. (Recommended)
Site Label | Site labels can be applied to Virtual Edge Nodes for policy distribution and for analytics purposes. Site labels are used to assign Virtual Edges and Virtual Edge Nodes to Policy Sets. If this field is left blank, the site label of the parent Virtual Edge is inherited, if one exists.
Distribution Zone | Either inherit the Distribution Zone from the parent Virtual Edge or assign one manually. If you are unfamiliar with the concept of Distribution Zones, refer to the Distribution Zones documentation.
Switch Admin Username | If not using global admin credentials, the admin username of the Wireless Controller you wish to onboard as a Virtual Edge Node. The account can be local or TACACS/RADIUS; privilege 15 is required. This field is mandatory. The username must be alphanumeric and may contain only the permitted special characters (_, +, \, /, -).
Switch Admin Password | If not using global admin credentials, the admin password of the Wireless Controller you wish to onboard as a Virtual Edge Node. The account can be local or TACACS/RADIUS. The password cannot contain whitespace.
After filling out all the required fields, click Add. The Virtual Edge Node onboarding process will begin immediately.
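Before clicking Add, it is worth confirming from the Virtual Edge host that the inputs satisfy the constraints above and that the SSH path required by the notes at the top of this page exists. The following pre-flight script is an added example, not Elisity's or Cisco's code: it encodes the username character set and the no-whitespace password rule from the table, checks that the management IP parses, and attempts a TCP connection to port 22 on the controller. The IP address and credentials in the `__main__` block are constructed placeholders. Reachability of the Virtual Edge on TCP 9063 must be verified from the WLC side and is only printed as a reminder.

```python
"""Pre-flight checks before onboarding a Catalyst 9800 as a Virtual Edge Node.

Added example, not Elisity's or Cisco's code. Encodes the constraints stated on
this page: SSH must be reachable from the Virtual Edge to the WLC, the admin
username may contain only alphanumerics and _ + \\ / -, and the password may
not contain whitespace. Run it from the Virtual Edge host (or any host in the
same network position). Hostnames and credentials below are constructed.
"""
import ipaddress
import re
import socket

# Only alphanumerics plus the special characters the onboarding form permits.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_+\\/-]+$")
SSH_PORT = 22          # Virtual Edge -> WLC (onboarding and configuration push)
NETFLOW_PORT = 9063    # WLC -> Virtual Edge; must be checked from the WLC side


def validate_username(username: str) -> list[str]:
    """Return a list of problems with the username (empty list means OK)."""
    problems = []
    if not username:
        problems.append("username is empty")
    elif not USERNAME_RE.match(username):
        problems.append("username contains characters other than alphanumerics and _ + \\ / -")
    return problems


def validate_password(password: str) -> list[str]:
    """Return a list of problems with the password (empty list means OK)."""
    problems = []
    if not password:
        problems.append("password is empty")
    elif re.search(r"\s", password):
        problems.append("password contains whitespace")
    return problems


def validate_management_ip(addr: str) -> list[str]:
    """Return a problem if addr is not a syntactically valid IPv4/IPv6 address."""
    try:
        ipaddress.ip_address(addr)
    except ValueError:
        return [f"{addr!r} is not a valid IP address"]
    return []


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(wlc_ip: str, username: str, password: str, check_network: bool = True) -> list[str]:
    """Return every problem found; an empty list means the inputs pass."""
    problems = (validate_management_ip(wlc_ip)
                + validate_username(username)
                + validate_password(password))
    # Only probe the network when the form inputs themselves are sane.
    if check_network and not problems and not tcp_open(wlc_ip, SSH_PORT):
        problems.append(f"TCP {SSH_PORT} to {wlc_ip} is closed or filtered: "
                        "the Virtual Edge cannot reach the WLC over SSH")
    return problems


if __name__ == "__main__":
    # Constructed values; replace with your WLC management IP and onboarding account.
    issues = preflight("192.0.2.10", "elisity-ve", "Str0ngPass!")
    for issue in issues:
        print("FAIL:", issue)
    if not issues:
        print("OK: form inputs valid and SSH port reachable")
    print(f"Reminder: confirm from the WLC that TCP {NETFLOW_PORT} to the Virtual Edge is not filtered.")
```

A non-empty result from `preflight()` maps directly onto the most common onboarding failure described later on this page (controller unreachable), so fixing it here saves a delete-and-retry cycle.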
Step 6: Log into the Wireless Controller, navigate to Configuration > Policy.
Step 7: Select the profile(s) you are using for your wireless network and enable SGACL Enforcement under the General tab.
NOTE:
This step must be repeated for every wireless profile you wish to apply enforcement to.
Step 8: Select the profile(s) you are using for your wireless network and under the QOS and AVC tab select ElisityNetFlowMonitor for both Egress and Ingress.
NOTE:
For the flow monitor to operate as expected, every policy profile associated with a single SSID must be configured with the same ElisityNetFlowMonitor for both egress and ingress. This is a requirement of Cisco's design, as documented in Cisco's guidelines.
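On a controller with many policy tags it is easy to leave one profile without an ingress or egress monitor. The following script is an added example, not Elisity's or Cisco's code: it parses a constructed IOS XE running-config excerpt (embedded below) using the 9800 block structure `wlan`, `wireless profile policy` and `wireless tag policy`, maps each SSID to every policy profile bound to it through a tag, and reports any profile that does not carry ElisityNetFlowMonitor in both directions. The profile, tag and SSID names are invented for the sample.

```python
"""Check that every policy profile serving an SSID exports to the same flow
monitor in both directions, as the note above requires.

Added example, not Elisity's or Cisco's code. Parses a constructed IOS XE
running-config excerpt; adapt MONITOR if your monitor name differs.
"""
import re
from collections import defaultdict

MONITOR = "ElisityNetFlowMonitor"

# Constructed excerpt (not from a real controller). Deliberate faults:
# PP-CORP-B lacks the output monitor and PP-GUEST uses a different monitor on input.
SAMPLE_CONFIG = """\
wlan Corp-WLAN 1 Corp
 no shutdown
wlan Guest-WLAN 2 Guest
 no shutdown
wireless profile policy PP-CORP-A
 ipv4 flow monitor ElisityNetFlowMonitor input
 ipv4 flow monitor ElisityNetFlowMonitor output
 no shutdown
wireless profile policy PP-CORP-B
 ipv4 flow monitor ElisityNetFlowMonitor input
 no shutdown
wireless profile policy PP-GUEST
 ipv4 flow monitor OtherMonitor input
 ipv4 flow monitor ElisityNetFlowMonitor output
 no shutdown
wireless tag policy PT-SITE-1
 wlan Corp-WLAN policy PP-CORP-A
wireless tag policy PT-SITE-2
 wlan Corp-WLAN policy PP-CORP-B
 wlan Guest-WLAN policy PP-GUEST
"""


def parse_blocks(config: str):
    """Yield (header, [indented child lines]) for each top-level config block."""
    header, children = None, []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0].isspace():
            children.append(raw.strip())
        else:
            if header is not None:
                yield header, children
            header, children = raw.strip(), []
    if header is not None:
        yield header, children


def parse_config(config: str):
    """Extract SSID names, per-profile flow monitors, and tag-based WLAN->profile bindings."""
    ssid_of_wlan = {}                                                   # wlan profile -> SSID
    monitors = defaultdict(lambda: {"input": set(), "output": set()})   # policy profile -> monitors
    profiles_of_wlan = defaultdict(set)                                 # wlan profile -> policy profiles
    for header, children in parse_blocks(config):
        m = re.match(r"wlan (\S+) (\d+) (\S+)$", header)
        if m:
            ssid_of_wlan[m.group(1)] = m.group(3)
            continue
        m = re.match(r"wireless profile policy (\S+)$", header)
        if m:
            prof = m.group(1)
            monitors[prof]  # register the profile even if it has no monitor lines
            for line in children:
                fm = re.match(r"ipv4 flow monitor (\S+) (input|output)$", line)
                if fm:
                    monitors[prof][fm.group(2)].add(fm.group(1))
            continue
        if re.match(r"wireless tag policy \S+$", header):
            for line in children:
                wm = re.match(r"wlan (\S+) policy (\S+)$", line)
                if wm:
                    profiles_of_wlan[wm.group(1)].add(wm.group(2))
    return ssid_of_wlan, monitors, profiles_of_wlan


def find_violations(config: str, monitor: str = MONITOR) -> dict[str, list[str]]:
    """Map SSID -> problems; an empty dict means every SSID is consistently monitored."""
    ssid_of_wlan, monitors, profiles_of_wlan = parse_config(config)
    violations = defaultdict(list)
    for wlan, profiles in profiles_of_wlan.items():
        ssid = ssid_of_wlan.get(wlan, wlan)
        for prof in sorted(profiles):
            for direction in ("input", "output"):
                names = monitors[prof][direction]   # unknown profile -> empty sets
                if monitor not in names:
                    violations[ssid].append(
                        f"{prof}: {direction} monitor is {sorted(names) or 'unset'}, expected {monitor}")
    return dict(violations)


if __name__ == "__main__":
    for ssid, problems in find_violations(SAMPLE_CONFIG).items():
        for problem in problems:
            print(f"{ssid}: {problem}")
```

Feed it the output of `show running-config` saved to a file; a clean run prints nothing, and each reported line names the policy profile and direction to fix under the QOS and AVC tab.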
Checking the Status of a VEN Onboarding
In the top right of your Cloud Control Center dashboard, you will see a notification icon. After beginning the VEN onboarding, a blue dot will indicate that the status of your VEN onboarding has an update.
Clicking on this icon will reveal the status of your VEN onboarding in the Activity tab. As each step of the onboarding completes successfully, that item is marked with a green check mark and a "Success" status.
If any errors are encountered during onboarding, a red error indicator appears on that item with a brief description of the issue. In the example shown, the onboarding failed because the Wireless Controller was unreachable. In that case, confirm that the Virtual Edge can reach the Wireless Controller over SSH, that the Wireless Controller can reach the Virtual Edge on TCP port 9063, and that the Virtual Edge itself can reach Cloud Control Center.
Once the onboarding is complete, your VEN will show green in Cloud Control Center and information about the Wireless Controller is now visible such as hostname, model, number of discovered devices, and more.
NOTE:
If the WLC fails to onboard as a VEN, it will not automatically retry. To resolve this, delete the VEN, make the necessary configuration adjustments, and attempt the onboarding process again.
Decommissioning and Deleting a Virtual Edge Node
Decommissioning a VEN takes the enforcement point out of service by removing the configurations from the Wireless Controller, but retains the configuration in Cloud Control Center so that you can easily put the VEN back in service with a single click.
Step 1: Log into the Wireless Controller, navigate to Configuration > Policy. Select the profile(s) you are using for your wireless network and disable SGACL Enforcement under the General tab.
Step 2: Select the profile(s) you are using for your wireless network and under the QOS and AVC tab deselect ElisityNetFlowMonitor for both Egress and Ingress.
Step 3: Open the details view of your Virtual Edge Node and then select Decommission in the top right. The Virtual Edge Node status will say Decommissioned.
You can also decommission from the main VEN dashboard by clicking the three dots to the right and selecting Decommission Virtual Edge Node.
If you want to decommission multiple VENs simultaneously, select the VENs using the check boxes on the left and click Bulk Actions. Here you can perform bulk actions such as Restart RESTCONF, Decommission, and Delete.
In each case, you will be presented with a confirmation request to finalize the decommission action, with warnings or errors where applicable.
After decommissioning, the Activity Panel will show the status of the decommission process. The Activity Panel is accessible through the notification icon in the top right corner of Cloud Control Center.
After completing the decommission process for the VENs, you can either delete them from Cloud Control Center or leave them decommissioned so they can be recommissioned easily later. Clicking the more options button in the actions panel to the right of each VEN shows the delete and recommission options for that VEN. These options are also available in the bulk actions menu described above. Deleting a VEN requires no further action.
Recommissioning a VEN will also provide a status feedback in the activity panel for tracking the step by step recommissioning process.