SD-Access Wireless - A Look Under the Hood
I've only covered what I observed, so please refer to the complete guide for more information. You can find it at:
SD-Access Wireless Architecture

Here, we will walk through the fundamental functions of SD-Access Wireless to give you a thorough understanding of the processes that take place in Cisco DNA Center. This guide assumes that you have completed the Design phase and concentrates solely on the implementation and provisioning stage.
Adding a WLC to the fabric

- In Cisco DNAC, first provision the WLC and add it to the fabric domain
- Fabric configuration is pushed to the WLC and the WLC becomes fabric aware. Most importantly, the WLC is configured with credentials to establish a secure connection to the Control Plane (CP)
- The WLC is ready to participate in SD-Access Wireless
Adding WLC to Fabric - Configuration Verification
Verify Adding WLC to the Fabric:
- In GUI
- In CLI

Using command:
show wireless fabric summary

AP Join
Configure AP Pools

- Admin configures the AP pool in Cisco DNA Center in INFRA_VN. Cisco DNA Center pre-provisions a configuration on all the FEs to automatically onboard APs
AP INFRA_VN
- INFRA_VN is introduced to easily onboard APs. APs are in the Fabric overlay but INFRA_VN is mapped to the global routing table. Only APs and Extended nodes can belong to INFRA_VN

- "Layer 2 Extension" is automatically enabled, which turns on the L2 LISP service.
WLC Configuration
- By choosing Pool Type = AP and Layer-2 extension = ON, DNA Center connects to the Wireless Controller and sets the Fabric interface to VN_ID mapping for the AP subnet, for both the L2 and L3 VN_IDs
- Using CLI:
show wireless fabric summary
Automatic AP onboarding
- In Cisco DNA Center 1.2.x a CDP macro is pushed to all FEs for AP onboarding. This is done only if the switchport No Authentication template is selected:
- If any other switchport Authentication template is selected, either use static assignment to map the APs' switch ports to the right IP pool, or use MAB and ISE profiling to assign the port to the right pool
- In release 1.3 and above, Cisco DNA Center leverages Interface Templates (IBNS 2.0) and these are pushed also for dot1x/MAB authentication on the FE ports
From Macros to Autoconf (IBNS2.0):

Authentication Template with dot1x/MAB:


- (*) MAB: MAC Authentication Bypass
Authentication Template per site:
- Authentication Template per site level
- Does not affect the global level Authentication Template parameters
- Settings will be applied to all FE ports unless overridden by static port assignment

- Admin configures the AP pool in Cisco DNA Center in INFRA_VN. Cisco DNA Center pre-provisions a configuration on all the FEs to automatically onboard APs
- AP is plugged in and powers up. The FE discovers it's an AP via CDP and applies the macro (or the interface template) to assign the switch port to the right VLAN.
- (*) AP can also be connected through an "Extended node" switch

- AP gets an IP address via DHCP in the overlay

- Fabric Edge registers the AP's IP address and MAC (EID) and updates the Control Plane (CP)
- AP learns the WLC's IP using traditional methods and joins. Fabric AP joins in Local mode
- WLC checks if AP is fabric-capable (Wave 1 APs and higher)
- If AP is supported, WLC queries the CP to know if AP is connected to Fabric

- Control Plane (CP) replies to WLC with the RLOC. This means the AP is attached to the Fabric and will be shown as "Fabric enabled"
AP Join - configuration verification
Verify that the AP joined the Fabric:
- In GUI
- In CLI

- If Fabric Status is not "Enabled", check the communication between WLC and CP
Using command:
show ...

- WLC does an L2 LISP registration for the AP in the CP (a.k.a. AP "special" secure client registration). This is used to pass important metadata from the WLC to the FE

- In response to this proxy registration, the Control Plane (CP) notifies the Fabric Edge and passes along the metadata received from the WLC (a flag that says it's an AP, and the AP IP address)
- Fabric Edge processes the information, learns it's an AP and creates a VXLAN tunnel interface to the specified IP (optimization: the switch side is ready before clients join)

- APs are now ready to be provisioned on Cisco DNA Center
AP Provisioning

Note: with C9800, APs will not reboot but just do a CAPWAP restart. It takes less than 30 sec!!
AP Provisioning - WLC config verification:
- APs are configured with the Policy and Site tags for Fabric
- For C9800, the Policy tag identifies which SSIDs are broadcasted by the AP and with what policy, the Site tag identifies the site characteristic.
- In AireOS, the APs are assigned to the AP Group
Client Onboarding flow

- Admin user defines a Pool for wireless clients in the Cisco DNA Center Design phase. The pool is then associated to a VN during the "Host Onboarding" phase. For a wireless pool, L2 LISP needs to be enabled.
- As soon as the SSID is mapped to the client Pool, the WLAN will be enabled and clients will see the Fabric SSID
- Add the pool to Virtual Network and verify that Layer-2 Extension toggle is ON to enable L2 LISP and Layer 2 subnet extension on the client Pool/subnet. In DNA Center 1.3.x you cannot disable it
- When the pool is assigned to the Virtual Network, the corresponding Fabric interface to VNID mapping is pushed to the controller. Note: these are all L2 VNIDs

- WLANs are mapped to the pool in the respective Virtual Networks

IMPORTANT: from 1.3.1.4 an extra step is needed: the pool must be marked as Enable Wireless Pool for the corresponding subnet to be available for assignment to an SSID

WLC config verification:

- The Fabric WLANs are now in enable state and clients can join

- Client authenticates to a Fabric-enabled WLAN. WLC gets the SGT from ISE and updates the AP with the client's L2 VNID and SGT
- WLC knows the RLOC of the AP from its internal DB. WLC proxy-registers the client L2 info in the CP; this is a modified LISP message that passes additional info, such as the client SGT
- FE gets notified by the CP and knows it's a client; FE adds the client MAC to the L2 forwarding table and fetches the client policy from ISE based on the client SGT
- Client initiates a DHCP Request
- AP encapsulates it in VXLAN with the L2 VNI info (and SGT)
- Fabric Edge maps the L2 VNID to the VLAN interface and forwards the DHCP packet in the overlay (same as for a wired Fabric client)
- Client receives an IP address from DHCP
- DHCP snooping triggers the client EID registration by the Fabric Edge to the CP. (If the client has a static IP, then ARP or any other IP packet will trigger the registration)
This completes the Client onboarding process
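The AP-to-Fabric-Edge leg of the flow above carries the client's L2 VNID and SGT in the VXLAN header. The following Python is an added example, not Cisco code or anything from the guide: it builds and validates a VXLAN-GPO header (field layout per draft-smith-vxlan-group-policy, which is what carries the Group Policy ID / SGT) and then performs the Fabric Edge's L2 VNID to VLAN lookup against a constructed mapping table; the VNID and VLAN values are made up.

```python
import struct

# VXLAN-GPO header (draft-smith-vxlan-group-policy), 8 bytes on the wire:
#   byte 0: flags, G=0x80 (group policy present), I=0x08 (VNI valid)
#   byte 1: policy flags, D=0x40 (don't learn source), A=0x08 (policy applied)
#   bytes 2-3: Group Policy ID = the SGT; bytes 4-6: VNI; byte 7: reserved (0)
FLAG_G, FLAG_I, POL_D, POL_A = 0x80, 0x08, 0x40, 0x08

# Constructed L2 VNID -> VLAN table standing in for the mapping DNA Center
# pushes to the Fabric Edge (values are made up for this example).
L2VNID_TO_VLAN = {8188: 1021, 8189: 1022}

def build_vxlan_gpo(vni, sgt=None, dont_learn=False, applied=False):
    """Header as a fabric AP emits it for a client frame (SGT optional)."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    flags, policy, gpid = FLAG_I, 0, 0
    if sgt is not None:
        if not 0 <= sgt < 1 << 16:
            raise ValueError("SGT must fit in 16 bits")
        flags |= FLAG_G
        gpid = sgt
        policy = (POL_D if dont_learn else 0) | (POL_A if applied else 0)
    return struct.pack("!BBHI", flags, policy, gpid, vni << 8)

def parse_vxlan_gpo(hdr):
    """Decode the header, rejecting anything with reserved bits set."""
    if len(hdr) < 8:
        raise ValueError("header truncated")
    flags, policy, gpid, vni_word = struct.unpack("!BBHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    if flags & ~(FLAG_G | FLAG_I) or vni_word & 0xFF:
        raise ValueError("reserved bits set")
    if not flags & FLAG_G and (policy or gpid):
        raise ValueError("policy fields present without G flag")
    return {"vni": vni_word >> 8, "sgt": gpid if flags & FLAG_G else None,
            "dont_learn": bool(policy & POL_D), "applied": bool(policy & POL_A)}

def fabric_edge_classify(hdr):
    """Fabric Edge view: VLAN from the L2 VNID mapping, SGT for the ISE policy fetch."""
    fields = parse_vxlan_gpo(hdr)
    vlan = L2VNID_TO_VLAN.get(fields["vni"])
    if vlan is None:
        raise LookupError("L2 VNID %d has no fabric interface mapping" % fields["vni"])
    return {"vlan": vlan, "sgt": fields["sgt"]}
```

A frame arriving with an L2 VNID that was never pushed to the edge, or with an SGT but no G flag, is rejected rather than guessed at, which is the behaviour to look for when troubleshooting a client that authenticates but never gets DHCP.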
Client Join - WLC config verification:
