
Network Access Control & Wireless Infrastructure Labs

Course Focus: CCNA – RADIUS, TACACS+, WLC & Cisco DNA Center (Theory + Labs)

Abstract
This report summarizes key concepts and practical lab implementations related to
centralized access control and wireless infrastructure in modern networks. The focus is on
the configuration and understanding of RADIUS, TACACS+, Wireless LAN Controllers, and
Cisco DNA Center using Cisco Packet Tracer and CLI-based setups. The goal is to simplify
enterprise-grade topics for job readiness and field application.

Amisha Tehra
Included Lab Configurations:
1. RADIUS Server Authentication on Cisco Router
2. TACACS+ Device Access Control using AAA
3. Wireless LAN Controller (WLC) Setup & AP Management
4. Cisco DNA Center – Introduction & Network Automation Use Case

Included Lab Topics

1. RADIUS – Remote Authentication Dial-In User Service
2. TACACS+ – Terminal Access Controller Access-Control System Plus
3. WLC – Wireless LAN Controller
4. Cisco DNA Center – Digital Network Architecture

Tools Used:
- Cisco Packet Tracer
- Cisco 2900/2911 Routers
- Cisco 2960 Series Switches
- PC, Laptop, and Wireless Devices
- CLI Configuration + Server Setup
- Optional: Cisco DNA Center Emulator/Simulator View

Note:

This report contains custom topologies, AAA configurations, wireless setups, lab screenshots, and
simplified explanations of each topic for practical understanding and interview preparation.
This report focuses on RADIUS, TACACS+, Wireless LAN Controller (WLC), and Cisco DNA Center
implementations using Cisco Packet Tracer.

1. Introduction
Modern networks demand centralized control over user access, device privileges, and wireless infrastructure.
RADIUS and TACACS+ are key AAA protocols used for authentication and admin access control. Wireless LAN
Controllers (WLCs) simplify the management of wireless networks, while Cisco DNA Center brings automation, policy
control, and visibility under one umbrella. This report introduces each concept with simplified explanations followed
by hands-on lab setups.

2. Theoretical Overview of Topics


1. RADIUS (Remote Authentication Dial-In User Service)

What is it?

RADIUS is a protocol used to authenticate (verify identity), authorize (decide permissions), and account (track
usage) for users trying to access a network.

Why do we use it?

To centrally manage login credentials for network users. Instead of setting up passwords on every router
or switch, use one RADIUS server.

Where is it used?

- Office Wi-Fi networks
- VPN logins
- Enterprise remote access

Simple Example:

A company employee connects to office Wi-Fi and enters a username/password. This request is sent to a
RADIUS server which checks if the credentials are correct and allows access.

2. TACACS+ (Terminal Access Controller Access-Control System Plus)

What is it?

A Cisco proprietary protocol similar to RADIUS but used mainly for controlling access to network devices
like routers and switches.

Why do we use it?

To allow different levels of access for different users. One admin may view configs, another can make
changes — all controlled centrally.

- Provides granular control (e.g., one user can run only ‘show’ commands, another can run config
  commands)
- Separates authentication, authorization, and accounting clearly

Where is it used?

- On routers, switches, firewalls
- In networks where multiple engineers/admins access devices

Simple Example:

You’re one of three network admins. TACACS+ ensures only you can run conf t while others can only use
show commands.

3. Wireless LAN Controller (WLC)

What is it?

WLC is a device (or software) that centrally manages all access points (APs) in a wireless network.

Why do we use it?

To configure and monitor all APs from one place, instead of logging into each one separately.

Where is it used?

- Corporate offices
- Hospitals
- Airports
- University campuses

Simple Example:

Imagine you have 50 access points across different floors. A WLC helps you configure them all in one go —
no need to touch each AP one by one.

4. DNA Center (Digital Network Architecture Center)

What is it?

DNA Center is Cisco’s platform for network automation, monitoring, and policy control.

Why do we use it?

To automate network configs, track real-time performance, apply security policies, and get detailed
analytics — all from one dashboard.

Where is it used?

- Enterprise networks
- Smart campuses
- IT environments needing centralized visibility and control

Simple Example:

Instead of manually configuring VLANs on each switch, DNA Center lets you configure multiple devices at
once and even shows you where performance is dropping.

What is AAA in Networking?

AAA stands for:

- Authentication
- Authorization
- Accounting

These are the three core steps used to secure access to a network or device.

1. AUTHENTICATION – “WHO ARE YOU?”

This is the process of checking who is trying to log in.


It verifies the username and password (or other credentials) of a user or device.

Example:
You try to access a router using telnet. The router asks for your username and password — this is
authentication.

2. AUTHORIZATION – “WHAT CAN YOU DO?”

Once you're authenticated, authorization checks what level of access you have.

Example:
One user might be allowed to only use show commands, while another can use conf t to make changes. That
control is authorization.

3. ACCOUNTING – “WHAT DID YOU DO?”

This logs what actions the user performed and when.


It’s useful for tracking, auditing, and catching suspicious behavior.

Example:
It records that user admin1 logged in at 3 PM and entered configuration mode.

IN SIMPLE TERMS:

| TERM | QUESTION IT ANSWERS | REAL-WORLD MEANING |
|---|---|---|
| AUTHENTICATION | Who are you? | Login ID check |
| AUTHORIZATION | What are you allowed to do? | Access level (read-only, admin, etc.) |
| ACCOUNTING | What did you do? | Activity logging for auditing and tracking |

WHERE IS AAA USED?

- On routers, switches, firewalls
- In wireless networks with user logins
- With RADIUS or TACACS+ servers
- Anywhere that needs secure access and tracking

INTERVIEW TIP:

“AAA is the foundation of network access control. It verifies users, controls what they can do, and logs
their actions. It works best with RADIUS or TACACS+ servers in enterprise setups.”

3. Practical Labs Summary


LAB 1: RADIUS CONFIGURATION WITH CENTRALIZED AUTHENTICATION (AAA)

OBJECTIVE:

To configure a Cisco router using the AAA model with a RADIUS server for centralized user authentication.
This helps secure access and manage users from a single point.

RADIUS (Remote Authentication Dial-In User Service): OVERVIEW

Why we use it:

To verify who is connecting to the network — mainly users like employees connecting over Wi-Fi or VPN.
✅ It gives central control over usernames and passwords.
✅ Reduces the need to configure credentials on every router/switch.

Where we use it:

- Wi-Fi networks in offices and universities
- VPN authentication for remote workers
- Any setup where users need to authenticate before using the network

How we use it:

1. A user connects to the network (e.g., Wi-Fi or VPN)
2. Their credentials are sent to a centralized RADIUS server
3. Server checks the username and password
4. If credentials are valid ➝ access is granted; if not ➝ rejected

Think of RADIUS as a security guard who checks ID before letting anyone into the network.
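The exchange in steps 1 to 4 above, worked at the byte level as an added example (not code from the lab report): it builds the Access-Request a NAS such as Router0 sends to Server0, hides the password the way RFC 2865 requires, and verifies the server's reply. It reuses the lab's values (shared secret 12345, NAS 10.0.0.1, user amisha/cisco); the fixed Request Authenticator and the in-memory user database are constructed stand-ins for a real client's random value and for the Packet Tracer AAA service. Note what stays readable on the wire: only the password is hidden, the username travels in cleartext.

```python
"""RADIUS Access-Request / Access-Accept exchange (RFC 2865), byte by byte.

Added example, not code from the lab report. Lab values reused: shared secret
12345, NAS 10.0.0.1, user amisha / cisco. All other sample data is constructed.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, request_auth):
    """RFC 2865 5.2: pad to 16-byte blocks; block n is XORed with
    MD5(secret + previous ciphertext block), the first with MD5(secret + RA)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, request_auth):
    """Server side. The key for block n depends on the *hidden* block n-1, so the
    chain is rebuilt from ciphertext. Trailing NUL padding is stripped, which is
    why a RADIUS password cannot end in a NUL byte."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value; Length counts the two header bytes."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(identifier, user, password, secret, nas_ip, request_auth=None):
    """What the NAS (Router0) sends to Server0. A real NAS draws the 16-byte
    Request Authenticator from a CSPRNG; tests may pass a fixed one."""
    ra = request_auth or os.urandom(16)
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, ra))
             + attribute(NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs


def parse_attributes(data):
    """Walk the TLV list into {type: value}."""
    attrs, i = {}, 0
    while i < len(data):
        attr_type, length = data[i], data[i + 1]
        attrs[attr_type] = data[i + 2:i + length]
        i += length
    return attrs


def server_reply(request, secret, user_db):
    """Stand-in for the Packet Tracer AAA service: check the credentials and answer
    with Access-Accept or Access-Reject. The reply carries no attributes, so its
    Response Authenticator is MD5(Code + ID + Length + RequestAuth + Secret)."""
    _, identifier, length = struct.unpack("!BBH", request[:4])
    ra = request[4:20]
    attrs = parse_attributes(request[20:length])
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, ra)
    code = ACCESS_ACCEPT if user_db.get(attrs.get(USER_NAME)) == password else ACCESS_REJECT
    header = struct.pack("!BBH", code, identifier, 20)
    return header + hashlib.md5(header + ra + secret).digest()


def verify_reply(reply, request, secret):
    """NAS side: recompute the Response Authenticator over the reply header, the
    *request's* authenticator, the reply attributes and the secret. A mismatch
    (forged reply, or a server holding a different secret) is dropped, and the
    method list falls through to the next method, in this lab the local user."""
    code, identifier, length = struct.unpack("!BBH", reply[:4])
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if identifier != request[1] or reply[4:20] != expected:
        return None
    return code
```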

NETWORK TOPOLOGY:

Connections (Use straight-through cables):

| FROM | INTERFACE | TO | INTERFACE |
|---|---|---|---|
| PC0 | FastEthernet0 | Switch0 | Fa0/1 |
| SERVER0 | FastEthernet0 | Switch0 | Fa0/2 |
| ROUTER0 | FastEthernet0/0 | Switch0 | Fa0/3 |

IP ADDRESSING TABLE

| DEVICE | INTERFACE | IP ADDRESS | DEFAULT GATEWAY |
|---|---|---|---|
| PC0 | FastEthernet0 | 10.0.0.2 | 10.0.0.1 |
| SERVER0 | FastEthernet0 | 10.0.0.100 | 10.0.0.1 |
| ROUTER0 | FastEthernet0/0 | 10.0.0.1 | N/A |

ROUTER0 CONFIGURATION

SERVER0 AAA CONFIGURATION (RADIUS)

Go to Services > AAA tab in Packet Tracer:

1. Enable AAA service
2. At the top, make sure AAA service is ON
3. Add user:
   - Username: amisha
   - Password: cisco
   - Save
4. Add AAA Client:
   - Client Name: aaa
   - IP: 10.0.0.1 (Router IP)
   - Secret: 12345
   - Server Type: RADIUS
   - Save

VERIFICATION & OUTPUT

1. IP CONNECTIVITY CHECK (PING TEST)

From Router0:
    Router> ping 10.0.0.100
Result:

From PC0:
    ping 10.0.0.1
Result:

2. AAA DEBUG VERIFICATION

From Router0 CLI:
    debug aaa authentication
Output during login attempt:
    * AAA/AUTHEN/LOGIN(0000001A): Pick method list 'ssh'
    * RADIUS: Received Access-Accept
This confirms that the RADIUS server authenticated the user successfully, and the login request was accepted.
Later:
    undebug all
All debug logging disabled after verification.

3. SSH AUTHENTICATION TEST VIA PC0

From PC0 Command Prompt:
    ssh -l amisha 10.0.0.1
    Password: cisco
Result:
    AAA> enable
    Password: cisco
    AAA# show run
User successfully authenticated using RADIUS server.

4. SHOW RUNNING CONFIGURATION OUTPUT

CHECK OUTPUT ON ROUTER:
Once logged in, type:
    >enable
    >cisco ← (if using enable password)
    #show run

EXPECTED OUTPUT:

- SSH login prompt from PC0
- Router accepts amisha as username, authenticated via RADIUS
- If RADIUS fails, fallback is local admin localadmin with password localpass
- show run should show AAA and SSH configuration

CONCLUSION:

In this lab, we successfully configured RADIUS authentication using a centralized server in Cisco Packet
Tracer. The setup included a router, switch, PC, and a RADIUS server, all connected in a flat network.

We implemented AAA (Authentication, Authorization, Accounting) services on the router and verified
remote login through SSH from PC0 using RADIUS credentials stored on Server0.

Key outcomes:

- ✅ Verified IP connectivity between all devices
- ✅ Enabled secure SSH access using RADIUS authentication
- ✅ Successfully tested and validated login using debug and ssh commands
- ✅ Demonstrated how centralized login management works in real-world networks

This lab reinforces how centralized user management using RADIUS simplifies network security and
ensures scalable, consistent control across enterprise infrastructure.
Lab 2: TACACS+ Configuration (via Telnet)

OBJECTIVE:

To configure and test a Cisco switch for Telnet-based login authentication using a centralized TACACS+
server in Cisco Packet Tracer.

WHAT IS TACACS+?

TACACS+ (Terminal Access Controller Access-Control System Plus) is a Cisco protocol that controls who
can log in to network devices like switches and routers — and what they can do after logging in.

Why we use it:

- Gives central control over login access for network admins.
- Supports command-level restrictions (unlike RADIUS).
- All login and command events can be logged centrally.

Where it's used:

- In enterprise networks
- On devices accessed by multiple admins
- In teams needing role-based access

How it works:

1. Admin connects to a switch (via Telnet).
2. The switch contacts the TACACS+ server with login info.
3. The server checks credentials and permissions.
4. User is granted or denied access based on that.

Think of it like a receptionist who checks your name and job role before letting you in the server room.

NETWORK TOPOLOGY:

Topology stays the same — but now Switch0 is the AAA client and Telnet is used for remote access.

| DEVICE | IP ADDRESS | DEFAULT GATEWAY |
|---|---|---|
| PC0 | 10.0.0.2 | 10.0.0.1 |
| SWITCH0 | 10.0.0.1 | N/A |
| SERVER0 | 10.0.0.100 | 10.0.0.1 |

CONFIGURATION
On Switch0 (TACACS+ Client):

Breakdown of What Each Command Does:

| COMMAND | PURPOSE |
|---|---|
| aaa new-model | Enables AAA services on the switch |
| tacacs-server host 10.0.0.100 key abc | Sets the TACACS+ server IP and secret key |
| aaa authentication login tauth group tacacs+ local | Uses TACACS+ server to authenticate users, with local as backup |
| aaa authorization exec default group tacacs+ local | Controls user privilege levels after login (authorization step) |
| line vty 0 4 and login authentication tauth | Applies AAA authentication to Telnet sessions |
| enable password cisco | Optional if you're not using enable secret, but fine for labs |
On Server0 (TACACS+ Setup):

1. Go to Services tab → AAA
2. Enable AAA
3. Select TACACS+
4. Add a client:
   - Client Name: TACACS_SWITCH
   - Client IP: 10.0.0.1
   - Secret: 12345
5. Add user credentials:
   - Username: amisha
   - Password: cisco
6. Click Save for both the client and user

VERIFICATION & OUTPUT
From PC0 Command Prompt:
    ping 10.0.0.1

    telnet 10.0.0.1
    Enter username: amisha
    Enter password: cisco

✅ If successful, the switch will display the prompt SW1>, confirming that the Telnet login was authenticated by the
TACACS+ server.

NOTE ON TELNET USAGE

In this lab, Telnet was used to test TACACS+ login from a client system to the switch. While Telnet is functionally
valid for such testing and supported in Cisco Packet Tracer, it is not secure for real-world use, as all data (including
usernames and passwords) is transmitted in plain text.

In production environments, SSH (Secure Shell) should always be used instead of Telnet to ensure encrypted and
secure communication between clients and network devices.

Using Telnet in this lab allowed a quick and clear demonstration of AAA authentication and TACACS+ server
interaction without needing RSA key generation or domain name settings.

CONCLUSION

This lab demonstrated how to configure Telnet login authentication using TACACS+ on a Cisco switch. The
TACACS+ server handled username/password verification, centralizing control and enforcing login security.

We verified:

- The switch correctly forwarded login requests to the TACACS+ server
- Telnet access worked only after user verification
- Configuration allowed fallback to local login if server failed

This setup is a real-world example of centralized admin control with minimal device-side user
management.
What Did We Do in RADIUS and TACACS+ Labs?

We used this common topology:

| DEVICE | IP ADDRESS | ROLE |
|---|---|---|
| PC0 | 10.0.0.2 | End-user (test client) |
| ROUTER0/SWITCH0 | 10.0.0.1 | AAA Client (network device) |
| SERVER0 | 10.0.0.100 | RADIUS/TACACS+ server |

1. RADIUS LAB – USER AUTHENTICATION

What we did:

We used a RADIUS server to authenticate a user (like an employee) trying to log into a router over SSH.

Goal:

Let the RADIUS server verify user credentials before giving access to the router.

Simple Steps:

1. PC0 runs:
       ssh -l amisha 10.0.0.1
2. Router sends the login request to Server0 (RADIUS server).
3. Server checks:
   - Does user "amisha" exist?
   - Is password "cisco" correct?
4. If yes → access granted
   If no → access denied

Real-World Use:

Used for Wi-Fi logins, VPN, and employee access in networks — anytime a user needs authentication.

Interview Line:

“RADIUS is used for authenticating end users across the network — like Wi-Fi or VPN access — and it
combines authentication and authorization into one step.”

2. TACACS+ LAB – ADMIN ACCESS CONTROL

What we did:

We used a TACACS+ server to control admin login to a switch over Telnet.

Goal:

Let the TACACS+ server verify the admin login and control what commands they can run.

Simple Steps:

1. PC0 runs:
       telnet 10.0.0.1
2. Switch sends the login info to Server0 (TACACS+ server).
3. Server checks:
   - Is user "amisha" allowed to log in?
   - What privilege level or commands can she use?
4. If yes → login allowed, user enters SW1> prompt

Real-World Use:

Used to control admin access to devices like switches and routers in companies — especially when many
engineers manage the same network.

Interview Line:

“TACACS+ is used for managing device admin access — it separates authentication, authorization, and
accounting, which gives more granular control.”

RADIUS VS TACACS+ IN SIMPLE WORDS

| FEATURE | RADIUS | TACACS+ |
|---|---|---|
| USED FOR | User login (Wi-Fi/VPN) | Admin login (routers/switches) |
| PROTOCOL | UDP | TCP |
| DEVELOPED BY | IETF (open standard) | Cisco |
| AAA SEPARATION | Combined (Auth + Author) | Fully separated (Auth/Authz) |
| ENCRYPTS | Only passwords | Entire communication |
| COMMON USAGE | Wi-Fi login, VPN | CLI access control |

ONE-LINE SUMMARY FOR BOTH:

- RADIUS = "Use it to authenticate normal users across the network."
- TACACS+ = "Use it to control and monitor what admins can do on devices."
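The switch-to-server login exchange from Lab 2 and the ENCRYPTS row of the table above, worked at the byte level as an added example (not code from the lab report): a PAP authentication START packet obfuscated as RFC 8907 section 4.5 specifies, then decoded the way Server0 would. It reuses the lab's user amisha/cisco and the switch-side key abc from the Switch0 command table; the session id, tty port and remote address are constructed. Two points it makes concrete: "entire communication" means the whole body (username included) is hidden while the 12-byte header stays readable, and the server's key must match the client's exactly, otherwise the body decodes to garbage and the login fails.

```python
"""TACACS+ authentication START packet with RFC 8907 body obfuscation.

Added example, not code from the lab report. Lab values reused: user amisha /
cisco and the switch-side key abc. Session id, port and remote address are
constructed sample data.
"""
import hashlib
import struct

VERSION_PAP = 0xC1                  # major version 0xC, minor 1 (used for PAP/CHAP)
TYPE_AUTHEN = 0x01
ACTION_LOGIN = 0x01
AUTHEN_TYPE_PAP = 0x02
SERVICE_LOGIN = 0x01
FLAG_UNENCRYPTED = 0x01             # body sent in the clear; never acceptable in production
HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, body length


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id | key | version | seq_no),
    MD5_n = MD5(session_id | key | version | seq_no | MD5_{n-1}); concatenate
    and truncate to the body length. Because seq_no is part of the seed, every
    packet in a session gets a different pad."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad. XOR is its own inverse, so the same
    call de-obfuscates a received body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(session_id, key, user, port, rem_addr, password, seq_no=1):
    """What the switch (TACACS+ client) sends to Server0 for a PAP login.
    Body: action, priv_lvl, authen_type, authen_service, four length bytes,
    then user, port, rem_addr and data (the PAP password)."""
    body = struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_TYPE_PAP, SERVICE_LOGIN,
                       len(user), len(port), len(rem_addr), len(password))
    body += user + port + rem_addr + password
    header = HEADER.pack(VERSION_PAP, TYPE_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION_PAP, seq_no)


def parse_authen_start(packet, key):
    """What Server0 does on receipt. Only the 12-byte header is readable without
    the key; username and password sit in the obfuscated body. With a mismatched
    key (e.g. abc on the switch but a different secret on the server) the decoded
    fields are random and fail the consistency checks below."""
    version, _ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:12])
    body = packet[12:12 + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if action != ACTION_LOGIN or authen_type != AUTHEN_TYPE_PAP or 8 + ulen + plen + rlen + dlen != len(body):
        raise ValueError("body does not decode: shared key mismatch or corrupt packet")
    cuts = [8, 8 + ulen, 8 + ulen + plen, 8 + ulen + plen + rlen, len(body)]
    user, port, rem_addr, data = (body[cuts[i]:cuts[i + 1]] for i in range(4))
    return {"user": user, "port": port, "rem_addr": rem_addr, "password": data, "priv_lvl": priv_lvl}


def key_matches(packet, key):
    """Troubleshooting helper: does this key decode the packet to a valid body?"""
    try:
        parse_authen_start(packet, key)
        return True
    except ValueError:
        return False
```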

Lab 3: Wireless LAN Controller Configuration

OBJECTIVE:

To configure a Wireless LAN Controller (WLC) to centrally manage Lightweight Access Points (LAPs), assign
IPs via DHCP, and enable wireless connectivity for end devices like smartphones.

WLC OVERVIEW

What is a WLC?

A Wireless LAN Controller (WLC) manages all the wireless access points (APs) in a network from a single
central interface. You don’t have to configure each AP individually — the WLC does that job for you.

Why do we use it?

✅ To push settings like SSID or security policy to all APs
✅ To monitor and manage clients in real time
✅ To simplify administration in large wireless networks

Where is it used?

Corporate buildings, universities, hospitals — anywhere with many access points.

NETWORK TOPOLOGY OVERVIEW:

- WLC-2504 – Wireless LAN Controller (IP: 192.168.1.1)
- 3702i Lightweight Access Point – Wireless AP for clients
- 2960-24TT Switch – Connects all devices
- Server-PT – DHCP server (IP: 192.168.1.100)
- PC-PT – Used to access and configure WLC via browser
- Smartphone-PT (x2) – Wireless clients

Connections:

- Server0 → Switch0 (FastEthernet0)
- WLC → Switch0 (WLC Gig0/1 to Switch FastEthernet1) via crossover cable
- Access Point → Switch0 (Access Point Gig0 to Switch FastEthernet0)
- PC0 → Switch0 (FastEthernet4)
- Smartphones connect wirelessly to the configured WLAN.

THEORY:

A Wireless LAN Controller (WLC) centrally manages wireless networks. In enterprise setups, it handles APs,
WLANs, security policies, and client authentication. Lightweight Access Points (LAPs) rely on WLCs to
function properly.

Since the WLC has no console interface, a PC is required to access the web-based GUI. A DHCP server is also
necessary to dynamically assign IP addresses to wireless clients.

IP ADDRESSING TABLE:

| DEVICE | INTERFACE | IP ADDRESS | SUBNET MASK | DEFAULT GATEWAY |
|---|---|---|---|---|
| SERVER0 | FastEthernet0 | 192.168.1.100 | 255.255.255.0 | - |
| WLC | Management | 192.168.1.1 | 255.255.255.0 | 192.168.1.100 |
| ACCESS POINT | DHCP via Server | Auto | - | 192.168.1.1 |
| PC0 | DHCP via Server | Auto | - | 192.168.1.1 |
| SMARTPHONES | DHCP via Server | Auto | - | 192.168.1.1 |

CONFIGURATION STEPS:

Step 1: Configure WLC Management Interface

1. Go to Config > GLOBAL > Settings
   - Set the System Name: WLC
2. Go to Config > INTERFACE > Management
   - IP Address: 192.168.1.1
   - Subnet Mask: 255.255.255.0
   - Default Gateway: 192.168.1.100
   - DNS: 8.8.8.8
Step 2: Configure Server0 as DHCP Server

1. Set Static IP:
   - IP: 192.168.1.100
   - Subnet Mask: 255.255.255.0
   - Gateway: 192.168.1.1
2. Go to Services > DHCP
   - Pool Name: sysap
   - Default Gateway: 192.168.1.1
   - DNS Server: 8.8.8.8
   - Start IP: 192.168.1.201
   - Subnet Mask: 255.255.255.0
   - Max Users: 10
   - WLC Address: 192.168.1.1
   - Click Add → Then ON
Step 3: Configure the Access Point

1. Plug in the Power Adapter
2. In Config > Settings:
   - Set IP to DHCP
   - Gateway: 192.168.1.1
   - DNS: 8.8.8.8

Access Point should now get IP automatically via DHCP and register with WLC.

Step 4: Configure PC0

1. Set DHCP in Config > FastEthernet
   - Confirm it gets an IP (e.g., 192.168.1.3)
2. Open Web Browser
   - URL: http://192.168.1.1
   - Login with:
     - Username: admin
     - Password: admin@123

Apply the details:

Click on Apply.
Step 5: WLC Web Configuration

1. Open the web browser again at https://192.168.1.1 and log in with the username and password.
2. You’ll see a summary of the configurations we did.
3. Go to WLAN tab > open student
4. Go to Advanced > AP Groups
   - Click Add New
     - Name: sysapstudent
   - Click on the group → Go to APs
     - Select Lightweight Access Point0
     - Click Add to Group
   - Go to WLANs tab inside AP Group
     - Add the WLAN Student
   - Save

Step 6: Configure Wireless Clients (Smartphones or Laptops)

1. Go to Config > Wireless
   - Set SSID: student
   - WPA2 Password: 1234567890
   - Enable DHCP
2. Confirm IP is assigned from 192.168.1.x range.
3. Do the same for smartphone 1.
4. You can see the changes on the devices.

VERIFICATION:

- Ping from one wireless client (smartphone/laptop) to another.
- Both should have DHCP-assigned IPs from 192.168.1.201+
- If successful, you'll see replies in Command Prompt or Terminal.

- Smartphone0 IP is 192.168.1.7
- Smartphone1 IP is 192.168.1.10

- Ping 192.168.1.10 from smartphone0
- Ping 192.168.1.7 from smartphone1
NOTE ON DEVICE COMPATIBILITY IN PACKET TRACER

Laptop devices in Packet Tracer (e.g., PT-Laptop-NM-1W-A) often fail to receive DHCP IPs when
connecting to wireless SSIDs managed by a WLC. This is due to wireless module limitations and
inconsistent support for WPA2-PSK and DHCP. Even with correct SSID and passphrase, laptops may fall
back to APIPA (169.x.x.x).

To overcome this issue, I used Smartphones and later added a Tablet device, where I successfully
configured the same SSID Student with WPA2-PSK passphrase 1234567890. The Tablet connected successfully
via DHCP and could communicate with other wireless clients.

CONCLUSION:

In this lab, we successfully configured a Wireless LAN Controller (WLC) along with a Lightweight Access
Point, DHCP server, and wireless clients. The configuration allowed wireless devices to obtain IP addresses
dynamically and communicate with each other over the SSID student secured by WPA2-PSK.

What We Did in the WLC Lab (with APs, Smartphones, and Tablet)

WHAT WE DID:

We built a wireless network setup using:

- A Wireless LAN Controller (WLC)
- A Lightweight Access Point (AP)
- Two Smartphones and one Tablet
- All connected via a central Switch
- Server0 gave out DHCP IPs

We created and configured a WLAN (SSID = Student) on the WLC and secured it using WPA2-PSK with
passphrase 1234567890.

Then we connected wireless devices (smartphones and tablet) to the Student Wi-Fi network and tested if
they could communicate (ping) with each other.

WHY WE DID IT:

To learn how to centrally manage wireless networks:

- Configure Wi-Fi once on the WLC instead of on each AP
- Easily manage security (like passwords) and client access
- Monitor and control wireless users from one location

This is exactly what happens in real offices, colleges, and hospitals where IT teams don’t configure 20+
APs one by one — instead, they use a WLC to push settings to all APs.

HOW WE DID IT (STEP-BY-STEP):

1. Connected Server0, WLC, Access Point, and PCs/phones via Switch0
2. Set up DHCP on Server0 to assign automatic IPs to wireless clients
3. Opened WLC Web GUI via PC0’s browser → https://192.168.1.1
4. Created a WLAN (SSID = Student) secured by WPA2
5. Added AP Group and assigned the AP to that group
6. On Smartphones, connected to Wi-Fi:
   - SSID: Student
   - Passphrase: 1234567890
   - IP mode: DHCP
7. Later added a Tablet, configured it the same way
8. Used Ping from command line to test if wireless devices could talk to each other

WHY LAPTOP DIDN'T WORK:

Laptops in Packet Tracer require a wireless module, which is often:

- Not fully compatible with WPA2-PSK
- Unable to request an IP from DHCP (causing APIPA 169.x.x.x)

So even if we typed the right SSID and password, Laptop0 couldn’t join the network properly. It’s a
limitation of Packet Tracer, not your mistake.

WHAT WORKED INSTEAD:

✅ Smartphones connected perfectly
✅ Tablet also connected fine
➡️ Both received valid IP addresses (192.168.1.x) from DHCP
➡️ Both were able to ping each other, confirming full connectivity

IN SIMPLE WORDS:
We built a real-world Wi-Fi setup using Cisco tools, proved that the WLC can manage wireless devices from one
place, and tested device communication.
We also diagnosed a tool-specific problem (laptop wireless bug) and smartly solved it by using other compatible
devices.

Lab 4: Cisco DNA Center Lab

OBJECTIVE:

To configure Cisco DNA Center in a simulated enterprise environment using Packet Tracer. This includes IP
addressing, enabling SSH on routers and switches, connecting and discovering devices from the DNA
Controller, and monitoring devices through its GUI-based dashboard.

THEORY:

What is Cisco DNA Center?

Cisco DNA Center (Digital Network Architecture Center) is a centralized network controller and
management dashboard. It allows administrators to automate device configuration, manage network
policies, discover and monitor connected devices, and ensure end-to-end visibility and control.

Why is DNA Center Used?

- Automates manual network configuration
- Centralizes management of large enterprise networks
- Monitors device health, performance, and topology
- Enables quick policy pushes across routers and switches
- Simplifies troubleshooting through path trace and assurance features

Where is it Used?

- Enterprises, campuses, data centers, and large organizations
- Universities and hospitals with large distributed networks
- Secure environments needing policy-based segmentation
- Any setup requiring software-defined networking (SDN)

How It Works:

DNA Center connects to network devices (routers, switches) over SSH. Once IPs and credentials are
configured, the controller discovers devices automatically. From there, it can push configurations, monitor
devices, and apply policies via a GUI dashboard.
NETWORK TOPOLOGY

Devices Used:

- 2 Routers (Router0: Mumbai, Router1: Delhi)
- 2 Multilayer Switches (Switch0: SW1, Switch1: SW2)
- 1 PT-Controller (DNA Center)
- 1 PC (PC0)

Connections and Cable Types:

- Router0 ↔ Switch0 (GigabitEthernet0/0/0) – Straight-through
- Router1 ↔ Switch1 (GigabitEthernet0/0/0) – Straight-through
- Switch0 ↔ Switch1 – Crossover
- PC0 ↔ Switch1 – Straight-through
- PC0 ↔ PT-Controller (optional – management port) – Straight-through

IP ADDRESSING SCHEME:

| DEVICE | INTERFACE | IP ADDRESS | SUBNET MASK |
|---|---|---|---|
| ROUTER0 (MUMBAI) | G0/0/0 | 10.0.0.1 | 255.0.0.0 |
| SWITCH0 (SW1) | VLAN 1 | 10.0.0.2 | 255.0.0.0 |
| SWITCH1 (SW2) | VLAN 1 | 10.0.0.3 | 255.0.0.0 |
| ROUTER1 (DELHI) | G0/0/0 | 10.0.0.4 | 255.0.0.0 |
| DNA CONTROLLER | NIC | 10.0.0.100 | 255.0.0.0 |
| PC0 | NIC | 10.0.0.10 | 255.0.0.0 |
CONFIGURATION
Step 1: Power ON Multilayer Switches
Select each switch → Physical Tab → Power switch ON.
Step 2: SSH Configuration on All Devices

Router0 – Mumbai

Switch0 – SW1

Router1 – Delhi

Switch1 – SW2

Step 3: IP Address Configuration
Router0

Switch0 – SW1

Switch1 – SW2

Router1

PC0 Settings:

- IP Address: 10.0.0.10
- Subnet Mask: 255.0.0.0

Network Controller (DNA Center):

- IP Address: 10.0.0.100
- Subnet Mask: 255.0.0.0
- No default gateway required (same LAN)
Since IP addressing is complete on all devices, let's now verify connectivity and SSH access before we go to
the DNA Center GUI setup.

VERIFICATION STEPS

FROM EACH ROUTER AND SWITCH:

Run this to confirm interfaces and IPs:

    show ip interface brief

- Check that the assigned interface (G0/0/0 or VLAN 1) shows Status: up, Protocol: up.

FROM PC0 TERMINAL OR CMD:

Try to ping each device:

    ping 10.0.0.1     ← Router0 (Mumbai)
    ping 10.0.0.2     ← SW1
    ping 10.0.0.3     ← SW2
    ping 10.0.0.4     ← Router1 (Delhi)
    ping 10.0.0.100   ← DNA Controller
All should respond successfully.

TEST SSH FROM PC0 TO ROUTER0:

    ssh -l admin 10.0.0.1

Expected Output:

Repeat for other devices if you like:

    ssh -l admin 10.0.0.2   ← SW1
    ssh -l admin 10.0.0.3   ← SW2
    ssh -l admin 10.0.0.4   ← Delhi

Once we confirm pings and SSH are working, we’ll jump into DNA Center's GUI via browser and begin
device discovery.
DNA CENTER SETUP VIA PC0 (WEB GUI):

Login to Controller:

- Open web browser
- Enter http://10.0.0.100
- Default credentials:
  - Username: admin
  - Password: admin

The monitoring panel is shown first: it lists which devices are connected and their health. The task now is to
discover which devices are connected to your LAN. Click the menu option on the left.
Add Credentials for Device Discovery:

- Menu → Provisioning → Credentials
- Add new credential:
  - Username: admin
  - Password: admin
  - Description: Sysap Network

Start Discovery:

- Go to: Provisioning → Discovery
- Click Add
- Discovery type: Range
- Name: Sysap
- Start IP Address: 10.0.0.1
- End IP Address: 10.0.0.100
- Assign the saved credential
- Click Start

Once started, DNA Center will discover all connected SSH-enabled devices.

Network Device: this page tells you whether discovery has finished and shows the details of all devices
connected.

Monitor and View Network:

- Navigate to Dashboard
- Tabs:
  - Assurance → Device Health
  - Topology → Full network map
  - Hosts → Connected hosts
  - Path Trace → View packet path (apply source and destination address to check path)
  - Policy → Setting the ground rules for how traffic flows in your network securely, efficiently,
    and as per company needs.

Optional Network Services:

In Network Settings, you can define:

| SERVICE | IP ADDRESS |
|---|---|
| NTP | 10.0.0.50 |
| SYSLOG | 10.0.0.60 |
| DNS | 8.8.8.8 |

Click Push Config to apply to discovered devices.
OUTPUT

On the router (or any discovered device), check whether the above configurations were applied with:
    #show run

Final Outcome:
WHAT WE DID IN DNA CENTER (QUICK SUMMARY)

After configuring SSH and IP on all devices, we used the DNA Center web interface (http://10.0.0.100) via
PC0 to manage and monitor the network.

We:

- Logged into DNA Center.
- Added credentials (admin/admin).
- Discovered SSH-enabled network devices (Router0, Router1, SW1, SW2).
- Verified device status and monitored via dashboard.
- Configured Network Services (NTP, Syslog, DNS).

DNA CENTER GUI PANEL – KEY SECTIONS EXPLAINED


PANEL WHAT IT DOES
DASHBOARD Home page showing overall device health, alerts, discovered devices, network topology, etc.
PROVISIONING Main section to manage, configure, and push changes to network devices.
DEVICES Shows the list of discovered routers, switches, and hosts.
CREDENTIALS Stores SSH login info (username/password) used during discovery. Must be added before
scanning.

DISCOVERY Starts the process of scanning and identifying devices via SSH/IP. You enter IP range, select
credentials, and begin discovery.

ASSURANCE Provides visibility into device performance, client health, and event logs. Helps in
troubleshooting.

POLICY Let’s you apply policies like ACLs, VLANs, segmentation, NTP/Syslog/DNS settings to devices.
NETWORK Section to configure global services like: NTP – Time server, Syslog – Log server, DNS – Domain
SETTINGS Name Resolution

SUMMARY OF WHY IT’S USEFUL

Using the GUI:

 You don’t need to CLI into each router/switch.


 It automates discovery, monitoring, and config pushes.
 Provides real-time visibility of network performance and issues

Cisco DNA Center Interface – Key Panels and Their Roles

DASHBOARD

This is the home panel of DNA Center. It gives you a real-time overview of your entire network. You can
see:

• Network health status
• Alerts or issues
• Topology snapshots
• Recently discovered devices

It's like the network control room where everything important is visible at a glance.

PROVISIONING

This panel is where you handle the onboarding and management of devices. Under Provisioning, you do
things like:

• Add SSH credentials (so DNA Center can log in to devices)
• Start device discovery
• Assign devices to sites, locations, and groups
• Push configurations or policies to multiple devices at once

You can think of this as the "setup and deployment" section of DNA Center.

CREDENTIALS

Located under Provisioning, this section is where you save login details for accessing network devices (like
routers and switches). Without credentials, DNA Center cannot connect to your devices during discovery.

You typically enter:

• Username (e.g., admin)
• Password
• Description (like "Sysap Device" to label your group)

Once saved, these credentials are used in Discovery.

DISCOVERY

This feature scans the network to find all devices connected to your main switch or router. It supports
discovery methods such as:

• CDP (Cisco Discovery Protocol) – recommended
• Range (manual IP address range scan)

You choose:

• The IP to start discovery from (usually a switch or router IP)
• The saved SSH credential
• The protocol (e.g., CDP)

If SSH is properly configured and IPs are reachable, DNA Center will auto-detect all connected routers,
switches, and hosts.

ASSURANCE

This is the monitoring and analytics section. It shows:

• Device health (CPU, memory, uptime)
• Connectivity issues
• User and application performance
• Error or alert logs

Tabs under Assurance:

• Device Health
• Client Health
• Network Trends

Think of it as a real-time network doctor, constantly checking your system.

NETWORK SETTINGS

This section lets you configure global network services like:

• NTP (Network Time Protocol) → for time sync
• Syslog → for logging and auditing
• DNS → to resolve domain names (e.g., 8.8.8.8)

After adding these services with their IPs, you click “Push Config” to apply them to all discovered devices.

POLICY

This is where you apply intent-based networking. You define rules and automation policies to manage:

• Traffic control (ACLs, VLANs, segmentation)
• QoS (quality of service)
• Security settings (trust boundaries)

Example: If you want only admin PCs to reach certain VLANs, you can create a Policy to enforce that rule
on all routers/switches with one click.

PATH TRACE

This tool lets you simulate and visualize the path a packet would take through your network.

Steps:

1. Select a source device/IP
2. Select a destination device/IP
3. Click Trace

DNA Center will map out every hop (router/switch) the packet travels through. This helps in
troubleshooting network bottlenecks or verifying ACLs.

SUMMARY TABLE
PANEL/OPTION      PURPOSE
DASHBOARD         Shows network status, device health, alerts, and quick summaries
PROVISIONING      Manages devices, discovery, credentials, deployment
CREDENTIALS       Stores SSH login details for network devices
DISCOVERY         Scans and finds devices via CDP or IP range
ASSURANCE         Monitors real-time health and performance of network devices
NETWORK SETTINGS  Configures NTP, Syslog, DNS, and other services
POLICY            Defines rules and automation for network access, traffic, and control
PATH TRACE        Simulates the data flow route to check connectivity

WHAT WE DID, WHY WE DID IT, AND HOW IT WORKED (DNA CENTER LAB)

What We Did

In this lab, we created a complete enterprise-like network environment and configured Cisco DNA Center
(Digital Network Architecture Center) to act as a centralized network controller. We used a total of four
devices (2 routers and 2 switches), connected via proper cabling, assigned IP addresses, and enabled SSH
for secure remote access. Then, we accessed the DNA Center via PC0’s browser, performed device
discovery, added SSH credentials, and verified that all devices were being monitored centrally.

Why We Did It

We configured DNA Center because it allows us to:

• Remotely manage all network devices from one place
• Avoid manual CLI configuration for every router/switch
• Use a Graphical Interface (GUI) to monitor health, performance, and connectivity
• Automate basic services like NTP, Syslog, and DNS
• Simulate real-world Software Defined Networking (SDN) used in large enterprise networks

This lab reflects how modern networks are managed today, especially in large organizations where manual
configuration of each device is impractical.

How It Worked

1. SSH Configurations: First, we powered on both multilayer switches and configured SSH access on
each router and switch. This allowed secure remote access using the DNA Center.
2. IP Addressing: We assigned IP addresses to all routers and switches on Gigabit and VLAN 1
interfaces, making them reachable over the network.
3. PC & DNA Controller Setup: PC0 was given IP 10.0.0.10 and used as an access point to open DNA
Center's GUI at IP 10.0.0.100.
4. Login to DNA Center: We logged into the web interface using default credentials admin/admin.
5. Credential Setup: We added SSH credentials (username and password) so DNA Center could
authenticate to each device.
6. Device Discovery: We selected Discovery and entered the IP of SW2 (10.0.0.3). DNA Center used
CDP (Cisco Discovery Protocol) to automatically find other connected SSH-enabled devices.
7. Monitoring the Network: After discovery, we were able to:
o View the network topology (graphically)
o Check device health under Assurance
o See the host devices connected
o Run a path trace to simulate traffic flow
8. Service Configuration: We added optional services:
o NTP: 10.0.0.50
o Syslog: 10.0.0.60
o DNS: 8.8.8.8
These services can be pushed from DNA Center to discovered devices as a policy.
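Steps 5 to 7 above (credentials, CDP-based discovery from the seed IP 10.0.0.3, then viewing the topology and running a Path Trace) modelled in code, as an added example that is not part of the lab report and not DNA Center's own code. The CDP neighbour tables, management IPs and vty configuration fragments are constructed for the example (the hostnames, PC0 = 10.0.0.10 and SW2 = 10.0.0.3 follow the lab; the other addresses are assumed), and Router1 is deliberately given Telnet-only vty lines so the example shows what discovery reports when the SSH credential cannot be used. DNA Center's real discovery and Path Trace engines are richer than this model (hop limits, routing-table lookups, ACL evaluation), but the two ideas it demonstrates hold: discovery only spreads through devices the controller can log in to, and a path trace can only run over links the controller has learned.

```python
"""Added example, not code from the lab report or from Cisco DNA Center.

Simplified model of DNA Center discovery (walk CDP neighbour tables outward
from a seed device, logging in with the SSH credential) followed by a Path
Trace over the links the controller learned.  All data below is constructed.
"""
from collections import deque

# Constructed CDP neighbour tables: device -> [(neighbour, local port), ...].
CDP_NEIGHBORS = {
    "SW2":     [("Router1", "Gi0/1"), ("SW1", "Gi0/2"), ("PC0", "Fa0/1")],
    "SW1":     [("SW2", "Gi0/2"), ("Router0", "Gi0/1"), ("PC1", "Fa0/1")],
    "Router0": [("SW1", "Gi0/0"), ("Router1", "Gi0/1")],
    "Router1": [("Router0", "Gi0/1"), ("SW2", "Gi0/0")],
}

# Constructed management IPs (PC0 = 10.0.0.10 and SW2 = 10.0.0.3 are the lab's values).
MGMT_IP = {"Router0": "10.0.0.1", "SW1": "10.0.0.2", "SW2": "10.0.0.3",
           "Router1": "10.0.0.4", "PC0": "10.0.0.10", "PC1": "10.0.0.11"}

# Constructed vty configuration fragments that decide whether the SSH login works.
SSH_OK = ("username admin privilege 15 secret <redacted>\n"
          "line vty 0 4\n transport input ssh\n login local\n")
# Router1 is constructed with Telnet-only vty lines to show what discovery
# reports when the SSH credential cannot be used.
RUNNING_CONFIG = {
    "SW2": SSH_OK, "SW1": SSH_OK, "Router0": SSH_OK,
    "Router1": SSH_OK.replace("transport input ssh", "transport input telnet"),
}


def ssh_ready(config):
    """True if the vty lines accept SSH and a local user exists for the login.

    A real device also needs an RSA key pair and a domain name, but the key is
    not visible in show run, so this check is limited to what the config shows."""
    lines = [l.split() for l in config.splitlines()]
    has_user = any(t[:1] == ["username"] for t in lines)
    vty_ssh = any(t[:2] == ["transport", "input"] and ({"ssh", "all"} & set(t[2:]))
                  for t in lines)
    return has_user and vty_ssh


def discover(seed_ip, max_hops=3):
    """CDP-style discovery: breadth-first walk of neighbour tables from the seed.

    Returns managed network devices, end hosts seen in CDP tables, and devices
    found by CDP whose SSH login failed (their own neighbours stay unexplored)."""
    by_ip = {ip: name for name, ip in MGMT_IP.items()}
    seed = by_ip[seed_ip]
    found = {"devices": [], "hosts": [], "login_failed": []}
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        dev, hops = queue.popleft()
        if dev not in CDP_NEIGHBORS:          # end hosts do not run CDP
            found["hosts"].append(dev)
            continue
        if not ssh_ready(RUNNING_CONFIG[dev]):
            found["login_failed"].append(dev)
            continue                          # no login, no neighbour table to read
        found["devices"].append(dev)
        if hops >= max_hops:
            continue
        for nbr, _port in CDP_NEIGHBORS[dev]:
            if nbr not in seen:
                seen.add(nbr)
                queue.append((nbr, hops + 1))
    return found


def path_trace(src, dst, managed):
    """Shortest hop-by-hop path from src to dst over links learned in discovery.

    Only managed devices (and end hosts attached to them) are usable hops: the
    controller cannot trace through a device it could not log in to."""
    adj = {}
    for dev in managed:
        for nbr, _port in CDP_NEIGHBORS[dev]:
            if nbr in CDP_NEIGHBORS and nbr not in managed:
                continue                      # unmanaged network device: opaque
            adj.setdefault(dev, set()).add(nbr)
            adj.setdefault(nbr, set()).add(dev)
    prev, queue = {src: None}, deque([src])
    while queue and dst not in prev:
        cur = queue.popleft()
        for nxt in sorted(adj.get(cur, ())):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


if __name__ == "__main__":
    result = discover("10.0.0.3")
    print(result)
    print(path_trace("PC0", "Router0", result["devices"]))
```

With these constructed inputs, discovery from SW2 manages SW2, SW1 and Router0, lists PC0 and PC1 as hosts, and reports Router1 as a login failure; a trace from PC0 to Router0 therefore goes PC0 → SW2 → SW1 → Router0 rather than through Router1, and a trace to Router1 itself returns no path, which is the same symptom you would see in the GUI for a device that was found by CDP but never onboarded.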

CONCLUSION

This lab demonstrated how Cisco DNA Center simplifies the management of complex enterprise networks
through centralized automation. Instead of configuring devices individually, we used a single controller to
discover, monitor, and manage all connected routers and switches. After assigning IP addresses and
enabling SSH, the controller successfully discovered devices via SSH credentials. Through its GUI
dashboard, we accessed network health, applied policies, and traced packet paths. This setup reflects how
modern enterprise networks operate using Software-Defined Networking (SDN) principles — allowing
faster configuration, easier troubleshooting, and consistent policy enforcement across the entire
infrastructure.

Summary Table

CONCEPT      PURPOSE                                WHERE USED                        BENEFIT
RADIUS       User Authentication & Accounting       Wi-Fi, VPN, Enterprise Networks   Central login for users
TACACS+      Admin Authentication & Authorization   Network devices (CLI Access)      Control over who does what
WLC          Wireless Access Point Management       Large Wi-Fi networks              Centralized AP control
DNA CENTER   Automation & Network Visibility        Smart/Enterprise networks         Automation + Analytics

Final Reflection: Network Security & Automation Labs

This report explored four key labs focused on securing and managing enterprise networks using Cisco tools.
Each lab simulated realistic scenarios where device configuration, access control, wireless management,
and automation were applied using Cisco Packet Tracer. The goal was to practice how networks are
managed efficiently and securely in real-world setups.

• Lab 1 – RADIUS Authentication (Router-Based)

This lab introduced AAA using the RADIUS protocol, with the router acting as the AAA client. A username-password
combination was verified via the RADIUS server during SSH login from a PC. This setup showed how centralized
authentication simplifies and secures access control across networks.

• Lab 2 – TACACS+ Authentication (Switch-Based)

Here, TACACS+ was configured on a switch, allowing both login and exec authorization through Server0. Unlike
RADIUS, TACACS+ separates authentication and authorization. The remote login was done using Telnet, and the
results helped understand how network admins can enforce detailed access policies.

• Lab 3 – Wireless LAN Controller (WLC)

We configured a WLC-2504 to manage wireless connectivity through a centrally controlled WLAN. A secure WLAN
named Student was created using WPA2-PSK authentication. After correctly assigning the Lightweight Access Point
(LAP) to a custom AP group, wireless devices were able to join the network. Smartphones and a tablet were
successfully connected and tested for communication, confirming that the SSID broadcast and DHCP services were
functioning as expected. This lab demonstrated how wireless access can be efficiently managed using centralized
WLC settings.

• Lab 4 – Cisco DNA Center (SDN Automation)

This lab focused on Cisco DNA Center as a centralized controller for managing enterprise networks. After setting up
SSH and IPs on routers and switches, the DNA Controller was used to discover devices, monitor network health,
apply policies, and configure services like NTP, DNS, and Syslog—all through a web-based dashboard. This
demonstrated the efficiency of software-defined networking and automation.

FINAL THOUGHT

Each lab reinforced critical areas of enterprise networking—from secure user authentication to centralized
wireless and SDN-based automation. These practical exercises helped simulate how modern IT
environments are built, managed, and secured.

End of Report.
