This article will help you install Provider Connectivity Assurance.
Deployment Prerequisites
To install Provider Connectivity Assurance, your system must meet the following requirements:
- Linux operating system
- We test on RHEL9, Ubuntu 22.04/24.04, and Debian 12
- x86-64 architecture
- systemd
Computing Resources
CPU Cores | Memory | Disk | Minimun # Nodes | # of Sessions | Read IOPS | Write IOPS | Retention | |
---|---|---|---|---|---|---|---|---|
Lab | 32 | 64GB | 750GB | 1 | Up to 100 | 10000 IOPS | 1000 IOPS | N/A |
Small | 72 | 128GB | 2.5TB | 1 | Up to 10000 | 10000 IOPS | 1000 IOPS | 1 minute data for 3 months |
Ports Used by Local Processes
- 2379/TCP
- 7443/TCP
- 9099/TCP
- 10248/TCP
- 10257/TCP
- 10259/TCP
Ports Required for Internal Exposure
By default, the Admin Console uses port 30000/TCP.
Ports Required for Bidirectional Communication Between Nodes
The following ports enable bidirectional communication between nodes.
Note: For multi-node installations, create firewall openings between nodes for these ports. For single-node installations, ensure that no other processes using these ports. Although there is no communication between nodes in single-node installations, these ports are still required.
- 2380/TCP
- 4789/UDP
- 6443/TCP
- 9091/TCP
- 9443/TCP
- 10249/TCP
- 10250/TCP
- 10256/TCP
External URL Access
The following URLs need to be accessible for installing Provider Connectivity Assurance:
- proxy-registry.pca.cisco.com
- update.pca.cisco.com
DNS Configuration
If you are planning on using domain names for your deployment, you must have the following entries configured:
Application | Domain Name | Example |
---|---|---|
Identity and Access Management | auth.{domain} | auth.mydomain.com |
Tenant | {tenant-name}.{domain} | pca.mydomain.com |
Deployment | {deployment-name}.{domain} | performance.mydomain.com |
When using DNS, only port 443/TCP needs to be externally exposed.
No-DNS Configuration
If you are not using DNS, then applications are accessed via different ports. No-DNS mode only works with IPv4.
If DNS is not used, applications must be accessed through different ports. Note that No-DNS mode only supports IPv4.
Application | Port |
---|---|
Identity and Access Management | {ip}:3443 |
Tenant | {ip}:443 |
Deployment | {ip}:2443 |
(Optional) Dual-Stack Linux Infrastructure for IPv6 Support
To utilize IPv6 functionality with Provider Connectivity Assurance, your underlying Linux infrastructure must be configured for dual-stack networking. Single stack IPv6 is not supported.
Also note that if using IPv6, you must have DNS configured for your host machine. You will be asked to provide the server's domain name when deploying Provider Connectivity Assurance from the Admin Console. The Admin Console will have to be accessed via the machine's IPv4 address.
Increase Limits for Monitoring File System Events
Run the following commands on your machines to ensure optimal performance and stability for Provider Connectivity Assurance.
echo "fs.inotify.max_user_watches=100000000" | sudo tee -a /etc/sysctl.conf
echo "fs.inotify.max_user_instances=8192" | sudo tee -a /etc/sysctl.conf
echo "fs.inotify.max_queued_events=16384" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p
sudo bash -c 'echo "DefaultLimitNOFILE=unlimited" >> /etc/systemd/system.conf && \
echo -e "* soft nofile unlimited\n* hard nofile unlimited\nroot soft nofile unlimited\nroot hard nofile unlimited" >> /etc/security/limits.conf && echo "All limits set. Please reboot for changes to take full effect."'
## important: Reboot!!
sudo reboot
Getting Started
To begin, you must download Provider Connectivity Assurance from the Download Portal. To access the website, an account must be created for you by Cisco or by a user with an existing account.
You must provide a valid email to access your Download Portal. You may be emailed a temporary access code to continue.
In the Download Portal, follow the Installation Guide to obtain the tar archive for the provider-connectivity-assurance installation asset.
The first step is to prepare an instance by giving it a name and selecting if the instance will be able to make outbound requests back to our servers directly or if they will require an HTTPS proxy.
Choose the appropriate network availability for your installation environment. This selection will modify the installation command provided in the next step to include the appropriate instructions for configuring the HTTPS proxy.
If you are running Provider Connectivity Assurance using IPv6, you must choose a version of the software that is for dual stack. For example, version 25.7.7-1-dual-stack
. If you are not using IPv6, your version will look like 25.7.7-1
.
Once obtained, extract the installation assets to your machine and install the software using the following command:
sudo ./provider-connectivity-assurance install --license license.yaml
The installation will prompt you to set a password for accessing the Admin Console.
Note: This step can take up to 15 minutes.
Example Output
? Set the Admin Console password (minimum 6 characters): ************
? Confirm the Admin Console password: ************
✔ Host files materialized!
✔ Host preflights succeeded!
◒ Waiting for provider-connectivity-assurance node to be ready
Access the Provider Connectivity Assurance Admin Console
Once the provider-connectivity-assurance installation is complete, you can access the Admin Console. This will be used to further configure your deployment, for future upgrades of the software, and for obtaining support bundles to get help with troubleshooting, if needed.
The Admin Console is hosted as a web server on port 30000 of your machine; connect to it via your web browser of choice. It only needs to be accessed internally for users who are managing the cluster's deployment and maintenance.
When first setting up the Admin Console, you can optionally create a TLS certificate to secure the communications of the Admin Console. By default, a self-signed certificate is used and connections are always via HTTPS.
Upon installation, you were asked to configure a password for the Admin Console. Provide this password to access the Admin Console.
Note: This password can be reset using the provider-connectivity-assurance command line utility installed on your machine.
Adding Nodes to the Cluster
Provider Connectivity Assurance can be deployed over a cluster of nodes. In order to add more nodes to the cluster, the provider-connectivity-assurance installation assets must be copied to the new nodes. The Admin Console presents the necessary steps to add the node to the cluster.
Note: This is optional and can be completed before the first deployment of the Provider Connectivity Assurance software or on a subsequent patching of the deployment.
Configuring Provider Connectivity Assurance
Follow the steps below to configure your Provider Connectivity Assurance deployment. Each configuration option is documented with details on its purpose. Most options have default values, and it is recommended to stick with defaults when possible.
Once the deployment begins, a spinner will indicate that it is in progress.
Note: This process takes approximately 15 minutes.
Pre-Flight Checks
Upon deploying your software, your system will undergo a series of pre-flight checks to determine compatibility. These checks should not be ignored because they check for the minimum requirements needed to run Provider Connectivity Assurance in your environment.
If you deploy using an IPv6 address for the host machine but you do not use a version of the deployer that is post-fixed with the label dual-stack
in the version, the pre-flight checks will fail, indicating that you must use a dual-stack version of the deployer.
First Time Login
Once the deployment from the Admin Console is complete, you can log in for the first time using the default admin user for the deployment.
Note: The default admin user's username will come from the deployment name and domain name entered in the Admin Console configuration.
PCA Version | Default Admin Username | Password |
---|---|---|
25.07 CA | {deployment-name}-admin@auth.{domain-name} For example: performance-admin@auth.onprem.cisco.internal |
The password is listed in the Admin Console. |
As the default admin user, you can log in to the web UI hosted at:
If your installation was installed with DNS
Web UI |
---|
https://{tenant-name}.{domain-name} |
If your installation was installed with no DNS
Web UI |
---|
https://{external—ip} |
Note: On first login, you will be asked to change the default admin user's password.
Accessing the Identity and Access Management UI
Identity and access management in Provider Connectivity Assurance is implemented via Zitadel. The Zitadel UI can be used to create service users for API integration as well as for configuring SSO for the deployment.
It is hosted at:
If your installation was installed with DNS
Zitadel UI |
---|
https://auth.{domain-name} |
If your installation was installed with no DNS
Zitadel UI |
---|
https://{external—ip}:3443 |